It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
SAP GRC access control and process control are automated tools that manage an internal security model, remediate compliance issues, and monitor potential business risks within an SAP system. When users have too much access in a system, they can damage the company and break compliance. This happens both by intentional misuse (e.g. using privileges to steal money or goods) and accidental misuse (e.g. by making a mistake in accounting or bypassing a quality control safeguard). By logging access, transactions and other information, GRC Software addresses compliance, quality, fraud and other internal security issues.
SAP GRC access control focuses on what users can do, while SAP GRC process control focuses on what users are doing. For example, if the system allowed managers to review workers’ medical records, SAP GRC access control would detect the potential for a HIPAA violation and create an alert. If someone were looking through the company’s medical records improperly, process control would alert monitors.
Expert Insight: Scott Goolik, VP of Compliance and Security
Access Control and Process Control are analogous to different types of security in a bank. SAP GRC access control is like locked doors, guards and alarms. It controls who can enter and exit sensitive areas, and sounds the alarm if someone enters a room they shouldn’t. An SAP GRC Access Control tool like the ControlPanelGRC® Access Control Suite is the first step in a GRC program, allowing companies to modernize role management, Segregation of Duties (SoD), auditing and other basic compliance tasks.
SAP GRC Process Control is similar to drawer counts, reconciliation checks and identity and credit verification. It examines processes looking for signs of fraud or theft.
What follows is a comprehensive guide to Symmetry’s top SAP GRC insights that IT leaders need to know. These links allow you to jump to specific sections:
- SAP GRC Access and Process Control
- GRC Access Control in SAP Fiori
- Understanding Cloud Identity and Access Management
- GRC Audit
- Understanding Segregation of Duties (SOD) in SAP GRC
- ControlPanelGRC Solution
- GRC Rule Sets
- GRC Software
- SAP GRC Risk Mitigation
- SAP GRC SOX Compliance Checklist
Compliance requirements like Sarbanes-Oxley (SOX) as well as industry-specific rules like 21 CFR Part 11, mandate controls to detect, mitigate and prevent misconduct. These rules are backed up by auditing and hefty noncompliance penalties, but leave many of the details of implementation up to companies. Traditionally, companies would manually review internal records to meet regulatory compliance goals. They would compile data into audit reports, which could also be used to detect fraud, design remediation efforts and perform other compliance activities.
Unfortunately, this technique is time-consuming and inefficient; it can take hundreds of hours to compile company access logs, create, authenticate and review reports. Manual reporting also leads to data entry errors, which can cause false positives. Plus, by the time the information is reviewed it’s usually at least a few months old.
This increases risks by delaying remediation. It also makes change control difficult to impossible, since there’s no practical way to check user access changes for Segregation of Duties (SoD) risks against current data. Additionally, these reports typically only sample access data, since it’s impractical to check everything by hand. Both internal fraud and external intrusions can slip by, making document-centric remediation a poor tool for both security and compliance.
Remediation efforts also tend to fail without SAP GRC access control and process control.
It’s very difficult to streamline the security model and see all the possible consequences of changing a user’s role, for example. As a result, companies often end up introducing new compliance issues, building excessively complex roles that further burden SAP GRC efforts, or both.
SAP GRC access control and process control solve these problems by automating most of the work that goes into creating audit reports, as well as detecting and remediating internal compliance issues. Output is generated directly from change logs, which eliminates errors and allows a complete review of access and business processes.
The software also centralizes controls and evaluates changes before they are implemented, allowing users to remediate easily and prevent unintended consequences. You can automate change control and instantly detect issues that could otherwise sit in the system for years, unnoticed.
What is SAP GRC Access Control?
Within the SAP environment, users are assigned roles, which give them particular privileges to access particular data and perform particular actions. SAP GRC access control governs these roles, handling both routine access within the system, and special permissions such as emergency access.
SoD is a key part of access control. Compliance regimes like Sarbanes-Oxley prohibit users from having certain combinations of privileges which can lead to fraud. For example, if a user is able to create and pay vendors, the user could use that ability to funnel money to collaborators, or simply steal money and hide their tracks through fake vendors. Therefore, businesses need to organize roles so that different users are responsible for entering vendors and payments.
Other types of access pose inherent security and compliance risks. For example, the ability to access credit card data or reconfigure the system could allow a user to do harm to a company, through theft, sabotage and negligence.
SAP GRC access control:
Guards against both kinds of risks by controlling what users can do and recording what they are doing. Within ControlPanelGRC, the Risk Analyzer holds segregation of duties rules, organized in a user-friendly fashion. It examines what users can do, and automatically executes what-if analysis to determine potential compliance issues. The module generates reports and notifications, allowing managers to remediate compliance issues.
Is integrated with the User and Role Management module, which ensures change management and ongoing compliance. If a user takes on a new job or moves to a different department, they need to be assigned a new role. This can cause SoD issues if not handled properly. User and Role Management analyzes the request for potential problems before assigning it. It also automates the workflow, ensuring that risks are examined, and roles are assigned and signed off on by the proper parties.
In an emergency:
An SAP BASIS administrator or other user might need an extraordinary amount of access in the system to fix a critical error or other issue. Within SAP GRC access control, the Emergency Access Manager handles this access, minimizing its potential risks. Users can create pre-approved authorizations to assign emergency privileges. During the emergency, everything the user does is tracked for audit purposes. Users must also indicate why they requested emergency access and what they did, providing detailed descriptions which are then routed to managers automatically for review.
HR data is a special challenge for SAP GRC access control. it must be kept accurate and up to date, but it also contains sensitive information which requires tightly restricted access. Many SAP GRC access control modules handle SoD, but don’t place extra safeguards on this data.
ControlPanelGRC takes a more secure approach with the HR Analyzer™. This tool logs access and screen views of secure data, and notifies executives immediately of any indication that HR records have been improperly accessed or viewed. Data is automatically scrambled outside of production, ensuring it’s uncompromised by system testing and other non-HR uses.
HR Analyzer also synchronizes HR changes like hiring, terminations, job reassignments and pay raises with user provisioning processes handled elsewhere in SAP GRC. This ensures HR accuracy and cuts down on the time it takes to change employee status.
What is SAP GRC Process Control?
If your audits require you to spend a lot of time recreating transactions or proving that something bad didn’t happen, a tool like the ControlPanelGRC Process Control Suite can be a huge help. Instead of focusing on user roles and privileges, SAP GRC process control focuses on the business processes themselves, monitoring them to ensure they’re handled correctly.
Process control gives businesses a second chance to catch problems that they may have missed in SAP GRC access control. For example, SAP has a configuration flag allowing you to prohibit payment for duplicate invoices. However, if that duplicate check is disabled or wasn’t configured properly in the first place, SAP process control would detect it, using the transactional checks — that is, by inspecting the actual business transactions that occurred.
The ControlPanelGRC Process Analyzer for Procure to Pay can spot users making payments to vendors who haven’t been approved, or paying a duplicate invoice that may indicate fraud. Another module monitors Order to Cash transactions, allowing you to spot improper changes to customer credit limits, or excessive (and potentially fraudulent) returns. Both modules look for exceptions to business rules. If it detects an issue, key personnel are notified in real time, and the system provides tools for quick remediation.
The Enterprise Risk Management (ERM) module enhances documentation, testing and execution of controls. It helps companies ensure their controls are configured and functioning properly, and aligned with compliance requirements. This makes it particularly useful for stringent compliance regimes, such as HIPAA, SOX and 21 CFR Part 11.
The AutoAuditor™ eliminates the stress and delays of compiling audits across your SAP GRC environment. It syncs with other ControlPanelGRC modules, and schedules and pushes audits to the right users. This automates execution, delivery and validation ensuring your organization doesn’t miss an important deadline or step.
What is SAP GRC — Other Tools
Although SAP GRC access control and process control are the most important tools, certain vendor-specific products can support other areas of the GRC process. ControlPanelGRC offers a Security Acceleration Suite that automates many routine tasks in SAP security administration. For example, its User and Role Change Analyzer helps admins analyze and compare multiple role versions, document changes, alter multiple roles at once and analyze and remediate inadvertent problems with role changes. By automating these tasks, admins can save time and understand security changes better, reducing risk and cost.
ControlPanelGRC also offers a Basis Control Suite to help manage routine SAP Basis tasks, such as transports and batch jobs — something no other GRC software vendor currently offers. For companies without outside Basis support, this reduces the amount of time and work involved in day-to-day SAP Basis administration, reducing the burden on internal IT.
It also reduces the security risks posed by the slow or lax administration common among overtaxed internal teams. Many of the most dangerous SAP vulnerabilities prey on companies whose IT departments don’t have time to perform routine patching and maintenance promptly. By automating these tasks, the Basis Control Suite virtually eliminates the most frequently exploited cyber security vulnerabilities.
Should I Outsource SAP GRC Administration?
Like anything else in IT managed services, it depends on the vendor and on your internal resources. If you have SAP GRC access control software that produces incomprehensible output, the problem probably isn’t your compliance team — it’s the software or the vendor support; if your software doesn’t provide high level overviews for executives, clear technical data for administration and multi-level access for compliance teams, switch to a product that does.
But in many cases, outsourcing SAP GRC access control and process control can save money and improve your compliance program. The right IT managed services provider can ensure your software is setup and configured properly, free your internal staff to work on more strategic projects, and provide an invaluable outside observer to prevent issues like fraud and poor change management.
Symmetry’s Security Complete PlusGRC provides total security and compliance services, taking the stress out of protecting business assets. Our highly-trained consultants are experts in SAP administration, security and compliance, providing a level of protection very few organizations could afford to hire internally. Services include 24x7x365 user administration and compliance monitoring, and comprehensive reporting across all levels of your organization.
Because we offer a complete range of SAP services, we can provide as much or as little IT infrastructure support as you need. Whether you’re looking for a partner to configure, host and manage your entire SAP environment, or just some help setting up your SAP GRC program — Symmetry is the ideal managed services partner.
Companies that adopt SAP HANA and SAP S/4HANA can take advantage of the new User Experience (UX) features available through SAP Fiori software. Fiori offers SAP users a more modern, intuitive and productive UX. However GRC access control in SAP Fiori can be an issue.
At issue is the nature of SAP GRC. It’s invariably set up for the traditional SAP GUI which grants access in its own way. Fiori is different, and there are potential gaps that could open the door for compliance and SoD problems. Even with sound overall SoD controls around transactions, there is the still the potential for SoD conflicts to go undetected when using Fiori apps.
GRC teams can overcome this risk with GRC tools like ControlPanelGRC®. Its output provides remediation options and then facilitates the remediation itself—followed by ongoing monitoring.
ControlPanelGRC®’s SAP SoD Risk Analyzer is a complete compliance solution for SAP Fiori and SAP GUI. It integrates Fiori Services into existing transaction-based rules. This allows the tool to check Fiori access and automatically remove false negatives. As a result, it can spot and remedy conflicts regardless of the interface.
Cloud identity and access management, which is relevant now that SoD applies to cloud-based SAP instances, requires knowledge of basic Identity and Access Management (IAM). IAM is about controlling user access to digital assets. Cloud identity and access management is similar to the traditional, on-premises IAM, but there are a few differences.
Cloud computing puts software and data into remote cloud data centers. In effect, the cloud is like a separate, independent data center for your SAP landscape. You just don’t own it or control it. The cloud introduces a separate access zone. Cloud users can be anywhere. Unlike on-premises user authentication, which can be achieved by determining a user’s location on the local network or VPN, the cloud can give cover for a malicious actor who is logging in from just about anywhere in the world. This is a major risk exposure and problem for compliance. Cloud IAM must take this into consideration.
Indeed, cloud users may not even be human beings. Machine-to-machine transactions are common, so the IAM system must be able to authenticate non-human users. Many cloud systems are connected to their on-premises counterparts. This hybrid architecture creates IAM challenges as users hop back and forth between the local data center and cloud.
A GRC audit is meant to assess how well your organization is following the implementation of its chosen GRC framework. Frameworks vary so most companies have a unique GRC audit processes and set of deliverables. All GRC audits, however, generate and evaluate reports from security and compliance systems that support overall GRC. The audit process includes building accurate reports on the state of SoD, user account monitoring, role changes, ERP password management and more.
Our ControlPanelGRC AutoAuditor automates the execution and validation of reports used in the GRC audit. The tool makes it possible to pre-define numerous reports and then run them with. This capability removes some of the stress that comes from preparing GRC audit reports. It then enables you to schedule and automatically execute any customized, pre-defined compliance report. AutoAuditor then routes reports to designated users.
Understanding Segregation of Duties in SAP GRC means getting in touch with a basic reality for companies running SAP: They don’t stay static for long. Constant churning in personnel and organizational structure leads to inevitable SoD conflicts. The SAP GRC framework calls for mitigating controls upon discovery of an SoD conflict. This is typically a manual process, with steps like reviewing vendor lists and payment ledgers. Such a document-centric process is deficient, lacking systematic risk and usage analysis. Without mandated reviews, consistent compliance reports and sign offs, risks can go unnoticed for long periods.
ControlPanelGRC® is a Continuous Controls Monitoring (CCM) platform which automates SAP and SOX compliance, including audit-relevant tasks like SoD. We can work with you to implement ControlPanelGRC. Our process embeds SoD compliance into ongoing SAP administration, covering regular user and role changes as well as emergency access processes transport and batch jobs.
With ever changing GRC functions, having manual processes and documents to control your SAP environment is impractical. This system prevents your business from growing and being agile, efficient, and resourceful. Automating your GRC access control can also prove challenging due to the complexity and need for an integrated end-to-end approach.
ControlPanelGRC alleviates these GRC concerns with its Access Controls Suite. Not only does it help identify control failures and SoD conflicts with continuous monitoring, but it also provides user-friendly reports and an intuitive interface.
Overall, ControlPanelGRC helps provide automated and authorized SAP audit reports, which provide assurance controls that keep your business audit ready.
Stream Symmetry’s SAP Governance, Risk and Compliance playlist for more information and insights in an easy to watch video format.
Automating Emergency Access Management
Emergency Access Management (EAM) proves complex in its potential Segregation of Duties (SoD) conflicts and audit issues. With the variety of access scenarios and SAP GRC Firefighter IDs to maintain and manage, an automated EAM process helps avoid human error. All while allowing SAP Security and Basis resources to prioritize more valuable business initiatives.
ControlPanelGRC’s EAM solution easily automates and manages complex emergency access situations. Its ability to reduce costs, provide flexibility, and ensure audit readiness make it a valuable tool for any SAP environment.
SAP GRC Mitigating Controls Automated with ControlPanelGRC
Managing SAP GRC mitigating controls can be a manual and time consuming process. It lacks systematic analysis, real-time alerts of compliance violations, and consistent compliance reporting. All of these limitations affect an organization’s ability to keep track of potential incidents and thus increases overall risk.
An automated solution for GRC mitigating controls like ControlPanelGRC Risk Analyzer is key to reducing Segregation of Duties (SoD) conflicts, identifying conflicts in real-time, and solving issues with reports that contain all necessary information.
Overall, ControlPanelGRC provides drilled-down data capabilities that are easy to understand by all business members. These include detailed risk analysis and compliance reports, and enable your business to assign the proper mitigating controls.
With GRC rulesets established to ensure compliance, reduced risk of theft and fraud, and data protection, understanding the business processes involved will help you customize rule sets that align properly with each process’ unique risk, likelihood, and severity.
Some processes involved may be internal or external regulatory in nature, such as SOX and HIPAA, meaning rulesets must meet requirements of both internal and external auditors. Creating excess rulesets may also occur due to the need for custom and accurate reflection of each business process’ risk impact and likelihood.
ControlPanelGRC Risk Analyzer can help simplify the GRC ruleset process with its rulebooks. These are easy to leverage so you can customize rulesets for different business process and auditor requirements. They also have the ability to define risks by authorization and transaction level.
Governance, Risk and Compliance (GRC) software provides tools that integrate compliance into day-to-day business processes. Whether it is user provisioning, role management, emergency access management, or periodic risk assessment, GRC software reduces the risk of fraud by automating routine compliance processes.
Organizations face a variety of information access risks due to stakeholders’ need to obtain sensitive information. These could be invoices, HR records, and financial reports to name a few. Manually managing the policies and procedures put in place to avoid fraud can be time consuming and overlook errors.
That’s why implementing GRC software can help your company simplify compliance and risk analysis by automatically and continually monitoring data and reporting. This will also keep your company ready for ever increasing audit requirements.
While midmarket companies face similar risk and compliance requirements as large companies, they often lack the resources and infrastructure to systematically support SAP compliance. Three main factors affect midmarket companies’ SAP GRC risk mitigation: staffing challenges, lack of automation, and ad-hoc IT strategy.
The technical SAP skills, compliance knowledge, and business insight required to implement GRC mitigation controls, while also regularly monitoring security and controls, requires a dedicated SAP admin team. Without proper automation tools, risk mitigation proves time consuming. Midmarket focus on keeping IT investments and resources over time also results in an ad-hoc IT strategy. Ultimately this makes improving SAP GRC more complex.
Automation tools and security consultants provided by ControlPanelGRC can help solve common mid market risk management issues with its real-time risk detection, continuous monitoring, and centralized controls.
By now, it’s clear that the SAP GRC controls you put in place affect your Sarbanes-Oxley (SOX) compliance. That’s why it’s crucial to consider implementing and evaluating four main controls.
- Segregation of Duties (SoD) controls prevent users from getting several, incompatible roles that could increase risk of fraud.
- Having automated SAP GRC compliance monitoring can also help indicate signs of risk in real-time.
- Using a solution like ControlPanelGRC can help avoid using generic firefighter IDs in emergency access situations.
- Lastly, having automated SAP audit reporting helps easily prepare your company for internal and external audits.
Overall, you can can easily automate SAP GRC SOX compliance with ControlPanelGRC. Ultimately providing you with real time monitoring, risk evaluation and remediation, and easy reporting. Contact us to learn how we can help — in GRC and beyond.