
Segregation of Duties Remediation

On the surface, segregation of duties (SOD) remediation is simple. First, you compile a list of SOD conflicts derived from SOX and any other compliance regime that applies to you, and select the ones that are relevant to your company. Then you compare that list against the roles assigned to users in your organization. Where a user holds conflicting duties, you remediate the SOD conflict by reassigning one of the duties to another user, or you mitigate it with a compensating control, for example by putting extra monitoring in place.

However, simple does not mean easy, particularly if you use an old, document-centric process instead of modern GRC software. Here is why companies struggle with SAP SOD remediation, and what you can do about it.

Why Segregation of Duties Remediation is Hard

Finding and remediating SAP SOD conflicts is the type of task that is easy for a computer but hard for a human combing through access rights. Instead of having the computer compare the SOD rule set against user role assignments, many companies make their GRC teams examine tens of thousands of pages of spreadsheets, or even work through printed pages by hand.

Writing segregation of duties remediation rules and implementing SAP security is further complicated by a lack of visibility. Your organization has a complex SAP security model that may contain thousands of roles, and any change to an assigned role can have consequences for the business. Miss a detail and you can leave a gap in a business process, or create a new SAP SOD conflict.

Not every segregation of duties tool solves the remediation problem. A tool needs to decode access, capture usage reporting, compare actual usage against the security model, and produce a remediation roadmap. Otherwise it ends up as just another wall to bang your head against.
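The comparison the page describes (rule set versus role assignments, with usage data driving the remediation choice and a what-if check before a role change) is small enough to show in code. The following is an added example, not code from the page, from Symmetry or from ControlPanelGRC. All data in it is constructed: the function names, roles, users and usage records are hypothetical labels standing in for whatever a real tool would decode from SAP authorizations and usage logs, not real SAP transaction codes or authorization objects.

```python
# Added example: SOD conflict detection, usage-aware remediation, what-if check.
# All data below is constructed; names are hypothetical, not SAP objects.
from collections import defaultdict

# Each rule names two business functions one person must not hold together.
SOD_RULES = [
    ("CREATE_VENDOR", "PAY_VENDOR"),       # create a fictitious vendor, then pay it
    ("POST_JOURNAL", "APPROVE_JOURNAL"),   # approve one's own journal entries
    ("MAINTAIN_PAYROLL", "RUN_PAYROLL"),   # alter a pay record, then run payroll
]

# Security model: role -> business functions the role grants (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "POST_JOURNAL"},
    "AP_PAYMENTS": {"PAY_VENDOR"},
    "GL_APPROVER": {"APPROVE_JOURNAL"},
    "HR_ADMIN": {"MAINTAIN_PAYROLL", "RUN_PAYROLL"},  # conflict built into one role
}

# Assignments: user -> roles (constructed).
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},
    "bob": {"AP_CLERK", "GL_APPROVER"},
    "carol": {"HR_ADMIN"},
}

# Usage reporting: user -> functions actually executed in the review period.
USAGE = {
    "alice": {"CREATE_VENDOR", "POST_JOURNAL"},  # holds PAY_VENDOR, never used it
    "bob": {"POST_JOURNAL", "APPROVE_JOURNAL"},  # exercises both sides of a conflict
    "carol": {"RUN_PAYROLL"},
}


def functions_by_role(roles, role_functions):
    """Map every function the role set grants to the roles granting it."""
    granted = defaultdict(set)
    for role in roles:
        for func in role_functions.get(role, ()):
            granted[func].add(role)
    return granted


def find_conflicts(user_roles, role_functions, rules):
    """{user: [(func_a, func_b, roles_a, roles_b), ...]} for each rule whose two
    functions the user can both execute, from one role or a combination."""
    report = {}
    for user, roles in user_roles.items():
        granted = functions_by_role(roles, role_functions)
        hits = [(a, b, frozenset(granted[a]), frozenset(granted[b]))
                for a, b in rules if a in granted and b in granted]
        if hits:
            report[user] = hits
    return report


def propose_remediation(user, conflicts, role_functions, usage):
    """Per conflict: drop roles that only grant unused access (remediate),
    flag a role that carries both sides (redesign), otherwise mitigate."""
    used = usage.get(user, set())
    proposals = []
    for func_a, func_b, roles_a, roles_b in conflicts:
        if roles_a & roles_b:  # reassignment cannot fix a role that grants both
            proposals.append(((func_a, func_b), "redesign_role", sorted(roles_a & roles_b)))
            continue
        removable = []
        for func, granting in ((func_a, roles_a), (func_b, roles_b)):
            # Every role granting this side must be droppable without taking
            # away anything the user actually uses.
            safe = {r for r in granting if not (role_functions[r] & used)}
            if func not in used and safe == granting:
                removable.append(sorted(safe))
        if removable:
            proposals.append(((func_a, func_b), "remove_roles", removable[0]))
        else:
            proposals.append(((func_a, func_b), "mitigate",
                              "both sides in use: reassign one duty or add a compensating control"))
    return proposals


def simulate_change(user, new_roles, user_roles, role_functions, rules, usage):
    """What-if check for a proposed role set: conflicts resolved, conflicts
    newly introduced, and functions the user relies on that would be lost."""
    before = find_conflicts({user: user_roles[user]}, role_functions, rules).get(user, [])
    after = find_conflicts({user: new_roles}, role_functions, rules).get(user, [])
    before_pairs = {(a, b) for a, b, _, _ in before}
    after_pairs = {(a, b) for a, b, _, _ in after}
    lost = set(functions_by_role(user_roles[user], role_functions)) \
        - set(functions_by_role(new_roles, role_functions))
    return {"resolved": before_pairs - after_pairs,
            "introduced": after_pairs - before_pairs,
            "lost_used_functions": lost & usage.get(user, set())}


if __name__ == "__main__":
    for user, hits in find_conflicts(USER_ROLES, ROLE_FUNCTIONS, SOD_RULES).items():
        print(user, propose_remediation(user, hits, ROLE_FUNCTIONS, USAGE))
    print(simulate_change("bob", {"AP_CLERK", "AP_PAYMENTS"},
                          USER_ROLES, ROLE_FUNCTIONS, SOD_RULES, USAGE))
```

Three things in this toy are the ones that matter in a real tool. Conflicts are evaluated on the union of functions a user can execute, so a conflict split across two roles and a conflict baked into a single role are both caught, and the latter is flagged for role redesign because moving the role to someone else only moves the problem. Usage data decides between remediation and mitigation: alice's unused AP_PAYMENTS role can simply go, while bob exercises both sides of his conflict and needs a duty reassigned or a compensating control. Finally, simulate_change re-runs the analysis on the proposed assignment before it is applied; swapping bob's GL_APPROVER for AP_PAYMENTS would resolve one conflict, introduce another and remove a function he actively uses, which is exactly the kind of change a manual process tends not to notice until the next audit.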

How ControlPanelGRC Makes SAP SOD Remediation Easy

The ControlPanelGRC SAP Access Control Suite helps at every step of the segregation of duties remediation process. The SAP SOD Risk Analysis module uses a comprehensive, customizable rulebook to run risk analysis in real time. The software examines privileges in SAP to identify existing risks, and uses modeling to identify unused access rights and offer remediation options. Customers tell us that they see a 60-70% reduction in SOD risks simply by removing unused access. The software analyzes risks automatically and pushes notifications to business owners so that segregation of duties remediation happens quickly. Users can perform root cause analysis, review the severity, and remediate or mitigate the SAP SOD conflict.

The module integrates with the other modules in the suite to support related GRC tasks, including emergency access management, compliant user provisioning, acceleration of routine SAP security work, and integration with HR records to automate access provisioning. ControlPanelGRC also automates SAP audit management with AutoAuditor™, which runs reports on a schedule and pushes the output to the appropriate staff for review, without anyone having to chase down signatures.


Segregation of Duties Shouldn’t Be a Big Deal

SAP segregation of duties remediation is a routine compliance and risk mitigation activity, not a major strategic endeavor. If you are investing a lot of time, money and effort in remediation, it is time to modernize your process.

To learn how Symmetry can help, contact us or check out our customer success story, Carlisle Construction Materials: Value Achieved in Automated Controls in an SAP Environment


Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.