skip to Main Content

SAP SoD

Running a business involves managing risk. A variety of threats can diminish the value of your shareholders’ assets. Many of these risks can be mitigated through insurance and sensible practices. However, compliance risk, which means protecting your business from the consequence of running afoul of government regulations, requires focus and effort to manage. Managing compliance risk means organizing your approach to corporate governance. For SAP-run companies, mitigating compliance risk starts with implementing robust Segregation of Duties (SoD) controls. This makes SAP SoD a cornerstone of Governance, Risk Management and Compliance (GRC) on SAP.

Governance, Risk Management and Compliance (GRC): An Overview

The term GRC describes a broad range of activities that enable a corporation to manage risk, execute sound governance and stay compliant with applicable laws. Governance refers to the way a business runs itself, starting at the board level and c-suite. It’s about “governing” the corporate entity. GRC unites the board of directors, senior management and other departments that are specifically tasked with risk management and compliance. Typically, GRC work involves the legal department, finance, HR and IT. SAP software is deeply enmeshed in GRC given the centrality of information systems in corporate operations, governance and accounting.

SAP Access Controls

SAP offers a number of system components that enable corporations to define and implement GRC policies. They also make it possible for users to analyze GRC risks and track the remediation of problematic risks. The most commonly used GRC element in SAP is Access Control (AC). Indeed, access control is at the heart of many GRC policies, including Segregation of Duties. AC itself comprises four modules that handle requests for access, access risk analysis, emergency risk management and role management. Of these four, the SAP Access Risk Analysis (ARA) tool is the main tool employed to define SoD violations and then locate such violations.

GRC Risk Analysis and SoD Checks

Our ControlPanelGRC tool augments SAP’s native GRC capabilities. It uses a function-based approach to GRC risk analysis on SAP. It is able to define and analyze risks in the SAP software, rather than through the laborious and error-prone process of mapping duties and roles in an SoD matrix. Risk Analyzer in ControlPanelGRC defines SoD risk according to conflicting functions. It states conflict details using simple descriptions. The result helps cut down on redundant reporting and false positives.

ControlPanelGRC also provides rulebooks for managing SoD. The Risk Analyzer rulebook lays out common, sensitive authorization, critical transaction and SoD rules. In addition, it can be customized to meet specific corporate or audit requirements. Rulebooks contains sensitive authorization, critical transaction and SoD rules most commonly used across all industries. They also include predefined checks for access risks relevant to regulations like SOX, HIPAA, GDPR and others.

Risk Analyzer works with a high degree of granularity, defining risks at the transaction and authorization object level. For SAP HANA applications, the Risk Analyzer rulebook includes delivered SAP Fiori applications.  Automatic discovery of custom transactions and SAP Fiori applications accelerates the process of including company specific functionality into SoD rules.  The tool automatically discovers and captures both SAP Transaction and Fiori application usage.  This usage is included in the  SoD analysis and sent to designated business stakeholders for review or follow up action.

From there, ControlPanelGRC enables risk modeling. This capability makes possible “what if” scenarios that let analysts spot potential SoD risks when new roles and authorization privileges get assigned to employees. It also points out possible SoD risks when a company implements new transactions.

ControlPanelGRC then monitors SoD to enforce compliance policies for SoD and other GRC rules. The suite is able to generate reports automatically and notify selected stakeholders about risk execution. These reports let risk managers remediate and mitigate. The ability to “drill down” into report detail helps managers assess how severe an SoD risk might be, so they can decide how urgently action is needed to remediate it.

A number of GRC benefits flow from the use of ControlPanelGRC. The suite makes it easier to maintain compliance while it pares down audit preparation costs. It eliminates manual processes for creating SAP risk analysis reports along with the follow up with reviewers. A built-in workflow expedites and documents reports needed for SoD audits. ControlPanelGRC also notifies selected stakeholders about SoD incidents in real time.

The SAP SoD Remediation Process

The Risk Analyzer tool in ControlPanelGRC outputs the information required to make decisions about SoD risk remediation. In addition to describing the risk and its severity, Risk Analyzer highlights conflicting functions and details of the authorization object. It gives direct access to the user’s master records in SU01 and assigned roles in PFCG. By being integrated, in-module, with the ControlPanelGRC Usage Analyzer, Risk Analyzer calculates usage history on transactions or SAP Fiori applications and automatically generates a remediation plan.

The Symmetry Difference

GRC rule sets are vital, but they tend to be complex. Yet, they don’t necessarily need to be a burden to IT. ControlPanelGRC gives your organization peace of mind by automating GRC functions. The suite reduces SoD conflicts and facilitates readiness for audits.

Beyond ControlPanelGRC’s capabilities, Symmetry delivers a fast deployment, backed by support and managed services. We are proud of our industry-leading Net Promoter Score and 23 years of experience in managing SAP systems. Working with us, your ControlPanelGRC Access Control Suite implementation is assured of success. We accelerate your time to value in GRC and SoD.

Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.