Case Study – Managing SOD Access Risks
Problem Statement
Problem
Massive numbers of single, derived and composite roles; roles did not match positions, and excessive access was an issue. The ruleset did not contain custom transactions, and gaps had been highlighted by a Big4 benchmarking exercise. Controls were weak and not fit for purpose, and risks were unmitigated in the live system.
Problem metrics
2 key systems, 6,000 SAP users, 20,000+ single roles. Users in some departments required 200+ roles for their job.
Client Information
Business vertical/type
FTSE 100 customer in the Luxury Retail sector
Business size & complexity
10k employees globally, 60% of them SAP users, 2 ERP systems, S/4 HANA, GRC, BW, Ariba and SuccessFactors
Solution
Xendl’s approach
Working with Group Financial Compliance, Xendl assessed and updated the RuleSet with all Big4 gaps where appropriate, assessed custom t’codes and the need for their inclusion in the RuleSet, and carried out an assessment of Fiori and non-SAP (third-party procurement and manufacturing systems) impacts on the RuleSet. Xendl provided technical support in a business-led review of mitigating controls and helped establish the appropriateness and effectiveness of each.
Designed and provided guidance for new mitigations, including risk materialisation reports to mitigate SoD risks, and built a roadmap for full automation leveraging existing tools with a customised Xendl bolt-on.
Supported a small selection of critical automated controls using a Xendl CCM bolt-on to GRC.
What was delivered
Established quick wins for SoD remediation, leveraging transactional usage
Created and documented 20 new strong semi-automated detective controls leveraging custom reports developed by Xendl (see below)
GRC Continuous Control Monitoring (CCM) to strengthen / protect existing automated controls
Took the client on a journey to ≈ 0 unmitigated conflicts
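The logic behind two of the deliverables above, usage-led quick wins for SoD remediation and a risk materialisation report, as an added illustration that is not Xendl's or the client's code. The ruleset, the Z_ role names, the users and the usage records are all constructed sample values; in a real engagement they would be pulled from the GRC ruleset, role authorisations and transaction usage statistics.

```python
# Added example: minimal SoD conflict, risk materialisation and quick-win analysis
# over constructed data. Not the case study's own tooling.
from collections import defaultdict
from dataclasses import dataclass

# Constructed ruleset: (risk id, description, tcodes of function A, tcodes of function B).
# A user who holds at least one tcode on each side has the conflict.
RULESET = [
    ("P001", "Maintain vendor master AND post vendor invoices", {"XK01", "XK02"}, {"FB60", "MIRO"}),
    ("P002", "Create purchase order AND post goods receipt", {"ME21N"}, {"MIGO"}),
]

# Constructed single roles (hypothetical Z_ names) and the tcodes they authorise.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_INVOICE": {"FB60", "MIRO", "FB03"},
    "Z_PUR_BUYER": {"ME21N", "ME23N"},
    "Z_WH_RECEIPT": {"MIGO"},
    "Z_DISPLAY": {"XK03", "ME23N"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE"},  # conflict; both sides actually used
    "bob": {"Z_PUR_BUYER", "Z_WH_RECEIPT"},           # conflict; one side never used
    "carol": {"Z_AP_INVOICE", "Z_DISPLAY"},          # display access only on the other side: no conflict
    "dave": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE"},   # conflict; only a display tcode used on one side
}

# Constructed transaction usage records (user, tcode, date).
USAGE = [
    ("alice", "XK02", "2024-03-01"),
    ("alice", "FB60", "2024-03-02"),
    ("bob", "ME21N", "2024-03-05"),
    ("carol", "FB60", "2024-03-06"),
    ("dave", "XK03", "2024-03-07"),
    ("dave", "FB60", "2024-03-08"),
]


@dataclass(frozen=True)
class Conflict:
    user: str
    risk_id: str
    side_a: frozenset  # conflicting tcodes the user holds on side A
    side_b: frozenset  # conflicting tcodes the user holds on side B


def find_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, ruleset=RULESET):
    """Evaluate every user's effective tcodes (union of their roles) against the ruleset."""
    conflicts = []
    for user, roles in sorted(user_roles.items()):
        held = set().union(*(role_tcodes.get(r, set()) for r in roles))
        for risk_id, _desc, side_a, side_b in ruleset:
            a, b = held & side_a, held & side_b
            if a and b:
                conflicts.append(Conflict(user, risk_id, frozenset(a), frozenset(b)))
    return conflicts


def executed_tcodes(usage):
    """Map each user to the set of tcodes they actually executed."""
    used = defaultdict(set)
    for user, tcode, _date in usage:
        used[user].add(tcode)
    return used


def materialised_risks(conflicts, usage):
    """Risk materialisation report: conflicts where the user executed at least one
    tcode on each side, so the theoretical conflict became an event to review."""
    used = executed_tcodes(usage)
    return [c for c in conflicts if c.side_a & used[c.user] and c.side_b & used[c.user]]


def quick_wins(conflicts, usage, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Usage-led remediation proposals as (user, risk, role, action) tuples.

    If a user never executed any tcode on one side of a conflict, a role granting
    that side can go. A role none of whose tcodes the user ever ran is a clean
    'remove'; a role the user still needs for other tcodes must be split instead.
    """
    used = executed_tcodes(usage)
    proposals = []
    for c in conflicts:
        for side in (c.side_a, c.side_b):
            if side & used[c.user]:
                continue  # this side is in use; no removal possible here
            for role in sorted(user_roles[c.user]):
                grants = role_tcodes[role]
                if not grants & side:
                    continue
                action = "remove" if not grants & used[c.user] else "split role"
                proposals.append((c.user, c.risk_id, role, action))
    return proposals


if __name__ == "__main__":
    found = find_conflicts()
    print(f"{len(found)} SoD conflicts held; "
          f"{len(materialised_risks(found, USAGE))} materialised in usage")
    for proposal in quick_wins(found, USAGE):
        print("quick win:", proposal)
```

The split between "remove" and "split role" is the check that keeps a quick win from breaking a user's job: in the constructed data dave's vendor-maintenance role is flagged for splitting rather than removal because he still runs the display transaction it carries.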
Xendl accelerators / IP
Rapid mitigating report generation
Reference available
– Yes