Case Study – Managing SOD Access Risks
Massive numbers of single, derived and composite roles; roles did not match positions, and excessive access was a known issue. The SoD ruleset did not contain custom transactions, and gaps had been highlighted by a Big 4 benchmarking exercise. Mitigating controls were weak and not fit for purpose, leaving risks unmitigated in the live system.
2 key systems, 6,000 SAP users and 20,000+ single roles; users in some departments required up to 200+ roles for their job.
FTSE 100 customer in the Luxury Retail sector
Business size & complexity
10k employees globally (60% SAP users); 2 ERP systems; landscape includes S/4 HANA, GRC, BW, Ariba and SuccessFactors
Working with Group Financial Compliance, Xendl assessed and updated the ruleset with all Big 4 gaps where appropriate, and assessed custom transaction codes (t-codes) for inclusion in the ruleset. Xendl carried out an assessment of the impact of Fiori and non-SAP systems (third-party procurement and manufacturing systems) on the ruleset, and provided technical support in a business-led review of mitigating controls, helping establish the appropriateness and effectiveness of each.
Designed and provided guidance for new mitigations, including risk materialisation reports to mitigate SoD risks, and built a roadmap for full automation leveraging existing tools with a customised Xendl bolt-on.
Supported a small selection of critical automated controls using a Xendl CCM bolt-on to GRC.
What was delivered
Established quick wins for SoD remediation, leveraging transactional usage
Created and documented 20 new strong semi-automated detective controls leveraging custom reports developed by Xendl (see below)
GRC Continuous Control Monitoring (CCM) to strengthen / protect existing automated controls
Took the client on a journey to ≈ 0 unmitigated conflicts
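To make the usage-based quick wins and the risk materialisation idea concrete, here is an added example written for this page; it is not Xendl's tooling or the client's ruleset. It flattens user, role and t-code assignments, evaluates each SoD rule (a pair of conflicting business functions) per user, and then uses a transaction usage log to sort every conflict into a remediation bucket: remove the side the user never executes (quick win), remove both if neither is used, or flag the conflict as materialised when the user has actually executed both sides and a mitigating control must be confirmed. All rule names, roles, users and usage entries are constructed sample data; the t-codes are standard SAP ones chosen for illustration.

```python
"""Usage-driven triage of SoD conflicts (constructed example, not Xendl's code)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: hypothetical ruleset, roles and usage, not the client's.
# Business function -> SAP transaction codes that enable it.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"FK01", "FK02", "XK01", "XK02"},
    "VENDOR_PAYMENT_RUN": {"F110"},
    "PURCHASE_ORDER_CREATE": {"ME21N"},
    "GOODS_RECEIPT_POST": {"MIGO"},
}

# SoD rules: (rule id, function A, function B); holding both is a conflict.
RULES = [
    ("R001", "VENDOR_MASTER_MAINTAIN", "VENDOR_PAYMENT_RUN"),
    ("R002", "PURCHASE_ORDER_CREATE", "GOODS_RECEIPT_POST"),
]

# Single role -> t-codes it grants (composite/derived roles already flattened).
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_MM_BUYER": {"ME21N", "ME22N"},
    "Z_WH_RECEIVING": {"MIGO"},
    "Z_DISPLAY_ONLY": {"FBL1N", "ME23N"},
}

USER_ROLES = {
    "ALICE": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},  # executed both sides of R001
    "BOB": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},    # only ever runs payments
    "CAROL": {"Z_MM_BUYER", "Z_WH_RECEIVING"},        # holds R002 but uses neither side
    "DAVE": {"Z_MM_BUYER", "Z_DISPLAY_ONLY"},         # no conflict
}

# Transaction usage log (user, t-code, date), as you would extract from e.g. ST03N.
USAGE = [
    ("ALICE", "FK02", date(2024, 3, 4)),
    ("ALICE", "F110", date(2024, 3, 6)),
    ("BOB", "F110", date(2024, 3, 7)),
    ("BOB", "FBL1N", date(2024, 3, 8)),
    ("CAROL", "ME22N", date(2024, 2, 1)),  # ME22N is not part of any rule function
    ("DAVE", "ME21N", date(2024, 3, 9)),
]


def user_function_roles(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                        functions=FUNCTIONS):
    """Map each business function the user can perform to the roles granting it."""
    out = defaultdict(set)
    for role in user_roles.get(user, ()):
        granted = role_tcodes.get(role, set())
        for func, tcodes in functions.items():
            if granted & tcodes:
                out[func].add(role)
    return dict(out)


def find_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                   functions=FUNCTIONS, rules=RULES):
    """Return [(user, rule_id)] for every user able to perform both sides of a rule."""
    conflicts = []
    for user in sorted(user_roles):
        funcs = user_function_roles(user, user_roles, role_tcodes, functions)
        for rule_id, func_a, func_b in rules:
            if func_a in funcs and func_b in funcs:
                conflicts.append((user, rule_id))
    return conflicts


def last_used(user, func, usage=USAGE, functions=FUNCTIONS):
    """Most recent date the user executed any t-code of the function, or None."""
    dates = [d for u, t, d in usage if u == user and t in functions[func]]
    return max(dates) if dates else None


def triage(as_of=date(2024, 3, 31), window_days=90, usage=USAGE,
           user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
           functions=FUNCTIONS, rules=RULES):
    """Classify each conflict by which sides were executed inside the look-back window."""
    cutoff = as_of - timedelta(days=window_days)
    rule_funcs = {rid: (a, b) for rid, a, b in rules}
    results = []
    for user, rule_id in find_conflicts(user_roles, role_tcodes, functions, rules):
        func_a, func_b = rule_funcs[rule_id]
        roles = user_function_roles(user, user_roles, role_tcodes, functions)
        used = {}
        for func in (func_a, func_b):
            d = last_used(user, func, usage, functions)
            used[func] = d if d is not None and d >= cutoff else None
        if used[func_a] and used[func_b]:
            bucket = "MATERIALISED"  # risk materialised: mitigating control must be effective
            action = f"review {func_a} on {used[func_a]} vs {func_b} on {used[func_b]}"
        elif used[func_a] or used[func_b]:
            unused = func_b if used[func_a] else func_a
            bucket = "QUICK_WIN_REMOVE_UNUSED"
            # Listed roles may grant other access too; split them before removal.
            action = f"remove {unused} via roles {sorted(roles[unused])}"
        else:
            bucket = "QUICK_WIN_REMOVE_BOTH"
            action = f"remove both sides; roles {sorted(roles[func_a] | roles[func_b])}"
        results.append({"user": user, "rule": rule_id, "bucket": bucket, "action": action})
    return results


if __name__ == "__main__":
    for row in triage():
        print(f"{row['user']:6} {row['rule']} {row['bucket']:24} {row['action']}")
```

Two caveats a practitioner would apply before acting on the buckets. The look-back window decides the outcome: a 90-day window misses quarter-end or year-end tasks, so shrinking it turns a materialised conflict into an apparent quick win (the test below shows exactly that), and the window used should be agreed with the business before any access is removed. And the roles named in the action are the ones granting the conflicting function, not necessarily roles that can be removed outright; where a role also grants unrelated access it has to be split first, which is where the role-to-position mismatch described above makes the remediation slow.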
Xendl accelerators / IP
Rapid mitigating report generation