Managing SOD Access Risks

Challenge

Massive numbers of single, derived, composite roles, roles did not match positions, excessive access an issue.  Ruleset did not contain custom transactions and gaps had been highlighted by big4 benchmarking exercise. Controls were weak and did not fit for purpose, Risks were unmitigated in live system .

Problem metrics

2 key systems, 6,000 users using SAP, 20,000+ single roles. Users in some departments required up to 200+ roles for their job.

Solution

Working with Financial Compliance team, Xendl assessed and updated RuleSet with all Big4 gaps where appropriate. Assessed custom t’codes and the need for inclusion to the RuleSet. Carried out assessment of Fiori and non-SAP (3rd party procurement and manufacturing systems) impacts on the RuleSet.

Provided technical support in a business led review of mitigating controls and helped establish the appropriateness and effectiveness of each.

Designed and provided guidance for new mitigations including risk materialisation reports to mitigate SoD risks and built a roadmap for full automation leveraging existing tools with customised Xendl bolt-on.

Supported a small selection of critical automated controls using a Xendl CCM bolt on to GRC.

What was delivered

• Established quick wins for SoD remediation, leveraging transactional usage
• Created, documented 20 new strong semi-automated detective controls leveraging custom reports developed by Xendl (see below)
• GRC Continuous Control Monitoring (CCM) to strengthen / protect existing automated controls
• Took the client on a journey to ≈ 0 unmitigated conflicts

Xendl accelerators / IP

Rapid mitigating report generation

Results

Xendl reviewed all access risks and remediated where possible and implemented controls to ensure ALL IT, Retail and Supply Chain and Finance Segregation of Duty (‘SoD’) risks were mitigated through the operation of documented mitigation controls.

SAP Tech Utilised

SAP GRC Access Risk Analysis (ARA)

Benefits

• Financial – Reduction in manpower / effort
• Operational – Massive reduction in manpower/effort also accelerated GRC ARM requests (no unmitigated access risk) GRC Continuous Control Monitoring (CCM) to strengthen / protect existing automated controls
• Compliance – Minimise access risk profile, strengthened integrity of financial Controls, reduced vector of attack from internal actors, reduced future audit issues.

These changes saved our client an estimated total of £40,154 annually