The Benefits of Performing Regular SAP Access Risk Assessments

Organizations without an access control or GRC solution should consider performing regular SAP access risk assessments.

“For many organizations, their external audit is the only time in the year where an access risk assessment is performed on their SAP system. As a result, these organizations have very little visibility into their SAP access risk exposure for the majority of the year, placing them at unnecessary risk,” explains Dudley Cartwright, CEO of Soterion.

Soterion is an international software solutions company that helps organizations extract maximum value from their Governance, Risk and Compliance (GRC) investment in the SAP environment by implementing the correct tools and methodologies.

“The appropriateness of an SAP authorization solution degrades over time, primarily due to SAP authorization creep. Authorization Creep is where users inherit more access over a given period than the access removed from them as they move to different job positions internally. This also happens when they require a single transaction code but are assigned a role with many transaction codes,” Mr Cartwright adds.

It is impractical, he notes, for the SAP security team to identify all technical mistakes that may occur during the SAP role build. The complexity of SAP authorizations not only means that mistakes are relatively common, but the sheer volume of data makes it very difficult to identify any issues. It is like finding a needle in a haystack.

“With a number of vendors who have developed a cloud offering, performing an access risk assessment is simple and easy. The data extraction can typically be done in less than an hour, which is the only effort required by the company. The vendor will perform the assessment and send the company their access risk results.”

“Performing more regular access risk assessments can be a more failsafe way to ensure the SAP authorization solution has not provided inappropriate access to the users during the course of the year,” he says.

Three Benefits of Performing Regular SAP Access Risk Assessments:

  1. Reduce SAP access risk: By performing SAP access risk assessments, organizations can identify the roles that provide users with inappropriate access. Often only a handful of incorrectly maintained roles are responsible for the majority of the access risks, and in many cases these roles can be addressed with minimal effort. They are the ‘low-hanging fruit’: fixing them can significantly reduce the total access risk count.
  2. Better prepared for audits: Performing an access risk assessment prior to the external audit gives the opportunity to identify ‘quick wins’ that can be addressed before the audit. No organization wants an unfavourable audit report, so reducing findings prior to the audit is attractive. In addition, there can be a cost saving in being better prepared for an audit: if an authorization solution provides users with such wide access that the audit firm believes substantive audit procedures are required, there will be additional audit costs to carry these out, as well as additional effort required from key employees to prepare for the audit.
  3. Enhanced business accountability of access risk: Although access risk is business risk, business users are unlikely to take accountability without some form of visibility, i.e. a user cannot be accountable for something they are not aware of. Without regular access risk assessments, business users are unlikely to know who has access to specific SAP functions. By performing regular assessments, IT provides the business with the visibility it needs to understand the access risks that exist in the SAP system, and so enhances business accountability of access risk.

Soterion SAP Access Risk Assessment

Mr. Cartwright concludes: “Soterion can be used to perform SAP access risk assessments on the organization’s SAP environment by either using the Soterion standard ruleset, or the customer is able to import or customize their own ruleset.”
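As an added illustration (not Soterion's code, ruleset or data), the following Python models the analysis that the three benefits above and the ruleset quote describe: a segregation-of-duties ruleset of conflicting business functions, each mapped to transaction codes; users who receive transaction codes through roles; and a report that flags each user's violations, ranks roles by how many violations they contribute to (the ‘handful of roles’ point), finds roles that violate a risk on their own, and quantifies how many violations a single role fix would remove. The function groupings, roles and users are constructed for the example; the transaction codes are standard SAP ones, but their assignment to functions here is illustrative, not an official ruleset.

```python
"""Toy SAP segregation-of-duties (SoD) access risk assessment.

Added example, not Soterion's code or ruleset. It assumes the usual GRC
model: a ruleset lists pairs of business functions one person must not
hold, each function maps to the transaction codes (tcodes) that perform
it, and users obtain tcodes through roles. All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed mapping of business function -> tcodes (grouping is illustrative).
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "CREATE_PO":     {"ME21N"},
    "POST_INVOICE":  {"MIRO", "FB60"},
    "RUN_PAYMENT":   {"F110"},
}

# Constructed SoD ruleset: risk id -> pair of functions that must be separated.
RISKS = {
    "P001": ("CREATE_VENDOR", "RUN_PAYMENT"),
    "P002": ("CREATE_PO", "POST_INVOICE"),
    "P003": ("POST_INVOICE", "RUN_PAYMENT"),
}

# Constructed role build (role -> tcodes) and user assignments (user -> roles).
ROLES = {
    "Z_AP_CLERK":     {"MIRO", "FB60"},
    "Z_PURCHASER":    {"ME21N", "ME23N"},
    "Z_TREASURY":     {"F110"},
    "Z_MD_VENDOR":    {"XK01"},
    "Z_AP_SUPERUSER": {"MIRO", "FB60", "F110", "XK01"},  # over-broad role
}
USERS = {
    "jsmith":  {"Z_PURCHASER"},
    "mkhan":   {"Z_AP_CLERK", "Z_PURCHASER"},  # authorization creep: kept old role after moving to AP
    "pdube":   {"Z_AP_SUPERUSER"},
    "lnaidoo": {"Z_TREASURY"},
}


def functions_granted(role_names, roles=ROLES):
    """Return function -> set of roles (among role_names) whose tcodes perform it."""
    granting = defaultdict(set)
    for role in role_names:
        for func, func_tcodes in FUNCTIONS.items():
            if roles[role] & func_tcodes:
                granting[func].add(role)
    return granting


def assess_user(role_names, roles=ROLES):
    """Return [(risk_id, frozenset of roles involved)] for each SoD risk violated."""
    granting = functions_granted(role_names, roles)
    return [(rid, frozenset(granting[f1] | granting[f2]))
            for rid, (f1, f2) in RISKS.items()
            if f1 in granting and f2 in granting]


def assess_all(users=USERS, roles=ROLES):
    """Run the ruleset against every user."""
    return {u: assess_user(r, roles) for u, r in users.items()}


def roles_by_risk_contribution(results):
    """Count the (user, risk) violations each role takes part in, most first.
    The top entries are the 'low-hanging fruit' roles worth fixing first."""
    counter = Counter()
    for violations in results.values():
        for _rid, roles in violations:
            counter.update(roles)
    return counter.most_common()


def intra_role_conflicts(roles=ROLES):
    """Risks a single role violates by itself: every user holding that role
    inherits the conflict, so repairing the role repairs all of them."""
    out = {}
    for role, tcodes in roles.items():
        funcs = {f for f, ft in FUNCTIONS.items() if tcodes & ft}
        hits = [rid for rid, (f1, f2) in RISKS.items() if f1 in funcs and f2 in funcs]
        if hits:
            out[role] = hits
    return out


def total_violations(users=USERS, roles=ROLES):
    return sum(len(v) for v in assess_all(users, roles).values())


def violations_if_role_removed(role, users=USERS, roles=ROLES):
    """Violations remaining if `role` were withdrawn from every user: a quick
    way to quantify the payoff of one remediation before doing it."""
    trimmed = {u: r - {role} for u, r in users.items()}
    return total_violations(trimmed, roles)


if __name__ == "__main__":
    results = assess_all()
    for user, violations in results.items():
        for rid, roles in violations:
            print(f"{user}: {rid} via {sorted(roles)}")
    print("roles by contribution:", roles_by_risk_contribution(results))
    print("roles conflicting on their own:", intra_role_conflicts())
    for role in ROLES:
        print(f"remove {role}: {total_violations()} -> {violations_if_role_removed(role)} violations")
```

In a real assessment the three constructed tables would be replaced by extracts of the user, role and authorization data from the SAP system, and the ruleset would be the standard or customized one the quote refers to; the logic above is the same, only at a much larger volume.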

Contact Soterion if your organization is interested in ad hoc assessments.

Media Contact
Company Name: Soterion
Contact Person: Caryn Pretorius
Phone: +27 11 540 0232
Address: Block A, Wedgefield Office Park, Muswell Road South
City: Bryanston
State: Johannesburg
Country: South Africa