by Rohan Bhatia, Senior Manager, Enterprise Application Solutions at Protiviti and Brandon Drake, Manager, Enterprise Application Solutions at Protiviti
These days, when remote working is forcing nearly every organization to take a close look at how efficiently their security practices find the proverbial needle in the haystack, a tool like SAP Access Violation Management (AVM) by Pathlock Technologies (GLT) can be more important than ever. The purpose of AVM is to identify and report “true” segregation of duties (SoD) violations within a company’s core business systems. True SoD violations reported by AVM complement the “potential” SoD violations reported by traditional Governance, Risk, and Compliance (GRC) tools: the former are based on end-to-end transactions that users have actually executed in the monitored system(s), whereas the latter are access-based violations derived from the security roles assigned to users. Because of this, AVM provides a deeper level of visibility into SoD conflicts that have actually been committed, together with their associated financial impact.
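To make the distinction between potential (role-based) and true (transaction-based) SoD violations concrete, here is an added example that is not part of the original article and is not AVM or GRC product code. All role definitions, user assignments, risk rules and the transaction log are constructed sample data; the function names, the `(user, function, business_object, amount)` log layout and the rule that a true violation requires both conflicting functions to be executed by the same user against the same business object are assumptions made for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# --- Constructed sample data (not from the page or any real system) ---

# Which business functions each security role grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"CREATE_VENDOR"},
    "AP_PAYMENTS": {"POST_PAYMENT"},
    "PROCUREMENT": {"CREATE_PO", "APPROVE_PO"},
}

# Current role assignments. Note that "erin" has no roles today
# (assume her access was removed after the transactions below were posted).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},
    "bob": {"AP_CLERK"},
    "carol": {"PROCUREMENT"},
    "dave": {"PROCUREMENT"},
}

# SoD risk rules: a risk is a pair of conflicting functions.
SOD_RISKS: Dict[str, Tuple[str, str]] = {
    "P01": ("CREATE_VENDOR", "POST_PAYMENT"),
    "P02": ("CREATE_PO", "APPROVE_PO"),
}

# Executed-transaction log: (user, function, business object key, amount).
TRANSACTIONS: List[Tuple[str, str, str, float]] = [
    ("alice", "CREATE_VENDOR", "VENDOR-100", 0.0),
    ("alice", "POST_PAYMENT", "VENDOR-100", 12500.0),
    ("alice", "POST_PAYMENT", "VENDOR-200", 900.0),
    ("bob", "CREATE_VENDOR", "VENDOR-200", 0.0),
    ("carol", "CREATE_PO", "PO-7", 3000.0),
    ("dave", "APPROVE_PO", "PO-7", 3000.0),
    ("erin", "CREATE_PO", "PO-9", 4800.0),
    ("erin", "APPROVE_PO", "PO-9", 4800.0),
]


def user_functions(user: str, user_roles: Dict[str, Set[str]],
                   role_functions: Dict[str, Set[str]]) -> Set[str]:
    """Union of all functions reachable through the user's assigned roles."""
    functions: Set[str] = set()
    for role in user_roles.get(user, set()):
        functions |= role_functions.get(role, set())
    return functions


def potential_violations(user_roles: Dict[str, Set[str]],
                         role_functions: Dict[str, Set[str]],
                         risks: Dict[str, Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """GRC-style, access-based check: a user *could* perform both halves of a risk.

    This flags exposure regardless of whether anything was ever executed."""
    found: Set[Tuple[str, str]] = set()
    for user in user_roles:
        reachable = user_functions(user, user_roles, role_functions)
        for risk_id, (f1, f2) in risks.items():
            if f1 in reachable and f2 in reachable:
                found.add((user, risk_id))
    return found


def true_violations(transactions: List[Tuple[str, str, str, float]],
                    risks: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str, float]]:
    """Transaction-based check: the same user executed both conflicting functions
    against the same business object. Returns (user, risk, object, amount),
    where amount is the largest amount seen on that object (the exposure)."""
    # (user, object) -> {function: max amount executed}
    executed: Dict[Tuple[str, str], Dict[str, float]] = defaultdict(dict)
    for user, function, obj, amount in transactions:
        prev = executed[(user, obj)].get(function, 0.0)
        executed[(user, obj)][function] = max(prev, amount)

    found: List[Tuple[str, str, str, float]] = []
    for (user, obj), funcs in executed.items():
        for risk_id, (f1, f2) in risks.items():
            if f1 in funcs and f2 in funcs:
                found.append((user, risk_id, obj, max(funcs[f1], funcs[f2])))
    return sorted(found)


def financial_exposure(violations: List[Tuple[str, str, str, float]]) -> float:
    """Total monetary value tied to committed SoD violations."""
    return sum(v[3] for v in violations)


if __name__ == "__main__":
    print("potential:", sorted(potential_violations(USER_ROLES, ROLE_FUNCTIONS, SOD_RISKS)))
    print("true:", true_violations(TRANSACTIONS, SOD_RISKS))
    print("exposure:", financial_exposure(true_violations(TRANSACTIONS, SOD_RISKS)))
```

Running this shows why the two views complement each other: `carol` is a potential P02 violation because her role grants both functions, but she never approved her own purchase order (`dave` did), so there is no true violation for her; `erin` holds no roles today and is invisible to the access-based check, yet the transaction log shows she both created and approved PO-9, which the transaction-based check surfaces along with its amount. In a monitoring programme the potential list drives role redesign, while the true list drives business-owner review and quantifies financial impact.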
Protiviti’s technology consulting team recently partnered with a large multinational oil and gas company to implement AVM. This implementation served as a catalyst for a holistic improvement of the organization’s SoD process and governance. Before AVM, the company had varying degrees of SoD risk reviews for its core business systems (multiple ERP and procurement applications), all of which were highly manual. These reviews consisted of manually generating transactional violation reports for each SoD risk, many of which, we discovered during our AVM implementation, needed design improvements. The manually generated reports were sent to the appropriate business owners within the organization, and their review responses and supporting documentation were stored for the external auditors. This process was highly cumbersome and difficult to maintain, so the client decided to implement AVM to automate and streamline the SoD review process, with Protiviti as the system implementation partner. In total, the project team implemented over 50 SoD risks across dozens of production business systems, including cross-system risks that monitor conflicting functions spread across separate applications.
In the early phase of the project, we developed an SoD monitoring strategy and corresponding business process flows to illustrate how to maximize the technology investment in AVM. We created a roadmap for ongoing maintenance of not only the AVM product but the comprehensive SoD process itself, which allowed the client to effectively own the process after deployment. This led to the creation of an SoD governance team composed of representatives from across the client’s global organization, including internal controls, business process leads, IT and other relevant groups. In doing this, the business decisions around the SoD process became the focus, while the enabling technology elements (e.g. AVM, GRC) were used to bring those decisions to fruition in automated form. Before this project, the SoD review process took place infrequently. With AVM, the client can perform SoD reviews much more frequently because of the simplicity of the new process; this would have been an unreasonable request before AVM was implemented because of the manual nature of the legacy process. With AVM in place, the client runs the risk monitoring jobs on a monthly cadence and plans to move to a weekly or even daily frequency in the future. This example shows the harmonization of a business decision with technological enablement, all of which is facilitated by the SoD governance team. The established governance structure also gives the organization a mechanism for continuous process improvement moving forward.