With many large public companies running SAP applications for their financial and accounting operations, SOX compliance within the SAP environment is crucial to a successful audit. Segregation of Duties (SoD) in SAP plays a key role in managing roles and authorizations among SAP users to prevent conflicts and mitigate the risk of fraud.
However, user access to SAP systems is dynamic in nature because roles change constantly, which makes SoD conflicts hard to track, detect, and prevent. SAP's native authorization model is static (roles and profiles assigned to users), so it does not support the risk-adjusted, adaptive security approach recommended by Gartner. In the SAP context, SOX compliance therefore also demands an effective mechanism for monitoring, alerting on, and preventing fraudulent activity that arises from SoD conflicts.
The Sarbanes-Oxley Act has two sections that address evidence of effective internal controls over accounting and financial reporting: sections 302 and 404. Section 302, titled Corporate Responsibility for Financial Reports, makes the CEO and CFO directly responsible for the accuracy, documentation, and submission of all financial reports filed with the SEC, and for the internal control structure behind them. The act requires the CEO and CFO to certify that they accept personal responsibility for those internal controls and have evaluated their effectiveness within the 90 days preceding the report.
While section 302 establishes executive responsibility for the internal controls affecting accounting and financial reporting, section 404, titled Management Assessment of Internal Controls, requires management to assess, monitor, and maintain those controls and have that assessment attested to by the external auditor. Section 404 is the most complicated, most contested, and most expensive to implement of all the Sarbanes-Oxley sections.
Access controls are intended to manage the inherent risks of granting access to systems and data. These risks include segregation of duties violations, excessive access, an ineffective access change management process, an ineffective access termination process, an ineffective access review and recertification process, and weak password enforcement, to name a few.
Under PCAOB Auditing Standard No. 5 (AS 5, since recodified as AS 2201), if access risks of this kind are not effectively controlled, the external SOX audit will report a control issue. Control issues are classified, in increasing severity, as a control deficiency, a significant deficiency, or, worst of all, a material weakness. Pathlock ProfileTailor GRC helps organizations manage the entire SAP access management lifecycle in order to monitor and meet the internal control requirements of SOX sections 302 and 404.
Segregation of duties conflicts and SoD security violations arise from inappropriate access at the SAP transaction level. For example, a single SAP user may be able to create a new vendor, enter a payment to that vendor, and approve that payment. These three functions should be split between different people, because one person holding all three can set up a fictitious vendor and pay it without anyone else's involvement. SoD conflicts in SAP arise when user roles and the authorizations attached to those roles are not clearly defined, which leads to over-provisioning: users accumulate more authorizations than company policy and compliance regulations allow. A conflict is frequently not visible within any single role; it only appears when the combination of roles assigned to a user is analysed.
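As an added example (not code from the original page, nor from Pathlock's or SAP's products), the following Python script performs the kind of SoD conflict check described above over user-to-role and role-to-transaction-code assignments, and then asks which single role removal would clear each user. The mapping of business functions to transaction codes, the rule set, and the sample roles and users are all constructed and simplified for illustration; a real analysis would also evaluate authorization objects and activity values behind each transaction, not only the transaction codes themselves.

```python
"""Minimal SoD conflict check over SAP-style user/role/transaction-code data.

Added example. FUNCTION_TCODES, SOD_RULES, ROLE_TCODES and USER_ROLES are
constructed sample data (assumed, simplified), not an exported SAP ruleset.
"""
from collections import defaultdict

# Assumed, simplified mapping of business functions to SAP transaction codes.
FUNCTION_TCODES = {
    "CREATE_VENDOR": {"XK01", "FK01"},   # create vendor master (central / accounting)
    "ENTER_INVOICE": {"FB60", "MIRO"},   # enter vendor invoice
    "POST_PAYMENT":  {"F-53", "F110"},   # post outgoing payment / payment run
    "MAINTAIN_BANK": {"FI12"},           # maintain house banks
}

# SoD ruleset: function pairs one user must not hold together, with a risk rating.
SOD_RULES = [
    ("CREATE_VENDOR", "POST_PAYMENT", "HIGH"),
    ("CREATE_VENDOR", "ENTER_INVOICE", "HIGH"),
    ("ENTER_INVOICE", "POST_PAYMENT", "MEDIUM"),
    ("MAINTAIN_BANK", "POST_PAYMENT", "HIGH"),
]

# Constructed sample roles (tcode sets) and user-to-role assignments.
ROLE_TCODES = {
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_AP_CLERK":      {"FB60", "FB03"},
    "Z_AP_PAYMENTS":   {"F-53", "F110"},
    "Z_DISPLAY_ONLY":  {"FK03", "FB03"},
}
USER_ROLES = {
    "jdoe":   ["Z_VENDOR_MASTER", "Z_AP_PAYMENTS"],                # conflict across two roles
    "asmith": ["Z_AP_CLERK", "Z_DISPLAY_ONLY"],                    # clean
    "rlee":   ["Z_AP_CLERK", "Z_AP_PAYMENTS", "Z_VENDOR_MASTER"],  # several conflicts
}


def functions_from_roles(roles, role_tcodes):
    """Resolve which business functions a set of roles grants, and via which role/tcode.

    Returns {function: {(role, tcode), ...}} so every hit can be traced back to
    the role that introduced it (needed for remediation, not just detection).
    """
    granted = defaultdict(set)
    for role in roles:
        for tcode in role_tcodes.get(role, ()):
            for func, tcodes in FUNCTION_TCODES.items():
                if tcode in tcodes:
                    granted[func].add((role, tcode))
    return granted


def find_conflicts(user_roles, role_tcodes, rules=SOD_RULES):
    """Return {user: [conflict, ...]} for every user holding both sides of a rule.

    Each role is evaluated in combination with the user's other roles, so a
    conflict is found even when every individual role is clean on its own.
    """
    report = {}
    for user, roles in user_roles.items():
        granted = functions_from_roles(roles, role_tcodes)
        hits = []
        for f1, f2, risk in rules:
            if f1 in granted and f2 in granted:
                hits.append({
                    "rule": (f1, f2),
                    "risk": risk,
                    "via": {f1: sorted(granted[f1]), f2: sorted(granted[f2])},
                })
        if hits:
            report[user] = hits
    return report


def roles_whose_removal_clears(user, user_roles, role_tcodes, rules=SOD_RULES):
    """List single roles whose removal leaves the user conflict-free.

    An empty list means no one-role remediation exists and the roles themselves
    (or the business process) need to be redesigned.
    """
    roles = set(user_roles[user])
    candidates = []
    for role in sorted(roles):
        if not find_conflicts({user: roles - {role}}, role_tcodes, rules):
            candidates.append(role)
    return candidates


if __name__ == "__main__":
    report = find_conflicts(USER_ROLES, ROLE_TCODES)
    for user, hits in report.items():
        print(f"{user}: {len(hits)} conflict(s)")
        for hit in hits:
            print(f"  [{hit['risk']}] {hit['rule'][0]} + {hit['rule'][1]} via {hit['via']}")
        print(f"  single-role remediation: "
              f"{roles_whose_removal_clears(user, USER_ROLES, ROLE_TCODES) or 'none'}")
```

Running the script reports jdoe with one HIGH conflict (vendor creation via Z_VENDOR_MASTER plus payment posting via Z_AP_PAYMENTS) that either role removal clears, asmith as clean, and rlee with three conflicts that no single role removal resolves, which is the case that requires a role redesign rather than an access revocation.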
To avoid access risks like SoD security violations and achieve SOX compliance in SAP, organizations need to implement the following layers of controls:
Establish effective governance and oversight of the SAP security administration process: define roles, responsibilities, policies, processes, and procedures, and monitor the performance of SAP security so that variances are identified and corrected quickly. Governance is one of the most overlooked processes, and many significant SAP security administration issues could have been avoided had it been in place.
Establish an effective SAP security administration process for adding new users, modifying the access of existing users, terminating user access in a timely manner, and periodically reviewing all user access for recertification. Automation, analytics, and artificial intelligence can dramatically improve the operating efficiency of this process. An attribute-based access control (ABAC) model provides more effective and adaptive security than the role-based access control model native to SAP, and it can automate SAP policy enforcement at the business process, transaction, and data level.
Internal auditors should perform an independent audit of SAP security to verify the design and operating effectiveness of all SAP access controls after the business unit and IT department have completed their own self-assessments.
Pathlock ProfileTailor GRC is a comprehensive compliance platform that enables greater control over user access risks, segregation of duties, compliance, and audit. The platform leverages embedded AI, machine learning, and predictive analytics to continuously identify potential risks and provide optimized suggestions to resolve conflicts. With Pathlock, your organization can achieve SAP SOX compliance by:
Get in touch with our SAP Compliance Experts to achieve and maintain a clean SAP security environment.