Use of third party tools
It can be difficult to manage key processes ensuring accuracy and completeness, whilst also addressing identified risks without compromising operational efficiency. SAP controls have proven to be highly effective in resolving these issues; however, this is a complex area. Obtaining reliance on the operational effectiveness of these controls without a dedicated tool can prove difficult, time-consuming and inefficient. A key challenge for management is to dramatically reduce the cost of executing and monitoring controls whilst also increasing their effectiveness. Management need to meet their business and compliance objectives by verifying that controls have addressed identified risks and are operating effectively.
Operating system, database and infrastructure security
The operating system, database and infrastructure security is the first line of defence against unauthorised individuals gaining access and making changes to key financial information. Therefore the configuration at this level underpins the security of your IT environment.
SAP application access controls is an area that many organisations find difficult to manage, monitor and maintain. Application access must be configured to restrict access to activities that are in line with users’ jobs to prevent unauthorised changes. Business roles should be clearly defined and the access model designed to enforce appropriate restriction of sensitive access and prevent Segregation of Duties (SoD) violations. Accurately determining sensitive access and SoD exposure is complex and may require the implementation of an in-house or third party developed tool.
Business process controls
Automated controls reduce the need for manual controls and minimise the effort needed to maintain a controlled environment. Appropriate system configuration is essential to enabling these controls.
Effectively analysing operating system and database security through Deloitte’s Sekchek and OASIS tools
- Implementation and use of tools that review the security configured at the underlying operating system and database level. The security of your system is compared to leading practice and benchmarked against your industry.
Unique insight into SoD and sensitive access exposure through SAP GRC Access Controls, Bizright Approva, SecurityWeaver Separations Enforcer or Deloitte’s eQSmart
- Implementation and use of tools that analyse your sensitive access and SoD exposure in the context of your current business processes and key business and compliance risks.
- We can identify remediation and mitigation priorities as well as determine the design and operation of mitigating controls that may already be operating within your business.
Automation and reporting of application controls through SAP GRC Process Controls, SecurityWeaver Process Auditor or Deloitte’s Automated Control Testing Tool
- Implementation and use of tools that monitor and analyse the configuration of the automated business process controls set up in your system. Detailed reports are automatically produced highlighting the weaknesses in the configuration of automated controls across key business processes.