Security and role design
Access control is an area that many organisations find difficult to manage, monitor and maintain. Access controls are the way that activities within the business process are divided and allocated to users of an ERP system. Business roles need to be clearly defined and the access model designed to support Segregation of Duties principles. The access model should be managed by security administration processes, for example user and role administration, to ensure the ongoing integrity of access controls. The following areas are associated with access controls:
- Auditing & monitoring of user access
- Segregation of Duties in user access privileges
- Security configuration settings
- Secure user provisioning
- Control user access levels
- Control over super user accounts
Difficulties in upholding Segregation of Duties principles
Business process controls are undermined by a lack of segregation between sensitive functions. This lack of segregation may be inherent in the SAP role itself or arise through the combination of access assigned to users.
The super user problem
Support users and third parties have uncontrolled or excessive access to the ERP system, posing a recurring audit risk.
Poorly designed, inefficient support processes
These lead to an increasing cost of compliance and to controls being seen as a potential business blocker.
We can help you re-evaluate your key access requirements in the context of your current business processes and user roles. We can also help you align and maintain access control within your business systems. We have vast experience of utilising a range of ERP access and authorisation reporting technologies that are cost-effective in execution and provide enhanced visibility of control effectiveness for management and auditors.
We use a four-stage approach to implement sustainable access control solutions: a quick start analysing pre-existing risk and controls; achieving a compliant status; dealing with exceptions, privileged access and outsourcing partners; and ultimately achieving sustained compliance. We can assist you with anything from one stage through to the full access control implementation lifecycle.