Audit Services

What is SAP Authorization Review & Segregation of Duties (SoD)?

Authorizations in SAP system is a complex area and requires detailed understanding of both SAP authorization concepts (such as authorization objects, authorizations, profiles, roles and user master records) and business processes (such as financial accounting, procurement and sales).The purpose of authorizations review is to ensure that user access is based on their responsibilities and users are not assigned any additional access.

Segregation of Duties (SoD), on the other hand, ensures that no one individual has complete control over major phase of a process and is typically enforced through a combination of authorizations and compensating controls

img-SOD

Objective of this assessment

Ensure the user access is based on the responsibilities and users are not assigned any additional access
Ensure that no individual has complete control over major phase of a process
Maintain a secure and well-controlled SAP system

Approach & Methodology

SoftScheck’s SAP Authorizations Review and Redesign Methodology is based on softScheck’s extensive experience in the area of SAP authorizations review and redesign. This is a comprehensive methodology and consists of following three components.

The SAP authorizations and SoD review utilizes the first two components of the methodology while the third component is utilized for redesign engagement.

The methodology is based on a risk-based approach, which goes beyond the symptoms to identify ‘root causes. This results in the following benefits:

Achieves long-term resolution of issues
Minimizes recurrence of issues
Prioritizes actions based on cost-benefit analysis
icon-preparation

Step 1: Preparation

  • Obtain existing SAP authorization documentation
  • Obtain business blueprints/ process flows
  • Obtain SoD ruleset
  • Install tool/ obtain authorization tables from SAP

icon-Evidence

Step 2: Analysis

  • Define sensitive & critical access
  • Configure tool with access and SoD rules
  • Run access risk analysis using tool +

icon-assessment

Step 3: Assessment

  • Analyze the risk analysis results
  • Identify inappropriate/ excessive access and unauthorized SoD risk violations
  • Identify authorization issues including role design, definition and governance

icon-Reporting

Step 4: Reporting

  • Discuss the issues with management
  • Discuss recommendations to address the issues
  • Issue draft report
  • Obtain management feedback and inputs
  • Finalize report