The majority of the components that make up a Governance, Risk and Compliance (GRC) solution are back-end activities performed by GRC or SAP security administrators. However, some GRC activities have a crucial touchpoint with the business users of that functionality, namely:
– SAP access risk simulations (approved or rejected by line managers)
– User Access Review
Organizations have been asking their business users to review SAP access change requests for quite some time. However, even though regulations such as SOX and J-SOX have existed for almost 20 years, a formal User Access Review is a more recent requirement for many organizations.
It’s Becoming More Important
The primary driver behind a User Access Review is usually audit. Under control frameworks such as the Sarbanes-Oxley (SOX) Act and J-SOX, listed organizations are expected to perform a User Access Review periodically, usually annually.
Before we go any further, let’s remind ourselves of the purposes of the User Access Review:
During a given year, SAP access change requests are simulated using an access control solution. Line managers or business users are required to review these proposed changes, and approved requests are applied in SAP.
The function of the User Access Review is to check whether that SAP access is still valid at a later point in time. For example, if a person requests access to create purchase orders (transaction ME21N) and the request is approved, the appropriate role is assigned to the user. If this assignment was made on 1 January 2020, who is to say that the access is still relevant for that user on 1 January 2021?
The User Access Review therefore gives the organization an opportunity to re-examine the user's access and confirm whether it is still relevant and applicable, since the user may have moved to a different job function, or their role may have changed since the assignment was made. One of the great advantages of a User Access Review is that it limits SAP authorization creep: the accumulation of access that was justified once but never removed.
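To make the "is this assignment still relevant?" question concrete, here is an added Python illustration (not code from the article, and not Soterion's or SAP's own tooling) that prioritises role assignments for a reviewer instead of handing them the whole list. It joins three constructed data sets that an SAP security team can normally extract: role assignments with their assignment dates, the date of each user's last job or organisational change from HR, and the last date each role was actually used. Assignments whose user changed job after the assignment, whose role is unused, or whose assignment is older than the review cycle are flagged and scored, and technical role names are translated through a hypothetical catalogue into the business-language description the reviewer actually understands. The role names, table layouts, thresholds and sample dates are all assumptions for the example.

```python
"""Prioritise SAP role assignments for a User Access Review.

Added illustration only: not code from the article or from any vendor
product. All data below is constructed for the example; the structures
loosely mimic SAP's AGR_USERS role-assignment table but are not extracts.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    assigned_on: date
    valid_to: Optional[date] = None  # SAP allows dated assignments; None = open-ended


@dataclass
class Finding:
    user: str
    role: str
    business_description: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0


# Hypothetical mapping from technical role names to business language.
ROLE_CATALOGUE = {
    "Z_MM_PO_CREATE": "Create purchase orders (ME21N)",
    "Z_MM_PO_APPROVE": "Release purchase orders (ME29N)",
    "Z_FI_AP_PAY": "Run vendor payment proposals (F110)",
}


def review_candidates(assignments: List[Assignment],
                      job_changes: Dict[str, date],
                      last_used: Dict[Tuple[str, str], date],
                      as_of: date, *,
                      stale_days: int = 180,
                      max_age_days: int = 365) -> List[Finding]:
    """Return assignments that deserve a reviewer's attention, highest risk first."""
    findings: List[Finding] = []
    for a in assignments:
        if a.valid_to is not None and a.valid_to < as_of:
            continue  # already expired; nothing for the reviewer to decide
        f = Finding(a.user, a.role, ROLE_CATALOGUE.get(a.role, a.role))
        changed = job_changes.get(a.user)
        if changed is not None and changed > a.assigned_on:
            # The classic authorization-creep case: access granted for a previous job.
            f.reasons.append(f"job changed on {changed}, after the role was assigned")
            f.score += 3
        used = last_used.get((a.user, a.role))
        if used is None:
            f.reasons.append("role never used")
            f.score += 2
        elif (as_of - used).days > stale_days:
            f.reasons.append(f"role not used for {(as_of - used).days} days")
            f.score += 2
        if (as_of - a.assigned_on).days > max_age_days:
            f.reasons.append(f"assigned {(as_of - a.assigned_on).days} days ago")
            f.score += 1
        if f.reasons:
            findings.append(f)
    findings.sort(key=lambda x: (-x.score, x.user, x.role))
    return findings


def format_for_reviewer(f: Finding) -> str:
    """One line per finding, in business terms rather than role names."""
    return f"{f.user}: {f.business_description} [score {f.score}] - " + "; ".join(f.reasons)


# Constructed sample data; JSMITH's first line is the article's 1 Jan 2020 example.
AS_OF = date(2021, 1, 1)
ASSIGNMENTS = [
    Assignment("JSMITH", "Z_MM_PO_CREATE", date(2020, 1, 1)),
    Assignment("JSMITH", "Z_FI_AP_PAY", date(2020, 6, 15)),
    Assignment("AKHAN", "Z_MM_PO_APPROVE", date(2020, 11, 1)),
    Assignment("LNGUYEN", "Z_MM_PO_CREATE", date(2019, 3, 1), valid_to=date(2020, 12, 31)),
]
JOB_CHANGES = {"JSMITH": date(2020, 9, 1)}  # moved from purchasing to finance
LAST_USED = {
    ("JSMITH", "Z_MM_PO_CREATE"): date(2020, 8, 20),
    ("AKHAN", "Z_MM_PO_APPROVE"): date(2020, 12, 28),
}

if __name__ == "__main__":
    for finding in review_candidates(ASSIGNMENTS, JOB_CHANGES, LAST_USED, AS_OF):
        print(format_for_reviewer(finding))
```

In the sample run only JSMITH's two roles are surfaced: AKHAN's recently assigned and actively used role generates no finding, and LNGUYEN's dated assignment has already expired. Feeding a reviewer the scored, business-language list rather than every assignment is what turns the exercise from a tick-box into a risk decision.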
The downside for many organizations is that the User Access Review is done merely to appease audit, and the value of the activity is questionable, especially considering the effort required from business users to carry it out.
There is a need to shift the mindset of business users from treating it as an audit tick-box exercise to seeing it as a valuable activity in remediating access risk.
To support this shift in thinking, however, organizations need to consider several process changes. It is important to understand the challenges facing the business users who perform the SAP User Access Review: if they find the process onerous or confusing, they will push back and treat it as a tick-box exercise, and the organization will extract minimal value from the User Access Review.
How do You Facilitate This Shift in Thinking?
Besides garnering senior management support for the User Access Review, a number of technical aspects should be considered to make the process easier and simpler for business users. Here are a few considerations:
1. Role Design
2. Role Methodology
3. Rule Set Customization and Business Education of Access Risk
4. Use a Tool to Facilitate the User Access Review Process
5. Split Reviews
– Role Content Review
– User Access Review
6. Iterative Reviews
How can Soterion Help You?
Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.
Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organization time and money.
Feel free to email us at [email protected]. Let us help you take your GRC to the next level.
Company Name: Soterion
Contact Person: Caryn Pretorius
Phone: +27 11 540 0232
Address: Block A, Wedgefield Office Park, Muswell Road South
Country: South Africa