The basic rules for ensuring project success below apply to SAP Access Control implementation projects, SAP access profile redesign projects, and projects that cover both scenarios at the same time.
Generally, the need for a project to implement the SAP Access Control solution and redesign SAP access profiles almost always arises after internal audits or independent (external) audits, which in many cases point out non-compliance with Segregation of Duties (SoD) in user access profiles. When this occurs, the IT area responsible for managing SAP access profiles is held accountable for the audit results, sometimes even unfairly.
The IT area then takes on the role of putting the SAP Access Control and SAP access profile redesign project into practice and starts planning and defining the scope. It is from this point that the main errors leading to the failure of projects of this nature occur, almost always influenced by the lack of “GRC” competences that IT teams usually do not have; otherwise, the non-conformities would not have been pointed out in the first place. So, what should be done to avoid these errors and the failure of projects of this nature?
Applying the following ground rules reduces most of the major flaws in SAP Access Control and SAP access profile redesign projects. They are:
SPECIALIZED WORKFORCE: Defining a good implementation team, or a service-provider consultancy with excellence in the subject, is essential for a project without surprises. However, the service provider alone does not guarantee the success of the project. The involvement of the contracting company is essential so that the definitions that best fit the organization’s culture and requirements are made. Specialization in GRC service provision is a major differentiator that companies should look for, in addition to proven experience in previous similar projects.
REQUIREMENTS MAPPING: If the organization has opted for a GRC specialist consultancy for the project definition process, the requirements mapping will be carried out by the consultancy, prioritizing the organization’s budget, culture and goals. It is essential to identify the following items:
- Map the main audit gaps that may have motivated the project;
- Define the market practices or frameworks (for example COSO, SOx, COBIT, etc.) that should be incorporated into the project;
- Determine whether the project will cover the redesign of access profiles and the implementation of SAP Access Control at the same time;
- Identify whether other projects planned in the organization may impact the project that will be contracted;
- Do not fall into the temptation of adopting a proposed SAP authorization model (Roles) without evaluating its adherence to the organization’s requirements and culture;
- Look for an SAP authorization model (Roles) that facilitates maintenance, reuse and the treatment of SoD risks;
- Understand the main features available in the SAP Access Control solution and define where you want to go with the implementation;
- Adopt the SoD Standard Risk Matrix or adapt a customized matrix for your business;
- Define the Compensatory Controls catalog to mitigate SoD risks;
- Identify the risks in custom ABAP developments and include them in the SoD risk matrix;
- Define an ABAP governance procedure to ensure that future maintenance of custom ABAP developments stays aligned with GRC practices;
- Define a responsibility matrix (RACI) so that those involved in the project and in operations have a clear view of their responsibilities;
- Establish the main desired GRC flows.
DETERMINATION OF THE SPONSOR: Because this is a project that involves different areas of the organization (business areas, the technical area, internal controls, audit, etc.), it is necessary to involve someone with standing in the organizational structure, such as the CFO or CIO, to act as sponsor and facilitator for the engagement of stakeholders from the other impacted areas. Projects to implement SAP Access Control and redesign SAP access profiles require a sponsor from top management!