Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SOD (Separation of Duties) Project

Go to solution
former_member459694
Participant

‎01-23-2013 9:29 AM

0 Kudos

Hello all,

we will hold an SOD project which aims to separate conflict duties in our ECC system, for example: the one who define salary will not have authorization to pay the salary, accountant will not have authorization as cashier, etc.

to do this task, I think we should go through our current system to find out which role contains conflict authorization objects(values) and then correct them.

my question is:

1. am my understanding right? is it the right way to do SOD?

2. how to do it? to download authorization data from profile related tables and then analysis?

3. will this project involve functional consultant? for example, besides basis consultant, MM, PP, SD also needed?

4. how long will it take to finish this project? total end user is around 150, and there are 5 modules.

I heard that there is an SAP product GRC which is used to do this? however this will need additional license fees, so we would like to do it by manual, I think the main problem is the ruleset that we should define, am I right? then, where should I find this kind of ruleset? from SOX regulation?

Thank you so much for all

Freshman

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎01-23-2013 10:15 AM

0 Kudos

You should probably have this discussion over in the space - people there will be more familiar with the process and the issues, as well as with SAP's GRC software.

We have just completed a project using SAP's GRC, and have got our SoD conflicts down to zero. Even with the help of SAP's GRC software it took a long time. We had a concentrated period of a few months initially, which reduced the count enormously, but the majority of the time is spent in negotiation with users and their departments about how to split up duties. We found that we couldn't continue with the project as a primary focus because we were spending lots of time in those negotiations. After a few months it became a part-time project for us, and the timescales necessarily became longer. From start to finish I'd say it took us about two years on that mostly part-time basis.

I would say SAP's GRC software was invaluable in this project, for a couple of reasons. First, obviously it automates the analysis. There's a lot of work involved in finding all of the SoD conflicts, if you are going to do it right. Having that work done automatically overnight, every night, and being able to instantly see the results of the last batch of cleanup, saved us a lot of manual work. In addition, we we pretty much required to do this work by our auditors, and having the analysis done by a piece os software from SAP took a lot of the pressure off. If we were to do the analysis ourselves we would have had to prove to the auditors we were doing it right. Auditors like systems

You can do it without, maybe. I'm told when an SAP GRC project starts, a typical customer has a "violation count" in the millions. When we started, our count was just over 50k. That's because we had an ex-auditor managing our user creation and role allocation. She, obviously, did a fantastic job of keeping things under control. Our GRC consultants were very, very surprised by that number being so low. That said, 50k is still a lot and it took us two years to get it down to zero. Would we have been able to get it down to zero without SAP GRC? And more importantly keep it there? And more importantly prove to the auditors that the number is correct? I don't think so.

If you are serious about this project and want to do it properly, and provably, I suggest you investigate the costs of SAP GRC. It may not be as high as you think, and you may decide it is worth it.

To address your questions:

  1. You need to analyse roles/profiles for internal conflicts, but you also need to analyse each user separately as roles/profiles that are "clean" in themselves can still create conflicts in combination.
  2. That is in effect what SAP GRC does, so yes. What would you use for the analysis? It isn't an easy problem. You need to look at the authorisation level, not just the transaction level.
  3. Yes, functional knowledge will be required. I would seriously suggest you need somebody with a financial audit background also. That helped us a lot.
  4. We have about 800 users. The majority of our conflicts were in MM, SD and FI/CO. We haven't implemented HR. And as I said it took us two years to get to zero, with the help of SAP GRC. For you I would assume at least 6 months.

I hope that all helps. I know I sound a bit like a salesman for SAP GRC. I'm not - just a very satisfied user. You can in principle do this without, but I wouldn't...

Steve.

2 REPLIES 2

Go to solution
Former Member

‎01-23-2013 9:57 AM

0 Kudos

Hi

First of all you need to identify the key controls that require access to be segregated.  Once you have this then you have the rules you can validate against your roles.

1. General approach for remediation is start small & work up. That means remediate single roles then composite roles (if using) then users.

2. If working offline suits you then do it that way.  When doing it manually often it is done using SUIM and running the SOD cases.

3. Your functional team will need to take the controls and map the relevant transactions that need to be segregated.

4. Assuming you have a matrix of conflicting transactions you should be able to identify the issues manually in around 3 days (it is hard to be sure).  Remediation will depend on how big the problem is, what your role design is etc.

SAP has GRC Access Controls.  There are other vendors but they all come at a cost. 

You may also find companies local to you who can run an SOD analysis as a service.  I would strongly look to this option if you are not willing to invest in software as it will save you a lot of time in risk definition and reporting.

Good luck & have fun!

Go to solution
Former Member

‎01-23-2013 10:15 AM

0 Kudos

You should probably have this discussion over in the space - people there will be more familiar with the process and the issues, as well as with SAP's GRC software.

We have just completed a project using SAP's GRC, and have got our SoD conflicts down to zero. Even with the help of SAP's GRC software it took a long time. We had a concentrated period of a few months initially, which reduced the count enormously, but the majority of the time is spent in negotiation with users and their departments about how to split up duties. We found that we couldn't continue with the project as a primary focus because we were spending lots of time in those negotiations. After a few months it became a part-time project for us, and the timescales necessarily became longer. From start to finish I'd say it took us about two years on that mostly part-time basis.

I would say SAP's GRC software was invaluable in this project, for a couple of reasons. First, obviously it automates the analysis. There's a lot of work involved in finding all of the SoD conflicts, if you are going to do it right. Having that work done automatically overnight, every night, and being able to instantly see the results of the last batch of cleanup, saved us a lot of manual work. In addition, we we pretty much required to do this work by our auditors, and having the analysis done by a piece os software from SAP took a lot of the pressure off. If we were to do the analysis ourselves we would have had to prove to the auditors we were doing it right. Auditors like systems

You can do it without, maybe. I'm told when an SAP GRC project starts, a typical customer has a "violation count" in the millions. When we started, our count was just over 50k. That's because we had an ex-auditor managing our user creation and role allocation. She, obviously, did a fantastic job of keeping things under control. Our GRC consultants were very, very surprised by that number being so low. That said, 50k is still a lot and it took us two years to get it down to zero. Would we have been able to get it down to zero without SAP GRC? And more importantly keep it there? And more importantly prove to the auditors that the number is correct? I don't think so.

If you are serious about this project and want to do it properly, and provably, I suggest you investigate the costs of SAP GRC. It may not be as high as you think, and you may decide it is worth it.

To address your questions:

  1. You need to analyse roles/profiles for internal conflicts, but you also need to analyse each user separately as roles/profiles that are "clean" in themselves can still create conflicts in combination.
  2. That is in effect what SAP GRC does, so yes. What would you use for the analysis? It isn't an easy problem. You need to look at the authorisation level, not just the transaction level.
  3. Yes, functional knowledge will be required. I would seriously suggest you need somebody with a financial audit background also. That helped us a lot.
  4. We have about 800 users. The majority of our conflicts were in MM, SD and FI/CO. We haven't implemented HR. And as I said it took us two years to get to zero, with the help of SAP GRC. For you I would assume at least 6 months.

I hope that all helps. I know I sound a bit like a salesman for SAP GRC. I'm not - just a very satisfied user. You can in principle do this without, but I wouldn't...

Steve.