Thought Leadership

The Cost of an Incorrect GRC Solution to your Organisation

By Dudley Cartwright,
CEO of Soterion

Are you making this $144,000 mistake with your access control solution?

When it comes to SAP access control solutions, sticking with what you have might seem like a smart decision. The cost and time associated with researching, selecting and getting business approval for a new solution can seem like more effort than it’s worth.

But if your access control solution isn’t a good fit for your company, it could be costing you more than you realise – both financially and otherwise.

It’s not that you chose the wrong solution

There are many different access control solutions in the market that can assist companies with their SAP Security and compliance activities. Each of these tools has its strengths and weaknesses, making finding exactly the right solution challenging.

As a result, many organisations implement an inappropriate access control solution – often because their System Integrator (SI) convinced them it was the right solution. But in fact, the SI was chasing the large implementation revenue often associated with the larger and more complex GRC solutions such as SAP GRC.

A side note here: SAP GRC is a great product for those organisations that have the necessary internal expertise and GRC maturity. However, those organisations that do not have the necessary internal expertise and/or maturity to derive any value from the solution, generally experience a high degree of under-utilisation and/or business resistance.

When organisations complain to their SI that they are not getting value from their GRC investment, the SI will often propose offering more consulting or selling more solutions or modules that will ‘fix’ what is broken.

The challenge though is that if the access control solution is not a right fit for your organisation, possibly due to its complexity, nothing is going to change this. No amount of additional consulting, training or add-on solutions will reduce the complexity of the solution.

Sticking with what you know makes sense

There are many reasons why organisations stick with their current solutions, even if it’s not working for them.

  • The cost of switching seems high
  • The effort associated with switching seems high
  • They believe that all access control solutions have similar functionality and that switching will not bring about any significant change in value
  • They are under pressure from certain departments to stick with the current solution

The last reason is perhaps the most challenging to overcome. Some organisations find it difficult to put together the business case to switch from one solution to another. This is often because the finance or procurement teams dig their heels in purely from a financial perspective, saying ‘we have already spent X dollars on solution Y – make it work’.

The $144,000 mistake

The costs and associated effort of finding and switching to a new access control solution may seem high, but the cost of not switching can be even higher. Especially when you’re using an inappropriate access control solution.

Let’s look at one simple example – user access reviews.

Organisations across the globe are constantly being put under more pressure by auditors and regulators to perform compliance tasks such as User Access Reviews. US companies have been doing this since the advent of Sarbanes-Oxley. UK companies will see added pressure to introduce such activities as soon as UK SOX kicks in (if they are not doing these types of activities already).

A user access review requires reviewers (often line managers) to review all of their users’ SAP access on a bi-annual or annual basis to determine whether that access is still relevant for each SAP user’s job function for the next period. It can take the reviewers many hours to perform the review if they are using an inappropriate access control solution.

On top of this challenge, the reviewer may have many users reporting to them, and the SAP role design and naming convention could make it difficult to determine what access is contained in each SAP role.

If the organisation is using an inappropriate access control solution for their User Access Review process, these tasks become very challenging for the reviewers, wasting many hours on an activity that if not done well adds very little value to the organisation.

This all adds up. If you aggregate the wasted man-hours for each reviewer, multiply that by each review set per year, and multiply that by the number of years, it doesn’t take long for this cost to overtake the cost of switching access control solutions.

And, this doesn’t factor in the cost of being more exposed to fraud due to an ineffective GRC capability, as well as the opportunity cost of those reviewers not performing their normal job function during the review period.

Ineffective solutions cost you more than just dollars

The formula above is just one cost associated with not switching solutions. Because it’s a quantifiable cost, it does make you sit up and take notice. But there are other, more intangible, costs associated with not switching your access control solutions.

Increased risk

Access control and GRC solutions are business tools to manage and mitigate risk. Sticking with an inappropriate or complex access control solution often leads to resistance or pushback from the business users, and IT end up performing access risk management activities on behalf of the business.

Access risk is business risk, not IT risk

It is the business users who are best positioned to determine if a specific user should have certain access and whether that risk is acceptable to the organisation. IT do not have the expertise or business knowledge to make such a decision.

Even when business users are given control of access risk management, if they’re using an inappropriate or overly-complex access control solution, you often find that these activities are being done with minimal intent or understanding. Business users carry out these activities to tick an audit box with very little consideration of the actual risk to the organisation.

Both of the above scenarios are terrible for the organisation. The C-Suite will incorrectly believe they have a sound access risk management program in place, but in reality, it is very ineffective.

Wasted hours on manual tasks to compensate for an inappropriate access control solution

Where a company is burdened with an access control solution that is not a good fit, we often see them extract reports from their GRC solution and then manipulate those reports externally to be ‘fit-for-business’, wasting hundreds of support hours.

This wastage is never attributed to the access control solution itself.

Using solutions that provide companies with ‘out-the-box’ valuable reports and recommendations will not only reduce the number of support hours but will also increase the speed at which SAP users are assigned their SAP access (SAP access change requests and the Joiner-Mover-Leaver (J-M-L) process). This ensures that users are assigned their access more timeously and are thus more productive, i.e. it reduces business downtime.

Time to switch?

When evaluating your current access control solution, look at the business value it is adding to the organisation.

When evaluating a replacement, determine whether the solution will help you achieve your objectives instead of focussing on the software cost that you paid for your existing solution. The cost of change will be minute compared to the savings a company will make through effective access control and risk management.

Soterion is a leading provider of business-centric GRC solutions for companies running SAP. Improve your organisation’s risk awareness and ability to manage access risk by empowering the business users with business-centric GRC.


Can Pablo Escobar teach us something about Risk Management?

Written by Dudley Cartwright
CEO of Soterion

Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion dollar a year industry that had many moving parts – all without the help of the kind of sophisticated technology many of us have access to today. That’s no small feat.

While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.

The three lines of defence for SAP security

Escobar’s greatest fear was to be caught and extradited to the US. So how is it possible that he was the most wanted person in the world for a 10–15 year period, everyone knew the city where he resided, and yet some of the most powerful government agencies could not catch him?

The answer is that Escobar was brilliant at managing risk. He not only had a very clear idea of what his risks were, but he implemented a strategy to mitigate those risks better than any organisation today.

Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:

  • First line: Operational / Business users
  • Second line: Risk / Compliance departments
  • Third line: Audit / Assurance departments

Your first line of defence should be your strongest

Escobar implemented an exceptionally effective first line of defence.

In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so people from all walks of life fed him information whenever there was a risk. From street kids to grandmothers vending food on street corners, the moment something looked suspicious, Escobar was informed.

If a Westerner arrived at Medellin Airport, it was assumed they were a DEA agent and they would be followed and monitored. When the Colombian army made their move on Escobar, a street vendor noticed many army trucks leaving the barracks, thought that could only be for one reason, and subsequently alerted Escobar.

It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.

For organisations, this is also true: Your first line of defence should always be your strongest.

An organisation’s first line of defence is usually the employees (super / key users) who have been in the organisation for 15–20 years. They understand their area of the business and its business processes better than anyone else.

Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area, it’s because the organisation has not implemented the correct processes and solutions to empower those users to participate in the risk management activities.

Empower your first line of defence with business-centric solutions

If you have employees who have been with your organisation for many years and/or have an in-depth knowledge of their area of the business as well as a clear understanding of the risks, you are in a good position.

But just having these people available is not enough.

You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.

All too often organisations end up implementing complex solutions that are too technical for the business users, which results in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.

When this happens, you lose your first line of defence.

Be more like Escobar (minus the drugs and deaths)

Escobar implemented a system and process in which people on the ground could effectively act as the first line of defence. These first liners were educated on what was deemed a risk for Escobar. When they identified a risk, there was a clear process that the first liners could use to feed this information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm if they noticed anything that posed a risk.

While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.

By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.

To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.


How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.


The Hidden Benefits of Customising Your Organisation’s SAP Access Risk Rule Set

At Soterion, a study was recently conducted to find out how many organisations have customised their SAP access risk rule set.

We were surprised to find out that more than half of the companies we surveyed haven’t customised their rule sets and are using the vendor’s out-the-box standard rule set. Interestingly, SAP access risk rule set customisation is a common recommendation by many of the Big 4 audit firms.

SAP access risk rule sets typically contain risks for the following categories:

  • Segregation of Duties (SOD)
  • Critical Transactions
  • Data Privacy

There are a number of benefits to customising these rule sets – and yes, some of these are obvious. But for many organisations, the advantages of customising your SAP access risk rule set aren’t immediately apparent.

Here are some reasons to customise your SAP access risk rule sets that you might already know about (and some you might not have considered).

Benefit 1: Reduce the cost and effort of managing irrelevant risks

The out-the-box rule set has been defined for all industries and chances are these are not all going to be applicable to your unique business. Every access risk in the rule set requires some level of effort (which has a cost implication) to manage. By removing risks that are not applicable to your business, you will reduce the effort and cost to manage those risks.


Benefit 2: Get better coverage of all your processes

The out-the-box rule sets generally cover the main business processes such as Procure to Pay, Order to Cash, Finance, Materials Management, and Hire to Retire. But some of the not-so-common business processes such as IS Health, Media, Insurance, and Global Trade Services are not included in many of the out-the-box rule sets. By adding these risks to the rule set, your organisation has better coverage of all your processes.


The more common scenario with regard to updating the rule set is adding any custom functionality. As out-the-box rule sets do not contain any custom (Z tcode) transactions, it is important to add these to the rule set. For example, if the organisation has created a custom version of VA01 (e.g. ZVA01) that performs a similar function to VA01 and allows users to create Sales Orders, it should be added to the rule set alongside VA01.

Benefit 3: Get more business buy-in for GRC activities

As detailed above, when using an out-the-box rule set, many of the risks are not relevant to your organisation. What often happens is business users lose confidence in GRC activities because they don’t agree with the risk that they are being asked to monitor.

For those organisations who struggle to get the necessary business buy-in and participation from their business users in GRC activities, a rule set customisation exercise offers significant benefits in addressing this challenge in a number of ways:

Monitoring relevant and applicable risks: Monitoring risks that the business believes in will enhance their participation and buy-in. This will raise the organisation’s risk awareness.

Building understanding of business impact: A big challenge for many organisations is that business users do not understand the SOD access risks, resulting in actions being taken without understanding the consequences or impact on the business. Rule set projects are usually workshop based where business users and functional consultants discuss each risk. This is a useful educational exercise where each SOD risk is explained in detail and how fraud can potentially be committed with the conflicting combination of access. Once business users understand the SOD risk, they will have a better understanding of the impact of this on the organisation, and thus be able to make a more informed decision as to whether users should have that access or not.

Defining a Standard Operating Procedure (SOP): As it is unlikely that the organisation can operate without any risk violations, there will be a number of end users who will have access risks. When a user requests additional access that is in conflict with access they already have, it’s unclear whether it can be approved. As a result, these types of requests often sit in the reviewer’s inbox for a number of days.

It’s important to define a policy for risk levels, i.e. what is the rule for the outcome of a simulation at each risk level? Part of the rule set customisation is to define these rules (the SOP).

An example here is:

  • If risk = Critical – access cannot be assigned
  • If risk = High – access can be assigned but with a Mitigating Control
  • If risk = Medium – access can be assigned without a Mitigating Control

By defining these types of guidelines, your business users are able to make quicker decisions on whether the additional access requested can be approved. This reduces the time that SAP access change requests sit in a manager’s inbox waiting to be approved, which ultimately reduces the business downtime (end-user waiting for requested access).
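The following is an added example, not Soterion’s or SAP’s code, showing the two rule-set points above in working form: a small SOD rule set whose business functions map to transactions including custom Z copies (so the ZVA01 case is caught), and an access request simulation that applies the Critical / High / Medium SOP to the new conflicts a request would introduce. The rule ids, descriptions and the function-to-transaction mapping are constructed for illustration; VA01, VF01, FK02, MK02, FB60, ME21N and ME29N are standard SAP transaction codes.

```python
"""Added example (not Soterion's or SAP's code): a minimal SOD rule set that
maps business functions to transactions (including custom Z copies), checks a
user's transactions for conflicts, and applies the article's risk-level SOP to
an access request simulation. Rule ids, descriptions and the
function-to-transaction mapping are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Business function -> SAP transactions that perform it. The custom Z copy is
# listed beside the standard code (constructed; ZVA01 is the article's example).
FUNCTIONS: Dict[str, Set[str]] = {
    "Create Sales Order":      {"VA01", "ZVA01"},
    "Create Billing Document": {"VF01"},
    "Maintain Vendor Master":  {"FK02", "MK02"},
    "Post Vendor Invoice":     {"FB60"},
    "Create Purchase Order":   {"ME21N"},
    "Release Purchase Order":  {"ME29N"},
}

# The same mapping with the custom transactions stripped, i.e. an untouched
# out-the-box rule set that only knows the standard codes.
STANDARD_ONLY: Dict[str, Set[str]] = {
    f: {t for t in codes if not t.startswith("Z")} for f, codes in FUNCTIONS.items()
}

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    func_a: str
    func_b: str
    risk_level: str      # "Critical", "High" or "Medium"
    description: str

RULE_SET: List[SodRule] = [
    SodRule("P2P-01", "Maintain Vendor Master", "Post Vendor Invoice", "Critical",
            "Create or alter a vendor and post invoices to it"),
    SodRule("P2P-02", "Create Purchase Order", "Release Purchase Order", "High",
            "Raise and self-approve a purchase order"),
    SodRule("O2C-01", "Create Sales Order", "Create Billing Document", "Medium",
            "Create an order and bill it without a second party"),
]

SEVERITY = {"Medium": 1, "High": 2, "Critical": 3}

def functions_for(tcodes: Set[str], function_map: Dict[str, Set[str]] = FUNCTIONS) -> Set[str]:
    """Business functions a user can perform with the given transactions."""
    return {f for f, codes in function_map.items() if codes & tcodes}

def violations(tcodes: Set[str], rule_set: List[SodRule] = RULE_SET,
               function_map: Dict[str, Set[str]] = FUNCTIONS) -> List[SodRule]:
    """SOD rules for which the user holds both conflicting functions."""
    funcs = functions_for(tcodes, function_map)
    return [r for r in rule_set if r.func_a in funcs and r.func_b in funcs]

def simulate_request(current: Set[str], requested: Set[str], has_mitigating_control: bool = False,
                     rule_set: List[SodRule] = RULE_SET,
                     function_map: Dict[str, Set[str]] = FUNCTIONS) -> Tuple[str, List[str]]:
    """Apply the article's SOP to the NEW violations a request would introduce.

    Critical -> reject; High -> approve only with a mitigating control;
    Medium -> approve. Pre-existing violations are not re-judged here; they
    remain visible through violations() for remediation.
    """
    before = {r.rule_id for r in violations(current, rule_set, function_map)}
    new = [r for r in violations(current | requested, rule_set, function_map)
           if r.rule_id not in before]
    if not new:
        return "APPROVE", []
    worst = max(new, key=lambda r: SEVERITY[r.risk_level]).risk_level
    ids = [r.rule_id for r in new]
    if worst == "Critical":
        return "REJECT", ids
    if worst == "High":
        return ("APPROVE_WITH_CONTROL" if has_mitigating_control
                else "MITIGATING_CONTROL_REQUIRED"), ids
    return "APPROVE", ids

if __name__ == "__main__":
    # Constructed user: holds the custom ZVA01 and asks for billing.
    print("customised rule set :", [r.rule_id for r in violations({"ZVA01", "VF01"})])
    print("standard rule set   :", [r.rule_id for r in violations({"ZVA01", "VF01"}, function_map=STANDARD_ONLY)])
    print("vendor + invoice    :", simulate_request({"FK02"}, {"FB60"}))
    print("PO create + release :", simulate_request({"ME21N"}, {"ME29N"}))
```

Run against the standard-only mapping, the ZVA01 user shows no conflict at all, which is the gap the article describes; the customised mapping reports O2C-01 and, because it is Medium, the simulation approves the request. The High conflict returns a distinct decision when no mitigating control is recorded, so a request never silently sits in an inbox while the reviewer works out what the policy is.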

Whether you need assistance with customising your out-the-box SAP access risk rule set or advice on where to start, Soterion’s team of SAP experts can assist with your unique requirements and help you implement more effective GRC. Email us at [email protected] to get started.


Business-Centric GRC for SAP Customers – how to get the most out of your investment

Investing in Governance, Risk and Compliance (GRC) is one of the most important business investments you can make. Modern businesses need effective yet efficient risk and compliance management solutions to support growth and sustain operations. Unfortunately, the vast majority of SAP customers that have implemented a GRC solution are not seeing the value they should from their investment.

While this can be influenced by a number of factors, it often comes down to one key reason: lack of business uptake. At Soterion, we have specifically developed a solution that simplifies GRC for SAP customers. However, the principles discussed in this article are just as relevant to users of other ERP solutions as they are to those using SAP.

GRC for SAP customers: The link between uptake and ROI

Typically, an organisation’s GRC effectiveness is measured by how well business users perform their access risk management activities.

However, by their nature, GRC solutions are very complex and technical. They have been developed to analyse transaction codes, authorisation objects, and fields available in an SAP user’s ‘user-buffer’. Many of these solutions were developed from a technical audit perspective with very little consideration for their use by business users.

It’s a well-known rule of business that when it comes to technology, the more complex the solution, the less uptake you can expect from users.

Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to resistance. Users will typically keep pushing these activities back onto IT, which means that your GRC solution will become a back-end solution used by the SAP security and GRC teams, with minimal involvement from the rest of the business.

Putting business users at the heart of GRC

Business-centric GRC puts the business user at the centre of the process. It is all about enhancing business accountability of access risk through a business-first approach to all SAP security and GRC activities.

By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in its risk management activities. One of the best ways to illustrate this is with the audit principle covering the three lines of defence.

The first line of defence is your business or operational users, the second line of defence is your risk and compliance departments, and the third line of defence is the audit and assurance departments.

Your first line of defence should always be your strongest. These are people who have been in your organisation for 15 – 20 years and understand your business better than anyone else.

Unfortunately, in most organisations, this is typically the weakest line of defence. That is not because those employees don’t know the risks in their area, it is because the organisation has not implemented the correct processes and systems to empower those users to participate in risk management activities.

Practical solutions and processes are key to performance

To facilitate business buy-in, it’s crucial that organisations running SAP use a GRC solution that is business-centric.

Business-centric GRC solutions convert technical language into business-friendly terms, allowing business users not only to understand the risks in their area of responsibility but also to make decisions more quickly. And faster, more informed decision making reduces the business downtime of an SAP user waiting for long periods for SAP access requests.

It’s also important that your access risk management processes are practical enough that business users can execute appropriate controls.

Take, for example, the User Access Review process. This is where business users review their users’ SAP access to determine whether this access is still relevant for their job function. The process typically takes the reviewers many hours to perform. Additional challenges can also arise along the way, such as non-descriptive SAP role names making it difficult for the reviewers to know exactly what access or functionality the role gives its users.

The process can be so time-consuming that in many cases, organisations discover the effort does not justify the value of the exercise.

Soterion is a leader in business-centric GRC for SAP customers. Each and every feature has been developed from the perspective of the business user. Our GRC solution enables the User Access Review to be performed by business process, thus eliminating any deficiencies in the SAP role naming convention. Business users can perform a more effective review that has a better business outcome. Using a business-centric GRC solution like this means a review typically takes less time, resulting in a significant cost saving for the organisation.

Get your users on board with business-centric GRC solutions

An organisation cannot manage its access risk effectively without business involvement. However, getting your business users on board and accountable for managing risk without the right tools and processes in place is an uphill battle.

Enhancing business accountability of access risk, with the use of a business-centric GRC solution, will improve the organisation’s overall risk awareness as well as their ability to manage their risk.

Soterion is a leader in business-centric GRC for SAP customers. If you don’t feel like you’re getting the most out of your GRC investment, get in touch to discuss how we can help.


Three Benefits of Regular SAP Access Risk Assessments

For those organisations who do not have an access control / GRC solution, there are considerable benefits in performing regular SAP access risk assessments.

(Figure: Soterion Dashboard)

The appropriateness of an SAP authorisation solution degrades over time, primarily due to SAP authorisation creep. Authorisation Creep is where users inherit more access over a given period than the access removed from them as they move to different job positions internally. This also happens when they require a single transaction code but are assigned a role with many transaction codes.

Technical mistakes in the role-build process can also cause the SAP authorisation solution to provide users with wider access than required. A very basic example is where S_TCODE is maintained in a role with the wildcard value S_ALR*. It is important to note that not all S_ALR* transactions are display transactions.

Another common mistake is where display roles are created with update transaction codes in them, and the ACTVT values are maintained to Display only (03, 08 etc.). These roles work well in isolation, but as soon as they are assigned to users who also have other update roles, the combination of the S_TCODE value from the display role and the update ACTVT values in the user’s other roles results in the user having far wider access than intended.
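The following is an added example, not Soterion’s or SAP’s code, that models the two role-build mistakes above: SAP merges the authorisations of every assigned role into one user buffer, and an authority check passes if any single authorisation satisfies it, so a display role that carries an update transaction code lends its S_TCODE entry to the update ACTVT value held in another role. The script flags transactions that no single role permits on its own but the merged buffer does. S_TCODE, TCD, ACTVT, M_BEST_BSA and the ME2xN transactions are real SAP names; the role contents, the one-object-per-transaction check table and the placeholder S_ALR_00000000 are constructed, and real transactions check far more objects and fields than this model.

```python
"""Added example (not Soterion's or SAP's code): a simplified model of the SAP
user buffer. Authorisations of all roles are concatenated and an authority
check passes if ANY one authorisation matches every requested field. Used to
flag update transactions reachable only through the combination of roles.
Role contents and TCODE_CHECKS are constructed; the object names are real."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# One authorisation: object -> field -> allowed values ('*' wildcards as in PFCG).
Authorization = Dict[str, Dict[str, Set[str]]]

@dataclass
class Role:
    name: str
    auths: List[Authorization]

# Constructed: the single object/activity each transaction is assumed to check.
TCODE_CHECKS = {
    "ME21N": ("M_BEST_BSA", "01"),   # create purchase order
    "ME22N": ("M_BEST_BSA", "02"),   # change purchase order
    "ME23N": ("M_BEST_BSA", "03"),   # display purchase order
}

def user_buffer(roles: List[Role]) -> List[Authorization]:
    """SAP concatenates the authorisations of all assigned roles; nothing is narrowed."""
    return [a for r in roles for a in r.auths]

def authority_check(buf: List[Authorization], obj: str, **fields: str) -> bool:
    """True if any single authorisation for obj matches every requested field value."""
    for auth in buf:
        if obj in auth and all(
            any(fnmatchcase(value, pattern) for pattern in auth[obj].get(field, set()))
            for field, value in fields.items()
        ):
            return True
    return False

def can_start(buf: List[Authorization], tcode: str) -> bool:
    """Transaction start is an S_TCODE check on field TCD."""
    return authority_check(buf, "S_TCODE", TCD=tcode)

def executable(buf: List[Authorization]) -> Set[str]:
    """Transactions that can be started AND pass their (modelled) object check."""
    return {t for t, (obj, actvt) in TCODE_CHECKS.items()
            if can_start(buf, t) and authority_check(buf, obj, ACTVT=actvt)}

def escalated_transactions(roles: List[Role]) -> Set[str]:
    """Transactions usable only because authorisations from different roles combine."""
    per_role = set().union(*(executable(user_buffer([r])) for r in roles))
    return executable(user_buffer(roles)) - per_role

# Constructed roles reproducing the mistakes described in the article.
PO_DISPLAY = Role("Z_PO_DISPLAY", [
    {"S_TCODE": {"TCD": {"ME22N", "ME23N"}}},            # ME22N does not belong in a display role
    {"M_BEST_BSA": {"ACTVT": {"03"}, "BSART": {"*"}}},   # display only, so harmless in isolation
])
PO_CREATE = Role("Z_PO_CREATE", [
    {"S_TCODE": {"TCD": {"ME21N"}}},
    {"M_BEST_BSA": {"ACTVT": {"01", "02"}, "BSART": {"*"}}},
])
REPORTS = Role("Z_REPORTS", [
    {"S_TCODE": {"TCD": {"S_ALR*"}}},   # wildcard: allows starting every S_ALR* transaction
])

if __name__ == "__main__":
    print("display role alone:", sorted(executable(user_buffer([PO_DISPLAY]))))
    print("create role alone :", sorted(executable(user_buffer([PO_CREATE]))))
    print("both roles merged :", sorted(executable(user_buffer([PO_DISPLAY, PO_CREATE]))))
    print("escalated         :", sorted(escalated_transactions([PO_DISPLAY, PO_CREATE])))
    # S_ALR_00000000 is a constructed placeholder code, matched only by the wildcard.
    print("S_ALR* wildcard starts S_ALR_00000000:", can_start(user_buffer([REPORTS]), "S_ALR_00000000"))
```

Each role alone yields only what its author intended (display of purchase orders, or creation), but the merged buffer also permits ME22N, which is exactly the change access the reviewer of the display role would not expect to have granted. Running this kind of per-user comparison over all role combinations is the sort of check that is impractical by hand at SAP data volumes, which is the article’s point about regular assessments.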

It is not only unfair on the SAP security team, but also impractical, for them to pick up on these types of issues. The complexity of SAP authorisations not only means that these types of mistakes are relatively common, but the sheer volume of data makes it very difficult to identify these issues. It is like finding a needle in a haystack.

For many organisations, their external audit is the only time in the year when an access risk assessment is performed on their SAP system. These organisations have very little visibility into their SAP access risk exposure for the majority of the year, placing them at unnecessary risk.

(Figure: Soterion SAP Access Change Request Simulation)

With a number of vendors who have developed a cloud offering, performing an access risk assessment is simple and easy. The data extraction can typically be done in less than an hour, which is the only effort required by the company. The vendor will perform the assessment and send the company their access risk results.

Performing more regular access risk assessments is a more failsafe way to ensure that the SAP authorisation solution has not provided inappropriate access to users during the course of the year.

Below are three benefits of performing regular SAP access risk assessments:

  1. Reduce SAP access risk: By performing SAP access risk assessments, you will be able to identify any role(s) that are providing users with inappropriate access. Often it is only a handful of incorrectly maintained roles that are responsible for the majority of the access risks. In many cases, these roles can be addressed with minimal effort. They are the ‘low hanging fruit’, and fixing them can significantly reduce the total access risk count.
  2. Better prepared for audits: Performing an access risk assessment prior to your external audit can allow you the opportunity to identify ‘quick wins’ which can be addressed prior to the audit. There is no organisation that wants an unfavourable audit report, so reducing any findings prior to audit can be quite attractive. In addition, there could be a cost-saving to being better prepared for audit. If an authorisation solution is providing users with such wide access that the audit firm believes that substantive audit procedures are required, not only will there be additional audit cost to carry this out, but there will be additional effort required by key employees to prepare for the audit.
  3. Enhanced business-accountability of access risk: Although access risk is business risk, the business users are unlikely to take accountability without some form of visibility i.e. you cannot be accountable for something you are not aware of. Without regular access risk assessments, the business users are unlikely to know who has access to specific SAP functions. By performing regular assessments, IT is providing the business with the necessary visibility for them to understand the access risks that exist in the SAP system. This in turn will allow IT to shift responsibility to the business. Visibility enhances accountability.

Consider how your data will be handled by the vendor performing the access risk assessment, and ensure that the vendor is both ISO27001 and SOC certified. Vendors providing such services need to demonstrate that they will handle client data in accordance with your organisation’s internal requirements as well as any regulatory requirements.

Soterion SAP Access Risk Assessment

Soterion can be used to perform SAP access risk assessments on the organisation’s SAP environment, either using the Soterion standard rule set or a rule set that the customer imports or customises. Soterion’s SAP access risk assessment includes:

  • SAP Access Risk Assessment: An access risk assessment is performed at User, Composite Role and Single Role level. Access risk reports are based on what access has been assigned (potential) and display this in relation to actual transaction usage. Soterion’s Get Clean module supports risk remediation consulting projects.
  • Basis Review: This assessment reports on the SAP basis configuration settings against a set of industry best-practices.

(Figure: Soterion Access Risk Assessment Process)

Viewing the Results of the Soterion Access Risk Assessment

(Figure: Soterion SOD Risk Detail – Business Friendly Reporting)

One of the key advantages of a Soterion access risk assessment is that the results are displayed in the Soterion web application. This allows quicker analysis of the results and more effective remediation. Soterion will highlight the risks with the highest contribution, as well as flag the users and roles who are responsible for the majority of the access risk violations.

Soterion’s business-centric reporting capability will also illustrate each risk with supporting business process flow diagrams, thereby providing more context to the access risk and converting the technical GRC language into a business-friendly language to ensure better decision-making.

If your organisation is interested in having ad hoc assessments, please contact us – [email protected]


SAP User Access Review – Why is it Important to Get This Right?

By Dudley Cartwright,
CEO of Soterion

When looking at all the components (activities) that make up a Governance, Risk and Compliance (GRC) solution, the majority are backend type activities performed by GRC or SAP security administrators.

However, there are some GRC activities that have a huge touch point with business users i.e. they are the primary users of that functionality, namely:

  • SAP access risk simulations (approval / rejection done by line managers)
  • User Access Review

Organisations have been asking their business users to review SAP access change requests for quite some time now. However, even with regulations such as SOX / JSOX being in existence for almost 20 years, the requirement to perform a User Access Review is a more recent requirement for many organisations.

Why is it becoming so important?

The primary driver behind a User Access Review is usually audit. Many audit regulations, such as the Sarbanes-Oxley (SOX) Act and JSOX, require listed organisations to perform a User Access Review on a periodic basis, usually annually.

Before we go any further, let’s remind ourselves of the purposes of the User Access Review:

During the course of a specific year, SAP access change requests will be simulated using an access control solution. Line Managers / Business users will be required to review these proposed changes, with approved requests being applied in SAP.

The function of the User Access Review is to review whether that SAP access is still valid at a later point in time. For example, if a person requests access to Create Purchase Orders (ME21N) and the request is approved, the appropriate role will be assigned to the user. If this assignment was done on 1 January 2020, who is to say that the access is still relevant for that user on 1 January 2021?

The User Access Review therefore provides the organisation with an opportunity to re-look at the user’s access to confirm whether it is still relevant and applicable (as the user may have moved to a different job function, or their role may have changed since the role assignment was done). One of the great advantages of a User Access Review is that it limits SAP authorisation creep.

The downside for many organisations is that a User Access Review is done merely to appease audit, and the value of the activity is questionable, especially when you consider the amount of effort required by the business users to carry out a User Access Review.

There is a need to shift the mindset of the business users from it being an audit tick box exercise to a valuable activity in remediating access risk. The reasons for doing this should not be to appease audit, but rather as a valuable access risk management activity.

However, to support this shift in thinking, organisations need to consider several process changes to support the business. It is important for organisations to understand the challenges facing the business users who perform the SAP User Access Review. If the business users find the User Access Review process onerous and/or challenging, they will push back on the process and treat it as a tick-box exercise. The result: the organisation will extract minimal value from the User Access Review.

How do You Facilitate This Shift in Thinking?

Besides garnering senior management support for the User Access Review, it is critical that a number of technical aspects are considered to make the process easier and simpler for the business users. Here are a few considerations:

1. Role Design

Does the organisation’s SAP role design make it difficult for the business users to know what access users have i.e. are SAP roles non-descriptive? Are SAP roles large and contain many transaction codes?

To make the User Access Review process as simple as possible for the business users, ensure that the SAP role design lends itself to making the process easy. Functional role designs typically have more descriptive role names, making it easier for business users to understand what is contained in the SAP roles being reviewed. This will allow the business users to make more informed decisions as to whether the access is appropriate or not for the user.

Updating the role design to be descriptive may in fact require a complete role redesign. As organisations move to S/4HANA, this could be a great opportunity to re-look at the organisation’s security framework and consider a role redesign that is more business friendly and simpler, thereby reducing the effort required in a User Access Review.

2. Role Methodology

Unfortunately, debating SAP role methodologies is like debating religion and politics. People become familiar with one role methodology and do not fully appreciate any other. Most SAP security administrators understand a derived role methodology and have a limited understanding of a task and value (functional / enabler) role methodology.

A task and value role methodology is where you split your transactional access from your Organisational level access. This results in far fewer roles needing to be created – which also means users are assigned fewer roles. Choosing a role methodology that has fewer role assignments will reduce the effort required by the business users to carry out a User Access Review.

3. Rule Set Customisation and Business Education of Access Risk

Business users performing a User Access Review are likely to pay more attention to those SAP roles assigned to their users that contribute to access risk violations. If the organisation has performed a rule set customisation project, they are likely to have defined a more appropriate and refined rule set.

The access risk rule set project serves as a great tool for educating the business users on the access risks applicable to their area. By having a better understanding of each of the access risks in the rule set, the business users can make more informed decisions during the User Access Review as to whether any risk-bearing access for a particular user is acceptable or not.

4. Use a Tool to Facilitate the User Access Review Process.

Performing a User Access Review in a spreadsheet often proves challenging. Although the reviewer can see the roles assigned to the users, spreadsheets often do not include usage and risk information. This results in roles being removed from a user that contain transaction codes that are being used by that user i.e. he / she requires that access to carry out their job function. This causes business disruption, and most of the removed access gets assigned back to these users immediately after the User Access Review.

By using a commercial solution for the User Access Review, the business users can make more informed decisions due to having User-Transaction usage and access risk information.

A huge benefit of using a tool to facilitate the User Access Review is that it can be configured to speed up the process. As an example, a User Access Review can be created to only include roles that contribute to access risk, thus reducing the number of role assignments that need to be reviewed. Another example is to create a User Access Review that flags roles previously ‘approved’ so that the focus can be on new assignments since the last review. To get the reviewers to perform a User Access Review well, it is important for the solution to convert the technical SAP role language into a language the business users can understand.

5. Split Reviews

If you make use of SAP Composite or Business Roles, consider splitting the review into a User Access Review and a Role Content Review.
–  Role Content Review: A role owner reviews the content of the SAP Composite or Business Role.
–  User Access Review: A line manager reviews the role assignments at the SAP Composite or Business Role level. They do not review the underlying SAP single roles – but simply whether the Composite or Business Role is appropriate for the user.

6. Iterative Reviews

Instead of having one large annual User Access Review, where all users’ access is reviewed, see whether it is possible to split this into smaller iterative reviews during the year. This can be split by:
–  Geography: User Access Review done by region.
–  Risk Level: User Access Review done by risk level.
–  SAP module: User Access Review done by SAP module.

It is important to keep in mind the challenge of certification fatigue. This is where the reviewers complain about the time and effort required to carry out a User Access Review.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for the business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organisation time and money.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.


Thought Leadership

Adding Value to SAP Customers Around the Globe

We are passionate about developing SAP access risk management solutions that add real value to an organisation. For the past 10 years we have been successful in reducing SAP access risk in combination with enhancing business accountability of risk through ‘easy-to-use’ business centric Governance, Risk and Compliance (GRC) software.

Co-founded by Johan van Noordwyk and Dudley Cartwright, Soterion’s software solution empowers SAP customers to achieve SAP authorisation compliance with great ease, regardless of their internal GRC capability and expertise.

Reflecting back

“While working in the SAP Security space, it came to our attention that many organisations were having challenges with their SAP access risk and compliance,” recalls Soterion co-founder Dudley Cartwright. “There were a number of tools for dealing with this problem, but many were either too expensive or not user-friendly.” As a result, Soterion was born to provide an effective GRC solution for companies running SAP.

How our GRC software adds value

“It brings us great joy to see our software in action and bringing the intended value to the client,” says Dudley.

Energy company Aker Solutions implemented SAP between 2004 and 2006. The company then implemented SAP GRC, but struggled to derive value due to the software’s complexity, leading to under-utilisation.

Petter Natås, Aker Solutions Director, Finance Process Improvement & Systems, Norway, explained: “We had offers from our service provider to get on top of SAP GRC. One of the main concerns was the long implementation period. They estimated one and a half years to get it into place, so the costs were high.”

Aker Solutions switched to Soterion’s GRC software and reduced access risk by 85%, the company explained in a recent case study. Through implementing Soterion for SAP, Aker achieved improved efficiency, better effectiveness, as well as regulatory compliance.

Another client, KOMATSU Australia, which manufactures and sells construction and mining equipment, forest machines and industrial machinery, reported its SAP access risk results in a spreadsheet.

After implementing Soterion for SAP, KOMATSU was able to view its access risk more easily, and in real-time, in a user-friendly web application.

Saint-Gobain Construction Products (South Africa) implemented SAP in 2001 and faced typical SAP security challenges of over-allocation of access and/or inappropriate access, resulting in internal audit findings. After evaluating various SAP access risk (GRC) systems, the company implemented Soterion for SAP.

The result: Saint-Gobain’s audits were successful. Management were provided with a better understanding of the company’s business risks as well as having improved access control, visibility, and improved management buy-in.

Over the years our GRC software has also received numerous positive reviews in reports and from analysts. A recent report covering SAP Governance, Risk and Compliance (GRC) by KuppingerCole Analysts, an international independent analyst organisation, noted that we are able to offer a range of deployment options not available from several other vendors.

The report notes that because Soterion is not an ABAP application locked into the SAP ecosystem, it is able to run as an independent application interfacing to the SAP ecosystem.

The report also notes that one of our specific strengths is our well-thought-out user interface and mapping capabilities.

Interested to find out more about Soterion’s Access Risk Manager and our other modules? Email us on [email protected]. Let us help you take your GRC to the next level.

Thought Leadership

Enhancing Business Accountability of Access Risks

By Dudley Cartwright, CEO of Soterion.

This article explains what we at Soterion believe is needed for effective Governance, Risk and Compliance (GRC). What do we mean by effective GRC?

Many companies make the mistake of thinking that the GRC or access control tool alone is the silver bullet that will solve all their SAP security challenges. Because of this, many organisations have an access control solution which is not adding much value. In essence, these companies have GRC, but it is not effective.

When measuring your organisation’s GRC effectiveness, it is important to measure this in relation to the organisation’s business objectives. The most common of these are:

  • Having a secure SAP solution
  • Complying with regulations, in particular, the data privacy regulations
  • Improving efficiencies (JML process)
  • Enhancing business accountability of risk

Enhancing business accountability of the organisation’s risk is fast becoming a key business objective. Not only is access risk a business risk, but many organisations are realising that enhancing business accountability of risk is making the organisation more risk-aware and more effective in their risk management activities. This can be illustrated by using the audit principle of the three lines of defence.

The first line of defence is your business or operational users. The second line of defence is your risk and compliance departments, and the third line of defence is the audit and assurance departments.

The first line of defence should be the strongest line of defence. These are people who have been in your organisation for 15 – 20 years. They understand your business better than anyone else. Yes, it is often the organisation’s weakest line of defence – not because users do not know the risks or the processes, but because the environment is not set up for these business users to take ownership and become accountable.

To facilitate business buy-in, organisations need to look further than just the GRC or access control solution. They need to look at all the associated components collectively and understand the inter-relationships. To illustrate this, we will use what we call the ‘Effective GRC Pyramid’.

At the base of the pyramid is the SAP role design. This forms the foundation of all things GRC. If the role design is not good, the entire GRC capability will be diminished. The middle section is the rule set and GRC or access control solution. And at the top are the internal processes.

GRC effectiveness is measured by how well business users carry out their access risk management activities, such as the review and approval of SAP access change requests, user access reviews, rule set reviews and business role reviews.

There are generally two reasons why organisations struggle to get the business to take ownership of access risks. The first is a lack of senior management support for such initiatives. It is very difficult to achieve business buy-in and accountability without significant support from senior management. The second reason why organisations struggle to achieve access risk ownership is the complexity and technical nature of each of the components in the pyramid.

To explain this, let’s work through each layer.

The Role Design: This is a very technical component made up of transaction codes, authorisation objects, fields and values. Yet it is the business users who need to understand the level of access contained in each role if they are expected to review and approve access, or when performing a user access review.

The Rule Set: Again, this is a technical component consisting of risks, risk functions, transaction codes, authorisation objects and fields. Yet these are business risks and need to be understandable by the business users.

The GRC Software: GRC or access control solutions are generally very technical in nature. Yet the ultimate user is a business user. Therefore, the risk assessment results need to be understandable to the business users.

The Internal Processes: This is partly technical in setting up the configuration and workflow, yet it needs to be practical and effortless for business users.

While business users are not expected to carry out many functions, it is important that the few tasks they are expected to do are presented to them in such a manner that they can perform them with maximum ease, with the data presented so that they can easily understand and interpret it and make an informed business decision.

In summary, your entire GRC effectiveness will be measured by how well your business carries out these functions.

If you’d like more information or would like to discuss your company’s GRC needs, feel free to email us on [email protected].

Thought Leadership

SAP Security – The New Normal – Dealing with the Internal Threat of Working from Home

By Dudley Cartwright, CEO of Soterion, an SAP Governance, Risk and Compliance security solutions provider

Stephen McBride, Forbes Magazine contributor and editor of RiskHedge Report, predicts in his article that the largest cyberattack in history is likely to occur in the next six months, with the coronavirus laying the groundwork.

McBride explains that the more devices connected to a network, the larger the number of entry points, making it easier for hackers to gain access. With so many people working from home, firms had only days to cobble together remote work plans. System security planning often did not include planning around masses of remote workers, or the use of less secure home internet connections. Hackers only need to gain entry through one single unsecured point.

Hackers broke into the networks of America’s largest defense contractor, Lockheed Martin, by targeting remote workers. If they can infiltrate this system, you best believe remote workers with little security are easy pickings, he adds.

In the past couple of months, hackers have targeted the US Department of Health. And attacks against the World Health Organisation have more than doubled.

Cyber intelligence firm CYFIRMA revealed cyberthreats related to coronavirus shot up 600% from February to March. It’s only a matter of time before we hear about a major cyber breach, he says.

In his recent article Reza Rassuli, SDA Inc. CEO and SAP technical advisor mentions five key cyber threats that enterprises using SAP need to take seriously and should watch out for in 2020. These are social engineering attacks, IoT-based attacks, ransomware attacks, internal threats, and state-sponsored attacks. He advises SAP users to place emphasis on detecting threats in real-time or ahead of time before it is too late.

SAP themselves, in a recent Covid-19 response article, stress that enhanced cybersecurity is critical while the World Economic Forum has warned that cybercriminals have escalated their efforts to capitalise on the unfolding tragedy of Covid-19.

In this article, we focus on a number of security activities that an organisation should consider to minimise the risk of the internal threat associated with remote working.

The ‘new normal’ high-security risk of working from home should therefore be changing the way organisations view security.

There is a significant difference between accessing the SAP system from the office and from home, and this difference opens the door to vulnerabilities. Coupled with the increased likelihood of an (external) breach, working from home is therefore likely to also increase the chance of an (internal) data leak.

Some questions do arise. Will work-from-home change user behaviour? Without having a supervisor or work colleagues looking over one’s shoulder, will this lead to a change in user behaviour where users ‘explore’ what they have access to in the system? Are users going to be more likely to download data onto a memory stick if there is no one around to see?

It is fair to say that when employees are not in the office environment, many of them are likely to behave slightly differently. Remote working will be the catalyst for organisations to embark on SAP security activities that security professionals have been advocating for many years.

Five SAP security activities that organisations should place more importance on in this new era of remote working:

1. Appropriate user access:
Numerous organisations have outdated SAP role designs, where users have been assigned inappropriate access over the years in relation to their actual job function. To minimise the risk of both a breach and leak, it is imperative that organisations follow a ‘zero-trust’ approach and ensure that users are assigned appropriate access.

2. Rule set customisation:
Many organisations that implement an access risk solution make use of the standard rule set with minimal or no customisation. Customisation is necessary to ensure the rule set addresses the risks relevant to their organisation. Of those organisations that do go through a rule set customisation project, many do not review (edit/update/adjust) the rule set again after the initial project. With the increased risk caused by remote working, organisations should place more emphasis on customising the standard rule set to ensure that it covers the risks applicable to their organisation, including data privacy risks.

3. Business Accountability of risk:
Organisations struggle with business buy-in and a lack of accountability for access risk from the business. This is often caused by a lack of understanding of the risks and their impact on the organisation should they occur. When the business does not understand the risks and the impact, the granting and approving of inappropriate access is likely to occur.

4. User Access Reviews:
The User Access review process requires businesses to review all users’ SAP access on a periodic basis. Most organisations perform this on an annual basis. With the increase in risk caused by remote working, ensuring users are assigned appropriate access must be done on a more regular basis. Many organisations will need to start performing periodic user access reviews, and the frequency of the reviews is likely to increase to be done bi-annually or even quarterly.

5. Activate Logging:
There are many different types of logging available in SAP that can provide useful information. Numerous organisations do not activate them due to performance or space concerns. With the increased risk of remote working, it is critical that certain categories of logging are activated.

Besides the basic SM20 filters of transaction start, it is advisable to activate other filters such as generic access to tables (CUZ and DU9) or RFC calls accessing data in SAP. With data privacy becoming more topical because of legislation such as GDPR, CCPA and POPIA, having the ability to identify who has displayed this data becomes crucial and the logging of this information can be configured by using the Read Access Logging (RAL) functionality in SAP.

If you’d like to know how Soterion can assist you with managing the SAP security issues discussed in this article, please email [email protected]. We look forward to assisting you.

Read more about our offerings. Soterion’s GRC modules include Access Risk Manager, Basis Review Manager, Elevated Rights Manager, Periodic Review Manager, Password Self-Service and SAP Licensing Manager.

Thought Leadership

World Crises: What Could be Next, Cyber Attacks and Data Fraud?

New-Generation Governance, Risk and Compliance are critical in SAP Environment
By Dudley Cartwright, CEO of Soterion

2020 will be remembered as the year that a virus almost caused worldwide lockdown. What could be next?

The 2019 WEF Report on significant global threats lists cyber attacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organisations. The stakes are higher than ever, should businesses fail to get it right.

We’re living through an era hallmarked by a rapid increase in the rate of change in the marketplace. Organisations are being forced to adapt to the new realities. Successful organisations are becoming more agile in their ways of working.

New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation and are embracing new agile technologies and methodologies.

GRC principles fit well with the ‘agile’ approach and are today more relevant and important than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools.

Agile thinking encompasses the idea of “clock speed”. This is the pace at which an organisation, in its entirety, is able to move, react and adapt. It is estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.

Whilst agile thinking has brought great benefits in increasing clock speed, it has also brought with it a significant misconception about GRC. In the pursuit of agile delivery, GRC can easily be seen as part of the ‘old paradigm’ and hence ignored or undervalued. Alternatively, even if the GRC function is appreciated by business, GRC practitioners often fail to adapt their approach to the new clock speed realities.

Many new-generation GRC practitioners find themselves operating in a traditional organisation. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organisation requires.

Could someone in GRC influence organisation-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, whilst at the same time pragmatically delivering GRC requirements within the prevailing framework.

So, what is the correct approach then for agile GRC? Given that organisations vastly differ by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer.

Here are a few agile GRC descriptors. Agile GRC realises the need for engaging business users, and therefore puts business users at the heart of the process. GRC language is converted into a language that business users can understand. This is further achieved through more intuitive tools such as introducing business process visualisations that help contextualise and understand risks.

A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering. Engaged business users are more vital today than ever given the fluidity of organisational environments. GRC must become a team sport.

The GRC team need to ensure that access risk remains healthy if business users are not engaged. This is usually done in an episodic fashion, frequently timed to coincide with an audit.

The power of engaged business users is manifold: there are many of them, and they know and understand their processes better than anyone. Giving these users the means to monitor and respond to the risks inherent in their processes provides a powerful first line of defence which in turn allows the GRC team to play a more strategic, value-adding role.

In addition, traditional GRC tools are built upon static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows. The traditional paradigm assumes that such process flows seldom change. With today’s pace of change and agile ways of working, access risk simulations are performed against rule sets that are increasingly out of touch with an organisation’s reality. Business users become frustrated by this and their buy-in diminishes accordingly.

New-generation GRC tools recognise that business process flows are dynamic and fluid, and hence enable us to build dynamic rule sets with adaptive capabilities. Machine learning technologies often play a role here. Another approach is ‘crowdsourcing’ rule set changes from business users themselves, through intuitive visualisations that keep GRC tools relevant and hence keep business users engaged.

Traditional applications typically have a software-license to implementation-cost-ratio of between 1:3 and 1:5. That is, for every dollar spent on licensing in the first year, the organisation can expect to pay up to $5.00 in configuration costs. The implementation process itself is often the organisational equivalent of open-heart surgery, given the sheer intensity of the process.

New-generation GRC applications are typically implemented at least 50% faster than traditional applications. This translates into lower total cost of ownership, less business disruption and quicker establishment of GRC capability.

Aside from the cost-saving implications of rapid deployment, Agile GRC configurations allow users to “fail faster” in the positive sense by getting vital feedback on access simulations and adverse process changes quicker, which allows for timeous adjustments.

Agile GRC vendors are connecting their applications with other vendors from similar but different fields to provide a more holistic offering. Examples of this are integrations with Identity Access Management solutions, Enterprise Risk solutions, Process Control solutions and Business Process Mining solutions.

The API economy enables organisations to choose the exact applications they require given their current business landscape and to create a “one-size-fits-one” GRC technology ecosystem that fits their needs. This contrasts with the traditional “one-size-fits-all” idea of one monolithic GRC application which caters for every conceivable scenario.

GRC solutions need to be able to analyse non-ABAP-based solutions as SAP moves more functionality to the cloud (SuccessFactors, Ariba, Concur, etc.) and customers start replacing non-core SAP products with 3rd party solutions ( and WorkDay). Agile GRC solutions are future proof, in that they will be able to seamlessly analyse access risk from traditional SAP systems (ABAP), as well as SAP cloud and 3rd party solutions.

Managing access risks is time-consuming and laborious. Using historical data to develop trust relationships will allow GRC practitioners and business users to focus on the exceptions. Examples of this include:

  • Monitoring transaction usage activity and highlighting exception transaction codes.
  • Knowing which terminal is used by the user to access SAP and highlighting any activity from a different (non-trusted) terminal.
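The two bullet points above, together with the “Activate Logging” recommendation in the remote-working article (generic table access messages DU9 and CUZ alongside transaction starts), lend themselves to a small detection routine. The following is an added example and not Soterion’s code: it learns each user’s trusted terminals and normal transactions from historical audit events and reports only the exceptions in a later period. The pipe-separated record layout and all events are constructed for this example and are not SAP’s export format; AU3 is assumed here to be the “transaction started” message ID.

```python
"""Added example, not Soterion's code: build a per-user trust baseline from
historical audit log events and report exceptions in the remote-working period.
The pipe-separated record layout and every event below are constructed for
this example; they are not SAP's Security Audit Log export format."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# DU9 and CUZ are the generic table access messages named in the article;
# AU3 is assumed here to be the 'transaction started' message.
TABLE_ACCESS_IDS = {"DU9", "CUZ"}
TXN_START_ID = "AU3"

# Constructed office-based history used to learn what is normal per user.
HISTORY_LOG = """
# date       | time     | user   | terminal      | msg | object
2020-02-03   | 08:15:02 | JSMITH | OFFICE-PC-117 | AU3 | ME21N
2020-02-03   | 08:40:11 | JSMITH | OFFICE-PC-117 | AU3 | ME23N
2020-02-04   | 09:05:30 | AKHAN  | OFFICE-PC-042 | AU3 | F110
2020-02-04   | 09:06:01 | AKHAN  | OFFICE-PC-042 | AU3 | FBL1N
"""
# Constructed events from the first weeks of working from home.
CURRENT_LOG = """
2020-04-06   | 07:55:40 | JSMITH | HOME-LAPTOP-9 | AU3 | ME21N
2020-04-06   | 08:10:12 | JSMITH | HOME-LAPTOP-9 | AU3 | SE16
2020-04-06   | 08:10:45 | JSMITH | HOME-LAPTOP-9 | DU9 | KNA1
2020-04-07   | 09:00:05 | AKHAN  | OFFICE-PC-042 | AU3 | F110
"""


@dataclass(frozen=True)
class Event:
    date: str
    time: str
    user: str
    terminal: str
    msg_id: str
    obj: str   # transaction code for AU3, table name for DU9 / CUZ


def parse(text):
    """Parse the constructed record layout; comments and blanks are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            raise ValueError(f"malformed record: {line!r}")
        events.append(Event(*parts))
    return events


def baseline(history):
    """Per user: terminals seen before (trusted) and transactions normally run."""
    terminals, tcodes = defaultdict(set), defaultdict(set)
    for e in history:
        terminals[e.user].add(e.terminal)
        if e.msg_id == TXN_START_ID:
            tcodes[e.user].add(e.obj)
    return terminals, tcodes


def find_exceptions(history, current):
    """Return (finding_type, event) pairs so reviewers see only exceptions."""
    terminals, tcodes = baseline(history)
    findings = []
    for e in current:
        if e.terminal not in terminals.get(e.user, set()):
            findings.append(("UNTRUSTED_TERMINAL", e))
        if e.msg_id == TXN_START_ID and e.obj not in tcodes.get(e.user, set()):
            findings.append(("NEW_TRANSACTION", e))
        if e.msg_id in TABLE_ACCESS_IDS:
            findings.append(("GENERIC_TABLE_ACCESS", e))
    return findings


def summarise(findings):
    """Count findings per type, e.g. for a daily exception report."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    hits = find_exceptions(parse(HISTORY_LOG), parse(CURRENT_LOG))
    for kind, e in hits:
        print(f"{kind:21} {e.date} {e.time} {e.user:7} {e.terminal:14} "
              f"{e.msg_id} {e.obj}")
    print(summarise(hits))
```

On the sample data AKHAN’s activity from the usual office terminal produces nothing, while JSMITH’s session from a new terminal, running a transaction never seen for that user and then a generic table read, produces the exceptions a reviewer would want to look at first.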

In our increasingly fast-paced world, there is a strong correlation between successful GRC and levels of business-user engagement in SAP organisations. Therefore, the evaluation of tools in terms of attributes which contribute to business user engagement is an appropriate evaluation tactic to employ.


For more information please email us at [email protected]
