Implementing Effective Controls in your Organisation
Understanding Effective Controls
Effective controls are essential for any organisation to manage and mitigate risks, particularly in SAP security and Governance, Risk, and Compliance (GRC). Accepting a certain level of risk is necessary for operations, and in the SAP context, users often face Segregation of Duty (SoD) risks due to resource constraints. Thus, the real value of a GRC program lies in defining and ensuring the effectiveness of appropriate controls.
Identifying and Mitigating Risks
To manage risks associated with SAP user access, organisations must first understand these risks. Once identified, it’s crucial to define the controls needed to mitigate them and establish control activities to ensure their effectiveness. Unfortunately, SAP users often accumulate excessive or inappropriate access over time due to the concept of SAP authorisation creep. This occurs when users receive roles that grant more access than necessary or retain old access after internal transfers.
The risk is that users with broad or inappropriate access can perform unauthorised functions, potentially leading to fraudulent activities, data breaches, or financial misstatements. Therefore, controls must be implemented to ensure users only have the access necessary for their job functions (least-privileged access) and to monitor the activities of those with unavoidable access risks.
Control Activities and Effectiveness
Control activities to mitigate access risks include:
- Access Risk Analysis: This detective control assesses users and roles against an access risk rule set to highlight violations. Effectiveness depends on taking corrective actions, such as removing unnecessary access.
- Access Risk ‘What-If’ Simulations: A preventative control that simulates access changes to identify potential new risks before they occur. Effectiveness requires all access requests to undergo simulation and business review.
- SAP Access Risk Rule Set and SoD Mitigations: Customising the rule set to ensure relevance and defining mitigations for each SoD risk. Effectiveness relies on keeping the rule set updated and applicable.
- Emergency Access Management: Ensuring users who need wide access for critical support functions do so in a controlled and auditable manner. Effectiveness requires thorough review of activity logs post-access.
- User Access Reviews: Periodic reviews to ensure assigned access remains relevant. Effectiveness depends on reviewers understanding the access details and risks associated with each role.
The Role of People, Process, Technology, and Design
The effectiveness of controls is influenced by the interplay between people, process, technology, and design. Identifying the right people to participate in compliance tasks, defining clear processes, selecting appropriate technology, and ensuring robust design are all critical.
- People: Include both IT and business users in compliance activities. Business users, in particular, need to understand and manage the access risks relevant to their roles.
- Process: Define detailed processes for each use case, ensuring that all involved understand their responsibilities and timeframes.
- Technology: Implement the right technology to facilitate control activities. The chosen solution should be user-friendly, translate technical language into business terms, and support effective control activities.
- Design: Ensure the SAP role design is robust and provides appropriate control. Outdated designs granting wide access hinder effective control activities.
Measuring Control Effectiveness
Control effectiveness is assessed by comparing the costs of control activities against their effectiveness. Consider the costs of SAP security resources, software licenses, and compliance task efforts. Evaluate the nature of controls (preventative vs. detective, system vs. manual, continuous vs. ad hoc) and how well they are executed.
Preventative controls are generally more effective than detective ones. System controls are more reliable than manual ones, and controls that are run continuously are more effective than those run on an ad hoc basis.
Continuous Control Monitoring
Implementing continuous control monitoring of materialised risks can significantly enhance control effectiveness. Materialised risks are those that have actually occurred, as opposed to potential or actual risks. Monitoring these in real-time allows for immediate alerts and focused reviews, making the process more manageable and efficient.
Conclusion
The inter-relationship between people, process, technology, and design is critical to control effectiveness. Choosing the right technology and ensuring clear processes and appropriate role designs can significantly enhance an organisation’s ability to mitigate access risks and ensure compliance. Effective controls not only provide security but also add value to the organisation by optimising resources and reducing the potential for fraud and errors.