Improving SAP Security Control Effectiveness with Soterion’s Continuous Controls Manager

Are you looking for ways to be more effective in your access risk management approach? 

What if we told you there was a way to continuously monitor materialised risk violations, enabling the organisation to move from manual controls to an automated, alert-based approach?

Soterion’s materialised risk reporting tool transforms the approach to risk management and aids in fraud detection by identifying SAP users who have executed conflicting functions on the same document, journal, purchase order, and more. By monitoring access risk violations that have materialised, the control shifts from a ‘Can Do’ to a ‘Did Do,’ ensuring greater effectiveness.

Before we discuss continuous controls monitoring of materialised risks in more detail, it’s important to first consider the organisation’s SAP security and GRC control activities from a broader, holistic perspective. Continuous controls monitoring is only one of the crucial components of an organisation’s SAP security strategy or GRC program.


SAP security control activities to mitigate SAP access risks

Effective controls are vital for organisations to manage risks, especially in SAP security and Governance, Risk, and Compliance (GRC). Organisations should recognise and understand SAP user access risks, such as Segregation of Duty (SoD) and authorisation creep, which can lead to excessive access. To mitigate these risks, it is essential to define appropriate controls and establish monitoring activities, ensuring that users maintain only the access necessary for their roles (least-privileged access) to prevent unauthorised functions and potential fraud.

In this diagram we illustrate the various control activities we believe are essential for an organisation to include in its GRC program.


Continuous Control Monitoring and the impact of people, process, design and technology

The effectiveness of controls is shaped by the interaction among people, process, technology, and design. It is crucial to identify the right individuals for compliance tasks, establish clear processes, select suitable technology, and ensure robust design. This blog article will address the challenges organisations face in defining effective continuous controls and examine the considerations for people, processes, design, and technology that facilitate this effort.

Real-time monitoring enables immediate alerts and targeted reviews, enhancing the manageability and efficiency of the process.


People

Challenges

  • Development, design, and testing of continuous controls are complex and time-consuming.
  • Knowledge transfer and documentation of controls.
  • Time-consuming and complex interpretation and response to materialised risk results.

Considerations

  • Identify suitable software and business resources to support users with continuous controls monitoring (CCM).
  • Designate both technical and business resources to define, build, review, and maintain the controls and their outcomes.

Process

Challenges

  • Ongoing assessment of the effectiveness and accuracy of defined controls.
  • Ensuring that reviews and appropriate actions are taken for identified materialised risks.
  • Organisations lacking continuous control monitoring (a system detective control) invest significant time and effort in executing manual detective controls.
  • Data extraction and storage: effective system detective controls often analyse large volumes of data, necessitating careful consideration of processing and storage.

Considerations

  • Incorporate workflow functionality to streamline the review and management of controls.
  • Explore opportunities for automating materialised risk detection.

Technology

Challenges

  • Without a CCM solution, internally developed controls may have limited capabilities and functionality, reflecting the expertise and resources of the internal team.
  • Considerations of implementation time, cost, and ongoing maintenance.

Considerations

  • When developing controls, organisations should evaluate the current system landscape to ensure completeness and accuracy.
  • Identify applications that fall within the scope.

Design

Challenges

  • SAP does not provide default controls for Continuous Controls Monitoring, necessitating the design of custom controls along with appropriate filters and sensitive fields. Additionally, quantifying access risks to enhance control effectiveness presents a challenge.

Considerations

  • Establish controls for your most critical risks and consider expanding these controls over time.

How does Soterion address the challenges that organisations face in developing effective continuous controls monitoring?


  • Soterion offers customisable, predefined continuous controls to identify materialised Segregation of Duty (SoD) risks.
  • The system’s flexibility allows customers to tailor it to their specific requirements.
  • Significantly reduces the overwhelming volume of SoD risks.
  • Eliminates the necessity for manual checks.
  • Enables organisations to save substantial resources and reduce costs.
  • Automatically routes materialised risk cases to the appropriate personnel upon initiation.
  • Facilitates efficient case management and follow-up processes.
  • Continuously monitors compliance checks for IT General Controls (ITGC).
  • Provides comprehensive oversight.
  • Features an auditor-friendly design that ensures smooth external audits.

Watch Soterion’s Continuous Controls Manager Demo Video

Implementing continuous control monitoring of materialised risks can significantly enhance control effectiveness. Materialised risks are those that have actually occurred (a user has executed both sides of a conflict), as opposed to potential risks that exist only because a user holds the conflicting access. Monitoring these in real time allows for immediate alerts and focused reviews, making the process more manageable and efficient.


Key Benefits of Soterion’s Continuous Controls Manager:

  • Identification of Segregation of Duty (SoD) Risks: Identify and address SoD risks that have materialised. 
  • Real-time Monitoring: Continuous control monitoring ensures enhanced security. 
  • Enhanced Access Risk Management: Elevate access management capabilities effortlessly. 

By extensively scrutinising the SAP transactional data, Soterion’s Continuous Controls Manager solution enables organisations to continuously monitor those access risks that have materialised, ensuring a more effective access risk management capability.     
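The ‘Can Do’ versus ‘Did Do’ distinction described in the opening and closing paragraphs, as an added example that is not Soterion’s code: the SoD rules, user authorisations, transaction records and function names are all constructed for illustration, and the materialised check keys on a shared document id only.

```python
from collections import defaultdict

# Constructed SoD rules: pairs of conflicting business functions (not Soterion's rule set).
SOD_RULES = {
    "PO_CREATE_VS_PO_APPROVE": ("create_purchase_order", "approve_purchase_order"),
    "VENDOR_MAINTAIN_VS_PAYMENT_POST": ("maintain_vendor", "post_vendor_payment"),
}

# Constructed sample of user authorisations: what each user *can* do.
USER_FUNCTIONS = {
    "jsmith": {"create_purchase_order", "approve_purchase_order"},
    "apatel": {"maintain_vendor", "post_vendor_payment"},
    "lwong": {"create_purchase_order"},
}

# Constructed transaction log: (user, function, document id, timestamp).
TRANSACTION_LOG = [
    ("jsmith", "create_purchase_order", "PO-4500001", "2024-03-01T09:12"),
    ("lwong", "approve_purchase_order", "PO-4500001", "2024-03-01T11:40"),
    ("jsmith", "create_purchase_order", "PO-4500002", "2024-03-02T08:05"),
    ("jsmith", "approve_purchase_order", "PO-4500002", "2024-03-02T08:07"),
    ("apatel", "maintain_vendor", "V-100200", "2024-03-03T14:30"),
    ("apatel", "post_vendor_payment", "DOC-9000017", "2024-03-03T15:02"),
]


def can_do_violations(user_functions, rules):
    """'Can Do' view: users authorised for both sides of a conflicting pair."""
    hits = []
    for user, funcs in user_functions.items():
        for rule_id, (a, b) in rules.items():
            if a in funcs and b in funcs:
                hits.append((user, rule_id))
    return sorted(hits)


def did_do_violations(log, rules):
    """'Did Do' view: the same user executed both conflicting functions on the same document."""
    executed = defaultdict(dict)  # (user, document) -> {function: first timestamp seen}
    for user, func, doc, ts in log:
        executed[(user, doc)].setdefault(func, ts)
    hits = []
    for (user, doc), funcs in executed.items():
        for rule_id, (a, b) in rules.items():
            if a in funcs and b in funcs:
                # Report the materialised case with both timestamps for the reviewer.
                hits.append((user, rule_id, doc, funcs[a], funcs[b]))
    return sorted(hits)
```

On this sample both users hold conflicting access, but only jsmith actually executed both functions on one document, so the ‘Did Do’ view produces a single case for review instead of two potential ones.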

Feel free to email us at [email protected] if you have any questions or would like to know more. We will gladly assist with a demo to show how we can help.
