Visit us at UKISUG Connect 2021

Come and visit our booth at UKISUG Connect 2021. We are looking forward to connecting with delegates in person this year. We have also partnered with UK & Ireland SAP User Group (UKISUG) to bring to you an informative session on ‘How to improve the organisation’s risk awareness with business-centric GRC’ presented by Emile Steyn, Business Unit Director at Soterion Benelux.

About UKISUG CONNECT 2021

UKISUG Connect is the largest annual gathering of SAP Professionals across the UK & Ireland.

This event, held at The ICC Birmingham, is spread over three days and is the ‘go-to’ for all SAP users, with knowledge-rich keynotes, engaging breakout sessions and an exhibition hall of over 70 SAP
partners and various interactive sessions.

About Our Breakout Session:

• Date: 29 November 2021
• Time: 16:30 – 17:10 BST
• Venue: Level 2, Hall 9
• Register: Online
• Find out more

What to Expect from the Session

Organisations have been struggling to derive value from their GRC investment since the inception of GRC solutions. Coupled with this, business users often perform compliance tasks with minimal intent and/or consideration to the impact on business. The technical nature and complexity of SAP security and GRC means that ownership typically remains an IT problem.

In this session we will articulate the techniques and strategies to successfully shift access risk from IT to the business, thus enhancing business accountability and buy-in. This will ultimately improve an organisation’s overall risk awareness and ability to manage their risk.

Emile Steyn will share his extensive experience in the field of Access Risk management. The GRC challenge is growing with more incidents taking place around the globe. Organisations will benefit from learning how SAP access risk is related to business risk and addressing it as a business risk leads to enhanced accountability and a security culture. Emile will share tips and tricks that will benefit the audience in how they address the challenges in their organisation.

——–

If you require any further information or have any questions about the event or Emile Steyn’s presentation please email [email protected]

At Soterion, a study was recently conducted to find out how many organisations have customised their SAP access risk rule set.

We were surprised to find out that more than half of the companies we surveyed haven’t customised their rule sets and are using the vendor’s out-the-box standard rule set. Interestingly, SAP access risk rule set customisation is a common recommendation by many of the Big 4 audit firms.

SAP access risk rule sets typically contain risks for the following categories:

• Segregation of Duties (SOD)
• Critical Transactions
• Data Privacy

There are a number of benefits to customising these rule sets – and yes, some of these are obvious. But for many organisations, the advanatges of customising your SAP access risk rule set aren’t immediately apparent.

Here are some reasons to customise your SAP access risk rule sets that you might already know about (and some you might not have considered).

Benefit 1: Reduce the cost and effort of managing irrelevant risks

The out-the-box rule set has been defined for all industries and chances are these are not all going to be applicable to your unique business. Every access risk in the rule set requires some level of effort (which has a cost implication) to manage.

 

By removing risks that are not applicable to your business, you will reduce the effort and cost to manage those risks.

 

Benefit 2: Get better coverage of all your processes

 

The out-the-box rule sets generally cover the main business processes such as Procure to Pay, Order to Cash, Finance, Materials Management, and Hire to Retire. But some of the not-so-common business processes such as IS Health, Media, Insurance, and Global Trade Services are not included in many of the out-the-box rule sets. By adding these risks to the rule set, your organisation has better coverage of all your processes.

 

The more common scenario with regard to updating the rule set is adding any custom functionality. As out-the-box rule sets do not contain any custom (Z tcodes) transactions, it is important to add these to the rule set. For example, if the organisation has created a custom version of VA01 (e.g. ZVA01) if this performs a similar function to VA01 and allows the users to create Sales Orders, it should be added to the rule set.

Benefit 3: Get more business buy-in for GRC activities

As detailed above, when using an out-the-box rule set, many of the risks are not relevant to your organisation. What often happens is business users lose confidence in GRC activities because they don’t agree with the risk that they are being asked to monitor.

For those organisations who struggle to get the necessary business buy-in and participation from their business users in GRC activities, a rule set customisation exercise has significant benefits to addressing this challenge in a number of ways:

Monitoring relevant and applicable risks: monitoring risks that the business believe in will enhance their participation and buy-in. This will raise the organisation’s risk awareness.

 

Building understanding of business impact: A big challenge for many organisations is that business users do not understand the SOD access risks, resulting in actions being taken without understanding the consequences or impact on the business. Rule set projects are usually workshop based where business users and functional consultants discuss each risk. This is a useful educational exercise where each SOD risk is explained in detail and how fraud can potentially be committed with the conflicting combination of access. Once business users understand the SOD risk, they will have a better understanding of the impact of this on the organisation, and thus be able to make a more informed decision as to whether users should have that access or not.

 

Defining a Standard Operating Procedure (SOP): As it is unlikely that the organisation can operate without any risk violations, there will be a number of end users who will have access risks. When a user requests additional access that is in conflict with access they already have, it’s unclear whether it can be approved. As a result, these types of requests often sit in the reviewer’s inbox for a number of days.

 

It’s important to define a policy for risk levels i.e. what is the rule for a simulation for each risk level? Part of the rule set customisation is to define these rules (SOP).

 

An example here is:

– If risk = Critical – access cannot be assigned

– If risk = High – access can be assigned but with Mitigating Control

– If Risk = Medium – access can be assigned without Mitigating Control

 

By defining these types of guidelines, your business users are able to make quicker decisions on whether the additional access requested can be approved. This reduces the time that SAP access change requests sit in a manager’s inbox waiting to be approved, which ultimately reduces the business downtime (end-user waiting for requested access).

 

Whether you need assistance with customising your out-the-box SAP access risk rule set or advice on where to start, Soterion’s team of SAP experts can assist with your unique requirements and help you implement more effective GRC. Email us at [email protected] to get started.

Soterion has partnered with SAP Swedish User Association (SAPSA) to bring to you a presentation on the User Access Assigned via an Identity Access Management and/or an Access Control (GRC)

About SAPSA

SAPSA – SAP Swedish user association – is an independent and non-profit association that since 1990 promotes the exchange of knowledge and experience between our members through networking.  SAPSA annually organises content-rich conferences, meetings and other network meetings in order to promote the members’ opportunities to exchange experiences and expand their knowledge in the use of SAP.

Event Details

• Date: 8 – 9 November 2021
• Learn more
• Register/Book tickets

Here’s what you’ll take away from our sessions:

User Access Assigned via an Identity Access Management and/or an Access Control (GRC)
Tuesday 9 November 14:00 – 14:30 CEST
Presented by: Emile Steyn, Unit Business Director at Soterion Benelux

Identity Access Management solutions can bring great efficiencies in the user access provisioning process but are less well equipped to identify access risk. On the other hand, access control solutions are well equipped to identify access risk but are less powerful at user provisioning. Learn about the benefits of provisioning SAP access using an IAM solution outweigh that of GRC solution, as well as other scenarios where provisioning access using the Business Role concept (of the access control / GRC) solution are more beneficial than that of the IAM solution.

Orkla Solved GRC in a Quick and Efficient way
Monday 8 November 10:00 – 10:30 CEST
Presented by: James Quinn, GRC Manager, Orkla Group & Karin Ejstrup, Business Unit Director, EPI-USE Labs

Orkla needed a fast implementation of GRC when moving to S/4HANA. Hear what challenges Orkla IT group had with  requirements from the business side, how they implemented Soterion GRC in an S/4HANA context and how they managed to please both internal and external auditors.

—–

We look forward to connecting with everyone virtually.

If you require any further information or have any questions about the event, please email  [email protected]

Read more about our offerings  – Software as a Service, Managed Service, and On-Premise Software. Soterion’s GRC modules include Access Risk Manager, Basis Review Manager, Elevated Rights Manager, Periodic Review Manager, Employee Self-Service, and SAP Licensing Manager.

Soterion has partnered with BR1GHT to bring you a free 1-hour webinar on the very current and pressing topic – Managing Security and Authorisations for SAP S/4HANA in a Changing World. We look forward to hearing from our guest speakers at BR1GHT, PwC and Soterion.

About the webinar

S/4HANA is on the horizon for many organisations.
For SAP end-users, the new Fiori functionality will provide an improved user experience. However, this benefit comes at the cost of more complexity from a security perspective. Coupled with this, organisations are under increased pressure from internal and external auditors to ensure that their SAP security provides an adequate level of control. The S/4HANA project provides a great opportunity to prioritise security from the outset (security-by-design) and implement a robust security solution that adequately addresses your organisation’s security requirements for years to come.  

During this free 1-hour webinar, experts from BR1GHT, PwC and Soterion will provide insights needed to identify these challenges and pro-actively address issues before and during the S/4HANA migration.

What to expect:

• Meindert Keuning (BR1GHT) will share his vision on how organisation’scan minimise their SAP security risks and save costs through an SAP authorisation service concept. 
• Steven Hordijk (PwC) will provide insights on trends and why better set-up and use of tools like Soterion is essential. Steven will discuss key risks that should be managed, highlight key focus areas from auditors and explain why S/4HANA transition is the moment to invest in compliance. 
• Emile Steyn (Soterion) will explain how Soterion’s business-friendly solutions can help companies remove these challenges and pro-actively address their current issues.

Webinar Details

• Date: Wednesday, November 17, 2021
• Time: 10:00am – 11:00am (CET)
• Register Here

 

More about our speakers:

Meindert Keuning – BR1GHT – Responsible for the continuous monitoring and SAP propositions at BR1GHT. He gained his hands-on experience from his 15 year tenure at KPMG as an IT advisor and IT auditor.  

Steven Hordijk – PwC – Director at PwC Risk Assurance supporting clients globally with their internal control and automation challenges.  

Emile Steyn – Soterion Benelux – Business Unit Director and an SAP security specialist with experience in retailing, manufacturing, agriculture, mining and healthcare.
 

 

 —–

We look forward to connecting with everyone virtually.

If you require any further information or have any questions about the event, please email  [email protected]

Soterion has partnered with SAP Australian User Group (SAUG) to bring to you a 1-hour webinar on SAP User Access Provisioning (IAM vs GRC) – understand your options, presented by Soterion CEO, Dudley Cartwright.

 

About SAUG

 

The SAP Australian User Group (SAUG) is an independent not-for-profit industry association that provides information, access, and advocacy for SAP customers and professionals (including SAP acquired companies – SuccessFactors, Ariba, BusinessObjects, Concur, hybris and Fieldglass). With a member base of over 6,000 individuals from 300+ companies, SAUG is the only SAP-endorsed user group in Australia.

SAUG’s vision is to be a strategic partner of the Australian SAP community to help each other achieve business goals by gaining the insights and influences required to utilise and improve SAP and close the gap between strategy and execution.

About the webinar

 

This 1-hour webinar, presented by Soterion CEO, Dudley Cartwright, will impart valuable insight into assigning SAP user access via an Identity Access Management solution (IAM) versus the Access Control (GRC) solution. We will discuss the pros and cons of both provisioning methodologies, as well as when to consider a hybrid approach.

• Date: Tuesday, October 19, 2021
• Time: 2:00PM – 3:00PM AEST
• Register Here (Webinar open to SAUG Members only)

 

Identity Access Management solutions can bring about great efficiencies in the user access provisioning process but are less well equipped to identify access risk. On the other hand, access control solutions are well equipped to identify access risk but are less powerful at user provisioning.

We will discuss some scenarios where the benefits of provisioning SAP access using an IAM solution outweigh that of GRC solution, as well as other scenarios where provisioning access using the Business Role concept (of the access control / GRC) solution are more beneficial than that of the IAM solution.

Key takeaways

• Pros and cons of user provisioning of the different methodologies
• Understanding your organisation’s business objectives to help you decide on the most appropriate provisioning strategy

This webinar is open to SAUG members only, be sure to log into the website to register. If you are interested in joining SAUG, head to their Membership Page.

—–

 

We look forward to connecting with everyone virtually.

If you require any further information or have any questions about the event, please email  [email protected]

Read more about our offerings  – Software as a Service, Managed Service, and On-Premise Software. Soterion’s GRC modules include Access Risk Manager, Basis Review Manager, Elevated Rights Manager, Periodic Review Manager, Employee Self-Service, and SAP Licensing Manager.

 

 

Investing in Governance, Risk and Compliance (GRC) is one of the most important business investments you can make. Modern businesses need effective yet efficient risk and compliance management solutions to support growth and sustain operations. Unfortunately, the vast majority of SAP customers that have implemented a GRC solution are not seeing the value they should from their investment.

While this can be influenced by a number of factors, it often comes down to one key reason: lack of business uptake. At Soterion, we have specifically developed a solution that simplifies GRC for SAP customers. However, the principles discussed in this article are just as relevant to users of other ERP solutions as they are those using SAP.

GRC for SAP customers: The link between uptake and ROI

Typically, an organisation’s GRC effectiveness is measured by how well business users perform their access risk management activities.

However, by their nature, GRC solutions are very complex and technical. They have been developed to analyse transaction codes, authorisation objects, and fields available in an SAP user’s ‘user-buffer’. Many of these solutions were developed from a technical audit perspective with very little consideration for their use by business users.

It’s a well-known rule of business that when it comes to technology, the more complex the solution, the less uptake you can expect from users.

Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to resistance. Users will typically keep pushing these activities back onto IT, which means that your GRC solution will become a back-end solution used by the SAP security and GRC teams, with minimal involvement from the rest of the business.

Putting business users at the heart of GRC

Business-centric GRC puts the business user at the centre of the process. It is all about enhancing business accountability of access risk through a business-first approach to all SAP security and GRC activities.

By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in its risk management activities. One of the best ways to illustrate this is with the audit principle covering the three lines of defence.

The first line of defence is your business or operational users, the second line of defence is your risk and compliance departments, and the third line of defence is the audit and assurance departments.

Your first line of defence should always be your strongest. These are people who have been in your organisation for 15 – 20 years and understand your business better than anyone else.

Unfortunately, in most organisations, this is typically the weakest line of defence. That is not because those employees don’t know the risks in their area, it is because the organisation has not implemented the correct processes and systems to empower those users to participate in risk management activities.

Practical solutions and processes are key to performance

To facilitate business buy-in, it’s crucial that organisations running SAP use a GRC solution that is business-centric.

Business-centric GRC solutions convert technical language into business-friendly terms, allowing business users to not only understand the risks in their area of responsibility but also facilitate quicker decision making. And faster, more informed decision making reduces the business downtime of an SAP user waiting for long periods for SAP access requests.

It’s also important that your access risk management processes are practical enough that business users can execute appropriate controls.

Take, for example, the User Access Review process. This is where business users review their users’ SAP access to determine whether this access is still relevant for their job function. The process typically takes the reviewers many hours to perform the review. Additional challenges can also present along the way, such as non-descriptive SAP role names making it difficult for the reviewers to know exactly what access or functionality the role users are entitled to.

The process can be so time-consuming that in many cases, organisations discover the effort does not justify the value of the exercise.

Soterion is a leader in business-centric GRC for SAP customers. Each and every feature has been developed from the perspective of the business user.  Our GRC solution enables the User Access Review to be performed by business process, thus eliminating any deficiencies in the SAP role naming convention. Business users can perform a more effective review that has a better business outcome. Using a business-centric GRC solution like this means a review typically takes less time, resulting in a significant cost saving for the organisation.

Get your users on board with business-centric GRC solutions

An organisation cannot manage their access risk effectively without business involvement. However, getting your business users on board and accountable for managing risk without the right tools and processes in place is an uphill battle.

Enhancing business accountability of access risk, with the use of a business-centric GRC solution, will improve the organisation’s overall risk awareness as well as their ability to manage their risk.

Soterion is a leader in business-centric GRC for SAP customers. If you don’t feel like you’re getting the most out of your GRC investment, get in touch to discuss how we can help.

 

UKISUG Webinar: Business-centric GRC – User Access Review by Business Process

Effective GRC is measured by how well the business users carry out their access risk management activities. Join our webinar to learn more!

Soterion has partnered with UK & Ireland SAP User Group (UKISUG) to bring to you a 1-hour Webinar on Business-centric GRC – User Access Review by Business Process presented by Soterions CEO, Dudley Cartwright.

 

About UKISUG

Founded in 1988, The UK & Ireland SAP User Group (UKISUG) is an independent ‘not for profit’ organisation. UKISUG comprise of over 600 organisations and 5,000 professionals, are an independent voice for SAP users in the UK and Ireland and provide a channel for SAP to communicate to customers.

 

Webinar Details

• Date: Wednesday, 15 September 2021
• Time: 2:00 PM – 3:00 PM BST
• Register: Online
• Note: This webinar is open to all. If you are interested in joining, please be sure to visit UKISUG’s website to book as a guest, or if you are a member login to reserve your place
• Find out more

 

What to Expect from the Session 

In this webinar, we will discuss the importance and interrelationship between the components of effective GRC, namely the role design, rule set, and access control solution. We will explain how a combination of design, process improvements, and the right solutions will enable the SAP user access review to be performed effectively and efficiently.

 

 

 

We look forward to connecting with everyone virtually.

If you require any further information or have any questions about the event, please email  [email protected]

For those organizations who do not have an access control / GRC solution, there are considerable benefits in performing regular SAP access risk assessments.

The appropriateness of an SAP authorization solution degrades over time, primarily due to SAP authorization creep. Authorization Creep is where users inherit more access over a given period than the access removed from them as they move to different job positions internally. This also happens when they require a single transaction code but are assigned a role with many transaction codes.

Technical mistakes in the role-build process can also cause the SAP authorization solution to provide users with wider access than required. A very basic example here is where S_TCODE is maintained in a role with S_ALR*.
It is important to note that not all S_ALR* are Display Transactions.

Another common mistake is where display roles are created with update transaction codes in them, and the ACTVT values are maintained to Display only (03, 08 etc). These roles work well in isolation, but as soon as they are assigned to users who also have other update roles, the combination of the S_TCODE value from the Display role, and the update ACTVT fields in the user’s other roles, results in the user having far wider access than intended.

It is not only unfair on the SAP security team, but also impractical, for them to pick up on these types of issues. The complexity of SAP authorizations not only means that these types of mistakes are relatively common, but the sheer volume of data makes it very difficult to identify these issues. It is like finding a needle in a haystack.

For many organizations, their external audit is the only time in the year where an access risk assessment is performed on their SAP system. These organization have very little visibility into their SAP access risk exposure for the majority of the year, placing them at unnecessary risk.

With a number of vendors who have developed a cloud offering, performing an access risk assessment is simple and easy. The data extraction can typically be done in less than an hour, which is the only effort required by the company. The vendor will perform the assessment and send the company their access risk results.

Performing more regular access risk assessments can be a more failsafe way to ensure the SAP authorization solution has not provided in-appropriate access to the users during the course of the year.

 

Below are three benefits of performing regular SAP access risk assessments:

 

1. Reduce SAP access risk: By performing SAP access risk assessments, you will be able to identify any role(s) that is providing users with in-appropriate access. Often it is only a handful of roles that have been incorrectly maintained that are responsible for the majority of the access risks. In many cases, these roles can be addressed with minimal effort. They are the ‘low hanging fruit’, and with minimal effort can have a significant reduction in the total access risk count.
2. Better prepared for audits: Performing an access risk assessment prior to your external audit can allow you the opportunity to identify ‘quick wins’ which can be addressed prior to the audit. There is no organization that wants an unfavourable audit report, so reducing any findings prior to audit can be quite attractive. In addition, there could be a cost-saving to being better prepared for audit. If an authorization solution is providing users with such wide access that the audit firm believes that substantive audit procedures are required, not only will there be additional audit cost to carry this out, but there will be additional effort required by key employees to prepare for the audit.
3. Enhanced business-accountability of access risk: Although access risk is business risk, the business users are unlikely to take accountability without some form of visibility i.e. you cannot be accountable for something you are not aware of. Without regular access risk assessments, the business users are unlikely to know who has access to specific SAP functions. By performing regular assessments, IT is providing the business with the necessary visibility for them to understand the access risks that exist in the SAP system. This in turn will allow IT to shift responsibility to the business. Visibility enhances accountability.

Consider how your data will be handled by the vendor performing the access risk assessment, ensure that the vendor is both ISO27001 and SOC certified. Vendors providing such services need to illustrate that they will handle client data that is in accordance with your organization’s internal requirements as well as any regulatory requirements.

 

Soterion SAP Access Risk Assessment

 

Soterion can be used to perform an SAP access risk assessments on the organization’s SAP environment by, either using the Soterion standard rule set, or the customer is able to import or customize their own rule set. Soterion’s SAP access risk assessment includes:

• SAP Access Risk Assessment:An access risk assessment is performed at User, Composite Role and Single Role level. Access risks reports are based on what access has been assigned (potential) and displays this in relation to the actual transaction usage. Soterion’s Get Clean module supports risk remediation consulting projects.
• Basis Review: This assessment reports on the SAP basis configuration settings against a set of industry best-practices.
  

   

Soterion Access Risk Assessment Process

 

 

Viewing the Results of the Soterion Access Risk Assessment

 

One of the key advantages of a Soterion access risk assessment is that the results are displayed in the Soterion web application. This allows quicker analysis of the results and more effective remediation. Soterion will highlight the risks with the highest contribution, as well as flag the users and roles who are responsible for the majority of the access risk violations.

Soterion’s business-centric reporting capability will also illustrate each risk with supporting business process flow diagrams, thereby providing more context to the access risk and converting the technical GRC language into a business-friendly language to ensure better decision-making.

 

If your organization is interested in having ad hoc assessments, please contact us – [email protected]

Soterion has partnered with SAP Australian User Group (SAUG) to bring to you a 45-minute Solution Series Webinar on Data Privacy and how to manage it in SAP.

About SAUG

The SAP Australian User Group (SAUG) is an independent not-for-profit industry association that provides information, access, and advocacy for SAP customers and professionals (including SAP acquired companies – SuccessFactors, Ariba, BusinessObjects, Concur, hybris and Fieldglass). With a member base of over 6,000 individuals from 300+ companies, SAUG is the only SAP-endorsed user group in Australia.

SAUG’s vision is to be a strategic partner of the Australian SAP community to help each other achieve business goals by gaining the insights and influences required to utilize and improve SAP and close the gap between strategy and execution.

This upcoming event will allow many to leverage their SAP success with the help of Soterion’s data and access management solutions.

The webinar will impart valuable insight into the basics of SAP security, which will help your organization help monitor and maintain Data Privacy.

 

Event Details

• Date: Tuesday, July 20, 2021
• Time: 2:00 PM – 2:45 PM AEST
• Register Here (Webinar open to SAUG Members only)

 

Event Take Away

Many elements in the SAP system regulate SAP Security and Authorizations; therefore, having a good understanding of the basics of SAP security is imperative. Data Privacy regulations are one of those elements, and they contribute to the overall framework of your security.

Understanding what data is sensitive, the purposes of the data, how it should be controlled, and who should have access to it is a crucial component for organizations running data subjects. This dynamic will help organizations achieve a more secure SAP environment, but it is a great way to ensure you maintain your SAP security and achieve other business objectives.

Due to the vast number of SAP transaction codes and tables in SAP, managing who has access to personal data in SAP can be a real challenge. In this webinar, join our CEO, Dudley Cartwright, as he discusses how Soterion’s Data Privacy Manager can identify which tables and transaction codes in SAP contain personal information and who has access to it.

In this session you will learn how you can:

• Easily identify whether your SAP system is storing personal data

• Highlight which users in the organization have access to personal data

• Manage access to sensitive personal data going forward – data privacy by design

 

This webinar is open to SAUG members only, be sure to log into the website to register. If you are interested in joining SAUG, head to their Membership Page.

 

—–

 

We look forward to connecting with everyone virtually.

If you require any further information or have any questions about the event, please email  [email protected]

Read more about our offerings  – Software as a Service, Managed Service, and On-Premise Software. Soterion’s GRC modules include Access Risk Manager, Basis Review Manager, Elevated Rights Manager, Periodic Review Manager, Employee Self-Service, and SAP Licensing Manager.