Thought Leadership

Building More Effective Access Control Through Business-Centric GRC

If your SAP roles and rule sets are sound, your access control solution is set up for success

This article is based on a Tech Insights brief by Craig Powers, Research Analyst at SAPinsider. The brief takes a deeper look at what is needed to set an organisation up for success when it comes to access control.

Read a summary of Craig’s findings below or download the full SAPinsider Tech Insights brief.

SAPinsider’s Tech Insights brief highlights:
  • Business-centric access control engages business users in the access risk management process to help align access better with business needs.
  • SAP role clean-up and GRC rule set customisation are vital foundational elements to a successful access control solution.
  • Companies can significantly reduce access risk and access over-allocation through greater business involvement in access control.

Companies use access control solutions to identify risk within their user base. These solutions and processes are often technical and driven from audit and IT perspectives, with very little input from business users, who might find the technical GRC language hard to decipher. That’s where the idea of business-centric GRC comes into play for access control: providing the business with easier-to-understand, less technical language so that they can better interpret the data.

Understanding risk = greater ownership

If business users understand the access risks presented to them, they are more likely to ultimately take ownership of it. And when the business users take ownership of access risk, they can be held accountable.

However, creating business-centric access control is difficult to do internally. More often than not it requires a solution that speaks to business users, such as Soterion’s Access Risk Manager, which features user-friendly interfaces and business process flows for easy risk remediation and effective access control management.

Building a solid access control foundation

While it may take the right business-centric GRC solution to get business users invested in access control, it’s a mistake to view the software as a silver bullet.

First, the SAP role design within SAP must be corrected to optimise any technology investment. Once the organisation has implemented a good SAP role design, it must then ensure its GRC rule set is customised to align with its unique access and risk requirements.

If your SAP roles and rule sets are sound, your access control solution is set up for success. The question then becomes: How do you measure success in access control? One way to do this is by gauging how well business users carry out access risk management activities.

The problem is that often business users need to perform certain GRC functions, but they understand very little about GRC itself. They complete the tasks to tick an audit box rather than to address a specific need within the organisation. This is why having business user engagement is so important.


Top 4 access control requirements and strategies

There are a few reasons organisations use an access control solution.

  1. Firstly, they need to ensure that their SAP systems are secure, often driven by internal and external audits. These audits seek to monitor whether people are assigned appropriate access and to determine the fraud risk associated with improper access.
  2. Companies are also concerned about improving the efficiency of their SAP user provisioning processes and making it easier to manage authorisations. The goal is to get business users to perform compliance tasks and access risk management activities much more efficiently.
  3. Complying with regulations is also a top priority for implementing access control processes and solutions, especially when it comes to data privacy. There is a significant amount of sensitive personal data in SAP. Understanding where that data resides and who has access to it is important, especially when complying with data privacy regulations.
  4. Finally, companies see the need to move access risk responsibility away from IT departments to business users. This shift means moving beyond using GRC solutions solely as back-end tools and becoming more business-centric in managing access risk.

To accomplish these objectives, companies should look to streamline provisioning processes and utilise automation to improve efficiencies. One example is to make use of Business Roles.

A Business Role is a collection of SAP access drawn from a number of SAP systems. When a Business Role is assigned to an SAP user, all the required access from the various SAP systems (including DEV and QAS) for that user is assigned. This reduces the effort and time taken to assign appropriate access.

Benefits of business-centric access control

There is a strong tendency to over-allocate access in SAP. This is either due to SAP users inheriting roles as they move internally, or to a user being assigned an SAP role that has 50 transaction codes when the user only needs to use one of them (SAP authorisation creep).

A business-centric GRC solution will ensure compliance tasks such as a User Access Review are more effective, and can result in much of the over-allocated access being removed, leaving an SAP authorisation solution that is well aligned to what the users are actually doing in the SAP system. This remediation effort reduces the effort required to carry out future user access reviews: with a well-aligned solution, business users have far fewer user–role relationships to review, which can be a significant cost saving to the organisation.

Soterion has seen organisations reduce access risk by as much as 80%, significantly minimising the potential for fraud. One way business-centric access control reduces risk is that business users make informed decisions as to whether their users need specific SAP access or whether it poses too significant a risk to the organisation. This informed decision-making process results in only appropriate access being assigned to users, which reduces the potential for fraud in the organisation.

What does this mean for you?

Here are three key takeaways to consider when planning your business-centric GRC and access control strategy:

  1. Properly defining your SAP roles and GRC rule sets is essential.
    If your SAP roles and GRC rule sets aren’t adequately set up and customised to your organisation, it becomes difficult to assign appropriate access. If that’s the case, it doesn’t matter how great your GRC solution is, because it won’t correctly assess risk without accurate role and rule set data.

  2. Make access control accessible to business users.
    While many companies rely on IT to carry out access control through GRC software, the business users must carry out proper access risk management processes. Provide business users with user-friendly interfaces and easy-to-understand (read: non-technical) language around necessary risk management. They will be more engaged and more likely to limit access risk effectively.

  3. Go beyond audits when measuring GRC effectiveness.
    It’s tempting to rely on audits to do the heavy lifting when it comes to measuring the effectiveness of your GRC and access control programs and technologies. However, that’s more of a measurement of the result, not the process. Companies can get ahead of audits by looking at how well business users are performing their access risk management duties along the way.


How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.


Thought Leadership

5 Key Business Risks in 2022: Are You Covered?

“Access control is central to the management of key business risks”. This is one of the key takeaways from IDC, a leading provider of global IT research and advice, in their recent IDC Vendor Spotlight, sponsored by Soterion.

The IDC Vendor Spotlight outlines key challenges associated with SAP access management, the benefits of investing in a quality access control solution, and actions required to drive improvements.

Download the full IDC Vendor Spotlight  here or read an excerpt below which details IDC’s views on the key business risks that access control solutions can help manage.

1. Financial Risk

Financial processes must be designed to prevent fraud by those inside the business. Segregation of duties is a key technique to protect against fraud, the principle being that transactions must always require action from two or more staff, making it extremely difficult for an individual to commit fraud and more likely that errors are picked up.

2. Reputational Risk

Organisations must protect their reputation among customers and investors. The failure of risk management processes can have a big impact on the reputation of a business as well as direct financial losses or legal repercussions.

In Europe, a series of corporate scandals and failures have made the public aware of the fact that not all businesses meet the standards required of them, reducing trust in the business in question. This loss of trust can have a material impact on brand value and the share price of listed companies.

3. Regulatory Risk

Applying processes that manage risk goes beyond good business practice. All businesses are legally required to comply with regulations determined by the jurisdictions in which they operate. Organisations in certain industries such as financial services and pharmaceuticals must adhere to a specific set of regulations driven by the types of products they develop and sell.

Auditors will check compliance with these regulations. Critically, it is not enough for an organisation to show that no failures occurred; regulators and auditors must see that robust processes are in place to ensure continued compliance.

4. Privacy Risk

An example of a set of regulations that applies to all organisations in Europe is the General Data Protection Regulation (GDPR). All businesses that operate in Europe must treat personal data in line with a set of rules that control the way data is collected and consent for its use, storage, and retention is handled. There are serious penalties for organisations that breach these regulations.

5. Access Control

Processes designed to mitigate financial, reputational, and legal risks are the first part of the solution; access control is the second. The effectiveness of business processes is contingent on the correct people actioning each step of the process. Risk management is ultimately in the hands of people who must perform the role defined for them precisely. Individuals with access rights to systems that are too broad may find they are able to circumvent or compromise processes designed to protect the business.

Compliance is a Complex and Evolving Challenge

The chief financial officer is the primary owner of risk management, answerable to the board, and holding a personal legal responsibility. In Europe, the regulatory burden has been rising as the European Union in particular seeks to protect consumers and investors and reduce systemic risks in certain industries.

The financial crisis of 2008 in particular triggered a wave of new regulations. CFOs had to respond quickly and received investment to upgrade systems and processes to meet emerging requirements, but in most cases, compliance was achieved by adjusting existing systems to meet the new requirements of regulations such as MIFID, IFRS, and SOX.

Is your access control solution keeping up?

It’s worth revisiting your access control processes to ensure they’re keeping up with changing regulations and best practices. Get in touch with one of Soterion’s SAP security consultants to explore how we can help solve your GRC objectives.

Learn more

Soterion is an international leading provider of governance, risk, and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure.

Soterion is passionate about simplifying the governance, risk, and compliance processes, with a focus on translating this complexity into a business-friendly language to enhance better decision making and business accountability. Email [email protected] for more information.

Get in touch with one of our SAP security consultants to explore how we can help solve your GRC objectives.


Source: IDC Vendor Spotlight, Sponsored by Soterion, Soterion: Managing Risk and Ensuring Compliance Through Application Access Management, Doc. #EUR148915922, March 2022


Thought Leadership

Soterion Featured as a Provider of SAP Access Management Solutions

SAP access management is a complex undertaking for businesses. The increasing regulatory pressures on organisations are leading to tighter management of user access rights – which means access management is crucial to business security.

But there are also benefits associated with improving access management that go beyond simply mitigating risk.

Leading IT market research and advisory firm IDC, has outlined some of these benefits, as well as challenges associated with SAP access management, and actions required to drive improvement in access control in a recent IDC Vendor Spotlight, sponsored by Soterion.

Read or download the full IDC Spotlight

Key Takeaway #1: SAP access management is highly complex and is difficult to maintain as business, processes, and regulations change

Managing SAP access rights is highly complex due to the vast array of process and role configurations that organisations can and do utilise within their SAP applications. As organisations evolve and adopt new applications, the burden of managing access rights only increases, leading to increased costs and risks, particularly the chance of audits identifying control weaknesses resulting from SAP access irregularities.

Staying on top of SAP access rights is a challenge due to the vast number of possible access permutations and the rate at which they must be updated to keep up with organisational change. The rate of business transformation and pace of regulatory change will only increase, so organisations must find a way of preventing increased SAP access risk becoming a product of this environment.

Key Takeaway #2: Poor access management can lead to compromised processes that present a business risk and audit failures

Poor access management is most likely to be identified either during a statutory or internal audit, as these audits set out to identify weaknesses in an organisation’s processes that present a risk to the organisation and its various stakeholders, customers, and suppliers.

But, as the IDC Spotlight points out, the cost of poor access management extends beyond the risk of fraud and the cost of remediation. Incorrect access rights can be the root cause of an array of process inefficiencies, where users underutilise the technology available to them as they are unable to fully capitalise on it.

Where SAP users do not have the correct access, businesses can experience downtime (end-user waiting for appropriate access) as assigning new access and getting the necessary approvals from line managers and risk owners can take time. There is also a link between access rights and software licensing. Over-allocated access can lead to paying for more licenses than what is required by the organisation.

Key Takeaway #3: SAP access management is technical in nature, but access decisions are best made by risk owners and line managers

SAP ERP manages access via the transaction code, which is assigned to an SAP role. The SAP role in turn is assigned to the SAP user.

This sounds reasonable and straightforward, but the vast dimensions of typical SAP installations mean that it is not:

  • Over 140,000 transaction codes in SAP ECC
  • Thousands of users that are not easily aggregated into roles with identical or highly similar access needs
  • Often multiple legal or geographic entities with separate SAP installations and separate access management needs
  • Frequent changes in access management requirements due to reorganisations, spin-offs, consolidations, changes in business scope, etc.

Despite this technical nature, IDC says this shouldn’t be left to the technical experts alone.

Access management responsibilities must be shared between the IT function and the process owners and managers. Business process owners are best placed to determine the rights required to execute a task within the relevant compliance rules, while managers are best placed to allocate roles to the individuals they manage.

Importantly, these business owners will be able to proactively manage and maintain access rights within their domain, given the right tools. This helps move access management from an annual reactive activity toward being an exercise in continuous compliance.

Empowered business owners will be able to map processes, identify weaknesses, and implement improvements. Understanding precisely how individuals interact with SAP processes enables organisations to apply the principle of least privilege to each member of staff, reducing risk without harming productivity.
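As an added example (not code from the article, SAPinsider, IDC or Soterion), the Python below models the chain just described, transaction codes assigned to SAP roles assigned to users, and runs the two checks the earlier sections rely on: a segregation-of-duties test in the two-person sense the Financial Risk section describes, and a usage-based check for the over-allocated access the first article calls authorisation creep. It goes slightly beyond the text by tracing each unused transaction code back to the role that granted it, since remediation in a user access review happens per role. All role names, transaction codes, SoD rules and log lines are constructed for illustration; the tcodes resemble real SAP finance transactions, but the roles and the rule set are assumptions, not any vendor's shipped rule set.

```python
"""Constructed model of the SAP access chain: transaction code -> role -> user,
with two reviewer checks: segregation-of-duties conflicts and unused access.

All data below is constructed for illustration. The tcodes resemble real SAP
finance transactions; the roles and SoD rules are assumptions, not a shipped
rule set from SAP, Soterion or anyone else.
"""
from collections import defaultdict

# Constructed role catalogue: SAP role -> transaction codes it grants.
ROLES = {
    "Z_AP_INVOICE": {"FB60", "MIRO"},                    # enter vendor invoices
    "Z_AP_PAYMENT": {"F110", "F-53"},                    # pay vendor invoices
    "Z_VENDOR_MAINT": {"XK01", "XK02"},                  # create / change vendors
    "Z_DISPLAY_ALL": {"FB03", "XK03", "ME23N", "MM03"},  # display-only access
}

# Constructed user -> SAP roles assignment.
ASSIGNMENTS = {
    "jsmith": {"Z_AP_INVOICE", "Z_AP_PAYMENT"},
    "akhan": {"Z_VENDOR_MAINT", "Z_DISPLAY_ALL"},
    "mlee": {"Z_DISPLAY_ALL"},
}

# Constructed SoD rule set. A user holding a tcode from BOTH sides of a rule can
# complete the business transaction alone, defeating the two-person principle.
SOD_RULES = [
    ("Maintain vendor + Pay vendor", {"XK01", "XK02"}, {"F110", "F-53"}),
    ("Enter invoice + Pay invoice", {"FB60", "MIRO"}, {"F110", "F-53"}),
]

# Constructed usage log for the review period: (user, tcode executed).
USAGE_LOG = [
    ("jsmith", "FB60"), ("jsmith", "MIRO"), ("jsmith", "FB60"),
    ("akhan", "XK03"), ("akhan", "XK01"),
    ("mlee", "FB03"),
]


def effective_tcodes(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Flatten user -> roles -> tcodes into {tcode: set(roles granting it)}.

    The granting role is kept because remediation is done per role, not per
    tcode: a reviewer needs to know which assignment to revoke.
    """
    granted = defaultdict(set)
    for role in assignments.get(user, ()):
        for tcode in roles[role]:
            granted[tcode].add(role)
    return dict(granted)


def sod_conflicts(user, rules=SOD_RULES, **kw):
    """Return [(rule name, sorted tcodes held on side A, sorted tcodes held on
    side B)] for every rule where the user holds access on both sides."""
    held = set(effective_tcodes(user, **kw))
    conflicts = []
    for name, side_a, side_b in rules:
        hits_a, hits_b = held & side_a, held & side_b
        if hits_a and hits_b:
            conflicts.append((name, sorted(hits_a), sorted(hits_b)))
    return conflicts


def unused_access(user, usage_log=USAGE_LOG, **kw):
    """Return {role: sorted tcodes granted by that role but never executed}."""
    used = {tcode for who, tcode in usage_log if who == user}
    unused = defaultdict(list)
    for tcode, granting_roles in effective_tcodes(user, **kw).items():
        if tcode not in used:
            for role in granting_roles:
                unused[role].append(tcode)
    return {role: sorted(tcodes) for role, tcodes in unused.items()}


def removable_roles(user, usage_log=USAGE_LOG, assignments=ASSIGNMENTS, roles=ROLES):
    """Roles where not a single granted tcode was used in the period: the
    clearest candidates to drop in a user access review."""
    used = {tcode for who, tcode in usage_log if who == user}
    return sorted(r for r in assignments.get(user, ()) if not (roles[r] & used))


def access_review(user):
    """One reviewer-facing record per user, combining both checks."""
    return {
        "user": user,
        "sod_conflicts": sod_conflicts(user),
        "unused_access": unused_access(user),
        "removable_roles": removable_roles(user),
    }


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        record = access_review(user)
        print(f"{user}:")
        for name, a, b in record["sod_conflicts"]:
            print(f"  SoD conflict '{name}': holds {a} and {b}")
        for role, tcodes in record["unused_access"].items():
            print(f"  {role}: granted but unused {tcodes}")
        if record["removable_roles"]:
            print(f"  candidate roles to remove: {record['removable_roles']}")
```

Run as a script it prints one record per user; in the constructed data `jsmith` can both enter and pay an invoice, and holds a payment role that was never used during the period. Reporting the result per named rule and per granting role, rather than as a list of tcodes, is what lets a line manager without SAP expertise act on it, which is the point the text makes about putting decisions in the hands of process owners.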

Key Takeaway #4: SAP access must be managed proactively, and to do this a tool is required to monitor, interpret, and optimise each user’s access as it pertains to their role.

In the IDC Vendor Spotlight, IDC profiles Soterion as an SAP access management solution that helps business managers understand, implement, and monitor access to SAP, reducing risk and improving efficiency.

Here’s what they had to say about Soterion:

“Soterion software tackles the challenge of the changing nature of SAP access rights – with an access management solution that helps business users see how users utilise their access in practice and highlights the business implications of poorly configured access rights.

“The work that Soterion has done to convert technical access rights data into insights that business decision-makers can understand and monitor continuously will help access management become proactive, rather than something to be tackled periodically ahead of an audit.”

IDC highlighted some of the standout features of Soterion’s solutions including its:

Business-centric design

“Decisions regarding SAP access are best made by those that understand the business context in which processes and the staff who interact with them operate. Soterion’s tool helps visualise the relationship between access rights and business processes, highlighting weaknesses in a way that managers can quickly comprehend. The power of this tool is that it puts control in the hands of those best placed to make decisions.” 

Reporting capabilities

“A key differentiator of Soterion is its reporting capabilities, which illustrate access risks in business process flow diagrams.”

Simplified language

“For business users that are not SAP transaction code experts, it simplifies understanding where in the business process the conflicting access resides. By converting the technical GRC language into a language the business users can understand, it can help in making better decisions and in making business users more involved and accountable in the process. Ultimately, this can improve the overall capability of the organisation to manage its risk.”


Source: IDC Vendor Spotlight, Sponsored by Soterion, Soterion: Managing Risk and Ensuring Compliance Through Application Access Management, Doc. #EUR148915922, March 2022


Thought Leadership

The Cost of an Incorrect GRC Solution to your Organisation

By Dudley Cartwright,
CEO of Soterion

Are you making this $144,000 mistake with your access control solution?

When it comes to SAP access control solutions, sticking with what you have might seem like a smart decision. The cost and time associated with researching, selecting and getting business approval for a new solution can seem like more effort than it’s worth.

But if your access control solution isn’t a good fit for your company, it could be costing you more than you realise – both financially and otherwise.

It’s not that you chose the wrong solution

There are many different access control solutions in the market that can assist companies with their SAP Security and compliance activities. Each of these tools has its strengths and weaknesses, making finding exactly the right solution challenging.

As a result, many organisations implement an inappropriate access control solution – often because their System Integrator (SI) convinced them it was the right solution. But in fact, the SI was chasing the large implementation revenue often associated with the larger and more complex GRC solutions such as SAP GRC.

A side note here: SAP GRC is a great product for those organisations that have the necessary internal expertise and GRC maturity. However, those organisations that do not have the necessary internal expertise and/or maturity to derive any value from the solution, generally experience a high degree of under-utilisation and/or business resistance.

When organisations complain to their SI that they are not getting value from their GRC investment, the SI will often propose offering more consulting or selling more solutions or modules that will ‘fix’ what is broken.

The challenge though is that if the access control solution is not a right fit for your organisation, possibly due to its complexity, nothing is going to change this. No amount of additional consulting, training or add-on solutions will reduce the complexity of the solution.

Sticking with what you know makes sense

There are many reasons why organisations stick with their current solutions, even if it’s not working for them.

  • The cost of switching seems high
  • The effort associated with switching seems high
  • They believe that all access control solutions have similar functionality and that switching will not bring about any significant change in value
  • They are under pressure from certain departments to stick with the current solution

The last reason is perhaps the most challenging to overcome. Some organisations find it difficult to put together the business case to switch from one solution to another. This is often due to finance or procurement teams digging in their heels purely from a financial perspective, saying, ‘we have already spent X dollars on solution Y – make it work’.

The $144,000 mistake

The costs and associated effort of finding and switching to a new access control solution may seem high, but the cost of not switching can be even higher. Especially when you’re using an inappropriate access control solution.

Let’s look at one simple example – user access reviews.

Organisations across the globe are constantly being put under more pressure by auditors and regulators to perform compliance tasks such as User Access Reviews. US companies have been doing this since the advent of Sarbanes-Oxley. UK companies will see added pressure to introduce such activities as soon as UK SOX kicks in (if they are not doing these types of activities already).

A user access review requires reviewers (often line managers) to review all their users’ SAP access on a biannual or annual basis to determine if that access is still relevant for each SAP user’s job function for the next period. It can take the reviewers many hours to perform the review if they are using an inappropriate access control solution.

On top of this challenge, the reviewer may have many users reporting to them, and the SAP role design and naming convention could make it difficult to determine what access is contained in each SAP role.

If the organisation is using an inappropriate access control solution for their User Access Review process, these tasks become very challenging for the reviewers, wasting many hours on an activity that if not done well adds very little value to the organisation.

This all adds up. If you aggregate the wasted man-hours for each reviewer, multiply that by each review set per year, and multiply that by the number of years, it doesn’t take long for this cost to overtake the cost of switching access control solutions.

And, this doesn’t factor in the cost of being more exposed to fraud due to an ineffective GRC capability, as well as the opportunity cost of those reviewers not performing their normal job function during the review period.

Ineffective solutions cost you more than just dollars

The formula above is just one cost associated with not switching solutions. Because it’s a quantifiable cost, it does make you sit up and take notice. But there are other, more intangible, costs associated with not switching your access control solutions.

Increased risk

Access control and GRC solutions are business tools to manage and mitigate risk. Sticking with an inappropriate or complex access control solution often leads to resistance or pushback from the business users, and IT end up performing access risk management activities on behalf of the business.

Access risk is business risk, not IT risk

It is the business users who are best positioned to determine if a specific user should have certain access and whether that risk is acceptable to the organisation. IT do not have the expertise or business knowledge to make such a decision.

Even when business users are given control of access risk management, if they’re using an inappropriate or overly-complex access control solution, you often find that these activities are being done with minimal intent or understanding. Business users carry out these activities to tick an audit box with very little consideration of the actual risk to the organisation.

Both of the above scenarios are terrible for the organisation. The C-Suite will incorrectly believe they have a sound access risk management program in place, but in reality, it is very ineffective.

Wasted hours on manual tasks to compensate for an inappropriate access control solution

Where a company is burdened with an access control solution that is not a good fit, we often see them extract reports from their GRC solution and then manipulate those reports externally to be ‘fit-for-business’, wasting hundreds of support hours.

This wastage is never attributed to the access control solution itself.

Using solutions that provide companies with ‘out-the-box’ valuable reports and recommendations will not only reduce the number of support hours but will also increase the speed at which SAP users are assigned their SAP access (SAP access change requests and the Joiner-Mover-Leaver (J-M-L) process). This will ensure that users are assigned their access more timeously and are thus more productive, i.e. reducing business downtime.

Time to switch?

When evaluating your current access control solution, look at the business value it is adding to the organisation.

When evaluating a replacement, determine whether the solution will help you achieve your objectives instead of focussing on the software cost that you paid for your existing solution. The cost of change will be minute compared to the savings a company will make through effective access control and risk management.

Soterion is a leading provider of business-centric GRC solutions for companies running SAP. Improve your organisation’s risk awareness and ability to manage access risk by empowering the business users with business-centric GRC.


Thought Leadership

Can Pablo Escobar teach us something about Risk Management?

Written by Dudley Cartwright
CEO of Soterion

Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion-dollar-a-year industry that had many moving parts – all without the help of the kind of sophisticated technology many of us have access to today. That’s no small feat.

While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.

The three lines of defence for SAP security

Escobar’s greatest fear was to be caught and extradited to the US. So how is it possible that he was the most wanted person in the world for a 10–15 year period, everyone knew the city where he resided, yet some of the most powerful government agencies could not catch him?

The answer is Escobar was brilliant at managing risk. He not only had a very clear idea what his risks were, but he implemented a strategy better than any organisation today to mitigate those risks.

Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:

  • First line: Operational / Business users
  • Second line: Risk / Compliance departments
  • Third line: Audit / Assurance departments

Your first line of defence should be your strongest

Escobar implemented an exceptionally effective first line of defence.

In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so people from all walks of life fed him information when there was any risk. From street kids to grandmothers vending food at street corners, the moment something looked suspicious, Escobar was informed.

If a Westerner arrived at Medellin Airport, it was assumed he was a DEA agent and he would be followed and monitored. When the Colombian army made their move on Escobar, a street vendor noticed many army trucks leaving the barracks and thought that could only be for one reason – and subsequently alerted Escobar.

It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.

For organisations, this is also true: Your first line of defence should always be your strongest.

An organisation’s first line of defence is usually the employees (super / key users) that have been in the organisation for 15–20 years. They understand their area of the business and its business processes better than anyone else.

Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area, it’s because the organisation has not implemented the correct processes and solutions to empower those users to participate in the risk management activities.

Empower your first line of defence with business-centric solutions

If you have employees who have been with your organisation either for many years and/or have an in-depth knowledge of their area of the business as well as a clear understanding of the risks – you are in a good position.

But just having these people available is not enough.

You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.

All too often organisations end up implementing complex solutions that are too technical for the business users, which results in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.

When this happens, you lose your first line of defence.

Be more like Escobar (minus the drugs and deaths)

Escobar implemented a system and process where people on the ground could effectively act as the first line of defence. These first liners were educated on what was deemed a risk for Escobar. When they identified a risk, there was a clear process that the first liners could use to feed this information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm if they noticed anything that posed a risk.

While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.

By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.

To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.


Thought Leadership

The Hidden Benefits of Customising Your Organisation’s SAP Access Risk Rule Set

At Soterion, a study was recently conducted to find out how many organisations have customised their SAP access risk rule set.

We were surprised to find out that more than half of the companies we surveyed haven’t customised their rule sets and are using the vendor’s out-the-box standard rule set. Interestingly, SAP access risk rule set customisation is a common recommendation by many of the Big 4 audit firms.

SAP access risk rule sets typically contain risks for the following categories:

  • Segregation of Duties (SOD)
  • Critical Transactions
  • Data Privacy

There are a number of benefits to customising these rule sets – and yes, some of these are obvious. But for many organisations, the advantages of customising your SAP access risk rule set aren’t immediately apparent.

Here are some reasons to customise your SAP access risk rule sets that you might already know about (and some you might not have considered).

Benefit 1: Reduce the cost and effort of managing irrelevant risks

The out-the-box rule set has been defined for all industries and chances are these are not all going to be applicable to your unique business. Every access risk in the rule set requires some level of effort (which has a cost implication) to manage. By removing risks that are not applicable to your business, you will reduce the effort and cost to manage those risks.

Benefit 2: Get better coverage of all your processes

The out-the-box rule sets generally cover the main business processes such as Procure to Pay, Order to Cash, Finance, Materials Management, and Hire to Retire. But some of the not-so-common business processes such as IS Health, Media, Insurance, and Global Trade Services are not included in many of the out-the-box rule sets. By adding these risks to the rule set, your organisation has better coverage of all your processes.

The more common scenario with regard to updating the rule set is adding any custom functionality. As out-the-box rule sets do not contain any custom (Z tcode) transactions, it is important to add these to the rule set. For example, if the organisation has created a custom version of VA01 (e.g. ZVA01) that performs a similar function to VA01 and allows users to create Sales Orders, it should be added to the rule set alongside VA01.

Benefit 3: Get more business buy-in for GRC activities

As detailed above, when using an out-the-box rule set, many of the risks are not relevant to your organisation. What often happens is business users lose confidence in GRC activities because they don’t agree with the risk that they are being asked to monitor.

For those organisations who struggle to get the necessary business buy-in and participation from their business users in GRC activities, a rule set customisation exercise addresses this challenge in a number of ways:

Monitoring relevant and applicable risks: Monitoring risks that the business believes in will enhance their participation and buy-in. This will raise the organisation’s risk awareness.

Building understanding of business impact: A big challenge for many organisations is that business users do not understand the SOD access risks, resulting in actions being taken without understanding the consequences or impact on the business. Rule set projects are usually workshop based where business users and functional consultants discuss each risk. This is a useful educational exercise where each SOD risk is explained in detail and how fraud can potentially be committed with the conflicting combination of access. Once business users understand the SOD risk, they will have a better understanding of the impact of this on the organisation, and thus be able to make a more informed decision as to whether users should have that access or not.

Defining a Standard Operating Procedure (SOP): As it is unlikely that the organisation can operate without any risk violations, there will be a number of end users who will have access risks. When a user requests additional access that is in conflict with access they already have, it’s unclear whether it can be approved. As a result, these types of requests often sit in the reviewer’s inbox for a number of days.

It’s important to define a policy for risk levels, i.e. what the rule is when a simulation of an access request surfaces a risk at each level. Part of the rule set customisation is to define these rules (the SOP).

An example here is:

– If risk = Critical – access cannot be assigned

– If risk = High – access can be assigned but with Mitigating Control

– If Risk = Medium – access can be assigned without Mitigating Control

By defining these types of guidelines, your business users are able to make quicker decisions on whether the additional access requested can be approved. This reduces the time that SAP access change requests sit in a manager’s inbox waiting to be approved, which ultimately reduces the business downtime (end-user waiting for requested access).
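The simulation rule above, worked through as an added example (not Soterion’s software): a constructed SOD rule set with risk levels, a custom ZVA01 transaction mapped to VA01 as described under Benefit 2, and the Critical / High / Medium SOP applied only to risks that a request would newly introduce. Role names, the risk pairings and their levels are illustrative, not a real rule set.

```python
"""Access-request simulation against a customised SOD rule set.

Added illustration, not Soterion's code. The rule set, roles and risk
levels are constructed; only the transaction codes are standard SAP ones.
"""
from dataclasses import dataclass

# Custom transactions mapped to the standard function they replicate
# (ZVA01 behaves like VA01, so it must count as "create sales order").
CUSTOM_TCODE_EQUIVALENTS = {"ZVA01": "VA01"}


@dataclass(frozen=True)
class SodRisk:
    risk_id: str
    description: str
    level: str               # "Critical", "High" or "Medium"
    function_a: frozenset    # tcodes granting the first conflicting function
    function_b: frozenset    # tcodes granting the second conflicting function


# Constructed rule set: pairings and levels are illustrative.
RULE_SET = [
    SodRisk("P001", "Create purchase order and post vendor invoice", "High",
            frozenset({"ME21N"}), frozenset({"MIRO"})),
    SodRisk("S001", "Create sales order and maintain customer master", "Medium",
            frozenset({"VA01"}), frozenset({"XD02"})),
    SodRisk("F001", "Maintain vendor master and run vendor payments", "Critical",
            frozenset({"XK02"}), frozenset({"F110"})),
]

# Constructed role contents (role name -> transaction codes).
ROLES = {
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_SALES_CUSTOM": {"ZVA01"},        # custom copy of VA01
    "Z_CUSTOMER_MAINT": {"XD02"},
    "Z_VENDOR_MAINT": {"XK02"},
    "Z_PAYMENT_RUN": {"F110"},
}

# The SOP from the article: decision per risk level.
POLICY = {
    "Critical": "reject",
    "High": "approve_with_mitigating_control",
    "Medium": "approve",
}
SEVERITY = {"Medium": 1, "High": 2, "Critical": 3}


def normalise(tcodes):
    """Replace custom Z tcodes with the standard tcode they replicate."""
    return {CUSTOM_TCODE_EQUIVALENTS.get(t, t) for t in tcodes}


def effective_tcodes(role_names):
    """All transaction codes a user holds across the given roles."""
    return normalise(set().union(*(ROLES[r] for r in role_names)))


def find_violations(tcodes):
    """SOD risks where the user holds both conflicting functions."""
    return [r for r in RULE_SET if tcodes & r.function_a and tcodes & r.function_b]


def simulate_request(current_roles, requested_roles):
    """Simulate adding roles; apply the SOP to the worst NEW risk only.

    Risks the user already carries are reported elsewhere; the request
    decision depends on what the additional access would introduce.
    """
    before = find_violations(effective_tcodes(current_roles))
    after = find_violations(effective_tcodes(current_roles + requested_roles))
    new_risks = [r for r in after if r not in before]
    if not new_risks:
        return {"decision": "approve", "new_risks": []}
    worst = max(new_risks, key=lambda r: SEVERITY[r.level])
    return {"decision": POLICY[worst.level],
            "new_risks": [r.risk_id for r in new_risks]}


if __name__ == "__main__":
    print(simulate_request(["Z_PURCHASER"], ["Z_AP_CLERK"]))
    print(simulate_request(["Z_SALES_CUSTOM"], ["Z_CUSTOMER_MAINT"]))
    print(simulate_request(["Z_VENDOR_MAINT"], ["Z_PAYMENT_RUN"]))
```

Without the ZVA01 mapping the second request would pass clean, which is exactly the coverage gap an uncustomised rule set leaves.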

Whether you need assistance with customising your out-the-box SAP access risk rule set or advice on where to start, Soterion’s team of SAP experts can assist with your unique requirements and help you implement more effective GRC. Email us at [email protected] to get started.

Thought Leadership

Business-Centric GRC for SAP Customers – how to get the most out of your investment

Investing in Governance, Risk and Compliance (GRC) is one of the most important business investments you can make. Modern businesses need effective yet efficient risk and compliance management solutions to support growth and sustain operations. Unfortunately, the vast majority of SAP customers that have implemented a GRC solution are not seeing the value they should from their investment.

While this can be influenced by a number of factors, it often comes down to one key reason: lack of business uptake. At Soterion, we have specifically developed a solution that simplifies GRC for SAP customers. However, the principles discussed in this article are just as relevant to users of other ERP solutions as they are to those using SAP.

GRC for SAP customers: The link between uptake and ROI

Typically, an organisation’s GRC effectiveness is measured by how well business users perform their access risk management activities.

However, by their nature, GRC solutions are very complex and technical. They have been developed to analyse transaction codes, authorisation objects, and fields available in an SAP user’s ‘user-buffer’. Many of these solutions were developed from a technical audit perspective with very little consideration for their use by business users.

It’s a well-known rule of business that when it comes to technology, the more complex the solution, the less uptake you can expect from users.

Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to resistance. Users will typically keep pushing these activities back onto IT, which means that your GRC solution will become a back-end solution used by the SAP security and GRC teams, with minimal involvement from the rest of the business.

Putting business users at the heart of GRC

Business-centric GRC puts the business user at the centre of the process. It is all about enhancing business accountability of access risk through a business-first approach to all SAP security and GRC activities.

By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in its risk management activities. One of the best ways to illustrate this is with the audit principle covering the three lines of defence.

The first line of defence is your business or operational users, the second line of defence is your risk and compliance departments, and the third line of defence is the audit and assurance departments.

Your first line of defence should always be your strongest. These are people who have been in your organisation for 15 – 20 years and understand your business better than anyone else.

Unfortunately, in most organisations, this is typically the weakest line of defence. That is not because those employees don’t know the risks in their area, it is because the organisation has not implemented the correct processes and systems to empower those users to participate in risk management activities.

Practical solutions and processes are key to performance

To facilitate business buy-in, it’s crucial that organisations running SAP use a GRC solution that is business-centric.

Business-centric GRC solutions convert technical language into business-friendly terms, allowing business users to not only understand the risks in their area of responsibility but also facilitate quicker decision making. And faster, more informed decision making reduces the business downtime of an SAP user waiting for long periods for SAP access requests.

It’s also important that your access risk management processes are practical enough that business users can execute appropriate controls.

Take, for example, the User Access Review process. This is where business users review their users’ SAP access to determine whether this access is still relevant for their job function. The process typically takes the reviewers many hours to perform. Additional challenges can also arise along the way, such as non-descriptive SAP role names making it difficult for the reviewers to know exactly what access or functionality the role’s users are entitled to.

The process can be so time-consuming that in many cases, organisations discover the effort does not justify the value of the exercise.

Soterion is a leader in business-centric GRC for SAP customers. Each and every feature has been developed from the perspective of the business user. Our GRC solution enables the User Access Review to be performed by business process, thus eliminating any deficiencies in the SAP role naming convention. Business users can perform a more effective review that has a better business outcome. Using a business-centric GRC solution like this means a review typically takes less time, resulting in a significant cost saving for the organisation.

Get your users on board with business-centric GRC solutions

An organisation cannot manage their access risk effectively without business involvement. However, getting your business users on board and accountable for managing risk without the right tools and processes in place is an uphill battle.

Enhancing business accountability of access risk, with the use of a business-centric GRC solution, will improve the organisation’s overall risk awareness as well as their ability to manage their risk.

Soterion is a leader in business-centric GRC for SAP customers. If you don’t feel like you’re getting the most out of your GRC investment, get in touch to discuss how we can help.

Thought Leadership

Three Benefits of Regular SAP Access Risk Assessments

For those organisations who do not have an access control / GRC solution, there are considerable benefits in performing regular SAP access risk assessments.

Soterion Dashboard

The appropriateness of an SAP authorisation solution degrades over time, primarily due to SAP authorisation creep. Authorisation Creep is where users inherit more access over a given period than the access removed from them as they move to different job positions internally. This also happens when they require a single transaction code but are assigned a role with many transaction codes.

Technical mistakes in the role-build process can also cause the SAP authorisation solution to provide users with wider access than required. A very basic example is where S_TCODE is maintained in a role with the wildcard value S_ALR*, on the assumption that these are all report transactions. It is important to note that not all S_ALR* transactions are Display Transactions.

Another common mistake is where display roles are created with update transaction codes in them, and the ACTVT values are maintained to Display only (03, 08 etc). These roles work well in isolation, but as soon as they are assigned to users who also have other update roles, the combination of the S_TCODE value from the Display role, and the update ACTVT fields in the user’s other roles, results in the user having far wider access than intended.
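The display-role mistake above, as an added example that is not Soterion’s code and not SAP’s real check logic: a simplified model of how SAP evaluates an authority check against the union of all authorisations in the user buffer (a check passes if any single authorisation satisfies every field), with a constructed display role and update role, plus a defender’s scan that flags display roles carrying update transactions in S_TCODE. S_TCODE, F_BKPF_BUK, ACTVT and BUKRS are standard SAP objects and fields; the role names and the list of update transactions are constructed.

```python
"""Why a display role plus an update role grants more than either role alone.

Added illustration, not Soterion's code and not SAP's actual authorisation
logic. SAP's AUTHORITY-CHECK passes when ANY one authorisation in the
user's buffer (the union of all their roles) satisfies every requested
field value, so S_TCODE from one role combines with ACTVT from another.
"""
from fnmatch import fnmatchcase

# Constructed roles. Each authorisation: one object, allowed values per
# field; values may use SAP's '*' wildcard.
ROLES = {
    # Display role built with a mistake: the update transaction FB02 sits in
    # S_TCODE while the object-level ACTVT values are display-only (03, 08).
    "Z_FI_DISPLAY": [
        {"object": "S_TCODE", "fields": {"TCD": {"FB02", "FB03"}}},
        {"object": "F_BKPF_BUK",
         "fields": {"ACTVT": {"03", "08"}, "BUKRS": {"*"}}},
    ],
    # Update role: change activity on company code 1000, but no FB02 start.
    "Z_FI_POSTING": [
        {"object": "S_TCODE", "fields": {"TCD": {"FB01"}}},
        {"object": "F_BKPF_BUK",
         "fields": {"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000"}}},
    ],
}

# Constructed list of transactions that change data; a real list would be
# derived from SU24 / the organisation's own classification.
UPDATE_TCODES = {"FB01", "FB02"}
DISPLAY_ACTVT = {"03", "08"}


def user_buffer(role_names):
    """Union of every authorisation from every assigned role."""
    return [auth for name in role_names for auth in ROLES[name]]


def value_allowed(allowed, wanted):
    return any(fnmatchcase(wanted, pattern) for pattern in allowed)


def authority_check(buffer, obj, **wanted):
    """True if ONE authorisation for obj satisfies all requested fields."""
    for auth in buffer:
        if auth["object"] != obj:
            continue
        if all(value_allowed(auth["fields"].get(field, set()), value)
               for field, value in wanted.items()):
            return True
    return False


def can_change_document(role_names, company_code):
    """Simplified FB02 path: S_TCODE to start, then ACTVT 02 on F_BKPF_BUK."""
    buffer = user_buffer(role_names)
    return (authority_check(buffer, "S_TCODE", TCD="FB02")
            and authority_check(buffer, "F_BKPF_BUK",
                                ACTVT="02", BUKRS=company_code))


def flag_inconsistent_display_roles():
    """Roles whose S_TCODE holds an update transaction while every ACTVT
    value in the role is display-only: harmless alone, dangerous combined."""
    flagged = []
    for name, auths in ROLES.items():
        tcodes = set().union(*(a["fields"]["TCD"]
                               for a in auths if a["object"] == "S_TCODE"))
        actvts = set().union(*(a["fields"].get("ACTVT", set())
                               for a in auths if a["object"] != "S_TCODE"))
        if tcodes & UPDATE_TCODES and actvts and actvts <= DISPLAY_ACTVT:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("display role alone:", can_change_document(["Z_FI_DISPLAY"], "1000"))
    print("posting role alone:", can_change_document(["Z_FI_POSTING"], "1000"))
    print("both roles:", can_change_document(["Z_FI_DISPLAY", "Z_FI_POSTING"], "1000"))
    print("flagged:", flag_inconsistent_display_roles())
```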

It is not only unfair on the SAP security team, but also impractical, for them to pick up on these types of issues. The complexity of SAP authorisations not only means that these types of mistakes are relatively common, but the sheer volume of data makes it very difficult to identify these issues. It is like finding a needle in a haystack.

For many organisations, their external audit is the only time in the year when an access risk assessment is performed on their SAP system. These organisations have very little visibility into their SAP access risk exposure for the majority of the year, placing them at unnecessary risk.

Soterion SAP Access Change Request Simulation

With a number of vendors who have developed a cloud offering, performing an access risk assessment is simple and easy. The data extraction can typically be done in less than an hour, which is the only effort required by the company. The vendor will perform the assessment and send the company their access risk results.

Performing more regular access risk assessments is a more failsafe way to ensure the SAP authorisation solution has not provided inappropriate access to users during the course of the year.

Below are three benefits of performing regular SAP access risk assessments:

  1. Reduce SAP access risk: By performing SAP access risk assessments, you will be able to identify any role(s) providing users with inappropriate access. Often it is only a handful of incorrectly maintained roles that are responsible for the majority of the access risks. In many cases, these roles can be addressed with minimal effort. They are the ‘low hanging fruit’, and fixing them can significantly reduce the total access risk count.
  2. Better prepared for audits: Performing an access risk assessment prior to your external audit can allow you the opportunity to identify ‘quick wins’ which can be addressed prior to the audit. There is no organisation that wants an unfavourable audit report, so reducing any findings prior to audit can be quite attractive. In addition, there could be a cost-saving to being better prepared for audit. If an authorisation solution is providing users with such wide access that the audit firm believes that substantive audit procedures are required, not only will there be additional audit cost to carry this out, but there will be additional effort required by key employees to prepare for the audit.
  3. Enhanced business-accountability of access risk: Although access risk is business risk, the business users are unlikely to take accountability without some form of visibility i.e. you cannot be accountable for something you are not aware of. Without regular access risk assessments, the business users are unlikely to know who has access to specific SAP functions. By performing regular assessments, IT is providing the business with the necessary visibility for them to understand the access risks that exist in the SAP system. This in turn will allow IT to shift responsibility to the business. Visibility enhances accountability.

Consider how your data will be handled by the vendor performing the access risk assessment, and ensure that the vendor is both ISO 27001 and SOC certified. Vendors providing such services need to demonstrate that they will handle client data in accordance with your organisation’s internal requirements as well as any regulatory requirements.

Soterion SAP Access Risk Assessment

Soterion can be used to perform an SAP access risk assessment on the organisation’s SAP environment, either using the Soterion standard rule set or a rule set the customer imports or customises. Soterion’s SAP access risk assessment includes:

  • SAP Access Risk Assessment: An access risk assessment is performed at User, Composite Role and Single Role level. Access risk reports are based on what access has been assigned (potential risk) and display this in relation to actual transaction usage. Soterion’s Get Clean module supports risk remediation consulting projects.
  • Basis Review: This assessment reports on the SAP basis configuration settings against a set of industry best-practices.

Soterion Access Risk Assessment Process

Viewing the Results of the Soterion Access Risk Assessment

Soterion SOD Risk Detail – Business Friendly Reporting

One of the key advantages of a Soterion access risk assessment is that the results are displayed in the Soterion web application. This allows quicker analysis of the results and more effective remediation. Soterion will highlight the risks with the highest contribution, as well as flag the users and roles who are responsible for the majority of the access risk violations.

Soterion’s business-centric reporting capability will also illustrate each risk with supporting business process flow diagrams, thereby providing more context to the access risk and converting the technical GRC language into a business-friendly language to ensure better decision-making.

If your organisation is interested in having ad hoc assessments, please contact us – [email protected]

Thought Leadership

SAP User Access Review – Why is it Important to Get This Right?

By Dudley Cartwright,
CEO of Soterion

When looking at all the components (activities) that make up a Governance, Risk and Compliance (GRC) solution, the majority are backend type activities performed by GRC or SAP security administrators.

However, there are some GRC activities that have a huge touch point with business users i.e. they are the primary users of that functionality, namely:

  • SAP access risk simulations (approval / rejection done by line managers)
  • User Access Review

Organisations have been asking their business users to review SAP access change requests for quite some time now. However, even with regulations such as SOX / JSOX being in existence for almost 20 years, the requirement to perform a User Access Review is a more recent requirement for many organisations.

Why is it becoming so important?

The primary driver behind a User Access Review is usually audit. Many audit regulations such as the Sarbanes-Oxley (SOX) Act and JSOX require listed organisations to perform a User Access Review on a periodic basis, usually annually.

Before we go any further, let’s remind ourselves of the purposes of the User Access Review:

During the course of a specific year, SAP access change requests will be simulated using an access control solution. Line Managers / Business users will be required to review these proposed changes, with approved requests being applied in SAP.

The function of the User Access Review is to review whether that SAP access is still valid at a later point in time. For example, if a person requests access to Create Purchase Orders (ME21N) and it is approved, the appropriate role will be assigned to the user. If this assignment was done on 1 January 2020, who is to say that the access is still relevant for that user on 1 Jan 2021?

The User Access Review therefore provides the organisation with an opportunity to re-look at the user’s access to confirm whether it is still relevant and applicable (as the user may have moved to a different job function, or their role may have changed since the role assignment was done). One of the great advantages of a User Access Review is that it limits SAP authorisation creep.

The downside for many organisations is that a User Access Review is done merely to appease audit, and the value of the activity is questionable, especially when you consider the amount of effort required by the business users to carry out a User Access Review.

There is a need to shift the mindset of the business users from it being an audit tick box exercise to a valuable activity in remediating access risk. The reasons for doing this should not be to appease audit, but rather as a valuable access risk management activity.

However, to support this shift in thinking, organisations need to consider several process changes to support the business. It is important for organisations to understand the challenges facing the business users who perform the SAP User Access Review. If the business users find the User Access Review process onerous and/or challenging, they will push back on the process and treat it as a tick-box exercise. The result: the organisation will extract minimal value from the User Access Review.

How do You Facilitate This Shift in Thinking?

Besides garnering senior management support for the User Access Review, it is critical that a number of technical aspects are considered to make the process easier and simpler for the business users. Here are a few considerations:

1. Role Design

Does the organisation’s SAP role design make it difficult for the business users to know what access users have i.e. are SAP roles non-descriptive? Are SAP roles large and contain many transaction codes?

To make the User Access Review process as simple as possible for the business users, ensure that the SAP role design lends itself to making the process easy. Functional role designs typically have more descriptive role names, making it easier for business users to understand what is contained in the SAP roles being reviewed. This will allow the business users to make more informed decisions as to whether the access is appropriate or not for the user.

Updating the role design to be descriptive may in fact require a complete role redesign. As organisations move to S/4HANA, this could be a great opportunity to re-look at the organisation’s security framework and consider a role redesign that is more business friendly and simpler, thereby reducing the effort required in a User Access Review.

2. Role Methodology

Unfortunately debating SAP role methodologies is like debating religion and politics. People become familiar with a role methodology and do not fully appreciate any other methodology. Most SAP security administrators understand a derived role methodology and have a limited understanding of a task and value (functional / enabler) role methodology.

A task and value role methodology is where you split your transactional access from your Organisational level access. This results in far fewer roles needing to be created – which also means users are assigned fewer roles. Choosing a role methodology that has fewer role assignments will reduce the effort required by the business users to carry out a User Access Review.

3. Rule Set Customisation and Business Education of Access Risk

Business users performing a User Access Review are likely to pay more attention to those SAP roles assigned to their users that contribute to access risk violations. If the organisation has performed a rule set customisation project, they are likely to have defined a more appropriate and refined rule set.

The access risk rule set project serves as a great tool for educating the business users on the access risks applicable to their area. By having a better understanding of each of the access risks in the rule set, the business users can make more informed decisions during the User Access Review as to whether any risk-bearing access for a particular user is acceptable or not.

4. Use a Tool to Facilitate the User Access Review Process.

Performing a User Access Review in a spreadsheet often proves challenging. Although the reviewer can see the roles assigned to the users, spreadsheets often do not include usage and risk information. This results in roles being removed from a user that contain transaction codes that are being used by that user i.e. he / she requires that access to carry out their job function. This causes business disruption, and most of the removed access gets assigned back to these users immediately after the User Access Review.

By using a commercial solution for the User Access Review, the business users can make more informed decisions due to having User-Transaction usage and access risk information.

A huge benefit of using a tool to facilitate the User Access Review is that it can be configured to speed up the process. As an example, a User Access Review can be created to only include roles that contribute to access risk, thus reducing the number of role assignments that need to be reviewed. Another example is to create a User Access Review that flags roles previously ‘approved’ so that the focus can be on new assignments since the last review. To get the reviewers to perform a User Access Review well, it is important for the solution to convert the technical SAP role language into a language the business users can understand.

5. Split Reviews

If you make use of SAP Composite or Business Roles, consider splitting the review into a User Access Review and a Role Content Review.
–  Role Content Review: A role owner reviews the content of the SAP Composite or Business Role.
–  User Access Review: A line manager reviews the role assignments at the SAP Composite or Business Role level. They do not review the underlying SAP single roles – but simply whether the Composite or Business Role is appropriate for the user.

6. Iterative Reviews

Instead of having one large annual User Access Review, where all users’ access is reviewed, see whether it is possible to split this into smaller iterative reviews during the year. This can be split by:
–  Geography: User Access Review done by region.
–  Risk Level: User Access Review done by risk level.
–  SAP module: User Access Review done by SAP module.

It is important to keep in mind the challenge of certification fatigue. This is where the reviewers complain about the time and effort required to carry out a User Access Review.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for the business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organisation time and money.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.


Thought Leadership

Adding Value to SAP Customers Around the Globe

We are passionate about developing SAP access risk management solutions that add real value to an organisation. For the past 10 years we have been successful in reducing SAP access risk in combination with enhancing business accountability of risk through ‘easy-to-use’ business centric Governance, Risk and Compliance (GRC) software.

Co-founded by Johan van Noordwyk and Dudley Cartwright, Soterion’s software solution empowers SAP customers to achieve SAP authorisation compliance with great ease, regardless of their internal GRC capability and expertise.

Reflecting back

“While working in the SAP Security space, it came to our attention that many organisations were having challenges with their SAP access risk and compliance,” recalls Soterion co-founder Dudley Cartwright. “There were a number of tools for dealing with this problem, but many were either too expensive or not user-friendly.” As a result, Soterion was born to provide an effective GRC solution for companies running SAP.

How our GRC software adds value

“It brings us great joy to see our software in action and bringing the intended value to the client,” says Dudley.

Energy company Aker Solutions implemented SAP between 2004 and 2006. The company then implemented SAP GRC, but struggled to derive value due to the software’s complexity, leading to under-utilisation.

Petter Natås, Aker Solutions Director, Finance Process Improvement & Systems, Norway, explained: “We had offers from our service provider to get on top of SAP GRC. One of the main concerns was the long implementation period. They estimated one and a half years to get it into place, so the costs were high.”

Aker Solutions switched to Soterion’s GRC software and reduced access risk by 85%, the company explained in a recent case study. Through implementing Soterion for SAP, Aker achieved improved efficiency, better effectiveness, as well as regulatory compliance.

Another client, KOMATSU Australia, who manufactures and sells construction and mining equipment, forest machines and industrial machinery, reported its SAP access risk results in a spreadsheet.

After implementing Soterion for SAP, KOMATSU was able to view its access risk more easily, and in real-time, in a user-friendly web application.

Saint-Gobain Construction Products (South Africa) implemented SAP in 2001 and faced typical SAP security challenges of over-allocation of access and / or inappropriate access resulting in internal audit findings. After evaluating various SAP access risk (GRC) systems, the company implemented Soterion for SAP.

The result: Saint-Gobain’s audits were successful. Management were provided with a better understanding of the company’s business risks as well as having improved access control, visibility, and improved management buy-in.

Over the years our GRC software has also received numerous positive reviews in reports and from analysts. A recent report covering SAP Governance, Risk and Compliance (GRC) by KuppingerCole Analysts, an international independent analyst organisation, noted that we are able to offer a range of deployment options not available from several other vendors.

The report notes that because Soterion is not an ABAP application locked into the SAP ecosystem, it is able to run as an independent application interfacing to the SAP ecosystem.

The report also notes that one of our specific strengths is our well-thought-out user interface and mapping capabilities.

Interested to find out more about Soterion’s Access Risk Manager and our other modules? Email us on [email protected]. Let us help you take your GRC to the next level.