Choose your language


Category: Thought Leadership

Thought Leadership

Enhancing Business Accountability of Access Risks

 By Dudley Cartwright, CEO of Soterion.

This article explains what we at Soterion believe is needed for effective Governance, Risks and Compliance (GRC). What do we mean by effective GRC?

Many companies make the mistake of thinking that the GRC or access control tool alone is the silver bullet to solve all their SAP security challenges. And because of this, many organisations have an access control solution which it is not adding much value. In essence, these companies have GRC, but it is not effective.

 When measuring your organisation’s GRC effectiveness, it is important to measure this in relation to the organisation’s business objectives. The most common of these are:

  • Having a secure SAP solution
  • Complying with regulations, in particular, the data privacy regulations
  • Improving efficiencies (JML process)
  • Enhancing business accountability of risk

Enhancing business accountability of the organisation’s risk is fast becoming a key business objective. Not only is access risk a business risk, but many organisations are realising that enhancing business accountability of risk is making the organisation more risk-aware and more effective in their risk management activities. This can be illustrated by using the audit principle of the three lines of defence.

The first line of defence are your business or operational users. The second line of defence are your risk and compliance departments, and the third line of defence are the audit and assurance departments.

The first line of defence should be the strongest line of defence. These are people who have been in your organisation for 15 – 20 years. They understand your business better than anyone else. Yes, it is often the organisation’s weakest line of defence – not because users do not know the risks or the processes, but because the environment is not set up for these business users to take ownership and become accountable.

To facilitate business buy-in, organisations need to look further than just the GRC or access control solution. They need to look at all the associated components collectively and understand the inter-relationships. To illustrate this, we will use what we call the ‘Effective GRC Pyramid’.

At the base of the pyramid is the SAP role design. This forms the foundation of all things GRC. If the role design is not good, the entire GRC capability will be diminished. The middle section is the rule set and GRC or access control solution. And at the top are the internal processes.

GRC effectiveness is measured by how well business users carry out their access risk management activities, such as the review and approval of SAP access change requests, user access reviews, rule set reviews and business role reviews.

There are generally two reasons why organisations struggle to get the business to take ownership of access risks. The first is a lack of senior management support for such initiatives. It is very difficult to achieve business buy-in and accountability without significant support from senior management.  The second reason why organisations struggle to achieve access risk ownership is due to the complexity and technical nature of each of the components in the pyramid.

To explain this, let’s work through each layer.

The Role Design:
This is a very technical component made up of transaction codes, authorisation objects, fields and values. Yet it is the business users who need to understand the level of access contained in each role if they are expected to review and approve access, or when performing a user access review.

The Rule Set: Again, this is a technical component consisting of risks, risk functions, transaction codes, authorisation objects and field. Yet, these are business risks and need to be understandable by the business users.

The GRC Software: GRC or access control solutions are generally very technical in nature. Yet the ultimate user is a business user. Therefore, the risk assessment results need to be understandable to the business users.

The Internal Processes: This is partly technical in setting up the configuration and workflow, yet it needs to be practical and effortless for business users.

While business users are not expected to carry out many functions, it is important that the few tasks they are expected to do is presented to them in such a manner that they can perform these with maximum ease and with the data presented to them in such a manner that they can easily understand and interpret it, and make an informed business decision.

In summary, your entire GRC effectiveness will be measure by how well your business carries out these functions.

If you’d like more information or would like to discuss your companies GRC needs, feel free to email us on [email protected].

Thought Leadership

SAP Security 101 – The Basics to SAP Security

SAP Security and Authorisations are controlled by many different elements in the SAP system. We list the most common items and explain how they can assist in achieving a more secure SAP environment.

By Emile Steyn

Master the basics

To ensure that your SAP security solution provides the necessary level of control for your organisation, the SAP security administrator will need to have a good understanding of the basics of SAP security. The following section explains some of the basic concepts of SAP security.

Transaction Codes

A Transaction code is the term used to describe an action or activity in SAP e.g. ME21N – Create Purchase Order. An SAP user will be assigned various transaction codes in order to perform their job function.  Transaction codes have underlying authorisation objects and values that allow for a more granular control such as restricting a user to only operate in one Company Code or Plant. In a standard SAP system  there are over 140 000 possible transaction codes.  Most companies typically use between 2000 – 3000 of these transaction codes. Transaction codes need to be assigned to a role and the role in turn is assigned to the user.  From a risk perspective, it is important to only assign access that the SAP users require to perform their job function. Assigning wide access to users increases your organisation’s access risk exposure.

SAP Role

◦   SAP Single Role – A single role is a data container for a group of transaction codes. SAP users are assigned the single roles for them to be able to execute the transaction codes. The different approaches of assigning access is referred to as the role methodology. The various role methodologies are:

  • Derived – A derived / parent role methodology is where the parent role acts as a master role containing the transaction codes, and is derived out to cater for the various organisational levels (Company Code, Plant etc).
  • Task / Value – A task role is a functional (small) role that contains a group of associated transaction codes to perform a certain task e.g. Purchase Order Maintenance. Users are typically assigned many task roles to make up their complete access/profile.  Value roles are secondary roles that work in conjunction with the task role. Value roles only contain SAP authorisation objects with specific values to restrict the users to only operate in the Organisation Levels for which they have value roles assigned.
  • Profiles – Before SAP introduced the role concept, SAP profiles were mechanisms to provide users with the necessary access to carry out their job function. SAP profiles still exist in the SAP system, but are seldom used. The most common example of this is the SAP_ALL profile.

◦   SAP Composite Role – An SAP Composite role is a container for a group of single roles. The Composite role can then be assigned to the users who then inherit the access (transaction codes) contained in the single roles.

◦   SAP Business Role – The Business Role is similar to an SAP Composite Role but only exist in the IDM or Access Control solution, a virtual role that can be managed through an SAP Access Risk tool. Business roles have the added benefit of being a data container for SAP single roles from multiple SAP systems, simplifying provisioning significantly.

SAP Users

SAP users are the identities for the end-users to access the SAP system. When creating an SAP user, the following fields are available for maintenance:

  • SAP Password complexity – SAP allows for many different complexity settings on passwords. Your current password settings (these include minimum password length, special characters, Upper case letter, etc) can be viewed through transaction RSPFPAR.
  • User Types – In SAP there are different user types, namely: Dialog, Service, System, Communication and Reference users. The most common types are used for the following:
    • Dialog – Your typical user ID will be a dialog user. They are subject to password parameters unless specific security policies have been applied to them.
    • Service – A service user’s password does not change. There is a large risk with these IDs if passwords are shared.
    • System User – These IDs are used for background jobs, system communication etc. These IDs cannot logon via the SAP GUI, but carry risk because of the wide access typically assigned. These IDs can be used to expose the SAP System to risk through RFCs (Remote Function Calls).
  • Validity dates – Certain User IDs are only required to access the system for a certain time. It would be recommended to maintain a validity date for a user to ensure they cannot gain unauthorised access to the system. These dates should also be maintained when a date is known for a user leaving the company.

SAP Provisioning

SAP provisioning is the process of assigning SAP roles to the SAP User ID. SAP Provisioning can be handled in different ways. A user can inherit access directly or indirectly:

  • Direct – Assign roles directly to users.
  • Indirect – Assign roles to a Position. The HR team will assign a user to a position.

SAP Fiori Security

The transaction code is being replaced by Fiori Applications which are executed through a web browser. These changes add an additional level of complexity and security. Some of these changes include the use of the S_SERVICE authorisation objects and catalogs. Although a friendlier user interface, it is a more difficult solution to maintain.

SAP HANA Database Security

Certain users are provided database access to execute reports. It is important that access at database level is restricted using a data privacy management tool to ensure no unauthorised inserts or edits are done at the database level.

SAP Access Risk

  • SAP SOD Risk – A segregation of duty risk is where a user has the ability to perform two or more conflicting functions. These conflicting functions expose a company to fraud, user error and misstatements.
  • SAP Critical Transaction Risk – Certain transactions can be sensitive all by itself based on the potential impact if misused. These are classified as Critical Transaction or Sensitive Access risks.

Optimise SAP Security to achieve business objectives


Once you’ve optimised and mastered the basics ask yourself, ‘How do I optimise my SAP Security to achieve my business objectives?’.

SAP Role Methodology

The methodology you have applied has a big impact on what you can achieve. Certain methodologies allow for easier remediation and ensuring users are only assigned the access they require for their job function. Decide what you need to achieve and see if the methodology allows for it.


There are different tools like Soterion and SAP that can help you manage the access risk in your SAP system. It is important to consider the benefits that the tools provide and what you want to get from a tool.

Items to consider:

  • User Interface
  • Ease of use
  • Implementation time
  • ROI
  • Process improvements

SAP Access Risk Rule Set

The SOD tools are shipped with a standard rule set. The rule set does not cater for customization or business process changes that have been applied. It is important to ensure the rule set is adjusted to be company specific.

Manage SAP Access Risks

After identifying the relevant risks, you need to clean-up your SAP Access Risks. How can this be done?

  • Remediation (role clean-up) – Clean-up can happen in different ways. Roles can be removed from users or transactions can be removed from roles.
  • Mitigation Controls – For access risk that cannot be remediated, Mitigation controls need to be defined to ensure the access risk exposure is adequately reduced.

SAP Role Redesign 

When your Role methodology does not allow you to reach your business objectives, it could be required to do a complete SAP Role Redesign. This would mean that new roles are built for the entire user base.

The information we have provided is focussed on SAP Access and the risks associated with it. Other items to consider could be the following:

  • SAP Security notes
  • SAP configuration settings
  • SAP Audit logging

Feel free to email us at [email protected] if you would like a discussion with one of our experts around SAP Security.

Thought Leadership

The GRC (R)evolution

How recent innovations are making GRC implementations simpler, faster and cheaper for SAP companies

In recent years Sony(1) and Mossack Fonseca(2) have been examples of corporates who have underestimated the value of managing risk across their enterprises. The ramifications to their reputations, and bottom lines, are far-reaching and probably long lasting.

Perhaps more alarming though is the vast number of internal fraud cases which go unreported by organisations of various sizes, and in varying industries and locations. Organisations tend to prefer taking corrective action quietly, for obvious reasons, and therefore the problem is likely much bigger than formal studies indicate.

“The threat of economic crime is a very real concern for all organisations ─ regardless of their size, sector or region (3).”

A CEO survey (4) provided a window into this, revealing that around one in three organisations have been affected by economic crime, with asset misappropriation, cyber-crime, and bribery and corruption being the usual suspects. Further, the survey indicated that more than half of all internal fraud involves middle or senior management.

Furthermore, aside from actual information security breaches, regulatory compliance is also a motivating factor for companies to pay attention to GRC. Whether or not you currently operate in a country with stringent compliance Acts, as global markets continue to change the face of business,
many countries are translating their governance recommendations into policies.

SAP organisations aren’t immune to all of this, even though a range of GRC tools are readily available. For many companies, high costs and tool complexity often inhibit adoption of these tools.

GRC Remains a Challenge for SAP Organisations

Internally, the tendency is to address business first. GRC is seldom the priority that it should be. While SAP GRC is undoubtedly the benchmark for larger, complex organisations, it’s not always the perfect fit for those companies who lack internal expertise. The more comprehensive GRC tools cater for a myriad of complex scenarios which are often not essential to the average organisation.

“Varying levels of maturity in risk and compliance processes are driving the need for identifying and implementing the right GRC tool (5)

Implementations may not achieve the desired result as business resistance is experienced.
This is attributed to its struggle to associate effort required with the value derived (6). Software often remains under-utilised, a manifestation of the lack of alignment between IT, GRC and business.

The bottom line is that although it is of significant concern when appropriate risk management tools are not in place, having poorly implemented or managed tools in place can lull you into a dangerously false sense of security. The potential for fraud exists as long as there is lack of alignment between people, processes and technology.

Four innovations are changing GRC for SAP companies:

1. Cloud & Hosted Deployment

GRC applications have historically been available primarily as on-premise deployments, but a trend is emerging that is seeing the rise of remotely hosted and cloud deployment options.

For example, more and more organisations are reviewing their employees’ authorisations for the internal systems using the cloud. The data is obtained from the internal network, then transferred securely to the cloud.

A key advantage of using the cloud is that no hardware is needed, which means there are no installation costs or ongoing maintenance. Cloud platforms allow for quick deployment, given the ability to scale storage and technology infrastructure to meet increases in demand.

“In 2015, Gartner listed cloud computing as one of the top five enterprise technology investments in the next five years (7).”

Perhaps more importantly, given that most organisations often lack adequate internal GRC expertise, cloud solutions allow for vendors to supplement the client’s resource requirements remotely, creating further efficiency. Here are three common myths surrounding cloud computing (8):

  • Myth 1: It is only for tech companies
    Not so, companies across all industries, big and small, are making use of cloud computing.
  • Myth 2: Security is a big risk
    Security measures used by well-known cloud vendors are often better than their clients’ measures. Cloud vendors have the resources and skills to keep security up to date.
  • Myth 3: It’s always cheaper to run in the cloud
    It’s not always cheaper to run in the cloud, but it can often be more cost efficient. Cloud works best for variable demands and workloads, where you have high demand at times but lower demand at others.

2. Software-as-a-Service Pricing Models

The growth in the global Software-as-a-Service (SaaS) market is largely driven by the increasing need for organisations to cut costs, and by the relative speed and ease with which SaaS solutions can be deployed.

Whereas conventional pricing models are usually based on ownership of an instance of a software application, paid through licensing agreements, SaaS pricing models tend to match pricing more closely with usage levels.

Typically, significant savings are realised in upfront investment costs beyond just traditional upfront purchase costs. Infrastructure costs are now borne by providers, which is a significant saving for organisations. Further, SaaS implementation costs are often significantly lower than traditional implementations.

“Where SaaS models are paired with cloud deployment models, GRC capabilities are effectively put in the hands of users on an on-demand basis (9).”

Beyond the upfront cost benefits of a SaaS pricing model for GRC tools, is the real benefit of flexibility. Companies can increase or decrease their number of users as required, and can also choose to avail themselves of discrete elements of functionality as they become necessary.

Software-as-a-Service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. It is sometimes referred to as “on-demand software”. SaaS is typically accessed by users using a thin client via a web browser. Where traditional on-premise applications require upgrades periodically, these costs are usually borne by the SaaS vendor (10).

3. Size-Sensible GRC Maturity Goals

There’s no denying that the large enterprise GRC applications are the best tools for the large, global multinationals. Tools like SAP GRC cater for every conceivable GRC scenario. Many companies are learning that although these tools are impressive, they can be oppressive when an organisation isn’t yet mature enough to make comprehensive use of them. Less mature companies are opting for scaled down, size-appropriate GRC tools and goals, and realising surprising benefits.

“Instead of viewing GRC maturity as a fixed point, we need to see it on a spectrum. Appreciating that there are varying manifestations of maturity allows companies to focus on the essential tools they require, right now.”

Paradoxically, adoption of size-sensible maturity definitions and GRC strategies is accelerating the GRC maturity of many organisations.

4. Managed Service Models

In the eternal race for the most efficient way to conduct operations, the rapid rate of change in technology presents a headache for most organisations, from a resourcing point of view. Most businesses use a wide range of technologies, each requiring specialist skilled people.

Outsourcing has become a widely used practice for ‘grunt-work’ level activities, but has been less successful where the need for proactive management of tools has been required. The idea of Managed Services has evolved to fill the gap.

The essential difference between Managed Services and Outsourcing is that Managed Services includes the proactive management of the application, whereas Outsourcing has traditionally been limited to reactive deployment of an IT asset. Accordingly, a Managed Service relationship can directly achieve a specified business result, whereas an Outsourced relationship typically delivers an IT result.

Many companies are increasingly leveraging IT Managed Services to avail themselves of both IT management and deployment skills, in the most efficient and flexible manner. These organisations have the ‘best of both worlds,’ ensuring they have the most up to date technology solutions to suit their own needs without the excessive costs associated with in-house IT support.

We Solve GRC for SAP companies. How can we help you?

Soterion’s entire business is focused on building GRC products to suit your team and your pocket. Because companies differ, we’ve developed three ways SAP companies can affordably handle GRC, whatever their internal GRC capability.



What is it?

Soterion’s Compliance Cloud platform is a cloud-based, pay-as-you-go GRC Access Risk tool.

Ideal for?

  • Highly cost-sensitive companies
  • Companies that require access risk assessments seldom or ad hoc, e.g. internal auditors
  • Companies with basic in-house GRC expertise


  • Instant GRC access risk visibility
  • Easy-to-use
  • Business-friendly reporting
  • Extremely cost effective
  • Only pay when you use

Managed Service

What is it?

Combines ‘on-tap’ GRC expertise with Soterion’s Compliance Cloud platform for a complete GRC solution. Delivered in collaboration with Soterion’s Consulting Partner Network.

Ideal for?

Smaller companies who have a GRC requirement, but lack internal expertise.


  • Instant GRC capability, including both tools and expertise
  • Give business hassle free, complete control of access risks via dependable GRC service
  • Significantly cheaper overall solution than employing in-house GRC expertise and purchasing GRC tool
  • Proactive GRC management


On-Premise Software

What is it?

Soterion for SAP is a size-sensible GRC software application, offering powerful, easy-to-use features for smaller SAP companies.

Ideal for?

  • Smaller companies that have a GRC requirement, and have internal expertise
  • Companies with IT policies requiring on-premise solutions.


  • Powerful, size-sensible GRC features for smaller businesses without complex, unnecessary functionality
  • Highly cost-effective on-premise GRC alternative
  • Intuitive and easy to use
  • Minimally invasive to infrastructure and SAP installation

Soterion’s SAP Compliance Cloud gives you what you need, when you need it.

Instant GRC Access Risk Visibility: Move from no GRC access risk visibility to full visibility, within 24 hours. With our seamless data extraction process and intuitive interface, you won’t require any technical knowledge getting set up.

Insights As You Need Them: Avoid external audit surprises by viewing easy- to-understand access risk reports as and when you need to.

Pay As You Go: Benefit from the lower cost of ownership by avoiding the expense of a full-time on-premise solution and the staff to support it. No fixed term contract requirements.

Easy to Use: Our platform is extremely intuitive, and requires no GRC technical knowledge. Our business-friendly reporting tools allow focussed reports by business area.

Guided, Step By Step GRC Maturity Process: Use our proprietary GRC Maturity Model to benchmark your current GRC maturity level. Enhance your GRC capability by following the provided recommendations.

Simulate Changes Before Applying Them: Play it safe with our Allocation Simulator which runs pre-emptive ‘what-if’ analyses, showing you the impact before making changes in SAP.

For more information download the ebook. Email [email protected] if you have any questions, need more information or would like a demo.

Source 1: Peter Elkind, “Part 1: Who was manning the ramparts at Sony Pictures?” Fortune, July 1, 2015
Source 2: Charles Riley, “The Panama Papers: 7 things to know” CNN, April 7, 2016
Source 3: Various, “Global Economic Crime Survey 2014” PWC, November 2014
 Source 4: Various, “Global Economic Crime Survey 2016” PWC, November 2016
 Various, “Centralized Operations: The Future Of Operating Models for Risk, Control & Compliance” EY, November 2014,_Control_and_Compliance/$FILE/EY-Insights-on-GRC-Centralized-operations.pdf 
Source 5: Website, “GRC Technology Enablement” PWC, 2016
Source 6: David Houlihan, “GRC Vendor Implementation Success Strategies” Blue Hill Research, August 2015
 Source 7: Various, “Flipping to Digital Leadership” Gartner, 2015
 Source 8: Ahmed Banafa, “10 Myths About Cloud Computing” OpenMind, September 2015
 Source 9: David Houlihan, “GRC Vendor Implementation Success Strategies” Blue Hill Research, August 2015
 Source 10: Software as a service – Wikipedia, the free encyclopaedia,
General references:
  • Achieving Effective Risk Management and Compliance” Deloitte, 2014   
  • “GRC Today” KPMG, October 2015

Thought Leadership

SAP Security and Soterion GRC Solutions

SAP Security and GRC Solutions Through Three Offerings – SaaS, On-Premise Software and Managed Services

Since 2011, Soterion has offered SAP security and GRC for SAP for companies of all shapes and sizes.  We assist businesses implement smart solutions to counter the very real threat of economic crime. We offer our expertise through three offerings – SaaS, managed service, and on-premise software. 

Software-as-a-Service (SaaS)

Through our offerings, we implement GRC for SAP for companies that seek an effective and affordable solution and for those that already possess a degree of GRC expertise. This pay-as-you-use service is easy to implement, business-friendly, and provides instant GRC risk visibility.

It is an ideal choice for businesses that need a governance, risk, and compliance strategy in place but do not have the in-house solutions to do so. This is a robust and dependable service for proactive GRC management.

The Access Risk Manager, available with Soterion’s SaaS offering, is a convenient application that enables quick identification of SAP access risk exposure. It also recommends remedial steps and prevents risks associated with the implementation of the change request in SAP through a proactive approach. The SAP License Manager gives businesses the information to create a bespoke SAP license agreement that addresses the company’s particular needs. This helps bring down costs and ensures adequate compliance.

On-Premise Software

The on-premise solution is ideal for companies that have IT policies mandating such a solution. Usually, such companies have the necessary expertise to handle GRC tools and implement solutions. The Soterion on-premise solution for GRC for SAP security is powerful, easy-to-use, and highly cost-effective.

We’ve completely re-imagined the GRC user experience from the ground up, making it a pleasure to use. Our business-friendly reporting tools allow focused reports to be produced by business area. We provide all the GRC features your business needs without complex, unnecessary functionality.

Managed Services

Combine “on-tap” GRC expertise with Soterion’s Cloud platform for a complete GRC solution, delivered in collaboration with Soterion’s Consulting Partner Network.

Dudley Cartwright, CEO of Soterion explains: “Unlike outsourcing relationships, our managed services are premised upon proactive management of your GRC health, leveraging our consulting partners’ experience and expertise. Move from no GRC access risk capability to full visibility, within 24 hours. With both the tools and expertise provided as a managed service, you won’t require any technical GRC knowledge whatsoever. Your business will enjoy complete, hassle-free control of access risks via a dependable GRC service.”

He continues, “Your business can benefit from the lower total cost of ownership by avoiding the expense of an on-premise solution and the staff to support it. Our platform is extremely intuitive, requires no GRC technical knowledge, and is oriented towards those companies with minimal GRC capability. Use our proprietary GRC Maturity Model to benchmark your current GRC maturity level and enhance your GRC capability by following the provided recommendations.”

If you are interested in any of the above three offerings or would like more information, email us on [email protected].

Thought Leadership

SAP Security – The New Normal – Dealing with the Internal Threat of Working from Home

By Dudley Cartwright, CEO of Soterion, an SAP Governance, Risk and Compliance security solutions provider

Stephen McBride, Forbes Magazine contributor and editor of RiskHedge Report, predicts in his article that the largest cyberattack in history is likely to occur in the next six months, with the coronavirus laying the groundwork.

McBride explains that the more devices connected to a network, the larger the number of entry points, making it easier for hackers to access. With so many people working from home, firms had only days to cobble up remote work plans. System security planning often did not include planning around masses of remote workers, or the use of less secure home internet connections. Hackers only need to gain entry through one single unsecure point.

Hackers broke into the networks of America’s largest defense contractor, Lockheed Martin, by targeting remote workers. If they can infiltrate this system, you best believe remote workers with little security are easy pickings, he adds.

In the past couple of months, hackers have targeted the US Department of Health. And attacks against the World Health Organisation have more than doubled.

Cyber intelligence firm CYFIRMA revealed cyberthreats related to coronavirus shot up 600% from February to March. It’s only a matter of time before we hear about a major cyber breach, he says.

In his recent article Reza Rassuli, SDA Inc. CEO and SAP technical advisor mentions five key cyber threats that enterprises using SAP need to take seriously and should watch out for in 2020. These are social engineering attacks, IoT-based attacks, ransomware attacks, internal threats, and state-sponsored attacks. He advises SAP users to place emphasis on detecting threats in real-time or ahead of time before it is too late.

SAP themselves, in a recent Covid-19 response article, stress that enhanced cybersecurity is critical while the World Economic Forum has warned that cybercriminals have escalated their efforts to capitalise on the unfolding tragedy of Covid-19.

In this article, we focus on a number of security activities that an organisation should consider to minimise the risk of the internal threat associated with remote working.

The ‘new normal’ high-security risk of working from home should therefore be changing the way organisations view security.

There is a significant difference between accessing the SAP system from the office and from home and therefore opens the door to vulnerabilities. Coupled with the increased likelihood of a breach (external), work from home is therefore likely to also increase the chance of a data leak (internal).

Some questions do arise. Will work-from-home change user behaviour? Without having a supervisor or work colleagues looking over one’s shoulder, will this lead to a change in user behaviour where users ‘explore’ what they have access to in the system? Are users going to be more likely to download data onto a memory stick if there is no one around to see?

It is fair to say that when employees are not in the office environment, many of them are likely to behave slightly differently. Remote working will be the catalyst for organisations to embark on SAP security activities that security professionals have been advocating for many years.

Five SAP security activities that organisations should place more importance on in this new era of remote working:

1.  Appropriate user access: 
Numerous organisations have outdated SAP role designs, where users have been assigned inappropriate access over the years in relation to their actual job function. To minimise the risk of both a breach and leak, it is imperative that organisations follow a ‘zero-trust’ approach and ensure that users are assigned appropriate access.

2. Rule set customisation:
Many organisations that implement an access risk solution make use of the standard rule set with minimal or no customisation. This is necessary to ensure the rule set addresses relevant risks in their organisation. For those organisations that do go through a rule set customisation project, many do not review (edit/update/adjust) the rule set again after the initial project. With the increased risk caused by remote working, organisations should place more emphasis on customising the standard rule set to ensure that the rule set covers risks applicable to their organisation, including data privacy risks.

3. Business Accountability of risk:
Organisations struggle with business buy-in and a lack of accountability in access risk from the business. This is often caused by a lack of understanding of the risks and their impact on the organisation should it occur. When the business does not understand the risks and the impact, the granting and approving of inappropriate access is likely to occur.

4. User Access Reviews:
The User Access review process requires businesses to review all users’ SAP access on a periodic basis. Most organisations perform this on an annual basis. With the increase in risk caused by remote working, ensuring users are assigned appropriate access must be done on a more regular basis. Many organisations will need to start performing periodic user access reviews, and the frequency of the reviews is likely to increase to be done bi-annually or even quarterly.

5. Activate Logging:
There are many different types of logging available in SAP that can provide useful information. Numerous organisations do not activate them due to performance or space concerns. With the increased risk of remote working, it is critical that certain categories of logging are activated.

Besides the basic SM20 filters of transaction start, it is advisable to activate other filters such as generic access to tables (CUZ and DU9) or RFC calls accessing data in SAP. With data privacy becoming more topical because of legislation such as GDPR, CCPA and POPIA, having the ability to identify who has displayed this data becomes crucial and the logging of this information can be configured by using the Read Access Logging (RAL) functionality in SAP.

If you’d like to know how Soterion can assist you with managing SAP security issues discussed in this article please email [email protected] We look forward to assisting you.

Read more about our offeringsSoterion’s GRC modules include Access Risk ManagerBasis Review ManagerElevated Rights ManagerPeriodic Review Manager, Password Self-Service and SAP Licensing Manager.

Thought Leadership

KuppingerCole’s Executive view on Soterion’s GRC solutions for SAP

Click here to download the full KuppingerCole Executive View.

In a report covering SAP Governance, Risk and Compliance (GRC) by KuppingerCole Analysts, an international independent analyst organisation headquartered in Europe, the company noted that Soterion, a provider of GRC for SAP, is able to offer a range of deployment options not available from several other vendors.

KuppingerCole Report Executive View

The report notes that due to Soterion not being an ABAP application that is locked into the SAP ecosystem, it is able to run as an independent application interfacing to the SAP ecosystem.

This approach has the added benefit of the Soterion solution being more flexible in building a modern, intuitive and business-centric user interface (UI). “It also will simplify the extension of Soterion for SAP to other solutions, specifically the SAP SaaS services such as Ariba or SuccessFactors, which currently are roadmap items and work in progress,” the report adds.

“All data is displayed in dashboards, supporting drag-and-drop capabilities for grouping, filtering, and re-arranging data. Thus, users can easily identify high-risk areas and other relevant information. Based on that, authorisations can be optimised. One of the capabilities of the Soterion Access Risk Manager is focused on reducing redundant access.”

“Risk clean-up wizards support the users in mitigating access related risks, but also in optimising the role model. The tool also provides a risk clean-up projection, indicating which amount of authorisations could be removed without impacting business operations.”

The report notes that a specific strength of Soterion is the well-thought-out user interface plus mapping capabilities, translating a technical perspective on SAP authorisations into information that relates to the perspective and understanding of business managers.

This includes the ability to provide graphical representations of business flow in the context of authorisations and access reviews, giving business managers an understanding about the activities in the business flow and their relationships.

KuppingerCole adds that Soterion is a user-friendly, well-thought-out solution for managing critical/emergency access, and licenses in SAP environments. “It is targeted at efficient usage, supporting business users that don’t come with a deep understanding of SAP specifics in performing both their routine jobs such as approving access as in the regular access reviews.”

In addition to Soterion’s Access Risk Manager module the report discusses Soterion’s suite of modules which include Basis Review Manager, Elevated Rights Manager, Periodic Review Manager, Password Self-Service and SAP Licensing Manager.


  • Very user-friendly and innovative user interface
  • Supports all major capabilities to be expected in this type of SAP GRC solutions
  • Supports transferring information into business-relevant representation
  • Graphical representation of business processes in the context of access reviews
  • Supports efficient identification and mitigating of access risks
  • Well-thought-out process for access review

Soterion’s agile GRC Access Risk solution solves GRC for SAP customers. Because companies differ, Soterion has developed three ways SAP customers can affordably handle GRC, whatever their internal capability.

Read more about our offerings
. If you’d like further information or would like to request a demo of our software email [email protected].

Thought Leadership

World Crises: What Could be Next, Cyber Attacks and Data Fraud?

New-Generation Governance, Risk and Compliance are critical in SAP Environment
By Dudley Cartwright, CEO of Soterion

2020 will be remembered as the year that a virus almost caused worldwide lockdown. What could be next?

The 2019 WEF Report on significant global threats lists cyber attacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organisations. The stakes are higher than ever, should businesses fail to get it right.

We’re living through an era hallmarked by a rapid increase in the rate of change in the marketplace. Organisations are being forced to adapt to the new realities. Successful organisations are becoming more agile in their ways of working.

New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation and are embracing new agile technologies and methodologies.

GRC principles fit well with the ‘agile’ approach and are today more relevant and important than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools.

Agile thinking encompasses the idea of “clock speed”. This is the pace at which an organisation, in its entirety, is able to move, react and adapt. It is estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.

Whilst agile thinking has brought great benefits in increasing clock speed, it has also brought with it a significant misconception about GRC. In the pursuit of agile delivery, GRC can easily be seen as part of the ‘old paradigm’ and hence ignored or undervalued. Alternatively, even if the GRC function is appreciated by business, GRC practitioners often fail to adapt their approach to the new clock speed realities.

Many new-generation GRC practitioners find themselves operating in a traditional organisation. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organisation requires.

Could someone in GRC influence organisation-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, whilst at the same time pragmatically delivering GRC requirements within the prevailing framework.

So, what is the correct approach then for agile GRC? Given that organisations vastly differ by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer.

Here are a few agile GRC descriptors. Agile GRC realises the need for engaging business users, and therefore puts business users at the heart of the process. GRC language is converted into a language that business users can understand. This is further achieved through more intuitive tools such as introducing business process visualisations that help contextualise and understand risks.

A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering. Engaged business users are more vital today than ever given the fluidity of organisational environments. GRC must become a team sport.

The GRC team need to ensure that access risk remains healthy if business users are not engaged. This is usually done in an episodic fashion, frequently timed to coincide with an audit.

The power of engaged business users is manifold: there are many of them, and they know and understand their processes better than anyone. Giving these users the means to monitor and respond to the risks inherent in their processes provides a powerful first line of defence which in turn allows the GRC team to play a more strategic, value-adding role.

In addition, traditional GRC tools are built upon static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows. The traditional paradigm assumes that such process flows seldom change. With today’s pace of change and agile ways of working, access risk simulations are performed against rule sets that are increasingly out of touch with an organisation’s reality. Business users become frustrated by this and their buy-in diminishes accordingly.

New-generation GRC tools recognise that business process flows are dynamic and fluid, and hence enable us to build dynamic rule sets with adaptive capabilities. Machine learning technologies often play a role here. Another approach is ‘crowdsourcing’ rule set changes from business users themselves, through intuitive visualisations that keep GRC tools relevant and hence keep business users engaged.

Traditional applications typically have a software-license to implementation-cost-ratio of between 1:3 and 1:5. That is, for every dollar spent on licensing in the first year, the organisation can expect to pay up to $5.00 in configuration costs. The implementation process itself is often the organisational equivalent of open-heart surgery, given the sheer intensity of the process.

New-generation GRC applications are typically implemented at least 50% faster than traditional applications. This translates into lower total cost of ownership, less business disruption and quicker establishment of GRC capability.

Aside from the cost-saving implications of rapid deployment, Agile GRC configurations allow users to “fail faster” in the positive sense by getting vital feedback on access simulations and adverse process changes quicker, which allows for timeous adjustments.

Agile GRC vendors are connecting their applications with other vendors from similar but different fields to provide a more holistic offering. Examples of this are integrations with Identity Access Management solutions, Enterprise Risk solutions, Process Control solutions and Business Process Mining solutions.

The API economy enables organisations to choose the exact applications they require given their current business landscape and to create a “one-size-fits-one” GRC technology ecosystem that fits their needs. This contrasts with the traditional “one-size-fits-all” idea of one monolithic GRC application which caters for every conceivable scenario.

GRC solutions need to be able to analyse non-ABAP-based solutions as SAP moves more functionality to the cloud (SuccessFactors, Ariba, Concur, etc.) and customers start replacing non-core SAP products with 3rd party solutions ( and WorkDay). Agile GRC solutions are future proof, in that they will be able to seamlessly analyse access risk from traditional SAP systems (ABAP), as well as SAP cloud and 3rd party solutions.

Managing access risks is time-consuming and laborious. Using historical data to develop trust relationships will allow GRC practitioners and business users to focus on the exceptions. Examples of this include:

  • Monitoring transaction usage activity and highlighting exception transaction codes.
  • Knowing which terminal is used by the user to access SAP and highlighting any activity from a different (non-trusted) terminal.

In our increasingly fast-paced world, there is a strong correlation between successful GRC and levels of business-user engagement in SAP organisations. Therefore, the evaluation of tools in terms of attributes which contribute to business user engagement is an appropriate evaluation tactic to employ.

To download the Agile GRC eBook, click here

For more information please email us at [email protected]

Related Tag: Risk Management SAP

Thought Leadership

GRC essentials for SAP Customers

The importance of a solid foundation

Many organisations running SAP are either in project mode on their journey to S/4HANA or in the planning phases of their S/4HANA project. Most organisations have identified this journey as a unique opportunity to strengthen their SAP security. Thoughts intuitively turn to GRC and IAM tools to achieve this. Without addressing the underlying issues of the SAP role design, GRC and IAM tools will not deliver the expected results and leave the organisation disappointed.

Many organisations have outdated role designs that provide users with inappropriate access required for their job functions. These organisations mistakenly assume SAP security can be solved solely with products and tools e.g. Access Control or Identity Access Management solutions. These will help, but the capability of these tools are significantly diminished if the underlying SAP role design is outdated and/or inappropriate. Your organisation won’t derive the expected value from these investments due to this poor underlying SAP role design. The SAP role design forms the foundation of all things GRC and IAM.

Effective GRC Pyramid


Let’s consider the impact of inappropriate SAP role design, which provides users with far too much access, on both GRC and IAM tools.

1. Access Control solution
The Access Control solution highlights many access risk violations that business users reviewing the risks don’t know where to start. Business users may start approving every SAP access change request without placing much value on the results, due to the volume of risk violations. In short, the capability of the access risk solution is diminished.

2. Identity Access Management solution
The Identity Access Management solution brings about efficiencies in the joiner, leaver and mover processes. However, it will be assigning inappropriate access which results in a very high access risk count. This is far from ideal and counter-productive to their S/4 strategy, particularly as these organisations are placing more emphasis on security.

So, what does all this mean practically? If you’re a GRC practitioner wanting to leverage your organisation’s S/4HANA journey to bolster your security, and you suspect your underlying SAP role design is outdated, what should you do to address this? You have two options for addressing an inappropriate SAP role design: either an SAP role clean-up or an SAP role redesign. Let’s explain this in a bit more detail.

SAP Role Clean-up

An SAP role clean-up is usually possible where the underlying SAP role design is still in relatively good shape i.e. the SAP single roles are well built.

However, the challenge is that these roles have been over-allocated over the years due to SAP authorisation creep. You may find that there are a small number of roles that require content changes (role splits, etc.).

An SAP role clean-up is usually preferred by organisations as it is a quicker and less expensive project. An additional benefit is that it is less disruptive on the business, with fewer end-users testing and fewer authorisation issues than a redesign project.


SAP Role Redesign

A role redesign is recommended when the effort to clean-up the SAP solution is greater than the effort to perform a role redesign. In other words, the SAP solution has deteriorated past the point of no return.

An SAP role redesign is typically a longer, more costly engagement than a role clean-up, and entails greater levels of business involvement and disruption. However, there are several significant benefits to an SAP role redesign.

Firstly, if your organisation has not performed a role redesign for several years, the control requirements of the organisation may have changed over time. For example, Movement Types or Warehouse Numbers may not have been important ten years ago. However, with a role redesign, these new control elements can be introduced.

SAP has introduced several new control authorisations through the years. For example, controlling table access at a more granular level by table name (S_TABU_NAM) versus a wider level of authorisation groups (S_TABU_DIS). Many of the new data privacy regulations are affecting organisations. As a result, more granular control is required which can be achieved through a role redesign project. Data privacy by design is central to most of the data privacy regulations. Implementing this with a role redesign is likely to be easier than as part of a role clean-up project.

In summary, central to any secure SAP environment is a good SAP role design. It forms the backbone of all things GRC. If your organisation does not see the value in addressing the underlying SAP role design, they will never extract the expected value from their GRC and IAM solutions. Addressing the SAP role design will be an investment well worth it in the long run.

For more information please email us at [email protected]

Thought Leadership

What Does Agile GRC Mean?

Before we discuss what agile GRC means, we need to first look at what it means to be agile and what it means for an organisation to be agile.


What does it mean to be agile?

The agile approach originated in the software development industry, and essentially emphasised collaborative product delivery over everything else.

As the ideas enshrined in the agile approach gained ground, it began to dawn on organisational thinkers that the agile approach represented more than a new project management methodology; more fundamentally it represented an alternate organisational paradigm – that is, a new lens of what an organisation is.

This alternative organisational paradigm is discussed in more detail in our new ebook titled Agile GRC available to download.

How can a GRC function in an organisation be agile?

To this we should answer, how can it not!

Things are moving faster all around us. Agile thinking encompasses the idea of “clock speed” i.e. the pace at which an organisation, as an entire system, is able to move, react, adapt and so forth. It’s estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.

Change is the single greatest governance, risk and compliance (GRC) business challenge today…

-Michael Rasmussen, a highly regarded GRC thinker

Michael Rasmussen continues, “organisations often fail to monitor and manage access controls efficiently and effectively in an environment that demands agility.” It’s a reality that GRC practitioners are facing a continuous barrage of SAP access complexity, as well as regulatory and business change. Rasmussen says “Often, existing SAP access risk tools are dated, cumbersome, too costly to own and maintain, and lack the ease-of-use and intuitiveness that the business needs to understand SAP access risk and related processes.”

The point is clear: A more agile approach is required in the face of accelerating change, it cannot be “business as usual” for GRC practitioners.

Agile GRC

How can GRC practitioners get this right then?

Getting GRC right in an agile environment depends on having;

  • the right mindset,
  • the right approach,
  • the right framework,
  • and the right tools.

Download our Agile GRC ebook for a detailed explanation as we look at each of these four points in turn.

Soterion can help your organisation

Soterion has reimagined GRC from the ground up to offer an unparalleled GRC solution to organisations running SAP. It’s popular features combine with an award-winning user experience, delivering a solution that’s quick to install, easy to learn and S/4HANA ready.

Experience a better way of managing GRC, today.

Thought Leadership

GRC 20/20 recognises Soterion with the 2019 GRC User Experience Award

This article contains highlights from the GRC 20/20 report.

If you would like to read the full report, click here to download.

Access control in the face of constant change

Change is the single greatest governance, risk management and compliance (GRC) challenge today. Organisations are in a continuous state of change with new employees being hired, changing of roles, whilst others leave or are terminated.

Organisations often fail to monitor and manage access controls efficiently and effectively in an environment that demands agility. Access control management is too often a periodic exercise that provides incomplete visibility into the organisation’s people, processes and business systems.

Keeping up with controls in a changing workforce environment with access to ERP systems as regulations, risks, applications, priorities and business processes change is challenging. There is a need to automate access controls to bring real-time insight into what individuals are actually doing in ERP environments to mitigate user access and process risks.

Manual processes and document-centric approaches to SoD (Segregation of Duties), inherited rights and critical/superuser access is time-consuming, prone to mistakes and errors and leave the business exposed. Organisations often miss things, as there is no structure of accountability with audit trails. This approach is not scalable and becomes unmanageable over time. It leads to a false sense of control due to reliance on inaccurate and misleading results from errors produced by manual access control processes.

Technology for access control management, automation, and continuous monitoring now enable organisations to achieve a real-time, integrated view of enterprise access controls and risks. This not only enables an enterprise perspective of access risk, but also allows the organisation to increase efficiency, effectiveness and agility in access control management and automation.

Organisations are establishing an access control and SoD strategy with process and technology to build and maintain an access control program. This approach balances business agility, control and security to mitigate risk, therefore reducing loss/exposure, satisfying auditors and regulators – whilst enabling users to perform their jobs. When evaluating solutions for SoD and access controls the organisation needs solutions that are intuitive and easy to use.

Recognising Soterion’s contribution to SAP access risk management

Soterion was established in 2011 with a defined focus in SAP Access Security and Risk. They have worked with organisations across multiple industries, geographies, and sizes with a highly agile and intuitive solution that fits a range of cultures and approaches.

Soterion delivers an intuitive, easy to use, robust, and future-ready SAP access risk management platform that simplifies and strengthens regulatory compliance and risk management in line with industry standards and best practices, while focusing on the end user’s ease of use and GRC administrator’s ease of change.

Some of the key differentiators that GRC 20/20 has noted in the Soterion solution is its ability to do business process modelling to define access rights in the context of business process flows and diagramming, understanding access risk in a business user context, and detailed privacy access risk functionality to manage access to personal information in a privacy context.

Most Soterion clients moved to the solution because they found their manual document-centric approaches for SAP access management consumed too many resources. Too
often things were getting overlooked in a continuous barrage of SAP access complexity,
as well as in regulatory and business change.

Others moved to Soterion as they found their previous SAP access risk solution was dated, cumbersome, too costly to own and maintain, and lacked the ease-of-use and intuitiveness that the business needed to understand SAP access risk and related processes.

Across these clients, there is consistent praise for the value of the ongoing cost of ownership of the Soterion platform, in the speed of deployment, return on investment, improved effectiveness, and agility to manage, monitor and enforce SAP access risk.

Soterion saves organisations time over manual processes for SAP access risk that also delivers greater effectiveness and agility to the organisation. This enables organisations to meet audit requirements, better understand SoD and document mitigating controls.

Overall, it gives an organisation a clear understanding of their SAP access risk throughout the business and does so in a context the business can understand without the overwhelming complexity IT often presents.

About GRC 20/20 Research, LLC

GRC 20/20 Research provides clarity of insight into GRC solutions and strategies through objective market research, benchmarking, training and analysis.

Their research clarity is delivered through analysts with real-world expertise, independence, creativity and objectivity that understand GRC challenges and how to solve them practically.

If you would like to read the full report, click here to download.