Aligning Your GRC Capabilities with Your Business Objectives

Periodically reviewing your SAP user access, analysing the associated risks and evaluating the necessary controls will align your GRC capability with your individual business objectives. This process significantly enhances insight into your GRC environment and is also an audit and statutory requirement in many business environments.

A Mature GRC Capability Includes Periodically Reviewing a User’s Access, Risks and Controls

The Periodic Review Manager provides a platform where user access reviews can be performed by business users in a simple, workflow-driven web environment while facilitating external rule set and control reviews.

Soterion’s Periodic Access Review Manager ensures central control, but decentralised management throughout the entire user access review process.

Rule Set Review

Regularly reviewing and updating your risk rule set will ensure continued relevancy in an evolving business environment.

Controls Review

Periodic reviews will consistently optimise the efficiency of your mitigating controls by identifying any gaps in control effectiveness.

User Access Review

Review your SAP user access allocations to ensure that all assignments are still relevant. Recertify user access by identifying and removing redundant and superfluous access.

Persons Involved in a Review

Any combination of line managers, risk owners and role owners may accept or reject user role allocations in the context of a particular risk scenario. Business users are able to participate from any web-enabled device. The Administrator has access to an illustrated view of the overall progress of all reviewers. Queries and disputes can be effectively regulated, and business users will be regularly updated via email.

The Review Process

A review set is a snapshot of the user access landscape in SAP at the time of its creation. Each review set also contains a list of owners and approvers for users, risks and roles.

Reviewers can Perform User Role Approvals and Rejections

An automated email from the Administrator prompts all relevant users to participate in the review process: they log into their Review Inbox from any web-enabled device using the URL specified in the email.

When logging in, the user is presented with an Inbox that details the role allocations and associated risks in separate tabs.

The user can approve or reject role allocations and, if necessary, add comments.

The user is able to view (and revert) allocations that they previously approved or rejected. The user can also view and remediate allocations where a conflict exists, that is, allocations they previously approved that have since been rejected by another reviewer.
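The review process described above (a review set as a snapshot of allocations, several reviewers per allocation, approve/reject with comments, reverting one's own decision, and conflicts where one reviewer approved what another rejected) can be modelled in a few dozen lines. The following is an added illustration, not Soterion's code or any SAP API: the user ids, role names and risk labels are constructed sample values, and the status rules (all reviewers approve = approved, all reject = rejected, any approve plus any reject = conflict, otherwise pending) are assumptions chosen to match the description, not a specification of the product.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    APPROVE = "approve"
    REJECT = "reject"


@dataclass(frozen=True)
class Allocation:
    """One user-to-role assignment captured in the review set snapshot."""
    user: str
    role: str
    risk: Optional[str] = None  # risk scenario this role contributes to, if any


@dataclass
class Vote:
    decision: Decision
    comment: str = ""


@dataclass
class ReviewSet:
    """Snapshot of allocations plus the reviewers (line manager, risk owner,
    role owner) assigned to each one. Votes are keyed by (allocation, reviewer)."""
    allocations: list
    reviewers: dict
    votes: dict = field(default_factory=dict)

    def decide(self, allocation, reviewer, decision, comment=""):
        # Only a reviewer assigned to this allocation may approve or reject it.
        if reviewer not in self.reviewers.get(allocation, set()):
            raise PermissionError(f"{reviewer} may not review {allocation.user}/{allocation.role}")
        self.votes[(allocation, reviewer)] = Vote(decision, comment)

    def revert(self, allocation, reviewer):
        # A reviewer may withdraw only their own earlier decision.
        self.votes.pop((allocation, reviewer), None)

    def status(self, allocation):
        """Assumed status rules: conflict beats everything, then pending, then unanimous outcome."""
        assigned = self.reviewers[allocation]
        cast = {self.votes[(allocation, r)].decision for r in assigned if (allocation, r) in self.votes}
        if cast == {Decision.APPROVE, Decision.REJECT}:
            return "conflict"
        if len([r for r in assigned if (allocation, r) in self.votes]) < len(assigned):
            return "pending"
        return "approved" if cast == {Decision.APPROVE} else "rejected"

    def conflicts_for(self, reviewer):
        """Allocations this reviewer approved that another reviewer has rejected."""
        result = []
        for a in self.allocations:
            mine = self.votes.get((a, reviewer))
            if mine is None or mine.decision is not Decision.APPROVE:
                continue
            others_rejected = any(
                self.votes[(a, r)].decision is Decision.REJECT
                for r in self.reviewers[a] if r != reviewer and (a, r) in self.votes
            )
            if others_rejected:
                result.append(a)
        return result

    def progress(self):
        """Administrator view: how many allocations sit in each state."""
        counts = {"pending": 0, "approved": 0, "rejected": 0, "conflict": 0}
        for a in self.allocations:
            counts[self.status(a)] += 1
        return counts

    def to_remove(self):
        """Recertification outcome: allocations every reviewer rejected."""
        return [a for a in self.allocations if self.status(a) == "rejected"]


def build_sample_review():
    """Constructed sample data (not from any real SAP system) exercising each status."""
    a1 = Allocation("jsmith", "FI_AP_INVOICE_POST", "P2P_SoD")
    a2 = Allocation("jsmith", "FI_AP_VENDOR_MAINTAIN", "P2P_SoD")
    a3 = Allocation("mlee", "MM_PURCHASE_ORDER_DISPLAY")
    a4 = Allocation("mlee", "BASIS_ADMIN_ALL")
    rs = ReviewSet(
        allocations=[a1, a2, a3, a4],
        reviewers={
            a1: {"line_mgr_finance", "risk_owner_p2p"},
            a2: {"line_mgr_finance", "risk_owner_p2p"},
            a3: {"line_mgr_procurement"},
            a4: {"line_mgr_procurement", "role_owner_basis"},
        },
    )
    rs.decide(a1, "line_mgr_finance", Decision.APPROVE)
    rs.decide(a1, "risk_owner_p2p", Decision.APPROVE)
    # Line manager keeps the role, risk owner rejects it: a conflict to remediate.
    rs.decide(a2, "line_mgr_finance", Decision.APPROVE, "needed for month-end")
    rs.decide(a2, "risk_owner_p2p", Decision.REJECT, "SoD conflict with invoice posting")
    rs.decide(a3, "line_mgr_procurement", Decision.APPROVE)
    # Superfluous admin role rejected by everyone: removed at recertification.
    rs.decide(a4, "line_mgr_procurement", Decision.REJECT, "no longer in Basis team")
    rs.decide(a4, "role_owner_basis", Decision.REJECT)
    return rs


if __name__ == "__main__":
    review = build_sample_review()
    print(review.progress())
    for alloc in review.conflicts_for("line_mgr_finance"):
        print("conflict:", alloc.user, alloc.role, alloc.risk)
```

The `conflicts_for` view is what the page calls the reviewer's list of allocations to remediate, and `to_remove` is the recertification output: only allocations that every assigned reviewer rejected are scheduled for removal, so a single reviewer can never strip access on their own.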