A third-party monitoring software package, Approva’s
BizRights Authorizations Insight (AI), was chosen for implementation.
The first step was to review the standard SOD rules delivered
within the Approva tool. The rules were reviewed for: 1)
Applicability to the company’s business and 2) Priority
rating for ongoing monitoring activities (i.e. High, Medium,
Low, Informational).
Next, custom rules were developed for the company’s
custom business processes. These were created for various
custom transactions and authorization objects.
Rule review workshops were conducted for 10 business process
areas. The workshops helped the business teams understand SAP
security as it applied to their particular business process,
and the discussions provided the input needed to modify the
Approva rules to suit the company's operations. On completion
of the workshops, the resulting rule data was entered into AI.
Once the SOD rules were finalized, they were used to analyze
the SAP roles and users for violations. The violations were
then reviewed by the business teams for their severity.
If a violation was a result of the company's standard
operating procedures, a compensating control was defined,
documented and entered into AI. Otherwise, the resulting
role or user assignment changes were given to the SAP Security
team.
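As an added illustration of the analysis step described above (not code from the original article or from the Approva product), the following Python sketch evaluates SOD rules against roles and user assignments, distinguishes violations that have a documented compensating control from open ones, and orders the open items by priority rating. All rule identifiers, transaction codes, roles, users and control references are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    func_a: frozenset  # transaction codes granting the first function
    func_b: frozenset  # transaction codes granting the conflicting function
    priority: str      # High / Medium / Low / Informational

# Constructed rules, not the vendor's delivered set; C001 covers custom Z transactions.
RULES = [
    SodRule("R001", frozenset({"FK01", "FK02"}), frozenset({"F110", "F-53"}), "High"),
    SodRule("R002", frozenset({"ME21N"}), frozenset({"MIGO"}), "Medium"),
    SodRule("C001", frozenset({"ZVEND_ADD"}), frozenset({"ZVEND_PAY"}), "High"),
]
ROLES = {  # role -> transactions it grants (constructed)
    "Z_AP_CLERK": {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENT": {"F110", "F-53"},
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_VENDOR_ALL": {"ZVEND_ADD", "ZVEND_PAY"},  # conflict built into a single role
}
USERS = {  # user -> assigned roles (constructed)
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "bob": {"Z_PURCHASER"},
    "carol": {"Z_PURCHASER", "Z_WAREHOUSE"},
}
# Documented compensating controls for accepted violations: (user, rule_id) -> reference.
COMPENSATING_CONTROLS = {("carol", "R002"): "CC-17 monthly three-way-match review"}
PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

def conflicts(tcodes, rules):
    """Rules for which both conflicting functions are reachable from one transaction set."""
    return [r for r in rules if tcodes & r.func_a and tcodes & r.func_b]

def role_violations(roles=ROLES, rules=RULES):
    """Roles that violate a rule on their own, regardless of who holds them."""
    found = {role: [r.rule_id for r in conflicts(tc, rules)] for role, tc in roles.items()}
    return {role: ids for role, ids in found.items() if ids}

def user_violations(users=USERS, roles=ROLES, rules=RULES, controls=COMPENSATING_CONTROLS):
    """Split user-level violations into open ones and ones covered by a compensating control."""
    open_, mitigated = [], []
    for user, assigned in users.items():
        tcodes = set().union(*(roles[r] for r in assigned))  # effective access across all roles
        for rule in conflicts(tcodes, rules):
            v = {"user": user, "rule": rule.rule_id, "priority": rule.priority,
                 "control": controls.get((user, rule.rule_id))}
            (mitigated if v["control"] else open_).append(v)
    open_.sort(key=lambda v: PRIORITY_ORDER[v["priority"]])  # highest priority first for review
    return open_, mitigated
```

Role-level conflicts (a single role granting both functions) surface even when no user currently holds the role, which is why both the roles and the user assignments are analysed.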