RE: [sap-security] SAP Segregation of Duties for Small Companies
Posted by Lee Allen (Senior Lead Analyst) on Aug 29 at 5:58 PM
Reyhan,
First question: Is your company publicly or privately held? If publicly held,
you should have a Sarbanes-Oxley control inventory.
One of the most used best practices is to cross reference your reported SOD
violations to the compensating control in the SOX matrix. Mitigate those
areas where compensating controls do not exist.
Good luck.
From: Reyhan Joshi via sap-security
[mailto:sap-security@Groups.ITtoolbox.com]
Sent: Saturday, August 29, 2009 4:49 PM
To: Lee Allen
Subject: [sap-security] SAP Segregation of Duties for Small Companies
Posted by Reyhan Joshi
on Aug 29 at 5:12 PM
Hello Gurus,
I am currently trying to work on remediation of certain SoD violations at
our company and wanted to know if there are some best practice or tried
solutions.
Basically, the company is a medium-sized SAP shop with around 900 SAP users.
Currently we have US and Canada on SAP and soon Mexico will be live. After
review of the latest Compliance Calibrator violation report, we are thinking
of a long-term approach for SoD remediation instead of an excel based
approach with mitigating controls for most of the violations. Compliance
Calibrator has not been customized for our business and is being used
out-of-the-box so all the risks may not directly apply to our company. So my
questions are:
- What are some of the possible approaches for fixing these violations? We
have a lot of mitigating controls so more of them is not a solution.
- Is there an SAP best-practices approach for Small and medium sized
businesses for Segregation of Duties? If yes, please let me know where I can
get that.
- Can we do something with roles design?
Any thoughts?...Your responses are highly appreciated....
Thanks,
Reyhan
Sr. IT Auditor
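The cross-reference Lee describes (each reported SoD violation matched against the compensating control recorded in the SOX matrix, with only the unmatched ones going to remediation) is easy to script once both sides are in a flat file. The block below is an added example for this thread, not code from either poster or from any SAP product. It assumes two constructed CSV exports whose column names, user IDs, risk IDs, function IDs and control IDs are all hypothetical placeholders; a real Compliance Calibrator export has a different layout and would need its own column mapping. It also adds two checks a practitioner would want: a control whose last test has lapsed is reported as "expired" rather than counted as mitigation, and violations for out-of-the-box risks the business has not yet confirmed as applicable are reported as "unscoped" instead of being silently dropped or padded with yet another mitigating control.

```python
"""Gap analysis of SoD violations against a compensating-control matrix.

Added example for this thread, not code from the original posts or from any
SAP product. All data below is constructed; user IDs, risk IDs, function IDs
and control IDs are hypothetical placeholders.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed violation report in the shape an SoD tool might export:
# one row per user/risk pair, with the conflicting functions that triggered it.
VIOLATIONS_CSV = """user,risk_id,description,functions
jdoe,P001,Create vendor master and post vendor payment,AP01;AP02
jdoe,P003,Maintain bank master and post payment,FI05;AP02
asmith,P001,Create vendor master and post vendor payment,AP01;AP02
asmith,P003,Maintain bank master and post payment,FI05;AP02
asmith,S002,Create customer master and release credit block,SD01;SD03
bkim,B004,Create fixed asset and post asset retirement,FA01;FA02
"""

# Constructed SOX control matrix: one row per compensating control, naming the
# risk it mitigates, the users it covers ("*" or a ';'-separated list), and the
# date until which its last test result is relied upon.
CONTROLS_CSV = """control_id,risk_id,covers_users,review_freq,valid_until
C-AP-07,P001,*,monthly,2010-03-31
C-AP-11,P003,jdoe,weekly,2009-06-30
C-SD-02,S002,asmith;rlopez,quarterly,2010-12-31
"""

# Risk IDs from the out-of-the-box rule set that the business has confirmed
# apply to it. Violations for any other risk are reported as "unscoped" rather
# than being treated as either mitigated or open.
APPLICABLE_RISKS: Set[str] = {"P001", "P003", "S002"}


@dataclass(frozen=True)
class Finding:
    user: str
    risk_id: str
    status: str                       # mitigated | expired | unmitigated | unscoped
    control_id: Optional[str] = None  # the control relied on, where one exists


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def _covers(control: Dict[str, str], user: str) -> bool:
    scope = control["covers_users"].strip()
    return scope == "*" or user in {u.strip() for u in scope.split(";")}


def classify(violations_csv: str, controls_csv: str,
             applicable: Set[str], as_of: date) -> List[Finding]:
    """Assign each reported violation a remediation status as of `as_of`."""
    controls = _rows(controls_csv)
    findings: List[Finding] = []
    for v in _rows(violations_csv):
        user, risk = v["user"], v["risk_id"]
        if risk not in applicable:
            findings.append(Finding(user, risk, "unscoped"))
            continue
        candidates = [c for c in controls
                      if c["risk_id"] == risk and _covers(c, user)]
        if not candidates:
            findings.append(Finding(user, risk, "unmitigated"))
            continue
        # Prefer a control still inside its validity window; otherwise report
        # the most recently valid one so its owner knows what has lapsed.
        live = [c for c in candidates
                if date.fromisoformat(c["valid_until"]) >= as_of]
        if live:
            findings.append(Finding(user, risk, "mitigated", live[0]["control_id"]))
        else:
            latest = max(candidates, key=lambda c: c["valid_until"])
            findings.append(Finding(user, risk, "expired", latest["control_id"]))
    return findings


def remediation_queue(findings: List[Finding]) -> Dict[str, List[str]]:
    """Everything that still needs an owner's action, grouped by status."""
    queue: Dict[str, List[str]] = {}
    for f in findings:
        if f.status == "mitigated":
            continue
        label = f"{f.user}/{f.risk_id}" + (f" ({f.control_id})" if f.control_id else "")
        queue.setdefault(f.status, []).append(label)
    return queue


def run_report(as_of_iso: str = "2009-08-29") -> Dict[str, List[str]]:
    """Run the gap analysis over the constructed data as of an ISO date."""
    findings = classify(VIOLATIONS_CSV, CONTROLS_CSV, APPLICABLE_RISKS,
                        date.fromisoformat(as_of_iso))
    return remediation_queue(findings)


if __name__ == "__main__":
    for status, items in run_report().items():
        print(f"{status}:")
        for item in items:
            print(f"  {item}")
```

With the sample data, both P001 violations fall under the company-wide control C-AP-07 and drop out of the queue; jdoe's P003 surfaces as "expired" because C-AP-11 was last relied on in June, asmith's P003 is "unmitigated" because that control is scoped to jdoe only, and bkim's B004 is "unscoped" until the business decides whether that rule applies. The three non-mitigated buckets are the list to take to role redesign or to the control owners, which is the point of doing the cross-reference before adding more spreadsheet mitigations.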
Copyright © 2009 CEB Toolbox, Inc. and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251