Re: [sap-security] SAP Segregation of Duties for Small Companies
Posted by upile76 on Sep 1 at 12:37 PM
Hi - While it may sound as easy as turning off tcodes that do not have a direct bearing on financials, there are some combinations of tcodes, or values, that used in combination will pose an SOD violation; a violation that you may miss if you are just relying on a visual review. You are better off getting someone who is familiar with the tool, tweaking it according to your environment and running risk analysis accordingly.
________________________________
From: MarkD via sap-security <sap-security@Groups.ITtoolbox.com>
To: upile76 <upile76@yahoo.com>
Sent: Tuesday, September 1, 2009 9:49:41 AM
Subject: RE:[sap-security] SAP Segregation of Duties for Small Companies
Posted by MarkD (Senior IT Audit Consultant)
on Sep 1 at 10:50 AM
Lee,
We use a 3rd-party bolt-on system for determining SOD issues. One of the first things I did was to go through the rules and shut most of them off, as there were many that did not affect the financials, which is the crux of Sarbanes-Oxley (SOX) 404 controls. I am not familiar with Calibrator, but I believe if it's the SAP security tool it used to be Virsa, and they are all rule-based. Make sure that in addition to the transactions you are including the related objects as well. I would focus your SOD rules around the following areas: creation of master data such as customers, vendors, materials, GL accounts etc.; minimize those users that can open/close accounting periods or modify tables such as currency, etc. Also limit who can post journal entries. I find that there are rules you need to test for one key activity and there are rules where you need to combine activities, such as who can create a customer, create a sales order, and process cash receipts, as an example. The best thing to do is to find all SAP transactions that allow any of those activities and test them down to the object level. It is time consuming up front but is easy to maintain after the fact, and limiting the number of SOD rules will save your sanity. You will not be able to eliminate SOD issues completely, especially for small remote offices with little staff. In cases like this you need to have mitigating controls established and documented for each SOD SOX risk. Good luck.
Mark
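The approach both posts describe, rules built from activities that are each defined by a transaction code plus the authorization objects behind it, then checked singly (critical actions) or in combination (SOD conflicts), with documented mitigating controls for whatever cannot be removed, as an added example that is not from the thread or from any vendor tool. The tcode and authorization-object names are SAP-style labels used as a hypothetical mapping; which objects and values each tcode really checks must be confirmed in your own system, and company-code and other organizational-level values are not modelled. The users, risk ids and mitigation ids are constructed. It also runs a naive tcode-only review alongside to show the false positive that an object-level check avoids.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Per-user authorizations modelled as object -> field -> set of values, the
# shape a merged role/authorization export reduces to. Company-code and other
# organizational-level values are deliberately not modelled here.
Auth = Dict[str, Dict[str, Set[str]]]


@dataclass(frozen=True)
class Activity:
    """A business activity: any one listed tcode plus every listed object/field value."""
    name: str
    tcodes: FrozenSet[str]
    required: Tuple[Tuple[str, str, FrozenSet[str]], ...]  # (object, field, any-of values)


@dataclass(frozen=True)
class Risk:
    """One activity is a critical action; two or more form a segregation-of-duties conflict."""
    rid: str
    description: str
    activities: Tuple[str, ...]


# Illustrative activity definitions (hypothetical mapping). The tcode and
# authorization-object names are SAP-style labels; the exact objects, fields
# and values each tcode checks must be confirmed against your own system.
ACTIVITIES: Dict[str, Activity] = {
    a.name: a
    for a in (
        Activity("CREATE_VENDOR", frozenset({"XK01", "FK01"}),
                 (("F_LFA1_APP", "ACTVT", frozenset({"01"})),)),
        Activity("POST_VENDOR_INVOICE", frozenset({"FB60", "F-43"}),
                 (("F_BKPF_BUK", "ACTVT", frozenset({"01"})),)),
        Activity("PAY_VENDOR", frozenset({"F-53", "F110"}),
                 (("F_BKPF_BUK", "ACTVT", frozenset({"01"})),)),
        Activity("MAINTAIN_POSTING_PERIODS", frozenset({"OB52"}),
                 (("S_TABU_DIS", "ACTVT", frozenset({"02"})),)),
    )
}

# A deliberately short rule set, keeping only financially relevant risks:
# two conflicts and one critical action.
RISKS: List[Risk] = [
    Risk("P001", "Create vendor and pay vendor", ("CREATE_VENDOR", "PAY_VENDOR")),
    Risk("P002", "Create vendor and post vendor invoice",
         ("CREATE_VENDOR", "POST_VENDOR_INVOICE")),
    Risk("F001", "Open/close posting periods", ("MAINTAIN_POSTING_PERIODS",)),
]


def can_perform(auth: Auth, activity: Activity) -> bool:
    """True only when a tcode AND every required object value are both present."""
    tcodes = auth.get("S_TCODE", {}).get("TCD", set())
    if not tcodes & activity.tcodes:
        return False
    return all(
        bool(auth.get(obj, {}).get(field, set()) & values)
        for obj, field, values in activity.required
    )


def analyze(users: Dict[str, Auth],
            mitigations: Dict[Tuple[str, str], str]) -> Set[Tuple[str, str, str]]:
    """Object-level analysis: (user, risk id, mitigating control or 'OPEN')."""
    findings = set()
    for user, auth in users.items():
        for risk in RISKS:
            if all(can_perform(auth, ACTIVITIES[a]) for a in risk.activities):
                findings.add((user, risk.rid, mitigations.get((user, risk.rid), "OPEN")))
    return findings


def tcode_only_analyze(users: Dict[str, Auth]) -> Set[Tuple[str, str]]:
    """Naive review that looks at S_TCODE alone, kept for comparison."""
    findings = set()
    for user, auth in users.items():
        tcodes = auth.get("S_TCODE", {}).get("TCD", set())
        for risk in RISKS:
            if all(tcodes & ACTIVITIES[a].tcodes for a in risk.activities):
                findings.add((user, risk.rid))
    return findings


# Constructed sample users (not real data).
USERS: Dict[str, Auth] = {
    # Has the create-vendor tcode but only display (03) on the vendor master object.
    "DISPLAY_ONLY": {"S_TCODE": {"TCD": {"XK01", "F-53"}},
                     "F_LFA1_APP": {"ACTVT": {"03"}},
                     "F_BKPF_BUK": {"ACTVT": {"03"}}},
    "VENDOR_ADMIN": {"S_TCODE": {"TCD": {"XK01", "F-53"}},
                     "F_LFA1_APP": {"ACTVT": {"01"}},
                     "F_BKPF_BUK": {"ACTVT": {"01"}}},
    # Creates vendors through the less obvious FK01 rather than XK01.
    "REMOTE_OFFICE": {"S_TCODE": {"TCD": {"FK01", "FB60"}},
                      "F_LFA1_APP": {"ACTVT": {"01", "02"}},
                      "F_BKPF_BUK": {"ACTVT": {"01"}}},
    "FI_ADMIN": {"S_TCODE": {"TCD": {"OB52"}},
                 "S_TABU_DIS": {"ACTVT": {"02"}}},
}

# Documented mitigating controls for risks that cannot be removed (constructed ids).
MITIGATIONS = {("REMOTE_OFFICE", "P002"): "MC-07 monthly vendor-change review"}

if __name__ == "__main__":
    for finding in sorted(analyze(USERS, MITIGATIONS)):
        print(*finding)
    print("tcode-only false positives:",
          tcode_only_analyze(USERS)
          - {(u, r) for u, r, _ in analyze(USERS, MITIGATIONS)})
```

Running it reports VENDOR_ADMIN and FI_ADMIN as open findings, REMOTE_OFFICE as a conflict covered by its documented control, and shows that the tcode-only review would additionally flag DISPLAY_ONLY, who holds XK01 but only display authority on the vendor master and so cannot actually create a vendor. The rule set stays small on purpose; each new risk should be added only when its activities have been traced to the objects behind every transaction that allows them.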
Copyright © 2009 CEB Toolbox, Inc. and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251