RE:[sap-security] SAP Segregation of Duties for Small Companies
Posted by MarkD (Senior IT Audit Consultant) on Sep 1 at 10:50 AM
Lee,
We use a third-party bolt-on system for determining SOD issues. One of the first things I did was to go through the rules and shut most of them off, as there were many that did not affect the financials, which is the crux of Sarbanes-Oxley (SOX) 404 controls. I am not familiar with Calibrator, but I believe if it's the SAP security tool it used to be Virsa, and they are all rule based. Make sure that in addition to the transactions you are including the related objects as well. I would focus your SOD rules around the following areas: creation of master data such as customers, vendors, materials, GL accounts, etc.; minimize those users that can open/close accounting periods or modify tables such as currency, etc. Also limit who can post journal entries. I find that there are rules you need to test for one key activity, and there are rules where you need to combine activities, such as who can create a customer, create a sales order, and process cash receipts, as an example. The best thing to do is to find all SAP transactions that allow any of those activities and test them down to the object level. It is time consuming up front but is easy to maintain after the fact, and limiting the number of SOD rules will save your sanity. You will not be able to eliminate SOD issues completely, especially for small remote offices with little staff. In cases like this you need to have mitigating controls established and documented for each SOD SOX risk. Good luck.
Mark
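As an added illustration of the rule style Mark describes (not code from the post or from any SOD tool), here is a small checker that resolves activities down to the authorization-object level, applies both a single-activity rule and a combination rule, and reports whether a documented mitigating control exists. The transaction codes and object names follow SAP naming, but the activity mapping, users and control register are constructed sample data and are deliberately incomplete.

```python
from typing import Dict, List, Set, Tuple

# Each activity needs a transaction that reaches it AND the authorization object /
# activity value behind it. Illustrative mapping only; a real rule set lists every
# transaction that can perform the activity, as the post recommends.
ACTIVITIES: Dict[str, Tuple[Set[str], Tuple[str, str]]] = {
    "create_customer":      ({"XD01", "FD01", "VD01"}, ("F_KNA1_APP", "01")),
    "create_sales_order":   ({"VA01"},                 ("V_VBAK_VKO", "01")),
    "process_cash_receipt": ({"F-28", "FB05"},         ("F_BKPF_BUK", "01")),
    "post_journal_entry":   ({"FB01", "FB50"},         ("F_BKPF_BUK", "01")),
}

# Two rule styles from the post: one key activity to restrict on its own, and a
# combination that is a conflict only when a single user holds every activity.
RULES: Dict[str, Set[str]] = {
    "JE-01":  {"post_journal_entry"},
    "OTC-01": {"create_customer", "create_sales_order", "process_cash_receipt"},
}

# Constructed users: (transaction codes held, {(object, activity value)} held).
# bob has the XD01 transaction but only display (03) on F_KNA1_APP, so he cannot
# actually create customers; a transaction-only check would flag him wrongly.
USERS: Dict[str, Tuple[Set[str], Set[Tuple[str, str]]]] = {
    "alice": ({"XD01", "VA01", "F-28"},
              {("F_KNA1_APP", "01"), ("V_VBAK_VKO", "01"), ("F_BKPF_BUK", "01")}),
    "bob":   ({"XD01", "VA01", "F-28"},
              {("F_KNA1_APP", "03"), ("V_VBAK_VKO", "01"), ("F_BKPF_BUK", "01")}),
    "carol": ({"FB50"}, {("F_BKPF_BUK", "01")}),
}

# Documented mitigating controls for (user, rule) pairs that cannot be removed,
# e.g. the small remote office case. Constructed example entry.
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("carol", "JE-01"): "Controller reviews all manual journal entries monthly",
}


def granted_activities(tcodes: Set[str], auths: Set[Tuple[str, str]]) -> Set[str]:
    """Activities a user can really perform: reaching transaction AND object value."""
    return {name for name, (rule_tcodes, obj) in ACTIVITIES.items()
            if tcodes & rule_tcodes and obj in auths}


def evaluate(users=USERS, rules=RULES, mitigations=MITIGATIONS) -> List[Tuple[str, str, str]]:
    """Return (user, rule_id, status) for every rule a user fully satisfies."""
    findings = []
    for user, (tcodes, auths) in users.items():
        can = granted_activities(tcodes, auths)
        for rule_id, required in rules.items():
            if required <= can:  # every activity in the rule is held by this user
                status = "mitigated" if (user, rule_id) in mitigations else "UNMITIGATED"
                findings.append((user, rule_id, status))
    return findings
```

Running `evaluate()` on the sample data flags alice's unmitigated order-to-cash conflict and carol's mitigated journal-entry access, while bob is not flagged because the object-level check fails.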
Copyright © 2009 CEB Toolbox, Inc. and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251