Easy SoD — Segregation of Duties Rules in SAP ERP

Segregation of Duties (SoD) is a central element of any SAP authorization concept. User authorizations should be minimal: you restrict access to critical functions (single actions), and you avoid granting one user a critical combination of activities (SoD). A classic example is a user who can create vendors and maintain their bank data, and can also enter invoices for the same vendors or initiate payments. This violates the four-eyes principle and creates process risks that open the door to errors and fraud.

SAP systems log a great deal of useful information that can be used to mitigate these risks, but it is often hard to find, access and use. Changes to business objects may be recorded in the application tables themselves or in change documents, and for SoD analysis you have to combine data from these different sources.

SoD analysis in SAP is usually seen as a cumbersome process: it typically requires a fresh installation of SAP GRC Access Control or another third-party system that reads the data from your SAP system and lets you review the results there.

SAP GRC also requires an additional implementation project before clients can use it.

However, these statements aren’t entirely true.

Let us explain why.

REMEDYNE has been on the market for quite a while; it is a mature product with a lot to offer its clients.

On top of that, it is an add-on to your existing SAP installation and does not require installing any software on new hardware or on a cloud server.

REMEDYNE is imported into your SAP environment with a single transport request.

And now comes the easy part.

With the transport request, our clients receive more than 100 predefined SAP checks, pre-configured according to SAP best practices, plus a handful of tools that let you create your own SoD checks without writing any code.

Users are expected to be familiar with the standard SAP tables and to have a general understanding of SAP change objects.

Let us dig a bit deeper into how you can create SoD checks without coding skills.

First and foremost, you need to know what you want to achieve.

Second, you need to know where this information is stored.

And finally, how this information will be retrieved and displayed in a user-friendly format.

What?

You have been in contact with your external auditors, typically a Big 4 firm, and more or less all of them work with the same SoD matrices. These SoD checks are usually performed only once a year during the audit, unless you run SAP GRC or another tool yourself. The matrices contain rules, each of which defines a combination of actions that a single user must not be able to perform. SoD matrices are a great starting point!

Where?

As mentioned above, all data in SAP is stored in tables. SAP typically splits a document across two tables: a header table with the general information about the document (posting date, who posted it, the document type and so on) and an item table with the detailed information (material number, posting keys, item amounts, quantities, etc.).

Another source of information is change objects.

For those unfamiliar with change objects: for objects and fields that are flagged for change logging, SAP records every change as a change document, stored in the tables CDHDR (header) and CDPOS (items). Changes can be viewed either in a separate transaction or through an option within the data-maintenance transaction, in the form of change documents. A change document contains all the relevant information: the changed object and record, the old and new values, the date and time of the change, and the name of the user who made it. More details can be found here.

How?

REMEDYNE has created a couple of tools that make the "what" and "where" possible inside REMEDYNE; we introduced them in a previous post on our website. The tools are:

· SoD tool, which analyzes two different change objects;

· Single Action tool, which analyzes one change object, table or field;

· QV2CHECK, which uses the power of SQVI to combine the results of the Single Action tool with any combination of SAP tables.
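As an added worked example (it is not REMEDYNE's code, nor the QV2CHECK tool or an SQVI query), the script below walks through the "what", "where" and "how" end to end in Python: it takes vendor-master change documents from CDHDR/CDPOS and vendor invoices from BKPF/BSEG, derives who did what to which vendor, and evaluates both a single-action rule (vendor bank data changed) and the SoD rule from the introduction (the same user creates a vendor or changes its bank data and also posts invoices for that vendor). The table, field and object-class names (CDHDR, CDPOS, BKPF, BSEG, LFA1, LFBK, KRED, BANKN, BLART, KOART, LIFNR) are the standard SAP ones; the rows are constructed for the example, and the function names VENDOR_CREATE, VENDOR_BANK_CHANGE and VENDOR_INVOICE are hypothetical labels chosen here.

```python
"""Added example, not REMEDYNE's tool: run single-action and SoD checks by combining
SAP change documents (CDHDR/CDPOS) with FI posting tables (BKPF/BSEG).
Table, field and object-class names are standard SAP; rows and rule names are constructed."""
from collections import defaultdict
from typing import NamedTuple

# Constructed change document headers for vendor master records (object class KRED).
CDHDR = [
    {"OBJECTCLAS": "KRED", "OBJECTID": "0000100001", "CHANGENR": "0000000001", "USERNAME": "JSMITH", "UDATE": "20240301", "TCODE": "XK01"},
    {"OBJECTCLAS": "KRED", "OBJECTID": "0000100001", "CHANGENR": "0000000002", "USERNAME": "JSMITH", "UDATE": "20240302", "TCODE": "XK02"},
    {"OBJECTCLAS": "KRED", "OBJECTID": "0000100002", "CHANGENR": "0000000003", "USERNAME": "AMILLER", "UDATE": "20240303", "TCODE": "XK02"},
]
# Constructed change document items: CHNGIND 'I' on LFA1 with FNAME 'KEY' is a newly
# created vendor record; 'U' on LFBK is an update to the vendor's bank details.
CDPOS = [
    {"CHANGENR": "0000000001", "TABNAME": "LFA1", "FNAME": "KEY", "CHNGIND": "I", "VALUE_OLD": "", "VALUE_NEW": ""},
    {"CHANGENR": "0000000002", "TABNAME": "LFBK", "FNAME": "BANKN", "CHNGIND": "U", "VALUE_OLD": "12345678", "VALUE_NEW": "99999999"},
    {"CHANGENR": "0000000003", "TABNAME": "LFBK", "FNAME": "BANKN", "CHNGIND": "U", "VALUE_OLD": "22222222", "VALUE_NEW": "33333333"},
]
# Constructed accounting documents: header BKPF (BLART 'KR' = vendor invoice) and
# item BSEG (KOART 'K' = the vendor line, carrying the vendor number LIFNR).
BKPF = [
    {"BUKRS": "1000", "BELNR": "5100000001", "GJAHR": "2024", "BLART": "KR", "USNAM": "JSMITH", "CPUDT": "20240305"},
    {"BUKRS": "1000", "BELNR": "5100000002", "GJAHR": "2024", "BLART": "KR", "USNAM": "BJONES", "CPUDT": "20240306"},
]
BSEG = [
    {"BUKRS": "1000", "BELNR": "5100000001", "GJAHR": "2024", "KOART": "K", "LIFNR": "0000100001", "WRBTR": 12500.00},
    {"BUKRS": "1000", "BELNR": "5100000002", "GJAHR": "2024", "KOART": "K", "LIFNR": "0000100002", "WRBTR": 800.00},
]

BANK_FIELDS = {"BANKL", "BANKN", "BKONT"}         # bank key, account number, control key
CRITICAL_SINGLE_ACTIONS = {"VENDOR_BANK_CHANGE"}  # reviewed on its own, no pairing needed
SOD_RULES = [                                     # one user must not do both on the same vendor
    ("VENDOR_CREATE", "VENDOR_INVOICE"),
    ("VENDOR_BANK_CHANGE", "VENDOR_INVOICE"),
]

class Action(NamedTuple):
    function: str  # hypothetical business-function label referenced by the rules above
    user: str
    vendor: str
    date: str
    detail: str

def cdhdr_actions(cdhdr, cdpos):
    """Join CDHDR to CDPOS on CHANGENR and map vendor-master changes to functions."""
    items = defaultdict(list)
    for pos in cdpos:
        items[pos["CHANGENR"]].append(pos)
    actions = []
    for hdr in cdhdr:
        if hdr["OBJECTCLAS"] != "KRED":
            continue
        who, vendor, when = hdr["USERNAME"], hdr["OBJECTID"], hdr["UDATE"]
        for pos in items[hdr["CHANGENR"]]:
            if pos["TABNAME"] == "LFA1" and pos["CHNGIND"] == "I":
                actions.append(Action("VENDOR_CREATE", who, vendor, when,
                                      f"{hdr['TCODE']} change {hdr['CHANGENR']}"))
            elif (pos["TABNAME"] == "LFBK" and pos["FNAME"] in BANK_FIELDS
                  and pos["CHNGIND"] in ("I", "U")):
                actions.append(Action("VENDOR_BANK_CHANGE", who, vendor, when,
                                      f"{pos['FNAME']} {pos['VALUE_OLD']} -> {pos['VALUE_NEW']}"))
    return actions

def fi_actions(bkpf, bseg):
    """Join header BKPF to item BSEG on the document key and pick out vendor invoices."""
    headers = {(h["BUKRS"], h["BELNR"], h["GJAHR"]): h for h in bkpf}
    actions = []
    for line in bseg:
        hdr = headers.get((line["BUKRS"], line["BELNR"], line["GJAHR"]))
        if hdr and hdr["BLART"] == "KR" and line["KOART"] == "K":
            actions.append(Action("VENDOR_INVOICE", hdr["USNAM"], line["LIFNR"],
                                  hdr["CPUDT"], f"doc {line['BELNR']} {line['WRBTR']:.2f}"))
    return actions

def single_action_findings(actions, critical=CRITICAL_SINGLE_ACTIONS):
    """Single Action check: every occurrence of a critical function is a finding."""
    return [a for a in actions if a.function in critical]

def sod_findings(actions, rules=SOD_RULES):
    """SoD check: the same user performed both sides of a rule on the same vendor."""
    done = defaultdict(set)  # (user, vendor) -> functions that user performed on that vendor
    for a in actions:
        done[(a.user, a.vendor)].add(a.function)
    return [(user, vendor, left, right)
            for (user, vendor), funcs in sorted(done.items())
            for left, right in rules
            if left in funcs and right in funcs]

def run_checks(cdhdr=CDHDR, cdpos=CDPOS, bkpf=BKPF, bseg=BSEG):
    """Combine both data sources and return (single-action findings, SoD findings)."""
    actions = cdhdr_actions(cdhdr, cdpos) + fi_actions(bkpf, bseg)
    return single_action_findings(actions), sod_findings(actions)

if __name__ == "__main__":
    single, sod = run_checks()
    for a in single:
        print(f"CRITICAL {a.function}: {a.user} on vendor {a.vendor} ({a.date}) {a.detail}")
    for user, vendor, left, right in sod:
        print(f"SOD {left} + {right}: user {user} on vendor {vendor}")
```

On the constructed data the script reports two critical bank changes (JSMITH and AMILLER) and two SoD findings, both for JSMITH on vendor 0000100001, who created the vendor, changed its bank account and then posted an invoice for it; AMILLER's bank change on vendor 0000100002 is not an SoD hit because a different user (BJONES) posted that vendor's invoice. The SoD check matches on the same vendor, as the introduction describes; a role-level variant that only asks whether the same user performed both functions at all is stricter and produces more findings. Against a real system, filter CDHDR by OBJECTCLAS and UDATE before joining, since CDPOS is one of the largest tables.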

Find out how to set up controls in the Knowledge Base article on our website.

REMEDYNE comes with built-in checks, and users can easily create new controls from hard-to-access data, allowing them to monitor critical activities and mitigate the residual risks left by SAP roles and authorizations.
