I noticed a comment on a recent blog post suggesting that the difference between security and controls is only a choice of semantics, which is to say that they are for all practical purposes the same. Perhaps I badly misunderstood the writer’s intent, because I must respectfully disagree with that view. Such a simplistic generalization is how the security group can end up getting blamed by the business for their failure to build adequate controls into their processes and system configuration. While security is an important control, it is just one tool in the controls arsenal. In the SAP landscape, security and controls are not synonymous, and business people who expect security to be “the” control may be in for a rude awakening.
SAP offers a number of configurable controls that are completely separate from security. Such transaction controls include:
- Number ranges
- Automatic postings
- Data entry validation
- Default values
- Controls on accounting periods
- Recurring entries
to name just a few.
In addition, a good controls environment offers both preventive and detective controls, including monitoring, reconciliations, exception reporting, and approvals.
Segregation of duties is one of the most well-known controls accomplished through security role design and careful role assignment; the segregation can occur at the transaction level or at the enabling authorization level. For example, sensitive FI doc types are frequently restricted to the users who need to carry out specific functions such as accounts receivable. Sometimes combinations of controls are the most effective; for example, ideally, printers used for check printing are secured both physically and by restrictions on printer authorizations. However, achieving ideal segregation of duties is not always possible in small businesses or satellite locations. This is where multiple controls on processes can bring extra control assurance.
Security and other controls can be seen as the bad guys, stopping people from getting the work done, or as your partner in keeping the business compliant with the applicable regulations and protected from fraud. A good security design goes hand in hand with other controls and complements them, and together they can form a strong controls environment. Just don’t expect security design to go it alone.