I recently wrote about my experience as a SOX manager and head of internal audit at a global manufacturing company with SAP ERP. You can read it here.
The post explains how my staff and I, or more accurately IT staff and user management, chased exceptions for the better part of the year before finally resorting to prayer to get us through year-end without a significant SOX deficiency.
The post includes some requirements that I would consider essential in selecting solutions for managing this critical area – ensuring that only the access that should be granted is in fact granted.
The key is moving from detection to prevention.
It is far better to prevent issues such as excess access than to chase after the problems they create. Even if the user with the excess access doesn’t steal, he or she can cause major disruption by adding or changing transactions. We had a not-so-amusing incident where the CIO gave the (external) auditor certain access privileges that were thought to be read-only. In fact, the auditor was able to close the accounting period while the corporate controller’s team was still processing journal entries, etc. Not a good situation.
What do I mean by ‘excess access’? It’s far more than SOD (segregation of duties). Think about functionality like approving credit memos, inventory adjustments, new vendors, or journal entries. Would you want just anybody to have that ability? What about privileged user access or the ability to close the accounting period? The principle that you only give people what they really need to do their job is key. Even then, understand the risks in the access they have (nobody has just one function) and manage accordingly.
Companies that have moved to prevention through robust provisioning processes have shown great returns. The reduction in the cost of chasing exceptions can be so high that the cost of the software is matched in a matter of months, not years.
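As an added illustration, constructed for this post rather than taken from it or from any SAP product, here is the kind of preventive check a provisioning system runs before a grant is made: it evaluates the access the user would hold after the grant (existing plus requested), flags combinations that let one person both commit and conceal, and flags sensitive single functions such as closing the period. All role, function and rule names are invented.

```python
# Constructed example: preventive SoD / critical-function check at provisioning
# time. Roles, functions and rules are invented, not an SAP ruleset.

# Functions sensitive on their own (approvals, period close, privileged actions).
CRITICAL_FUNCTIONS = {"CLOSE_PERIOD", "APPROVE_CREDIT_MEMO", "ADJUST_INVENTORY",
                      "CREATE_VENDOR", "POST_JOURNAL_ENTRY"}

# Combinations one person should not hold together; the value is the risk.
SOD_CONFLICTS = {
    frozenset({"CREATE_VENDOR", "PAY_VENDOR"}): "pay a fictitious vendor",
    frozenset({"POST_JOURNAL_ENTRY", "APPROVE_JOURNAL_ENTRY"}): "self-approve a journal entry",
    frozenset({"ADJUST_INVENTORY", "COUNT_INVENTORY"}): "hide inventory shrinkage",
}

# What each role actually grants. AUDIT_VIEW models the "thought to be read-only"
# role from the post: it also carries CLOSE_PERIOD.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "VIEW_LEDGER"},
    "AP_PAYMENTS": {"PAY_VENDOR", "VIEW_LEDGER"},
    "GL_ACCOUNTANT": {"POST_JOURNAL_ENTRY", "VIEW_LEDGER"},
    "GL_CONTROLLER": {"APPROVE_JOURNAL_ENTRY", "CLOSE_PERIOD", "VIEW_LEDGER"},
    "AUDIT_VIEW": {"VIEW_LEDGER", "CLOSE_PERIOD"},
}


def evaluate_request(current_roles, requested_roles):
    """Evaluate the access a user would hold AFTER the grant.

    Checking current + requested together is the point: a role that is
    harmless on its own may complete a conflict with access already held.
    Returns (decision, findings); decision is GRANT, REVIEW or BLOCK.
    """
    all_roles = set(current_roles) | set(requested_roles)
    would_hold = set()
    for role in all_roles:
        would_hold |= ROLE_FUNCTIONS[role]

    findings = []
    for combo, risk in SOD_CONFLICTS.items():
        if combo <= would_hold:  # every function in the conflict would be held
            findings.append(("SOD", risk, sorted(combo)))
    for fn in sorted(would_hold & CRITICAL_FUNCTIONS):
        granting_roles = sorted(r for r in all_roles if fn in ROLE_FUNCTIONS[r])
        findings.append(("CRITICAL", fn, granting_roles))

    if any(kind == "SOD" for kind, _, _ in findings):
        decision = "BLOCK"          # conflict: do not grant, redesign the request
    elif findings:
        decision = "REVIEW"         # sensitive function: needs explicit approval
    else:
        decision = "GRANT"
    return decision, findings
```

The auditor incident from the post shows up as a REVIEW on CLOSE_PERIOD when AUDIT_VIEW is requested, while an AP clerk asking for AP_PAYMENTS is blocked outright because the combination completes a vendor-payment conflict.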
How important is this?
Well, the potential for disruption, fraud, and loss of confidential information is important for most organizations. Although SAP applications come with some security, more is typically needed and readily justified.
Should most enterprise applications come with a warning label: limited security provided?
I wouldn’t want to run a business without solutions that prevent excess access with a robust provisioning system. Would you?