Thomas Frenehard

GRC Tuesdays: Building The Case For Your Access Governance Solution

When releasing the blog GRC Tuesdays: Building The Case For Your Fraud Detection and Investigation Solution, I mentioned that it was the fourth and last blog of the four-part “Building The Case” series. As you may recall, the previous three blogs all focused on solutions supporting the Three Lines Model: internal control and compliance, enterprise risk management, and internal audit.

Well, as with any good series, it doesn’t really stop! Remember Star Wars or Indiana Jones? We all thought we had seen the last of Darth Vader or Indy… until a prequel or sequel was released. The same goes for this Building The Case blog series.

This time, we’ll be focusing on another facet of Governance, Risk and Compliance (GRC): building the case for an access governance solution, that is, giving employees the applications and services they need without exposing data and processes to unauthorized use. Organizations can achieve this by enforcing a process of managing and validating user access with governance software that automates user provisioning and helps them certify access swiftly.

If you have been looking at how to quantify the potential gains and savings of such a user access governance approach, the value calculator described in this blog should help.

It is intended to help organizations create a business case by calculating the potential value of technologies designed to improve the identification and remediation of Segregation of Duties (SoD) violations, automate user access assignments across SAP and third-party systems, define and maintain compliance roles in business-friendly terms and language and, when required, grant temporary super-user status with “firefighter” login IDs in a controlled, auditable environment.

To quantify the potential benefits of an enterprise approach to access governance, the SAP Access Control Value Calculator provides real, useful estimates and data to help organizations:

  • Identify and remediate access risk violations automatically across systems
  • Embed compliance checks and mandatory risk mitigation into business processes
  • Enable users to submit self-service, workflow-driven access requests and approvals

Should you decide that this is worth trying out, just go to the SAP Access Control Value Calculator and click on GET STARTED. No need to register for this free tool!

Before we start, I just want to highlight the fact that this value calculator provides estimated data for illustration purposes only. Actual results or costs may of course vary and may be affected by additional factors that would need to be taken into account when using this information in your business case.

Section 1 – Configure

SAP Access Control can be the backbone of a company’s access governance, helping organizations automate and accelerate the administration of user access – even across hybrid environments – while securing their applications, processes, and data against the risk of unauthorized use. Most calculations will be driven by your estimates of the number of users involved, the number of roles, the time spent reviewing access risks, etc.

Properly configured, the solution will allow you to:

  • Ensure the right access at the right time for the right person – which, in turn, enables business users to perform their functions effectively
  • Meet regulatory needs by analyzing access and establishing required control
  • Optimize roles to ensure security, privacy, business functionality, and ease of maintenance
  • Manage privileged access
  • Provide transparent auditability of who got what, when, and why

In this first step, you’ll therefore be asked to provide your best estimate for various company attributes. Don’t worry, you can then change them to create different scenarios if you wish.

What indicators are required:

  • Number of monitored users – includes full-time employees (FTE) but also contractors
  • Average fully-loaded administrative cost per user
  • Number of distinct applications across the organization’s landscape
  • Average segregation of duties cycle time per employee
  • Average time required to review each segregation of duties report

Section 2 – Analyze Risk

As per SAP benchmarks, organizations that use automation to analyze segregation of duties issues in business applications could see up to an 80% reduction in the time spent analyzing them. This section therefore focuses on performing risk analysis to find and remediate segregation of duties and critical-access violations.

What indicator is required:

  • Average number of segregation of duties (SoD) audits per year
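As an added example (not SAP Access Control's own code), here is a minimal version of the SoD and critical-access risk analysis this section describes, run over constructed role and user data and taking documented mitigating controls into account. The rule ids, role names, function names and control id are all made up for illustration.

```python
# Added example (not SAP Access Control's own code): a minimal SoD and
# critical-access risk analysis over constructed user/role data, with
# mitigating controls. All ids, role and function names are made up.

# Constructed SoD rules: (rule id, functions one person must not hold together, risk)
SOD_RULES = [
    ("P001", frozenset({"create_vendor", "post_vendor_payment"}), "high"),
    ("P002", frozenset({"maintain_bank_details", "post_vendor_payment"}), "high"),
    ("B001", frozenset({"create_purchase_order", "approve_purchase_order"}), "medium"),
]
# Critical-access rules: a single function that is a risk on its own (constructed)
CRITICAL_RULES = {"maintain_user_master": "C001"}

# Constructed role -> business functions the role actually grants
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "maintain_bank_details"},
    "AP_PAYMENTS": {"post_vendor_payment"},
    "BUYER": {"create_purchase_order"},
    "PO_APPROVER": {"approve_purchase_order"},
    "BASIS_ADMIN": {"maintain_user_master"},
}
# Constructed user -> assigned roles
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},              # two SoD conflicts
    "bob": {"BUYER"},                                   # clean
    "carol": {"BUYER", "PO_APPROVER", "BASIS_ADMIN"},  # one SoD (mitigated) + one critical
}
# Mitigating controls already documented: (user, rule id) -> control id (constructed)
MITIGATIONS = {("carol", "B001"): "MC-17"}


def effective_functions(user):
    """All functions a user holds through every assigned role (empty if unknown)."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in USER_ROLES.get(user, ())))


def analyze_user(user):
    """Findings for one user as (rule id, risk, status); status is 'mitigated'
    when a control is documented for that user and rule, otherwise 'open'."""
    funcs = effective_functions(user)
    hits = [(rid, risk) for rid, pair, risk in SOD_RULES if pair <= funcs]
    hits += [(rid, "critical") for f, rid in CRITICAL_RULES.items() if f in funcs]
    return [(rid, risk, "mitigated" if (user, rid) in MITIGATIONS else "open")
            for rid, risk in hits]


def open_findings():
    """Unmitigated findings per user, the remediation worklist; clean users are omitted."""
    return {u: opens for u in USER_ROLES
            if (opens := [f for f in analyze_user(u) if f[2] == "open"])}
```

Because the analysis works on the functions a role actually grants rather than on role names, a conflict is still found when two harmless-looking roles combine into a violation, which is exactly the case manual reviews tend to miss.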


Section 3 – Manage Access

As per customer survey results, with automation the time to request, approve, and systematically assign access can decrease by more than 90%, resulting in operational efficiencies where users obtain the access required to do their job more promptly. In this area, benefits are achieved via self-service, workflow-driven access requests and approvals, accelerated by a device-independent user experience.

What indicators are required:

  • Annual turnover including joiners, movers and leavers. Note: as per Forrester, companies experience an average annual turnover of 10%
  • Number of password resets per employee per year. Here, Forrester estimates an average of 4 password resets per employee per year

Section 4 – Maintain Roles

Organizations that use technology to streamline and automate the role lifecycle management process see greater efficiency in access assignments and enhanced security due to assignment of fewer privileges. This section of the value calculator will therefore address the ability to define and maintain roles in business terms, providing the ability to rely on a configurable methodology for role definition and maintenance.

What indicators are required:

  • Average annual role audits per year
  • Total number of access roles available
  • Maintenance cycle time per role per year

Section 5 – Certify Authorization

Companies that automate periodic certification reviews see significant time savings in evaluating and responding to access reviews and certifications, and a cost reduction of 60% or more. With this in mind, tasks relating to periodic user-access reviews, certification of role content, and certification of role assignments to users are still warranted, but can be automated to achieve these gains.

What indicators are required:

  • Number of certifications per year
  • Number of reviewers involved in review cycle
  • Average time spent on reviewing tasks

Section 6 – Monitor Privileges

Monitoring of emergency privileges and transaction usage is a key component of any sound access governance process. As per customer survey results, companies that automate the assignment and monitoring of privileged or emergency access see audit times in this area reduced by 35%, and a 40% reduction in the cycle time for assigning privileged or emergency access.

What indicators are required:

  • Percentage of users with privileged access
  • Time to review privileged access per user
  • Percentage of employees requiring privileged access
  • Average time for privileged account changes

Section 7 – Total Value

That’s it! This last section is a summary that displays the potential value gain achievable with SAP Access Control. It includes 4 graphs:

  • Current Spend vs. Potential Spend
  • Difference in Spend (lighter color is the previous state and darker color represents the potential shift)
  • Total Gain by Section
  • Total Spend and Gain

Registration is not required, and you can change your assumptions as many times as you wish. So why not give it a try?

What about you, what other variables do you take into consideration when building the case for an access governance solution? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

And feel free to have a look at the GRCTuesdays site for the previous blogs on internal control, enterprise risk management, internal audit, and fraud detection and investigation.

Filip Nowak

Nice input! Thanks for sharing