Mitigating controls – is this a cure for “all evil” in redundant authorizations in SAP? (part 5/5)
Part #5/5: Summary and conclusions
The fifth and last part of the article summarizes the topic. In this section we gather all the information and answer the following questions: why is the topic of access risk and SoD control important, and why is it worth dealing with? We suggest a correct sequence of actions. Why are redundant permissions dangerous and why shouldn’t this problem be left for later? Why do financial audits analyze this topic in such detail? We also select the most important points from the previous parts to present both the problem itself and the method of dealing with it in a short summary. Finally, we look at the topic from the financial perspective: what determines the cost of ‘compliance’ ($$$) and how to reduce it. Enjoy reading!
Why is the topic important?
Every year, the American organization ACFE (Association of Certified Fraud Examiners) investigates cases of fraud in organizations around the world. The data disclosed in the report for 2020 confirm the trend that has been visible for many years: the cost of fraud is on average 5% of financial revenues. It takes an average of 14 months to detect an abuse from the moment it first occurs. Abuses cost businesses an average of $8,300 per month. Financial corruption is the most common type of fraud. In the report itself, the authors repeatedly emphasize that the most cost-effective approach to reducing financial losses resulting from fraud is prevention, i.e. preventing the occurrence of fraud.
It may seem obvious, but from our perspective it is important to pay attention to the ‘direction of thinking’. This means that it is possible, and worthwhile, to invest in preventing abuse rather than bearing the costs of repairing the damage it causes. The lack of an appropriate internal control system is responsible for 1/3 of the abuses. We refer to the topic of our article here, because the question about mitigating controls is a question about the architecture of the internal control system. Building an effective internal control system should start, just like building a house, with a good foundation. Our experience shows that this foundation is appropriately secured IT systems that support business processes and generate financial data as a result of their execution. These financial data are later summarized in the Profit and Loss Account or in the Corporate Financial Balance Sheet. They are the basis for investment decisions by investors and for setting the course of action by the Management Board and management of the company. Therefore, they cannot be wrong. The central point of ensuring the correct processing of this data is a properly planned, designed, and implemented user authorization control system. Authorizations have the advantage that if they do not make it possible to perform a specific operation in the IT system, the user will not perform it. Of course, this is often a source of frustration for users who want to carry out the tasks entrusted to them while the system displays the message “You are not authorized to perform this operation“. Most importantly, however, by their nature, correct authorizations in the SAP system are a preventive control, i.e. they prevent the occurrence of financial fraud.
How to approach the topic in the correct manner?
In a few words: when you identify the risk of excessive access rights, do not start with the implementation of a new mitigating control. First, it is necessary to analyze the authorization model and determine whether the user who carries the risk of excessive access rights actually needs the access from which the risk arises. Practice in working with organizations shows that users use only 50-60% of the rights assigned to them. It is worth approaching each identified risk in the entitlements individually, taking into account the level of risk and its negative impact on our organization. After deciding that the effects of the risk are not acceptable and that it should be eliminated, it is worth analyzing the algorithm below, which presents the possible actions and, more importantly, the suggested sequence of their execution.
How to deal with user excessive access?
Excessive user access rights often result from copying privileges during access requests (“I am asking to copy the authorizations of Mr. Kowalski”), combined with the fact that the access rights of Mr. Kowalski are very rarely removed when the employee moves from one department to another. A system for periodic access review comes to the rescue: it identifies authorizations that are not, or have not been, used by the user (e.g. in the last 6-12 months) to perform daily system tasks resulting from his HR responsibilities. The process of periodic verification is the foundation of the authorization control system. Unfortunately, companies rarely use it, because such a process is difficult to implement in an organization without appropriate tools that support management decisions. Valuable information during such a review of rights is not only whether a given transaction was used, but also whether, for example, a given risk has already appeared in the history of reviews and, if so, what decision was made at that time (acceptance or rejection of the rights) for the given risk, organizational context and user. Before starting the access review, it is also useful to determine which authorizations have already been withdrawn in accordance with the reviewers’ decision and have, for example, been re-granted in the authorization request process. That is why the processes of granting access and of periodic verification should be coupled, so that information is shared between them for better decisions by the management of the organization.
How to improve the user authorization model?
A good authorization model is one in which users have only the privileges they require to perform the tasks assigned to a given HR position or process steps. Two challenges often arise at this point. The first is how to determine what is needed to perform the tasks of a given HR position (process steps), and the second is how to technically define (map) it to accesses in the SAP (ERP) system. The scope of duties in each position is defined, but it often happens that the scope of an employee’s tasks is allowed to grow, and with it the system authorizations. This is a partially understandable practice, but it does not help the person who is to design a new entitlement model and wants to base it on the minimum needed for work. In such a situation, during the project initiative, the management redefines the division of tasks in each process or area. For this purpose, it uses the practices resulting from segregation of duties matrices, which define the scopes of authorization that should not be combined because they cause unacceptable risks for the company.
Summarizing, therefore, the entitlement model should have the following features:
- user rights should be the minimum required to perform the tasks of each HR position. There should be no excessive rights, such as those needed during a temporary replacement or received as part of work in previous positions,
- authorizations should not carry segregation of duties risks, in particular those marked as high or critical,
- the authorization process should be controlled, i.e. it should take segregation of duties risk analysis into account before assigning authorizations. Permissions should not be copied from other users (a frequently used simplification in the permission granting process). Access to data should be approved in several stages, in particular by the appropriate data owner (“Data owner” or, for example, “Role owner”), avoiding a situation in which the manager of an employee in the logistics area grants authorizations to financial areas,
- authorizations should be periodically verified to reflect organizational and process changes, or those resulting from HR policy. The data owner should have tools for periodic (once a year), efficient (decision-supporting) verification of the existing accesses.
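The periodic access review described above (unused rights in the last 12 months, SoD conflicts from the matrix, and the decision history from earlier reviews) in one small script. This is an added example, not a tool from the original article; the user, usage dates, SoD rule ids, risk levels and the control id MC-07 are constructed sample data, and the SAP transaction codes are only used to make the pairs recognizable.

```python
from datetime import date, timedelta

# Constructed sample data: transactions each user holds (from assigned roles)
# and the last date each was executed. Missing entries mean "never used".
USER_TCODES = {
    "KOWALSKI": {"FK01", "F-53", "ME21N", "MIGO"},
    "NOWAK": {"ME21N", "MIGO"},
}
LAST_USED = {
    ("KOWALSKI", "FK01"): date(2020, 11, 3),
    ("KOWALSKI", "F-53"): date(2021, 1, 15),
    ("KOWALSKI", "MIGO"): date(2020, 1, 20),   # stale: more than 12 months ago
    ("NOWAK", "ME21N"): date(2021, 1, 10),
    ("NOWAK", "MIGO"): date(2021, 1, 12),
}
# Constructed SoD matrix: (risk id, level, function A, function B) that must not meet.
SOD_RULES = [
    ("R001", "High", {"FK01"}, {"F-53"}),      # maintain vendor vs. pay vendor
    ("R002", "Medium", {"ME21N"}, {"MIGO"}),   # create PO vs. post goods receipt
]
# Constructed history of earlier review decisions, keyed by (user, risk id).
PRIOR_DECISIONS = {("NOWAK", "R002"): "accepted - mitigating control MC-07"}


def unused_authorizations(user, as_of, months=12):
    """Transactions the user holds but has not used inside the review window."""
    cutoff = as_of - timedelta(days=30 * months)
    return sorted(t for t in USER_TCODES[user]
                  if LAST_USED.get((user, t), date.min) < cutoff)


def sod_conflicts(user):
    """SoD risks raised by the user's transactions, with any earlier decision."""
    tcodes = USER_TCODES[user]
    return [(risk_id, level, PRIOR_DECISIONS.get((user, risk_id), "new"))
            for risk_id, level, side_a, side_b in SOD_RULES
            if tcodes & side_a and tcodes & side_b]


def review_user(user, as_of):
    """Follow the article's sequence: remove unused rights before thinking
    about a mitigating control, so each conflict lists what can go first."""
    unused = set(unused_authorizations(user, as_of))
    conflicts = []
    for risk_id, level, decision in sod_conflicts(user):
        side_a, side_b = next((a, b) for r, _, a, b in SOD_RULES if r == risk_id)
        conflicts.append({"risk": risk_id, "level": level, "prior": decision,
                          "remove_unused_first": sorted((side_a | side_b) & unused)})
    return {"unused": sorted(unused), "conflicts": conflicts}
```

For KOWALSKI the review shows that risk R002 can be resolved simply by withdrawing two stale transactions, while R001 involves rights in active use and needs a model change or a mitigating control.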
How to use mitigating controls wisely?
Mitigating controls are not an ideal solution to the problem of excessive user rights, but if properly implemented, they can be an effective protection against access risks. They apply especially when it is impossible to partially restrict or revoke user access rights in the SAP / ERP system, or when the organization lacks the resources, or does not allow, to change the current way of running the process in the short term.
In the third part of the article, we described the important role of knowing the business context. This is key in determining whether the control mechanisms we want to create have not already been implemented in the organization, or whether similar ones exist that address the same control objective (the same risk), the only difference being the way the control activity is described or the business area that requested it. It is very important to avoid duplication of control activities, because it generates huge costs for the organization without guaranteeing better (more effective) management of the identified risks. An important element that helps to avoid duplication is an automated repository of controls and risks, which allows the reasons for a control’s existence in a process to be reported from various perspectives: risks, regulations or legal requirements, processes, etc. Beyond a certain scale (> 30 risks), it is impossible to maintain such a repository without a dedicated tool/system/application that also enables the implementation of automated mitigating controls.
Changes in business processes
If we are unable to implement business controls, or their implementation is not justified in the long term, it is worth considering changes in the design and operation of the current business processes. In the short term this is a greater organizational effort, but in the long term it may turn out to be more beneficial and may bring some optimization of our business process flows. Of course, such changes in business processes require an appropriate project initiative that will plan and design the future shape of the processes, prepare a roadmap to reach that state and then, through progress monitoring mechanisms, ensure that the changes are implemented. This involves costs related to:
- work of own managers and / or external experts who will help design the target model,
- costs of training employees in a new way of implementing the process,
- costs related to the maintenance of the new model, which, in principle, should be lower than the costs incurred so far.
How much does it cost?
Finally, it is worth considering the financial and cost aspect. From our experience, this aspect is often overlooked, as the management of the company often thinks in terms of “must have”, because it is required by a specific legal regulation. This is often justified, but our years of professional practice show that no regulation directly prescribes the method of implementation. The method of implementation is at the discretion of management or external advisers, who often lean towards the principle that it is better to do more than less. In the years 2003-2005, when the first implementations of the Sarbanes-Oxley Act appeared in the world and forced the construction of internal control systems, organizations created many new control mechanisms based on authorizations. In the following years, many costly optimization projects were carried out, as it turned out that maintaining unjustified, ill-considered controls in business processes cost a lot of money.
This cost of control resulted directly or indirectly from:
- time (working-days) of middle and high-level managers devoted not only to the implementation of control in the business process, but also its documentation and description,
- time (man-days) of internal and external audits needed to test these mechanisms, that is, certify that they work properly and further address the control objectives resulting from the risk described.
At the other extreme, there are penalties for companies that fail to control, or misunderstand, the requirements. The Securities and Exchange Commission (SEC) imposed penalties totalling USD 4.3 billion in 2019 alone.
Therefore, the challenge remains the correct balance between the effectiveness of the internal control system and the expenditure incurred on its implementation and subsequent maintenance. An appropriate system of entitlements reduces the cost of maintaining such a system, and the resources saved can be wisely invested in the automation and maintenance of those control mechanisms that are appropriate for the defined risk base.
Please share feedback or thoughts in a comment section.
Read more on this topic on the SAP Solutions for Governance, Risk, and Compliance topic page.
- See our introductory post, with links to the other articles in this series, prepared together with Andrzej Partyka.