Conquer User Access Reviews in SAP Systems Once and for All
by Jody Paterson, CEO, ERP Maestro
Published in SAPInsider
The process for reviewing SAP system user access can be very painful and time consuming. Depending on the company, a review can take weeks to perform and should be done quarterly or semiannually based on the company’s risk appetite. The end report from each review needs to be complete and accurate to pass audit muster. Achieving that result can be quite costly — in terms of time, resources, and money — if reviews are done manually or without processes to speed and complete them with confidence.
5 Strategies for Conquering User Access Reviews
The following five strategic initiatives can help take the sting out of performing these user access reviews for good.
1. Share Responsibility for the Review Process
Who owns the access review process? While the responsibility of performing access reviews generally falls to a company’s audit or IT administrators, a larger group — from C-level executives to managers who need to review and approve user access — should take serious ownership. Because reviews are a control for access and security of SAP systems, they should be included in a company’s overall security strategy. Education and communication across departments is vital to ensure all parties involved understand the significance of access reviews and the importance of scrupulous manager approvals as part of an internal security defense. A May 2018 Americas’ SAP Users’ Group (ASUG) survey revealed a substantial disparity between executives and IT/security professionals and their level of concern about internal security. Executives had far less concern than the employees in IT or security roles, most likely because they lack visibility into the day-to-day frontline IT and security work. Communication can help bridge that gap and make sure employees at all levels understand the risks, the importance of reviews, and the need for solid security strategies.
2. Start with the End in Mind
Access reviews serve as a main detective internal control to ensure that management knows who has access to perform critical tasks within an organization’s systems. Performing these reviews can help companies detect over-provisioned accounts and prevent insider threats. Completing the review process and removing access from those users who don’t need it amounts to a successful review project. Getting to that end game starts with charting the most efficient and effective way to reach the finish line with as little effort and cost as possible. An audit or IT admin generally begins creating a review by pulling access reports from the SAP system and engineering the data to prepare it for manager analysis and approval. If done manually, this process can be a time-killer in and of itself, and information may no longer be up to date by the time it’s routed to managers. Using a solution that enables an admin to pull reports and set up the review process in minutes instead of hours or weeks can solve one of the biggest problems right from the start. ERP Maestro’s Access Reviewer can pull reports without any drain on the system or servers regardless of report size. A simple download and installation of the Access Reviewer tool can make reporting of this nature available right away. If ERP Maestro’s Access Analyzer is used in unison throughout the year to monitor and control access, access reviews are much smoother to begin with.
3. Manage Reviews Efficiently End to End
To wrap up a review quickly, managers need to do their part to check and certify that access is appropriate for each user based on his or her role and need. To avoid mass approvals, managers must do this in a way that forces review of every single user under their span of control. When the reviews are finally sent out to the appropriate managers, chaos can spark. Oftentimes, reviewers will rubber stamp “Approved” for every row and forego getting into the nitty-gritty of assessing their employees’ access. That shortcut is an auditing no-no. The Access Reviewer solution’s forced single-line approvals helps eradicate this scenario, saving reviewers time, increasing precision in authorizations, and further reducing risk for a company. Because reviews are conducted electronically, manager input is routed immediately through the system straightaway. Built-in email reminders and tracking keep managers on task to complete their work.
4. Make Remediation as Easy as the Review Process
Once the reviews are completed, Access Reviewer automates the manual task of removing user access. For every role that is rejected, Access Reviewer automatically removes the user’s access. In the final stage, admins can generate a certified auditor report, detailing the timelines and notated approval decisions for a complete audit trail. Hours spent removing access and generating a report for compliance are given back to admins in an instant.
5. Automate to Gain More Efficient Controls
The ASUG survey also found that as automation increases, governance, risk, and compliance challenges decrease. User access reviews don’t have to be a daunting, confusing, and time-draining process. With automation tools, like Access Analyzer and Access Reviewer, these reviews can become brief, yet efficient, internal controls to keep companies secure on the inside, while meeting audit and compliance requirements.
Start Automating Reviews Today
ERP Maestro’s automated solutions have zero implementation time or cost. With those benefits and the numerous other advantages of their cloud architecture, there isn’t a case for not automating. According to the Association of Certified Fraud Examiners, typical organizations lose 5% of their revenue to fraud. That statistic puts it all in perspective. The cost of automating is chicken feed compared to the potential losses, especially when strong controls can prevent fraud. To learn more, visit www.erpmaestro.com/access-reviewer.