When managing your ERP system, you have a lot of choice when it comes to how to achieve your goal. You can hire people, you can buy tools, you can do it yourself, etc. The answer to this question will be different for each of you reading this. Below are some of our thoughts on the matter.
Anything can be manual. In the interest of “saving money” many companies choose to “just do it with the people we have”. Often that is not the most efficient way to proceed – skillsets may not match the task, the data might be a mess, or nobody really has the time. With Fastpath, our segregation of duties and security access review module can help solve many of these problems. You can create saved reports for each functional business or control owner, have those reports sent via email automatically on a specified date, and have those folks sign-off via the email to evidence their review. Need to check on status? Navigate to the Signature Log to see what is outstanding and needs follow-up. Enterprising Internal Audit or Compliance leads can even schedule the Signature Log as a report and have it sent to finance or IT leadership, as needed. Stop chasing less-than-enthusiastic co-workers, and start doing those things that matter!
The most effective individuals are sometimes hand strung by the tools at their disposal. If the system you are trying to analyze presents additional complexities like SAP, doing so manually sometimes is not as effective as you’d hope. Anybody who has audited or coded SAP knows how complex customizations can be an example of difficult analysis to perform manually. The Fastpath Code Checker looks for transactions, programs and functions that call an SAP BAPI or transaction. This tool scans all Z and Y programs and functions that need to be checked. Then actual Business Processes from Fastpath Assure are cross-referenced and the Fastpath Code Checker tells the user which Business Process that each Z transaction should be added to. This eliminates the ability of a programmer to bury a transaction call or BAPI call in a transaction that the security team does not know about. Not only that, but now the user of Fastpath Assure knows exactly which Business Process to add the Z-transaction into. Performing this search manually can take days of working in SE-38 and some inherent knowledge of the called transactions, which is frequently found out about only after the auditors catch it.
As discussed in previous articles in this series, critical access and SOD reviews are becoming more prevalent in business – for both compliance and operational reasons. Often, the owner of these exercises is not part of IT, which means having to go to a DBA or BSA and try to communicate what is needed. The beauty of a tool like Fastpath Assure is that the data comes to you, and the platform is straightforward enough to use on your own. Perhaps you’ll need to sit down with someone within IT to understand some technical aspects of your SAP instance, but once you’ve saved a Critical Access Group or custom SOD Conflict, you can run that report on your own going forward. No longer do you need to go back to the well every quarter to ask for the same information, interrupting someone with too much on their plate and no time for your non-critical requests. And just like quarterly access reviews, these saved reports can be scheduled for review and tracked via our platform.
Segregation of Duties and security access reviews are only the beginning. Fastpath’s Identity Manager and Audit Trail modules both allow you to take your control activities beyond the common set of reviews and into preventative and detective procedures that can answer the second and third questions from your business leadership or auditors.
Fastpath Identity Manager allows you to avoid specific issues before they occur. Our platform allows you to leverage our integrated toolset and workflow to request and approve access with key data at-hand. When a user’s access is requested, you can set effective dating and you are then provided with a risk ranking based on the SOD and Critical Access rules you’ve already developed. Then, you can route requests based on risks to the appropriate approvers, such as finance or compliance leadership. All approvals are logged in an immutable log, all of which is covered by Fastpath’s SOC reports.
Inevitably, something will happen. If I had to guess, most controls fail between 3 and 5pm on Fridays. I’ve never validated this in any way, but it makes sense. I’m sure we all love our jobs, but they are still jobs, which means we have something else we’d do for free, tugging at our heartstrings throughout the week. The problem with mistakes is they are often caught after-the-fact, when nobody remembers what they were doing six months ago. Enter Fastpath’s Audit Trail module. Out-of-the-box you get key configuration tracking that can usurp the need for a quarterly configuration review via esoteric system reports, and can even be used as part of your change management controls during the year. In addition, once installed, your SAP team can target additional data as you wish, and track who changed what, when. This deep dive detective capability, when combined with access management and business process controls, can make your control environment significantly more effective than it already is.
When charged with protecting assets in your business, arm yourself with information and the tools to do your job efficiently. Automate the basics, and focus on the complex areas that require more forethought and leadership. Allow us to help you be smarter, more efficient, and more effective – please contact us for a demo to see how you can get on the fast path to complete Access Control in SAP.