SAP Risk can be monitored and controlled by software application tools which are available from multiple vendors. Most of the SAP Software tools have the following general features and the prime objective is to control the SAP risk before being introduced into the system.I:0:J
Here the tools basically look for transaction combination which can create segregation of duties or have access to sensitive transactions. This analysis is usually done at the role level or at the user level. Once the risk is identified the role can be fixed to clear the sap risk or can apply a mitigating control to accept the risk with some conditions.
The mitigating control essentially means that the clients agree to the SAP risk and they have designed a process to monitor the risk frequently. This monitoring plan could be automated or manual. This tool will help the internal auditor monitor the SAP risk and can also act as a preventive control. From the SAP security developer point of view the tool can help the administer check for SAP risk in the role or user before he makes the change.
Most of clients want to give more access to users in production system when the user is trouble shooting unique problem. So by giving them surplus access means that the user can have full access to the system. This means the user could have transaction which will let him do some damage and also perform unrelated activities. So managers want to monitor what the user is doing in the system during the time the user has more access. So software tools which are available in the market can track the users' access and send an email once they complete their mission. Thus the high access is provided for narrow amount of time and monitored.
One the key area where risk can be introduced easily is when the user is created. The system administrator can give access to user without authorization or make a mistake entering the SAP access into the user master. In both cases it could be a SAP risk to the company. So most of the tools have features which addresses the user approval method and taking away the manual step of creating the user. One of the ways they handle this is by having a workflow which can be routed to the proper people for approval prior to the user being provisioned in the SAP System.
Here the tools basically look for transaction combination which can create segregation of duties or have access to sensitive transactions. This analysis is usually done at the role level or at the user level. Once the risk is identified the role can be fixed to clear the sap risk or can apply a mitigating control to accept the risk with some conditions.
The mitigating control essentially means that the clients agree to the SAP risk and they have designed a process to monitor the risk frequently. This monitoring plan could be automated or manual. This tool will help the internal auditor monitor the SAP risk and can also act as a preventive control. From the SAP security developer point of view the tool can help the administer check for SAP risk in the role or user before he makes the change.
Most of clients want to give more access to users in production system when the user is trouble shooting unique problem. So by giving them surplus access means that the user can have full access to the system. This means the user could have transaction which will let him do some damage and also perform unrelated activities. So managers want to monitor what the user is doing in the system during the time the user has more access. So software tools which are available in the market can track the users' access and send an email once they complete their mission. Thus the high access is provided for narrow amount of time and monitored.
One the key area where risk can be introduced easily is when the user is created. The system administrator can give access to user without authorization or make a mistake entering the SAP access into the user master. In both cases it could be a SAP risk to the company. So most of the tools have features which addresses the user approval method and taking away the manual step of creating the user. One of the ways they handle this is by having a workflow which can be routed to the proper people for approval prior to the user being provisioned in the SAP System.
About the Author:
Want to find out more about SAP Audit, then visit Selva Kumar's site on how to choose the best SAP Risk for your needs
Really great stuff here.Thanks for keeping up such an awesome resource.Internal Auditor CV Templates
ReplyDelete