Quarterly Access Risk Review

Client Profile

Location: Malaysia

Industry: Chemicals

The client is a privately-owned major manufacturer of palm oil products.

  • The client runs SAP ECC in its standard installation. They do not use SAP GRC or any other additional software to assess segregation of duties (SoD) and critical access compliance.
  • Periodic (in this case quarterly) SAP access risk assessment is required as part of agreed internal control and audit procedures. As part of this assessment, analytics are required on actual SAP user authorisations.
  • The client outsources the process of performing user access analytics and producing reports based on these analytics.
  • This decision was taken in order to focus their resources on analysing instances of non-compliance and defining follow-up actions.

Project Objectives

  • On a quarterly basis, to perform data analytics on the client’s user access rights (i.e. SAP authorisations) based on an agreed rulebook and a set of parameters.
  • To leverage a best-practice rulebook and fine-tune it to the client’s SAP control environment, in order to maximise the relevance of generated reports.
  • To present a set of reports with all relevant details, eliminating the need for the client to install and get familiar with any software.

Challenges and Opportunities

  • Efficient periodic access risk review requires specialist knowledge and the use of a tool.
  • Outsourcing the generation of user access analytics reporting to XS Control offers the opportunity to leverage subject matter expertise and reliable software.
  • Reporting content and format were developed specifically for the client in order to present relevant information in an easy-to-digest format and facilitate the subsequent investigation process.

Why XS Control

  • Solid knowledge and experience in the area of SAP access risks and controls, including the management of critical access and segregation of duties.
  • Strong understanding of the technical SAP authorisation concept and its application to business risks.
  • The use of a state-of-the-art expert software product (MARC) to deliver the required reports quickly at a fair price.

Project Highlights

  • XS Control worked closely with the client to select and fine-tune the rulebook to suit their requirements.
  • An easy-to-use tool called MARC Data Extractor is used for the client to download relevant authorisation data from their SAP system.
  • The use of MARC allows access analytics to be performed efficiently and accurately.
  • Meaningful reports with relevant details are provided in Microsoft Excel.

Project Benefits

  • There is no need to invest in additional software and expertise in order to perform the user access analytics and generate useful reports.
  • The reporting gives clear visibility about the client’s access risks in a practical format which allows data to be interpreted quickly, without requiring further manual work.
  • XS Control provides instant support to address queries about unexpected access risk violations.

Related Services

Access Framework

Through close collaboration with you, we identify access risks in your SAP processes and design the controls for them.

User Access Analytics

We analyse how well your SAP access complies with segregation of duties and critical access requirements, then present you with reporting in a format that works for you.
