The basic rules for ensuring project success apply to SAP Access Control deployment projects, to SAP Access Profile Redesign projects, and to projects that cover both scenarios at the same time.

The need for a project to deploy SAP Access Control and redesign SAP access profiles almost always arises after internal audits or independent (external) audits, which in many cases point out nonconformities with SoD (Segregation of Duties) in users' access profiles. When this occurs, the IT area responsible for managing SAP access profiles is held accountable for the audit results, sometimes unfairly.

The IT area then takes on the role of putting the SAP Access Control and SAP Access Profile Redesign project into practice and begins planning and defining the scope. It is from this point that the main mistakes leading to the failure of projects of this nature occur, almost always influenced by the lack of "GRC" skills in IT teams; had those skills been present, the nonconformities would not have been pointed out. So, what should be done to avoid these mistakes and the failure of projects of this nature?

Applying the following ground rules ensures a reduction in most of the major failures in SAP Access Control and SAP Access Profile Redesign projects. They are:

Specialized Workforce: Defining a good implementation team or consulting service with excellence in the subject is fundamental to having a project without surprises. However, the service provider alone does not guarantee the success of the project. Involvement of the contracting company is critical to making the definitions that best meet the organization's culture and requirements. Specialization in GRC service delivery is an enormous differentiator that companies should seek, in addition to proven experience in previous similar projects.

Requirements Mapping: If the organization has chosen GRC expertise for the project definition process, the mapping of requirements will be determined by the advisor, prioritizing the organization's budget, culture and goals. It is essential to address the following items:

  • Map the main audit gaps that may have motivated the project
  • Define market practices or frameworks (e.g., COSO, SOX, COBIT, etc.) that should be incorporated into the project
  • Determine whether the project will consider redesigning Access Profiles and deploying SAP Access Control at the same time
  • Identify if there are other projects planned in the organization that can impact the project that will be contracted
  • Do not be tempted to adopt a proposed SAP authorization template (profiles) without first evaluating how well it fits the organization's requirements and culture
  • Find an SAP authorization template (profiles) that facilitates the maintenance, reuse and treatment of SoD risks
  • Understand the main features available in the SAP Access Control solution and define where you want to go with the deployment:
    • Adopt the Standard SoD Risk Matrix or tailor a customized matrix for your business
    • Define the Catalog of Compensatory Controls to mitigate SoD Risks
    • Identify the risks in the customized ABAP developments and include them in the SoD Risk matrix
    • Define an ABAP governance procedure to ensure that future maintenance of customized ABAP developments is aligned with GRC practices
    • Define a Responsibility Matrix (RACI) so that those involved in the project and in operations have a clear view of their responsibilities
    • Establish the main GRC streams desired

Sponsor Determination: Because this is a project that involves different areas of the organization (business area, technical area, internal controls, auditing, etc.), it is necessary to involve someone with standing in the organizational structure, such as the CFO or CIO, to act as a sponsor and facilitator for the engagement of those involved in the other impacted areas. SAP Access Control and SAP Access Profile Redesign projects require a top-management sponsor!

Shall we make your project happen?