Since the Sarbanes-Oxley (SOX) Act passed in 2002, an organizations’ emphasis on their internal controls and risk management has increased significantly. United States Federal Law set new standards for all publicly traded US company’s boards, management and for public accounting firms. As a result of SOX, top management of these companies must individually certify the accuracy of their reported financial information.
Different software has been developed in order to meet these new requirements. One of the most famous is the module designed by SAP, known as SAP GRC Access Control. The driving idea behind this Security module is to ensure segregation of duties (SoD), by defining an SoD Matrix and allowing risk analysis reports to be periodically generated. It also helps organizations detect if they have Super User accounts in Production Systems, a finding usually flagged during any traditional audit as this violation implies there is no controlled environment for the use of emergency users. The SAP GRC Access Control module ties into workflows for creating new users or modifying existing users, allowing the workflow to interact with the SoD Matrix and alerting administrators if they are granting accesses that would represent an SoD conflict as they grant that access. Finally, the design and configuration of users’ roles can be broken out into several approval steps. This means that risk analysis can also be made at the role level.