MONITORING AND ASSESSING SEGREGATION OF DUTIES(SoD) CONFLICTS IN SAP SYSTEMS USING SAGESSE TECH SOLUTIONS

Segregation of Duties (SoD) is an internal process which is designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.

SoD involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control. Payroll management, for example, is an administrative area in which both fraud and error are risks. A common segregation of duties for payroll is to have one employee responsible for the accounting portion of the job and someone else responsible for signing the checks.

Although it improves security, breaking tasks down into separate components can negatively impact business efficiency and increase costs, complexity and staffing requirements. For that reason, most organizations apply SoD to only the most vulnerable and the most mission critical elements of the business.

Applying the right SoD in ERP systems like SAP adds to this complexity, because it is a very complicated task once all the business-related tasks that can be executed on an SAP system are taken into consideration. This necessitates continuous monitoring of SoD conflicts, and of the execution of the business processes behind those conflicts, to prevent fraud in SAP systems.

In SAP systems, an individual should not oversee more than one of these transaction components: authorizing transactions, booking (recording) transactions and handling the related assets. For example, a person who can approve purchase orders should not be responsible for processing payments.

To follow SoD principles in SAP systems, you need to carry out four processes:

1.   SoD Design

2.   SoD Implementation

3.   SoD Assessment

4.   SoD Remediation

In the SoD Design process, companies should set up an organizational structure in which the business roles of every employee type are outlined. These business roles (e.g. account manager, buyer, seller) should consist of certain functions, such as creating a vendor or customer master, creating a payment order, approving a payment order, etc.

Each of these functions can be mapped to transactions, services, remote function calls or other system actions and APIs in SAP systems. For that reason, it is important to determine which actions belong to which functions and to apply them correctly using SAP technical roles in the system. SoD Design is a long and complicated process which is prone to errors because of the complex nature of the business processes run on SAP systems.

In the SoD Implementation process, you map your business roles to technical roles in SAP systems. Technical roles hold the transactions which can be executed in SAP systems. You can then assign the technical roles to the SAP users who will execute the business transactions on the SAP systems.

SoD Assessment is the most complicated process, even when the SoD Design and SoD Implementation phases have been properly completed. You need to monitor your SAP systems to check that everybody still follows these requirements after any change. This is where SoD tools come into play.

SoD tools check whether users can execute critical transactions, or combinations of them, in the existing organization structure, since that is where the risk of fraud lies. The word "existing" matters, because most companies do not even have the SoD Design and SoD Implementation steps in place. SoD tools are quite handy for obtaining the list of users with access to critical default transactions, which exist almost everywhere (e.g. SU01 for user maintenance, SE16 for reading tables). This alone can save a lot of time and give a high-level understanding of how bad the role management situation is. If many users in an SAP system can run critical transactions such as SU01, SM59 or SE16, there are multiple issues at the SoD Design stage, regardless of the company's business processes.

At the second level, we can get the list of users with access to typical combinations of critical transactions, such as creating a payment order and approving it. SoD Assessment at the business process level is also a complicated task in SAP systems, so a continuous monitoring and reporting solution must be in place here, such as the SAGESSE TECH SAP AuditX solution.
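The two assessment levels described above, as an added example that is not part of the original article or of the SAGESSE TECH product: the first-level check flags users who can run the critical default transactions named in the text (SU01, SM59, SE16), and the second-level check flags users holding conflicting business functions through any combination of their roles. The user-to-role and role-to-transaction data is constructed, and the mapping of functions to transactions is an illustrative assumption, not a reference SoD design.

```python
"""Minimal SoD assessment over user -> role -> transaction assignments.
All data below is constructed for illustration."""

# First level: critical single transactions named in the article.
CRITICAL_TCODES = {"SU01", "SM59", "SE16"}

# Second level: business function -> transactions that implement it.
# Illustrative assumption only; a real design derives this per company.
FUNCTION_TCODES = {
    "CREATE_VENDOR": {"FK01"},
    "CREATE_PAYMENT": {"F-53", "F110"},
    "APPROVE_PO": {"ME29N"},
}
# Function pairs that one user must never hold together.
CONFLICT_RULES = [("CREATE_VENDOR", "CREATE_PAYMENT"),
                  ("APPROVE_PO", "CREATE_PAYMENT")]

# Constructed role -> transactions and user -> roles assignments.
ROLE_TCODES = {
    "Z_AP_CLERK": {"F-53", "FB03"},
    "Z_VENDOR_MAINT": {"FK01"},
    "Z_PO_RELEASE": {"ME29N"},
    "Z_BASIS": {"SU01", "SM59"},
    "Z_TABLE_VIEW": {"SE16"},
}
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "BOB": {"Z_PO_RELEASE"},
    "CAROL": {"Z_BASIS", "Z_TABLE_VIEW"},
}

def user_tcodes(user):
    """Union of all transactions granted through the user's roles."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_TCODES.get(r, set()) for r in roles))

def critical_access(user):
    """First level: critical transactions this user can execute."""
    return sorted(user_tcodes(user) & CRITICAL_TCODES)

def sod_conflicts(user):
    """Second level: conflict rules violated by this user's combined roles."""
    tcodes = user_tcodes(user)
    funcs = {f for f, tc in FUNCTION_TCODES.items() if tcodes & tc}
    return [(a, b) for a, b in CONFLICT_RULES if a in funcs and b in funcs]

def assess_all():
    """Return {user: (critical tcodes, conflicts)} for users with findings."""
    out = {u: (critical_access(u), sod_conflicts(u)) for u in USER_ROLES}
    return {u: f for u, f in out.items() if f[0] or f[1]}
```

Note that a conflict only becomes visible after combining transactions across all of a user's roles, which is why reviewing roles one at a time misses it.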


Figure 1 : SAGESSE TECH SAP AuditX - Segregation of Duties Conflicts Dashboard

The SAGESSE TECH SAP AuditX solution has over 100 pre-configured Segregation of Duties checks for SAP systems. It can also be easily configured with customized SoD checks for objects in the customer namespace.

SAGESSE TECH, a global SAP Security / Oracle Security / ERP Security technology company, provides an Automated Audit Tool for SAP, SAP Threat Detection and Monitoring products, an SAP PenTest Framework and an SAP Audit Service which check these kinds of configurations, vulnerabilities and much more in your SAP systems. Their products and services can help you integrate your SAP system into your central threat detection solutions and support your NIS2 and DORA compliance.

SAGESSE TECH now also provides a Wazuh SIEM app for companies that do not use a SIEM solution or would like to have a separate SIEM for SAP threat detection.

You can contact SAGESSE TECH (e-mail: info@sagesseconsultancy.com, sales@sagesseconsultancy.com or kaankars@sagesseconsultancy.com) if you would like more information about our products, or to have a vulnerability scan, SAP audit or SAP PenTest performed on your SAP systems, or to implement an SAP Threat Detection and Monitoring solution integrated with leading SIEM vendors such as Splunk, IBM QRadar and Wazuh.

More articles by Sükrü Ilker BIRAKOĞLU