Audit Services

What is SAP Authorization Review and Segregation of Duties (SoD)?

Authorization in SAP system is a complex area and requires detailed understanding of both SAP authorization concepts (such as authorization objects, authorizations, profiles, roles, and user master records) and business processes (such as financial accounting, procurement, and sales).The purpose of authorizations review is to ensure that user access is based on their responsibilities and that users are not assigned any additional access.

Segregation of Duties (SoD), on the other hand, ensures that no one individual has complete control over a major phase of a process and is typically enforced through a combination of authorizations and compensating controls.

Objective of this assessment

Ensure the user access is based on the responsibilities and users are not assigned any additional access

Ensure that no individual has complete control over major phase of a process

Maintain a secure and well-controlled SAP system

Related Audit Services

Approach & Methodology

softScheck’s SAP Authorizations Review and Redesign Methodology is based on softScheck’s extensive experience in the area of SAP authorization review and redesign. This is a comprehensive methodology and consists of the following three components.

The SAP authorization and SoD review utilize the first two components of the methodology, while the third component is utilized for redesign engagement.

The methodology is based on a risk-based approach, which goes beyond the symptoms to identify ‘root causes. This results in the following benefits:

Achieves long-term resolution of issues

Minimizes recurrence of issues

Prioritizes actions based on cost-benefit analysis

Step 1: Preparation

Obtain existing SAP authorization documentation
Obtain business blueprints/ process flows
Obtain SoD ruleset
Install tool/ obtain authorization tables from SAP

Step 2: Analysis

Define sensitive & critical access
Configure tool with access and SoD rules
Run access risk analysis using tool +

Step 3: Assessment

Analyze the risk analysis results
Identify inappropriate/ excessive access and unauthorized SoD risk violations
Identify authorization issues including role design, definition and governance

Step 4: Reporting

Discuss the issues with management
Discuss recommendations to address the issues
Issue draft report
Obtain management feedback and inputs
Finalize report

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Audit Services

What is SAP Authorization Review and Segregation of Duties (SoD)?

Objective of this assessment

Related Audit Services

Access Control Review

Information System Audit & Compliances

IT Audit

IT Audit as a Service (ITaaS)

IT Security System Acceptance Test (SSAT)

IT Workshop