Audit Services

What is SAP Authorization Review and Segregation of Duties (SoD)?

Authorization in an SAP system is a complex area that requires a detailed understanding of both SAP authorization concepts (such as authorization objects, authorizations, profiles, roles, and user master records) and business processes (such as financial accounting, procurement, and sales). The purpose of an authorization review is to ensure that user access is based on users' responsibilities and that users are not assigned any additional access.

Segregation of Duties (SoD), on the other hand, ensures that no one individual has complete control over a major phase of a process and is typically enforced through a combination of authorizations and compensating controls.


Objective of this assessment

  • Ensure that user access is based on users' responsibilities and that users are not assigned any additional access
  • Ensure that no individual has complete control over a major phase of a process
  • Maintain a secure and well-controlled SAP system

Approach & Methodology

softScheck’s SAP Authorizations Review and Redesign Methodology is based on softScheck’s extensive experience in the area of SAP authorization review and redesign. This is a comprehensive methodology and consists of the following three components.

The SAP authorization and SoD review uses the first two components of the methodology, while the third component is used for redesign engagements.

The methodology follows a risk-based approach that goes beyond the symptoms to identify root causes. This results in the following benefits:

  • Achieves long-term resolution of issues
  • Minimizes recurrence of issues
  • Prioritizes actions based on cost-benefit analysis

Step 1: Preparation

  • Obtain existing SAP authorization documentation
  • Obtain business blueprints/ process flows
  • Obtain SoD ruleset
  • Install tool/ obtain authorization tables from SAP


Step 2: Analysis

  • Define sensitive & critical access
  • Configure tool with access and SoD rules
  • Run access risk analysis using tool


Step 3: Assessment

  • Analyze the risk analysis results
  • Identify inappropriate/ excessive access and unauthorized SoD risk violations
  • Identify authorization issues including role design, definition and governance


Step 4: Reporting

  • Discuss the issues with management
  • Discuss recommendations to address the issues
  • Issue draft report
  • Obtain management feedback and inputs
  • Finalize report