Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

How Responsible Are You?

  • Font size: Larger Smaller
  • Hits: 6401
  • Print
When it comes to requesting and granting authorizations, I found that in many companies the process is performed manually – via email – as follows:

  1. User sends email to IT requesting additional authorization to perform activity.
  2. IT transfers request to relevant manager, who approves required authorization (at times without even inspecting the real intention of the request).
  3. IT allocates the required authorization to user.

Responsible 000006149074XSmall


Check out the following case:

  1. John from the finance department requests an additional authorization for the purpose of changing a vendor’s details.
  2. Barbara from IT receives the request (which makes sense to her) and she grants John the required authorization.
  3. John receives an email from Barbara informing him that he was granted the requested authorization.

John is very happy. The auditor is not.

What Upset the Auditor?

Flaws! Auditors do not like potential for flaws and misuse in the authorization request process.

First, the request was made by email and not via an automated workflow tool – the use of emails increases the chances of requests falling between the cracks.

Second, the process cannot be easily monitored and therefore is unlikely to improve accordingly.

Third, Barbara, who happens to be friendly with John, approved his request without further looking into the reason of the request. Even if John is totally honest, a hacker might pretend to be John, taking advantage of the fact that John is friendly with Barbara, and attempt to perform a fraud using John’s account.

Finally, the sensitivity rate of the request was not taken into account. If a request is for a sensitive activity (like changing vendor details) or entails a violation of SoD (Segregation of Duties) rules, at least one additional approval should be required, such as by the security team or SoD manager.

What Would Please the Auditor?

Responsibility! Auditors like a clear process with the right responsible owner. Clearly in this case, Barbara decided to grant a user an authorization based on a good feeling or friendship, and this is exactly what auditors do not like. We do not recommend that IT personnel be responsible for granting authorizations. The way we perceive things: business personnel should approve granting authorizations for business activities; IT should perform the task; security teams should monitor the task.

So what could and should have been performed differently? The process needs to be automated as much as possible, allowing further investigations when required.

I want to suggest the following alternative:

  1. John requests additional authorization for changing a vendor’s details.
  2. His direct manager approves the request.
  3. A sensitivity check is performed, and since changing a vendor’s details is considered a sensitive activity, additional approval is required from the financial data owner.
  4. A reasonability check (explained below) is performed, based on John’s business profile.
  5. IT person in charge of the finance module chooses the required authorization.
  6. A SoD check is performed; as John is able to open invoices changing vendor details, he is also violating a SoD rule. In such a case, additional approval is required from the risk assessment manager.
  7. The system grants the required authorization to John and notifies him accordingly. Alternatively, the system opens a task for granting John the authorization, and IT closes it after updating John’s authorization status.

This process is fully automated and can be re-inspected anytime. This kind of process would surely please your auditors.

How Responsible Are You

Reasonability Check

What is it and why should you perform it? A reasonability check is a unique technique for identifying potential business risk situations at a dynamic level. Basically, a set of tests and business rules are applied to determine whether a request for a specific authorization is reasonable or not. Even if one test fails (indicating that the authorization request is not reasonable), then additional approval is required by the security team.

Reasonability Checks – Examples  

  • A user should request authorizations within the practical usage zone. If a user who normally executes financial activities asks for authorizations to perform activities in the arena of human resources, additional approval will be required.
  • Request for additional authorization should be submitted from the user’s regular computer. If a request was submitted from a totally different segment of computers (such as from a different branch of the company), this will demand another hierarchy of approval.

Remember, identifying risky situations is critical from fraud-detection point-of-view. Use a smart automated tool and keep your auditors happy.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in Security & AuthorizationsPosted by Dror Aviv

SUIM: The Pitfalls of Analyzing SAP Authorizations During an Audit

    37 inShare (This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots). When it comes to SAP audit time, audi...
in Security & AuthorizationsPosted by Dror Aviv

How to Understand SAP Authorizations in 10 Minutes or Less

If you’re like most CIOs, CISOs or internal auditors that work in a company that has implemented SAP, every day you have to contend with overloaded terms like “Profile,” “Authorization Role” and “Authorization Object” and quotes such as “This person can't access the company code because he doesn’t h...
in Security & AuthorizationsPosted by Yoav Michaeli

Who Authorized It?!

"Who authorized it?" is definitely the most asked question following a fraud event or leakage of information.  



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India