In order to manage a Segregation of Duties project successfully, it is essential that you eliminate the business risk of conflicting duties across your organization. To accomplish this you need to implement a comprehensive rule-set.
What is a rule-set?
A rule-set is an extended list of rules, each including business activities that should not be performed simultaneously by one person. Prohibiting a single person from performing a set of activities prevents potential situations of fraud. For example, the same person should not be permitted to open a new vendor and also pay the vendor.
Why? Because this may result in an employee opening a fake vendor and then paying that fake vendor, where the bank account to which the money is being transferred actually belongs to the employee himself/herself.
What happens after implementing a rule-set?
Upon applying a rule-set, each rule must be reviewed in order to identify users who can potentially perform forbidden combinations of activities. Such potential conflicts must then be eliminated by removing the related authorizations.
What if a combination of activities is essential for business performance?
If in your organization a business decision requires the employee in charge of opening vendor accounts to also be the one responsible for paying vendors (a combination that a rule forbids), you will need to apply compensating controls.
Example of forbidden combinations (rules), written in plain language and ready to be uploaded to ProfileTailor Dynamics from an Excel file.
What goes on in SAP?
In SAP systems the rules of business risks include activities (or T-Codes), authorization objects and values. For example, in order to implement the rule "a single user may not be authorized to perform Payment Proposal and Payment Run together", you must include T-Code F110 (Payment Run) and T-Code FBZ0 (Payment Proposal) in a rule and then check who has the authorization to violate such a rule. However, when dealing with SAP, leaving this at the level of T-Codes is not enough, as each T-Code operates differently depending on the values of different authorization objects. In this case, T-Codes F110 and FBZ0 are highly dependent on the values of the authorization object F_REGU_BUK.
The following are possible values of field FBTCH in this authorization object: 02 Edit parameters, 03 Display parameters, 11 Execute proposal, 12 Edit proposal, 13 Display proposal, 14 Delete proposal, 15 Create payment medium proposal, 21 Execute payment run, 23 Display payment run, 24 Delete payment run payment data, 25 Create payment media of payment run, 26 Delete payment orders of payment run, 31 Print payment medium manually... So, in fact, the rule should be: T-Code F110 with object F_REGU_BUK, field FBTCH and value 21, together with T-Code FBZ0, object F_REGU_BUK, field FBTCH and value 11. A user who holds F110 only with value 23 (Display payment run) can see a payment run but cannot execute it, so at T-Code level that user looks like a violation while at object-and-value level there is none.
Hello! Are you still there? Did the above make any sense? Did it scare you away? No need to feel uncomfortable. Whatever takes place inside the SAP system is either too complex for most business users, or of no interest to them.
Most business users do not understand activities, authorization objects and values. Furthermore, they have no interest in trying to make sense of them, since they must handle their own expertise-related tasks. It is for this reason that in most organizations GRC consultants (who understand SAP authorizations) define the rules for the users, tying them to a rule-set that the users cannot change independently.
Putting the notion into motion
We believe that business users should define business rules, whereas technical people should handle technical issues. For this reason, we present you with the concept of isolation.
Integrated into ProfileTailor Dynamics, the concept of isolation means that each activity (e.g. T-Code) has different logical modes, each technically defined by a combination of authorization objects, fields and values. Business users define the business rules only by using activities and modes, and technical people define the modes for each T-Code, dealing with authorization objects and values.
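As an added example (not code from ProfileTailor Dynamics or Xpandion), the Python sketch below shows the two layers described above for the Payment Proposal / Payment Run rule: a technical layer that maps mode names to object, field and value, and a business layer that states the rule in terms of modes only. It also shows why a T-Code-level check over-reports compared with a mode-level check. The object, field and values are those listed above; the mode names, user names and granted authorizations are constructed, and the `*` wildcard follows SAP's convention of a full-authorization field value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mode:
    """Technical definition of one logical mode of an activity (T-Code)."""
    tcode: str   # SAP transaction code
    obj: str     # authorization object
    field: str   # field of the authorization object
    value: str   # field value that makes the activity risky

# Technical layer, maintained by authorization specialists.
# Values are taken from the F_REGU_BUK / FBTCH list on this page.
MODES = {
    "Payment Run: execute":      Mode("F110", "F_REGU_BUK", "FBTCH", "21"),
    "Payment Run: display":      Mode("F110", "F_REGU_BUK", "FBTCH", "23"),
    "Payment Proposal: execute": Mode("FBZ0", "F_REGU_BUK", "FBTCH", "11"),
    "Payment Proposal: display": Mode("FBZ0", "F_REGU_BUK", "FBTCH", "13"),
}

# Business layer: each rule names two modes one person may not hold together.
RULES = {
    "Payment Proposal + Payment Run": ("Payment Proposal: execute", "Payment Run: execute"),
}

# Constructed sample of granted authorizations per user: (tcode, obj, field, value).
USERS = {
    "alice": {("F110", "F_REGU_BUK", "FBTCH", "21"), ("FBZ0", "F_REGU_BUK", "FBTCH", "11")},
    "bob":   {("F110", "F_REGU_BUK", "FBTCH", "23"), ("FBZ0", "F_REGU_BUK", "FBTCH", "11")},
    "carol": {("F110", "F_REGU_BUK", "FBTCH", "*"),  ("FBZ0", "F_REGU_BUK", "FBTCH", "*")},
}


def has_mode(auths, mode):
    """True if the user's authorizations grant this mode; '*' grants every value."""
    return any(t == mode.tcode and o == mode.obj and f == mode.field
               and v in ("*", mode.value) for t, o, f, v in auths)


def tcode_level_violations(auths):
    """Naive check: flags a user who merely holds both T-Codes of a rule."""
    tcodes = {a[0] for a in auths}
    return [name for name, (m1, m2) in RULES.items()
            if MODES[m1].tcode in tcodes and MODES[m2].tcode in tcodes]


def mode_level_violations(auths):
    """Isolation-style check: flags only users holding both risky modes."""
    return [name for name, (m1, m2) in RULES.items()
            if has_mode(auths, MODES[m1]) and has_mode(auths, MODES[m2])]
```

Bob holds both T-Codes but can only display the payment run, so the T-Code check reports him and the mode check does not; Carol's wildcard values are caught by both.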
In order to shorten the technical process, we have already analyzed most of the SAP standard activities and pre-included approximately 60,000 different modes. Thus, in many cases there is no need for new modes to be defined by users at all, allowing them to focus on enhancing their business rules (also pre-loaded in ProfileTailor Dynamics).
The way we perceive things here at Xpandion, the concept of isolation genuinely cheers up business users: they understand the rules and have full ownership of them. In addition, they can also change the rules when business risks change, without any assistance from external resources. Finally, instead of dealing with technical issues, business users are able to concentrate efficiently on the vital task of mitigating business risk and accomplishing Segregation of Duties throughout their organization.