Control GRC and Segregation of Duties in Your Organization – It’s Your Duty!

Companies of all kinds and sizes are focusing more and more on finding the right GRC (Governance, Risk, and Compliance) and SoD (Segregation of Duties) solutions.

Why? Failure to comply with GRC and SoD requirements can affect a business severely.

SoD means ensuring that more than one person is required to complete a sensitive task within an organization, so that no single user can, for example, both create a supplier and pay it. Today, companies understand the critical role SoD plays. Specifically, when dealing with money and sensitive information, SoD has become a key factor for gaining control and confidence in a business environment, as well as for passing audit inspections. By complying with SoD rules, an organization significantly reduces the likelihood of fraud.

Since you and everyone else already know all this, you are probably wondering whether there is anything new here for you. There is, so read on…

Have you ever asked yourself what the point is of authorizing an employee to perform actions x, y and z when that employee never actually uses that combination of authorizations? Authorizations are not free: they require monitoring and maintenance. Excessive authorizations floating around the company inevitably mean greater risk and unnecessary expense.
What can you do?

Xpandion values its customers’ point of view. We like it when our customers enjoy our products. That’s why we offer ProfileTailor Dynamics GRC. You could use it as well.

What’s so special about it?

ProfileTailor Dynamics GRC identifies SoD violations not only at the static level (the authorizations granted to users) but also at the dynamic level, as a compensating control: the actual usage behavior of every SAP user is monitored in real time, all the time.

How does it work?

An alert is sent only if and when a user actually performs actions x, y and z, and only then does the need arise to allocate resources for further inspection. There is no need to review user actions on a regular basis on the strength of theoretical authorizations alone.

Why does it matter?

Because customers using ProfileTailor Dynamics GRC are able to complete their entire SoD project successfully in just one month!

We have (painfully) witnessed organizations handling SoD projects in a “primitive” way (there is really no better word for it). Such a project can take a year (!). The organization checks user after user in an attempt to determine who needs which authorizations and which of them are really needed. Did I already mention that this process can carry on for a whole year?! I know it’s hard to believe. The first step of such a project: import a set of rules, or build a new one from a best-practice set of about 10,000 rules. Then the rules relevant to the company are selected; let’s say 2,000 rules remain. To these, all of the customer’s own custom-developed objects must be added. Only then is there a set of rules suitable for the organization.

Second step: an initial run of the rules against the users will show that in an average organization there are about 900,000 violations (anyone with SAP_ALL or a similar profile violates every rule). With 900,000 violations, you now need to check each violating employee one after the other: set up a meeting, investigate and then analyze. This is a long, tedious and exhausting project. The average time just to understand a company’s current situation is, and I cannot stress this enough, a whole year. And after these steps are completed, you still need to produce recommendations and implement them.

[Side note: the numbers grow fast. Suppose only 20 users violate rules, but all 20 hold SAP_ALL. Against a set of just 1,000 rules, those 20 users alone already add up to 20,000 violations, because every SAP_ALL user violates every rule.]

What is the solution?

Applying dynamic SoD makes the difference. Try it before beginning your SoD project the old way, and in 95% of cases you can skip the user meetings altogether. How? Upload all the rules to see what every employee is authorized to perform, and then set aside every employee who has never used the conflicting authorizations in the past year: those are excess authorizations to be removed, not violations to be investigated.

With ProfileTailor Dynamics GRC, if an employee is authorized to change a supplier master record (SAP transaction XK02) yet never uses it, the authorization can be changed to XK03 (display only, no changes), and that employee’s access immediately stops counting as a violation. At the same time, if an employee really does need a conflicting combination, a compensating control is implemented instead: checking what the employee actually does with it.
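To make the static-versus-dynamic distinction concrete, here is a small worked example of the two-step process described above: evaluate an SoD ruleset against granted authorizations (the static run that explodes on SAP_ALL), then keep only the violations where the user actually executed both conflicting transactions inside a one-year window, and turn the rest into role fixes such as XK02 to XK03. This is an added illustration written for this page, not ProfileTailor code or an Xpandion algorithm; the ruleset, user list, usage log and the `DISPLAY_EQUIVALENT` mapping beyond XK02/XK03 are all constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed SoD ruleset: each rule names two transaction codes one person must
# not hold together. Real "best practice" sets run to thousands of such rules.
SOD_RULES = {
    "R001": ("XK02", "F110"),   # change vendor master + run automatic payments
    "R002": ("XK02", "FB60"),   # change vendor master + post vendor invoice
    "R003": ("ME21N", "MIGO"),  # create purchase order + post goods receipt
}

# Display-only twin of a change transaction. The text gives only XK02 -> XK03;
# the ME22N entry is an assumed extension of the same idea.
DISPLAY_EQUIVALENT = {"XK02": "XK03", "ME22N": "ME23N"}

SAP_ALL = "SAP_ALL"  # marker for a profile that grants every transaction

# Constructed authorizations: the t-codes each user is allowed to execute.
AUTHORIZATIONS = {
    "ADMIN01":  {SAP_ALL},
    "APCLERK1": {"XK02", "FB60", "F110", "FB03"},
    "BUYER1":   {"ME21N", "MIGO", "ME23N"},
    "AUDIT1":   {"XK03", "FB03"},
}

TODAY = date(2024, 6, 30)

# Constructed usage log: (user, t-code, date executed).
USAGE_LOG = [
    ("APCLERK1", "FB60",  date(2024, 6, 3)),
    ("APCLERK1", "F110",  date(2024, 6, 5)),
    ("APCLERK1", "XK02",  date(2022, 1, 10)),   # older than the 1-year window
    ("BUYER1",   "ME21N", date(2024, 5, 20)),
    ("BUYER1",   "MIGO",  date(2024, 5, 21)),
    ("ADMIN01",  "SU01",  date(2024, 6, 1)),
]


def static_violations(authorizations, rules):
    """Static run: {user: [rule_id, ...]} for every rule whose two t-codes the
    user holds. SAP_ALL violates every rule, which is what inflates the count."""
    out = {}
    for user, tcodes in authorizations.items():
        hits = [rid for rid, (a, b) in rules.items()
                if SAP_ALL in tcodes or (a in tcodes and b in tcodes)]
        if hits:
            out[user] = hits
    return out


def used_within(usage_log, today, lookback_days=365):
    """{user: set of t-codes actually executed inside the lookback window}."""
    cutoff = today - timedelta(days=lookback_days)
    used = defaultdict(set)
    for user, tcode, when in usage_log:
        if when >= cutoff:
            used[user].add(tcode)
    return used


def dynamic_violations(static, used, rules):
    """Split static violations into real ones (user exercised BOTH conflicting
    t-codes: needs a compensating control and a conversation) and excess
    authorization (fix the role, skip the meeting)."""
    real, excess = {}, {}
    for user, rule_ids in static.items():
        for rid in rule_ids:
            a, b = rules[rid]
            bucket = real if (a in used[user] and b in used[user]) else excess
            bucket.setdefault(user, []).append(rid)
    return real, excess


def remediation(user, authorizations, used):
    """Role change for one user with excess authorizations: replace SAP_ALL with
    what was actually used, downgrade unused change t-codes to their display
    twin, and remove the remaining unused t-codes."""
    held = authorizations[user]
    if SAP_ALL in held:
        return {"replace_sap_all_with": sorted(used[user])}
    downgrade = {t: DISPLAY_EQUIVALENT[t] for t in sorted(held)
                 if t in DISPLAY_EQUIVALENT and t not in used[user]}
    remove = sorted(t for t in held if t not in used[user] and t not in downgrade)
    return {"downgrade": downgrade, "remove": remove}


if __name__ == "__main__":
    static = static_violations(AUTHORIZATIONS, SOD_RULES)
    used = used_within(USAGE_LOG, TODAY)
    real, excess = dynamic_violations(static, used, SOD_RULES)
    print("static violations:", sum(map(len, static.values())))
    print("users to interview:", sorted(real))
    for user in excess:
        print(user, "->", remediation(user, AUTHORIZATIONS, used))
```

On this constructed data the static run reports six violations across three users, but only BUYER1 actually executed both sides of a conflict in the last year; APCLERK1's stale XK02 becomes an XK03 downgrade and ADMIN01's SAP_ALL becomes a role built from the single transaction that account really used. The lookback window is the parameter worth arguing about in a real project: too short and seasonal activities (year-end closing) look unused, too long and you keep dormant access.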

Keep a proactive approach and stay in control with ProfileTailor Dynamics GRC.

Yoav Michaeli

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.