  • ACCESS GOVERNANCE ADVISORY

    Compliant and secure access management

Access Governance Advisory

Moncef Sifane, 2023-04-12T16:00:29+02:00

Introduction

The frequency and volume of data leaks increase as technology evolves. In addition to IT departments, boards and company decision makers are focusing more than ever on data protection. Controlling access to the different systems is key to protecting and securing data.

Access control allows organizations to identify, manage and prevent the risk of unauthorized access.

Maintaining and managing access rights across a company's different systems and applications is key to:

  • Protect sensitive data

  • Protect against fraud

  • Avoid human error

  • Comply with external audit expectations

“Effective Segregation of Duties (SoD) controls can reduce the risk of internal fraud by up to 60% through early detection of internal process failures in key business systems.”

Gartner, Market Guide for SOD Controls Monitoring Tools, ID: G00293793

Projects around identity and access management (IAM) are usually managed by IT departments. Sometimes business needs are not sufficiently considered when it comes to access management. When the setup of roles and authorizations is not handled thoroughly, end users end up with broader access than they need, generating risks for the organization.

We also see a lack of governance and procedures when it comes to roles and authorisations management. As time passes, an initial framework can regress mainly due to:

    • A complex ERP and software environment with more and more end users
    • Evolution of roles due to business needs, generating segregation of duties (SoD) issues that are not being considered.
    • The technical management of authorisations takes a lot of time for the administrators:
        • They manage a lot of access requests, sometimes without management approval and without,
        • They multiply manual, low-added-value tasks such as user access provisioning, password resets, etc.

Considering these aspects, regulators, external auditors and investors expect companies to cover the risks related to access management and segregation of duties. This is now also on the radar of internal functions such as compliance, internal control and internal audit.

The challenges around these topics are well known to our IAM, authorizations and GRC experts. We support several clients in implementing a compliant and secure access rights management process, including authorisations management, SoD and user life cycle management.

SoD Governance

Controls around segregation of duties (SoD) improve the reliability of your transactions, increase the confidence of external auditors and enable you to manage anti-fraud requirements. By detecting and preventing these risks, SoD controls improve the integrity of key processes and limit financial exposure.

When facing regulatory frameworks on segregation of duties (SoD) management, companies usually start by monitoring it manually through extracts and Excel spreadsheets.

When these processes become too complex to maintain and manage, an SoD management tool becomes a requirement and enables the following:

  • Automate the SoD management processes to enable exhaustive coverage,

  • Produce dashboards and reports on demand,

  • Set up preventive controls.

Companies need to ensure compliance internally, for their stockholders but also for regulatory entities, which requires reactivity when it comes to status updates.

Companies that implement tools to manage SoD see a reduction in the time spent on reporting and control execution, and improve their decision-making processes.

Indeed, SoD controls offer a convincing framework for reducing risks, as risks are remediated proactively and SoD-related violations are contained.

Gartner SoD Management hypothesis

SoD controls can lower internal fraud exposure up to 60% thanks to preventive detection of failures when it comes to access management to main ERPs.

It is hard to cover SoD risks in an organisation without a dedicated tool.

Standard SoD management fails when processes are supported by several software applications (ERP, procurement tool, CRM, HCM, etc.).

The high cost of traditional ERP platforms and the absence of direct ROI make it hard for IT security departments to justify the acquisition of a dedicated access and SoD management tool.

Gartner, Market Guide for SOD Controls Monitoring Tools, ID: G00293793

ArtimIS’ SoD experts support their clients in the management of SoD risks, in particular in the design or optimization of a model to identify, understand and remediate SoD risks:

  • Design and review of an SoD matrix with corresponding governance

  • Definition of mitigating controls

  • Audit and development of a mitigation plan for SoD risks (ArtimIS Risk Observator – ARO)

  • Accelerated remediation of SoD risks and critical access with the support of our decision-making tools (ArtimIS Self Remediation Tool – ASR)

  • Audit, benchmark, project management, integration and migration of GRC solutions, SoD control monitoring and change management.

Identity & Access Management

As companies grow, it becomes more and more difficult to manage end-user life cycles. A lack of control exposes the company to several risks.

“In 2019, the global cost of failure or setup errors linked to access rights management is 8.7 billion dollars.”

SOURCE

There are several factors linked to a lack of control of the user life cycle:

  • Users with wide access can accidentally delete or share sensitive data.

  • An employee intent on committing fraud can do so by exploiting SoD failures, corrupting data, stealing data to sell to competitors, or exposing financial data to harm the company.

  • Hackers try to target user accounts with privileged access to be able to access wide databases, systems, applications and infrastructure. Indeed, the systems contain the most sensitive data for a company (suppliers, clients, patents, etc.)

It is important to avoid granting end users overly broad access. Generally, the target is to limit access to business needs by implementing a thorough SoD process or enhancing dual control.

To guarantee secure user provisioning, it is highly recommended to enforce the User Access Management (UAM) related processes by implementing a tool that includes automatic provisioning and preventive sanity checks.

The security experts at ArtimIS support their clients with the implementation of identity and user rights related processes, including appropriate tooling:

Design and implementation:

  • Of a proper identity management process,

  • Of a strategy to define single sign-on user management to improve the end-user experience,

  • Of a shared (cross-system) access request management tool,

  • Of a process to manage end users with wide access (IT, business, internal audit, …),

  • Of a process to review access rights that fits external audit requirements – User Access Review (UAR)

Authorizations Security

Mastering user access rights helps avoid not only the risk of error but also the risk of fraud. Indeed, access control helps preserve data integrity and confidentiality. Limiting user access to exact needs and making sure that access is reviewed regularly is also important.

The authorization and security experts at ArtimIS bring key knowledge to our customers in order to support them from the authorization audit phase to the implementation phase of fully integrated SAP Authorization solutions complying with cross system SoD requirements including compliance related topics like GDPR.

ArtimIS offers the following:

  • Review and implementation of role management and maintenance processes, including role model design and access granting to end users, following the security best practices needed to keep your systems clean.

  • Review of roles and access granted in ERPs like SAP, Oracle & Workday
  • Implementation of an authorization solution using the ASAP accelerator (ArtimIS SAP Authorization Pack), which optimizes the audit/scoping, design and build phases for roles
  • Maintenance of the authorization solution in nearshore mode thanks to our Tunis office.

Why ArtimIS?

GRC expertise

Senior, certified consultants,
15 years of experience in GRC and on different application environments: SAP, Oracle & Workday
Strong proximity and good understanding of the challenges of the different executive members (Finance, Internal Audit, Internal Control, Compliance & IT)

Pragmatism

Pragmatic, agile, and aligned approach to the implementation strategy of market standards (COSO 2 & ISO 31000/2009 RM)
Proven experience in GRC program management and change management (communication, video, game challenge, training, …),

Complementarity

A complete team combining Business (Internal Control & SOx) and Technical expertise on ERPs: SAP (ECC / S4 Hana / Ariba / Fiori) and Oracle (eOBS/Fusion/JDE/NetSuite/PeopleSoft)
GRC technical experts on SAP GRC (Access Control, Process Control, Risk Management), Oracle RMC (with Selected Partner for GRC Go to Market strategy), Galvanize (ControlBond, AuditBond, ComplianceBond, RiskBond, …)

Sustainability

Competitive service costs compared to large Audit and Consulting firms,
Highly advantageous GRC technical implementation and support service costs thanks to our nearshoring/offshoring approach.
60% of our revenue comes from loyal customers and 40% from new customers who trust us and whom we will retain.

SAP Authorizations management is our key expertise. We have a lot of experts in the team and would be happy to support you in any SAP authorization related project. Our know-how and our understanding of business processes will be key to a successful project and adherence of the different stakeholders affected by it.

Wassim Ben Mansour, Partner at ArtimIS

© Copyright

2019 – 2023 ArtimIS

Contact

11 rue des Halles, 75001 Paris

Phone number: +33984380455

Email: contact@artimis.fr

LinkedIn: Artimis SAS
