Why care about SAP access controls?
By Aidan Parisian
Why are access controls in SAP so important? Why should anyone who helps to manage a company’s assets in an SAP environment care about who can access what information? Because this is a critical topic as it pertains to the safeguarding of a company’s financial, physical, and intangible assets.
Simply put, most people are not trying to steal from the company they work for, but, given the motivation, opportunity, and pressure to do so, even the most honest human beings can turn into fraudsters. By taking away the opportunity, one piece of this critical “fraud triangle” can be removed. This is accomplished by setting up important access controls and defining who can do what and how those measures prevent turning your honest coworker into a potential dishonest fraudster.
How did this become an important topic?
Setting up your accounting systems (which govern the way employees do their job, but only their job, in controlling most of a company’s financial assets) is how most managers would choose to disseminate responsibility if they had the time. This is often more difficult than it appears on the surface and many companies instead choose to grant unencumbered access to most employees and assume they will do the right thing. The definitions associated with system access is often written in some alien language that a good manager cannot easily interpret despite their best efforts.
During our experiences as auditors assisting customers to build and design ERP systems in a compliant fashion, we have seen many systems that were supporting growing organizations. Many of these systems were originally purchased when the companies had five users and managed themselves by transaction. Eventually, those organizations would grow exponentially and end up looking for capital or going public. Most of the time, rather than changing the way their systems were managed as they grew, these companies would simply setup new users with the same roles and permissions as the original five. This process created pervasive access for several users, which led to a need to completely overhaul roles and permissions.
It is critical, as your company grows, to make certain your systems (and the access to them) grow and develop with you. One company we worked with was preparing for their IPO, in hyper-growth mode, with 100 users in their ERP system. Eighty of those 100 users had administrator privileges - even if all those users were completely trustworthy, taking away the opportunity is critical to preventing motivation and pressure which cause them to become dishonest.
Why do we even need to build access controls in the first place? Will this really keep our auditors happy?
One of the most critical reasons to care about access controls is because your company is public and must deal with Sarbanes Oxley sections 302 and 404 regulations, or is preparing for a public offering. Beyond that, many industries are regulated and force their constituents to obtain audits of their financial statements and systems. Others are required to be audited by their venture capitalists, and some are simply required by the bank. There are many reasons to be audited, but the auditor who can rely upon internal controls, the foundation of which are IT General Controls, is significantly more effective and efficient. Private companies may lack the compliance drivers of larger organizations, but are still subject to our discussion around protecting company assets.
At the end of the day, the reason to care about access to these systems should all be concentrated upon protecting your company and its assets. Your financial system is more directly exposed to the assets of the company than any other area of the company. As you introduce more automation into these complex systems and are less able to closely manage individual transactions, it becomes more critical to know that you have appropriately limited who can do what in these critical business systems.
Continue reading the next article in the series, "SAP Access Controls: An Audit Introduction."