Roles, permissions and authorizations in SAP are a topic that we have already discussed several times.
We wrote about the threats that result from the lack of the concept of permissions, poorly conducted processes of granting them and the associated risks for the organization. Today, in this new reality for many enterprises, the topic is even more "hot".
The PWC report "Global Economic Crime Survey 2020" clearly indicates that there is a significant increase among Polish companies. accounting frauds. It turns out that approx 63% frauds were madeby inside employees (insider).
The scale of abuse is also increasing -over 61% companies, in which fraud was detected, incurred more than 400k PLN losses (more than halfof them made losses over 4 mln PLN).
It is also worth noting that the majority of fraud detections were made by routine activities (such as audits or document reviews). Only 23% of the detections came from the automation of suspicious activities and IT protection systems.
Since most of the abuses were carried out by employees - it is worth looking at the possible causes. During the implementation of projects - in the context of SAP authorization, we observe three significant trends in this area: neglect of authorization at the initial stage of system implementation, the approval process and conflicts of permissions.
Implementation projects have the fact that there is quite a lot of pressure on the budget and the speed of project implementation. This, of course, has its justification, because business must generate revenue, and time is of the utmost importance. However, at a later stage of the life of the system and the users in it it is important to secure authorization management with specific guidelines.
Hence the concept the concept of permissions, which is a set of details about the basic principles of this challenge. Starting from the naming and content of roles, through mapping roles with positions, to defining the framework and risks related to access. And it seems that such consistency of access should be a priority in every organization - the above PWC study shows that there is still a lot to be done.
If the system works for a few (often a dozen or so) years - there is a high probability that unauthorized
(by definition) people have the potential to abuse through too much access.
It is easier for a user to add a role than to take one away - and this comes from our observations, where approx 10-15% of authorizations given to users are used in everyday life (the rest is just unnecessary).
Do you know such a scenario?
- "I will ask for a role like Mr. Brown's"
- "OK, accepted"
What does BASIS (or the authorization department) do in this situation?
If the approval process ends at this point - the request is carried out.
Does the acceptor have knowledge of all transactions and roles, associated risks and potential threats?
We dare say that is unlikely.
Applications by e-mail, in paper form or in the ticket system, the verification of which is detached from the context of the system (no feedback with risks in SAP) means that the organization
is not proactive Thanks to this, dangerous authorization sets regularly get into the system.
During many years of work in the organization, an employee goes through its various levels. He gets new access, changes functions, gets new roles. This is also a derivative of the first two points (typical omissions).
The consequences are very visible here, because his access allows you to perform entire business processes. Often a lot...
It is good when the organization knows the risks and is able to deal with them by implementing appropriate GRC processes
in SAP. However, these are exceptional situations, in most cases the activities come down to making general reports on individual conflicts.
There are many abuses related to Segregation of Duties (SOD). They concern practically every area of business carried out by SAP.
A simple scenario for FI:
Authorization no 1 - FK01 / XK01 - Supplier master data management
Authorization no 2 - FB60 / FB65 / FB01 / F-53 - Invoicing of incoming goods
SoD - The risk of sending an invoice to a fictitious supplier. Outflow of money due to invoice settlement.
SD area
VA01/VA02/WCS0
+
E.g.: V32/V32/V33/V35
Ability to enter sales documents and reduce prices in order to achieve financial benefits for the user who can edit fictitious suppliers and initiate purchases for a given supplier.
HR/PY area
E.g.:F-18/F-46/F-58_K
+
E.g.: FEBA/FF.5/FF/4/FF/5
Entering unauthorized payments and realizing your bank balance. Risk of entering an unauthorized payment and confirming the bank balance by the same person.
In such a powerful tool that processes the most important data in organizations—issues of optimal access management are nothing more than a requirement to organization can control risks and potential abuses.
And this is not the only need we pay attention to as a manufacturer of GRC process management tools in SAP. These are also the studies of the Big Four, and their clients, who encounter measurable problems precisely because of the abuse of users who should not have access, or this access should be closely monitored.
So what can be done?
First of all, take a look at the current SAP infrastructure:
1 - what is your current authorization concept? Is it taken into consideration in daily activities?
2 - what does your process of granting permissions and their acceptance look like? Do the acceptors have sufficient knowledge of the risks?
3 - do you know the level of risks related to access and authorization conflicts?
If you have any doubts about any of the points - we are at your disposal.
author: Tomasz Jurgielewicz
tomasz.jurgielewicz@lukardi.com
------------------------------------------------------------------------------------------------
References
https://www.slideshare.net/slideshow/embed_code/key/36w8AjPl4t9TcE
https://www.pwc.com/gx/en/forensics/gecs-2020/pdf/global-economic-crime-and-fraud-survey-2020.pdf
-------------------------------------------------------------------------------------------------
WORTH READING:
