Controlling access to your business environment is fundamental to the security and regulatory compliance of your organization, and maintaining the necessary levels of control requires frequent reviews of who is accessing what in your systems. While external auditors have always discouraged manual approaches to managing access control reviews, 70% of companies manually monitor access controls in their ERP system, including segregation of duties (SoD), emergency access, and provisioning.1
Why do so many organizations choose a manual approach over using an automated solution despite the advantages of automation, such as accuracy, completeness, and continuous auditing? It is not due to a lack of awareness of the value automated tools bring, but rather the perceived high cost and complex implementation project that is involved.
With tougher audits that incorporate higher expectations for controls, organizations will find it more difficult to demonstrate that a manual approach is accurate.
While organizations have been able to get by using ad hoc field tools to manually spot-analyze their environments, external auditors are changing how they evaluate access controls. This means that organizations can no longer continue to manage controls this way and still remain compliant going forward.
This shift is directly influenced by the updated COSO 2013 framework for internal management controls, which is being incorporated into access control audits.2 The updates to the framework focus on an increased reliance on IT in general, with a particular focus on completeness and accuracy of controls, including access controls.
As a result, external audit firms are reporting that the Public Corporation Accounting Oversight Board (PCAOB) is increasing pressure on them to prove their control effectiveness.3 With tougher audits that incorporate higher expectations for controls over processes and technology, organizations will find it more difficult to demonstrate that a manual approach — exporting large datasets and running them through numerous custom queries using homegrown spreadsheets and databases — is actually complete and accurate.
How Can Organizations Adapt?
Automated solutions can improve organizations’ ability to monitor access controls with the completeness and accuracy auditors require. However, many solutions can involve long, costly implementations that organizations simply can’t afford as 2015 audits rapidly approach.
ERP Maestro addresses the need for completeness and accuracy and can be implemented in time for 2015 audits. It is a quick and simple cloud-based solution that automates SoD, sensitive access, emergency access, and secure provisioning in SAP environments. Because it’s a software-as-a-service (SaaS) solution, it can be deployed and fully configured in 30 minutes, and flexible subscription pricing makes it easy to fit into any budget. The solution monitors all transactions in SAP systems for conflicts down to the authorization level and features a selection of audit-ready reports out of the box that follow best-practice reporting standards.
Although ERP Maestro can help organizations automate access controls quickly to reach compliance in the 2015 audit year, a fully mature governance, risk, and compliance (GRC) program is a journey of steps. As organizations’ GRC capabilities mature, they may require the functionality of SAP solutions for GRC — such as SAP Access Control, SAP Process Control, and SAP Risk Management — to build a comprehensive framework of controls for their environment. ERP Maestro supports this journey by complementing SAP solutions for GRC with transaction monitoring and advanced reporting features.
ERP Maestro is available for a free two-week trial to help organizations assess whether it can meet their access control automation needs. To learn more, visit www.erpmaestro.com.
1 Gartner, “Market Guide for SoD Controls Monitoring Tools” (April 2015; www.gartner.com/doc/3039718/market-guide-sod-controls-monitoring). [back]
2 See www.coso.org/IC.htm. [back]
3 Wall Street Journal, “Fees Rise as Internal Controls Draw Auditor Focus” (May 2015; http://blogs.wsj.com/cfo/2015/05/19/fees-rise-as-internal-controls-draw-auditor-focus). [back]