You are not authorised to use transaction ME21N.
Pause. (Thought bubble appears).
Why don’t I have access? I used to be able to create purchase orders. I need to be able to do this. Why is my manager stopping me from doing my job?
(Sound of pencil snapping).
“Rob, can I borrow your SAP password to create this purchase order? Need to get this invoice paid today, otherwise the vendor is not going to deliver the stock we need!”
Sound familiar? Read on as we share our years of experience to help ensure that your organisation’s expenditure in SAP includes a comprehensive governance framework to ensure that this situation doesn’t occur.
Oh, and what’s the likely cost to your business if you get it wrong?
$3.08 million.
That’s the average loss to an organisation which experiences fraud, according to a recent KPMG report,[i] which also found that 91% of frauds are carried out by an individual with no known history of dishonesty, and 2012 saw an 82% increase in individual frauds exceeding $1 million. And you’ve just spent how much on that SAP implementation or security remediation project? Our tips below will help ensure that your investment is secure, so you’re less likely to become the next statistic in the news.
Tip 1: Integrate Security in every SAP project, from Blueprint onwards
Data governance is typically given top priority in any SAP project, while security is often the last thing to be considered (or sometimes even scrapped until after Go Live, which is painful). Yet it is just as important, and should be integrated in every project, right from the Blueprint phase. This requires executive sponsorship, team integration, effective stakeholder engagement and training, which are just as important as effective access control and risk analysis tools, such as SAP GRC.
Tip 2: Mix business with Security, consistently
It’s critical that SAP Security is not viewed as a technical IT function separate from the business requirements; that inevitably results in “Damned security!” frustration. Functional Consultants need to dovetail their design with the goals of Security, then work with the business to ensure that practical solutions result, meeting the needs of the business while providing the required governance. This is where expert change management guidance will help bring the parties together effectively, and assist with facilitating quality process mapping and business validation, and role design and role mapping that everyone understands well before the access is provisioned.
Ultimately, proper security governance facilitates Best Practice business processes, and ensures that these are sustained, which results in your SAP return on investment being realised over the long term.
It might sound obvious, but don’t forget to engage with the Internal Audit team also!
Tip 3: Test effectively
Security is often overlooked during the Test phase of a project (or unable to be tested, if the role design was not considered early enough). SAP Best Practice is to conduct User Acceptance Testing with the security roles which will be used in Production, to provide a comprehensive testing regime (both positive and negative testing) which will minimise the number of unexpected access restrictions (or segregation of duties risks) arising at Go Live.
Case study:
A greenfield implementation was running behind schedule, with process mapping and security role design partially incomplete when UAT commenced. As a result, testing could not be done with the final roles. The result at Go Live? A large number of users could not perform key tasks, so the decision was made to drastically broaden the Production roles to allow the business to function. This in turn exposed the business to high fraud risk for the interim period. The resulting role re-design, re-mapping and re-provisioning into the Production environment consumed time and energy which should have been spent bedding down the system. The total costs subsequently blew out.[ii]
Tip 4: Include Security Awareness Training
Nobody likes to have something enforced which they don’t understand the rationale for, yet security is often imposed as a “rule” without explaining the reasons why. This is a critical piece of the engagement exercise, which should commence early and ideally expand to an organisation-wide cultural acknowledgment of security principles and their practical application, in the same way that safety awareness is embedded in today’s organisations. Executives and the governance team should also be included, to drive engagement and demonstrate commitment from the top.
Furthermore, cultivating a culture of awareness among staff enhances even the best system controls. In Australian organisations, 35% of fraud is detected through a tip off, both by internal and external sources and through formalised whistleblower programs.[iii] Training staff in what to look for and identifying the ‘Red Flags’ of fraud is an invaluable fraud mitigation and detection tool. All organisations, regardless of size, should consider a security awareness training program, including:
- Fraud awareness
- A whistleblower program that staff trust
- Maintaining and promoting fraud reporting channels
- Data security
It’s not just about fraud. The Age of Data is by definition also the Age of Data Breaches. The average cost of a data breach to an Australian enterprise increased to $2.72 million last year,[iv] and if your business is managing sensitive customer data with SAP CRM, your security framework can’t be limited to the SAP ECC system.
Tip 5: Finish strongly
As Go-Live approaches, project teams have to set up new users, provision access and perform final checks, and ensure that user accounts activate on day one and not before. These activities all need to be perfectly timed to ensure minimal disruption to the business, and if security is understood and integrated with the project team’s objectives, success is far more likely.
Tip 6: Ensure that the security model is sustainable
After Go Live, there are inevitably alterations to roles required, so all changes must go through a rigorous risk analysis and acceptance process to ensure that the good work done in role design is not unwound. A sustainable governance model should include regular “Working Group” meetings, with Role Owners, Risk Owners and Internal Audit involved. The SAP GRC toolset provides ample reporting capability for review of risks and mitigating control compliance, but this only yields value if the information is reviewed regularly.
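The “rigorous risk analysis” of a proposed role change described above is, at its core, a segregation-of-duties (SoD) check: would the user, after the change, be able to execute both sides of a conflicting pair of business functions, and if so, is that risk already accepted with a mitigating control? The following is an added illustration of that check, not code from this post or from SAP GRC. The rule set, the role contents, the user assignments, the custom `Z*` transaction codes and the mitigation register are all constructed sample data; only ME21N (create purchase order, quoted at the top of the post) and MIRO (enter incoming invoice) are real transaction codes, used here to stand in for the classic “raise the order and pay the invoice” conflict.

```python
"""Toy segregation-of-duties (SoD) analysis for proposed SAP role changes.

Added example, not SAP GRC and not the post's own material. All roles,
users, custom Z* transaction codes, rules and mitigations below are
constructed sample data.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class SodRule:
    """Two business functions one person should not hold together.
    Each function is the set of transaction codes that perform it."""
    rule_id: str
    description: str
    function_a: frozenset
    function_b: frozenset


# Constructed rule set. P001 pairs ME21N (create PO) with MIRO (post vendor
# invoice); P002 pairs invoice posting with a constructed custom stock
# write-down transaction, mirroring the case study in Tip 6.
RULES = [
    SodRule("P001", "Create purchase order AND post vendor invoice",
            frozenset({"ME21N"}), frozenset({"MIRO"})),
    SodRule("P002", "Post vendor invoice AND write down / dispose stock",
            frozenset({"MIRO"}), frozenset({"ZDISPOSE"})),
]

# Constructed roles: transaction codes each role grants.
ROLES = {
    "Z_PURCHASER": {"ME21N", "ME22N", "ME23N"},
    "Z_AP_CLERK": {"MIRO", "ME23N"},
    "Z_STOCK_DISPOSAL": {"ZDISPOSE"},
    # The kind of "drastically broadened" role described in Tip 3's case study.
    "Z_EVERYTHING": {"ME21N", "MIRO", "ZDISPOSE"},
}

# Constructed user-to-role assignments.
USERS = {
    "rob": {"Z_PURCHASER"},
    "alice": {"Z_AP_CLERK"},
    "temp_broad": {"Z_EVERYTHING"},
}

# Constructed register of risks the Risk Owner has accepted together with a
# mitigating control; keyed by (user, rule_id).
MITIGATIONS = {
    ("temp_broad", "P001"): "MC-007 monthly three-way match review by Finance",
}


def transactions_for(user_roles, roles=ROLES):
    """Union of all transaction codes reachable through the given roles."""
    return set().union(*(roles[r] for r in user_roles))


def conflicts(tcodes, rules=RULES):
    """Return [(rule_id, tcode_a, tcode_b)] for every rule where the given
    transaction set can execute both conflicting functions."""
    found = []
    for rule in rules:
        side_a = sorted(tcodes & rule.function_a)
        side_b = sorted(tcodes & rule.function_b)
        for ta, tb in product(side_a, side_b):
            found.append((rule.rule_id, ta, tb))
    return found


def analyse_users(users=USERS, roles=ROLES, rules=RULES):
    """Periodic review: SoD conflicts currently held by every user."""
    return {u: conflicts(transactions_for(rs, roles), rules)
            for u, rs in users.items()}


def unmitigated(report, mitigations=MITIGATIONS):
    """Strip conflicts covered by an accepted mitigating control, leaving
    the ones the Working Group still has to decide on."""
    return {u: [c for c in cs if (u, c[0]) not in mitigations]
            for u, cs in report.items()}


def simulate_assignment(user, new_role, users=USERS, roles=ROLES, rules=RULES):
    """Pre-provisioning risk analysis: which conflicts would granting
    new_role to user introduce beyond those the user already holds?"""
    current = users.get(user, set())
    before = set(conflicts(transactions_for(current, roles), rules))
    after = set(conflicts(transactions_for(current | {new_role}, roles), rules))
    return sorted(after - before)


if __name__ == "__main__":
    for user, found in unmitigated(analyse_users()).items():
        print(f"{user}: {found or 'no unmitigated conflicts'}")
    print("rob + Z_AP_CLERK would add:", simulate_assignment("rob", "Z_AP_CLERK"))
```

Run as a script it prints the current unmitigated conflicts per user and the conflicts that granting Rob the accounts-payable role would introduce. The split between `analyse_users` (the regular review) and `simulate_assignment` (the check before a change is approved) is the point: the second is what stops the good work of role design being unwound one “small” change at a time, and the mitigation register is what keeps the review meeting focused on risks nobody has yet accepted.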
Case study:
An operational manager of a large manufacturing company had detailed knowledge of the invoicing systems which enabled them to create fraudulent invoices inflating the costs of regular supply of goods and services from a third party. In addition, the employee had responsibility for the management of asset disposal, and had the ability to write down stock to minimal value. This stock was then sold on the secondary market for a significant profit.
The total estimated loss was in the range of AUD 8 million.[v]
Tip 7: Don’t try to go it alone
In an era of exponentially increasing data and interconnected IT systems, the potential for misuse of data is increasing correspondingly. Likewise, there are more and more technical and consulting offerings; some tried and true, others recent and untested. Recognise the limits of your expertise and engage trusted help early, where you need to.
With the correct application of the latest risk analysis and management tools, combined with a strategic and practical change management program to achieve implementation and sustainability, not just installation, you’ll achieve the best possible security outcomes.
Don’t think of it as money spent; think of it as $3.08 million saved.
[ii] Observed first-hand by authors
Hi Lynton and Robert
It’s a great article. Very apt tips for any organisation to take SAP security seriously.
Hi Vasant
Thank you for the comment and the positive feedback – glad that you enjoyed it.
Cheers
Lynton