Depending on their size, companies have a number of SAP users who can be assigned roles (created in SAP software) according to their tasks. But changed areas of responsibility, new functions from SAP, or new in-house transactions cause these roles to change quickly. Companies must manage a large number of roles and evaluate, test, and correct problems in access rules and authorizations.
But doing so involves risk. For example, if an employee who has long been allowed to change vendor master data is now granted authorization to execute a payment run, the company faces the possibility of fraud. Such employees could transfer money to their own accounts. International law requires companies to set up control mechanisms for such possibilities. So far, most control processes have been implemented at the organizational level, outside of SAP software. External auditors monitor access rights and use their experience to identify risky combinations of transactions. But the period between audits can last as long as a year – plenty of time for someone who wants to do damage.
The most efficient, cost-effective way to find gaps in the control systems and to avoid violations of user rights involves automated testing and real-time monitoring, for example in terms of separation of duties.
Virsa Compliance Calibrator
Virsa Compliance Calibrator is an internal, permanent system auditor. For example, when a user is authorized to create an order and check invoices, Virsa Compliance Calibrator reacts in real time. It uses stored rules (the result of ten years of auditing experience) to identify a potential risk and notifies the person responsible for the procure-to-pay business process.
Virsa Compliance Calibrator also suggests solutions. For example, the risk of misuse can be lessened by separating duties when checking invoices. And independent of that kind of supplemental, manual process, the risk of misuse is now known, so the company can consider alternative approaches. Does the user really have to be allowed to create orders and check invoices? Might it be enough to check invoices for more than 10,000 Euros according to separation of duties?
A set of rules is the core of Virsa Compliance Calibrator. The rules cover about 200 risks that are derived from several thousand standard transactions in SAP software. The risks are classified according to business processes, such as procure to pay or order to cash. Virsa Compliance Calibrator was programmed in ABAP and can be imported directly into the mySAP ERP application with a transport request.
At first, the rules do not recognize Z transactions – the transactions created by SAP customers to meet specific needs. These transactions must be added to enable a comprehensive view of all possible combinations of transactions and the related risks. For example, if an SAP customer has simplified the screen template for order creation with an in-house transaction, system audits must also consider the new transaction.
If the Z transaction involves comprehensive, in-house development, the company should consult with an external system auditor about possibly critical combinations of transactions and the resulting risks. After that kind of inspection, customer-specific Z transactions can be stored in the automated rules for permanent, real-time checks.
Virsa Role Expert
Virsa Role Expert is a profile generator that can be used to create and manage roles. IT authorization concepts generally work very technically with transactions, but Virsa Role Expert deals with this content in a language and with an interface that both IT departments and user departments can understand.
Descriptors like “MIRO,” “MIGO,” and “FB03” hide transactions for invoice verification, goods receipt, or document display. An individual role, Z_INVOICE – invoice verification – bundles these examples and makes them available for the collective role of vendor management.
These descriptions can be used to document the design of new roles together with user departments and check them with Virsa Compliance Calibrator in real time. An easy-to-understand, Web-based workflow enables user departments to evaluate authorization queries and assign them in the system. This approach requires a uniform design of roles (even beyond the confines of individual systems), proactive evaluation of risks, and central documentation for the system auditor.
Virsa Access Enforcer
Virsa Access Enforcer can then assign the roles and authorization profiles to users with a simple workflow. If clerks in customer accounting are given additional assignments from vendor accounting, they can then request the vendor management and invoice verification roles for themselves.
The request goes to the supervisor in the user department, who can perform a brief risk analysis with Virsa Compliance Calibrator to document and then either approve or deny the request. No employees from the IT department need to become involved. The IT department simply monitors all requests for new authorization and documents the procedures for the system auditor.
Virsa FireFighter for SAP
Companies often find it necessary to work with an emergency user for a limited time. For example, if the employees who normally work with vendor accounting are on vacation or on sick leave, a clerk who normally verifies invoices might have to take over the work temporarily. Virsa FireFighter for SAP can give this user comprehensive authorizations and access to the payment program for a brief period.
The actions of the emergency user are recorded in detail and for a long period of time – up to several years. The log can then be used to check the selection criteria of the payment run. Emergency users are also subject to an additional direct control. For example, if the invoice verification clerk sets up an emergency user for specific payments, the head of the financial department is notified. That’s how companies can fight against misuse, but without losing the flexibility they need.
By working together, Virsa Compliance Calibrator, Virsa Role Expert, Virsa Access Enforcer, and Virsa FireFighter for SAP round out the options available to control access to and authorizations for SAP solutions.