These days, when remote working is forcing nearly every organization to take a close look at their security practices in efficiently providing the proverbial “to find the needle in the haystack,” a tool like SAP Access Violation Management (AVM) by Greenlight Technologies (GLT) can be more important than ever. The purpose of AVM is to identify and report “true” segregation of duties (SoD) violations within a company’s core business systems. True SoD violations reported by AVM complement “potential” SoD violations reported by traditional Governance, Risk, and Compliance (GRC) tools in that the former are based on end-to-end transactions that have been executed by users in the monitored system(s), whereas the latter are access-based violations derived from the security roles assigned to users. Because of this, AVM provides a deeper level of visibility to SoDs that have been committed and the associated financial impact.
Protiviti’s technology consulting team recently partnered with a large multinational oil and gas company to implement AVM. This implementation served as a catalyst for a holistic SoD process and governance improvement for the organization. Before AVM, the company had varying degrees of SoD risk reviews for their core business systems (multiple ERP and procurement applications), all of which were very manual in nature. These reviews consisted of manually generating transactional violation reports for each SoD risk, many of which, we discovered as part of our AVM implementation, needed design improvements. These manually generated reports were sent to the appropriate business owners within the organization, and their review responses and supporting documentation were stored for the external auditors. This process was highly cumbersome in nature and difficult to maintain. So, the client decided to implement AVM to automate and streamline the SoD review process with Protiviti as the system implementation partner. In total, the project team implemented over 50 SoD risks across dozens of production business systems, including cross-system risks to monitor conflicting functions across separate applications.
In the early phase of the project, we developed an SoD monitoring strategy and corresponding business process flows to illustrate how to maximize the technology investment in AVM. We created a roadmap for ongoing maintenance of not only the AVM product, but the comprehensive SoD process itself, which allowed the client to effectively own the process after deployment. This led to the creation of an SoD governance team, comprised of representatives from across the client’s global organization, including internal controls, business process leads, IT and other relevant groups. In doing this, the business decisions around the SoD process were made the focus, while the enabling technology elements (e.g. AVM, GRC) were tapped into in order to bring those automated business decisions to fruition. Before this project, the SoD review process took place infrequently. However, with AVM, the client could perform SoD reviews much more frequently due to its simplicity. This would have been an unreasonable request before AVM was implemented because of the manual nature of the legacy process. With AVM implemented, the client is able to run the risk monitoring jobs on a monthly cadence and have plans to move to a weekly or even daily frequency in the future. This example shows the harmonization of a business decision with technological enablement, all of which is facilitated by the SoD governance team. The established governance structure also provides the organization with a mechanism for continuous process improvement moving forward.
One of the key factors of the implementation being so successful was due to the strong partnership amongst the client’s key stakeholders, Protiviti and Greenlight, who made up the core AVM project team. Beyond the core team, however, many other client resources around the globe were needed in order to ensure a comprehensive design, testing, and training process. This included working with the offshore GRC team to ensure that the AVM SoD risk design was aligned with the GRC SoD ruleset; partnering with the local compliance network in other countries to translate our AVM training materials into different languages and providing the end-user training sessions in their respective language; and obtaining business and IT input on AVM risk design from process owners and functional leads from all over the globe. Throughout the design, build, testing, training and deployment phases, we coordinated the project’s efforts across our cross-functional team and provided regular updates to the project steering committee to apprise them of progress being made and obtain input on key decisions.
Because of the highly complex nature of the client’s global business processes and IT system landscape, we partnered with GLT throughout the implementation to customize several AVM features to meet business requirements. Some of the enhancements were specific to our client, such as a bespoke report which integrated AVM data to the company’s internal hierarchal reporting elements. Others, such as an LDAP integration to allow for automated synchronicity of user-to-supervisor mapping data between AVM and Active Directory, were productized by GLT and are now a part of the mainstream AVM product. Not only did our client benefit from these enhancements, but many other companies running AVM will as well.
In summary, through a strong cross-functional team, we were able to tailor a technological solution in AVM to meet the business needs of our client’s SoD monitoring process. The success of the project was dependent upon teaming with our client’s global organization and working with GLT to customize AVM where necessary to align it to our client’s requirements. Just as importantly as the implementation itself, we put in place a governance structure to allow the client to maintain and continuously improve the SoD monitoring process moving forward. This will ensure success not just for the present, but for the future as well.
For more information about Access Violation Management, contact us or visit Protiviti’s SAP consulting services to learn more about our solutions.
About the Authors
Enterprise Application Solutions
Enterprise Application Solutions