How to Validate Segregation of Duties Results

  • by Jayne Gibbon, Director of Customer Care, SAP
  • September 13, 2011
Upon first running segregation of duties (SoD) reports in SAP BusinessObjects Access Control, management staff can become overloaded with data and assume that the results simply cannot be correct. It is then the responsibility of the owners of SAP BusinessObjects Access Control to prove that the reports are accurate. This article steps through the process that SAP BusinessObjects Access Control owners can follow to prove that the reports are correct. The steps are specific to SAP BusinessObjects Risk Analysis and Remediation (RAR) version 5.3, as this is currently the most used version. They are also applicable to SAP BusinessObjects Access Control 10.0.
Key Concept
Management staff must be confident that segregation of duties (SoD) reports are accurate in order to prove that controls are in place to prevent fraud or material misstatement. Being able to prove to management staff and auditors that the results are complete and correct is imperative in showing that the company is in control.

SAP BusinessObjects Access Control is a reporting application that depends on the segregation of duties (SoD) rule master data to analyze users’ access in the connected systems. When you are trying to prove that the results of the analysis are correct, your analysis needs to consider both the master data rule set, which is the responsibility of the company, and the processing logic of SAP BusinessObjects Access Control, which is the responsibility of SAP. I discuss both areas of analysis in this article.

SoD Report Concerns

Management has two types of concerns with regard to reporting accuracy. I walk you through validation steps for both of these concerns to prove to management staff and auditors that the results are correct. The two concerns are:

False Negatives

  1. The first validation check should be to confirm that rules exist for the system against which the risk analysis is being run. This check has several parts:

          a. First, check to ensure that risks are loaded into the system. Go to RAR > Rule Architect > Rules > Permission Rules. Enter the Risk ID that you are concerned with (Figure 1) and click the Search button.
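As an added illustration (not code from the article, from SAP BusinessObjects Access Control, or from RAR), the following Python model shows why this first check matters: a user with conflicting permissions is reported in a system where permission rules are loaded, and silently missed (a false negative) in a system where the same risk has no rules. The risk ID, function IDs, transaction codes, system names and users are constructed sample values, and the rule expansion mimics RAR-style permission rule generation only in outline.

```python
from itertools import product

# Constructed sample rule master data (risk -> conflicting functions,
# function -> permissions). Not real customer or SAP-delivered content.
RISKS = {"P001": ("AP01", "AP02")}          # e.g. maintain vendor + run payments
FUNCTIONS = {
    "AP01": {"XK01", "XK02"},               # vendor master maintenance
    "AP02": {"F110"},                       # automatic payment run
}

# Constructed sample user permissions, assumed identical in both systems.
USERS = {
    "ALICE": {"XK01", "F110"},              # holds both sides of the conflict
    "BOB": {"XK01"},                        # holds only one side
}


def generate_permission_rules(risks, functions):
    """Expand each risk's conflicting functions into the permission
    combinations a report would match against (one frozenset per rule)."""
    rules = {}
    for risk_id, funcs in risks.items():
        combos = product(*(sorted(functions[f]) for f in funcs))
        rules[risk_id] = [frozenset(c) for c in combos]
    return rules


# PRD has rules generated; DEV has none loaded at all (the false-negative trap).
RULES_BY_SYSTEM = {
    "PRD": generate_permission_rules(RISKS, FUNCTIONS),
    "DEV": {},
}


def analyze(user_perms, rules_by_system, system):
    """Return {user: [risk ids]} for users whose permissions match a rule."""
    rules = rules_by_system.get(system, {})
    hits = {}
    for user, perms in user_perms.items():
        for risk_id, combos in rules.items():
            if any(combo <= perms for combo in combos):
                hits.setdefault(user, []).append(risk_id)
    return hits


def missing_rules(rules_by_system, system, expected_risks):
    """Validation step 1a: risk IDs with no permission rules for the system."""
    loaded = rules_by_system.get(system, {})
    return sorted(r for r in expected_risks if not loaded.get(r))
```

An empty report for DEV is not a clean result: `missing_rules` shows that risk P001 simply has no rules there, so the analysis could never have flagged ALICE.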

Jayne Gibbon

Jayne Gibbon, CPA, has been implementing SAP applications since 1996 and is currently a director in the Chief Customer Office at SAP. Jayne’s focus is making customers successful with their SAP HANA deployments. She has helped more than 100 customers drive business value with SAP HANA. Prior to joining SAP in 2007, Jayne worked for two multinational manufacturing companies based in Wisconsin. While an SAP customer, Jayne led the very first implementation of Virsa’s Compliance Calibrator, which is now part of SAP Access Control. Jayne’s experience includes internal audit; computer security; governance, risk, and compliance; SAP HANA; and SAP analytics.
