ERP Systems are complex IT solutions that support business processes within organizations. Such systems support a large spectrum of configurations and customization. Within the range of configurations, ERP systems also allow for multiple access control management issues and security configurations. If not addressed correctly, these can cause various business disruptions as well as security leaks, eventually resulting in potential fraud, errors, lack of compliance with regulations and/or process inefficiency.
What do we encounter?
In our practice, we encounter many organizations struggling with their setup and maintenance of provided access control in their ERP system(s). There are many root causes but, in most cases, the problems are linked to access control and therefore theoretically come under the responsibility of the IT department. However, segregation of duties (SOD) and user access control management issues are not solely an IT issue. It is vital that organizations understand that user access should be the responsibility of the business (supported, of course, by IT).
Organizations experience several key challenges to overcome if they are to embed this understanding into their organizations.
What is Access Management?
Many organizations find that managing authorizations is a major challenge, and that assigning authorization roles and preventing segregation of duty conflicts are time-consuming matters that result in high administration costs; access control experts report the same. Known problems are:
- Unknown and unmitigated risks related to segregation of duty violations: the business model is not implemented, authorizations are not in line with organizational roles and responsibilities, and system administrators and other ‘special’ users hold excessive authorizations.
- No control over excessive access rights: employees with excessive authority can perform too many process steps, potentially leading to errors and/or fraudulent activities.
Defining and monitoring of SOD conflicts
Most organizations struggle with defining and monitoring segregation of duty (SOD) conflicts. SOD refers to activities within business processes that should be properly segregated among employees. This ensures that no single employee can control an entire business process, or a significant portion of one.
Most ERP systems do not provide (proper) access control management functionality embedded in them from the outset; these have to be established by the company itself.
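The kind of rule-based check an organization has to build itself is illustrated below. This is an added example, not Sofy Access Management code or any ERP vendor's API: the roles, business functions, SOD rule pairs, user assignments and mitigation records are all constructed sample data with hypothetical names. It resolves each user's effective functions through their roles, reports SOD conflicts (split into mitigated and unmitigated), flags critical administrative access, and also answers the preventive question "would granting this role create a new conflict?" before the role is assigned.

```python
"""Detect and prevent segregation-of-duties (SOD) conflicts from ERP role assignments.

All data below is constructed for illustration; role, function and user names are hypothetical.
"""

# Constructed: which business functions each ERP role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "PURCHASER": {"create_purchase_order"},
    "SYS_ADMIN": {"maintain_users", "assign_roles"},
    "GL_ACCOUNTANT": {"post_journal"},
}

# Constructed SOD rule set: pairs of functions one person must never hold together.
SOD_RULES = {
    ("create_vendor", "release_payment"): "Vendor master maintenance vs. payment release",
    ("enter_invoice", "approve_invoice"): "Invoice entry vs. invoice approval",
    ("create_purchase_order", "approve_invoice"): "PO creation vs. invoice approval",
}

# Functions that are critical on their own (administrator / 'special' user access).
CRITICAL_FUNCTIONS = {"maintain_users", "assign_roles"}

# Constructed user-to-role assignments and documented compensating controls.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"PURCHASER"},
    "carol": {"SYS_ADMIN", "GL_ACCOUNTANT"},
    "dave": {"AP_CLERK"},
}
MITIGATIONS = {
    ("alice", ("enter_invoice", "approve_invoice")): "Monthly invoice review by controller",
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of all functions granted by the user's roles."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def roles_granting(user, funcs, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Roles that contribute at least one of the given functions (useful for remediation)."""
    return sorted(r for r in user_roles.get(user, ()) if role_functions.get(r, set()) & funcs)


def find_sod_conflicts(user, user_roles=USER_ROLES, mitigations=MITIGATIONS):
    """Every SOD rule the user violates, with its mitigation status and contributing roles."""
    funcs = effective_functions(user, user_roles)
    conflicts = []
    for (a, b), description in SOD_RULES.items():
        if a in funcs and b in funcs:
            conflicts.append({
                "user": user,
                "rule": (a, b),
                "description": description,
                "mitigated": (user, (a, b)) in mitigations,
                "roles": roles_granting(user, {a, b}, user_roles),
            })
    return conflicts


def critical_access(user, user_roles=USER_ROLES):
    """Critical functions the user holds regardless of any pairing."""
    return sorted(effective_functions(user, user_roles) & CRITICAL_FUNCTIONS)


def review_all(user_roles=USER_ROLES, mitigations=MITIGATIONS):
    """Detective control: periodic review of the whole assignment table."""
    report = {"unmitigated_sod": [], "mitigated_sod": [], "critical_access": {}}
    for user in sorted(user_roles):
        for c in find_sod_conflicts(user, user_roles, mitigations):
            bucket = "mitigated_sod" if c["mitigated"] else "unmitigated_sod"
            report[bucket].append(c)
        crit = critical_access(user, user_roles)
        if crit:
            report["critical_access"][user] = crit
    return report


def check_role_request(user, new_role, user_roles=USER_ROLES):
    """Preventive control: the SOD rules that would be newly violated if new_role were granted."""
    before = {c["rule"] for c in find_sod_conflicts(user, user_roles)}
    proposed = {u: set(r) for u, r in user_roles.items()}
    proposed.setdefault(user, set()).add(new_role)
    return [c["rule"] for c in find_sod_conflicts(user, proposed) if c["rule"] not in before]


if __name__ == "__main__":
    for bucket, items in review_all().items():
        print(bucket, items)
    print("bob + AP_MANAGER would add:", check_role_request("bob", "AP_MANAGER"))
```

In a real deployment the role-to-function mapping would be extracted from the ERP's authorization tables rather than hard-coded, and the mitigation register would be maintained by the business owner of the process, which is where the responsibility for access decisions sits.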
Struggling to get a grip on SOD
Whether due to cost or time constraints and/or a lack of skills, the access control framework is often not implemented in a way that restricts employee access appropriately, which leads to compliance breaches.
Sofy Access Management can help you address these issues
To address these and other related issues, at KPMG Sofy Suite we have developed the Sofy Access Management solution. Sofy Access Management supports organizations in resolving a variety of business problems regarding access control management in Oracle, SAP and Microsoft Dynamics (AX/NAV) ERP systems. Using a unique cloud-based approach, the access management setup is analyzed and exceptions are identified in real time. The solution is an accelerator to enable the implementation and maintenance of solid access control processes and configurations.
We have developed Sofy Access Management for you to perform effective access control management. Real-time insights and alerts can be established for you to detect and also prevent compliance breaches (e.g. SOD conflicts, critical access issues).
The cloud service can be connected to your existing ERP back-end and requires minimal deployment and maintenance. Moreover, its integrated KPMG knowledge base makes user adoption and implementation seamless.
Author: Tony Kanters