For a full demo and documentation please download:
Enterprise Resource Planning (ERP) is a business management system that integrates all facets of the business, including sales, manufacturing, planning, and marketing, into a single coherent system.
• Tie operational and financial data together;
• Remove paperwork;
• Users tend to have access to both transactional as well as master data.
Sarbanes-Oxley compliance drives an organisation to document and understand the linkage between its infrastructure components and reporting elements, to segregate duties and assign ownership, accountability and responsibility.
• Masterfile change logs
• MM-FI: 3-way matching of PO, GR & invoice
• Authorisation profiles
• Automatic validation of data
• Accounting periods can be closed off
From an ERP viewpoint, User & Role Management, transaction validation and segregation of duties are a vital part of a company’s internal controls systems. These are also a vital part of Sarbanes-Oxley compliance.
Management of accounts and password controls is the first port of call, but this needs to be extended to include application security.
• Authorisation concept is extremely complex.
• Many transactions affect Accounts Payable.
• Role of authorisation checks is critical in determining whether duties are appropriately segregated.
• Consider and analyse access to sensitive objects and transactions within the system;
• Perform segregation of duties analysis for significant transactions and users;
• Evaluate access control policies and procedures.
Apphion’s Access Monitor is a powerful suite of tools for companies that use SAP R/3. It provides a framework within which it is possible to identify, correct and monitor segregation of duties on a continuous basis.
Access Monitor provides an easy-to-use interface, simplifying analysis of user access and segregation of duties. Initial setup is for the Accounts Payable function, but it can be expanded to include other areas once the relevant rules are defined.
Auditors (both internal and external), business process owners and SAP administrators can use Access Monitor to identify authorisation violations, and can use its reports to correct or document these violations.
Access Monitor rules are based on a standard list of Segregation of Duties (SOD) rules and this list will come pre-loaded.
Access Monitor rules can be updated as required.
Access Monitor reports can provide detail of access from different viewpoints (e.g. transaction code, user, role), providing clarity on what each user can do within SAP.
Access Monitor Reports can be generated in several output formats.
Access Monitor provides a simulation framework that enables administrators to see the effect of changing the authorisations of users or roles, thereby simplifying the task of managing SAP.