The business is responsible for establishing the risk profile of the organisation and determining the risk appetite. SAP security and controls initiatives must be aligned with this top-down approach, taking into account the policies and standards that are in place as well as any local variations.
The success of security and controls projects is dependent on understanding and delivering to business requirements: failure to appreciate such requirements may result in implementing controls that do not address the business risk and only serve to increase overheads.
Business representatives have ownership of the controls that have been designed or that are being revised, whether they are configurable controls in the system, monitoring controls or access controls managed through security role design. Any changes will necessitate input and sign-off from the business owner.
Engagement from business approvers is critical in order to ensure changes to design and access provisioning are managed in a controlled way. However, owners and approvers must understand what they are responsible for if controls are to be effective.
New initiatives may introduce changes to the current ways of working, such as streamlining processes through automation, changes to approvers, ruleset development to manage segregation of duties, and the development and testing of configurable controls. No initiative will succeed without business involvement, training and education.
Engaging the business can be challenging for a variety of reasons:
Our team of consultants are able to bring their audit and technical experience and translate this into business language.
Examples of where we can add value are:
We are focussed on achieving the right level of business ownership throughout projects to ensure our clients are fully engaged with their SAP solution.