Segregation of duties in SAP and Implementation

In SAP, segregation of duties (SoD) is the process of:

1. Defining user roles based on their work areas.

2. Identifying the access requirements of each role: the transactions the users need access to and the level of authorization they need within them (for example display only versus change).

3. Identifying risks (conflicting actions), i.e. combinations of actions that no single user should be able to perform, and determining ways to limit these risks.

Example: if access is not managed correctly, a payroll administrator who maintains master data (basic pay and other salary details) can change his own salary details to his own advantage.

4. Not all risks can be removed from the system. Where a risk remains, put controls in place: assign the critical actions/transactions only to users who need them, for a limited period based on requirement, and monitor their use closely. Keep usage logs of these critical transactions so that they can be audited as and when needed.

SAP GRC Access Control provides tools to accomplish these tasks in a systematic manner.
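The four steps above can be checked mechanically once roles, their transactions and user-to-role assignments are extracted. The following is an added illustrative example, not code from the original page and not SAP GRC Access Control; the role names (Z_*), the transaction codes, the time-limited assignment and the two-risk ruleset are constructed for illustration and stand in for a real authorization extract and a real rule set. It goes beyond the single payroll scenario in the text: it reports risks built into one role (a role-design defect), role pairs that must never be assigned together, and users whose currently valid roles together cover a risk, so that an expired temporary assignment (step 4) no longer counts.

```python
"""Segregation-of-duties (SoD) check over SAP-style role and transaction data.

Added illustrative example; not from the original page and not SAP GRC code.
Role names, transaction codes and the risk ruleset are constructed (assumption)
and stand in for a real authorization extract and a real GRC rule set.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    tcodes: FrozenSet[str]  # a user who can run ALL of these holds the risk


@dataclass(frozen=True)
class Assignment:
    role: str
    valid_to: Optional[date] = None  # None = permanent; a date = time-limited (step 4)


# --- Constructed sample data (assumption, not from the page) ---
RISKS: Sequence[Risk] = (
    Risk("H001", "Maintain own HR master data and post payroll results",
         frozenset({"PA30", "PC00_M99_CIPE"})),
    Risk("P001", "Create a vendor and post an invoice to that vendor",
         frozenset({"XK01", "FB60"})),
)

ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_HR_MASTER":    {"PA20", "PA30"},
    "Z_PAYROLL_POST": {"PC00_M99_CIPE"},
    "Z_AP_CLERK":     {"FB60", "FB03"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_SUPER":     {"XK01", "FB60", "FB03"},  # badly designed: contains P001 alone
}

USER_ROLES: Dict[str, Tuple[Assignment, ...]] = {
    "alice": (Assignment("Z_HR_MASTER"),
              Assignment("Z_PAYROLL_POST", valid_to=date(2024, 1, 31))),  # temporary
    "bob":   (Assignment("Z_AP_CLERK"), Assignment("Z_VENDOR_MAINT")),
    "carol": (Assignment("Z_AP_CLERK"),),
}

AS_OF = date(2024, 1, 15)          # alice's temporary role is still valid
AFTER_EXPIRY = date(2024, 2, 1)    # it has expired


def effective_tcodes(user: str, user_roles, role_tcodes, today: date) -> Set[str]:
    """Transactions a user can run on `today`, through all non-expired roles."""
    tcodes: Set[str] = set()
    for assignment in user_roles.get(user, ()):
        if assignment.valid_to is None or assignment.valid_to >= today:
            tcodes |= role_tcodes.get(assignment.role, set())
    return tcodes


def find_violations(user_roles, role_tcodes, risks, today: date) -> Dict[str, List[str]]:
    """Step 3 at user level: users whose combined access covers a whole risk."""
    violations: Dict[str, List[str]] = {}
    for user in user_roles:
        have = effective_tcodes(user, user_roles, role_tcodes, today)
        hits = [r.risk_id for r in risks if r.tcodes <= have]
        if hits:
            violations[user] = hits
    return violations


def single_role_conflicts(role_tcodes, risks) -> Dict[str, List[str]]:
    """Roles that contain a complete risk by themselves: fix the role, not the user."""
    defects: Dict[str, List[str]] = {}
    for role, tcodes in role_tcodes.items():
        hits = [r.risk_id for r in risks if r.tcodes <= tcodes]
        if hits:
            defects[role] = hits
    return defects


def role_pair_conflicts(role_tcodes, risks) -> Dict[Tuple[str, str], List[str]]:
    """Role pairs that must never be assigned to the same user.

    Risks already contained in one of the two roles are not repeated here;
    single_role_conflicts() reports those.
    """
    conflicts: Dict[Tuple[str, str], List[str]] = {}
    for (r1, t1), (r2, t2) in combinations(sorted(role_tcodes.items()), 2):
        hits = [r.risk_id for r in risks
                if r.tcodes <= (t1 | t2) and not r.tcodes <= t1 and not r.tcodes <= t2]
        if hits:
            conflicts[(r1, r2)] = hits
    return conflicts


if __name__ == "__main__":
    print("roles that are risks by themselves:", single_role_conflicts(ROLE_TCODES, RISKS))
    print("role pairs never to combine:", role_pair_conflicts(ROLE_TCODES, RISKS))
    print("users in violation on", AS_OF, find_violations(USER_ROLES, ROLE_TCODES, RISKS, AS_OF))
    print("users in violation on", AFTER_EXPIRY,
          find_violations(USER_ROLES, ROLE_TCODES, RISKS, AFTER_EXPIRY))
```

The role-level checks belong in role design and change approval (before a role ever reaches a user); the user-level check is what a periodic access review or a GRC risk analysis run produces. In a real system the transaction list alone is not the whole story, since the authorization objects and activity values inside a role decide whether a user can only display or also change data, so a production check should consume the full authorization data rather than the transaction codes used here.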

Introduction to SAP ERP


SAP (Systems, Applications and Products in Data Processing) is ERP (Enterprise Resource Planning) software.

SAP has become popular due to its stability, scalability, reliability, customizability and robustness.

SAP packages the major functions performed by the various departments of a company, such as human resource management, data warehousing, materials management, finance and sales, in the form of modules. This tremendously reduces the total cost to the company, since the manual effort and record-keeping costs of each department are reduced, and all data is available centrally for reporting and auditing.

This makes SAP one of the most reliable ERP products available.

SOX sections relevant for SAP Security Professionals


The Sarbanes-Oxley Act (SOX) is a set of sections (requirements) that publicly traded companies in the US must adhere to. They are designed to ensure that a company conducts its activities in a systematic manner, that the risk of fraud is minimised, and that there is accountability.

Sections 302 and 404 are the main sections relevant to SAP internal auditors and security administrators.


Section 302
Relates to the CEO and CFO certifying the company's periodic (quarterly and annual) financial reports. They must certify that the information provided is accurate, and they bear personal responsibility for any misstatement.

Section 404
Relates to management's assessment that the required internal controls over financial reporting have been put in place, and disclosure of the internal controls adopted. It also requires the external auditor to attest to management's assessment, reporting on the effectiveness of the internal controls and any material weaknesses.


Sections 301 and 409 are also relevant.

Section 301:
Makes the company's audit committee responsible for putting procedures in place that allow employees to submit, anonymously and confidentially, their concerns about any questionable accounting or auditing matters.


Section 409:
Requires the company to disclose to the public, on a rapid and current basis, any material changes in its financial condition or operations, in terms that are easy for the public to understand.