Segregation of duties and access control - Leveraging SAP GRC to meet the challenges
Why segregation of duties and access control?
With the heightened focus on corporate governance and internal controls in today’s business environment, organisations need to implement effective measures for achieving regulatory compliance and meeting a variety of stakeholder demands – among them the demands for a better and effective Governance, Risk management and Compliance (GRC) programme.
Implementing effective and efficient internal controls is an important aspect of a GRC programme. Internal controls are mechanisms to help organisations achieve their business objectives while containing risks, which may lead to financial, operational and reputational losses. Effective and efficient internal controls are directly correlated to an organisation’s ability to execute business transactions, ensure productivity, profitability and sustainability.
Internal controls in a business environment are often enforced through segregation of duties in business processes. Different roles and responsibilities are assigned to each individual to provide a check-and-balance environment appropriate to the risk level of the business. Segregation of duties is naturally embedded into the hierarchical and compartmentalised structure of any business organisation.
However, there is often a blind-spot – access to computer systems. With the advent of computer systems in almost every aspect of business, organisations are increasingly reliant on technology-based access control to enforce segregation of duties. Without proper and adequate access control, organisations may find out the hard way that segregation of duties is bypassed and controls no longer work.
Addressing the key issues
Many organisations do have difficulties managing segregation of duties and access controls. These realisations often arise through inspections and audits, or in some cases, fraud investigations. The three common issues are:
These three issues cannot be addressed effectively without the support of access control technology.
SAP GRC Access Control enables you to achieve:
The importance of a holistic GRC approach
Building and implementing segregation of duties and access control requires a holistic approach that is woven into the fabric of the organisation, often viewed as part of a larger GRC programme. Under this view, an effective governance structure is put in place, and roles and responsibilities are clearly defined. Risk identification, assessment and mitigation are closely tied to the achievement of the organisation’s business objectives. Executives and management have ready access to timely, accurate, relevant information about controls, and their impact on risk exposure. In other words, segregation of duties and access control are not the responsibility of one or two departments; it is a concerted effort of everyone in the organisation, from the Board right down to the staff on the ground.
PwC is the specialist in SoD and access control
As one of the largest and most experienced global providers of GRC services, PwC has been working closely with technology providers such as SAP to help organisations create integrated, sustainable GRC programmes.
PwC’s proven methodology and approach ensure that organisations implement and operate SAP GRC Access Control using proper Strategy, Structure, Process, People and Technology.
Our approach recognises that technology is not a solution but an enabler, a tool to efficiently gather and analyse data and support people and processes. With one of the largest available global resource pools of SAP GRC technologies, we work with organisations to address a wide range of GRC issues. We can help you:
The effect of tightening SoD and access controls
Organisations that have gone through this exercise typically experience the following:
For general enquiries, please email to firstname.lastname@example.org