
Practical SAP Security
A Collaborative Approach to Addressing Segregation of Duties Risks
Managing segregation of duties (SoD) risks in complex SAP environments is a common challenge for many organizations. Yet many organizations still overlook this control or lack the tooling to support it. A recent project collaboration between MTC Skopos and Protiviti The Netherlands' SAP Security team provides a practical example of how the right tools and expertise can help address audit findings efficiently.
The Situation
Audit Findings Require Systematic Response
Our client, a multinational company, implemented an SAP authorization concept years ago but did not invest in tools to maintain or monitor it. Over time, role changes were made without SoD or critical access controls, leading to significant SoD and critical access risks. Their external auditor neither relied on the IT environment nor conducted thorough risk analyses, leaving these issues undetected and potentially exposing the company to financial loss or system errors. Like many organizations, they needed to:
- Address specific audit findings within reasonable timeframes
- Understand their current authorization landscape better
- Receive insights and detailed reports to aid decision-making at the executive level
- Design sustainable controls to prevent similar issues
- Plan remediation activities
The Approach
Combining Analysis Tools with Consulting Experience
Protiviti The Netherlands partnered with MTC Skopos to conduct a thorough assessment of the client's SAP authorization structure (business and IT risks). This combination brought together practical analysis capabilities and experienced SAP security consulting.
Risk Analysis with MTC Skopos
Protiviti loaded its global golden rulesets into MTC Skopos. The tool supported the following activities:
- Identify Conflicts: We identified SoD violations and critical access in the client's role and user assignments.
- Analyze Cross-System Access: The assessment covered access patterns spanning multiple systems, providing a comprehensive view of potential risk areas.
- Reporting: The analysis produced a "ready-to-import" report that enables direct visualization in Power BI, turning risk analysis results into business-oriented insights.
- Remediation Insights: Because usage data was available in the environment, we could readily determine how users actually behave and better understand how business activities are performed.
- Test Remediation Options: Using the simulation feature, we could evaluate different remediation approaches to ensure business continuity.
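As an added illustration (not MTC Skopos code or output), the following Python sketch shows the core of such a rule-based analysis on constructed sample data: a ruleset of conflicting business functions expressed as SAP transaction codes, user-level conflict detection across all assigned roles, flagging of conflicts the user has actually exercised using usage data, and a simulation of removing a role that checks whether the user would lose a transaction they actually use. Role names, user IDs and usage records are constructed for the example.

```python
# Constructed sample data (not the client's). A SoD rule pairs two business
# functions that one person should not be able to perform together.
RULESET = {
    "SOD-01": ("Create Vendor", "Post Vendor Invoice"),
    "SOD-02": ("Post Vendor Invoice", "Execute Payment Run"),
}
# Each business function is defined by the SAP transaction codes that enable it.
FUNCTIONS = {
    "Create Vendor": {"XK01", "FK01"},
    "Post Vendor Invoice": {"FB60", "MIRO"},
    "Execute Payment Run": {"F110"},
}
# Constructed roles (tcodes they grant) and user-role assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK03"},
    "Z_VENDOR_MASTER": {"XK01"},
    "Z_PAYMENTS": {"F110"},
}
USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "BOB": {"Z_AP_CLERK", "Z_PAYMENTS"},
    "CAROL": {"Z_PAYMENTS"},
}
# Constructed usage data: transactions each user actually executed.
USAGE = {"ALICE": {"FB60"}, "BOB": {"FB60", "F110"}, "CAROL": {"F110"}}

def user_tcodes(user, users=USERS, roles=ROLES):
    """Effective transaction set of a user, combined across all assigned roles."""
    return set().union(*(roles[r] for r in users[user]))

def analyze(users=USERS, roles=ROLES, usage=USAGE):
    """Return {user: [(rule_id, exercised)]} for every SoD violation.
    A rule fires when the user holds a tcode of each function (even via
    different roles); exercised=True means both sides were actually used."""
    findings = {}
    for user in users:
        tcodes = user_tcodes(user, users, roles)
        for rule_id, (f1, f2) in RULESET.items():
            if tcodes & FUNCTIONS[f1] and tcodes & FUNCTIONS[f2]:
                used = usage.get(user, set())
                exercised = bool(used & FUNCTIONS[f1] and used & FUNCTIONS[f2])
                findings.setdefault(user, []).append((rule_id, exercised))
    return findings

def simulate_removal(user, role, users=USERS, roles=ROLES, usage=USAGE):
    """Simulate removing one role from a user: return the user's remaining
    conflicts and the tcodes they actually used but would lose (continuity risk)."""
    trial = {u: set(r) for u, r in users.items()}
    trial[user].discard(role)
    before, after = user_tcodes(user, users, roles), user_tcodes(user, trial, roles)
    return analyze(trial, roles, usage).get(user, []), (before - after) & usage.get(user, set())
```

Removing Z_VENDOR_MASTER from ALICE clears her conflict without touching anything she uses, whereas removing Z_AP_CLERK from BOB clears his conflict but takes away FB60, which he actively runs, so a different remediation (for example splitting the role) would be preferable.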
SAP Security Expertise from Protiviti NL
Protiviti's team brought the SAP Security and IT Audit knowledge needed to interpret findings and develop practical remediation strategies. Their experience helped ensure recommendations were realistic and aligned with business needs. The collaboration produced practical results:
- Rapid Risk Assessment: The comprehensive analysis was completed within days of project initiation, giving the client immediate visibility into their security posture when they needed it most.
- Precision-Focused Strategy: Rather than recommending sweeping system changes, the team identified specific high-risk areas requiring immediate attention, enabling surgical remediation that minimized business disruption.
- Comprehensive Governance Framework: The client received a complete overview of their current access risk landscape, along with detailed recommendations for achieving and maintaining control. A structured roadmap defined the path forward, with the initial phases of the "Remediation as a Service" offering clearly outlined for immediate implementation.
Remediation as a Service is Protiviti Netherlands' specialized offering designed to systematically resolve segregation of duties conflicts and critical access issues. The service goes beyond identification and delivers actual solutions through comprehensive analysis of conflict patterns and user behavior data. The remediation process involves strategic role restructuring and user-role assignment optimization, with each change carefully planned to minimize business disruption. At project initiation, key success criteria are established collaboratively with the client, including project timeline, target remediation percentage, required business stakeholder involvement, and acceptable levels of operational impact. This structured approach ensures that remediation efforts are not only technically effective but also aligned with business continuity requirements and organizational change management capabilities.
Moving Forward
Whether addressing current audit findings or improving ongoing security governance, having the right combination of tools and expertise can make the process more manageable. The collaboration between MTC Skopos and Protiviti demonstrates how practical analysis tools combined with experienced consulting can help organizations address SAP security challenges effectively. For organizations dealing with similar challenges, consider how proper analysis tools and experienced guidance can help you better understand and manage your authorization risks.
We can help whether you're:
- Preparing for your next IT audit
- Looking to remediate SoD conflicts with minimum business disruption
- Wanting to evaluate FUE licenses based on actual user authorizations