User Segregation of Duty (SoD) Reviews


SoD violations must be monitored and managed on an ongoing basis. Business managers and risk owners use the SoD review process to automate periodic reviews of SoD conflicts.

Once the Risk Analysis and Remediation capability identifies SoD conflicts, these conflicts must be remediated to ensure SOX compliance. The system uses Risk Analysis and Remediation batch analysis data to update management graphics and to generate SoD Review workflow requests in the CUP capability. When the system detects SoD violations, it automatically sends reports to managers so that they can take actions to either remove user access or to mitigate the SoD risks.

Reviewers can be either the user’s manager or the risk owner, as defined by the Rule Architect of Risk Analysis and Remediation. After the request has been created, the system sends an e-mail notification for any SoD violations to the Reviewer. Depending on your configuration, requests may contain unmitigated SoD conflicts only, or both unmitigated and mitigated conflicts.

Process

To complete the SoD process:

  1. The batch analysis jobs in Risk Analysis and Remediation and the Compliant User Provisioning background jobs for the SoD Review are scheduled and executed. This step is done by the SAP GRC Access Control administration team.

  2. The reviewers, either the manager or risk owner, receive e-mail notifications for each of the requests. Using the link in the e-mail, the reviewers log on to Compliant User Provisioning.

  3. The reviewer opens the request and reviews the SoD violation. Reviewers must address each SoD violation. They can either mitigate the risks or identify one or more functions to be removed from the user. If the conflict is already mitigated, the reviewer confirms the mitigation of the risk.

  4. When all SoD violations on the request are complete, the reviewer submits the request to the next stage of review.

    Note

    Based on configuration, items marked for removal can be sent to a detour path and go to another stage, such as IT Security, for review.

  5. If there is a detour for role removals, for instance, to IT Security, the recipients receive e-mail notifications of the request and can use the link in the e-mail to log on to Compliant User Provisioning.

  6. IT Security reviews and analyzes what needs to be removed.

    1. If you use CUP to request user access, the security team enters a request to remove the unnecessary roles; the request then follows the appropriate workflow path.

    2. If you are not using CUP to request user access, the security team uses existing procedures to remove roles from the users.

    3. The security team enters comments and approves the request.

Reviewers must address each line of the request by approving an existing control, identifying a new control, or by requesting removal of one or more of the functions that contribute to the risk.

Usage information consists of actions that the user has executed during the defined review period.
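The following Python model is an added illustration of the flow described on this page, not SAP code: batch analysis maps the actions a user executed during the review period onto SoD functions, detects conflicts, applies the "unmitigated only" versus "mitigated and unmitigated" configuration, assigns the reviewer (manager or risk owner), and routes removals to a detour stage. All rule ids, transaction codes, addresses and stage names are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample rule set: each SoD function is a set of actions, and each
# risk is a pair of conflicting functions plus its risk owner (all hypothetical).
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "XK02"},
    "PAY_VENDOR": {"F110", "F-53"},
    "MAINTAIN_USER": {"SU01"},
    "MAINTAIN_ROLE": {"PFCG"},
}
RISKS = {
    "P001": (("CREATE_VENDOR", "PAY_VENDOR"), "risk.owner.p001@example.com"),
    "B002": (("MAINTAIN_USER", "MAINTAIN_ROLE"), "risk.owner.b002@example.com"),
}
MITIGATIONS = {("jdoe", "B002")}          # (user, risk) pairs already under a control
MANAGERS = {"jdoe": "manager.jdoe@example.com"}

@dataclass
class ReviewItem:
    user: str
    risk_id: str
    functions: tuple
    mitigated: bool
    reviewer: str

def executed_functions(actions):
    """Map the actions executed during the review period to SoD functions."""
    return {f for f, acts in FUNCTIONS.items() if acts & set(actions)}

def build_review_request(user, actions, reviewer_type="manager", include_mitigated=False):
    """Emulate batch analysis: find conflicts in usage and build the SoD review request."""
    used = executed_functions(actions)
    items = []
    for risk_id, (funcs, risk_owner) in RISKS.items():
        if not all(f in used for f in funcs):
            continue                       # a conflict needs both functions exercised
        mitigated = (user, risk_id) in MITIGATIONS
        if mitigated and not include_mitigated:
            continue                       # configuration: report unmitigated conflicts only
        reviewer = MANAGERS[user] if reviewer_type == "manager" else risk_owner
        items.append(ReviewItem(user, risk_id, funcs, mitigated, reviewer))
    return items

def next_stage(decisions, detour_for_removals=True):
    """Submit the request: any line marked 'remove' takes the detour when configured."""
    if detour_for_removals and "remove" in decisions.values():
        return "IT_SECURITY"
    return "NEXT_STAGE"
```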