Controls Rationalization
Client: Global Pharmaceutical Company
Client Situation
A global pharmaceutical company used Approva, an access controls tool, to identify and track segregation of duties (SoD) and other controls violations in SAP. After a large Finance Transformation effort that included a divestiture, the company was left with a rule set containing numerous overlapping and redundant access control rules; as a result, access controls reporting produced a large number of issues that could not be managed or credibly reported on. The AddVantage Group was engaged to rationalize the overall access controls environment and enable reliable controls violation reporting.
- The global access control rule set needed to be rationalized consistently across all international regions
- Leadership required a reliable status of open issues to report to internal and external auditors
- Staff lacked an approach, the skill set and the time to perform a review of the access rule set because of competing responsibilities
Our Approach
- Developed an overall approach, including timeline, resource requirements and project plan to rationalize the rule set
- Performed full review of high-level risks covered by the existing Access Controls
- Led the corporate staff through a streamlined, phased approach to resolving issues, working around their limited availability
- Developed client staff and defined updated team responsibilities by training them on the tool, including its reporting functionality, access control rule development and the underlying technical security model in SAP
- Identified process and knowledge gaps in the current environment relating to Access Controls
- Provided subject matter expertise to support ongoing reporting and tool updates, and to assess security impacts post-implementation
Outcomes
- Drove the development of a comprehensive set of global rules, with regional rule sets to accommodate regional process differences
- Updated the library of compensating controls for North America while working within the framework of the global controls environment
- Developed a robust rule set that allows more effective evaluation of SAP security and access requests while still applying controls oversight and expertise
- Evaluated 5,000+ custom SAP screens (transactions) and considered 800+ of them for inclusion in the global and regional rules
- Reduced the number of reported violations from over 30,000 to under 100
- Met the company's SOX compliance and regulatory requirements