Controls Rationalization

Fluoxetine capsules

Client: Global Pharmaceutical Company

Client Situation

A global pharmaceutical company used Approva, an Access Controls tool, to identify and track segregation of duties and controls violations. After a large Finance Transformation effort that included a divestiture, the company had numerous and redundant Access Controls in place; as a result, Access Controls reporting was producing a large number of issues that were difficult to manage. The AddVantage Group was engaged to rationalize the overall access controls environment and enable reliable controls violation reporting.

  • The Global Access Controls needed to be rationalized across all international regions
  • Leadership required a status on the issues to report to external and internal auditors
  • Staff did not have an approach, skill set or the time to perform a review of the access rule set due to competing responsibilities

Our Approach

  • Developed an overall approach, including timeline, resource requirements and project plan to rationalize the rule set
  • Performed  full review of high-level risks covered by the  existing Access Controls
  • Led the corporate staff thru a streamlined approach to resolve issues in phases due to their limited availability
  • Developed client staff and identified updated team responsibilities by training staff on the tool including reporting functionality, access controls development and understanding of technical security in SAP
  • Identified process and knowledge gaps in the current environment relating to Access Controls
  • Provided subject matter expertise to support the ongoing reporting and tool updates as well as impacts to security post-implemetation


  • Drove the development of a comprehensive set of global rules, while adjusting for regional process differences with regional rule sets
  • Updated library of compensating controls for North America while working within the framework of a global controls environment
  • Developed robust rule set allowing for more effective evaluation of SAP security/access requests while still providing/applying controls oversight and expertise
  • Evaluated 5000+ custom SAP Screens (transactions), and consideration of 800+ for inclusion into global/regional rules
  • Reduced violation counts from over 30,000 to under 100
  • Achieved the company’s SOX compliance/regulatory requirements