It’s been about 19 years since the passage of the Sarbanes-Oxley Act (SOX), enacted in the wake of corporate accounting scandals at Enron and WorldCom. The goal of SOX was to make publicly traded companies more accountable for the accuracy and integrity of their financial reporting. As a result, over nearly two decades SOX has had a major impact on the way companies handle their governance, risk management and compliance (GRC) duties.
Considering the central role of SAP systems in accounting, SAP GRC controls are essential when evaluating your SOX compliance checklist.
Background first: what is SOX compliance?
The Sarbanes-Oxley law has many elements. Two sections are most relevant to IT, finance and GRC professionals.
- Section 302 states that the CEO and CFO are directly responsible for ensuring that financial reports (e.g., the 10Q and 10K) are accurate and well-documented. It also holds that these executives are responsible for the company’s internal control structure.
- Section 404 takes this further, obligating the company to assert it has adequate internal controls in place, and that they are operational and effective. Registered external auditors must then attest to the accuracy of management’s assertion.
To comply, you need to understand how transactions flow through your SAP landscape, calculate risks of fraud and error, put in necessary controls, and evaluate and report on the effectiveness of those controls. Whether this is a Herculean task or a trivial one depends on your SAP SOX compliance checklist, and the SAP GRC software you use to implement it.
SOX internal controls
An internal control is a rule or process (or combination of them) that is intended to prevent or detect actions that might affect the integrity of financial transactions. A simple example is the lock you see on a cash register, preventing unauthorized people from stealing from the till.
Controls in SOX are comparable, but much more sophisticated – running the gamut from basic accounting practices, such as bank account reconciliation, to IT controls, such as running regular system backups. Internal controls fall into two categories:
- A detective control detects if there is fraud or mistakes affecting reporting.
- A preventive control stops someone from committing fraud or making an error that would negatively impact accuracy of business operations.
The SOX compliance audit
The SOX audit is primarily involved with Section 404, and the process starts before external auditors arrive. Whoever is assigned to SOX compliance creates a list of internal controls (usually getting suggestions from the auditor beforehand). They go through the controls themselves first – checking them before the auditor gets to work. If the company has gone through SOX before, they typically update the previous year’s controls list and go from there.
The audit of internal controls looks at four main categories. These encompass all of a company’s IT assets, including:
- Access (both physical and virtual)
- Security
- Change management
- Backup procedures
The auditor also takes a careful look at the company’s segregation of duties (SoD) controls.
The SOX audit and overall compliance process are no longer manual affairs. Software, such as ControlPanelGRC, can quickly identify and mitigate risk, and automate audit readiness.
The SAP SOX compliance checklist:
Your checklist should address these areas:
1. Segregation of SOX compliance duties
Allowing a single user to create and pay a vendor, or order and receive inventory, increases the risk of fraud and embezzlement. SoD controls prevent users from obtaining multiple, incompatible roles. ControlPanelGRC Access Control contains a complete set of tools to automate the SoD tasks in your SAP SOX compliance checklist.
- The SoD Risk Analyzer module contains customizable SoD rules, as well as compliance monitoring and remediation controls to quickly identify and correct SoD conflicts.
- This works with the SAP User Provisioning and Role Management module, enabling your security admins to quickly provision new user assignments or positions without risking SAP SOX Compliance.
2. SAP GRC compliance monitoring
There are two choices for monitoring compliance: manually reviewing records for inconsistencies or implementing automation for SOX compliance in SAP. An SAP GRC solution will look for warning signs that could indicate fraud or missing controls, and report on them in real time. Manual reviewers will take months to sample a fraction of your records with far less accuracy.
3. Safeguard SOX audit trails against emergency access
SAP landscapes create a permanent, automated record of every transaction as it happens. Any time someone creates a vendor, files a purchase order or changes a customer record, it is recorded in a tamper-proof system. The problem arises in an emergency, when generic firefighter IDs are used. A consultant can log on with a generic firefighter ID to fix whatever has broken, but this poses risks: it is very difficult to track changes made under a generic firefighter ID and compare them with the activity of the consultant’s regular ID.
For example, it can go unnoticed if a consultant creates a vendor with a firefighter ID and then cuts a PO to that vendor with their regular ID. In short, generic firefighter IDs can be used to make changes that harm the system, violate compliance rules or compromise audit trails. An SAP GRC solution like ControlPanelGRC can provide firefighter access without generic logons and hold firefighters accountable for any changes they make.
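The SoD conflict check from item 1, extended to the firefighter-ID blind spot described in item 3, as an added example (constructed here; not ControlPanelGRC or SAP code). The rule IDs, user IDs, check-out log and activity-log format are assumptions made for the illustration; the point is that firefighter activity must be attributed to the person who checked the ID out before incompatible actions are compared.

```python
"""SoD conflict check that maps firefighter-ID activity back to the person who
checked the ID out. Constructed example; not ControlPanelGRC or SAP code."""
from collections import defaultdict

# Incompatible action pairs from the checklist (hypothetical rule IDs): one
# person must not perform both actions against the same business object.
SOD_RULES = {
    "P2P-01": ("create_vendor", "pay_vendor"),
    "P2P-02": ("order_inventory", "receive_inventory"),
}

# Constructed firefighter check-out log: who owned the generic ID, and when.
FIREFIGHTER_SESSIONS = [
    {"ff_id": "FF_FIN01", "owner": "CONSULT1", "start": 100, "end": 200},
]

# Constructed SAP-style activity log; `t` is a simple increasing timestamp.
# CONSULT1 creates vendor V-9001 under the firefighter ID, then pays it
# from their regular ID: the case the article says can go unnoticed.
ACTIVITY_LOG = [
    {"t": 120, "user": "FF_FIN01", "action": "create_vendor", "obj": "V-9001"},
    {"t": 310, "user": "CONSULT1", "action": "pay_vendor", "obj": "V-9001"},
    {"t": 400, "user": "BUYER2", "action": "order_inventory", "obj": "PO-77"},
    {"t": 450, "user": "WHSE3", "action": "receive_inventory", "obj": "PO-77"},
]


def resolve_actor(event, sessions):
    """Return the person behind an event: the firefighter's owner if the
    event falls inside a check-out window, otherwise the logged user ID."""
    for s in sessions:
        if event["user"] == s["ff_id"] and s["start"] <= event["t"] <= s["end"]:
            return s["owner"]
    return event["user"]


def find_sod_conflicts(events, rules, sessions=()):
    """Return sorted (actor, rule_id, obj) triples where one actor did both
    halves of a pair on one object. No sessions: firefighter work unattributed."""
    done = defaultdict(set)  # (actor, obj) -> actions that actor performed
    for e in events:
        done[(resolve_actor(e, sessions), e["obj"])].add(e["action"])
    hits = set()
    for (actor, obj), actions in done.items():
        for rule_id, (a, b) in rules.items():
            if a in actions and b in actions:
                hits.add((actor, rule_id, obj))
    return sorted(hits)
```

Running `find_sod_conflicts(ACTIVITY_LOG, SOD_RULES)` without the check-out log reports nothing, while passing `FIREFIGHTER_SESSIONS` surfaces the P2P-01 conflict for CONSULT1 on V-9001.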
4. Automate SAP audit reporting
SAP GRC software can eliminate the arduous task of hunting down and compiling data for auditors. ControlPanelGRC’s SAP Audit Management with AutoAuditor™ automatically executes reports and routes them for review based on your organization’s requirements. It integrates with your other SAP GRC modules, delivering a complete report for internal review or external audits. That integration facilitates remediation – allowing you to act on auditor findings immediately.
5. SOX compliance checklist for database
The SAP transaction data that underpins your financial reports should receive attention in the SOX compliance process. SOX Section 302.2 dictates, “Establish safeguards to prevent data tampering.” You’ll be audited to determine whether you’re meeting this criterion. The best practice is to implement GRC software for SAP that tracks user log-in access to any endpoint in the SAP landscape that has access to sensitive data. Section 302.4 adds to this, requiring that you “establish verifiable controls to track data access.”
6. An SAP SOX compliance checklist and solution in one
ControlPanelGRC automates every step of the SAP GRC SOX compliance process. It provides risk evaluation, real-time monitoring, and effortless reporting and risk remediation. Contact us for a free SAP GRC risk assessment to learn how your organization can remediate SoD risks and take the stress out of SAP SOX compliance.