How to Translate SOX into SAP

Former Member

My company is currently implementing SAP. We are a SOX-compliant company. My problem now lies in doing the SoD, i.e. creating the SoD matrix. So I guess first we identify our processes and risks. How is this done? And then how do you translate it into SAP terms, especially in terms of roles?

Your inputs are highly appreciated.


Former Member

Hi,

Best start is to do a search on this forum for SOD or segregation of duties. There have been a few detailed posts about how to approach this from the perspective of rule definition and applying that during the design phase of an implementation. There are links to templates too which may help with your identification of risks etc.

If you are SOX compliant already then this should have already been done to some extent (in your legacy apps) so it might be worth talking to your internal audit/controls team about how it was done in the past. The applications will change but the principles remain the same.

Good luck, if you can't find anything let me know & I will try to dig out some posts. You may find some info in the FAQ at the top of the page too.


Most important is to identify the tasks that should not be performed by a single person (SoD matrix). Preferably this is done as part of the process description that should be created as one of the first steps in the implementation; this matrix should be approved by a senior finance manager (CFO). The SOX part here is nothing else than that you must be able to prove that you adhere to your own SoD and other rules. There should be a Security Strategy in your company, and from there you must derive an SAP Security Strategy. This is a big team effort where the SAP security consultant plays only a small role; Internal Audit is to be in the lead here.
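The SoD matrix and its mapping onto roles described in this reply, as an added example that is not part of the thread: a small Python check that takes a matrix of task pairs one person must not hold, expands each user's roles into the tasks they grant, and reports every conflicting pair, including conflicts that only arise from the combination of two otherwise clean roles. Task, role and user names are constructed placeholders, not real SAP authorization objects.

```python
# Added example, not code from the thread: evaluate an SoD matrix against
# SAP-style role assignments. All task, role and user names are constructed.
SOD_MATRIX = {
    # Pairs of tasks that must not be held by one person (constructed).
    frozenset({"create_vendor", "post_vendor_invoice"}),
    frozenset({"post_vendor_invoice", "release_payment_run"}),
    frozenset({"maintain_user_master", "assign_roles"}),
}

# Role -> tasks it enables (constructed; in SAP these would be the
# transactions / authorization objects behind each role).
ROLES = {
    "Z_AP_CLERK": {"post_vendor_invoice"},
    "Z_VENDOR_MASTER": {"create_vendor"},
    "Z_TREASURY": {"release_payment_run"},
    "Z_BASIS_ADMIN": {"maintain_user_master", "assign_roles"},
}

def tasks_for_user(user_roles, roles=ROLES):
    """Union of the tasks granted by all of a user's roles."""
    tasks = set()
    for role in user_roles:
        tasks |= roles.get(role, set())
    return tasks

def sod_violations(assignments, matrix=SOD_MATRIX, roles=ROLES):
    """Return {user: [(task_a, task_b), ...]} for each conflicting pair a user
    holds. Conflicts are detected across roles, not only within one role, which
    is the case a per-role review alone misses."""
    report = {}
    for user, user_roles in assignments.items():
        held = tasks_for_user(user_roles, roles)
        hits = sorted(tuple(sorted(pair)) for pair in matrix if pair <= held)
        if hits:
            report[user] = hits
    return report

# Constructed user -> role assignments.
ASSIGNMENTS = {
    "alice": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],  # conflict only via two roles
    "bob": ["Z_TREASURY"],                        # clean
    "carol": ["Z_BASIS_ADMIN"],                   # conflict inside one role
}

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(user, pairs)
```

The report is the kind of evidence the reply refers to: it shows, per user, which matrix rule is breached, and running it on every role change gives a repeatable check rather than a one-off review.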


> This is a big team effort where the SAP security consultant plays only a small role; Internal Audit is to be in the lead here.

I agree. Best for Internal Audit to lead unless you are reasonably experienced in defining & implementing SOD. Even then, they will be people you work very closely with.