
BSI sets the standard for SAP access risks and SoD

Governance, Risk and Compliance (GRC) solutions from EPI-USE Labs’ partner Soterion enable the British Standards Institution (BSI) to manage and report on their user access risks and SoD effectively.

85% reduction in potential risks

Improved auditor trust

Provisioning and monitoring of wide access to users

Customisable and user-friendly reports

About BSI

The British Standards Institution (BSI) is the national standards body for the United Kingdom. BSI produces technical standards on a wide range of products and services, and supplies certification and standards-related services to businesses. Their purpose is to bring together every aspect of society and, through consensus, deliver independent, robust and expert best practice that enhances:

  • Innovation
  • Productivity
  • Sustainability
  • Safety


Thanks to Soterion, I can ensure that our estate is secure, the data is secure, what people can and can’t do is secure. And the ability to report on that means that I feel secure, and we are doing the best for the organisation.

Zaki Mouden
Global Head of Enterprise Applications, BSI

The challenge: Minimal access and SoD controls

BSI has an SAP ECC6 system with around 1 200 users. They had very few controls in place to manage the risks of user access, reporting and Segregation of Duties (SoD) in their SAP environment. When they received a request for an internal audit of their finance system, they extracted all the requested reports by a long, manual process, and found several high- and medium-risk areas.

They identified five challenges in their internal access control processes:

  • Directive controls: Periodic reviews of their user access rights were not performed consistently.
  • System reporting: Their existing user access reporting tool did not provide sufficient detail to perform an effective review process.
  • Third-party users: Third-party users received similar access to internal employees, without sufficient monitoring.
  • Super-users: Super-access rights were granted to members of internal teams: Finance System, SAP Experts, and Data and Reporting Integrity. This needed to be checked.
  • Inappropriate user access rights: Access rights were not allocated correctly, and SoD was inadequate.

Extracting reports manually was a painful process, and we found a number of risk areas we needed to address. We realised that Soterion could solve our needs with their out-of-the-box solutions.

Zaki Mouden
Global Head of Enterprise Applications, BSI

Soterion solutions: mitigating all risk areas

To overcome and resolve the risk areas, BSI’s options included:

  • doing nothing: using existing reports to extract data, and then manually manipulating it in Excel to produce the required reports.
  • building custom reports in SAP, using the existing ABAP-developed programmes and customising them (accepting the risks that come with this approach).
  • finding a tool that could help them identify and resolve the risks.

BSI decided to adopt the solutions from EPI-USE Labs’ partner Soterion, which provides GRC for SAP clients. Soterion gives them a list of all the access risks within SAP, and they can run reports on which individuals should have specific access, using the built-in SoD parameters. This allowed them to develop a best-practice process, rather than falling back on historical ways of operating.

Compared to other systems I’ve used, it’s a lot simpler. It took us around a week to get it up and running. Support is amazing; Roy from EPI-USE Labs is our go-to person; he is always available and willing to help. It’s not what you normally get from large organisations.

Zaki Mouden
Global Head of Enterprise Applications, BSI

Solving GRC for BSI

BSI is putting Soterion’s solutions to good use, including:

  • Allowing business users to extract their reports based on their roles and responsibilities. Not everyone needs SAP access. They have amended access to ensure that everyone can access what they need to for their specific roles, without exposing and risking company information.
  • Amending transaction codes based on Soterion’s reports.

Benefits

  • 85% reduction of potential risks
  • Detailed reporting of all access risks
  • Reporting of risks in a business-friendly user interface
  • Full audit log of activities performed by user
  • Implementation in one week
  • Cost savings, autonomy, no need for Basis assistance

We’ve had a lot of positive feedback from the end-users. We’ve given access to each individual department within Finance, so they can run their own reports, and they’ve all said it’s user friendly, intuitive and simple. You don’t need Basis to change anything, and it’s a much lower cost as we can maintain it ourselves.

Zaki Mouden
Global Head of Enterprise Applications, BSI