How do I prepare my SAP environment for UK SOX?

18 June 2021
Written by Salomé Jaussaud

Salomé is a Cloud and Security Marketing Specialist for Europe. She completed her master degree through Microsoft before joining the EPI-USE Labs team. Her goal is to research different challenges in the market and share SAP knowledge with the IT industry.

Blog-UK-SoX-Soterion---Hero-Image_V2

Just as the 2001 Enron scandal led to the enactment of the Sarbanes-Oxley (SOX) legislation in the US, so major business failures in the UK ‒ such as the large contractor Carillion, the retailer BHS and Patisserie Valerie ‒ have hastened the Government’s decision to put SOX in place here. The aim is to ensure that management is reporting an accurate view of the business to the auditors and shareholders.

 

If your SAP® system is relied on for your financial reporting, then you must be certain that the information that it holds is a faithful reflection of the organisation’s real accounts. That means that all access to the system must be aligned closely to the user’s job functions and it must be regularly verified, to ensure the integrity and confidentiality of the data. This is, of course, also very much in line with the GDPR requirement of ‘Privacy by Design’, which needs to be applied when providing access to information systems such as SAP.

GRC for SAP challenges
GRC for SAP challenges_V4

What are the UK SOX directives?

Brydon published a report “Restoring trust in audit and corporate governance” proposing guidelines to strengthen the UK framework for large companies and the way they are audited. The estimated date for these new rules to enter into force is December 2023. Here are the key findings from the report:

The CEO and CFO must provide an annual attestation to the board of directors as to the effectiveness of the company’s internal controls over financial reporting and that this attestation be guided by new principles on internal controls reporting to be developed by the Audit Committee Chairs Independent Forum and endorsed by ARGA. [2.8.3] “.

Companies will be required to disclose when any material failure of their internal controls has taken place. A disclosed failure would lead to the CEO/CFO attestation being subject to audit for the following three reporting years. [2.8.4] “.

This means that manual processes such as excel spreadsheets will probably no longer be allowed. Companies using SAP will be invited to move their manual processes into automated GRC applications for SAP. UK SOX also means that the management team must quickly identify who made changes in the SAP systems and when.

What should your GRC tool include to comply with UK SOX?

Basics of SOX Compliance_V2
Building the best GRC for SAP strategy for your organisation requires a flexible and business-centric tool with the following capabilities:

Identify access risks: The ability to identify SAP access risk exposure and show clean-up opportunities via a user-friendly web application.


Review access alignment: Check that users’ access is limited to what they actually need to do for their job and identify superfluous access.


Periodic review of users’ access:
Allow your business users to review the SAP users’ access risk in your SAP systems periodically with ease and efficiency. This process will significantly improve the visibility of your GRC environment, and may be an audit and statutory requirement for your organisation.


Provide emergency access
: When a user’s access is closely aligned to their daily job requirements, there may well be a need for temporary or emergency access for a limited period – often called firefighter access. You should be able to do this efficiently, and provide a complete audit trail.


Trust relationships: Allow monitoring of terminals where users login and the times, in order to discover anomalies that might indicate unauthorised or inappropriate use.


Provide full audit trail: Store a complete audit trail of all changes made to users’ access in the SAP system.

It should be remembered that the GRC tool is just one part of an overall GRC strategy that must be designed and implemented to ensure that all regulatory requirements can be met:

  • There needs to be an effective Enterprise Risk Management process in place.
  • Security and role design must be easy to maintain and support the compliance environment.
  • Internal controls must be designed to cover all residual risk in the environment.

This strategy enables the GRC tool to do an effective job of maintaining and monitoring the SAP system.

 

Curious for more information? Find out about GRC for SAP solutions and request a demo.

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act SAP data privacy and compliance POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Client Sync Data Protection Day Data Sync Manager (DSM) Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP RISE SAP S/4HANA SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Proportional Data Protect personal employee data RISE BRIDGE Managed Services Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP Data Processing Agreement SAP SuccessFactors SAP access risk simulations SAP data SAP data encryption SAP system refresh SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security for SAP. Live Sensitive HCM data South African data privacy legislation Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: