Most organisations will have implemented a variety of audit and compliance control checks, or 'process controls', of one sort or another, whether they be weekly checks on which accounts have SAP_ALL access (none of course!); daily checks that the SAP live client is closed; or perhaps more sophisticated process controls such as periodical user access review and recertification. Such checks are fundamental to reducing risks within your business, and they will also significantly reduce the costs of preparing for and performing external audits.

However, the majority of such process controls that we see are very much manual affairs which often involve creating bespoke reports or exports of data from SAP. These reports then get manually eMailed around to testers or approvers in an 'editable format' (Auditors hate these words!) and then of course the long process of chasing them up to get them signed off begins. Manual methods also mean that there is no centralized view of the status of any of your compliance controls.

So how can this all get automated, centralized and protected, along with a full history that we can show to the auditors?

A number of our ProfileTailor™ Dynamics (PTD) customers have started to use the tool’s built-in capabilities to both formalise and automate various types of process controls providing the business with a centralized, documented and audited account of each time the process control was run and signed-off. PTD Process Controls can run daily, weekly, monthly, quarterly, annually or they can be dynamically triggered based upon an event occurring. Event driven PTD Process Controls can be really effective - for instance triggering an ‘authorisation and access review’ process whenever any employee movement is detected - or perhaps triggering a GDPR data access alert and escalation workflow if ProfileTailor detects a potential breach of personal data.


There are essentially four types of Process Control available within ProfileTailor:


Scheduled Control Test

A Scheduled Control Test can be thought of as a recurring to-do item that prompts the designated process control 'tester' to perform a task such as checking that the SAP live client is not open for changes. Once they have checked or tested the process control then they can digitally sign it off.

You can also add test procedures and instructions to the PTD Process Control definition to inform the 'tester' how they should carry out the process control test. For instance "log into SAP, go to transaction code SCC4 and check that the client status is set to 'no changes allowed'"


Static Report

Existing ProfileTailor users will know how easy it is to set up scheduled reports within the system - for instance, keystroke level usage reports of direct table access via SE16.

Converting such a report into a more formalized PTD Process Control would take only a few minutes but would give you the added advantage of retaining an online history of the report which is kept inside ProfileTailor in an uneditable format along with an audit trail of each time the report was created, the reason why direct access was used, who reviewed their actions and then signed it off.


Interactive Report

Some types of process control will be report based but you may want the ability to approve or reject the contents on a line by line basis - for instance when you are reviewing an employee's SAP roles and authorisations. This is where ProfileTailor interactive on-line reports come in handy as they allow you to approve or reject a report on a line-by-line basis such as choosing which roles and authorisations an employee should lose or keep during an access review.


Custom Workflow

When a PTD Process Control runs, whether that be on a regular schedule or via a dynamic trigger, it essentially executes a pre-configured workflow in the background. However, ProfileTailor’s workflow engine is incredibly powerful - it can do things such as execute SAP commands, provision/de-provision users and authorisations, or even interact with non-SAP environments such as Active Directory or cloud systems. This means that you can create some sophisticated automation as part of your process controls - perhaps forcing off a user account that has unusually accessed personal data. As part of a workflow you can also specify that a document must be uploaded (perhaps a signed chitty) before the process control can be completed.


Visibility and Management of your Process Controls


As you would expect with a tool like ProfileTailor Dynamics you also get a Process Control dashboard which allows you to see the current status and audit history of all of your process controls and whether they are complete, rejected or pending. They can also be grouped into logical Business Processes such as Procure to Pay, SAP Security or Order to Cash.



ProfileTailor will even send out reminders or perform automated escalations if PTD Process Controls haven’t been completed within an alloted timeframe.

 


To find out more...

Why not arrange a demo with us? Please use the following link to contact us and we will be happy to set something up


Contact Us

View Brochure

Go to ProfileTailor Web Pages

You can also share this page via the following buttons: