The Complete Guide for

Conducting a Successful
SAP® Authorization
Review
Introduction
What is an Authorization Review, & Why You Need It
Why should I be performing authorization reviews?
The process of reviewing authorizations enables
enterprises to verify that authorizations granted to
employees are still valid. This process entails that a
manager goes through each authorization allocated
to each of his/her employees, and decide whether to
remove or keep it. In some cases, the authorization
review process ends after a single manager’s approval.
In other cases, additional approval steps from
senior management are required. At the end of the
process, a list is produced of all the employees whose
authorizations were not approved and therefore needs
to be removed.
The authorization review process is required by
SOX and equivalent regulations, so companies need
to perform the review at least once a year. Many
organizations perform these reviews twice a year or
even quarterly, depending on legal obligations and the
requirements of the company’s auditors.
“Authorization Review” is also often called “Access
Review” or the “Authorization Inspection” process. Only
after achieving a complete view of all authorizations
can organizations remove unused ones.
The Importance of the Authorization Review Process
The importance of the authorization review process
is not only related to financial regulations like
SOX. In addition to being a regulatory obligation, a
periodic review ensures that employees are holding
authorizations for justifiable reasons. Over time, a full
overview of employee authorizations is achieved via a
comprehensive list detailing all of the authorizations,
the usage pattern per each authorization, and
the name of the manager that approved the
authorizations.
After achieving a complete view of the authorizations,
organizations can:
• Remove unused authorizations
• Identify usage of sensitive authorizations
• Investigate irregular behavior
• Comply with SOX regulations
White Paper | Conducting a Successful Authorization Review
Terms & Definitions
User/User Account
The employee’s account in a specific system. For
example, JOHN_S in the ERP system, or account john.
smith@xpandion.com in the Active Directory system.
Employee
The term used in information systems for the logical
entity that represents the human employee. An
employee can have a number of user accounts in
a number of different systems. For example, the
employee John Smith has a user account JOHN_S in
the SAP ERP system and the user account JOHN_SM
in the CRM system.
Organization’s Auditor
External or internal auditors. In general, the
requirement for conducting an authorization review
process and its related follow-up actions come from
the organization’s auditor. Therefore, this document
refers to both types of auditors interchangeably.
Provisioning
Performing an actual change in authorizations
using an automated method for adding or removing
authorizations to users.
Organizations with more than one system
and 500+ employees should definitely
utilize an automated tool for reviewing
authorizations.
An effective automated tool sends reminder
emails to managers that did not perform
the review in accordance to the defined
timeframe.
2
Related Processes
In general, the authorization review process is one
of four significant authorization-related workflow
processes:
1. Authorization Review - the process discussed in
this document.
2. Authorization Request - the process in which
an employee requests additional permanent
authorizations to answer a specific long term
business need, or a temporary authorization due to
organizational needs such as replacing someone
on vacation. The process begins with an employee
requesting an authorization to a certain system
and ends with either granting or rejecting the
request.
3. New Employee/Account Creation - the process of
creating a new record in the HR system for a new
employee, then creating usernames in the relevant
systems and allocating the required authorizations
according to organizational needs for the purpose
of commencing work. In most organizations,
creating new accounts for an employee is
performed by copying an existing employee’s
account, which can result in replicating many
unnecessary authorizations.
4. Closing Employee’s User Account - the process of
closing all user accounts in the event an employee
leaves the organization. The term “closing”
changes from system to system according to a
company’s standards for saving data. Some user
accounts are erased, some are only locked, and
others receive an expiration date earlier than the
current date. The trigger for this process is the
event of an employee leaving or prior notice from
the HR department.
Emergency Access
The emergency access process interfaces with the
four previous processes and deals with the immediate
need to perform an irregular task in the production
environment. SOX regulations require enterprises to do
this only by enabling privileged and timely access into
the production systems.
Emergency access in response to a situation where
an employee who is not supposed to access the
production environment needs access for a limited
amount of time and for a specific ad hoc reason (for
example, to inspect a bug or train an end-user for a
specific purpose). Rather than allowing IT users to
freely log into the production system
White Paper | Conducting a Successful Authorization Review
(creating unnecessary user accounts and the
possibility for security breaches), it is recommended to
implement an emergency access process.
Emergency Access Process Flow
1. Employee opens a request for immediate,
privileged access and provides a reason for this
request.
2. Supervisor grants defined, privileged access or
additional authorizations to the specific user
account.
3. Employee logs into the production system and
performs the required task.
4. The account is automatically locked when the
defined time for the privileged access is over.
5. A detailed report of all activities performed in the
production environment is sent to the supervisor
for approval/inspection.
Individual Authorization Review
In many companies an authorization review is
performed immediately after an employee changes
positions. This is because when an employee
switches positions, the organization must verify that
all authorizations from the previous position are still
relevant for the new position. If not, changes must
be made immediately to the current authorizations
in order to adjust them to the responsibilities of the
new position. Other organizations adopt more strict
approach, removing all authorizations first and only
then allocating the required authorizations, as if they
are dealing with a new employee.
While the latter method makes sense, it may
disturb the employee and/or company’s proper
and functional performance, as many employees
receive authorizations outside their formal position,
such as access to personal network folders and
the ability to execute special queries. An individual
authorization review that is performed automatically
after an employee switches positions is strongly
recommended. Such a process prevents unpleasant
surprises that tend to occur during a periodic
authorization review.
3
Authorization Review Process - Manual
vs Automated
Choosing between a manual or automated
authorization review process is dependent on the
amount of available resources and the complexity of
the project. The more systems an organization has, the
more complicated the authorization review process
can be, and the more resources are needed. Therefore,
in such a case, an automated process adds great value
to a company, saving time and unnecessary hassle.
Similarly, if an auditor demands complex requirements
for the review process (such as exact documentation
for each step, the reason behind each authorization,
second approval by senior level management, etc.) an
automated tool becomes a must. In addition to the
great savings in time and resources, authorization-
related information is more up to date and can be
documented easily, which pleases auditors and
management alike.
Furthermore, an automated tool allows for the process
to be repeated easily (based on previous reviews)
without requiring additional resources and without
depending on the organization’s experts.
Many small organizations with just one system
also prefer using an automated tool in order to
be prepared at all times for any changes or new
requirements. Changes can include a new auditor, a
new organizational structure, a request to view records
from a previous process, etc. Small companies also
see the value in an automated tool for improving the
quality of the process and for obtaining accurate
cross-organizational information so they can perform
the review in the most professional way.
From a departmental point of view, an automated
tool enables the process-owner and the auditor to
know the exact status of the review by business
units or business processes at any given moment.
The process owners can be in control and easily see
different views: how many authorizations need to be
reviewed, how many authorizations have already been
reviewed by second level management, and how many
authorizations have not yet been reviewed. With an
automated tool, departments are able to control the
entire process, provide clear reports to management
and reach accurate decisions.
White Paper | Conducting a Successful Authorization Review
Authorization Review Tool - Installed
Locally vs Cloud
In general, Cloud-based applications usually do
not involve continuous connection between the
organization’s internal systems and the Cloud; rather
they require loading data occasionally to the Cloud. For
example, a CRM system in the Cloud, like Salesforce.
com, means, in most cases, that employees work only
in the Cloud and do not use data from internal systems
inside the organization. Therefore, there is usually
no need for continuous connection between Cloud
applications and the organizational network.
Surprisingly or not, due to the many services available
in the Cloud, more and more organizations are
reviewing their employee’s authorizations of the
internal systems using the Cloud. The data is obtained
from the internal network (either automatically or
manually) and then transferred to the Cloud. Emails
are sent to managers via a server in the Cloud, and
managers work on web pages that are located in the
Cloud and not inside the organization internal system.
The main advantage of performing an authorization
review process using the Cloud is the fact that no
hardware is needed. When servers are not installed
within an organization, there are no installation costs,
no need for ongoing maintenance, nor determining
password policies, as well as no need for technicians
if something goes wrong. In addition, working in the
Cloud facilitates organizations to allocate resources
exactly as needed. The Cloud entails payment only
for the exact amount of time required to complete the
process and saves upholding hardware costs after the
review ends.
What about the data itself? The most common belief
is that data is not totally secure in the Cloud. However,
even if we ignore the robust security methods of the
Cloud, (like SSL access, security reviews, penetration
tests, etc.), most Information-Security Managers will
agree that exposing data required for the authorization-
review process such as usernames and roles, cannot
be compared to the larger risk of exposing business-
related information. Not that exposing usernames
and authorizations should be taken lightly, but in most
cases the risk is minimal compared to the potential
benefit.
4
In the end, in regards to authorization review, the
choice between on premises installation or Cloud
is mainly based on the organization’s policy and
its approach to innovation. The more traditional
organizations, such as banks and insurance
companies, are expected to choose classic installation.
The more innovative companies, especially companies
that already use the Cloud for other services, may
consider conducting an authorization review process
using the Cloud.
Automated Authorization Review Tool -
Key Features
An effective automated authorization review tool
includes, at the very least, the following features and
abilities:
1. Review options
The tool must be able to support the following review
options:
• Review of all basic activities allocated to an
employee, such as opening supplier accounts,
updating records, etc.
• Only reviewing sensitive authorizations, per
employee (for immediate and rapid review).
• Only reviewing specific activities such as
financial activities, per employee.
• Reviewing authorization groups (roles)
allocated to employees. If there is a need for
a quick review, some objects can be removed
(but this will result in a less thorough review).
• Only reviewing some employees, a specific
user group, department, etc.
• Reviewing only changes in the authorization
allocation since the last successful review.
Advanced Reviews:
• Reviewing business such objects as
authorizations to warehouse, to company
codes, etc.
• Reviewing activities that haven’t been used.
• Reviewing authorizations according to position.
• Reviewing authorizations resulting from an
organizational change.
White Paper | Conducting a Successful Authorization Review
2. Requirements from a process point of view
• Support the ability to retrieve authorizations
data and maintain a centralized database for
employees in operational systems.
• Obtain the HR system’s organizational
structure and upload it to the main system.
• Email managers with a link to their employees’
authorization review.
• Allow managers the ability to highlight the
authorizations they want to cancel and keep,
according to the following options:
* Approve/reject authorizations per user
* Approve all authorizations in department
* Reject some authorizations & approve the rest
* Approve some authorizations & reject the rest
• Continuity of a Review. Permit managers to
review some authorizations, shut down their
computers, and return later to complete the
reviews of only the authorizations that are still
open.
• Requests to Cancel. Allow those authorizations
marked as canceled to be sent to a special
database where they can be handled by the
person responsible for the relevant system.
• Data owners must have the ability to
review authorizations. This means that
the key financial user reviews all financial
authorizations, the asset expert reviews all
authorizations related to asset accounting, etc.
Note: Even if this option is not relevant to your
current review requirements, it is important to
ensure that the tool supports it in order to allow
future modifications based on current reviews
and changes in the auditor’s direction.
• Quickly obtain authorizations data from the
various systems. In many organizations this
is done manually and repeatedly for each and
every system! By the time the data is fetched
from the last system, time has elapsed and the
information from the first system is no longer
100% accurate. Therefore the tool must be able
to repeat the process quickly, and to recover
data in case of a technical malfunction.
• Upload user and authorization data from Excel.
This feature is needed for systems that do not
support direct connectivity or if connecting
to them is complicated. It is very frustrating
to discover in the middle of the process that
there is a legacy system for which the auditor
demands a full review, yet there is no easy
option to upload the data from it to the main
system.
5
 • Current status of the review: It is critical to be
able to understand the status of the review at
a glance: how many authorizations need to
be reviewed, how many authorizations have
been reviewed and how many authorizations
still need to be reviewed? The status should be
divided into different views for departments,
managers, user groups, etc. Sage advice:
The report should be understood not only
by system technicians but also by business
managers.
Thorough documentation of the whole process for
easy access at a later date. The entire process, each
approval, rejection, change in definitions, and every
ticket for cancelling authorizations must be easily
accessible after the review, even after a long period of
time. Many times, during an audit or investigation, the
question “Who asked to remove this authorization, and
why?” arises, and the answer must be easy to find.
3. Requirements from a business performance point
of view
• Review employees, not users. Managers
tend to have a limited amount of time for
audit-related tasks and therefore need to be
able to review an employee’s authorizations
in all systems with one view. This is the key
to pleasing managers and to getting a quick
response from them. In other words – it should
be possible to review each employee and all of
his/her authorizations over the various systems
in one view.
• Resend a reminder or the full request again to
managers that did not perform or complete the
review. Many managers need a reminder or two
before taking the review seriously .
• Support “Cancellation Tickets.” Cancellation
requests need to be documented in relevant
tickets – one ticket per each cancellation
request. These tickets can then be handled
later by the Helpdesk or by the relevant
authorization managers. In many cases,
the auditor needs to see the full flow of the
cancellation request – therefore, supplying
cancellation requests by tickets is a rather
good solution.
White Paper | Conducting a Successful Authorization Review
• Provisioning. For certain systems in an
organization, such as the main systems,
provisioning is strongly recommended for
changing authorizations automatically and for
documenting the actions in the appropriate
ticket. This ensures that no one will make
manual mistakes during the tedious process of
removing authorizations, and simultaneously
increases the level of security.
• Multi-language user interface support. It is
proven that responsiveness to the authorization
review process is significantly higher when
the user interface is in the manager’s native
language.
• Simple and clear language. The language of
the user interface needs to be understandable
by business managers so they can make
educated and accurate decisions. Role
names like ZLO_NOCHANGE provide little
or no information to non-technical people,
so managers may inadvertently sign
authorization reviews without really knowing if
the authorizations are required, which causes
a rubber stamp situation. Instead of unclear
names, use role descriptions that have a
meaning, like “Logistic authorizations: reports
only, no change options.”
• Employee details. Employee details like names
and positions must be displayed clearly
because managers usually refer to employees
by personal information and not by user
accounts.
• Automatically indicates sensitive authorizations
in the full authorization list. This is critical,
because when managers can visually identify
sensitive authorizations, they can focus on
them quickly and make smarter decisions.
For example, “opening an account entry” can
be defined as a risky action that should be
highlighted clearly in the manager’s review
page.
• Display last usage for each authorization. If the
system being reviewed includes usage records,
the review needs to provide information
regarding the last time the authorization
was actually used. Managers find it easier to
remove an authorization from an employee
when they see that the last time it was used
was over a year ago, as opposed to one that is
being used frequently.
6
4. Additional Requirements
The tool should also have these important capabilities:
• Delegation option. One manager can transfer
the review to another manager, as in the case
when an employee does not work directly
under said manager. In addition, delegation
should be permitted for authorizations that
have more than one appropriate manager to
approve them.
• Saving the data to a file. The output can be
saved to external files, such as saving audit
reports to Excel and user forms to Word or PDF.
Managers and many other users require saving
capabilities, usually for backup purposes, and
the tool should enable this action. The output
must be able to be saved in a nice, graphical
style to guarantee user satisfaction.
6 Recommendations From Our Customers
The following useful suggestions come straight from
customers and consultants that have implemented
an automated authorization review process in their
organizations:
Tip 1: Prepare enough time in advance
The average time for the first implementation is
between two weeks to three months. The length of
time depends on the number of systems, the readiness
of the databases and the organizational culture.
Therefore, it is recommended to be prepared ahead
of time, especially if additional resources need to be
included.
Tip 2: Get top management support
It is essential that higher managers like the CEO
and CFO support this process. Involving senior
management and sending them status reports ensures
that the review will end on time and successfully.
Tip 3: Involve the auditor
At the end of the day, the auditor is the real customer
in this process. It is recommended to involve them
along the way to receive professional guidance and
to increase their level of satisfaction and confidence
in the process. It is also a good idea for the auditor to
appoint a representative to participate in regular status
meetings, while the auditor him/herself should be
present in the company’s executive meetings.
White Paper | Conducting a Successful Authorization Review
Tip 4: Prepare proper infrastructure
To avoid issues that might slow down the
implementation process, and to maintain an
atmosphere of success, it is important to prepare
proper infrastructure. The infrastructure may include
the required hardware, additional software programs
(such as Microsoft Office in a certain situations,
graphical elements, etc.), preliminary installations
(database, Windows), and allocation of authorizations
to the different systems.
A delay in any of the above will postpone the
implementation and the auditor might disqualify the
authorization review for that period. Preparing the
proper infrastructure shortens implementation time,
improves the level of satisfaction and enables the
review to begin as scheduled.
Tip 5: Hold regular status meetings
During the implementation process, from the
beginning and until the end of the review, it’s a good
idea to conduct status meetings. In these meetings,
the timetable and remaining tasks should be reviewed.
This is to ensure that enough time is left to complete
the authorization review and to implement any
changes.
Tip 6: Train the reviewers
Conduct a training session in the organization for all
managers that are supposed to use the authorization
review tool. The meeting should be run by the person in
charge of the tool (ideally, an internal employee), with
the goal of increasing the managers’ confidence in the
process. Professional training equals high satisfaction
and fast authorization reviews.
Summary
By following the requirements, advice and guidelines
in this guide, enterprises will be able to verify that
authorizations granted to employees are valid and
comply with regulations. They will also be able to
increase their control of employee authorizations.
Conducting the review at least once a year will ensure
that employees hold authorizations for justifiable
reasons and allow the organization to make the proper
decisions regarding its authorization compliance.
7