Automating SAP User Access Reviews

User Access Reviews are pervasive controls that are always very difficult for organizations to manage. If performed incorrectly or infrequently, they can lead to material weaknesses in a company. Inappropriate access for material transactions and material areas of your ERP system can jeopardize not only the audit but a company’s entire operations, leading to misstatement, fraud, misappropriation, and misuse of access.

Considering User Access Reviews are the final line of defense for all IT controls, the lack of standardized procedures surrounding this key control can be concerning. For many IT, Finance and Accounting organizations, rolling out and administering User Access Reviews on a periodic basis is an all-consuming project and can be extremely painful.

Below are the Top 5 Pain Points of User Access Reviews, as noted by CTOs, CIOs and Internal Audit Teams:

1. Manual & Time-Consuming

Extracting information out of your ERP system to automatically highlight the risk areas, users, and profiles that need to be segregated is a manual, lengthy process that is time-consuming and can drain internal resource hours.

2. Tracking

Once information is obtained, the UAR Project Admin ends up with an average of 30 to 50 reviews that have to be validated by the appropriate Managers and Supervisors. This process is typically facilitated manually through email and requires the UAR Project Admin to babysit the process to closure, which can be time-consuming and painful.

3. Lack of Standardization

Currently, there is a lack of desktop procedures and best practices for this process, and no checklist of items that require sign-off. This leads to a lack of audit trail and a higher rate of errors.

4. Requires a Dedicated Champion

No one ever wants to manage the UAR project simply because it’s an admin-heavy effort requiring significant hours to complete properly. Rounding up various parties to get the reviews completed is an incredibly burdensome task for already stretched teams, whether it’s the IT team or the Finance and Accounting team.

5. Lack of Visibility

Even with a formal User Access Reviews process in place, there are still many gaps. From the minute you kick off the User Access Reviews process, getting responses back can take weeks or, in bad cases, months. This is far from an ideal situation for UAR Project Admins, who today have to manually track progress and notification emails.

The ideal solution is one that provides timely status and timely action items, and facilitates a workflow with proper sign-off procedures to track the User Access Reviews process to close in a clear and automated way.

SOXHUB & ERP Maestro Team Up to Provide Fully Automated SAP User Access Reviews

SOXHUB is partnering with ERP Maestro to make this ideal solution a reality. With this new integration, SAP clients can leverage ERP Maestro’s automated platform to gain access to User Access Review listings, which will automatically become populated into SOXHUB. Those User Access Reviews will automatically kick off and create tasks in SOXHUB’s workflow automation tool, and automatically assign preparers and reviewers their due dates.

Benefits of this integration will include:

  • Dashboard that funnels highlights up to the CFO/CTO on a day-to-day, real-time basis, showing where the User Access Review status stands and who is responsible for the gaps. (See ERP Maestro Reporting.)
  • Automatic Workflow and Notification Reminders. If the tasks are not completed by the due date, reviewers will automatically receive reminder notifications.
  • Desktop Procedures. All requirements the end user has to sign off on are included, as well as accompanying desktop procedures and any questions or exceptions.
  • Full Visibility into the risk profiles of areas where the User Access Review is not being performed, by business entity, users, or departments. Instant visibility into noted issues as identified by the Reviewers.
  • Save Resource Hours. SOXHUB and ERP Maestro’s integrated solution will eliminate the need for a UAR Project Admin to manage and administer the User Access Review process for 1-2 months at a time. Now this individual can focus more on value-add issues around UAR and SOD, such as highlighting the key risk areas to the CFO.

The purpose of the partnership between AuditBoard’s WorkStream and ERP Maestro is to provide fully automated tasks and solutions for User Access Reviews. This integrated solution is something that can be consistently rolled out with consistent results, in a very short amount of time. To find out how you can automate User Access Reviews, request a demo today.


Art Turrubiartes, CPA, is the VP of Product Solutions at AuditBoard. Before joining AuditBoard, Art was a Risk consultant at EY, and has 5 years of internal audit experience within the Technology and Media & Entertainment sectors. Art’s focus at AuditBoard is to help internal audit teams drive efficiency in their programs and ultimately provide the best product solutions to clients. Connect with Art on LinkedIn.