Many small and medium sized companies struggle with this challenge. Let’s say they have a sales representative who’s located in another country. Which authorizations should he get? Should he have access to the SAP system at all? If so, should he be allowed to only see SAP reports (“view only”) or should he issue sales documents too? The answer is not easy, and might involve solving or remediating Segregation of Duties violations during the analysis process.
Who is this person?
Many organizations relocate a business development or senior sales person to another country to be their local representative. Others recruit him directly in the remote country as a local agent. However it is done, the first authorization-related decision is to determine which business functions he should perform and therefore which permissions he needs. In most cases, the answer will be one of the following business functions:
1. Access to corporate email and the organization’s calendar
2. Access to SAP and other core business applications for self-service activities (such as asking for a vacation or to report his hours & tasks) and for viewing reports
3. Access to SAP for issuing sales-proposals (while the approval of the sales-proposal is done by other managers)
4. Access to SAP for issuing sales-proposals, approving them, issuing customers invoices and handling payments
Depending on which of these options applies, this person will get the permissions he needs to use the network and the SAP system.
While options 1, 2 and even 3 are quite straightforward from an SAP authorizations point of view, the most interesting and the only really challenging option in terms of SAP authorizations is the fourth one. In this case, the representative is essentially a full-service office abroad, serving customers from A to Z. This is the riskiest situation from a fraud point of view: if a single person can do “everything” in terms of taking care of customers, he is probably violating some SoD rules and the organization is obliged to track his activity. Furthermore, he can probably commit fraud much more easily than any other employee in the organization who does not hold this range of business functions.
Controlling the remote “one man show”
So in the situation of a remote “one man show,” you should do the following:
1. Identify the exact required business functions and define the right authorizations for this person
2. Check if there are any SoD rule violations and, if so, consult with your SOX managers or with your auditors on how to handle them.
• In most cases, if there are SoD violations, you will be required to mitigate the risks by defining reports for each risk.
• In this situation it is also recommended to track this person’s activity because sometime in the future, an auditor might come and ask, “How do you track this person’s activity?” You need to be prepared.
3. From time to time, inspect this person’s authorizations and verify that they are still valid.
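The SoD check in step 2 and the activity tracking in its second bullet can be scripted. The following is an added example, not code from the original post: the business functions are the ones listed above, while the conflict rule ids, user names and log lines are constructed for illustration (a real rule set comes from your SOX managers or auditors).

```python
"""SoD checks for a remote 'one man show' sales representative (added example)."""
from collections import defaultdict

# Conflicting function pairs, as a SOX manager might define them (assumed rule set).
SOD_RULES = {
    "SP-01": ("issue_sales_proposal", "approve_sales_proposal"),
    "AR-01": ("issue_customer_invoice", "handle_payment"),
}

# Option 4 from the post: the full-service remote office.
OPTION_4 = ["self_service", "view_reports", "issue_sales_proposal",
            "approve_sales_proposal", "issue_customer_invoice", "handle_payment"]

# Constructed activity log, one line per SAP action: user,action,document_id.
SAMPLE_LOG = [
    "rep_remote,issue_sales_proposal,SO-1001",
    "mgr_hq,approve_sales_proposal,SO-1001",      # approved by someone else: fine
    "rep_remote,issue_sales_proposal,SO-1002",
    "rep_remote,approve_sales_proposal,SO-1002",  # same user issued and approved
    "rep_remote,issue_customer_invoice,INV-55",
    "rep_remote,handle_payment,INV-55",           # same user invoiced and collected
]


def static_violations(assigned_functions):
    """Step 2: which SoD rules does this person's authorization set violate?"""
    held = set(assigned_functions)
    return sorted(rid for rid, pair in SOD_RULES.items() if set(pair) <= held)


def mitigation_reports(assigned_functions):
    """One monitoring report per violated rule, the compensating control the post describes."""
    return {rid: f"review all documents where one user did both {SOD_RULES[rid][0]} "
                 f"and {SOD_RULES[rid][1]}" for rid in static_violations(assigned_functions)}


def exercised_violations(log_lines):
    """Tracking: documents on which one user actually performed both halves of a rule."""
    actions = defaultdict(set)  # (user, document_id) -> actions performed
    for line in log_lines:
        user, action, doc = line.strip().split(",")
        actions[(user, doc)].add(action)
    hits = []
    for (user, doc), acts in sorted(actions.items()):
        hits.extend((user, doc, rid) for rid, pair in SOD_RULES.items() if set(pair) <= acts)
    return hits


if __name__ == "__main__":
    print(static_violations(OPTION_4), mitigation_reports(OPTION_4))
    print(exercised_violations(SAMPLE_LOG))
```

The static check answers the auditor's question about what the person can do; the log check answers the harder one about what he actually did.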
Which permissions should he have?
From a security point of view, granting a large set of authorizations to a remote sales person who handles all the business functions in a territory can be very stressful. Although it is a very common situation, each person is an individual with a mind of his own, and no two cases are the same. It might be best to implement a compensating control to safeguard your company from any possibility of fraud.
If you have this situation in your organization, please share below how you handle it and which policies you implement.