The customer uses a global solution for segregation of duties (SoD), based on the SAP solution GRC (Governance, Risk and Compliance).
The customer operates a distinct SAP landscape, with authorisation management based on the SAP role model. In addition to basic knowledge of the standard FI processes, knowledge of the basic SD and MM processes is required. Supplier master data is maintained in an SRM system upstream of the ERP system. In addition to the controls in the ERP system, controls also exist in the HCM system.
Access controls - i.e. internal controls - are used to detect critical tasks and activities in SAP systems, and also in upstream or downstream IT systems, which need not be SAP systems. Any critical actions found must be checked and evaluated. The various checks run monthly, quarterly, semi-annually or annually. At the centre is the globally used SAP SoD Dashboard, where user conflicts are detected. A user conflict is resolved either by separation, i.e. withdrawing authorisations from the user in the form of roles, or by mitigation, i.e. assigning a compensating control that defuses the conflict. An SoD violation covered by a mitigating control remains detectable and is therefore also traceable.
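As an added illustration of the detection and resolution logic described above (example code, not the customer's or SAP's own), the following models SoD rules as pairs of conflicting business functions, derives a user's functions from the transactions their roles grant, and distinguishes resolution by separation (role withdrawal) from mitigation (an assigned control, with the violation kept visible). All rule ids, transaction codes, roles, users and control ids are constructed sample data.

```python
# Added example (not from the page): a minimal SoD check in the style of a
# GRC access-risk analysis. Rule ids, transaction codes, roles, users and
# control ids are constructed sample data.
SOD_RULES = {  # rule id -> pair of business functions that must be separated
    "FI01": ("Maintain vendor master", "Post vendor invoice"),
    "MM01": ("Create purchase order", "Post goods receipt"),
}
FUNCTION_TCODES = {  # business function -> transactions that realise it
    "Maintain vendor master": {"XK01", "XK02", "FK01", "FK02"},
    "Post vendor invoice": {"FB60", "MIRO"},
    "Create purchase order": {"ME21N"},
    "Post goods receipt": {"MIGO"},
}
ROLE_TCODES = {  # role -> transactions it grants
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
}
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},  # conflicting combination
    "AMUELLER": {"Z_BUYER"},                      # no conflict
}
MITIGATIONS = {  # (user, rule id) -> control that compensates the conflict
    ("JSMITH", "FI01"): "MC-017 monthly review of vendor changes against payments",
}

def functions_for_roles(roles):
    """Business functions reachable through the transactions of the given roles."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
    return {f for f, codes in FUNCTION_TCODES.items() if codes & tcodes}

def sod_conflicts(roles):
    """Rule ids violated by a set of roles (both halves of the rule reachable)."""
    funcs = functions_for_roles(roles)
    return sorted(rid for rid, (a, b) in SOD_RULES.items() if a in funcs and b in funcs)

def evaluate(user):
    """Per conflict: 'mitigated' (control assigned, violation stays visible) or 'open'."""
    return {rid: ("mitigated", MITIGATIONS[(user, rid)]) if (user, rid) in MITIGATIONS
            else ("open", None) for rid in sod_conflicts(USER_ROLES[user])}

def separate(user, role):
    """Resolve by withdrawing a role; returns the conflicts that would remain."""
    return sod_conflicts(USER_ROLES[user] - {role})

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, evaluate(user))
    print("JSMITH without Z_VENDOR_MAINT:", separate("JSMITH", "Z_VENDOR_MAINT"))
```

A mitigated conflict is still reported, which is what makes the violation traceable in a periodic review; only separation removes it from the result.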