
Simplifying a Common SOX Stumbling Block: Managing Segregation of Duties (SoD) Risks

2 min. read

An ERP System’s Customization Made Managing Access, Roles and Permissions Complex and Raised the Risk of Segregation of Duties Conflicts.

At A Glance

Company Type: Public company, mid-market

Industry: Biotech, medical device manufacturing

Solution Area: Corporate Governance, Sarbanes-Oxley Compliance (SOX)

About The Client

A fast-growing medical device company that makes surgical robotics for minimally invasive procedures.

Challenge

This medical device manufacturer was stymied by the complexity of assessing potential segregation of duties (SoD) conflicts in its highly customized ERP system. It faced three key challenges:

  1. Understanding complex ERP configurations: The company’s operational needs are distinct, and so is its ERP configuration: it incorporates hundreds of permissions and numerous users, a level of complexity that makes managing and securing the system intricate.
  2. Identifying and resolving segregation of duties conflicts: User access reviewers were not fully aware of the effective access created by combinations of access roles, raising the risk of undetected segregation of duties (SoD) conflicts.
  3. Removing unnecessary access and limiting ongoing access: Instead of building new access by copying existing users’ access profiles, the company needed to limit users’ access to only the essential permissions. SoD exposure had grown through unknown access paths, opening up the potential for more deficiencies.

Solution

ZRG implemented two tailored tools plus a comprehensive process for managing the company’s SoD risk.

  • Uncover existing SoD conflicts:
    • An identification and evaluation tool analyzes the ERP security configuration and pinpoints scenarios where conflicting access rights could arise.
  • Streamline the process for access requests:
    • ZRG introduced a quick, user-friendly way to accurately assess permissions while proactively identifying—and preventing—potential SoD conflicts arising from new access requests.
  • Align users’ access needs with permissions:
    • We created a workable framework for access reviewers to evaluate an acceptable level of SoD risk and to target specific permissions for removal—ultimately reducing SoD risk to that acceptable threshold.
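As an added illustration of the two checks described above (this is example code, not ZRG’s tool or the client’s data), the following Python maps roles to permissions, holds a constructed SoD rule set, scans every user’s effective access for conflicts, and tests a new access request before it is granted so that only the conflicts the new role would introduce are reported. All role names, permissions, rules and users are constructed.

```python
# Constructed sample data, not the client's real ERP configuration.
# Each role maps to the ERP permissions it grants.
ROLES = {
    "AP_CLERK":      {"create_vendor", "enter_invoice"},
    "AP_MANAGER":    {"approve_payment", "release_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_REVIEWER":   {"approve_journal"},
    "PURCHASING":    {"create_purchase_order"},
    "WAREHOUSE":     {"receive_goods"},
}

# Constructed SoD rule set: permission pairs one person should not hold.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "release_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"create_purchase_order", "receive_goods"}),
}

# Constructed user-to-role assignments. Every role is clean on its own; the
# conflicts appear only when roles are combined, which a role-by-role review misses.
USERS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob":   {"GL_ACCOUNTANT"},
    "carol": {"PURCHASING"},
}

def effective_permissions(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms

def conflicts_for(roles):
    """SoD rules violated by this role combination, sorted for stable output."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= perms)

def find_existing_conflicts(users=USERS):
    """Identification tool: scan every user's effective access for violations."""
    return {u: conflicts_for(r) for u, r in users.items() if conflicts_for(r)}

def check_access_request(user, requested_role, users=USERS):
    """Access-request check: conflicts a new role would introduce if granted."""
    before = set(conflicts_for(users[user]))
    after = set(conflicts_for(users[user] | {requested_role}))
    return sorted(after - before)
```

Running `find_existing_conflicts()` flags only alice, whose two individually clean roles combine into two violations; `check_access_request("carol", "WAREHOUSE")` shows the purchase-order/goods-receipt conflict that granting the request would create.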

Results

The tools and framework ZRG provided enabled the company to identify and address SoD conflicts, and specifically to:

  • Effectively identify, evaluate and limit access within the ERP system
  • Comprehensively evaluate SoD specific to the company’s ERP configuration and demonstrate conclusions to auditors
  • Review and approve new user access requests without worrying about increasing SoD exposure beyond an accepted level
  • Proactively manage ERP SoD challenges and foster a SOX-compliant organization

“ZRG really helped simplify a complex area. Managing SoD in our environment was a very time-consuming project and became much more manageable with the tools and framework they developed for us.”

- VP, Controller
