Case Study: Arch Chemicals

Arch Chemicals Streamlines SOX Control and Compliance Processes in SAP

Headquartered in Norwalk, Connecticut (USA), Arch Chemicals, Inc. is a global biocides company with annual sales of approximately $1.5 billion. Arch and its subsidiaries provide innovative, chemistry-based solutions to control the growth of harmful microbes. The company’s concentration is in water, hair and skin care, treated wood, paints and coatings, building products and health and hygiene applications. Arch Chemicals operates in two segments: Treatment Products and Performance Products. Together with its subsidiaries, Arch has approximately 3,000 employees and manufacturing and customer-support facilities in North and South America, Europe, Asia, Australia and Africa.

We knew we couldn’t do the job without some kind of tool. We selected Approva BizRights as the best solution to overcome the initial SoD challenges in our SAP environment, and to help us avoid any control and compliance concerns in the future.

- Cory Heiden, Director, Business Systems, Arch Chemicals

Business Challenge

Arch Chemicals was among the first organizations in the United States to implement an SAP enterprise resource planning (ERP) system, rolling out version R2 in the 1980s, and later upgrading to R3. The company now has approximately 1,200 users worldwide, working off a single instance of version 4.7. In recent years, Arch Chemicals has expanded its manufacturing base largely through acquisition of sites in a variety of global locations, and the SAP system has been introduced to new sites as part of the standard operating process.

The company’s SAP security officers are responsible for managing user access requests, role assignments and t-code changes. Prior to this project, the security officers used manual checks to analyze new requests and monitor the system for potential conflicts or risks. The security team also helped prepare for the company’s annual audits.

When Arch Chemicals began updating its processes to satisfy the requirements of the Sarbanes-Oxley (SOX) legislation, it became clear that its approach to control and compliance within the SAP system needed to be modified. Arch Chemicals therefore initiated an SAP security project, with the primary objective of moving from a profile-based security model to a role-based system. This complex exercise involved creating a comprehensive set of defined roles that could support the company’s global businesses, while at the same time ensuring that there were no segregation of duty (SoD) conflicts. Checking for potential conflicts in an exercise of this scale was a mammoth task, involving detailed knowledge of the SAP system at role, menu and t-code levels, so it was clear that a manual process would not be viable.

Approva's Approach

Arch Chemicals realized that the success of the security project depended on finding a solution that would enable them to understand and correct any potential SoD conflicts associated with the new roles. “We knew we couldn’t do the job without some kind of tool,” said Cory Heiden, Director of Business Systems, Arch Chemicals. “We selected Approva BizRights as the best solution to overcome the initial SoD challenges in our SAP environment, and to help us avoid any control and compliance concerns in the future.”

The company implemented Approva’s BizRights Platform and Application Controls Suite to allow them to analyze and test each of the new SAP roles created as part of the project, working with a newly created group of SOX compliance officers who represented each business group. The basic set of roles was tested in the Approva solution, and where an SoD violation was detected, it was discussed with the relevant stakeholders. The need for compensating controls was reviewed on a site-by-site basis with the appropriate compliance officer, and, if they were required, the details were documented in the Approva solution for future reference and auditing.

After the project was completed, Arch Chemicals utilized the capabilities provided by the Approva solution to revise a number of its security processes related to user access. Requests for changes in role are now sent directly to the SAP security team, so that the t-code addition can be analyzed using the “what if?” functionality in BizRights. If a conflict is detected, the security officer recommends a compensating control to the compliance officer, who can either accept or reject the change. The Approva software is also used for the ongoing management and monitoring of controls and compliance, providing reports on a continuous basis to highlight any SoD conflicts in the SAP environment so that they can be immediately resolved.

The improved visibility of controls through the regular reports has also streamlined the process of preparing for the annual SAP audit, and the internal auditors are able to use the Approva solution to monitor controls performance as required. Once the external auditors were satisfied with the rule-set that had been applied in the BizRights software, they were able to concentrate on whether the compensating controls were being executed properly. This had the effect of removing a significant number of manual checks and simplifying the audit cycle.

Results

The security project within Arch Chemicals had an immediate impact, effectively eliminating all of the SoD concerns within the SAP environment. The company was then able to use the Approva solution to continuously monitor the company’s controls and security performance, which has delivered a number of ongoing benefits including:

  • improved visibility of security and compliance issues
  • reduced risk of SOX issues and fraudulent activities
  • more secure provisioning process
  • faster, more efficient audit cycle

“Since the Approva solution was installed and the security project completed, we have been very pleased with the quality of our SAP audits,” said Cory Heiden. “Adoption of the Approva solution has also made it easier for both us and our auditors.”

The capabilities of the Approva Controls Intelligence platform are also valuable when integrating newly acquired businesses or sites into the SAP environment. Potential new job roles can quickly be analyzed by the system, and the necessary compensating controls captured and documented for future use.