Case Study: UGS

UGS Achieves Best-in-Class Results, Reduces Costs with Approva BizRights


Headquartered in Plano, Texas, UGS (now part of Siemens) is a leading global provider of product lifecycle management (PLM) software and services, with nearly 4 million licensed seats and 46,000 customers worldwide.

http://www.ugs.com

We reduced the time required to test and validate SAP access controls for our audit by 80%.

- Director, Internal Audit, UGS

Business Challenge

In late 2004 UGS began preparing for the first formal audit of its internal controls as mandated by the Sarbanes-Oxley (SOX) legislation. One area of initial focus for UGS was to automate and strengthen security and access controls by implementing robust segregation of duties (SoD) in its SAP environment. The distributed nature of UGS’ operations presented a challenge for the finance and IT groups. While UGS maintains a single instance of SAP to support more than 6,000 worldwide users, there are over 25 different regional/geographical role assignments possible for each core activity group.

UGS’ executive management formed a cross-functional team to evaluate the company’s business controls and to make the necessary changes to achieve robust SoD enforced by access restrictions. The team quickly determined that it would be quite difficult and time consuming, if not impossible, to manage and monitor access controls using manual processes. “We had a lot of nice legacy security rules designed, but they hadn’t gone through the rigors of Sarbanes-Oxley,” said David Thompson, applications security officer with UGS. “We needed a tool to help us drive the design of SoD controls in the SAP landscape at a detailed level.”

After an initial assessment, the team identified the following business challenges that needed to be addressed to prepare for the internal-controls attestation and to achieve UGS’ business goals:

  • Remediating SoD violations within the SAP system
  • Reducing the time and cost required to support the recurring SOX audit
  • Reducing the time required to process new role requests
  • Proactively preventing the creation of new SoD violations as business process owners approved role requests
  • Providing business process owners with more information on those requests that have SoD implications, and offering alternative courses of action to avoid those conflicts

In addition, rather than viewing the project as a short-term compliance issue, the UGS team wanted their controls to add value to the business. “Instead of having SoD and information system access be problem areas for us, as they are within many companies, we wanted to have them be a major strength of our compliance effort,” said Thomas Beitel, Director of Internal Audit. “The goal of our project was to have our SoD results be a very pervasive and compelling control mechanism, and to demonstrate that we hadn’t just achieved the minimum in compliance. We wanted to be near or at best in class in this area. This would then allow us to realize efficiencies in our compliance processes by relying on SoD enforced and monitored through Approva, instead of numerous manual compensating controls that would be required to offset SoD weaknesses.”

Approva's Approach

After consulting with its external advisors and evaluating several controls automation solutions, UGS selected Approva® BizRights® in early 2005. The initial focus of the rollout was to analyze and remediate the SoD conflicts in the five largest countries which generated over 75% of the company’s revenue. The UGS team loaded into Approva nearly forty detailed business rules that had been developed by management, in consultation with external advisors, in late 2004. Approva was then used to analyze the access rights of the SAP users and to determine which users had conflicting access rights that created control violations. The results showed that there were 3,000 SoD violations in the system.

The internal audit and application security team members began the remediation process by holding workshops with the finance managers in each of the five countries. “All of the decisions were finalized by the business leaders,” Thompson said. “It wasn’t an IT-driven project. It was led by the business and jointly executed with IT resources.”

Most of the role violations were a result of unnecessary or historical role assignments to users. In these cases, the UGS team removed access rights with no impact on the business process. In other cases, organizational design changes were necessary to redistribute roles and responsibilities among users to eliminate violations. Finally, in a few cases where roles and responsibilities could not be split up, the UGS team mitigated the violation by establishing and documenting compensating controls. Real-time reports provided by the Approva solution enabled the UGS team to track their progress on a daily basis.

By the end of 2005, the UGS team had eliminated nearly all SoD violations within its in-scope countries. The remaining violations are mitigated by compensating controls. One of the reasons why UGS was able to eliminate the SoD violations so quickly was because the Approva solution enabled internal audit and the business users to make adjustments to and monitor the rules directly rather than relying on the IT group to configure or write custom code for SoD compliance purposes. “It has been very user friendly,” said Beitel. “That’s a real plus. My team and I have been able to create easy and intuitive queries and standard reports to execute extensive segregation of duties and restricted access testing, including testing of sensitive authorization objects and transactions related to IT General Controls.”

UGS also integrated the Approva solution with its own commercially available SOX compliance solution, Team Center Community. The 150 Team Center Community users, including the external auditors, can view Approva reports and access the documented compensating controls through hotlinks between Approva and Team Center Community.

UGS also uses the Approva solution to automate the process for analyzing and approving role requests and changes to user access rights. “In the past, we had no assurance that there were no SoD issues with new role requests,” Thompson said. “The business process owner who approved the request couldn’t evaluate the access they were granting without doing role-by-role and transaction code by transaction code analysis, and that’s extremely time consuming. Now, it’s almost impossible to get a new violation into the company. Approva, in the hands of our security administration team, creates the gatekeeper that allows us to be confident that the items that are approved do not create new SoD violations.”
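The two checks described above, the bulk scan of existing SAP access for rule conflicts under “Approva's Approach” and the preventive gate on role requests in the preceding paragraph, as an added example in Python. This is illustrative code written for this page, not Approva BizRights product code or UGS’ rule set. The users, roles, transaction codes and SoD rules are constructed for the example; a real rule set maps many more transactions and authorization objects to each business function, and the role contents would be exported from the SAP system rather than typed in.

```python
"""Rule-based segregation-of-duties (SoD) analysis: bulk scan of existing
access plus a preventive check of a role request before approval.
Example code for this page; all data below is constructed."""

# Business functions and the (illustrative) SAP transaction codes that grant
# them. Real rule sets map many tcodes and authorization objects per function.
FUNCTION_TCODES = {
    "create_vendor": {"FK01", "XK01"},
    "post_vendor_payment": {"F-53", "F110"},
    "create_purchase_order": {"ME21N"},
    "post_goods_receipt": {"MIGO"},
    "post_vendor_invoice": {"MIRO"},
    "maintain_user_access": {"SU01", "PFCG"},
}

# SoD rules: pairs of functions one user must not hold together (constructed).
SOD_RULES = {
    "SOD-01": ("create_vendor", "post_vendor_payment"),
    "SOD-02": ("create_purchase_order", "post_goods_receipt"),
    "SOD-03": ("post_vendor_invoice", "post_vendor_payment"),
    "SOD-04": ("maintain_user_access", "post_vendor_payment"),
}

# Role -> transaction codes it grants (constructed, hypothetical role names).
ROLE_TCODES = {
    "Z_AP_VENDOR_MASTER": {"FK01", "XK01", "XK02"},
    "Z_AP_PAYMENTS": {"F-53", "F110", "FBL1N"},
    "Z_PUR_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_WH_RECEIVING": {"MIGO", "MB51"},
    "Z_AP_INVOICE": {"MIRO", "FBL1N"},
    "Z_BASIS_USERADMIN": {"SU01", "PFCG"},
}

# (user, rule) pairs accepted because a compensating control is documented.
MITIGATED = {("USER_CFO_SITE3", "SOD-01")}


def functions_for(tcodes):
    """Map a set of transaction codes to the business functions they grant."""
    return {f for f, tc in FUNCTION_TCODES.items() if tc & tcodes}


def tcodes_for_roles(roles):
    """Union of the transaction codes granted by a list of roles."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def violations_for(roles):
    """Rule ids violated by holding these roles together. The check is made
    at transaction level, not on role names, so a conflict split across two
    roles is still detected."""
    funcs = functions_for(tcodes_for_roles(roles))
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in funcs and b in funcs)


def scan_users(user_roles, mitigated=MITIGATED):
    """Bulk scan: {user: [roles]} -> {user: {"open": [...], "mitigated": [...]}}
    for every user with at least one violation. Open items need remediation
    (role removal or redesign); mitigated ones are covered by a documented
    compensating control."""
    report = {}
    for user, roles in user_roles.items():
        hits = violations_for(roles)
        if not hits:
            continue
        open_hits, mitigated_hits = [], []
        for rid in hits:
            (mitigated_hits if (user, rid) in mitigated else open_hits).append(rid)
        report[user] = {"open": open_hits, "mitigated": mitigated_hits}
    return report


def check_request(current_roles, requested_roles):
    """Preventive gate: rules that approving the request would NEWLY violate.
    Pre-existing (e.g. already mitigated) conflicts are not re-reported, so
    they do not block unrelated requests."""
    before = set(violations_for(current_roles))
    after = set(violations_for(list(current_roles) + list(requested_roles)))
    return sorted(after - before)


def conflicting_roles(current_roles, requested_role):
    """For a blocked request, name the currently held roles that conflict with
    the requested one, so the approver sees which role would have to go."""
    return sorted(r for r in current_roles if violations_for([r, requested_role]))


# Constructed sample population.
USERS = {
    "USER_AP_CLERK_DE": ["Z_AP_VENDOR_MASTER", "Z_AP_PAYMENTS"],  # historical extra role
    "USER_BUYER_US": ["Z_PUR_BUYER"],
    "USER_CFO_SITE3": ["Z_AP_VENDOR_MASTER", "Z_AP_PAYMENTS"],  # small site, mitigated
    "USER_BASIS_1": ["Z_BASIS_USERADMIN"],
}

if __name__ == "__main__":
    for user, result in scan_users(USERS).items():
        print(user, result)
    print(check_request(["Z_PUR_BUYER"], ["Z_WH_RECEIVING"]))
    print(conflicting_roles(["Z_PUR_BUYER"], "Z_WH_RECEIVING"))
```

The scan reports the clerk’s open conflict and the CFO’s mitigated one separately, which is the distinction the remediation workshops turned on: remove historical roles where possible, redesign where needed, document compensating controls only for the remainder. The request check returns only conflicts the request would introduce, and the helper names the held role that causes the conflict, which is the information an approver needs to pick an alternative rather than simply rejecting the request.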

Results

Using the Approva solution, UGS was able to achieve its goal of eliminating substantially all SoD violations and has been recognized by its auditors for having best-in-class results in this area. “A lot of companies are in the mode of perpetual cleanup and remediation,” said Beitel. “With Approva’s BizRights solution we’re not only confident that we’ve achieved and are maintaining good SoD in our SAP environment, we’ve done it with a lot less cost and effort. We are on track to realize return on our investment of less than two years.”

Some of the specific business benefits that UGS has achieved include:

  • Reduced the number of SoD violations from 3,000 to 180 in less than six months; established compensating controls for remaining violations.
  • Reduced the time required to test and validate controls for its audit by 80%.
  • Established a more comprehensive, centralized and sustainable process for monitoring business controls across its global SAP implementation.
  • Automated the analysis and provisioning of new role and user access requests to ensure that new SoD violations are not added to the system.
  • Shortened the response time to role request changes while reducing security administration resources.
  • Empowered business process owners with increased information on the design, mitigation and monitoring of business controls.

“With their knowledge of and confidence in the Approva product, our external auditors were able to audit SoD in our SAP environment in less than 20 hours this year. They could quickly see and verify the rules that we’ve established, and the exclusions and justifications for each user and each rule,” said Beitel. “In the absence of an automated system like Approva, our external auditors had previously estimated at least 120 hours to perform their SoD review in 2005.”
