Why access review matters
User access review is the most directly testable IT general control in the financial reporting environment. The auditor selects a sample of users, requests the most recent manager attestation, verifies the attestation reflects current access, and traces sample access changes back to documented approvals. The control fails when attestation evidence is missing, stale, or inconsistent with access actually granted. The remediation cost of a failed user access review control is typically the largest single item in the SOX remediation budget.
This article documents the review scope, the manager workflow design, the evidence pack the review produces, and the audit-defensible posture the cycle establishes. Reference the SAP security audit pillar, the compliance framework pillar, and the GRC and security expertise.
Review scope and review population
The review scope captures every user with access to systems in the SOX significance perimeter, every user with privileged access in any system, and every user assigned a role flagged for review by the SoD ruleset. The review population is the user list filtered by the scope criteria. The population is typically 30 to 50 percent of the total SAP active user count at most Fortune 500 customers. The remaining users carry low risk access that is reviewed annually rather than quarterly.
The customer position is to maintain a documented scope rationale rather than treat the review population as fixed. Reference the GRC implementation analysis, the user counting methodology, and the SoD conflicts analysis.
Manager workflow design
The manager workflow is the process by which each manager receives the list of direct reports in scope, the access summary for each direct report, the attestation question for each direct report, and a defined response window. The workflow design has three critical choices. First, the access summary granularity: too detailed and the manager cannot review it; too summarized and the attestation is meaningless. Second, the response window length: too short and managers do not respond; too long and the review cycle slips. Third, the escalation flow when managers miss the window.
The customer position is to design the workflow once and operate it consistently rather than redesign each cycle. Reference the GRC implementation analysis, the authorization concepts analysis, and the firefighter ID analysis.
A response window of 10 business days with two reminders, at day five and day eight, produces an 85 to 92 percent on-time response rate, compared with 45 to 60 percent under a 15 business day window without reminders.
Evidence pack the review produces
The evidence pack the review produces has five elements. First, the manager attestation record for each user in scope, with documented attestation outcome. Second, the access change request for each removal decision, with documented approval. Third, the access change confirmation that the change was executed in the system. Fourth, the escalation log for managers who missed the window. Fifth, the summary that captures population, response rate, change rate, and exception rate. The pack is the artifact the auditor reviews.
The detail is in our license audit pillar (cross cluster reference), the audit readiness framework, and the evidence pack methodology. The authorization audit guide paper documents the full evidence pack template.
Audit-defensible posture the cycle establishes
The audit-defensible posture the access review cycle establishes has three components. First, the consistency of the cycle. Quarterly cycles operated on time over the SOX period are stronger evidence than late or skipped cycles. Second, the granularity of the attestation. Per-user attestation with a documented manager response is stronger than batch attestation. Third, the responsiveness of the change. Access removed within five business days of the attestation decision is stronger than removals queued for the next cycle.
The implementation detail is in our role design analysis, the authorization concepts analysis, the SOX ITGC analysis, and the change management analysis. The SOX compliance expertise documents the full posture framework.
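As an added illustration (not code from this article or from any GRC product), the following Python sketch applies the scope rule from the review scope section, the 10 business day window with reminders at day five and day eight, and the evidence summary metrics (population, response rate, change rate, exception rate) with the five business day removal test. System names, role names, user IDs and dates are constructed placeholders, and public holidays are ignored in the business day arithmetic.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed sample data: system names, role names and user IDs are placeholders.
SOX_SYSTEMS = {"ERP_PRD", "FI_PRD"}          # systems in the SOX significance perimeter
SOD_FLAGGED_ROLES = {"Z_AP_PAY_AND_VENDOR"}  # roles flagged for review by the SoD ruleset

@dataclass
class User:
    uid: str
    systems: set
    roles: set
    privileged: bool = False
def in_scope(u: User) -> bool:
    """Scope rule: SOX perimeter system, privileged access, or SoD flagged role."""
    return bool(u.systems & SOX_SYSTEMS) or u.privileged or bool(u.roles & SOD_FLAGGED_ROLES)

def add_business_days(start: date, n: int) -> date:
    """Advance n business days (Mon-Fri); public holidays are ignored here."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def business_days_between(a: date, b: date) -> int:
    return sum(1 for i in range(1, (b - a).days + 1) if (a + timedelta(days=i)).weekday() < 5)

def cycle_dates(start: date) -> dict:
    """10 business day window with reminders at day five and day eight."""
    return {k: add_business_days(start, d) for k, d in (("reminder1", 5), ("reminder2", 8), ("deadline", 10))}

def summarize(population, attestations, removals) -> dict:
    """attestations: uid -> (decision, decision_date); removals: uid -> date the change was executed.
    An exception is a removal decision not executed within five business days."""
    responded = [u.uid for u in population if u.uid in attestations]
    remove = [uid for uid in responded if attestations[uid][0] == "remove"]
    late = [uid for uid in remove
            if uid not in removals or business_days_between(attestations[uid][1], removals[uid]) > 5]
    n = len(population)
    return {"population": n, "response_rate": len(responded) / n,
            "change_rate": len(remove) / n, "exception_rate": len(late) / n, "exceptions": late}

def run_sample() -> dict:
    users = [User("u1", {"ERP_PRD"}, set()), User("u2", {"HR_DEV"}, set(), privileged=True),
             User("u3", {"CRM_PRD"}, {"Z_AP_PAY_AND_VENDOR"}), User("u4", {"CRM_PRD"}, {"Z_DISPLAY"})]
    population = [u for u in users if in_scope(u)]          # u4 carries low risk access: out of scope
    attestations = {"u1": ("keep", date(2024, 4, 5)), "u3": ("remove", date(2024, 4, 5))}  # u2 missed the window
    removals = {"u3": date(2024, 4, 15)}                     # executed 6 business days after the decision
    return {"cycle": cycle_dates(date(2024, 4, 1)), **summarize(population, attestations, removals)}
```

Running `run_sample()` yields a population of 3, a 2/3 response rate, a 1/3 change rate and one exception (u3), because the removal landed one business day outside the five day target.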
Access review that survives auditor scrutiny
- User access review is the most directly testable IT general control in the SOX environment
- The review scope captures SOX systems, privileged users, and SoD-flagged users (typically 30 to 50 percent of the active user count)
- Manager workflow design requires three calibrated choices: granularity, window length, escalation flow
- A 10 business day window with two reminders produces an 85 to 92 percent on-time response rate
- The evidence pack has five elements: attestation, change request, change confirmation, escalation log, summary
- Audit-defensible posture rests on consistency of cycle, granularity of attestation, and responsiveness of change