One A&D Leader’s Strategic Risk Approach to S4HANA SoD Remediation

Client Snapshot

Profile

This client is a global aerospace and defense contractor with corporate headquarters in the United States.

Situation

Upgrading its existing SAP landscape, the client struggled with excessive user access and unresolved SoD conflicts. Blending historical data from multiple systems with new, future-state configurations was complicated by uncertainty over where the business process controls reside, tight timelines, and the need to minimize operational disruptions.

Work Performed

Protiviti helped the client design and execute a multi-phase SAP S/4HANA security and controls strategy, with a focus on mitigating SoD risks, assessing existing control effectiveness, and developing user access governance for thousands of global employees. A robust change management plan set the stage for success.

Outcome/Benefits

The team successfully automated business process controls across 100% of the SAP functionality used, documented and validated 120+ configuration control points, and mapped mitigating controls for 100% of the SoD access risks remaining in the production system.

A leading aerospace and defense organization faced a critical challenge during its SAP S/4HANA implementation: excessive user access and unresolved segregation of duties (SoD) conflicts. These issues emerged due to compressed project timelines and competing priorities during the system’s go-live. Despite initial plans to deploy a robust user access management process and remediate security roles before launching, the organization was unable to complete the necessary clean-up in time.

Recognizing the potential risks posed by unmitigated SoD violations, particularly in a highly regulated industry with stringent data privacy and compliance requirements, the client engaged Protiviti to lead a comprehensive remediation initiative. The goal was to quantify actual SoD violations, assess the effectiveness of existing controls, and establish a sustainable governance framework to support long-term access management.

Conquering a complex beast

The organization faced several critical challenges. First, it struggled with disparate data systems that hindered seamless integration across its supply chain, finance, and production functions. These siloed systems created inefficiencies, reduced visibility into operations, and complicated decision-making processes. Additionally, the existing SAP infrastructure required an upgrade to align with evolving business needs and to fully leverage advanced functionalities offered by SAP S/4HANA. The transition involved blending vast amounts of historical data with new, future-state configurations, all complicated by determining where the business process controls reside, stringent timelines, and the need to minimize disruptions to ongoing operations.

User adoption posed another significant challenge. With thousands of employees across multiple locations, ensuring that the workforce could effectively utilize the new system was critical.

A strategic intervention

Protiviti, already engaged with the organization on an SAP financial advisory project, expanded our role to lead this important implementation effort. We partnered with the client to design and execute a multi-phase remediation strategy. The first step involved quantifying user-level SoD risks by distinguishing between “can-do” access conflicts (potential violations based on role assignments) and “did-do” transactional violations (actual occurrences), enabling the organization to move beyond theoretical risk and focus on real exposure.

Using transactional and master data, we identified high-risk SoD combinations such as the ability to create vendors and process payments or maintain bank master data and execute AP payments. These risks were prioritized based on dollar value and frequency of violations. For example, one SoD conflict involving invoice and payment processing totaled over $11 million in transactions, underscoring the urgency of remediation.

The team then mapped IT Application Controls (ITACs) and IT General Controls (ITGCs) to the identified SoD risks. These mitigating controls were uploaded into SAP GRC Access Control, enabling automated monitoring and reporting. A security role assessment was conducted to determine whether existing roles could be adjusted or required full redesign.
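The "can-do" versus "did-do" distinction and the mitigating-control mapping described above can be made concrete with a small analysis script. The following is an added example written for this page; it is not Protiviti's or the client's code, and it does not reproduce any SAP GRC report format. All rule ids, role names, user names, control ids, documents and amounts are constructed sample data. The SAP authorization model (transaction codes and authorization objects) is simplified to named business functions, and mitigating controls are modelled as per-user, per-rule assignments, which is the granularity at which residual risk is tracked in the narrative.

```python
"""Added example: can-do vs did-do SoD analysis with mitigation mapping.

All data below is constructed for illustration (not from the case study).
"""
from collections import defaultdict

# Constructed SoD rule set: rule id -> (function A, function B).
# By convention of this constructed set, function B is the value-moving side
# (the payment), so dollar exposure is measured on B's transactions.
SOD_RULES = {
    "P2P-01": ("CREATE_VENDOR", "PROCESS_PAYMENT"),
    "P2P-02": ("MAINTAIN_BANK_MASTER", "PROCESS_PAYMENT"),
    "P2P-03": ("POST_INVOICE", "PROCESS_PAYMENT"),
}

# Constructed role -> business functions (stand-in for tcode/auth-object analysis).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"POST_INVOICE"},
    "Z_AP_PAYMENT": {"PROCESS_PAYMENT"},
    "Z_VENDOR_MAINT": {"CREATE_VENDOR", "MAINTAIN_BANK_MASTER"},
}

# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "bob": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},
    "carol": {"Z_VENDOR_MAINT"},
}

# Constructed transaction log: (user, function, document id, amount in USD).
TRANSACTIONS = [
    ("alice", "POST_INVOICE", "INV-1001", 250000.0),
    ("alice", "PROCESS_PAYMENT", "INV-1001", 250000.0),
    ("alice", "POST_INVOICE", "INV-1002", 90000.0),
    ("alice", "PROCESS_PAYMENT", "INV-1003", 10000.0),
    ("bob", "CREATE_VENDOR", "V-77", 0.0),
    ("bob", "PROCESS_PAYMENT", "INV-2001", 40000.0),
    ("carol", "CREATE_VENDOR", "V-78", 0.0),
]

# Constructed mitigating-control assignments: (user, rule id) -> control id.
MITIGATIONS = {("alice", "P2P-03"): "ITAC-007"}


def user_functions(user):
    """All business functions a user can execute through assigned roles."""
    funcs = set()
    for role in USER_ROLES.get(user, ()):
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def can_do_conflicts():
    """'Can-do' analysis: users whose roles cover both sides of a rule."""
    conflicts = {}
    for user in USER_ROLES:
        funcs = user_functions(user)
        hits = {rid for rid, (a, b) in SOD_RULES.items() if a in funcs and b in funcs}
        if hits:
            conflicts[user] = hits
    return conflicts


def did_do_violations(transactions=TRANSACTIONS):
    """'Did-do' analysis: the user actually executed both sides of a rule.

    Returns {(user, rule id): (transaction count, total amount)}, with exposure
    taken from the user's transactions on the rule's value-moving function B.
    """
    executed = defaultdict(set)               # user -> functions actually run
    exposure = defaultdict(lambda: [0, 0.0])  # (user, function) -> [count, amount]
    for user, func, _doc, amount in transactions:
        executed[user].add(func)
        exposure[(user, func)][0] += 1
        exposure[(user, func)][1] += amount
    violations = {}
    for user, funcs in executed.items():
        for rid, (a, b) in SOD_RULES.items():
            if a in funcs and b in funcs:
                count, amount = exposure[(user, b)]
                violations[(user, rid)] = (count, amount)
    return violations


def residual_risks():
    """Can-do conflicts with no mitigating control assigned: the remediation backlog."""
    return {(u, rid) for u, rids in can_do_conflicts().items() for rid in rids
            if (u, rid) not in MITIGATIONS}


def prioritized_report():
    """One row per can-do conflict, ordered by actual dollar exposure then frequency,
    so real did-do exposure is remediated before purely theoretical conflicts."""
    did = did_do_violations()
    rows = []
    for user, rids in can_do_conflicts().items():
        for rid in rids:
            count, amount = did.get((user, rid), (0, 0.0))
            rows.append({"user": user, "rule": rid, "functions": SOD_RULES[rid],
                         "did_do": (user, rid) in did, "count": count,
                         "amount": amount, "mitigation": MITIGATIONS.get((user, rid))})
    rows.sort(key=lambda r: (-r["amount"], -r["count"], r["user"], r["rule"]))
    return rows


if __name__ == "__main__":
    for r in prioritized_report():
        status = "DID-DO" if r["did_do"] else "can-do"
        print(f"{r['user']:6} {r['rule']} {status:6} txns={r['count']} "
              f"usd={r['amount']:,.0f} {r['mitigation'] or 'UNMITIGATED'}")
```

In this constructed data, alice's invoice-and-payment conflict is a did-do violation but already carries a mapped control, while bob's vendor-creation-plus-payment conflict is both exercised and unmitigated and therefore sorts to the top of the remediation backlog; bob's bank-master conflict remains a can-do item only. A document-level join (same user posting and paying the same invoice) would be the natural refinement once the user-level exposure has been triaged.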

SAP S/4HANA modules were configured to align with specific requirements, including enhancements to supply chain management, production planning, and financial reporting capabilities. Custom workflows and dashboards were developed to provide real-time insights, enabling better decision-making and improved operational efficiency. Additionally:

  • Quantified risk exposure: Actual SoD violations were identified and tied to specific users and dollar amounts, enabling targeted remediation.
  • Mitigated high-risk conflicts: Key SoD risks were addressed through control mapping and role adjustments, reducing exposure to inappropriate transactions.
  • Enhanced audit readiness: Comprehensive documentation and executive-level reporting improved external auditor confidence.
  • Established governance: A formal CoE was introduced for access management, ensuring ongoing compliance and continuous improvement.

User adoption was a critical success factor, so the team designed a comprehensive change management program, including targeted training sessions, user manuals, and ongoing support.

Throughout the implementation, Protiviti adopted an agile approach, allowing for iterative testing and adjustments based on feedback. Regular progress reviews ensured alignment with project goals, while robust monitoring mechanisms were put in place to identify and address potential issues proactively.

Future state vision

The SAP implementation delivered transformative results for the organization, positioning it for sustained success in a competitive industry. Key outcomes included:

  • Improved controls:
    • Embedded automated business process controls across 100% of the SAP functionality used; documented and validated over 121 configuration control points, reducing the need/reliance on manual controls.
    • Identified and mapped mitigating controls for 100% of the segregation of duties access risks that remained in the system – ensuring complete mitigation and visibility into system access.
  • Improved data visibility and decision-making: Real-time analytics and reporting capabilities in SAP S/4HANA deliver actionable insights, improving decision-making across all levels.
  • Increased user adoption rates: Change management initiatives led to high levels of user engagement and adoption, contributing to smoother operations and faster realization of benefits.

The modernized SAP infrastructure equipped the organization to adapt to future business needs and technological advancements. The system’s scalability ensured that it could seamlessly integrate new acquisitions and expand into emerging markets.

Looking ahead, the organization is focused on achieving an ideal access management future state, including ongoing SoD rule maintenance, elevated access controls, automated user provisioning, and periodic access reviews. With Protiviti’s support, the organization has laid the foundation for a secure, compliant, and scalable SAP S/4HANA environment.


  • 100% – Embedded automated business process controls across all SAP functionality
  • 120+ – Documented and validated control points
  • 100% – Mapped mitigating controls to all SoD access risks

 
