Our production support teams want access to the production systems
Our SAP production support teams would like full transactional access
(display/change/create) into production systems. This conflicts with some
of our strategies and policies. Do you have any guidelines for best
practices in this area - what is generally the norm for internal support
roles for other companies? Any help will be appreciated.
Very simple question. No. There are a number of rules, best practices,
and common sense that would argue in your favor. The norm is for support
people to have display access for most transactional functions, where
problems are noted so they should be replicable in your testing environment
(assuming you have a good QA process). The support personnel should then
find the solution for the problem, move it to test and then promote to
production. If you give support people production functional access, they
will start processing transactions and have both the knowledge and access
to violate most internal controls.
Alternatively, I have seen some process teams identify specific
transactions they need in production due to specific business rules (Tax
rate updates, Monthly close support) and receive business sign-off. This
is acceptable and warranted. There are always exceptions.
Furthermore, you should work with your audit community to understand your
obligations under Sarbanes-Oxley Section 404 on internal and system
controls. Your external auditor may not be willing to attest to the
soundness of your control environment if multiple segregation of duty
issues exist.
This was first published in June 2003