SAP termination of employee/system access 2120

  • Hi,
    I’m at a client where during the processing of a termination action in SAP, HR is at the same time end dating an employee record (infotype 0105) that is effectively ending the employee’s access to any of the SAP systems.
    This is not the approach I’ve seen taken at any other client. Usually HR performs the termination. This is the trigger to close down the employee’s various accounts (e-mail, SAP, etc). If manual, it would be the IT folks, not HR, that terminate system access (ie, delimiting user master record in SU01). Only makes sense…since IT creates the user account when employee is hired, they should be the ones to terminate the account when employee is terminated. It’s like HR is doing IT’s job for them. And if HR makes a mistake, terminated employee retains access to system.
    As I know little about SOX compliance, is what my client currently doing a violation of SOX? More importantly, does anybody have any documentation or info I can reference, so I can back my thoughts up when I discuss this with the client?
    Thanks, Vlad

  • I beg to differ
    Hr initiates creation of a user in the organization( even logically) and they are the ones who initiate terminations as well.
    If the workflow in SAP is set such that a termination of user in SAP HR module would terminate the SAP logical access then it seems to be fair.
    However, i guess your question is about logical access to other systems and the corporate network(AD i guess). This being so, i am pretty sure, they will be having a mechanism to terminate the logical access of the user in other systems.
    would be great if you chek on this.

  • Hi and welcome to the forums 🙂
    NC shares some excellent concerns to ensure a comprehensive approach is implemented. As long as all other access is terminated to company systems (e.g., network/worktation access, email access, web apps, etc), than the HR automated triggering of the process should work okay.
    SOX 404 entails a risk management assessment of financial IT controls and if HR approach triggers action by the security department to act on all access privileges, this approach should work well 🙂

  • Hi,
    You are both talking about HR triggering a system account termination that gets performed by IT.
    But that is precisely my concern…HR is not doing such a trigger and IT is not terminating the SAP account. It is HR themselves that is effectively terminating SAP account with no involvement by IT. And they are doing this manually. There is no automation. If HR fails to do this, who is ultimately to blame? IT has effectively transferred ownership of SAP account termination over to HR.

  • Hi Vlad - Based on your reply, I’m on the same page now 😉 Yes, I think that termination process should be moved to back to IT security .
    After seeing more precisely what the HR issues are, I’d suggest the following:

    1. More risk for things to go wrong in the process is incurred when security functions are done outside the control of IT security (e.g., weakens the control). For example, what if folks in HR don’t follow the right prompts and accidently leave someone’s account open.
    2. IT security admins are the ‘experts’ and have had significant training in the complex skill sets needed for IT security. As I noted earlier, they will clean up all access rights beyond those just for SAP (e.g., email, network, remote access, etc) . Would you want someone who has been terminated dialing into your network?
    3. IT should keep domain or other admins to a minimum and appointing folks outside their area of control could create accidental errors or issues.
    4. While intentional fraud should be a very low risk in the companies we work for, it does occasionally happen. Hopefully, we all hire ethical trustworthy individuals. Still as I think about risks associated with HR folks having ADMIN power, you don’t want exposures for folks who could potentially write checks to themselves, set up false employee accounts, delete audit trails, etc.
    5. HR should still trigger the process and send an email to IT security – but they shouldn’t be ‘chief, cook, and bottlewasher’ for the entire process. Also, as a supplemental control active employee lists should be sent from IT to HR routinely (e.g., monthly or quarterly), so they can verify the active list and ensure no accounts are left open.

  • On a similar line, we have an automated system whereby when HR enter a users termination date into our HR Management System it automatically feeds this information into AD prompted the system to terminate the network account (and any application accounts also integrated with this process).%0AWhilst this works 100% of the time, the problem we experience is that HR are not always notified by the managers of the employee leaving, therefore the termination process is not triggered.%0AIn the past we have always stated that where a user still has an active account within a financial application that is detected after a few weeks or at one of the quarterly reviews, that the risk is mitigated by the users account being terminated at the network level - which is obviously not the case in all situations.%0AWe could easily arrange for a report to produce a list of all users that have not logged in to their account in the last 5 weeks which would ensure we do not catch people out on long vacations or mid-term sickness, but in my mind the most vulnerable time for a user to ‘try’ and access their old account would be in the first couple of weeks following their termination.%0AI believe that in this situation it is the responsibility of HR to put additional controls in place as once the information is entered into their system, the rest of the process is automatic.%0AMy query is what IT controls we could implement to cover the risk in this situation? Would a regular report really be sufficient as you still potentially have a 5 week period where the account is left active.

  • My query is what IT controls we could implement to cover the risk in this situation? Would a regular report really be sufficient as you still potentially have a 5 week period where the account is left active.
    Hi Cadmanm - The controls you’ve implemented are well done, as the automated HR trigger on termination dates should take care of most situations. You’re right that folks would most likely try with a day or so of leaving the company, rather than 5 weeks later. Most terminated employees won’t attempt this based on my own experiences in the security field (or at least in the companies I’ve worked for)
    Some ideas are noted below:

    • I’d recommend HR strengthening controls for all managers to promptly report terminations (e.g., are terminated employees who are not being reported promptly getting paid for extra weeks?). Maybe an awareness email or policy from HR (or better yet senior management) could be formulated.
    • Make sure HR is aware of the role they play in SOX compliancy, so that they don’t wait a day or so in marking any terminations
    • You could also use the 5 week inactivity log as a vehicle to spot check for issues. If you come up clean continually that’s actually a measured check you can share with SOX auditors.
    • Based on my own experiences, I wouldn’t have managers contact both your area and HR … Single points of contact always work best and it’s more logical that HR be the ‘keeper of the keys’ on this one.

  • Agree with much of what has been said already. However there are a couple of things you can’t get away from, the termination process to be truly effective requires:

    • managers to notify HR on employee termination - and best practice would be to notify HR before you terminate someone to ensure you get the admin done properly and don’t create potential grievances. This isn’t for any security concern as most terminations are routine - first and foremost you want to get people removed from the payroll, have their final salary and leave, etc calculated properly and so on.
    • HR to trigger the IT process as previously discussed, and this should be part of their routine process, leaver chacklists, etc.
      If you don’t control these two things then there is no combination of sophisticated IT techniques that will make up for it.

  • I’m having a lively ‘discussion’ with the external auditor right now, in the throes of SOX testing.
    Background : IT removes access in response to urgent notifications by HR of employee high-risk terminations (e.g., escort out the door). For all other terminations (e.g., resignations), IT responds to remove access by the next business day after being notified via a daily HR termination notification report.
    Issue : There can be delays by business managers in sending the info to HR. In those cases, the HR record contains a notification date and also a back-dated effective date. The external is testing the SOX ITGC for access controls and is calling the control ineffective for a particular application because of the occasion of field-to-HR notification delays. This is a large company with >30,000 domain users and many thousands of users on each in-scope SOX application (seven of them).
    Management response is that for resignations, if there is a delay, so what. The risk of sabotage or abuse is higher during the ‘two week notice’ period than after the employee physically leaves, even if access is still theoretically available for a couple weeks. The external is holding fast on the SOX deficiency.
    I am responsible for SOX ITGC testing for the company. I say that if high-risk terminations are processed immediately, the other access removals can be done with a delay tolerance of, say, 2 weeks to cover mgmt vacations, etc. without causing financial risk to the business.
    What do you say :?:

  • Hi Will - I agree with your recommendations along with the external auditor comments that termination notification delays from the business side are unacceptable. Below are a few quick ideas, that may or may not be applicable for your situation:

    1. While there are risks in disgruntled employees tampering with information, in my 35 year IT career, I’ve not seen this occur often. Most folks know better and work out their 2 week period. Most are focused on moving to ‘greener pastures’ than revenge.
    2. The greater risks occur when someone is terminated unexpectantly (e.g., fired or layoffs). That’s the more high risk situation that needs to be communicated IMMEDIATELY. If they feel they were unfairly treated, they may try to ‘burn some bridges’ and let their emotions over rule logic.
    3. IT professionals with special security access or users with access to sensitive data also fall into the high risk category (not due to frequency but severity of the exposure). Companies always need to ‘trust but verify’
    4. HR and senior management need to own this issue and update their policies and procedures accordingly. Maybe meeting with HR is the answer. If the termination is a mutually agreeable departure (e.g., moving on to greener pastures or other life change like retirement), the IT security department can diary this and make the removal of system access effective at the close of the employee’s last day.
    5. If management is unwilling to change current procedures to better address SOX IT compliancy needs, then letting the external auditor’s comments stand is perhaps the only way to put this need in the best interest of senior management. I would notify HR and the manager you report to, that if the issue isn’t addressed, it will show up as a weakness in meeting SOX 404 compliancy

  • Hello Harry - good comments all. Much appreciated.

  • Great information, but i have a question regarding the secondary report being generated, the one that details who has not logged into the system for a span of 5 weeks. My question is, why is this neccessary. Wouldnt it be enough to simple spot check the first report, the one detailing system users. That should show all the users and their related privilages, wouldnt that be enough. Im really not understanding the point of the cross reference between the 2 reports.
    Thanks for any clarification you can add.

  • Hi JL - I believe the 5 week report would be a subset of the much larger full access control report (e.g., thinking about huge companies where there are 000’s of users potentially). Thus it’d be a much smaller and more focused listing to work from.

  • Oh ok, in that context that makes sense. Thanks for the clearing that up for me.

Log in to reply