Access to ERP and other financial systems frequently marks an area of vulnerability in Sarbanes-Oxley compliance and antifraud efforts. The problem is that most end users want their IT colleagues to quickly fix any financial system problems and/or to tweak the system in response to business process changes.

This desire often creates a cadre of “super users” — IT lingo for individuals who have access to make changes to numerous different parts of the system. Super users are both a blessing (they can quickly fix any part of a vast financial system) and a curse (their carte blanche creates potential internal control problems). If an individual support person has access to make changes to, say, the vendor master list and the accounts payable (A/P) functionality, this can raise problematic segregation of duties (SoD) issues.

To balance the needs of operational end users and risk-management rigor, Aera Energy developed a process whereby IT system experts “check out” super-user system access as if it were a library card. The process, which is now automated within SAP’s SuperUser Privilege Management functionality works as follows:

1. Extensive system access is created within a handful of user identifications (IDs)
2. IT analysts responding to an end user request check out an ID and log how they’re changing the system and why they are doing so (a specific ID can only be used by one person until it is checked back in)
3. The tool automatically generates e-mails to relevant process owners, alerting them to who is using the ID and why
4. The tool also records a log of all activities, generating hourly reports to IT about the activities for safekeeping (and, if necessary, a clear audit trail)