Global Law Firm Motions to Eliminate Risk
How Linklaters Called to Order SAP System Access
Linklaters LLP, a global corporate law firm with 29 offices in 20 countries, stresses the importance of risk mitigation to its worldwide client base. And with a risk department made up of more than 50 in-house lawyers and advisers to support partners and senior managers in complying with all rules and regulations for each local office, it practices what it preaches with regular risk reviews to help identify and address any potential issues.
Linklaters’ focus on risk is not solely centered on legal risk; reviews also cover concerns around internal risk that relate to access and the use of the firm’s SAP solutions, including SAP ERP, SAP Customer Relationship Management, SAP Business Warehouse, SAP ERP Human Capital Management (SAP ERP HCM), SAP Solution Manager, SAP BusinessObjects solutions, and SAP ERP Financials. The firm regularly runs reports to verify user access information — such as precisely what users have access to and how they’re using those systems — and to flag any potential segregation of duties (SoD) conflicts.
Until recently, the firm used an external tool and spreadsheets to extract user data and analyze its roughly 5,300-user SAP environment. “Using standard tools was drawn out and difficult, and our existing processes around reporting to our finance and internal audit teams regarding whether there was a risk, or whether a user actually required the access they had, was becoming less and less sustainable,” says Richard Butt, SAP Team Leader at Linklaters. “We wanted a more accurate and less time-consuming process to ensure that we stay clean and in control.”
In 2015, partly at the request of the firm’s internal audit and finance departments, Linklaters started evaluating governance, risk, and compliance (GRC) solutions as the basis for a more stringent SoD strategy. With a list of system requirements and considerations that included cost, installation, configuration, back-up, and disaster recovery (DR), the firm embarked on a vendor search and selected Security Weaver, an SAP partner, from a list of three finalists.
Two main factors made Security Weaver stand out from the competition, according to Butt. One was across-the-board positive customer references, specifically one from another UK-based professional services firm. The second was the fact that Security Weaver’s controls platform is offered as a modular set of applications that does not require additional hardware or infrastructure expense.
“We liked the fact Security Weaver sits inside our main SAP systems, resulting in processes such as DR and back-up being covered in existing SAP systems rather than having to create new processes for a separate system,” Butt says. (For more information about Security Weaver’s solutions, refer to the sidebar at the end of the article.)
Reams of Evidence
After running a proof of concept, Linklaters chose to purchase and roll out five Security Weaver solutions: Separations Enforcer, Emergency Repair, Process Auditor, Transaction Archive, and License Management. Security Weaver delivers the platform via SAP transports to install into development and quality assurance (QA) systems before running in production.
The firm started with Transaction Archive, which Butt says was up and running in production the day after the firm signed the contract. Transaction Archive — part of the Role Lifecycle Management set of solutions — gathers, compresses, stores, and analyzes SAP transaction code execution history, which customers then use to improve end-user management, training, and security.
Transaction Archive also eliminated the firm’s reliance on limited batches of sample data to flag SoD conflicts and to check transaction history. With complete visibility into user transaction code history, now covering the 18 months since the application was rolled out, Linklaters can instead run random spot checks on users to verify compliance, set a usage baseline for specific roles, and better predict and manage licensing needs.
“I say that Transaction Archive is ‘GOLD’ because based on that user activity information we can now make numerous decisions by simply highlighting whether they really need their current access,” Butt says. “We didn’t truly understand the full impact of Transaction Archive until we started using the data. It is invaluable.”
Mitigation of Malfeasance
The Separations Enforcer application, which automates SoD checks, pairs well with Transaction Archive because the transaction execution data provides companies with more information to plug into the application’s function-based matrix to analyze, manage, and reduce conflicts. Reporting templates provide fast analysis and documented compliance. According to Butt, Linklaters is leaning heavily on the application to help expand a financial shared services center in Warsaw, Poland. “Separations Enforcer has helped divide roles so no one has more access than they need,” he says. “And by centralizing some of our finance functions by funneling all the work to one team, we have increased SoD exposure.”
Process Auditor and Emergency Repair likewise help ease a transition to shared services by delivering process-based and role-based controls respectively: Process Auditor is set up for contractors, third-party vendors, and temporary users, while Emergency Repair grants users elevated access for a limited time frame (often referred to as a “firefighter” tool).
Butt says that Linklaters uses Process Auditor mostly for giving third-party users temporary SAP access. “We built controls to monitor access to the systems,” he says. “It’s like Transaction Archive in that it documents what people are doing in the system, but it also allowed us to build a control around that access so we are now alerted if users exceed their allotted transactions.”
Linklaters uses Emergency Repair primarily to grant temporary exceptional access to users who need it to perform functions beyond their usual duties and only for a specific time, such as month-end activities. Emergency Repair monitors and manages this access via the recording of all necessary approvals, the access itself, and the automatic removal of the access at the expiration of the pre-set time limit. Approvers and managers can then go into the system to approve the transaction log. Emergency Repair also includes customizable workflows, which gave Linklaters the flexibility to fit it to the firm’s particular requirements.
Like the other Security Weaver products, Emergency Repair is installed directly in the SAP system; this precludes the need to set up the emergency access under a separate account, like many competitors’ firefighter tools. “Because Emergency Repair provides access to the normal user ID for only the period requested, there is less work on the part of the auditor,” Butt says. “Our auditors have been thrilled with the risk control and the way we have used the application.”
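The control the two paragraphs above describe (an approval recorded before access becomes active, a fixed expiry, automatic removal, and an approver reviewing the transaction log afterwards) is easier to reason about as a small state model. The following is an added example written for this article, not Security Weaver’s code or any SAP API; the `EmergencyAccess` class, the user and approver names, the role `Z_FI_CLOSE` and the timestamps are all constructed for illustration.

```python
"""Time-boxed emergency ("firefighter") access granted on the user's own ID.

Added example, not Security Weaver's code. A grant is only active once an
approval is recorded, it has a fixed expiry, an expiry sweep removes it
automatically, every transaction run under it is logged against the grant,
and the approver signs off the log after removal. All names, roles, tcodes
and timestamps below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    grant_id: int
    user: str
    role: str                      # elevated role added to the user's own ID
    reason: str
    requested_at: datetime
    expires_at: datetime
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    log: list = field(default_factory=list)   # (timestamp, tcode) pairs
    reviewed_by: Optional[str] = None

    def active(self, now: datetime) -> bool:
        """Access is usable only between approval and expiry/revocation."""
        return (self.approved_at is not None and self.revoked_at is None
                and now < self.expires_at)


class EmergencyAccess:
    def __init__(self):
        self._grants = {}
        self._next_id = 1

    def request(self, user, role, reason, now, hours):
        g = Grant(self._next_id, user, role, reason, now,
                  now + timedelta(hours=hours))
        self._grants[g.grant_id] = g
        self._next_id += 1
        return g.grant_id

    def approve(self, grant_id, approver, now):
        g = self._grants[grant_id]
        if approver == g.user:                  # no self-approval
            raise PermissionError("requester cannot approve own grant")
        g.approver, g.approved_at = approver, now
        return g

    def record_tcode(self, grant_id, tcode, now):
        """Log a transaction executed under the grant; refuse outside the window."""
        g = self._grants[grant_id]
        if not g.active(now):
            raise PermissionError(f"grant {grant_id} not active at {now}")
        g.log.append((now, tcode))

    def sweep_expired(self, now):
        """Scheduled job: remove the role from every approved grant past expiry."""
        removed = []
        for g in self._grants.values():
            if g.approved_at and g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                removed.append(g.grant_id)
        return removed

    def review(self, grant_id, reviewer):
        """Approver sign-off on the log, allowed only once access is gone."""
        g = self._grants[grant_id]
        if g.revoked_at is None:
            raise ValueError("review only after access has been removed")
        g.reviewed_by = reviewer
        return list(g.log)


def month_end_scenario():
    """Constructed walk-through: 8-hour grant for month-end close activities."""
    ea = EmergencyAccess()
    t0 = datetime(2017, 3, 31, 9, 0)
    gid = ea.request("jsmith", "Z_FI_CLOSE", "month-end close", t0, hours=8)
    try:                                        # use before approval: rejected
        ea.record_tcode(gid, "F.19", t0 + timedelta(minutes=5))
        early_rejected = False
    except PermissionError:
        early_rejected = True
    ea.approve(gid, "fin_manager", t0 + timedelta(minutes=10))
    ea.record_tcode(gid, "F.19", t0 + timedelta(hours=1))
    ea.record_tcode(gid, "FAGLGVTR", t0 + timedelta(hours=2))
    removed = ea.sweep_expired(t0 + timedelta(hours=8))   # expiry reached
    try:                                        # use after removal: rejected
        ea.record_tcode(gid, "F.19", t0 + timedelta(hours=9))
        late_rejected = False
    except PermissionError:
        late_rejected = True
    log = ea.review(gid, "fin_manager")
    g = ea._grants[gid]
    return {"early_rejected": early_rejected, "late_rejected": late_rejected,
            "removed": removed, "tcodes": [t for _, t in log],
            "reviewed_by": g.reviewed_by,
            "active_after": g.active(t0 + timedelta(hours=8, minutes=1))}


if __name__ == "__main__":
    print(month_end_scenario())
```

Because the grant is attached to the user’s own ID rather than a shared firefighter account, the log in `review()` is already attributed to a named person, which is the point Butt makes about reducing the auditor’s work.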
Security Beyond a Reasonable Doubt
Butt says that a big benefit is how Transaction Archive, Separations Enforcer, and Emergency Repair work with an earlier installation of Security Weaver’s Role Recertification solution, which along with Separations Enforcer and Emergency Repair is part of the Access Management suite. Role Recertification, as its name suggests, automates recertification of SAP user access, a traditionally labor-intensive exercise that organizations typically perform twice a year to satisfy Sarbanes-Oxley (SOX) controls. The firm plans to use Role Recertification as a complementary solution with Transaction Archive, using data from the latter product to inform recertification decisions.
“Our finance manager is very keen on Role Recertification as a product that will control access management,” Butt says. “As people change jobs within the organization or as we continue to centralize, this application will help us avoid access creep, which is where people by default keep the access they’ve had in the past. We will be able to recertify based on how active a user has been against certain transactions or against a particular role, which is how it works with Transaction Archive.”
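The two uses of transaction history described above, plugging execution data into a function-based SoD matrix (Separations Enforcer) and recertifying roles by how active a user has been against them (Role Recertification), share one computation: map both granted and executed transaction codes onto business functions, then compare. The following is an added example written for this article, not Security Weaver’s code or SAP’s own authorization model. The function-to-tcode grouping, the conflict matrix, the `Z_*` roles, the users and the execution log are all constructed sample data; the SAP tcodes named are real but their grouping into functions is illustrative.

```python
"""Function-based SoD analysis and stale-role detection over SAP tcode history.

Added example, not Security Weaver's code. Business functions are sets of
transaction codes; a conflict matrix names function pairs one user must not
hold together; role assignments give *potential* access and an execution log
(modelled loosely on a Transaction Archive style record) gives *actual* use.
Everything below is constructed sample data.
"""
from datetime import date

# Hypothetical grouping of tcodes into business functions.
FUNCTIONS = {
    "vendor_master":  {"XK01", "XK02", "FK01", "FK02"},
    "vendor_invoice": {"FB60", "MIRO"},
    "payment_run":    {"F110"},
    "user_admin":     {"SU01", "PFCG"},
}

# Conflict matrix: pairs of functions that must be segregated.
CONFLICTS = {
    frozenset({"vendor_master", "vendor_invoice"}),
    frozenset({"vendor_master", "payment_run"}),
    frozenset({"vendor_invoice", "payment_run"}),
}

# Role -> tcodes the role grants (constructed roles).
ROLES = {
    "Z_AP_CLERK":  {"FB60", "MIRO", "FBL1N"},
    "Z_AP_MASTER": {"XK01", "XK02", "FK02"},
    "Z_TREASURY":  {"F110", "FBL1N"},
    "Z_BASIS":     {"SU01", "PFCG", "SM37"},
}

# User -> assigned roles (constructed users).
ASSIGNMENTS = {
    "jsmith": {"Z_AP_CLERK", "Z_AP_MASTER"},   # conflict, and both sides used
    "akowal": {"Z_AP_CLERK", "Z_TREASURY"},    # conflict, only one side used
    "bwong":  {"Z_BASIS"},                     # no conflict
}

# Execution log as (date, user, tcode), constructed.
LOG = [
    (date(2017, 3, 1), "jsmith", "FB60"),
    (date(2017, 3, 2), "jsmith", "XK02"),
    (date(2017, 3, 3), "akowal", "MIRO"),
    (date(2017, 3, 5), "bwong", "SU01"),
]


def functions_for(tcodes):
    """Business functions that a set of tcodes enables."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def granted_tcodes(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of tcodes across the user's assigned roles (potential access)."""
    codes = set()
    for role in assignments.get(user, ()):
        codes |= roles[role]
    return codes


def executed_tcodes(user, log=LOG, since=None):
    """Tcodes the user actually ran, optionally only from a given date."""
    return {t for d, u, t in log if u == user and (since is None or d >= since)}


def sod_conflicts(user, assignments=ASSIGNMENTS, roles=ROLES, log=LOG):
    """(function_a, function_b, status) per granted conflict.

    'exercised' means the user ran tcodes on both sides of the conflict, so
    it is a live exposure; 'latent' means it is granted but not both used,
    which usually points at access that can simply be removed."""
    granted = functions_for(granted_tcodes(user, assignments, roles))
    used = functions_for(executed_tcodes(user, log))
    found = []
    for pair in CONFLICTS:
        if pair <= granted:
            a, b = sorted(pair)
            found.append((a, b, "exercised" if pair <= used else "latent"))
    return sorted(found)


def unused_roles(user, assignments=ASSIGNMENTS, roles=ROLES, log=LOG):
    """Roles none of whose tcodes the user executed: recertification candidates."""
    ran = executed_tcodes(user, log)
    return sorted(r for r in assignments.get(user, ()) if not roles[r] & ran)


def report(assignments=ASSIGNMENTS, roles=ROLES, log=LOG):
    return {u: {"conflicts": sod_conflicts(u, assignments, roles, log),
                "unused_roles": unused_roles(u, assignments, roles, log)}
            for u in sorted(assignments)}


if __name__ == "__main__":
    for user, findings in report().items():
        print(user, findings)
```

The `latent` versus `exercised` split is what usage data adds over a pure role-based check: a latent conflict can often be closed by removing the unused role outright (the same list `unused_roles` produces for recertification), while an exercised one needs a mitigating control or a redesign of the roles.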
The data from Transaction Archive has also informed Linklaters in its use of the License Management product. With such a rich supply of user access data combined with License Management’s role recommendation reports and automated role re-allocation features, Linklaters is better able to make informed decisions regarding current and future licensing needs.
The Verdict Is In
The Security Weaver platform touches nearly all the firm’s roughly 5,300 employees. Beyond finance and marketing users, this includes the 2,800 or so partners and lawyers who use employee self-service and other SAP ERP HCM functionality. Linklaters installed the five Security Weaver solutions in its controls suite in a relatively condensed timeline: only three months. The quick turnaround was due in part to the fact that the solutions were already running in a QA environment. The firm chose a controlled rollout because of resource allocation, but also to allow time to resolve any potential setbacks.
One minor challenge, according to Butt, was that the firm’s custom installation language didn’t work seamlessly with the SAP transports, but Security Weaver technical support worked with the internal Basis team at Linklaters to straighten out the problem. “The implementation was pretty easy, largely due to the proof of concept we ran beforehand,” Butt says. “We got through most of the issues before ever going into production.”
Having 18 months of data in Transaction Archive was a foundational springboard for how the firm transformed access management, license optimization, continuous controls, and security analytics in less than two years, according to Butt. “The main business reason for implementing Security Weaver was to reduce the risks that were highlighted by auditors, and a lot of the benefits we’ve seen — such as being able to highlight when users have access they shouldn’t, mitigating SoD exposure, and managing license adherence — all stem from Transaction Archive,” he says. “Once Transaction Archive starts to record transactions, everything else kind of spins off that.”