ToggleNow Transforms SAP Access Reviews Beyond Checkbox Compliance

Meet the Authors

  • Joe Perez

    Senior Manager, Content Products & Senior Editor

Key Takeaways

  • ReviewNow transforms periodic access reviews from mere compliance checks to data-driven decision-making, enhancing security and governance for SAP systems.

  • The solution automates follow-ups and scheduling of reviews, allowing organizations to maintain continuous audit readiness and proactive governance without manual intervention.

  • ReviewNow provides comprehensive insights into user access, improving the accuracy of reviews and helping organizations demonstrate measurable risk reductions to stakeholders.

Periodic access reviews are vital for SAP compliance, but standard GRC tools often reduce them to checkbox exercises that satisfy auditors without improving security. In this interview, Raghu Boddu, CEO of ToggleNow, introduces ReviewNow, an enhanced user access review solution built to provide actionable insights, automate follow-ups, and deliver continuous audit readiness. By reframing access reviews as data-driven decisions rather than rote compliance, ReviewNow helps enterprises close critical governance gaps and improve risk management.

Could you walk us through ReviewNow, the ToggleNow Enhanced User Access Reviews product for SAP, its origins, and the specific challenges it was designed to address for users?

Based on my experience working with over 70 clients, I would say SAP GRC lacks an effective periodic access review mechanism. There are many limitations in performing and utilizing the User Access Review (UAR) and Segregation of Duties (SoD) reviews in SAP GRC. That’s where I see a real need or gap in providing the right data points to reviewers. Currently, in standard SAP UAR & SoD Reviews, it’s just a check-in-the-box process. Since auditor requirements mandate periodic reviews, companies comply, and reviewers simply confirm everything is reviewed. However, this doesn’t provide the necessary data points for reviewers to make a go or no-go decision.

We developed ReviewNow so that it provides key data points to the reviewer when a review is triggered. It indicates whether the user is truly utilizing all the transaction codes or Fiori apps within the respective role. It shows what the last usage was, how many times the user has used each transaction code or Fiori app, and whether there is a critical risk; specifically, if there is criticality involved with that transaction code. Additionally, it displays the licensing category that each transaction code belongs to.

Now that SAP has simplified the licensing concept with its STAR (SAP S/4HANA Trusted Authorization Review) rules for evaluating licensing category based on FUE (Full Use Equivalent), ReviewNow utilizes this. Using that SAP standard information, we evaluate the correct licensing category for that specific T-code based on the details maintained in the role and inform you whether this T-code is classified for developer, professional use, functional use, or productive use at both the individual user level and role level. These data points help the reviewer make a clear decision on whether that access should be retained for that user or removed.

From a security and audit perspective, how does it help organizations strengthen their compliance?

A useful feature of ReviewNow is that you can schedule recurring review processes. There are several options available. For example, you can conduct a sensitive access review, which can be set to occur every 15 days, 30 days, or as per the auditor requirement.

With ReviewNow, follow-ups will be handled automatically. After a certain number of follow-ups, you can take enforced actions, such as locking the user or removing roles awaiting review. You can choose the action you want to perform.

You can also set up a regular review so that it automatically occurs every three months. Once you schedule it, it will do so automatically. Everything is automated, and you can download detailed reports after each review.

Have you received feedback from auditors or regulators about its effectiveness?

Yes, we have already deployed it for several customers and demonstrated it to the Big Four auditors who were conducting the audits. They were pleased with the capabilities of the ReviewNow application. The reviews are more accurate and include all data points. From an auditor’s perspective, it provides a complete snapshot of each review—when it took place, who performed it, from which system, and how much time was spent.

What This Means for SAPinsiders

Access reviews become strategic rather than compliance theater. Technology executives can finally demonstrate measurable risk reduction to boards and auditors with data-driven access decisions instead of checkbox exercises.

Security teams shift from manual follow-ups to proactive governance. IT professionals will spend less time chasing reviewers for responses and more time analyzing usage patterns to optimize role designs and eliminate unused privileges.

Audit preparation transforms from reactive scrambling to continuous readiness. SAP administrators can provide real-time compliance evidence and detailed audit trails, reducing the stress and resource drain of annual audit cycles.
