If your company has already been audited, you know the importance of managing access to corporate systems, especially when it involves critical systems or those subject to audit, such as SAP S/4HANA, SAP ECC, SAP HCM, TOTVS Protheus, TOTVS Datasul, TOTVS PIMs, Oracle ERP, MS AD, ARIBA, CRM systems, SAP CCS, among others, with a focus on segregation of duties.


Critical systems and audited systems are those that generally process the organization’s business transactions related to financial, commercial movement, materials, purchases, etc. Obtaining and/or granting access to these systems with security and control may not be such a simple task.


Granting access to an organization’s systems requires specific care to avoid errors, fraud or GAPs with auditing and security. The most common practices before establishing an access granting procedure is to observe the degree of maturity of the security governance required by the business. The following list brings together the main points to be considered as requirements or practices for a good access control process:

  • Does my company intend to go public and, consequently, will it have to demonstrate greater access control to corporate systems?
  • My company is already publicly traded and, consequently, needs to remain compliant with SOx, CVM, JSOX, etc.?
  • My company does not intend to go public, but wants to use the best governance practices IBGC, COSO, COBIT, etc.?
  • Does my company have internal control, risk, security and audit practices that require effective governance?
  • Does my company have audit GAPs, related to segregation of duties or traceability of the use of critical functions?
  • Does my company have a history of leaks and fraud in corporate systems, as a result of access that allowed such losses?
  • Does my company understand the risks of a lack of effective access control governance and needs to establish greater control?
  • Does my company not have role segregation risk management, related to the access granted?

Addressing the points above will not necessarily guarantee an effective access control process to avoid GAPs with SOx, CVM auditing and compliance, etc. Behind this tangle of acronyms, concepts, practices and requirements, there is still a need to put together all the pieces of this “puzzle” and establish governance that guarantees the best access control process, without burdening the operational cost or “placing “the company’s processes.


An effective access control process may require artifacts that require time to prepare and implement. Depending on the situation, the organization may not have the minimum time necessary to address the mandatory artifacts for minimum compliance with governance controls. The list below mentions the main artifacts inherent to the access management process, considered mandatory when seeking control effectiveness and the establishment of a preventive process:

  • Risk matrix for segregation of duties (SoD – Segregation of Duties);
  • Risk matrix for critical transactions (SAT – Sensitive Access Transaction);
  • Catalog of compensatory controls;
  • Procedures for risk analysis and risk mitigation control;
  • Flow of approval and granting of systemic access;
  • Visibility of exposure to SoD and SAT risks, during the access approval flow.

Observing the market and evaluating the main artifacts mentioned above, Porttus Compliance Solutions developed the SaaS GRC Builder solution, so that organizations can maintain focus on their business, leaving the governance and compliance of access management to those who have this competence in their DNA. The GRC Builder solution incorporates all the main requirements and best market practices regarding access management and SoD and SAT risk monitoring.


Contact us and request a budget. Understand why large corporations chose the GRC Builder SaaS solution.

sales@porttus.com  |    Porttus.com

Abrir bate-papo
Podemos ajudá-lo?