
BSI sets the standard for SAP access risks and SoD
Governance, Risk and Compliance (GRC) solutions from EPI-USE Labs’ partner Soterion enable the British Standard Institution (BSI) to manage and report on their user access risks and SoD effectively.
85% reduction in potential risks
Improved auditor trust
Provisioning and monitoring of wide access to users
Customisable and user-friendly reports

Thanks to Soterion, I can ensure that our estate is secure, the data is secure, what people can and can’t do is secure. And the ability to report on that means that I feel secure, and we are doing the best for the organisation.
Zaki Mouden, Global Head of Enterprise Applications, BSI
The challenge: Minimal access and SoD controls
BSI has an SAP ECC6 system with around 1 200 users. They had very few controls in place to manage the risks of user access, reporting and Segregation of Duties (SoD) in their SAP environment. When they received a request for an internal audit of their finance system, they extracted all the requested reports through a long, manual process, and they found a number of high- and medium-risk areas.
They identified five challenges in their internal access control processes:
- Directive controls: Periodic reviews of their user access rights were not performed consistently.
- System reporting: Their existing user access reporting tool did not provide sufficient detail to perform an effective review process.
- Third-party users: Third-party users received similar access to internal employees, without sufficient monitoring.
- Super-users: Super-access rights were granted to members of internal teams: Finance System, SAP Experts, and Data and Reporting Integrity. This needed to be checked.
- Inappropriate user access rights: Access rights were not allocated correctly, and SoD was inadequate.
Extracting reports manually was a painful process, and we found a number of risk areas we needed to address. We realised that Soterion could solve our needs with their out-of-the-box solutions.
Zaki Mouden, Global Head of Enterprise Applications, BSI
Soterion solutions: mitigating all risk areas
To overcome and resolve the risk areas, BSI’s options included:
- doing nothing, using existing reports to extract data, and then manually manipulating it in Excel to produce the required reports.
- building custom reports in SAP, using the existing ABAP-developed programmes and customising them (accepting the risks that come with this approach).
- finding a tool that could help them overcome and resolve the risks.
BSI decided to adopt the solutions from EPI-USE Labs’ partner Soterion, which solves GRC for SAP clients. Soterion provides them with a list of all the risks within SAP, and they can run reports about which individuals should have specific access, using the built-in SoD parameters. This allowed them to develop a best-practice process, rather than falling back on historical ways of operating.
Compared to other systems I’ve used, it’s a lot simpler. It took us around a week to get it up and running. Support is amazing; Roy from EPI-USE Labs is our go-to person; he is always available and willing to help. It’s not what you normally get from large organisations.
Zaki Mouden, Global Head of Enterprise Applications, BSI
Solving GRC for BSI
BSI is putting Soterion’s solutions to good use, including:
- Allowing business users to extract their reports based on their roles and responsibilities. Not everyone needs SAP access. They have amended access to ensure that everyone can access what they need to for their specific roles, without exposing and risking company information.
- Amending transaction codes based on Soterion’s reports.
- 85% reduction of potential risks
- Detailed reporting of all access risks
- Reporting of risks in a business-friendly user interface
- Full audit log of activities performed by user
- Implementation in one week
- Cost savings, autonomy, no need for Basis assistance
We’ve had a lot of positive feedback from the end-users. We’ve given access to each individual department within Finance, so they can run their own reports, and they’ve all said it’s user friendly, intuitive and simple. You don’t need Basis to change anything, and it’s a much lower cost as we can maintain it ourselves.
Zaki Mouden, Global Head of Enterprise Applications, BSI
Industry: Professional services
Solution: Soterion
About BSI
The British Standards Institution (BSI) is the national standards body for the United Kingdom. BSI produces technical standards on a wide range of products and services, and supplies certification and standards-related services to businesses. Their purpose is to bring together every aspect of society, delivering through consensus independent, robust and expert best practice that enhances:
- Innovation
- Productivity
- Sustainability
- Safety