"As being faced with numerous SAP R/3 authorization conflicts, at Delhaize Corporate Financial Systems, we decided to contact [...] the largest authorizations company in Belgium, providing services in audit, control and security. The challenges were threefold; first of all an incomplete authorizations set-up needed to be replaced with a future-proof concept supporting Delhaize Group's anticipated growth path."
Willem Baelde
SAP Centre of Excellence Manager
Delhaize Group
Secondly as SAP platforms are planned to be merged, the authorization redesign needed to meet this business challenge as well, not to ignore SOX compliancy requirements as Delhaize quotes on New York Stock Exchange. Finally, from day 1 the project team was very sensitive to project scope adherence and timely delivery with highest quality to be delivered at all times.
Once both finance and audit department agreed on the project scope and methodology the project kicked off mid 2007 with the CSI Authorization Auditor analysis followed by workshops for all functional domains in countries in scope. Modules in scope for the SAP ERP Central Component 5.0 application are Finance, Controlling, Retail, Basic Components and Workflow for 3 countries: Romania, Greece and Belgium.
The workshops were organized in the different countries with the key users and the management. The information of these workshops together with the statistics of the transactions used, served as a first input for the building of the tasks. Using the CSI tools and a rule set, Segregation of Duties (SoD) conflict free tasks have been designed. These tasks were tested thoroughly by both the business and consultants; period during which the support from the CSI consultants was fast and efficient. Once tested, the tasks are combined in real business functions that need finally to be assigned to users. These functions are as close to the organizational functions of the end users as possible.
As Delhaize Group deliberately decided for running concurrent projects, the function testing on authorizations has been combined with the functional integration testing of the ongoing platform migration project.In the meantime, all SOD conflicts have been analyzed and together with management and internal audit, mitigating controls are put in place. Simultaneously business procedures for user creation, authorization management and specific corporate tasks have been updated, allowing monitoring as well as enforcement.
CSI implemented a SOX compliant SAP authorization concept at Delhaize Group. The first go live (01/08) was part of the Romanian (Mega Image banner) migration to the European SAP platform; for Greece (AB banner and the new acquisition Hellas Plus) the implementation was a standalone project and was carried out on April 2008 and in a third phase, Belgium (Delhaize Le Lion) will be migrated to the European platform by January 2009
Willem Baelde
SAP Centre of Excellence Manager
Delhaize Group