Using Security Software To Assist Compliance

A natural gas distributor and oil producer implemented software that reports the actions individual employees undertake on its ERP system.
Energen, a Birmingham, Ala.-based diversified energy company, plans to use reporting software it acquired for internal security monitoring to assist its compliance with the Sarbanes-Oxley Act.

The $842 million natural gas distributor and oil producer in May implemented software from Approva, Vienna, Va., that it uses to report the actions individual employees undertake through its SAP enterprise resource planning system. Energen is now testing the software, called BizRights, on a separate SAP system containing duplicated ERP data that the company uses for training and quality assurance.

The Approva software is also expected to help publicly traded Energen comply with the demands of Sarbanes-Oxley. "The objective is to say, we need to know what access each user has when they get into this [ERP] system," said Sage Wagner, Energen's SAP security administrator.

Energen has been an SAP shop for about two years, and about 500 of its 1,200 employees use the ERP to do their jobs, Wagner said. Each user is assigned roles that allow them to carry out specific transaction codes, such as the creation of a purchase order or invoice. The ERP further enables employees to carry out "authorization objects," which might, for instance, involve filling in an individual data field within a transaction code screen.

Energen can use the Approva software to link to the ERP and track which of Energen's 2,000 transaction codes and, more specifically, which authorization objects individual employees use. BizRights creates reports for Energen's security, audit department or CFO that can show, for example, which employees have been updating the company's production tables.

That flexibility of use has made the software viable as a compliance tool as well as a security package. Individual duties and employees are segregated within BizRights workflows to ensure that only staff members who are cleared to carry out specific duties attempt to do so.

"If a person requests new access for a new role in SAP, they will go through [BizRights] and go through the automated workflow," Wagner said. "The first thing the software does is check to see if the request violates the segregation of duties that we've identified."

Energen has teamed with Approva to test an upcoming element of the application that will extend the software's current capabilities by adding an alerts capability. Wagner expects such preventative functionality to further improve Energen's ability to comply with Sarbanes-Oxley.

Approva charges $150,000 for a BizRights package that monitors up to 5,000 employees on an ERP system. Costs increase for more users, and annual maintenance is 18 percent.
