EVBox – Reduction of SAP risks via cleaning and authorisation redesign

EVBox is a Dutch provider of charging stations for electric vehicles. The company was founded in Almere in 2010 and in a few years has grown into one of the market leaders in the field of versatile charging systems. EVBox, based in Amsterdam, is one of the fast-growing products in the charging station industry. The Dutch charging station manufacturer produces high-quality, user-friendly, and easy-to-manage charging solutions for a wide range of users, from home use to the most complex business applications. In addition to a varied model range, EVBox also offers customers charge management, service, and various accessories. EVBox chargers are suitable for use at home, at work, and in public places.

EVBox is improving the IT controls, including the design and implementation of the IT General Controls and the improvement of the SAP authorization concept to mitigate risk related to the segregation of duties and critical access. You asked us to help you redesign your SAP roles and authorizations for the SAP HANA production environment.

In 2022, BR1GHT performed a baseline assessment to determine the risks of the SAP Authorisation design.  Based on this assessment, EVBox has decided to mitigate the risks by redesigning its SAP Authorisations. It is their ambition to have an SAP environment in which the key risks are mitigated and the fundament of the authorization concept is strong and robust.

The SAP Redesign consists of two phases:

• Fi related roles which will be go-live within 4 month
• The non FI related roles will go live within 2 month

The scope of the redesign is not limited to Finance, sales and purchasing, but is also FIORI apps are part of the scope of the project.

Within this redesign, we use the Soterion technology daily. To design and implement risk-free single roles, to simulate risks when combining roles in business workshops, and to analyse the quality of the result. Soterion is key in an efficient authorization redesign. Sound United has chosen to use the standard Soterion rule set, it is also possible to configure client-specific SoD and risk rule sets when desired.

We will deliver an authorization design with is has limited key risks and Sods. The SoDs which are in the system are approved by the business and mitigated controls are designed and implemented to reduce the risk.

Parallel to the get clean activities, EVBox emphasized the importance for the stay clean activities. Together we are defining task and responsibilities, processes, technology and we are defining a target operating model on how EVBox could stay clean.  We are going to discuss several alternatives including our shared service centre in South Africa which could support Sound United in the stay clean activities.