First Advisor

Kuhn, Darl


College for Professional Studies

Degree Name

MS Software and Information Systems


School of Computer and Information Sciences

Document Type

Thesis - Open Access

Number of Pages

68 pages


The reality of the Sarbanes-Oxley Act, is that it is among the most visible and farreaching regulations that organizations face today. Failure to comply can result in significant loss of market capitalization and shareholder trust, as well as criminal liability for corporate executives. In this thesis the author focused on the implementation of SAP security software including the development of several ongoing production environments that will have a formalized security strategy to achieve SOX compliance. Spacely Chemicals, just as many other SAP customers understands the importance of SOX compliance. In the past Spacely Chemicals has not implemented the appropriate policies to enforce procedures within the business that would easily allow for IT controls and audit of the existing SAP R/3 application. This thesis includes the SPACELY Chemicals implementation of the latest suite of SAP applications. SAP is complex software that offers many levels of security design and control options. It will also cover procedures for securing SAP systems and their external interfaces, focusing primarily on scenarios for user and role maintenance. It discusses user maintenance procedures and documented for issues relative to requesting changes to user access because of job change, project responsibility change and employee or contractor terminations. In addition, role maintenance procedures are documented including the security architectural role strategy, naming conventions and procedures for identifying ownership and approvals for all security components. Both user maintenance and role maintenance procedures pay particular attention to ensuring the requirement for segregation of duties (SOD) and SOX compliance is not jeopardized. The application security implementation will be outlined and defined through appropriate controls such as policies and procedures. The procedures for managing the level of access granted to users and managing the level of access in job roles must be outlined through policies as well. By following the guidelines and recommendations from the Control Objectives for Information and Related Technologies (COBIT), the SAP applications discussed in this thesis will help SAP customers meet and maintain SOX compliance.

Date of Award

Spring 2006

Location (Creation)

Denver, Colorado

Rights Statement

All content in this Collection is owned by and subject to the exclusive control of Regis University and the authors of the materials. It is available only for research purposes and may not be used in violation of copyright laws or for unlawful purposes. The materials may not be downloaded in whole or in part without permission of the copyright holder or as otherwise authorized in the “fair use” standards of the U.S. copyright laws and regulations.