Ipiranga Case

The Challenge
Ipiranga faced an environment highly sensitive to compliance risks, with an extensive SoX perimeter, strong dependence on customized programs in JDE, and limited documentation in the ABADI repository. Among the main problems, the following stand out:
• High volume of Segregation of Duties (SoD) conflicts;
• Excessive and unnecessary permissions;
• Presence of false positives and unmapped conflicts;
• Significant gaps in access controls;
• Fragility in the process of granting, reviewing, and revoking access.
Purpose of the Solution
Establish an ongoing access and identity management operation, focusing on regulating critical processes and increasing the maturity of internal controls. The strategy was built based on IAM (Identity and Access Management) best practices, involving:
• Clear definition of roles, responsibilities and chain of ownership;
• Structuring of internal controls and SoD matrix with updated rules;
• Development of workflows for granting and revoking access;
• Strict treatment of privileged access;
• Implementation of new risk approval and validation steps.
Implemented Solution
We mobilized a specialized identity and access management cell, dedicated to the continuous operation of:
• SoD analysis for user maintenance calls, positions, and profiles;
• Active monitoring of the JDE environment to identify and mitigate risks;
• Systematic updating of the risk matrix and compensating controls;
• Technical and strategic support to the internal controls area.
Achieved Results
• Mapped, documented, and standardized processes, raising the level of governance and compliance;
• Creation and implementation of workflows tailored to the client's reality;
• Significant reduction of access conflicts and false positives, with improved accuracy of controls;
• Establishment of a continuous, sustainable and auditable access management structure.
