Beam Global Services and Millicom
Transforming access controls for Sarbanes-Oxley compliance at Millicom
Case Study · 7 minute read · 28 March 2026

As part of Millicom's Global Business Controls team, Beam Global Services led a series of access control projects across Europe, the USA and South America, transforming the processes and systems behind a successful Sarbanes-Oxley (SOX) compliance programme.
- Client: Millicom
- Industry: Telecommunications
- Our role: SOX access controls, RBAC, SoD & GRC transformation
- Featuring: SafePaaS · Oracle & SAP ERP
Millicom needed to achieve and sustain Sarbanes-Oxley (SOX) compliance across entities in Europe, the USA and South America. That meant overhauling IT access controls for key headquarters applications, including the Oracle and SAP ERP systems, and standing up the governance to keep those controls effective.
Beam led the engagement across the full lifecycle: a multi-year access controls strategy, a global Role Based Access Control (RBAC) model, the implementation of a SaaS GRC platform, and a new operating model that centralised the ERP access request process.
“We took SOX access controls all the way from a multi-year strategy to go-live, agreeing the SoD matrix with Ernst & Young and PwC, and centralising access management across eight countries.”
Situation
SOX compliance across three continents.

SOX sets strict expectations for IT access controls: Segregation of Duties, user provisioning, privileged access and recurring certification all have to be demonstrably effective. Millicom needed this across a complex estate of HQ and country entities running Oracle and SAP, spanning Europe, the USA and South America.
Achieving it demanded more than technical controls. It required global stakeholder buy-in and a new operating model for how access is requested, granted and governed across many countries at once.
Solution
Strategy, RBAC, SoD and GRC, end to end.

Beam led the programme from strategy through to go-live: drafting the Segregation of Duties policy with Internal Audit, building a Role Based Access Control model across HQ, shared-service and country entities, agreeing the SoD matrix with the external auditors, implementing the SafePaaS GRC platform, and transforming the ERP access request operating model.
How we delivered
Project milestones
01. Access Controls & Segregation of Duties Strategy
- Developed a multi-year strategy with the Director of Business Controls to ensure the effectiveness of critical SOX IT access controls for key HQ applications such as the Oracle and SAP ERP systems.
- Drafted the Segregation of Duties Policy for global enterprise systems, working closely with the Internal Audit team.
02. Role Based Access Control (RBAC)
- Developed an RBAC model for the Oracle ERP system across a 100-member Shared Service Centre in El Salvador, HQ entities (USA, UK, Luxembourg) and country entities (Bolivia, Paraguay, Honduras, El Salvador, Guatemala, Costa Rica).
- Implemented the new RBAC model by working closely with Finance and IT leadership in each entity.
- Led a team of multi-lingual outsourced subject-matter experts and in-house technology staff to build, test and deploy the new access controls model globally, using a mix of Agile and traditional delivery.
03. Segregation of Duties (SoD)
- Developed a SoD Matrix for the Oracle and SAP ERP systems, defining the SoD principles that govern segregation of access and the separation of roles.
- Agreed the SoD Matrix with the external auditors, Ernst & Young, and the PwC SOX Advisory team.
- Cleaned all SoD conflicts in the Oracle ERP system to ensure data and access segregation.
04. SOX Compliance
- Despite tight timelines, implemented the access controls needed to achieve successful SOX compliance, including quarterly review of Segregation of Duties conflicts, a defined process for requesting user access, an access control security policy, and quarterly re-certification of privileged access.
05. Global Stakeholder Management
- Led engagement with C-level stakeholders across multiple geographies (Luxembourg, USA, Colombia, Bolivia, Paraguay, Guatemala, Honduras, El Salvador) to generate buy-in for radically new access management processes.
- Influenced country Finance and IT teams to collaborate with the HQ Business Controls team to roll out new applications for key risk management processes such as user access administration.
06. Governance, Risk & Compliance (GRC)
- Led the implementation of a new SaaS-based GRC tool, from business case, to vendor selection, to solution design, to operating model transformation, to go-live.
- Led the definition of the Statement of Work and tracked supplier delivery against budget.
- The GRC tool, SafePaaS, transformed access controls delivery for back-office processes in eight countries.
07. Business Transformation
- Led a business transformation programme to centralise the ERP access request process by changing the operating model of the local IT function in seven different countries.
- Overcame significant resistance from mid-level IT managers in local and regional teams with a well-defined approach to business change management.
At a glance
Engagement at a glance
- Client: Millicom
- Our role: SOX access controls & GRC transformation
- Platforms: Oracle & SAP ERP
- GRC tool: SafePaaS
- Regions: Europe, USA & South America
- Auditors: Ernst & Young; PwC SOX Advisory

