By Fred Donovan, Senior Editor, SAPinsider
Many have heard the story about how HP began. Bill Hewlett and David Packard began making electronic equipment in their one-car garage in Palo Alto, California, in 1939. The garage is now a famous California historic landmark and is credited with being the birthplace of Silicon Valley.
HP has come a long way since its humble beginnings in that garage. It would grow into a multinational corporation and eventually split into two companies: HP Inc. and Hewlett Packard Enterprise.
In 2018, HP Inc. launched a strategic effort with three goals in mind: Make it easier for its customers to do business with the company; improve its internal processes for employees; and ultimately, gain an advantage over its competitors. Migrating to SAP S/4HANA was selected as the means to simplify its sprawling corporate systems, which were made up of a variety of SAP ERP Central Component (SAP ECC) platforms and other legacy systems.
Prior to the migration, the computer maker faced significant technical debt and a high total cost of ownership for IT and operations, with disparate systems and processes that prevented a consistent customer experience.
HP wanted instead a standardized platform that reduced IT duplication and simplified the application landscape. The SAP S/4HANA migration has proven to be a three-year odyssey.
A key component of the migration has been ensuring compliance with internal rules and external regulations, such as the Sarbanes-Oxley Act (SOX) and various data privacy laws.
“Our goal is to make it easier for our customers to do business with HP. We’re completely transforming our business processes and workflows internally to improve efficiencies and enhance how we do our business,” explains Carrie Gilstrap, IT Audit Manager, HP.
The company is still in the process of rolling out SAP S/4HANA to all its business units and regions, a process that Gilstrap expects to be completed in 2021. HP has more than 200 subsidiaries in 70 countries.
The company’s first go-live occurred in July 2018, followed by go-lives every six months.
Rethinking User Access and SoD Ruleset
As part of the company’s digital transformation, HP set up a new governance, risk, and compliance (GRC) system, including rethinking its user access processes and segregation of duties (SoD) ruleset.
In the past, HP relied on a homegrown tool for access control, but it implemented SAP Access Control and SAP Process Control as part of the SAP S/4HANA migration. HP conducts user access reviews twice a year, and much of that process is now automated through the SAP GRC solutions.
“We did a ground up build of the user provisioning processes and segregation of duties. We held SoD workshops where we had input from business stakeholders in order to build our SoD matrix from scratch,” says Gilstrap.
HP also scanned the new business roles for SoD. “We had a lot of processes around scanning the new business roles for SoDs before we went live, making sure that we were comfortable with the level of SoDs that we had, and meeting rating controls already identified,” she says.
According to Gilstrap, HP set a goal of achieving zero SoD conflicts within a role. “Even though the business will want to push you on that, you just can’t allow it. One of the benefits of the new implementation is starting new and hashing out SoD issues that existed in the past,” she explains.
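The two checks described in this section, scanning each new business role for conflicts on its own (the "zero SoD conflicts within a role" goal) and then scanning what a user accumulates across several role assignments, can be illustrated with a small scanner. The following is an added example written for this article; it is not HP's homegrown tool or SAP Access Control code. The SoD matrix, role definitions, user assignments and function names are all constructed for illustration.

```python
"""Minimal segregation-of-duties (SoD) scanner.

Added example, not code from HP or SAP. All data below is constructed:
the matrix of conflicting business functions, the role -> function
mapping, and the user -> role assignments are illustrative only.
"""
from itertools import combinations

# Constructed SoD matrix: pairs of functions one person must not hold,
# with a risk rating. Keys are written in arbitrary order on purpose;
# _normalize() sorts them so lookups do not depend on ordering.
SOD_MATRIX = {
    ("create_vendor", "approve_vendor_payment"): "high",
    ("approve_purchase_order", "create_purchase_order"): "high",
    ("maintain_customer_master", "post_customer_credit"): "medium",
    ("post_journal_entry", "approve_journal_entry"): "high",
}

# Constructed business roles and the functions each one grants.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_APPROVER": {"approve_vendor_payment"},
    "PURCHASER": {"create_purchase_order"},
    "PO_APPROVER": {"approve_purchase_order"},
    # A "superuser" role that carries a conflict inside the role itself.
    "P2P_SUPERUSER": {"create_vendor", "approve_vendor_payment", "create_purchase_order"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
}

# Constructed user -> role assignments.
USERS = {
    "alice": ["AP_CLERK", "PURCHASER"],        # clean
    "bob": ["AP_CLERK", "AP_APPROVER"],        # conflict created by combining roles
    "carol": ["P2P_SUPERUSER"],                # conflict inherited from one role
    "dave": ["PURCHASER", "PO_APPROVER"],      # conflict created by combining roles
}


def _normalize(matrix):
    """Return the matrix keyed by sorted function pairs."""
    return {tuple(sorted(pair)): risk for pair, risk in matrix.items()}


def find_conflicts(functions, matrix=SOD_MATRIX):
    """List (function_a, function_b, risk) for every conflicting pair in a function set."""
    normalized = _normalize(matrix)
    hits = []
    for a, b in combinations(sorted(functions), 2):
        risk = normalized.get((a, b))
        if risk:
            hits.append((a, b, risk))
    return hits


def scan_roles(roles=ROLES, matrix=SOD_MATRIX):
    """Intra-role check: which roles violate 'zero SoD conflicts within a role'."""
    report = {}
    for role, functions in roles.items():
        hits = find_conflicts(functions, matrix)
        if hits:
            report[role] = hits
    return report


def scan_users(users=USERS, roles=ROLES, matrix=SOD_MATRIX):
    """Cross-role check: conflicts a user accumulates through all assigned roles.

    Each hit records which assigned role(s) contribute each side of the
    conflicting pair, so a reviewer can see whether the fix is a role
    redesign or a change to the user's assignments.
    """
    report = {}
    for user, assigned in users.items():
        functions = set().union(*(roles[r] for r in assigned))
        detail = []
        for a, b, risk in find_conflicts(functions, matrix):
            via_a = sorted(r for r in assigned if a in roles[r])
            via_b = sorted(r for r in assigned if b in roles[r])
            detail.append({"functions": (a, b), "risk": risk, "via": (via_a, via_b)})
        if detail:
            report[user] = detail
    return report


if __name__ == "__main__":
    for role, hits in scan_roles().items():
        print(f"role {role} has intra-role conflicts: {hits}")
    for user, hits in scan_users().items():
        for h in hits:
            print(f"user {user}: {h['functions']} [{h['risk']}] via {h['via']}")
```

Running the intra-role scan first mirrors the order HP describes: a role such as the constructed `P2P_SUPERUSER` is flagged before go-live regardless of who holds it, while `bob` and `dave` are only flagged at the user level because each of their roles is clean in isolation. In a real deployment the matrix would come from the SoD workshops and the role and user data from the access-control system, and each hit would be tied to a mitigating control or remediated.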
Continuous Control Monitoring
SAP Process Control’s continuous control monitoring helps organizations prioritize control activities, ensure GRC information is up to date, and achieve sustainable compliance at a lower cost.
Continuous control monitoring is an “area of focus internally that we are still building out. What SAP GRC solutions offer that our homegrown tool did not is the workflow capabilities. That has been new for us,” Gilstrap notes.
Her team talked with other shops that had implemented continuous control monitoring, and they cautioned about the deluge of notifications that might result. Through those conversations HP was able to anticipate this effect and organize the notifications in a way that helped the team achieve audit efficiency.
“We use the tools to monitor our application controls, benchmark and monitor for change, and improve efficiency. It made our IT general controls easy by consolidating data from our legacy systems into one view,” she says.
Deloitte is HP’s primary SAP S/4HANA implementation partner, while PwC helps with compliance and controls. Gilstrap recommends that companies bring external auditors into the process as early as possible to get them familiar with the additional tools and the change in auditing approach.
“PwC helped us develop new risk and control matrices for each business process. They helped with our first set of continuous control monitoring tools, and they helped on our application controls testing prior to go-live,” she relates.
The migration to SAP S/4HANA represents a massive change to HP’s data center storage. “We worked with SAP to understand which data centers we were hosted out of and get the right system and organization controls (SOC) reports from the appropriate data centers,” she adds.
Gilstrap recommends that companies maintain a level of independence on compliance and controls by having a separate workstream in charge of this area that isn’t part of the main system integrator. This can be a separate team within the company or an outside auditing firm. Project teams are deadline and budget driven, so there’s always a temptation to cut corners on controls and compliance.
In addition, “we really wanted to automate controls as much as possible. We opted for configurable controls over manual controls when presented with the two options. That was one of the drivers of the project,” she says.
One of the lessons learned, according to Gilstrap, is to set up a separate group, or “tower,” to oversee the security and controls aspect of the SAP S/4HANA migration. “That helped drive a focus on compliance and controls,” she says. The security and controls tower worked alongside the procure-to-pay, order-to-cash, and other towers in the SAP S/4HANA implementation project.
“It’s helpful to have dedicated people who are budgeted as part of the project team – especially someone with internal audit experience,” she notes.
Gilstrap points out that “SAP S/4HANA is probably the most important system in the company, so you have to make sure you have those SOC reports lined up. You should have conversations about SOC reports with the vendor from the outset, making sure the reports give you what you need. It took a lot of calendar time to get that straight.”
What Does This Mean for SAPinsiders
- Empower project teams to assign focus to compliance too, not just cost and deadlines. Assign a dedicated team to compliance along the way when migrating to SAP S/4HANA and make compliance a priority early in the process.
- During the migration, have conversations with the vendor to ensure that SOC reports are lined up properly. Not having these conversations can add time and frustration to the SAP S/4HANA migration process.
- Continuous control monitoring is an important tool for a digital enterprise, so push for robust capabilities during the SAP S/4HANA implementation. Continuous control monitoring can help you prioritize control processes, confirm your GRC data is up to date, and reach sustainable compliance at a lower cost.
- Headquarters: Palo Alto, California
- Industry: Computer and printer maker
- Employees: 53,000
- Annual revenue: 56.6 billion US dollars
- Company details: HP Inc. was formed in 2015 by the split of Hewlett Packard into two companies: HP Inc. makes personal computing, printers, and other devices, and Hewlett Packard Enterprise provides enterprise products and services.
- HP is the second largest PC maker by unit sales. It has more than 200 subsidiaries around the world.
- SAP Solutions: SAP ERP Central Component, SAP S/4HANA, SAP Access Control, SAP Process Control, SAP 360 Customer.
MEET THE EXPERTS
Carrie is an experienced IT Audit Manager with 20+ years of experience in the information technology and services industry. She is skilled in business process, internal audit, SAP, GRC, SOX compliance, operational IT audits, continuous auditing, and audit tool development. She is CISA certified and holds an MBA (focused in Organizational Leadership) from Santa Clara University.