By Fred Donovan, Senior Editor, SAPinsider
A poorly executed SAP security redesign can have significant effects on an organization: unauthorized access, increased potential for fraud, inefficient access provisioning for end users, and audit issues.
To avoid this scenario and improve security, more companies are combining their SAP security redesigns with updates to their SAP GRC solutions, observes Adam Fattorini, Senior Manager, PwC SAP Advisory, SAP Security, and GRC.
“In the past, we’d see clients doing these things separately. They might have a security redesign and then put SAP GRC in place. After that, they’d have insight as to what exposure they had from a segregation of duties (SoD) perspective and have to go back and do a security redesign again,” he says. Now the focus is on efficiency and getting it all right the first time, Fattorini explains.
Redesigning Security and Updating GRC at the Same Time
Companies are beginning to understand that SAP’s security and GRC tools go together. “Why would I design security without a tool that can check for SoDs or can keep users clean and provision them? I might as well bucket those together. It’s going to be a little bit more expensive upfront, but over the long run, you’re going to save time and money,” Fattorini says.
“It really does come down to cost savings and synergy, especially in the U.S. where public companies are regulated by Sarbanes-Oxley (SOX),” he says.
SOX requires public companies to have proper internal control structures to ensure that their financial statements accurately reflect their financial results. It also mandates formal data security policies as well as communication about and consistent enforcement of those policies. As a result, there are business and operational risks that come from SOX that companies need to consider.
“When a company goes through a security redesign, it really looks great from a security perspective. But as soon as they have a tool that grants visibility into SOX or other regulatory risks, they start to see that they should have built roles differently,” Fattorini says.
If the company had done both a security redesign and GRC update at the same time, there would have been meetings with all of the business owners to talk about T codes and authorization objects as well as SOX compliance and business risks, he adds.
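To make the SoD check Fattorini describes concrete, here is an added example (not code from the article, PwC or SAP): a toy ruleset applied to a constructed role design, flagging both a role that bundles a conflict by itself and a user whose combination of roles creates one. The T-codes are real SAP transactions; the ruleset, role names and users are constructed.

```python
# Added example (not from the article, PwC or SAP): an SoD conflict check over a
# proposed role design. T-codes are real SAP ones; ruleset, roles, users are constructed.

# Business functions expressed as the transaction codes that grant them.
FUNCTIONS = {
    "VENDOR_MASTER": {"XK01", "XK02", "FK01"},  # create/change vendor master
    "VENDOR_PAYMENT": {"F110", "F-53"},         # run/post vendor payments
    "PO_CREATE": {"ME21N"},                     # create purchase order
    "GR_POST": {"MIGO"},                        # post goods receipt
}
# SoD risks: pairs of functions one person should not hold together.
RISKS = {
    "P001": ("VENDOR_MASTER", "VENDOR_PAYMENT"),  # create a vendor, then pay it
    "P002": ("PO_CREATE", "GR_POST"),             # order goods, then receive them
}
# Constructed role design under review and the users assigned to it.
ROLES = {
    "Z_AP_CLERK": {"XK01", "XK02", "F110", "FB60"},  # bundles P001 inside one role
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO", "MB51"},
    "Z_AP_DISPLAY": {"XK03", "FK03"},                # display-only, no function
}
USERS = {
    "jdoe": ["Z_BUYER", "Z_WAREHOUSE"],  # P002 arises only from the combination
    "asmith": ["Z_AP_DISPLAY"],
}

def functions_granted(tcodes):
    """Business functions enabled by a set of T-codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & set(tcodes)}

def sod_violations(tcodes):
    """Sorted risk IDs for which both conflicting functions are enabled."""
    granted = functions_granted(tcodes)
    return sorted(r for r, (a, b) in RISKS.items() if a in granted and b in granted)

def check_roles(roles):
    """Intra-role check: roles that bundle a conflict by themselves, i.e. the
    'should have built roles differently' finding the GRC tool surfaces."""
    return {name: v for name, tcodes in roles.items() if (v := sod_violations(tcodes))}

def check_users(users, roles):
    """Cross-role check: conflicts that only appear when a user's roles combine."""
    found = {}
    for user, assigned in users.items():
        tcodes = set().union(*(roles[r] for r in assigned))
        if v := sod_violations(tcodes):
            found[user] = v
    return found
```

Running `check_roles(ROLES)` flags Z_AP_CLERK for P001 before any user is provisioned, while `check_users(USERS, ROLES)` flags jdoe for P002 even though neither of that user's roles is a problem on its own.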
Continuous Control Monitoring Saves Time and Costs
More PwC customers are implementing SAP Process Control’s continuous control monitoring (CCM). CCM is the process and technology used to detect compliance, risk, and control issues associated with a company’s financial and operational environment.
Benefits of using CCM include cost reductions, improved efficiency and effectiveness, increased test coverage and timeliness, reduced risk velocity and remediation cost, greater visibility, and improved consistency. SAP’s CCM helps organizations prioritize control activities, ensure GRC information is updated, and achieve sustainable compliance at a lower cost.
“If you are willing to go the extra mile, you can now continuously monitor controls, or you can do policy management or set up a test control repository,” Fattorini says.
“I’m spending upwards of 5,000 hours a year managing an entire suite of controls where we could replace that with CCM, and all of that activity that people were completing manually would be automated,” he says.
“With CCM, all those hours can go back into the business to get repurposed for other projects, such as hardware upgrades. It is a huge time and cost saver,” he adds.
Fattorini offers some lessons learned from working with customers on SAP security and GRC tools.
“One of the lessons I’ve learned is that it’s important to understand your audience and make sure that you target your message appropriately. That way they get what they need, and they understand what you’re talking about so that you get value back from them,” he explains.
“Another big lesson learned involves SAP Access Control. It sounds easy when you’re talking about provisioning, rulesets, and these other functionalities. But for some people, access control can be a difficult concept for them to grasp,” Fattorini says.
“It’s important to explain to people up front what the tool does. Additionally, be prepared to answer relevant questions. Who are the economic buyers? Why is the company buying the tool? These are the types of questions people may ask,” he says.
“As we worked through different projects, the customers are getting a better understanding of the value that they get, and they have buy-in,” he adds.
What Does This Mean for SAPinsiders
- Combine your SAP security redesign with your GRC update. This will boost your security, reduce costs, increase efficiency, and improve compliance.
- Hold meetings with stakeholders throughout the company when redesigning your security environment. Including all stakeholders in the process helps ensure that security and GRC issues won’t be overlooked, and compliance and business risks will be assessed accurately.
- Automate your control activities by employing CCM. The SAP Process Control tool can prioritize control activities, ensure GRC information is updated, and achieve sustainable compliance at a lower cost.
MEET THE EXPERTS
Adam Fattorini is a Senior Manager in PwC's SAP Security and GRC Access Control practice. Fattorini has more than 15 years of experience working with SAP GRC implementations, upgrades, IdM integration, SoD ruleset designs, SAP security and controls implementation, and review services. His breadth of experience ranges across multiple industry sectors and Fortune 100-, 500- and 1000-level companies. His experience also includes managing both internal and external audit projects from an IT perspective.