By Fred Donovan, Senior Editor, SAPinsider
Imperial Brands is one of the largest tobacco products companies in the world, behind only Philip Morris, British American Tobacco, and Japan Tobacco. It has more than 32,000 employees, sells more than 320 billion cigarettes per year in 160 countries, operates 51 factories worldwide, and generates $45 billion in revenue.
The company currently runs SAP ECC and is planning an interim deployment of SAP S/4HANA for central finance before an eventual move to SAP S/4HANA.
Imperial Brands saw an opportunity to reduce fraud risk and third-party IT costs by closing a gap in its segregation of duties (SoD) compliance.
The SoD compliance gap became apparent when the company's external auditors reported that their SoD findings differed from the results of the company's own SoD reporting. In response, Imperial Brands updated its process and SoD ruleset to improve the transparency and granularity of that reporting.
This update enabled the company to bring its SoD reporting in line with auditing requirements. However, the update revealed that its existing role-based access design was outdated.
“We realized very quickly that the role design itself in our main SAP system needed to be restarted from scratch,” Dirk Tel, Group Internal Control Manager at Imperial Brands, says.
Imperial Brands therefore set out to rebuild its role-based access profiles so that they would not conflict with the new SoD ruleset. The first step was to obtain and analyze the usage data generated by SAP Access Control and identify unused or infrequently used transaction codes (T codes). Imperial Brands found that nearly 10,000 T codes appeared in its role design, of which 1,300 were actively used and only 800 were used more than four or five times per year.
“We’ve been running with SAP GRC for the last seven or eight years. The great thing with SAP GRC is that it collects usage data — T code by T code, user by user, second by second, right down to the terminal. That is what we used as our starting point to redesign our roles,” Tel says.
Aligning Roles with SoD Functions
With these statistics in hand, Imperial Brands trimmed the number of T codes and ensured that task roles aligned to the SoD functions defined in its ruleset, with a one-to-one mapping of role to SoD function as the goal. This greatly simplified user access provisioning, as roles now "do what they say on the tin." It in turn allowed the business to take charge of the user access approval process, with SAP Access Control's access request management functionality as the main, workflow-based provisioning solution.
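A minimal model of that analysis, as an added example (not Imperial Brands' or SAP's code, and not the actual SAP Access Control data format): it aggregates constructed usage records into per-T-code counts for one year, buckets each T code as unused, rarely used or actively used, checks which roles grant more than one SoD function, and counts each user's conflicting function pairs before and after unused T codes are dropped from the roles. The users, roles, usage records and the simplified SoD ruleset are all constructed for illustration; the threshold of five executions per year follows the article's "four or five times per year".

```python
"""
Usage-data-driven role review: T-code usage buckets, one-role-one-function
check, and per-user SoD conflict counts. All inputs below are constructed;
the SoD ruleset is a hypothetical, simplified one.
"""
from collections import Counter
from datetime import datetime

# Constructed usage records in the shape GRC usage data provides (who ran which
# T code when), expanded from (user, tcode, executions) to keep the listing short.
_USAGE_SPEC = [("alice", "FB60", 6), ("alice", "MIRO", 3), ("alice", "XK02", 1),
               ("bob", "FB50", 5), ("bob", "XK01", 2), ("bob", "XK02", 2),
               ("bob", "FBL3N", 1)]
USAGE_LOG = [(user, tcode, f"2023-{1 + i % 12:02d}-15T09:00:00")
             for user, tcode, n in _USAGE_SPEC for i in range(n)]

# Hypothetical SoD ruleset: each function is the set of T codes that perform it,
# plus the function pairs that no single user may hold together.
SOD_FUNCTIONS = {
    "AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "AP_PAYMENT_RUN": {"F110"},
    "VENDOR_MASTER": {"XK01", "XK02"},
    "GL_POSTING": {"FB50"},
}
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"}),
    frozenset({"AP_INVOICE_ENTRY", "VENDOR_MASTER"}),
    frozenset({"AP_PAYMENT_RUN", "VENDOR_MASTER"}),
}

# Constructed roles before redesign; Z_AP_CLERK is the typical over-broad role.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "F110", "XK02", "SE16"},
    "Z_GL_ACCOUNTANT": {"FB50", "FBL3N"},
    "Z_VENDOR_ADMIN": {"XK01", "XK02"},
}
USER_ROLES = {"alice": {"Z_AP_CLERK"}, "bob": {"Z_GL_ACCOUNTANT", "Z_VENDOR_ADMIN"}}


def tcode_usage(log, year):
    """Executions per T code within one calendar year, summed over all users."""
    counts = Counter()
    for _user, tcode, ts in log:
        if datetime.fromisoformat(ts).year == year:
            counts[tcode] += 1
    return counts


def classify_tcodes(roles, counts, active_threshold=5):
    """Bucket every T code that appears in any role by how often it was run."""
    buckets = {}
    for tcodes in roles.values():
        for tcode in tcodes:
            n = counts.get(tcode, 0)
            buckets[tcode] = "unused" if n == 0 else "active" if n >= active_threshold else "rare"
    return buckets


def role_sod_functions(role_tcodes, functions=SOD_FUNCTIONS):
    """SoD functions a role grants: holding any T code of a function grants it."""
    return {f for f, tcodes in functions.items() if tcodes & role_tcodes}


def roles_not_single_function(roles):
    """Roles that miss the redesign goal of mapping to exactly one SoD function."""
    mapping = {r: role_sod_functions(t) for r, t in roles.items()}
    return {r: f for r, f in mapping.items() if len(f) != 1}


def user_sod_conflicts(user, roles, user_roles=USER_ROLES, conflicts=SOD_CONFLICTS):
    """Conflicting function pairs a user holds through the union of their roles."""
    held = set()
    for role in user_roles[user]:
        held |= role_sod_functions(roles[role])
    return {pair for pair in conflicts if pair <= held}


def trim_unused(roles, buckets):
    """Redesign step 1: drop T codes that nobody ran in the period."""
    return {r: {t for t in tcodes if buckets[t] != "unused"} for r, tcodes in roles.items()}


def report(roles=ROLES, log=USAGE_LOG, year=2023):
    """Conflict counts before and after trimming, plus roles still needing a split."""
    buckets = classify_tcodes(roles, tcode_usage(log, year))
    trimmed = trim_unused(roles, buckets)
    return {
        "buckets": buckets,
        "trimmed": trimmed,
        "conflicts_before": {u: len(user_sod_conflicts(u, roles)) for u in USER_ROLES},
        "conflicts_after": {u: len(user_sod_conflicts(u, trimmed)) for u in USER_ROLES},
        "multi_function_roles": roles_not_single_function(trimmed),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

On the constructed data, dropping unused T codes (F110 and SE16) takes alice from three conflicts to one, but Z_AP_CLERK still grants both invoice entry and vendor-master maintenance because XK02 was run a few times. That residual conflict is exactly what the one-role-per-SoD-function goal addresses: a role that carries two functions conflicts by construction, and only splitting it (or a documented mitigating control) removes the conflict, not further usage trimming.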
“We wanted to make sure that the business owners were the approvers of access. Now, our role access request process starts with an end-user raising a service ticket in our ServiceNow solution. The ticket reaches a local service desk person who can translate what the user wants into the role the user needs. They create the request ticket that flows through the workflow to the role approver, who is usually a senior finance person,” Tel relates.
As a result of the role-based access redesign, Imperial Brands reduced SoD conflicts by 75%. By eliminating third-party IT support for user provisioning requests, the company cut its IT support costs by 70%.
SAP Access Control Provides ‘Intuitive’ User Provisioning
In implementing the role-based user access redesign, Imperial Brands found SAP Access Control "pretty intuitive," Tel comments.
“The business and local IT support help desks caught on quickly to how to use it. User access provisioning has become second nature to our business. Now our external auditors are asking us to bring the SAP systems that are not part of the program into the redesigned process, which we are working on,” he says.
The redesign also streamlined the process for deactivating users and removing roles by eliminating the need for secondary approvals.
For the role-based access redesign as well as its earlier SoD ruleset update, Imperial Brands worked with Turnkey Consulting. Turnkey designed and built new roles and provided scripting and mass maintenance tools to accelerate project delivery.
Imperial Brands has completed its role-based access redesign at its main operations in Europe and is working on deploying the new design principles within the rest of its SAP estate.
For the company, the role-based access control project reduced costs, improved security, and enhanced accountability within the multinational’s local entities.
What Does This Mean for SAPinsiders
- Data and analytics can be a powerful tool for overhauling your GRC processes. The data and analytics provided by SAP Access Control enabled Imperial Brands to transform its role-based user provisioning. Companies should take advantage of this feature whenever they can to streamline their processes.
- Put the business owners in charge of user access approvals. Business owners know their shop best, so put them in charge of processes impacting their people. This eliminates waste and improves productivity and security.
- Streamlining processes can save lots of money in third-party IT support costs. Antiquated, manual user provisioning can result in expensive third-party IT support to handle the number of service tickets generated by users. Take the time to analyze the inefficiencies and redundancies to achieve dramatic cost reductions.
Watch a short video to hear how Imperial Brands used SAP Access Control to redesign its role-based access control program.
MEET THE EXPERTS
Dirk Tel is a senior risk, internal control, and assurance manager with 19 years of experience in the fast-moving consumer goods (FMCG), telecom, and professional services industries, helping organizations manage risks through strategic planning, assurance, and control implementation. He currently serves as Group Internal Control Manager at Imperial Brands. He has a solid background in design, implementation, and assurance within large-scale and medium-sized commercial organizations. He is passionate about ensuring that topics are addressed from different angles (commercial, operational, and technological) and across stakeholders at all levels of the organization, bringing fresh perspectives and positive outcomes to complex problems. His specialties include ERP controls implementation and review, internal audit, IT strategy, SOX compliance, modelling, logical access control, and non-financial KPI assurance.