what-is-grc-software-e1463060559464Governance, Risk and Compliance (GRC) software is a set of tools designed to integrate compliance into everyday business processes like user provisioning, role management, emergency access management, and periodic risk assessment.  GRC software automates routine audit and compliance processes while reducing the risk of fraud or malicious activity in Enterprise Resource Planning (ERP) systems. GRC programs monitor user privileges and access, and alert the organization when a user has a level of access or performs an action that may violate compliance requirements or indicate fraud. They also maintain audit logs and compile reports to facilitate auditing, risk analysis, and other GRC processes. Finally, they serve as a repository for controls, allowing the compliance team to prove that documented policies and procedures are followed.

 

Expert Insight: Scott Goolik, VP of Compliance and Security

Organizations have a huge number of agents involved in accessing and processing information. Workers, business partners, clients, providers and customers all need access to some potentially sensitive information, including:

 

  • Invoices
  • HR records
  • Financial reports

 

Stakeholders also need to be able to perform business processes such as:

 

  • Ordering new stock
  • Paying vendors
  • Counting inventory

 

But someone with too much access or the wrong combination of privileges can violate compliance or pose an unacceptable risk. If a user can create and pay a vendor, for example, they can steal money. If the admins who run a hospital’s server can access ePHI, they can cause a HIPAA breach, potentially leading to a multi-million dollar fine, complex corrective measures, damage to reputation and increased regulatory scrutiny.

 

GRC refers to the policies and procedures companies use to address these problems. Traditionally, it has been done manually by randomly sampling internal data. Compliance teams pour over documents and transactions, compile information into spreadsheets, make reports and recommend changes.

 

These manual compliance techniques are incredibly time consuming, and miss a lot. Companies can spend thousands of hours on GRC, and see just a small fraction of what’s happening internally. Only part of the data is examined, which means individual cases or even patterns of fraud or non-compliance can sometimes slip past auditors and internal controllers.

 

Additionally, even the most meticulous people aren’t immune from errors; somewhere in the hundreds of pages of tables and reports, mistakes are bound to creep in. And as companies and compliance rules continue to grow in complexity, the situation only gets worse for manual compliance teams.

 

GRC software vastly simplifies compliance and risk analysis by automatically analyzing data within ERP. That saves huge amounts of time, prevents errors and provides better visibility and reporting.

 

What is GRC software able to do for my company?

The difference between GRC software and manual compliance is like the difference between building a sophisticated radar systems, and hiring people to look up at the sky and write quarterly reports about what planes they’ve seen. GRC programs continuously monitor and log access to data and roles, instantly informing administrators of issues — something document-based teams can’t do.

 

For example, if there’s a Segregation of Duties (SoD) conflict where a user has a combination of roles that could violate compliance policies, the computer can spot it in minutes. On the other hand, a manual compliance process could take months. GRC software also automates much of the reporting process, which enables organizations to use more current data and provide deeper analysis at a fraction of the workload.

 

How can GRC software help my company grow?

As companies get bigger, they inevitably face tougher compliance requirements and more complex risks. Regulatory scrutiny from SOX, PCI and other compliance regimes increases, and organizations face a greater range of national and international compliance requirements. Auditors will demand more information, which requires much better reporting and analysis.

 

Additionally, the complexity of managing risks across the workforce increases. This is particularly true when companies introduce new departments or facilities, or optimize business processes to benefit from scale.

 

For example, imagine a financial company rolling out its first warehouse management system. Would the compliance staff understand new segregation of duties requirements, such as separating cycle counting and inventory handling? How much trial and error would they have to go through to provide the right level of access, and what risks and inefficiencies would they face while figuring it out? Without GRC software to ease the transition, they could face months of setbacks and elevated compliance risks.

 

What are the pitfalls of GRC software?

Most companies fail to consider the needs of all stakeholders when selecting GRC software. Organizations often choose GRC products that look good on paper, but produce output no one understands. Compliance officers and execs look at a few reports, and give up when they can’t make heads or tails of the data.

 

Not only does this waste time and money as well as take resources from manual GRC during implementation — it undermines future compliance as well. The compliance team is forced to rely on the new software, which makes it harder for them to catch issues or provide useful data to auditors.

 

Insufficient support is another major problem. Configuring GRC in a complex environment such as SAP HANA® requires people who understand:

 

  • The technical layer (e.g. SAP Basis administration)
  • The security model (e.g. SAP Security administration)
  • Compliance
  • Business processes
  • The culture, goals and structure of the organization

 

Additionally, the team needs soft skills to train people and earn buy-in across the organization. This is often easier said than done.

 

How can I make a successful transition to GRC software?

Vendor support is indispensable when it comes to implementing governance, risk and compliance software. At the very least, organizations need help with installation, configuration and training. Many companies also require some level of ongoing support, from basic tech support to complete managed services.

 

In SAP governance, risk and compliance, ControlPanelGRC from Symmetry is the true turnkey software solution. ControlPanelGRC provides the right information for all stakeholders: high-level, plain-English output for managers, graphical reporting to help executives understand potential risks and root cause analysis for the technicians who need to remediate the risks. That means improved buy-in, easier audits and better short-term and long-term success.

 

Symmetry will:

 

  • Meet with your audit team
  • Install and configure ControlPanelGRC
  • Train your staff in the software
  • Provide continuing education and IT managed services, if required

 

Whether you need initial setup and occasional technical assistance, or want to outsource your entire compliance program, Symmetry is up for the task.

 

How much support do I need to run ControlPanelGRC?

Listen to your auditors — the level of success your compliance program has had is a good indication of how much support you will need. If your company repeatedly fails audits, or has trouble answering auditor questions from both a software and an internal resources perspective, you’ll benefit from continuous training and support.

 

Your compliance department also needs to be dynamically advancing their skill set. If your auditors have major new concerns every year, it could be a sign that your team isn’t able to keep up with new requirements, and needs a managed services partner.

 

Switching to ControlPanelGRC is also a good time to evaluate other managed services needs, especially in the areas of security and compliance. Symmetry offers SAP security services to maintain compliant user access and monitor controls, cyber security services with 24-hour eyes-on-glass monitoring and incident response, and regulatory compliance support for your entire organization.

 

You didn’t go into business to worry about compliance. Every hour you and your employees spend pouring through compliance reports, meeting with auditors and sitting through risk remediation meetings is an hour you don’t get to spend developing innovative products and services. ControlPanelGRC drastically reduces the time requirements of GRC tasks, while providing continuous visibility and deeper insight into organizational vulnerabilities. Whether you’re looking for a new tool to help your internal auditors, ongoing security and compliance support, or an ERP services partner to host and manage your entire IT infrastructure, Symmetry can help.

 

Learn more about what ControlPanelGRC can do for your organization.

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.