It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
Compliance processes shouldn’t be a big source of stress or resources — in fact, if anything, they should help you avoid stress and conserve resources. You set a policy, put some controls in place, and get on with the business of running your company until the next review.
But somehow, your SAP governance, risk and compliance program never works out that way. Your team invests in pricey, sophisticated GRC software, only to find out that the output is completely inscrutable. When you find SOD conflicts, it’s a struggle to put effective SOD remediation in place, or keep your remediation controls in good working order. You throw tons of time and money at the problem, and end up with another lousy audit anyway. SAP governance, risk and compliance sucks up more and more resources with fewer and fewer results.
All that hassle messes with your perspective, and makes it seem like SAP GRC is an unwinnable battle. It’s not. You really can make GRC into a lean, automated, effective product with the right tools, team and approach. Here’s how to solve the most common problems.
1. Your SAP GRC Software Doesn’t Live Up to Your Expectations
When a customer places an order, your environment records it, processes it and routes it for fulfilment. Assuming your team is maintaining your SAP landscape well, the software just does its job — you wouldn’t be in business if it didn’t.
But when it comes to SAP governance, risk and compliance, many companies never achieve that base level of functionality. From the beginning, it’s broken. The software might work with some applications and not others, or only meet the needs of certain stakeholders. It might be able to detect SOD conflicts in SAP GUI but not Fiori, or just be missing needed functionality.
The first step in solving the problem is resetting expectations. SAP GRC software is supposed to be enterprise-grade software. It shouldn’t have gaps or glitches that require endless tinkering or elaborate workarounds — it should solve your problems.
Sit down with your compliance team or bring in a GRC consulting partner, and think about what that entails. How is your current SAP governance, risk and compliance solution falling short? What effect is it having on your audit results? What extra work is it creating internally? And what would it take for an SAP GRC solution to meet all those needs?
2. You’re Struggling With Consistently Poor SAP Audit Findings
For many companies, a poor audit (or several) is what makes them finally face how broken their GRC software is. Organizations often find themselves in a cycle of poor audits and unsuccessful remediation, wasting money and resources while maintaining an unacceptable level of legal risk. In some cases, trying to fix it only makes the problem worse, and by the time they start shopping for a new SAP GRC solution, things are nearing a breaking point.
That was the situation Carlisle Construction Materials (CCM) found itself in when they first approached Symmetry. They had already invested in trying to address negative auditor findings, but their remediation efforts had failed — in fact they had actually made things worse. When they tried to manually remediate the issue, their SAP resource painstakingly built an extremely complex security model, with more than 3,000 roles for just 700 users, and it didn’t even fix the problem.
Ultimately, Carlisle had reached a point where their GRC processes were too broken to be patched or fixed. Their GRC and SAP security model had a rotten foundation, and it turned out to be much easier to knock it all down and rebuild from scratch. With ControlPanelGRC, they were able to remediate much more rapidly. We implemented the solution in just one week, and completed the entire remediation project in under four months. And they ended up with a much leaner, more cost-effective system with:
- 80% lower security consulting costs
- 75% reduction in annual SAP security administration costs
- 50% lower external audit costs
And best of all, no one starts sweating when the auditor comes around anymore.
3. Your SAP GRC Software Produces Unusable Output
SAP GRC solutions need output that supports the needs of a range of stakeholders. Business users must have clear, navigable tools that allow them to self-assess; technical users need to be able to get into the nuts and bolts; and auditors need comprehensive reporting that enables both a high-level view and detailed analysis.
Unfortunately, most SAP governance, risk and compliance software products have poor usability. They spit out incomprehensible streams of data that make things impossible for business users, and challenging even for technical users and auditors. Not only does this make it more time-consuming and costly to run an effective GRC program, it also severely reduces visibility, increasing the risks of undetected SoD conflicts and other issues.
To fix this problem, you need to prioritize usability in your SAP GRC software. Involve a range of stakeholders in the decision so that you can verify the new solution works for everyone. Make sure your vendor can answer everyone’s questions and demonstrate excellent ease of use and visibility before you commit.
4. You Lack SAP GRC Automation
When you need to send a message to a coworker who is out of office, do you run across the building and post a sticky note on their door? When you’re holding a meeting, do you have everyone send you a letter to confirm they’re coming? Of course not. It’s much more efficient to email, text or use a messaging app.
But with SAP governance, risk and compliance, many companies are still doing things the old way. They hound coworkers to chase down missing signatures. They print out emails and records to report to auditors. They pore through thousands of pages of reporting data by hand instead of having the computer automatically screen it for GRC issues.
This isn’t only hugely wasteful and inefficient — it’s also risky. Computers are very good at sorting through data and flagging potential problems, but people aren’t. Computers can scan for SoD conflicts in real time, while document-centric GRC departments often go six months without checking, and then only review a fragment of the data.
Pervasive compliance automation is a must for enterprises. Your GRC software should monitor your system in real time and flag potential conflicts for review as soon as they’re detected. It should run reports, route them for review and document approvals, so you don’t have to chase signatures down. That way, when it’s time for your SAP audit, you won’t have to scramble around collecting documents — everything will be ready for your auditor to review.
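To make the automated SoD scan concrete, here is a small added example (not ControlPanelGRC code, and not part of the original post) of what the computer is doing when it screens role assignments for conflicts. The users, roles, functions and conflict rules are all constructed for illustration; a real tool would read user-role assignments and role authorizations out of the SAP tables (AGR_USERS and AGR_1251) rather than inline dictionaries, and would match on authorization objects rather than the named business functions used here.

```python
"""Toy segregation-of-duties (SoD) scan over SAP-style role assignments.

Added example with constructed data. It is not output from any real SAP
system; a production GRC tool would read AGR_USERS (user-role assignments)
and AGR_1251 (role authorization values) instead of the dictionaries below.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: the business functions each role grants.
ROLE_FUNCTIONS = {
    "Z_AP_VENDOR_MAINT": {"maintain_vendor_master"},
    "Z_AP_INVOICE_POST": {"post_vendor_invoice"},
    "Z_AP_PAYMENT_RUN": {"execute_payment_run"},
    "Z_AP_CLERK_ALL": {"maintain_vendor_master", "post_vendor_invoice"},
    "Z_FI_DISPLAY": {"display_financial_docs"},
}

# Constructed SoD rules: pairs of functions one person must not hold together,
# with the fraud scenario each rule is meant to prevent.
SOD_RULES = {
    ("maintain_vendor_master", "post_vendor_invoice"): "create fictitious vendor and invoice it",
    ("post_vendor_invoice", "execute_payment_run"): "approve and pay own invoice",
    ("maintain_vendor_master", "execute_payment_run"): "redirect payments to a controlled vendor",
}

# Constructed user-role assignments (what a nightly extract of AGR_USERS might look like).
USER_ROLES = {
    "jsmith": ["Z_AP_VENDOR_MAINT", "Z_FI_DISPLAY"],
    "aperez": ["Z_AP_INVOICE_POST", "Z_AP_PAYMENT_RUN"],
    "mlee": ["Z_AP_CLERK_ALL"],
    "auditor1": ["Z_FI_DISPLAY"],
}


def _rule_key(f1, f2):
    """Order-independent key so (a, b) and (b, a) hit the same rule."""
    return tuple(sorted((f1, f2)))


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Map each function a user can perform to the set of roles granting it."""
    granted = defaultdict(set)
    for role in roles:
        for func in role_functions.get(role, ()):
            granted[func].add(role)
    return granted


def find_conflicting_roles(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Roles that violate a rule on their own: these need redesign, not reassignment."""
    normalized = {_rule_key(*k) for k in rules}
    bad = []
    for role, funcs in sorted(role_functions.items()):
        if any(_rule_key(a, b) in normalized for a, b in combinations(sorted(funcs), 2)):
            bad.append(role)
    return bad


def find_sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Return one finding per (user, conflicting function pair), sorted by user.

    'single_role' tells the remediation team whether the conflict lives inside
    one role (fix the role) or arises from combining roles (fix the assignment
    or add a mitigating control).
    """
    normalized = {_rule_key(*k): v for k, v in rules.items()}
    findings = []
    for user, roles in sorted(user_roles.items()):
        granted = effective_functions(roles, role_functions)
        for f1, f2 in combinations(sorted(granted), 2):
            key = _rule_key(f1, f2)
            if key in normalized:
                findings.append({
                    "user": user,
                    "functions": key,
                    "risk": normalized[key],
                    "via_roles": sorted(granted[f1] | granted[f2]),
                    "single_role": bool(granted[f1] & granted[f2]),
                })
    return findings


if __name__ == "__main__":
    for role in find_conflicting_roles():
        print(f"ROLE DESIGN: {role} grants a conflicting function pair by itself")
    for f in find_sod_conflicts():
        where = "inside one role" if f["single_role"] else "across roles"
        print(f"{f['user']}: {f['functions'][0]} + {f['functions'][1]} "
              f"({f['risk']}) via {', '.join(f['via_roles'])} [{where}]")
```

On the constructed data the scan flags two users: one whose conflict comes from combining two separately harmless roles, and one whose single role is conflicting by design. That distinction is the point of tracking which roles grant each function: a cross-role conflict can be remediated by removing an assignment or documenting a mitigating control, while a conflicting role has to be split, which is the kind of foundation problem described in the Carlisle story above. Running this against a fresh extract on a schedule, and routing the findings to the role owner, is the automation the section is asking for.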
5. You Lack Sufficient GRC Vendor Support
If your SAP GRC program is broken and has always been broken, it’s hard to know in advance what it will take to fix it. Standing up and running SAP GRC software requires deep knowledge of SAP, specific audit requirements, business processes and the software solution itself.
You need a vendor who is focused on your success, and can provide you as much (or as little) support as you need.
Look for a vendor who provides comprehensive managed SAP compliance and security services in addition to GRC software. MSPs want to keep your business on an ongoing basis, not just sell you a product and get out as quickly as possible. It’s in our interest to stand up a solution that meets your needs perfectly, and provide high-touch support on an ongoing basis. Whether you want a complete managed GRC solution, or just someone to set up the software and provide occasional technical assistance, we’re here for you.