If you asked an enterprise executive if they manually process sales or add up accounts by hand, they’d probably look at you like you were crazy. Automation is considered mission critical in transaction processing, sales, accounting, logistics and pretty much every other area of business.

However, ask that same executive if they use governance, risk and compliance software to automate audits and remediation and you’re likely to get a much different response:

“Well, we do it with Excel spreadsheets these days,” or “we tried but no one could understand the output,” or just an uncomfortable, “we’re working on it.”

It’s understandable — it’s hard to know what the best GRC software for your organization is when you’re used to document-centric processes. Many compliance departments spend so much time and energy struggling to keep up with auditor demands that revamping their process seems overwhelming. However, as with most business processes, the ROI on GRC automation massively outweighs the costs.

GRC Software Keeps You Safe and Compliant

Governance, Risk and Compliance is a phrase that encompasses an incredibly broad range of processes, controls and oversight functions within an organization. However, GRC software refers specifically to audit-related security and compliance within your ERP landscape. GRC software grew up as a concept within SAP security, but it refers to programs that manage, report and remediate risks in other landscapes as well.

The programs at the center of SAP GRC — Access Control and Process Control — are designed to prevent fraud and mistakes by controlling how much access members have and by monitoring business processes for compliance. Regulations like Sarbanes-Oxley require Segregation of Duties (SoD) and other controls to prevent fraud. For example, a worker who can create a vendor shouldn’t be able to pay a vendor, because they could use that combination of roles to fraudulently funnel money out of the organization.
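As an added illustration of the SoD rule just described (example code written for this page, not ControlPanelGRC or SAP GRC code), the following Python script evaluates a small rule set against constructed role definitions and user assignments. It goes slightly beyond the create-vendor/pay-vendor case: it checks several rule pairs, reports which roles grant each side of a conflict so a finding maps to a concrete remediation, and separately flags roles whose own definition already combines both capabilities, which no user reassignment can fix. All rule, role, capability and user names are assumptions.

```python
"""Segregation-of-duties (SoD) conflict check over user and role assignments.

Added illustration only: not ControlPanelGRC or SAP GRC code. Every rule,
role, capability and user below is constructed sample data.
"""
from collections import defaultdict

# Constructed SoD rule set: two capabilities that must not meet in one user,
# plus the fraud or error scenario the rule guards against.
SOD_RULES = [
    ("CREATE_VENDOR", "PAY_VENDOR", "fictitious vendor funnels money out"),
    ("CREATE_PO", "APPROVE_PO", "self-approved purchases"),
    ("POST_JOURNAL", "APPROVE_JOURNAL", "unreviewed journal entries"),
]

# Constructed role definitions: role -> capabilities it grants.
ROLES = {
    "AP_CLERK": {"PAY_VENDOR", "VIEW_VENDOR"},
    "VENDOR_MAINT": {"CREATE_VENDOR", "VIEW_VENDOR"},
    "AP_SUPER": {"CREATE_VENDOR", "PAY_VENDOR"},   # conflict built into the role
    "BUYER": {"CREATE_PO", "VIEW_PO"},
    "PURCHASING_MGR": {"APPROVE_PO", "VIEW_PO"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
}

# Constructed user -> assigned roles.
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "VENDOR_MAINT"],  # conflict via two roles
    "bob": ["BUYER"],
    "carol": ["BUYER", "PURCHASING_MGR"],    # conflict via two roles
    "dave": ["GL_ACCOUNTANT"],
    "erin": ["AP_SUPER"],                    # conflict via one role
}


def capabilities_by_role(user_roles, roles=ROLES):
    """Map capability -> set of roles granting it, for one user's roles."""
    caps = defaultdict(set)
    for role in user_roles:
        for cap in roles.get(role, ()):
            caps[cap].add(role)
    return caps


def find_conflicting_roles(roles=ROLES, rules=SOD_RULES):
    """Roles whose own definition contains both sides of an SoD rule.

    These cannot be fixed by reassigning users; the role itself must be split.
    """
    bad = []
    for role, caps in sorted(roles.items()):
        if any(a in caps and b in caps for a, b, _ in rules):
            bad.append(role)
    return bad


def find_sod_conflicts(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Per-user conflicts as (user, cap_a, roles_a, cap_b, roles_b, risk).

    Returning the granting roles on each side turns a finding into a
    remediation step: remove (or split) one of the listed roles.
    """
    findings = []
    for user, user_roles in sorted(assignments.items()):
        caps = capabilities_by_role(user_roles, roles)
        for cap_a, cap_b, risk in rules:
            if cap_a in caps and cap_b in caps:
                findings.append((user, cap_a, sorted(caps[cap_a]),
                                 cap_b, sorted(caps[cap_b]), risk))
    return findings


if __name__ == "__main__":
    for role in find_conflicting_roles():
        print(f"role {role} is self-conflicting and should be split")
    for user, a, ra, b, rb, risk in find_sod_conflicts():
        print(f"{user}: {a} (via {', '.join(ra)}) + {b} (via {', '.join(rb)}) -> {risk}")
```

Run stand-alone it prints one self-conflicting role and three user-level conflicts. The point of carrying the granting roles in each finding is that a rule engine should produce a remediation, not just a red flag; in a real landscape the role-to-capability map would be derived from the authorization objects behind each role rather than hand-written.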

 

Organizations that don’t use SAP GRC use a document-centric process; they comb through transaction records for irregularities and attempt to build remediation plans and update security models based on that data. This is incredibly time consuming. It can take months before a transaction is reviewed internally, and months more for the auditor to complete their own review. Additionally, transactions are often “sampled”, meaning that only a small fraction are reviewed.

Without adequate security and compliance monitoring, vulnerabilities or outright fraud are rarely spotted quickly, and in many cases, completely slip through the cracks. Document-centric GRC also makes change control and remediation very difficult, often resulting in overly complicated and inefficient security models. This leads to a vicious circle, where organizations struggle through unsuccessful audit after unsuccessful audit until they’re completely overwhelmed.

The best GRC software can give organizations a new start. Herculean document reviews are replaced by continuous, real-time reporting. Libraries full of role definitions are turned into simple, automated rules. Change control is likewise automated, and documentation is linked straight to controls, drastically simplifying remediation.

For the compliance department, the changes are night and day. No one has to review thousands of pages of transaction logs — the system just spits out a report. Audits are completed quickly, and remediation plans can be implemented directly using the controls.

The best GRC software can make future audits even easier. The software continuously monitors the system, allowing speedy remediation of any security and compliance issues that pop up, long before they attract an auditor’s attention.

Choosing the Best GRC Software Starts with Functional Requirements

As you’d expect, GRC software has three main functions — governance, risk management and regulatory compliance. Governance functions align business processes with organizational business objectives. GRC software should use procedure and process management controls to support business policies.

These controls should be both powerful and comprehensible. The best GRC software is configurable based on the needs of different stakeholders. Executives, for example, need high-level controls to set policies and sign off on changes, while IT and compliance staff will need granular controls to implement those policies.

Controls need to be supported by visibility and reporting functions that are also configured for stakeholder roles. This is one place where a lot of governance, risk and compliance software falls short. Instead of having high-level overviews for executives and technical insights for remediation staff, they bombard all stakeholders with the same output — usually laid out in an idiosyncratic, vendor-specific format that’s very difficult to comprehend.

The best GRC software will be designed so that end users can understand what they’re looking at immediately. With tools like SAP Fiori bringing commercial-grade interfaces to business processes, there’s no reason to demand anything less from SAP GRC.

Risk management is facilitated by governance reporting and controls. One of the biggest benefits of the best GRC software is the ability to automate risk detection and remediation, rather than forcing organizations to wait for auditors to do it. GRC software should alert staff to risks in real time, provide the reporting to drill down to the cause, and furnish controls to quickly fix the issue.

Because of the close relationship between risk mitigation and compliance, those two functions need to be closely integrated at a software level. User-defined controls alone aren’t enough. In the best GRC software, those controls will be linked to compliance libraries and remediation programs. Look for features that simplify regulatory compliance — for example by allowing you to correlate similar laws across differing regimes to create a consistent, unified GRC program across your organization.

The Best GRC Software Will Integrate With Your Software

GRC software is tasked with overseeing compliance throughout your ERP landscape, which means it needs to interface with your enterprise applications and provide a standardized framework for analysis, reporting and controls. This enables automation, simplifies workflow and makes it much easier to ensure consistency across the organization.

However, just connecting the pieces isn’t enough. Many GRC programs that do well on functional traits fail to adequately streamline workflow. Tasks like compliance reports still waste time and effort, as compliance teams email reviews and reminders, collect signatures and so on. This makes responding to risks slower and more difficult, and it increases the risk of missed steps or errors along the way.

ControlPanelGRC AutoAuditor replaces this antiquated process with a cutting-edge GRC workflow automation tool that works with all aspects of SAP GRC. When a task like a periodic risk review is approaching, AutoAuditor executes the report and pushes it to the appropriate user for review. All stages of the approval process are automatically documented and stored, making authentication effortless and secure.

The Best GRC Software Companies are Customer-Focused

The complexity of GRC software means that you can’t look at the product in isolation. If a vendor offers a program with minimal support, look for a different vendor — one who is ready to give your team the support it needs for a successful implementation. Unless they’re ready to help you completely revamp your regulatory compliance program, they’re not ready to provide the software.

Because the reality is, most manual GRC programs are a mess. There’s a good chance that your compliance department is like a cluttered garage, packed with confusing reports, failed remediation programs and excessively complex security models. Before you can streamline and automate it, you need to clear out the clutter — and that requires a partner, not just a vendor.

Our work with Carlisle Construction Materials, which won us the GRC20/20 2016 Value Award, is a perfect example. The customer had spent months unsuccessfully trying to correct security and compliance issues. Their SoD tools were nonfunctional, their audits were time-consuming, pricey and consistently poor, and their mitigation processes were not getting the results they needed.

And when they tried to create a better security model on their own, things only got worse; by the time their SAP security consultant was done, they had 3,000 distinct roles — for only 700 users! They didn’t just come to us for SAP GRC software, they came to us to solve a security and compliance problem that was spiraling out of control.

We did that, supplying ControlPanel Access Control Suite, an Accelerated Remediation Toolkit to meet their timeline and lots of support. We completely revamped their SAP security model, cutting it to a manageable 70 roles, installed and trained them on the software, and set them off on the path to successful, painless compliance.

That same high-touch, flexible customer service works for everyone — if you have a functional internal GRC program, we’ll stand up the software, train you and be available as a resource. But if you need more help, we can provide complete security and compliance support on an ongoing basis.

Our Security Complete PlusGRC program provides a complete managed services approach to protecting your data and business processes. We’ll work with you to identify risks, pain points and goals, then implement a complete GRC solution. Our powerful reporting will give business users, technical users and auditors complete optics, supporting rapid remediation and continuous improvement in your GRC processes. And we’ll back it all with 24x7x365 monitoring and incident response to keep your system safe from both internal and external threats.

Choose the Best Type of GRC Software for Your Needs

  • SAP Access Control: If you’re new to GRC automation, an access control solution like ControlPanelGRC SAP Access Control Suite is ideal. Access control focuses on what users can do within the system. It provides powerful tools to evaluate SoD conflicts and other risks, and institute compliant role management. It also speeds IT security administration tasks, decreasing workloads and freeing up staff for more mission critical work.

    Access control can also address sensitive roles, even when they don’t pose direct SoD conflicts. Every business has users with access inside the SAP system that could — either maliciously or inadvertently — cause harm.

    ControlPanelGRC Access Control Suite minimizes these risks through audit trails, reporting and powerful controls. Our Access Certification Manager automates SAP user access reviews. It generates comprehensive reports on the access rights, roles, and on individual users, and speeds remediation by allowing you to initiate the process right from the report.

    ControlPanelGRC even helps keep you safe during firecalls, when admins are granted heightened access to fix critical system issues. The SAP Emergency Access Manager module pre-approves emergency roles and provides complete tracking and auditing of emergency access. Users are also required to thoroughly document the reason for the firecall, providing accountability as well as legal cover in an emergency.

    And, like other ControlPanelGRC tools, the Access Control Suite facilitates SAP Audit Management with AutoAuditor functionality, reducing administrative burdens and ensuring regular reviews are completed quickly and correctly.

  • SAP Process Control: A process control solution like the ControlPanelGRC SAP Process Control Suite adds an extra layer of protection to more mature SAP security and compliance programs.

    Process Control analyzes business processes in real time and looks for irregularities that may indicate fraud or compliance issues. For example, the SAP Procure to Pay Process Analyzer looks for issues like duplicate invoices or POs that have been modified after approval, generates instantaneous alerts and provides powerful tools for investigation and remediation.

    ControlPanelGRC process control software also has an Enterprise Risk Management module to ensure controls are working properly in SAP. With sophisticated documentation and testing functionality, it also simplifies alignment of controls with SOX, HIPAA and other audit regimes.

  • SAP Security Acceleration: ControlPanelGRC offers exclusive tools aimed at speeding and simplifying the backend of SAP security and compliance. The ControlPanelGRC SAP Security Acceleration Suite automates routine security tasks. It helps diagnose issues encountered when migrating role changes to production, provides version control to speed role change management, speeds SAP security testing and even provides guidance for license optimization.

  • SAP Basis Control: The ControlPanelGRC SAP Basis Control Suite automates SAP Basis tasks in transport management and batch job management. This saves admins a huge amount of time, and can eliminate one of the biggest causes of security breaches: delayed or inadequate patching. Particularly in companies with overstretched internal IT staff, speeding up Basis tasks can prevent delays that lead to system instability and vulnerability.
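The two process-control checks named in the Process Control item above, duplicate invoices and purchase orders modified after approval, as an added Python example written for this page (not ControlPanelGRC code). The record layouts, field names and sample rows are constructed; in a real landscape they would be extracted from the ERP’s invoice and PO change-document tables.

```python
"""Process-control style checks over a procure-to-pay extract.

Added illustration only: not ControlPanelGRC code. Record layouts and every
row below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed invoice records: (invoice_id, vendor, amount, vendor_reference, posted_on).
INVOICES = [
    ("INV-1001", "V100", 1250.00, "A-77", "2016-03-01"),
    ("INV-1002", "V200", 980.50, "B-12", "2016-03-02"),
    ("INV-1003", "V100", 1250.00, "A-77", "2016-03-04"),  # same bill as INV-1001
    ("INV-1004", "V300", 410.00, "C-05", "2016-03-05"),
]

# Constructed PO change log: (po_id, field, old_value, new_value, changed_at).
# An "approved" event records who approved and when.
PO_EVENTS = [
    ("PO-500", "approved", None, "mgr1", "2016-03-01T09:00"),
    ("PO-500", "amount", "5000", "9000", "2016-03-03T14:10"),  # edited after approval
    ("PO-500", "note", None, "rush", "2016-03-03T15:00"),       # harmless field, ignored
    ("PO-501", "amount", "700", "750", "2016-03-02T10:00"),     # edited before approval
    ("PO-501", "approved", None, "mgr2", "2016-03-02T11:00"),
]


def duplicate_invoices(invoices=INVOICES):
    """Group invoices on (vendor, amount, vendor reference); return groups of size > 1.

    Matching on the vendor's own reference plus amount catches the same bill
    entered twice under different internal invoice numbers, which a check on
    invoice_id alone would miss.
    """
    groups = defaultdict(list)
    for inv_id, vendor, amount, ref, _posted in invoices:
        groups[(vendor, round(amount, 2), ref)].append(inv_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def po_changed_after_approval(events=PO_EVENTS, watched=("amount", "vendor", "quantity")):
    """Return {po_id: [(field, old, new, changed_at), ...]} for edits to a
    watched field that happened after the PO's first approval."""
    approved_at = {}
    for po, field, _old, _new, ts in events:
        if field == "approved" and po not in approved_at:
            approved_at[po] = datetime.fromisoformat(ts)
    findings = defaultdict(list)
    for po, field, old, new, ts in events:
        if field in watched and po in approved_at:
            if datetime.fromisoformat(ts) > approved_at[po]:
                findings[po].append((field, old, new, ts))
    return dict(findings)


def alerts(invoices=INVOICES, events=PO_EVENTS):
    """One human-readable alert line per finding, in a stable order."""
    out = []
    for (vendor, amount, ref), ids in sorted(duplicate_invoices(invoices).items()):
        out.append(f"duplicate invoice: vendor {vendor} ref {ref} amount {amount:.2f} -> {', '.join(ids)}")
    for po, changes in sorted(po_changed_after_approval(events).items()):
        for field, old, new, ts in changes:
            out.append(f"post-approval change: {po} {field} {old} -> {new} at {ts}")
    return out


if __name__ == "__main__":
    for line in alerts():
        print(line)
```

The PO check deliberately ignores fields that do not change what gets paid (the constructed "note" edit), and the first approval timestamp is the reference point so a re-approval after an edit does not hide the edit. Both functions return structured findings rather than only printing them, so the same logic can feed a ticket, a workflow step or an audit report.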

 

ControlPanelGRC Makes Compliance Effortless

Every day in thousands of companies, workers waste their talent on outdated compliance tasks. The best GRC software can break the endless cycle of poor audits and failed remediation. That means your best and brightest can spend less time shuffling paper, and more time making your company great.

Contact us to learn how we can take the pain out of compliance.

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.