It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
When business managers talk about “Governance, Risk Management and Compliance” (GRC), the subtext is usually that the phrase should be accompanied by the warning, “May cause drowsiness. Do not operate heavy machinery while using GRC.” Yes, GRC can be a rather dry topic, but it is critical for responsible and successful business leadership just the same. Multiple stakeholders are involved. The Board of Directors is ultimately accountable for GRC, but IT departments are its implementers. In this context, S/4HANA and GRC come together as IT does the work of executing board-level GRC policies.
What is GRC?
GRC combines three related areas of corporate management. Governance refers to the general rules and policies that define how a corporation is governed, or run as a corporate entity. For example, governance covers the shape and structure of the Board of Directors, corporate bylaws and so forth. Risk management is a discipline focused on identifying risks to the business (e.g. product liability) and mitigating them through rules and policies as well as insurance and the like. Compliance is about adhering to legal regulations like Sarbanes-Oxley (SOX) and HIPAA that affect operations.
To keep things simple and relatable, think of GRC as riding shotgun on the shareholders’ cash. A corporation’s executives and board of directors have a fiduciary duty to protect shareholder assets, including cash, plant and equipment as well as intangible assets like reputation and brand name. Everything else is detail and nuance.
GRC is the vehicle for riding shotgun on the cash. In modern parlance, though, the GRC acronym almost always refers to software designed to help corporations manage their governance, risk management and compliance. Though the G, R and C are separate concepts, GRC ties them together in a single solution. GRC is designed to let companies (especially those that are publicly traded) integrate and manage IT operations subject to regulations like SOX.
What does GRC have to do with S/4HANA?
If GRC is the process of riding shotgun on shareholder cash, then SAP is the cash box. An SAP-run corporation relies on the SAP platform to manage its finances, operations, inventories, supplier relationships and so forth. SAP is the vessel that holds shareholder assets. When executives exercise their fiduciary duty to shareholders, they’re invariably doing so through SAP technologies.
As corporations shift from SAP for Business to the new S/4HANA platform, along with new applications developed using the Fiori tools, they may accidentally expose risks and gaps in compliance in the process. For instance, a gap might arise in Segregation of Duties (SoD) in financial transactions.
SoD is about splitting up approval tasks when spending or receiving money so that no one employee has the ability to execute every step of a transaction – a recipe for fraud, abuse and errors. In an SAP environment, SoD is controlled by access rules and role-based application permissions. Most businesses that need to comply with SOX must establish and attest to the efficacy of SoD as a financial control.
Virtually all public companies using SAP have diligently designed and implemented SoD and comparable controls in their SAP environments. This way, they can audit and report on the SAP instance to validate the existence and efficacy of the controls. Now, however, with the same business functions migrating to S/4HANA and new interfaces built using Fiori, SoD controls may get lost or damaged.
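As an added illustration (not code from this page or from Symmetry's ControlPanelGRC), the check below shows what an SoD ruleset does over role-based permissions: it maps SAP GUI transaction codes and Fiori app identifiers to business functions and flags any user whose combined roles hold a conflicting pair, including the case where a migrated Fiori catalog role bundles two activities that the legacy GUI roles had kept apart. The role names, role contents and the `FIORI:*` app identifiers are constructed for the example; the transaction codes are standard SAP ones.

```python
# Added example, not from the page or from ControlPanelGRC: a minimal
# Segregation-of-Duties (SoD) conflict check over role-based permissions.
# Business functions are mapped to the SAP GUI transaction codes and Fiori
# app identifiers that can perform them; a ruleset lists function pairs that
# no single user may hold. Fiori app ids and role contents are constructed.

# Function -> activities granting it. T-codes are standard SAP; the
# "FIORI:*" identifiers are placeholders standing in for Fiori app ids.
FUNCTION_ACTIVITIES = {
    "VENDOR_MASTER":  {"XK01", "XK02", "FIORI:MANAGE_SUPPLIER"},
    "VENDOR_INVOICE": {"MIRO", "FB60", "FIORI:CREATE_SUPPLIER_INVOICE"},
    "PAYMENT_RUN":    {"F110", "FIORI:MANAGE_PAYMENTS"},
}

# Conflicting function pairs: holding both lets one person complete a
# create-vendor-and-invoice or invoice-and-pay path alone.
SOD_RULES = [
    ("VENDOR_MASTER", "VENDOR_INVOICE"),
    ("VENDOR_INVOICE", "PAYMENT_RUN"),
]

# Constructed roles. The legacy GUI roles were designed with SoD in mind;
# the migrated Fiori catalog role bundles invoice and payment apps together,
# which is the kind of gap the text describes.
ROLE_ACTIVITIES = {
    "Z_AP_CLERK":   {"MIRO", "FB60"},
    "Z_TREASURY":   {"F110"},
    "Z_PURCHASING": {"XK01", "XK02"},
    "Z_FIORI_AP":   {"FIORI:CREATE_SUPPLIER_INVOICE", "FIORI:MANAGE_PAYMENTS"},
}

def functions_for(activities):
    """Business functions reachable through a set of t-codes / app ids."""
    return {f for f, acts in FUNCTION_ACTIVITIES.items() if acts & activities}

def sod_conflicts(user_roles, role_activities=ROLE_ACTIVITIES):
    """Return {user: [(func_a, func_b), ...]} for users violating SOD_RULES."""
    findings = {}
    for user, roles in user_roles.items():
        activities = set().union(*(role_activities.get(r, set()) for r in roles))
        held = functions_for(activities)
        hits = [rule for rule in SOD_RULES if rule[0] in held and rule[1] in held]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    users = {"alice": ["Z_AP_CLERK"], "carol": ["Z_TREASURY"],
             "bob": ["Z_FIORI_AP"], "dave": ["Z_AP_CLERK", "Z_TREASURY"]}
    for user, hits in sod_conflicts(users).items():
        print(f"{user}: {hits}")
```

Running it reports bob (via the bundled Fiori role) and dave (via two legacy roles combined) as holding the invoice-and-pay conflict, while alice and carol are clean.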
Addressing GRC Requirements in S/4HANA Environments
IT and the Board of Directors should care about S/4HANA and GRC. The Board expects IT to implement all SoD and other controls needed for GRC to S/4HANA. IT is obligated to make this happen. At the same time, if IT can save time and money with GRC on S/4HANA, the Board will be that much more pleased.
This is where we often enter the conversation. As we have seen with many clients, the move to S/4HANA precipitates a look into remediating unexpected GRC exposure. There may also be a request for new ways to secure and automate access controls, compliance reporting and SAP’s audit-readiness.
We address these needs through ControlPanelGRC®, our software solution for GRC. ControlPanelGRC® provides comprehensive compliance automation for SAP environments. This includes SAP Fiori applications along with SAP GUI transactions. And, it does so without the kind of lengthy implementation cycle or training that often comes with such moves. We supplement ControlPanelGRC with our SAP security and controls consultants and managed services to ensure that your systems are managed according to industry standards, auditor guidance and SAP best practices.
ControlPanelGRC is also the first access control platform to offer actionable, out-of-the-box SoD rules for S/4HANA and Fiori applications. It helps close GRC gaps in existing SAP GUI transactions. ControlPanelGRC offers a simple way to include SAP Fiori Applications into SoD rulesets. The solution provides an automated discovery process that captures usage of Fiori applications. Then, ControlPanelGRC pushes comprehensible SoD data to the right person in the business so he or she can review and modify or remove them as needed.
If you are migrating to S/4HANA and Fiori, we can help you determine whether your controls are migrating effectively in the process. Your GRC health depends on having all the right controls in place in the new environment. To learn more about Symmetry’s GRC solutions for S/4HANA, read the press release: Symmetry ControlPanelGRC® Is First SAP® Access Control Platform with Segregation of Duties Rules for S/4HANA and Fiori Applications.