It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
Governance, Risk and Compliance (GRC) is not a new concept, but it’s not uncommon to be asked, “What is GRC software?” After all, our ControlPanelGRC solution is one of the leading GRC solutions on the market today. GRC software is a set of tools designed to integrate compliance into everyday business processes like user provisioning, role management, emergency access management, and periodic risk assessment. GRC software streamlines routine audit and compliance processes while reducing the risk of fraud or malicious activity in Enterprise Resource Planning (ERP) systems.
It monitors user privileges and access, and alerts the organization when a user has a level of access or performs an action that may violate compliance requirements or indicate fraud. It also maintains audit logs and compiles reports to facilitate auditing, risk analysis, and other GRC processes. Finally, it serves as a repository for controls, allowing the compliance team to prove that documented policies and procedures are followed.
First, What Does “GRC” Mean in 2019?
GRC has different meanings depending on where you sit in an organization. A huge number of parties are involved in accessing and processing information. Workers, business partners, clients, providers and customers all need access to some potentially sensitive information, including:
- HR records
- Financial reports
These stakeholders also need to be able to perform business processes like:
- Ordering new stock
- Paying vendors
- Counting inventory
For the IT department and related teams in security and compliance, GRC is much more operational and pragmatic in nature. It’s about establishing policies and practices to minimize compliance risk and then following through to make sure these policies are enforced. Audits for regulations like Sarbanes-Oxley are the milestones by which GRC operates at the IT department level.
At the level of the Board of Directors, GRC is about how the company is run (i.e. “governed”). This has to do with the Board’s obligation to protect shareholder assets against risk. At the Board level, compliance is about making sure the company doesn’t run afoul of any laws, including SEC rules, OSHA and environmental regulations, to name a few.
Compliance policies exist at the level of software and data. Companies run on software. Rules affecting financial reporting and accounting are therefore embedded in the computer systems that underpin these workflows. In many companies, this means SAP. On a day-to-day basis, therefore, GRC is mostly a matter of defining and enforcing compliance policies within the SAP landscape.
What is GRC Software?
GRC software facilitates and usually automates the process of dealing with GRC. It exists because the alternative, manual management of GRC, is not a viable option. It may have been once, but in 2019, it’s almost reckless to consider trying to stay on top of compliance and risk management with spreadsheets and legal pads.
In practical terms, GRC software comprises a set of tools that are designed to integrate compliance into everyday business processes. The software automates routine audit and compliance processes. It reduces the risk of fraud or malicious activity in SAP and other Enterprise Resource Planning (ERP) systems.
GRC software monitors user privileges and access, alerting admins when a user’s access level or actions could be violating compliance requirements. It can even flag suspected fraud. The software also maintains audit logs and generates reports to aid in auditing, risk analysis and other GRC processes. Ultimately, it is a repository for controls. The compliance team can reference the GRC software to demonstrate how the company is following documented policies and procedures.
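As an added illustration (not ControlPanelGRC’s code; the role names, conflict rule and log lines are constructed), here is the kind of access check such software automates: a segregation-of-duties rule over the business processes listed earlier, a stale-access check for departed employees, and a pass over activity logs that flags actions a user’s roles do not grant.

```python
# Added example, not ControlPanelGRC code. Every role, rule and log line is constructed.
from dataclasses import dataclass

# Constructed role catalogue: the business process each ERP-style role grants.
ROLE_PROCESS = {
    "Z_PURCHASING": "ORDER_STOCK",
    "Z_AP_PAYMENTS": "PAY_VENDOR",
    "Z_INVENTORY_COUNT": "COUNT_INVENTORY",
}
# Constructed segregation-of-duties rule: nobody both orders stock and pays vendors.
SOD_CONFLICTS = {frozenset({"Z_PURCHASING", "Z_AP_PAYMENTS"})}

@dataclass
class User:
    uid: str
    roles: set
    active: bool = True  # HR status; False once the employee has left

def find_sod_conflicts(users):
    """Return (uid, sorted conflicting roles) for each user holding a conflicting pair."""
    return [(u.uid, sorted(pair)) for u in users for pair in SOD_CONFLICTS if pair <= u.roles]

def find_stale_access(users):
    """Departed employees whose ERP account still holds any role (revocation control failed)."""
    return [u.uid for u in users if not u.active and u.roles]

def audit_activity(users, log_lines):
    """Flag log lines where a departed/unknown user acts, or a user performs a process
    none of their roles grant. Constructed log format: '<ts> user=<uid> action=<process>'."""
    by_uid = {u.uid: u for u in users}
    alerts = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        u = by_uid.get(fields["user"])
        if u is None or not u.active:
            alerts.append((fields["user"], "activity from unknown or departed user"))
            continue
        granted = {ROLE_PROCESS[r] for r in u.roles}
        if fields["action"] not in granted:
            alerts.append((u.uid, f"action '{fields['action']}' not granted by roles"))
    return alerts

# Constructed sample data: alice holds a conflicting pair, carol has left but keeps a role.
SAMPLE_USERS = [
    User("alice", {"Z_PURCHASING", "Z_AP_PAYMENTS"}),
    User("bob", {"Z_INVENTORY_COUNT"}),
    User("carol", {"Z_AP_PAYMENTS"}, active=False),
]
SAMPLE_LOG = [
    "2019-05-01T09:00:00 user=bob action=COUNT_INVENTORY",
    "2019-05-01T09:05:00 user=bob action=PAY_VENDOR",
    "2019-05-01T09:10:00 user=carol action=PAY_VENDOR",
]
```

Running the three functions over the sample data surfaces alice’s conflicting roles, carol’s unrevoked access, and two suspicious log lines, which is the raw material a GRC tool turns into alerts and audit reports.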
Modern Day GRC Threats and Challenges
Compliance requirements tend to be cumulative. When GDPR came into effect, it didn’t displace Sarbanes-Oxley. Now, you have to do both. As a result, managing GRC is a never-ending game of catch-up.
At the same time, threats that used to seem remote and improbable now look more serious. For example, having a policy to revoke system access privileges for a departing employee was once a satisfactory control against unauthorized access. Today, companies also have to worry about current employees selling their ERP login credentials on the dark web. Stronger GRC monitoring, along with robust security practices, is needed to mitigate such risks.
Then, there are inevitable changes in system architecture and applications that affect GRC. For instance, many companies are now adopting SAP HANA and S/4HANA. This move will (or should) trigger some changes in GRC processes. GRC configuration in an SAP HANA environment requires people who understand the technical layer (e.g. SAP Basis administration), the security model (e.g. SAP Security administration), compliance and business processes.
Changes in GRC Software
New requirements drive changes in GRC software. For instance, we now support GRC for SAP for Business on the S/4HANA platform as well as for new applications developed using SAP Fiori tools. These may accidentally expose compliance risks and gaps. Cloud migrations also affect GRC, so GRC tools must keep up. Thus, as part of the AWS Solution Space, ControlPanelGRC users can now spin up access controls for their SAP environment in AWS.
How Much Support Do I Need to Run GRC Software?
Listen to your auditors. Your compliance program’s track record is a good indication of how much support you’ll need. If your company repeatedly fails audits, or has trouble answering auditor questions from both a software and an internal resources perspective, you’ll benefit from continuous training and support.
Your compliance department needs to continually advance their skill set. The implementation and ongoing administration of the toolsets are also critical. If your auditors have significant concerns every year, it could be a sign your team isn’t able to keep up with new requirements and needs a managed services partner to help.
Implementing GRC Software Solutions
For SAP governance, risk and compliance software, ControlPanelGRC offers a truly turnkey solution. It provides meaningful information for each stakeholder group, along with easy remediation of risks. Managers receive high-level, plain-English outputs. Executives can see graphical reports to better understand potential risks. Technicians have access to root cause analysis to help them remediate risks. All this means improved buy-in, easier audits and better short-term and long-term success.
The Symmetry team will:
- Meet with your audit/compliance team
- Install and configure ControlPanelGRC
- Train your staff in the software
- Provide continuing education and IT managed services, if required
Whether you need initial setup and occasional technical assistance, or prefer outsourcing your entire compliance program, Symmetry is up for the task. Implementing ControlPanelGRC is also a good time to evaluate other managed services needs, especially in the areas of security and compliance. Symmetry offers SAP security services to maintain compliant user access and monitor controls, cyber security services with 24-hour eyes-on-glass monitoring and incident response, and regulatory compliance support for your entire organization.
You didn’t go into business to worry about compliance. Every hour spent poring over compliance reports, meeting with auditors and sitting through risk remediation meetings is an hour you’re not developing innovative products and services. ControlPanelGRC drastically reduces the time requirements of GRC tasks, while providing continuous visibility and deep insight into organizational vulnerabilities. Whether you’re looking for a new tool to help your internal auditors, ongoing security and compliance support, or an SAP services partner to host and manage your entire IT infrastructure, Symmetry can help.