Constant Change Pressures GRC and Business Operations
Today’s organisations are constantly changing. Gone are the days of a static environment that slowly evolves. The digital economy demands rapid business transformation just to keep up, let alone get ahead. This transformation includes employee turnover, new business models, business expansion and increasing regulation in areas such as data protection and privacy. Constant change increases pressure on organisations to ensure their SAP systems are secure and compliant. Access and process controls must be managed in the context of this dynamic business environment. Organisations are wrestling with changing governance, risk and compliance (GRC) functions and non-stop pressure to establish consistent operations across their businesses to maintain the agility they need to adapt and grow.
Manual Processes Still Used to Manage Control and Access the SAP Environment
Despite these dynamic and fast-moving challenges, many businesses still use manual processes and documents to manage control of their SAP environment. The pervasive use of email, spreadsheets and documents is inefficient, ineffective and reduces an organisation’s flexibility. Considerable time and money are spent running reports, compiling information and integrating that information into documents and spreadsheets that are sent out via email for review.
This approach is not only slow and costly, it lacks a structure of accountability with no clear workflow or audit trails, which means things can fall through the cracks. It is worsened by the complex, interrelated web of different SAP instances across the business and exposes the organisation to risk and non-compliance. Issues with Segregation of Duties (SoD), inherited rights, process controls, configuration, critical and super-user access, transaction controls and changes to roles and access cannot be effectively managed with a manual approach. Organisations need to automate their GRC functions and embed risk analysis and mitigation into access and processes to avoid risk, reduce cost and cut the time required to maintain compliance.
Access Control is At the Heart of GRC Automation
While there are many areas within the SAP GRC environment that benefit from automation, such as process control, security configuration and basis controls, access control is where the need is historically greatest, especially with today’s fast-changing regulatory and audit pressures. A recent Gartner paper points out six key access control factors, with the focus on SoD, when considering automation tools. SoD risk analysis, compliant user provisioning, emergency access management, access certification, role management and transaction monitoring all work together to ensure organisations have the controls needed to increase the reliability of transactions, improve auditor trust and increase the effectiveness of anti-fraud controls.
Automating access control functions is very challenging because of complexity and the need for an integrated and harmonised end-to-end approach. SoD risk analysis requires applying predefined rules to users and their associated roles in the SAP environment. Once risks have been clearly identified, access privileges must be carefully provisioned for new users to avoid reintroducing these risks. When emergencies occur, and they do, users must be allowed access to take responsibility for tasks outside their normal job functions. Roles must be periodically reviewed for any unauthorised modifications or “access creep”, and an access certification workflow is necessary to ensure users only have the access privileges required to do their jobs. Continuous monitoring is necessary to detect privilege conflicts and prevent unauthorised transactions. All these functions must be tied together seamlessly to make SAP GRC access control automation valuable to the organisation. Automation tools must be user-friendly and generate reports that can be understood and used by non-technical users.
The complexity and the requirement of an integrated, end-to-end approach, including analytics and reporting, leave many GRC tools lacking, as do complex implementations and licensing challenges. Many tools are not only difficult to deploy, but also lack user interfaces and reports that are easy to understand by non-technical users. These factors often cause businesses to abandon their GRC automation efforts.
ControlPanelGRC – A Better Solution for SAP GRC Access Control
Symmetry’s ControlPanelGRC meets these challenges with its Access Controls Suite, which includes an intuitive user interface and easy-to-read reports. The Access Controls Suite delivers the integrated approach necessary to identify and assess control failures, potential failures and SoD conflicts, and to prevent individuals from holding access beyond what they need in their role. The Access Controls Suite provides continuous monitoring of access risk and SoD violations.
User access and transactions are reviewed regularly to streamline access rights, prevent issues of too much access, and manage and mitigate the cost of SAP licensing. This enables the organisation not only to manage SAP licensing, but also to apply compensating controls when unique access situations come up, documenting and monitoring access where SoD cannot be maintained. The Access Controls Suite also provides emergency access management (EAM) by logging and tracking every activity each user performs during an SAP fire call session.
SAP user and role administration is streamlined by allowing the organisation to manage and process requests for new users and change requests for existing user access. SoD checks are run against the access-provisioned and document-defined roles, and reports are generated for acceptance and sign-off. The organisation is now in a continual state of audit readiness through the automation and validation of SAP audit reports, which provide assurance of controls.
The Symmetry Difference – Above and Beyond
Beyond the powerful features and capabilities of ControlPanelGRC, Symmetry delivers fast deployment backed with unparalleled support and managed services. Our industry-leading Net Promoter Score and 22 years of managing SAP systems mean that your ControlPanelGRC implementation will not only be successful, but that your time to value will be greatly accelerated. ControlPanelGRC has given our customers peace of mind by automating their GRC functions and streamlining their business operations to successfully meet the challenges of a rapidly changing business environment.
Talk to Symmetry to learn more about ControlPanelGRC and how the Access Controls Suite can turn GRC from a chore to a strategic asset.