Any SAP S/4HANA program that does not build security, controls and compliance into the overall design from the start is unlikely to yield the return the investment deserves. In today’s digital age, it is not enough simply to implement enterprise applications that support business operations. Companies are also expected to address cybersecurity, application security, and financial and data privacy controls, among other areas, in a constantly changing regulatory environment (e.g. SOX, GDPR, CCPA), using intelligent, highly automated solutions that stay within management’s budget.
I distinctly remember the Chief Accounting Officer at a technology company telling me that their main reason for using a “design-in” approach to SAP security and controls during their S/4HANA implementation was that they did not want to risk the ever-feared “MW” from their external auditors, potentially impacting billions in market cap. Or another company, where the Chief Information Officer learned that one of their leadership team members had been issuing millions of dollars of customer refunds to themselves while slipping through the supposedly “effective” mitigations in place to catch these kinds of events. These real stories are all too common and very similar to stories we regularly hear from our clients.
The truth is that there are many reasons to embed security and controls into the S/4HANA journey beyond the hidden longer-term cost of the “retro-fit” approach, in which companies later spend far too many resources on re-work to address these key concerns of today’s senior executives across finance, accounting, IT, internal controls and audit. Simply put, the “design-in” approach is the right thing for management to do: it fosters a culture of integrity, advances enterprise digital initiatives, and helps establish operating efficiencies through integrated decisions around risk management.
No matter where an organization is in its S/4HANA journey, whether planning to begin or already underway, we highly recommend that senior executives and program leadership establish a Security and Controls (S&C) workstream as part of the SAP S/4HANA implementation program. The S&C team should combine S/4HANA technical skills, risk management skills and tools/accelerators, as it will both independently champion and lead the design and implementation of an effective, highly automated S&C solution while working seamlessly with the core delivery team on S/4HANA-related components.
The role of the S&C team should include:
- Establishing an effective S&C design that results in strong controls, a high degree of automation and efficient maintenance processes, as reflected by target metrics such as:
  - High level of control automation (e.g., 65%+)
  - Conflict-free roles (task-based)
  - Negligible number of unauthorized conflicts at go-live
  - Efficient user access and data confidentiality provisioning, terminations and review cycles
- Working with the business control owners through the implementation program so that the new/updated controls are clearly understood and effective at go-live, minimizing the risk of control operating deficiencies.
- Providing recommended practices for security and controls optimization using the inherent functionality of SAP S/4HANA applications, SAP GRC Access Control and GRC Process Control, and/or other security and GRC tools.
- Leading the S&C design, testing and deployment in tight integration with all other workstreams, so that the user community enjoys a seamless experience and their project time is used efficiently (single design sign-off, integrated testing cycle, etc.).
- Designing and validating a comprehensive and pragmatic set of System Development Life Cycle (SDLC) controls governing the program implementation, integrated with the core S/4HANA delivery methodology, so that management and the external auditor can rely on the new system.
It is also important to point out that the S&C workstream should typically not sit on the critical path of the program. While retaining its mandate to deliver on its S&C objectives, the S&C team must remain flexible to support changes in the timing and sequencing of the S/4HANA core delivery program.
In many cases, Protiviti will offer a workshop with our subject specialists and the project key stakeholders (including the system integrator) to discuss security and controls leading practices within an S/4HANA environment and our recommended approach for many of our clients. Every customer that used this approach during their S/4HANA planning has told us the workshop significantly helped them in finalizing their S&C strategy, approach and roadmap.
In closing, I would like to highlight what my mother-in-law once wisely told me: “if you buy a house with a pool, make sure there is a fence securing the perimeter, and don’t forget a safety cover for the young kids.” Very wise, indeed. To me, that was simply a no-brainer to protect what I treasure the most. The same can be applied to the S/4HANA journey, ensuring there is proper decision making, early on, around what role security and controls will play, along with developing a corresponding strategy to protect the business from today’s real key financial risks.
If you are interested in having a workshop or would like to discuss further the topics provided in this blog, please contact me directly.
Visit Protiviti’s SAP consulting services page for more information on our solutions.
About the Author
John is a Managing Director in the SAP practice of Protiviti Inc., based out of the San Francisco office. He is responsible for SAP Security and GRC transformation in the US west region.