SAP Blog

Planning for an SAP S/4HANA Upgrade: Security and Controls

With SAP extending its support of SAP ECC through the end of 2027, many companies now find themselves starting their S/4HANA upgrade projects in a race against the deadline. It seems timely to refresh a previous blog, as these considerations are still relevant to those on the S/4HANA journey, including companies on the RISE with SAP program. As a reminder, getting these areas right upfront avoids having to retrofit them after the initial upgrade, which ends up costing significantly more time, money and user disruption:

  • Security and Access Control    
  • Configuration (Automated) Controls  
  • SAP Process Control and SOD Transaction Monitoring (Quantification)   
  • Cloud and Cybersecurity 
  • Data Governance and Classification 
  • Updating Risk Universe and Internal Control Matrices 

While the core considerations above have not changed and are still relevant today, there are some additional focus areas as companies have evolved and matured in recent years (and notably, where we see external auditors expanding their scope). These additional areas should be discussed as part of the S/4HANA journey and overall SAP roadmap, as they will help strengthen the overall control environment.

Access control beyond SAP S/4HANA 

Many companies today have a tool such as SAP Access Control or equivalent for automating access management of their SAP ERP. For those who do not already have a solution in place, it is critical to implement a tool as part of the journey. Since this has become the expected norm, the broader focus has been on extending access management capabilities to the ERP’s ancillary systems such as Ariba, Concur, etc.  This extension allows for greater visibility and transparency into access risks within the SAP ecosystem, provides a more holistic and consolidated view and provides a centralized hub for access management functions. 

Segregation of duties (SOD) ruleset and cross-system risks 

To build on the above concept, as the transition to S/4HANA is underway, often companies implement Fiori to enhance the overall user experience with its sleeker user interface (moving away from the antiquated SAP GUI screens). With the move to Fiori, it is critical to ensure the risk ruleset in the access management tool is updated to consider any new Fiori applications and transaction codes.  To take it one step further, it is becoming more common to perform segregation of duties checks between two systems (i.e., cross-system risks).  A typical scenario we see is a user with access to both S/4HANA for Finance responsibilities and access to Ariba for Procurement responsibilities – being able to analyze the access cross-system will help understand the holistic risk exposures. 
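A minimal sketch of the cross-system check described above, as an added example that is not from the original blog or from any SAP product. It assumes accounts can be correlated across systems by e-mail address, and the Fiori app and Ariba group names are constructed placeholders; it also shows what a ruleset that was not updated for Fiori misses.

```python
from collections import defaultdict

# Constructed sample data (not real exports). FB60 is the SAP GUI transaction
# for entering vendor invoices; the Fiori and Ariba names are placeholders.
S4_ASSIGNMENTS = [  # (user ID, e-mail, entitlement)
    ("JDOE", "j.doe@example.com", "FB60"),
    ("BLEE", "b.lee@example.com", "FIORI_APP_SUPPLIER_INVOICE"),
]
ARIBA_ASSIGNMENTS = [  # (user ID, e-mail, group)
    ("john.doe", "J.Doe@example.com", "PO_APPROVER"),
    ("b.lee", "b.lee@example.com", "PO_APPROVER"),
    ("c.kim", "c.kim@example.com", "PO_APPROVER"),
]
# Ruleset: function -> (system, entitlement) pairs that grant it.
FUNCTIONS = {
    "ProcessVendorInvoice": {("S4", "FB60"), ("S4", "FIORI_APP_SUPPLIER_INVOICE")},
    "ApprovePurchaseOrder": {("ARIBA", "PO_APPROVER")},
}
# The same ruleset before the Fiori app was added to it.
LEGACY_FUNCTIONS = {**FUNCTIONS, "ProcessVendorInvoice": {("S4", "FB60")}}
RISKS = {"X001": ("ApprovePurchaseOrder", "ProcessVendorInvoice")}


def functions_by_person(functions):
    """Map each person (keyed by lower-cased e-mail) to the functions they hold."""
    held = defaultdict(set)
    sources = (("S4", S4_ASSIGNMENTS), ("ARIBA", ARIBA_ASSIGNMENTS))
    for system, rows in sources:
        for _user_id, email, entitlement in rows:
            for name, grants in functions.items():
                if (system, entitlement) in grants:
                    held[email.lower()].add(name)
    return held


def find_cross_system_risks(functions=FUNCTIONS):
    """Return sorted (e-mail, risk ID) pairs where one person holds both sides."""
    held = functions_by_person(functions)
    return sorted(
        (person, risk_id)
        for person, funcs in held.items()
        for risk_id, (left, right) in RISKS.items()
        if left in funcs and right in funcs
    )


if __name__ == "__main__":
    print("updated ruleset:", find_cross_system_risks())
    print("legacy ruleset: ", find_cross_system_risks(LEGACY_FUNCTIONS))
```

Neither system analyzed on its own reports a conflict here; the risk only appears once the two sets of assignments are joined on the same person.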

Organizational change management and training 

This area is often not thought about early enough in the project, which prevents the proper planning and time commitment it requires. However, it is important to understand how the end user experience will change and plan accordingly upfront (e.g., introducing a new Fiori app which changes the end user’s interaction with the tool). A robust change management and communication plan should be developed, including creating or updating any training materials and policy/process documents. It is easy to miss these details while teams are in project mode and heads down executing; however, this often comes back to haunt IT teams in the form of more hypercare issues and tickets.

While it may seem like these additional considerations add complexity to a simple project, it is in fact the prime time to discuss and evaluate the user impact. It is equally important to consider these factors even if your organization is upgrading through the RISE with SAP program. While it is structured to be an accelerated migration and modernization program, it can be easy to overlook these key considerations or assume they are prebuilt. Incorporating these factors now and doing it right the first time will absolutely be more efficient than circling back and retrofitting any of them afterwards. It would only cost the organization more time and money in the long run if left unaddressed (and, depending on the severity of the issues, potential audit deficiencies as well).

Readers may also be interested in this recent blog: Rising to the Challenge: RISE with SAP Automation with UiPath.   


Kyle Wechsler

Managing Director
Business Platform Transformation

Yeurd Ng

Director
Business Platform Transformation

Sara Kenn

Senior Manager
Business Platform Transformation