Key Insights

Throughout our work, we've uncovered the most effective procedures, techniques, and methodologies for effectively delivering SAP Security and GRC solutions. We proactively share this knowledge through our Key Insights programme - a series of roundtables, webinars and thought leadership activities aimed at promoting discussion with peers and experts around best practice and to generate an informative forum for knowledge sharing.

Insight Events

How easy is it to attack an SAP system?

How easy is it to attack an SAP system?

Online Webinar

How easy is it to attack an SAP system? Join Turnkey Consulting and Virtual Forge as we exploit typical weak spots and hack an SAP system live, demonstrating at the source code and systems levels – with new hacks. For more information and to register click here.

Read more
UK & Ireland SAP User Group

UK & Ireland SAP User Group

ICC Birmingham

Turnkey Consulting will be exhibiting at the SAP UK and Ireland User Group. The 2015 UK & Ireland SAP User Group Conference will take place at the ICC, Birmingham and members can now book on to this event for £575 members rate or £875 non members rate by following this link and entering our exclusive promotional code turP615.

Read more



A 1-day SAP GRC Access Controls for Auditors training workshop will be conducted in Singapore by Turnkey Consulting on 27th November 2015. The workshop will cover how SAP GRC Access Controls can be used to conduct SAP audits more efficiently and effectively. Covering:  Overview of SAP GRC Product Suite  Overview of SAP GRC Access Controls  Key areas in auditing SAP GRC Access Controls Implementation   Please email us at for more details or to register.

Read more
Marc Jackson

Controls Automation – Controls Terminology and Traditional Controls - Part 1

2 Oct 2015

Posted by Marc Jackson

Increasingly the market is focused on automating controls to reduce the cost of compliance, improve the control environment, and realise efficiencies. More than ever now, organisations are completely information-driven and data has become the lifeblood of any business. In the past, organisations were able to manually verify and audit the accuracy, consistency and reliability of the information they used due to low-volumes and relatively stable mainframe-based information processing environments. However, with the advent of distributed technology, data volumes and compliance requirements have increased exponentially. As a result, the use of manual controls has become costly, obsolete and simply not sustainable.

Make a Comment
Richard Hunt

Raising the Bar in Data protection

17 Sep 2015

Posted by Richard Hunt




In EU law there is an important distinction between a Directive and a Regulation – a Directive must be implemented by each member state, a Regulation becomes law in all member states upon implementation. As a consequence this new UK data protection legislation will become far more stringent than it has ever been.

The good news is that the new regulation will not be fully in force until 2017/18 so there is still time to prepare. One of the key changes is the concept of privacy by design. Similar to the idea of the least access principle, privacy by design requires that a company’s IT systems have been designed with data privacy compliance in mind. In practice this means that SAP customers will need to ensure their access controls support compliance with the regulation and that access to personal or sensitive data is justifiable and restricted to those who need it for legitimate purposes.

Whilst compliance with the new regulation will affect access controls in a number of SAP modules and there will be a number of industry specific risks, it will be SAP HCM and/or Success Factors customers who will certainly be affected. The initial draft of GDPR has proposed a series of mandatory icons which will need to be used to provide an overview of the status of an organisation’s compliance to the regulation. These icons provide a useful summary of the key requirements:

 Image 1

This will provide a requirement to justify the purposes for which the data is being held and processed. The requirement will have a number of implications with regards to the collection and retention of customer and supplier data and will also affect data held on employees in an HCM context.

image 2

Data retention is an area where many SAP implementations are going to need to tighten up in order to achieve GDPR compliance. For example, holding the full HCM record of an employee after he/she has left the organisation could be considered a breach given that the company will have no justifiable reason to retain details such as dependents or next of kin.


This requirement has some interesting implications for predictive analytics and other Big Data applications. Was data collected by the organisation for these purposes and can this be considered a reasonable extension of the data usage?



Whilst organisations may not intend to disseminate, sell or rent the personal data, they hold an obligation to ensure their employees do not is also implied by this requirement. Therefore, access controls and the ability to restrict data downloads will become increasingly important.


Insisting on the encryption of an entire SAP database is likely to be met with significant resistance from the BASIS team for a number of reasons, not least of which is performance. HANA databases have been built with encryption capabilities as standard but for those SAP customers without the luxury of a HANA landscape, compliance to this obligation will be a significant challenge.

Interestingly GDPR compliance will apply a test that will look familiar to those of us with an audit background:


  1. it must be designed so the controller is compliant if it is followed; and
  2. it must allow it to demonstrate such compliance to SAs and to data subjects

This is basically the test of design and operational effectiveness applied to controls during an audit. Roles and authorisations clearly play an important part in the implementation of a GDPR compliant solution but other tools will also be useful:


GRC Process Controls

Tools such as SAP GRC Process Controls will be very useful in the implementation of a GDPR compliance programme:


  • Documentation of the organisation’s GDPR compliance procedures
  • Assignment of control ownership and operation of these controls using PC workflows
  • Documenting and issuing Data Protection policies and amendments using the Policy Management component
  • Issue management and remediation
  • Demonstration of GDPR related compliance activities
  • GDPR compliance sign-off

 Read access logging

The new Read Access Logging functionality inherent in SAP Netweaver will be extremely useful in the implementation of monitoring controls. Allowing access to sensitive data to be monitored at a more detailed level will provide an alternative where an access controls solution would be too restrictive.



Make a Comment
Tom Venables

Do you have trust issues?

6 Aug 2015

Posted by Tom Venables




So, knowing that trust is defined as “having confidence in the veracity, integrity or other virtues of someone or something”, how would you rate the trust you have in the following:

  • The accuracy of your data?
  • Integrity of the systems which store your data?
  • Security of communication between systems?
  • The integrity of the people in your organisation?
  • The organisations which work to support you?
  • The processes which are in place?

If any of the above gave you pause for thought, you are probably not alone! I have seen examples of all of these being called into question at some point and, like all of us, have worked to improve the trust in the people, companies, systems and processes involved.

Once trust or confidence has begun to be eroded, it can be extremely difficult to re-establish, if it can be regained at all. It is possible to handle a lack of trust, establishing proper governance and control processes, supported by tools can help us to continue to operate in environments where trust is an issue.

Trusting the people

We trust the employees in our company with the data they require to perform their job function. We do, however, still establish mechanisms to protect both the organisation and the employees themselves from the ability to realise risk. It is important that this protection is understood to work both ways – the company can have faith that “John Doe” cannot commit fraud and “John” is confident that he will be blameless in the event that fraud were to happen. Establishing the employees’ responsibilities in managing risk are key to achieving our governance and compliance goals.

Maintaining control of segregation of duties risks, whether through role design, or supplemented with GRC access controls, is one mechanism by which we can establish trust between the employer and the employee. This is even more relevant for managed service organisations, where they are being trusted as the custodians and protectors of their clients’ business-critical information and systems.

Trusting the systems

Ensuring the integrity of the systems and data your business relies upon is key. Anything which undermines confidence in those systems needs to be addressed and there are a number of procedures which can improve the reliability of, and confidence in, those systems.

Ensuring correct change controls are in place for enhancements should ensure that nothing untoward is introduced into the live systems, however this needs to be backed up by robust testing from the correct stakeholders, with particular emphasis on integration testing, as nothing will erode trust in new systems faster than negative UAT or live issues.

We often see cases where functionality tested (and working) in isolation in pre-production systems does not “play well” with live data, or other functionality. Making sure that issues with integration are addressed before go-live will increase business confidence in the IT systems and the organisation which supports them.

The bottom line is: Ensure you have the processes in place to protect the people and systems your business needs, supported by the appropriate tools and you will improve the trust, truth and confidence in those people, systems and your own organisation.

Please feel free to comment on your own trust issues, or examples of what’s worked well using the link below:

Make a Comment

"The Key Insight sessions are an ideal way of sense checking your current ways of working."

Chris Haigh, Global SAP Security Specialist, Kimberly Clark Corporation & Chairman of SAP GRC User Group

"I found the session to be very useful, informative and well facilitated."

Olu Adeosun, Compliance Manager Enterprise Systems, BP plc

"The session I attended was indeed very interesting with a lively and stimulating round table discussion."

SAP Project Manager - Global Petrochemical company

"It was a well facilitated event, would happily recommend future events to others and would hope to attend again."

Mike Bonsor, Head of Project Management, SThree Plc

"I took away some good knowledge and would clear my diary to attend another one of the sessions."

Olu Adeosun, Compliance Manager Enterprise Systems, BP plc

"Key Insights added significantly to my knowledge of the topic discussed."

SAP Project Manager - Global Petrochemical company

"The points debated were most useful in applying to our own circumstances"

Mike Bonsor, Head of Project Management, SThree Plc

"Key Insights allows you to find out from others what does and does not work well."

Chris Haigh, Global SAP Security Specialist, Kimberly Clark Corporation & Chairman of SAP GRC User Group

"The points debated gave the opportunity to avoid pitfalls that others had made."

Mike Bonsor, Head of Project Management, SThree Plc

"The session I attended was indeed very interesting with a lively and stimulating round table discussion."

SAP Project Manager - Global Petrochemical company