An Integrated Approach To SAP GRC Process Controls (Part 2)

Posted by Richard Hunt on 14 November 2012

In this blog I would like to follow up on my earlier entry around the benefits of including GRC in a greenfield implementation. Previously we explored this area in the context of access controls. We now look at the benefits of implementing Process Controls at the outset of your SAP journey.

Integrated Control Framework
An SAP control framework is something that will be developed over time by most organisations. Typically Internal Audit will have a control framework against which they test the company's existing controls. This will be updated by IA either during the initial SAP implementation or, more commonly, at the first audit cycle post go-live. The inclusion of process controls at the outset of the project enables an organisation to focus resource towards the adaptation of the control framework to suit the SAP environment. It also gives the opportunity to ensure that these controls are designed efficiently for SAP.
 
Automated Process Controls
With or without GRC technologies in place, your SAP implementation will need to define business process controls to ensure the control and smooth running of your business processes. The inclusion of GRC technologies in your initial implementation scope will enable these controls to be defined and developed in the most efficient way possible, taking advantage of the latest controls automation technology to drive down the costs associated with operating and testing these controls post go-live.
 
Internal Audit Efficiencies
Testing an SAP environment can be a very labor-intensive and inefficient process from an audit perspective. Investing effort during the initial implementation to understand where these inefficiencies occur will help to reduce them, ensuring that duplication of testing is minimised and control testing is automated wherever possible.
 
Familiarity with the SAP Environment
Ensuring that IA are familiar with controls in the SAP environment from the outset of the project is an important but difficult challenge. Without focused effort from IA to get up to speed on the various complexities of auditing an SAP environment, they could find themselves playing catch-up post go-live. The inclusion of Process Controls (PC) in the implementation scope of GRC will give your audit team a natural 'home' on the project and enable them to develop the skills they need to audit the new SAP environment over the course of the project.

Conclusion
Maturity in the GRC market and in the GRC applications available from SAP means that these solutions should be a consideration for any greenfield SAP implementation. Whilst it may not be in every project scope from the outset, customers should consider the benefits of addressing some of the problems that GRC solves during their initial implementation. As we have seen in this blog entry, taking a proactive approach has a number of benefits, and tackling your GRC challenges early will surely result in a stronger and more efficient control environment.
