
SAP GRC – Turning An Obligation Into A Benefit

Posted by Richard Hunt on 27 June 2013

Maintaining SAP Security and supporting audit processes is seen by many companies as an obligation that does not generate any profit. As a result, these mandatory tasks often do not get the attention and resources needed to support, streamline and integrate them in one IT solution, and a lot of time, money, manpower and quality is lost in redundant effort, disconnected processes, ineffective idle time and the continuous erosion of implemented concepts.

In my opinion the GRC 10.0 Application Suite is the only integrated solution that is able to integrate and streamline all SAP Security and audit-related processes, reduce operating and process costs significantly, and protect a company’s investment in its SAP security structure. Please allow me to explain how the various ways of investing in an SAP GRC system can quickly be turned into a profit – from an obligation into a benefit.

Example 1: Reducing IT administration costs. GRC 10.0 User Access Management (UAM) and Emergency Access Management (EAM) support automated user provisioning. Approved access requests for business users as well as emergency users no longer need to be posted manually into the SAP back-end system. The savings here lie as much in reduced IT support cost as in a faster provisioning process, and therefore less idle time. SAP access support can now be granted 24/7 without exorbitant bills from IT supporters. The integrated Identity Management (IDM) is able to support a complete starters and leavers workflow across all SAP and also non-SAP systems. For example, we recently completed an ROI estimate identifying potential savings of €100,000.00 annually for the European operation of an international consumer electronics company.

Example 2: Accelerating business processes. GRC 10.0 UAM also accelerates processes for the business through a system- and device-independent approval workflow supported by browser and mobile app technology. The workflow contains various substitute and escalation rules, ensuring that approval processes do not get stuck. The password self-service minimizes idle time due to forgotten or mistyped passwords. GRC 10.0 also enables the business to perform a risk analysis before creating or approving access requests and to mitigate the identified risks instantly. In the long run this saves the time spent analyzing, reviewing and mitigating access risks.

Example 3: Reducing internal and external audit effort. With the GRC Access Control applications, any and all audit-relevant information is always available: instantly and up to date. External audit companies no longer need long analysis runs to get a picture of the risks in the authorization environment; the data can be retrieved immediately. Any log or required process approval documentation can be retrieved directly from the GRC system to prove compliance, without time-consuming browsing through different applications and documents.

The GRC Process Control application supports all audit activities directly and provides many useful functions around the necessary controls. All relevant controls can be centrally managed, and many controls can be automated. Interactive surveys of the user community can be run and analyzed, even in complex organizational structures. Automated controls for SAP and non-SAP environments can be performed continuously, so the results are always up to date. Together these functions significantly reduce the workload and time for internal as well as external audit, and the business’s involvement in the audit process. An analysis done by Turnkey Consulting for a European operation of an international consumer electronics company identified saving potentials of €200,000.00 for audit support.

Example 4: Protecting investments in SAP Security Concepts. SAP security concepts often take a large part of SAP project implementation costs: roles are developed in workshops with the business, and testing and go-live support is provided by SAP security consultants. Once the developed roles are handed over to the support team, dynamic business requirements and the need for quick fixes often lead to a slow disintegration of the initial role concept – and therefore of the customer’s investment. The GRC AC Business Role Framework provides transparency over the authorization roles that allows the development team to ensure the continuing high quality of the company’s authorization concept. Possible risks within roles can be identified directly during development, and the role change process is supported by an approval process, so a high level of compliance can be enforced without additional effort, making sure that the role concept remains clean even after years of working with SAP.

Example 5: Reducing license fees and development costs. Many SAP access approval workflows are supported by third-party workflow systems like Lotus Notes or SharePoint. Development in these environments can be expensive and is never integrated with the SAP environment. The user community has to have access to the proprietary workflow, and clients and workarounds have to be provided when users come from external systems. The GRC AC User Access Management workflow provides seamless integration from any possible client or mail system directly into the SAP back-end systems. It simply requires an SMTP interface to an e-mail system and a web browser on the user’s front end to forward, approve and post SAP access or emergency user workflows into SAP. No additional license fees or development costs for third-party systems are required. The GRC Multi-Stage Multi-Path workflow is easy to configure without ABAP development skills.

Example 6: Avoiding loss of money due to fraud. The main objective of the SAP Governance, Risk & Compliance Application Suite is of course to ensure security in access and processes. The rule set provided by SAP for access controls is based on recommendations from the Big Four auditing firms to avoid fraud or fraudulent manipulation of the SAP-supported business processes. It enforces segregation of duties, or at least the assignment of mitigating controls. The transparency that SAP GRC AC provides for identifying potential fraudulent activities helps save companies large amounts of money that might otherwise be lost unnoticed.
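To make the mechanism behind Example 2 (risk analysis before an access request is approved) and Example 6 (segregation-of-duties rules with mitigating controls) concrete, here is a small added example in Python. It is not SAP's or Turnkey Consulting's code: the rule set, functions, roles, users and mitigating-control IDs are constructed for illustration, and the transaction codes are standard SAP ones used only to make the constructed rules readable, not an excerpt of SAP's delivered rule set.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rule set (illustrative, not SAP's delivered rule set).
# A "function" is a named group of transaction codes; a rule names two
# functions that one person must not be able to execute together.
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
    "MAINTAIN_USER": {"SU01"},
    "MAINTAIN_ROLE": {"PFCG"},
}

RULES = [
    # (risk id, description, function A, function B)
    ("P001", "Create a fictitious vendor and post invoices to it", "CREATE_VENDOR", "POST_VENDOR_INVOICE"),
    ("P002", "Post vendor invoices and release the payment run", "POST_VENDOR_INVOICE", "PAYMENT_RUN"),
    ("B001", "Create users and assign them roles", "MAINTAIN_USER", "MAINTAIN_ROLE"),
]

# Constructed roles (role -> transaction codes) and user assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01"},
    "Z_TREASURY": {"F110"},
    "Z_BASIS_USER_ADMIN": {"SU01"},
    "Z_BASIS_ROLE_ADMIN": {"PFCG"},
}

USER_ROLES = {
    "ap.clerk": {"Z_AP_CLERK"},
    "treasurer": {"Z_TREASURY"},
    "basis.admin": {"Z_BASIS_USER_ADMIN", "Z_BASIS_ROLE_ADMIN"},
}

# Mitigating controls assigned per (user, risk id); the control IDs are made up.
MITIGATIONS = {
    ("basis.admin", "B001"): "MC-17 monthly review of user/role changes by the security lead",
    ("treasurer", "P002"): "MC-08 four-eyes release of every payment run",
}


@dataclass(frozen=True)
class Violation:
    risk_id: str
    description: str
    via: tuple                      # (tcode from function A, tcode from function B)
    mitigated_by: Optional[str]     # None when no mitigating control is assigned


def effective_tcodes(roles):
    """Union of all transaction codes granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def analyze(user, roles=None):
    """Run every SoD rule against a user's effective access (or a hypothetical role set)."""
    roles = USER_ROLES.get(user, set()) if roles is None else roles
    tcodes = effective_tcodes(roles)
    found = []
    for risk_id, desc, fa, fb in RULES:
        hit_a = sorted(tcodes & FUNCTIONS[fa])
        hit_b = sorted(tcodes & FUNCTIONS[fb])
        if hit_a and hit_b:   # the user can execute both sides of the conflict
            found.append(Violation(risk_id, desc, (hit_a[0], hit_b[0]),
                                   MITIGATIONS.get((user, risk_id))))
    return found


def simulate_request(user, requested_roles):
    """Risk analysis before approval: which NEW violations would the request introduce?"""
    before = {v.risk_id for v in analyze(user)}
    after = analyze(user, USER_ROLES.get(user, set()) | set(requested_roles))
    return [v for v in after if v.risk_id not in before]


def approval_decision(user, requested_roles):
    """Approver guidance: approve, approve because controls exist, or stop and mitigate."""
    new = simulate_request(user, requested_roles)
    if not new:
        return "APPROVE"
    if any(v.mitigated_by is None for v in new):
        return "REJECT_OR_MITIGATE"
    return "APPROVE_WITH_CONTROLS"


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, [(v.risk_id, v.via, v.mitigated_by) for v in analyze(user)])
    for user, req in [("ap.clerk", ["Z_VENDOR_MASTER"]), ("treasurer", ["Z_AP_CLERK"]),
                      ("treasurer", ["Z_VENDOR_MASTER"])]:
        print(user, req, approval_decision(user, req),
              [v.risk_id for v in simulate_request(user, req)])
```

The point of `simulate_request` is that the check runs against the user's access as it would be after the request, not against the requested role in isolation: the AP clerk's existing invoice-posting access is harmless on its own and the vendor-master role is harmless on its own, but together they complete rule P001. The decision only distinguishes "no new risk", "new risk already covered by an assigned mitigating control", and "new risk with no control", which is the information an approver in the workflow described above needs.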

The latest version, SAP GRC 10.1 Fraud Control, now takes compliance to a new level: fraudulent patterns within the online ERP data can be monitored permanently and in real time using SAP’s latest HANA in-memory technology. If patterns are detected, business processes can be stopped immediately and those responsible informed. This prevents fraud without restricting access rights.

GRC Process Control supports additional controls for processes outside SAP, from audit-driven controls to physical, production and quality controls. The continuous awareness and transparency help companies safeguard against various kinds of financial damage.

Example 7: Avoiding capital loss through Risk Management. Companies often have only vague ideas about which business, operational and security risks they need to tackle and which controls they need to put in place. The highly integrated approach of the SAP GRC application suite allows all possible risks and controls to be evaluated and classified. This includes the access and process risks maintained as central master data in the GRC AC and PC applications, as well as additional risks identified and categorized separately. The results of the different risk analyses can be presented to management as heat maps and other graphical charts. These provide visibility and transparency of the company’s situation and often assist management in making the right decisions to keep the company from large capital losses.

Summary: Investing in the implementation of an SAP GRC system quickly turns, for the various reasons above, into a profitable return on investment. Its high integration across all GRC applications, and with SAP and many non-SAP systems, helps accelerate processes, reduce IT and audit costs and protect the company from many financial risks. On the other hand, the costs of an implementation are moderate and easy to assess by using the available Rapid Deployment Solutions and experienced consultants from specialized companies like Turnkey Consulting. SAP GRC comes with many pre-configured features and easy-to-use workflows. In addition, the central master data concept helps avoid redundant effort.
