“Turnkey has excellent GRC capability, and their understanding of SAP security is impressive. Our project came under budget and this project has laid the foundation for us to expand this to our wider ERP landscape, allowing for further streamlining user admin processes and related cost reduction.”
— Dirk Tel, Group Internal Control Manager at Imperial Brands PLC
Imperial Brands had previously worked with Turnkey Consulting on a GRC programme to address the firm’s concerns around Segregation of Duties in its SAP landscape.
This compliance project provided much more transparency and granularity to its SoD reporting, effectively reducing the gap between the external auditors’ expectations of what the definitions should be and how the firm had been managing SoD in its main SAP system.
Although the reporting was now in line with auditing requirements, Imperial Brands was aware that its existing role-based access design was increasingly outdated, not having changed for over 10 years. The access profiles had been inherited and there were a significant number of conflicts with the new rule set. Most of the role descriptions were unrecognisable, not in plain English and therefore difficult for line managers to understand and work with.
Imperial Brands turned to Turnkey to help them refresh and re-design the role-based access design globally, to bring it in line with the business’ current operating models as well as the new SoD definitions.
Without standard business processes or organisational structures to go on, usage analytics were obtained from the SAP GRC toolset, providing a detailed view of aggregated end-user usage behaviour over a prolonged period of time. The list of user transactions gave key insight into the areas that staff were currently accessing and provided a focus for the scope of the re-design.
Filtering and re-defining new profiles for access controls reduced the list of ‘everyday’ individual transactions from 3,500 to 2,500, which then provided the basis for allocating them to logical groups of activities that should go together in a single task role.
The re-design provided Imperial Brands with a landscape of around 125 global roles that could be used for its 1,700 users, with the ability to restrict roles geographically as required. Additionally, around 44 country-specific roles were created, mainly for local customised activities.
Turnkey kept project delivery costs minimal by leveraging the existing capabilities with the SAP GRC toolkit and using its off-shore team in Kuala Lumpur. These tools allowed Turnkey to very quickly design and build new roles and accelerate the project delivery. Scripting and mass maintenance tools, along with Turnkey’s application of previous project experience, meant the project was completed within 5 months, on time and on budget.
Dirk Tel, Group Internal Control Manager at Imperial Brands PLC said, “Through their in-depth knowledge and the accelerators available within SAP, Turnkey was able to deliver a full role re-design in a period of 5 months instead of the usual year timeline.”