“What Turnkey brings to the table is a set of people who are top of class. I think they provide a service that is real world and reflects what customers are looking for and the challenges that we face.”
— Scott Waller, GRC Programme Manager
“As a global company, trading on the New York Stock Exchange, we must comply with regulations around the state of our financial reporting and internal controls,” says Scott Waller, the overall programme manager of the GRC programme. “But a lot of the internal management processes are seen as onerous, costly and a burden on our business”. The challenge was to improve their Governance, Risk and Compliance (GRC) processes to make them as simplified, standardised and automated as possible. They needed to be compliant, and to achieve that in the most cost-effective manner.
The company was already committed to using SAP systems to help them conduct their business but they wanted to improve and expand this in the area of GRC.
“Putting together a successful GRC team requires a number of different skill sets, including finance, auditing and IT systems’ knowledge. That blend of skill set is very difficult to find on the marketplace,” continues Waller. “That's really where Turnkey came in, as they have the relevant skills and expertise to be able to identify the opportunities for efficiencies and then actually implement and deliver them.”
Turnkey Consulting had worked with the organisation before and had demonstrated a good internal track record. They were also recognised as a cost-competitive solution. Waller goes on to say, “Talking to peers in other companies, I found there was a very positive perception about Turnkey Consulting in the GRC space.”
Turnkey was brought in to deliver two major aspects of the GRC upgrade: emergency and high privileged access (E&HP), and segregation of duties (SoD).
Turnkey’s approach was first to understand what it was that their client was trying to deliver from the project. This involved understanding the overall objectives, the structure of the project and their role in it. Turnkey then carried out a major business analysis to review the current systems to determine how, through the GRC tooling, the organisation could optimise their processes based on workflow and automation. Turnkey was then responsible for implementing it. Waller explains, “With GRC tooling there is a large degree of optionality around what is and isn't used. Turnkey was able to assess our business needs, help document the requirements and then map the technical solution design to the requirements, to ensure we were getting something that was fit for purpose.”
The company needed a standardised solution for managing external supplier access to their SAP systems. “The E&HP process is there, in essence, for IT suppliers who support our infrastructure, our SAP platforms and some of the sensitive areas within our ERP system. The process is crucial because it is the entry point in the event of a break-fix scenario. If our system goes down or if there are any instability issues, then this process is used to restore service,” explains Waller. “There is a real need to get it right, but it's a balance between service restoration and managing the risk to restore the service. In these situations we have to give away a level of access that we usually wouldn't be comfortable with. It needs to be done in a controlled manner with a full audit trail.”
Building on the existing SAP GRC tool, incorporating CUP (Compliant User Provisioning), SPM (Super-User Privilege Management) and RAR (Risk Analysis and Remediation), Turnkey designed a solution that moved the process from a manual one, which was time-consuming and open to human error, to one that was more robust and automated.
The other element of the project focused on segregation of duties. Turnkey assisted in optimising the SoD rule-set, advising on best practice and highlighting what the auditors would focus on. Waller explains: “This was very helpful as it provided us with an internal critique and challenge. We are trying to move the company towards the top quartile in this area, while at the same time having something that is fit for purpose”. Turnkey was responsible for establishing revisions to the rule-set based on their knowledge and experience. “Their detailed expertise around SAP security and authorisation is certainly, I would say, market leading,” expands Waller. “It's a differentiator because typically with a GRC consultant, you get functional GRC skills, you don't necessarily get the detailed SAP security knowledge. We felt like that was really value-add.”
Global standardisation: “This was also a huge achievement. We actually implemented this across multiple global systems in multiple businesses, yet we've maintained a standard solution,” highlights Waller. “This has improved the external supplier experience when accessing the company’s systems, making it simpler and less likely to cause process failure.”
“Turnkey was able to assess our business need and design a fit for purpose technical solution that was focused on those needs but that was also able to be maintained and supported in-house, making it future-proof and stable.”
Waller concludes by saying, “What Turnkey brings to the table is a set of people who are top of class. The profile of Turnkey's staff reflects having worked in a range of large multinationals and that was very attractive.”