Implementing SAP GRC Access Control 10.0 solution to improve internal control and deliver process improvements
Infineum is a world leader in the formulation, manufacturing and marketing of petroleum additives for lubricants and fuels. It employs around 1600 people worldwide and has sales representation in more than 70 countries.
“As a result of this project, we have greatly increased the scope of our controls with a state-of-the-art solution.”
— Paul Robbins, Global IT Manager responsible for SAP
Challenge
Following a review of its security software solutions, the Infineum Group was looking to replace its ageing access control and segregation of duties monitoring system. “We weren’t really feeling any pain, other than we just recognised the system we were using was coming to end of life and we needed to replace it,” explains Paul Robbins, Global IT Manager responsible for SAP.
In addition to its age, the existing system also had a limited scope in terms of the checks it was performing. Infineum also wanted an access control solution that would enable them to move away from having to do annual audit reviews to an evergreen process. Robbins explains, “With our old controls process we would have an access review once a year and I wanted to get away from that and move towards an evergreen process where you’re not creating issues in the first place.”
Infineum had worked with Turnkey Consulting before on another engagement for continuous compliance monitoring, so when they were looking for a new implementation partner to support their SAP strategy, Turnkey was a natural choice. “It’s a fairly small market and they knew we were trying to implement GRC Access Control,” comments Robbins. “Following a number of detailed conversations we decided to abandon our original approach and go with Turnkey Consulting.”
The biggest challenge with this project was that the company had begun a GRC implementation that had not gone live due to technical issues and their current version of the software was almost out of date.
Solution
Following Turnkey Consulting’s appointment as the implementation partner for GRC, its consultants conducted an analysis of Infineum’s business requirements and provided timely and important advice. They recommended that rather than proceed with a solution based on version 5.3, and then have to redesign the processes in version 10, Infineum should only continue with the modules that could be migrated into the new version.
Robbins comments, “When we engaged Turnkey, they looked at what we were doing and what the future held and advised us we’d be better to upgrade and go live on version 10. The upgrade path for 5.3 to version 10 wasn’t possible for some of the modules, so we would effectively be wasting money going live with those in version 5.3.”
Although they were effectively delivering technology advice that was not in their interests, as it would reduce the amount of money they would earn, the Turnkey consultants recommended the strategy that was the best fit for the client. “That’s exactly why you bring in external consultants – to tell you what the options are, and what they would recommend,” says Robbins.
Turnkey’s team worked very hard to get the modules running on GRC version 5.3 live within a couple of months and then progressed with the technical implementation of version 10. They partnered effectively with the Infineum project team to design an automated provisioning solution that aligned with Infineum’s access approval process.
The GRC access controls implementation was carried out efficiently and in line with Infineum’s expectations. Robbins comments, “From a project sponsor and management perspective it’s a good implementation because the project is live, on time and on budget.”
Benefits
- Solution tailored to client’s best interests: Turnkey Consulting took time to understand the context in which the technology would be used and gave Infineum strategic advice on how to implement the solution for maximum effectiveness. Because the organisation was looking to leverage other GRC tools later on, Turnkey advised them to implement version 10 of GRC to give them a strategic technology platform ready for any future enhancements.
- Cost savings due to expert advice: Turnkey advised Infineum to go ahead and implement version 10 rather than finish the project they had been working on in version 5.3. “Although this advice was not necessarily in the consultants’ interests, it was the right approach for Infineum because they ensured the project went live on the right technology platform,” highlights Robbins. “This saved Infineum a considerable amount of time and significant additional costs.”
- Speed of implementation: The original GRC project had been delayed for some time, which is why the technology was almost out of date. Turnkey helped to get the project live within a couple of months ensuring that the original work in version 5.3 was not wasted and enabling Infineum to begin role remediation activities in preparation for the next phase of the project.
- Solid audit trail ensures compliance: The access controls solution provides Infineum with a very streamlined emergency access process. This gives them automated provisioning of emergency access, an audit trail of approval for emergency access and compliance with Infineum’s rules around privileged access. “Infineum now has a solid audit trail all round from an audit compliance perspective,” says Robbins.
- Increased scope of controls: One of the original drivers for this project was that Infineum’s existing system had a limited scope of the checks it was performing. The new tool has a much broader scope and is producing much better results. Robbins comments, “We’ve implemented a tool that’s checking from a controls perspective a much wider set of controls and risks than we were before. We are looking at this now with a magnifying glass whereas before we were just staring at it”.
- Eliminated need for annual detective reviews – an evergreen process: Another key aim the company had as part of this implementation was to create an evergreen access review process that eliminated the need for annual reviews. The existing access controls system required an annual review to ‘mop up’ the mistakes that had been made during the year. The new system has allowed the company to ‘get clean and stay clean’ by conducting ongoing reviews, embedding compliance into Infineum’s business processes.
Summary
Turnkey’s technical expertise and specific in-depth knowledge of SAP GRC combined with their understanding of the context in which the tools would be used produced a solution that was designed to deliver the best possible results for Infineum.
“As a result of this project, we have greatly increased the scope of our controls with a state-of-the-art solution,” comments Robbins. “We have an audit trail of approval for emergency access, a much broader scope of risk checking and a process that eliminates the need for repeat checking by the auditors.”