“Turnkey is a professional, efficient and trustworthy organisation.”
— Marek Prachar, Information Services Manager
The company wanted to improve its audit compliance record and its segregation of duties (SoD) in order to reduce conflicts of interest. A number of issues had recently been identified by the organisation’s audit firm, resulting in a substantially expanded audit and a dramatic increase in the auditor’s fees.
Having failed its audit twice in a row, the organisation did not wish to repeat the same mistakes, and it was agreed that a process was needed to manage SAP business roles so that they contained no conflicts of interest. In addition, a process was required to prevent the IT support organisation from having standing elevated access to the production environment 24/7, as had previously been the case.
The organisation was already working with a Security Architect from Turnkey Consulting to design business roles for the SAP implementation. At this point, Turnkey recommended SAP GRC to help keep the business roles conflict-free and to introduce a governance process, so that any change to a role would be assessed for SoD conflicts on an ongoing basis rather than only at audit time.
Marek Prachar, Information Services Manager, says “We had confidence in Turnkey Consulting because we were already using them in a security role. It was a natural progression to use Turnkey Consulting to help us with the SoD issue that we were experiencing and the elevated access of support staff within the production environment, including SAP staff. This was a particular issue that the auditors had picked up on.”
Turnkey Consulting presented the Access Risk Analysis and Emergency Access Management modules to the team, together with estimated costings and timings. Prachar comments “The cost to implement was pretty much in line with the audit fees that we were facing if we did not fix the situation. So it was a question of do this once, versus year-on-year of escalating audit fees.”
The long-term objective was for the auditors to accept the business roles and the governance process built within the SAP GRC solution, with both founded on the checks and recommendations the auditors themselves had made.
The company appointed a project manager to work with Turnkey Consulting, with Turnkey driving the implementation. In addition, two members of the team were allocated to help run the business user workshops, where the governance process was explained, and to ensure that roles were cleaned up without any major impact on business operations. The workshops also helped users to understand the risks related to their business area and that sign-off would be required on the changes being made.
Prachar expands “The workshops ran very smoothly, considering we were changing access for business users and there was an impact on the way they worked.” Up to 600 users were affected across the organisation, mainly in the back office, finance and support teams.
The project approach proved successful. It was divided into two parts. The first was the implementation of the Emergency Access Management module, mainly for BIS support staff: once the parameters were established, it was implemented within two months, successfully tested internally and rolled out. Second, the business users were engaged to review and redesign the business roles.
In addition, the GRC implementation highlighted that there was no internal controls framework, which is needed in order to define and assign mitigating controls for access risk. As a result of the implementation, an internal controls framework was established and adopted.
Prachar adds “From my own point of view the implementation was very quick and without any major hiccups or noise from the business users. Rapid deployment occurred thanks to the SAP GRC expertise of Turnkey Consulting in combination with our resources that enabled us to implement the project within a matter of weeks. It was one of the few projects that finished on time and within budget.”
Elevated access where required: the organisation now has an auditable process for granting time-limited elevated access to its support staff, in line with the new governance process.
Prior to the project implementation, staff did not have a clear view of how SAP GRC would fit within the audit landscape, and the company went through a steep learning curve in order to get everyone on the same page.
Prachar summarises “Previously every time somebody mentioned audit, it was a very stressful and time consuming period. There were always things that were coming out of the woodwork. Now it is turning into a non-event, and I no longer have to waste my time going through meetings sorting out issues. Once we had designed the roles and put processes and systems in place to keep them clean, it is now very rare that we have an issue or a conflict. That is the biggest benefit.”
Prachar concludes “One of the reasons we chose Turnkey to implement GRC was that they successfully supported us in the past. They had helped to implement SAP Identity Management and a SAP Business Role concept that enabled us to provision the roles throughout the SAP landscape, but unfortunately these technologies could not help us to maintain the control and consistency of the design over time as changes were introduced to the original design. That’s where SAP GRC comes in.”
He adds “Turnkey is a professional, efficient and trustworthy organisation. They were always trying to help us as we went through this process with the security architect, and all the pain was shared.” Finally, the company was very pleased with the rapid deployment of the project, which was completed within six months from initial discussions to project closure.