Success Story

Implementing SAP Security and Controls on a global scale

Turnkey Consulting's client is a global group of energy and petrochemical companies. As one of the most profitable organisations in the world, they employed around 102,000 employees across 100 countries and territories. 

“There are many companies that could make our system sing, but Turnkey Consulting could also work out what tune we needed to play.”

— Arthur Williamson, Lead

Challenge

“Although the company had nearly 100 separate implementations of SAP to support different businesses in different countries, we realised we needed a single global HR system,” says Arthur Williamson, Lead Programme Manager. Although the group had a lot of SAP skills internally, they found that none of their suppliers could provide competent people in all the areas needed. This was particularly prevalent in the controls and authorisations area. “We had to rely on word of mouth, and this is how we identified Turnkey Consulting,” continues Williamson. “Really good authorisations consultants are rare, and it was refreshing to find an organisation that could support our global HR implementation.”

In particular, the challenge was to manage what an employee or supervisor can do or see (a hierarchical view) alongside what an administrator can see or do. Everything is controlled by the role and, to further complicate this situation, the role of administration also exists. These are individuals who execute processes for large groups of people such as running a payroll or executing the holiday leave process. “As well as being employees, these administrators can also be supervisors. Conceptually this was technically difficult to make happen,” explains Williamson.

This complexity is further compounded by the need to take into account data privacy rules for each country. Although there are standards in place, there are always exceptions to the rule, and these needed to be dealt with in SAP.

Solution

Turnkey’s client needed people at the peak of their technical expertise, who could understand the processes, navigate the politics and appreciate the legislative challenges of working in a global environment. Williamson goes on to say, “We turned to Turnkey in 2005 to work with our project teams, advising on the impact of the design choices being made around privacy and access control.”

Turnkey was also asked to design the organisational hierarchy within the system, and assign the different scenarios needed to execute different transactions and access different populations. While really understanding how the organisation and process design needed to work, Turnkey also supported the change managers and business stakeholders, providing the information needed to configure the system correctly.

Global compliance 

Turnkey used their in-house rule set and quick start accelerators to help Sodexo get the basic system in place quickly, with the system going live in under 3 months. The foundation rule set provided a platform to build on, making it a much quicker approach than having to build the rule set from nothing.

Sodexo has now implemented SAP GRC Access Control including emergency access and risk analysis. They are moving onto remediation projects, and will then implement the automated workflow provisioning.

Emergency Access

Turnkey ensured the systems were compliant with data privacy requirements across all countries, while ensuring users had the right access to the system. “For example Turnkey ensured the correct Segregation of Duties (SoD) were in place to support our payroll, so people running payrolls couldn’t change bank details, and people who change bank details, couldn’t run payrolls,” explains Williamson. Turnkey built SAP roles and groups of SAP access to support the business operationally, whilst managing SoD risk, and supporting internal controls. This included the configuration of SoD monitoring tools to ensure this was enforced.

Williamson emphasises the overall problem solving element of the task in hand. “It is a lot more than a technical activity. It’s problem definition, solution design and change management combined in one, and Turnkey ensured their expertise was leveraged.” It was a major exercise to configure the system. With thousands of roles, Turnkey needed to think how to rationalise and maintain the huge amount of configuration data.

Global template

During the HR rollout, Turnkey was instrumental in defining a “cookie cutter” approach. Instead of each country being treated independently, they aligned the security rollout with the overall global rollout. “Turnkey ensured each country adopted the standard methodology, with accelerators to help speed up the process,” says Williamson. “By running a workshop with each country, everyone understood the template, what was expected of them and the choices they needed to make.” By the end of the workshop, they would know who should be mapped to each role.

Ongoing projects

Following the core HR rollout, Turnkey was engaged in the upgrade programme, ensuring all aspects of security were successfully upgraded to SAP ECC6. This included the SAP access roles and new functionality, as well as scoping and defining the new roles needed and upgrading the global data privacy requirements. Their credibility has meant Turnkey has been engaged in a number of security streams across the organisation. “We trust Turnkey, and have been more than happy for them to take accountability and ownership for these series of steps in the process. They have certainly earned the increased responsibility,” highlights Williamson.

Benefits 

  • Global scale: From the outset, Turnkey has defined the global security and access requirements instilling confidence in the overall implementation. “With such a huge undertaking, Turnkey has understood our SoD requirements and has helped define our roles across the globe,” says Williamson.
  • Problem solvers: Turnkey provides the brainpower behind the complexity. “They approach technical challenges in a different way to other organisations, and come up with really pragmatic solutions,” says Williamson.
  • Customer focus: Turnkey understands their customer and values the relationship. “With a focus on delivery and quality and the intimacy they have with our business, it positions them ahead of other partners,” highlights Williamson. “They always advise on the right route, despite the consequences for their own organisation.”
  • Total confidence: With millions and millions of dollars processed on a regular basis, the organisation needed confidence in their security solution. “Turnkey ensured we had the right access privileges and control mechanisms in place across the world,” says Williamson.
  • Control foundations: Without Turnkey’s solution, the organisation would have had a significant number of control failures and incidents. Individuals would have had access and visibility of information they shouldn’t have had.
  • Audit friendly: Through experience, Turnkey has maintained a regular view on what auditors are looking for, and not just what their customers’ policies require. With their expertise in governance, risk and compliance, they have ensured the necessary controls are in place and the audit reports are available.
  • Data privacy: “With a unified template, it was easy to see the value Turnkey brought to the implementation, responding to our data privacy requirements globally,” says Williamson.

Summary

“We are happy to outsource the basic administrative tasks of our system, but as soon as we hit anything difficult in our roles and authorisations, we immediately turn to Turnkey,” explains Williamson. “If it’s not routine, you need the next level of expertise.”

Williamson concludes, “Their priority is always our best interests. Turnkey is a very honourable consultancy ensuring we get value for money at every step. As experts in the field of authorisations and controls, I take pleasure in recommending them.”