Success Story

Setting global GRC standards

Turnkey Consulting’s client is one of the world’s largest consumer products organisations, with leading brands spanning nutrition, hygiene and personal care. Employing around 180,000 people, its products now lead the markets in over 24 different nations.

“Turnkey Consulting is a real expert in SAP security. With little guidance, they over-delivered on the brief. They not only delivered the policies required, but also delivered really useful step-by-step implementation guides.”

— Warren Burns, Global Technology Risk Manager

Challenge

To ensure continued success across the world, the company relies on the standardised, flexible functionality of its SAP® ERP application. It is a product that supports the company’s total commitment to exceptional standards of performance and productivity in everything it does. However, with such a large global rollout, the organisation was particularly keen to ensure the application was closely controlled across the entire implementation.

With overall responsibility for SAP security, Warren Burns, the Global Technology Risk Manager explains, “We were keen to ensure that any possible fraudulent activities were identified and dealt with, and the segregation of duty conflicts managed effectively.”

After a secondment to the Far East, focused on roles and authorisation methodologies, Burns spent time collating the relevant project documentation, and brought it back to the UK with the intention of turning it into a more formal company policy and methodology. “This would formalise the way we approached this problem going forward,” continues Burns. “We wanted to publish a process and ensure it was fully signed off. It needed to become the standard that future SAP implementations could follow in the same way.”


Initial engagement

Following an introduction at an SAP conference in America, Burns identified Turnkey Consulting as the organisation with the specialist skills needed to help him with his SAP security requirements. “We engaged with Turnkey to help set our standards and policies around Governance, Risk and Compliance (GRC),” says Burns. “We needed it produced to a sufficient level of detail for the different implementation teams to use around the world.” Turnkey was asked to work on two different projects: the SAP Access Controls Framework and setting SAP Security Role Design Standards.

SAP Access Controls Framework

Turnkey’s involvement ensured a high standard and consistency from all partners responsible for implementing the SAP Access Controls Framework across the organisation.

This component focused on the process around deploying SAP GRC Access Controls to support User Provisioning, Emergency Access Management and Segregation of Duties Monitoring. Turnkey delivered the framework, the templates and the methodology to ensure clarity across the following three areas:

Risk Analysis & Remediation. Turnkey defined an implementation framework that used examples of Unilever best practice and enhanced those practices with detailed work instructions and a comprehensive governance process. “Problems could occur if, for example, someone with one role can raise a purchase order, create a vendor and pay a purchase order. A combination of these types of access could enable someone to defraud an organisation.” The identification and automation of risks pertinent to Unilever’s business processes has improved the productivity of the Risk Managers.

Superuser Privilege Management. Turnkey helped define how emergency access should be used to support the business. Burns goes on to say, “When you’ve gone live with newly defined roles, quite often an individual needs riskier access to solve an issue. This tool makes it possible to assign a user with very high levels of access.” Because the emergency access is strictly monitored and documented, someone can be cleared fast. Burns adds, “It’s used in the intensive care process straight after go-live, providing a good litmus test to see how few issues there are.”

Compliant User Provisioning. User administration is a costly part of business operations for many companies running ERP systems. This tool automates the user administration activities while enforcing risk-based approval workflows and Segregation of Duties checks. Using the SAP tool suite and the client’s Operations Controls Catalogue, Turnkey supported its client in implementing SAP GRC Access Controls. Following the successful Asian implementation, this framework has been rolled out to North America and across Europe as a global standard. “It is a set of baseline standards by which they can measure each of their SAP systems,” highlights Burns.

SAP Security Role Design Standards

Turnkey was also engaged to define the standards and development methodology for role design within the client’s SAP environments. It was necessary to work closely with business process and control owners to define the scope of user access and the most effective way to meet functional and control requirements. Burns continues, “With this detailed set of roles, it pays dividends when it comes to testing, as it causes fewer issues, and therefore less resource.” The different regions were encouraged to document their processes in as much detail as possible, ensuring they achieved these benefits.

Turnkey Consulting defined and documented the processes from each region. This included how to build roles, what documentation was required and the level of process detail needed. “Turnkey defined the processes right down to the transaction level, emphasising the importance of identifying risks associated with the segregation of duties as an early part of the design,” says Burns. “It’s something that needs to be thought about from the outset.” Using the high-level documentation available and the existing data in place, Turnkey defined the global standards that are now adhered to across the organisation. “The challenge was to provide security consultant guidelines, whilst having enough flexibility for each project to interpret in their own way,” says Burns.
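The segregation-of-duties check described in the Risk Analysis & Remediation section (one identity able to create a vendor, raise a purchase order and pay it) and the design-time check Burns asks for above can both be expressed as a rule set over transaction codes. The following is an added illustration, not Turnkey’s or SAP GRC’s code: the function mapping, risk IDs, roles and users are constructed sample data, and the transaction codes are common SAP transactions used only as sample values.

```python
"""Segregation-of-duties (SoD) risk analysis over SAP-style role assignments.

Constructed example: functions, risk rules, roles and users are illustrative
sample data, not Unilever's or SAP GRC's real ruleset.
"""

# Business function -> transaction codes granting it. The codes are common
# SAP transactions used here only as sample values.
FUNCTIONS = {
    "CREATE_VENDOR": {"FK01", "XK01"},
    "CREATE_PO": {"ME21N"},
    "PAY_VENDOR": {"F110"},
}

# Risk ID -> functions that must never be held together by one identity.
RISKS = {
    "P001": {"CREATE_VENDOR", "PAY_VENDOR"},               # create vendor, pay it
    "P002": {"CREATE_PO", "PAY_VENDOR"},                   # raise PO, settle it
    "P003": {"CREATE_VENDOR", "CREATE_PO", "PAY_VENDOR"},  # full purchase-to-pay
}

def functions_granted(tcodes):
    """Business functions enabled by a set of transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def risks_for(tcodes):
    """Sorted risk IDs whose every function is granted by tcodes."""
    held = functions_granted(tcodes)
    return sorted(rid for rid, funcs in RISKS.items() if funcs <= held)

def analyze_role(role, role_tcodes):
    """Design-time check: a single role that conflicts by itself."""
    return risks_for(role_tcodes.get(role, set()))

def analyze_user(user, user_roles, role_tcodes):
    """Provisioning-time check: conflicts arising from a user's combined roles."""
    tcodes = set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, [])))
    return risks_for(tcodes)

# Constructed sample roles and assignments.
ROLE_TCODES = {
    "Z_PURCHASING": {"ME21N", "ME23N"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_FINANCE_ALL": {"FK01", "ME21N", "F110"},  # conflicting by design
}
USER_ROLES = {
    "alice": ["Z_PURCHASING"],
    "bob": ["Z_PURCHASING", "Z_AP_PAYMENTS"],  # clean roles, risky combination
    "carol": ["Z_FINANCE_ALL"],
}
```

Running the role-level check during design catches `Z_FINANCE_ALL` before it is ever assigned, while the user-level check is what catches `bob`, whose individual roles are clean but whose combination violates P002.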

Benefits

  • Frameworks are enforced: “The Access Control Framework has been fully documented as an implementation guide,” says Burns. “It is very clear, ensuring the implementation teams know exactly what is expected of them.” With 26 go-lives ongoing over a 5-year period, it really has made the SAP rollout much easier.
  • Reduced testing needed: Across the organisation, roles have been clearly defined, thereby reducing the amount of testing that needs to be done, and making each “Go Live” a less stressful process.
  • Role design standards: With clearly documented business processes and associated roles, the “Go Lives” across each country were much easier, and the ongoing maintenance is now lower.
  • Efficient risk control: With automated controls in place, controlling risk has become cheaper and more efficient, with minimal need for manual input.
  • Best practice: Turnkey’s client now has leading-edge security standards in place. GRC has been rolled out globally, and Turnkey has captured implementation best practice and put it into a “cookie-cutter” methodology for each subsequent implementation.

Turnkey was engaged to set the standards and policies around the implementation of SAP Security and GRC Access Controls to a sufficient level of detail for the SAP implementation teams to use. Recognising the added value of supporting these teams without the overhead of interpreting the policies themselves, Burns says, “Turnkey Consulting is a real expert in SAP security. With little guidance, they over-delivered on the brief. They not only delivered the policies required, but also delivered really useful step-by-step implementation guides.” The project teams could follow these guides at the same time as reading and understanding the company policy. These policies, processes and associated documentation are now all part of the global ERP implementation toolkit that is given to each new SAP project.

Confident in Turnkey’s abilities, Burns concludes, “I would definitely recommend Turnkey Consulting to other organisations. It is a small business that punches above its weight.”