Navigating Security and GRC Optimisation during an SAP S/4HANA Conversion Client Snapshot Profile This midstream service provider helps deliver essential energy and inputs and is focused on ensuring the reliability and performance of its systems, creating sustainable cost efficiencies, enhancing its safety culture and protecting the environment. Situation This client was embarking on an SAP upgrade to enhance business processes and improve data visibility. This involved replacing a highly customised SAP R/3 environment with a new SAP S/4HANA environment designed specifically for a midstream business. Work Performed Protiviti had four areas of focus within the SAP transformation project: redesigning roles in SAP S/4HANA and Fiori, implementing security for Success Factors, Ariba, and Business Warehouse, implementing GRC Access Control, and conducting an S/4HANA Automated Controls assessment. Outcome/Benefits The client now has aligned SAP production security roles to a leading practice design, reducing Segregation of Duties (SoD) conflicts by 99% at the single role level. An enhanced SoD ruleset and implemented automated user provisioning process with preventive SoD checks built-in is also now in place. Staying ahead of the curve is critical for any business to succeed, but particularly in the oil and gas industry, where rapidly changing market factors can quickly alter an organisation’s course. As this company launched an organisation-wide business transformation, its leadership team determined the time was right to upgrade their SAP platform, an evolution that would streamline business processes and improve data visibility to enable better business decisions.The client was looking for a partner to support the security and controls aspects of replacing its highly customised SAP R/3 environment, designed and implemented for an integrated oil company, with a new SAP environment, now designed specifically for this midstream business. A comprehensive approach to security and controlsFollowing our initial consultations with the client’s leadership team, it was determined we would support four key areas to provide the appropriate level of focus on security and controls:S/4HANA and Fiori security designSuccessFactors, Ariba and Business Warehouse security designGRC Access Control implementationS/4HANA Automated Controls assessmentS/4HANA and Fiori security designThe S/4HANA and Fiori security design included designing end-user production access roles for all business processes in scope for the organisation-wide transformation project. The objectives of the S/4HANA and Fiori Security Design included:Designing and implementing new end-user security roles in S/4HANA and Fiori to support production security access at go-live as well as future access needsEnabling a least privilege access approach, reducing excessive access and restricting sensitive accessMinimising Segregation of Duties (SOD) conflicts Streamlining the alignment of roles to the organisationTo accomplish these objectives, we analysed transaction code and Fiori app requirements provided by functional teams, extracted legacy ECC usage data as an additional reference and created a preliminary task role design based on best practice templates. We conducted design workshops with all business process teams to review, including data restrictions and business role requirements.SuccessFactors, Ariba and Business Warehouse security designThe objectives of this security design included:Designing and implementing new end-user security roles and groups in SuccessFactors and Ariba to support production security access at go-live and future access needsDesigning and replicating task-based Business Warehouse roles for in-scope transactions and reports and incorporating those into the appropriate business rolesEnabling a least privilege access approach, reducing excessive access and restricting sensitive accessFor SuccessFactors, we designed and configured role-based permissions according to the security requirements for Employee Central and onboarding functionality and created source and target groups to control access to specific data and populations. For Ariba, the business roles and groups were designed and built to meet security requirements and to reflect feedback from design workshops. User-to-group and user-to-business role mapping was also a step in this process. For Business Warehouse, we replicated and adjusted existing end-user production roles in the upgraded environment, performed technical upgrade steps and incorporated changes into the replicated roles and dynamic data restrictions into those roles.GRC Access Control implementationThe GRC Access Control implementation consisted of configuring, testing, and implementing GRC Access Control 12.0 as an embedded component on the S/4HANA stack. This included:Designing and implementing Access Risk Analysis, Emergency Access Management (Firefighter), Access Request Management and User Access Review functionalityDesigning a customised, leading-practice SOD ruleset which included custom transactions, Fiori apps and new S/4 transactions with signoffs from business ownersConfiguring business roles through business role management to simplify the user provisioning processBuilding HR trigger integration through SuccessFactors to automate birthright provisioning and user terminationsBuilding a custom programme to populate personnel numbers in user master records to enhance the time entry user experience The client needed to replace its highly customised SAP R/3 environment with a new SAP environment, designed specifically for this midstream business. S/4HANA automated controls assessmentThe S/4HANA automated controls assessment included discovery and planning, focused on creating a preliminary list of leading practices and high-criticality S/4HANA controls. This was followed by several rounds of configuration validation in SAP and Ariba to ensure the internal controls were effectively implemented through the implementation lifecycle. Throughout each transformation phase, we performed benchmarking of system configurations against best practices to maximise automated controls implementation. Lessons learned throughout the transformationThroughout each engagement, we regularly meet with the client to determine the key lessons learned. For this client, our learnings focused on ensuring compliance issues were addressed and a sustainable controls environment was established, including some of the following considerations: Incorporate the security workstream early in the project so it is considered in functional design decisionsStress the importance of stakeholder involvement and engagement in design discussionsMinimise the acceptance of design changes past the design phase to prevent re-work that may cause delays in later phasesConsider all integration points and dependencies when designing the user access provisioning processEnsure contractual requirements for the system integrator to include your control requirements in the configuration and allocate time in the project plan to make the changes Topics Risk Management and Regulatory Compliance Technology Enablement We recommend these resources Pro Document Consent Securing the Production Revenue Accounting and Joint Venture Accounting Modules in S/4HANA: Essentials for Upstream Oil and Gas The upstream oil and gas industry is characterised by complex operations and significant financial transactions. SAP S/4HANA supports these operations through its specialised modules: Production Revenue Accounting (PRA) and Joint Venture Accounting (JVA). Pro Document Stack Oil, Gas & Mining We are deeply embedded in the Oil & Gas and Mining business. Our global industry team is geographically dispersed in the key O&G and Mining business centers around the world, which enables constant contact with the major players in the industry.