Mastering Compliance and Efficiency with SAP GRC Access and Process Control

This company is a world leader in various consumer domains. Over the past several years, major merger and acquisition activity helped this client significantly grow its business. As a result, SOX systems increased from four to 20 SAP landscapes and its employee base nearly doubled, growing from 13,600 to 24,600.  

Disparate systems, upgrades and end-of-life

This rapid growth resulted in the client’s Director of Information Security Architecture engaging Protiviti to help get the company to one GRC system. In addition to standing up a new GRC environment, the company wanted to enhance access control functionality and enable process control capabilities across the new, larger corporate network.

As the work began, several challenges were identified including systems nearing end-of-life support, GRC ruleset upgrades needed, moving from acquired legacy to new systems, streamlining tools for SAP access, and more.  

The project’s steering committee included the company’s CIO, CISO and representatives from the company’s infrastructure, helping ensure all impacted end users and their leaders would be aware of impending upgrades and changes.

Implementing a new GRC system

SAP’s GRC 12.0 platform formed the foundation of the client’s new system.  The overall objective was to design and implement SAP GRC 12.0 to replace two end-of-life SAP GRC 10.1 environments, with a project scope that included access risk analysis, emergency access management, access request management and user access review (UAR).

To address system compatibility between SAP GRC and SAP S/4HANA, the team focused on bringing these various elements, previously housed separately, together in the new platform:

• Unifying governance environments within the platform, combining two GRC 10.1 environments into the GRC 12.0 environment. Benefits of this enhancement include simplified administration, reduced maintenance costs and an improved user experience in the unified governance framework.
• Standardizing and streamlining access governance processes, which had differed across the previous two SAP GRC 10.1 environments, into unified processes in the new 12.0 environment. This minimized risks, improved compliance and streamlined user access management, ensuring consistent governance practices across the company.
• Integrating the segregation of duties (SoD) and sensitive access rulesets into one consolidated ruleset enabling enhanced security and improved audit readiness.
• Building customization around access provisioning, user termination and search criteria to meet the client’s requirements for different user IDs for the same user within different SAP systems enhancing user experience and improving accuracy.
• Connecting 20 target systems from three different subsidiaries/acquisitions to enhance consistency and centralize control over the access management process.
• Connecting a new SAP CFIN system to GRC 12.0 and enhancing the SoD ruleset to incorporate SAP CFIN transactions to increase accuracy in identifying and mitigating SoD violations within CFIN transactions.

Enhance access control and enable process control functionality

With phase one completed, the team was then able to focus on enhancing access control functionality and enabling process control capabilities. There were eight critical milestones:  

First, the project team enhanced user provisioning workflow by mandating the inclusion of mitigated risks and enabling auto-population of RFD approvers to ensure permanent retention of those mitigated risks. Then, we enhanced ARM workflow by building a custom API-based rule, which directed requests for non-SOX systems to an alternate path where risk analysis was not mandatory. The SAP NetWeaver Business Client (NWBC) UAR experience was streamlined, eliminating extra steps; a custom Fiori UAR app was also implemented. Both improve customer experience and completion time for UAR reviews and tasks.

Consecutively, the team automated GRC backend user locking improving security measures, enhanced email notifications increasing readability, identified cross-system SoD conflicts reducing compliance violations and implemented transactional Fiori apps improving accessibility, responsiveness and user experience.  

To enable SAP Process Control features the team focused on two key areas including:

• Automating IT SOX controls with ABAP report sub-scenario – Leveraged standard SAP reports to automatically extract data from SAP environments and reduce time manually performing the tasks.
• Automating IT SOX controls with SoD integration sub-scenario - Leveraged existing GRC ruleset capability to add privileged access criteria and reduce time manually performing/testing IT SOX controls.

The client realized the following value enhancing access control and enabling process control capabilities.

• Enhancing EAM firefighter log review workflows to obtain additional information from users.
• Enhancing ARM user provisioning workflows to remove risk analysis for non-SOX systems and locking terminated users.
• Enhancing UAR through a custom Fiori app.  
• Implementing five transactional Fiori apps for GRC Access Control.
• Activating relevant automated monitoring sub-scenarios with connection to target environments.
• Configuring automated processes for nine IT controls and 56 business controls to be managed by control owners.

Lessons learned

This multi-year journey presented numerous learning opportunities for the client. Among the lessons learned the project leader shared with us are:

• Understanding the business’s pain points in advance of beginning any work is critical​.
• Emphasize the user experience early on to ensure user adoption and minimize pushback and impact to key SOX processes.
• Quickly reach alignment on technical dependencies to accelerate planning activities.​
• Ensure thorough testing is performed to uncover potential issues.​
• Train the user population and have recordings readily available for additional training reinforcement.

Impact by the Numbers: