Five Common Problems with GRC Solutions for SAP
May 6, 2021
Compliance processes shouldn’t involve a lot of stress or resources. You set a policy, put some controls in place, and get on with the business of running your company until the next review – right?
Unfortunately, things don’t always go that smoothly when it comes to SAP governance, risk management and compliance (GRC). If you’re relying on manual processes or using the wrong solution, you may be sinking tons of time and money into IT security administration processes and compliance reporting – only to end up with a poor audit regardless.
All that hassle can make GRC for SAP seem like an unwinnable battle. But it’s not. With the right tools, team and approach, you can automate audit readiness, save money and improve productivity. Doing so requires an honest assessment of the problems you’re facing before you consider a solution. Here are five common SAP GRC problems, along with ways to solve them.
1. Your GRC Software Doesn’t Live up to Your Expectations
With some GRC software solutions for SAP, many companies never achieve a base level of functionality. From the beginning, it’s broken – the software might work with some applications but not others, or only meet the needs of certain stakeholders. It might be able to detect segregation of duties (SoD) conflicts in SAP GUI but not Fiori, or it might just lack important functionality.
The first step in addressing this problem is resetting expectations. GRC software for SAP is supposed to be enterprise-grade. It shouldn’t have gaps or glitches that require endless tinkering or elaborate workarounds – it should solve your problems.
Sit down with your compliance team or bring in a GRC consulting partner. Think about questions like: How is our current GRC solution falling short? What effect is it having on audit results? What extra work is it creating internally? And what would it take for an SAP GRC solution to meet all our needs?
2. You’re Struggling with Consistently Poor SAP Audit Findings
All too often, a poor audit – or several of them – is what forces a company to face how broken its GRC processes and software are. Organizations often find themselves in a cycle of poor audits and unsuccessful remediation, wasting money and resources while maintaining an unacceptable level of legal risk. In some cases, trying to fix the problem only makes it worse, and by the time companies start shopping for a new GRC solution, things are nearing a breaking point.
That was the situation a leading manufacturing company and supplier of premium building materials found itself in when it first approached NTT Managed Services. The company had already invested in trying to address negative auditor findings, but remediation efforts had failed – and efforts at manual remediation actually made the situation worse.
It turned out to be much easier to implement something new. With ControlPanelGRC – implemented in just one week – the company completed its entire remediation project in under four months. Benefits included:
- 80% lower security consulting costs
- 75% reduction in annual SAP security administration costs
- 50% lower external audit costs
3. Your GRC Software Solution for SAP Produces Unusable Output
GRC solutions for SAP should produce output that supports the needs of a range of stakeholders. Business users must have clear, navigable tools that allow them to self-assess; technical users need to be able to get into the nuts and bolts; and auditors need comprehensive reporting that enables both a high-level view and detailed analysis.
Unfortunately, many GRC software products have poor usability and spit out incomprehensible streams of data. Not only does this make it more time-consuming and costly to run an effective GRC program, but it also severely reduces visibility – increasing the risks of undetected SoD conflicts and other issues.
To fix this problem, you need to prioritize usability in your GRC software for SAP. You should have a range of stakeholders involved in the purchase decision so that you can verify your solution will work for everyone before you commit. Make sure your vendor can answer all stakeholders’ questions, and demonstrate excellent ease of use and visibility.
4. You Lack GRC Automation
When you need to send a message to a coworker, do you run and post a sticky note on their door? When you’re holding a meeting, do you have everyone send you a letter to confirm they’re coming? Of course not. It’s much more efficient to email, text or use a messaging app.
But for governance, risk management and compliance for SAP, many companies are still doing things the “old” and manual way. They hound co-workers to chase down missing signatures. They print emails and records to report to auditors. They pore through thousands of pages of report data by hand, instead of using the computer to automatically screen for GRC issues.
This isn’t only hugely wasteful and inefficient – it’s also risky. Computers are very good at sorting through mounds of data and flagging potential problems, but people aren’t. In addition, computers can scan for SoD conflicts in real time, while document-centric GRC departments often go six months without checking – and then only review a fragment of the data.
Pervasive compliance automation is a must. Your GRC automation tool should monitor your system in real time and flag potential conflicts for review as soon as they’re detected. It should run reports, route them for review and document approvals, so you don’t have to chase signatures down. That way, when it’s time for your SAP audit, you won’t have to scramble to collect documents – everything will be ready for your auditor to review.
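To make the automated screening described above concrete, here is a small segregation-of-duties (SoD) scanner. It is an added illustration written for this article, not ControlPanelGRC or any vendor’s code. The role names, the mapping of roles to business functions, the conflict rules and the user assignments are all constructed sample data; a real deployment would read them from an access-review export and a maintained SoD ruleset. It shows two checks a GRC tool automates: a detective sweep over all current users (including conflicts that live inside a single role) and a preventive check that flags a proposed role assignment before it is provisioned.

```python
"""Minimal segregation-of-duties (SoD) conflict scanner.

Added illustration for this article, not any vendor's code. All names and
assignments below are constructed sample data.
"""
from collections import defaultdict

# Constructed SoD rules: pairs of business functions one person should not
# be able to perform alone. Function names are hypothetical.
SOD_RULES = [
    ("CREATE_VENDOR", "POST_VENDOR_PAYMENT"),
    ("CREATE_PURCHASE_ORDER", "APPROVE_PURCHASE_ORDER"),
    ("MAINTAIN_USER", "ASSIGN_ROLE"),
]

# Constructed mapping from SAP-style role names to the functions they grant.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "Z_AP_PAYMENTS": {"POST_VENDOR_PAYMENT"},
    "Z_PURCHASER": {"CREATE_PURCHASE_ORDER"},
    "Z_PURCHASE_APPROVER": {"APPROVE_PURCHASE_ORDER"},
    # Deliberately conflicting on its own: an intra-role SoD violation.
    "Z_SECURITY_ADMIN": {"MAINTAIN_USER", "ASSIGN_ROLE"},
}

# Constructed user-to-role assignments, as an access-review export would list.
USER_ROLES = {
    "JSMITH": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "MJONES": ["Z_PURCHASER"],
    "ALEE": ["Z_PURCHASE_APPROVER", "Z_PURCHASER"],
    "BADMIN": ["Z_SECURITY_ADMIN"],
}


def functions_for_user(roles, role_functions):
    """Map each business function the user can perform to the roles granting it."""
    granted = defaultdict(set)
    for role in roles:
        for fn in role_functions.get(role, ()):
            granted[fn].add(role)
    return granted


def find_sod_conflicts(user_roles, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Detective sweep: return (user, func_a, func_b, roles_a, roles_b) for every
    user who can perform both halves of a conflicting pair."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        granted = functions_for_user(roles, role_functions)
        for fa, fb in rules:
            if fa in granted and fb in granted:
                findings.append((user, fa, fb, sorted(granted[fa]), sorted(granted[fb])))
    return findings


def simulate_assignment(user, new_role, user_roles,
                        role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Preventive check: conflicts that adding new_role would newly create for
    the user, so a provisioning request can be routed for review first."""
    existing = user_roles.get(user, [])
    before = {(u, a, b) for u, a, b, _, _ in
              find_sod_conflicts({user: existing}, role_functions, rules)}
    after = find_sod_conflicts({user: existing + [new_role]}, role_functions, rules)
    return [f for f in after if (f[0], f[1], f[2]) not in before]


if __name__ == "__main__":
    for user, fa, fb, ra, rb in find_sod_conflicts(USER_ROLES):
        print(f"{user}: {fa} via {ra} conflicts with {fb} via {rb}")
    # Preventive check on a hypothetical request before it is provisioned.
    for f in simulate_assignment("MJONES", "Z_PURCHASE_APPROVER", USER_ROLES):
        print("would create:", f)
```

Three users are flagged in the sweep: JSMITH and ALEE through role combinations, and BADMIN through a single role that bundles both halves of a conflict, which is the case a pure role-pair review misses. The preventive check reports that granting Z_PURCHASE_APPROVER to MJONES would create a new conflict, while granting Z_AP_PAYMENTS would not.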
5. You Lack Sufficient GRC Vendor Support
If your GRC program for SAP is broken and always has been, it’s hard to know in advance what it will take to fix it. Experts can help. You need a vendor who is focused on your success, and can provide you as much (or as little) support as you need.
Look for a vendor who provides comprehensive managed SAP compliance and security services, in addition to GRC software. At NTT Managed Services, we’re committed to providing a solution tailored to your needs. Whether you want a completely managed GRC solution, or just someone to set up the software and provide occasional technical assistance, we’re here for you.
Do you want to learn if ControlPanelGRC is right for your business? Request a free risk assessment today.
Scott Goolik is the vice president of SAP security and compliance at the Managed Services division of NTT Ltd., Americas.