The 2018 GRC and Finance SAP Insider Conferences took place in mid-February in Las Vegas. Our SAP teams spent time attending conference sessions, and their observations on what’s trending across the industry are compiled here in a five-part series.
In part 2, we summarize the key SAP S/4HANA implementation considerations discussed at the conference. During this year’s GRC conference, there was a noticeable uptick in companies interested in learning about the journey to S/4HANA – how to fast-track the implementation, lessons learned from early adopters and how to increase user adoption. With support for SAP ERP Central Component (ECC) inevitably winding down, companies are looking to get educated on this transition so they can proactively avoid the common implementation pitfalls (like going live with half the organization assigned “SAP_ALLmost”).
If you are like many of the attendees looking to learn more about the journey, here are a few considerations that resonated during the week:
- This is a business transformation project: The road to S/4HANA should be viewed as an opportunity for business transformation, fixing or improving poorly designed business processes. Rather than treat this as a technical project (“lift and shift”), take advantage of the new functionality and optimize or standardize existing processes. Take a step back and look at current processes and procedures to identify how they can be improved – and make that change. For example, is your organization decentralized in a certain process like accounts payable? It may make sense to centralize and standardize the invoicing and payables functions.
- Security is more complex: S/4HANA’s security architecture is very different from the traditional ECC environment. Rather than just one level of security at the application layer, we now have considerations at three different layers: 1) SAP Fiori®, 2) S/4HANA – application layer, and 3) HANA database. While each organization’s implementation roadmap will dictate how much impact this new architecture will have, it is definitely a decision point early on in the planning phase (e.g., will you grant access to your system through Fiori apps for a better user experience?).
- An additional point about security is that even if an organization decides against using Fiori and assigning end users access to the HANA DB, it is still not a simple “lift and shift” of security. There are both new and obsolete transactions and authorization objects to account for at the application layer.
- This is the time to automate configuration controls: Similar to the business transformation point above, this is an opportunity to identify and implement automated (configurable) controls within your business processes. These are a few examples of questions to ask the implementation teams as they make configuration decisions during the design process:
  - Is there a purchase order-to-invoice tolerance limit that can be set to ensure there are no large variances, eliminating the need for certain manual reconciliations?
  - How about configuring the criteria for SAP to identify a potential duplicate business partner – such as the name, address, and phone number fields?
These are two of the hundreds (over 400!) of control points that can be turned on/off during the implementation process. Designing these upfront will save time and re-implementation efforts later on. Not only can these decisions automate manual controls that take hours to perform, but they also help ensure the system is controlled and compliant, which is one way to keep the auditors at bay and potentially save on costs.
- Updating your Application Security monitoring – SAP Access Control (AC): Many organizations have already implemented this continuous controls monitoring tool. Whether you have or haven’t, don’t leave GRC behind. It is important for companies to be on a support pack level that is compatible with S/4HANA, Fiori, and HANA DB. You’ll want to make sure AC is connected to your future SAP landscape. More importantly, remember there are new transactions and Fiori apps that will need to be incorporated into the Access Risk Analysis risk ruleset to ensure the appropriate risks are captured within your organization.
These are just some of the key considerations discussed at the GRC/Financials conferences this year. While many organizations are both excited and apprehensive about starting this journey, it is clear there is much to consider and it is best to start that discussion now. Remember that old saying, proper planning prevents poor performance (or in this case, a go-live where sales orders cannot ship out the door and end users are assigned “SAP_ALLmost”).