Technology Insights HOME | Perspectives on Technology Trends

Technology Insights HOME

Perspectives on Technology Trends

Search

ARTICLE

4 mins to read

System Integrator or Security Specialist: Who Should Be Responsible for Implementing S/4HANA Security and Controls?

Mohammed Abdullahi

Senior Manager - Business Platform Transformation

Views
Larger Font
4 minutes to read

In the dynamic landscape of SAP S/4HANA implementations, the critical aspects of security, governance, risk and compliance (GRC) and controls demand meticulous attention. Transformation of business processes presents an opportunity to revamp the enterprise application security to stay compliant and secure, in effect satisfying the needs of the auditors and business stakeholders. IT leaders know that the fine balance of maintaining a secure, yet effective solution is not always easy to achieve, specifically due to ever-changing audit and regulatory compliance changes. There has never been a more critical time to ensure that systems are implemented with leading practices to safeguard the integrity and usability of the enterprise system.

Value driven and cost-effective solutions

As organizations look to embark on an SAP transformation journey, they have critical decisions to make, including which vendors to pick for the various components of their journey. Typically, cost is a significant driver of the decision-making process that determines which vendors are chosen. Specifically, within the realm of the SAP security, GRC and controls domains, the path of least resistance may be to go with the systems integrator (SI) that is helping to implement the solution. Although this may seem to be the “cost-effective” option, there may be many adverse implications to this approach. We have seen the most success when organizations select a partner that has experience in developing strategic SAP security and access governance initiatives that will help generate long-term value and cost savings. Features to look for when building a best-in-class security architecture include:

  • Scalable design for long-term cost savings: The project team should have purpose designed and scalable access model repositories that can fit the needs of complex organizations and their requirements. This scalable solution is essential as it can be adapted and extended throughout the lifetime of the enterprise application as the business undergoes further transformation which can be fueled by regulatory changes, organic growth, and mergers and acquisitions to name a few. This scalability not only ensures immediate savings but also translates into a lower total cost of ownership over the long term.
  • Mitigating audit findings for cost efficiency: As illustrated in another Protiviti blog, a specialized risk consulting partner should be uniquely positioned with capabilities that span internal audit all the way through technology implementations. This allows for project teams to design and deploy robust risk control frameworks as well as SAP security roles that have been vetted for segregation of duties (SoD) risks to ensure that only appropriate access is granted to users within a production environment. Risk mitigation within the security role architecture is baked into the baseline security role design and is validated through the build, test and deploy phases of a given implementation to ensure that only accepted risks are present within security roles. By addressing vulnerabilities early in the process, organizations can significantly reduce the fees associated with fixing audit findings. This not only leads to immediate cost savings but also establishes a foundation for ongoing compliance.
  • Enhanced productivity through streamlined access: A robust security and GRC access model extends beyond cost savings, as a well designed and built solution will also have an impact on the application’s user productivity. In a production environment, end-users should not have to spend valuable time submitting incidents or navigating access request forms for issues that stem from a poorly implemented security or GRC model. Ideally, the access that is deployed to end-users would be vetted for defects while ensuring the key security principles are adhered to maintain a compliant production environment. Through thorough requirement gathering workshops, as well as end-to-end security testing performed by business testers as part of user acceptance testing (UAT), issues will be documented and addressed proactively prior to deploying the solution to the end-users.

Value of independence

Independence should be a driver in the decision to identify the right partner for this journey. Typically, an SI is selling multiple services as part of the proposal, which is generally going to be billed on a fixed fee structure. This will have a major impact on how funds are allocated for the work at hand, which will mean that domains such as security, GRC and controls may not be the top priority of the SI as the end goal is stand up a functioning system (rather than a security and controls compliant environment).

An independent security, GRC and controls team provides an unbiased perspective on the organization’s SAP requirements, ensuring optimal outcomes. Through collaborative discussions, solutions are explored to address issues and enhance organizational value. This impartiality ensures the right approach is maintained, effectively keeping SIs honest throughout the planning, design, build, test and deployment phases. Additionally, collaboration with internal controls and access governance teams guarantees timely reporting of security and compliance status, with swift issue escalation for effective project governance. Overall outcomes will be tracked and reported with the respective project management office (PMO) to ensure program level outcomes are also being achieved.

Subject matter experts (SMEs) that have deep knowledge of SAP security, GRC and controls will enable deeper level discussions, allowing for the best possible decisions to be made regarding complex scenarios.

How Protiviti can help

As a Gold Partner and 7-time partner of the year, we help clients execute their S/4HANA journey by providing digital transformation and intelligent automation solutions across business processes, analytics, cloud, security, compliance, and managed services.

We deliver a range of SAP consulting services including comprehensive solutions that addresses the security, GRC and compliance requirements of organizations of all sizes. We bring strong methodologies and an array of accelerators that aid in the implementation of scalable security and GRC access models, along with control frameworks. To further ease the process of maintaining the solution, we help implement processes and governance policies that will ensure ongoing compliance, safeguarding the solution’s integrity.

To learn more about our SAP consulting services, contact us.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Article

Find a similar article by topics

Authors

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

Throughout 2024, our SAP experts addressed the hottest topics in the SAP space. Here’s our wrap-up of the five most...

Article

What is it about

The upstream oil and gas industry is characterized by complex operations and significant financial transactions. SAP S/4HANA supports these operations...

Article

What is it about

Growth is good. But too much of a good thing can present challenges to any well-established business. In this case,...