Technology Insights HOME | Perspectives on Technology Trends

Planning for an SAP S/4HANA Upgrade: Security and Controls

Kyle Wechsler

Managing Director - Business Platform Transformation


With SAP extending its support of SAP ECC through the end of 2027, many companies are now starting their S/4HANA upgrade projects in a race against the deadline. It seems timely to refresh a previous blog, as its considerations are still relevant to those on the S/4HANA journey, including companies on the RISE with SAP program. As a reminder, getting the following areas right up front avoids having to retrofit them after the initial upgrade, which ends up costing significantly more time, money and user disruption:

  • Security and Access Control    
  • Configuration (Automated) Controls  
  • SAP Process Control and SOD Transaction Monitoring (Quantification)   
  • Cloud and Cybersecurity 
  • Data Governance and Classification 
  • Updating Risk Universe and Internal Control Matrices 

While the core considerations above have not changed and are still relevant today, there are some additional focus areas that have emerged as companies have evolved and matured in recent years (and, notably, where we see external auditors expanding their scope). These additional areas should be discussed as part of the S/4HANA journey and overall SAP roadmap, as they will help strengthen the overall control environment.

Access control beyond SAP S/4HANA 

Many companies today have a tool such as SAP Access Control or an equivalent for automating access management of their SAP ERP. For those who do not already have a solution in place, it is critical to implement a tool as part of the journey. Since this has become the expected norm, the broader focus has shifted to extending access management capabilities to the ERP's ancillary systems such as Ariba, Concur, etc. This extension gives greater visibility and transparency into access risks within the SAP ecosystem, a more holistic and consolidated view, and a centralized hub for access management functions.

Segregation of duties (SOD) ruleset and cross-system risks 

To build on the above concept, as the transition to S/4HANA gets underway, companies often implement Fiori to enhance the overall user experience with its sleeker user interface (moving away from the antiquated SAP GUI screens). With the move to Fiori, it is critical to ensure the risk ruleset in the access management tool is updated to consider any new Fiori applications and transaction codes. To take it one step further, it is becoming more common to perform segregation of duties checks between two systems (i.e., cross-system risks). A typical scenario we see is a user with access to both S/4HANA for Finance responsibilities and Ariba for Procurement responsibilities; being able to analyze the access across systems helps in understanding the holistic risk exposure.
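A sketch of the cross-system check described above, as an added example that is not from the original article or from any SAP product. FB60 and F110 are standard SAP transaction codes; the Fiori app name, Ariba group names, risk IDs, accounts and the identity map are constructed placeholders.

```python
from collections import defaultdict

# Constructed ruleset: function -> (system, entitlement) pairs that grant it.
# FB60 and F110 are standard SAP transaction codes; the Fiori app and Ariba
# group names are placeholders, not real identifiers.
FUNCTIONS = {
    "post_vendor_invoice": {("S4", "FB60"), ("S4", "FIORI:APP_POST_SUPPLIER_INVOICE")},
    "run_payments": {("S4", "F110")},
    "approve_requisition": {("ARIBA", "GROUP:REQ_APPROVER")},
    "maintain_supplier": {("ARIBA", "GROUP:SUPPLIER_MANAGER")},
}
# Function pairs one person should not hold together (constructed risk IDs).
RISKS = {
    "R1": ("maintain_supplier", "post_vendor_invoice"),
    "R2": ("approve_requisition", "post_vendor_invoice"),
    "R3": ("post_vendor_invoice", "run_payments"),
}
# Constructed correlation of per-system accounts to one person.
IDENTITY = {
    ("S4", "JDOE"): "jane.doe", ("ARIBA", "jane.doe@example.com"): "jane.doe",
    ("S4", "BLEE"): "bo.lee", ("ARIBA", "bo.lee@example.com"): "bo.lee",
}
# Constructed access extract: (system, account, entitlement).
SAMPLE = [
    ("S4", "JDOE", "FIORI:APP_POST_SUPPLIER_INVOICE"),
    ("ARIBA", "jane.doe@example.com", "GROUP:SUPPLIER_MANAGER"),
    ("S4", "BLEE", "FB60"),
    ("S4", "BLEE", "F110"),
    ("ARIBA", "contractor7@example.com", "GROUP:REQ_APPROVER"),
]

def analyze(assignments, functions=FUNCTIONS):
    """Return (findings, unmapped); a finding is (person, risk_id, systems)."""
    held, unmapped = defaultdict(set), set()
    for system, account, entitlement in assignments:
        person = IDENTITY.get((system, account))
        if person is None:  # uncorrelated account: report it, never drop silently
            unmapped.add((system, account))
        else:
            held[person].add((system, entitlement))
    findings = []
    for person in sorted(held):
        for risk_id, (f1, f2) in sorted(RISKS.items()):
            hit1, hit2 = held[person] & functions[f1], held[person] & functions[f2]
            if hit1 and hit2:
                findings.append((person, risk_id, sorted({s for s, _ in hit1 | hit2})))
    return findings, unmapped
```

Passing a ruleset with the Fiori entry removed makes the jane.doe finding disappear, which is the blind spot a ruleset not updated for Fiori leaves. Accounts that cannot be correlated to a person are returned separately, because a cross-system check is only as complete as its identity mapping.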

Organizational change management and training 

This area is often not thought about early enough in the project, which prevents the proper planning and time commitment it requires. However, it is important to understand how the end user experience will change and plan accordingly up front (e.g., introducing a new Fiori app which changes the end user's interaction with the tool). A robust change management and communication plan should be developed, including creating or updating any training materials and policy/process documents. It is easy to miss these details while teams are in project mode and heads down executing; however, this often comes back to haunt IT teams in the form of more hypercare issues and tickets.

While it may seem like these additional considerations add complexity to a simple project, it is in fact the prime time to discuss and evaluate the user impact. It is equally important to consider these factors even if your organization is upgrading through the RISE with SAP program. While it is structured to be an accelerated migration and modernization program, it can be easy to overlook these key considerations or assume they are prebuilt. Incorporating these factors now, and doing it right the first time, will absolutely be more efficient than circling back and retrofitting any of them afterwards. Left unaddressed, they would only cost the organization more time and money in the long run (and, depending on the severity of the issues, potential audit deficiencies as well).

Readers may also be interested in this recent blog: Rising to the Challenge: RISE with SAP Automation with UiPath.   

To learn more about our SAP consulting services, contact us.


Authors

Yeurd Ng

Verified Expert at Protiviti

Kyle Wechsler

Verified Expert at Protiviti

Sara Kenn

Verified Expert at Protiviti
