In Part 1, we introduced the first four of the seven key areas of business responsibilities during an SAP S/4HANA or Central Finance transformation journey. Today, we cover the remaining three: user acceptance testing, reporting and analytics, and security and controls.
User Acceptance Testing (UAT)
UAT is the final and most critical phase of system testing, and it validates that the new system design can support the business. UAT is even more critical as more projects are delivered through agile-like methodologies like SAP Activate, as there is typically not a clear requirements document but a collection of user stories that define the requirements. The business plays a vital role in this testing phase and should assume responsibility to ensure all business requirements and user stories are met. For any user stories that are not met, the business must identify a resolution or workaround to support the process. Business participation is necessary during UAT to confirm the end-to-end, future state processes that the new system will support are operating as expected and that all critical user stories have been addressed. Successful UAT testing increases user adoption rates with a thoroughly tested and functional system at go-live, reduces go-live risk by ensuring the system is working as designed and reduces post live support requirements by surfacing issues early and allowing for resolution. Common gaps in UAT are a lack of comprehensive, well-designed test scripts to fully address end-to-end testing, lack of defined metrics (entrance/exit criteria) and understanding of workstream dependencies.
Below are key responsibilities of the business during UAT:
- Develop test scenarios based on the solution design, business requirements and user stories that address all business processes end-to-end
- Plan UAT execution schedule, identify appropriate testers and the sequence of user stories and scenarios
- Identify dependencies on the other tracks (such as data conversion and interfaces) to ensure efficient coordination across workstreams for testing
- Clearly communicate issues and defects and coordinate with all appropriate personnel.
Reporting and Analytics
During an S/4HANA or CFIN transformation, the reporting workstream is usually limited in nature and focused on leveraging standard reports. A comprehensive analytics strategy is often an afterthought. While standard reports may meet some business requirements, it does not consider the holistic reporting needs of the organization. Organizations taking on transformation journeys today should focus on identifying and developing the key analytics vision and requirements that the organization will need to stay competitive. This may include predictive or prescriptive analytics, leveraging big data and KPI dashboards. This analytics vision is a critical element of most transformations and must happen early in the process to help inform solution design, data requirements and tools selection.
The business can achieve these goals by:
- Creating a complete vision for the future state analytics environment
- Mapping and defining the user personas and how those personas need to interact with data to achieve the promised gains of S/4 HANA
- Creating an inventory of key reports needed for go-live based on stakeholder input
- Reviewing and validating the process for developing additional reports immediately after go-live
- Reviewing and validating the overall architecture and the tools or technologies in place for reporting to ensure they will meet future business needs.
Security and Controls
Due to a variety of competing project management priorities during S/4HANA and CFIN implementations, it is common to prioritize functional readiness over system security and internal control requirements. This means that the technical security and compliance workstreams are scrambling to build and test their deliverables just prior to go-live, leading to a rushed and unsustainable system security architecture, excessive user access and lack of configurable controls. In such cases, significant compliance gaps are often discovered during post-implementation audits, creating the need for costly security and controls redesign projects to remediate large risk exposures.
The key to avoiding this common project pitfall is to obtain the adequate level of support from C-level management and the project steering committee to appropriately resource the security and compliance workstreams and ensure there are key security and compliance checkpoints throughout the project timeline, starting no later than the design phase. It is critical to develop strong collaboration with the functional workstreams, financial compliance and internal audit teams to ensure shared responsibility for the successful completion of the security and controls deliverables.
The business should consider these key security and controls deliverables:
- Developing an enterprise security and internal control strategy and obtaining buy-in from key stakeholders, including an IT general controls framework, a business controls framework, data privacy and protection, regulatory compliance, relevant corporate policies and a knowledge transfer plan
- Establishing key checkpoints with internal audit and other compliance teams to confirm alignment and sign-off of roles and responsibilities, scope and desired outcomes
- Obtaining the sign-off of security and controls subject-matter experts for all final business process blueprint documents, ensuring the business process and solution design is influenced by a control mindset
- Documenting detailed security operating policies and procedures (e.g., role, user access and emergency access management) that govern all security administration processes for both production and non-production systems in scope
- Integrating security and internal controls into the integration testing plan
- Evaluating an enterprise GRC solution.
It is imperative that companies understand their role when preparing for a business transformation initiative powered by S/4HANA or CFIN. Active business involvement in business process readiness and solution design, program governance and management, organizational change enablement, data conversion and governance, user acceptance testing, reporting and analytics and security and controls will help drive a successful transformation. Appropriate knowledge of the role the business will play throughout the project lifecycle helps avoid common mistakes and supports a successful transformation journey.
To learn more about our SAP capabilities, contact us or visit Protiviti’s SAP consulting services.