SAP Process Controls


How Can Internal Audit and Compliance Functions Support S/4HANA Projects?


SAP S/4HANA is the next generation of SAP’s enterprise suite. This new version brings significant capabilities around analytics and reporting, features simplified accounting processes, and is architected to connect people, devices and business networks in real time, enabling the flexibility of applications across desktop computers, tablets and smartphones.

Many companies are treating S/4HANA projects as a business transformation opportunity and are creating large-scale implementation initiatives that require the attention and buy-in of various functions across the organization. This calls on the internal audit and compliance departments to play a vital role in ensuring that the project risks and key business objectives are defined, managed and addressed across all functions and throughout the implementation timeline.

Areas Affected by S/4HANA Implementations/Migrations

Key Changes
Risk/Compliance Implication

System Architecture

  • New database model
  • Cloud deployment and mobility options
  • Changes to information technology general controls
  • Cybersecurity risks

Security and User Experience 

  • 250+ Fiori applications
  • 200+ new transactions to be considered for sensitive access and SoD monitoring
  • New segregation of duties (SoD) and sensitive access requirements
  • Changes to SoD rulesets in SAP Access Control

Financial Reporting and Process Simplification

  • Introduction of Central Finance, SAP® S/4HANA Finance, and consolidation of FICO modules
  • 100+ automated controls added/changed
  • Changes to chart of accounts, financial close and accounting processes
  • Changes to internal control frameworks


How Can Internal Audit and Compliance Functions Support S/4HANA Projects?

The internal audit and compliance teams can play a key role in the success of S/4HANA implementation or migration projects. These teams should facilitate communication and visibility to key project stakeholders and the audit committee, identifying key risk indicators and recommendations to ensure project success. What kind of role these functions will play varies depending on their size and organizational structure, and may include:

  • Consultative Role – Providing input throughout the implementation phases, bridging potential gaps around user requirements, project documentation, segregation of duties and controls, and making sure implementation and long-term business objectives are considered.
  • Project Risk Management – Performing ongoing and independent project reviews to assess milestone progress and identify potential risks to the project’s success.

The following table is an overview of the most common S/4HANA implementation risks, and the key questions the internal audit and compliance functions should be asking project stakeholders to determine whether the project risk is changing and how.

S/4HANA Key Risks

Potential Risks 
Key Questions to Ask 

Project Management

Inability to effectively monitor and address evolving project risks leads to an unsuccessful implementation.

  • Does the project have the right level of sponsorship to succeed?
  • Does the implementation team have the right business process and technical S/4HANA and SAP HANA skill sets?
  • How is the project risk management approach defined?

Business Process Design

Ineffective or poorly designed business processes fail to meet stakeholder objectives and do not generate the expected efficiencies.

  • Is our organization designing the S/4HANA solution in alignment with our business objectives and operational priorities (reporting, growth, scalability)?
  • Is our organization on track to realize process optimization benefits?
  • What are the internal control framework changes?

System Infrastructure

Failure to address new risks stemming from infrastructure changes (e.g., cloud, on-premise or hybrid installation) leads to system instability or data integrity issues.

  • Is there an understanding of the new risks and the controls needed to monitor the system’s new infrastructure?


Failure to address new security risks introduced by changes in system design and landscape leads to inappropriate access to sensitive data and systems and infrastructure weaknesses.

  • Is the IT team prepared to manage a more complex security model?
  • Is security set up in a way that prevents and monitors new cybersecurity risks?
  • Have we considered the S/4HANA impact to our existing SoD ruleset and security provisioning process?

Organizational Change Enablement

Ineffective communication and change management processes fail to engage the organization and result in poor system design and low adoption/end user satisfaction.

  • How aware and informed is the end-user community about the project’s objectives, timelines and changes?
  • Have we assessed the impact of the changes on business processes and will new skill sets and training be required?

Data Strategy

Poor data quality leads to poor reporting, financial misstatements, or impaired decision-making.

  • Is there a well-defined and documented data strategy, including real-time analytics and data visualization?
  • Are there plans to centralize, standardize and govern master data elements?
  • Is the business involved in validating the data conversion and reporting strategy?


How Protiviti Can Help

Protiviti supports S/4HANA implementation and migration projects beyond the work typically performed by system integrators. With an extensive risk and compliance background, we are in a unique position to help companies identify and mitigate risks around their S/4HANA projects. We bring:

  • A proven methodology and approach to assess project readiness, organizational change management and risks throughout SAP® S/4HANA implementations and migrations
  • A comprehensive strategy for data readiness, governance and reporting around SAP HANA® data models
  • Automated tools to assess and build application security (Assure Security™) and automated controls (Assure Controls™)
  • Optimized business process and security design, including new requirements around Fiori and HANA database security
  • SAP Access Control and SAP Process Control expertise for SAP® S/4HANA environments
  • A library of predefined SAP Process Control continuous control monitoring (CCM) controls for SAP® S/4HANA


Toni Lastella – New York
John Harrison – Houston
Carol Raimo – New York
Steve Cabello – Los Angeles
Aric Quinones – Atlanta
Ronan O’Shea – San Francisco
Thomas Luick – Chicago
