While growth through acquisition is generally a sign of strategic success, such events open up a number of decision points for companies. How these decisions are handled can have both financial and audit consequences, and prove to be either painful or transformative for the organization.
For a large publishing company, a newly acquired line of business provided a good opportunity to implement SAP’s latest version, S/4HANA, and a customer relationship management (CRM) platform. Management knew that all business lines would need to be migrated to an upgraded S/4HANA system over time. Starting with the newly acquired business and then gradually moving the rest made sense for the company.
The wrinkle in this plan was time. The former parent company wanted the business line moved off its environment quickly. The move was completed on schedule, but it left proper security and audit controls as an afterthought of the project. The system, integrated on time, was now riddled with excessive-access issues. Auditors made clear they needed to see the segregation of duties (SoD) violations resolved by year-end. The company was now looking at a full redesign of the access it had just built out.
With a tight deadline looming and uncertainty about the necessary expertise available internally to resolve the SoD issues, the company turned to an external vendor for guidance and execution. Management decided to invest in a remediation project led by Protiviti that went beyond the immediate need for redesigned access for SoD violations and offered long-term sustainability of SoD and access management.
With that decision made, the first step was to develop a customized ruleset for the new S/4HANA environment and integrate it into the company’s existing governance, risk and compliance (GRC) system. That enabled the organization to quantify SoD violations independently and quickly in the new S/4HANA and CRM systems, further validating the need for security redesign.
The company also realized that defined ownership of access was required to sustain appropriate access in the future. The access owner is responsible for determining role content, approving role changes and approving role access requests. Access ownership became a project priority. It enabled the primary SAP users within the business and IT organizations to drive the design of the company’s access, with Protiviti providing guidance on best practices. When questions of appropriate ownership arose, the audit and compliance teams were brought in to help make decisions quickly.
The next necessary step was a redesign of the emergency access in both the S/4HANA and CRM systems. For the company’s CRM environment, this was a brand new endeavor aimed at removing highly sensitive access from users’ everyday use of the CRM system and creating procedures to grant emergency access when needed. To control the emergency access request process better, the company decided to replace its current manual process with an automated one. The existing GRC Access Control system was used to implement this automated process, streamlining the request, approval, monitoring and review of emergency access.
Due to the project’s time constraints, the usual integrated access testing was replaced with a pilot go-live in the production environment involving 10 percent of the user base. This small population was hand-selected to represent the majority of SoD violations and most aspects of the business and IT organizations. The pilot allowed go-live issues to be resolved with minimal risk to the company and in a short amount of time.
One of the key pieces tying the company’s remediation efforts together was the establishment of a governance committee. The committee was initiated by the company to define top-down policies and procedures and monitor the integrity of the newly established S/4HANA and CRM environments. Protiviti worked with the committee to develop high-level policies around role management, access management, emergency access management and SoD management.
The project yielded measurable results for the company and won the approval of the external audit team. From a quantitative perspective, the role access was now 100 percent free of SoD violations. At the user level, where conflicting role assignments were inevitable due to business process, the company saw SoD violations reduced by 83 percent and 98 percent in the S/4HANA and CRM systems, respectively.
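To make the distinction above concrete, here is a small SoD ruleset checker written as an added example for this article; it is not the company’s GRC ruleset or Protiviti’s tooling. It shows how a ruleset (pairs of conflicting functions, each expressed as a set of transaction codes) is evaluated first against each role on its own (the "inherent" or role-level violations that the redesign eliminated entirely) and then against the union of each user’s roles (the user-level violations that can only be reduced, since some users legitimately hold several roles). The rule IDs, role names, user assignments and the percentage helper are constructed for illustration; the transaction codes are standard SAP ones (XK01 create vendor, F110 payment run, VA01 create sales order, VL01N create delivery) but the rules are simplified stand-ins for a real ruleset.

```python
"""Minimal SoD ruleset checker (added example, not the company's or Protiviti's code).

Roles, users and rule IDs below are constructed for illustration; the rules are
simplified stand-ins for what a GRC ruleset encodes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    risk: str
    func_a: frozenset  # transactions that grant function A
    func_b: frozenset  # transactions that grant function B (conflicts with A)


# Constructed ruleset: a user who can do both sides of a rule has a violation.
RULESET = [
    SodRule("P001", "Maintain vendor master and pay vendors",
            frozenset({"XK01", "XK02"}), frozenset({"F110", "F-53"})),
    SodRule("O001", "Create sales order and release delivery",
            frozenset({"VA01"}), frozenset({"VL01N", "VL02N"})),
]

# Constructed roles: each maps to the transactions it grants.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53", "FBL1N"},
    "Z_SD_ORDER_ENTRY": {"VA01", "VA02"},
    "Z_SD_DELIVERY": {"VL01N", "VL02N"},
    "Z_LEGACY_AP_ALL": {"XK01", "F110", "FBL1N"},  # inherent (role-level) conflict
}

# Constructed user-to-role assignments.
USERS = {
    "alice": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},  # conflict only across roles
    "bob": {"Z_SD_ORDER_ENTRY"},                      # clean
    "carol": {"Z_LEGACY_AP_ALL"},                     # inherits the role's conflict
}


def violations_for_tcodes(tcodes, ruleset=RULESET):
    """Return sorted rule IDs where both sides of the rule are present."""
    tcodes = set(tcodes)
    return sorted(r.rule_id for r in ruleset
                  if tcodes & r.func_a and tcodes & r.func_b)


def role_level_violations(roles=ROLES, ruleset=RULESET):
    """Inherent conflicts: both sides of a rule granted by a single role.
    These are removed by redesigning role content, which is why the article
    can report role access as 100 percent free of SoD violations."""
    out = {}
    for role, tcodes in roles.items():
        found = violations_for_tcodes(tcodes, ruleset)
        if found:
            out[role] = found
    return out


def user_level_violations(users=USERS, roles=ROLES, ruleset=RULESET):
    """Conflicts arising from the union of everything a user's roles grant.
    Some of these remain when one person must legitimately hold two roles."""
    out = {}
    for user, assigned in users.items():
        effective = set()
        for role in assigned:
            effective |= roles.get(role, set())
        found = violations_for_tcodes(effective, ruleset)
        if found:
            out[user] = found
    return out


def explain_user_violations(user, users=USERS, roles=ROLES, ruleset=RULESET):
    """For an access owner: which assigned roles supply each side of a conflict,
    so the decision is 'remove role X' or 'accept and mitigate', not guesswork."""
    result = {}
    for rule in ruleset:
        a_roles = sorted(r for r in users[user] if roles[r] & rule.func_a)
        b_roles = sorted(r for r in users[user] if roles[r] & rule.func_b)
        if a_roles and b_roles:
            result[rule.rule_id] = (a_roles, b_roles)
    return result


def reduction_percent(before, after):
    """Percentage reduction in violation count, e.g. for a before/after report."""
    if before == 0:
        return 0.0
    return round(100.0 * (before - after) / before, 1)


if __name__ == "__main__":
    print("role-level:", role_level_violations())
    print("user-level:", user_level_violations())
    print("alice detail:", explain_user_violations("alice"))
```

Run against real data, the role-level report is the one to drive to zero before go-live, while the user-level report and the per-user explanation are what the access owners work from when deciding whether a residual conflict is removed or accepted with a mitigating control.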
From a qualitative perspective, the company saw even more benefits. The organization now has a best-practice, simplified access design, free of inherent SoD violations and owned by the primary users, which facilitates better decision making around requests and maintenance. Following the successful pilot, the system went live in the production environment with minimal business disruptions. The smooth go-live afforded extra time to focus on knowledge transfer: working alongside the company’s SAP security team on proper maintenance and bridging a knowledge gap for CRM security.
The automated emergency access also follows a best-practice design. It minimizes manual touchpoints in the process, facilitates quicker turnaround for emergency access requests and promotes accountability for the approvals and reviews.
A major factor ensuring the success of the project is the newly established governance committee, which now has defined roles and responsibilities in the organization to perform monitoring and effect change moving forward.
What started out as a post-acquisition “growing pain” for the company, with a need for quick resolution, became an opportunity to drive immediate change with lasting sustainability. The organization is now better prepared for its future growth.