As companies transition to SAP's S/4HANA, crucial security measures are often overlooked, exposing them to potential fraud. Technology can simplify complex jargon, fostering informed decisions and a risk-aware culture
Tens of thousands of companies are upgrading from SAP’s ECC Enterprise Resource & Planning solution to SAP’s latest offering, S/4HANA, before the former is phased out in 2027.
SAP S/4HANA leverages the power of in-memory computing to process vast amounts of data and support advanced technologies such as artificial intelligence, machine learning, the Internet of Things (IoT), and advanced analytics – the building blocks of modern digital enterprise.
Surveys suggest that CFOs and finance directors responsible for the SAP transition, which can take anywhere from 1 to 3 years for a complete system re-implementation, are finding it trickier than expected, citing the scale of change management and skills availability as major obstacles.
In the face of mounting deadline pressure and intense competition for the necessary resources and expertise, Governance, Risk and Compliance (GRC) and security considerations crucial to the organisation’s operations are often left to the last minute.
“Large digital transformation projects often encounter delays, and the focus shifts to ensuring that the configuration is completed on time, i.e. that the SAP system will perform as intended,” explains Dudley Cartwright, CEO at Soterion, who has been assisting customers in securing their SAP environments for more than a decade.
“Resources are allocated accordingly, with project managers determining that security can be dealt with later.”
When implemented early and correctly, access control (GRC) solutions can save finance directors significant amounts of time and money – ensuring employees are assigned appropriate access to the correct system when being onboarded, and expired privileges are revoked when they transition to new roles or exit the company entirely.
“The SAP security (authorisation) concept is very technical and complex, resulting in it being difficult to ensure appropriate access is assigned to all users,” Cartwright notes.
“Without an access control (GRC) solution, identifying which SAP users have inappropriate access is near impossible. If an organisation goes live with an inappropriate SAP role design, users may not have the functionality they require to perform their job function, resulting in in-efficiencies and a negative perception of the S/4HANA project. Alternatively, if SAP users are assigned too much access, this places the organisation at fraud risk and unfavourable audit findings.”
Access control (GRC) solutions highlight Segregation of Duty (SoD) and Sensitive Access risks: roles that are problematic in that they allow the SAP user to perform functions that should be segregated to reduce the potential for fraud.
Typical access control solutions are technical and complex in nature, making it difficult for the business users to perform their compliance tasks and/or interpret the access risk (SoD) results.
Soterion differentiates from many GRC solutions by converting the technical GRC language into a language the business users can understand using business process flow illustrations that make it easier for line managers (role owners), who are responsible for approving access to make informed decisions.
“Access risk is business risk – although GRC solutions are IT solutions, the owners of the data are business users,” Cartwright adds.
Business risks are growing all the time, with the potential for both external security breaches and internal fraud on the rise as hackers become more sophisticated and cost-of-living pressures intensify.
Barely a week goes by without another high-profile news item highlighting the financial and reputational risk attached to leaving software vulnerabilities unpatched.
Capita’s recent £25 million quarterly loss because of the Black Basta ransomware group’s hack of its Microsoft Office 365 software, which mined the personal data of staff working for the company and its clients, is a prime example.
Indeed, threat actors’ agility is improving as cloud systems extend potential software vulnerabilities across millions of machines, commoditised hacking tools proliferate, and cyber criminals hide their tracks using obfuscation-as-a-service proxies, according to PwC’s “Cyber Threats 2022: A Year in Retrospect” report.
The heightened threat environment has spawned increased uptake of real-time monitoring and detection solutions such as Splunk, Onapsis and Security Bridge.
Meanwhile, SAP security audits conducted by the Big Four are becoming more rigorous, amid greater regulatory scrutiny and more stringent financial penalties for sub-standard audits, as well as improvements in auditors’ ability to assess companies’ access control risks and real-time threat detection capabilities.
Organisations are under pressure to illustrate to their auditors and shareholders that the necessary internal controls are not only in place, but that these controls are effective. Coupled with this, organisations are being required to meet rapidly evolving regulatory requirements, ranging from the EU’s GDPR data privacy legislation to internal financial reporting rules such as Sarbanes-Oxley in the United States and J-SOX in Japan.
“As new regulations are introduced and audits become stricter, costs increase, either in the form of additional security resources to administer solutions, or lack of productivity as end-users spend more time on compliance tasks,” Cartwright says.
While many user access management responsibilities fall within the realm of what would traditionally be labelled as IT, finance directors know only too well that the onus is on them to address access and audit risks.
Even with outside assistance, many SAP implementation partners lack the experience necessary to advise clients on S/4HANA functionality, particularly as regards security and change control, ensuring that boardroom pressure is only likely to intensify once SAP ECC is phased out.
“Soterion’s SAP access control solution presents risk results in an easy-to-consume manner for the less technical business users. This ensures more informed decision making and better business buy-in, resulting in a more risk aware organisation. Compliance tasks are performed more efficiently, and as these are no longer done merely to tick an audit box, they actually start adding real value to the organisation “, Cartwright says.
The solution can thus help create a business environment in which key performance indicators, and the rewards associated with meeting them, are linked to security and compliance tasks, incentivising staff to perform them correctly.
The upshot is simple: as audit risks and requirements intensify and SAP software evolves, implementing a business-centric GRC solution simply cannot afford to wait.
