What's all the fuss about SAP's GRC?

What is GRC? GRC stands for Governance, Risk and Compliance. This covers a very broad spectrum of ideas and concepts; however, they can all be joined together to give a complete controls check of your SAP system and beyond.

The Access Control Suite is part of SAP's GRC product. It allows companies to audit their own systems to check whether there are any Segregation of Duty (SoD) issues within their ERP system. Internal and external audits can be expensive to run; with this solution, the audit can be done on an ad hoc basis, enabling the IS team to take more control of their systems and reducing the cost of external agencies auditing them.

The key word is CONTROL. Do you want to know that your business is being run correctly and that a user does not have authorizations to commit fraud? Do you want to know that the business processes you use daily are consistent and don't expose your organization to RISK? Some organizations feel that auditors are taking up too much of their time. The GRC suite, once implemented, will reduce the amount of time spent on internal and external audits for Segregation of Duty.

Failure to resolve SoD issues will lead to a note being forced onto your accounts, and if you are a listed company this will affect your share price, potentially wiping 2 or 3% off your market capitalisation, which could equate to 100's of millions.

The solution is broken down into four products:

  • Compliance Calibrator: Checks all authorizations to make sure there are no SoD issues
  • Fire-fighter: Controls when a user is given a greater authorization in an emergency
  • Role Expert: Makes creating roles easier, checking for SoD issues
  • Access Enforcer: Checks for SoD issues as individuals move and change roles


Key Business Benefits

The methodology of these products falls in line with SOX. It not only enables the business to run real-time audits as and when required, but also provides information about how to rectify situations where Segregation of Duty has failed. Moreover, the products support continuous processes to make sure future roles are correct, and new rules can be added. As per the document below, there will be a substantial reduction in the resource effort needed to stay SoD compliant and in the effort of creating user profiles. Lastly, the hot topic of authorizations for support staff is addressed, removing the need for SAP_ALL in the Production environment.


Our Approach

  • Meet with Client.
  • Introduce them to the concepts of the Compliance Calibrator.
  • Run it on our Demo system to show them how the product works.
  • Agree a project and which products the client will take from the Access Controls Suite.
  • Install the products in the Dev and QA environments.
  • Run it in a Test environment.
  • Install the products on the Production environment.
  • Ask the client to be a case study for Bluefin and SAP.

Next Steps

Bluefin, together with SAP, is looking at offering a complete solution to Segregation of Duties issues within your ERP systems. We offer workshops, seminars and one-to-one sessions with clients to work out the best options and roadmap for future improvements. Look out for our upcoming seminars, which will include detail on SAP GRC.

 

 
