System Integrator or Security Specialist: Who Should Be Responsible for Implementing S/4HANA Security and Controls?

In the dynamic landscape of SAP S/4HANA implementations, the critical aspects of security, governance, risk and compliance (GRC) and controls demand meticulous attention. Transformation of business processes presents an opportunity to revamp the enterprise application security to stay compliant and secure, in effect satisfying the needs of the auditors and business stakeholders. IT leaders know that the fine balance of maintaining a secure, yet effective solution is not always easy to achieve, specifically due to ever-changing audit and regulatory compliance changes. There has never been a more critical time to ensure that systems are implemented with leading practices to safeguard the integrity and usability of the enterprise system.

Value driven and cost-effective solutions

As organizations look to embark on an SAP transformation journey, they have critical decisions to make, including which vendors to pick for the various components of their journey. Typically, cost is a significant driver of the decision-making process that determines which vendors are chosen. Specifically, within the realm of the SAP security, GRC and controls domains, the path of least resistance may be to go with the systems integrator (SI) that is helping to implement the solution. Although this may seem to be the “cost-effective” option, there may be many adverse implications to this approach. We have seen the most success when organizations select a partner that has experience in developing strategic SAP security and access governance initiatives that will help generate long-term value and cost savings. Features to look for when building a best-in-class security architecture include:

• Scalable design for long-term cost savings: The project team should have purpose designed and scalable access model repositories that can fit the needs of complex organizations and their requirements. This scalable solution is essential as it can be adapted and extended throughout the lifetime of the enterprise application as the business undergoes further transformation which can be fueled by regulatory changes, organic growth, and mergers and acquisitions to name a few. This scalability not only ensures immediate savings but also translates into a lower total cost of ownership over the long term.
• Mitigating audit findings for cost efficiency: As illustrated in another Protiviti blog, a specialized risk consulting partner should be uniquely positioned with capabilities that span internal audit all the way through technology implementations. This allows for project teams to design and deploy robust risk control frameworks as well as SAP security roles that have been vetted for segregation of duties (SoD) risks to ensure that only appropriate access is granted to users within a production environment. Risk mitigation within the security role architecture is baked into the baseline security role design and is validated through the build, test and deploy phases of a given implementation to ensure that only accepted risks are present within security roles. By addressing vulnerabilities early in the process, organizations can significantly reduce the fees associated with fixing audit findings. This not only leads to immediate cost savings but also establishes a foundation for ongoing compliance.
• Enhanced productivity through streamlined access: A robust security and GRC access model extends beyond cost savings, as a well designed and built solution will also have an impact on the application’s user productivity. In a production environment, end-users should not have to spend valuable time submitting incidents or navigating access request forms for issues that stem from a poorly implemented security or GRC model. Ideally, the access that is deployed to end-users would be vetted for defects while ensuring the key security principles are adhered to maintain a compliant production environment. Through thorough requirement gathering workshops, as well as end-to-end security testing performed by business testers as part of user acceptance testing (UAT), issues will be documented and addressed proactively prior to deploying the solution to the end-users.

Value of independence

Independence should be a driver in the decision to identify the right partner for this journey. Typically, an SI is selling multiple services as part of the proposal, which is generally going to be billed on a fixed fee structure. This will have a major impact on how funds are allocated for the work at hand, which will mean that domains such as security, GRC and controls may not be the top priority of the SI as the end goal is stand up a functioning system (rather than a security and controls compliant environment).

An independent security, GRC and controls team provides an unbiased perspective on the organization’s SAP requirements, ensuring optimal outcomes. Through collaborative discussions, solutions are explored to address issues and enhance organizational value. This impartiality ensures the right approach is maintained, effectively keeping SIs honest throughout the planning, design, build, test and deployment phases. Additionally, collaboration with internal controls and access governance teams guarantees timely reporting of security and compliance status, with swift issue escalation for effective project governance. Overall outcomes will be tracked and reported with the respective project management office (PMO) to ensure program level outcomes are also being achieved.

Subject matter experts (SMEs) that have deep knowledge of SAP security, GRC and controls will enable deeper level discussions, allowing for the best possible decisions to be made regarding complex scenarios.