by Susan Fisher, Contributing Writer, SAPinsider The mention of Hershey might bring to mind an image of chocolate and it should, but there is a lot more to discover: a chocolate and confectionary leader, The Hershey Company has over 90 brands. Hershey is continuously challenged to innovate and at speed to meet changing consumer preferences and in a global context, like a shift to better-for-you healthy eating, and omnichannel shopping experiences. The need for greater efficiency in core business processes and controls, better data, analytics and insights, and increased organizational agility, has never been stronger. These are some of the drivers behind the level of resourcing and engagement across and up the organization to realize value for the business, including increased collaboration, restructuring of teams, and a move to SAP S/4HANA. Hershey’s move to SAP S/4HANA is partially forcing a re-evaluation and redesign of key business processes — a change that requires audit and controls to keep pace, map their structure and processes accordingly, and avoid significant and costly consequences if their considerations are left until the end. “We’ve had very mature processes for a long time,” Mike Rosten, Manager of Internal Audit, says. “One of our challenges was to step outside of that and ask ourselves how we could adapt to some of these new strategies to best fit our end goals. SAP S/4HANA really gives us that opportunity with a clean slate, to validate best practice and benchmark against other industry leaders.”

Internal Audit’s Strategic Advantage

The implementation will include a high degree of change in processes and technology. Hershey’s control strategy is evolving to ensure compliance through the transition and begs the question: how to best integrate controls throughout all phases to support governance, risk, and compliance (GRC) integrity? The answer, according to Jon Laubenstine, Senior Director, Internal Audit, is both simple and complex. “If you are responsible for controls or audit, you must have a seat at the table and early, and fully integrate into the project. It provides the opportunity to be informed, to move and flex, and better define your strategy. You are seeing progress in the project and seeing everything in real time,” he says. Laubenstine is also a member of the Project Management Office for the implementation, attending related board and audit, as well as executive committee meetings.   Jon Laubenstine, Senior Director, Internal Audit, Hershey   Hershey has had to adopt the whole model for maintaining and updating its internal controls, and a control mindset, to best deploy Internal Audit (IA) to provide independent, objective assurance and advice that promotes and facilitates innovation and improvement. It’s working well. IA resources were reviewed, restructured and baked into the SAP S/4HANA project plan upfront, ensuring audit and control resources were specifically dedicated to the implementation. The team used an Agile implementation approach to build controls into the process along the way, check performance, learn, and then adapt quickly when necessary, leveraging SAP Access Control and SAP Process Control. SAP’s GRC solutions provide Hershey with control integration across its SAP and non-SAP system landscape, enabling transparency and accountability, driving more cost-effective compliance, and simplifying both process execution and cross functional risk management. “Getting involved proactively, especially with an Agile approach, has given us the opportunity to really influence the future design of the process so that controls are innately embedded,” Laubenstine says. “We want controls that support the business’s ability to be nimble and profitable.”

Measuring the Success of Hershey’s New Strategies

From a control’s perspective, Hershey has set objectives based on best practices and benchmarking against other leading consumer packaged goods companies to understand where it sits, how mature its processes are, and what is realistic. Hershey will deploy SAP S/4HANA one region at a time. This phased approach will allow IA to look at adoption rates, whether control failures went up or down, and understand to what extent IA is leveraging GRC. Using SAP Process Control, rationalization of manual controls is targeted at 35% and control automation is expected to increase from 20% to over 50%. “We’re working on getting a hard target on how much time we are giving back to the business since less time is being spent executing manual controls and reporting,” Laubenstine says, “and then also from the audit standpoint, how much time we are saving through automation while doing an effective test of these controls simply by going to GRC. Because everything’s in one spot, we don’t have to run populations, send emails, follow-up, and request documentation. While this is a little bit further out, we’re looking at building benchmarks against this.”   Mike Rosten, Manager of Internal Audit, Hershey  

Technology & Partners

Hershey runs SAP Access Control and SAP Process Control and has upgraded to the new GRC 12.0 version allowing it to monitor privileged access at a database level, getting the organization ready to control access even from an SAP Fiori standpoint. SAP Fiori represents the new interface for SAP S/4HANA and future SAP solutions. Hershey needs to prepare for those solutions, which carry with it some unique administration and security requirements. This is a prerequisite for its SAP HANA and GRC core. “Our focus is also on data analytics tools to compile, cleanse, and visualize data that we use in our audits selecting more of an analytical base sample, looking for anomalies and process gaps or exceptions to processes that we can potentially come up with a solution to close and make them part of our standard process or create a workaround for them,” Rosten says. Analytical tools and data visualization are significant in reporting to senior management who might not be focused on the underlying details. Alteryx supports data cleansing and extraction for Internal Audit at Hershey. Accenture is Hershey’s system integrator, leading the overall implementation through the Agile approach, bringing best practices forward and helping Hershey think through the overarching system landscape and what makes sense on a go-forward basis. PwC was Hershey’s partner when they initially implemented SAP Process Control, and the organization continues to leverage PwC’s expertise, their understanding of Hershey’s environment and landscape, and familiarity with the SAP S/4HANA system as it relates to control. “Their internal training helped us create experts in that space, in terms of how to use the technology and build tools,” Laubenstine says. Hershey has been talking about bringing continuous monitoring and continuous auditing to the organization for years to reduce security, technology and process risks, significantly improve efficiencies and compliance, identify deviations, and monitor data integrity and adherence to process controls. With SAP S/4HANA as an enabler, this is becoming a reality and the end result will be greater business resilience and ongoing innovation.

What Does This Mean for SAPinsiders

• Understand early and prepare for the process impact of a move to SAP S/4HANA. Process redesign and standardization bring business benefits but also impact audit and process controls.
• Get out in front of the process with your business partners so you can inform and co-create, making them aware of control considerations that will impact their decisions.
• Challenge your current processes and leverage technology and external expertise to support adoption and behaviour change. Asking questions like “what is your biggest pain point” and “how do we benchmark against our peers” is important.

Watch a short video to hear how  Hershey integrates security and control initiatives within major systems implementations, and demonstrates the strategic value of controls and compliance.    For Premium Members — >> Watch the full on-demand session, “How Hershey is Leveraging GRC to Increase Control Automation with SAP S/4HANA,“ at the SAPinsider 2021 Financials, GRC and Cypersecurity event.   >> Become a Premium Member and gain the insider advantage  SAPinsider is the largest, most influential and fastest growing global membership group of SAP professionals.