Implementing a New GRC Environment for Process Control and Efficiency
Key Takeaways
⇨ A global leader in the food and beverage and health and wellness sectors expanded its market presence through M&As, which increased its SOX-relevant systems from four to 20 SAP landscapes and nearly doubled its workforce.
⇨ To manage the complexity of the new SAP landscape, the company partnered with Protiviti to implement a unified GRC system, focusing on enhancing access control and process control capabilities across its expanded network.
⇨ Key project achievements included automation of GRC processes, improvement in user provisioning workflows, and significant enhancements to access governance, ultimately improving efficiency in managing IT SOX controls.
A global leader in the food and beverage, home and personal care, and health and wellness sectors expanded its market presence through substantial mergers and acquisitions. This growth not only increased its SOX-relevant systems from four to 20 SAP landscapes, but also nearly doubled its workforce, from 13,600 to 24,600 employees.
The rapid expansion produced a complex SAP landscape in which access governance was spread across several systems and processes, so these had to be consolidated and streamlined into a single SAP GRC system. To achieve a unified governance and standardization model, the company partnered with Protiviti to implement a new GRC environment that aimed to enhance access control functionality and enable process control capabilities across the newly expanded corporate network.
As the project began, several challenges were identified, including systems nearing end-of-life support, the need for GRC ruleset upgrades, and the transition from legacy systems to new platforms. The client’s new system was built on SAP’s GRC 12.0 platform, designed to replace two outdated SAP GRC 10.1 environments. The project scope covered access risk analysis, emergency access management (EAM), access request management (ARM), and user access review (UAR). Key initiatives also involved unifying the governance environments, standardizing access governance processes, integrating the segregation of duties (SoD) rulesets, and connecting 20 target systems from different subsidiaries so that access management could be controlled centrally. Additionally, Protiviti’s team connected a new SAP Central Finance (CFIN) system to the GRC environment to extend the SoD ruleset to it and improve audit readiness.
With the completion of the first phase, the team shifted its focus to enhancing access control functionality and enabling process control capabilities. Eight critical milestones were achieved, including improvements to user provisioning workflows, customization of ARM workflows, and streamlining the UAR experience in the SAP NetWeaver Business Client (NWBC). The project also included automating the locking of GRC backend users, enhancing email notifications, identifying cross-system SoD conflicts (a user whose conflicting actions are split across two connected systems, which a per-system analysis does not see), and implementing transactional Fiori apps. To further enable SAP Process Control features, the team automated IT SOX controls using ABAP report sub-scenarios and SoD integration, reducing manual effort and improving efficiency in managing IT SOX controls.
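To make concrete what "integrating SoD rulesets" across connected target systems and "identifying cross-system SoD conflicts" mean, here is an added illustration in Python. It is not code from Protiviti, from SAP GRC Access Control, or from the case study; it mimics the way GRC Access Control models a risk as a pair of conflicting functions, each function being a set of actions (transaction codes) that may sit in different connected systems. The ruleset, the risk IDs, the system names and the user assignments are all constructed for the example, and the check is deliberately generic so it works for any such ruleset, not just the two risks shown.

```python
"""Cross-system segregation-of-duties (SoD) check on constructed sample data.

Added example, not code from the case study or from SAP GRC. A user who can
create a vendor in one connected system and pay that vendor in another still
violates a vendor-maintain vs. vendor-pay rule, even though neither system on
its own shows a conflict. That is the gap a unified GRC ruleset closes.
"""
from collections import defaultdict

# Constructed ruleset: function -> {(system, action)}. Function names, system
# names and transaction codes here are illustrative assumptions.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {("ERP", "XK01"), ("ERP", "XK02"), ("CFIN", "FK01")},
    "VENDOR_PAYMENT":  {("ERP", "F110"), ("CFIN", "F110")},
    "GL_POSTING":      {("CFIN", "FB01")},
}

# Constructed risks: risk id -> (function A, function B) that must not be held together.
RISKS = {
    "P001": ("VENDOR_MAINTAIN", "VENDOR_PAYMENT"),
    "F002": ("VENDOR_MAINTAIN", "GL_POSTING"),
}

# Constructed user-to-action assignments as a GRC synchronisation of the
# connected systems would collect them: user -> {(system, action)}.
USER_ACTIONS = {
    "alice": {("ERP", "XK01"), ("CFIN", "F110")},   # conflict split across two systems
    "bob":   {("ERP", "XK01"), ("ERP", "F110")},    # conflict inside one system
    "carol": {("ERP", "XK02"), ("ERP", "ME21N")},   # no conflict
}


def functions_held(actions):
    """Map each function the user holds to the (system, action) pairs that grant it.
    A function counts as held if at least one of its actions is assigned."""
    held = {}
    for fn, fn_actions in FUNCTIONS.items():
        matched = actions & fn_actions
        if matched:
            held[fn] = matched
    return held


def analyze(user_actions=USER_ACTIONS, risks=RISKS):
    """Unified analysis over all connected systems.
    Returns {user: [finding, ...]}; each finding names the risk, the granting
    (system, action) pairs as evidence, and whether the evidence spans systems."""
    findings = defaultdict(list)
    for user, actions in user_actions.items():
        held = functions_held(actions)
        for risk_id, (fn_a, fn_b) in risks.items():
            if fn_a in held and fn_b in held:
                evidence = held[fn_a] | held[fn_b]
                systems = {system for system, _ in evidence}
                findings[user].append({
                    "risk": risk_id,
                    "evidence": sorted(evidence),
                    "cross_system": len(systems) > 1,
                })
    return dict(findings)


def per_system_findings(user_actions=USER_ACTIONS, risks=RISKS):
    """What separate, unconnected GRC environments would each report: the same
    check run on one system's assignments at a time. Returns {(user, risk_id)}."""
    seen = set()
    for user, actions in user_actions.items():
        for system in {s for s, _ in actions}:
            scoped = {user: {(s, a) for s, a in actions if s == system}}
            for u, items in analyze(scoped, risks).items():
                seen.update((u, f["risk"]) for f in items)
    return seen


if __name__ == "__main__":
    unified = analyze()
    isolated = per_system_findings()
    for user, items in unified.items():
        for f in items:
            tag = "CROSS-SYSTEM" if f["cross_system"] else "single-system"
            print(f"{user}: {f['risk']} [{tag}] via {f['evidence']}")
    missed = {(u, f["risk"]) for u, items in unified.items() for f in items} - isolated
    print("missed by per-system analysis:", sorted(missed))
```

Running it shows `bob` flagged for P001 by both the unified and the per-system check, while `alice` is flagged only by the unified check: her vendor-maintain action is in ERP and her payment action is in CFIN, so each system in isolation looks clean. Connecting all target systems to one ruleset is what makes that second finding visible, which is the practical reason the case study lists cross-system SoD detection as a separate milestone.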
The client gained significant value from the enhanced access control and newly enabled process control capabilities: improved EAM firefighter log review workflows, streamlined ARM user provisioning, a custom Fiori app for UAR, five transactional Fiori apps for GRC Access Control, activated automated monitoring sub-scenarios, and automated processes for nine IT controls and 56 business controls managed by their control owners.