Understanding SAP S/4HANA implementation risks with RSM—Part three: Experience matters

As organizations begin their SAP S/4HANA implementation processes, planning out a roadmap should be the first step. As discussed in the first part of this series, some organizations may not have enough experience with these types of implementations to lay out a fully thought-out roadmap that avoids implementation risks and optimizes the security and control features of SAP. These companies cannot afford to wait until too close to the 2027 deadline, or they risk missing out on engaging the partners they need to execute their plans—researchers are already predicting a shortage in qualified consultants.

Companies, particularly those that are publicly traded or in a regulated industry, may be tempted to rely on their internal project team and their chosen system integrator to help them implement a compliant solution. Because of the constantly changing regulatory landscape combined with ongoing control features and improvements introduced by SAP, this often leads to an implementation that addresses basic audit and compliance requirements, but in a sub-optimal way. Fortunately, there is a solution.

There is no substitute for experience

While there are a lot of implementation firms that do a good job of getting SAP S/4HANA set up in a way that allows businesses to run, many do not have the depth of internal control and audit assurance experience to optimize your internal control environment during the implementation. Many are not up-to-date on hot topics introduced by the Public Company Accounting Oversight Board (PCAOB) and other regulators, because that’s not a large portion of their core business. That’s OK, as long as you recognize that gap and supplement it with additional partners.

Just like it would be normal to seek a specialist when improving aspects of your overall health, it should also be normal to seek a specialist when dealing with the complex security and control features of SAP S/4HANA. Not only can these specialists help you understand the hundreds of configurable control options in SAP (many of which are not enabled by default), they can also help you document and test those controls during the implementation in a way that can be relied upon for internal and external audit purposes, thus reducing your overall cost of compliance.

Meeting the Market

RSM has significant experience in successfully transitioning and optimizing the internal control environment of customers to SAP S/4HANA. This experience informs the ability to craft a deliberate methodology that sets up companies for long-term success. For example, on a recent implementation RSM worked alongside the organization's internal resources and system integrator to help document and design roughly 100 configurable control settings, test those controls during SIT and UAT cycles, and obtain buy-in from the organization's external audit firm to rely on automated testing of numerous controls for Sarbanes-Oxley (SOX) compliance. In the annual audit following go-live, zero control defects were identified—something typically unheard of after an implementation.

Steve Biskie, principal for national SAP risk and automation services leader at RSM, says that one of his organization’s key differentiators is that it can help clients know what areas of their organizations and SAP landscape need to be addressed, largely because his team is dedicated specifically to security and control functionality with SAP S/4HANA and prior versions of the system.

“There are some areas where we can come in and quickly dig into some key business processes to say, ‘In the vendor master file or customer master file was there any discussion around dual control over sensitive fields? Did anyone talk about tolerances that can be set up for inventory adjustments?’ It’s all about knowing where to look and then helping clients drive those conversations and say is this something you should even be talking about on the implementation?” said Biskie.

What this means for SAPinsiders

It is much cheaper to go live with an optimal security and internal control environment than to try to retrofit security and controls after the fact. Doing so can also reduce the organization’s overall cost of compliance, yet many teams do not have experience with these specific types of decisions or even an understanding of useful control features that can reduce risk and increase efficiency. Companies must find experienced partners like those at RSM to support them through this aspect of the implementation process to minimize risk and ensure success.
