Addressing five common SAP governance, risk and compliance problems

When it comes to SAP governance, risk management and compliance (GRC), things don’t always go so smoothly. With the right tools, team and approach, you can automate audit readiness, save money and improve productivity. Here are five common SAP GRC problems, along with ways to solve them.

1. Your SAP GRC software doesn’t live up to your expectations

With some SAP GRC software solutions, many companies never achieve a base level of functionality. The first step in addressing this problem is resetting expectations. SAP GRC software is supposed to be enterprise-grade. It shouldn’t have gaps or glitches that require endless tinkering or elaborate workarounds — it should solve your problems.

Sit down with your compliance team or bring in a GRC consulting partner. Think about questions like: How is our current SAP GRC solution falling short? What effect is it having on audit results? What extra work is it creating internally? And what would it take for an SAP GRC solution to meet all our needs?

2. You’re struggling with consistently poor SAP audit findings

All too often, a poor audit – or several of them – is what forces a company to face how broken its GRC processes and software are. Organizations find themselves in a cycle of poor audits and unsuccessful remediation, wasting money and resources while maintaining an unacceptable level of legal risk.

That was the situation a leading manufacturing company and supplier of premium building materials found itself in when it first approached NTT’s Managed Services division. The company had already invested in trying to address negative auditor findings, but remediation efforts had failed — and efforts at manual remediation made the situation worse.

It turned out to be much easier to implement something new. With ControlPanelGRC – implemented in just one week – the company completed its entire remediation project in under four months. Benefits included:

• 80% lower security consulting costs
• 75% reduction in annual SAP security administration costs
• 50% lower external audit costs

3. Your SAP GRC software produces unusable output

SAP GRC solutions should produce output that supports the needs of a range of stakeholders. Business users must have clear, navigable tools that allow them to self-assess; technical users need to be able to get into the nuts and bolts; and auditors need comprehensive reporting that enables both a high-level view and detailed analysis.

To fix this problem, you need to prioritize usability in your SAP GRC software. You should have a range of stakeholders involved in the purchase decision so that you can verify your solution will work for everyone before you commit. Make sure your vendor can answer all stakeholders’ questions, and demonstrate excellent ease of use and visibility.

4. You lack SAP GRC automation

When you need to send a message to a coworker, do you run and post a sticky note on their door? When you’re holding a meeting, do you have everyone send you a letter to confirm they’re coming? Of course not. With SAP GRC, many companies are still doing things the ‘old’ and manual way. They print out emails and records to report to auditors. They pore through thousands of pages of report data by hand, instead of having the computer automatically screen it for GRC issues.

This isn’t only hugely wasteful and inefficient – it’s also risky when you factor in human error.

Pervasive compliance automation is a must. Your GRC automation tool should monitor your system in real-time and flag potential conflicts for review, as soon as they’re detected. It should run reports, route them for review and document approvals, so you don’t have to chase signatures down. That way, when it’s time for your SAP audit, you won’t have to scramble to collect documents — everything will be ready for your auditor to review.

5. You lack sufficient GRC vendor support

If your SAP GRC program is broken and always has been, it’s hard to know in advance what it will take to fix it. Experts can help. You need a vendor who’s focused on your success and can provide you as much (or as little) support as you need.

Look for a vendor who provides comprehensive managed SAP compliance and security services, in addition to GRC software. At NTT’s Managed Services division, we’re committed to providing a solution tailored to your needs. Whether you want a completely managed GRC solution, or just someone to set up the software and provide occasional technical assistance, we’re here for you.

Want to learn if ControlPanelGRC is right for your business? Talk to one of our representatives today.

Scott Goolik is the vice president of SAP security and compliance at the Managed Services division of NTT Ltd., Americas.