10 Tips to Ensure Compliance Doesn’t Slip After a GRC 10.0 Go-Live

  • by Nicola White, Director, Turnkey Consulting Ltd.
  • August 5, 2011
When you are designing controls as part of an implementation of version 10.0 of SAP BusinessObjects GRC solutions, give some thought about how your organization will be able to maintain levels of compliance six months or one year later. It is easy to become noncompliant almost immediately post go-live. These best practices can help you avoid that pitfall.
Key Concept
Version 10.0 of SAP BusinessObjects GRC solutions offers increasing opportunities to manage compliance not just across multiple SAP environments, but also across ERP providers – for example, Oracle. Version 10.0 of SAP BusinessObjects GRC solutions provides organizations with a better understanding of their risk exposure and also highlights risks that, although always present, had never previously been identified.

Version 10.0 of SAP BusinessObjects GRC offers greater functionality, but without careful planning you can face both immediate and long-term maintenance challenges post go-live. Risk analysis and remediation (RAR) is a good example. Increased automation and pressure from external audits can lure organizations into defining a constantly increasing number of key controls against which to manage. Maintaining a conflict-free environment may seem easy, but the sheer volume of controls can become tough to handle.

Another problem, far more difficult to address, is that of capability. SAP BusinessObjects GRC solutions make it relatively easy to increase the quality of both the controls and the reporting. However, outside the project team it can be difficult to find staff with the skills and capability to match the technology in place.

The organization risks noncompliance if controllers are unable to interpret the monitoring information they are provided. An example is the use of firefighter (emergency access management in version 10.0 of SAP BusinessObjects Access Control) whereby reviewers are required to examine audit logs post-usage. Finding staff with the requisite functional and technical expertise to conduct more than just a superficial review can prove daunting. Performing a detailed review of firefighter usage is laborious and often underestimated in terms of time, effort, and pre-existing knowledge.

Another challenge is that an organization’s environment can be perceived as less compliant after an implementation of SAP BusinessObjects GRC solutions, purely because of the greater visibility of control weaknesses that the solutions provide. This may lead to business units refusing to accept the new functionality. However, the risks are no greater than before; the difference is that now everyone can see the gaps.

So what can you do to avoid falling into the trap of noncompliance post go-live? Here are 10 tips to consider.

1. When you define the controls, do not introduce high volumes of new controls at the start. Focus instead on the real business risks. An SAP system provides the ability to define access at a more granular level than other applications do, so it is always tempting to create high volumes of controls at the same level (for example, document types). If you intend to define a greater number of risks as part of your ruleset, categorize them and focus only on critical and high business risks. Your auditors may encourage you to record all your risks, but if you know they are not business critical (i.e., the business will accept the risk), then you may want to leave them out of the ruleset initially.

Nicola White

Nicola White is a director with Turnkey Consulting Ltd., (www.turnkeyconsulting.com), which is a specialist IT security company focused on combining business consulting with technical implementation to deliver information security solutions for SAP systems.
