Here are 5 amazing facts, drawn from our extensive experience with SAP customers who must maintain SOX compliance, with GRC consultants and with auditing firms.
1. The focus is on compensating controls much more than on eliminating risk.
…and it should be the opposite.
Many people, when they do find an SoD conflict, don’t want to solve it, for two reasons: either they’ll have to reduce the user’s authorizations, which will upset the user, or they’ll have to bring in external consultants, which is expensive. Focusing on compensating controls is the “more comfortable” solution for those who would rather avoid a confrontation with their users and auditors.
Instead, they’ll apply a compensating control. A typical example is a report listing everyone who can both create vendors and pay those vendors, which someone then has to review and approve. The irony is that, over time, the approval process often costs more (in hours, and therefore money) than solving the conflict would have, and the risk is still there.
2. Often, the only people who really care about eliminating GRC risks are risk assessment managers and auditors.
Like ISO standards, GRC is there for good reason. It decreases the chance of fraud and makes for good business processes.
Nonetheless, most people treat it like the dentist. They whine and complain and put it off until it’s time for the appointment. And then, 10 minutes before, they floss for the first time in six months. Or, in the case of SOX compliance, they might remove SAP_ALL from the power users right before the audit and put it back right after. They just want to get through the audit. Shocking.
One would expect people to treat GRC more seriously and with better manners. Remember, the regulations weren’t written to make life miserable, but for the greater good.
3. After go-live, custom developments are not treated properly.
When a company develops a new activity, such as handling invoices, it needs to be placed in the right activity group. However, if the GRC project is already complete and the implementation is over, it usually isn’t. Most people define the activity groups during the initial GRC implementation and then do not maintain them, typically because they’ve forgotten about them. The result? Potentially hidden violations of the Segregation of Duties rules.
It’s vital to add to and update the activity groups over time, but it’s nearly impossible to remember to do this on your own. That’s why we raise alerts about new T-codes in the production system: the T-code gets noticed, and someone can consider whether it belongs in any of the groups they’re maintaining.
4. Getting a high-priced GRC solution without inspecting the implementation and maintenance costs is a mistake.
If you think a free lunch will put a feather in your cap, remember there’s no such thing as a free lunch.
Getting a “free” high-priced GRC solution without considering implementation time and overall costs is like getting a huge turnpike truck with two 48 ft. trailers (maximum weight up to 147,000 lbs. or 67,000 kg) for free and forgetting its outrageous fuel consumption and enormous maintenance costs. You’ll discover that it’s an especially expensive toy if you only need to handle regular tasks. Plus, it might take a year and cost a fortune just to get it to your garage in the first place.
You may just find that paying for a more efficient GRC solution upfront may be a better choice from the standpoints of implementation time, the chances of going live successfully, and overall costs.
5. Even large organizations only need about 60 effective SoD rules.
We learned this amazing fact from our consulting-firm partners. Customers tend to assume that as they grow they need more SoD rules, and that is not necessarily true.
If a company is managed properly, its main business processes, such as issuing an invoice or paying a vendor, are not so different between a large enterprise and a small organization. So, if you define the SoD rules well, their number shouldn’t grow even as the organization grows.
Sure, large enterprises are more complex by nature and have more “activities” to operate, but those activities still fall into the same “activity groups” a smaller company would use. Pick your GRC consultants carefully and inspect your SoD rules thoroughly to see that they fit your organization’s needs. Don’t overcomplicate the process, because it will become cumbersome and excessively costly.
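As an added illustration (not code from the original post), here is a small Python model of the approach described in sections 1, 3 and 5: T-codes mapped into activity groups, a short list of SoD rules written against groups rather than against individual codes, a conflict report of the kind used as a compensating control (who can both create and pay vendors), and an alert for T-codes that turn up in production without belonging to any group. The T-codes are standard SAP codes, but the grouping, the rules, the user assignments and the production T-code list are constructed sample data, not anyone’s real configuration.

```python
# Added example, not from the original post. All data below is constructed.
from dataclasses import dataclass

# Activity groups: each group lists the SAP transaction codes that perform it.
# The codes are standard SAP T-codes; which group they belong to is an assumption.
ACTIVITY_GROUPS = {
    "CREATE_VENDOR": {"XK01", "FK01", "XK02"},   # create/change vendor master
    "PAY_VENDOR": {"F110", "F-53"},              # payment run / outgoing payment
    "POST_INVOICE": {"FB60", "MIRO"},            # enter / verify vendor invoice
    "CREATE_PO": {"ME21N"},                      # create purchase order
}

# SoD rules at activity-group level: two groups one person should not hold.
# New T-codes only need to be placed in a group; the rules themselves stay small.
SOD_RULES = [
    ("CREATE_VENDOR", "PAY_VENDOR", "Create a vendor and pay that vendor"),
    ("CREATE_PO", "POST_INVOICE", "Order goods and post the invoice for them"),
]

# Constructed sample of users and the T-codes their authorizations allow.
SAMPLE_USER_TCODES = {
    "alice": {"XK01", "F110", "ME21N"},   # can create and pay vendors -> conflict
    "bob": {"ME21N", "FB60"},             # can order and post invoices -> conflict
    "carol": {"XK01", "XK02"},            # only vendor maintenance -> no conflict
    "dave": {"ME21N", "F110"},            # no rule covers this pair -> no conflict
}

# Constructed sample of T-codes observed being executed in production.
SAMPLE_PRODUCTION_TCODES = {"XK01", "F110", "ZINV01", "ZNEW_REP"}


@dataclass
class Conflict:
    user: str
    rule: str
    group_a: str
    tcodes_a: set
    group_b: str
    tcodes_b: set


def groups_for(tcodes):
    """Return {group: matching T-codes} for every group the given T-codes touch."""
    hit = {}
    for group, members in ACTIVITY_GROUPS.items():
        matched = members & set(tcodes)
        if matched:
            hit[group] = matched
    return hit


def find_conflicts(user_tcodes):
    """Apply SOD_RULES to each user; return Conflict records sorted by user and rule."""
    conflicts = []
    for user, tcodes in user_tcodes.items():
        held = groups_for(tcodes)
        for group_a, group_b, description in SOD_RULES:
            if group_a in held and group_b in held:
                conflicts.append(Conflict(user, description, group_a, held[group_a],
                                          group_b, held[group_b]))
    return sorted(conflicts, key=lambda c: (c.user, c.rule))


def unmapped_tcodes(production_tcodes):
    """T-codes seen in production that belong to no activity group (section 3 alert)."""
    mapped = set().union(*ACTIVITY_GROUPS.values())
    return sorted(set(production_tcodes) - mapped)


if __name__ == "__main__":
    # The compensating-control report from section 1: who holds a conflict, and why.
    for c in find_conflicts(SAMPLE_USER_TCODES):
        print(f"{c.user}: {c.rule} "
              f"[{c.group_a} via {sorted(c.tcodes_a)}; {c.group_b} via {sorted(c.tcodes_b)}]")
    # The section 3 alert: codes that need a decision about which group they belong to.
    for tcode in unmapped_tcodes(SAMPLE_PRODUCTION_TCODES):
        print(f"ALERT: T-code {tcode} seen in production but not in any activity group")
```

The point of keeping rules at the group level is visible in the data: adding a custom Z-transaction never changes SOD_RULES, it only adds one line to ACTIVITY_GROUPS, and until someone does that the unmapped-T-code alert keeps reporting it. Conversely, dave’s combination is silent not because it is safe but because no rule names it, which is why the post advises inspecting the rule set against the organization’s own processes.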