SAP Access Control Solution Buyer’s Guide:
What to Consider Before You Buy
Access controls are no longer just about governance, risk and compliance. They are a part of the bigger holistic cybersecurity strategy and enterprise risk management plan. Learn more before you buy.
If you’re reading this guide, you are most likely searching for or considering an SAP access control solution for your ERP environment for the first time, or are seeking a replacement for an existing system. Just like all technology selections, it’s a best practice to do your homework and understand all of the aspects that may impact your buying decision. Co-authored by four professionals with combined experience at KPMG, SAP and IBM, this guide will help you evaluate what you need, what should be weighted most heavily in your choice and which solutions provide the best long-term value.
Access controls are no longer just about governance, risk and compliance (GRC). They are a part of the bigger holistic cybersecurity strategy. Learn more before you buy and consider the following:
– How extensive should your controls be? ERPs don’t function in silos; there are many integrated systems that need protection, too.
– What functionality do you need most? How do you decide and who should decide?
– There are hidden costs you may not know about. Understand the full scope of ownership expense.
Don’t make your decision without first reading through this comprehensive guide! And use the decision-making worksheet included to help steer your needs assessment.
Internal Controls Needs Assessments
When making your SAP GRC solution selection, first determine what you need in a solution by evaluating your company’s requirements. There are four important points to keep in mind when doing this exercise:
A company should not complete this process in a vacuum with only one department, such as IT, security, finance or audit/compliance. Rather, the needs assessment should be part of a holistic cybersecurity strategy that includes both internal and external security needs, and it should be done cross-departmentally and with all stakeholders. Internal controls are a means of achieving compliance and fraud prevention, and also a security system that prevents access to or sharing of sensitive company data, which makes them an internal cyber defense tool. As such, they require input from decision makers across the enterprise. Even human resources professionals should understand the value of access controls and their implications for an organization’s people. Often, IT has the budget for the acquisition of internal controls technology but may have a limited understanding of its value. Compliance leaders know the value of controls, and finance and/or operations are the business owners who should be accountable for the risk. Choosing an automated solution requires all parties to acknowledge their roles and responsibilities and reach consensus in the selection process.
Decision makers should consider the extent of access controls needed for the organization. The primary ERP application isn’t the only system that requires protection from internal threats. Many other systems may also integrate with a company’s ERP platform. A prime example is the recent change in SAP’s product offering. With S/4HANA, some functionality, such as HR and supply chain, that previously resided on a homogeneous technology stack now sits outside of the S/4HANA digital core in the form of cloud apps, like SAP SuccessFactors, SAP Concur, SAP Ariba and SAP Fieldglass — each with different architectures, security designs and risks. To take advantage of the existing and growing number of cloud applications integrated within SAP’s ecosystem – as well as those external to it that connect to S/4HANA – while still having a cross-application view of access risks and managing segregation of duties (SoD) across all systems in the enterprise, SAP customers need to think about how to do that as simply and cost-effectively as possible with one solution. Instead of using disparate internal security solutions, organizations are moving to consolidate risk management for an all-inclusive, single view of risks.
Think about future requirements. When selecting new technologies, think beyond your present need to what you may require down the road. This entails two avenues of thought and a little forward thinking. First, how might the problem you are trying to solve today change over time, and what will you need in the solution to solve that potential future problem? Will the system you are acquiring have the agility and ability to adapt to future needs – without costing your business more money?
What is your company’s appetite for risk? You must consider this question in your assessment, and you should bear in mind compliance requirements as well as all of the facts around internal threats and fraud.
If your organization is a publicly traded company that must comply with the Sarbanes-Oxley Act (SOX) or another country’s version of SOX – J-SOX, C-SOX, etc. – how willing is your company to risk failed internal audits or audit errors and the subsequent fines, audit firm fees or even imprisonment of company officials?
SOX noncompliance can be costly. “Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.” Investment dollars and revenue are prone to shrink for a failure to comply as well.
SOX isn’t the only compliance mandate that can result in fines or imprisonment. The US Securities and Exchange Commission’s 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosure makes it clear that internal cyber threats are included in disclosing cybersecurity risks and incidents. Likewise, the Commission has increased its focus on holding executives personally accountable for incidents. In 2018 alone, the SEC charged individuals in more than 70 percent of the stand-alone enforcement actions it brought. Those charged included CEOs, CFOs, board members, as well as accountants, auditors, and other gatekeepers.
Merely disclosing a risk to the SEC is not sufficient. The Commission sent a loud message in January 2019 when it penalized four companies with total fines of approximately $450,000 for their internal control deficiencies. Each of the companies had previously disclosed their weaknesses but failed to fix them.
Compliance regulations aside, all companies, not just public companies, ought to objectively take into account the real impact of fraud and insider threats. The Association of Certified Fraud Examiners (ACFE) estimates that a typical company loses five percent of annual revenue to fraud. To put that in perspective, an SMB with $50 million in revenue or an enterprise with $1 billion in revenue may lose $2.5 million and $50 million respectively to fraud. Worldwide, fraud amounts to approximately $3.5 trillion in losses.
One of the most problematic aspects of fraud is that it is difficult to detect and can go unnoticed for years without advanced internal controls. The ACFE reported in its 2018 Global Study on Occupational Fraud and Abuse that about half of fraud cases involved internal control weaknesses in which there were either no controls in place (30 percent) or employees were able to override controls (19 percent).
However, fraud isn’t the only risk that access controls can prevent. A rising number of employees access sensitive company data and steal it in order to give it away or for financial gain. Even more concerning is the escalating number of insider breaches. Insider threats are the cause of 60 percent of cyberattacks, according to the IBM X-Force Threat Intelligence Index. One source cites an even higher number of 75 percent.
In a report published by Deep Secure, nearly half of office employees would sell corporate information to people outside their organization. Additionally, £1,000 would be enough to tempt 25 percent of employees to give away company information and five percent would give it away for free. In another study, one in 10 employees said they would take as much company information with them as possible before leaving their job. Assuming you have a loyal, trustworthy workforce is folly.
Are these risks your company is willing to take? A company that wants to protect its assets and grow its bottom line as well as prevent reputational damage and loss of customer and investor trust will take the growing number of fraud and insider breach incidents seriously and take the proper steps to secure its systems with internal controls.
Top Requirements for Internal Controls
Once your company has established the need for internal controls and whether you need enterprisewide visibility and management of risk, move to the next step of determining your detailed system requirements. What controls are best for in-depth but rapid reporting, ease of deployment, agility, scale, automatic upgrades, integration and lowest total cost of ownership?
There may be cases in which manual controls suffice, for example very small companies with few employees who access the company’s ERP or other connected systems. Still, even in these situations, a business must take painstaking care to constantly monitor access and ensure that no one person has the ability to perform dual tasks that could result in fraud. The ACFE reports that the smallest organizations tend to suffer disproportionately large losses due to fraud. The biggest reason: they lack sophisticated internal controls, and responsibility for bookkeeping, deposits, payments, reporting and auditing is not shared.
Types of fraud that are common for small businesses include:
• Wire transfer schemes
• Expense reimbursement schemes
• Register disbursements
• Payroll schemes
• Cash larceny
• Check tampering
• Financial statement fraud
• Corruption schemes
• Billing schemes
This sort of fraud is equally prevalent in large enterprises. No company, large or small, is immune. Additionally, it’s not just malicious fraud that companies need to prevent. They must also minimize opportunities for unintentional errors, which can be just as costly and damaging. The best preventative measures are adopting a zero-trust environment, deploying an internal control system that can provide instant, in-depth analysis of and visibility into risks, and not only designing but also maintaining the design of your logical access roles.
Roles and Rules
Role design and maintenance, which align employee roles in the organization with the permission levels they are granted, are central to any access control solution. Without those two components, any system will eventually fail. Equally important to roles are the rules that stipulate access rights for groups, users, roles or access objects.
Look for an access control solution with a top-rated rulebook created by audit professionals and vetted by the Big 4 accounting firms: Deloitte, EY, KPMG and PwC. Confirm that the rulebook is editable and customizable for your specific transaction codes. Having such a rulebook will enable you to immediately run access controls with the confidence of industry-leading, tested rules. If your company already has a rulebook, make sure your customized rulebook can be easily imported into the solution.
Secondary to rules and role design is the reporting associated with role permissions and analysis results. A chief complaint about many access control solutions is the lack of robust, comprehensive reporting that can be done rapidly with easily digestible results. Reporting – being able to pull and analyze data on users and their role-based access – is the foundation of access control systems and visibility into risks. What matters most when considering reporting capabilities? You should appraise the following:
• Is the reporting actionable business intelligence; can you quickly comprehend results and understand what actions need to be taken? Business owners, not IT, are the consumers of reports; therefore, the data should be easily understandable.
• How deep does the reporting go; can you drill down to generate reports at the authorization object field value level and create reports by user or role?
• How are reporting results presented; are you provided with data that you are left to sort and analyze further on your own or is there a dashboard that clearly explains the number and degree of risks in order to act upon and remediate them promptly?
• Is the reporting audit-ready with digital signatures to simplify completeness and accuracy tests?
• How quickly can reporting be up and running in your environment?
• Does a large report slow or impact your ERP system performance; does the access control solution sit within the ERP environment and actually consume work processes, thereby slowing operation of the ERP platform?
• Can you generate reports at any time during the day without impacting the ERP system performance?
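As an added illustration (not the guide’s own material and not any vendor’s product) of what the rulebook described under Roles and Rules and the user- and role-level reporting asked for above amount to in practice, the following Python evaluates a constructed SoD rulebook against constructed role and user assignments and reports each hit together with the roles and transaction codes that cause it. The transaction codes are standard SAP ones used only as labels; the function mapping, risk ratings, roles and users are all assumptions, and the analysis works at transaction level rather than at authorization object field values.

```python
# Constructed rulebook (illustrative, not any vendor's or audit firm's rule set):
# a business function is granted by a set of SAP transaction codes, and a risk is
# a pair of functions no single person should be able to perform alone.
FUNCTIONS = {
    "VENDOR_MASTER": {"FK01", "FK02", "XK01", "XK02"},
    "VENDOR_PAYMENT": {"F110", "F-53"},
    "PURCHASE_ORDER": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO"},
    "INVOICE_ENTRY": {"MIRO", "FB60"},
}
RISKS = {  # risk id -> (function A, function B, rating)
    "P001": ("VENDOR_MASTER", "VENDOR_PAYMENT", "HIGH"),
    "P002": ("PURCHASE_ORDER", "GOODS_RECEIPT", "MEDIUM"),
    "P003": ("PURCHASE_ORDER", "INVOICE_ENTRY", "HIGH"),
}

# Constructed role and user assignments standing in for PFCG/SU01 extracts.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FK02", "MIRO", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_AP_SUPER": {"XK01", "F110"},  # conflict built into a single role
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "bob": {"Z_PURCHASER", "Z_WAREHOUSE"},
    "carol": {"Z_PURCHASER"},
    "dave": {"Z_AP_CLERK", "Z_PURCHASER"},
}

def functions_granted(tcodes):
    """Business functions reachable from a set of transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def find_violations(tcodes):
    """[(risk_id, rating)] for every rule whose two functions are both reachable."""
    granted = functions_granted(tcodes)
    return [(rid, rating) for rid, (a, b, rating) in RISKS.items()
            if a in granted and b in granted]

def analyze_roles():
    """Role-level analysis: roles that carry an SoD conflict by themselves."""
    return {r: find_violations(t) for r, t in ROLE_TCODES.items() if find_violations(t)}

def analyze_users():
    """User-level analysis with drill-down to the roles and tcodes behind each hit."""
    report = {}
    for user, roles in USER_ROLES.items():
        tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
        hits = []
        for rid, rating in find_violations(tcodes):
            a, b, _ = RISKS[rid]
            relevant = FUNCTIONS[a] | FUNCTIONS[b]
            via = {r: sorted(ROLE_TCODES[r] & relevant) for r in roles if ROLE_TCODES[r] & relevant}
            hits.append({"risk": rid, "rating": rating, "via": via})
        if hits:
            report[user] = hits
    return report
```

Running `analyze_users()` on the constructed data flags alice, bob and dave (carol is clean), and `analyze_roles()` flags Z_AP_SUPER as a role that should never be assigned as built; a remediation decision can then be made per role rather than per user.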
Ease of Deployment
When choosing an access control solution, deployment is a factor. Some implementations, especially on-premise implementations, can be lengthy, require consultants or teams and come with set-up or integration fees. One of the best deployment options is cloud. It can be quick and easy, and in some cases be implemented in under an hour and produce reports and analytics the same day.
Another deployment point to bear in mind is whether an access control solution is installed within the ERP environment and runs on the same servers as your ERP system, as mentioned above, or if it can be implemented without intrusion into your ERP. The former can require more implementation time and cost and can impact the processing power of the ERP solution itself, while the latter does not.
Upgrades and Maintenance
An implementation that involves software installation won’t only lack initial ease of deployment; future upgrades may require new migrations and deployments all over again, whereas such upgrades with a cloud solution are generally seamless, undisruptive, painless and free.
An on-premise internal control solution can place you in an upgrade trap in which every new version requires not only an upgrade fee but in many cases a migration of data – including migration of rules, role profiles, value mappings, workflows, user-based and object descriptions and more – or a change in platform.
Maintenance costs and resources are also something you need to examine, deciding whether you want to take them on or be free of the associated human resources, time and financial burden. On-premise systems come with maintenance, support, system and server demands, whereas cloud solutions can eliminate them.
Agility and Scale
In addition to hassle-free upgrades and maintenance, companies should look for the same effortlessness when it comes to agility and scale. The ability to have quick processing and adaptability to the changes that might occur within the ERP technology are features of agility you’ll want. Ask vendors about the future vision for their access control products. You want to future-proof your controls as much as possible and make sure your vendor can enhance their offerings to align with whatever transformation might take place in your ERP environment.
A relevant example of such a transformation is the transition to SAP’s HANA and S/4HANA, which also requires access controls that are compatible with the new ERP as well as the other applications in the cloud. In some cases, an additional bridge solution is required to perform access risk analysis of all systems across the business.
Also, can the systems you are vetting scale with speed and flexibility? Make sure you are able to scale up or down according to what may happen in the future without difficulty and without any decrease in performance.
Both agility and scale make a solid case for adopting a cloud solution, which nearly always provides more versatility, in addition to more high-powered processing and storage and savings in cost and time.
Budget/Cost of Ownership
Even when you find the solution that meets your requirements, you’ll still have one final box to check: Does the access control product fit your budget? There are, however, two financial concerns to contemplate: annual budget and total cost of ownership.
Most decision makers focus on their budget and how much it will cost to deploy, support, upgrade and operate a solution in terms of annual spend. Although that is an important element, total cost of ownership (TCO) is a stronger predictor of long-term value and savings. See the cost comparison in table 1 below.
Some upgrades for on-premise solutions actually constitute a migration to a new version. When that happens, the costs can be similar to an original deployment. As you weigh pros and cons, think about the less visible expenses, such as hardware replacement (recommended every 3-5 years), firewalls, energy expenses and the human resources needed to run on-premise systems. Also keep in mind the potential cost if on-premise servers are damaged, wiped out or breached. Cloud providers usually invest more in protection and security for data centers than typical companies can afford.
Weighing The Options
When all of your research is done and you’re ready to decide, you will find that most solutions won’t have everything. That’s the nature of technology development. However, understanding a vendor’s road map can help you know when a feature is planned for release. Moreover, don’t hesitate to ask a provider if certain functionality can be moved up on the development time line to accommodate your needs. If possible, many vendors will work with you to enhance a product to your specifications, depending on cost and resources.
As noted throughout this eBook, there are multiple considerations in the selection process – some perhaps more critical than others. Make sure to consider the following factors:
• How future-proofed is the solution? Can you avoid upgrade costs, scale up or down easily, and feel comfortable with where development will go for the years ahead?
• Deployment can be a big deal and a major expense, sometimes costing hundreds of thousands of dollars and taking weeks or months to complete. If implementation is that lengthy and pricey, it may signal what ongoing costs will look like over time.
• TCO, not annual cost alone.
• Deep risk analysis that spans applications.
• Reporting that is rapid and delivers immediate, actionable intelligence.
If you are on the fence about your choice of internal controls, do a trial run. Testing a solution isn’t really an option with on-premise solutions with longer implementation times, but cloud providers that can deploy and provide reporting the same day without disruption to your ERP environment can give you the added assurance of a test drive.