In most complex systems, especially those like SAP that handle enormous amounts of transaction data, defining an approach to governance, risk and compliance (GRC) can feel overwhelming. But SAP GRC has never been more important. According to a new survey from ERP Maestro, “Studies indicate that data breaches were up by 44.7 percent in 2017 and nearly $2 billion [worth of] records containing personal and sensitive data were compromised.”
Unfortunately, organizations often presume that their SAP systems are more secure than they actually are; thus, they fail to adopt enterprise resource planning (ERP) security solutions despite the threats to the enterprise. In May 2018, America’s SAP Users’ Group (ASUG) conducted a survey of IT, security and audit professionals using SAP. The survey, sponsored by ERP Maestro, found that 82 percent of respondents reported their SAP systems have only minor vulnerabilities and generally good access controls.
Bridging the SAP GRC Awareness Gap
Despite this optimism, 80 percent of respondents in security or GRC roles said they were either extremely or very concerned with the level of security around their SAP data systems. That statistic suggests there is a disconnect when it comes to understanding how to improve GRC.
To explain what it means to achieve GRC in SAP, Jody Paterson, CEO of ERP Maestro, said, “What we find is that when organizations are implementing large, complex financial systems, the question of how to design these systems to reduce risk to the organization is an afterthought.”
One obstacle for many organizations is that not every aspect of implementation is defined by a blueprint. Many organizations end up scrambling or trying to ram in security so they can start using ERPs. The result is a mess of a security infrastructure, which ends up full of access risks.
Limiting Internal Access
Governance, risk and compliance extends well beyond SAP, and achieving GRC requires that organizations begin addressing the risk of fraud. “Seventy-five percent of all threats are insider attacks,” Paterson said. “The majority of fraud comes from internal actors. There is huge potential for fraud that results from a lack of internal controls around access to the systems.”
Considering that 5 percent of revenue is lost to fraud — and that most organizations don’t even know they are losing it — that’s pretty substantial. What often happens, Paterson said, is that companies end up overstating expenses because so many people have so much access. The result is a lower bottom line, with the company never realizing that it is losing money to fraud.
Identifying Enterprise Risk
“Pick the right solution. Get the right visibility and have well-defined rules,” Paterson advised. Perhaps a more important starting point is to first know what risks you should be looking at. While there are standard risks within systems, oftentimes the issue is that organizations don’t know if they are looking for the right risks.
Let’s use the example of two distinctly different companies — a pharmaceutical company and a beverage company. The pharmaceutical company cares much more about inventory than the beverage company. Why? Because for the beverage company to lose enough inventory to be material to finances, a criminal would need to roll in and ship out 10 truckloads of soft drinks.
For the beverage company, attention to inventory is lower, which means that the standard set of rules doesn’t fit. “Rationalizing to make sure you are looking for the right things will help you set the rule books up,” Paterson said. Yet defining rules and risks generates a huge amount of work, and the results can often be astounding.
Achieving GRC starts with the upfront work of getting everything in line and setting a clean stage. But once you’re clean, how do you stay that way? Paterson offered these five tips for developing a successful SAP GRC strategy:
1. Establish Ongoing Controls
Use preventative controls and ongoing access analysis to maintain a continuous process. Implement periodic access reviews and controls around provisioning. Staying clean requires continuous compliance procedures. In addition, assess risks — which requires accurate visibility — and all possible scenarios that could occur in the event of a breach, then create well-defined rules based on industry best practices.
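The ongoing access analysis described here, rule book and periodic review included, can be sketched in code. This is an added example, not ERP Maestro’s or SAP’s own code; the action names, rule names, business types and users are constructed placeholders, and the per-business-type filter illustrates the pharmaceutical-versus-beverage point about inventory rules.

```python
"""Added example: a minimal access-risk rule book evaluated against user
access, the way a periodic SAP access review would run it.
Not ERP Maestro or SAP code; all names below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    conflicting: frozenset  # a user holding ALL of these actions has the risk
    applies_to: frozenset   # business types the rule is material for; empty = all


# Constructed rule book: two generic fraud rules plus one inventory rule that is
# only material for businesses where inventory losses matter (see the article).
RULE_BOOK = [
    Rule("vendor-create-and-pay", frozenset({"CREATE_VENDOR", "POST_PAYMENT"}), frozenset()),
    Rule("expense-enter-and-approve", frozenset({"ENTER_EXPENSE", "APPROVE_EXPENSE"}), frozenset()),
    Rule("inventory-adjust-and-write-off", frozenset({"ADJUST_STOCK", "WRITE_OFF_STOCK"}),
         frozenset({"pharmaceutical"})),
]


def evaluate(assignments, business_type):
    """Return {user: [rule names]} for each user whose combined access
    triggers a rule that is material to this business type."""
    findings = {}
    for user, actions in assignments.items():
        held = set(actions)
        hits = [r.name for r in RULE_BOOK
                if (not r.applies_to or business_type in r.applies_to)
                and r.conflicting <= held]
        if hits:
            findings[user] = hits
    return findings


def new_findings(previous, current):
    """Continuous compliance: report only risks that appeared since the last
    review, so a clean baseline can be kept clean rather than re-triaged."""
    return {u: sorted(set(rules) - set(previous.get(u, [])))
            for u, rules in current.items()
            if set(rules) - set(previous.get(u, []))}


# Constructed sample: user -> actions granted through their role assignments.
SAMPLE = {
    "alice": {"CREATE_VENDOR", "POST_PAYMENT"},
    "bob": {"ENTER_EXPENSE", "APPROVE_EXPENSE", "ADJUST_STOCK", "WRITE_OFF_STOCK"},
    "carol": {"ENTER_EXPENSE"},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE, "pharmaceutical"))
    print(evaluate(SAMPLE, "beverage"))
```

Running the review for the two business types shows the same user access producing different risk findings, which is exactly why a rule book has to be rationalized to the business before it is automated.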
2. Build GRC Knowledge at Every Level
It’s important to have GRC knowledge at every level of the organization, especially given the survey’s finding that a distinct disparity exists between the security concerns of executives and those of frontline IT and security employees. Only 25 percent of executives reported being either very or extremely concerned about security, compared with 80 percent of the latter.
3. Communicate and Train Across the Company
Communicating and training across the company is critical. Organizations need to train managers and employees on GRC so that all are aware of their part in achieving compliance. Given the increased risks that arise when security concerns aren’t taken seriously at the executive level, organizations should seek outside counsel if they need help increasing understanding across the company.
4. Create a Strategy
The survey showed that a third of companies using SAP don’t have a GRC strategy in place, which is why it is critical to involve the C-suite as well as the frontline employees in developing a strategy. Then, keep both internal and external auditors informed of your strategy and of any changes.
5. Leverage Frameworks and Automation
To help map controls that are relevant to the business, leverage security and compliance frameworks like NIST, COBIT and ISO. Enforce compliance by conducting ongoing access reviews and automate these where possible. Automation reduces the GRC burden on both IT and audit teams.
It’s an unavoidable reality that GRC frameworks must be completely integrated into organizational structures and roles from the top down to be successful. Although establishing the most effective strategy is a steep uphill battle, once you reach the summit, it’s merely a matter of maintenance and continued education.