In this podcast Simon Persin, senior manager and GRC solution lead at Turnkey Consulting, discusses the benefits of becoming certified in SAP GRC Access Control as well as how to ensure your compliance solutions are compliant. For more information on Persin's session at GRC 2013, visit GRC2013.com.
Dave Hannon, SAPinsider: Hello, this is Dave Hannon with SAPinsider. Joining me now is Simon Persin, a Senior Manager and GRC Solution Lead at Turnkey Consulting. Simon’s also a presenter at the upcoming GRC 2013 conference in Amsterdam, June 11-13th.
Simon Persin, Turnkey Consulting: Hi Dave.
Dave: Simon, I know at the GRC2013 conference, you’re going to be hosting a discussion forum on SAP Access Control certification. I want to start by asking you why that certification in particular is important to organizations running SAP Access Control today.
Simon: That’s quite a good question. It’s not a massively easy answer, to be honest. But, I suppose it depends on the nature of the organization themselves.
Certainly with the people that I’m seeing out of the marketplace and the customers that we’re working with, we see it differently depending on whether the customer is actually an end user of SAP or a consultancy in their own right.
If I take them both separately…
For customers of SAP - and that’s your end users - the value of the certification is more to provide that assurance that the people they’re employing and the consultancies that they’re using are accredited and have the actual skills that they need to implement the solutions properly.
Looking at it from the consultancy perspective, it’s one of the easiest differentiators for why you do or you do not win work. It is something tangible that the end users can look for.
Depending on where they are with the SAP technology, then it can mean different things to different people.
Dave: Is there a benefit of Access Control certification you think an individual might not be aware of?
Simon: I think so. Certainly for people who are working at end user sites, then it can contribute massively to some personal development plans and career progression. It can be an easy objective to get on the CV and to demonstrate that you’re learning and growing within the organization. Even to the organizations, it’s quite an easy way of proving to your employees that you value them and you’re progressing them through their career as well.
Again, for consultants, it’s a useful certification to gain. It’s not the easiest one to achieve, so it does demonstrate that you are gaining credible knowledge and able to use those skills on a customer site to implement the technology properly.
Dave: At the conference, you’ll also be hosting a session on “the compliance of your compliance solutions.” Could you provide an example of a time when compliance solutions may be out of compliance and what the potential impact to the business may be?
Simon: That’s one of my hot topics at the moment.
As a Senior Manager, I go around and I see a lot of implementations of GRC. I get involved in a lot of system reviews and some quality assurance checks as well. It’s become one of my favorite topics, to look at the actual controls in place around the GRC solution. It’s always put in as the solution to issues in SAP systems, and it’s very easy for people to forget that the GRC solution is actually an SAP system in its own right as well -- especially with the technology shift back to ABAP from version 10 release and forward from there.
Often, we’re looking at the same conditions that would be in place for SAP and just making sure that they are still in place for GRC as well: looking for GRC to have the capability to run SAP checks on itself, looking to see that there is GRC-specific content applied to the system to make sure that there aren’t any gaps in the control environment, and introducing any back doors that the GRC system can exploit.
The most common example for that is the use of the Firefighter component. We’re always looking to see that the privileged access and the unrestricted access to GRC is controlled. And the easiest way of doing that is to actually make use of the available GRC tools, such as Firefighter.
Also, because GRC has connections into most of the production SAP systems, we’re also making sure that the access around administration of the RFC destinations and all of the other Basis-level checks are still activated and secure.
Otherwise, you’re introducing potential risk to your organization from GRC as an application tool.
Dave: Who typically within an organization is responsible for monitoring the compliance of the GRC solutions?
Simon: That’s an interesting question, and one that’s been had on numerous different client sites that we’ve been working with. Trying to set up the governance around GRC and the organization that supports it is a really interesting topic and one that we also get involved with quite regularly.
In our view at Turnkey, you need to take a more holistic approach to the whole governance and security area. A lot of people think that you can just shoehorn GRC in alongside security and the authorizations teams as an offshoot to the basis activities, when in actual fact, the skillset is significantly different. You need to have much more of a compliance idea and more of an oversight as to what’s going on in the business rather than just technical knowledge of what an authorization issue is or what a technical risk is.
We do like to see a separate GRC team, which is responsible for managing the GRC solution, but that could have a shared reporting line into a technical architect or a GRC architect in its own right, which may well then have links into wider internal audit compliance or a more financially focused remit to guarantee the internal controls are working in the solution.
That becomes even more important if you widen out the technology to include things like process controls and risk management as well. So then rather than just being an Access Control system, you’re starting to look at more organizational compliance, organizational risk management, and really beefing up the technology behind those particular skills.
The governance side of things ultimately still reports into the top CXOs, CFOs, and CIOs for different types of reporting lines, but on the ground, there does need to be that segregation to realize that GRC is slightly different.
Dave: Lastly, what should companies consider when implementing GRC solutions to make sure that they are compliant down the road?
Simon: There are a lot of tips in my presentation in Amsterdam, so I don’t want to give away all of the crown jewels up front, but... I think the main overriding theme is really that the same rules apply. There shouldn’t be any excuses for putting GRC in without an eye toward compliant processes and procedures.
The technology is similar to the old ABAP stack that SAP has been on for a number of years. With the amount of experienced consultants in that area, the same rules should apply and be rigorously enforced. I know that the auditors, certainly the big four, are starting to look for those sorts of checks, and no longer are the excuses being held that GRC can’t be done in that manner. People are really starting to catch up and therefore, the same rules apply to GRC as you would expect to be anywhere else in your SAP estate.
Dave: Great. To find out more about Simon’s presentations at GRC 2013, you can visit GRC2013.com. Simon Persin, a General Manager and GRC Solution Lead at Turnkey Consulting, thank you very much for joining us today.
Simon: No problem, thank you.