With a strong focus on customer service and attention to detail, Multiquip, Inc. manufactures and supplies medium-sized construction equipment, power generators, lighting towers, and other industrial products for customers worldwide in industries such as aerospace, oil and gas exploration, telecom, and entertainment. From its humble beginnings in the early 1970s, when a single salesperson traveled throughout the US selling construction equipment out of a van, the business has experienced consistent growth, with numerous business units serving a global customer base from facilities all over the world. After the construction industry was hit particularly hard by the economic crisis of 2008, coupled with a maturation of the market, Multiquip opted to change its business strategy to rededicate itself to customer satisfaction. The strategy entailed the consolidation of some business units as well as streamlining its IT landscape.
A Time to Upgrade
Multiquip was under significant pressure to upgrade both its SAP ERP environment and its governance, risk, and compliance (GRC) platform. As a longtime SAP customer, the company’s IT department was well versed in new releases and enhancement packages for SAP solutions, so it knew that a full upgrade to SAP ERP 6.0 would drive more efficiencies than the 4.6 version could deliver. The motivation to upgrade to SAP ERP 6.0 included new general ledger (G/L) accounting capabilities; improved procurement processes from the integration of SAP ERP purchasing functions with SAP Supplier Relationship Management (SAP SRM) functions; extended warehouse management functionality; and Unicode compatibility. In addition, significant performance gains were expected by leveraging the 64-bit platform. These benefits were important to Multiquip because it planned to expand into China and needed to meet international financial and regulatory obligations.
Michael Hanken, Multiquip’s VP of IT, who has been working with SAP software for more than 20 years, explains the business driver for the upgrade in 2012. “In comparison to the 4.6 version, this platform is much better suited to dealing with enhancement packages and patches,” he says. “Overall, the agility it provides will allow us to move faster in directions we weren’t previously able to pursue. It was also important that we continued to honor our compliance obligations and support those auditors required to verify and validate our compliance.”
There were three reasons Multiquip wanted to upgrade its GRC controls environment: the existing controls platform was becoming increasingly costly to maintain, it was not keeping up with regulatory mandates, and the vendor’s support was quickly becoming an acute audit risk. Because Multiquip was (and continues to be) a subsidiary of ITOCHU Corporation, a global trading company based in Tokyo, it was required to meet operational performance targets and ensure proper controls for meeting International Financial Reporting Standards (IFRS) as well as Japan’s Financial Instruments and Exchange Law, commonly referred to as J-SOX (the Asia-Pacific version of Sarbanes-Oxley). Multiquip simply could not afford to continue with the existing controls platform, given the poor support and cost structure.
Between a Rock and a Hard Place
In anticipating the need for a more agile, cost-effective, and functionally complete platform, Multiquip also foresaw a key challenge: as a midsize company, did the business possess the necessary financial and personnel resources for a seamless upgrade? With the resources of a smaller company but the IT complexity of a multinational conglomerate, Multiquip recognized it faced challenges similar to those that many IT organizations face as midsize companies expand geographically. Regardless, the business couldn’t afford to miss the mark by spending too much to satisfy auditors in both the US and Japan — nor could it take on too much risk and fail to meet compliance requirements.
Within this context, Multiquip decided to migrate off of its current controls platform and move to a hosted model for its SAP applications. Hanken cites limited resources, budget, and speed as the decisive factors. “We came to the conclusion that the old-fashioned way of having consultants on board and testing and re-testing was just too expensive and outdated,” he says. “We just didn’t have the in-house resources.”
Regarding the determination to migrate off the existing third-party GRC solution, according to Hanken, the business was in transition and its compliance was soon to be affected. “We couldn’t get the data out of the system anymore without heartache, which significantly affected the controls framework,” he says. “Due to our audit requirements, there wasn’t room for error. We needed to find a solution quickly. Because we’re an SAP shop and understand SAP software, we decided to look for a technology that was embedded into the software with native code. We felt more comfortable with a single-platform solution instead of a bolt-on, stand-alongside architecture.”
Another factor in moving to a new platform was the hard savings Multiquip calculated as part of the due diligence process. When hardware, support, and staffing costs were taken into account, the return on investment for the GRC migration was very positive. “Our anticipated savings going with a new GRC solution were compelling,” says Hanken. “Even after factoring in the new licenses and services required for the implementation, we saw that we would be saving more by migrating than by staying with our legacy solution.”
From the Perfect Storm to the Perfect Fit
A search led the company to home in on Security Weaver. Its optimization for SAP landscapes, as well as the fact that Multiquip auditors were familiar with and confident in the toolset, meant a rapid implementation and a trusted solution when it was up and running. Both speed and confidence were essential requirements for Multiquip. The performance and reporting capabilities of Security Weaver also exceeded those of the previous GRC tool. (For more information about Security Weaver and its offerings, refer to the sidebar at the end of the article.)
“We have fairly intense operational management reporting, and it was important to us to meet the same workflow,” says Hanken. “It turned out to be much better, because the language in the conflict description now is much clearer than our previous tool. I know a little bit about the SAP landscape, and as far as performance goes, Security Weaver is remarkable.”
Multiquip implemented two modules right away, Separations Enforcer and Emergency Repair. Separations Enforcer provides segregation-of-duties (SoD) definitions and requirements that are auditable, traceable, and easily maintained. It supports simulation capabilities to identify conflicts before they are assigned, and it also enables the SoD rules matrix to be dynamically enhanced to automatically identify custom transaction codes that are SoD relevant, even if the custom transaction codes are not explicitly included in the rules matrix. Emergency Repair provides an auditable and secure way to control users needing temporary access. It ensures elevated access is in accordance with workflow requirements and provides controls to ensure activities performed during the period of temporary access are properly reviewed. Like Separations Enforcer, the module integrates with SAP ERP in a fully controlled, documented, and auditable manner.
According to Hanken, this integration was a key differentiator between Security Weaver and the previous third-party tool. “Security Weaver has created a much more stable environment. There are no extraction issues because it’s all written in ABAP code native to SAP software,” he says. “The level of integration is a tremendous advantage because we now have confidence that our solution provides a single source of the truth. With any tool that requires extraction of data, we lose control because of that additional layer, so there is always at least a sliver of doubt. That’s not the case with Security Weaver. It lives and breathes inside SAP ERP.”
Multiquip’s position as a midsize business made Emergency Repair a valuable part of the toolbox. “As a mid-market company, we have situations with only a limited number of people charged with certain duties, and if one person is out, someone else has to take over those duties,” says Hanken. “We run into temporary SoD situations commonly, and it would have been nearly impossible to build this control in a way that would satisfy auditors in Japan.”
Beyond the technology, one of the concerns Multiquip had with its previous GRC solution provider was the quality of support. According to Hanken, Security Weaver’s level of support and quality of implementation are a huge improvement. “The functionality worked as promised on day one, and the implementation required very limited resources from Multiquip,” he says. “And now we receive outstanding support, which is just one small part of why Security Weaver is the right partner for us. In my 30 years of IT experience, I’ve not seen many implementations with a better than expected outcome — and this was definitely one of them.”
From a technical perspective, the project was certainly a challenge but also a resounding success. “Being in the trenches during the migration, I started to worry we had bitten off more than we could chew,” says Vyerah Yende, Senior SAP Developer at Multiquip. “But the tool’s usability, the immediate familiarity of the environment, and the support we received quickly allayed any concerns, and the project went more smoothly than I could have imagined.”
And from an auditing point of view, the internal auditors are already reaping benefits. “The more we get familiar with the Security Weaver solution, the more pleased we are with it,” says Anne Gordon, Head of Internal Audit at Multiquip. “From the start of the implementation, this has definitely been a close partnership between audit and IT. The solution allows internal audit to take full ownership and, because it helps us all get our jobs done faster, it also helps us appreciate each other more.”
A Business and IT Merger
While Multiquip’s ERP upgrade, its move to a hosted environment, and its Security Weaver adoption were, in effect, three separate projects, they all conferred some of the same advantages: additional stability, control, reduction in staff hours, and agility. Hanken reports this was instrumental in helping to effect an overall change in mindset within the broader organization. These benefits led the business to view IT as more than an agent to enable automation — IT is now seen as an actual business function.
According to Hanken, this shift in perspective started with the upgrade, and was supported by the move to a hosted environment and an offshore shared service center. “Because the project went so well and only took 10 weeks, the perception of the SAP platform as a big, clunky tool changed,” he says. “Seeing that the project didn’t result in a single business interruption, there is now more buy-in from the top down. This success was also noticed by Americas’ SAP Users’ Group (ASUG), which recognized Multiquip with an Impact Award that was presented at the annual SAPPHIRE NOW event. These points were driven home further with the adoption of the Security Weaver controls platform, which executed without a hitch in a critical situation under a looming threat of audit failure. Both the SAP and Security Weaver platforms are viewed as something operations wants to use and not just seen as a tool for IT.”
Security Weaver is also part of Multiquip’s longer-term GRC controls platform strategy, which did not happen by accident, according to Hanken. “It’s a trickle-down mindset that takes time, so we wanted to capitalize on that mindset for our next project, and Security Weaver was a nice fit,” he says. “We involved our internal auditing teams from the outset, and let them know it would be their tool moving forward.”
The new solutions also save time and resources that IT can devote to other value-add projects. According to Hanken’s estimation, Emergency Repair saves his team roughly 60 hours a month in providing temporary access for more than 300 users, with Separations Enforcer cutting down audit preparation time by approximately 40%.
“The Security Weaver project was near and dear to my heart because it created a mindset that allows us to remove IT as being responsible for the policing of the company, which, in many ways, really isn’t our role,” he says. “And by having the business own what it should be owning, it alters the ideas of what IT can accomplish because IT will have fewer constraints.”