Are you confident that your SAP system and related processes are working as intended? Is this confidence based on opinion, or is it backed by fact?
Perhaps your talented SAP security team has been able to meet all of your security needs with standard SAP functionality, so you haven’t bothered to implement SAP Access Control. Your auditors rely on your manual testing procedures for compliance, so you haven’t implemented SAP Process Control. Your business users have no significant complaints, and you haven’t had a major process breakdown in several years.
These are achievements to be proud of, but they may not mean all is working as intended. Others in your position have also felt confident — until they were hit by fraud, process breakdown, or system failure resulting in public embarrassment, regulatory fines, and potentially even the loss of their job.
This fate can be avoided. An independent, in-depth SAP system assessment can help uncover issues that may be hidden from view by internal teams that are too close to the processes to be objective.
Hidden Issues in Systems
High Water Advisors regularly performs client system assessments to find these types of problems. Many organizations that we review have one key thing in common: They don’t believe they have an issue (often adamantly so). But we’ve found unexpected issues such as the following:
- Missing information: A standard report being relied upon for monitoring a key risk area was incompletely reporting results, preventing visibility into several significant risks that not only had serious compliance implications, but had actually been exploited.
- Overzealous contractors: A few external contractors had been giving themselves super-user privileges that had not been authorized, and were also using SAP default IDs (that should have been disabled) to perform critical business functions, unbeknownst to those in charge.
- Misplaced trust: Poor SAP NetWeaver configuration could have allowed any person connected to the client’s network to gain administrative privileges on a system administered and hosted by a well-respected third party.
- Generous relationships: Millions of dollars in unapplied credit memos, some of which were years old, were located. However, those same vendors were actively being paid from accounts payable (AP).
- Configuration confusion: Incorrectly configured payment tolerances resulted in quick payment of invoices when a vendor had overcharged. However, there was no ability to recognize an invoice difference that worked in the client’s favor.
- Potential fraud: Someone used an unmonitored back door to directly edit purchase orders at the table level.
An independent, in-depth SAP system assessment can help uncover issues that may be hidden from view.
These issues were not just present in one or two clients — they were widespread. This lack of knowledge of risks affecting the business is exactly why organizations should be looking to SAP solutions for governance, risk, and compliance (SAP solutions for GRC). Maybe you are in an organization that is not using SAP Access Control because you don’t think you have a security problem or you don’t have SAP Process Control because your control monitoring seems to be working fine without it. Perhaps you haven’t implemented SAP Fraud Management because you have good people. There may still be problems lurking beneath the surface that you can’t spot without focused attention.
If you want to know for sure if you need to add more robust GRC solutions to your landscape, consider an assessment by an independent expert. This review is not the same as a financial statement audit and it doesn’t need to be painful — it can be as short as a few hours or as long as a few days depending on the complexity of your SAP landscape. You will likely uncover issues that will make you glad you checked. For more information, visit www.highwateradvisors.com/content/sap-grc.