The rationale was clear — to eliminate manual, inefficient processes, reduce unnecessary administrative costs, mitigate risks related to separation of duties (SoD), and improve the overall compliance position, especially in relation to Sarbanes-Oxley (SOX).
Equally clear to the company was the opportunity to fully leverage the benefits of SAP® by engaging advisors with a strong record in SAP® implementations. The company selected KPMG in the US to lead the project, which involved several member firms, to support activities in controls integration, security, and the implementation of SAP® Governance Risk Compliance (GRC) modules. The KPMG engagement team had the requisite skills and experience to work closely with a range of service providers across multiple areas of the organization — a critical requirement for an enterprise-level project of this size and complexity.
For controls integration, the KPMG team was responsible for moving the company’s controls portfolio from a manual, detective system in the legacy environment to an automated, preventative system in SAP®. KPMG’s IT Advisory specialists also helped remediate issues, integrate controls activities into testing and cutover activities, operationalize controls, and transition project documentation into SOX documentation.
In the area of security, the KPMG team redefined and tightened data access based on SoD. The existing SAP® security role strategy was overly complex and granted excessive levels of access to SAP® users. The KPMG team designed and executed an easy-to-maintain and scalable strategy that limited excessive access by adhering to a least-privilege principle.
GRC activities supported by KPMG involved mitigating risk related to user access during the SAP® implementation. KPMG specialists designed and implemented an SAP® GRC tool suite that helped automate SoD analysis for SAP® roles and user assignments, in addition to automating user provisioning and role approval processes. The KPMG team also implemented a password reset self-service solution using SAP® GRC tools.
The SAP® implementation was shown to mitigate risk and enhance the company’s compliance efforts. The central benefit, however, was a significant reduction in costs for security administration. This was driven by the automation of over 65 percent of SAP® controls and the reduction of SAP® security roles by more than 75 percent.
These cost reductions are expected to continue, based on implementation of automated workflows, streamlined procedures, improved compliance reporting and efficient self-service solutions, with the assistance of the KPMG team.