Many companies who outsource their SAP security and authorisations are faced with the challenge of accountability. The question that needs to be addressed is: Who bears the responsibility for access-related changes that introduce risk?
Without an SAP access risk tool, the company as well as the outsource partner are flying blind when dealing with access risks. The company mistakenly assumes the outsource partner will flag potential access risks before implementing changes in SAP.
This led Cashbuild, South Africa’s largest retailer of building materials and associated products, to look for more than just an outsourced solution. They felt they needed the benefits of an on-premise access risk solution as well as access to Governance, Risk and Compliance (GRC) expertise in a cost-effective manner that was relative to their size and risk exposure. They found the right fit by upgrading their SAP authorisation outsource model to a GRC managed service model.
By implementing Soterion’s GRC Managed Service module, Cashbuild are now able to see the risk impact of each SAP access change request performed by the service provider prior to it being applied in SAP. This enhanced visibility provides reassurance to Cashbuild and the service provider that access risk is being managed effectively.
“Where the SAP authorisation outsourcing model is simply order taking, GRC as a managed service involves proactive risk management by the service provider. A much more value-add service,” says David Johnstone, Senior Manager – Financial Services.
Companies are transitioning to a GRC managed service model for similar reasons:
- Although on-premise GRC tools are prohibitively expensive, businesses nevertheless require some tool to allow visibility into their SAP access risk exposure.
- Limited in-house GRC expertise, as well as challenges in retaining GRC specialists.
- GRC is complex and needs to be proactively managed with clear accountability.
- The need to limit exposure to fraud and address audit concerns in a way that is financially sensible for the company's size.
For Cashbuild, this all came together in a GRC managed service relationship with Soterion allowing them to focus on their business, knowing that their SAP security is comprehensively taken care of.