SAP ERP Financials software includes some functions that are geared toward helping organizations comply with governmental and industry-specific regulatory mandates. But organizations in highly regulated industries sometimes require heavier lifting than ERP Financials alone can offer.
Those companies should consider integrating SAP ERP Financials with SAP governance, risk and compliance (GRC) software, according to experts.
With SAP ERP Financials, users get general ledger, accounts payable, accounts receivable and asset management functionality. The package also includes some regulatory reporting capabilities and tax reporting modules for assets, according to Ed Krakow, the principal SAP Financials consultant at Edward Krakow LLC.
What is SAP GRC?
SAP says its GRC software is designed to help organizations understand and manage risk positions while ensuring compliance with regulatory mandates. The software also helps organizations embed risk and compliance programs into overarching business strategies and operations. The company says that the benefits of SAP GRC software include fewer risk and compliance violations; minimized impact and duration of risk events; and lower total cost of risk, compliance and audit programs.
By adding SAP GRC into the mix, organizations will gain additional process controls designed specifically for managing compliance initiatives, such as those stemming from the Sarbanes-Oxley Act (SOX) -- U.S. legislation passed in 2002 in the wake of the Enron financial scandal. The software can also be used to help companies comply with country-specific SOX equivalents, according to Michael Lortz, SAP's senior director of GRC marketing.
Prior to the release of SAP GRC, companies chiefly dealt with compliance issues through a combination of SAP features. This included ERP Financials, SAP Authorization Management and Strategic Enterprise Management software, said Lokesh Sikaria, CEO of Folsom, Calif.-based Sparta Consulting Inc., a Gold level member of SAP's partner program, which focuses on helping organizations implement and maintain SAP systems.
The problem, Sikaria said, was that Authorization Management requires heavy customization of business roles, and Strategic Enterprise Management software doesn't meet requirements related to things like separation of duties and automated risk monitoring.
"GRC is the best solution that SAP has finally come up with that addresses all the compliance requirements elegantly," Sikaria said.
Why SAP GRC?
Companies often hire auditing firms to assist with SOX compliance, and auditors need to be able to examine these companies' transactional records. The applications included in the SAP GRC suite can help auditors do their jobs correctly, said Craig Himmelberger, director of marketing for SAP's financial applications group.
"All of the [applications] are built with compliance in mind so that the necessary compilation of necessary forms, statements and disclosures [have an] audit trail," Himmelberger said.
Companies can also use GRC to meet industry-specific regulations. For example, a pharmaceutical company might need to set up compliance initiatives to meet U.S. Food and Drug Administration regulations. GRC can also assist organizations in their attempts to comply with International Financial Reporting and Generally Accepted Accounting Principles (GAAP) standards, according to SAP.
Additionally, SAP GRC has a risk management component -- BusinessObjects Risk Management and BusinessObjects Process Control -- that gives users greater control over financial reporting, revenue generation, and health and safety issues.
Reasons to integrate Financials with GRC
A tight integration between Financials and GRC will help ensure that compliance-related information flows more seamlessly between the ERP system and reporting tools, as well as with other systems, according to SAP's Lortz.
With a Financials and GRC integration, many of a company's regulatory compliance requirements can be met "under one roof, and there's less interfacing," Lortz said.
Integration between the two suites can reduce or eliminate the time it takes to create and manually test compliance processes and controls. It can also reduce the time it takes to produce compliance reports for shareholders, C-level executives and government agencies.
"A tool like SAP GRC can pull data out of the system and say, 'Based on all our controls, here is what is operating correctly,'" said Chris McClean, senior analyst with Cambridge, Mass.-based Forrester Research Inc.
McClean said that the ability to check the state of compliance within a system can be a boon to auditors and risk management professionals who need to produce reports and review documented processes.
"If there are areas you need to manually investigate, you can do that," he said, "but you don't have to manually investigate all the aspects of the control framework."
Another benefit of integrating GRC and Financials is that it ensures the separation of duties, the practice of separating job functions and access to systems among various individuals based on security, compliance or other requirements.
For example, Krakow explained, banks and financial services may want to restrict employee access to specific transactions. Firms may give accountants the ability to post transactions of up to $10,000, but may restrict access to transactions of higher value until CFO approval is obtained. The separation of duties aspects of Financials and GRC can help, he said.
Tips for integrating GRC and Financials
Prior to integrating SAP GRC and Financials, companies should make an effort to learn where the risks, control obligations and potential cracks are hiding in business processes and compliance efforts, said Forrester's McClean.
"If you don't understand where the risks are, you're not taking smart actions to mitigate them," he said.
Lortz added that companies should consider how they can institute their compliance program so it is not a separate and distinct silo from other processes or departments. He said organizations should be thinking about how to embed compliance requirements directly into other business processes as seamlessly as possible.
Krakow said organizations should take time to assess their current state of compliance and make sure the right people are up to date on all necessary reporting requirements, such as those stemming from GAAP standards and SOX.
"[These are] issues that need to be addressed to be compliant," he said, "particularly if your company is traded."