Specifically, the Stamford, Conn.-based research firm said the GRC suite lacks an application that will provide the management functions needed to find areas that require remediation and provide reports that ensure compliance.
SAP needs something like Oracle's GRC Manager for internal auditors, compliance managers and executives to highlight areas of remediation and provide up-to-date documentation on what's going on, French Caldwell, research vice president with Gartner, said. He wrote the research note following SAP's recent Sapphire event. SAP also needs a common repository that can share data among risk management, compliance management, audit management and policy management, the report says.
"No vendor is going to be able to cover the entire corporate governance spectrum," Caldwell said. "But if you cannot prove it and report it, then you might as well not be doing it as far as an auditor is concerned."
SAP denounced the findings and recommendations.
"Where do you start?" said Jim Dunham, who is group president of GRC Solutions Management at SAP. "This was so far off, it's not even funny."
SAP says its GRC applications, five in all, are one step ahead of making sure companies are in compliance. What Caldwell is calling for in a separate application is already built into SAP's GRC solutions, Dunham said.
SAP views compliance from an automation and continuous policy management standpoint, Dunham said, so there's no need for extensive, physical reporting. Because problems are highlighted and corrected as they arise, there's no need for extensive documentation.
"The only way we saw you could [ensure compliance] is through some form of automation," Dunham said. "[Caldwell is] asking for the support, for a more intensive paper approach, more intensive audit management. We fundamentally have a completely different approach. It's almost like an easy button."
Some of SAP's biggest GRC customers agree.
"If you get into GRC as a whole, we're going to start seeing more of that. It's going to be about the integration," said Dale Timmons, managing director at UHY Advisors Tax and Business Consultants, a Houston-based business that uses SAP's Enterprise Risk Management module. "They're probably the closest to working at continuous compliance. SAP, I think, is way ahead of everybody else."
Lee Dittmar, principal of Deloitte Consulting LLP, agreed.
"We're moving away from discrete tools for specific compliance and risk domains," Dittmar said. "The whole topic of risk and compliance doesn't make sense to live a separate life from performance management. The systems that will enable efficient risk and compliance management may need to be part of an integrated solution. If you look discretely only at one product, you're missing the point."
In his note, Caldwell advises customers to look at other solutions for GRC management functionality – including Oracle's GRC Manager, OpenPages, Paisley and MetricStream.
"SAP needs to put urgency into fleshing out its GRC management capabilities to match its vision of being a leading GRC vendor across the spectrum of GRC markets, not just the segregation of duties and financial control markets," Caldwell wrote. "Until SAP does so, [enterprise] GRC (EGRC) platform buyers should look to Oracle and the many best-of-breed EGRC platform vendors."
Predictably, SAP doesn't think so.
"We're very clearly the market leader as it relates to this space," Dunham said, adding that SAP has added 700 net new customers since 2007.
SAP and Gartner do, however, seem to agree on one thing.
"There's a difference of opinion between SAP and Gartner on this," Caldwell said. "I think that's a healthy thing."