Mention the words compliance audit to an SAP administrator, and he will likely cringe at the prospect of the time and effort involved in ensuring the SAP system is compliant with regulations like Sarbanes-Oxley.
For Steelcase, a firm based in Grand Rapids, Mich., that manufactures and sells office furniture and office environments around the globe, the demands of compliance auditing for its expanding SAP environment grew beyond the cringe factor. The company found relief in ControlPanelGRC -- a governance, risk and compliance (GRC) application from Symmetry.
Steelcase, an SAP user for a number of years, has seen the company's SAP landscape grow in size and complexity. What began with one SAP ERP Central Component instance and SAP Business Warehouse now includes a diverse assortment of systems, and as the company acquired companies, it implemented SAP systems in all of them, according to Jacquie Dutcher, Steelcase consulting IT security, risk and compliance analyst.
Growing SAP landscape leads to more complexity
"We started with SAP in 2004 and currently use SAP across our entire environment -- from our manufacturing plant on SAP ERP, our HR system, financials. Overall, everything comes through SAP for us," Dutcher said. "We have multiple instances around the globe -- in North America, in Europe, in APAC [Asia-Pacific] -- and they are all running different versions, but the Europe and APAC implementations will be merged soon."
When the SAP landscape was simpler, the work of preparing for Sarbanes-Oxley audits was manageable, if tedious. This began to change, however, as the complexity and scope of the SAP system grew. Not only that, but Steelcase also changed its external auditing firm to Deloitte, which implemented more exacting auditing standards that required much more detailed levels of data.
This meant that the Steelcase security auditing team had to do far more tedious and demanding work without increasing the number of analysts, Dutcher said.
After considering other GRC tools, including SAP's, Steelcase implemented Symmetry's ControlPanelGRC, a GRC application designed for SAP systems. ControlPanelGRC consists of four suites -- Access Control, Process Control, Security Acceleration and Basis Control -- that accelerate routine tasks and automate routine processes, according to Scott Goolik, Symmetry vice president of compliance and security.
Automation means more efficiency
Automating processes leads to more efficient compliance, Goolik said.
"If you follow self-documenting workflows and you've got task automation, then you're going to get the compliance for free," he said. "You're always audit-ready because you can always pull up who approved this or when did this hit production."
This was just what Steelcase was looking for to improve its compliance auditing processes, according to Dutcher, who explained that the security team was being overwhelmed with work just building and evaluating reports in SAP each compliance quarter.
"So, we looked at Symmetry to help with that because we also had to test all of our systems … and it also made us way more efficient," she said.
While Steelcase first used the ControlPanelGRC application primarily for Sarbanes-Oxley auditing compliance, it eventually began to use other modules, according to Dirk Dykstra of Steelcase NetWeaver technical services.
"By moving into [the ControlPanelGRC application], we now test 15 instances instead of four instances, and we do it faster because IT can self-assess," Dykstra said. "We're now using even more of the ControlPanel, from Risk Analyzer, Usage Analyzer, Emergency Access, Transport Manager -- it's all helped to reduce our deficiencies down to zero. We're able to have checkpoints all along the way so all the right people approve stuff, whereas, before, it all just kind of happened, so it allowed us to become a tighter ship and also be able to get answers for questions faster and more accurately."
Once the Steelcase auditing team set up reports in the system, they could run them regularly, saving many hours of work that had been done manually. ControlPanelGRC also provides one central location for the auditing data.
"You don't need to go to 15 different systems to get the information; you can go right into there and gather it," Dykstra said. "They have reporting features where you can slice and dice, pull up different reports, change reports, things like that, but it's all gathered in one central location."
More detailed and accurate data
A major benefit is the reports produced for compliance audits by ControlPanelGRC, Dykstra said, noting that they are more detailed and accurate than what Steelcase was able to produce previously.
The kinds of information that the ControlPanelGRC application provides for auditors include who has high-level access, whether changes to the systems were documented appropriately, whether the changes were approved properly and in a timely manner, whether the right people have the access level they need and whether the transport system has backup documentation and alerts.
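The audit questions listed above (privileged access, documentation, approval before and shortly ahead of the move to production, backup documentation for transports) can be expressed as mechanical checks over change and role-assignment records. The following is an added illustration written for this article, not ControlPanelGRC's or SAP's own code: the record fields, role names, transport IDs and the two-day approval window are all hypothetical, and the sample data is constructed.

```python
"""Added example: compliance-evidence checks over constructed SAP-style change
records and role assignments. Field names, role names and transport IDs are
hypothetical; nothing here is ControlPanelGRC's or SAP's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    transport_id: str               # constructed, SAP-like transport request ID
    description: str                # empty string means the change is undocumented
    approved_by: Optional[str]      # None means no approval on record
    approved_at: Optional[datetime]
    imported_at: datetime           # when the change reached production
    backup_doc: Optional[str]       # reference to backup/rollback documentation


# Constructed role names standing in for roles that grant high-level access.
PRIVILEGED_ROLES = {"Z_ADMIN_ALL", "Z_BASIS_FULL"}


def evaluate_change(rec: ChangeRecord,
                    max_approval_lag: timedelta = timedelta(days=2)) -> List[str]:
    """Return the list of deficiencies found for one change record.

    'Timely' is modelled (an assumption for this example) as: approval exists,
    precedes the production import, and is no older than max_approval_lag.
    """
    findings = []
    if not rec.description.strip():
        findings.append("undocumented")
    if rec.approved_by is None or rec.approved_at is None:
        findings.append("unapproved")
    elif rec.approved_at > rec.imported_at:
        findings.append("approved after import")
    elif rec.imported_at - rec.approved_at > max_approval_lag:
        findings.append("approval not timely")
    if rec.backup_doc is None:
        findings.append("no backup documentation")
    return findings


def privileged_users(assignments: Dict[str, List[str]],
                     privileged=PRIVILEGED_ROLES) -> List[str]:
    """Users holding at least one high-level role, sorted for stable reporting."""
    return sorted(u for u, roles in assignments.items() if set(roles) & privileged)


def audit_report(records: List[ChangeRecord],
                 assignments: Dict[str, List[str]]) -> dict:
    """Collect per-transport deficiencies (only those with findings) and the
    privileged-user list into one report structure."""
    deficiencies = {r.transport_id: evaluate_change(r) for r in records}
    return {
        "deficiencies": {tid: f for tid, f in deficiencies.items() if f},
        "privileged_users": privileged_users(assignments),
    }


# Constructed sample data: one clean change and three with different defects.
NOW = datetime(2016, 3, 1, 12, 0)
SAMPLE_CHANGES = [
    ChangeRecord("DEVK900101", "Pricing condition fix", "j.smith",
                 NOW - timedelta(hours=6), NOW, "CR-1001"),
    ChangeRecord("DEVK900102", "", None, None, NOW, None),
    ChangeRecord("DEVK900103", "HR report tweak", "j.smith",
                 NOW + timedelta(hours=1), NOW, "CR-1002"),
    ChangeRecord("DEVK900104", "Emergency patch", "a.lee",
                 NOW - timedelta(days=5), NOW, "CR-1003"),
]
SAMPLE_ASSIGNMENTS = {
    "basis01": ["Z_BASIS_FULL", "Z_DISPLAY"],
    "clerk7": ["Z_DISPLAY"],
    "admin2": ["Z_ADMIN_ALL"],
}

if __name__ == "__main__":
    report = audit_report(SAMPLE_CHANGES, SAMPLE_ASSIGNMENTS)
    for tid, findings in report["deficiencies"].items():
        print(tid, "->", ", ".join(findings))
    print("privileged users:", report["privileged_users"])
```

Running the block lists the three deficient transports with their reasons and the two users holding a high-level role; the clean transport does not appear. The value of encoding the checks this way is that the same rules run unchanged against every instance, which is the property the article attributes to report automation.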
"There's all kinds of reporting that we can do now that helps us catch things quicker if something breaks, and we can find the reason [it happened] and [a] way to fix it quicker. And stuff that used to take 60 hours for four systems is now a day or two for 15 systems," Dykstra said. "We've been able to prove for Deloitte that it's accurate so that makes it even quicker for them because they can just go in and get the information themselves, rather than having us go in and get it for them."