Producing the records that auditors need in order to certify a company’s books and its processes can take months if done manually. Automated governance, risk and compliance (GRC) management solutions offer two major benefits: they can substantially reduce the cost of an audit, and auditors tend to look less deeply into automated record reports.
This week I spoke to Jeff Rishel, vice president of IT at Graham Packaging Co., a manufacturer headquartered in York, Pa., about his company’s GRC efforts. The company, which has 80 plants in 16 countries, has been an SAP user since 1999.
Rishel said that Graham purchased SAP Virsa in the early 2000s to help with Sarbanes-Oxley compliance. But even with Virsa, he said, there was one big problem: His team still had to gather all the information manually from various sources to give to the auditors.
Graham eventually replaced Virsa with ControlPanelGRC from SymSoft Corp., hoping to reduce the time spent on audit preparation, attain better SOX compliance and streamline the Segregation of Duties (SOD) process.
All three goals were accomplished. The two weeks spent preparing for the audit process were reduced to one, and Rishel said that he personally no longer has to spend two hours a month doing SOD reporting. Much of the time savings comes from the workflow engine embedded in ControlPanelGRC. The engine automates not just SOD but many IT business processes, allowing repetitive manual tasks to be done automatically with a workflow that tracks who requested changes, who developed, who tested, who approved, etc.
But the product has other features, including a bunch of utilities that make the day-to-day lives of security administrators and SAP technical administrators easier. “It’s not software you dust off once a year to get through an audit,” said Dan Wilhelms, president and founder of SymSoft, and a leading Basis consultant.
At SAP TechEd 2009, I attended a session on compliance tips for security administrators given by Maria Jenkins, SAP’s GRC senior technical architect. During her presentation, she said, “Auditors are like accountants, they always say, ‘Show me the money.’” She went on to say that there’s really only one way to keep the auditors happy, and that’s documentation. “Documentation is the most important thing that a security administrator can provide for SOX and security compliance.”
I asked Rishel about that, and he agreed that documentation is vital. “If we have SODs we can’t resolve, they require a lot of documentation,” he said.
SAP recently announced that it will work more closely with Novell to extend GRC to more of the IT infrastructure. If you’re an SAP security administrator, what do you think of that? I’d like to hear from other SAP administrators about the GRC issues they’re facing.