Regulatory compliance can be overwhelming for IT departments
torn between outsourcing and in-house management, but there is a
middle way, according to UK food and drink firm Princes.
The Japanese-owned firm's IT department was struggling to meet
that country's regulatory requirements for proof of segregation
of duties (SoD) among users of the SAP enterprise software.
The regulations, modelled on the US Sarbanes-Oxley Act and known as
J-SOX, require companies to review user permissions continually to
ensure SoD.
The requirement is aimed at ensuring there is no conflict of
interest between the kinds of permissions users have. Those who set
up payees may not approve payments, for example.
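The SoD review described above is, at its core, a check that no single user's effective permissions contain a pair of business functions that a rule says must be held by different people. The following Python is an added illustration, not code from the article, from Princes, or from SAP GRC or su53: the role names, the function names and the user-to-role assignments are constructed sample data, and the rule set is a hypothetical two-rule matrix. It resolves each user's roles to the functions they grant, flags users who hold a conflicting pair (whether across two roles or bundled inside one), and reports what has changed since the previous review, which is the recurring part of a continual-review obligation.

```python
"""Added example: a minimal segregation-of-duties (SoD) conflict check.

All data below is constructed for illustration; the role and function
names are hypothetical and do not describe any real SAP system.
"""

# Which business functions each (hypothetical) role grants.
ROLE_FUNCTIONS = {
    "AP_VENDOR_MAINT": {"create_payee"},
    "AP_PAYMENT_APPROVE": {"approve_payment"},
    "AP_INVOICE_ENTRY": {"enter_invoice"},
    # A role that bundles conflicting functions is itself a finding:
    # assigning it to anyone violates SoD regardless of their other roles.
    "AP_CLERK_SUPER": {"create_payee", "enter_invoice", "approve_payment"},
}

# SoD rules: unordered pairs of functions one person must not hold together,
# mapped to a human-readable description for the audit report.
SOD_RULES = {
    frozenset({"create_payee", "approve_payment"}): "payee setup vs payment approval",
    frozenset({"enter_invoice", "approve_payment"}): "invoice entry vs payment approval",
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_VENDOR_MAINT"},
    "bob": {"AP_PAYMENT_APPROVE"},
    "carol": {"AP_VENDOR_MAINT", "AP_PAYMENT_APPROVE"},  # conflict across two roles
    "dave": {"AP_CLERK_SUPER"},                           # conflict inside one role
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role the user holds."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def find_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Return {user: [rule description, ...]} for every user who violates a rule.

    A rule fires when both functions in the pair are a subset of the user's
    effective functions, however those functions were obtained.
    """
    findings = {}
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, role_functions)
        hits = [desc for pair, desc in rules.items() if pair <= funcs]
        if hits:
            findings[user] = hits
    return findings


def role_is_toxic(role, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """True if a single role already bundles a conflicting pair and should be split."""
    funcs = role_functions.get(role, set())
    return any(pair <= funcs for pair in rules)


def new_since(previous, current):
    """Findings in the current review that were absent from the previous one.

    Continual review means re-running the check and triaging only the delta;
    `previous` and `current` are both outputs of find_conflicts().
    """
    delta = {}
    for user, hits in current.items():
        seen = previous.get(user, [])
        fresh = [h for h in hits if h not in seen]
        if fresh:
            delta[user] = fresh
    return delta


if __name__ == "__main__":
    # Simulate a prior review that had already recorded carol's conflict.
    last_review = {"carol": ["payee setup vs payment approval"]}
    current = find_conflicts()
    for user, hits in current.items():
        print(f"{user}: {'; '.join(hits)}")
    print("new since last review:", new_since(last_review, current))
    print("toxic roles:", [r for r in ROLE_FUNCTIONS if role_is_toxic(r)])
```

In a real estate the three inputs would be exported from the target system (for SAP, role-to-authorization and user-to-role assignments) rather than hard-coded, and the rule matrix would be the one agreed with the auditors; the checking logic does not change.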
"We lacked the staff resources to use the SAP governance, risk
and compliance tool, but were unwilling to outsource the process
entirely," said Neil Crew, IT director at Princes.
The SAP GRC tool is technically and commercially better suited
to organisations with teams dedicated to managing permission
allocation and review, he said.
"We were stuck in the middle looking for a way to balance
regulatory requirements with staff and financial resources," said
Crew.
Phased approach
Two years later, Princes has adopted a phased approach to
reviewing permissions for more than 600 SAP users.
The IT department has cut the process of identifying and
resolving potential SoD problems from a four-month job by a
dedicated member of staff to under a month a year.
The company expects to cut the process to just one week's work
once it has completed the project with SAP GRC and security
consultancy su53.
"The managed services route has ticked all the boxes and
transformed the J-SOX audit into an opportunity to improve
efficiency by understanding exactly how SAP is used," said
Crew.
Users who have found more efficient ways of using the system to
do their job are able to share those best practices with colleagues
across the organisation, he said.
"We have learned that organisations do not have to be afraid of
regulatory audits, but can use them to improve the use and support
of the SAP system," Crew said.
Retaining control
The advantage of the managed services approach using a
software-as-a-service model is that for 90% of changes IT staff can
use the framework and tools provided by su53, he said.
This enables the IT department to retain control on a day-to-day
basis and manage user permissions independently for most of the
year, said Crew.
"For the remaining 10% and at key times in the year, su53 is on
hand to provide the expert help and advice we need without
incurring any additional cost," he said.
Crew is to share the lessons learned at Princes in a
presentation at the coming SAP UK & Ireland User Group Conference
2009 in Manchester, from 23 to 24 November.