Regulatory compliance can be overwhelming for IT departments torn between outsourcing and in-house management, but there is a middle way, according to UK food and drink firm Princes.
The Japanese-owned firm's IT department was struggling to meet that country's regulatory requirements for proof of segregation of duties (SoD) of users of the SAP enterprise software.
The regulations, modelled on the US Sarbanes-Oxley Act and known as J-SOX, require companies to review user permissions continually to ensure SoD.
The requirement is aimed at ensuring there is no conflict of interest between the kinds of permissions users have. Those who set up payees may not approve payments, for example.
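As an added example (not code from Princes, SAP or su53), this is the kind of check a periodic SoD review runs: it resolves each user's roles to the activities they grant and flags users who hold both sides of a conflict rule such as the payee-setup versus payment-approval pair above. The role names, activity names and users are constructed, and the case it illustrates is a conflict that arises only from combining roles that are each clean on their own.

```python
# Constructed SoD rule set: pairs of activities one person must not hold together.
# Activity names are assumptions, not SAP transaction codes.
SOD_RULES = {
    ("maintain_vendor_master", "approve_payment"): "Vendor setup vs payment approval",
    ("create_purchase_order", "post_goods_receipt"): "PO creation vs goods receipt",
}

# Role -> activities granted. Each role on its own violates no rule.
ROLES = {
    "AP_CLERK": {"maintain_vendor_master", "enter_invoice"},
    "AP_MANAGER": {"approve_payment", "release_payment_run"},
    "BUYER": {"create_purchase_order"},
    "WAREHOUSE": {"post_goods_receipt"},
}

# User -> assigned roles (constructed sample; a real review pulls this from SAP).
USERS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],   # conflict only through the combination
    "carol": ["BUYER", "WAREHOUSE"],
    "dave": ["AP_MANAGER"],
}


def effective_activities(user, users=USERS, roles=ROLES):
    """Union of activities across every role assigned to the user."""
    acts = set()
    for role in users[user]:
        acts |= roles.get(role, set())
    return acts


def find_conflicts(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Return {user: [(rule description, contributing roles)]} for every user
    whose combined roles grant both activities of a SoD rule."""
    findings = {}
    for user, assigned in users.items():
        acts = effective_activities(user, users, roles)
        for (a, b), desc in rules.items():
            if a in acts and b in acts:
                # Name the roles that supply either side, so the reviewer
                # knows which assignment to remove or compensate for.
                culprits = sorted(r for r in assigned if roles.get(r, set()) & {a, b})
                findings.setdefault(user, []).append((desc, culprits))
    return findings


if __name__ == "__main__":
    for user, hits in find_conflicts().items():
        for desc, culprits in hits:
            print(f"{user}: {desc} via {', '.join(culprits)}")
```

Checking the union of a user's roles rather than each role in isolation is what catches cases like bob's, where every role passed review individually.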
"We lacked the staff resources to use the SAP governance, risk and compliance tool, but were unwilling to outsource the process entirely," said Neil Crew, IT director at Princes.
The SAP GRC tool is technically and commercially better suited to organisations with teams dedicated to managing permission allocation and review, he said.
"We were stuck in the middle looking for a way to balance regulatory requirements with staff and financial resources," said Crew.
Two years later, Princes has adopted a phased approach to reviewing permissions for more than 600 SAP users.
The IT department has cut the process of identifying and resolving potential SoD problems from a four-month job by a dedicated member of staff to under a month a year.
The company expects to cut the process to just one week's work once it has completed the project with SAP GRC and security consultancy su53.
"The managed services route has ticked all the boxes and transformed the J-SOX audit into an opportunity to improve efficiency by understanding exactly how SAP is used," said Crew.
Users who have found more efficient ways of using the system to do their job are able to share those best practices with colleagues across the organisation, he said.
"We have learned that organisations do not have to be afraid of regulatory audits, but can use them to improve the use and support of the SAP system," Crew said.
The advantage of the managed services approach using a software-as-a-service model is that for 90% of changes IT staff can use the framework and tools provided by su53, he said.
This enables the IT department to retain control on a day-to-day basis and manage user permissions independently for most of the year, said Crew.
"For the remaining 10% and at key times in the year, su53 is on hand to provide the expert help and advice we need without incurring any additional cost," he said.
Crew is to share the lessons learned at Princes in a presentation at the forthcoming SAP UK & Ireland User Group Conference 2009 in Manchester, held from 23 to 24 November.