In the next few years, more and more organizations will make the switch from SAP ECC to SAP S/4HANA and start using the SAP BTP platform. However, as organizations pursue this transformation, they often overlook important security and control considerations. System integrators tend to focus heavily on the technical aspects of an SAP S/4HANA implementation and consequently overlook the impact on security, controls, and the GRC and IAM tooling that supports them.
This lack of attention to security and controls is particularly problematic because missing controls can lead to data and security breaches, fraudulent transactions and data integrity issues, which in turn can cause reputational damage and financial losses.
KPMG’s ‘Trusted SAP’ approach addresses these critical security and control requirements by integrating relevant security and control components into the project from the beginning (control by design):
SAP authentication is a critical component in securing access to SAP applications and data. It covers a range of methods, from password-based logon to multi-factor authentication (MFA) and single sign-on based on strong authentication protocols (for example SAML 2.0 or Kerberos, with MFA enforced at the identity provider rather than in each SAP system). Well-implemented SAP authentication protects sensitive information while allowing authorized users to access resources efficiently and securely.
SAP authorizations determine which actions users are permitted to perform within the SAP environment, thereby protecting data and ensuring transactional security. Authorizations are also crucial for implementing the required segregation of duties within the SAP S/4HANA system. An important starting point is the definition of a (cross-system) segregation of duties matrix, which must then be set up inside the system. We often see that this starting point has been skipped, with the result that many roles and user assignments conflict with the segregation of duties after go-live. The SAP authorization concept needs to be designed and developed as an integrated part of the implementation project. The standard roles in an application usually do not fit your organization!
The risk and control workstream focuses on identifying the key risks within a business process that is supported by SAP applications. To mitigate these business risks, internal controls must be designed, implemented and tested. Examples of controls that need to be designed are the IT general controls (ITGCs), the business process controls and the data integrity controls. When developing a business risk and control framework, one should always look for opportunities to automate the testing of controls; in the long term, this reduces the manual effort of testing operational effectiveness. Incorporating a business risk and control framework at the start of the SAP S/4HANA project ensures that controls are designed and implemented within the SAP S/4HANA system, reducing surprises and possible rework or issues after go-live. It further ensures that custom-developed BTP apps also contain the expected security and control mechanisms.
With an increasingly integrated IT landscape, the need for robust platform security has never been clearer. The system hardening process is crucial for strengthening the security of SAP systems. To address this challenge in a comprehensive way, a strategic approach is taken at multiple levels, focusing on protecting SAP applications against unauthorized access and potential data and privacy breaches. This defense-in-depth strategy is designed to seamlessly integrate SAP products and platforms with enterprise-level cybersecurity, privacy and security monitoring solutions.
Through the support of SAP GRC and Cyber solutions, it is possible to manage and organize the different types of (internal and external) risks and controls. These solutions are integrated across SAP functions and processes, helping organizations to ensure the completeness and accuracy of data, and enabling them to trust the integrity of the processes that SAP S/4HANA supports. Products such as SAP GRC, SAP IAG and SAP ETD are often relevant to organizations, but they are not automatically included in an SAP S/4HANA implementation or migration project. If these solutions are already in use, it is important to identify how the SAP S/4HANA migration affects them and to make sure they are configured alongside the SAP S/4HANA project. An example is an SAP IAG solution used to manage users and business role assignments: such an IAG solution needs to be configured so that the new users and roles in SAP S/4HANA can be provisioned after go-live. Other examples are SAP Process Control, which can be used to support the testing of internal controls, and SAP Access Control, which is used to monitor possible segregation of duties conflicts during role building and directly after go-live.
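The segregation of duties checks described above (a cross-system SoD matrix applied during role build and again to user assignments, as SAP Access Control does) can be illustrated with a small self-contained script. This is an added example written for this page; it is not KPMG or SAP code, and the matrix entries, function names, role names, user assignments and the mitigating control ID "MC-042" are all constructed for the illustration (the function labels are not SAP transaction codes or rule-set IDs). It shows the two checks a project needs: one that rejects a role that conflicts with itself before anyone is assigned to it, and one that evaluates the union of a user's roles across S/4HANA and BTP, reports which role grants each side of a conflict, and leaves only unmitigated findings open.

```python
# Illustrative segregation-of-duties (SoD) check. Added example, not KPMG or SAP code;
# every matrix entry, role, user and control ID below is constructed for the illustration.
from collections import defaultdict

# SoD matrix: pairs of business functions one person must not hold together, with a
# risk rating. Function names are hypothetical labels, not SAP transaction codes.
SOD_MATRIX = {
    frozenset({"CREATE_VENDOR", "PAY_VENDOR"}): "high",
    frozenset({"CREATE_PO", "APPROVE_PO"}): "high",
    frozenset({"POST_GL_JOURNAL", "RELEASE_PAYMENT"}): "medium",
}

# Role -> functions it grants, keyed by (system, role) so roles from S/4HANA ("S4H")
# and BTP can be evaluated together (cross-system SoD).
ROLE_FUNCTIONS = {
    ("S4H", "Z_AP_CLERK"): {"CREATE_VENDOR", "POST_GL_JOURNAL"},
    ("S4H", "Z_TREASURY"): {"PAY_VENDOR", "RELEASE_PAYMENT"},
    ("S4H", "Z_PO_APPROVER"): {"APPROVE_PO"},
    ("S4H", "Z_P2P_ALL"): {"CREATE_PO", "APPROVE_PO"},  # badly built: conflicts inside one role
    ("S4H", "Z_DISPLAY_ONLY"): {"DISPLAY_VENDOR"},
    ("BTP", "procurement_requester"): {"CREATE_PO"},
}

# User -> roles assigned, possibly in more than one system.
USER_ROLES = {
    "alice": [("S4H", "Z_AP_CLERK"), ("S4H", "Z_TREASURY")],
    "bob": [("BTP", "procurement_requester"), ("S4H", "Z_DISPLAY_ONLY")],
    "carol": [("BTP", "procurement_requester"), ("S4H", "Z_PO_APPROVER")],
}

# Accepted risks: (user, conflicting pair) -> ID of the mitigating control that covers it.
MITIGATIONS = {
    ("alice", frozenset({"POST_GL_JOURNAL", "RELEASE_PAYMENT"})): "MC-042",
}


def role_conflicts(role_functions=ROLE_FUNCTIONS, sod_matrix=SOD_MATRIX):
    """Conflicts built into a single role. Run during role build, before any user is
    assigned; a role that fails here should never be transported to production."""
    return [
        (system, role, tuple(sorted(pair)), risk)
        for (system, role), funcs in role_functions.items()
        for pair, risk in sod_matrix.items()
        if pair <= funcs
    ]


def user_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                   sod_matrix=SOD_MATRIX, mitigations=MITIGATIONS):
    """Conflicts arising from the union of all roles a user holds, across systems.
    Each finding records which roles grant each side of the conflict, whether the
    conflict exists only because of a cross-system assignment, and any mitigating control."""
    findings = []
    for user, roles in user_roles.items():
        granted = defaultdict(set)  # function -> {(system, role), ...} that grant it
        for key in roles:
            for func in role_functions.get(key, set()):
                granted[func].add(key)
        for pair, risk in sod_matrix.items():
            if not pair.issubset(granted):
                continue
            systems = {system for func in pair for (system, _) in granted[func]}
            findings.append({
                "user": user,
                "functions": tuple(sorted(pair)),
                "risk": risk,
                "cross_system": len(systems) > 1,
                "via": {func: sorted(granted[func]) for func in sorted(pair)},
                "mitigated_by": mitigations.get((user, pair)),
            })
    return findings


def open_findings(findings=None, min_risk="medium"):
    """Unmitigated findings at or above the given risk level: the list to clear
    before go-live and to re-run after every role or assignment change."""
    order = {"low": 0, "medium": 1, "high": 2}
    findings = user_conflicts() if findings is None else findings
    return [f for f in findings
            if f["mitigated_by"] is None and order[f["risk"]] >= order[min_risk]]


if __name__ == "__main__":
    for c in role_conflicts():
        print("ROLE CONFLICT", c)
    for f in open_findings():
        print("OPEN", f["user"], f["functions"], f["risk"],
              "cross-system" if f["cross_system"] else "single-system", f["via"])
```

Two points the run makes visible: carol's conflict only exists because a BTP role and an S/4HANA role are combined, which is exactly what a per-system check misses, and alice's medium-risk conflict drops out of the open list because it is covered by a documented mitigating control, while her high-risk one does not. In a real project the matrix would be maintained in the GRC tool's rule set and the role-to-function mapping derived from the authorization objects in each role, but the two-stage logic (reject at build time, then monitor assignments continuously) is the same.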
By leveraging our Trusted SAP approach, organizations can integrate or further improve the necessary security and control measures from the start and safeguard their SAP S/4HANA and BTP Landscape. Simply because all companies want their new application to be a Trusted application!
Contact us
Dennis Hallemeesch
Partner, GRC Technology & Controls Integration
KPMG in the Netherlands