Having an Audit Expert on your GRC Implementation, Yay or Nay?

I wanted to thank everyone for all the great feedback I received on my last post regarding Tanya Duncan’s book, “The Essential SAP Career Guide.” I got a lot of questions about topics that are covered more extensively in the book and some that are not, which I answered in the replies section of the post.

However, one of my readers delved into some specifics on SAP GRC and Security and asked for advice on how to break into the SAP ecosystem as someone with an audit background in information systems. His areas of expertise include SOX, ISO, SAS 70, SSAE 16, etc. The reader went on to assert that he "was surprised to see that even management lacks understanding and determination to plan and leverage their investments in SAP. And SAP GRC for sure is a strong way out. Imagine a company paying hundreds of dollars to run SAP is yet to incur good additional cost for compliance review and management, just because either they are not aware or have not analyzed and formulated how to configure SAP GRC to address various governance and compliance needs."

My answer to this reader is that I agree to some extent and disagree to some extent. There are many industry professionals and SAP implementation teams looking for resources who are well versed in audit methodologies and risk management. People who want to seek out such opportunities may want to align themselves with a specific industry in which they are particularly knowledgeable. This allows them to lead conversations about risks and process standards across that industry and convey those standards to upper-level managers and C-level executives. Additionally, a person who seeks such a position must have strong written and verbal communication skills, because they will be articulating these requirements to the implementation team, who in turn must translate them into the rule-set. As a matter of fact, I have worked on a project where we had a resource on hand to help us customize a rule-set based on industry-specific regulations and Sarbanes-Oxley. Most consulting firms with a reliable GRC practice can offer advice on SAP Best Practices for governance, risk and compliance (GRC) to facilitate quick decision making on the design of critical processes in the work stream. People with this expertise are very valuable when implementing GRC Risk Management, GRC Process Control, and GRC Access Control for access risk analysis. However, if a company only wants to use GRC Access Control for automatic user provisioning, user access review, business role management, emergency access management, and the standard global rule-set for access risk analysis, this type of advisory role may be unnecessary.

Any feedback is always welcome and appreciated.

Kudos to the reader who challenged me to write about this topic.
