Why do SAP access control deployment and SAP access profile redesign projects fail?
Cláudio Rocha - 01/10/2019
The basic rules for ensuring project success apply to SAP Access Control deployment projects, to SAP Access Profile Redesign projects, and to projects that cover both scenarios at the same time.
The need for an SAP Access Control deployment or SAP Access Profile Redesign project almost always arises after internal audits or independent (external) audits, which in many cases identify SoD (Segregation of Duties) nonconformities in users' access profiles. When this occurs, the IT area responsible for managing SAP access profiles is held accountable for the audit results, sometimes unfairly.
The IT area then takes on the task of carrying out the SAP Access Control and SAP Access Profile Redesign project and begins planning and defining the scope. It is from this point on that the main mistakes leading to the failure of projects of this nature occur, almost always influenced by a lack of GRC skills, which IT teams generally do not have; otherwise, the nonconformities would not have been pointed out. So, what should be done to avoid these mistakes and the failure of projects of this nature?
Applying the following ground rules reduces most of the major failures in SAP Access Control and SAP Access Profile Redesign projects:
Specialized Workforce: Choosing a good implementation or consulting team with excellence in the subject is fundamental to having a project without surprises. However, the service provider alone does not guarantee the success of the project. Involvement of the contracting company is critical to making the definitions that best fit the organization's culture and requirements. Specialization in GRC services is a major differentiator that companies should look for, in addition to proven experience in similar previous projects.
Requirements Mapping: If the organization has brought in GRC expertise for the project definition process, the advisor will determine the requirements mapping, prioritizing the organization's budget, culture and goals. It is essential to identify the following items:
Sponsor Determination: Because the project involves different areas of the organization (business area, technical area, internal controls, auditing, etc.), it is necessary to involve someone with standing in the organizational structure, such as the CFO or CIO, to act as sponsor and as facilitator for engaging the people involved in the other impacted areas. SAP Access Control and SAP Access Profile Redesign projects require a top-management sponsor!