GRC (Governance, Risk and Compliance) for SAP S/4 HANA
Do you want to upgrade to the latest governance, risk and compliance (GRC) software?
This blog highlights about the minimum compatible GRC solution for SAP S/4 HANA and how the upgrade road map looks like?
Let us first explore SAP’s approach to GRC:
SAP governance, risk and compliance software is divided into four categories:
- Three Lines of Defense
- Access Governance
- International Trade
- Cyber Security
Although each are equally important, in this blog we will look at Three Lines of Defense and Access Governance. We will explore these under the headings of governance, risk and compliance solutions and assurance and compliance software solutions.
GRC for ECC
SAP Governance Risk and Compliance (GRC) solution comprises of:
- Access Control (AC)
- Process Control (PC)
- Risk Management (RM)
SAP Assurance and Compliance Software (ACS) solution comprises of:
- Audit Management (AM)
- Business Integrity Screening (BIS)
- Business Partner Screening (BPS)
- Tax Compliance
GRC 10.1 and ACS 1.2 solutions can be used for ECC and are the most up to date versions which can be rolled out on the same server. GRC 12 runs on SAP NetWeaver and ACS 1.3 runs on ABAP Foundation – it is possible to have them both on the same server, but only if you upgrade to GRC/ACS for SAP S/4 HANA, otherwise you will have to split them.
There is no upgrade path for older versions of GRC/ACS straight to GRC/ACS for SAP S/4 HANA.
GRC for SAP S/4 HANA
SAP GRC solution for SAP S/4 HANA comprises of:
- AC 10.1/12.0 for SAP S/4 HANA
- PC 10.1/12.0 for SAP S/4 HANA
- RM 10.1/12.0 for SAP S/4 HANA
SAP ACS solution for SAP S/4 HANA comprises of:
- AM 1.2/1.3 for SAP S/4 HANA
- BIS 1.2/1.3 for SAP S/4 HANA
- BPS 1.2/1.3 for SAP S/4 HANA
- Tax Compliance 1.2/1.3 for SAP S/4 HANA
Why upgrade? Key improvements.
- SAP Access Control – Increased system landscape security now covering SAP S/4 HANA
- SAP Process Control – Reduced compliance cost through optimized issue follow-up in control monitoring
- SAP Risk Management – Improved insight into enterprise risk through extended risk aggregation algorithms
- SAP Audit Management – Avoid double efforts through improved search (on past audits)
- SAP Tax Compliance – Cut audit costs through embedded documentation of identified tax issues and their remediation
Prerequisites to upgrade GRC/ACS for SAP S/4 HANA?
You must have SAP S/4 HANA Enterprise Management license (from release 1511 on).
Extra steps will be needed if GRC historically runs on non-SAP database and/or if you are planning on switching your deployment option (stand-alone vs. co-deployment).
If you already have GRC/ACS on ECC prior to GRC 10.x and ACS 1.2 versions, you must upgrade to this version first. You then migrate to GRC/ACS for SAP S/4 HANA on this version and finally you upgrade to the latest GRC/ACS versions for SAP S/4 HANA.
GRC for SAP S/4 HANA:
1. Co-Deployment – GRC installed on top of SAP S/4 HANA.
2. Side-by-Side – GRC Installed on stand-alone SAP NetWeaver with SAP database (DB)
ACS for SAP S/4 HANA:
The only option for ACS with regard to SAP S/4 HANA is co-deployment – ACS installed on top of SAP S/4 HANA.
How Will S/4 HANA Affect the Current GRC Environment?
The S/4 HANA architecture introduces complexities to the GRC environment resulting from the new and updated functionality, HANA database and Fiori front-end server (optional). The new HANA database and Fiori front-end raise important questions about security, including how to provision access to both Fiori and the HANA database, segregate conflicting responsibilities across systems, and manage temporary elevated access. Enhancing or enabling the Access Control functionality should be considered as part of the S/4 HANA implementation. Some questions to consider include:
- Are there new access risks or changes to existing access risks?
- How will additional systems (HANA database, Fiori) be integrated to ensure a complete and consistent provisioning process?
- How will elevated access be managed in the S/4 HANA, HANA and Fiori systems?
- How will existing security architecture and ownership change as a result of SAP’s role-based user experience strategy?
Integration of the New S/4 HANA Architecture With Access Control
Moving to S/4 HANA means that the new architecture will have to be integrated into the company’s existing Access Control environment. The ability to perform risk analysis and user provisioning activities to the HANA database has been available since the intro- duction of Access Control 10.1. With Fiori and HANA, end users may need access to additional security roles on the Fiori and HANA systems. Enabling provisioning functionality to these systems is imperative to ensure a consistent end-user experience and allow access to be requested and provisioned utilizing existing automated processes.
SAP.com – GRC Solutions Road Map
SAP Note 2229853 – GRC and SAP S/4HANA oP: compatibility information
2 Minute video – How to connect to SAP GRC WhatsApp Channel
SAP Community WIKI – Governance, Risk and Compliance Home
SAP Help Portal – SAP Solutions for Governance, Risk, and Compliance (GRC)
SAP Help Portal – SAP Assurance and Compliance Software for SAP S/4HANA
SAP Help Portal – SAP Access Control including upgrade guide
SAP Help Portal – SAP Risk Management upgrade guide
SAP Help Portal – SAP Process Control upgrade guide
SAP Help Portal – SAP Assurance and Compliance Software upgrade guide