Governance, Risk, and Compliance (GRC) in SAP S/4HANA Cloud 2008
This blog provides you with the latest and greatest innovations that our SAP S/4HANA Cloud 2008 release has in store for you in the area of Governance, Risk, and Compliance. As illustrated in my last blog on Governance, Risk, and Compliance (GRC) with SAP S/4HANA Cloud 2005, we continue to deliver exciting new business cases regarding the automated provisioning of business users and roles with SAP Cloud Identity Access Governance and the detection of privacy risks with SAP Privacy Governance. When it comes to International Trade, we introduce sales orders without charge as a new document type for our trade compliance checks.
Watch my video to get a quick overview of our SAP S/4HANA Cloud 2008 highlights for Governance, Risk, and Compliance:
In this blog, I will illustrate the following topics:
- Enhanced Automated Provisioning via SAP Cloud Identity Access Governance
- Out-of-the-Box Rule Sets for Access Risk Analysis
Let’s start right off with the first topic, which is the enhanced automated provisioning via SAP Cloud Identity Access Governance. The corresponding scope item is called 3AB. You might remember this innovation from the 2005 release. If you are interested in a quick introduction to SAP Cloud Identity Access Governance and/or the business cases covered with the 2005 release, I highly recommend reading my 2005 GRC blog.
With 2008, the number of supported HR events in SAP SuccessFactors that can trigger the automated provisioning of business users and roles from SAP Cloud Identity Access Governance to SAP S/4HANA Cloud has been extended with international transfers, global assignments, concurrent employments, and contingent workers.
In the case of international transfers, the first step is that the employee’s old employment in SuccessFactors is terminated. As a result, the business roles are unassigned from the business user and the business user itself is deleted in SAP S/4HANA Cloud. It is recommended to implement the international transfer of employees to a new country and a different legal entity within the company’s organization by terminating the old employment and rehiring the employee under the new employment. This is because most payroll systems don’t accept legal entity changes within an active employment.
Fig. 2: With SAP S/4HANA Cloud 2008, the enhanced automated provisioning via SAP Cloud Identity Access Governance enables the automated provisioning of users and roles in SAP S/4HANA Cloud based on employee events in SAP SuccessFactors.
My next topic is the new preconfigured cross-system rule sets for access risk analysis in Cloud Identity Access Governance for SAP S/4HANA Cloud, SAP Cloud SuccessFactors, and SAP Ariba. These predefined rule sets are important for access risk analysis, which is one of the services of Identity Access Governance. The beauty of these rule sets is that they allow you to jump-start your activities around access risk analysis across the intelligent enterprise, meaning across SAP S/4HANA, SuccessFactors, and Ariba. Rule sets define categories or groupings of rules. A rule set is used mainly for determining the group of access risks that are to be used when running an access risk analysis.
With the Access Risk Analysis service, you can, for example, review employee access as part of your quarter-end audit. From the Access Analysis Overview Dashboard, you can analyze, for example, risks by risk level, risk trends by quarter, and users by risk score. You can drill down on users for more detailed information, such as which business roles are assigned to that user and which risks are associated with these roles. You can see the role effectiveness, meaning how often the user has used the respective role. In addition, you can display the compliance score of the user, which tells you to what extent the risks associated with the roles assigned to the user have been addressed. You can remediate these risks, as they make the company vulnerable, and you can refine them to reduce the risk. The service proposes solutions, for example to remove business roles which are used infrequently or not at all. For other risks, you can, for example, assign controls to monitor the risk periodically.
Fig. 3: With SAP S/4HANA Cloud 2008, you can benefit from out-of-the-box rule sets in SAP Cloud Identity Access Governance for SAP S/4HANA Cloud, SAP SuccessFactors, and SAP Ariba
My next topic is privacy risk detection with SAP Privacy Governance. The corresponding scope item is called 3KX. Similar to my first highlight, you might remember this topic from the 2005 release. If you are interested in a quick introduction to SAP Privacy Governance and/or the business cases included in the 2005 release, I highly recommend reading my 2005 GRC blog.
Privacy risk detection with SAP Privacy Governance is about detecting breaches against data privacy regulations in SAP S/4HANA by integrating SAP S/4HANA Cloud with SAP Privacy Governance. As we all know, the use of personal information is strictly regulated by various data privacy regulations such as GDPR and the California Consumer Privacy Act (CCPA) and companies face privacy risks and potentially large fines when collecting and processing personal information inappropriately. By integrating SAP S/4HANA Cloud with SAP Privacy Governance, you can automatically detect data privacy anomalies in your connected SAP S/4HANA system as Privacy Governance can retrieve data from S/4HANA Cloud through an OData service for later processing and analysis.
With 2005, we supported the processing of sales order and HR data.
Now, with 2008, we have added additional detection scenarios for purchase orders, purchasing info records, and infotypes. This means you can:
- Detect purchasing info records which are not destroyed correctly based on the retention rules.
- Detect purchase orders which are not destroyed correctly based on the retention rules.
- Check whether an ILM policy/rule has been set up for infotypes containing personal data.
As of 2008, we not only support this with S/4HANA Cloud but also with S/4HANA On Premise systems.
Fig. 4: With privacy risk detection with SAP Privacy Governance, compliance specialists can detect purchase orders in SAP S/4HANA Cloud which have not been destroyed correctly based on retention rules
If you are interested in a quick introduction to International Trade in SAP S/4HANA Cloud, I highly recommend reading my last blog on Governance, Risk, and Compliance (GRC) with SAP S/4HANA Cloud 2005.
What is New with 2008
In the area of trade compliance, we offer three different checks for import and export processes: embargo checks, legal control, and SAP Watch List Screening. Now with SAP S/4HANA 2008, we introduce an additional document type to be included in our compliance checks on the export side: sales orders without charge.
Let’s look at embargo checks in a bit more detail: Currently, we support import embargo checks for purchase orders, purchasing contracts, as well as purchasing scheduling agreements. On the export side, we cover sales orders, sales contracts, outbound deliveries, and – as of SAP S/4HANA 2008 – sales orders without charge.
With legal control, the situation is as follows: Legal control allows you to manage legal control rules for white and black listing and provides you with an overview of assigned document items based on legal control licences. On the import side, we support purchase orders and purchasing scheduling agreements. When it comes to the export side of the house, we cover sales orders, outbound deliveries, stock transfer orders, and – as of SAP S/4HANA 2008 – sales orders without charge.
When it comes to SAP Watch List Screening, we support import checks for purchase orders, purchasing contracts, and purchasing scheduling agreements. Export checks are covered for sales orders, sales contracts, outbound deliveries, and – as of SAP S/4HANA 2008 – sales orders without charge. Please note that for the usage of the Watch List Screening, a separate licence is required.
Fig. 5: With SAP S/4HANA Cloud 2008, International Trade supports trade compliance specialists with sales orders without charge as new document type
Detailed Explanation of Demo Video
In the attached demo video, you see how an internal sales representative creates a sales order without charge in the system. In the next step however, when we log on as a shipping specialist and try to create an outbound delivery with reference to the sales order, the system displays an error message saying the legal control functionality of international trade blocks schedule lines 001 and 002. The reason for this is that the product used in the sales order requires classification and license information.
Next, we log on to the system as a trade compliance specialist and open the ‘Resolve Blocked Documents – Trade Compliance’ app. I search for my sales order number to find out the blocking reason. I see that there is a classification missing. When I look at the details, I see that in this case, the commodity code and the custom tariff no. fields have not been filled in. After I enter the respective information, the system automatically performs a background check to determine whether additional information needs to be entered. In this case, there is still an official license number missing. I enter the respective license from the authorities, which allows me to ship this product to a customer. After saving, the document is gone from the list of blocked documents as all issues are solved. In the second app for trade compliance, the ‘Manage Documents – Trade Compliance’ app, I can display the status of legal controls, embargoes, and SAP Watch List Screening. In addition, I can display licenses that are assigned to the business transaction, and which classifications are present.
As a last step, I log on as a shipping specialist again and start to create an outbound delivery with reference to the sales order. This time the process works without interruption and we can save the outbound delivery.
For more information on SAP S/4HANA Cloud, check out the following links:
- SAP S/4HANA Cloud release info: http://www.sap.com/s4-cloudrelease
- Sven Denecken’s SAP S/4HANA Cloud 2008 Release Blog
- Link Collection – Governance, Risk and Compliance (GRC) with SAP S/4HANA Cloud
- Microlearnings for SAP S/4HANA Cloud
- Inside SAP S/4HANA Podcast
- Best practices for SAP S/4HANA Cloud
- SAP S/4HANA Cloud Customer Community
- Feature Scope Description
- What’s New
- Help Portal Product Page
- Implementation Portal