March 2014
ERP MAESTRO
Automated Security & Access Controls Through the Cloud
Solution Viewpoint
Governance, Risk Management & Compliance Insight
INNOVATOR 2014
TABLE OF CONTENTS
Executive Summary ... 3
Growing Need for Access Control and Segregation of Duties ... 3
However, Existing Access Control/SoD Solutions are Out of Reach for Many ... 4
ERP Maestro: An Integrated Capability for GRC Management & Analytics ... 4
The Value of ERP Maestro ... 4
Capabilities of ERP Maestro ... 6
Considerations About ERP Maestro ... 6
GRC 20/20's Final Perspective ... 7

TALK TO US... We look forward to hearing from you and learning what you think about GRC 20/20 research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC-related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.
EXECUTIVE SUMMARY

Organizations face increased pressure to ensure that business applications such as Enterprise Resource Planning (ERP) systems are secure and that access control risks are managed in the context of a dynamic business environment. Segregation of Duties (SoD), inherited rights, critical and super user access, and changes to roles are too much for today's organization to manage adequately in manual processes involving spreadsheets, documents, and email; these processes are time-consuming, prone to mistakes and errors, and can leave the business exposed. By automating access controls, organizations take a proactive approach to avoiding risk while cutting down the cost and time required to maintain controls, be compliant, and mitigate risk. However, automated access control/SoD solutions are known to be exorbitantly expensive and to take a considerable amount of consulting resources and time to implement. ERP Maestro is an innovative access control/SoD solution that GRC 20/20 has researched; it takes a cost-effective approach by using the cloud to make automated access control/SoD efficient and agile as well as effective. ERP Maestro has proven that it is as effective as or more effective than its competitors in access control and SoD, but it does this at a fraction of the cost to implement and maintain.

GROWING NEED FOR ACCESS CONTROL AND SEGREGATION OF DUTIES

Business is all about change. Change is the single greatest governance, risk management, and compliance (GRC) challenge today. Today's organization is in a continuous state of change, starting with shifting employees: new ones are hired, others change roles, while others leave or are terminated. As your business relationships change with suppliers, vendors, contractors, outsourcers, service providers and temporary workers, each will have access to internal systems at different times. These businesses also have constantly changing employees.
Business processes and technology change at a rapid pace. In the context of change, internal controls over financial reporting, regulatory requirements (e.g., SOX), internal and external auditors, and fraud risk put increased pressure on corporations to ensure ERP systems are secure and access control risks are managed in the context of a dynamic business environment. Growing exposure to risk and increasing regulation require greater oversight of access to critical ERP systems, with audit validation.

Access control is not just about compliance; it is also about consistent operations. The organization needs segregated and defined responsibilities and processes that are reliable and behave consistently. Access control delivers a structured system of access governance that enables processes to work as intended without malicious or inadvertent issues.

To address access control risk, organizations are establishing a strategy for access control and SoD, with process and technology to build and maintain an access control program that balances business agility, control, and security to mitigate risk, reduce loss/exposure, and satisfy auditors and regulators while enabling users to perform their jobs. SoD, inherited rights, critical and super user access, and changes to roles are too much for today's organization to manage adequately in manual processes involving spreadsheets and email.

2014 GRC 20/20, LLC; Licensed to ERP Maestro for Redistribution. Solution Viewpoint, www.grc2020.com, page 3
Surprisingly, many organizations still use these document-centric and manual processes to manage access control and SoD risk. This is primarily done through spreadsheets, word processing documents, and email. Not only are these approaches inefficient and ineffective, slowing the business down, but they introduce greater exposure to risk and noncompliance, as it is nearly impossible to keep up with the changing pace of the business.

The challenge of managing access control in the ERP environment is burdensome when done with manual and document-centric approaches. The typical organization runs a combination of security and access reports, and compiles access information into documents and spreadsheets that are sent out via email (used as an improvised workflow tool) for review and analysis. At the end of the day, significant time is spent running reports and compiling and integrating that information into documents and spreadsheets to send out for review. This ends up costing the organization in wasted resources, errors in manual reporting, and audit time spent drilling into configurations and testing access controls in the ERP environment. Organizations often miss things, as there is no structure of accountability with audit trails. This approach is not scalable and becomes unmanageable over time. It leads to a false sense of control due to reliance on potentially inaccurate and misleading results produced by errors in manual access control processes.

Access control and SoD issues multiply when you consider the complex interrelationship of different ERP instances and access across the business environment. Organizations struggle to manage access risk within one instance of ERP; managing access across multiple ERP systems causes an exponential growth in time and resources when done by a manual and document-centric approach. In a heterogeneous environment, these challenges only become more complicated.
The bottom line: manual approaches to managing access in the ERP environment are time-consuming, prone to mistakes and errors, and leave the business exposed. By automating access controls, organizations take a proactive approach to avoiding risk while cutting down the cost and time required to maintain controls, be compliant, and mitigate risk.

HOWEVER, EXISTING ACCESS CONTROL/SOD SOLUTIONS ARE OUT OF REACH FOR MANY

To meet this challenge there are robust and effective access control/SoD solutions on the market. However, they have only been effective for large organizations with the budget to embrace them. While effective in these circumstances, these solutions are not efficient (in human and financial capital) or agile. Automated access control/SoD solutions are known to be exorbitantly expensive and to take a considerable amount of consulting resources and time to implement. These solutions remain out of reach for many organizations while the pressure from auditors to be thorough in access control and SoD controls continues to build. The large software fees, hardware costs, consultant fees and complex training projects remain a challenge today for organizations of all sizes, particularly small to medium sized organizations, wishing to implement access control/SoD solutions. Existing solutions, while often effective in addressing the SoD and access control risk, cost too much in capital and time to implement. Average costs to implement these solutions have been similar to the following:

Software. These solutions come with initial product price tags of $300,000 - $500,000 (in many cases even more). That is just to purchase the solutions; implementation, maintenance, and upgrade costs add to this.
Consulting. Consulting time to implement these solutions can take up to 6 months or more to complete, at an additional cost of $200,000 - $300,000 (or more).
Hardware & IT resources. There are also hardware and IT resource costs, as these solutions require the use of capital-intensive corporate servers, and IT staff to oversee the installation, operations, and maintenance of these solutions.

ERP MAESTRO: AN INTEGRATED CAPABILITY FOR GRC MANAGEMENT & ANALYTICS

ERP Maestro is a GRC (governance, risk management, and compliance) solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in distributed and dynamic business environments. The solution is innovative as it takes a cost-effective approach by using the cloud to make automated access control/SoD efficient and agile as well as effective. ERP Maestro delivers on GRC value by enabling management of access governance, risk management, and compliance across the SAP ERP environment.

THE VALUE OF ERP MAESTRO

Successful GRC delivers the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and have the agility to meet the demands of a changing business environment. GRC solutions should achieve better performing processes that utilize more reliable information. This enables a better performing, less costly, more flexible business environment. Focusing on the challenge of managing access in ERP environments, GRC 20/20 interviewed several organizations using ERP Maestro to determine their overall experience.
These interviews included a Big 4 advisory/accounting firm, a global security & asset protection company with 69,000 employees, and a global post-IPO manufacturer. Each articulated value they have achieved in greater efficiency, effectiveness, and agility for their business and its operations. By consolidating a variety of approaches (from manual processes, documents, spreadsheets, and e-mail as workflow to custom-developed solutions or other software solutions), they were able to drive greater levels of efficiency, effectiveness, and agility in their ERP environment and related business processes.

GRC Efficiency

GRC solutions provide efficiency and savings in human and financial capital resources. Technology solutions that support business and GRC processes reduce operational costs by automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in the human and financial capital resources needed to address GRC in the context of business operations. The organizations researched by GRC 20/20 identified the following efficiencies in their access control and SoD processes as a direct result of implementing ERP Maestro:

Minimized staff resources and time in addressing access controls and segregation of duties in their ERP environment.
Reduced implementation time & cost by leveraging ERP Maestro's cloud approach.
Automation of provisioning, certification, and review by the business.
Reduction in internal audit time to assure that access controls and SoD are enforced in the ERP environment.
Expectation of a potential reduction in external audit fees for evaluating access control and SoD in providing assurance.

Of particular note: automated access control and SoD solutions are known to be exorbitantly expensive and to take a considerable amount of resources to implement.
ERP Maestro's solution provides access control, SoD and sensitive access analytics and reporting over a completely cloud-based architecture. With a cloud-based access control solution, customers receive the cost benefits of a multi-tenant environment as well as the exclusivity and security of a dedicated server.

GRC Effectiveness

GRC solutions achieve effectiveness in risk, control, compliance, audit, and business process. This is delivered through greater assurance of the design and operational effectiveness of controls to mitigate risk, achieve performance, protect the integrity of the organization, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators. The organizations GRC 20/20 interviewed reported the following effectiveness in their access control and SoD processes as a direct result of implementing ERP Maestro:

Reduction in reporting errors that were inherent in manual processes.
Ease of integration and implementation with their ERP environment.
Accuracy and elimination of the false positives that competitive solutions had produced in the environment.
Audit effectiveness in being complete in access control and SoD analysis, as opposed to random sampling.
Access risk intelligence to understand where risks were and to be able to monitor them.
Removal of manual processes that were ineffective as controls.

Note: one organization set up five test cases when testing ERP Maestro, thinking that is all it would find. ERP Maestro actually found six: it discovered another issue in the environment that the organization was entirely unaware of.

GRC Agility

GRC solutions deliver business agility when organizations are able to rapidly respond to changes in the internal business environment (e.g. employees, business relationships, operational risks, mergers and acquisitions) as well as the external environment (e.g. economic risk, new laws, and regulations). GRC agility is also achieved when organizations can identify and react quickly to control failures/weaknesses, non-compliance, and adverse events in a timely manner so that action can be taken. The organizations interviewed reported the following agilities in their access control and SoD processes as a direct result of implementing ERP Maestro:

Speed of fulfilling access audits/assessments went from weeks in manual processes with random sampling to a matter of hours for a complete review.
Ability to quickly integrate new ERP systems using an easy-to-install agent with ERP Maestro's cloud-based architecture.
Closed-loop access control and elimination of partial random sampling.
Agility through consistency in regular automated monitoring and reporting.
Shared resources in the cloud-based architecture allow for scalability of processing when it is needed, getting the job done quicker than what competitors offer.

CAPABILITIES OF ERP MAESTRO

The ERP Maestro Access Analyzer solution is innovative as it is contained within a cloud-based architecture that dynamically grows and shrinks based on demand. The solution provides SoD and sensitive access analytics and reporting over this completely cloud-based architecture. Their unique reporting graphically identifies risks and remediation paths. With a cloud-based delivery mechanism for an access control solution, customers receive the cost benefits of a multi-tenant environment and the exclusivity and security of a dedicated server. The cost savings associated with on-demand allocation of servers are passed on to the subscribing customer, allowing small to medium enterprises to afford an enterprise access control solution. The solution is innovative as it pools a massive amount of cloud-based resources to provide on-demand server allocation as a dedicated server when needed by the client, while dormant servers are deactivated or recycled to other customers. The solution is contained within a deployment that dynamically grows and shrinks based on its demand (the number of organizations using the system). End users have anywhere, anytime access to a web interface that allows them to connect to their ERP system (SAP is the only ERP currently supported by ERP Maestro). The data is securely analyzed using an on-demand, dedicated server located in a server farm, then the results are compiled into multiple reports for consumption.
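The analysis this report describes in the executive summary (SoD, inherited rights, critical and super user access) and in the capabilities list (identifying user/role conflicts, sensitive access, what-if user simulations) can be illustrated with a small rule engine. The following is an added example written for this page, not ERP Maestro's code and not a real SoD ruleset: the role names, transaction codes, composite-role nesting and rule identifiers are constructed assumptions in the style of SAP authorizations. It resolves the transaction codes a user effectively holds (following composite roles recursively, which is where inherited rights come from), checks them against SoD rules and a sensitive-access list, and simulates what a proposed role assignment would add.

```python
"""Added example (not ERP Maestro's code): minimal SoD / sensitive-access
analyzer over constructed SAP-style data.  Role names, transaction codes,
rule ids and the ruleset are illustrative assumptions, not a real ruleset."""

# Constructed sample: single roles -> transaction codes they grant.
SINGLE_ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02", "XK01"},   # create/change vendor master
    "Z_AP_INVOICE":      {"FB60", "MIRO"},           # post vendor invoices
    "Z_AP_PAYMENT":      {"F110"},                   # run the payment program
    "Z_DISPLAY_ONLY":    {"FK03", "FB03"},           # display vendor / documents
    "Z_BASIS_ADMIN":     {"SU01", "PFCG"},           # user and role administration
}
# Composite roles inherit everything the roles they contain grant (may nest).
COMPOSITE_ROLES = {
    "Z_AP_CLERK":      ["Z_AP_INVOICE", "Z_DISPLAY_ONLY"],
    "Z_AP_SUPERVISOR": ["Z_AP_CLERK", "Z_AP_VENDOR_MAINT"],
}
# Constructed user -> role assignments.
USERS = {
    "ALICE": ["Z_AP_CLERK"],
    "BOB":   ["Z_AP_SUPERVISOR"],
    "CAROL": ["Z_DISPLAY_ONLY", "Z_BASIS_ADMIN"],
}
# Business functions expressed as the transaction codes that perform them.
FUNCTIONS = {
    "MAINTAIN_VENDOR": {"FK01", "FK02", "XK01"},
    "POST_INVOICE":    {"FB60", "MIRO"},
    "RUN_PAYMENTS":    {"F110"},
}
# SoD rules: pairs of functions one person must not be able to perform together.
SOD_RULES = {
    "AP01": ("MAINTAIN_VENDOR", "POST_INVOICE"),
    "AP02": ("POST_INVOICE", "RUN_PAYMENTS"),
    "AP03": ("MAINTAIN_VENDOR", "RUN_PAYMENTS"),
}
# Critical / super user transactions that are reported wherever they appear.
SENSITIVE_TCODES = {"SU01", "PFCG"}


def expand_role(role, seen=None):
    """Transaction codes a role grants, following composite-role nesting
    recursively.  `seen` guards against cyclic composite definitions."""
    seen = seen if seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    if role in SINGLE_ROLES:
        return set(SINGLE_ROLES[role])
    tcodes = set()
    for child in COMPOSITE_ROLES.get(role, []):
        tcodes |= expand_role(child, seen)
    return tcodes


def effective_tcodes(roles):
    """Union of the rights inherited through every assigned role."""
    tcodes = set()
    for role in roles:
        tcodes |= expand_role(role)
    return tcodes


def functions_held(tcodes):
    """A function is held if the user can run any transaction that performs it."""
    return {name for name, codes in FUNCTIONS.items() if tcodes & codes}


def sod_conflicts(roles):
    """Ids of SoD rules violated by this set of roles, sorted for stable output."""
    held = functions_held(effective_tcodes(roles))
    return sorted(rule for rule, (a, b) in SOD_RULES.items() if a in held and b in held)


def sensitive_access(roles):
    """Critical transactions reachable through the assigned roles."""
    return sorted(effective_tcodes(roles) & SENSITIVE_TCODES)


def analyze_user(user):
    roles = USERS[user]
    return {"user": user, "sod": sod_conflicts(roles), "sensitive": sensitive_access(roles)}


def what_if(user, extra_roles):
    """Simulate assigning extra roles; report only the conflicts that would be new,
    so an approver sees what the request itself introduces."""
    before = set(sod_conflicts(USERS[user]))
    after = set(sod_conflicts(USERS[user] + list(extra_roles)))
    return sorted(after - before)


if __name__ == "__main__":
    for name in USERS:
        print(analyze_user(name))
    print("what-if ALICE + Z_AP_PAYMENT:", what_if("ALICE", ["Z_AP_PAYMENT"]))
    print("what-if BOB + Z_AP_PAYMENT:", what_if("BOB", ["Z_AP_PAYMENT"]))
```

In the constructed data BOB violates AP01 only because Z_AP_SUPERVISOR inherits invoice posting through the nested Z_AP_CLERK composite, which is exactly the kind of inherited right a spreadsheet review of direct assignments tends to miss; CAROL has no SoD conflict but surfaces on the sensitive-access report for SU01 and PFCG. The what-if function is the simulation step: evaluating the request before provisioning keeps the conflict from being created rather than detecting it after the fact.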
While cloud technology isn't new, ERP Maestro's ability to process analytics for hundreds or thousands of clients simultaneously on its analytics engine is indeed new and innovative technology, which empowers them to offer a premium service at a low subscription fee. Interestingly, this can serve as a bridge for companies implementing SAP GRC 10. Large companies want a stopgap solution for the complex implementation process that GRC 10 represents. Some companies are waiting for budget approvals and/or developing a business case. ERP Maestro's solution price point allows it to serve as that stopgap solution to address SoD needs until the SAP GRC solution is implemented.

ERP Maestro is of particular interest to small and medium sized organizations that can now afford the implementation of an enterprise access control solution because of ERP Maestro's model. The entire process is no longer expensive, complex and drawn out, allowing funds to be focused on remediation efforts. The simplicity of their subscription-based service empowers companies that traditionally would not pursue an access control solution to now proliferate the capability and manage the risk of SoD more effectively. Particular capabilities of the ERP Maestro solution allow the organization to:

Identify Access Control Issues
Remediate/Monitor/Resolve Access Risk
Reduce Sensitive Access Risk
Audit Access Authorizations
Meet Regulatory Requirements
Prevent Fraud & Embezzlement
Manage & Mitigate User/Role Conflicts
Run What-If User Simulations

CONSIDERATIONS ABOUT ERP MAESTRO

Every solution has its strengths and weaknesses, and may not be the ideal fit for all organizations in all situations.
While GRC 20/20 has identified a lot of positive things about ERP Maestro and their innovative approach to access control and SoD analytics, readers should not see this as a complete and unquestionable endorsement of ERP Maestro. ERP Maestro is a small solution provider that is young and has a lot of growth potential before it. Small vendors do bring risk as they have not fully established themselves, but ERP Maestro is already showing promising signs, as the technology has proven itself in real-world client implementations that were nearly flawless.
ERP Maestro is also still growing in capabilities. They currently only support SAP but are working to add other ERP solutions. Their solution also does not offer all of the features of some of their established competition, but this is something they are also working on as they grow. They have development projects in process to bring emergency access management and Oracle ERP support in the future.

GRC 20/20'S FINAL PERSPECTIVE

There are successful access control and SoD solutions in the market today that organizations have found very effective, though very expensive to implement and maintain. ERP Maestro is taking a fresh and innovative approach by using a cloud-based architecture to make access control and SoD efficient and agile as well as effective. The major point is efficiency. ERP Maestro has proven that it is as effective as or more effective than its competitors in access control and SoD, but it does this at a fraction of the cost to implement and maintain. Organizations have become conditioned to expect that access control projects have to be costly, lengthy and complex, and are not aware that new and innovative solutions overcome these obstacles. This makes ERP Maestro attractive to small to mid-sized organizations that have always seen access control and SoD solutions as needed, yet previously out of reach. But it also makes ERP Maestro a competitive force for large organizations that want to be as effective in access control and SoD, but with less cost to implement and maintain.

INNOVATOR 2014: ERP Maestro Awarded GRC 20/20's 2014 GRC Technology Innovation Award
ABOUT THE AUTHOR

Michael Rasmussen, J.D., GRCP, CCEP and OCEG Fellow
Chief GRC Pundit @ GRC 20/20 Research, LLC

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) with specific expertise on the topics of enterprise GRC strategy, process, and technologies. He helps organizations improve GRC processes and choose technologies that are effective, efficient and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the Father of GRC, being the first to define and model the GRC market in February 2002.

ABOUT GRC 20/20

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem of GRC solution buyers, professional service firms, and solution providers. We serve the needs of organizations that seek clarity, guidance and advice in dealing with a dizzying array of disruptive issues, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment. Whether focused on a specific risk or regulatory issue, or even enterprise-wide GRC strategy, organizations seek clarity through GRC 20/20. This clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity who understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and the breadth of GRC solution providers.
GRC 20/20 Research, LLC
4948 Bayfield Drive
Waterford, WI 53185 USA
+1.888.365.4560
info@grc2020.com
www.grc2020.com

RESEARCH METHODOLOGY

GRC 20/20 research reports are written by experienced analysts with hands-on experience selecting, developing, and implementing GRC management systems and processes globally for international organizations across industries. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria, regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and best practices. Research facts and representations are verified with actual client references to validate accuracy. GRC solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion. GRC 20/20 uses a combination of sources to gather market intelligence. These include (but are not limited to):

GRC Solution Provider Evaluation Forms. A detailed set of questions covering functional and non-functional aspects of GRC solutions, as well as market factors.
GRC Solution User Surveys. As part of its ongoing research cycle, GRC 20/20 systematically surveys GRC solution users and buyers, eliciting feedback on solution providers, satisfaction levels, and preferences.
Interviews with Subject Matter Experts. GRC 20/20 undertakes comprehensive interviews and briefing sessions with leading industry experts, academics, and consultants to provide insight into market trends, vendor solutions, and evaluation criteria.
Customer Reference Checks. These are telephone and email reference checks with named customers of solution providers to validate strengths and weaknesses, and to assess experience and satisfaction levels.
Vendor Briefings. These are face-to-face and/or web-based briefings and product demonstrations by solution providers. During these sessions, GRC 20/20 asks probing questions to understand the strengths and weaknesses of each provider.
Third Party Sources. GRC 20/20 uses other third-party sources of information such as conferences, academic and regulatory studies, collaboration with leading consulting firms, knowledge providers, and industry associations such as the Open Compliance and Ethics Group (www.oceg.org).

2013 GRC 20/20 Research, LLC. All rights reserved. No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of GRC 20/20. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines established in the client contract. The information contained in this publication is believed to be accurate and has been obtained from sources believed to be reliable. Please note that the findings, conclusions and recommendations that GRC 20/20 delivers in this research are based on information gathered in good faith, whose accuracy we cannot guarantee and which is subject to change. It also consists of opinions of GRC 20/20 analysts and should not be construed as statements of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research should not be construed or used as such.