Our series in 2014 will focus on real customer experiences. Actual results and problems will be described so you can use the information, comment, question or just share with others.
What is the business case for an Upgrade to SAP GRC 10?
Like many customers, this customer was on an older version of SAP GRC and their maintenance was to expire in 2014. The customer was faced with either paying a higher extended maintenance fee to stay on the existing version or upgrade to the newer version and pay the regular maintenance fee. In fact, the oldest version for some customers on the “Virsa” 4.0 version will no longer be supported as of December 2013. For the 5.x versions, the approximate increase in annual fees for extended maintenance amounts to about $3,000 per $100,000 of license costs for most customers. Taking this into account upgrading to the new version avoided an increased license cost of up to $40,000. This was the first part of their business case for their upgrade project.
In addition, there were two overdue tasks, which had been ignored but were necessary to bring their system up-to-date. One was the addition of custom transactions, which were added to their system, into their SoD matrix. Best practices call for this to be part of the change management process so new transactions can be added as they are implemented. However, there were many that had occurred since the original installation and catching up would take quite a bit of research and testing time. The approximate cost for research and testing were $300 per transaction based on internal IT and Business personnel costs. In this case there were 20 transactions and would make the cost $6,000.
Another area, which required some updating, was mitigating controls. Another best practice process is to provide a regular cycle to review mitigating controls to ensure they are still adequate to cover the users who have to execute SoD transactions. This is an area, which gets scrutinized during external audits. Common findings during audits often are mitigating control is ignored or inadequate for the risks. In addition, auditors are looking at controls over the rule changes. In the new version there are automated steps, which help track and approve rule changes. And the review and updating of mitigating controls could amount to $500 per mitigating control based on the internal costs of both IT and business personnel’s time to review and update. And the review of existing rules could involve at least a week and drafting a process for change control. Another key aspect is the integration with Process Control for mitigating controls. Older versions required duplicate maintenance for SoD mitigating controls. However, many times these are the same controls. And if Process Control is implemented the validation of the controls periodically is done as a regular part of the internal control testing. Another manual task for maintenance eliminated.
So both mitigating control reviews and rule change tracking are essential to pass upcoming audits. The internal costs associated with the review and updating of these two issues based on internal costs, which could be avoided and completed as part of the upgrade. The following were the principal costs against which the Return on Investment from an upgrade could be calculated:
Extended Maintenance Costs: $40,000
Rule Review, Enhancements for Custom transactions: $11, 000
Mitigating Control review and updating: $50,000
These costs will be higher the bigger the organization. The factors are the number of rules, and mitigating controls. Other customers may want to look at these costs when deciding to justify their upgrade to their management. Some of the same metrics apply to companies who have older versions on Process Control as well. Perhaps there are other costs that you might suggest to others as well. Please do so by posting a comment!