Woulda Coulda Shoulda
After completing one of our projects, the customer was surprised that it finished within the original time frame. Many customers finish a project, compare notes with another customer, and discover that the same work was done elsewhere in less time. "But every customer is different," they say. Here is a story about a customer who did not do their homework before embarking on an upgrade project: the company hired the least costly bidder, and although the project was completed, it seemed to drag on and on. For the next upgrade, the customer looked at independent consultants in addition to the familiar big firms. At first glance the independent consultant's hourly rate was almost as high. However, that consultant's experience and know-how meant the upgrade needed far fewer hours, and only one resource rather than several. Several firms had quoted multiple resources, yet with the experienced independent consultant the project required only one person and less time. The customer hired the independent consultant and remarked on how quickly and inexpensively the upgrade was completed compared to the last one.
We have seen estimates for upgrades with no difference in scope range from $85,000 to $225,000. Do the hourly rates really explain that spread?
The moral of the story is that customers who do their homework and get a good handle on how much time a task should require will spend less money and have a better chance of succeeding. Working smarter lets the customer get more for their money. The more the customer knows about the task, the better, because there are two factors at work: the hourly rate and the time to complete.
What is your experience with GRC Access Control (AC) implementations and upgrades? Did you require multiple consultants? Was the project completed in weeks, or did it stretch into years?
This week I am giving one example of a customer who had unexpected audit findings on their existing GRC implementation. Many companies treat GRC like a project with an end date. It is a journey: it needs ongoing processes for regular maintenance and enhancement so that the implementation stays aligned with changes in the business and in the technology landscape. Without those processes, the customer's rules and procedures become outdated.
In this case, the external auditors found the rules for Segregation of Duties (SoD) and critical access monitoring insufficient. Some rules contained risks that were irrelevant to the business, and custom and newly introduced transactions had not been reviewed or evaluated for relevance to the rule set. In other instances, users were reported with risks that were not correct, because the standard rule set delivered by SAP had been adopted without adequate testing, and changes to it were neither documented nor justified.
These rule deficiencies led the auditors to challenge the risk analysis itself, and they found erroneous results: some risks were being reported that did not exist. In addition, thousands of mitigating controls had been created against risks, and audit found many of them to be bogus or not actually being executed. Because a risk with an assigned mitigating control is suppressed from the reports, those controls were hiding many legitimate risks.
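To make that finding concrete, here is an added example (not the post's code and not SAP's) of a toy SoD and critical-access analysis in Python. The business functions, risk IDs, user assignments, mitigating controls and dates are all constructed for illustration; the SAP transaction codes appear only as sample data, and the grouping is not SAP's delivered rule set. The `reportable()` function shows the difference between a report that hides any risk with a control assigned and one that hides only risks whose control has actually been evidenced, and the `unmapped` output lists custom transactions the rule set never evaluated.

```python
"""Toy SoD / critical-access analysis showing how mitigating controls suppress
risks and how to surface controls that were never actually executed.
All rule-set, user and control data here is constructed for illustration;
it is not SAP's delivered rule set."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Business functions -> transaction codes.  The tcodes are real SAP ones,
# but this grouping is a simplified illustration, not the delivered rule set.
FUNCTIONS: Dict[str, Set[str]] = {
    "CREATE_VENDOR": {"FK01", "XK01"},
    "PAY_VENDOR": {"F110", "F-53"},
    "MAINTAIN_USERS": {"SU01"},
    "CHANGE_ROLES": {"PFCG"},
}
# SoD risk -> pair of functions that must not be held by one user (constructed IDs).
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "P001": ("CREATE_VENDOR", "PAY_VENDOR"),
    "B001": ("MAINTAIN_USERS", "CHANGE_ROLES"),
}
# Critical-access risk -> single function that is sensitive on its own.
CRITICAL_RULES: Dict[str, str] = {"C001": "CHANGE_ROLES"}


@dataclass(frozen=True)
class Mitigation:
    control_id: str
    last_executed: Optional[date]   # None: no evidence the control was ever performed


@dataclass(frozen=True)
class Finding:
    user: str
    risk: str
    status: str                     # "open" | "mitigated" | "mitigation_not_evidenced"
    control_id: Optional[str] = None


def functions_for(tcodes: Set[str]) -> Tuple[Set[str], List[str]]:
    """Functions the tcodes enable, plus tcodes no function covers (e.g. unreviewed Z* customs)."""
    enabled = {fn for fn, codes in FUNCTIONS.items() if codes & tcodes}
    covered = set().union(*FUNCTIONS.values())
    return enabled, sorted(tcodes - covered)


def classify(user: str, risk: str, mitigations, as_of: date, max_age_days: int) -> Finding:
    """A mitigation only counts if it was evidenced within max_age_days of as_of."""
    m = mitigations.get((user, risk))
    if m is None:
        return Finding(user, risk, "open")
    stale = m.last_executed is None or (as_of - m.last_executed).days > max_age_days
    return Finding(user, risk, "mitigation_not_evidenced" if stale else "mitigated", m.control_id)


def analyze(user_tcodes, mitigations, as_of: date, max_age_days: int = 90):
    """Return (findings, unmapped): unmapped lists each user's tcodes that fall outside the rule set."""
    findings: List[Finding] = []
    unmapped: Dict[str, List[str]] = {}
    for user, tcodes in user_tcodes.items():
        enabled, uncovered = functions_for(set(tcodes))
        if uncovered:
            unmapped[user] = uncovered
        for risk, (a, b) in SOD_RULES.items():
            if a in enabled and b in enabled:
                findings.append(classify(user, risk, mitigations, as_of, max_age_days))
        for risk, fn in CRITICAL_RULES.items():
            if fn in enabled:
                findings.append(classify(user, risk, mitigations, as_of, max_age_days))
    return findings, unmapped


def reportable(findings: List[Finding], require_evidence: bool) -> List[Finding]:
    """What a risk report shows.  require_evidence=False hides any risk that has a control
    assigned (the behaviour that surprised the customer); True hides only evidenced controls."""
    hidden = {"mitigated"} if require_evidence else {"mitigated", "mitigation_not_evidenced"}
    return [f for f in findings if f.status not in hidden]


# Constructed sample data: users, their tcodes, and assigned mitigating controls.
USER_TCODES = {
    "AP_CLERK": {"FK01", "F110", "ZVEND_UPLOAD"},   # SoD conflict plus an unreviewed custom tcode
    "BASIS_ADMIN": {"SU01", "PFCG"},                 # SoD conflict plus critical access
    "AUDITOR": {"ZAUDIT_RPT"},                       # only a custom tcode nobody mapped
}
MITIGATIONS = {
    ("AP_CLERK", "P001"): Mitigation("MC-0007", last_executed=None),              # defined, never executed
    ("BASIS_ADMIN", "B001"): Mitigation("MC-0012", last_executed=date(2024, 1, 15)),
    # ("BASIS_ADMIN", "C001") deliberately has no control assigned
}
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    found, unmapped = analyze(USER_TCODES, MITIGATIONS, AS_OF)
    print("Naive report  :", [(f.user, f.risk) for f in reportable(found, False)])
    print("Evidenced only:", [(f.user, f.risk) for f in reportable(found, True)])
    print("Unmapped tcodes (need review):", unmapped)
```

Run as written, the naive report shows only the BASIS_ADMIN critical-access risk, while the evidence-aware report also surfaces the AP_CLERK vendor-create/vendor-pay conflict whose control MC-0007 was assigned but never executed; the two Z* transactions are listed as never having been evaluated against the rule set.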
Rule maintenance and the mitigating control process are two items that appear on most audit checklists. So don't get surprised!
Assorted Members of the CAG Team providing insightful information on current topics related to GRC, Security, and Audit.