
IT GRC (GOVERNANCE, RISK AND COMPLIANCE)
ACCESS CONTROL SOLUTIONS

By

NORMAN MALIGA
Student No: 20226594

Minor thesis submitted in partial fulfilment of the requirements for the

BTech: Information Technology


In the Faculty of Applied and Computer Science

VAAL UNIVERSITY OF TECHNOLOGY

Supervisor: Dr A Maneschijn

Johannesburg
June 2011

20226594_Maliga_Norman_Project4 (AIPRJ4B) Page 1


DECLARATION

I, Norman Maliga declare that the contents of this minor thesis represent
my own unaided work, and that it has not previously been submitted for
academic examination towards any qualification. Furthermore, it
represents my own opinions and not necessarily those of the Vaal
University of Technology.

Signature: ..........................................................................



Abstract

Technology and applications have evolved over the past decades to become valued
assets of organizations. Managing resources manually has proven not to be a
favourable way for a business to gain a competitive advantage. Most organizations
came to recognise this obstacle to business performance and opted for an
automated system, such as an IT GRC system, as a means of becoming more efficient
and productive.

This study explores SAP GRC's capabilities and tests users' knowledge of the
benefits that the system holds for automated organizational management. SAP GRC
is an access control system capable of managing an organization's resources and
assuring better use of information in support of critical business decisions.

In this study several independent methods were used to confirm the benefits that
IT GRC provides to the business, across many stakeholders, within organizations
that are currently using the tool. The results show how satisfied most
organizations are with the benefits, and they are confident that proper
implementation of SAP GRC can lead to greater success.

Effective management of risks, compliance and policies have been the priority
outcomes of this study. Companies are able to save cost, effort and time through
this automated access control system, and can therefore concentrate on
capitalizing on opportunities and achieving their main profitability objective.



ACKNOWLEDGEMENTS

I wish to thank:

• My supervisor, Dr A Maneschijn, for his guidance, encouragement and support.
• Management and staff of the companies studied for their time and honesty in
the structured interviews and survey completion.



TABLE OF CONTENTS

Contents Page No

Chapter 1
1. Introduction 6
1.1 Research Questions 8

Chapter 2
2. Literature Survey 9
2.1. Introduction 10
2.2. In context 10
2.3. Conclusion 15

Chapter 3
3. Methodology 17

Chapter 4
4. Results and Findings 21

Chapter 5
5. Conclusions and Recommendations 26

Chapter 6
6. Bibliography 28
Annexure 30



1. INTRODUCTION

Technology has become a key factor in business success. Organizations seek
technology for various reasons: to stay competitive, to achieve operational
efficiency objectives, or to counter a particular deficiency within the business.

One of the more recent developments, whose capabilities are still being proven,
is IT Governance, Risk management and Compliance (IT GRC). With the need for
companies to align business objectives with technology, IT GRC has become the
favoured tool for accomplishing this. It is clear that not all companies
succeed in implementing the tool in its totality, from which it follows that the
system's success is yet to be fully realised. IT GRC combines three distinct
disciplines that in the past existed in silos within organizations, namely
Governance, Risk management and Compliance.

IT governance (e.g. COBIT and King III) focuses on internal policies and on the
performance of information systems, and assures that investments in IT generate
business value. Compliance focuses more on external regulations, standards and
legislation, such as International Organization for Standardization (ISO)
standards and the Sarbanes-Oxley Act (SOX). Although such standards have direct
effects on the business, they also impose restrictions on the IT environment.
Risk management involves managing all activities that can threaten the
achievement of the organization's objectives. Overall, the governance of the
company corresponds with the governance of IT, the control of risk by IT serves
to control risk to the business, and regulatory compliance directly affects IT
(John, 2008).

As the company expands and technology evolves, managing these disciplines
becomes one of the challenges that most companies currently face. This threatens
companies' performance objectives and goals.



Risks are not effectively managed, and the new threats that arrive with new
technology are difficult to track. There is no compliance with internal and
external policies, legislation and standards, because they are managed manually.
This has led to misuse of organizational resources and loss of control within
the organization. Processes are not followed, which makes it harder for
management to make informed business decisions. All of this results in the
company losing money, assets and time.

Adopting a unified IT Governance, Risk management and Compliance (IT GRC)
solution will help the organization manage and monitor the associated activities
from a single point of view. Furthermore, it will ensure accountability within
the organization.

IT GRC enables the three areas to work together effectively. The tool ensures
that the operation of each field is managed centrally and automated. Once the
tool is in place there will be less opportunity for fraud or other irregularities
to occur. The tool can monitor activities and individuals, making sure that no
one holds conflicting roles. It will also be useful during audit periods, as the
company will be complying with the relevant prevailing standards, processes and
policies.

This research study will help clarify whether the tool assists an organization
by making it more efficient and effective. Given the system's capability to
harmonize and monitor activities, the company can then measure and gauge whether
the tool supports its strategy.

Furthermore, the researcher will focus on exploring IT GRC technology on an ERP
(Enterprise Resource Planning) system, namely SAP. Its components and operations
will be investigated, and its capabilities and limitations evaluated.



This research study will be conducted through internet searches, survey analysis
and structured interviews with companies that are using this solution. After the
research, an evaluation will be conducted to see whether GRC solutions reduce
the company's predicament and assist it in achieving its objectives.

After listing the capabilities and the roles that GRC will play, implementation
recommendations will be made and made available to the selected individuals. A
workshop will be run to educate the business. Without proper research and
assessment any project could fail, depriving the organization of business
performance, so every possibility will be considered and examined closely to
minimize the related risks.

The success of this research, and evaluation of the lessons learned within the
expected period, can put an organization ahead of its competitors.

1.1 Research Questions

Will the organization be more efficient and productive after implementation of
IT GRC on a SAP system?

What are the capabilities and limitations of IT GRC?

This project will focus on the implementation of IT GRC in a SAP integrated
environment, which will address issues such as fraud and unauthorized access
throughout the enterprise by intelligently managing resources across IT
environments, allowing authorized exceptions and accelerating the resolution of
violations, all while reducing costs.



2. LITERATURE REVIEW

2.1. Introduction

According to Joseph (quoted by Crisp, 2010), it is much easier to reinforce
compliance and promote IT security awareness throughout all departments of an
organization when IT GRC (Governance, Risk and Compliance) is in place. IT GRC
enables these three disciplines to work together, as they share many
similarities. Used together, they provide a good view of an IT environment and
ensure accountability within a company (Kark, 2008). According to The Metric
Stream (2011), the reliance of business operations on information technology
increases continually. As this reliance increases, the IT environment becomes
more complex, exposing the organization to many threats, risks and
vulnerabilities that directly affect the performance of the organization.

The Metric Stream (2011) also mentions that several regulations have emerged
which require companies to comply, especially in the IT environment. This has
caused CIOs (Chief Information Officers) and IT executives to make IT GRC a top
priority in their organizations, for several reasons. SAPDOC (not dated)
mentions that the primary role of IT GRC was to prevent fraud by making sure
that financial reports are accurate and that money is not leaking out of the
business through unforeseen irregularities. Furthermore, The Metric Stream
(2011) describes the role of IT GRC as activities such as managing IT governance
and policies, tracking IT assets, assessing and responding to IT risks,
implementing IT controls, and measuring compliance with IT controls and
regulatory requirements. This is not all: as technology evolves, new GRC
benefits are still to be discovered as companies explore the tool. Currently the
main concerns are security and the need to mitigate risks.



Organizations increasingly face regulations introduced because of these
concerns. King III is one of the regulations that can lead to criminal charges
if compliance is compromised.

This means that companies without automated IT GRC perform manual management of
documents, testing and checking of things like compliance, which has proven to
be very costly and time consuming (SAPDOC, not dated). Eseyin (2011) adds that
the main reason most executives support this tool within their business is that
it makes their lives easier, a true reflection of technology making everyone's
lives easier.

2.2 In context

As companies struggle to reduce technology barriers, IT GRC has proved to be one
of the most effective software solutions.

IT GRC has become a new attraction in the IT market, to the extent that most ERP
vendors are investing more in this solution (Kevin et al., 2008). Patrick (2007)
argued that ERP vendors and IT companies are not the only ones gaining from this
tool. Banks and other financial institutions are governed by particular
regulations. They face various challenges that compel them to invest in an IT
GRC tool in order to automate processes and manage compliance and security risk
in an understandable manner.

He further stated that financial service industries such as banks highly
appreciate and embrace IT GRC, as they deal with sensitive data, and wherever
there is money there are concerns and a need to tighten controls and mitigate
risks. IT GRC makes it easier for financial institutions to comply with
different regulations and frameworks such as SOX, COBIT, FFIEC and GLBA.



He also emphasizes that most banks spend 80 percent of their time developing,
implementing and testing controls and finding solutions to failed controls. IT
GRC addresses such issues, making the management of information, applications,
systems and networks less complex and more understandable. It provides a
methodology that helps banks reduce time and cost while ensuring that the
institution complies with the related regulations.

Patrick (2007) also stated that if IT GRC is successfully implemented within any
organization, it can result in a meaningful competitive advantage. He mentioned
that another factor making compliance complex within banking institutions is
their dependence on outsourcing, especially to IT service providers. This is not
only a compliance challenge; it also becomes difficult to manage security risks
across outsourced operations, and it brings new accountability challenges. This
can be a challenge for any organization sourcing services from a third party.

He therefore found that any organization receiving services from third parties
should review its current approach to managing those vendors, and ensure that
their compliance and risk data can be encapsulated and aggregated with its own
data easily.

My study will focus on SAP, which I believe to be the leading ERP system at the
moment and applicable to any sort of industry. According to Eseyin (2011), SAP
offers different types of GRC solutions. These include SAP GRC Risk Management,
SAP GRC Process Control, SAP GRC Access Control, SAP GRC Global Trade Services,
and SAP Environment, Health & Safety (SAP EH&S). This study will focus on
exploring SAP GRC Access Control, which Eseyin believes is mainly about ensuring
and enforcing segregation of duties in an organization.



Brett (2010) stretches this further, stating that SAP GRC Access Control is also
a sensitive access management and security monitoring solution. He further
highlighted how SAP GRC helps the business strategically and operationally,
including centrally managing all risk types, such as financial, strategic,
operational and compliance risks, in an automated way.

SAP GRC Access Control is mainly divided into four parts, namely Risk Analysis &
Remediation (RA&R), Compliant User Provisioning (CUP), Superuser Privilege
Management (SPM) and Enterprise Role Management (ERM) (TWC, 2010).

According to John (2009), SPM is used to provide superuser access when there is
an emergency; RA&R is used to identify and remove segregation of duties issues
and to monitor controls; CUP is used to provision user access to the SAP system
and to manage workflow approvals; and ERM is used to create and manage roles,
and to check them for inherent risks, before they are assigned to users.

Finally, he mentioned the reporting capability within SAP GRC, where one can
draw a report about risks, violations, mitigations and actions performed on a
system.
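To make the division of labour between these components concrete, the following
added example (written for this page; it is neither SAP's code nor the thesis
author's) shows how a segregation-of-duties ruleset is evaluated at role level
(the ERM check before a role is released), at user level across all of a user's
roles with mitigating controls (the RA&R check), and as a what-if check on a
provisioning request (the CUP check). The ruleset, role names, user IDs and
control ID are constructed for illustration; the transaction codes are common
SAP codes, but their pairing into risks is an assumption, not SAP's delivered
ruleset. The point the code makes is that two individually clean roles can
combine into a violation on one user, and that a mitigation has an expiry.

```python
"""Illustrative segregation-of-duties (SoD) analysis in the style of SAP GRC
Access Control. All rules, roles, users and control IDs are constructed for
this example; the transaction-code-to-risk pairing is an assumption."""
from dataclasses import dataclass
from datetime import date

# Business functions and the SAP transaction codes assumed to grant them.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"FK01", "FK02", "XK01", "XK02"},
    "VENDOR_PAYMENT_RUN": {"F110", "F-53"},
    "PURCHASE_ORDER_CREATE": {"ME21N", "ME22N"},
    "GOODS_RECEIPT_POST": {"MIGO"},
    "INVOICE_VERIFY": {"MIRO"},
}

# SoD risks: pairs of functions that one person must not hold together.
RISKS = {
    "P001": ("VENDOR_MASTER_MAINTAIN", "VENDOR_PAYMENT_RUN", "High"),
    "P002": ("PURCHASE_ORDER_CREATE", "GOODS_RECEIPT_POST", "Medium"),
    "P003": ("PURCHASE_ORDER_CREATE", "INVOICE_VERIFY", "High"),
}

# Single roles -> transaction codes they authorise (constructed role names).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "F110"},   # conflict inside one role
    "Z_BUYER": {"ME21N", "ME22N"},             # clean on its own
    "Z_WAREHOUSE": {"MIGO"},                   # clean on its own
    "Z_AP_INVOICE": {"MIRO"},                  # clean on its own
    "Z_DISPLAY_ONLY": {"FK03", "ME23N"},       # display transactions only
}

# Users -> assigned roles (constructed user IDs).
USERS = {
    "ASMITH": ["Z_AP_CLERK", "Z_DISPLAY_ONLY"],
    "JDOE": ["Z_BUYER", "Z_WAREHOUSE"],
    "KLEE": ["Z_DISPLAY_ONLY"],
}


@dataclass(frozen=True)
class Mitigation:
    """A compensating control accepted for a user/risk pair, with an expiry."""
    user: str
    risk_id: str
    control_id: str
    valid_until: date


# ASMITH keeps both functions; a monthly payment-run review (constructed
# control ID) is accepted as the compensating control until year end.
MITIGATIONS = [Mitigation("ASMITH", "P001", "MC-017", date(2011, 12, 31))]


def functions_granted(tcodes):
    """Business functions reachable with the given set of transaction codes."""
    return {fn for fn, codes in FUNCTIONS.items() if codes & tcodes}


def risks_for(tcodes):
    """Sorted risk IDs whose two conflicting functions are both granted."""
    held = functions_granted(tcodes)
    return sorted(rid for rid, (a, b, _) in RISKS.items() if a in held and b in held)


def role_level_analysis(roles=ROLES):
    """ERM-style check: roles carrying an SoD conflict before they are released."""
    return {role: risks_for(codes) for role, codes in roles.items() if risks_for(codes)}


def user_level_analysis(users=USERS, roles=ROLES, mitigations=MITIGATIONS,
                        as_of=date(2011, 6, 1)):
    """RA&R-style check: union each user's roles, then split the resulting
    risks into open violations and ones covered by a still-valid mitigation.
    A conflict can arise from two individually clean roles (see JDOE)."""
    if isinstance(as_of, str):                 # allow an ISO date from a CLI
        as_of = date.fromisoformat(as_of)
    report = {}
    for user, assigned in users.items():
        tcodes = set().union(*(roles[r] for r in assigned))
        open_risks, mitigated = [], []
        for rid in risks_for(tcodes):
            control = next((m.control_id for m in mitigations
                            if m.user == user and m.risk_id == rid
                            and m.valid_until >= as_of), None)
            if control:
                mitigated.append((rid, control))
            else:
                open_risks.append(rid)
        report[user] = {"open": open_risks, "mitigated": mitigated}
    return report


def simulate_request(user, new_role, users=USERS, roles=ROLES):
    """CUP-style preventive check: the risks a provisioning request would add,
    shown to the approver before the role is granted."""
    before = set().union(*(roles[r] for r in users[user]))
    after = before | roles[new_role]
    return sorted(set(risks_for(after)) - set(risks_for(before)))


if __name__ == "__main__":
    print("Role-level conflicts:", role_level_analysis())
    print("User-level report:", user_level_analysis())
    print("After mitigation expiry:", user_level_analysis(as_of="2012-01-15"))
    print("Request JDOE += Z_AP_CLERK adds:", simulate_request("JDOE", "Z_AP_CLERK"))
```

Run as a script to see the three reports. Note that JDOE appears clean at role
level but violates P002 at user level, which is exactly the cross-role conflict
a manual role-by-role review tends to miss, and that ASMITH's P001 reappears as
an open violation once the mitigation's validity date has passed.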

Having all of these components installed does not guarantee the success of a
SAP GRC project. John (2009) described some of the challenges that auditors
encounter: excessive access to the system, maintaining segregation of duties,
and managing system access across the entire SAP landscape seem to be at the
top of auditors' lists.

Brett (2010), in one of his presentations, outlined common challenges that can
affect how GRC Access Control adds value to the business.



Technical and implementation challenges:

• Only one module, such as RA&R, is installed, and no timeline has been
established for the other Access Control modules.

• There is no detailed process flow for how Access Control should be used, and
only a single department in the organization is aware that GRC has been
purchased.

• Auditors find issues such as segregation of duties conflicts and sensitive
access, but there are no plans to remediate them.

• The design is based on one business unit only, which might not reflect the
requirements of other business units.

• Whenever new SAP functionality is deployed, no one realizes the potential
impact on the Access Control configuration.

Brett further mentioned that different teams should be involved early; this
includes business process owners, business analysts and the audit team.

Executive management should also be involved when decisions are made on global
considerations, to prevent these challenges from causing the organization to
compromise the value it gets. Having mentioned all the challenges that can be
experienced, IT GRC by far still brings good value to the business. However,
according to French (2010), a number of people are totally against the tool.
They believe that IT GRC does more harm than good and that it is almost
impossible to have the three disciplines working together. He clarified that,
like any other new tool, it will meet opposition. His final word is, "let's not
kill IT GRC yet". People need to understand that IT professionals and the
business realized that there are activities within the organization with
similar characteristics and relationships, and that this is what led to IT GRC.
Gartner Compliance & Risk Management, a research organization, revealed that
organizations should take a proactive approach to reducing the risks that a GRC
tool brings with it. Gartner's agenda focused on the tools, technology,
strategy and tactics needed to improve governance, assess risk and ensure
compliance within organizations. They emphasize that by taking this proactive
approach, a GRC tool will stop incurring costs and start creating value from
both compliance and risk management. It will also build an effective governance
structure for the organization, which will help the business stay compliant and
capitalize on opportunities (Gartner, 2011).

Scott (2004), together with a researcher from Enterprise Management Associates
(EMA), found that IT GRC management is becoming more closely linked to the
overall governance of an organization. Scott, as lead on the research,
mentioned that IT service management best practices play a major role in the
success of IT GRC.

He also mentioned that IT GRC has become a popular technology, and that the
lack of this tool can yield unfavourable results for organizations. He found
that senior managers with limited knowledge of the tool end up not fully
supporting the system. Part of his research was to invite 224 IT and non-IT
professionals to complete a survey aimed at finding out how people feel about
IT GRC. He found that 13 percent of respondents said that their organizations
do not even have a strategy to ensure the confidentiality of sensitive
information within the business. In addition, 29 percent indicated that senior
executives and the board of directors do not properly support IT GRC
initiatives. This strongly suggests that numerous road shows are needed to
educate people about the tool in order to maximize its benefits.



Lack of IT GRC means a lack of controls, which makes several risks more likely
to occur and restricts the ability of IT to deliver tangible value to the
business.

2.3. Conclusions

SAPDOC (not dated) elaborates that the main goal of IT GRC is to assist
organizations in efficiently managing their policies and controls so that all
compliance requirements are addressed, while at the same time bringing together
the information that helps the business operate proactively. Furthermore, the
document emphasizes that IT GRC helps the business gain competitive advantage
through understanding risks and deciding which opportunities should be pursued.
It also helps organizations keep track and raise alerts when things start to go
off track (John, 2008).

IT GRC is not only about complying with certain standards and regulations for
the particular period when the organization is about to be audited.

It is an ongoing process to which everyone involved should commit, in order to
create a culture where compliance with external regulations, enforcement of
internal policies and risk management are automated as much as possible, with
flexibility within the organization. Brett (2010) also emphasized that IT GRC
should be viewed neither as an auditor's tool nor as an IT tool. SAPDOC,
representative of many others, also argues that the C in GRC should stand for
controls, which keep the compliance process in order and make it easier to
monitor process improvements.

Indeed, IT has become an important aspect of every business. As the business
grows and becomes more complex, there is a need to monitor business activities
and resources. IT GRC makes it possible for the company to stay productive, and
issues that threaten the company's objectives are more easily managed.



This solution saves companies cost, time and assets, making it possible to
focus on other important aspects of the business.

The arguments made by French (2010) for killing IT GRC are by far outweighed by
the Gartner research conducted a year later, in 2011. It seems that most people
or companies that are against this tool are so because of a lack of knowledge
of how IT GRC originated and of its potential. Personally, I find it difficult
to understand how any successful company with SAP integration could operate
effectively without IT GRC implemented.



3. METHODOLOGY

IT GRC is not a new term. The combination of these three components (namely
Governance, Risk and Compliance) has made it possible for organizations to
manage their compliance resources more efficiently. The IT GRC tool can interact
with every department of the business, and with many stakeholders, at the same
time. The method for finding out more about IT GRC involved approaching
different stakeholders: the Chief Information Officer (CIO), auditors, SAP
managers and ordinary system users. The following main methods were used in the
research study:

Survey

Questions within the survey were formulated to collect relevant data for
different purposes. The survey targeted ordinary system users. The intention was
to gauge the impact of the system on their daily jobs. The survey was divided
into the following types of questions:

Awareness questions:

1. Have you ever heard of the system? Yes or No.

This is aimed at finding out whether users are aware of the system in use.

2. Have you ever used the system in the past? Yes or No.

This helps to find out how much the users already know about the system.

Usefulness questions:

3. What benefit do you see the IT GRC system bringing to your work? Four
options are given and the participant is asked to select one.

This helps gather data about how GRC affects the user's daily job.



4. What benefits do you see the IT GRC system bringing to your company? Four
options are given and the participant is asked to select one.

This aims at finding out how much the user knows about what the system means to
the company as a whole.

5. According to your understanding of what IT GRC means, arrange the following
words in order of importance: Security, Reliability, Monitoring, Regulations,
Reporting, Auditing and Management.

This aims to gain an understanding of which aspects of the system users value
most.

6. Any additional comments and suggestions?

This aims to explore any other issues not touched on in the survey that users
might feel it is necessary to mention.

The survey approach does, however, have a number of limitations:

• The data may not be accurate, since some stakeholders might feel that the
questions are not applicable to their current situation.

• Due to the nature of a survey, some stakeholders might choose not to
participate, which can lead to incomplete data.

• Participants would not have the opportunity to clarify any questions they
might not fully understand. This would again influence the credibility of the
results.

Stakeholders will be strongly encouraged to participate by emphasizing the
importance of the survey. This will involve phoning the users and explaining the
idea behind the survey sent to them.



The results of the surveys were collected. All questions (apart from the last
two, i.e. questions 5 and 6) allow participants to choose one of a number of
options. For these questions, the number of responses for each option is
counted and assessed graphically.

For question 5, a weighting is applied to each option according to its position
in the participant's priority ranking. The weighted scores are aggregated and
presented graphically.

It is not expected that many participants will provide additional comments
under question 6. Those that are provided will be collected and examined to
identify any themes that should be researched further.

Interviews

Interviews were conducted with SAP managers. The following questions were used:

1. What does GRC mean to you and your team?

This question is intended to engage the managers in discussing their
expectations of the system and how it affects their operations.

2. How will the system be beneficial to you and your team?

This helps check whether the managers understand the need for the system and
whether they support it.

3. How will IT GRC bring value to the business?

This engages discussion on the broader understanding of what the system can do
within the business.

The problem encountered with this method was that some managers were not
available for interview. Consequently the sample size was too small to provide
statistically credible results.



As a consequence, the results of the interviews are more useful for providing
subjective information than statistical data.

The results from the interviews are documented and examined to understand
whether there are any specific themes that should be highlighted or researched
further.

Internet

Given restricted access to the auditors and CIOs, it was not possible to have
interviews or surveys completed by them. For this reason, further internet
searches were performed to see whether relevant information representing these
stakeholders' views was available. I found a survey conducted by Scott (2008).
The survey focused on establishing the support that senior management provides
for an IT GRC system. Its limitation was that some senior managers did not
clearly understand what IT GRC is. His research covered IT professionals and
non-IT professionals. At the time it was difficult for non-IT professionals to
understand the concept of IT GRC and how it can assist the business in gaining
competitive advantage.

The main disadvantage of this approach is that publicly available information
is limited. I have been able to include one relevant reference on the topic.

Across the findings from all these sources, the study aims to find out how an
automated IT GRC can simplify monitoring and provide accurate reports to support
management decisions.



4. RESULTS AND FINDINGS

1. Introduction

The following section provides an analysis of the research results collected
from the sample population. The results are drawn from all three research
methods used (survey, interviews and internet search). This analysis focuses on
general findings relating to awareness, usefulness and in-depth knowledge of
the IT GRC system, as collected through all three methods.

The survey and interviews are correlated as the primary source of data. The
internet search is used as a secondary source to support the information
collected from the primary sources.

Survey

Six questions were asked in the survey.

Target number: 20. Number of responses: 17. Response rate: 85%.

1.1 User awareness of the system

Question 1 was designed to test users' awareness of the IT GRC tool; the results
are represented graphically in Figure 1.

Figure 1: "Have you ever heard of the IT GRC system?" (bar chart: No 8%, Yes 92%)

The data indicate that 92% of users are aware of the IT GRC tool and therefore
have general knowledge of the functionality used within the organization. Hence
abuse of resources is unlikely to occur where users are aware of the tool's
capability. 8% of respondents indicated that they are not aware of the IT GRC
tool (because they are still new to the company). Hence there is a need for a
continuous awareness programme. The perception among respondents was that this
tool is usually used by management.

1.2 Pre-existing knowledge

Question 2 aimed to find out whether current users have pre-existing exposure to
and knowledge of the IT GRC tool; the findings are represented in Figure 2.

Figure 2: "Have you ever used the system in the past?" (bar chart: Yes 12%, No 88%)


The data indicate that 88% of current users of the IT GRC system do not have
previous working knowledge of the system, whereas 12% indicated that they have
used the system before.

Further general comments indicated that most people who have previously used the
system seem most familiar with the Risk Analysis & Remediation (RA&R)
functionality, and hence with segregation of duties as a means of reducing
company risk.

1.3 Perceived benefits of IT GRC System

Questions 3 and 4 were posed to find out what benefits current users perceive in
the existing system.

The data indicate that 80% of current users are not aware of the benefits that
the system can provide to their work and organization. They perceive automated
tracking of their activities and online generated reports as a way of making
their lives difficult while making management's job easier. 20% of respondents
indicated that they are aware of the benefits of the system and see the conduct
and performance of the company improving. This shows that not all users know the
objectives of the organization and the tools that support them.

1.4 System functionalities valued most

Question 5 was posed to understand which aspects of the system users value
most. Figure 3 indicates the results.



Figure 3:
5. According to your understanding of the IT GRC meaning, arrange the
following words according to their importance (bar chart): Security 29%;
Monitoring 24%; Auditing 18%; Regulations 12%; Reporting 12%; Reliability 6%

IT GRC fulfils different roles for different people; most respondents concur that
the tool's most prominent purpose is security. This is clear from the 29% of users
who selected security as the top usage value. Monitoring (24%) and auditing
(18%) followed, and together these form the top three functionalities.

It can therefore be concluded that whilst the system offers a wide range of
functionalities, the researched companies utilise only some of them.

Judging from the responses to the survey, there is a need for awareness
programmes to be conducted for all stakeholders before the rollout of the
system.

Interviews

From the structured interviews conducted, which correlated with the survey, it
was identified that management is aware of the benefits of IT GRC and there is
a clear perception among management that all users are also aware of the tool
and its benefits. The analysed survey data contradict management's
generalisation that all users are aware of the IT GRC system and its benefits to
the organization.



Internet

Conducting interviews with the auditors and CIOs was not easy due to their
availability; therefore the internet was used to obtain their views on this
matter. Scott (2008) conducted an interview targeting senior management and
auditors. He found that management needs to fully understand the system, as
they play an influential role in the success of the project. Several senior
managers mentioned that the system saved them from the external compliance
requirements their company had to abide by. Auditors elaborated on how much
more effective their role becomes when auditing an environment with SAP GRC
in place. Some of the findings not discussed in detail include:

• Activating and integrating all the components of IT GRC.

• Better utilization of IT GRC with SAP.

• Using IT GRC with applications other than SAP.

After analysing all the results of these methods, it is clear that IT GRC has a
different meaning to different stakeholders; however, a relationship between
these views needs to be established for the business to get the best out of the
tool.



7. CONCLUSIONS AND RECOMMENDATIONS

Today's enterprises are acknowledging the importance of technology. As much
as technology plays an important role in organizations, an equal measure of
risk comes with it. These risks have made it impossible for organizations with
manually managed systems to take full advantage of technology.

Re-visiting the purpose of the study: it was to address whether an organization
will be more efficient and productive after implementation of the IT GRC tool
on top of the SAP application.

The study shows how the IT GRC system can assist a company to be more
efficient and effective by monitoring its policies, as well as providing insight
into its components and operations whilst looking at its capabilities and
limitations.

Throughout the findings, it can be concluded that the automated IT GRC system
can simplify the monitoring systems and provide accurate reports to support
management's decisions. Moreover, the IT GRC system would play a major role
in helping the company by eliminating risk threats and promoting monitoring
and reporting with ease. Auditing also becomes much easier, as controls are
easily managed with automated systems and all associated risks are visible.

The study further indicates that organizations will benefit not only from the
reduced workload of manual tasks, since the company's resources will be
automatically managed and monitored, but also from increased accountability
within the organization. This results in profit increasing while costs are
reduced. Ethical behaviour will be promoted by the monitoring function. The
flow of information will be lucid, making it easier for a company to achieve its
objectives.



Recommendations

It is believed that the learning from this study can be applied within any
organization that considers implementing this system. Whilst there are many
benefits, the following aspects need to be in place prior to implementation:

• Users need to be fully introduced to the capabilities and functionalities
of the system;

• The full range of functionalities should be utilised in order to ensure
the proper usage of all automated functionalities;

• The system capabilities should be linked to the company strategy in order
to ensure that proper application and management takes place;

• Users should be fully trained in order to ensure operational efficiency and
effectiveness.

Through the implementation of the SAP GRC tool, effort, time and cost would
be saved, leading the business to capitalize on opportunities and achieve its
main goal of profitability, with ease.



6. BIBLIOGRAPHY

1. John, W. 2008. SAP GRC for Dummies. [Online] Available from:
http://www.researchandmarkets.com/reports/612669/sap_grc_for_dummies.pdf
[Accessed: 2011-03-07].

2. Crisp, M. 2010. Light wave Security Introduces IT-GRC Solution for
State, Local Government. [Online] Available from:
http://www.earthtimes.org/articles/show/lightwave-security-introduces-it-grc-solution-for-state-local-governments,1183952.shtml
[Accessed: 2011-04-02].

3. Kark, K. 2008. IT GRC: Combining disciplines for better enterprise
security. [Online] Available from:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1294206,00.html
[Accessed: 2011-04-02].

4. MetricStream. 2011. IT GRC Software Solution. [Online] Available from:
http://www.metricstream.com/solutions/it_grc.htm [Accessed: 2011-04-29].

5. SAP DOCS. Not dated. What is GRC? [Online] Available from:
http://sapdocs.info/sap/grc/what-is-grc/comment-page-1/#comment-1457
[Accessed: 2011-03-22].

6. Eseyin, K. 2011. A Review of SAP Solution Offerings for GRC. [Online]
Available from:
http://it.toolbox.com/blogs/sap-library/a-review-of-sap-solution-offerings-for-grc-31769
[Accessed: 2011-03-29].

7. Kevin, D., Heckel, D. & Touche, L.L.P. 2008. Exploring GRC and Tools
Discussion. [Online] Available from:
http://www.isaca-neohio.org/Presentations/GRC%20and%20Technology%20ISACA%20.pdf
[Downloaded: 2011-04-04].

8. Patrick, C. 2007. Embrace This Acronym: IT GRC. It Could Save Banks
a Bundle. [Online] Available from:
http://www.americanbanker.com/usb_issues/117_11/-336014-1.html
[Accessed: 2011-03-23].

9. Brett, T. 2010. Maximizing SAP GRC Access Controls. [Online]
Available from:
http://www.isaca-canberra.org.au/Events/folder.2008-05-14.2443119389/SAP%20GRC%20AC%20ISACA%20Presentation%2020100517.03.pdf
[Downloaded: 2011-04-04].

10. TWC. 2010. SAP Governance, Risk & Compliance (GRC) Access
Control (AC) Administrator Training Manual.

11. French, C. 2010. We Come to Kill GRC, Not to Praise IT. [Online]
Available from:
http://blogs.gartner.com/french_caldwell/2010/01/12/we-come-to-kill-grc-not-to-praise-it/
[Accessed: 2011-04-20].

12. Gartner. 2011. Gartner Compliance & Risk Management Summit 2008.
[Online] Available from: http://www.gartner.com/it/summits/risk2/overview.jsp
[Accessed: 2011-03-17].

13. Scott, C. 2008. Study identifies key success factors for IT governance,
risk and compliance management. [Online] Available from:
http://www.continuitycentral.com/news03954.htm [Accessed: 2011-03-22].

14. John, G. 2009. SAP GRC, Should we really be using it? [Online]
Available from:
http://www.oxygenforbusiness.com/images/uploads/SAP_GRC_-Should_we_really_be_using_it.pdf
[Downloaded: 2011-04-06].

15. Wikipedia. 2011. Governance, risk management, and compliance.
[Online] Available from:
http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance
[Accessed: 2011-03-29].

16. Campaniello, J. 2010. Do Securities Firms Need a CGO? [Online]
Available from: http://www.lumigent.com/blog/?tag=john-h-capobianco
[Accessed: 2010-03-02].



ANNEXURE

IT GRC (Governance, Risk and Compliance) Survey

Questions within the survey were formulated to collect relevant data for
different purposes. This survey targets the system user or prospective user:

• To measure the impact the system will have on users' daily jobs;

• To gauge how much the user already knows about the system;

• To introduce basic IT GRC capabilities.

The survey is divided into the following types of questions: Awareness and
Usefulness questions.

Awareness questions:

1. Have you ever heard of the IT GRC system? Yes or No.

If yes, please specify where.

2. Have you ever used the system in the past? Yes or No.

If yes, please specify the component used.



Usefulness questions:

3. What benefit do you see the IT GRC system bringing to your work?

a) Promotes business processes being followed.

b) Eliminates confusion between job roles and descriptions.

c) Reduces the likelihood of risks within my area.

d) Automated monitoring of employee activities, reducing supervisor
time spent on monitoring.

e) Not sure how the system will benefit me.

4. What are the main benefits you see the IT GRC system bringing to your
company?

a) The company will be compliant with external regulations.

b) Company reports will be more precise with fewer errors.

c) It is good for auditing purposes.

d) Business decisions will be better informed.

e) Not sure how the system will benefit me.

5. According to your understanding of the IT GRC meaning, arrange the
following words according to their importance:

a) Security, b) Reliability, c) Monitoring, d) Regulations, e) Reporting,
f) Auditing.

6. Any additional comments and suggestions?
