Sticking to the Rules

BearingPoint uses SAP BusinessObjects Access Control

Management and technology consultancy BearingPoint employs some 3,500 people throughout Europe. For the Frankfurt, Germany-headquartered company, meeting compliance requirements and governance standards – such as the U.S. Sarbanes-Oxley Act – is a complex, resource-consuming, and therefore expensive task. “Until recently, our IT team spent several weeks a year just preparing the compliance audit,” says Bettina Gaab, EMEA IT director at BearingPoint. “This meant that our day-to-day work could often only be done on the side. We definitely wanted to change this – and managed to do so by implementing the SAP BusinessObjects Access Control application and developing the iGRC Cockpit.”

Around 20% less time needed

By optimizing compliance processes with the right IT tools and targeted enhancements, BearingPoint succeeded in reducing the time required for audits by around 20%. This means that now, fewer resources are tied up with compliance tasks. The project was led by the company’s internal SAP IT department with support from the SAP Advisory Team in BearingPoint’s Germany practice.

In regular internal and external audits, BearingPoint must confirm that it complies with the U.S. Sarbanes-Oxley Act. To generate governance and compliance reports, the IT team needs to access different SAP systems, such as the SAP ERP application and the SAP Solution Manager application management solution. Until recently, reports were invariably created manually – a task made more difficult because the data was complex and wasn’t integrated. This made preparing and executing audits for external auditors or the internal auditing department a time-consuming and expensive activity. And the results were often vague and arcane.

To achieve the project objectives, BearingPoint decided to implement SAP BusinessObjects Access Control. In addition, the company set about creating a management cockpit enhancement, known as iGRC. The one-year project kicked off in early 2009 and was divided into three phases.

BearingPoint iGRC Cockpit (graphic: BearingPoint)

The iGRC cockpit

By combining SAP BusinessObjects Access Control functions with homegrown developments, BearingPoint managed to optimize compliance processes considerably. Let’s take a look at the main benefits:

  • Simple and structured display of reports and key figures using graphics and diagrams
  • Aggregation of raw data to produce key figures in line with requirements
  • Extensible pool of compliance-relevant reports and key figures
  • Immediate and long-term reduction of costs for compliance:
      • Less work required to identify the compliance status and to remedy any possible weak points
      • Faster and more straightforward internal and external audits
      • Easier consolidation of irregular reports

iGRC Cockpit technical structure (graphic: BearingPoint)

Phase 1: analyzing the compliance process and selecting software

In the first, two-month project phase, the compliance process was analyzed and potential for optimization was determined. Based on these results, a list of requirements was drawn up for the future compliance software and for the iGRC cockpit. After evaluating various tools, the company opted for SAP. “The IT landscape at BearingPoint is dominated by SAP systems,” explains Simone Körber, senior manager at BearingPoint. “The ease with which SAP BusinessObjects Access Control can be integrated into this landscape was therefore one of the deciding factors in our choice of tool.”

Phase 2: implementation and start of the iGRC cockpit development

In the second, three-month project phase, SAP BusinessObjects Access Control was implemented, starting with the functions for risk analysis and remediation. This was followed by compliant user provisioning, enterprise role management, and superuser privilege management. “Initially, our main focus was on creating the risk matrix, which forms the basis of the compliance evaluations in the module for risk analysis and remediation,” Gaab explains. At the same time, BearingPoint started work on the technical specifications and business blueprint for the iGRC cockpit, and then on its development.

The iGRC cockpit gives users central, target group-specific access to compliance information, which is taken from the IT systems in the form of key figures and diagrams and then displayed clearly. BearingPoint’s iGRC cockpit collates information from SAP BusinessObjects Access Control, SAP Solution Manager, and SAP ERP, and subsequently generates meaningful key figures from the raw data. Most data is presented graphically, so that it can be interpreted quickly and is easy to grasp at a glance. Based on this information, the iGRC cockpit enables users to monitor the current compliance status quickly and efficiently.

Phase 3: testing and rollout

In the final project phase, the various SAP BusinessObjects Access Control functions were thoroughly tested. What’s more, the iGRC cockpit was hooked up to BearingPoint’s employee portal for all of Europe. SAP BusinessObjects Access Control and the iGRC cockpit were implemented country-by-country, and the rollout is slated for completion by the end of 2009.

Looking ahead

Acceptance among the employees responsible for compliance was very high, so BearingPoint is planning to add more reports and functions to the iGRC cockpit. What’s more, there are plans to integrate further systems and applications.

Next on BearingPoint’s agenda is the implementation of the SAP BusinessObjects Process Control application, so that the company can automatically monitor compliance with business process controls.