Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

On May 23rd and 24th, SAP and our partner conference producer – T|A|C Events, hosted the Governance, Risk, and Compliance business focused event composed of 2 tracks: Internal Control, Compliance and Risk Management, and Cybersecurity and Data Protection. And it was great!

I thought I would write a blog for those who couldn’t attend to share some of the key learnings from customer and partner presentations but also SAP expert colleagues as well.

To do so, I have asked the 4 conference chairs to share their inputs and feedback on the responses to the various live surveys and polls that were carried out during the conference.

Starting with Anna Otto. Anna was co-chair for the cyber track.

How do you manage the end-user access governance on your landscape?

Thomas: when asked how they managed the end-user access governance in hybrid landscape, 39% of respondents mentioned that there was an automated process for OnPremise applications but that it was manual for Cloud. And 33% mentioned that this was a central, harmonized and automated process for both OnPremise and Cloud applications. From what you have heard during the conference, do you think the proportions might change in the near future?

Anna: I sincerely hope so, there are business critical processes managed in cloud services. A central, harmonized and automated end-user access governance would be key to safeguard these processes. We had several presentations during the conference, from customers and partners, on how to achieve this and I hope it helps other customers to start or proceed in their journey.

With SAP Cloud Identity Access Governance we have a service that is easy to implement and supports end-user access governance throughout hybrid landscapes. Also, I recommend for all customers, those with mature processes and those just starting the journey, to take a look at the presented service Augmented Access Control. That brings AI into the access request process, with big improvements for end-users, when it comes to finding the right authorizations, and streamlining the approval process, by providing more information to approvers.


I have also asked Marie-Luise Wagener-Kirchner about her feedback, more specifically around internal audit findings since Marie-Luise was co-chair on the internal control, compliance and risk management track.

What are the main challenges of internal audit in your organization?

Thomas: when asked for the main challenges internal audit departments were facing, 43% responded “Balancing priorities” (i.e.: must do statutory audits vs value add insights to management) as the principal hurdle. The second response was “Keeping up with technology” which was selected by 23% of the respondents, even before “Timely communication of audit report, findings and recommendations to stakeholders”. Did these results surprise you or is this aligned with what speakers at the conference have also shared?

Marie-Luise: Not a surprise at all. We can observe competing objectives in pretty much all business areas, and it would have rather been a surprise if that was not observed in audit as well. The workload is increasing rather than decreasing. Technology continues to evolve in high speed as we can see following the discussions around openAI. Already with the pandemic, the focus has shifted further towards digitization. Subsequently, audit has to follow the path and keep up with adapting to new business processes as well as supporting technologies to stay relevant. The challenges remain on, but this also makes this field of activity so appealing – you never run out of learning opportunities and can continue to grow 😉


To get some more inputs on the Cybersecurity track, I have also asked Vincent Doux, who was the other co-chair and also the lead for this track.

Within you organization, who is managing the SAP security monitoring operations?

Thomas: 75% of the audience mentioned that it was an internal team only in charge of SAP security monitoring and threat detection, and 20% even responded that there was no dedicated team for this purpose. I know that there were some passionate debates between presenters and attendees. Does this result reflect the opinion shared during the sessions you moderated?

Vincent: Our discussions highlighted several crucial points. One of them emphasized that in the context of a cloud landscape, security monitoring primarily focuses on the application layer and API monitoring, as the responsibility for infrastructure layers lies with the cloud provider. Additionally, regulations and auditors are increasingly urging organizations to incorporate the business applications layer into their Security Operation Center (SOC) to ensure comprehensive protection. This shift is driven by the growing tendency of hackers to target the application layer, bypassing security measures deployed on the infrastructure layer, using identity theft or compromised super-user accounts.

However, deploying and operating effective SAP security monitoring and threat detection processes necessitates collaboration between the SOC team, the Internal control department, and the SAP competency center. This task presents challenges due to differences in vocabulary and experiences among these stakeholders. The discussions highlighted the critical need for not only integrated solutions but also to provide best practices content and managed services to establish efficient governance models in this complex landscape.


Finally, I have reached out to Michael Heckner for his insight. Michael was not only the co-chair on the internal control, compliance and risk management track, but he is also the lead for the overall conference since its inception in 2018.

What positive feedback did you receive in the context of control implementation?

Thomas: in relation to benefits of control implementation, 53% cited “Increased transparency”, followed by 32% who selected “Increased risk awareness” and 12% for “Stabilized business processes”. I was personally surprised to see that only 3% selected “Improved business performance”. Would you say that this is aligned with the experiences shared by the presenters on stage?

Michael: This is no surprise. Often GRC initiatives are started with a must-do compliance angle. Be it for compliance over financial reporting, GDPR or sustainability standards. And hence GRC is seen as a cost center, with the associated KPIs of cost reduction.

But as organizations embark on these initiatives they realize, that risk and control initiatives can drive efficiency and effectiveness of business processes. As the speaker from Equinor reported a while back: “my business users are telling me: you are making internal controls fun again”.

And by that they mean that risk and control Information to business stakeholders at the onset of anomalies or problems can help with rapid discussion making and problem correction – long before a bigger challenge develops.


On my side, I wanted to conclude this blog with a statement made by the presenter from Vestas that really resonated with me and summarized pretty well a general sentiment that was shared by many presenters as well. “The idea was not to implement a GRC tool, but bring accountability and transparency in the compliance process".

I couldn’t agree more! If the final objective of the implementation of a GRC software is just to have a nice software solution in place, then chances are high that it won’t be a successful initiative!

If you attended the conference, I would be very interested in reading your comments either in this blog or on Twitter @TFrenehard

And it you weren’t able to attend in 2023, I hope that this short summary has piqued your interest and that you will consider joining us next year.