SAP Process Control vs. ServiceNow Governance, Risk, and Compliance

In my opinion, SAP Process Control is well suited for bigger companies with an already mature Internal Control System as well as for bigger companies who want to completely new/redesign the internal control system. The size of the company, as well as the budget, is quite important when thinking about the implementation of SAP Process Control. A smaller company with e.g., 150 people should think more about implementing SAP FCM.

Incentivized

Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation. ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.

Incentivized

• Native connection to SAP applications
• Automated monitoring process of SAP applications
• Workflow capabilities for control testing

Incentivized

• Finding reported by the auditor. GRC helps us identify, assign, and track the resolution of this.
• Exception to information security policy. These require quarterly reviews and setting up reminders to revisit these.
• Building out new projects and baking security and compliance into the project and tracking it in GRC to ensure we deliver a compliant product on day one

Incentivized

• Default delivery of controls could be done by SAP on some basic controls like client openings, password controls, etc
• The messaging or customization of messages in different workflows is limited, which could be introduced to enhance the product
• SAP Process control does not have the capability for cloud product monitoring which is required with more SAP cloud products available right now

• Delivering more out of the box functionality that rivals other GRC platforms. The bare bones approach may not help companies that do not have expertise or capabilities to build effective GRC processes.
• Easier way to implement workflow.
• Offering better metrics without buying add-on tools.

Incentivized

I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.

Incentivized

It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.

Incentivized

The connectivity with other SAP products out of the SAP GRC suite, like Access Control and so on, was key for the decision. Also we had an already mature SAP System landscape as well as having internal processes that were similar to the SAP Process Control standard processes helped us with the decision to implement SAP Process Control.

Incentivized

We just recently started using TrustArc for data privacy requests and I can already speak to the fact that TrustArc is a more confusing platform once there. The positives of ServiceNow would be that a majority of our URL's drive to owned websites which our employees are very comfortable with using versus pushing them to another website that feels unsafe.

Incentivized

• Automated alerts for controls issues
• Workflow capabilities; however, there's natively only 2 levels of review. More layers would be beneficial.

Incentivized

• Effective Enterprise Risk Management
• Holistic Real-time Monitoring of your technology and Risk
• Negative - Asset Management has some issues and Ghost / Shadow IT is big issue