Live from SAPinsider Studio: Citrix Systems on SAP Access Violation Management by Greenlight

Danielle Bass of Citrix Systems discusses her company’s use of SAP Access Violation Management (AVM) from Greenlight Technologies with Susan Stapleton of Greenlight at the 2016 SAPinsider GRC event in Las Vegas.

This is an edited version of the transcript:

Susan Stapleton, Greenlight Technologies: Hi, I’m Susan Stapleton with Greenlight Technologies. We’re here at the 2016 GRC SAPinsider conference in Las Vegas. With me today is Danielle Bass from Citrix. Danielle, do you want to introduce yourself?

Danielle Bass, Citrix: Hi Susan. Thank you. I’m Danielle Bass of Citrix Systems, my role there is I’m director of Global Accounting Systems. I work for the Chief Accounting Officer under Finance. We’re responsible for making sure our Finance team has solutions that can help them scale.

Susan: I know you’re a big champion within the IT Finance group to make sure the business has what they need to operate efficiently. And you are using SAP’s Access Violation Management from Greenlight, and you’re using that with your Ariba application.

Danielle: We are.

Susan: And how are you using that?

Danielle: We actually implemented GRC in 2013, and it was a really good solution for us, automated a lot of existing processes that had been manual. Then we had a project to implement Ariba which really brought us a huge amount of procurement efficiencies. However, we were moving a lot of functionality out of SAP into Ariba, things like generating invoices, creating PO’s, all that would now be done in Ariba and we have two challenges – our immediate challenge was we were implementing this fantastic system but needed a way to provision and de-provision access. We had spent a long time getting GRC right, making sure it worked well with provisioning and de-provisioning. Ariba, we didn’t have a way to do that. We didn’t want to go back to the manual processes we had before, tracking, the work a system administrator did – we had a tool to do that. So we just didn’t know how to connect that tool to Ariba. So we reached out to SAP, they suggested the Greenlight Access Violation Management (AVM) solution and it gave us a lot of benefits. It really allowed us to keep our processes the same across multiple systems, so we didn’t have to retrain our group that had been brought on to do provisioning and de-provisioning. SoD analysis, SoD mitigation, all that continued to be automated and AVM – Access Violation Management – was the connection between SAP and Ariba to let us continue with all those processes we had put in place and bring in a cloud-based solution into it. Another benefit that was very important to us was that even though we’re implementing Ariba and getting a lot of efficiencies there, compliance has to continue. But we really wanted that compliance process to continue to be as efficient as possible. AVM allowed us to do that. We were allowed to have a cloud technology with our SAP system, do cross-SoD analysis which for us having everything contained in one system, having our users have the same SoD analysis process, critical action, analysis process without having that have to change for Ariba was huge. And we didn’t have a learning curve for our users.

Susan: What about your SoD’s? Do you look within Ariba for SoD’s or across systems between Ariba and ECC?

Danielle: Across systems. We’re looking at Ariba with SAP. Yes, across systems and that’s important to us at Citrix. We don’t want separate processes to do that review.

Susan: And one other question I would have is did you use the global rule-set or did you add another rule-set?

Danielle: We didn’t have to add a new rule-set so we were able to take out Ariba into our existing global rule-set so that worked out well. So you have the one rule-set. And then long-term if we do decide to add other systems they’ll also be pulled into that one rule-set.

Susan: And then from a timeline process, how long did it take you to implement your Ariba integration?

Danielle: We did it along with our Ariba project and in total it took us about eight weeks but there were a lot of activities going on at the same time. Eight weeks for us, and we used Greenlight services to help with implementation so we were involved when we needed to be but it was pretty quick. It wasn’t anything close to the GRC implementation. We were actually able to use a lot of the same testing scripts, we were able to pull them out from our GRC implementation and use them again when we tested with Ariba.

Susan: Thanks Danielle for joining us today and talking about how you’re leveraging Access Control and integrating your Ariba application with SAP Access Violation Management. We really appreciate your time and I hope you enjoy the rest of your days in Las Vegas.

Danielle: Thank you, Susan.