Mike Ayers, SAP Project Manager, Powell ElectronicsPowell Electronics is a wholesale electronics distributor based in Swedesboro, New Jersey, with operations in North America and Europe. A challenge common to SMEs, Powell’s employees often have multiple responsibilities, which means a single employee may have the ability to execute a combination of transactions that could result in error or fraud. Overly broad accesses in SAP was also a concern as a user could either accidentally or intentionally execute potentially harmful transactions outside of their job functions.

A Governance, Risk and Compliance Solution

Powell evaluated ControlPanelGRC from SymSoft Corporation. ControlPanelGRC is a second generation suite of modular, integrated GRC (Governance, Risk, and Compliance) applications that address the major areas of compliance concern at every level for SAP users.

Powell is using the following ControlPanelGRC modules for both security and SAP administration operations:

Risk Analyzer
User and Role Manager
Security Troubleshooter
Usage Analyzer
Batch Manager
Transport Manager

The installation was straightforward, taking one hour to complete. For training, Symmetry conducted several two-hour Webcasts tailored to the needs of Powell staff members. Ayars and other IT staff members would take what they learned and practice in a test environment with new questions posed during the review sessions.

“We fine-tuned our implementation based on our business requirements, roles and functions. The documentation has been very useful and a great training tool, too,” Ayars said.

“On the risk and security side, the product has been terrific,” Ayars said. “ControlPanelGRC acts as a force multiplier. Before, I didn’t have a good handle on how SAP security worked. The tools make it far easier for me to understand what’s going on.” Ayars added: “I’m able to manage users, their profiles, and all the security. This is the first time in six years that I feel I have a handle on security.”

ControlPanelGRC pulls data on an hourly basis and drills into any kind of history desired. About a week after ControlPanelGRC was installed, Ayars discovered that a Parts Picker in the company’s warehouse was running every SAP transaction he could, including financial transactions far outside his job responsibility. “We talked to him about it, and he said he was just curious. I applauded his initiative, but shuddered at what he could have done,” Ayars said. “Before ControlPanelGRC, we simply wouldn’t have known until much later.”

On the batch scheduling side, ControlPanelGRC gives IT executives a much more granular approach to controlling job scheduling. “It’s better than the native SAP tools because in real life, one needs to get granular with night and weekend scheduling,” said Dave McGuire, Powell’s SAP Scheduling and Operations Manager. “It tracks usage and job run-times, and let’s me know when there’s a problem via e-mail or workflow. It’s a very useful toolset.”

For example, a job slated to run for 45 minutes runs for just two seconds. SAP would say that the job has been completed successfully, when, in fact, nothing happened, McGuire said. ControlPanelGRC Batch Manager gives Powell better control if a job terminates unexpectedly early or runs unexpectedly long. The product lets McGuire look into what is actually happening with a given job in real-time. It also lets him know immediately if a critical job did not run so that he can determine next steps immediately and not learn of failures the next morning.

“I have visibility into scheduling,” McGuire said. “Batch Manager gives me screenshots of information right up front, indicating what’s happening with the jobs. We’re focused on the job flow, how programs are updating, and when they’re updating.”

“Is this product SME friendly?,” asked Ayars. “This is a very friendly SME product. It’s easy to get your arms around. No one can afford to make a six-figure purchasing mistake. Since ControlPanelGRC runs inside SAP, it does not require a great deal of support and maintenance.”

The Results

The benefits of using ControlPanelGRC have been easily discernable for Powell. The company has a clearer understanding of internal SAP security, and the issues surrounding it.

Now, when an end user has an authorization issue, the product executes a simple transaction which e-mails Ayars about the failure, what roles are applicable, and it gives him HTML screen shots of everything that’s going on.

“It used to take me an hour or two to sort through these issues. Now, it’s a two-minute process,” Ayars said. “I get pop-up notices if there are issues with SOD or sensitive transactions. We’ve just moved security from taking a lot of time to a simple thing. We’ve got our arms around security now and a better view of what’s happening.”

Even the company’s security consultant was impressed with ControlPanelGRC. “When I showed him screen shots of the data available to me, he was in awe,” Ayars said. “He said, ‘You don’t need me at all now.’ He was pretty impressed.”

ControlPanelGRC has enabled Ayars to make security less and less a portion of his daily work, enabling him to devote time to other important strategic issues. The product provides reporting tools that alert him if something is amiss, or an authorization that does not register.

“We’re fine-tuning our security, looking at authorizations that people have, tightening up controls on what people can do, what they are doing, and adjusting the tools to get more granular. As a small company, everyone theoretically can do everything. When you think about it, we’re hiring bright, high-level people for these jobs, and they are curious people by nature. Control and authorization mechanisms must be in place.”

The product has delivered some unexpected benefits, too. Because of its proven analytical capabilities, ControlPanelGRC lets Powell executives know where they have employee training issues.

“An employee may have 25 transaction capabilities at his disposal, but he’s only using four of them. I can now gain a view of employees using less functionality than they should be, talk to their business owners, and help them improve performance. That will be a continuing focus over the next year,” Ayars said.

Besides analytical tools for training, the ControlPanelGRC Executive Dashboard gives Powell’s C-level executives a detailed reporting device and screen shots of what’s transpiring in real-time. The CEO, in particular, has a pulse on the business to ensure fraud is not taking place. Some of the metrics include existing risks, mitigations to address those risks, and daily reports of transactions.

Among the company’s future plans are to transfer the rest of night scheduling into ControlPanelGRC Batch Manager, which enables better visibility, saves time, and streamlines the processes for daily and nightly jobs. “We’re working globally now, so there’s no such thing as night anymore,” McGuire said.

Overall, the true value of ControlPanelGRC for Powell and other SMEs is the “peace of mind” it brings to the C-level suite. Executives, like Powell’s, care passionately about eliminating the risk of fraud in their enterprises. ControlPanelGRC gives them the visibility to help them sleep better at night. It’s hard to place an ROI figure on that.

“Our CEO walked in and said he wanted to know what’s going on within the organization and what can he see,” Ayars said. “Before ControlPanelGRC, I couldn’t answer those questions. Now, I can show him a spreadsheet in the space of two minutes delineating what transactions are being run, who is running them, and their frequency. There are absolutely no issues. Before, he couldn’t gain access to sensitive information when he wanted it, which was one of his big concerns. Now he can see everything very clearly. That was priceless.”

For more information about ControlPanelGRC, visit