India’s Goods and Services Tax, the most significant tax reform initiative since the nation became independent 70 years ago, was rolled out a month ago on July 1st, 2017. GST has impacted every enterprise IT team in India. It has reprioritized work for IT and business operations and has driven service offerings for accounting firms, system integrators, and supply chain consultants.
To implement GST, organizations have had to analyze and adjust operations based on cash flow implications from GST, re-engineer their supply chain as tax rates have standardized across states, pick the ASP/GSP that would best meet their unique needs, integrate their IT systems via their chosen ASP/GSP (or directly with the G2B portal), normalize invoice, purchasing, and other relevant data for upload into GSTN, and define their reconciliation reports and processes to ensure every tax credit was captured. No small task.
After all the work to go live on GSTN – months of dedicated focus and overtime and countless hours of managing consultants – companies might be tempted to celebrate going live and maybe even take a little break. But can a company who has gone live on GST consider that the end of the project?
Not if it is running SAP.
Why? Because doing so might leave the enterprise open to unnecessary risks and potentially harm the competitive position of the company – especially if it is running a modern ERP platform like SAP.
So instead of patting themselves on the back and risking complacency, smart enterprises quickly turn their focus to five key areas as soon as they go live with GST:
1. Cleaning up access risks to financial systems
2. Reconciling SAP user and indirect license allocations
3. Implementing process controls to ensure that GST compliance requirements are maintained in a cost-effective way
4. Automating emergency access management (EAM) so adjustments can be made quickly
5. Conducting an after-action review to learn from what went well and what could have been done better so that the next major change project will be even more successful
In this installment, we will focus on the first three key areas businesses should tackle post-GST: cleaning up access risks, reconciling licenses, and implementing process controls. In a subsequent post we will finish with the final two key areas, automating emergency access and conducting an after-action review.
Clean up access
In preparation for the GST roll-out, many IT teams engaged contractors and consultants and gave them broad access to their financial systems to bring IT and accounting systems into compliance with GSTN registration and meet the ongoing requirements of GST. They also expanded the roles of existing IT staff and gave them exceptional privileges within SAP.
At the time, it was necessary to grant exceptional access to get the work done. But what about after the GST project wrapped up? Do those consultants and staff members still need the broad access given to them during the project? Consider the possibility that a disgruntled consultant or contractor decides to perpetrate fraud with that access. With such broad access, will they be able to effectively cover their tracks, or are there controls in place to alert someone to the issue?
And what about sensitive access? Are there people who now have access that gives them insight into the company’s performance and capitalization structure? And do any of those people have contacts within competing companies with whom they could share inside information? If your CEO and CFO knew about this risk, what would their reaction be?
These are all questions that must be answered even beyond GST compliance. When preparing for GST, many companies rightly worried about the sensitive financial data that would be uploaded to an ASP/GSP. These same companies insisted on knowing how the ASP/GSP would protect that data. Now that companies have gone live with the ASP/GSP of their choice, it is important that they ask the same question of themselves: What are they doing internally to protect access to sensitive transactions and data?
Understanding access risks is not the hard part. The hard part is deciding, as an organization, to put resources toward gaining that understanding. Once they understand their risks, organizations can then assess if they now have more risk than is acceptable. If too much risk exists, then they can rationally start to pull back access to their financial systems and IT environments in a way that makes sense and does not impair user productivity.
To learn more about how to understand and manage access cost efficiently click here.
Also, stay tuned for upcoming posts covering topics on how to minimize the costs of access management by using a function based SOD rule matrix, how to efficiently manage custom transactions that are SOD relevant, how to delight auditors and your IT team with efficient “push-button” audits, and how to radically save time and money by automating mitigations and prioritizing access risks based on the actual financial exposure of each risk.
Reconcile license allocations
Granting access to SAP or other financially sensitive applications not only creates risks but also directly drives up costs if the additional access triggers a licensing requirement. If an additional user is added to a company’s SAP environment, they will almost certainly consume an additional user license. If that user is an active dialogue user with broad access, then the incremental license consumed will almost certainly be an expensive license such as a developer or full professional license type. And any time an existing user is given expanded authorizations and materially increases their interactions with SAP software, it is wise for IT and procurement to understand the licensing implications. They may need to move that user from a limited professional to a full professional license or change the allocated license type from full professional to developer. License reconciliation is further complicated for SAP environments because usually the quantity of a given license type must be kept within a ratio of the overall population of licenses. If that ratio is violated additional licenses may need to be purchased even if there are no users to allocate them to.
Few companies considered the licensing implications of opening their SAP environments to consultants and contracts before July 1st. This is no surprise. Everyone was focused on meeting the GST go live date. But now, smart companies are not claiming the GST project is over until they have cleaned up access and reconciled user license allocations. They know if they don’t do it now, they may fail their next software license audit and trigger a surprisingly significant budget expense that destroys both their credibility and their investment roadmap.
For companies running SAP, license compliance not only requires them to consider users with a user ID, the license type of each user, and the consumption ratio of different license types, but they must also consider any integrations with non-SAP software that may allow users of the application to change data in SAP indirectly. These indirect users must also be accounted for and properly licensed. Consequently, smart IT teams are also cataloging every integration rolled out as part of GST and assessing the SAP licensing implications for any users of the integrated application.
To learn more about how to optimize your SAP licenses and reduce the work required to pass your SAP license audits, please read our License Management data sheet by clicking here.
If you would like to see a demo send us an email by clicking here.
Implement process controls
In addition to cleaning up access risks and licensing requirements, it is important to implement a reasonable set of process controls. A reasonable set of process oriented controls is the only way to ensure that compliance with GST requirements is maintained cost effectively, that new processes and supply chain requirements are followed consistently, that consultants and contractors fully transfer their expertise back to the company, that evidence proving compliance is easily and continuously produced so that audits are efficient and comprehensive, and that all tax credits are fully captured.
Smart enterprises understand that the set of controls they need will be a mix of automated and manual controls. Automated controls include those controls SAP offers as part of its platform and add-on controls that augment or extend the SAP environment.
In building a good set of controls, the first step is to identify where things can go wrong and then how to best prevent or quickly catch those deviations. Some examples are:
How will your enterprise ensure the proper GSTIN is used so that subsequent tax credits can be automatically matched by the government and ultimately credited back to your enterprise?
Where are the different places an error around GSTIN can get into the system and what controls can be applied to each?
What controls need to be added to ensure the newly engineered supply chain is functioning as designed?
Since small vendors are exempt from having a GST identification number (GSTIN), what controls will ensure that in three months, if they grow and are no longer small enough to qualify for the exception, you get their GSTIN and update transactions before having to forfeit a material amount in taxes?
Other areas where process controls can help involve identifying revenue leaks in the new supply chain , managing specific dimensions of your ASP’s performance, and monitoring credit worthiness and performance of supply chain partners.
Smart enterprises also know that manual controls may be necessary initially, but given the speed of business, they are not a sustainable solution. Only automated controls will provide alerts and remediation quickly enough. Also, manual controls are susceptible to human error and limited human capabilities, so they can never be as consistent, complex, or comprehensive as automated controls. Ultimately, manual controls are neither cost effective, trustworthy, nor something your people want to use. Most talented IT staff know that their career goes nowhere when they must spend time doing things that could have been easily automated.
Once an automated controls platform is implemented the cost to maintain it is fair less expensive than the cost to maintain a manual control. The incremental cost to implement one more automated controls goes down with each new control added to the controls platform, whereas the cost of each additional manual control goes up. This is due to the cost to train and manage the person responsible for the control as well as the ongoing cost of paying the person to run the control.
If you would like to learn more about how processes controls can help you cost effectively maintain GST compliance and optimize the value of your tax credits, we would be happy to share with you some of the best practices in the industry today. Send us an email to request a meeting by clicking here.
Next up: we will detail two more integral post-GST tasks that smart enterprises are implementing. Our next post will discuss the importance of automating emergency access and conducting an after-action review, and how these final tasks will give you the peace of mind to confidently close out your GST project and prepare for the challenges ahead.