PwC and SAP Alliance

Managing hidden risks in a technical SAP S/4HANA migration

  • Blog
  • 10 minute read
  • January 17, 2025

Elizabeth McNichol

Principal, Enterprise Technology Solutions Leader, Cyber, Risk and Regulatory, PwC US


Jason Colo

Principal, Cyber, Risk and Regulatory, PwC US


Why security, controls, and GRC matter during your SAP ECC upgrade

With SAP’s mainstream maintenance for ECC ending at the end of 2027, many organizations are opting for a technical upgrade to SAP S/4HANA, also known as the brownfield approach. This method typically lets a business move its existing system and data to S/4HANA more quickly and with less disruption to core operations than the greenfield (complete redesign) or bluefield (selective transformation) approaches.

While a technical upgrade is generally the simpler route, business and IT leaders should be wary of the idea that it is a purely technical exercise, particularly when it comes to security, controls, and GRC (governance, risk, and compliance). Even with a “lift and shift” approach, SAP S/4HANA introduces new functionality, different technologies, and architectural changes that have real consequences for security, controls, and GRC. The stakes are high: how you manage these elements shapes both the success of the migration and the operations that follow it. Treating the upgrade as purely technical can leave risks unexamined, leading to audit issues, security vulnerabilities, and missed opportunities to improve your control environment.

This is the first in a series of articles where we’ll explore why an intentional focus on security, controls, and GRC should be a key element of your SAP S/4HANA migration strategy. Below, we outline five important takeaways to help you navigate the complexities and risks of an SAP S/4HANA technical migration, preparing you for compliance and audit requirements while also capturing the opportunity to improve your organization’s security and controls framework as you transition.

1. New system, new risks

Although the migration might be positioned as a “technical upgrade,” it is far more than a lift and shift. Even if you are not redesigning business processes or adding new applications, S/4HANA is a new system, not a patched version of your old one. As with any new system, security and controls need to be addressed before go-live, not after it. Key considerations include:

  • A new system means new infrastructure, which requires reevaluation of your IT general controls (ITGC). Controls over access to programs and data, change management, and computer operations should be reassessed for alignment with the new system's architecture. Whether it’s a new database (HANA DB), new technology platform (SAP BTP), or a cloud-hosted environment, these areas often need fresh scrutiny.
  • Custom code carried over from ECC should be thoroughly tested in the new environment to confirm that it still integrates correctly and neither introduces security vulnerabilities nor bypasses established controls. Customizations can behave differently in the new system, and even small changes can open control gaps if they are not validated. SAP’s custom code checks in the ABAP Test Cockpit (ATC) will flag syntax and simplification-item impacts, but they do not tell you whether a report still supports the control that relies on it. Custom reports used to support key controls therefore need their own validation to confirm that previously established baselines remain valid as evidence of completeness and accuracy.
  • When migrating to a new system, new integrations should be designed, implemented and tested. Each integration should be risk-assessed to identify where key data is flowing, what controls are needed, and whether those controls are effectively mitigating risks related to the completeness and accuracy of data transferred from source to target.
  • Even if you lift and shift your existing data from ECC to S/4HANA, that data still has to be converted (customer and vendor master records, for example, become business partners). This brings the risk that ECC master data does not fit the intended design or use of data in S/4HANA, that duplicate records in ECC are simply carried over as duplicates, and that stale or unnecessary records are migrated along with everything else. Data conversion and migration controls, such as reconciliation of record counts and control totals between source and target, duplicate detection, and exclusion of flagged or dormant records, are needed to mitigate these risks, and their execution should be evidenced to satisfy your system development lifecycle control requirements.

Ignoring these changes can expose organizations to financial and operational risks. By proactively reassessing controls and updating security roles, you can achieve day one security and compliance goals.

2. Preparing for SAP S/4HANA’s mandatory changes

SAP S/4HANA isn’t just an upgrade of ECC — it’s a reimagined platform with new functionality and architectural shifts. From the retirement of credit management in favor of financial supply chain management (FSCM) to the introduction of features like the universal journal and the Fiori user experience (UX), S/4HANA can radically change how processes are executed and controlled, making it essential to revisit your existing control framework. Just a few examples of changes impactful to security, controls, and GRC include:

  • The introduction of the business partner, which consolidates customers, vendors, and employees into a single master data object. This has control impacts, including for role-based access controls such as segregation of duties (SoD) and sensitive access (SA). The legacy customer and vendor master transactions (for example, XK01 and XD01 for creating vendors and customers, and their change and display variants) are redirected to the single transaction BP in S/4HANA, so a ruleset that still keys vendor or customer master maintenance to the legacy codes will under-report risk. Your ruleset usually requires updates to reflect these changes and continue reporting completely and accurately, and security roles should be updated as well, since legacy transactions that no longer work in S/4HANA must be replaced by their successors.
  • The Fiori UX changes how users access the system. Apps are assigned through catalogs and groups in PFCG roles and are authorized by start authorizations for the app and its OData services (authorization objects such as S_START and S_SERVICE) rather than by transaction codes (S_TCODE) alone, which introduces different security needs around user management, authentication, and provisioning. A ruleset that recognizes only transaction codes will not see access granted through Fiori apps, so GRC rulesets need to be updated to prevent under-reporting of SoD and sensitive access risks.
  • New S/4HANA data structures, such as the universal journal (ACDOCA, which replaces the separate FI and CO line-item tables) and the new pricing condition table (PRCD_ELEMENTS, which replaces KONV), may require revisions to the reports and analytics used to support key controls.
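The under-reporting described in the first two bullets is easy to demonstrate with a minimal SoD risk analysis. The following is an added example, not PwC’s code and not SAP GRC’s actual ruleset engine. The ruleset, role contents, role names and user IDs are constructed. XK01/XK02/FK01/FK02 (vendor master), BP (business partner), F110 (payment run), FB60 and MIRO (vendor invoices) are real SAP transaction codes, and in S/4HANA the legacy vendor master transactions redirect to BP; the Fiori app ID `F_VENDOR_MAINT_APP` is an assumed placeholder, not a real app ID.

```python
"""Added example: SoD risk analysis with an ECC-era ruleset versus one
updated for S/4HANA. Not PwC's or SAP's code; all data is constructed.
Transaction codes are real SAP codes; 'F_VENDOR_MAINT_APP' is an assumed
placeholder for a Fiori app ID."""
from typing import Dict, List, Set

# A function groups the technical actions (transaction codes, Fiori app IDs)
# that perform one business activity. A risk is a pair of functions that
# one user should not be able to perform together.
ECC_RULESET = {
    "functions": {
        "VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},
        "PAYMENT_RUN": {"F110"},
        "VENDOR_INVOICE": {"FB60", "MIRO"},
    },
    "risks": {
        "P001": ("VENDOR_MASTER", "PAYMENT_RUN"),     # maintain a vendor and pay it
        "P002": ("VENDOR_MASTER", "VENDOR_INVOICE"),  # maintain a vendor and post its invoices
    },
}


def extend_ruleset(ruleset: dict, extra: Dict[str, Set[str]]) -> dict:
    """Return a copy of `ruleset` with extra actions added to functions,
    leaving the original untouched so both versions can be compared."""
    new = {
        "functions": {f: set(a) for f, a in ruleset["functions"].items()},
        "risks": dict(ruleset["risks"]),
    }
    for func, actions in extra.items():
        new["functions"].setdefault(func, set()).update(actions)
    return new


# S/4HANA ruleset: vendor master maintenance now happens through BP and
# (assumed) through a Fiori app, so both must count as VENDOR_MASTER.
S4_RULESET = extend_ruleset(ECC_RULESET, {"VENDOR_MASTER": {"BP", "F_VENDOR_MAINT_APP"}})

# Constructed role contents and user assignments (names are assumed).
ROLE_ACTIONS = {
    "Z_AP_VENDOR_MAINT_ECC": {"XK01", "XK02"},
    "Z_AP_VENDOR_MAINT_S4": {"BP"},
    "Z_AP_VENDOR_FIORI": {"F_VENDOR_MAINT_APP"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_AP_INVOICES": {"FB60", "MIRO"},
}
USER_ROLES = {
    "AP_CLERK_1": ["Z_AP_VENDOR_MAINT_ECC", "Z_AP_PAYMENTS"],  # caught by both rulesets
    "AP_CLERK_2": ["Z_AP_VENDOR_MAINT_S4", "Z_AP_PAYMENTS"],   # invisible to the ECC ruleset
    "AP_CLERK_3": ["Z_AP_VENDOR_FIORI", "Z_AP_INVOICES"],      # invisible to the ECC ruleset
    "AP_CLERK_4": ["Z_AP_PAYMENTS"],                           # clean
}


def effective_actions(user: str, user_roles: Dict[str, List[str]],
                      role_actions: Dict[str, Set[str]]) -> Set[str]:
    """Union of every action granted by every role assigned to the user."""
    actions: Set[str] = set()
    for role in user_roles.get(user, ()):
        actions |= role_actions.get(role, set())
    return actions


def analyze(ruleset: dict, user_roles: Dict[str, List[str]],
            role_actions: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each user to the sorted risk IDs they violate. A risk is violated
    when the user holds at least one action in every function of the risk."""
    findings: Dict[str, List[str]] = {}
    for user in sorted(user_roles):
        actions = effective_actions(user, user_roles, role_actions)
        hits = [
            risk_id
            for risk_id, funcs in ruleset["risks"].items()
            if all(actions & ruleset["functions"][f] for f in funcs)
        ]
        if hits:
            findings[user] = sorted(hits)
    return findings


def under_reported(old_ruleset: dict, new_ruleset: dict,
                   user_roles: Dict[str, List[str]],
                   role_actions: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Risks the updated ruleset finds that the old one misses: the exposure
    an un-migrated ruleset silently hides from risk reports."""
    old = analyze(old_ruleset, user_roles, role_actions)
    new = analyze(new_ruleset, user_roles, role_actions)
    gaps: Dict[str, List[str]] = {}
    for user, risks in new.items():
        missed = sorted(set(risks) - set(old.get(user, [])))
        if missed:
            gaps[user] = missed
    return gaps


if __name__ == "__main__":
    print("ECC ruleset:   ", analyze(ECC_RULESET, USER_ROLES, ROLE_ACTIONS))
    print("S/4 ruleset:   ", analyze(S4_RULESET, USER_ROLES, ROLE_ACTIONS))
    print("Under-reported:", under_reported(ECC_RULESET, S4_RULESET, USER_ROLES, ROLE_ACTIONS))
```

Run as-is, the ECC ruleset flags only AP_CLERK_1, while the S/4HANA ruleset also flags AP_CLERK_2 (vendor maintenance via BP) and AP_CLERK_3 (vendor maintenance via a Fiori app). Nothing changed about what those two users can do; only the ruleset’s vocabulary changed. In a real GRC tool the Fiori side is usually evaluated at the start-authorization level (S_START, S_SERVICE) rather than by app ID, but the ruleset still has to be taught about those objects for the same reason.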

3. Cloud migration: Security, controls, and GRC implications of moving to SAP RISE or the private cloud

A technical migration to SAP S/4HANA often coincides with a decision to move from on-premises infrastructure to a cloud-hosted environment, such as RISE with SAP or another cloud provider. While this shift can offer operational flexibility and cost savings, it also introduces new cybersecurity and compliance risks. The cloud environment fundamentally changes how data is stored, accessed, and managed, and that calls for new controls and monitoring mechanisms. Key considerations include:

  • In a cloud-hosted environment the shared responsibility model applies: the provider manages certain layers (under RISE with SAP, typically the infrastructure, operating system, database, and technical Basis operations), but your organization remains responsible for its data, application-layer security (users, roles, custom code, interfaces), and regulatory compliance. Cybersecurity measures should be revisited against that split to address risks such as unauthorized access, data breaches, and availability.
  • Continuous monitoring and real-time threat detection are essential to maintain control over cloud-based operations and confirm compliance with data protection regulations such as GDPR or CCPA.
  • As part of migrating to a cloud environment, review the contract thoroughly and understand the obligations and responsibilities of both the cloud provider and your organization. This includes analyzing the provider’s SOC 1 report to evaluate its scope and the design and operating effectiveness of the provider’s controls over financial reporting, and to identify the complementary user entity controls (CUECs) your organization is expected to implement. A clear understanding and implementation of these responsibilities is essential to prevent compliance gaps and reduce the risk of audit issues. Security, availability, and confidentiality considerations are typically covered in the provider’s SOC 2 report, which should also be reviewed to address broader risk concerns.

Cloud migrations can introduce new vulnerabilities, and if not properly managed, can expose organizations to security breaches or data loss. Building a strong cloud security framework, including monitoring and incident response plans, can help mitigate these risks to achieve compliance in the new environment.

4. Selective transformation: Addressing pain points and moving to standard processes

Even in a technical migration, many organizations take the opportunity to selectively transform parts of their processes, especially when they have identified significant pain points or want to move away from customized processes to SAP’s standard offerings. While this “selective transformation” approach can bring efficiencies, it can also disrupt existing controls if not carefully managed. Key considerations include:

  • Processes that are modified during the migration should be evaluated for control impacts to confirm that key risks are mitigated by effectively designed controls. Without this evaluation, process changes can unintentionally introduce control gaps, leading to operational inefficiencies and potential audit findings.
  • Early engagement of security and GRC teams in the design phase is critical to confirm that new processes and systems are considering control requirements.
  • Process automation, if properly implemented, can reduce the manual burden of compliance by embedding controls directly into the system.

Selective transformation introduces both risk and opportunity. The risk comes from missing control gaps that can arise from process changes, but the opportunity lies in leveraging automation to enhance controls and reduce long-term compliance costs. Early collaboration between IT, business, and GRC teams is essential to capture the overall potential of the upgrade.

5. Auditor expectations: What should your auditors expect during the migration?

Understanding and meeting auditor expectations is often a crucial part of any technical migration. Your auditors will likely expect to see how your organization has adapted its internal controls, security, and GRC frameworks to the new SAP S/4HANA environment and could require evidence of testing and validation of controls before go-live, especially for automated controls and custom reports. Key considerations include:

  • Evidence of how ITGCs, including change management, access controls, and data migration controls, were updated for the new environment.
  • Custom reports and automated configuration controls that were effective in ECC should be revalidated or redesigned (if impacted by new functionality or data models) for SAP S/4HANA.
  • System development lifecycle (SDLC) controls should be evidenced, including data migration controls confirming the completeness and accuracy of data moved from ECC to S/4HANA, which are essential to validating that critical data is available and remains reliable in the new system.
  • The hypercare period after go-live is a critical, high-risk phase, even for a technical upgrade. During this time, elevated access, frequent adjustments, and rapid troubleshooting are common as the new SAP S/4HANA environment stabilizes. Without oversight and control, these activities can introduce security risks and control breakdowns, so emergency (firefighter) access used during hypercare should be time-boxed, logged, and reviewed, and auditors will expect to see that review.
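The data migration controls called for here, and the duplicate and stale-record risks described under “New system, new risks” above, come down to a reconciliation that can be run and kept as evidence. The following is an added example, not PwC’s code and not an SAP migration tool. The records are constructed; field names follow the ECC vendor master table LFA1 (LIFNR vendor number, NAME1 name, STCD1 tax number, LAND1 country, LOEVM deletion flag), `last_posting` is assumed to have been derived from the vendor’s open and cleared items before extraction, the vendor number is assumed to be carried over as the business partner key, and the cut-over date and three-year dormancy threshold are assumptions.

```python
"""Added example: completeness and accuracy reconciliation of a vendor
master migration from ECC to S/4HANA. Not PwC's or SAP's code; the records
are constructed, the cut-over date and dormancy threshold are assumed."""
import hashlib
from collections import defaultdict
from datetime import date
from typing import Dict, List

CUTOVER = date(2025, 1, 17)   # assumed cut-over date
DORMANT_DAYS = 3 * 365        # assumed: no postings for 3 years => stale, do not migrate

# Constructed ECC extract (source). 'last_posting' is assumed to be derived
# from the vendor's open/cleared items; it is not an LFA1 field.
ECC_VENDORS = [
    {"lifnr": "100001", "name1": "Acme Supplies GmbH", "stcd1": "DE123456789", "land1": "DE", "loevm": "",  "last_posting": "2024-11-03"},
    {"lifnr": "100002", "name1": "ACME Supplies GmbH", "stcd1": "DE123456789", "land1": "DE", "loevm": "",  "last_posting": "2024-06-20"},  # duplicate of 100001
    {"lifnr": "100003", "name1": "Old Vendor Ltd",     "stcd1": "GB111222333", "land1": "GB", "loevm": "X", "last_posting": "2016-02-10"},  # flagged for deletion
    {"lifnr": "100004", "name1": "Globex Corp",        "stcd1": "US987654321", "land1": "US", "loevm": "",  "last_posting": "2025-01-05"},
    {"lifnr": "100005", "name1": "Dormant Parts Inc",  "stcd1": "US555666777", "land1": "US", "loevm": "",  "last_posting": "2019-03-01"},  # dormant
    {"lifnr": "100006", "name1": "Initech LLC",        "stcd1": "US111000999", "land1": "US", "loevm": "",  "last_posting": "2024-12-01"},
]

# Constructed S/4HANA extract (target) after business partner conversion.
S4_BUSINESS_PARTNERS = [
    {"lifnr": "100001", "name1": "Acme Supplies GmbH", "stcd1": "DE123456789", "land1": "DE"},
    {"lifnr": "100002", "name1": "ACME Supplies GmbH", "stcd1": "DE123456789", "land1": "DE"},  # duplicate carried over
    {"lifnr": "100004", "name1": "Globex Corporation", "stcd1": "US987654321", "land1": "US"},  # name altered in transit
    {"lifnr": "100005", "name1": "Dormant Parts Inc",  "stcd1": "US555666777", "land1": "US"},  # stale record migrated anyway
    # 100006 never arrived in the target.
]

ACCURACY_FIELDS = ("name1", "stcd1", "land1")


def is_stale(rec: dict, cutover: date = CUTOVER) -> bool:
    """Out of migration scope: flagged for deletion or dormant past the threshold."""
    if rec["loevm"] == "X":
        return True
    last = date.fromisoformat(rec["last_posting"])
    return (cutover - last).days > DORMANT_DAYS


def fingerprint(rec: dict) -> str:
    """SHA-256 over the canonicalized accuracy-relevant fields, so field-level
    changes in transit are detected without keeping full records in the evidence."""
    canonical = "|".join(rec.get(f, "").strip().upper() for f in ACCURACY_FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def duplicate_key(rec: dict) -> tuple:
    """Normalize name (case, spacing, punctuation) plus tax number for matching."""
    name = "".join(ch for ch in rec["name1"].lower() if ch.isalnum())
    return (name, rec.get("stcd1", "").strip().upper())


def reconcile(source: List[dict], target: List[dict], cutover: date = CUTOVER) -> Dict:
    """Produce the reconciliation report: completeness (missing / unexpected /
    stale records migrated), accuracy (fingerprint mismatches) and duplicates."""
    in_scope = {r["lifnr"]: r for r in source if not is_stale(r, cutover)}
    stale_ids = {r["lifnr"] for r in source} - set(in_scope)
    tgt = {r["lifnr"]: r for r in target}

    groups = defaultdict(list)
    for r in target:
        groups[duplicate_key(r)].append(r["lifnr"])
    duplicate_groups = sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)

    report = {
        "source_total": len(source),
        "source_in_scope": len(in_scope),
        "target_total": len(target),
        "missing": sorted(set(in_scope) - set(tgt)),              # in scope but not migrated
        "stale_migrated": sorted(set(tgt) & stale_ids),           # should have been excluded
        "unexpected": sorted(set(tgt) - set(in_scope) - stale_ids),  # not in the source at all
        "accuracy_mismatches": sorted(
            i for i in set(in_scope) & set(tgt) if fingerprint(in_scope[i]) != fingerprint(tgt[i])
        ),
        "duplicate_groups": duplicate_groups,
    }
    report["passed"] = not any(
        report[k] for k in ("missing", "stale_migrated", "unexpected", "accuracy_mismatches", "duplicate_groups")
    )
    return report


if __name__ == "__main__":
    for key, value in reconcile(ECC_VENDORS, S4_BUSINESS_PARTNERS).items():
        print(f"{key}: {value}")
```

On the constructed data the report fails on every check at once: 100006 is missing, the dormant 100005 was migrated, 100004 changed in transit, and 100001/100002 are the same vendor twice. Record counts alone (six source, four target) would not have told you which of these happened, which is why auditors ask for the record-level reconciliation and not just the totals. Retain the report output, the fingerprint field list and the thresholds used as part of the SDLC evidence for the cut-over.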

Early engagement with your internal and external auditors can help clarify their expectations and prevent surprises down the line. Failure to provide evidence of control effectiveness and testing could result in costly rework, delays, and potential deficiencies. Organizations should aim to document key control updates and demonstrate effectiveness throughout the migration process.

Conclusion

Even with a technical migration or “lift and shift” approach from SAP ECC to SAP S/4HANA, organizations should focus deliberately on security, controls, and GRC during the upgrade. The upgrade is also an opportunity to improve the compliance environment in targeted areas, identifying where security can be simplified or improved and where controls can be automated. By proactively addressing these areas, organizations can achieve a smooth and compliant transition while improving their control environment and reducing long-term costs.

Our Enterprise Technology Solutions (ETS) team is here to help. Whether you're in the early planning stages or approaching go-live, we can guide you through the common misconceptions and complexities of an S/4 technical migration. Reach out to start the conversation on how we can support your migration journey and help you navigate the risks and opportunities associated with an upgrade to SAP S/4HANA.
