SAP Governance, Risk and Compliance — specifically SAP Access Control (AC) and SAP Process Control (PC) — is the compliance backbone for thousands of large organisations that require Sarbanes-Oxley access certification, Segregation of Duties enforcement, and automated control monitoring across their SAP ECC and S/4HANA landscapes. SAP GRC 10.1 and 12.0 encode years of role configuration, ruleset development, and audit workflow investment. For SOX-regulated organisations, the GRC platform is as business-critical as the ERP itself — auditors rely on it, internal audit depends on it, and the CFO signs off on the control documentation it produces.
SAP's account teams are pushing SAP Cloud Identity Access Governance (Cloud IAG) as the replacement for on-premise SAP GRC — and using every maintenance renewal to apply that pressure. The pitch emphasises Cloud IAG's modern UI, cross-system access visibility beyond SAP, and embedded analytics. What the pitch omits is the revalidation cost: migrating your entire SAP GRC ruleset, role management configuration, and access request workflow to Cloud IAG requires rebuilding SOX evidence trails, revalidating control mappings, and re-establishing the documented link between Cloud IAG output and your SOX IT general control framework. For any SOX-regulated organisation, this is a multi-year compliance project — not a technology upgrade. Third-party support on your existing SAP GRC environment cuts support costs 50–65% and removes SAP's compliance leverage entirely.
SAP GRC 10.1 mainstream maintenance ended December 2022. SAP GRC 12.0 mainstream maintenance extends to December 2027, with extended maintenance to December 2030 — but only for organisations on current SP levels. Many SAP GRC 10.1 customers are in the largest TPS cohort: their GRC platform is stable, their rulesets are configured, and their SOX audit process is proven — the only reason to pay SAP's 22% standard support is the absence of a better option. See our SAP TPS complete guide for the broader maintenance context.
SAP Cloud IAG Migration — The Compliance Revalidation Trap
SAP Cloud Identity Access Governance is a genuine product with cross-system access visibility beyond SAP — it can connect to Active Directory, cloud applications, and non-SAP systems in addition to SAP ECC and S/4HANA. For organisations implementing a GRC programme from scratch with a mixed application landscape, Cloud IAG has legitimate appeal. For organisations with mature SAP GRC 10.1 or 12.0 environments, the migration triggers a compliance revalidation cycle that SAP's product team never mentions in its migration pitch.
A SOX-regulated organisation migrating from SAP GRC Access Control to Cloud IAG must:
- re-map all SoD rulesets from the Business Rule Framework (BRFplus) ruleset structure in GRC AC to Cloud IAG's access risk analysis model
- re-configure all access request workflows (ARM) in the Cloud IAG request management framework
- re-establish role management (RAM) configuration for business roles and business role templates
- re-run access certification campaigns in the new environment to generate a clean SOX baseline
- update IT general control documentation to reflect the new platform

The SOX auditor review of this migration, which verifies that controls are equivalent and that the evidence chain is unbroken, adds a further 3–6 months. System integrator estimates for a mid-size GRC 10.1 migration (50–150 SoD functions, 2,000–5,000 roles) range from £350K to £1.2M. Third-party support on the existing GRC environment costs a fraction of that, annually. See our audit defence service for the full GRC compliance support framework.
SAP GRC Version Matrix — TPS Eligibility
| SAP GRC Version | Components | SAP Mainstream Maintenance | TPS Available |
|---|---|---|---|
| SAP GRC 10.0 | AC, PC, RM, FM | Ended Dec 2020 | ✓ Yes — ideal TPS candidate |
| SAP GRC 10.1 | AC, PC, RM, FM, BCM | Ended Dec 2022 | ✓ Yes — largest GRC TPS cohort |
| SAP GRC 12.0 (SP01–SP07) | AC, PC, RM, FM, BCM, EAM | Mainstream to Dec 2027 | ✓ Yes |
| SAP GRC 12.0 (SP08+) | Full suite with S/4HANA connector | Mainstream to Dec 2027, Extended to Dec 2030 | ✓ Yes |
| SAP Cloud IAG | Cloud — access risk, request, certification | SaaS — always current | N/A — SaaS product |
GoVendorFree TPS Coverage for SAP GRC
GoVendorFree's SAP TPS covers the full SAP GRC stack — Access Control (SoD analysis, access request, role management, access certification), Process Control (automated control monitoring), Risk Management, and the GRC NetWeaver infrastructure. Coverage includes:
- SAP GRC Access Control (AC): Access Risk Analysis (ARA) — SoD ruleset stability and BRFplus rule management; Access Request Management (ARM) — workflow stability, MSMP approvals, provisioning integration with SAP HR and role management; Business Role Management (BRM) — business role template, role composition, and role lifecycle management; Emergency Access Management (EAM / Firefighter) — firefighter ID provisioning, log review workflow, and audit trail integrity
- Access Certification (CAAM): Campaign configuration and execution stability; campaign type management (user-level, role-level, object-level); sign-off workflow; access violation remediation workflow; certification evidence export for SOX auditors; LDAP/HR-driven user population synchronisation
- SAP GRC Process Control (PC): Automated control monitoring (SCMO) stability; continuous control monitoring rule management; SAP transaction usage monitoring; manual control scheduling and sign-off; issue and remediation management; regulatory mapping (SOX, GDPR, ISO 27001)
- Risk Management (RM): Risk and control library maintenance; risk assessment workflow; heat map and risk register reporting; integration with Process Control for control effectiveness evidence
- GRC Infrastructure (NetWeaver ABAP): GRC plug-in connector stability (GRCPINW, GRCPIERP) for ECC and S/4HANA targets; RFC connection management; ALE/IDOC synchronisation for role and user data; GRC user synchronisation jobs; GRC system monitoring (job scheduling, background work processes)
- SOX Compliance Advisory: ITGC control documentation templates for GRC on TPS; SOX auditor communication support; SAP GRC configuration documentation for IT audit files; SoD ruleset regulatory mapping updates (COSO 2013, ISO 27001 Annex A)
SOX Audit Continuity Under TPS — What Your Auditors Need to Know
The most consistent concern raised by SAP GRC customers considering TPS is the question of SOX audit continuity: will your external auditors accept a SAP GRC environment maintained by an independent support provider? The answer, in the experience of GoVendorFree clients across financial services, manufacturing, and healthcare, is yes — provided the IT general control documentation correctly describes the support arrangement and the ITGC testing scope covers the GRC platform itself.
SOX auditors assess IT general controls at the process and control level, not at the vendor support contract level. What matters to the auditor is that: access changes are authorised and provisioned correctly (Access Request Management workflow); SoD conflicts are identified and remediated or risk-accepted (Access Risk Analysis); privileged access is logged and reviewed (Emergency Access Management); and the evidence trail for all of the above is complete and tamper-evident. GoVendorFree TPS maintains the GRC platform stability that produces this evidence. The support provider relationship is disclosed in the ITGC documentation — the same way any third-party technology service provider would be disclosed. See our SAP Audit Defence Playbook for specific ITGC documentation language and auditor communication templates for SAP GRC TPS environments.
SAP Licence Audit Risk and GRC
SAP GRC customers on TPS face one specific SAP commercial risk that is worth addressing directly: the question of whether transitioning GRC support to a third party increases SAP licence audit risk on the underlying ERP system. The short answer is no — SAP's licence audit (LAW) process is triggered by contract terms, usage data transmission, and account team relationships, not by the support provider relationship on GRC or any other module. However, organisations moving to TPS across their SAP landscape (ECC/S/4HANA, GRC, HR, BW) should conduct a pre-TPS licence position review to confirm their licence position is documented and defensible before removing SAP's standard support as the primary relationship channel. Our audit defence service includes a pre-TPS SAP licence position review as standard for GRC customers. See the SAP Basis support guide for the broader licence and audit risk context.