Case Study: T-Mobile
Developing a Governance, Risk & Compliance (GRC) Roadmap at T-Mobile
T-Mobile is one of the world’s largest mobile operators with more than 119 million customers worldwide and is the service provider of choice for 17.3 million customers in the UK, making it one of the largest networks. T-Mobile has a range of innovative products and services such as Flext, a unique tariff with flexible pricing; U-Fix, a tariff that combines pay-as-you-go and a monthly contract; and web'n'walk, which enables customers to surf the internet on the move.
This is another huge success regarding our SOX compliance work! Well done everybody and thank you very much for the effort. It is highly appreciated.
- Johannes Schmidt Schultes, Finance Director, UK
Business Challenge
As a subsidiary of Deutsche Telekom, T-Mobile is subject to Sarbanes-Oxley (SOX) as an overseas registrant on the NYSE. In 2005 the company decided to invest in a controls intelligence solution that would help it address control issues within SAP in order to be SOX compliant. Some of the key compliance objectives that T-Mobile UK had to meet were:
- Automating controls monitoring & provisioning for ERP users
- Pushing ownership of controls out to business owners
- Identifying and resolving all segregation of duties (SoD) conflicts
- Removing inappropriate and unnecessary access to financial systems
- Preventing new SoD issues
- Automating controls for procurement processes
Approva's Approach
T-Mobile UK chose to take an automated approach to their SAP controls monitoring by implementing Approva’s Controls Intelligence Suite. Within six months the company identified over 83,000 SoD violations using the Approva solution. “When we first ran the Approva tool in March, I fell off my chair,” said Shelly Sethi, SAP NetWeaver and security manager, T-Mobile UK.
Approva prioritized the SoD violations into high, medium and informational and enabled T-Mobile to scrutinize and eliminate the majority of the high and medium priority SoD violations within three months of identifying those violations. The telecom provider further expanded Approva’s continuous controls monitoring capabilities to a much broader company-wide GRC initiative, moving beyond SoD monitoring to transaction-level monitoring. “We have gone from a largely uncontrolled systems environment to one where we have full control over access and can identify and prevent future issues before they happen,” said Tony Fitton, T-Mobile UK’s head of accounting.
Results
In addition to eliminating 83,000 SoD violations within their SAP system and strengthening their regulatory compliance, T-Mobile UK realized the following key benefits with Approva’s controls intelligence solution:
- Establishing business stewardship over SAP access
- Achieving their goal of zero unmitigated SoD violations
- Ongoing monitoring of changes to SAP access
- Reducing effort required for SOX compliance
- Increasing business confidence in SAP
- Automating the SAP user access request and approval process
- Setting an example for other T-Mobile divisions, who are now following suit