Why Migrate Now?
SAP S/4 HANA adds predictive analytics, simplified data models and an in-memory database for faster processing. SAP ERP Central Component (ECC) is SAP’s legacy ERP platform, and mainstream support for SAP ECC ends in 2027. There are optional paid extensions available until 2030, although delaying migration may increase costs and expose organizations to significant audit and compliance risks.
Challenges of Delaying Migration
Financial Reporting Risks
When SAP ECC is no longer supported, organizations lose access to regular updates, patches, and security fixes. This may increase the risk of undetected transaction or data errors which can have downstream effects on the financial statements and other reporting. Additionally, the lack of updates can cause compatibility issues with other systems, potentially impacting the accuracy and completeness of financial reporting, and may result in increased vulnerability to cyber-attacks.
Internal Control (e.g. ICFR, SOX, FDICIA, other) Risks
Unsupported software may compromise critical internal controls over financial reporting, such as access management, change management, and data integrity. If these controls fail, it could result in control deficiencies which may need to be disclosed to regulators and investors. Many ICFR and SOX controls rely on automated processes within SAP; without ongoing maintenance, the reliability of these controls is jeopardized.
Compliance Risks
Using unsupported SAP ECC software may violate industry regulations like GDPR, HIPAA, or PCI DSS, which require systems to be up-to-date and secure. Outdated systems are more vulnerable to data breaches, which could lead to data exfiltration and cyber audit risk. Furthermore, many business partners and customers require compliance with specific IT standards, and running unsupported ECC may breach these contractual obligations.
Additional Considerations
Opting for extended maintenance or custom support from SAP is costly and may not fully address all risks associated with unsupported systems.
Typical SAP ECC to SAP S/4 HANA Migration Timelines
Total Duration
*18–36 months (varies by organizational complexity, implementation approach and management preference for public vs. private cloud implementation)
| SAP Activate Phase for S/4 HANA Implementation | Key Management Activity Phases | Approach: Brownfield (*Typical Timeline) | Approach: Greenfield (*Typical Timeline) | Approach: Hybrid (*Typical Timeline) |
| --- | --- | --- | --- | --- |
| Discover | Identify business needs, explore solution options | 6 to 12+ | 8 to 18+ | 18 to 36 |
| Prepare | Finalize project scope, plans, resources | | | |
| Explore | Conduct fit-to-standard workshops, analyze gaps, prepare master data | | | |
| Realize | Configure, build, test, and validate the solution, including data migration and training | | | |
| Deploy | Cut over to the new system, perform final data loads, set up production, and transition to go-live | | | |
| Run | Operate the live system, provide hyper-care support | | | |

Brownfield = upgrading current system
Greenfield = building new system from scratch
Hybrid = selectively integrating new features with the old system

*Key factors impacting timelines are the system implementation approach (Brownfield, Greenfield, or Hybrid) and whether management is planning to implement in a public vs. private cloud. Public cloud implementations range from 9–12 months while private cloud implementations range from 12–18 months depending on the complexities of the customization and size of the company. For large companies (i.e., mostly Fortune 100) with multiple locations and a global presence, the global implementation of SAP on private cloud can range from 18–36 months.
Take Action
Begin your S/4 HANA migration now to avoid audit, compliance, and operational risks. Reach out to BDO to talk about a phased approach in assessing the SAP ECC to S/4 HANA migration. The following two phased approaches are available for management to select from:
Pre and Post Implementation Assessment
A more traditional approach whereby BDO – as the external auditor – tests management’s system implementation and conversion controls after the control activities have already taken place, and presents findings, if any, to management. This approach does not allow for an opportunity to remediate findings prior to fiscal year-end.
Real-Time System Implementation Assessment (RTSA)
BDO – as the external auditor – performs an assessment of management’s system implementation and conversion controls in real time – at defined points in the project – as the controls are initiated, allowing for early identification and subsequent remediation of potential audit and control-related issues. This reduces the chances of “surprises” and identifies opportunities for the use of more effective and cost-efficient automated application controls. Additionally, an RTSA includes an assessment of IT general controls, application controls, and reports / IPE management plans on implementing, as part of the suite of internal controls over financial reporting, to ensure risks are being appropriately addressed. This reduces the amount of post-implementation work.
The main difference between the two approaches is the timing of BDO’s independent assessment procedures, and the incremental cost associated with an RTSA as it requires more experienced resources.