- April 6, 2017
- Posted by: selva
- Category: GRC Software, SAP Access Control, SAP Process Control
An SAP ECC system is complex, and the first step is to have a risk management process to address your SAP audit compliance. This could be an Access Control or a Process Control solution. Both give you some level of risk management that helps the internal auditor, but there is a huge difference in their results and in the value they can provide.
Access Controls: Provides information on the Transaction assigned
Access Control reports access violations based on the access of an SAP user or SAP role. Here you look purely at transaction access. This can give you valuable insight into the potential risk in your SAP ECC system, but it does not mean the risk actually happened. With the new SAP GRC version you can even look at the number of times the risk was executed. But this gives auditors a false sense of hope, as it does not show the changes or the risk that really happened.
Process Control: Risk with Dollar value assigned
With Process Control, you can see the actual risk that has occurred in the system and the potential loss it could mean for your company. In this case, the auditor can see the exact transaction changes that have happened in the vendor master, customer master, or invoice payment. This way he or she is not relying just on execution but also on the transactions that have posted in the system and the potential loss that could happen if the changes are not investigated. A properly configured Process Control tool for SAP can give you only the exceptions, based on rules you have defined.
An example in finance could be maintaining the account and posting to it. In the Access Control scenario, you can only see that the combined transactions were executed.
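The difference between the two views can be shown on a small data set. This is an added illustration, not code from SAP GRC or from this post: the users, vendors, amounts, function labels, and the rule "sensitive vendor change followed by a payment to the same vendor by the same user" are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data; the function names are hypothetical labels,
# not SAP transaction codes or GRC rule IDs.
CONFLICT = {"MAINTAIN_VENDOR", "POST_PAYMENT"}
ASSIGNMENTS = {
    "alice": {"MAINTAIN_VENDOR", "POST_PAYMENT"},
    "bob": {"MAINTAIN_VENDOR", "POST_PAYMENT", "DISPLAY_VENDOR"},
    "carol": {"POST_PAYMENT"},
}
# (user, vendor, changed field, time)
VENDOR_CHANGES = [
    ("alice", "V100", "bank_account", datetime(2017, 3, 1, 9, 0)),
    ("bob", "V200", "address", datetime(2017, 3, 2, 10, 0)),
]
# (user, vendor, amount, time)
PAYMENTS = [
    ("alice", "V100", 12500.00, datetime(2017, 3, 1, 9, 30)),
    ("alice", "V100", 4000.00, datetime(2017, 3, 3, 14, 0)),
    ("bob", "V300", 800.00, datetime(2017, 3, 2, 11, 0)),
    ("carol", "V200", 950.00, datetime(2017, 3, 2, 12, 0)),
]


def access_view(assignments, conflict=CONFLICT):
    """Access Control style: who COULD perform both sides of the conflict."""
    return sorted(u for u, funcs in assignments.items() if conflict <= funcs)


def process_view(changes, payments, sensitive=("bank_account",)):
    """Process Control style: payments where the payer had earlier changed a
    sensitive field on the same vendor; returns amount per (user, vendor)."""
    exposure = {}
    for p_user, p_vendor, amount, p_time in payments:
        hit = any(
            (c_user, c_vendor) == (p_user, p_vendor)
            and field in sensitive and c_time <= p_time
            for c_user, c_vendor, field, c_time in changes
        )
        if hit:
            key = (p_user, p_vendor)
            exposure[key] = exposure.get(key, 0.0) + amount
    return exposure


if __name__ == "__main__":
    print("potential risk:", access_view(ASSIGNMENTS))
    print("actual exceptions:", process_view(VENDOR_CHANGES, PAYMENTS))
```

On this data the access view lists two users as holding the conflict, while the process view returns a single exception with the amount at stake, which is the item an auditor would investigate first.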
Key Benefits of the Process Control Solution
- Real-time audit checks for business processes
- Flags transactions out of the normal
- Immediate ROI: detection of errors, fraud, inefficiencies => avoid losses
- Root cause analysis on problematic transactions: identify issues caused by weak processes, outside organizations, etc.
- Workflows: reduce overhead in detection, investigation, documentation
- Improve internal control system, compliance; ease audits (evidence controls, follow-up