- May 19, 2017
- Posted by: selva
- Category: SAP Access Control, SAP GRC, SAP Process Control
When you implement SAP GRC for the first time, you do not know what kind of results you are going to get. One possible result is a minimal number of risks, which basically means your roles are tightly controlled and users do not get excessive access: they have only what they need.
But usually this is not the case; most SAP customers will see a huge number of risks within their users and roles. This is no surprise, as these roles were probably developed long ago and nothing has been done to clean them up.
Here are the common questions you will get when you send this kind of SAP SOD violation report to your auditor or process owner:
- What does this report mean to me, and how do I interpret these results?
- How do I clean up these roles to make them SAP SOD free?
- What is the monetary damage done to my SAP system, and can the risk be quantified?
- How are the SAP object values preventing or contributing to the risk?
- How are we to go about removing the role or transaction from the users?
- All these transactions are part of our regular business; how are we supposed to remove the access?
- We will need to hire additional people to manage SAP roles at this granular level.
What this all means is that your SAP user access is never going to be cleaned up. There will be constant pushback from the process team owners to stall the cleanup, and upper management will not want to make a decision unless there is a serious compliance violation.
A process control automation tool for SAP can clearly show you the actual loss caused by access control violations. It also shows you the actual transactions performed. This can be a good starting point for your CIO and CFO to understand the magnitude of the problem, which in turn helps you get the upper management push to clean up the access that is creating losses for the company.