SAP GRC Mitigation Control

Even once you understand the risks within the SAP system, SAP GRC mitigation control and remediation remain the top challenge for SAP customers.

So, what is the risk compliance process that allows you to understand how to tackle risk in the SAP system? There are two options: one is mitigation and the other is remediation.

Risk Assessment.

An SAP risk assessment not only gets the compliance process started, it also creates an environment for getting your SAP system clean with a set of guidelines and repeatable steps.

Therefore, I put so much time and effort into creating the compliance process with all the audit steps. And I’ve told you this before: when I started creating the auditing process, my steps failed to hit the mark.

Now, I’ve fine-tuned the auditing process that allows me to quickly diagnose the risk and come up with the right solution.

Trust me, you can do it too, and I’ll show you exactly how.

In fact, I’ll give you specific formulas that you can use to craft your SAP GRC mitigation controls hour.


The breakdown of what we’ll cover:

Laying the Groundwork

The foundation is critical, especially if you want to design a perfect SAP GRC mitigation control that will stand up to the scrutiny of the external auditors.

Here are some of the key questions you need to answer before you design a mitigation control:

Who is the right person to design the mitigation control?

Can we use existing reports to review the mitigation control, or do we need to develop a custom report?

What’s the frequency of executing the mitigation control?

Can the mitigation control be automated?

How do you document the mitigation control? 



Step #1 – Know Your Options: To Remediate or Mitigate


When you mitigate, you are basically accepting the risk and monitoring it with a manual, automated, or semi-automated control. The frequency of control execution must be decided based on the risk level, that is, on the business risk to the SAP system.

For example, when a user can create a vendor and make a payment, you must either review all the payments or examine each vendor created. One option is to restrict the number of people who can create the vendor master record, then run an exception report that shows anyone other than the approved people creating a vendor master record.
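The exception report described above, sketched as an added example that is not from the original post or from SAP GRC itself. The user IDs, vendor numbers, record layout and field names are constructed for illustration and are not SAP table fields; in practice the records would come from the vendor master change log and payment documents.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not SAP table fields.
APPROVED_VENDOR_CREATORS = {"MDM_ANNA", "MDM_RAJ"}

VENDOR_CREATIONS = [
    {"vendor": "V1001", "created_by": "MDM_ANNA", "created_on": date(2024, 3, 4)},
    {"vendor": "V1002", "created_by": "AP_CLERK1", "created_on": date(2024, 3, 11)},
    {"vendor": "V1003", "created_by": "MDM_RAJ", "created_on": date(2024, 3, 19)},
    {"vendor": "V1004", "created_by": "AP_CLERK2", "created_on": date(2024, 2, 27)},
]

PAYMENTS = [
    {"doc": "P9001", "vendor": "V1001", "posted_by": "AP_CLERK1", "amount": 1200.00},
    {"doc": "P9002", "vendor": "V1002", "posted_by": "AP_CLERK1", "amount": 8450.00},
    {"doc": "P9003", "vendor": "V1003", "posted_by": "AP_CLERK2", "amount": 300.00},
]


def unapproved_creations(creations, approved, start, end):
    """Vendors created in the review period by users outside the approved list."""
    return [c for c in creations
            if start <= c["created_on"] <= end and c["created_by"] not in approved]


def same_user_create_and_pay(creations, payments):
    """Payments posted by the same user who created the vendor being paid."""
    creator = {c["vendor"]: c["created_by"] for c in creations}
    return [p for p in payments if creator.get(p["vendor"]) == p["posted_by"]]


def exception_report(creations, payments, approved, start, end):
    """Build the evidence a control owner reviews and signs off each period."""
    return {
        "period": (start.isoformat(), end.isoformat()),
        "unapproved_creations": unapproved_creations(creations, approved, start, end),
        "create_and_pay": same_user_create_and_pay(creations, payments),
    }


if __name__ == "__main__":
    report = exception_report(VENDOR_CREATIONS, PAYMENTS, APPROVED_VENDOR_CREATORS,
                              date(2024, 3, 1), date(2024, 3, 31))
    for row in report["unapproved_creations"]:
        print("EXCEPTION vendor created by unapproved user:", row)
    for row in report["create_and_pay"]:
        print("EXCEPTION same user created and paid vendor:", row)
```

The review period passed to `exception_report` is where the control frequency shows up: a higher-risk conflict gets a shorter window and a more frequent run.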

User Based Mitigation Control:

This is one of the preferred methods for most customers. It suppresses the risk at the user level.

Role Based Mitigation control:

This suppresses the risk at the role level. This type of SAP GRC mitigation control should be used if the risk needs to be suppressed for all the users who are assigned to the role. One analysis that needs to be done is the impact of the risk in the composite role and on all the users in the system who have the role assigned to them.

Rule ID Based Mitigation Control:

In this case you want to suppress a transaction combination. When a risk is generated, each risk has a unique number. This is called the rule ID.

System Based Mitigation Control: 

There are situations where you want to disable the risk at the system level; use this when the risk has to be remediated.


So when you develop a mitigation control, make sure it is designed so that the external auditors will accept your design and monitoring of the control. It is advisable to put the mitigation control at the user level. When a risk is not valid for a system, put the mitigation control at the system level.
