- July 2, 2017
- Posted by: selva
- Category: GRC Software, SAP GRC
Now that you understand the risks within the SAP system, SAP GRC mitigation control / remediation is still the top challenge for SAP customers.
So, what is the risk compliance process that allows you to understand how to tackle a risk in the SAP system? There are two options: one is mitigation and the other is remediation.
A SAP risk assessment not only gets the compliance process started, but it creates an environment for getting your SAP system clean with a set of guidelines and repeatable steps.
Therefore, I put so much time and effort into creating the compliance process with all the audit steps. And I've told you this before: when I started creating the auditing process, my steps failed to hit the mark.
Now, I’ve fine-tuned the auditing process that allows me to quickly diagnose the risk and come up with the right solution.
Trust me, you can do it too, and I’ll show you exactly how.
In fact, I'll give you specific formulas that you can use to craft your SAP GRC mitigation controls.
SAP GRC Mitigation Control
The breakdown of what we’ll cover:
Laying the Groundwork
Foundation is critical, especially if you want to design a perfect SAP GRC mitigation control that will stand up to the scrutiny of the external auditors.
Here are some of the key questions you need to answer before you design a mitigation control:
Who is the right person to design the mitigation control?
Can we use existing reports to review the mitigation control, or do we need to develop a custom report?
What’s the frequency of executing the mitigation control?
Can the mitigation control be automated?
How do you document the mitigation control?
Step #1 – Know your options: remediate or mitigate
When you mitigate, you are basically accepting the risk and monitoring it with a manual, automated or semi-automated control. When you remediate, you remove the conflict itself, typically by changing the role design or the user's role assignments, so there is nothing left to monitor. The frequency of control execution must be decided based on the risk level, which in turn is based on the business risk to the SAP system.
For example, when a user can both create a vendor and make a payment, you must either review all the payments or examine each vendor created. One option is to restrict the number of people who can create vendor master records and run an exception report that shows anyone other than the approved people creating a vendor master. Keep in mind that a mitigating control does not remove the access; it only compensates for it, so you need evidence that the report was actually run at the stated frequency and that every exception was followed up.
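Here is what such an exception report looks like in code. This is an added example, not part of the original post; the field names follow the SAP tables LFA1 (vendor master: LIFNR/ERNAM/ERDAT) and BSAK (cleared vendor items: BELNR/LIFNR/USNAM/WRBTR), but the records and the approved-creator list are constructed for illustration. It flags both halves of the control described above: vendor masters created by anyone outside the approved group, and payments posted by the same user who created the vendor being paid.

```python
"""Exception report for the 'create vendor + pay vendor' conflict.

Added example, not from the original post. Field names follow the SAP
tables (LFA1 vendor master: LIFNR/ERNAM/ERDAT; BSAK cleared vendor items:
BELNR/LIFNR/USNAM/WRBTR), but every record and the approved-creator list
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorMaster:
    lifnr: str  # vendor number
    ernam: str  # user who created the record
    erdat: str  # creation date, YYYYMMDD


@dataclass(frozen=True)
class VendorPayment:
    belnr: str    # accounting document number
    lifnr: str    # vendor paid
    usnam: str    # user who posted the payment document
    wrbtr: float  # amount in document currency


# Constructed sample extracts (not real data).
LFA1 = [
    VendorMaster("100001", "MDM_CLERK1", "20170601"),
    VendorMaster("100002", "MDM_CLERK2", "20170603"),
    VendorMaster("100003", "AP_USER7", "20170610"),    # created by an AP user
    VendorMaster("100004", "MDM_CLERK1", "20170612"),
]
BSAK = [
    VendorPayment("1900000001", "100001", "AP_USER3", 1250.00),
    VendorPayment("1900000002", "100003", "AP_USER7", 98000.00),  # payer created the vendor
    VendorPayment("1900000003", "100004", "AP_USER7", 410.00),
]

# Assumed restricted group of users allowed to create vendor masters.
APPROVED_VENDOR_CREATORS = frozenset({"MDM_CLERK1", "MDM_CLERK2"})


def unapproved_vendor_creations(vendors, approved):
    """Vendor masters whose creator is not in the approved group."""
    return [v for v in vendors if v.ernam not in approved]


def self_created_vendor_payments(vendors, payments):
    """Payments posted by the user who created the vendor being paid."""
    creator_by_vendor = {v.lifnr: v.ernam for v in vendors}
    return [p for p in payments if creator_by_vendor.get(p.lifnr) == p.usnam]


def exception_report(vendors, payments, approved):
    """Return the exception lines a reviewer signs off on each run."""
    lines = []
    for v in unapproved_vendor_creations(vendors, approved):
        lines.append(f"UNAPPROVED_CREATOR vendor={v.lifnr} created_by={v.ernam} on={v.erdat}")
    for p in self_created_vendor_payments(vendors, payments):
        lines.append(f"CREATOR_PAID_OWN_VENDOR doc={p.belnr} vendor={p.lifnr} "
                     f"user={p.usnam} amount={p.wrbtr:.2f}")
    return lines


if __name__ == "__main__":
    for line in exception_report(LFA1, BSAK, APPROVED_VENDOR_CREATORS):
        print(line)
```

On the sample data the report produces two lines: vendor 100003 was created by AP_USER7, who is not an approved creator, and document 1900000002 is a payment by AP_USER7 to that same vendor. An empty report is only meaningful if the run itself is evidenced, so the reviewer should retain the output (or a zero-exception confirmation) for each scheduled execution.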
User Based Mitigation Control:
This is the preferred method for most customers. It suppresses the risk at the user level: the control is assigned to a specific user for a specific risk, so other users with the same access still show the violation.
Role Based Mitigation control:
This suppresses the risk at the role level. Use this type of SAP GRC mitigation control when the risk needs to be suppressed for all users who are assigned to the role. Before assigning it, analyse the impact: which composite roles contain the role, and which users in the system have the role assigned, because every one of them will be mitigated.
Rule ID Based Mitigation Control:
In this case you want to suppress a specific transaction combination. Each generated risk carries a unique number that identifies the exact action or permission combination that triggered it; this is called the rule ID.
System Based Mitigation Control:
There are situations where you want to suppress the risk at the system level; use this when the risk has to be remediated for the whole system rather than for individual users or roles.
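To make the four scopes concrete, here is an added example (not part of the original post and not SAP GRC's own logic) that models a risk-analysis result and a set of mitigation assignments, then reports which violations each scope suppresses and which stay open. It also lists the users a role-level assignment would cover, which is the impact analysis mentioned above. The identifiers, the rule-ID format and the matching rules are assumptions for illustration.

```python
"""Which violations does each mitigation scope suppress?

Added example, not from the original post and not SAP GRC's own code.
A violation is (system, user, role, risk_id, rule_id); a mitigation
assignment is a scope (user, role, rule or system), the key it is
assigned to, and the risk it covers. Identifiers and the rule-ID format
are made up. Assumption: user-, role- and system-level assignments must
match the risk ID as well as the key; a rule-level assignment matches
the rule ID alone (the transaction combination itself).
"""
from typing import NamedTuple


class Violation(NamedTuple):
    system: str
    user: str
    role: str
    risk_id: str
    rule_id: str   # one risk can produce several rule IDs (action combinations)


class Mitigation(NamedTuple):
    control_id: str
    scope: str     # "user", "role", "rule" or "system"
    key: str       # user ID, role name, rule ID or system ID depending on scope
    risk_id: str


def covers(m: Mitigation, v: Violation) -> bool:
    """True when assignment m suppresses violation v under the simplified model."""
    if m.scope == "rule":
        return m.key == v.rule_id
    if m.risk_id != v.risk_id:
        return False
    if m.scope == "user":
        return m.key == v.user
    if m.scope == "role":
        return m.key == v.role
    if m.scope == "system":
        return m.key == v.system
    raise ValueError(f"unknown scope {m.scope!r}")


def split_violations(violations, mitigations):
    """Return (mitigated, still_open); each entry is (violation, control_id or None)."""
    mitigated, still_open = [], []
    for v in violations:
        hit = next((m for m in mitigations if covers(m, v)), None)
        if hit:
            mitigated.append((v, hit.control_id))
        else:
            still_open.append((v, None))
    return mitigated, still_open


def role_impact(violations, role):
    """(system, user) pairs that a role-level assignment on `role` would cover."""
    return sorted({(v.system, v.user) for v in violations if v.role == role})


# Constructed risk-analysis output and assignments (not real data).
VIOLATIONS = [
    Violation("ECC_PRD", "AP_USER7",   "Z_AP_CLERK",  "P001", "P001-01"),
    Violation("ECC_PRD", "AP_USER3",   "Z_AP_CLERK",  "P001", "P001-01"),
    Violation("ECC_PRD", "MDM_CLERK1", "Z_MDM_SUPER", "P001", "P001-02"),
    Violation("ECC_DEV", "DEVUSER1",   "Z_AP_CLERK",  "P001", "P001-01"),
]
MITIGATIONS = [
    Mitigation("MC-AP-001",  "user",   "AP_USER7", "P001"),  # monthly payment review
    Mitigation("MC-SYS-DEV", "system", "ECC_DEV",  "P001"),  # dev system being remediated
]


if __name__ == "__main__":
    mitigated, still_open = split_violations(VIOLATIONS, MITIGATIONS)
    for v, control in mitigated:
        print(f"MITIGATED by {control}: {v.system} {v.user} {v.rule_id}")
    for v, _ in still_open:
        print(f"OPEN: {v.system} {v.user} {v.rule_id}")
    print("role Z_AP_CLERK would cover:", role_impact(VIOLATIONS, "Z_AP_CLERK"))
```

With these assignments, AP_USER7 is covered by the user-level control and DEVUSER1 by the system-level one, while AP_USER3 and MDM_CLERK1 remain open. Switching MC-AP-001 to a role-level assignment on Z_AP_CLERK would also suppress AP_USER3 (and DEVUSER1), which is exactly why the impact list should be reviewed before choosing that scope.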