
GRC Mitigating Controls

Former Member

Hi,

We are putting together our mitigating controls for the SOD issues in GRC. We are having problems trying to identify the reports that would give us the information to ensure that no user has violated a control. For example: S001 Chg credit limit of marginal cust & manage SOs in its favor - we need to get a list of changes made to the credit limits for each customer by user and compare that to the list of sales orders created / changed by the same user for the same customer.

The table that stores the credit limit changes is very big and a query on this each month would probably time out.

Does anyone have any suggestions or previous experience on setting up mitigating controls and can give a high level view of the approach to take - i.e. should we be looking at standard SAP reports or should we create the reports using ABAPs, or are there any other alternatives?

Thanks

Loretta

Answers (3)

hkaur
Advisor

Hello Loretta,

All you need to do to mitigate a risk is to 1) Create a mitigation control from the Mitigation tab

2) In the risk analysis report, select the risk and assign this mitigation control

Does this answer your query?

Harleen

GRC RIG

Former Member

Hi Harleen,

I have a question for you about mitigating controls, and it's non technical. I have all the GRC functionality working, but my client wants to know a good way to manage the controls.

Do you have some best practice information on what sort of information should be collected/retained/defined in order to have a good mitigating control in place?

Thanks,

Santosh

hkaur
Advisor

Hello Loretta,

There are no reports that are run in GRC to mitigate. In GRC, assigning mitigation is a continuation of the risk analysis report. When you perform risk analysis and click on the risk description, you get three options: remove access from the user, delimit access, or mitigate the risk. If you choose the mitigate option, you get the mitigation screen and can assign a mitigation control to the risk.

You can also create a mitigation control from here or from the Mitigation tab of RAR.

This is all that we have in GRC for assigning mitigation controls. I am not aware of any reports in R/3 for assigning mitigation controls.

Is this what you are looking for?

Harleen

GRC RIG

Former Member

Harleen,

I am looking for details on the mitigating controls - if you want to mitigate a risk in GRC, what action do you take? For example, do you run a list of changes made by the user to master data and compare that to the list of sales orders created by the same user for the same customer for a sales risk? The details of the actions would constitute the mitigating control in GRC; it is these details that we need.

Thanks

Loretta
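The detective check Loretta describes (here and in the original question) is a join: credit-limit changes by user and customer, matched against sales orders created or changed by the same user for the same customer. The Python below is an added example for this thread, not SAP or GRC code. All records are constructed; the field comments name the SAP fields (CDHDR-USERNAME/UDATE for the credit-limit change document, VBAK-KUNNR/ERNAM/ERDAT for the order header) that each attribute is assumed to map to, and the `window_days` and `increases_only` filters are this example's own design choices, not anything the thread specifies.

```python
"""Correlate credit-limit changes with sales-order activity by the same user
for the same customer (the detective check behind an S001-style mitigating
control).  Added example for this thread, not SAP code.  All records below are
constructed; the field comments name the SAP fields they are assumed to map to."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CreditLimitChange:
    user: str         # assumed: CDHDR-USERNAME on the credit-limit change document
    customer: str     # assumed: KNKK-KUNNR
    changed_on: date  # assumed: CDHDR-UDATE
    old_limit: float
    new_limit: float


@dataclass(frozen=True)
class SalesOrder:
    order_no: str     # assumed: VBAK-VBELN
    user: str         # assumed: VBAK-ERNAM (creator) or the changer from the order's change documents
    customer: str     # assumed: VBAK-KUNNR (sold-to party)
    on_date: date     # assumed: VBAK-ERDAT / AEDAT


@dataclass(frozen=True)
class Finding:
    user: str
    customer: str
    changed_on: date
    old_limit: float
    new_limit: float
    order_no: str
    order_date: date


def find_conflicts(changes: Iterable[CreditLimitChange],
                   orders: Iterable[SalesOrder],
                   window_days: Optional[int] = None,
                   increases_only: bool = True) -> List[Finding]:
    """Return every (credit-limit change, sales order) pair where the same user
    touched both for the same customer.

    window_days: only pair orders dated within +/- window_days of the change
                 (None = no time restriction, matching the thread's wording).
    increases_only: ignore changes that did not raise the limit, since the risk
                    is a change in the customer's favour (assumed interpretation).
    """
    # One pass over the order extract to index by (user, customer); each credit
    # change is then a dictionary lookup instead of a nested scan, so the check
    # scales with the size of the monthly extract rather than the whole table.
    orders_by_key = defaultdict(list)
    for o in orders:
        orders_by_key[(o.user, o.customer)].append(o)

    findings = []
    for c in changes:
        if increases_only and c.new_limit <= c.old_limit:
            continue
        for o in orders_by_key.get((c.user, c.customer), []):
            if window_days is not None and abs((o.on_date - c.changed_on).days) > window_days:
                continue
            findings.append(Finding(c.user, c.customer, c.changed_on,
                                    c.old_limit, c.new_limit, o.order_no, o.on_date))
    return sorted(findings, key=lambda f: (f.user, f.customer, f.changed_on, f.order_no))


# Constructed sample data (not real SAP extracts).
SAMPLE_CHANGES = [
    CreditLimitChange("JSMITH", "100001", date(2024, 3, 3), 10000, 50000),   # increase
    CreditLimitChange("JSMITH", "100002", date(2024, 3, 5), 20000, 15000),   # decrease
    CreditLimitChange("MLEE",   "100003", date(2024, 3, 10), 5000, 8000),    # increase
    CreditLimitChange("AKHAN",  "100001", date(2024, 3, 12), 50000, 60000),  # increase
]

SAMPLE_ORDERS = [
    SalesOrder("0000010001", "JSMITH", "100001", date(2024, 3, 4)),   # same user+customer, next day
    SalesOrder("0000010002", "MLEE",   "100001", date(2024, 3, 6)),   # different user
    SalesOrder("0000010003", "JSMITH", "100003", date(2024, 3, 11)),  # limit changed by MLEE, not JSMITH
    SalesOrder("0000010004", "AKHAN",  "100002", date(2024, 3, 13)),  # AKHAN changed 100001, not 100002
    SalesOrder("0000010005", "JSMITH", "100001", date(2024, 5, 20)),  # same key, 78 days later
    SalesOrder("0000010006", "JSMITH", "100002", date(2024, 3, 6)),   # follows a decrease
]


def main() -> None:
    for f in find_conflicts(SAMPLE_CHANGES, SAMPLE_ORDERS, window_days=30):
        print(f"{f.user} raised limit of {f.customer} {f.old_limit:.0f}->{f.new_limit:.0f} "
              f"on {f.changed_on} and handled SO {f.order_no} on {f.order_date}")


if __name__ == "__main__":
    main()
```

Run against a month's extract of change documents and order headers rather than the full tables, which is what keeps the monthly control from timing out: restrict the change-document read by date (and object class) on the database side, pull the orders for the same period, and do the join here. The two filters are tunable: `increases_only=False` flags every limit change, and `window_days=None` pairs any order with any change regardless of date, which is the literal control as worded in the thread.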

Former Member

Hi Loretta,

First consider remediating the risk. The golden rule is to segregate master data duties from transactional duties. I'm no SD funkie, but...

Does the Sales admin really need to maintain credit limits?

Can the changes be reviewed and approved by a colleague or supervisor via WF?

Maybe you can split it up so that Admin A can process SOs for customers A-K and maintain credit limits for customers L-Z. Admin B would process SOs for customers L-Z and maintain credit limits for customers A-K.

To display changes to credit management you can run report S_ALR_87012215

Regards,

Vit

hkaur
Advisor

Hello Loretta,

Have you looked at the Alerts functionality in GRC RAR? I think that should resolve your issue.

You can set up Alerts in RAR for Mitigation Controls also; i.e. an email alert if a report specified when creating the mitigation control is not run at the required frequency.

Refer configuration guide for more information and see if it helps.

Harleen

SAP GRC RIG

Former Member

Harleen,

Many thanks for your reply. The problem we are having is actually defining what reports to run to mitigate the risk. There are no standard R/3 reports that we are aware of that will give us the information that we require. We are looking at interrogating SAP tables and we feel that this is not the most efficient way. We are just wondering what reports other organisations use to mitigate risks in GRC such as risk S001.

Kind regards

Loretta