GRC 10: Input needed on how to address Risk# F031 in ARA

former_member184114
Active Contributor
0 Kudos

Hi,

I have analyzed some of the users in the system with the help of ARA. I got a risk violation for the risk below:

Risk#F031: Adjust the AR subsidiary balance using billing documents and then conceal with journal entries

The conflicting tcodes are: F.81, VF11, FBS1

Can anybody help me in addressing this? I mean, I am quite clueless on how to handle this. Should I mitigate it or do something else...

Please suggest.

Regards,

Faisal

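To make the question concrete, here is a small model of how an ARA-style SoD rule such as F031 is evaluated, and how each of the three resolution paths (removing tcodes, redesigning the risk, assigning a mitigating control) changes the result. This is an added example, not code from SAP or from anyone in this thread; the split of F.81, VF11 and FBS1 into two functions, the role names and the user/control identifiers are all constructed assumptions for illustration, not the delivered ruleset.

```python
"""Toy evaluation of a segregation-of-duties (SoD) risk in the style of ARA.

A risk fires when one user can reach at least one tcode from EVERY function
of the risk. Constructed example; the F031 function split below is an assumption.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: Dict[str, FrozenSet[str]]  # function name -> tcodes in that function


# Assumed approximation of the risk quoted in the question. The grouping of the
# three tcodes into two functions is constructed for illustration only.
RISK_F031 = Risk(
    risk_id="F031",
    description=("Adjust the AR subsidiary balance using billing documents "
                 "and then conceal with journal entries"),
    functions={
        "BILLING_DOC_CANCEL": frozenset({"VF11"}),            # assumed billing-side function
        "ACCRUAL_JOURNAL_POST": frozenset({"FBS1", "F.81"}),  # assumed journal-entry function
    },
)


@dataclass
class UserAccess:
    user: str
    roles: Dict[str, Set[str]]                                 # role -> tcodes it grants
    mitigations: Dict[str, str] = field(default_factory=dict)  # risk_id -> control id

    def tcodes(self) -> Set[str]:
        out: Set[str] = set()
        for codes in self.roles.values():
            out |= codes
        return out


def evaluate(user: UserAccess, risk: Risk) -> Tuple[str, Dict[str, List[str]]]:
    """Return ("OK" | "VIOLATION" | "MITIGATED", {function: [matching tcodes]})."""
    hits: Dict[str, List[str]] = {}
    have = user.tcodes()
    for fname, fcodes in risk.functions.items():
        matched = sorted(fcodes & have)
        if not matched:
            return "OK", {}  # one function is unreachable, so no conflict exists
        hits[fname] = matched
    if risk.risk_id in user.mitigations:
        return "MITIGATED", hits  # conflict still present, but a control is assigned
    return "VIOLATION", hits


def conflicting_tcodes(user: UserAccess, risk: Risk) -> List[str]:
    """The tcodes that together cause the violation (empty when the risk does not fire)."""
    status, hits = evaluate(user, risk)
    if status == "OK":
        return []
    return sorted(t for codes in hits.values() for t in codes)


# Resolution 1: role redesign, i.e. take the conflicting tcodes out of the user's roles.
def remove_tcodes(user: UserAccess, tcodes: Set[str]) -> UserAccess:
    return UserAccess(user.user,
                      {r: c - set(tcodes) for r, c in user.roles.items()},
                      dict(user.mitigations))


# Resolution 2: redesign the risk by narrowing one of its functions.
def drop_from_function(risk: Risk, fname: str, tcodes: Set[str]) -> Risk:
    funcs = dict(risk.functions)
    funcs[fname] = funcs[fname] - frozenset(tcodes)
    return replace(risk, functions=funcs)


# Resolution 3: keep the access but assign a mitigating control (e.g. a review report).
def mitigate(user: UserAccess, risk_id: str, control_id: str) -> UserAccess:
    return UserAccess(user.user,
                      {r: set(c) for r, c in user.roles.items()},
                      {**user.mitigations, risk_id: control_id})


# Constructed sample user holding a billing role and an accruals role.
SAMPLE_USER = UserAccess(
    user="USER01",
    roles={"Z_AR_BILLING": {"VF01", "VF11"}, "Z_FI_ACCRUALS": {"FBS1", "F.81"}},
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_USER, RISK_F031))
    print(evaluate(remove_tcodes(SAMPLE_USER, {"FBS1", "F.81"}), RISK_F031))
    print(evaluate(mitigate(SAMPLE_USER, "F031", "MC-CONSTRUCTED-01"), RISK_F031))
```

The point the model makes is that the three paths are not interchangeable: removing a tcode or narrowing the risk makes the conflict disappear from the report, whereas a mitigation leaves the conflict in place and only records that a compensating control exists, which is exactly why the choice among them belongs to the business process owner rather than to the tool.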
Accepted Solutions (1)

Former Member
0 Kudos

Faisal,

You asked for a suggestion, so here is mine: if you do not understand the business processes there well enough to know how to deal with this SOD conflict, in my estimation you are not the right person to be making such decisions. A designated qualified business process expert, such as a Finance Manager, should be making the choice between removing tcodes, redesigning the risk, or using a mitigation. A qualified consultant (or IT support admin) should be competent enough to make recommendations on an appropriate resolution, but at the end of the day, it is still the business's decision.

If you can't even make a recommendation, and you were configuring my employer's GRC system, it would be my responsibility to have a meeting with the project sponsor, about needing a change in the project staffing. Sorry if that sounds harsh, but it is the truth.

Gretchen

former_member184114
Active Contributor
0 Kudos

Gretchen,

Thanks for the suggestion. I respect that!

I am a technical person who is taking the responsibility to configure the GRC system. At the same time, I need to advise the business on these risks as well. However, I am not quite familiar with these business processes and terminologies, therefore I was checking if anyone could guide me in at least proposing my recommendations to the business.

Still waiting for any suggestion!

Regards,

Faisal

patrick_weyers
Participant
0 Kudos

Gretchen,

I respectfully disagree with your assessment.

The standard ruleset delivered with SAP Access Control in many areas falls short of describing in an understandable manner what the actual "risk" (or rather: the impact) is. While a lot of care has been put into the technical SoD definitions themselves, the detailed descriptions often only paraphrase the two functions leading to the conflict.

Obviously, if a GRC project builds their SoD ruleset from scratch, there is little danger the resulting risk definitions are not understood by the persons involved. However, if the project team decides (and there are good reasons for and against this) to leverage the standard ruleset, they may sooner or later run into a situation where all participants (be it business process experts or GRC implementation consultants who may not have run a project like this dozens of times...) question the relevance of a particular SoD risk without fully understanding its implications.

In my opinion, it is perfectly valid to ask for clarification of specific standard SoD risks in such a case, as these questions may have been discussed in detail by other teams. After all, that's what a forum like this is meant to be for in the first place.

Suggesting to the original poster to ask for their resignation from the project is - in my view - indeed a little harsh and by no means "the truth", but rather a pretty personal view. 😉

Now I hope someone can help Faisal with F031...

Cheers

Patrick

Former Member
0 Kudos

Faisal,

But that is just it: no one on SCN, unless they work for that business, is going to be able to tell you what to do. It could be that the risk is not configured correctly per the business process. It could be that there is a report that is used to monitor such conflicts and could be used as a mitigation. It could be that one or more roles need to be redesigned. All of those are plausible solutions, but none of us can tell you which is best for that business.

This is exactly why I firmly believe that people with business process experience make better security/compliance staff than people who are strictly technical. I know that does not help you right at this moment; it is just an observation.

So my opinion is: a public discussion forum is not the right place for such questions.

Perhaps someone else here believes differently and will join the discussion to argue with me. As for me, I have to get back to work. Good luck!

Gretchen

former_member184114
Active Contributor
0 Kudos

Gretchen,

Again thanks for your kind reply.

I think I will get it done by myself instead of getting involved in an off-track discussion.

Regards,

Faisal

Answers (0)