
Top High Risk Conflicts for a Mining Company

Former Member

Please advise whether there is a generic list of the key SOD conflicts in the following processes:

FI/CO

MM Purchasing

MM Logistics

PS

HCM

SD

PM

Accepted Solutions (0)

Answers (1)

Former Member

Karina,

I would have expected all of those process areas to be covered sufficiently in the standard SOD rule set that comes delivered with the GRC Access Control solution. Are they not, in your view, or perhaps you have not bought it yet? I'm not sure anyone is going to be willing to give it away, since it is part of the value of buying the solution. Most consultancies active in GRC have their own rule sets as well, but I would not expect them to give them away either, since they are proprietary intellectual property. If you need assistance in winnowing down the standard rule set to what is applicable in your industry, I would bet that both SAP's GRC consultants and the certified GRC partner consultancies would be happy to send you quotes for such an engagement.

Regards,

Gretchen

Former Member

Hi Gretchen,

We have implemented GRC AC and based our ruleset on the SAP standard ruleset. Some of the risks have been deactivated and we have also included additional custom risks of which some include custom tcodes.

I form part of the project assurance team and as such I have already noted that the ruleset includes some false positive SOD risks (such as ME23N and MIGO). Taking this into account, I would like to ensure that the ruleset includes at the very least the key/top high risk SODs. Please advise whether there is an alternate method for me to follow in this regard?

Kind regards

Karina

Former Member

Karina,

If you are getting false positives from your risk analysis, the authorizations (permissions) in the rules may not be set correctly to align with how those transactions (actions) are being used in your processes. Certainly those transactions are two I would expect to see in risks in an SOD rule set. If you do not have internal resources with the skillset to do that rule configuration review, again I am sure that SAP and any number of consultancies would be happy to do such a project.

Good luck!

Gretchen

Former Member

Hi Karina,

I would carry on with the approach you and your assurance team have taken. If, like many customers, you are unsure of what you deem is an acceptable rule set for the business, I would implement the SAP standard one and run a few reports and weed out the "False Positives". The delivered rule set contains the most common and highly regarded SOD and Critical risk definitions. If I am not mistaken, these rules were identified by SAP and some of the "Big4" auditing companies. Not sure if this is still the case.

What I mean by "weeding out" is either disable the risk definition if it is not applicable at all for the organisation (as you have already pointed out with the ME23N/MIGO scenario), or refine the permission settings to reflect realistic risk situations for the business. A good example of this is that your business may only deem it a risk for a certain billing type to be processed with a certain transaction code.

As time goes on, your refined rule set will be tailored to work for you. I am also glad to read that you are incorporating custom transaction codes into your rule set.

It may be worth getting the rule set checked as a Quality Assurance piece of engagement by a decent consulting firm prior to Audit. But I am sure your efforts of modifying the SAP delivered rule set should pay off.

All the best.
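The two points made in the replies above, that a rule defined only at the transaction (action) level flags display-only users such as the ME23N/MIGO case, and that refining the permission settings in the rule removes that false positive, can be illustrated with a toy risk-analysis engine. This is an added example, not code from the thread or from SAP GRC Access Control; the risk id P001, the function names, the user records and the authorization object M_BEST_EKO with field ACTVT are constructed for the illustration (ACTVT 01/02/03 stand for create/change/display, as they do in SAP authorizations), and any real rule set should be checked against its own objects and values.

```python
"""Toy SOD risk analysis: action-level versus permission-level rule evaluation.

Constructed example. Object/field/value names below are illustrative and
must be checked against the real rule set and authorization data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Perm:
    """One authorization field value, e.g. object M_BEST_EKO, field ACTVT, value 01."""
    obj: str
    fld: str
    val: str


@dataclass
class Function:
    """A business function: the transactions that perform it and, optionally,
    the permission values under which a transaction is actually risky."""
    name: str
    tcodes: FrozenSet[str]
    # tcode -> permission values, any one of which makes the tcode risky.
    # A tcode with no entry is treated as risky on its own (action level only).
    risky_perms: Dict[str, FrozenSet[Perm]] = field(default_factory=dict)


@dataclass
class Risk:
    risk_id: str
    description: str
    functions: List[Function]  # conflict exists when a user can perform all of them


@dataclass
class User:
    name: str
    tcodes: FrozenSet[str]
    perms: FrozenSet[Perm]


def can_perform(user: User, func: Function, level: str) -> bool:
    """True if the user can perform the function at the given analysis level.

    level == "action": having any tcode of the function is enough.
    level == "permission": the tcode must also carry one of the risky
    permission values defined for it (if none are defined, the tcode suffices).
    """
    for tc in func.tcodes & user.tcodes:
        if level == "action":
            return True
        needed = func.risky_perms.get(tc)
        if needed is None or needed & user.perms:
            return True
    return False


def analyze(user: User, ruleset: List[Risk], level: str) -> List[str]:
    """Return the ids of risks the user violates at the given level."""
    return [r.risk_id for r in ruleset
            if all(can_perform(user, f, level) for f in r.functions)]


def weed_out(users: List[User], ruleset: List[Risk]) -> Set[Tuple[str, str]]:
    """(user, risk) pairs flagged at action level but cleared at permission
    level: the candidates a reviewer would examine as false positives."""
    return {(u.name, rid) for u in users
            for rid in analyze(u, ruleset, "action")
            if rid not in analyze(u, ruleset, "permission")}


# --- constructed rule set and users --------------------------------------
def actvt(val: str) -> Perm:
    return Perm("M_BEST_EKO", "ACTVT", val)  # illustrative object/field


PO_TCODES = frozenset({"ME21N", "ME22N", "ME23N"})
GR_TCODES = frozenset({"MIGO"})

# Delivered-style rule: ME23N listed with no permission qualification.
BROAD_RULESET = [Risk("P001", "Maintain purchase order and post goods receipt", [
    Function("Maintain purchase orders", PO_TCODES),
    Function("Post goods receipt", GR_TCODES),
])]

# Refined rule: a PO tcode is risky only with create (01) or change (02) activity.
REFINED_RULESET = [Risk("P001", "Maintain purchase order and post goods receipt", [
    Function("Maintain purchase orders", PO_TCODES,
             {tc: frozenset({actvt("01"), actvt("02")}) for tc in PO_TCODES}),
    Function("Post goods receipt", GR_TCODES),
])]

DISPLAY_USER = User("display_only", frozenset({"ME23N", "MIGO"}),
                    frozenset({actvt("03")}))
BUYER_RECEIVER = User("buyer_receiver", frozenset({"ME21N", "MIGO"}),
                      frozenset({actvt("01"), actvt("02")}))

if __name__ == "__main__":
    for u in (DISPLAY_USER, BUYER_RECEIVER):
        print(u.name, "broad/action:", analyze(u, BROAD_RULESET, "action"),
              "refined/permission:", analyze(u, REFINED_RULESET, "permission"))
    print("false-positive candidates:", weed_out([DISPLAY_USER, BUYER_RECEIVER], REFINED_RULESET))
```

Running the broad rule at permission level does not help by itself, because no permission values are defined for ME23N and the tcode alone still fires; it is the refined rule, with ACTVT 01/02 attached to the purchasing transactions, that clears the display-only user while still flagging the user who can both create purchase orders and post goods receipts.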