
SoD Mitigation Controls design

Former Member
0 Kudos

Dear all,

I'm responsible for the design of the Segregation of Duties matrix in our company, which I have already built, and it has also been reviewed by our external auditors.

The problem that I'm facing at the moment is the reports to support the mitigation controls. We had a discussion with our internal IS developers and apparently the effort to build such reports will be too expensive, therefore I need to come up with some alternative.

My first thoughts were to redesign the mitigation controls, but again I'm not very familiar with the available reports in the ERP.


Is there anyone who could give me some tips on mitigation controls that somehow use standard reports from SAP? Any suggestion is very much appreciated.

The SoD risk matrix covers all areas: FICO, MM, PM, PS, CRM, SRM...

Thanks a lot.

8 REPLIES 8

Former Member
0 Kudos

Jose,

We are not live yet (SP12), but I have been running some of the standard reports in our test system, and both the Mitigation Control report and the Mitigated Objects report seem to be adequate and appear to report our mitigations accurately. What were your auditors looking for that is not included in those standard reports?

Cheers,

Gretchen

0 Kudos

Dear Gretchen,

As I said, I'm not very familiar with the standard reports in ECC. I had a discussion with our external auditors and they suggested running some reports from the tables in ABAP, but the problem is that those reports are not very user-friendly, especially considering that the Business Manager would then be running and checking them.

Would you be able to provide me with a list of standard reports, so I can review it and check if it helps?

Appreciate it.

Thank you very much,

Cheers

Marcos


0 Kudos

Jose,

You have lost me completely. I thought you were asking about reports in GRC; if you need help with reports in ECC, this may not be the best forum for such discussions. GRC reports are right where you would expect them to be, on the Reports and Analytics tab.

Good luck,

Gretchen

0 Kudos

Thank you everyone for your input and help. I guess I confused you all with my question.

I need reports that can support us in monitoring the controls we have designed.

For example, we have a SoD risk with Vendor master data maintenance and Posting vendor invoice. For this risk, the control we designed is to review the vendor master data change report and validate that all changes in the Bank account fields are correct.

Thank you anyway for your help,

Marcos
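
The control described in the post above (review vendor master changes to bank account fields, for a user base that can also post vendor invoices), sketched as an added example that is not part of any post in this thread. The CSV layout, column names, user IDs and sample rows are constructed assumptions, not the format of any SAP report.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports; column names are hypothetical, not an SAP layout.
CHANGES_CSV = """vendor,field,changed_by,changed_on,old_value,new_value
100234,bank_account,JSMITH,2024-03-01,DE001111,DE009999
100234,street,JSMITH,2024-03-01,Main St 1,Main St 2
100871,bank_account,AKHAN,2024-03-04,FR002222,FR003333
100455,iban,MLOPEZ,2024-03-10,ES004444,ES005555
"""
INVOICES_CSV = """doc_no,vendor,posted_by,posted_on,amount
5100001,100234,JSMITH,2024-03-03,18500.00
5100002,100871,BWONG,2024-03-05,920.00
5100003,100455,MLOPEZ,2024-02-20,4300.00
5100004,100455,MLOPEZ,2024-05-30,4300.00
"""
BANK_FIELDS = {"bank_account", "iban", "bank_key"}  # fields the control reviews


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def bank_changes(changes):
    """Changes the reviewer must validate: bank fields only."""
    return [c for c in changes if c["field"] in BANK_FIELDS]


def sod_exceptions(changes, invoices, window_days=30):
    """Bank changes followed by an invoice from the same user on the same vendor."""
    window = timedelta(days=window_days)
    hits = []
    for c in bank_changes(changes):
        changed = date.fromisoformat(c["changed_on"])
        for inv in invoices:
            posted = date.fromisoformat(inv["posted_on"])
            if (inv["vendor"] == c["vendor"]
                    and inv["posted_by"] == c["changed_by"]
                    and changed <= posted <= changed + window):
                hits.append((c["vendor"], c["changed_by"], inv["doc_no"]))
    return hits


if __name__ == "__main__":
    ch, inv = load(CHANGES_CSV), load(INVOICES_CSV)
    print(len(bank_changes(ch)), "bank changes to review")
    for vendor, user, doc in sod_exceptions(ch, inv):
        print(f"vendor {vendor}: {user} changed bank data and posted {doc}")
```

Every row from `bank_changes` still needs the manual validation the control calls for; `sod_exceptions` only ranks the cases where the conflicting access was actually exercised by one user.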

0 Kudos

Jose,

Ahh, *now* your question makes sense. In my humble opinion, the business in this scenario is trying to dodge their responsibility. The business must own their mitigations. If they think that they can mitigate an SOD risk with a monitoring report, it is their responsibility to work with their functional experts to identify which report would be suitable. In my experience, GRC implementers are not expected to be experts in reporting in every ECC module; some of us have some functional experience in a module, but many do not. As Andrzej mentioned, many standard SAP reports are on report trees, and the functional experts from FI/CO, MM, etc., should know which ones could be used to monitor their processes. They would also know which custom reports were already created.

Good luck!

Gretchen

vinita_kasliwal
Active Contributor
0 Kudos

Hi Jose,

Can you share what kind of reports you are looking for from an SRM perspective, and would you be able to create a custom report by using "joins" to combine data from multiple tables?

AndrzejP
Active Participant
0 Kudos

Dear Marcos,

Do you need SAP GRC reports, or standard SAP ECC reports to be used for monitoring of mitigating controls?

The easiest way to get a standard report from SAP is just to go through the report tree or get it with its description from the TSTC table. From a practical perspective, we normally ask the business to provide the respective reports for each control... not sure exactly what input you need...

Best regards, Andrzej

0 Kudos

Hi,

Implement process controls (GRC PC) and link the mitigating controls report to the controls in PC, than ECC reports.