on 05-15-2014 3:46 PM
Hello everyone,
Just a question regarding updating our ruleset: SAP have sent us a Q4 2013 ruleset update, and it has around 12 updates, from BASIS to Financial, including some transactions we don't even have. What I was wondering, as I need to better understand this, is MUST I implement this ruleset? We have been live now and everything is fine, so why should we add these?
Must I do an impact analysis on this, and what must I look for? I need to be able to advise back so that the business is 100% confirmed on whether they update it or not.
Our ruleset is fine; we worked on it for months, and now they send us this, and we just wonder: must we add it? If not, why shouldn't we, or why should we?
Much appreciated,
thanks
K
Dear Kevin,
Basically, this question must be answered by the person responsible for your internal controls (and/or your organization) and cannot be answered by SAP or the SCN community. SAP only offers best practice and gives you a first impression of how your rule set can be defined. In the end, your organization is responsible for your rule set, and the responsible person has to decide whether he wants to update the current rule set by implementing the update or go ahead with the current one.
From my point of view, as the person responsible for internal controls, I review the proposed changes from SAP and verify whether they are applicable to my organization. Our organization, for example, generally doesn't have all the risks proposed by SAP, as they are not defined as critical and can be neglected.
Hope this helps.
Best regards,
Alessandro
Hi Alessandro,
Firstly, many thanks for getting back so promptly, and full marks coming to you.
The reason why I posted this was that I thought it was the job of a GRC CONSULTANT, and fellow managers have been asking an SAP Security and Authorisation consultant too, who have all gone blank.
I was only thinking this as the ruleset had a few tcodes for HR BASIS, and BASIS tcodes. That's what I thought: why would an SAP Security consultant be able to do an impact analysis? And it didn't make sense why an SAP GRC consultant would also do an impact analysis before updating the ruleset.
Just out of curiosity, if the business do come to the SAP GRC consultant for advice on the update of a ruleset, and whether they can advise on it, should they answer back by pointing at the internal auditors?
My final point: can we just ignore the ruleset and not update it, as the transactions are already in our existing ruleset, which went live 6 months ago?
Many thanks for your advice, Alessandro.
Best regards,
K
Hi Kevin,
Just out of curiosity, if the business do come to the SAP GRC consultant for advice on the update of a ruleset, and whether they can advise on it, should they answer back by pointing at the internal auditors?
Your organisation needs to define the roles and responsibilities for managing risk (such as a RACI model). Define who maintains the ruleset, who executes the reports, who reviews them, etc.
My final point: can we just ignore the ruleset and not update it, as the transactions are already in our existing ruleset, which went live 6 months ago?
It's not a case of ignoring it or not. SAP provides the updates, and this is most likely when they identify new risks or changes to existing ones. This could be driven by:
The rule set is a starting point or guideline. Depending on what your company has done, your ruleset will be different, as it all depends on what you have implemented. You may have inherent system controls that remove the risk already and therefore do not need to report on it.
Really, you're not ignoring the update - you review it and determine if it is applicable to your system.
Regards
Colleen
Dear Kevin,
I am not sure whether you have checked the note:
http://service.sap.com/sap/support/notes/1960531
Attached to the note, you can find a summary of all changes, which gives you a clear statement of what has been changed.
Whether the change is a risk for your organization has to be decided by your business.
Hope this helps.
Regards,
Alessandro