
GRC Audit activities

Former Member
0 Kudos

Hi All,

I am looking for the detailed activities that are involved in GRC Internal and External Audit ( SOX Audit ).

Any links or info. will be great.

Thanks in advance.

Rgds,

Raj.

Accepted Solutions (1)

Former Member
0 Kudos

Raj,

Below are the roles and responsibilities of the different people in an SAP GRC implementation (based on the reference given below).

1. Client Project Manager - responsible for coordinating communications, clarifying requirements and reviewing deliverables during the project

2. Business Team -- personnel responsible for protecting the integrity of the information and processes supported by SAP. BPOs are responsible for the following:

• Identifying risk and/or approving controls for monitoring risks

• Approving remediation to address user access issues in SAP

• Designing alternative controls to mitigate Segregation of Duty issues

• Communicating access assignments or role changes

• Providing documentation of desired workflow components (including approvers, conditions for workflow and rejections for each type of AE request)

3. Management Team -- approve or reject risks between business areas and approve mitigating controls for risks.

4. Security -- owners of the SOD management process and associated software products who facilitate decision making as well as alternative methods to manage SOD risks.

5. Business Process Analysts -- help security administrators define the technical rules for each business area for approved risk conditions and recommend alternatives to eliminate SOD risks in roles and user assignments.

6. Auditors -- perform risk assessments on a regular basis to identify new risks, perform periodic testing of rules and mitigating controls, and act as a liaison with external auditors.

7. Basis / DBA / Infrastructure - responsible for specifying the technical infrastructure components and selecting the systems to be included in the scope of the implementation. Completing the sizing requirements, hardware procurement, downloading and installing software.

8. CC Administrator - Responsible for the configuration and loading of master data and documentation of processes for users of the capability

9. AE Administrator - Responsible for the configuration and loading of master data and documentation of processes for users of the capability

10. FF Administrator - Responsible for the configuration and loading of master data and documentation of processes for users of the capability

11. RE Administrator - Responsible for the configuration and loading of master data and documentation of processes for users of the capability

Reference: SAP_GRC_52_Roles_and_responsibilities.doc from SAP Best Practices for Governance, Risk and Compliance-->SAP GRC Access Control Accelerators.

Thanks

Himadama

Former Member
0 Kudos

Thanks for the Info. Hima.

I am looking for the audit activities list.

Raj.

Answers (4)

Former Member
0 Kudos

Your external auditor will have the audit checklist for reviewing AC 5.x and AC 4.0.

Former Member
0 Kudos

Want to close it.

Former Member
0 Kudos

Hi Raj,

Well, in this case, I don't have a list as such. Will revert back in case I get one.

Ciao!!

Former Member
0 Kudos

Hello Raj,

Mainly, the audit checks how you have configured your GRC implementation for your organization. Broadly, to name a few, it will cover areas like:

1. The configuration that you have done and the mapping of your company processes in the same.

2. Checking that you have taken care of all the SODs and that the functions are defined in such a way that there are no conflicts within a process in your organization.

3. Looking for proper mitigation controls.

4. User access provisioning.

5. Risk mitigation and Alert monitoring should be properly defined and logs should show proper execution for the alerts.

Each of these and other such tasks can be drilled down to any level desired by the audit, to check the health and stability of your implementation against fraud and SOD violations.

Regards,

Hersh.
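Points 2 and 3 in the answer above (SoD conflicts across a user's combined roles, and whether a mitigating control is on file for each one) are the part of the audit that can be reproduced mechanically from the function-to-role mapping, the rule set and the user assignments. The script below is an added example for this thread, not SAP GRC code and not something any participant posted; every role, function, rule id, user id and control id in it is constructed for illustration. It flags conflicts with no control as audit exceptions and also lists "stale" controls, i.e. mitigations assigned for a rule that no longer fires for that user, which an auditor would expect to see reviewed or retired.

```python
"""SoD conflict check over user-role assignments, with mitigation coverage.

Added example for this thread; it is not SAP GRC code or anything posted
by the thread participants. Role names, function names, rule ids, user
ids and control ids are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the business functions each role grants (the function-to-role
# mapping an auditor would compare against the SoD rule set).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"VENDOR_MAINTAIN", "INVOICE_ENTRY"},
    "Z_AP_PAYMENT": {"PAYMENT_RUN"},
    "Z_GL_POST": {"JOURNAL_POST"},
    "Z_HR_PAYROLL": {"PAYROLL_RUN"},
}

# Constructed SoD rule set: pairs of functions one user must not hold together.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "P001": ("VENDOR_MAINTAIN", "PAYMENT_RUN"),
    "P002": ("INVOICE_ENTRY", "PAYMENT_RUN"),
    "F001": ("JOURNAL_POST", "PAYROLL_RUN"),
}

# Constructed user-to-role assignments and mitigating controls on file.
ASSIGNMENTS: Dict[str, List[str]] = {
    "jsmith": ["Z_AP_CLERK", "Z_AP_PAYMENT"],   # vendor + payment: P001, P002
    "mjones": ["Z_GL_POST", "Z_HR_PAYROLL"],    # F001, mitigated below
    "akumar": ["Z_AP_CLERK"],                   # no conflict
}
MITIGATIONS: Dict[str, Dict[str, str]] = {
    "mjones": {"F001": "MC-042"},   # control assigned for a real conflict
    "akumar": {"P001": "MC-007"},   # control for a conflict that does not fire
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    roles: Tuple[str, ...]       # roles that together grant the conflicting pair
    control_id: Optional[str]    # mitigating control on file, or None


def granted_functions(roles: List[str]) -> Set[str]:
    """Union of functions across a user's roles; unknown roles grant nothing."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def check_user(user: str, roles: List[str],
               mitigations: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one Finding per SoD rule the user's combined roles violate."""
    granted = granted_functions(roles)
    findings = []
    for rule_id, (fa, fb) in sorted(SOD_RULES.items()):
        if fa in granted and fb in granted:
            involved = tuple(sorted(r for r in roles
                                    if ROLE_FUNCTIONS.get(r, set()) & {fa, fb}))
            control = mitigations.get(user, {}).get(rule_id)
            findings.append(Finding(user, rule_id, involved, control))
    return findings


def audit_report(assignments: Dict[str, List[str]],
                 mitigations: Dict[str, Dict[str, str]]) -> Dict[str, list]:
    """Split results into audit exceptions, covered conflicts and stale controls.

    - 'violations': conflicts with no mitigating control (audit exceptions)
    - 'mitigated':  conflicts that a control on file covers
    - 'stale':      (user, rule, control) entries whose rule does not fire,
                    i.e. controls that should be reviewed or retired
    """
    findings = [f for u, r in sorted(assignments.items())
                for f in check_user(u, r, mitigations)]
    fired = {(f.user, f.rule_id) for f in findings}
    stale = [(u, rule, ctl) for u, ctls in sorted(mitigations.items())
             for rule, ctl in sorted(ctls.items()) if (u, rule) not in fired]
    return {
        "violations": [f for f in findings if f.control_id is None],
        "mitigated": [f for f in findings if f.control_id is not None],
        "stale": stale,
    }


if __name__ == "__main__":
    for section, items in audit_report(ASSIGNMENTS, MITIGATIONS).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run as-is it reports jsmith's two unmitigated AP conflicts as exceptions, mjones's F001 as covered by MC-042, and akumar's MC-007 as stale. The same three buckets map onto what an auditor asks for in point 5 of the answer: a conflict with no control is a finding, a covered conflict needs evidence that the control actually executed, and a stale control is a sign the mitigation register has drifted from the current role design.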

Former Member
0 Kudos

Hi Hersh,

Thanks for the reply.

The things you listed are features of the GRC tools.

I am looking for the complete audit checklist kind of information, if it is available (web link).

Thanks,

Raj.