In this case, their external auditors identified insufficient rules for Segregation of Duties and Critical Access monitoring. Some of the rules contained irrelevant risks, and in other cases custom transactions and newly introduced transactions had never been reviewed or evaluated for relevance. In addition, there were instances where users were reported with risks that did not actually apply to them. In these cases the standard rule set delivered by SAP had not been adequately tested, and changes to it were neither documented nor justified.
The rule deficiencies led the auditors to challenge the analysis itself, and on inspection they found erroneous results: some risks were being reported that did not exist, while others were missed. In addition, thousands of mitigating controls had been created against risks. Audit found many of these to be bogus or not actually being executed, yet they were still suppressing legitimate risks from the reports.
Rule Maintenance and Mitigating Control processes are two items that appear on most audit checklists. So don't be surprised!
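To make the two findings above concrete, here is an added example (not SAP's rule set and not code from the original post) of a minimal segregation-of-duties check. It shows the two mechanisms the auditors complained about: a custom transaction (the constructed `ZVEND01`) that performs a sensitive function but is referenced by no rule, so the user holding it never shows a conflict; and a mitigating control that is expired and has no execution evidence, which a naive implementation would still let suppress the risk. All rule IDs, transaction codes, user names, dates and the `max_age_days` threshold are constructed assumptions for illustration.

```python
"""Added example: scoped SoD analysis with effectiveness checks on mitigating controls.
Constructed sample data; rule IDs and control IDs are not SAP's."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SoDRule:
    """A risk is a conflict between two functions, each a set of transaction codes."""
    risk_id: str
    description: str
    function_a: frozenset
    function_b: frozenset


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    risk_id: str
    users: frozenset              # scoped to named users, never global
    valid_until: date
    last_executed: Optional[date]  # evidence that the control actually ran


# Constructed rule set: two common conflicts.
SAMPLE_RULES = [
    SoDRule("P001", "Create vendor and pay vendor",
            frozenset({"FK01", "XK01"}), frozenset({"F110", "F-53"})),
    SoDRule("B002", "Maintain user and assign roles",
            frozenset({"SU01"}), frozenset({"PFCG"})),
]

# Constructed assignments. ZVEND01 is a hypothetical custom transaction that
# creates vendors but was never added to any rule, so bob's conflict is invisible.
SAMPLE_ASSIGNMENTS = {
    "alice": {"FK01", "F110", "ME21N"},
    "bob": {"ZVEND01", "F110"},
    "carol": {"SU01", "PFCG"},
    "dave": {"MM03"},
}

# Constructed controls: MC-100 is valid and recently executed; MC-200 is expired
# and has never been executed, so it must not suppress carol's risk.
SAMPLE_CONTROLS = [
    MitigatingControl("MC-100", "P001", frozenset({"alice"}), date(2025, 12, 31), date(2024, 6, 30)),
    MitigatingControl("MC-200", "B002", frozenset({"carol"}), date(2023, 1, 31), None),
]

AS_OF = date(2024, 9, 1)  # constructed analysis date


def find_violations(rules, assignments):
    """Return {(user, risk_id)} for users holding transactions on both sides of a rule."""
    hits = set()
    for user, tcodes in assignments.items():
        for rule in rules:
            if tcodes & rule.function_a and tcodes & rule.function_b:
                hits.add((user, rule.risk_id))
    return hits


def uncovered_custom_transactions(rules, assignments):
    """Assigned custom (Z*/Y*) transactions that no rule references: the review backlog."""
    covered = set()
    for rule in rules:
        covered |= rule.function_a | rule.function_b
    assigned = set().union(*assignments.values())
    return sorted(t for t in assigned - covered if t.startswith(("Z", "Y")))


def control_is_effective(ctrl, user, as_of, max_age_days=365):
    """A control only counts if it is scoped to the user, unexpired, and has run recently."""
    return (user in ctrl.users
            and ctrl.valid_until >= as_of
            and ctrl.last_executed is not None
            and (as_of - ctrl.last_executed).days <= max_age_days)


def apply_mitigations(violations, controls, as_of):
    """Split violations into mitigated and open; also list controls that failed their checks."""
    mitigated, still_open, ineffective = set(), set(), set()
    for user, risk in violations:
        matching = [c for c in controls if c.risk_id == risk and user in c.users]
        effective = [c for c in matching if control_is_effective(c, user, as_of)]
        if effective:
            mitigated.add((user, risk, effective[0].control_id))
        else:
            still_open.add((user, risk))
            ineffective.update(c.control_id for c in matching)
    return mitigated, still_open, ineffective


if __name__ == "__main__":
    violations = find_violations(SAMPLE_RULES, SAMPLE_ASSIGNMENTS)
    print("violations:", violations)
    print("custom transactions not covered by any rule:", uncovered_custom_transactions(SAMPLE_RULES, SAMPLE_ASSIGNMENTS))
    print("mitigated / open / ineffective controls:", apply_mitigations(violations, SAMPLE_CONTROLS, AS_OF))
```

The point of `control_is_effective` is that a mitigating control is a claim, not a fact: it only earns the right to suppress a finding if it is scoped to a specific user, still within its validity period, and has evidence of execution within a defined window. Running `uncovered_custom_transactions` as part of transport or change review is the cheap way to catch the "custom transactions never evaluated" finding before the auditors do.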