Customer Advisory Group

Think Big - Start Small - Work Smart with CAG

  • Home
  • About
    • Mission
  • Services
    • SAP & CAG Project Rise - Resilient Access Governance for the Transition to the Cloud
    • SAP Compliance Assessments and Roadmap Development
    • GRC - Access Control Implementations
    • GRC - Process Control Implementations
    • SAP Security Role Remediation and Re-design
    • GRC & Security Support Services (SmartSourcing)
    • SAP S/4 HANA Upgrade Services
    • Pathlock AVM Implementation Services
  • Testimonials
  • Events and Discounts
  • Contact Us
  • Blog
Let's Talk!

[email protected]

Call Toll Free: +1-888-477-4950

Our Blog

GRC Surprises

3/5/2014

This week I am giving one example of a customer who had unexpected audit findings on their existing GRC implementation. Many companies treat GRC as a one-time project. It is a journey, and it needs ongoing processes for regular maintenance and enhancement so that the rules stay aligned with changes in the business and in the technology deployed. In the absence of these processes, the customer's rules and procedures become outdated.
In this case, their external auditors identified insufficient rules for Segregation of Duties (SoD) and Critical Access monitoring. Some of the rules contained risks that were irrelevant to the business, and custom transactions and newly introduced transactions had never been reviewed or evaluated for inclusion in the rule set. In addition, there were instances in which users were reported with risks they did not actually have, because the standard rule set delivered by SAP had been put into use without adequate testing. Changes to the rules were neither documented nor justified.

The rule deficiency led the auditors to challenge the risk analysis itself, and the results proved unreliable in both directions: some risks were reported in error, while thousands of mitigating controls had been created against reported risks, many of which audit found to be bogus or not actually being executed. Because a risk with an assigned mitigating control drops out of the report, those controls were suppressing many legitimate risks.

Rule maintenance and mitigating-control management are two processes that appear on most audit checklists. So don't get surprised!
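The two findings above (custom transactions never evaluated by the rules, and mitigating controls that suppress legitimate risks) can be made concrete with a small SoD analysis. The following is an added illustration written for this post; it is not code from the original article and not SAP GRC Access Control's own logic. The function definitions, risk rules, users, roles and mitigating controls are constructed sample data (the transaction codes are SAP-style, but the rule set is invented), and the "as of" date is assumed to be the date of the post.

```python
"""Toy SoD analysis that re-surfaces risks hidden behind invalid mitigating controls.

Added illustration, not code from the original post and not SAP GRC's own algorithm.
Rules, users, transaction codes and controls below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple  # two business functions that conflict when one user has both


# Business function -> transaction codes that exercise it (constructed, not SAP's ruleset).
# Any transaction not listed here is invisible to the rules: it is never evaluated.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_PAYMENT": {"F110", "F-53"},
    "PO_CREATE": {"ME21N", "ME22N"},
    "GR_POST": {"MIGO"},
}

RULES = [
    Risk("P001", "Maintain vendor master and pay vendors", ("VENDOR_MAINTAIN", "VENDOR_PAYMENT")),
    Risk("P002", "Create purchase order and post goods receipt", ("PO_CREATE", "GR_POST")),
]


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    risk_id: str
    user: str
    valid_to: date
    last_executed: Optional[date]  # None = no evidence the control was ever performed


# Constructed sample users: user -> transaction codes granted through their roles.
SAMPLE_USERS = {
    "AP_CLERK1": {"XK01", "F110", "ME21N"},       # P001, control expired
    "AP_CLERK2": {"XK01", "F110"},                # P001, control valid and executed
    "BUYER1": {"ME21N", "MIGO", "ZME21_COPY"},    # P002, control never executed; Z-tcode unevaluated
    "AUDITOR1": {"FBL1N", "ZFI_REPORT"},          # no SoD risk; Z-tcode unevaluated
}

SAMPLE_CONTROLS = [
    MitigatingControl("MC001", "P001", "AP_CLERK1", date(2013, 12, 31), date(2013, 11, 15)),
    MitigatingControl("MC002", "P002", "BUYER1", date(2015, 12, 31), None),
    MitigatingControl("MC003", "P001", "AP_CLERK2", date(2014, 12, 31), date(2014, 2, 28)),
]

AS_OF = date(2014, 3, 5)  # assumed analysis date (the post's publication date)


def functions_for(tcodes):
    """Business functions a user can perform, given the transaction codes granted."""
    return {f for f, codes in FUNCTIONS.items() if tcodes & codes}


def raw_risks(tcodes):
    """Risk IDs triggered before any mitigation is applied."""
    funcs = functions_for(tcodes)
    return sorted(r.risk_id for r in RULES if set(r.functions) <= funcs)


def control_is_effective(ctrl, as_of):
    """A control may suppress a risk only if it is still valid and has execution evidence."""
    return ctrl.valid_to >= as_of and ctrl.last_executed is not None


def analyze(users, controls, as_of):
    """Per user: risks still reported, risks correctly suppressed, and risks wrongly suppressed.

    'suppressed_wrongly' is what a naive report hides: a control exists on paper, but it is
    expired or was never executed, so the underlying SoD conflict is real and unmitigated.
    """
    by_user_risk = {(c.user, c.risk_id): c for c in controls}
    result = {}
    for user, tcodes in users.items():
        reported, ok, wrong = [], [], []
        for rid in raw_risks(tcodes):
            ctrl = by_user_risk.get((user, rid))
            if ctrl is None:
                reported.append(rid)
            elif control_is_effective(ctrl, as_of):
                ok.append(rid)
            else:
                wrong.append(rid)
        result[user] = {"reported": reported, "suppressed_ok": ok, "suppressed_wrongly": wrong}
    return result


def uncovered_custom_tcodes(users):
    """Custom (Z*/Y*) transactions granted to users that no rule function references."""
    known = set().union(*FUNCTIONS.values())
    return sorted({t for codes in users.values() for t in codes if t[0] in "ZY" and t not in known})


if __name__ == "__main__":
    for user, res in analyze(SAMPLE_USERS, SAMPLE_CONTROLS, AS_OF).items():
        print(user, res)
    print("custom transactions never evaluated by the rules:", uncovered_custom_tcodes(SAMPLE_USERS))
```

The point of the split between "suppressed_ok" and "suppressed_wrongly" is that a report which only asks "is a control assigned?" would show AP_CLERK1 and BUYER1 as clean, exactly the situation the auditors found. Validity dates and execution evidence are what turn a mitigating control from a paper exercise into something an auditor will accept; the Z-transaction check is the companion test for whether the rule set has kept pace with custom development.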



2 Comments
Dina Shahin link
3/5/2014 05:41:49 pm

Great Blog, Gary!!!
It is also very important to be aware that a GRC system that is not properly maintained is more dangerous than having no GRC system at all BUT being aware of the risks one is facing!

Reply
Coycurrin R link
6/18/2016 12:40:47 am

Thank you for sharing this knowledge. Excellently written article. SAP GRC Online Training (http://www.ithubonlinetraining.com/sap-grc-online-training/)

Reply


    Authors

    Assorted Members of the CAG Team providing insightful information on current topics related to GRC, Security, and Audit.


Customer Advisory Group © 2022  All Rights Reserved