This week I am giving one example of a customer who had unexpected audit findings on their existing GRC implementation. Many companies treat their GRC journey like a project. However, it is a journey, and it needs ongoing processes that provide regular maintenance and enhancements to keep it aligned with changes in the business and in technology deployment. In the absence of these ongoing processes, the customer's rules and procedures can become outdated.
In this case, their external auditors identified insufficient rules for Segregation of Duties and Critical Access monitoring. Some of the rules contained irrelevant risks, and in other cases custom transactions and new transactions had not been reviewed or evaluated for relevance. In addition, there were instances where users were shown with risks that were not correct: the standard rule set delivered by SAP had not been adequately tested, and changes to it were not documented or justified.
The rule deficiency led the auditors to challenge the analysis, and they found erroneous results: some risks were being erroneously reported. In addition, thousands of mitigating controls had been created for risks, and many of these were found by audit to be bogus or not being executed. Those mitigating controls were suppressing many legitimate risks from the reports.
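As an added illustration, not code from the customer or from SAP GRC, the constructed Python sketch below shows the two failure modes described above: custom transactions that no rule covers are flagged for review, and a mitigating control only suppresses a risk when it is active and has a documented recent execution. The rule, transaction codes, control ids, users and dates are assumed sample values.

```python
"""Toy SoD analysis illustrating two audit findings:
(1) custom transactions that no rule covers are flagged for review, and
(2) a mitigating control only suppresses a risk if it is active and has
    been executed recently. All data below is constructed for illustration."""
from datetime import date

# Constructed SoD rule set: risk id -> (description, tuple of conflicting function sets)
RULES = {
    "P001": ("Create vendor and pay vendor", ({"FK01", "XK01"}, {"F110"})),
}

# Constructed mitigating controls: control id -> (risk id, active, last execution date)
CONTROLS = {
    "MC-01": ("P001", True, date(2024, 1, 5)),   # executed recently
    "MC-02": ("P001", True, None),               # never executed: a "bogus" control
}
TODAY = date(2024, 1, 31)  # assumed analysis date

def control_is_valid(control, today, max_age_days=90):
    """A control counts only if active and executed within max_age_days."""
    risk_id, active, last_run = control
    return active and last_run is not None and (today - last_run).days <= max_age_days

def analyze(users, today, max_age_days=90):
    """users: {user: {"tcodes": set, "mitigations": [control ids]}}
    Returns {user: {"risks": [...], "suppressed": [...], "unmapped": [...]}}."""
    covered = {t for _, sets in RULES.values() for s in sets for t in s}
    report = {}
    for user, data in users.items():
        risks, suppressed = [], []
        for risk_id, (_, sets) in RULES.items():
            if all(data["tcodes"] & s for s in sets):   # user holds every conflicting function
                valid = [c for c in data.get("mitigations", [])
                         if c in CONTROLS and CONTROLS[c][0] == risk_id
                         and control_is_valid(CONTROLS[c], today, max_age_days)]
                (suppressed if valid else risks).append(risk_id)
        # Custom transactions (Z*/Y* by SAP naming convention, assumed here) not in any rule
        unmapped = sorted(t for t in data["tcodes"] if t[0] in "ZY" and t not in covered)
        report[user] = {"risks": risks, "suppressed": suppressed, "unmapped": unmapped}
    return report

USERS = {
    "alice": {"tcodes": {"FK01", "F110"}, "mitigations": ["MC-01"]},
    "bob":   {"tcodes": {"XK01", "F110", "ZPAY"}, "mitigations": ["MC-02"]},
}

if __name__ == "__main__":
    for user, r in analyze(USERS, TODAY).items():
        print(user, r)
```

Bob's risk stays visible because MC-02 has no execution record, and his custom transaction ZPAY is reported as unmapped so it can be evaluated for relevance.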
Rule maintenance and mitigating control maintenance are two processes found on most audit checklists. So don't get surprised!