The 5 Most Astonishing Mistakes Made During GRC Projects in SAP Environments
Created by Xpandion
SAP® is a registered trademark of SAP AG in Germany and in several other countries
Author: Moshe Panzer, CEO, Xpandion
Xpandion has software to quickly maintain GRC
Prevent fraud, save costs, quickly ensure SoD/SOX compliance.
• Automate in-house and outsourced auditing tasks.
• Receive alerts about unusual activities.
• Prevent security breaches, fraud and leakage of information.
• Save an average of 30% on auditing costs.
• Ensure a successful audit.
Get a free demonstration of Xpandion’s ProfileTailor GRC software to see what makes Xpandion different.
Mistake #1: The focus is on compensating controls, not on eliminating risk.
People don’t want to solve SoD conflicts, either because they fear upsetting the user or because they don’t want to pay for external consultants. Focusing on compensating controls may be “more comfortable”, but it doesn’t solve the risk.
The solution: Focus on solving the risks. Arm yourself with management support, GRC auditors and good consultants – but don’t be tempted to add compensating controls too quickly. Each control should be inspected before it is adopted, and then re-inspected regularly to ensure it’s still valid.
Mistake #2: Only Risk Assessment Managers & Auditors care about eliminating GRC risks.
GRC is a good thing. Its purpose is to decrease fraud and improve business processes. But most people hate dealing with it. In the case of SOX compliance, many remove Power Users right before the audit and put them back right after. Anything to just get through.
Shocking.
The solution: Get organized and gain management support by working your way up the GRC project ladder.
Step 1: SoD inspection
Step 2: Narrow Power User authorizations
Step 3: Track sensitive activities usage
Step 4: Implement a one-step emergency access process with auditing reports
Step 5: Implement an authorization-request process
Mistake #3: After go-live, own developments are not treated properly.
Most people set up groups of activities during the initial GRC project implementation and do not maintain them regularly, typically because they’ve forgotten about them. This results in potential hidden violations of Segregation of Duties rules.
The solution: Make it clear to management that the GRC project won’t be over at
go-live as someone needs to keep an eye on the configuration, including enhancing the rule-sets according to new developments.
It’s vital to add and update groups of activities over time. Use alerting software and get an alert when new objects appear in
production. Then update the rule-set accordingly. Find out about Xpandion’s alerting software.
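To make the hidden-violation problem concrete, here is a small added example (not Xpandion's code, and not a real SAP rule-set): SoD rules are expressed between activity groups, each group maps to transaction codes, and a custom copy of a transaction that was never added to a group slips past every rule. The transaction codes, the placeholder custom transaction ZXK01 and the user extract are all constructed sample data.

```python
"""Toy SoD check over an SAP-style user/transaction extract (constructed sample data)."""

# Activity groups: business activity -> transaction codes that perform it.
# Constructed sample mapping, not a real rule-set.
ACTIVITY_GROUPS = {
    "maintain_vendor": {"XK01", "XK02", "FK01"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "release_payment": {"F110"},
}

# SoD rules: pairs of activities a single user must not hold together.
SOD_RULES = [
    ("maintain_vendor", "post_vendor_invoice"),
    ("maintain_vendor", "release_payment"),
]


def activities_of(tcodes):
    """Map a user's transaction codes to the activity groups they cover."""
    return {act for act, group in ACTIVITY_GROUPS.items() if tcodes & group}


def unmapped(tcodes):
    """Transactions in no activity group: an own development (Z*) here is a rule-set blind spot."""
    mapped = set().union(*ACTIVITY_GROUPS.values())
    return sorted(tcodes - mapped)


def sod_violations(user_tcodes):
    """Return {user: [(activity_a, activity_b), ...]} for every rule the user's activities break."""
    result = {}
    for user, tcodes in user_tcodes.items():
        acts = activities_of(tcodes)
        hits = [rule for rule in SOD_RULES if rule[0] in acts and rule[1] in acts]
        if hits:
            result[user] = hits
    return result


def blind_spots(user_tcodes):
    """Return {user: [unmapped tcodes]} so the activity groups can be extended after go-live."""
    return {u: unmapped(t) for u, t in user_tcodes.items() if unmapped(t)}


# Constructed extract: ZXK01 is a hypothetical custom copy of XK01 (vendor maintenance)
# that went to production without being added to the "maintain_vendor" group.
SAMPLE_EXTRACT = {
    "ALICE": {"XK01", "FB60"},   # classic conflict, caught by the rule-set
    "BOB": {"ZXK01", "FB60"},    # same business risk, but invisible to the rule-set
    "CAROL": {"F110"},           # no conflict
}

if __name__ == "__main__":
    print(sod_violations(SAMPLE_EXTRACT))  # ALICE only; BOB is missed
    print(blind_spots(SAMPLE_EXTRACT))     # BOB: ['ZXK01'] -> add it to a group and re-run
```

Once ZXK01 is added to the `maintain_vendor` group, the same extract reports BOB as well, which is the "update the rule-set accordingly" step in code.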
Mistake #4: Getting a GRC solution “for free” without inspecting implementation and maintenance costs.
Getting a “free” GRC solution without considering implementation time and overall costs is like getting a free, huge truck with two 48 ft. trailers and forgetting its outrageous fuel consumption and maintenance costs. It’s an expensive toy for handling regular tasks, and it could take a year and cost a fortune to even get it to your garage.
The solution: Keep in mind that GRC project costs are driven far more by implementation and maintenance than by the initial purchase. See for yourself by asking those who chose “free” GRC solutions what the total costs of their projects were.
Ask Xpandion about cost-effective GRC solutions. You will be surprised.
Mistake #5: The need for many, many SoD rules.
People think that because their company is large, its rule-set should include 1,000 or even 10,000 SoD rules. Not so. This creates the need for never-ending consulting and maintenance work and decreases the chance of finishing a successful SoD project on time.
The solution: Usually, only about 60 effective SoD rules are needed. If managed properly, the main business processes are not so different between large and small enterprises. So, if SoD rules are defined well, they shouldn’t grow even if the company does.
Get Xpandion’s software to control GRC.
Click here for a demo