the 5 most astonishing mistakes made during grc projects in sap environments
DESCRIPTION
In this entertaining presentation, read about the five most common mistakes people make during GRC projects in SAP environments. In the world of GRC and SOX regulations, organizations must work very hard and efficiently to keep their systems clean from violations. With Xpandion's With ProfileTailor Dynamics GRC, you can identify and solve existing violations, be notified when a new violation occurs, and keep your status clean with ongoing processes.TRANSCRIPT
5 Astonishing Mistakes Made
During GRC Projects
in SAP Environments
Created by Xpandion
SAP® is a registered trademark of SAP AG in Germany and in several other countries
Moshe Panzer CEO, Xpandion
Author
Xpandion has software to quickly maintain GRC
Prevent fraud, save costs, quickly ensure SoD/SOX compliance.
•Automate in-house and outsourced auditing tasks. •Receive alerts about unusual activities. •Prevent security breaches, fraud and leakage of information. •Save an average of 30% on auditing costs. •Ensure a successful audit.
Get a free demonstration of Xpandion’s ProfileTailor GRC software to see what makes Xpandion different.
Mistake #1: The focus is on compensating controls, not
on eliminating risk.
People don’t want to solve SoD conflicts either because they fear upsetting the
user, or because they don’t want to pay for external consultants.
Focusing on compensating
controls may be “more comfortable” but it doesn’t solve
risk.
The solution: Focus on solving the risks. Arm yourself with management support, GRC auditors and good
consultants – but don’t be tempted to add compensating controls too quickly. Each control should be inspected
first and then regularly inspected to ensure it’s still valid.
Mistake #2: Only Risk
Assessment Managers &
Auditors care about
eliminating GRC risks.
GRC is a good thing. Its purpose is to
decrease fraud and improve business
processes. But, most people hate dealing
with it. In the case of SOX compliance,
many remove Power Users right before the audit and put them back right
after. Anything to just get through.
Shocking.
The solution: Get organized and gain management support
by working your way up the GRC project ladder.
Step 1: SoD inspection Step 2: Narrow Power
User authorizations Step 3: Track sensitive
activities usage Step 4: Implement one-step emergency access process with auditing
reports Step 5: Implement
authorization-request process
Mistake #3: After go-live,
own developments
are not treated
properly.
Most people set groups of activities in the initial GRC project implementation and do not maintain them regularly, typically
because they’ve forgotten about them.
This results in potential hidden violations to Segregation of Duties rules.
The solution: Make it clear to management that the GRC project won’t be over at
go-live as someone needs to keep an eye on the configuration, including enhancing the rule-sets according to new developments.
It’s vital to add and update groups of activities over time. Use alerting software and get an alert when new objects appear in
production. Then update the rule-set accordingly. Find out about Xpandion’s alerting software.
Mistake #4: Getting a GRC solution “for free”
without inspecting implementation and maintenance costs.
Getting a “free” GRC solution and not
considering implementation time
and overall costs is like getting a free, huge
truck with two 48 ft. trailers and forgetting
its outrageous fuel consumption and
maintenance costs. It’s an expensive toy for
handling regular tasks, and it could take a year
and cost a fortune to even get it to your
garage.
The solution: It needs to be
mentioned that GRC project costs are
comprised much more by implementation and maintenance costs than on the initial purchase.
See for yourself by asking those that chose “free” GRC solutions what the total costs of
their projects were.
Ask Xpandion about cost effective GRC
solutions. You will be surprised.
Mistake #5: The need for many, many SoD rules.
People think that because their company is large, its rule-set should include 1,000 or even 10,000 SoD rules. Not so. This
creates the need for never-ending consulting and maintenance work and decreases the chance of finishing a successful SoD
project on time.
The solution: Usually, only about 60 effective SoD rules are needed.
If managed properly, the main business processes are not so different between large and small enterprises. So, if SoD rules are
defined well, they shouldn’t grow even if the company does.
Get Xpandion’s software to control
GRC.
Click here for a demo