5 Astonishing Mistakes Made

During GRC Projects

in SAP Environments

Created by Xpandion

SAP® is a registered trademark of SAP AG in Germany and in several other countries

Moshe Panzer CEO, Xpandion

Author

Xpandion has software to quickly maintain GRC

Prevent fraud, save costs, quickly ensure SoD/SOX compliance.

•Automate in-house and outsourced auditing tasks. •Receive alerts about unusual activities. •Prevent security breaches, fraud and leakage of information. •Save an average of 30% on auditing costs. •Ensure a successful audit.

Get a free demonstration of Xpandion’s ProfileTailor GRC software to see what makes Xpandion different.

Mistake #1: The focus is on compensating controls, not

on eliminating risk.

People don’t want to solve SoD conflicts either because they fear upsetting the

user, or because they don’t want to pay for external consultants.

Focusing on compensating

controls may be “more comfortable” but it doesn’t solve

risk.

The solution: Focus on solving the risks. Arm yourself with management support, GRC auditors and good

consultants – but don’t be tempted to add compensating controls too quickly. Each control should be inspected

first and then regularly inspected to ensure it’s still valid.

Mistake #2: Only Risk

Assessment Managers &

Auditors care about

eliminating GRC risks.

GRC is a good thing. Its purpose is to

decrease fraud and improve business

processes. But, most people hate dealing

with it. In the case of SOX compliance,

many remove Power Users right before the audit and put them back right

after. Anything to just get through.

Shocking.

The solution: Get organized and gain management support

by working your way up the GRC project ladder.

Step 1: SoD inspection Step 2: Narrow Power

User authorizations Step 3: Track sensitive

activities usage Step 4: Implement one-step emergency access process with auditing

reports Step 5: Implement

authorization-request process

Mistake #3: After go-live,

own developments

are not treated

properly.

Most people set groups of activities in the initial GRC project implementation and do not maintain them regularly, typically

because they’ve forgotten about them.

This results in potential hidden violations to Segregation of Duties rules.

The solution: Make it clear to management that the GRC project won’t be over at

go-live as someone needs to keep an eye on the configuration, including enhancing the rule-sets according to new developments.

It’s vital to add and update groups of activities over time. Use alerting software and get an alert when new objects appear in

production. Then update the rule-set accordingly. Find out about Xpandion’s alerting software.

Mistake #4: Getting a GRC solution “for free”

without inspecting implementation and maintenance costs.

Getting a “free” GRC solution and not

considering implementation time

and overall costs is like getting a free, huge

truck with two 48 ft. trailers and forgetting

its outrageous fuel consumption and

maintenance costs. It’s an expensive toy for

handling regular tasks, and it could take a year

and cost a fortune to even get it to your

garage.

The solution: It needs to be

mentioned that GRC project costs are

comprised much more by implementation and maintenance costs than on the initial purchase.

See for yourself by asking those that chose “free” GRC solutions what the total costs of

their projects were.

Ask Xpandion about cost effective GRC

solutions. You will be surprised.

Mistake #5: The need for many, many SoD rules.

People think that because their company is large, its rule-set should include 1,000 or even 10,000 SoD rules. Not so. This

creates the need for never-ending consulting and maintenance work and decreases the chance of finishing a successful SoD

project on time.

The solution: Usually, only about 60 effective SoD rules are needed.

If managed properly, the main business processes are not so different between large and small enterprises. So, if SoD rules are

defined well, they shouldn’t grow even if the company does.

Get Xpandion’s software to control

GRC.

Click here for a demo