Risk acknowledgment: Identify all the sensitive and high-risk transactions in the system, then classify them by risk as low, medium or high. Segregate the transactions that need to be centrally maintained (material master, customer master, vendor master). Also define the process for assigning and approving access for users who need the high-risk and master data transactions. Disable risks that are not relevant to your business.

Rule structure and substantiation: Review the rule set that comes out of the box. Most companies will be able to use the standard rule set from SAP GRC, but it needs to be updated with your custom transaction codes. If the standard rule set does not satisfy the requirement, a custom rule set can be built.

Examination: Estimate the amount of work needed to become compliant. Review the remediation effort required to fix roles and users. Add any missing SoD rules to the rule set.

Remediation / Mitigation: Determine the alternatives for changing the roles. Create a project plan to fix the transactions or authorization object values in the roles, and include time for testing and acceptance. Propose mitigating controls where remediation is not an option.

Continuous Compliance: Implement alerts for any risk introduced into the system. Put a change control process in place to prevent new risks from being introduced, and establish a process for always simulating risks in roles and users before changes are approved.
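The steps above reduce to a rule set, a role-to-transaction mapping and a simulation check. This added example (not code from the original post or from any product it names) implements that minimal SoD engine in Python on a constructed sample rule set; the function names, roles, users and control id are assumptions, and the transaction codes are illustrative.

```python
# Added example, not from the original post: a minimal SoD rule engine on constructed
# data. Business functions map to the transaction codes that perform them; a rule
# names two functions that one user must never hold together.
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},  # vendor master: centrally maintained
    "PAY_VENDOR": {"F-53", "F110"},
    "CREATE_PO": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
}
# (function A, function B, risk, active); inactive = disabled as not relevant.
RULES = [
    ("CREATE_VENDOR", "PAY_VENDOR", "high", True),
    ("CREATE_PO", "GOODS_RECEIPT", "medium", True),
    ("CREATE_PO", "PAY_VENDOR", "low", False),
]
ROLES = {"Z_AP_CLERK": {"F-53", "F110", "XK03"}, "Z_VENDOR_MAINT": {"XK01"},
         "Z_BUYER": {"ME21N"}, "Z_WAREHOUSE": {"MIGO"}}
USERS = {"alice": {"Z_AP_CLERK"}, "bob": {"Z_BUYER", "Z_WAREHOUSE"}}
# Approved mitigating controls, keyed by (user, function A, function B).
MITIGATIONS = {("bob", "CREATE_PO", "GOODS_RECEIPT"): "CTRL-017 monthly three-way-match review"}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

def user_tcodes(user):
    """All transaction codes a user reaches through assigned roles."""
    return set().union(*(ROLES[r] for r in USERS[user]))

def tcode_risk(tcode):
    """Classify one transaction: highest risk of any active rule involving it."""
    funcs = {f for f, codes in FUNCTIONS.items() if tcode in codes}
    levels = [r for a, b, r, on in RULES if on and (a in funcs or b in funcs)]
    return max(levels, key=RISK_ORDER.get, default="low")

def violations(tcodes):
    """Every active rule whose two functions are both reachable from tcodes."""
    out = []
    for a, b, risk, on in RULES:
        ta, tb = FUNCTIONS[a] & tcodes, FUNCTIONS[b] & tcodes
        if on and ta and tb:
            out.append((a, b, risk, sorted(ta | tb)))
    return out

def simulate(user, new_role):
    """Risks a proposed role assignment would introduce, checked before approval."""
    before = {v[:3] for v in violations(user_tcodes(user))}
    return [v for v in violations(user_tcodes(user) | ROLES[new_role]) if v[:3] not in before]

def unmitigated(user):
    """Open findings: the user's violations with no approved mitigating control."""
    return [v for v in violations(user_tcodes(user)) if (user, v[0], v[1]) not in MITIGATIONS]
```

Running `simulate("alice", "Z_VENDOR_MAINT")` flags the high-risk vendor-create/vendor-pay conflict before the role is granted, while `unmitigated("bob")` is empty because his medium-risk finding is covered by an approved control.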

OneAccess-UserManager also helps you manage the complex documenting, testing, process control, and sign-off requirements mandated by Sarbanes-Oxley sections 302, 404, and 409.

Selva Kumar

Vice President- SAP Practice

OneAccess-UserManager for SAP

SAP Certified-Powered by Netweaver

http://www.softsquare.biz/oneaccess/

selva@softsquare.biz

Phone: 1 877 717 5487

Automate and Meditate
