Question Re: Reports Tab - Mitigation Controls - GRC in Additional Q&A

Reports Tab - Mitigation Controls - GRC

Former Member — Sun, 02 Nov 2014 03:09:40 GMT

Dear GRC Experts,

Need some details about Mitigation Controls.

When creating Mitigation Controls, we will mention below details.

Risk ID

Mitigation Monitor and Mitigation Approver details

Frequency

Reports

As per my knowledge under REPORTS tab we will maintain a report name which need to be executed by Mitigation monitor within the frequency set in the mitigation control.

If monitor doesn't run this report in specified frequency, we can schedule Alert generation job which sends alerts to the monitor about it.

My Queries:

1. On what basis these reports are derived? Are these reports, standard or customized reports? Can someone give me an easy example to understand the purpose of the Report maintained in REPORTS tab.

2. When monitor executes theses reports what information is shown to them? On basis of that what is the understanding for the monitor?

Please help me to understand these details.

Thanks in advance

~ Madan

Re: Reports Tab - Mitigation Controls - GRC

Former Member — Sun, 02 Nov 2014 05:44:17 GMT

H Madan,

Yes youare right about the report tab usage.

Mitigation monitor is sole responsible yo keep checking whether or not the mitigation is being performed. This monitoring can be done either manually or by scheduling the alert generation.

Reports which are maintained in reports tab of mitigating control, will trigger an e-mail to the Mitigation approver if control monitor does not run that report with in the frequency mentioned.

Alerts can be set through the program mentioned below by executing the Tcode GRAC_ALERT_GENERATE.

You can refer to:

And these reports are standard ones.

Let us know for any more concerns.

Regards,

Ameet

Re: Reports Tab - Mitigation Controls - GRC

Former Member — Sun, 02 Nov 2014 10:42:56 GMT

Hi Ameet,

Thanks for the details. I understand the functionality of Mitigation Controls, Reports and how alerts will be generated.

But how does I map a report to a risk ?

Generally Risk is combination of Functions and Function is combination of actions and permissions.

So, Report which we mention under reports tab while creating mitigation control what information does that provide to control monitor and this report is it linked to Action in the functions?

When monitor executes them what details will be shown to them?

~ Madan

Re: Reports Tab - Mitigation Controls - GRC

madhusap — Mon, 03 Nov 2014 07:15:08 GMT

Hi Madan,

I will give you details about the reports with one example of Mitigation control we are using.

Access Controls is used as a documental tool for Mitigating Controls, rather than a implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system etc.

Action is for the t-code of the SAP Report. A brief explanation below will help in understanding

If you have a mitigation control that Mr. Z will run X report using Y t-code on a frequent basis of monthly or quarterly and reviews the report.

Then you need to give that Report name- X, in Action - Y T-code and frequency as Monthly/Quarterly. This helps for the system to check if the t-code has been executed or not in that frequency by the Monitor and generates an Alert [based on alert generation configuration]. If the monitor doesn't execute the action in backend in the set frequency, we will find an alert in Alert monitor- control monitoring, but if the monitor executes the action we will NOT get alert.

The role of Monitor is to see whether everything that was risky from the access being mitigated is fine or not. That is, he/she would see to it that the user who has been given extra excess or conflicting access has not mis-used it. Every Mitigation control, for this purpose has a Monitor attached to it who does this job.

Action - This is some tcode a monitor has to execute in backend to see that reports.

E.g. if someone is doing check payment entry(risk), and mitigation is done for a user/role, there must be a tcode where we can check what payments are made( sorry I am not well versed in FI Tcodes) , this tcode will be put in action tab and monitor will have to check it via that particular tcode.

Frequency is simply what the period you want to set within which a monitor must perform this activity - say one week or one month.

If a monitor doesn’t execute that action/tcode within that time, an alert will be generated and mail will be triggered to mitigation approver (indicating that supposed task is not being performed).

Example:

We have a mitigation control defined for Risk " To check if a user has created a fictituous GL account and generated Journal activity via positing entries".

So, we are giving this access to some of the users by defining a control on top of it.

So, our monitor will run the report everyday using the report for G/L accounts change log Tcode as mentioned in the control.

So, the Tcodes which we mention under ACTION field under reports tab actually depends on what are you trying to monitor if that access risk access is given to any user. This action which we mention can be standard ones or Customized reports.

Let me know if you have more queries about this.

Regards,

Madhu.

Re: Reports Tab - Mitigation Controls - GRC

Former Member — Mon, 03 Nov 2014 10:27:30 GMT

Hi Madhu,

Thanks for detailed explanation.

So shall I consider that "Reports" are not standard SAP reports alone which are maintained under mitigation control and these reports actually depend on the control objective of your mitigation control.

So I understood that maintaining REPORTS is optional.

Even if maintain it is just for documenting and auditing purpose.

So, if I have 100 mitigation controls, then may be I need to internally discuss with my Functional consultant and Business in understanding the objective of defining a control for that risk and if there is any standard report to monitor that risk or getting customized report created for it.

Correct me if my understanding is incorrect.

Once again thanks for detailed explanation.

~ Madan

Re: Reports Tab - Mitigation Controls - GRC

Former Member — Wed, 12 Nov 2014 23:13:29 GMT

Hi Madan

I agree with all the comments above, just a small addition;

The trick is to have mitigating controls which are as effective as possible. Its about quality, not quantity.

Some questions which need to be asked when creating / assigning mitigating controls:

Which control mitigates the risk better than others ? Is this control activity currently being performed ? Has this control been tested in the past by Internal Audit / External Audit ? Is this control due to mitigate a high / critical risk ?

The last thing you want, is to be over-controlled in some areas which are not considered a high and/or critical risk areas by the business.

Regards

Sam