<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: SoD Mitigation Controls design in Application Development and Automation Discussions</title>
    <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990826#M1803232</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jose,&lt;/P&gt;&lt;P&gt;We are not live yet (SP12), but I have been running some of the standard reports in our test system, and both the Mitigation Control report and the Mitigated Objects report seem to be adequate and appear to report our mitigations accurately. What were your auditors looking for that is not included in those standard reports? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Gretchen &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 31 Jan 2014 21:10:46 GMT</pubDate>
    <dc:creator>Former Member</dc:creator>
    <dc:date>2014-01-31T21:10:46Z</dc:date>
    <item>
      <title>SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990825#M1803231</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dear all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm responsible for the design of the Segregation of Duties matrix in our company. I have already built the matrix, and it has also been reviewed by our external auditors.&lt;/P&gt;&lt;P&gt;The problem that I'm facing at the moment is the reports to support the mitigation controls. We had a discussion with our internal IS developers and apparently the effort to build such reports will be too expensive, therefore I need to come up with some alternative.&lt;/P&gt;&lt;P&gt;My first thoughts were to redesign the mitigation controls, but again I'm not very familiar with the available reports in the ERP.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Is there anyone who could give me some tips on mitigation controls that somehow use standard reports from SAP? Any suggestion is very much appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The SoD risk matrix covers all areas: FICO, MM, PM, PS, CRM, SRM...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks a lot.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 28 Jan 2014 09:27:55 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990825#M1803231</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2014-01-28T09:27:55Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990826#M1803232</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jose,&lt;/P&gt;&lt;P&gt;We are not live yet (SP12), but I have been running some of the standard reports in our test system, and both the Mitigation Control report and the Mitigated Objects report seem to be adequate and appear to report our mitigations accurately. What were your auditors looking for that is not included in those standard reports? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Gretchen &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 31 Jan 2014 21:10:46 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990826#M1803232</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2014-01-31T21:10:46Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990827#M1803233</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dear Gretchen,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As I said, I'm not very familiar with the standard reports in ECC. I had a discussion with our external auditors and they suggested running some reports from the tables in ABAP, but the problem is that those reports are not very friendly, especially considering that the Business Manager would then be running and checking them.&lt;/P&gt;&lt;P&gt;Would you be able to provide me with a list of standard reports, so I can review it and check if it helps?&lt;/P&gt;&lt;P&gt;Appreciate it.&lt;/P&gt;&lt;P&gt;Thank you very much,&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;P&gt;Marcos &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt; &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 03 Feb 2014 08:04:12 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990827#M1803233</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2014-02-03T08:04:12Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990828#M1803234</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jose,&lt;/P&gt;&lt;P&gt;Can you share what kind of reports you are looking for from an SRM perspective, and would you be able to create a custom report by using "joins" to combine data from multiple tables?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 03 Feb 2014 10:05:29 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990828#M1803234</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2014-02-03T10:05:29Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990829#M1803235</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dear Marcos,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do you need SAP GRC reports, or standard SAP ECC reports to be used for monitoring of mitigating controls?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The easiest way to get a standard report from SAP is just to go through the report tree or get them with descriptions from the TSTC table. From a practical perspective, we normally ask the business to provide the respective reports for each control... not sure what input you exactly need...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best regards, Andrzej&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 03 Feb 2014 10:10:17 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990829#M1803235</guid>
      <dc:creator>AndrzejP</dc:creator>
      <dc:date>2014-02-03T10:10:17Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990830#M1803236</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jose,&lt;/P&gt;&lt;P&gt;You have lost me completely. I thought you were asking about reports in GRC; if you need help with reports in ECC, this may not be the best forum for such discussions. GRC reports are right where you would expect them to be, on the Reports and Analytics tab.&lt;/P&gt;&lt;P&gt;Good luck,&lt;/P&gt;&lt;P&gt;Gretchen&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 03 Feb 2014 13:27:45 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990830#M1803236</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2014-02-03T13:27:45Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990831#M1803237</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you everyone for your input and help. I guess I confused you all with my question.&lt;/P&gt;&lt;P&gt;I need reports that can support us to monitor the controls we have designed.&lt;/P&gt;&lt;P&gt;For example, we have a SoD risk with Vendor master data maintenance and Posting vendor invoice. For this risk, our designed control is to review the vendor master data change report and validate that all changes in the Bank account fields are correct.&lt;/P&gt;&lt;P&gt;Thank you anyway for your help,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Marcos&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 03 Feb 2014 13:36:45 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990831#M1803237</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2014-02-03T13:36:45Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990832#M1803238</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;implement process controls (GRC PC) and give link mitigating controls report to the controls in PC, than ECC reports&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 03 Feb 2014 13:44:51 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990832#M1803238</guid>
      <dc:creator>naveen_alluru</dc:creator>
      <dc:date>2014-02-03T13:44:51Z</dc:date>
    </item>
    <item>
      <title>Re: SoD Mitigation Controls design</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990833#M1803239</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jose,&lt;/P&gt;&lt;P&gt;Ahh, *now* your question makes sense. In my humble opinion, the business in this scenario is trying to dodge their responsibility. The business must own their mitigations. If they think that they can mitigate an SOD risk with a monitoring report, it is their responsibility to work with their functional experts to identify which report would be suitable. In my experience, GRC implementers are not expected to be experts in reporting in every ECC module; some of us have some functional experience in a module, but many do not. As Andrzej mentioned, many standard SAP reports are on report trees, and the functional experts from FI/CO, MM, etc., should know which ones could be used to monitor their processes. They would also know which custom reports were already created.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Good luck!&lt;/P&gt;&lt;P&gt;Gretchen&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 03 Feb 2014 14:05:59 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/sod-mitigation-controls-design/m-p/9990833#M1803239</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2014-02-03T14:05:59Z</dc:date>
    </item>
  </channel>
</rss>

