on 2024 Feb 21 10:48 PM
The significant risks are those which allow access to infotype DIGITS (bank details) incompatible with PA30 (or other transactions) on infotypes DIGITS (basic pay), 14 (Recurring Payments/Deductions) or 15 (Additional Payments).
However, according to the GRC matrix, and just as an example, in one composite role access to infotype DIGITS (or DIGITS) – function MAJ4 – is a risk (H010) if it is associated with transaction PA62 (function MAJ2).
So why is PA62 associated with infotype DIGITS or DIGITS included in the GRC ruleset as a risk, while for our business it is considered not to be a risk? Could you confirm and explain why SAP (GRC) treats this as a risk?
Best practices for controls state that the company's environment is the primary consideration for establishing controls. This is the same for Segregation of Duty rules.
We provide a set of rules that we have found hit the majority of global requirements for the basic processes: Finance, Procure to Pay, Order to Cash, etc. Special rules have been provided for other specialty areas by working with partners and customers for CRM, HR, and ECC, S/4, etc. The whole purpose is to provide our customers a solid starter set rather than building rules from scratch. The delivered ruleset is meant to cover the major risk areas present in the majority of customers.
The time the company spends should go into making sure the risks are appropriate for its implementation of SAP and into adding related custom transactions, rather than starting from scratch. You can modify the rules to meet your auditor and business analyst requirements simply by setting the functions or objects to inactive.
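To make the mechanics concrete, here is an added example (not SAP's code, and not from either poster) that models how a GRC-style SoD risk is composed from functions and how deactivating one function suppresses the risk for a role. The function and risk ids (MAJ2, MAJ4, H010) and PA62/PA30 come from the thread; the infotype numbers are placeholders for the ones redacted above.

```python
from dataclasses import dataclass, replace

# Simplified model of a delivered SoD ruleset. A function groups actions
# (transaction codes) and permissions (here: infotype numbers); a risk is
# violated only when a role hits every function the risk lists.
# Infotype numbers are placeholders, not the real redacted values.


@dataclass(frozen=True)
class Function:
    name: str
    actions: frozenset      # transaction codes such as PA62
    infotypes: frozenset    # infotypes the role may maintain
    active: bool = True


@dataclass(frozen=True)
class Risk:
    risk_id: str
    function_names: tuple   # all listed functions must be hit to violate
    active: bool = True


FUNCTIONS = {
    "MAJ2": Function("MAJ2", frozenset({"PA62"}), frozenset()),
    "MAJ4": Function("MAJ4", frozenset(), frozenset({"INFTY_A", "INFTY_B"})),
}
RISKS = [Risk("H010", ("MAJ2", "MAJ4"))]


def hits(func, role_actions, role_infotypes):
    """A role hits a function if it holds any of its actions or infotypes."""
    return bool(func.actions & role_actions) or bool(func.infotypes & role_infotypes)


def evaluate(role_actions, role_infotypes, functions=FUNCTIONS, risks=RISKS):
    """Return ids of active risks the role violates. A risk that references
    an inactive function is skipped: that is the tailoring lever the answer
    describes, instead of deleting rules from the delivered set."""
    found = []
    for risk in risks:
        funcs = [functions[n] for n in risk.function_names]
        if not risk.active or any(not f.active for f in funcs):
            continue
        if all(hits(f, set(role_actions), set(role_infotypes)) for f in funcs):
            found.append(risk.risk_id)
    return found


def deactivate(functions, name):
    """Return a copy of the function table with one function set inactive."""
    return {**functions, name: replace(functions[name], active=False)}


if __name__ == "__main__":
    # Constructed composite role: runs PA62 and may maintain placeholder infotype A.
    print(evaluate({"PA62", "PA30"}, {"INFTY_A"}))                                  # ['H010']
    print(evaluate({"PA62", "PA30"}, {"INFTY_A"}, deactivate(FUNCTIONS, "MAJ4")))   # []
```

Deactivating MAJ4 (or the risk itself) leaves the delivered ruleset intact for a later audit while removing the finding for roles the business has judged acceptable.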