TIPS for Reviewing your SAP GRC Rule Set for Completeness and Relevance
SAP GRC provides a rule set out of the box that is relevant for most companies. The rule set has to be reviewed regularly as your business needs and the functionality in your SAP system change. Here are some tips for reviewing your SAP GRC rule set.
Industry Specific Rule Set:
The SAP GRC rule set does not cover every industry niche. You may have transactions that are specific to your industry, and your risk analysis may not be covering those industry-specific transactions at all.
For example, in the Federal Government area most of the risks are not based on Sales but on Funds Management. Some of the delivered risks have to be turned off and new SAP GRC risks have to be added to the rule set.
Functionality Specific Rule Set:
There are two schools of thought here. One option is to turn off the risks for functionality you are not implementing. The other option is to keep them on, so you can see why people are showing the risk when the functionality is not being used.
It is better to keep the risks turned on so you can see whether the risks are showing up in SAP users or SAP roles. If you are not using HR functionality and 50 % of your users are showing SAP HR risks, then there is a bigger problem.
This indicates that your role design is out of sync: transactions belonging to functionality that has not been implemented have been included in your roles.
Customer Specific Rule Set:
In this scenario you will have custom SAP transactions, or standard SAP transactions that have been configured to behave differently. These transactions have to be added to or removed from the rule set based on the situation.
One of the key areas to focus on is custom SAP transactions developed internally, which are usually ignored.
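The two checks above (risks firing for functionality that is not implemented, and customer transactions missing from the rule set) can be scripted once the rule set and role contents are exported. The example below is added here and is not SAP's or GRC's own code; all function IDs, risk IDs, roles and transactions are constructed sample data, and the risk model is simplified to "a risk fires when a role holds at least one transaction of every conflicting function".

```python
"""Constructed, simplified model of an SAP GRC rule-set review.

A risk is a set of functions that conflict when one role holds all of them;
each function maps to the transactions (actions) that enable it.
All identifiers below are constructed sample data, not a real rule set.
"""
from typing import Dict, Set

# Function -> transactions that enable it (constructed).
RULE_SET_ACTIONS: Dict[str, Set[str]] = {
    "HR_MAINTAIN_MASTER": {"PA30", "PA40"},
    "HR_RUN_PAYROLL": {"PC00_M99_CALC"},
    "FM_BUDGET_ENTRY": {"FMBB"},
    "FM_BUDGET_RELEASE": {"FMX1"},
}
# Risk -> (functional area, conflicting functions) (constructed).
RISKS = {
    "H001": ("HR", frozenset({"HR_MAINTAIN_MASTER", "HR_RUN_PAYROLL"})),
    "F001": ("FM", frozenset({"FM_BUDGET_ENTRY", "FM_BUDGET_RELEASE"})),
}
# Role -> transactions it grants (constructed; Z*/Y* are customer transactions).
ROLES: Dict[str, Set[str]] = {
    "Z_PAYROLL_CLERK": {"PA30", "PC00_M99_CALC", "ZHR_BONUS"},
    "Z_BUDGET_OFFICER": {"FMBB", "FMX1", "ZFM_REPORT"},
    "Z_DISPLAY_ONLY": {"SU53", "ZFM_REPORT"},
}

def uncovered_custom_tcodes(roles, actions):
    """Customer transactions (Z*/Y*) granted by roles but absent from every rule-set function."""
    covered = set().union(*actions.values())
    used = set().union(*roles.values())
    return {t for t in used if t.startswith(("Z", "Y")) and t not in covered}

def risk_hits(roles, actions, risks):
    """Per role, the risks that fire: every conflicting function has at least one of its transactions in the role."""
    hits = {}
    for role, tcodes in roles.items():
        hits[role] = {rid for rid, (_, funcs) in risks.items()
                      if all(tcodes & actions[f] for f in funcs)}
    return hits

def unimplemented_area_share(hits, risks, unimplemented):
    """Fraction of roles with at least one hit in a functional area the business has not implemented."""
    flagged = [r for r, rids in hits.items()
               if any(risks[x][0] in unimplemented for x in rids)]
    return len(flagged) / len(hits) if hits else 0.0
```

A high share from `unimplemented_area_share` is the "role design out of sync" signal described above, and the set from `uncovered_custom_tcodes` is the list of internally developed transactions the rule set never evaluates.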