Skip to Content

A number of vendors offer solutions for continuous controls monitoring, but few are linked to the management of risks. Ideal is to be able to use a top-down and risk-based approach.

Rather than going straight to testing controls or monitoring data (which is what most products actually do), start with identifying the risks for which you want to obtain assurance. Then and only then identify and test the controls relied upon to manage those risks.

SAP’s strategy is just that and more. In fact, it starts with the organization’s strategies, identifies risks to their achievement, and then links those risks to the controls and tests them.

This analyst review comments on the value of such an approach. http://www.ovum.com/news/euronews.asp?id=8016.

To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

  1. Babu Jayendran
    I am sure that auditors and compliance professionals will welcome the direction of SAP to have “….a holistic and integrated GRC framework…”

    From a risk management perspective, the difficult part for an auditor is to figure out the business processes and controls configured for an organization, in SAP. Ideally, the GRC tools should identify the processes configured in IMG and highlight the risks that arise due to certain built in SAP controls not being configured.

    For example, if we consider a simplistic scenario in Sales Order Processing, the GRC tool should:

    – automatically extract the business processes configured in IMG
    – identify the follow on documents
    – highlight the risk that credit control check has not been configured
    – suggest a mitigating control

    Automation can definitely help auditors and compliance professionals spend their time more effectively in analyzing the facts rather than extracting the data for review.

    (0) 

Leave a Reply