BPX and GRC
The title of my blog is a jumble of letters! Since we are all from the SAP space, we understand what it stands for.
I want to delve into one area of SAP GRC, and that is Segregation of Duties (SOD). Let us first try to understand the scenario in which most organizations work. The responsibility for Security and Authorizations has evolved over a period of time, and the staff who normally handle this function have been ‘upgraded’ from a Basis background. Most of them are hard-core techies and excel in the tech space. Business tcodes for them are nothing but a jumble of alphanumeric characters! It can be MM01, FB01 or VK01; it does not matter, since they are not aware of the business process and the impact of the related risk if there is an SOD violation. The reality is that they do not have business exposure, and we do not expect them to. Some techies have picked up this business knowledge over the years, and I give them full credit for going that extra mile!
The fundamental principle of SOD is to ensure that in any business process the tasks of “Initiating”, “Authorizing”, “Recording”, “Processing” and “Reporting” are segregated, so that no employee has access to any two of these tasks. The underlying assumption is that if they do, the potential for fraudulent activity increases.
Let me give you an example to drive my point home. Create Material Master Record ‘MM01’ conflicts with Create Purchase Order ‘ME21’, as per Compliance Calibrator or RAR in GRC Access Control. The risk is that the employee who has this access can create a Material and a Purchase Order. The Mitigating Control could be that a Release Strategy has been configured for the Purchase Order, with the release given to another employee. It is extremely important that the individual who reviews this and grants the authorizations is aware of the risk and of whether the mitigating control actually mitigates it. If the individual granting authorizations is not aware, the possibility of the organization living with this risk cannot be ignored.
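To make the SOD principle from the previous paragraphs and the MM01/ME21 example concrete, here is a small risk analysis written for this post. It is an added illustration, not code from SAP, Compliance Calibrator or RAR: the role names (Z_MM_*), user IDs and the mitigating control ID MC-PO-RELEASE are constructed for the example. Users receive tcodes through roles, each risk rule is a set of tcodes that one person should not hold together, and a finding is only reported as mitigated when an approved control is assigned to that user for that risk. The rule format generalizes beyond the single MM01/ME21 pair to any number of conflicting functions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class RiskRule:
    """One SOD risk: a set of transaction codes no single user should hold together."""
    risk_id: str
    description: str
    tcodes: FrozenSet[str]


@dataclass
class User:
    user_id: str
    roles: Set[str]
    # risk_id -> ID of an approved mitigating control assigned to this user
    # (control IDs here are hypothetical, chosen for the example)
    mitigations: Dict[str, str] = field(default_factory=dict)


# Constructed sample role-to-tcode mapping (not a real SAP role design).
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_MM_MASTER_DATA": {"MM01", "MM02", "MM03"},
    "Z_MM_PURCHASING": {"ME21", "ME22", "ME23"},
    "Z_MM_DISPLAY": {"MM03", "ME23"},
}

# The risk described in the post: creating a material master and a purchase order.
RULES: List[RiskRule] = [
    RiskRule(
        risk_id="P001",
        description="Create material master (MM01) and create purchase order (ME21)",
        tcodes=frozenset({"MM01", "ME21"}),
    ),
]

# Constructed users: one unmitigated conflict, one mitigated by a PO release
# strategy control, one display-only user with no conflict.
USERS: List[User] = [
    User("buyer01", {"Z_MM_MASTER_DATA", "Z_MM_PURCHASING"}),
    User("buyer02", {"Z_MM_MASTER_DATA", "Z_MM_PURCHASING"},
         mitigations={"P001": "MC-PO-RELEASE"}),
    User("viewer01", {"Z_MM_DISPLAY"}),
]


def effective_tcodes(user: User, role_tcodes: Dict[str, Set[str]]) -> Set[str]:
    """Union of all tcodes granted through the user's roles."""
    held: Set[str] = set()
    for role in user.roles:
        held |= role_tcodes.get(role, set())
    return held


def analyze(users: List[User], rules: List[RiskRule],
            role_tcodes: Dict[str, Set[str]]) -> List[dict]:
    """Report every user who holds all tcodes of a rule, and whether a control covers it."""
    findings = []
    for user in users:
        held = effective_tcodes(user, role_tcodes)
        for rule in rules:
            if rule.tcodes <= held:  # user holds every conflicting tcode
                control = user.mitigations.get(rule.risk_id)
                findings.append({
                    "user": user.user_id,
                    "risk": rule.risk_id,
                    "tcodes": sorted(rule.tcodes),
                    "status": "mitigated" if control else "unmitigated",
                    "control": control,
                })
    return findings


def unmitigated_users(findings: List[dict]) -> List[str]:
    """The users an auditor would flag: conflict present, no mitigating control."""
    return sorted(f["user"] for f in findings if f["status"] == "unmitigated")


if __name__ == "__main__":
    results = analyze(USERS, RULES, ROLE_TCODES)
    for finding in results:
        print(finding)
    print("Unmitigated:", unmitigated_users(results))
```

The point the post makes is visible in the data model: a mitigation entry only records that a control has been assigned, not that the release strategy is actually configured and held by a different person. Whoever approves the assignment still has to know the business process well enough to confirm that.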
I am only trying to highlight the importance of the individuals responsible for “Authorizations” being fully aware of business processes and their related risks. If this does not happen, the organization could be exposed to potential risks which the auditors will definitely point out.
The convergence of BPX with GRC could be a solution!