Skip to Content

Are you ready for SAP GRC 10.0?

I will confess that I am one of the people who have been eagerly awaiting SAP’s GRC 10.0, primarily for the move back to the ABAP platform, but also for other anticipated improvements. For several months I have been working on a GRC 10 ramp up deployment of Access Controls, and it has been a very interesting project. Since it is not yet in general availability, there are not very many specifics I can share. However, I do suggest that if your organization has taken a wait-and-see approach, there are still things you could be doing to get ready for a GRC 10 Access Controls deployment. My suggestion is to consider doing some advance work for your deployment; thinking ahead could get you a good jump on this important effort.

Unless you are a brand new SAP shop, chances are good that you already have some kind of compliance/ rule tool in use. Even if it is just a spreadsheet of conflicting and/or sensitive transaction codes, it is a place to start. Whatever kind of compliance solutions you are using, you’ve got something to build on, so don’t stress about starting over at ground zero, unless audit findings have suggested taking a clean slate approach. The project that I have been working on took a mixed approach that included leveraging the segregation of duties (SOD) and sensitive access (SA) rules that were in the solution in use for some of the SAP systems, and leveraging the SAP delivered rules along with rule recommendations from the implementation partner for other systems. If leveraging a controls solution already in use is a possibility, be sure to ask your potential implementation partners about their experience in this area.

 One of the keys to good SOD and SA rules is ensuring that they are based on the processes in your SAP landscape, and that is likely to require input from your process experts. Out-of-the-box rules from SAP and recommendations from your implementation partner are not going to account for customizations and unique situations such as cross-system processes. The good news is that GRC 10.0  can accommodate such processes, but the rules must be designed accurately.  Are the process experts easily identified in your organization? If not, identifying the people who understand the processes and roles might be a good place to do some advance work.

If you have been keeping up with your SU24 maintenance, including your custom transactions, congratulations, you are in a better position for building accurate rules at the permission (authorization value) level. On the other hand, if you have been doing manual inserts in your security roles and not keeping up with SU24, you are going to have some extra work ahead of you. Advance work you can get done on SU24 clean up particularly on SOD and sensitive transactions will pay off later, both for your GRC build and for future role maintenance.

With some advance planning, you can be ready for your deployment or upgrade to GRC 10, so start thinking about where you are now and what you might need to do in order to be in a better position for a smooth GRC project.

You must be Logged on to comment or reply to a post.
  • I appreciate the advice.

    We haven’t looked at GRC yet so this is all new good information to know.

    Thank you for sharing.

  • Hi

    I agree!

    I think that a company which is considering or already in the process of starting a GRC – RAR review really should be establishing a group of functional process people. They will be entrusted to define the various swim lanes and approved access before any work is instigated using the SAP delivered ruleset.

    If this isn’t done in advance then it can mean spending months(if not years)arguing about the reports not meeting the business needs. Mitigations being set up where not practical and business processes changed incurring massive costs and disengaging the business reps who initially bought into the concept.


    • David,

      Thanks for letting me know that you agree with my suggestions. I have to suspect that the lack of knowledgeable process experts can be one of the biggest risks to GRC deployments these days after so many organizations have outsourced or laid off the very people whose institutional process expertise would have helped ensure the success of these projects.

      Thanks for sharing your views.


  • Did you ever work with AC 5.3? If so it would be good to hear about the major changes / improvements coming with AC 10.0.
    • Dennia,
      My experience with 5.3 is pretty limited; the only things I can comment on are some changes I observed in Superuser Privilege Management. Improved features that caught my eye included the centralized logon, the enhanced reporting via workflow, and the ability to request additional information from the requester.
      If you have not yet seen the Mentor Monday web cast that was offered when the 10.0 release went into ramp up, which included an overview of what’s new in GRC 10.0, I encourage you to watch it.
      Webinar Replay: 


  • 1. Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries.

    2. Adjust the subsidiary balance using the AR payment transaction. and then cover it up using journal entries

    could you give me some business scenarios for making the business undrstand the risk & take appropriate actions.

    • Naveen,
      I am a little bit perplexed as to why any experienced business person would fail to understand the risk in those scenarios. Perhaps there is something I am missing here. To me, they are both clearly at risk for fraud, which is why those functions would ordinarily fall under segregation of duties rules. Possible mitigations for those risks would include the account reconciliation process, monitoring high value entries and limiting security access to change functionality and periodic reviews of the appropriateness of that access.
      If I misunderstood your question, I apologize; please enlighten me.
      • Dear Gretchen

        Thank you for your remarks on way to treat the risk.

        I am a GRC techno functional resource, working with different FMCG business around the middle east.

        i guess the business is not understanding the SAP Defintion of the above risks.

        I am trying to come up with a business scenario which can make the business easily understand the risk

        Pls let me know if you have come across scenarios to explain the same.

        i have searched a lot in the web, to find the repository of the risk explanations..

        i think if we can prepare a white paper explaining all the risks in simple terms.. then it would be very helpful for techincal GRC consultants to explain the RAR report to the business, rather than just give the report to business & let them handle it.