Skip to Content
Author's profile photo Steve Rumsby

Zero violations *is* possible!

We’ve been running Virsa/Compliance Callibrator/SAP GRC for quite a while now. When we first started the project and ran the first analysis it turned out that we were in much better shape than many people expected, certainly our external consultants. Apparently, many organisations end up with a 7-digit violation count first time around, if viewed at permission level. We had a little over 50,000. That’s been reducing slowly over the course of a couple of years now, until eventually, today, we got this:


Celebrations all round 🙂


Making big reductions in that number is always easy at first, and gets progressively harder as time goes on. We’ve been below 1,000 violations for the last 12 months, below 500 for 6 months, and below 100 for 4 months.


We’ve used a few mitigations, and in a handful of places had to use Firefighter where there just aren’t enough people, but mostly this is proper segregation of duties. If you are embarking on the same process and can’t see the light at the end of the tunnel, take heart – it is hard work, but zero violations is possible!


Next step – an upgrade to GRC 10.0…

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Susan Keohan
      Susan Keohan

      Steve, congratulations to you and your team! 

      Author's profile photo Former Member
      Former Member

      Hi Steve

      Yes congratulations well done. Never seen this before

      Author's profile photo Former Member
      Former Member

      Congratulations....but would be useful to know any further underlying facts such as how many mitigating controls were applied (if any), if any risks were deactivated in the rule set etc, etc. it would give great insight to many readers who struggle to make an impact with cleaning Access risks up in an organisations SAP systems. Either way, a good achievement and worth sharing to give hope to any ultra-clean-crazy Internal Controls person out there...;-)

      Author's profile photo Steve Rumsby
      Steve Rumsby
      Blog Post Author

      We certainly made changes to the default ruleset. The first stage of the project was to review every rule in the SAP ruleset with our internal audit team and senior finance staff. Many of SAP's rules were seen as not a risk for us, and some were seen as not a risk in the supplied form but were retained in modified form. In total 42 standard risks were disabled. 7 of them were replaced in modified form, and we added on completely new one.

      We have used mitigating controls in some cases where a department just does not have enough staff to properly segregate. We have also needed some mitigations to deal with situations where a risk can't quite be written properly and it works for most users but not all. We have 26 mitigating controls in all.

      Thanks for the suggestion of including more detail! I'll maybe try and do some more analysis and put it all in a blog in a few days.

      Author's profile photo Former Member
      Former Member

      Thank you very much for "liking" my suggestion and expanding on your efforts. I am sure this now gives a truer picture to any "Mavericks" out there who may think that cleaning up risks is a easy job. "Technically" it is (or as a customer once put it.."We will mitigate all risks for all users" 😕 ), but as a core business user, there are a lot of considerations to make in terms of the remediation effort and the application of sensible controls. That is the real challenge.

      I think your teams hard work over the years has paid off. Would be interested to see the chart again when a new risk is reported 😉