I am striking up a discussion away from the technical aspects of GRC. The reason being, it is interesting to know how all the technical build-up and maintenance actually helps organizations. I have a very basic and limited understanding of this area, which I have put across here, and I would really like to get more information to understand the overall picture.
From the purpose of SAP GRC, it is clear that it caters to regulatory compliance based on certain legal acts / laws. These are specific to industries and geographies. We usually implement SAP GRC Access Control mainly with separation / segregation of duties in mind. This in turn primarily helps comply with certain regulatory laws, for example the major one we hear of, the SOX (Sarbanes-Oxley) Act.
Now, the SOX Act consists of over 50 legal sections, most of which are not specifically IT related. SAP GRC Access Control's separation of duties caters to Section 404 of the SOX Act, which deals with internal controls. This requires the management of an organization to have enough internal controls to assess risks and prevent fraud. Similarly, having approval logs and audit logs as part of SAP GRC's features caters to Section 802 of the SOX Act, which deals with altering documents. This requires that no document is altered in the due course of business in an organization.
I, having worked specifically on the Access Control part of SAP GRC, usually only get to look heavily at the side of the separation of duties policies. I know that Process Control caters to specific regulatory compliance much more than Access Control does, that being its purpose.
So, please share your experiences regarding how you have used SAP GRC Access Control or Process Control to cater to which regulatory compliance, and how.