GRC Tuesdays: The Power of Analyzing IT Information and Business Transactions Together
As organizations set up processes to detect suspicious transactions as part of an audit or compliance initiative, the initial focus is usually on transactions involving expenses and disbursements such as invoices, payments, and T&E (travel and expense). In addition to these business activities, there is also IT-related information such as user access, authentication, transaction frequency, and breached data that can be analyzed together with the business transactions to gain a more holistic view and identify suspicious activity more effectively.
For example, if a user has had several authentication failures and that user's transaction frequency is higher than usual, these IT indicators may mean that the business transactions associated with the user are suspicious, even though the business transactions themselves might not look out of the ordinary.
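The correlation described above, as an added example that is not part of the original post and not SAP's code: a small Python script that joins a constructed authentication log with a constructed payment log per user, compares each user's review-day transaction count against a baseline built from the preceding days, and raises the priority only when both an IT indicator (repeated authentication failures) and a business indicator (unusual transaction frequency) are present. The thresholds, field layouts and user names are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data (not from the article). Authentication log: (timestamp, user, outcome)
AUTH_EVENTS = [
    ("2024-03-04T08:01:00", "jdoe", "FAIL"),
    ("2024-03-04T08:02:10", "jdoe", "FAIL"),
    ("2024-03-04T08:03:30", "jdoe", "FAIL"),
    ("2024-03-04T08:04:00", "jdoe", "OK"),
    ("2024-03-04T08:30:00", "asmith", "OK"),
    ("2024-03-04T09:00:00", "bwong", "FAIL"),
    ("2024-03-04T09:01:00", "bwong", "OK"),
    ("2024-03-04T09:15:00", "cmeyer", "OK"),
    ("2024-03-04T09:20:00", "tnew", "OK"),
]

def _payments(user, day, n, amount):
    """Generate n constructed payment records for one user on one day: (timestamp, user, doc_type, amount)."""
    return [(f"{day}T{10 + i:02d}:00:00", user, "PAYMENT", amount) for i in range(n)]

# Five baseline days of history, then the day under review.
BASELINE_DAYS = [date(2024, 2, 26) + timedelta(days=i) for i in range(5)]
REVIEW_DAY = date(2024, 3, 4)

TRANSACTIONS = []
for _d in BASELINE_DAYS:
    TRANSACTIONS += _payments("jdoe", _d, 2, 1200.0)    # normally ~2 payments/day
    TRANSACTIONS += _payments("asmith", _d, 3, 800.0)
    TRANSACTIONS += _payments("bwong", _d, 1, 450.0)
    TRANSACTIONS += _payments("cmeyer", _d, 1, 300.0)
TRANSACTIONS += _payments("jdoe", REVIEW_DAY, 7, 1200.0)    # 3.5x the baseline
TRANSACTIONS += _payments("asmith", REVIEW_DAY, 3, 800.0)   # unchanged
TRANSACTIONS += _payments("bwong", REVIEW_DAY, 2, 450.0)    # 2x, below threshold
TRANSACTIONS += _payments("cmeyer", REVIEW_DAY, 4, 300.0)   # 4x, but no auth failures
TRANSACTIONS += _payments("tnew", REVIEW_DAY, 1, 300.0)     # no history at all

# Assumed thresholds; a real deployment would tune these per organization.
AUTH_FAIL_THRESHOLD = 3      # failed logins on the review day
FREQ_RATIO_THRESHOLD = 3.0   # review-day count / baseline daily average

def daily_counts(transactions):
    """Map user -> Counter(day -> number of transactions)."""
    counts = defaultdict(Counter)
    for ts, user, _doc_type, _amount in transactions:
        counts[user][datetime.fromisoformat(ts).date()] += 1
    return counts

def auth_failures(auth_events, day):
    """Count failed authentications per user on the given day."""
    fails = Counter()
    for ts, user, outcome in auth_events:
        if outcome == "FAIL" and datetime.fromisoformat(ts).date() == day:
            fails[user] += 1
    return fails

def score_users(auth_events, transactions, review_day, baseline_days):
    """Combine the IT indicator and the business indicator per user.

    Priority is 'alert' when both indicators fire, 'review' when one fires,
    and 'none' otherwise. A user with no baseline history gets the
    'no_history' indicator because the frequency ratio is undefined.
    """
    counts = daily_counts(transactions)
    fails = auth_failures(auth_events, review_day)
    results = {}
    for user, per_day in counts.items():
        baseline_avg = sum(per_day[d] for d in baseline_days) / len(baseline_days)
        review_count = per_day[review_day]
        indicators = []
        if fails[user] >= AUTH_FAIL_THRESHOLD:
            indicators.append("auth_failures")
        if baseline_avg == 0:
            if review_count > 0:
                indicators.append("no_history")
        elif review_count / baseline_avg >= FREQ_RATIO_THRESHOLD:
            indicators.append("transaction_frequency")
        priority = "alert" if len(indicators) >= 2 else "review" if indicators else "none"
        results[user] = {
            "auth_failures": fails[user],
            "baseline_avg": baseline_avg,
            "review_count": review_count,
            "indicators": indicators,
            "priority": priority,
        }
    return results

if __name__ == "__main__":
    for user, r in sorted(score_users(AUTH_EVENTS, TRANSACTIONS, REVIEW_DAY, BASELINE_DAYS).items()):
        print(f"{user:8} priority={r['priority']:6} indicators={r['indicators']}")
```

In the constructed data only `jdoe` trips both indicators and becomes an alert; `cmeyer` has an equally unusual transaction count but no authentication failures, so the script marks that user for review rather than raising an alert, which is the point of analyzing the IT and business data together rather than separately.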
How the SAP Solutions in the GRC Portfolio Fit In
The solutions available in SAP’s GRC portfolio provide insights into a broad range of IT information as well as business transactions, and help organizations determine whether an alert needs to be created to trigger an investigation, based on the suspicious activity identified by analyzing all of this data.
Solutions such as SAP Access Control and SAP Enterprise Threat Detection monitor user access, authentication, and activity. The information gathered by these solutions provides additional context to the analysis of business transactions by SAP Business Integrity Screening, and this allows organizations to have a comprehensive detection approach that leverages both IT and business data to identify potential exceptions.
Once alerts are triggered by SAP Business Integrity Screening, an investigation workflow starts, allowing supporting documentation and other information to be captured before a final decision is made about the case. If the case proves to be a confirmed exception (which could range from fraudulent activity to errors caused by improper staff training), this information can be communicated to SAP Process Control to assess whether a control needs to be created or enhanced to address similar situations in the future.
Ultimately, the success of a detection solution is determined by its ability to address the specific requirements of an organization. SAP Business Integrity Screening is a flexible platform that can be expanded with customer-specific rules, and it provides multiple detection approaches that complement each other, so that business transactions across the enterprise are monitored together with IT information to give a comprehensive view of any suspicious activity.