SAP GRC Terminology

GRC - Governance, Risk, and Compliance
Risks
- SOD Risks - Critical combination of 2 or more specific activities
- Sensitive Access Risk - A risk that a user has access to a specific functional area
Ruleset Concept
- Rulesets are a grouping of risks
- Risks are made up of function groups
- Function groups are made up of multiple t-codes and/or authorization objects
Firefighter
- Address segregation of duties concerns by providing temporary elevated access that is controlled and monitored

Business Process - Used to classify risks, rules and rule sets by business function, e.g. Order to Cash, Purchase to Pay and Record to Report are all types of Business Processes. All risks and functions are assigned to business functions.
Function - Identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.
Action - Known as Transactions in SAP. To perform a function, more than one action may need to be performed.
Permission - Objects in SAP that form part of Actions.
Risks - Identify potential problems your enterprise may encounter, which could cause errors or irregularities within the system.
Rule Sets - Categorize and aggregate the rules generated from a risk. When you define a risk, you attribute one or more rule sets to that risk. Similar to business process.
SoD - Segregation of Duties is a primary internal control intended to prevent, or decrease the risk of, errors or regulatory irregularities, identify problems, and ensure corrective action is taken. This is achieved by assuring that no single individual has control over separate phases of a business transaction.
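The Ruleset Concept above (rulesets group risks, risks are combinations of functions, functions are sets of t-codes) and the Rule Sets entry ("rules generated from a risk") describe a small data model. The following is an added example that is not SAP GRC code and not taken from this page: it models that hierarchy in Python, expands each risk into rules (one action from every conflicting function) and checks a user's held t-codes against a ruleset. A risk with a single function is treated as a Sensitive Access Risk, one with two or more as an SOD Risk. The risk IDs and business-process names are constructed; the t-codes used as actions are sample values for illustration only.

```python
"""Toy risk analysis over the ruleset -> risk -> function -> action model.

Added example: not SAP GRC's own code or algorithm. All risk IDs,
function names and sample t-codes below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Function:
    """A grouping of related actions (t-codes); holding any one enables it."""
    name: str
    actions: frozenset


@dataclass(frozen=True)
class Risk:
    """A critical combination of functions.

    One function  -> Sensitive Access Risk (access to a functional area).
    Two or more   -> SOD Risk (critical combination of activities).
    """
    risk_id: str
    description: str
    business_process: str
    functions: tuple


@dataclass(frozen=True)
class RuleSet:
    """A grouping of risks, e.g. all risks reported for one business process."""
    name: str
    risks: tuple


def generate_rules(risk):
    """Expand a risk into rules: every combination of one action per function.

    A rule is a frozenset of t-codes; a user who holds all of them
    satisfies the rule and therefore has the risk.
    """
    return [frozenset(combo)
            for combo in product(*(f.actions for f in risk.functions))]


def risk_kind(risk):
    """Classify a risk using the page's two risk types."""
    return "SOD" if len(risk.functions) >= 2 else "SENSITIVE_ACCESS"


def analyze_user(user_actions, ruleset):
    """Return {risk_id: [matched rules]} for every rule the user's access satisfies."""
    held = frozenset(user_actions)
    findings = {}
    for risk in ruleset.risks:
        hits = [rule for rule in generate_rules(risk) if rule <= held]
        if hits:
            findings[risk.risk_id] = hits
    return findings


# --- constructed sample ruleset (not a real SAP GRC ruleset) ---------------
VENDOR_MASTER = Function("Maintain Vendor Master", frozenset({"FK01", "FK02", "XK01"}))
PAYMENT_RUN = Function("Process Vendor Payments", frozenset({"F110"}))
USER_ADMIN = Function("Maintain Users", frozenset({"SU01"}))

SAMPLE_RULESET = RuleSet("SAMPLE", (
    Risk("P001", "Maintain vendor master and process vendor payments",
         "Purchase to Pay", (VENDOR_MASTER, PAYMENT_RUN)),
    Risk("B001", "User administration", "Basis", (USER_ADMIN,)),
))


if __name__ == "__main__":
    # Constructed user assignments: a conflicting user and a clean one.
    for user, tcodes in (("ALICE", {"FK01", "F110"}), ("BOB", {"FK01", "FK02", "FB60"})):
        result = analyze_user(tcodes, SAMPLE_RULESET)
        print(user, {rid: sorted(sorted(r) for r in rules) for rid, rules in result.items()})
```

Each risk with two functions of sizes 3 and 1 expands to three rules, which is the "rules generated from a risk" that the Rule Sets entry refers to; a user who holds any vendor-master t-code together with the payment run matches one of them. Keeping `generate_rules` separate from `analyze_user` mirrors how a ruleset is maintained (functions and risks) versus how it is evaluated (rules against a user's actions).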

Business Process: The high-level process areas in which you want to report risk analysis. Examples of business processes are Finance, Sales and Distribution, Production Planning, Human Resources, etc.
Function: A grouping of one or more actions that are related to each other. Example functional-area groupings could be Vendor Master Maintain, Material Master Maintain, etc. These functions will hold all the transactions relevant to vendor master and to material master, respectively.
Risk: Identified as material or physical loss, fraud, disruption or production loss that could occur due to an individual who could take advantage of the situation. Risks are generated by conflicting functions. An example risk could be "Maintain Fictitious G/L Account and hide activity Via postings".
Action: An activity performed in the system in order to accomplish a specific function. Examples of an action could be Create Vendor Master, Create Customer Master, Approve Payments, etc.
Permissions: Authorizations that allow users to perform a particular activity in the system. Example: Mass Update Material Master.
System: Refers to the system in which the analysis will be performed. The system could be SAP ECC, SAP SRM, SAP CRM, etc.
User: An individual employee's technical access to the system
Superuser: An individual with technical access to all system features and all transactions
Role: Access to specific functions by virtue of the employee's job title or responsibilities.
Access Control: A means to control who does what in the system.
Transaction: A field or set of fields used to perform an action in the system (for example, Set Up Vendor Account)
Event: An action performed by a user (for example, logging on, opening an application)
