Monthly GRC Ruleset Review & Completeness - Audit Review Guideance Request

Dear Friends, We are in the process of building a process to review changes done with GRC rule set ( as per below audit request ).

Topic: Custom T-Codes: - Validation of custom T-Codes being included in the Ruleset: -

When Business Owners determine an SOD conflict does exist for a new custom t-code they are to add it to the ruleset.
Build a review for ruleset and to validate custom t-codes causing SOD conflicts are included and tracked in the ruleset.

Current process: -

A. How do we perform changes to your rule set?
Ans: - Currently it is manually done in D, Q and P.

B. Do you change in dev/quality and transport to prod?
Ans: - It's not done via transport but manually it's updated.

I would request your insights for: -

* What should be reviewed \ captured to find the changes done with GRC ruleset for a specific month year.

* What are the aspects which need to be included \ captured in monthly GRC ruleset completeness and accuracy documentation.

Or

* Please reference any SAP help documentation which would help in building process for this monthly review.

Thanks
Raj

PS: -

GRC 12.0 SP05 is current version of GRC