Former Member

Basis Ruleset - Standard vs Customized

Hi Experts,

I have one query regarding the ruleset (only for Basis):

Earlier there were manual controls in place in our company which were based upon the observations of Basis critical tcodes. We used to refer to the manual rulebook while doing authorization calls. Around 100+ tcodes were identified as Basis critical tcodes and listed to check for any risk.

At the time of GRC implementation, we adopted the same rulebook. Now there are queries and concerns from the auditors that the GRC SAP standard rulebook should be used. Our concern is that if we don't use some tcodes at all but still include them in the ruleset, it may increase the number of rules drastically and it may have performance implications.

Please suggest the best practices regarding Basis Ruleset which other organizations are following.

Thanks & Regards,

Sabita


3 Answers

  • Best Answer
    Former Member
    Dec 15, 2010 at 04:44 PM

    Hi Sabita,

    I would challenge your auditors. Tell them the history of the development of your company-specific rulebook and why you have GRC configured in that manner. The SAP standard ruleset is monstrous and is a guide, but all risks defined in the ruleset may not be relevant to your company. Did the auditors sign off on the original rulebook?

    Thanks,

    Grace Rae


  • Former Member
    Dec 15, 2010 at 05:53 PM

    Hi Sabita,

    The auditors would usually agree to a SAP ruleset to be used, but if they don't, I would suggest that you create a whole new ruleset just for BASIS rather than modifying the standard one.

    Thanks,

    Chinmaya


  • Former Member
    Dec 17, 2010 at 06:37 AM

    Hi Sabita,

    If sizing was done properly, I don't see any performance issue with an increase in rules.

    Standard SAP rules are being enhanced since 91 (VIRSA -> SAP).

    They are very robust and good. Almost all the risks are covered.

    Kindly refer to standard rules.

    Regards,

    Surpreet
