I am an SAP Security and GRC (technical) consultant. I am helping my client with changing the
1. SOD rule set analysis from transaction level to authorization object level (to remove false positives)
2. Implementing Organizational rules (to remove false positives)
For option 2, initially the business told me that they would like to remove the false positives for conflicting transactions, for example FV50 and F.14. The real conflict comes only when a user has access to the same company code; if not, there is no risk. That's fine. I can get into the respective function of that associated risk, enable the org level and create an org level rule ID for that particular risk.
For my client the risks are already defined, so there were more transactions in that particular risk. So I requested the business (Internal Audit & SOX Compliance) to confirm whether all the other transactions in that particular risk are also valid for the business condition which they requested. I got a reply saying the organizational rule should be applied for all transactions. I presented a demo explaining what the risk is if we blindly apply the rules, but Internal Audit & SOX Compliance still could not understand. Then I told them to give me the list of transactions for which they would like to apply the organizational rules, but they are asking me to identify them myself.
I would like to seek your suggestion on this.
My understanding is that business processes differ for each and every organization. I am a technical person who came to enhance the client's existing CC4 tool. How do I know for what transactions the organizational rule should be applied?
Will there be someone in an organization, apart from the Internal Audit & SOX Compliance team, who would know this?
I would appreciate your answer.
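The following is an added example, not code from the original post and not SAP GRC / CC4 code. It models the point made above: a transaction-level SOD check flags FV50 + F.14 for every user who holds both, while an org-level check only reports the company codes (BUKRS) reachable through both sides, which clears the false positive. It also shows, with a constructed transaction, what can go wrong when the org condition is applied blindly to a transaction that performs no company-code check. The risk id `F001`, the users, and the transaction `ZNOORG` are constructed for illustration; only FV50, F.14 and the company-code condition come from the post.

```python
"""Added example, not from the original post or from SAP GRC / CC4.

Shows why an organization-level rule removes false positives for a risk
whose conflict only exists inside one company code (BUKRS), and what goes
wrong when the org condition is applied blindly to a transaction that does
not check company code at all. FV50, F.14 and the company-code condition
come from the post; the risk id, the users and the transaction 'ZNOORG'
are constructed for illustration.
"""
from dataclasses import dataclass

ALL = "*"  # SAP-style full authorization on the org field


@dataclass(frozen=True)
class Auth:
    tcode: str
    bukrs: frozenset  # company codes granted for this tcode ("*" = all)


@dataclass
class User:
    name: str
    auths: tuple


# Constructed risk: function A = park documents, function B = clear documents.
RISK = {"id": "F001", "function_a": {"FV50"}, "function_b": {"F.14", "ZNOORG"}}

# Transactions whose authorization check actually includes BUKRS; the org rule
# is only meaningful for these. ZNOORG (hypothetical) has no company-code check.
ORG_DEPENDENT = {"FV50", "F.14"}


def _codes(user, tcodes, respect_org_dependency):
    """Company codes reachable through any tcode in `tcodes`."""
    reach = set()
    for a in user.auths:
        if a.tcode not in tcodes:
            continue
        if respect_org_dependency and a.tcode not in ORG_DEPENDENT:
            reach.add(ALL)  # no BUKRS check => effectively every company code
        else:
            reach |= a.bukrs
    return reach


def _overlap(a, b):
    """Company codes reachable from both sides, honouring '*' full authorization."""
    if not a or not b:
        return set()
    if ALL in a:
        return set(b)
    if ALL in b:
        return set(a)
    return a & b


def tcode_level_conflict(user, risk=RISK):
    """Transaction-level analysis: any tcode from both functions => conflict."""
    have = {a.tcode for a in user.auths}
    return bool(have & risk["function_a"]) and bool(have & risk["function_b"])


def org_level_conflict(user, risk=RISK, blind=False):
    """Org-level analysis. Returns the company codes where the conflict is real.

    blind=True applies the BUKRS condition to every tcode in the risk; a tcode
    with no BUKRS check then carries no company code at all, so the conflict
    silently disappears (a false negative instead of a false positive).
    """
    codes_a = _codes(user, risk["function_a"], not blind)
    codes_b = _codes(user, risk["function_b"], not blind)
    return sorted(_overlap(codes_a, codes_b))


def analyse(users):
    """Per-user result for all three ways of evaluating the risk."""
    return {u.name: {"tcode": tcode_level_conflict(u),
                     "org": org_level_conflict(u),
                     "org_blind": org_level_conflict(u, blind=True)} for u in users}


# Constructed users.
USERS = (
    # Both sides in company code 1000: a real conflict.
    User("real", (Auth("FV50", frozenset({"1000"})), Auth("F.14", frozenset({"1000"})))),
    # Different company codes: flagged at tcode level, cleared by the org rule.
    User("false_positive", (Auth("FV50", frozenset({"1000"})), Auth("F.14", frozenset({"2000"})))),
    # Full authorization on one side reaches every company code of the other.
    User("wildcard", (Auth("FV50", frozenset({ALL})), Auth("F.14", frozenset({"3000"})))),
    # Clearing via a tcode with no BUKRS check: a blind org rule hides the conflict.
    User("blind_gap", (Auth("FV50", frozenset({"1000"})), Auth("ZNOORG", frozenset()))),
)

if __name__ == "__main__":
    for name, r in analyse(USERS).items():
        print(f"{name:15} tcode={r['tcode']!s:5} org={r['org']} org_blind={r['org_blind']}")
```

The `blind_gap` user is the case worth showing an audit team: with the org condition applied only to transactions that really check BUKRS, the conflict in company code 1000 is still reported; with the condition applied to every transaction in the risk, the same user drops out of the report entirely.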