Compliance Calibrator V4 - Organizational rules

Former Member

Dear experts

I am SAP Security and GRC (technical) consultant. I am helping my client on changing the

1. SOD rule set analysis from transaction level to authorization object level (to remove false positives)

2. Implementing Organizational rules (to remove false positives)

For option 2 initially business told me that they would like to remove the false positives for conflicting transactions, for example FV50 and F.14. The real conflict comes only when a user has access to the same company code; if not, there is no risk. That's fine. I can get into the respective function of that associated risk, enable the org level and create an org level rule ID for that particular risk.

For my client the risks are already defined. So there were more transactions in that particular risk. So I requested business (Internal Audit & SOX Compliance) to confirm whether all the other transactions in that particular risk are also valid for the business condition which they requested. I got a reply saying the organizational rule should be applied for all transactions. I presented a demo explaining what the risk is if we blindly apply the rules, but Internal Audit & SOX Compliance still could not understand. Then I told them to give me the list of transactions for which they would like to apply the organizational rules, but they are asking me to identify them myself.

I would like to seek your suggestion on this.

My understanding is business processes differ for each and every organization. I am a technical person who came to enhance the client's existing CC4 tool. How do I know for what transactions the organizational rule should be applied?

Will there be someone who would know this in an organization apart from the Internal Audit & SOX Compliance team?

I will appreciate your answer.

Sincerely

Rajesh

Accepted Solutions (0)

Answers (1)


Hi Rajesh,

The SoD violations or Risk arise only when a user has access to perform the transaction end to end. Take the example in your case also: if a person has authority to create a Purchase Order for Plant X and also authority to release the PO for Plant X, then only should it be an SoD violation. In case the given authorities are for two different plants it is not an SoD violation. In the absence of organisational rules configuration it will appear as an SoD violation, which will result in a false positive.

Hence I would suggest having the organisational rules configured for all the transactions. However, you have to activate organisation elements in the transactions included in Functions.

regards,

Jwalant
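To make the mechanism Jwalant describes concrete, here is an added Python example (not code from the thread, and not how Compliance Calibrator itself is implemented). It models one risk made of two conflicting functions (using FV50 and F.14 from Rajesh's post), a few constructed user authorizations with company code (BUKRS) values, and evaluates the risk once without an organizational rule and once with the rule scoped to BUKRS. The risk ID, user names and org values are constructed placeholders; the rule that an authorization with no value for the scoped field, or a `*` value, is treated as unrestricted is an assumption made so the example stays conservative.

```python
from dataclasses import dataclass
from itertools import product

# Constructed data model: this is an illustration, not the CC4/GRC rule-set format.


@dataclass(frozen=True)
class Auth:
    """One authorization a user holds: a transaction plus the org values it is limited to.

    org is a tuple of (field, value) pairs, e.g. (("BUKRS", "1000"),).
    A value of "*" means the authorization is not restricted on that field.
    """
    tcode: str
    org: tuple = ()


@dataclass(frozen=True)
class Risk:
    """An SoD risk: two functions that conflict, scoped to one org field when the org rule is on."""
    risk_id: str
    function_a: frozenset
    function_b: frozenset
    org_level: str  # org field the conflict is evaluated on, e.g. "BUKRS" (company code)


def _values(auth, field):
    """Org values an authorization carries for one field."""
    return {v for f, v in auth.org if f == field}


def _same_org(auth_a, auth_b, field):
    """True when both authorizations can reach the same org unit for `field`.

    Assumption (conservative): an authorization with no value for the field, or a
    wildcard, is treated as reaching every org unit, so it still conflicts.
    """
    va, vb = _values(auth_a, field), _values(auth_b, field)
    if not va or not vb or "*" in va or "*" in vb:
        return True
    return bool(va & vb)


def find_violations(auths, risk, org_rule_active):
    """Return sorted (risk_id, tcode_a, tcode_b) conflicts for one user's authorizations."""
    a_auths = [a for a in auths if a.tcode in risk.function_a]
    b_auths = [b for b in auths if b.tcode in risk.function_b]
    found = set()
    for a, b in product(a_auths, b_auths):
        if not org_rule_active or _same_org(a, b, risk.org_level):
            found.add((risk.risk_id, a.tcode, b.tcode))
    return sorted(found)


def false_positives(auths, risk):
    """Conflicts reported without the org rule that disappear once the rule is applied."""
    without = set(find_violations(auths, risk, org_rule_active=False))
    with_rule = set(find_violations(auths, risk, org_rule_active=True))
    return sorted(without - with_rule)


# Constructed risk: FV50 vs F.14 (the pair named in the post), scoped to company code.
RISK = Risk("RISK-EXAMPLE", frozenset({"FV50"}), frozenset({"F.14"}), org_level="BUKRS")

# Constructed users.
USERS = {
    # Both transactions in the same company code: a real conflict either way.
    "U_SAME": [Auth("FV50", (("BUKRS", "1000"),)), Auth("F.14", (("BUKRS", "1000"),))],
    # Transactions in different company codes: flagged only when the org rule is off.
    "U_CROSS": [Auth("FV50", (("BUKRS", "1000"),)), Auth("F.14", (("BUKRS", "2000"),))],
    # Wildcard on one side reaches every company code: still a real conflict.
    "U_WILD": [Auth("FV50", (("BUKRS", "*"),)), Auth("F.14", (("BUKRS", "2000"),))],
    # Only one side of the conflict: never a violation.
    "U_ONESIDE": [Auth("FV50", (("BUKRS", "1000"),))],
}

if __name__ == "__main__":
    for name, auths in USERS.items():
        print(name,
              "no org rule:", find_violations(auths, RISK, org_rule_active=False),
              "| org rule:", find_violations(auths, RISK, org_rule_active=True))
```

The U_CROSS user is the false positive both posters describe: it is reported when the risk is evaluated at transaction level only and vanishes once the rule is scoped to BUKRS. The wildcard and missing-value cases are what makes "apply the org rule to every transaction" safe only if every transaction in the function is actually restricted by that org field; where an authorization carries no value for the field, this model keeps the conflict rather than suppressing it.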

Former Member

Dear Jwalant

Thank you for your response. I do agree; that's the reason I proposed to implement the organizational rules. Like you said, in your case the real risk is at plant level. The example which I have given is at company code level. In the standard SAP rule set, for process vendor invoices and AP payments the risk is at the combination of plant and company code.

The risk varies based on organizational setup and business process. If the payment process is taken care of by some third party company, then the general risks which are mentioned in the standard SAP risks may not be applicable for the company, as you rightly said, since there is no end to end process. Those are all fine.

My question is: who is responsible for providing the risk details saying that in a company, process vendor invoices and AP payments is a risk at what organizational level, whether company code, plant, sales org, purchase org etc., in case they really would like to get rid of false positives? Is it the technical team or Business/Internal Audit & SOX Compliance?

Regards

Rajeshkumar