Sunday, 31 July 2016

GRC 10 and Access Control Risk Analysis

Introduction

GRC offers an effective continuous monitoring solution that helps maintain proper segregation of duties (SOD), enabling the organization to confidently prevent fraud across the organization and control excessive access.

Governance: senior executives direct and control the overall management system so that the information reaching the team is accurate, complete and timely.
Risk management: the process of identifying, analysing and responding to risks. A risk may be of any type: technology, financial, information, etc.
Compliance: necessary corrective actions are taken when the defined requirements are not met.
  

Difference between GRC 5.3 and GRC 10

Properties            GRC 5.3                                    GRC 10
Name Change           SAP GRC Business Objects Access Control    SAP Access Control (from May 2012)
Risk Analysis         Risk Analysis and Remediation              Access Risk Analysis
Emergency             Super User Privilege Management            Emergency Access Management
Role Assignment       Compliant User Provisioning (CUP)          Access Request Management
Role Build Workflow   Enterprise Role Management                 Business Role Management
Technology            Java                                       ABAP
End User Access       Any browser (Internet Explorer)            NWBC (NetWeaver Business Client) or through the Portal browser


GRC 10 Architecture:

GRC 10 Modules:

 A.   Access Control

·         Access Control proactively protects information and prevents fraud through automated access risk analysis, remediation and mitigation processes.
·         Enables the organization to automate the continuous control of access and authorization across the enterprise.

 B.   Process Control

·         Process Control provides automated continuous control and monitoring across policies and regulatory requirements.
·         Delivers cross-system visibility and a unified repository of compliance information for efficient management.

      C.    Risk Management

·         Risk Management provides complete risk visibility, key risk indicators and risk intelligence through dashboards and surveys.


      D.   GRC Global Trade Services

·         Identifies, manages and prioritizes risk exposure across global supply chains.
·         Automates export license management and electronic customs communication.


Access Control:
Components of Access Control:

  •    ARA - Access Risk Analysis
  •    EAM - Emergency Access Management
  •    ARM - Access Request Management

Access Risk Analysis:
       The Access Risk Analysis (ARA) module is used for preventive and ongoing monitoring of SOD risks, critical transactions and mitigation controls.

ARA Lifecycle:
                               
Identification of Risk:
          When we assess a user, role or profile against a given rule set, the SOD conflicts it contains are identified. This process is called Access Risk Analysis (ARA).

ARA can be run at:
           1.    User level
           2.    Role level
           3.    Profile level
           4.    HR object


Eliminating the Risk:

There are two approaches to eliminating a risk, as provided by the SOX team: remediation and mitigation. The flowchart below helps to understand the process flow.

Remediation / Mitigation (flowchart)
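To make the ARA steps above concrete, here is a small Python model added for illustration (it is not part of the original post and not SAP's delivered rule set): a constructed rule set of functions and conflicting-function risks is evaluated at role level and at user level, then a conflict is remediated by removing a role, or mitigated by attaching a control ID. All role names, user names, transaction codes and the control ID are constructed sample values.

```python
from copy import deepcopy

# Constructed rule set (not SAP's delivered rule set): a function groups actions
# (sample transaction codes); a risk pairs two functions that conflict under SOD.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02"},
    "INVOICE_POST": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
}
RISKS = {
    "P001": ("VENDOR_MAINT", "INVOICE_POST"),
    "P002": ("INVOICE_POST", "PAYMENT_RUN"),
}
# Constructed roles (sets of actions) and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_ADMIN": {"XK01", "XK02"},
    "Z_PAYMENTS": {"F110"},
    "Z_AP_ALL": {"FB60", "XK01", "F110"},   # one role that already conflicts
}
USERS = {
    "alice": {"Z_AP_CLERK", "Z_VENDOR_ADMIN"},
    "bob": {"Z_AP_CLERK", "Z_PAYMENTS"},
    "carol": {"Z_AP_ALL"},
}

def risks_for_actions(actions):
    """Risk IDs whose two functions are both reachable from the given actions."""
    enabled = {f for f, acts in FUNCTIONS.items() if acts & actions}
    return {rid for rid, (f1, f2) in RISKS.items() if f1 in enabled and f2 in enabled}

def role_level(roles=ROLES):
    """Role-level ARA: flags a single role that contains a conflict by itself."""
    return {r: risks_for_actions(a) for r, a in roles.items()}

def user_level(users=USERS, roles=ROLES):
    """User-level ARA: conflicts arise from the union of all roles a user holds."""
    return {u: risks_for_actions(set().union(*(roles[r] for r in rs)))
            for u, rs in users.items()}

def remediate(users, user, role):
    """Remediation: remove the role that creates the conflict, then re-run ARA."""
    updated = deepcopy(users)
    updated[user].discard(role)
    return updated

def report(findings, controls):
    """Mitigation: keep the access but tag each risk with its control ID (None = open)."""
    return {u: {rid: controls.get((u, rid)) for rid in sorted(rs)}
            for u, rs in findings.items() if rs}
```

Risks left as None in the report are open findings that still need either remediation or an assigned mitigating control.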
                                  

2 comments:

  1. Last month, when I visited your blog I got an error on the MySQL server of yours. - Technical Compliance team

  2. Thank you because you have been willing to share information with us. We will always appreciate all you have done here because I know you are very concerned with our. Mr Fix Solutions Houston Tx