Integrated GRC systems not only provide a system for managing access control; they also ship with rule sets that take into account the thousands of specific transactions inside an ERP system, so that segregation-of-duties conflicts can be detected and avoided. Likewise, GRC systems not only automate the collection of control-relevant information and its analysis, but they also come with a large set of commonly needed controls that are ready to implement.

Perhaps the largest benefit of GRC systems is that they come with a step-by-step approach of the sort shown in Figure 1-6, one that has been proven through the experience gathered at numerous companies.

The general approach of one component of SAP's solution, SAP GRC Process Control, is to follow these steps:

- Document: Define the control environment. What are you doing? What are your processes? Where are the risks?
- Test: Implement the process and access controls needed to address the identified risks, and exercise them with automated and manual control tests.
- Remediate: Resolve the exceptions found by the controls.
- Analyze: Use the information gathered to gain a deeper understanding of the business.
- Optimize: Improve both GRC and business processes as insights are gathered.
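The segregation-of-duties rule check and the Test and Remediate steps described above, as an added example that is not SAP's code or SAP's delivered rule set. The transaction codes are real SAP tcodes, but the grouping of codes into business functions, the three rules, the four users and the compensating control CTRL-17 are all constructed for this illustration; a real rule set covers thousands of transactions and is maintained by the compliance team, not hard-coded.

```python
"""Segregation-of-duties (SoD) check with a test/remediate loop.

Added example; not SAP code and not SAP's delivered rule set. The tcodes are
real, but the function grouping, rules, users and mitigating control are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    risk: str  # what one person could do if they hold both functions


# Business function -> transaction codes that realise it (constructed mapping).
FUNCTIONS: Dict[str, Set[str]] = {
    "maintain_vendor": {"FK01", "FK02", "XK01", "XK02"},
    "pay_vendor": {"F-53", "F110"},
    "create_purchase_order": {"ME21N", "ME22N"},
    "post_goods_receipt": {"MIGO"},
    "post_vendor_invoice": {"MIRO"},
}

RULES: Tuple[SodRule, ...] = (
    SodRule("P001", "maintain_vendor", "pay_vendor", "create and pay a fictitious vendor"),
    SodRule("P002", "create_purchase_order", "post_goods_receipt", "order goods and book a receipt that never happened"),
    SodRule("P003", "create_purchase_order", "post_vendor_invoice", "order goods and post the invoice for one's own order"),
)


@dataclass(frozen=True)
class Conflict:
    user: str
    rule_id: str
    tcodes_a: FrozenSet[str]  # the user's codes behind function_a
    tcodes_b: FrozenSet[str]  # the user's codes behind function_b
    mitigated_by: Optional[str] = None  # documented compensating control, if any


def functions_of(tcodes: Set[str]) -> Dict[str, FrozenSet[str]]:
    """Map a user's transaction codes to the business functions they enable."""
    return {fn: frozenset(codes & tcodes) for fn, codes in FUNCTIONS.items() if codes & tcodes}


def find_conflicts(user_tcodes, rules=RULES, mitigations=None):
    """Test step: check every user against every rule.

    user_tcodes: {user: set of tcodes the user can execute}
    mitigations: {(user, rule_id): control description} for conflicts the
                 business has accepted under a documented compensating control.
    Returns (open_conflicts, mitigated_conflicts), each ordered by user name.
    """
    mitigations = mitigations or {}
    open_conflicts: List[Conflict] = []
    mitigated: List[Conflict] = []
    for user, tcodes in sorted(user_tcodes.items()):
        fns = functions_of(set(tcodes))
        for rule in rules:
            if rule.function_a in fns and rule.function_b in fns:
                ctrl = mitigations.get((user, rule.rule_id))
                conflict = Conflict(user, rule.rule_id, fns[rule.function_a], fns[rule.function_b], ctrl)
                (mitigated if ctrl else open_conflicts).append(conflict)
    return open_conflicts, mitigated


def remediate_by_revocation(user_tcodes, conflict: Conflict):
    """Remediate step: revoke the smaller side of the conflicting pair.
    Returns a new access map; the input is left untouched."""
    revoke = min(conflict.tcodes_a, conflict.tcodes_b, key=len)
    updated = {u: set(t) for u, t in user_tcodes.items()}
    updated[conflict.user] -= revoke
    return updated


def remediate_all(user_tcodes, rules=RULES, mitigations=None):
    """Repeat test -> remediate until no unmitigated conflict remains.
    Terminates because each round revokes at least one transaction code."""
    access = {u: set(t) for u, t in user_tcodes.items()}
    while True:
        open_conflicts, _ = find_conflicts(access, rules, mitigations)
        if not open_conflicts:
            return access
        access = remediate_by_revocation(access, open_conflicts[0])


# Constructed sample: four users and one documented compensating control.
SAMPLE_ACCESS = {
    "ap_clerk": {"FK01", "FK02", "F-53", "MIRO"},  # vendor master + payments -> P001
    "buyer": {"ME21N", "ME22N", "MIGO"},           # purchase order + goods receipt -> P002
    "warehouse": {"MIGO"},                         # no conflict
    "small_site_mgr": {"ME21N", "MIRO"},           # P003, accepted under CTRL-17
}
SAMPLE_MITIGATIONS = {("small_site_mgr", "P003"): "CTRL-17 monthly invoice review by controller"}

if __name__ == "__main__":
    open_conflicts, mitigated = find_conflicts(SAMPLE_ACCESS, mitigations=SAMPLE_MITIGATIONS)
    for c in open_conflicts:
        print(f"OPEN      {c.user}: {c.rule_id} via {sorted(c.tcodes_a)} + {sorted(c.tcodes_b)}")
    for c in mitigated:
        print(f"MITIGATED {c.user}: {c.rule_id} ({c.mitigated_by})")
    for user, tcodes in remediate_all(SAMPLE_ACCESS, mitigations=SAMPLE_MITIGATIONS).items():
        print(f"after remediation {user}: {sorted(tcodes)}")
```

Two design points carry over to real GRC tooling: rules are written against business functions rather than raw transaction codes, so that adding a new tcode to a function automatically extends every rule that references it, and a conflict that the business has knowingly accepted is kept visible as a mitigated exception with its compensating control attached rather than silently dropped from the report. Automatic revocation of the smaller side is only a stand-in here; in practice the remediation decision belongs to the business process owner.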
Figure 1-6: The steps to GRC implementation.
[Figure: five steps, Document, Test, Remediate, Analyze, Optimize, with a "RISK" label across them. Document (define the control environment): Compliance Team & Business Process Owners. Test (automated and manual control tests): Control Testers & Internal Audit. Remediate (resolve exceptions): Compliance Team & Business Process Owners. Analyze (report financial results): Executives, Controllers, Managers & Auditors. Optimize (optimize controls): Compliance Team & Business Process Owners.]