The GRC Consultant

In a regulated economy, success is measured on the speed, transparency, integrity and compliance capabilities of the organization’s business processes and the system landscape. The key to success would then translate into an effective audit of the organization’s SAP system, with specific focus on security and control. General Controls specialists reviewing Application Controls may not deliver the desired level of comfort in identifying control weaknesses in an SAP environment. This requires knowledge of the SAP system security, auditability, risks and controls. The introduction of SAP NetWeaver has further enhanced the need for having a better understanding on the key aspects of security, user authentication and authorization, across platforms.
To get into the GRC space, I do believe that consultants must have a fair understanding of:
- the main business processes in the mySAP Business Suite covering the Purchase to Pay Cycle, Order to Cash Cycle, Inventory Management, Accounting etc.
- SAP Basis Security covering User Management and Authorizations, Roles, Infrastructure Security, Netweaver Security, Single Sign-On in Heterogeneous Landscapes etc
- SAP tools like MIC, AIS, Compliance Calibrator etc
- regulatory requirements like SOX, JSOX, Basel II etc
- compliance frameworks like COSO, Cobit etc
- auditing standards like AS1, AS2, AS3, AS4 from SEC
- international accounting standards
- risk assessment and risk management in enterprises
- preventive, detective, corrective and deterrent controls to mitigate risks
The GRC initiative from SAP is definitely a step in the right direction. I do believe that exchange of ideas through this forum will be a catalyst to good governance and will definitely help organizations in meeting their compliance objectives.

Greetings to the Forum and Babu,
It is indeed a pleasure that SAP has started this forum and has heavyweights like Babu involved and participating.
SAP has been a front runner in the GRC space and is indeed doing a tremendous job to further the cause of a unified and holistic approach towards GRC; justifiably, the industry is perceiving the other players as laggards in this space.
I am attempting to provide a laundry list of all the resources available on the internet pertaining to GRC in general and SAP GRC in particular. I am passionate and committed to SAP GRC and would like to see this forum grow by leaps and bounds.
Generic information on GRC and regulations
1. http://www.isaca.org/ for CISA and Systems Auditing and a whole range of subjects in GRC
2. http://www.aicpa.org/ for SOX
3. http://www.sec.gov/ for SOX
4. http://pcaobus.org/ for SOX
5. http://www.theiia.org/ for Internal Audit
6. https://www.isc2.org/ for Security
7. http://www.sebi.gov.in/ for Clause 49
8. http://www.fsa.go.jp/ for J SOX
9. http://www.frc.org.uk/corporate/internalcontrol.cfm for Turnbull guidance on Internal control
10. http://www.osc.gov.on.ca/ for Bill 198/CSOX.
11. Apart from these there are numerous other regulations like KonTraG, FDA, RoHS, WEEE, all of which are part of the Governance, Risk and Compliance Ecosystem.
In my next post I will give a laundry list of all resources available for the SAP GRC ecosystem.
Thank you,
Happy blogging!

Similar Messages

  • How much is a GRC consultant paid per hour?

    I know that in USA, for FICO consultants the rate per hour is in the range of 100-150 dollars per hour. Will a GRC consultant get more than this or less?
    There is a qualification called CISA. Is this GRC in any way related to this?
    Is a GRC consultant involved in SOC compliance? What does he exactly do?

    Hi Suchita,
    This community is meant for technical and BPX discussion and not to discuss hourly rates. You may find them from a Google search.
    Rgds,
    Asok

  • Roles are not updating in the GRC 10.0 System.

    Hi
    We had created a Z role in the ECC system and ran the sync jobs in the GRC 10.0 system.
    But the role created in the backend system (ECC) was not updating in the roles of the GRC system.
    Can anyone provide the right solution?
    Thanks

    Hi Wipro Basis Team
    On running the sync job what are you expecting to occur when you say the roles are not updating in GRC System? I wonder if you are expecting a different outcome to the purpose of the sync jobs.
    Regards
    Colleen

  • Removing Role expert from the GRC Pad

    Hi Guys
    We are using three products of GRC, i.e. RAR, SUP and Compliance User Provisioning, but NOT the Role Expert. Is there any way that I can show only these three tools in the GRC pad and remove the Role Expert? At the moment it is greyed out but still there.
    Parveen

    Hi Praveen,
    All capabilities are integrated into Launch Pad which are part of VIRACLP****.ear file. And there is no way we can take it out for the current release.
    Best Regards,
    Sirish Gullapalli.

  • Access to update the GRC rule set is limited

    Hello - What is the process (tcode) to see who has access to update the GRC rule set?
    Thanks!

    Hi Sam,
    What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to Rule Architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule Architect to make changes to the rule set.
    The process to change a rule set is as below:
    1) Create Function
    2) Create risk
    3) Create Rule
    Regards,
    Alpesh

  • Responsibilities of the BPS consultant

    Hey BPS Gurus,
    I am actually a BI consultant but I got a new assignment for BPS.
    I am joining a BPS project for my company, and I would like to know the responsibilities of the BPS Consultant.
    I mean what kind of work he will do technically and functionally.
    Please help me
    Thanks in Advance
    Regards
    AK

    Hi,
    As a BPS Consultant: Configure the system by modeling different plans at different planning levels (e.g. Segment Wise, Division Wise, Product Wise etc.). Creating User Interfaces (Planning Folders / Web Interface Builder) for Planners / End Users.
    Planning Folders are configured as per the user / planner: we group sets of input / output layouts with variables used and planning functions for automatic planning.
    Implementation of Status and Tracking System for entering planning data for all the users involved in the planning session.
    We create planning functions and layouts for entering plan data or viewing on the basis of Functional Requirements given by the client strategic group / stakeholders.
    srin

  • Issue with Launch of the GRC 10.0 Data Export Application

    We are in process of upgrading our AC system from 5.3 to 10.0.
    As a prerequisite, we have upgrade our AC 5.3 system SP from SP9 to
    SP15.
    After this, we are trying to access the Datamigration tool from link:
    http://<hostname>:5<instance>00/webdynpro/dispatcher/sap.com/grc~acmigapl/GRC2010Migration
    as suggested in the migration guide.
    However we are getting below error:
    Application error occurred during request processing.
    Details:
    com.sap.tc.webdynpro.services.sal.core.DispatcherException: The
    requested deployable object 'sap.com/grc~acmigapl' and
    application 'GRC2010Migration' are not deployed on the server. Please
    check the used URL for typos.
    Exception id: [00145EC74D9A00510000007B0014E0AA0004ACE5DCE73B71]
    Please suggest if anyone has any idea about this error.

    You need to deploy the GRC2010Migration.sda file in the 5.3 system. This file is part of the 10.0 package you downloaded from SMP

  • Table to see the GRC request description

    Hello Experts,
    Do you know the table in which the GRC request description is stored? I checked GRAC* tables but couldn't find one.
    Thanks in advance
    Hari

    Hi Hari,
    If you are looking for the comments provided to requests, they are stored in the STXH table (as this is SAPscript); to read data from this table you need to use the READ_TEXT function (e.g. via SE37 -> Test module).
    Regards, Andrzej

  • Month activities pertains to the mm consultant

    Hi gurus,
    Can u plz explain the month activities the MM consultant has to perform. Here interfacing is also being carried out. You can give the valuable steps in my email Id.
    Please help me in this. This is an urgent requirement.
    Thanks in advance
    Prabhullachandran

    Hi,
    You will get lot of information in this forum with simple search.
    Ref the link below for eg.
    Need of Month end process (MMPV & MMRV).
    Regards
    K.M.Arun

  • Should Plus members of the Apple Consultants Network  get Leopard seeds?

    This was the best subforum I could think of to get an opinion on this. It is not Administration related obviously.
    Who thinks ACN Plus members should get OS X beta seeds much like developers?
    As Apple moves further and further into the business arena I think it is to the advantage of those of us who support these networks of machines to test the new OS releases much as developers do in planning the future of our environments. Other thoughts appreciated. Let Apple know!
        ACSA, ACTC, ACN

  • GRC AC Access Request

    Hello all!
    1 - We are implementing GRC AC for a client and this is our first project. Basically the client needs the default workflow to add new roles for a user (Change Account) with only one extra need: add a "Manager Approval". In this case, to concede a role for a user he needs 3 approvals: firstly the Manager Approval, and if he approves the request, then the "Role Content Approver" and "Assignment Approver" are requested. In my thoughts, probably we should add a new step for the "Manager Approval" in the workflow.
    I'm a little lost. Can someone clarify for me if I can do this through MSMP, BRF+? Am I thinking right? Any suggestion is really appreciated.
    Thanks in advance,
    SAP Legend

    Dear The True SAP Legend
    GRC component has a program in the IMG that automates the creation of the rules (including BRF+). The GRC300 and solutions encourage the use of decision tables. Within the GRC space some solution and steps have been posted for more complex BRF+ via use of decision tables. Once you start getting towards more complex rules, then having an ABAPer or a Workflow specialist would be of benefit. What takes you days may take them minutes. At the same time, if you're on a project and don't have resources available then the more you teach yourself the better you will be to deliver.
    MSMP is designed to be configured by the GRC consultant. Again, someone who can work with you to map out process flows for decision points will help you to identify the best way to create the initiator rule and route the requests.
    Regards
    Colleen

  • Role of functional consultants in GRC Process Control

    Can anybody provide his/her thoughts on the role played by functional consultants (especially FI, MM) in GRC Process Control assignments/projects?

    Hi Abhijeet,
    Process Control means controls to be implemented in a given Process.
    Now what is the Process?
    Flow of activities which can be tracked from one end to the other. Best example: Procure-to-Pay or Order-to-Cash.
    Procure to Pay is one process which starts with Procurement and involves MM-Purchase and FI-AP mainly. Similarly, the Order to Cash cycle starts from SD and stops at FI-AR.
    Controls in these processes have to be built at several stages, i.e., at sub-process levels. For instance, in Procure-to-Pay, more controls are required for vendor-related transactions: the person allowed to create a vendor should not be allowed to process the vendor. Internal control on duplicate invoices. Payment maintenance of the vendor, like bank details changes in Vendor Master, should be cross-checked by two-tier authorisation or the Composite Role method via Basis.
    Henceforth the functional consultants have more of a role to identify/design/implement the controls.
    There is no readymade tool so far to guide us as to what are the processes where we need the controls in SAP. It calls for pure expertise in the domain and vast exposure in building the controls.
    Most of the people are embedding controls today to comply with various regulations (SOX/J-SOX/COSO guidelines, etc.). Few are exercising it to avoid frauds.
    Let me know what is your actual concern and where exactly you are looking for the GRC Process Controls? Is it for Audit or for Implementation? Maybe then this forum can be more helpful.
    Regards,
    Sudhanshu
    My points....

  • GRC AC 10.0: Info about rejected roles in the CUP Email

    Hello all,
    the GRC component CUP seems to be technically mature in comparison to the Role Management component, but there is one thing where I am not sure, is it an error or did I miss some config parameters:
    When the CUP request is closed, the user gets an email (Template ID: GRAC_AR_CLOSE). Not all of the roles were approved, some of the roles were rejected. But the user gets an email where only the approved roles are listed:
    We would like to inform the user about the status of all roles in the CUP requests: which roles were approved and which roles were rejected. Is it possible to configure in MSMP Workflow?
    Right now we have the following setting:
    Thanks,
    regards Sabrina

    Hi Sabrina,
    To notify the requester of the roles which got rejected, you can try the Email notification template: GRAC_MSMP_ERM_REJECTED for the message class.
    You can create custom version of this template. For more understanding on how to customize the Email notification template, you can refer to: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3?QuickLink=index&…
    Hope this helps, Let us know if you face any issues.
    Regards,
    Ameet

  • What are the roles & responsibilites of consultant in SAP upgradation or mi

    Hello ,
    Would anybody please help me by providing the role & responsibilities of a consultant in an SAP upgradation or migration project. Thanks.
    Regards,
    Sampally

    Hello,
    If the project is a technical upgradation with no functionality changed, then the job of the ABAP consultant is critical, right from creating SPDD and SPAU, interfaces, debugging the new programs and fixing the bugs if any exist in the new programs. The functional consultant has to test the new system from a functional point of view; the functional consultant is responsible for taking the user acceptance test before going live on the new system.
    Regards,
    Vivek

  • What's the role of a Technical Consultant (ABAPer) in BPC/OutlookSoft?

    Experts,
    1) What's the role of a Technical Consultant (ABAPer) in BPC/OutlookSoft?
    2) Do ABAPers perform the Conversions/Transformations/Mappings etc?
    3) Are the data imports and exports done by ABAPers?
    NW

    >
    NW wrote:
    > Experts,
    >
    > 1) What's the role of a Technical Consultant (ABAPer) in BPC/OutlookSoft?
    > 2) Do ABAPers perform the Conversions/Transformations/Mappings etc?
    > 3) Are the data imports and exports done by ABAPers?
    >
    > NW
    Some of the planning functions require script writing or coding. An ABAPer is helpful in creating such code.
    In our scenario, ABAPers created the conversion/ transformation as per mapping prepared by the Functional Consultant.
    The functional / business users do upload and download of data (imports and exports) wherever required.
