All the challenges of risk management, compliance and governance in businesses. Our article presents the tools and best practices for implementing an effective GRC strategy. Optimize your business management and strengthen regulatory compliance with our practical guide.
28/03/2022
10 minutes read
The term GRC may not ring a bell, but it was coined in the early 2000s and is now unavoidable in the business world, in particular in the SAP ecosystem.
Think of Enron, the American energy company that went bankrupt in 2001 following speculative operations and a massive falsification of its accounts.
Would it have ended that way if the company had had a complete GRC approach? No one can know. Nevertheless, it would have changed the destiny of this large company.
Today, in a changing environment driven by the boom in modern technologies and innovations, companies must reorganize, anticipate possible risks, and comply with current regulations.
A GRC application within your SAP ERP is the ideal management solution to help you face these challenges.
GRC is part of business management. It refers to three specific ideas:
Governance covers all the tools implemented to lead and control your organization and its infrastructure, such as an ERP like SAP. Efficient governance involves controlling and coordinating resources and empowering employees.
Risk: there are always unpredictable actions or events that might delay or prevent you from reaching your goals. For a long time, the most important risks were financial ones (e.g. fraud or misappropriation of funds).
Today we must add all the risks linked to cybersecurity and malicious attacks over the internet. It is therefore very important to have a complete and efficient risk management program.
Compliance: whether you work in a start-up, an SME or a large company makes no difference: you have to be aware of the regulations in place.
Moreover, in recent years investors have put a lot of pressure on companies to make internal controls more regular and efficient, in order to improve stakeholder confidence. Otherwise, you could be exposed to sanctions such as substantial fines.
Thus, GRC is the general term for all the measures and processes that help companies achieve their control objectives, identify possible risks and correct them, while respecting applicable laws and rules.
GRC is based on controls and audit logic. It can take various forms, such as supervising daily operations and processes, or complete dashboards. Software can provide a complete GRC Access Control solution.
In theory, every solution should supply a detailed report on the compliance process, thanks to real-time risk mapping. Analysing this map gives many options for decision-making and ensures better productivity for the company.
Even if you don't know it yet, your current company is already aligned with a GRC framework. However, that framework may operate haphazardly across many software products, with dashboards that don't even integrate. It is necessary to get a clear picture of what you have.
Then, think about your targets and requirements to bring to light the business processes that could be most affected by risk and compliance issues. The only way for your decision-makers to choose the appropriate GRC approach in SAP ERP for your company is an evaluation of deficiencies and security holes.
The process can take a long time and can be expensive. Despite this, it is a long-term investment. An efficient GRC solution adapted to your company will help your employees and managers focus on the development and productivity of the company.
VASPP offers certified solutions which improve the use of your current SAP GRC Access Control tool.
Once you have selected your GRC solution and identified your security roadmap (e.g. SAP GRC Access Control, one of the most popular tools today), you only have to implement it within your company. This involves:
Management and evaluation of risks are mandatory. You will always have some potential threats; a company can't eliminate them all. Good prioritization lets you understand better what you have to do (separation of duties, sensitive access tracking, workflow activation) and also demonstrate the impact of each risk on the organization.
This ranking should be shared with decision-makers in order to ensure optimal investment from all stakeholders. It triggers the decision process to identify what you have to protect and where you have to free up resources.
Thus, the relationship between decision-makers and the other members of the organization must be lasting and based on trust. Leadership is one of the keys to successful change. It includes the following actions:
The answer is simple: everybody can take part in a successful adoption of GRC. Governance, risk and compliance elements spread from the top level of the organization down to departments and work teams.
Board members are not responsible for addressing every detail of risk management; however, high-level tracking of risk management must be a critical part of their key indicators. SoD monitoring should be part of it, as well as controlling global risks and process compliance.
We can classify companies according to three levels of maturity:
Nowadays, most companies fall into the first two levels of maturity: either they work only with manual processes and correct issues when they appear, or they do the same with the assistance of tools like SAP GRC Access Control.
Only a few companies have rolled out a preventive approach, with deep and complete automated rules, using GRC Process Control and Risk Management tools.
In terms of SAP Access Control and cybersecurity management for cloud access (SaaS), there remain several gaps to fill to cover this type of access rights and authorizations.
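To make the difference between the detective and preventive maturity levels concrete, here is an added example of a minimal SoD risk check (an illustration written for this article, not VASPP's or SAP GRC Access Control's code): `scan_users` is the detective pass over existing assignments that finds conflicts after the fact, while `simulate_request` is the preventive check an access-request workflow would run before provisioning. The ruleset, roles and users are constructed sample data, and the transaction codes are only illustrative.

```python
# Added illustration, not VASPP's or SAP's code. Ruleset, roles and users below
# are constructed sample data; transaction codes are illustrative SAP t-codes.

# SoD ruleset: risk id -> (rating, conflicting function A, conflicting function B).
SOD_RULES = {
    "P001": ("High", "Maintain vendor master", "Execute payment run"),
    "P002": ("Medium", "Create purchase order", "Post goods receipt"),
}
# Transactions that grant each business function.
FUNCTION_TCODES = {
    "Maintain vendor master": {"FK01", "FK02"},
    "Execute payment run": {"F110"},
    "Create purchase order": {"ME21N"},
    "Post goods receipt": {"MIGO"},
}
# Role catalogue: role -> transactions it grants.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FK02", "MIRO"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_PURCHASER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
}
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def sod_violations(roles):
    """Return the (risk_id, rating) pairs that this combination of roles violates."""
    tcodes = set().union(*(ROLE_TCODES.get(r, set()) for r in roles))
    return [(rid, rating) for rid, (rating, fa, fb) in SOD_RULES.items()
            if tcodes & FUNCTION_TCODES[fa] and tcodes & FUNCTION_TCODES[fb]]

def scan_users(assignments):
    """Detective level: scan existing user/role assignments and report
    violations per user, worst rating first."""
    report = {}
    for user, roles in assignments.items():
        hits = sod_violations(roles)
        if hits:
            report[user] = sorted(hits, key=lambda h: RATING_ORDER[h[1]])
    return report

def simulate_request(current_roles, requested_role):
    """Preventive level: run the ruleset on an access request *before*
    provisioning; returns only the new risks the requested role would introduce."""
    before = set(sod_violations(current_roles))
    after = set(sod_violations(list(current_roles) + [requested_role]))
    return sorted(after - before)

# Constructed user assignments for the demo.
USERS = {"alice": ["Z_AP_CLERK", "Z_AP_PAYMENTS"], "bob": ["Z_PURCHASER"]}
```

A real ruleset also carries the fraud scenario and control objective for each risk, so that a reported hit can be mitigated or accepted with a documented justification rather than simply rejected.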
Regardless of the size of your company, active practice of GRC is compulsory. Obviously, it won't look the same in a small company as in a very large enterprise.
For example, according to a 2009 study published by the French anti-corruption agency (in La fonction conformité anticorruption dans l'entreprise), 72% of CAC 40 companies had created a compliance function within their organization.
Some are totally independent, whereas others are attached to risk management and internal control. This trend reflects a maturing of companies.
In smaller companies, it is most often the legal department that is in charge of compliance, and sometimes the financial department. This can have drawbacks, as these people are not used to interacting with other departments (internal control, human resources, IT, etc.).
Considered the central element of a company today, GRC takes different forms. Nevertheless, it needs to follow certain rules and can be optimized.
To understand the process better, we would advise obtaining one of the various certifications. They will also help you get a clearer picture of the existing options.
There are all kinds of certifications on the market, each with its own characteristics. Here is our list of five certifications:
These certifications target all IT professionals, security specialists, business analysts and, of course, compliance officers. Some may only interest one specific position, such as the CRMA for risk managers.
Until the beginning of the 90s, GRC wasn't really recognized by law. The first two internal control frameworks came from the United States: COSO (Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technology), created in 1992 and 1993 respectively, were the first true frameworks for internal control and its audit evaluation.
Finally, in France, the major financial scandals of the 2000s led to the creation of one institution and the passing of two laws that still govern GRC today:
At VASPP, we do everything we can to assist and support your company in implementing GRC solutions aligned with your risk and control needs.
Our GRC add-ons for SAP GRC Access Control offer practical, efficient, and optimized solutions for access management and risk analysis, making it easier for end-users and GRC managers to work while improving the security and governance of your company.
These add-ons include features such as access request management, SoD risk analysis, detailed documentation for each risk with fraud scenario and control objective, validation of privileged access, and more.
To learn more, visit our dedicated page for GRC Access Enforced.
Our solution provides a comprehensive and detailed view of the risks and security best practices within the company. It provides dashboards and audit reports to help companies better understand and analyze risks. It also allows accurate monitoring of SoD risks and efficient management of the permissions granted to users.
In addition, it provides clear and transparent tracking of access requests, as well as of emergency activities carried out via FireFighter.
Find out more about our GRC Smart Analytics solution.