What is your approval process in your company?
Do you have a formal change control process that tracks all these changes and the approval process?
Are approvers assigned based on a particular role, on risk, or just by team?
What is the risk tolerance policy for risks within users and roles?
How do you document exceptions, and where are they documented?
What is the process for periodic monitoring and review?
Who approves assigning a mitigating control, and what is the policy on monitoring the mitigating control?
Who defines the risks/functions and approves changes to them?
How do you manage the transactions within functions, i.e. which transactions are enabled or disabled?
What is the process to identify new functionality added to the system, such as new transactions, new modules or custom objects?
How do you perform impact analysis of new additions, and what is the process for updating the rule set?
How often do you review changes to the rule set and compare them against the approved changes?
What is your policy on managing SU24, and what is its impact on the SAP GRC rule set?
Do you compare transactions that are inactive in the rule set but active in roles?
Which transactions have been added specific to your industry or line of business, or do you just use the default rule set?
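The rule-set questions above (transactions enabled or disabled within functions, inactive actions in the rule set versus active transactions in roles, and cross-role risks at the user level) can be made concrete with a small check. The script below is an added example and is not part of the original questionnaire or of SAP GRC; the rule set, risks, roles and users are constructed samples, and the role-to-transaction shape mirrors an export of table AGR_TCODES. It works at transaction-code level only; a production SoD analysis also evaluates the authorization objects proposed via SU24, which this example does not model.

```python
"""
Added example (not from the original page): cross-check an SAP GRC Access
Control style rule set against role-to-transaction assignments.

All data below is constructed for illustration. In practice the rule set
would be exported from GRC and the role assignments from AGR_TCODES.
"""

# Constructed rule set: function -> {transaction code: active in rule set?}
RULESET = {
    "PR01_CREATE_VENDOR": {"XK01": True, "FK01": True, "MK01": False},
    "AP01_PAY_VENDOR":    {"F110": True, "F-53": True},
    "MM01_CREATE_PO":     {"ME21N": True, "ME21": False},
    "MM02_POST_GR":       {"MIGO": True, "MB01": False},
}

# Constructed SoD risks: risk id -> set of functions that conflict when combined
RISKS = {
    "P001": {"PR01_CREATE_VENDOR", "AP01_PAY_VENDOR"},
    "P002": {"MM01_CREATE_PO", "MM02_POST_GR"},
}

# Constructed role -> transactions (shape of an AGR_TCODES export)
ROLES = {
    "Z_AP_CLERK":   {"FK01", "F-53", "FB60"},
    "Z_BUYER":      {"ME21N", "ME23N"},
    "Z_WAREHOUSE":  {"MIGO", "MB01"},
    "Z_SUPER_USER": {"XK01", "F110", "ME21", "MIGO"},
}

# Constructed user -> roles (hypothetical user IDs)
USERS = {"jdoe": ["Z_BUYER", "Z_WAREHOUSE"], "asmith": ["Z_BUYER"]}


def inactive_but_assigned(ruleset, roles):
    """Transactions flagged inactive in the rule set yet present in a role.

    These are blind spots: GRC will not report a risk through them, but the
    role still grants the transaction.
    """
    inactive = {t for actions in ruleset.values()
                for t, on in actions.items() if not on}
    return {role: sorted(tcodes & inactive)
            for role, tcodes in roles.items() if tcodes & inactive}


def functions_covered(ruleset, tcodes, include_inactive=False):
    """Functions enabled by a set of transactions.

    Inactive actions are ignored, as GRC would, unless include_inactive is set.
    """
    covered = set()
    for func, actions in ruleset.items():
        for t, on in actions.items():
            if t in tcodes and (on or include_inactive):
                covered.add(func)
    return covered


def sod_violations(ruleset, risks, assignments, include_inactive=False):
    """Risks fully enabled within a single assignment (a role or a user).

    assignments maps a name to the set of transactions it holds.
    """
    violations = {}
    for name, tcodes in assignments.items():
        funcs = functions_covered(ruleset, tcodes, include_inactive)
        hits = sorted(r for r, needed in risks.items() if needed <= funcs)
        if hits:
            violations[name] = hits
    return violations


def user_tcodes(roles, users):
    """Union of transactions each user holds across all assigned roles."""
    return {u: set().union(*(roles[r] for r in rs)) for u, rs in users.items()}


if __name__ == "__main__":
    print("inactive in rule set but assigned:", inactive_but_assigned(RULESET, ROLES))
    print("role-level risks (as GRC sees them):", sod_violations(RULESET, RISKS, ROLES))
    print("role-level risks incl. inactive actions:",
          sod_violations(RULESET, RISKS, ROLES, include_inactive=True))
    print("user-level risks across roles:",
          sod_violations(RULESET, RISKS, user_tcodes(ROLES, USERS)))
```

Running it shows the two effects the questions are probing for: Z_SUPER_USER only surfaces risk P002 once the inactive action ME21 is counted, and jdoe triggers P002 only at user level because the conflicting functions are split across two individually clean roles.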
The primary focus of this SAP GRC audit is to implement and manage user access controls within SAP and other business systems through the SAP GRC Access Control module. As part of the audit process we also perform risk assessments and execute tests of the SAP system to ensure proper access controls, segregation of duties, and adherence to our security policies, and we test for adherence to standard work for operational security of the SAP environments.