Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

5 Astonishing Truths about GRC in SAP Environments

  • Font size: Larger Smaller
  • Hits: 10099
  • Print

Here are 5 amazing facts based on our vast experience with SAP customers required to maintain SOX compliance, GRC consultants and auditing firms. 


1. The focus is on compensating controls much more than on eliminating risk.

…and it should be the opposite. 

Many people, when they do find an SoD Conflict, don’t want to solve it for two reasons – either they’ll have to reduce the number of authorizations for the user, which will upset the user, or they’ll have to consult with external consultants, which is expensive. Focusing on compensating controls is the “more comfortable” solution for those who don’t want to face confrontation with their users and auditors.

Instead, they’ll apply a compensating control. An example of this would be a report detailing all the people who create vendors and pay those vendors, and having the report approved. But what’s ironic here is that over time, in many cases, the approval process takes much more time (i.e., more costs), than solving the conflict would have taken, and the risk is not removed.

For those that do want to actually solve risk, ask us about ProfileTailor ConflictResolver – it’s the effective and pain-free solution.

2. Many times, the only people that really care about eliminating GRC risks are Risk Assessment Managers and Auditors.

Like ISO standards, GRC is there for good reason. It decreases the chance of fraud and makes for good business processes.

Nonetheless, most people treat it like the dentist. They whine and complain and put it off until it’s time for the appointment. And then 10 minutes before, they’ll floss for the first time in six months. Or, in the case of SOX compliance, they might take out Power Users with SAP_ALL right before the audit and then put them back in right after. They just want to get through the audit. Shocking. 

One would expect that people would treat GRC more seriously and with better manners. Remember, the regulations weren’t written to make life miserable, but for the greater good.

For more information regarding controlling GRC and SoD in your organization, see this post.

3. After go-live, own developments are not treated properly.

When a company develops a new activity, like handling invoices, for instance, it needs to be put in the right activity group. However, if the GRC project is already in place and the implementation is already over – it usually isn’t. Most people set groups of activities in the initial GRC project’s implementation and do not maintain them regularly, typically because they’ve forgotten about them. The results? Potential hidden violations to Segregation of Duties rules.

It’s vital to add and update groups of activities over time, but it’s nearly impossible to remember to do this on your own. That’s why we have alerts about new T-Codes in the production system – so the T-code will be noticed, and one can consider if it’s relevant to any of the groups they’re maintaining.

4. Getting a high-priced GRC solution without inspecting the implementation and maintenance costs is a mistake.

If you think getting a free lunch will put a feather on your cap, remember there’s no such thing as a free lunch. 

Getting a “free” high-priced GRC solution and not considering implementation time and overall costs is like getting a huge Turnpike Truck with two 48 ft. trailers (maximum weight up to 147,000 lbs. or 67,000 kg) for free and forgetting its outrageous fuel consumption and enormous maintenance costs. You’ll discover that it’s an especially expensive toy if you just need to handle regular tasks. Plus, it might take a year and cost a fortune to even get it to your garage in the first place.

You may just find that paying for a more efficient GRC solution upfront may be a better choice from the standpoints of implementation time, the chances of going live successfully, and overall costs.

5. Even large organizations only need about 60 effective SoD rules.

We learned this amazing fact from our consulting firm partners. Customers tend to think that as they get bigger they need more rules for SoD, and this is not necessarily correct. 

If companies are managed properly, the main business processes, like issuing an invoice or paying a vendor are not so different between large enterprises and small organizations. So, if you define the SoD rules well, their number shouldn’t grow even if the organization grows. 

Sure, large enterprises are more complex by nature and have more “activities” to operate, but the activities still fall into the same “activity groups” that a smaller company might use. Pick your GRC consultants carefully and inspect your SoD rules thoroughly to see that they fit your organization’s needs. Don’t over complicate the process because it will get cumbersome and excessively costly.

What are your thoughts on these points? Please leave a comment below.

Xpandion is the leading provider of GRC software solutions for ERP. If you have any questions or concerns about your GRC, contact us now.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.


  • Guest
    Denis Lipov 07/09/2014

    Very relevant observations. Another interesting practice is to "hide" SOD risk through defining it as intersection of three or more activity groups. Such risks are rare and does not "bother" while SOD risks on intersection of two of three activity groups are not identified and therefore are not prevented.

  • Guest
    Debra Greenstein 07/09/2014

    Hi Denis, Very true. Thank you for your comment.

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in Security & AuthorizationsPosted by Dror Aviv

My Bonnie Lies Over The Ocean. Which SAP Authorizations Should He Have?

Many small and medium sized companies struggle with this challenge. Let’s say they have a sales representative who’s located in another country. Which authorizations should he get? Should he have access to the SAP system at all? If so, should he be allowed to only see SAP reports (“view only”) or sh...
in Security & AuthorizationsPosted by Dror Aviv

Eliminating the Wrong Guy…

A couple of years ago, we included a “Lock User” button feature into our security product. If you received a “very high” alert, you could log into the system, catch the fraud in action, press the “Lock User” button and prevent the thief from stealing. Bam…. you’re the hero.


in Security & AuthorizationsPosted by Yoav Michaeli

Hooray! We Caught a Thief!

This is a true story from last week – an Xpandion expert received a phone call from one of our European clients, claiming they just received a High Risk Irregular Behavior alert pertaining to unauthorized access of salary information. After a quick investigation using ProfileTailor™ Dynamics, it was...
in Security & AuthorizationsPosted by Dror Aviv

Take Your Hands off of SAP T-Code SU01!

In many organizations, the access to the sensitive SAP T-Code SU01 is much wider than needed. Let's explore why.



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India