Xpandion Blog


GRC Compliance: Better to Play Defense or Offense?


When it comes to handling GRC conflicts, is it better to use an alerting tool or a simulation tool? Both manage conflicts, but one is predictive and the other acts after the fact. There is no single solution; the key is to use them in combination to ensure a smooth process and a clean GRC audit report.


The inception of GRC and SoD

When GRC and particularly Segregation of Duties regulations first arose, they were very simple to understand. There were rules about functions that couldn’t be executed by a single user because they would then create an “SoD Conflict.” For example, if you put “Create Purchase Order” and “Approve Purchase Order” together in a rule and use this rule to check for users that have both of these functions together, the results will be a list of users who violate this SoD rule and the situation should be resolved or explained (i.e. “mitigated”).

Authorizations are not static and neither are violations

Authorizations are not static: as users progress or change positions within the organization, they are granted more authorizations. This means that the violations aren’t static either. Organizations that check their SoD violations only every six months or every year are surprised to discover, audit after audit, that their inspection reports contain new SoD violations.

So, people got smart. They created a tool that simulates granting authorizations to users. The tool holds all the SoD rules and checks, before any authorization is actually granted, whether granting it to the user would break a rule (the simulation). If the simulation results in a violation of one or more SoD rules, the authorization is not granted and the organization stays clean of additional violations.

Now, why doesn’t this work on its own? In many cases people ignore the simulation – either they don’t perform it or they disregard the results. Because it depends on people running it and acting on its output, simulation alone is not dependable enough.

Defense and offense together

If the organization truly wants to defend itself, it must have something that constantly scans all existing authorizations and alerts about new SoD violations. This way, even if a user manages to bypass or ignore the simulation process, the system will alert about any newly created violation, and someone will have to be accountable for it.
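The three mechanisms described above (an SoD rule as a pair of functions, a pre-grant simulation, and a continuous scan that alerts only on newly created violations), as an added example that is not part of the original post or of the ProfileTailor product; the rule ids, the second rule and the user data are constructed for illustration:

```python
# Constructed sample SoD rules: each rule names two functions that a single
# user must not hold together (the pair from the article plus an assumed one).
SOD_RULES = [
    ("SOD-01", "Create Purchase Order", "Approve Purchase Order"),
    ("SOD-02", "Maintain Vendor Master", "Post Vendor Invoice"),
]


def violations(authorizations):
    """Return the ids of the rules violated by one user's set of functions."""
    return sorted(rule_id for rule_id, a, b in SOD_RULES
                  if a in authorizations and b in authorizations)


def scan(users):
    """Alerting side: inspect every user's current authorizations and return
    {user: [violated rule ids]} for the users with at least one violation."""
    return {user: v for user, funcs in users.items() if (v := violations(funcs))}


def simulate_grant(users, user, new_functions):
    """Predictive side: compute which rules would be *newly* violated if
    new_functions were granted to user, without changing anything.
    An empty list means the grant is clean and may proceed."""
    current = set(users.get(user, set()))
    before = set(violations(current))
    after = set(violations(current | set(new_functions)))
    return sorted(after - before)


def new_violations(previous_scan, current_scan):
    """Compare two scans and report only violations absent from the previous
    one, so a grant that bypassed the simulation still surfaces as an alert
    that someone has to be accountable for."""
    alerts = {}
    for user, rules in current_scan.items():
        fresh = sorted(set(rules) - set(previous_scan.get(user, [])))
        if fresh:
            alerts[user] = fresh
    return alerts


# Constructed sample authorization data; bob already holds a known conflict.
USERS = {
    "alice": {"Create Purchase Order", "Display Purchase Order"},
    "bob": {"Maintain Vendor Master", "Post Vendor Invoice"},
}
```

Running `scan(USERS)` gives the baseline; a later scan diffed against it with `new_violations` is the alert feed, while `simulate_grant` is the gate that should run before any role change is saved.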

Staying clean

The concept of “Stay Clean” or “Staying Clean” from SoD violations has been embraced by many, including all of the Big Four consulting firms. Staying clean from SoD violations is achieved with a combination of predictive tools (i.e. simulation), after-the-fact alerting tools (i.e. alerts), and conflict resolution.

Have you implemented an alerting tool for your GRC demands? See how ProfileTailor Dynamics can help you with your GRC.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.

