
GRC Compliance: Better to Play Defense or Offense?


When it comes to handling GRC conflicts, is it better to use an alerting tool or a simulation tool? Both deal with conflicts, but one is predictive and the other reports after the fact. There is no single answer; the key is to use them in combination to ensure a smooth process and a clean GRC audit report.


The inception of GRC and SoD

When GRC, and in particular Segregation of Duties (SoD), first became a regulatory concern, the rules were simple to understand. A rule names functions that must not be executed by a single user, because holding them together creates an “SoD conflict.” For example, put “Create Purchase Order” and “Approve Purchase Order” together in one rule and check which users hold both functions: the result is a list of users who violate that SoD rule, and each case must then be resolved or explained (i.e. “mitigated”).

Authorizations are not static and neither are violations

Authorizations are not static. As users are promoted or change positions within the organization they are granted more authorizations, so the set of violations is not static either. Organizations that check their SoD violations only every six months or once a year are surprised to discover, audit after audit, that their inspection reports contain new SoD violations.

So people got smart and built a tool that simulates granting authorizations to users. The tool holds all the SoD rules and checks a proposed grant against them before the authorization is actually given (the simulation). If the simulation shows that the grant would violate one or more SoD rules, the authorization is withheld and the organization stays free of additional violations.

So why doesn’t this work on its own? In many cases people ignore the simulation: either they don’t run it, or they run it and disregard the result. A control that depends on every administrator running it every time is simply not dependable enough.

Defense and offense together

If the organization truly wants to defend itself, it also needs something that constantly scans all existing authorizations and alerts on new SoD violations. Then, even if a user manages to bypass or ignore the simulation, the system will flag the newly created violation and someone will have to be accountable for it.
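The three mechanisms described above (an SoD rule as a set of functions no single user may hold together, a pre-grant simulation, and a periodic scan that alerts only on new, unmitigated violations) fit in a small model. This is an added example, not code from the original post or from Xpandion's product; the rule names, role names, function names and users are made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    """An SoD rule fires for a user who holds every function in `functions`."""
    name: str
    functions: FrozenSet[str]


# Constructed sample rules (hypothetical names, not from any real rule set).
RULES: List[SodRule] = [
    SodRule("PO-create-vs-approve",
            frozenset({"Create Purchase Order", "Approve Purchase Order"})),
    SodRule("vendor-vs-payment",
            frozenset({"Maintain Vendor Master", "Post Vendor Payment"})),
]

# Constructed role -> functions mapping. Users are granted roles; the SoD
# check works on the functions those roles resolve to.
ROLES: Dict[str, Set[str]] = {
    "BUYER":        {"Create Purchase Order", "Display Purchase Order"},
    "PO_APPROVER":  {"Approve Purchase Order", "Display Purchase Order"},
    "VENDOR_ADMIN": {"Maintain Vendor Master"},
    "AP_CLERK":     {"Post Vendor Payment", "Display Vendor Master"},
}

Violation = Tuple[str, str]  # (user, rule name)


def effective_functions(user_roles: Set[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the functions granted by all of a user's roles."""
    held: Set[str] = set()
    for role in user_roles:
        held |= roles.get(role, set())
    return held


def find_violations(assignments: Dict[str, Set[str]],
                    roles: Dict[str, Set[str]],
                    rules: List[SodRule]) -> Set[Violation]:
    """Detective check: every (user, rule) pair where the user holds all functions of the rule."""
    found: Set[Violation] = set()
    for user, user_roles in assignments.items():
        held = effective_functions(user_roles, roles)
        for rule in rules:
            if rule.functions <= held:
                found.add((user, rule.name))
    return found


def simulate_grant(user: str, new_role: str,
                   assignments: Dict[str, Set[str]],
                   roles: Dict[str, Set[str]],
                   rules: List[SodRule]) -> Set[str]:
    """Preventive check: rule names the user would NEWLY violate if `new_role` were added.

    Rules the user already violates are not reported again, so the caller
    sees exactly what this grant changes.
    """
    current_roles = assignments.get(user, set())
    before = {r for (_, r) in find_violations({user: current_roles}, roles, rules)}
    after = {r for (_, r) in find_violations({user: current_roles | {new_role}}, roles, rules)}
    return after - before


def scan_for_new_violations(baseline: Set[Violation],
                            current: Set[Violation],
                            mitigated: Set[Violation]) -> Set[Violation]:
    """Alerting: violations present now, absent at the last scan, and not formally mitigated.

    Running this on a schedule catches grants that skipped the simulation.
    """
    return (current - baseline) - mitigated


if __name__ == "__main__":
    # Constructed user -> roles assignments.
    assignments = {"alice": {"BUYER"}, "bob": {"VENDOR_ADMIN", "AP_CLERK"}}
    baseline = find_violations(assignments, ROLES, RULES)
    print("baseline:", baseline)                       # bob already conflicts
    print("simulate:", simulate_grant("alice", "PO_APPROVER", assignments, ROLES, RULES))
    # Someone ignores the simulation result and grants the role anyway.
    assignments["alice"].add("PO_APPROVER")
    current = find_violations(assignments, ROLES, RULES)
    mitigated = {("bob", "vendor-vs-payment")}          # explained and accepted by the auditor
    print("alerts:", scan_for_new_violations(baseline, current, mitigated))
```

The simulation reports only what a single grant would add, which is what an approver needs to decide on that request; the scan compares the whole current state against the last run and the list of accepted mitigations, so a grant that skipped the simulation still surfaces as an alert, while a known, mitigated conflict does not keep firing.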

Staying clean

The concept of “Staying Clean” from SoD violations has been embraced by many, including all of the Big Four consulting firms. Staying clean is achieved with a combination of predictive tools (simulation before a grant), alerting tools (alerts on violations after a grant), and conflict resolution (mitigation of the violations that remain).

Have you implemented an alerting tool for your GRC demands? See how ProfileTailor Dynamics can help you with your GRC.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


