
Re: SAP GRC Ruleset update


Hi Kevin,

Just out of curiosity, if the business does come to the SAP GRC consultant for advice on the update of a ruleset, and whether they can advise on it, should they answer back by pointing at the internal auditors?

Your organisation needs to define the roles and responsibilities for managing risk (such as a RACI model). Define who maintains the ruleset, who executes the reports, who reviews them, etc.

My final point: can we just ignore the ruleset and not update it, as the transactions are already in our existing ruleset which went live 6 months ago?

It's not a case of ignoring it or not. SAP provides the updates, and this is most likely when they identify a new risk or changes to an existing one. This could be driven by:

  • new functionality - SAP builds a new program and transaction code
  • change in code - a development change adds additional authorisation checks that strengthen the security. If you have that transaction in scope you may want to check your function definition to reduce false positives if users do not have access
  • general review - they find other combinations or continue to tweak

The ruleset is a starting point or guideline. Depending on what your company has done, your ruleset will be different, as it all depends on what you have implemented. You may have inherent system controls that remove the risk already and therefore do not need to report on it.

Really, you're not ignoring the update - you review it and determine if it is applicable to your system.

Regards

Colleen