
Creating Organizations

You can create an organization to group or define business units.

Procedure
1. Based on the version of the application you have licensed, open the Organizations screen as follows:
• From the Setup work center, choose Organizations.
• From the Master Data work center, choose Organizations.
The Organizations screen appears.
2. Choose Add, and then choose New.
3. Choose Create New Organization and then choose OK.
The Create Organization window appears.
4. Enter information in the required fields.
• Name
• Valid From
• Valid To
• Currency
5. Choose Save.
The organization that you created is added to the list on the Organizations screen.

Mitigating Controls
You can use Mitigating Controls to associate controls with risks, and assign them to users, roles, profiles, or HR
objects. You can then define individuals as control monitors, or approvers, and assign them to specific controls. You
can also create organizations and business processes to help categorize mitigating controls.
Using the Mitigating Controls section, you can complete the following tasks:
• Create mitigating controls (that you cannot remove)
• Assign mitigating controls to users, roles, and profiles that contain a risk
• Establish a period of time during which the control is valid
• Specify steps to monitor conflicting actions associated with the risk
• Create administrator, control monitors, approvers, and risk owners, and assign them to mitigating controls

Creating Mitigating Controls


You can use Mitigating Controls to associate controls with risks, and assign them to users, roles, profiles, or HR
objects.
Procedure
1. Choose Mitigating Controls > Mitigating Controls.
The Mitigating Controls screen opens.
2. Choose the Create push button.
3. In the Mitigating Control ID field, enter a unique alphanumeric identification for the mitigating control ID.
4. In the Name field, enter a short description for the mitigating control.
5. In the Description field, enter a long description for the mitigating control.
6. In the Organization field, enter or select an organization.
7. In the Process field, enter or select a business process.
8. In the Subprocess field, enter or select a subprocess for the business process.
9. In the Associated Risks tab, choose Add Row to add an Access Risk ID and Rule ID.
10. In the Owners tab, choose Add Row to add Approvers and Monitors.
11. In the Reports tab, choose Add Row to add the System, Action, Monitor, and Frequency.
12. Choose Save.

Rule Setup
The Rule Setup work center provides a central location to create and manage rules to mitigate access request risks.

Note
The Rule Setup work center is shared by the Access Control, Process Control, and Risk Management products in the
GRC 10.0 application. The menu groups and quick links available on the screen are determined by the applications
you have licensed. The content in this topic covers the functions specific to Access Control. If you have licensed
additional products, such as Process Control or Risk Management, refer to the relevant topics below for the
application-specific functions.
The Rule Setup work center contains the following sections:
• Access Rule Maintenance
• Critical Access Rules
• Exception Access Rules
• Generated Rules

Rule Setup
The Rule Setup work center is shared by the Access Control, Process Control, and Risk Management products in the
GRC Application. The menu groups and quick links available on the screen are determined by the applications you
have licensed. The content in this topic covers the functions specific to Process Control. If you have licensed
additional products, such as Access Control or Risk Management, refer to the relevant topics below for the
application-specific functions.
The Process Control Rule Setup work center provides links to the following areas:
• Continuous Monitoring
• Scheduling
• Legacy Automated Monitoring
• Reports

Continuous Monitoring
Depending on the products you have licensed, the Continuous Monitoring section of the Rule Setup work center
gives you access to the following:
• Data Sources
• Business Rules
• Business Rule Assignment

Creating and Changing Data Sources


A data source is a set of fields that provides the information for Continuous Monitoring. From a technical viewpoint,
the data source is a set of logically-related fields that retrieve a flat structure from a system, such as an ERP system,
that is monitored.

Data sources supply the metadata description of source data. They extract the data description (including name, type,
and a source path) from a source system. They are the foundation to create a Continuous Monitoring business rule.
• Data source — records what is monitored, and where and how to load the information.
• Business rule — contains information about how to filter the data and detect deficiencies.
The subscenarios of the data source are the following:
• ABAP Report
• SoD Integration
• BW Query
• Configurable
• Event
• External Partner
• Process Integration
• Programmed
• SAP Query
• HANA
Integration
To perform this function, you must be assigned to the Data Source Specialist role. Different subscenarios require
different prerequisites.

Subscenario: ABAP Report
Create and Register Connection: X
Other Prerequisites: Qualify and register reports by transaction code /n/GRCPI/OVERVIEW in the ERP system.

Subscenario: SoD Integration
Create and Register Connection: No connector required.
Other Prerequisites: SAP Access Control has been activated.

Subscenario: BW Query
Create and Register Connection: X
Other Prerequisites: The BW query exists with the following rules:
• The BI characteristics must be arranged in the rows area.
• The BI key figure must be arranged in the columns area.
• Only Single Value and Selection Option Filters are supported.
• The filter has to be set to optional.
• There are no aggregation rows in the query output.

Subscenario: Configurable
Create and Register Connection: X
Other Prerequisites: GRC plug-in (RTA) is installed on the ERP system.
Note
SAP ERP 4.6 C and below are not supported. These connectors are not shown in the list.

Subscenario: Event
Create and Register Connection: No connector required. You are receiving the event from another system.
Other Prerequisites: Define the event definition in the Customizing activities.

Subscenario: External Partner
Create and Register Connection: X
Other Prerequisites: For external partners who implement a Web service based on the Web Service Definition
Language (WSDL) provided by SAP. Create a logical port.

Subscenario: Process Integration
Create and Register Connection: No connector required.
Other Prerequisites: Process Integration development is done. The proxy must contain both import and export
parameters.

Subscenario: Programmed
Create and Register Connection: X
Other Prerequisites: GRC 10.0 plug-in is installed in ERP.

Subscenario: SAP Query
Create and Register Connection: X
Other Prerequisites: SAP query (not implemented by logical database). Use transaction code SQ01 to choose a
valid query.

Subscenario: HANA
Create and Register Connection: X
Other Prerequisites: HANA DB is ready. The connection between the GRC system and the HANA DB needs to be
established. See SAP Note 1597627 for details. This subscenario can only consume
Calculation Views stored in the HANA DB. These views should be prepared already.

1. Choose Rule Setup > Continuous Monitoring > Data Sources. The Data Source List screen
displays.
2. Choose one of the following options:
• Create — Use this option to create a data source.
• Open — Use this option to view or edit an existing data source. You cannot change a data source that a
business rule is using.
• Delete — Use this option to delimit a data source. You cannot delete a data source a business rule is using.
• Copy — Use this option to copy an existing data source and change it.
3. On the General tab, enter or edit the parameters as shown in the following table:

Parameter: Instructions

Data Source (required): Name the data source.

Description: Enter the description or purpose of the data source.

Valid From (required): Enter the start date for the validity period of the data source.

Valid To (required): Enter the end date for the validity period of the data source.
Note
The Valid To date must be later than the Valid From date.

Status: Select the data source status from the dropdown menu. You can select one of the following options:
• New – The data source is a draft. From this status, you can only change it to In Review.
• In Review – The data source is in review. From this status, you can only change it to Active.
• Active – Once a data source is Active, you can assign it to a business rule. You can set the status to In
Review to make any changes. From this status, you can change it to Inactive or In Review.
• Inactive – The data source is no longer in use. From this status, you can only change it to In Review.
Note
A data source must be Active before you can assign a business rule to it.

Search Term: Enter a term to search for a data source.
Example
You can search for data sources that are classified with search terms, such as SOX or FDA.

4. On the Object fields tab, enter or edit the parameters as shown below:

Parameter: Instructions

Subscenario: Name the subscenario and connection type of the data source. The connection type is automatically
entered if there is only one connection type.

Parameters: Different subscenarios contain different parameters. The parameters search for the specific query,
tables, or proxy.

Fields: List the fields of the data source, such as their type, amount or quantity, description, and so on. You can
change the field descriptions to make them more useful for your business needs.

5. On the Connector tab, maintain additional connectors. By default, the main connector retrieves the backend
metadata such as query fields and field descriptions.

Note
On the Ad Hoc Query tab (only applicable to the Configurable subscenario), you ensure the tables and joins used
retrieve the expected data.

6. On the Attachments and Links tab, attach a file or link to the rule.
7. Select Save. The system displays a message to confirm that all data was saved.
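
The status rules in step 3 can be checked mechanically when reviewing how a data source reached Active. The following Python sketch is an added example, not SAP code: the event tuple layout and the data source and rule names are constructed for illustration.

```python
"""Audit a constructed data source change log against the status rules above."""

# Status changes the Status parameter allows, taken from the table in step 3.
ALLOWED_TRANSITIONS = {
    "New": {"In Review"},
    "In Review": {"Active"},
    "Active": {"Inactive", "In Review"},
    "Inactive": {"In Review"},
}

# Constructed sample events, oldest first. The tuple layout is an assumption
# made for this example, not an SAP GRC export format:
#   ("status", data_source, old_status, new_status)
#   ("assign_rule", data_source, business_rule)
SAMPLE_EVENTS = [
    ("status", "DS_PO_VALUE", "New", "In Review"),
    ("status", "DS_PO_VALUE", "In Review", "Active"),
    ("assign_rule", "DS_PO_VALUE", "BR_PO_OVER_1000"),
    ("status", "DS_VENDOR_BANK", "New", "Active"),       # skips In Review
    ("assign_rule", "DS_USER_LOCK", "BR_LOCKED_USERS"),  # source never activated
    ("status", "DS_PO_VALUE", "Active", "Inactive"),
    ("status", "DS_PO_VALUE", "Inactive", "Active"),     # must pass In Review
]


def audit_events(events):
    """Return a list of (event_index, data_source, finding) tuples."""
    current = {}  # data source -> last status seen; unseen sources count as "New"
    findings = []
    for idx, event in enumerate(events):
        kind, source = event[0], event[1]
        status = current.get(source, "New")
        if kind == "status":
            old, new = event[2], event[3]
            if old != status:
                # The log disagrees with what was recorded earlier: a change is missing.
                findings.append(
                    (idx, source, f"log gap: expected old status {status}, got {old}")
                )
            if new not in ALLOWED_TRANSITIONS.get(old, set()):
                findings.append((idx, source, f"illegal transition {old} -> {new}"))
            current[source] = new
        elif kind == "assign_rule":
            # A data source must be Active before a business rule is assigned to it.
            if status != "Active":
                findings.append(
                    (idx, source, f"rule {event[2]} assigned while status is {status}")
                )
    return findings


if __name__ == "__main__":
    for idx, source, finding in audit_events(SAMPLE_EVENTS):
        print(f"event {idx}: {source}: {finding}")
```
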
Creating a Business Rule

Prerequisites
To perform this function, you must be assigned to the Business Rule Specialist role. You must have already created
a data source. For more information, see Creating and Changing Data Sources.

Procedure
A business rule provides a scalable user interface, which can support various data sources such as configurable rules,
programmed rules, SAP Query and BI Query.
1. Select Rule Setup > Business Rule (in the Continuous Monitoring section). The Business Rule
Overview screen appears.
2. Choose Create.
3. Choose a Data Source. Only data sources with a status of Active are valid. If you do not know the name of the
data source, search by name, subscenario, connection type, search term, or validity date. Choose Search Data
Source. After you have selected the data source, choose OK.
4. Choose Start to create a Business Rule.
Based on the subscenario defined in the data source, the guided activity has different steps. Provide the input
required for your data source's subscenario. The steps for each subscenario, in order:

Configurable: Basic Information; Data for Analysis; Filter Criteria; Deficiency Criteria; Conditions and
Calculations; Output Format; Technical Settings; Ad Hoc Query; Attachments and Links; Confirmation

Programmed: Basic Information; Filter Criteria; Deficiency Criteria; Output Format; Technical Settings; Ad Hoc
Query; Attachments and Links; Confirmation

ABAP Report: Basic Information; Filter Criteria; Technical Settings; Attachments and Links; Confirmation

SAP Query: Basic Information; Filter Criteria; Deficiency Criteria; Conditions and Calculations; Output Format;
Technical Settings; Ad Hoc Query; Attachments and Links; Confirmation

Event: Basic Information; Deficiency Criteria; Conditions and Calculations; Output Format; Technical Settings;
Attachments and Links; Confirmation

SoD Integration: Basic Information; Filter Criteria; Technical Settings; Attachments and Links; Confirmation

BW query: Basic Information; Filter Criteria; Deficiency Criteria; Conditions and Calculations; Output Format;
Technical Settings; Ad Hoc Query; Attachments and Links; Confirmation

External Partner: Basic Information; Filter Criteria; Deficiency Criteria; Output Format; Technical Settings;
Attachments and Links; Confirmation

Process Integration: Basic Information; Filter Criteria; Deficiency Criteria; Conditions and Calculations; Output
Format; Technical Settings; Ad Hoc Query; Attachments and Links; Confirmation

• Basic Information — Enter the required fields (Name, Description, Category, Analysis Type, Valid From,
Valid To, and Status) and any optional fields that apply to your business rule.

Note
The values of Category and Analysis depend on the subscenario defined in the Data Source. Only two
statuses are eligible at this stage: New and In Review.

To determine which connectors are applied to this business rule, select Applied in the Connectors table. The
default is the main connector designated by the data source.
• Data for Analysis (only applicable to the Configurable subscenario) — Choose a subset of fields in the data
source to be analyzed in the business rule.
• Filter Criteria — Select fields as filters and enter the values in each filter field. For example, you might
look at records over a certain amount (for example, purchase orders over 1,000 euros). If the criteria must be
determined at runtime and the field type is date, you can select Runtime Value Determination and choose the
runtime method.

Note
In some subscenarios (such as Programmed), the filter fields are predefined and cannot be changed.

• Deficiency Criteria — Select fields as deficiencies. Enter the deficiency thresholds or indicator for each
deficiency field. If the Field Analysis type is Changes or Blank Check, the deficiency value is Indicator (High,
Medium, Low). If the Field Analysis type is another type, the deficiency value is Threshold.

Note
In some subscenarios (such as Programmed), the deficiency fields are predefined and cannot be changed.
In some subscenarios, the Calculated Field is visible. You can create a calculated field as an additional
deficiency field. The calculation function is then defined in the Conditions and Calculations step.

• Conditions and Calculations — There are several SAP pre-delivered conditions and calculation functions that
can be applied to each deficiency field.
o For deficiency fields (not additional calculated fields), only conditions can be applied.
o For calculated deficiency fields, both conditions and calculation functions can be applied.
Note
The Currency Conversion calculation function is available only for the data type Amount.
For the Event subscenario, you can choose Send Notification and/or Trigger a Monitoring Job.

• Output Format — Each deficiency field with an exception is generated as a job result. The output columns of
the job result can be adjusted here. You can choose which columns to hide or display. You can also change the
sequence number to set the order of the columns displayed. For example, a sequence number of 001 would appear to
the left of 002.
• Technical Settings — These settings are for users with a technical background. They are for runtime usage and
vary based on each subscenario. Default values are defined for each parameter, but you can override the value to
adjust the behavior or outcome of the job result during runtime.
• Ad Hoc Query — You can query the data from the system that is defined in the target connector. This can be
useful to test your query without scheduling a job. To view the results list, use one of the following:
o Data Collection: Raw data is presented, based on the filter criteria.
o Apply Rule: Deficiency Criteria and Conditions and Calculations defined in previous steps are applied to
the result.
• Attachments and Links — You can attach documents and links related to the business rule in this step.
5. Choose Save. A confirmation message appears. If more changes are needed, choose the Change the Business
Rule link to navigate to the same business rule in change mode.

Assigning a Business Rule to a Control


You can assign business rules for compliance initiatives. You assign rules to controls for automated testing and
monitoring. You can also specify the testing frequency of a rule that has been assigned to a control.

Prerequisites
• A business rule has been created, its status is active, and it is in a valid period.
• A control has been created.
• (Optional) The Customizing activity Set Number of Business Rules Assigned to Each Control has been
completed. The activity is located at Governance, Risk, and Compliance > Common Component Settings >
Continuous Monitoring > Set Number of Business Rules Assigned to Each Control. If the activity is not
completed, the default limit of the number of business rules assigned to each control is 10.

Procedure
1. In the Entity field, select Control.
2. Enter the date when the business rule assignment is valid. The default value is the first calendar day of the
current year. Select Apply.

Caution
This value impacts all subsequent operations and business rule assignments. Business Rule Assignment uses the
valid period concept (like HR master data). For every business rule assigned to a control, the assignment
relationship period is the intersection of the valid period of the control, the business rule, and this date value
(taken as a Valid From value).
3. Search for the control to assign to the business rule. You can search by Organization, Process, Subprocess,
Control, or Business Rule.
In the Control Search Result table, controls are displayed with Control, Description, Organization, Process,
Subprocess, Test Automation, and Trigger. The system only lists semiautomated and automated controls
(manual controls cannot be used). One row is selected by default. Highlight a row to select a control. If business
rules have already been assigned to this control, the rules display in the Common Business Rules or Regulation-
Specific Business Rules tabs.

Note
The Control's Trigger field is required. The value of this attribute field determines which business rules can be
assigned to the control:
• If the Trigger value is Date, only non-event-based business rules can be assigned to it.
• If the Trigger value is Event, only business rules with a subscenario of Event can be assigned to it.
4. Add (or remove) a business rule's assignment to a control.

Note
If the control has no regulation assigned, only common business rules can be added. The regulation-specific
business rule cannot be added to a cross-regulation control.
   1. Assign a specific business rule to the control.
      • For a control that has no regulation assigned, only the Common Business Rules tab displays.
        Choose Add to select a business rule.
      • For a control that has been assigned to a regulation, two tabs display: Common Business Rules and
        the Regulation-specific Business Rule tab. You can use the common business rule data or assign
        regulation-specific business rules to the control. To assign a regulation-specific business rule, choose
        the Regulation-specific Business Rule tab. Select the Maintain Regulation-specific Business
        Rules button. The command buttons appear. Choose Add.
   2. The Select Business Rule window displays. You can search by Business Rule name and/or by a
      search term associated with the business rule. Highlight the desired business rule and select OK.
   3. Choose Save to save all your changes to this control’s business rule assignment.
5. Maintain the frequency of the assigned business rule for date-based controls. This step does not apply to event-
based controls.
   1. Select Modify.
   2. On the Common Business Rules or Regulation-specific Business Rules tab, highlight to select a
      business rule under a date-based control.

Note
You can maintain separate schedules for monitoring and compliance purposes.
6. Choose Professional View to view the business rule assignment information. The Professional View provides
detailed business rule assignment information such as the assignment valid period for monitoring or compliance
separately.
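
The assignment rules in this procedure (the validity-period intersection from the Caution, the Trigger restriction, the exclusion of manual controls, and the default limit of 10 rules per control) can be written as a pre-check. This Python example is added here and is not part of SAP GRC; the class names, function names and sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Default limit when the optional Customizing activity has not been completed.
DEFAULT_RULE_LIMIT = 10


@dataclass(frozen=True)
class BusinessRule:            # hypothetical model, not an SAP structure
    name: str
    subscenario: str           # for example "Event", "SAP Query", "Configurable"
    status: str
    valid_from: date
    valid_to: date


@dataclass(frozen=True)
class Control:                 # hypothetical model, not an SAP structure
    name: str
    trigger: str               # "Date" or "Event"
    automation: str            # "Manual", "Semiautomated" or "Automated"
    valid_from: date
    valid_to: date
    assigned_rules: tuple = ()


def assignment_period(control, rule, assignment_date):
    """Intersect the control period, the rule period and the assignment date
    (taken as a Valid From value). Returns (start, end) or None if empty."""
    start = max(control.valid_from, rule.valid_from, assignment_date)
    end = min(control.valid_to, rule.valid_to)
    return (start, end) if start <= end else None


def check_assignment(control, rule, assignment_date, limit=DEFAULT_RULE_LIMIT):
    """Return (period, problems); an empty problems list means the assignment
    satisfies every rule stated in the procedure."""
    problems = []
    if control.automation == "Manual":
        problems.append("manual controls cannot be used")
    if rule.status != "Active":
        problems.append("business rule is not Active")
    is_event_rule = rule.subscenario == "Event"
    if control.trigger == "Date":
        if is_event_rule:
            problems.append("Date-triggered control accepts only non-event business rules")
    elif control.trigger == "Event":
        if not is_event_rule:
            problems.append("Event-triggered control accepts only Event subscenario rules")
    else:
        problems.append("control Trigger field is required")
    if len(control.assigned_rules) >= limit:
        problems.append(f"control already has {limit} business rules assigned")
    period = assignment_period(control, rule, assignment_date)
    if period is None:
        problems.append("validity periods do not overlap")
    return period, problems


if __name__ == "__main__":
    # Constructed sample values.
    control = Control("CTL_PO_APPROVAL", "Date", "Automated",
                      date(2023, 1, 1), date(2025, 12, 31))
    rule = BusinessRule("BR_PO_OVER_1000", "SAP Query", "Active",
                        date(2024, 3, 1), date(2024, 12, 31))
    print(check_assignment(control, rule, date(2024, 1, 1)))
```
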

Scheduling
The Scheduling section of the Rule Setup work center enables you to maintain schedules for continuous control
monitoring, and track job progress in the areas of monitoring and automated testing. This functionality pertains to
Process Control and Risk Management. It contains the following links:
• Automated Monitoring — provides an overview of all scheduled jobs.
• Job Monitor — allows you to view the execution status of automated testing jobs that were scheduled using the
Continuous Monitoring or the Legacy Automated Monitoring. It also displays whether a scheduled job
performed successfully and shows results of executed tests.
• Event Queue — Events from external systems are placed in the event queue. The event queue is used to monitor
the status of events, and which job has processed which events.

Compliance-Specific Compliance Structure


You maintain your compliance structure by assigning the relevant processes and controls, as well as Indirect Entity-
Level Controls, to organizations.

Note
Organizations contain some master data that only applies at the compliance-specific level.

Activities

Maintaining an organization
At the compliance-specific level, you can perform the following activities:
• Assign subprocesses to one or more organizations.
For more information, see Assigning Subprocesses to Organizations.
• Assign Indirect Entity-Level Controls to one or more organizations.
• Designate organizations as being subject to certification sign-off, if so configured, or as being in scope of
assessments.
• Set a deficiency analysis flag for an organization.
• Maintain review and retesting settings for Indirect Entity-Level Controls.
• Control data access based on organization structure and assignment of compliance-specific user roles.

Note
You must perform the following tasks at the global organization level:
• Set up an organization hierarchy based on your company-specific requirements
• Set up organizations as shared service providers whose subprocesses can be used by other organizations
For more information about maintaining global organizations, see Organizations.

Compliance-Specific User Access


You maintain role assignments and configure user authorizations in the User Access work center.
For more information about assigning Users to Roles,

Business Processes
Business processes in the Activities and Processes section of the Master Data work center enable you to
create a business process structure containing all your central business processes, to which individual
controls are assigned.
A process refers to a set of activities that relate to a function in an organization’s operations. These
activities, when carried out, produce the desired output or process result.
The activities detail the flow of material and information between the process steps and the business
decisions that determine how a process step is accomplished. A process can contain subsets of activities
called subprocesses.
A process includes controls to ensure that the process, and corresponding subprocesses, can be
performed according to the company’s requirements. These controls are activities designed to address
control objectives and to mitigate risks in the company’s internal control environment.
Example
An example of a process is the order-to-cash process, which starts with sales order creation and ends with receipt of
cash from customers for goods delivered or services rendered.
A subprocess for this activity can be sales order processing, which pertains to the receipt, processing, and execution
of a sales order.
A control activity within the subprocess can be the review of sales orders to ensure that only sales orders within the
customer’s authorized credit line are processed.
The process structure allows you to create processes, add subprocesses within a process, create
controls within a subprocess, and associate the relevant account groups and control objectives, or risks,
to specific subprocesses and controls.
• The process is the highest level node to which the subprocesses and controls are assigned.
• Each subprocess can have one or more controls assigned to it. Control objectives, account groups, risks, and
regulations are also assigned to subprocesses.
• Risks can be identified on subprocesses, control objectives, or account group assertions.
• Controls can be assigned to mitigate the risks identified.
The figure below shows the relationships between processes, subprocesses, controls, control objectives,
risks, and account groups:
Manual Test Plans
A manual test plan consists of a sequence of test steps that are performed during testing to determine that a control is
operating effectively. A manual test plan may test either a manual or an automated control. If you define the test
method as manual, a manual test plan applies.
When you create a manual test plan, you assign the following attributes to it:
• Test steps comprising the test plan and the required steps
• Sampling methodology and initial sample size
• Indicator that says whether or not a test step failure results in a failed control and requires further action
All required test steps must be completed, in sequence, before the final validation of a manual control.

Prerequisites
A control must be in place before a test plan can be assigned, and the control must have Test Automation set
to Manual. For more information, see Business Processes.

Features
This function allows you to:
• Create, view, and edit manual test plans
• Assign manual test plans to controls at the global or at the compliance-specific level
• Set validity dates for test plans
• Assign manual test plans to one or more central controls

Note
You can assign manual test plans directly to controls while creating or editing a control.

Activities
• To create and assign attributes to a manual test plan, or to edit an existing plan, perform the steps in Creating and
Editing Manual Test Plans.

Creating and Editing Manual Test Plans

Procedure
Follow the steps below to create or edit a manual test plan:
1. Choose Assessments > Manual Test Plans.
The Manual Test Plans screen appears and shows a list of test plans and their associated controls.
2. Set the timeframe for the test plan and select Go.
3. Select Create to define a new test plan or Open to change an existing plan.
The Test Plan screen appears.
4. On the General tab, enter or change the following information:

Field Name: Description

Test Name: Enter the name of the manual test plan.

Description: Enter a description for the manual test plan.

Valid From / Valid To: Enter the date range for which the test plan is valid.

5. On the Test Steps pane, select Add to add new steps or, to delete an existing step, select the step and then
select Remove.
6. In the Step Name field, enter the name of the step for the manual test.
7. In the Step Description field, enter a short description for this step.
8. In the Step or Test dropdown menu, select either Step or Test to indicate if this step is for manual controls or is a
test for automated controls.
9. In the Required dropdown menu, select Yes or No to indicate whether or not this step is required.
10. In the Fail Ends Test dropdown menu, select Yes or No to indicate whether or not to end the test if this step fails.
11. In the Initial Sample field, enter a description for the initial sample.
12. In the Sampling Method dropdown menu, select the desired sampling method.
13. Optionally, select the Attachments and Links tab to attach files or links to your test plan.
14. Select Save when you have completed your plan definition or when you have finished your edits.

Surveys
A survey is a structured list of questions. Within GRC, surveys are used to obtain information about the existence
and evaluation of risks (RM) or the design or operational adequacy of controls (PC). Surveys are used to carry out
assessments of objects such as risks, activities, or policies, for example. These assessments are defined via plans in
the Planner.
Surveys are created and maintained in the Survey Library and sent via the workflow (which can be routed to an
inbox and/or e-mail).
For more information, see:
• Risk Management Planner
• Process Control Planner
Prerequisites
• To send e-mails with interactive PDF survey data, complete the Customizing activity Maintain Inbound E-Mail
Settings for Survey under Governance, Risk, and Compliance > General Settings > Workflow.
• Users who receive survey PDFs by e-mail must have stored their e-mail address in the GRC back-end system
(SU01) under System > User Profile > Own Data (Address tab).
• If you are creating a survey for a collaborative assessment, the role Contributor to Collaborative
Assessment must be maintained for the user in the Roles tab of the risk or risks involved.
• For risk assessment surveys, complete the Customizing activity Implement New Survey
Valuation under Governance, Risk, and Compliance > Common Component Settings > Surveys.
• The e-mail addresses of all users to whom the system sends a survey must be maintained.
• The role assignments must be maintained:
o Business users who receive survey responses and post responses in the system need the
roles SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.
o The SAPCONNECT user configures the e-mail notification settings in the back-end system, so the
roles SAP_GRC_FN_BASE and SAP_GRC_FN_ALL are required.
For more information, see Standard Roles and Authorization Objects and the SAP Governance, Risk, and
Compliance Access Control 10.1, Process Control 10.1 and Risk Management 10.1 Security
Guide at http://help.sap.com/grc.
• For workflow functions, maintain the Customizing activities under Governance, Risk, and Compliance >
General Settings > Workflow.
• If you want to be able to change the subject or body of the survey e-mail, then you must also make entries in
the Workflow Customizing activity Maintain Custom Notification Messages.

Survey:

Question Library
The Question Library lists the user-defined questions that you can use within your surveys. Each
question comprises the following information:
• Category: The category of the question.
• Question: The text of the question.
• Active: Specifies whether the question is active or inactive. Only active questions are
available for use in surveys.
• Answer Type: The type of answer (yes/no/NA, rating, and so on) expected from the person
taking the survey.
• Created By
• Created On

Using the Question Library, you can do the following:
• Create new questions. You can create a new question, or copy and change an existing
question.
• Open questions for editing. You can only edit questions that are not being used in a survey.
• Delete questions. You can only delete questions that have not been assigned to any survey.
• Upload questions from a file stored on your local machine.

Creating Questions for Surveys

For each type of survey, you can create user-defined questions to be attached. You can create
questions in the Question Library, or you can open a specific survey in the Survey Library and
create questions for it. Furthermore, you can define your own answer types, which you can
attach to question or survey categories if necessary.

Note
If a question is already being used in a survey, you cannot change any data for it, but you can
deactivate it.

Prerequisites
Complete the Customizing activity Define Ratings for Survey Questions, found
under Governance, Risk, and Compliance > Common Component Settings > Surveys.

Procedure
To create a question:
• Go to Assessments > Surveys > Question Library.
A list of all existing questions is displayed. When you choose Create, a dialog box opens in
which you can create your own question.
• Select the category of the question from the dropdown options and enter text describing the
question.
• Specify whether the question is active or not. Active means that it can be used in a survey.

Note
If you are not finished formulating the question, or if you want to make a question obsolete,
deactivate the question. You cannot delete questions that are already used in surveys.

• Enter one of the following answer types (answer types vary based upon the survey category):

Answer Type: Meaning and Type of Entry Required

Rating: Requires the entry of a rating type. If you select this answer type, you are
asked if the answer requires a comment.

Yes / No / NA: Requires a Yes, No, or Not Applicable (NA) answer. If you select this
answer type, you are asked if the answer requires a comment.

Text: Requires a text entry by user.

Percentage: Requires the entry of a percentage.

Amount: Requires the entry of an amount.

Choice: A user-defined question in which you can define the answer options and the
scores. If you select this answer type, you are asked if the answer requires a
comment.

Probability Level: Requires the entry of a probability level. If you select this answer type, you
are asked if the answer requires a comment.

Impact Level: Requires the entry of an impact level. If you select this answer type, you are
asked if the answer requires a comment.

Speed of Onset: Requires the entry of a speed of onset value. If you select this answer type,
you are asked if the answer requires a comment.

Note
The answer types Yes/No/NA, Rating and Choice support user-defined scoring for each
answer option. A number score is assigned to each answer option at design time. At
runtime, users receive the scores according to their selections. A final score is based on
aggregating the scores from each question.
• For the answer type Rating, scores are defined during the Customizing activity, Define
Ratings for Survey Questions, located under Governance, Risk and Compliance > Common
Component Settings > Surveys.
• For the answer type Choice, scores are defined in the frontend.
• For the answer type Yes/No/NA, question scores are defined when the survey is defined.

Recommendation
For more information, see Score-Based Valuation for Surveys and Questions.

• If you are creating a question directly from a survey, choose Actions > Create Question.
On the Create Question screen, you can specify if the question is local (only used for this
survey). If you choose No, the question can be used in other surveys.
• Save your data.
Creating Surveys

Prerequisites

Procedure
To create a survey:
1. Choose Assessments > Surveys > Survey Library.
2. Choose Create. The Create Survey dialog box appears.
3. On the General tab, select a survey category, a title for the survey, and a description
(optional).
4. If necessary, specify the valuation type. The entries defined here are used for surveys,
question categories, and answer types.
Note
Using valuation for risk analyses requires additional settings through the Customizing
activities. Complete the activities listed under Governance, Risk, and Compliance >
Common Component Settings > Surveys.
5. Specify whether the survey is to be activated or not.
Note
You cannot activate a survey without first creating one or more questions for it.
6. In the lower screen section, you can add questions as follows:
 Choose Add to add questions that were previously defined.
 Under the Actions menu, you can navigate within the questions (if there are many) or
create a new question.
7. Set the valuation or scoring, if used, for the survey questions. For more information,
see Valuation and Scoring for Surveys and Questions.
 Answer types Yes/No/NA, Rating and Choice support reconfiguring user-defined scores.
If you select score based valuation for Valuation, you can view and change the predefined
scores for each question. Select the Set Score link in the Set Score column.
 The total score of one survey is the sum of scores for each question.

Example
Survey A has two questions (Q1 and Q2). The answers and scores are defined as
follows:
o Question 1: Answer 1.1 = 50; Answer 1.2 = 0
o Question 2: Answer 2.1 = 0; Answer 2.2 = 0; Answer 2.3 = 50
The total score of the survey is the sum of the scores of all the answers. In the example, a
submission with the answers Q1: Answer 1.1 and Q2: Answer 2.1 has a total score of 50. The
highest possible score for this survey would be 100.
8. Save the survey. Your survey can now be included in a plan when you call up the Planner.
Note
 Your survey becomes visible on the Survey tab of the Risk or Activity screen after you
create a plan in the Planner and have sent out the survey.
 You can display the results of the survey by running the Survey Results report
under Reports and Analytics > Compliance.

Score-Based Valuation for Surveys and Questions
You can use the valuation and scoring function built into survey and question creation to assist in risk analysis and
process control evaluation.
 Surveys can be created with the type No Valuation or Score-Based Valuation. If you choose Score-Based
Valuation, a Set Score link appears on the right side of each line for all score-based questions that you have
created or that you have added from the Question Library.

Note
Certain question types, such as those requiring a text entry, cannot be scored. The Set Score link will not appear
next to these kinds of questions. For more information about the different question types, see Creating Questions
for Surveys.
 When you choose the Set Score link, an Override Question Score window appears. You can choose to use any
maintained values that were preset through the Customizing activities, or you can override those values with
those of your own choosing.

Note
If you override the preset values, the values you enter are valid only for this instance of the question. If you use
the same question type for another question in a survey, the default values are assigned to it unless you override
them again.
 If you wish to revert to the values set in the Customizing activities, click the Reset button in the Override
Question Score window.
 You can indicate whether a question is to be local (one-time only for a survey) or if it is to be global (stored in
the Question Library after creation). The default setting is global.
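
The scoring rules described above can be modelled in a few lines. The following Python sketch is an added example, not SAP code: the class and function names are hypothetical, and treating every answer type other than Yes/No/NA, Rating and Choice as unscored is an assumption. It reproduces Survey A from the example under Creating Surveys and shows that an override applies only to one instance of a question.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Answer types the page lists as supporting user-defined scoring. Treating every
# other type as unscored is an assumption of this model.
SCORABLE_TYPES = {"Yes/No/NA", "Rating", "Choice"}


@dataclass
class Question:
    """A Question Library entry with its preset score per answer option."""
    text: str
    answer_type: str
    default_scores: Dict[str, int] = field(default_factory=dict)


@dataclass
class SurveyQuestion:
    """One use of a question in one survey; an override lives only here."""
    question: Question
    override: Optional[Dict[str, int]] = None

    @property
    def scorable(self) -> bool:
        return self.question.answer_type in SCORABLE_TYPES

    def scores(self) -> Dict[str, int]:
        if not self.scorable:
            return {}
        if self.override is not None:
            return self.override
        return self.question.default_scores

    def set_score(self, scores: Dict[str, int]) -> None:
        """Model of the Set Score link: override the presets for this instance."""
        if not self.scorable:
            raise ValueError(f"{self.question.answer_type} questions cannot be scored")
        self.override = dict(scores)

    def reset(self) -> None:
        """Model of the Reset button: fall back to the preset values."""
        self.override = None


@dataclass
class Survey:
    title: str
    items: List[SurveyQuestion] = field(default_factory=list)

    def add(self, question: Question) -> SurveyQuestion:
        item = SurveyQuestion(question)
        self.items.append(item)
        return item

    def total_score(self, answers: Dict[str, str]) -> int:
        """Sum the score of the selected option for every scored question."""
        total = 0
        for item in self.items:
            selected = answers.get(item.question.text)
            if not item.scorable or selected is None:
                continue
            table = item.scores()
            if selected not in table:
                raise ValueError(f"unknown answer {selected!r} for {item.question.text}")
            total += table[selected]
        return total

    def max_score(self) -> int:
        """Highest total a submission can reach."""
        return sum(max(item.scores().values(), default=0) for item in self.items)


def build_survey_a() -> Survey:
    """Survey A from the page's example, plus one unscored text question."""
    survey = Survey("Survey A")
    survey.add(Question("Q1", "Choice", {"1.1": 50, "1.2": 0}))
    survey.add(Question("Q2", "Choice", {"2.1": 0, "2.2": 0, "2.3": 50}))
    survey.add(Question("Comments", "Text"))
    return survey


if __name__ == "__main__":
    survey_a = build_survey_a()
    print(survey_a.total_score({"Q1": "1.1", "Q2": "2.1"}), survey_a.max_score())
```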

Survey Category
SAP Process Control currently provides the following categories of surveys in the Survey Library for evaluations of
different purposes:
 Self-assessment
 Control Design
 Disclosure Survey
 Indirect Entity-level Control
 Policy
 Subprocess Design
 Sign-off

Sign-Off Monitor
This functionality monitors the sign-off process. The sign-off monitor shows the full organization hierarchy.
For organizations marked as subject to sign-off, the sign-off begins with the lower organizations and proceeds to the
higher organizations in the hierarchy. You can see if an organization has been signed off or not, the sign-off date,
and any attachments.

Activities
The following selection criteria are available for the sign-off monitor:
 Timeframe, Timeframe Year — You can choose which timeframe you want to see.
 Regulation — The sign-off is regulation specific. You can choose which regulation data you want to see.
The sign-off monitor displays the organization hierarchy, and the following information for each organization:
 If the organization is subject to sign off. The values are Yes or No.
 The sign-off user name, and the sign-off date (if the sign-off has been done).
 Any attached or linked files (attached during sign-off).
Standard Roles and Authorization Objects
The authorization concept of SAP NetWeaver assigns authorizations to users on the basis of roles. Some general
SAP standard roles are delivered with Process Control as described below.
You can copy and adjust these default roles in the Customizing activities under SAP NetWeaver > Application
Server > System Administration > Users and Authorizations > Maintain Authorizations and Profiles using Profile
Generator > Maintain Roles (transaction PFCG).
In the Process Control application, the power user can assign these roles to the corresponding entities.

Features
The standard roles that are delivered are:
 Basic Role (SAP_GRC_FN_BASE): The basic technical role for a user who wants to use Risk Management or
Process Control. This role contains all necessary authorizations to make the necessary Customizing settings for
this application. This role does not contain any authorizations for the portal interface.
 Business User (SAP_GRC_FN_BUSINESS_USER): A user with this role is only authorized to perform
operations on assigned entities. We recommend that a user with this role also be assigned a portal role in
order to use the web interface of the application.
 Power User (SAP_GRC_FN_ALL): In addition to the authorizations of the business user, a power user also has
authorization for administrative functions through the Customizing activities, such as the definition of
organizations.

Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business
users. If the power user needs to delegate his authorization to others, he must ask the IT department to assign the
PFCG role SAP_GRC_FN_ALL to that user. This delegation is not entity dependent. For more information,
see My Delegation Overview.
 Display User (SAP_GRC_FN_DISPLAY): A user with this role can display all data in the portal. This role is
useful for external auditors, for example. We recommend using this role in addition to the business user role.
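
Because SAP_GRC_FN_ALL carries administrative authorizations and is not entity dependent, a periodic review of who holds each standard role is a useful least-privilege check. The following Python sketch is an added example, not SAP code: the user,role CSV layout, the sample rows, the copied role name Z_GRC_POWER, and the list of approved power users are all constructed assumptions, and reading the basic role as required for every GRC user is an interpretation of the description above.

```python
import csv
import io
from collections import defaultdict

# Delivered role names as listed on this page.
BASE = "SAP_GRC_FN_BASE"
BUSINESS = "SAP_GRC_FN_BUSINESS_USER"
POWER = "SAP_GRC_FN_ALL"
DISPLAY = "SAP_GRC_FN_DISPLAY"
GRC_ROLES = {BASE, BUSINESS, POWER, DISPLAY}

# Constructed sample export (user,role). Not real data and not an SAP format.
SAMPLE_EXPORT = """user,role
ALICE,SAP_GRC_FN_BASE
ALICE,SAP_GRC_FN_BUSINESS_USER
BOB,SAP_GRC_FN_BASE
BOB,SAP_GRC_FN_ALL
CAROL,SAP_GRC_FN_DISPLAY
DAVE,SAP_GRC_FN_BUSINESS_USER
DAVE,SAP_GRC_FN_ALL
ERIN,SAP_GRC_FN_BASE
ERIN,Z_GRC_POWER
AUDITOR1,SAP_GRC_FN_BASE
AUDITOR1,SAP_GRC_FN_BUSINESS_USER
AUDITOR1,SAP_GRC_FN_DISPLAY
"""


def load_assignments(text, aliases=None):
    """Return {user: set of delivered GRC roles}.

    aliases maps copied customer roles (the page notes the delivered roles can
    be copied and adjusted in PFCG) back to the delivered role they came from.
    Roles that are neither delivered nor aliased are ignored.
    """
    aliases = aliases or {}
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        user = (row.get("user") or "").strip().upper()
        role = (row.get("role") or "").strip().upper()
        role = aliases.get(role, role)
        if user and role in GRC_ROLES:
            roles[user].add(role)
    return dict(roles)


def audit(assignments, approved_power_users=frozenset()):
    """Return a sorted list of (user, finding) tuples."""
    findings = []
    for user in sorted(assignments):
        held = assignments[user]
        # Power user rights are assigned by IT through PFCG, so every holder
        # should appear on a list IT has approved (the list is an assumption).
        if POWER in held and user not in approved_power_users:
            findings.append((user, "POWER_NOT_APPROVED"))
        # The page calls the basic role the technical role for any GRC user.
        if BASE not in held:
            findings.append((user, "MISSING_BASE_ROLE"))
        # The page recommends the display role in addition to business user.
        if DISPLAY in held and BUSINESS not in held:
            findings.append((user, "DISPLAY_WITHOUT_BUSINESS"))
    return findings


if __name__ == "__main__":
    mapped = load_assignments(SAMPLE_EXPORT, aliases={"Z_GRC_POWER": POWER})
    for user, finding in audit(mapped, approved_power_users={"BOB"}):
        print(f"{user}: {finding}")
```

Without the alias mapping, the copied role held by ERIN is not recognized as power user access, so an inventory of copied roles has to be kept alongside the delivered names.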

Regulations
In the regulation hierarchy, you document which compliance initiatives your company supports. For each
compliance initiative, you can document the regulation and its requirements. After defining a new regulation, you
specify the subprocesses and controls that are relevant to that regulation.
The Regulations section allows you to:
 Document and review your compliance initiatives in one place
 Organize your compliance initiatives into groups
Prerequisites
Complete the following Customizing activities according to your business needs:
 Maintain Regulation Role Assignments under Governance, Risk, and Compliance > Process Control >
Authorizations
 Relate Regulation to Plan Usage under Governance, Risk and Compliance > Process Control > Multiple
Compliance Framework
 Define Subtypes for Regulation Specific Attributes under Governance, Risk and Compliance > Process
Control > Multiple Compliance Framework
 Enable CAPA by Regulation Type under Governance, Risk, and Compliance > Common Component
Settings > Ad Hoc Issues

Example
You have a group of financial compliance initiatives that could include SOX, J-SOX, and IDS or a group of
operational compliance initiatives that include FDA and Life Sciences regulations.
Maintain your regulation hierarchy to the individual requirement level, if desired. For example, you can maintain
SOX compliance down to the regulation requirement SOX 302. If you maintain regulation requirements, you can
assign them to controls and track the affected requirements at the control level.

Policies
A policy is a set of principles, rules, and guidelines that are formulated or adopted by an organization to reach its
long-term goals. Policies are designed to influence major decisions and actions, and all activities take place within
the boundaries set by them. They are used in Process Control and Risk Management.
A policy contains a written description of an organization's position on important subjects and its response to
specific situations. Policies support managerial decision-making, to help the company achieve its objectives.
Policies are an element of a complete governance process. This process involves an analysis of regulations, best
practices, and corporate business objectives, after which they are codified into policies affecting the business actions
of all employees.
Policies need to be created, reviewed, approved, and distributed; there is an ongoing process of policy
acknowledgment, self-assessment, and updates. Policies must be managed throughout their lifecycle.

Prerequisites
According to your business needs, complete the Customizing activities under Governance, Risk, and
Compliance > Common Component Settings > Policy Management.
Activities and Processes
The Activities and Processes section in the Master Data work center is where you maintain your company's
activities, business processes, subprocesses, and controls. It contains the following links:
 Activity Hierarchy
 Business Processes
 Indirect Entity-Level Controls

Activity Hierarchy
In the Activities and Processes section of the Master Data work center, you can define a hierarchy to structure the
activities in your organization that involve risks. In this way, you can define the scope of risk management activities
within your company, making them transparent, in particular for reporting purposes. You do this by defining risk-
relevant activity categories. The research and development projects of your organization could be one activity
category, for example.

Note
If you want to see the processes of Process Control in the Risk Management activity hierarchy, proceed as described
in Reuse of PC Central Process Hierarchy in RM.

Prerequisites
In Customizing, you must maintain activity types for your organization.

Features
In the Activity Hierarchy section, you can do the following:
 Create and delete activity categories
 View and edit activity category details
 Assign risk and opportunity categories to an activity category
Example

[Figure: Sample global activity hierarchy showing assigned risks]


The above example shows how risks are assigned. First, the activity type defined in Customizing called business
processes is used to create an activity category called Financials. Then for Organizational Unit 1, this activity
category is used to define the two activities of budgeting and consolidation. The budgeting activity has two risks
allocated to it: Overspending and Budget not approved.

Top-Down, Risk-Based Compliance


The Process Control risk model allows you to identify the subprocesses and account groups or assertions to be
audited, based on risks assigned to the account groups or assertions, and to the controls. Relationships can be
associated between account groups or assertions, as well as between subprocesses and control objectives.
Compliance efforts are directed to areas that present the highest risk, such as the financial statement close process,
and controls that are designed to prevent fraud.
The top-down, risk-based approach of the application comprises materiality analysis, risk assessment, control
risk assessment, and level of evidence determination.
The following table summarizes the approach:
| Aspect | Description |
|---|---|
| Identify significant accounts and assertions | Consider materiality, likelihood of errors or fraud, accounting and reporting complexities, and subjectivity. |
| Identify risks of financial misstatements | To determine the sources and likelihood of misstatements, ask: “What could go wrong?” |
| Identify significant locations and processes | Consider significant accounts and assertions plus other risks of financial misstatements. |
| Assess the financial reporting risks | Rate the risks, considering the impact and likelihood of material misstatements in financial reports. |
| Identify controls to address financial reporting risks | Consider entity-level, transaction, IT, and monitoring controls. |
| Evaluate control operating effectiveness | Consider control risk factors to determine the nature, extent, and timing of evaluations. |

Process Control uses the following mechanisms to develop a testing strategy and level of evidence:
 Materiality analysis: Organizations and subprocesses in scope of assessments
For more information, see:
o Consolidated Balances
o Accounts
 Control risk assessment and level of evidence
For more information, see:
o The Customizing activity Set Level of Evidence Value under Governance, Risk and Compliance > Process
Control > Scoping
o Business Processes
o Reports and Analytics

Control Objectives
Control objectives define statements of desired results or purposes. You assign these statements to the relevant
subprocesses. Control objectives document the objectives that are relevant for the specific subprocess.
Activities

Creating Control Objectives


Perform the steps below to define your control objectives.
1. Choose Master Data > Objectives > Control Objectives.
The Control Objective Catalog displays. The left pane shows a list of available control objectives. The right pane
shows the general information and related subprocesses of the control objective that is highlighted in the left
pane.
2. Choose Create.
The Create Control Objective dialog box displays.
3. On the General tab, enter the following information:
| Field Name | Description |
|---|---|
| Control Objective (required) | Enter a name for the control objective. This is a 40-character text field that the system uses in reports that are related to control objectives. |
| Objective Category (required) | Select the objective category from the dropdown menu. This value is used with the control type attribute within the control. Your choices include the following categories: Compliance and Regulations; Financial Reporting and Disclosures; Operations. To define your own values through the Customizing activity, choose Governance, Risk, and Compliance > Process Control > Edit Attribute Values. In the left pane, select Attributes with Dependent Attributes. In the right pane, select the row for CO-OBJCAT. Then select the values under Attributes with Dependent Attributes and maintain your entries. |
| Description (recommended) | Enter a description for the control objective. This is a text field that is included in some reports that present control objectives. |
| Valid To and Valid From (required) | Enter a date range for the control objective to be valid or accept the default Valid To date of December 31, 9999 (preferred). |


4. On the Subprocesses tab, choose Add to associate the desired subprocesses to your control objective.
5. On the Risks tab, select Add to associate the risks with your control objective.
6. On the Attachments and Links tab, choose Add to associate documents or links to your control objective.
7. Choose Save.

Reports (Assessments)
Assessment reports pertain to all design assessments and tests of effectiveness. Which reports are available varies by
person, based upon the role assigned.

Note
The Case Selection field is used in several Assessment Reports. Use this field to see evaluation cases of:
 All in reporting timeframe: The report shows all evaluation cases per evaluation type that occurred in the
reporting timeframe.
 One per evaluation timeframe: The report only shows one evaluation case per evaluation type for each
evaluation timeframe, according to the setting in Include Assessment.
 One per reporting timeframe: The report only shows one evaluation case per evaluation type for the reporting
timeframe, according to the setting in Include Assessment.

Example
If there are three control effectiveness tests:
Case 1: planned for timeframe January 2012, performed on 2012.1.10
Case 2: planned for timeframe January 2012, performed on 2012.1.20
Case 3: planned for timeframe Year 2012, performed on 2012.1.30
Include Assessments is set to Most Recent Assessments/Tests in Timeframe. You run the report for timeframe
Year 2012. The result depends on the Case Selection setting:
 If All in reporting timeframe, all three cases are shown.
 If One per evaluation timeframe, case 2 and case 3 are shown, because they are planned for different evaluation
timeframes.
 If One per reporting timeframe, case 1 is shown, because it is the most recent in the reporting timeframe.
The following are assessment reports:
| Assessment Report | Description |
|---|---|
| Evaluation Results by Organization | This report provides a hierarchical view into the evaluation results of different types of organizations. You can review this report to understand the evaluation status of controls and subprocesses for each evaluation type. You can focus on failed controls and processes and drilldown to see if further remediation actions must be taken. |
| Evaluation Management | This report provides a list of organizations that have not yet performed certain evaluations in a specific timeframe. You can review this report to understand the evaluation coverage gaps to see if further assessments or tests must be planned. |
| Indirect Entity-Level Control (iELC) Evaluations | This report provides indirect entity-level control evaluation results by iELCs by organization. You can review this report to understand the evaluation status of iELCs for each evaluation type. You can focus on failed iELCs and drilldown to see if further remediation actions must be taken. |
| Indirect Entity-Level Control (iELC) Evaluations by Organization | This report provides a hierarchical view of indirect entity-level control evaluation results by organization. You can review this report to understand the evaluation status of iELCs for each evaluation type. You can focus on failed iELCs and drilldown to see if further remediation actions must be taken. |
| Subprocess Design Assessment | This report provides visibility into subprocess design assessment by organization and process. For each subprocess, it shows the results of the performed subprocess design assessment. You can review this report and focus on failed subprocesses and drilldown to see if further remediation actions must be taken. |
| Control Ratings | This report provides visibility into the control evaluation results of different evaluation types by organization and process. You can review this report to understand the evaluation status of controls for each control evaluation type. You can focus on failed controls and drilldown to see if further remediation actions must be taken. |
| Control Test History with Ratings | This report provides visibility into control testing results by controls by organization and process for multiple periods (if available). You can review this report to understand the testing status of controls. You can focus on controls that failed the effectiveness test and drilldown to see if further remediation actions must be taken. |
| Test Step Status | This report provides visibility into the test step details of control testing results for each organization and process. For each effectiveness test, it shows results for each test step. You can review this report to understand what step failures contribute to the overall test deficiency. |
| Risk Coverage with Evaluations | This report focuses on evaluation results with risk coverage by controls by organization and process. You can review this report to understand, for each risk, whether or not the control assigned for mitigation is designed and executed correctly. This could help see if another control is needed or further remediation actions must be taken. |
| Risk Coverage with Ratings by Organization | This report shows evaluation results risk coverage in a hierarchical layout. You can review this report to understand, for each risk, whether or not the control assigned for mitigation is designed and executed correctly. This could help determine if another control is needed or further remediation actions must be taken. |
| Assessment Survey Results | This report provides visibility into assessment results of each evaluation type by control for each organization and process. For each control or subprocess, it shows the evaluation results of the performed subprocess design, control design, and self-assessment. You can review this report and focus on failed subprocesses and controls. You can drilldown to see if further remediation actions must be taken. |
| Issue Status | This report provides visibility into issue statuses of each evaluation type. You can review this report to find out whether there are open issues under specific organizations, processes, subprocesses, or controls and drilldown to open the issue details. |
| CAPA Status | This report provides visibility into CAPA plan statuses of each evaluation type, if applicable. You can review this report to check whether all addressed CAPA plans are processed in a timely fashion. You can also drilldown to see the CAPA plan details. Recommendation: For more information, see Key Assessment Report: CAPA Status Report. |
| Remediation Status | This report shows the status of the remediation plan for each evaluation type. You can review this report to see whether all addressed remediation plans are processed in a timely fashion and drilldown to see remediation plan details. |
| Test Status by Organization | This report provides a hierarchical view into high level statistics on evaluation status by organization. For each organization, it shows the total number of key controls as well as the evaluation pass rate of each evaluation type. You can review this report to compare internal control compliance status among different organizations. |
| Test Status by Process | This report provides a hierarchical view into high-level statistics on evaluation status by process. For each organization and process, it shows the total number of key controls as well as the evaluation pass rate on each evaluation type. You can review this report to compare the internal control compliance status among different processes. |
| Scoping Coverage | This report provides a hierarchical view into the result of consolidated materiality analysis by accounts group. For each central accounts group, it shows the consolidated accounts group significance decisions together with account groups balance and materiality threshold. Additionally, this report shows the overall scoping coverage status, in terms of scope control numbers and risk coverage. You can review this report to see if more account groups must be added to the scope. |
| Organization-Level Materiality Analysis Results | This report provides a hierarchical view into the result of organization-level materiality analysis by organization and accounts group. For each local accounts group, it shows the organization-level accounts group significance decisions together with the accounts group balance and materiality threshold. You can review this report to see if further accounts group, process, and controls must be added to the scope. |
| Testing Strategy by Control | This report provides visibility into control risk assessment results by control, by organization and process. For each control, it shows the value of control risk rating from assessment as well as the level of evidence calculation result. A user could review this report and understand the testing strategy suggested for each control following the risk-based compliance approach. |
| Risk Assessment Results | This report provides visibility into risk assessment results by risk, by organization and process. For each risk, it shows the assessed value of probability, impact level, and overall risk level. You can review this report and use its output as evidence for risk-based compliance. |
| Organizational Sign-off Status | This report provides visibility into the status of sign-off by organization. You can review this report to find out whether business owners have performed the sign-off for their areas of responsibility. You can drilldown for the detailed sign-off results. |
| Aggregation of Deficiency (AOD) Status | This report provides visibility into the status of aggregation of deficiency by organization. You can review this report to find out whether business owners have performed aggregation of deficiency for their areas of responsibility and drilldown to check the detailed AOD results. |
| Policy Profile | This report provides an overall summary of the policy, its current status and where it is currently in the workflow. |
| Policy Distribution Survey Results | This report provides visibility into the results of policy distribution on question and answer level. You can review this report for audit trail purposes or you can perform analytics on the feedback from specific survey questions. |
| Policy and Issue Status | This report provides an overall summary of all issues (both evaluation and ad hoc) related to a specific policy. You can review this report to help evaluate the effectiveness of a policy based on the evaluation issues of controls in the policy scope or on the ad hoc issues of the policy. |
| Ad Hoc Issue Report | This report provides an overall summary of the ad hoc issues. |

Remediating Evaluation Issues


All of the evaluations, assessment surveys, manual test plans, automated and semi-automated control testing, and
control monitoring, follow these basic steps:
1. Evaluation

Note
This process does not apply to ad hoc issues.
2. Identification and creation of issues
3. Remediation of open issues
4. Reevaluation (for manual evaluations only). This is dependent upon the configuration done through the
Customizing activities.

Prerequisites
You have created an evaluation with an issue and it has been approved, if review is required.
Process

1. The tester receives the task to perform the manual test of effectiveness.
2. The tester performs the test and submits it. If the test passes, the task is complete.
3. If the test fails, the tester creates an issue and assigns it to an issue owner.
4. The issue owner assigns the remediation task to an owner and submits it.
5. The remediation owner creates, executes, and completes the remediation plan.
6. The issue owner reviews the remediation and closes the issue.
7. The tester performs the test of effectiveness again and submits it. If the test passes, the task is complete.
8. If the test fails, the tester creates an issue and assigns it to an issue owner.
The process continues until issues are closed.

Note
The process flow above is an example of manual tests of effectiveness and does not include the Review
Required or Forwarding functionality. See Performing Tasks Related to Remediation.

Performing Tasks Related to Remediation

Prerequisites
Complete the Customizing activities under Governance, Risk, and Compliance > Process Control > Evaluation
Setup.

Procedure
1. From the My Home work center, navigate to Work Inbox.
2. View the task. The system sends the Start Issue Remediation task to the issue owner.
3. Select the task.
A screen displays the issue details. The system presents the following options:
 Assign Remediation Plan / Assign CAPA (if CAPA is enabled for the regulation of the issue)
If the issue requires a remediation plan, you must assign a remediation plan owner, start date, due date, and
description. To do so, select OK and Submit.
 Close Without Plan
If permitted, you can close the issue without a remediation plan. For example, you can use this option for a
minor change. To do so, enter remediation comments and select OK to save and close the issue. Then
select Submit.
 Reassign the Issue
You can reassign the issue to another user. To do so, select a user and choose OK. Then select Submit. The
issue is rerouted to the selected user.
 Void
If the issue must be canceled, select Void and enter comments. The system changes the status to Canceled.
Select Submit.
4. The system sends the Enter Details for Remediation Plan task to the remediation plan owner. Depending on
whether you set Review Required during the configuration or maintenance of local objects, one of two process
flows occurs: With Plan Review or Without Plan Review.
With Plan Review has the following options:
 Reassign the Plan
If you want to direct the remediation plan to another user, you can reassign the plan. Select a user and
choose OK. Then select Submit.
 Review
This option allows you to document your remediation plan and submit it for review. Enter the details in the
description text box and attach or link any documents. Select Submit.
The system sends the Review Remediation Plan Details task to the reviewer who then has the following
options:
o Reject
Selecting this option returns the plan to the plan owner for rework. Select Reject and enter review
comments. Select OK and Submit.
o Approve
Selecting this option initiates the next remediation activity. Select Approve and enter review comments,
if desired. Select OK and Submit.
Without Plan Review has the following options:
 Reassign the Plan
If you want to direct the plan to another user, you can reassign it. Choose a user, select OK, and Submit.
5. To initiate the next remediation activity, select Next. The system sends the Update Remediation Plan
Progress task to the remediation plan owner who performs the following activities:
 Selects the task
 Enters the plan progress in the Description Text box (optional)
 Updates the percentage of completion and chooses one of the following:
o Submit to record the current status of the plan. The owner continues to update the task until it is
complete.
o Complete and Submit.
6. The system sends the Review and Close Remediation Plan task to the issue owner who has the following
options:
 Reopen – This restarts the remediation process and sends the workflow to the remediation plan owner.
 Close – This closes the issue. The status of the Remediation Plan and the Issue changes to Closed. No further
activity can be performed on this task.

Note
If the issue owner and the remediation owner are the same user, the workflow is streamlined.
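
For audit purposes, the task flow in steps 3 to 6 can be read as a state machine. The following added example (not SAP code and not part of the original document) replays a constructed task history for each issue and flags steps the procedure does not allow. The state names, action names, and event format are assumptions, as is the choice that Reopen returns the plan to the Enter Details step.

```python
# Added example: audit replay of the remediation task flow (steps 3-6).
# State names, action names and the event format are assumptions for this sketch.
TRANSITIONS = {
    ("ISSUE_OPEN", "assign_plan"): "PLAN_DETAILS",
    ("ISSUE_OPEN", "close_without_plan"): "CLOSED",
    ("ISSUE_OPEN", "reassign_issue"): "ISSUE_OPEN",
    ("ISSUE_OPEN", "void"): "CANCELED",
    ("PLAN_DETAILS", "reassign_plan"): "PLAN_DETAILS",
    ("PLAN_DETAILS", "submit_for_review"): "PLAN_REVIEW",
    ("PLAN_DETAILS", "next"): "IN_PROGRESS",
    ("PLAN_REVIEW", "reject"): "PLAN_DETAILS",
    ("PLAN_REVIEW", "approve"): "IN_PROGRESS",
    ("IN_PROGRESS", "submit_progress"): "IN_PROGRESS",
    ("IN_PROGRESS", "complete"): "CLOSE_REVIEW",
    ("CLOSE_REVIEW", "reopen"): "PLAN_DETAILS",  # assumption: restart at plan details
    ("CLOSE_REVIEW", "close"): "CLOSED",
}
# Actions for which the procedure tells the user to enter comments.
NEEDS_COMMENT = {"close_without_plan", "void", "reject"}


def audit_issue(events, review_required):
    """Replay (action, comment) events; return (final_state, findings)."""
    state, findings = "ISSUE_OPEN", []
    for i, (action, comment) in enumerate(events, start=1):
        nxt = TRANSITIONS.get((state, action))
        if nxt is None:  # also catches any activity after CLOSED or CANCELED
            findings.append(f"event {i}: '{action}' not allowed in state {state}")
            continue
        if action in NEEDS_COMMENT and not comment.strip():
            findings.append(f"event {i}: '{action}' recorded without comments")
        if action == "next" and review_required:
            findings.append(f"event {i}: plan review skipped although Review Required is set")
        state = nxt
    return state, findings


# Constructed sample histories: issue id -> (Review Required?, events).
SAMPLE_TRAILS = {
    "ISSUE-A": (True, [("assign_plan", ""), ("submit_for_review", ""),
                       ("reject", "scope unclear"), ("submit_for_review", ""),
                       ("approve", ""), ("submit_progress", ""),
                       ("complete", ""), ("close", "")]),
    "ISSUE-B": (True, [("assign_plan", ""), ("next", ""), ("complete", ""),
                       ("close", ""), ("reopen", "")]),
    "ISSUE-C": (False, [("close_without_plan", "")]),
}

if __name__ == "__main__":
    for issue_id, (review_required, events) in SAMPLE_TRAILS.items():
        print(issue_id, *audit_issue(events, review_required))
```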

Phase 1: Project Preparation - The purpose of this phase is to provide initial planning and preparation for your SAP
project.
Phase 2: Business Blueprint - The purpose of this phase is to achieve a common understanding of how the company
intends to run its business within the SAP System. The result is the Business Blueprint, a detailed documentation of
the results gathered during requirements workshops. The Business Blueprint document represents the business
process requirements of the company. It is the agreed statement of how the company intends to run its business
within the SAP System.
Phase 3: Realization - The purpose of this phase is to implement all the business process requirements based on the
Business Blueprint. The system configuration methodology is provided in two work packages: Baseline (major
scope); and Final configuration (remaining scope).
Phase 4: Final Preparation - The purpose of this phase is to complete the final preparation (including testing, end
user training, system management and cutover activities) to finalize your readiness to go live. The Final Preparation
phase also serves to resolve all critical open issues. On successful completion of this phase, you are ready to run
your business in your live SAP System.
Phase 5: Go Live & Support - The purpose of this phase is to move from a project-oriented, pre-production
environment to live production operation.
