SAP Governance, Risk, and Compliance (SAP GRC) is a powerful software tool that can be used to ensure your company meets data security and authorization standards. It reduces the risk of fraud by automating routine compliance processes. The product suite contains a set of tools which allow risk and compliance teams to effectively, proactively, and pervasively manage risks and controls within a single platform. Here, G – Governance, R – Risk and C – Compliance. Governance improves the alignment of risk activities to the strategic objectives of the business. Risk management embeds risk activities into business functions and processes and helps to ensure optimization across the enterprise. Compliance facilitates controls and processes to meet regulatory and business requirements.
Some SAP GRC products are:
SAP GRC Access Control is one of the important tools created to help organizations automate the process of managing users’ access and monitor SoD (Segregation of Duties) risk violations. It allows organizations to personalize and customize processes related to user access management, business role management, analysis and monitoring of SoD risk, privileged / Firefighter access and periodic reviews of access to the specific, individual requirements of each enterprise.
ARA: Access Risk Analysis
EAM: Emergency Access Management
BRM: Business Role Management
ARM: Access Request Management
UAR: User Access Review
SAP GRC Risk Management provides a comprehensive, enterprise-wide solution for managing all types of risk and driving collaboration and consistency across risk management in the organization. The application allows you to identify and assess the risks that drive business value. It lets you create continuous insight by tracking Key Risk Indicators (KRIs), align emerging risk events with their potential consequences, and make responsible and defensible risk-aware business decisions.
Reduce cost
Easy communication between different lines of business
Foster collaboration risk evaluation within Risk Experts group
digital signatures and state-of-the-art encryption.
SAP Tax Compliance is a fully integrated internal control system with workflows that can be embedded directly into your operational SAP system. The SAP Tax Compliance solution automatically screens transactions for potential tax issues. Use it to rapidly calculate tax liabilities and ensure compliance for indirect taxes, sales tax, VAT, goods and services tax (GST), and others.
Key Benefits:
Extended and more comprehensive documentation about remediation simplifies internal and external audits
Better classification and reporting of hits for better improvements of processes and data quality
Simplification of tax declarations in Advanced Compliance Reporting through direct access to status of hits in Tax Compliance
Audit Management is an enterprise platform for internal audit management. It is an addition to the Governance, Risk, and Compliance (GRC) offering, dedicated to internal audit modules. It is a fully mobile solution, with audit management software improving quality and automating internal auditing procedures. This in-memory audit software makes it quick and easy to document evidence, organize working papers, and create audit reports. It provides the analytical capabilities to shift the focus of internal audit from basic assurance to providing insight and advice. The software leverages the power of the SAP HANA in-memory database, integrates with other governance, risk, and compliance (GRC) solutions, and aligns internal audit with overall business goals.
SAP GRC Process Control is a key part of SAP’s GRC software. It helps organizations to manage their compliance processes more effectively. The objective of Process Control is to provide automated risk and control monitoring, testing and analytical capabilities across the entire enterprise and to improve the effectiveness of an overall compliance program.
ARR stands for Audit Risk Rating. It is used to define the criteria for an organization to find risk ratings and establish a ranking for risk ratings. Each auditable entity is rated as per management feedback in ARR. You can use ARR to perform the following:
Find the set of auditable entities and risk factors.
Define and evaluate risk scores for each risk factor in each auditable entity.
Rate the auditable entity as per its risk score.
You can also generate an audit plan from ARR by comparing risk scores for different auditable entities, selecting the auditable entities with high risk scores, and generating an audit proposal and audit plan proposal.
Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable. In every business, it is required to perform Segregation of Duties risk management, starting from risk recognition through rule building and validation to various other risk management activities, in order to maintain continuous compliance. As per the different roles, there is a need to perform Segregation of Duties in the GRC system.
ARM provides the workflow engine to drive user and role maintenance processes within the SAP environment. These processes are auditable and verifiable, with clear, configurable processes for approval, SoD checking and provisioning.
You need to assign the following roles to a user to log in to the GRC system:
Portal authorization
Applicable PFCG roles
PFCG roles for access control, process control and risk management
SAP Single Sign-On: This SSO solution gives users a better experience and increases security. In addition, it supports strong authentication, digital signatures and state-of-the-art encryption.
SAP standard workflow. This will allow you to check the current Workflow and Task numbers. If the MSMP Instance Runtime shows the workflow is completed but SWIA is not completed then there is an issue with the workflow configuration. Check Marketplace in case there is a correction.
SAP GRC Access Control uses a job scheduler via NWBC. Jobs for connector sync, etc. can be set up via SM36.
A rule set is simply a collection of rules. There is a default rule set in GRC called the Global Rule Set.
In SAP BI, analysis authorizations for reporting users are maintained using transaction RSECADMIN. RSECADMIN is used to maintain analysis authorizations and role assignments to users.
Offline Mode Risk Analysis process is performed with the help of Risk Identification and Remediation module in SAP GRC Access Control Suite. Offline mode Analysis helps in identifying SOD Violations in an ERP System remotely. The data from system is exported to flat files and then it can be imported into the CC instance with the help of data extractor utility. It can also be used to remotely analyse an ERP system which may be present in a different ERP Landscape.
The table USOBX_C defines which authorization checks are to be performed within a transaction and which are not (even though an authority-check command is programmed). This table also determines which authorization checks are maintained in the Profile Generator. The table USOBT_C defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.
PFCG is used to create, maintain and modify roles. PFCG_TIME_DEPENDENCY is a background job of PFUD. PFUD is used for mass user comparison; the difference is that if you schedule the background job on a daily basis, it will do the mass user comparison automatically.
Emergency Access Management, better known as firefighting, is a tool which gives the user emergency access for a limited amount of time. One of the advantages of this tool is that the access can be tracked and monitored by a defined controlling level.
What is SAP GRC?
What are the different products in SAP GRC?
What is SAP GRC Access Control?
List the SAP GRC Access Control Modules?
What is SAP GRC Risk Management?
What are the benefits of SAP Risk Management?
What is SAP Tax Compliance?
What is SAP Audit Management?
What is SAP GRC Process Control?
What is ARR?
What is SoD? Explain SoD in Risk Management?
What is Access Request Management (ARM) in SAP GRC?
Explain how to configure a user to log in to the SAP GRC system?
What is SSO?
What is the use of SWIA in SAP GRC?
What is the use of SM36 Transaction?
What is the rule set in GRC?
What is the use of RSECADMIN in SAP GRC?
Can you explain offline risk analysis?
Explain the difference between USOBX_C and USOBT_C?
What are the differences between PFCG, PFCG_TIME_DEPENDENCY and PFUD?
What is Emergency Access Management?