When to Use Organization Rules and Reporting in Compliance Calibrator

  • by Jayne Gibbon, Director of Customer Care, SAP
  • February 15, 2008
Find out if your company should use organization rules for eliminating false positives from reports.
Key Concept

You use organization rules to provide an additional layer of segregation of duties (SoD) analysis to remove false positives that may result from segregating based on organization levels. You perform this analysis on top of your core Compliance Calibrator SoD analysis. The organization rules allow a company to define the combination of organization levels that result in a true SoD conflict. Companies should not institute organization rules until the remediation phase of their project. It is only after identifying a possible organization rule scenario that you should create the organization rules. You should not use organization rules for grouping users into reports by organization levels to distribute SoD reports to various management levels.

The first time a company runs its segregation of duties (SoD) analysis using Compliance Calibrator, a tool that identifies and eliminates risks while maintaining preventive controls, it may have thousands, if not millions, of conflicts. Remediating these issues can seem overwhelming. Many times, a company’s initial reaction is that the reports simply cannot be accurate and must include false positives, meaning users are reported that don’t actually have the conflict. Most companies upon review, however, realize that the majority of conflicts are true conflicts and work to remediate through reassignment of access. That said, there are sometimes false positives in the reports. One cause of these false positives may be the company’s institution of segregation via organization levels.

Within Compliance Calibrator, SAP created organization rule functionality to eliminate these false positives based on organization level restrictions. It is important to understand that you should only use organization rules in those specific situations in which a company has made a conscious decision to segregate via organization levels.

In my experience, many companies think they have organizational segregation, but really they do not. I’ll discuss the business cases that justify using organization rules, but also reinforce that the functionality comes with a cost, so companies should perform analysis prior to implementation to ensure their situation warrants the use of organization rules. You can also use organization level reporting to consolidate reports of conflicts for a specific organizational unit to assist in distributing reports to the risk owners of each area. I’ll look at this later in the article. First, I’ll go through organization rules.

Jayne Gibbon

Jayne Gibbon, CPA, has been implementing SAP applications since 1996 and is currently a director in the Chief Customer Office at SAP. Jayne’s focus is making customers successful with their SAP HANA deployments. She has helped more than 100 customers drive business value with SAP HANA. Prior to joining SAP in 2007, Jayne worked for two multinational manufacturing companies based in Wisconsin. While an SAP customer, Jayne led the very first implementation of Virsa’s Compliance Calibrator, which is now part of SAP Access Control. Jayne’s experience includes internal audit; computer security; governance, risk, and compliance; SAP HANA; and SAP analytics.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.