Why you need a SAP Risk Assessment

For smaller companies, purchasing and implementing a GRC solution can be very costly. However, being non-compliant and carrying a lot of risks can be more costly over time if someone with excessive access commits fraud.

During one of our assessments, we noticed that one of the system administrators wanted to give an end user access to a transaction that allows data to be maintained. The end user had requested that specific transaction, believing it was a display transaction. Most likely, the user remembered the transaction code incorrectly, as the one requested is not related to what the user wanted to do.

The administrator suggested giving access to the transaction anyway, as the user might need it and someone might have suggested this particular transaction. That the access had been approved by a VP was another reason why the admin still wanted to go ahead with the request. Today, this transaction may not be an issue, as the user will request another one after finding out that the transaction was not what they really wanted. The downside is that new transactions are introduced that the user may never need, which may cause Segregation of Duties conflicts down the road and additional usage-analysis cleanup efforts in the future.

