Our concept of a GRC system assumes treating an ERP system as the company's control center. Thanks to its functionality, an ERP system can efficiently and cost-effectively support managing key organization risks and significantly mitigate the risk of abuse. The most common GRC issue in companies is ensuring the right segregation of duties and reducing privilege redundancy in IT systems (ERP in particular).
The importance of privilege redundancy analysis and of eliminating SoD conflicts is recognized in industry best practices (such as Control Objectives for Information and related Technology (COBIT), drawn up by ISACA and the IT Governance Institute) and in law as well (e.g. the PCAOB guidelines for SOX, the Sarbanes-Oxley Act, Section 404).
Conflicts in the segregation of duties arise when one user can perform, within a single ERP system or across different systems, tasks which, in terms of the company's internal control, the security of its business processes, good business practice and legal regulations, should be separated and performed by at least two employees.
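The definition above is exactly what an SoD check has to compute: the union of every privilege a user holds through every role in every connected system, compared against a list of privilege pairs that must never sit with one person. The script below is an added illustration, not code from the original text or from any particular GRC product. The systems, roles, privileges, users and rules are all constructed sample data; a real deployment would load them from the ERP's role catalogue and the company's own SoD rule matrix. It reports both kinds of finding the text mentions: SoD conflicts (including cross-system ones, where the conflicting privileges come from two different applications) and privilege redundancy (the same privilege granted through more than one role).

```python
"""Segregation-of-duties and privilege-redundancy check over a constructed
user/role/privilege model (added example; all identifiers are hypothetical)."""
from collections import defaultdict

# Constructed sample data: (system, role) -> set of privileges that role grants.
ROLE_PRIVILEGES = {
    ("ERP", "AP_CLERK"): {"vendor.create", "invoice.enter"},
    ("ERP", "AP_MANAGER"): {"invoice.approve", "payment.release"},
    ("ERP", "PURCHASING"): {"po.create", "vendor.create"},
    ("BANK", "PAYMENT_APPROVER"): {"payment.release"},
    ("ERP", "READ_ONLY"): {"report.view"},
}

# Constructed sample data: user -> set of (system, role) assignments.
USER_ROLES = {
    "alice": {("ERP", "AP_CLERK"), ("ERP", "AP_MANAGER")},          # conflicts inside the ERP
    "bob": {("ERP", "AP_CLERK"), ("BANK", "PAYMENT_APPROVER")},     # conflict across two systems
    "carol": {("ERP", "AP_CLERK"), ("ERP", "PURCHASING")},          # no conflict, redundant privilege
    "dave": {("ERP", "READ_ONLY")},                                 # clean
}

# Constructed SoD rule matrix: two privileges that must not be held by one person.
SOD_RULES = [
    ("vendor.create", "payment.release", "create a vendor and release payments to it"),
    ("invoice.enter", "invoice.approve", "enter and approve the same invoice"),
    ("po.create", "invoice.approve", "raise a purchase order and approve its invoice"),
]


def effective_privileges(user):
    """Map each privilege the user holds to the (system, role) grants that give it."""
    grants = defaultdict(set)
    for system, role in USER_ROLES.get(user, ()):
        for priv in ROLE_PRIVILEGES.get((system, role), ()):
            grants[priv].add((system, role))
    return grants


def find_sod_conflicts(user):
    """Return one finding per SoD rule the user violates, with the granting roles."""
    grants = effective_privileges(user)
    findings = []
    for priv_a, priv_b, reason in SOD_RULES:
        if priv_a in grants and priv_b in grants:
            via = sorted(grants[priv_a] | grants[priv_b])
            findings.append({
                "user": user,
                "privileges": (priv_a, priv_b),
                "reason": reason,
                "via": via,
                # True when the two halves of the conflict live in different systems
                "cross_system": len({system for system, _ in via}) > 1,
            })
    return findings


def find_redundant_privileges(user):
    """Privileges granted to the user through more than one role (redundancy)."""
    grants = effective_privileges(user)
    return {priv: sorted(roles) for priv, roles in grants.items() if len(roles) > 1}


def sod_report(users=USER_ROLES):
    """Users that have at least one SoD conflict, with their findings."""
    report = {}
    for user in users:
        findings = find_sod_conflicts(user)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in sod_report().items():
        for f in findings:
            scope = "cross-system" if f["cross_system"] else "single-system"
            print(f"{user}: {scope} conflict {f['privileges']} ({f['reason']}) via {f['via']}")
    for user in USER_ROLES:
        redundant = find_redundant_privileges(user)
        if redundant:
            print(f"{user}: redundant privileges {redundant}")
```

Keying the role catalogue by (system, role) rather than by role name alone is what lets the check catch bob, whose conflicting privileges come from the ERP and the banking application; a check that only looks inside one system would miss him. Carol's duplicate vendor.create grant is not an SoD conflict, but it is the privilege redundancy the text refers to, and removing one of the two roles reduces her footprint at no cost to her work.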