SAP Process Control

GRC PC: Customization of Controls

GRC Process Control is a very interesting subject and is gaining visibility because of its reach into wider areas of security governance.

Controls play a pivotal part in many GRC PC applications, such as Assessments. However, not all fields are suitable or sufficient to represent the organization’s requirements or assessments.

This article outlines the high-level steps for adding custom fields to Controls, which are as follows.

1. Custom fields to be encapsulated in Structure.

a. Create Data Domains in SPRO > Governance Risk and Compliance > General Settings > User defined fields > HR-User defined fields > Create Data Elements in the ABAP Dictionary. Select the Domain radio button, provide a name and click Create.

A Developer Key is required when creating the Data Domain, and a custom package is required for transport. Value ranges can be given so that the fields associated with these domains inherit these values. Attributes such as Data Type and Length are to be provided as required.

b. Create Data Elements in the same SPRO path as above. Choose Data and assign them the respective Data Domain (created above). Field labels need to be provided as required.

2. The data elements need to be assigned to a structure. The structure's name contains the number of the Infotype.

a. In the same path as above, select Data Type, and then enter the name as HRI9nnn, for example, HRI9101. Choose Create. Select Structure. Assign the fields created in the Components tab.

3. Assignment of Infotypes to Control

a. Navigate to the path and select the below node. Enter the Infotype number and click Create.

b. This Structure has the Infotype 9101. This Infotype needs to be tagged to entity Control. The table entry T777I

c. Select New Entries, provide the Infotype number, and provide P2 (Local Control) and P5 (Central Control) in Time Constraint and Infotypes per Object type.

d. Assign Subtypes to the Infotype created, e.g. SOX and FDA as Regulation.


4. Entities such as Organization, Subprocess and Control are maintained through GRFN_STR_CHANGE and GRFN_STR_DISPLAY. The custom fields are made available by making the Infotype available as one of the tabs in these two transactions.

a. Create New Entries for a new ‘Tab’ for adding the custom fields. As per the naming convention, ZIT should be prefixed to the Infotype number, e.g. ZIT9101 is the tab page.

Select ‘Scenario Definition (Hierarchy Framework) and GRCP0’.

b. Select ‘Tab Page in Scenario for each Object Type’ and click New Entries. Add the tab page (e.g. ZIT9101) with a sequence number.

c. Next, the custom fields can be checked for necessary corrections through the program GRFN_CHECK_CDF. This is available in the below node.

5. The custom fields can be included in reports through the steps below.

a. Fields are added to the structure CI_GRPC_CONTROL.

b. Fields are added to the particular report through SE11. Enter the structure name of the report and add the fields.

Add the custom fields in the reports through the steps below:

c. Select the report and double-click on Columns. Click on New Entries and add the custom fields.
