SAP GRC Interview Questions and Answers

Q1. What is the use of SAP GRC?

Ans: SAP Governance, Risk and Compliance (GRC) enables an organization to manage its regulations and compliance and to remove risk from the handling of the company's key operations. As market conditions change, organizations grow and change rapidly, and informal documents and spreadsheets are no longer acceptable to external auditors and regulators.

Q2. What are the different activities that you can perform in SAP GRC?

Ans: SAP GRC helps an organization manage its regulations and compliance. You can perform the following activities:

Easy integration of GRC activities into existing processes and automation of key GRC activities.

Lower complexity and more efficient handling of risk.

Improved risk management activities.

Managing fraud in business processes and audit management effectively.

Organizations perform better and can protect their value.

The SAP GRC solution consists of three main areas: analyze, manage and monitor.

Q3. What are the different GRC modules you have worked on?

SAP GRC Access Control

SAP GRC Process Control

SAP GRC Risk Management

SAP GRC Audit Management

SAP GRC Fraud Management

GRC Global Trade Services

Q4. What are the key activities under SAP GRC Access Control?

Ans: To mitigate risk in an organization, risk control must be performed as part of compliance and regulatory practice. Responsibilities must be clearly defined; managing role provisioning and managing access for superusers is critical for managing risk in an organization.

Q5. How is Process Control different from Access Control in SAP GRC?

Ans: SAP GRC Process Control is used to monitor tasks and reports in real time. You can generate the compliance status of the controls in place according to the business processes, and align business processes to perform risk prevention and mitigation.

Q6. What is the use of GRC Risk Management?

Ans: SAP GRC Risk Management lets you manage risk management activities. You can plan in advance to identify risks in the business and implement measures to manage them, which helps you make better decisions that improve the performance of the business.

Q7. What are the different types of Risk?

Risks come in many forms:

Operational Risk

Strategic Risk

Compliance Risk

Financial Risk

Q8. What is SAP GRC Audit Management?

Ans: This is used to improve the audit management process in an organization by documenting artifacts, organizing work papers, and creating audit reports. It integrates easily with other governance, risk and compliance solutions and helps organizations align audit management policies with business goals.

Q9. What is SAP GRC Fraud Management?

Ans: The SAP GRC Fraud Management tool helps organizations detect and prevent fraud at an early stage, thereby minimizing business loss. Scans can be performed on large volumes of data in real time with greater accuracy, and fraudulent activities can be easily identified.

Q10. What are the key capabilities of the Fraud Management module?

Ans: SAP Fraud Management software can help organizations with the following capabilities:

Easy investigation and documentation of fraud cases.

Increased system alerting and responsiveness to prevent fraudulent activities from happening more often in future.

Easy scanning of high volumes of transactions and business data.

Q11. What is Global Trade Services?

Ans: SAP GRC GTS software helps organizations enhance cross-border supply within the limits of international trade management. It helps in reducing the risk of penalties from international trade regulation authorities.

It offers a centralized international trade management process with a single repository for all compliance master data and content, regardless of the size of an organization.


Q12. Is it possible to lock all of the users at the same time in an SAP system?

Ans: Yes, using T-code EWZ5.

Q13. What is an authorization object and an authorization object class?

Ans: Authorization objects are groups of authorization fields which are used to regulate activities in an SAP system. All the objects come under an authorization class and are grouped by different functional areas like Finance, Accounting, and so on.

Q14. How do you perform user authorization in an SAP system using GRC Access Control?

Ans: SAP GRC Access Control uses UME roles to control user authorization in the system. An administrator can use actions, which represent the smallest entity of a UME role that a user can use to build access rights.

One UME role can contain actions from one or more applications. You assign UME roles to users in the User Management Engine (UME).

Q15. What is UME and how does it work?

Ans: UME is the User Management Engine. When a user does not have access to a certain tab, the tab will not appear upon user logon when the user tries to access it. Only when a UME action for a tab is assigned to that specific user will he be able to access that feature.

All available standard UME actions for CC tabs can be found in the tab "Assigned Actions" of the Admin User.

Q16. What are the CC roles that may be created at the time of implementation?

Description: Compliance Calibrator Display and Reporting

Description: Compliance Calibrator Rule Maintenance

Description: Compliance Calibrator Mitigation Maintenance

Description: Compliance Calibrator Administration and Basis Configuration

Q17. What is Risk Analysis and Remediation under Access Control?

Ans: Risk Analysis and Remediation (RAR)

In GRC Access Control, you can use the Risk Analysis and Remediation (RAR) capability to perform a security audit and segregation of duties (SoD) analysis. It is a tool that can be used to identify, analyze, and resolve risk and audit issues related to regulatory compliance.

Q18. What are the key activities that Process Control shares with Access Control in GRC?

Ans: Access Control and Process Control share the compliance structure in the following areas:

In the Process Control solution, controls are used as mitigation controls in Access Control under the SAP GRC 10.0 solution.

Access Control and Process Control share the same organization.

In Process Control, processes are used as business processes in Access Control.

Process Control and Access Control are integrated with access risk analysis to monitor segregation of duties (SoD).

Q19. What are the different Process Control areas that are shared with Risk Management?

GRC Role Assignment

Process Control planner

Risk Management Planner

Central Delegation

Q20. What is IAM (Internal Audit Management)?

Ans: Internal Audit Management lets you process the information from Risk Management and Process Control for use in audit planning. Audit proposals can be transferred to audit management for processing when required, and audit items can be used to generate issues for reporting. IAM gives you a place where you can perform complete audit planning, create audit items, define the audit universe, and create and view audit reports and audit issues.

Q21. What are the different activities that can be performed under IAM?

Ans: In the Internal Audit Management work center you can perform various activities:

Audit Universe, which contains auditable entities

Audit Risk Rating

Audit planning to define the procedure for audit compliance

Audit issues from audit actions

Audit reports to see what risks exist on auditable entities

Q22. What is an Audit Universe?

Ans: The Audit Universe contains audit entities, which can be classified as business units, lines of business (LoBs) or departments. Audit entities define the audit planning strategy, and they can be linked to Process Control and Risk Management to find risks, controls, and so on.

Q23. What is Audit Risk Rating (ARR)?

Ans: Audit Risk Rating is used to define the criteria for an organization to determine a risk rating and establish a ranking for it. Each auditable entity is rated according to management feedback in ARR. You can use ARR to perform the following:

Find the set of auditable entities and risk factors.

Define and evaluate risk scores for each risk factor in every auditable entity.

Rate the auditable entity according to its risk score.

You can also generate an audit plan from ARR by comparing the risk ratings of different auditable entities, selecting the auditable entities with high risk ratings, and generating an audit proposal and an audit plan proposal.

Q24. What is the use of the Reports and Analytics Work Center in GRC?

Ans: The Reports and Analytics Work Center is shared by Process Control, Risk Management and Access Control. The Process Control Reports and Analytics work center includes the Compliance section in the GRC application.

Q25. What are the different reports under Process Control?

Ans: In the Compliance section, you can create various reports under Process Control.

Evaluation Status Dashboard

Shows a high-level picture of the overall status of corporate compliance across different business entities and provides analytics and drilldown capabilities to view data at different levels and dimensions.

Survey Results

Displays the results of surveys.


Provides comprehensive information on master data, evaluation, and remediation activities for subprocesses and controls.

Q26. What is SoD Risk Management?

Ans: In every organization, segregation of duties (SoD) risk management must be performed, starting from risk recognition through rule building and validation and various other risk management activities, in order to achieve continuous compliance.

According to the different roles, there is a need to perform segregation of duties in the GRC system.

Q27. Based on SoD, what are the common roles and their key responsibilities?

Ans: Business Process Owners

Identify risks and approve risks for monitoring.

Approve remediation involving user access.

Design controls to mitigate conflicts.

Communicate access assignments or role changes.

Perform proactive continuous compliance.

Senior Officers

Approve or reject risks between business areas

Approve mitigation controls for selected risks

Security Administrators

Assume ownership of GRC tools and the security process

Design and maintain rules to identify risk conditions

Customize GRC roles to enforce roles and responsibilities

Analyze and remediate SoD conflicts at the role level


Perform risk assessment on a regular basis

Provide specific requirements for audit purposes

Perform periodic testing of rules and mitigation controls

Act as liaison with external auditors

SoD Rule Keeper

Perform GRC system configuration and administration

Maintain controls over rules to ensure integrity

Act as liaison between Basis and the GRC support center

Q28. What are the different phases in GRC Risk Management?

Ans: There are various phases in the risk management process:

Risk Recognition

Rule Building and Validation




Continuous Compliance

Q30. What is rule building and validation under Risk Management?


Reference the best-practice rules for the environment

Validate the rules

Customize rules and test

Verify against test user and role cases

Q31. How do you perform risk classification? What is the difference between low, medium and high risk classification?


Risk should be classified according to company policy. There are various risk classifications that you can define according to risk priority and company policy.


Critical classification is used for risks that involve the company's critical assets, which are very likely to be compromised by fraud or system disruptions.


This includes physical or monetary loss or system-wide disruption caused by fraud, loss of any asset or failure of a system.


This includes multiple system disruptions, such as overwriting master data in the system.


This includes risks where the productivity losses or system failures caused by fraud or system disruptions are minimal.
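The SoD analysis that RAR performs (Q17), the rule set it runs (Q26, Q30) and the risk classification above (Q31) can be shown end to end in a small model. This is an added example, not SAP code: the functions, transaction codes, rules, roles, users and the mitigation assignment are constructed for the demo, and every name is an assumption.

```python
# Added example, not SAP code: a minimal SoD risk analysis over a constructed rule set.
from dataclasses import dataclass

# A "function" is a business capability granted by any one of its transaction codes.
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "RUN_PAYMENT": {"F110"},
    "MAINTAIN_USER": {"SU01"},
    "MAINTAIN_ROLE": {"PFCG"},
}
# Rule set: (risk id, function A, function B, classification as in Q31).
RULES = [
    ("P001", "CREATE_VENDOR", "POST_VENDOR_INVOICE", "High"),
    ("P002", "POST_VENDOR_INVOICE", "RUN_PAYMENT", "Critical"),
    ("B001", "MAINTAIN_USER", "MAINTAIN_ROLE", "Critical"),
]
SEVERITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class Finding:
    user: str
    risk_id: str
    classification: str
    functions: tuple   # ((function, [tcodes that enable it]), ...) for the conflict
    mitigated: bool    # True if a mitigation control (Q33) is assigned for this risk

def functions_of(tcodes: set) -> dict:
    """Map each function the user can perform to the tcodes in their access that enable it."""
    return {f: sorted(tcodes & t) for f, t in FUNCTIONS.items() if tcodes & t}

def analyze_user(user: str, roles: list, role_tcodes: dict, mitigations: dict) -> list:
    """Evaluate every SoD rule against the union of the user's role contents."""
    tcodes = set().union(*(role_tcodes.get(r, set()) for r in roles))
    enabled = functions_of(tcodes)
    return [
        Finding(user, risk_id, cls, ((fa, enabled[fa]), (fb, enabled[fb])),
                (user, risk_id) in mitigations)
        for risk_id, fa, fb, cls in RULES if fa in enabled and fb in enabled
    ]

def analyze(users: dict, role_tcodes: dict, mitigations: dict) -> list:
    """Run the rule set over all users; most severe findings first, then by user."""
    found = [f for u, roles in users.items()
             for f in analyze_user(u, roles, role_tcodes, mitigations)]
    return sorted(found, key=lambda f: (SEVERITY[f.classification], f.user, f.risk_id))

# Constructed sample data: role contents, user-role assignments, one documented mitigation.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK01"},
    "Z_TREASURY": {"F110"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM18"},
}
USERS = {"ALICE": ["Z_AP_CLERK"], "BOB": ["Z_AP_CLERK", "Z_TREASURY"], "CAROL": ["Z_BASIS_ADMIN"]}
MITIGATIONS = {("BOB", "P002"): "MC-PAY-01"}  # compensating control id, constructed
```

Unmitigated findings are the remediation backlog; a mitigated finding stays visible so the control can be periodically tested, as the auditor role in Q27 requires.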

Q32. You have created a custom role methodology for your firefighter-related security roles. However, when you create a specific firefighter-related security role, the expected methodology is not applied. What could be the reason?

Ans: The BRFplus decision table does not contain the correct condition.

Q33. What is the difference between preventive mitigation controls and detective mitigation controls?

Ans: A preventive mitigation control is used to reduce the impact of a risk before it actually occurs. There are various activities that you can perform under preventive mitigation control:


User Exits


Defining workflow

Custom Objects

Detective Mitigation Controls

A detective mitigation control is used when an alert is received and a risk occurs. In this case, the person who is responsible initiates corrective measures to mitigate the risk.

There are various activities that you can perform under detective mitigation control:

Activity Reports

Comparison of plan vs. actual review

Budget review


Q34. What is the use of Superuser Privilege Management in GRC?

Ans: In SAP GRC 10.0, Superuser Privilege Management needs to be implemented in your organization to eliminate the excessive authorizations and risks that your organization experiences with the current emergency user approach.

Q35. Is it possible for a superuser to act as a Firefighter?

Ans: A superuser can act as a firefighter and has the following additional capabilities:

It can be used to perform tasks outside of their normal role or profile in an emergency situation.

Only certain people (owners) can assign Firefighter IDs.

It allows extended capability to be provided to users while creating an auditing layer to monitor and record usage.

Q36. What is the difference between the Administrator and Owner standard roles under Superuser Privilege Management?

Ans: The following standard roles can be used for superuser privilege management.


Ability to configure Firefighter

Assign Firefighter role owners and controllers to Firefighter IDs

Run Reports


Assign Firefighter IDs to Firefighter users

Upload, download, and view the Firefighter history log

Q37. How do you check Superuser logs?

Ans: Use T-code /n/VIRSA/ZVFAT_V01.

Q38. What are the benefits of using Global Trade Services?

Ans: Below are the key benefits of using Global Trade Services:

It helps in reducing the cost and effort of managing compliance for global trading.

It can ease time-consuming manual tasks and helps in improving productivity.

Reduces the penalties for trade compliance violations.

It helps you create and enhance the brand and image, and avoid trade with sanctioned or denied parties.

Better customer satisfaction and improved quality of service.

It speeds up the inbound and outbound processes by performing customs clearance and also helps in removing unnecessary delays.

Q39. What is the difference between single and derived roles?

Ans: For a single role, you can add/delete transaction codes, while in derived roles you can't add T-codes.

Q40. What do you understand by user buffers?

Ans: The user buffer stores all the authorizations of a user.

Q41. What is the maximum number of transaction codes that can be assigned to a user?

Ans: You can assign 14000 transactions to a role.

Q42. How do you delete old security logs?

Ans: Using transaction code SM18.

Q43. How do you implement firefighter IDs in an SAP GRC system?

Ans: Implementing firefighter IDs involves the following steps:

Create Firefighter IDs for each business process area.

Next, assign the necessary roles and profiles to carry out firefighting tasks.

You shouldn't assign the profile SAP_ALL.

Q44. What do you understand by ruleset? What is default rule set in GRC system?

Ans: A collection of multiple rules is called a rule set. In GRC, we have a default rule set called the Global rule set.

Q45. How do you perform Role modification in SAP system?

Ans: Using the PFCG_TIME_DEPENDENCY background job.

Q46. What is the landscape of a GRC system?

Ans: A GRC landscape has 2 systems:


SAP GRC PRD, and there is no quality system.

Q47. What is the use of segregation of duties in an SAP system?

Ans: SoD is implemented in an SAP system to detect and monitor fraud in business transactions.

Q48. What is the table name that stores illegal password information in an SAP system?

Ans: Table USR40 is used to store all illegal password information.
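USR40 rows are patterns rather than literal passwords: `*` stands for any sequence of characters and `?` for exactly one. The checker below is an added example, not SAP code; the sample rows are constructed, and the case-insensitive comparison is an assumption of this demo.

```python
# Added example, not SAP code: evaluate a candidate password against USR40-style patterns.
import re

def usr40_to_regex(pattern: str) -> re.Pattern:
    """Translate one USR40 pattern: '*' -> any sequence, '?' -> one character."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    # Case-insensitive match is an assumption of this demo, not a documented USR40 rule.
    return re.compile("".join(parts), re.IGNORECASE)

# Constructed sample rows, as an administrator might maintain them in USR40.
FORBIDDEN = ["*PASS*", "*SAP*", "WELCOME??", "INIT*", "123456"]

def matching_patterns(password: str, rows=FORBIDDEN) -> list:
    """Return every row the candidate violates (useful for explaining a rejection)."""
    return [p for p in rows if usr40_to_regex(p).fullmatch(password)]

def is_allowed(password: str, rows=FORBIDDEN) -> bool:
    """A candidate is acceptable only if no forbidden pattern matches it whole."""
    return not matching_patterns(password, rows)
```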

Q49. How do you configure a user to log in to an SAP GRC system?

Ans: You need to assign the following roles to a user to log in to the GRC system:

Portal authorization

Applicable PFCG roles

PFCG roles for Access Control, Process Control and Risk Management

Q50. What are the key capabilities that you can perform using Superuser Privilege Management?

You can allow a Superuser to perform emergency activities within a controlled and auditable environment.

Using Superuser, you can record all the user activities that access higher authorization privileges.

You can generate an audit trail, which can be used to document the reasons for using higher access privileges.

This audit trail can be used for SOX compliance.
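The control flow that Q35, Q43 and Q50 describe for Firefighter IDs (owner-only assignment, no SAP_ALL, a mandatory reason, every transaction logged, a controller who reviews the trail) is modelled below. This is an added example, not SAP GRC code: the classes, method names, users and profile names are constructed for the demo.

```python
# Added example, not SAP code; all names and data are constructed for the demo.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class FirefighterID:
    ffid: str
    owner: str          # assigns the FF ID to users (Q35)
    controller: str     # reviews the audit trail (Q50)
    profiles: set
    assigned_users: set = field(default_factory=set)

@dataclass
class Session:
    ffid: str
    user: str
    reason: str
    started: datetime
    activity: list = field(default_factory=list)  # (timestamp, tcode) pairs
    ended: datetime = None

class FirefighterAccess:
    def __init__(self):
        self.ffids = {}
        self.log = []  # closed sessions form the audit trail

    def register(self, ff: FirefighterID) -> None:
        if "SAP_ALL" in ff.profiles:  # Q43: never put SAP_ALL on an FF ID
            raise ValueError(f"{ff.ffid}: SAP_ALL is not allowed on a Firefighter ID")
        self.ffids[ff.ffid] = ff

    def assign(self, ffid: str, by: str, user: str) -> None:
        if by != self.ffids[ffid].owner:  # only the owner may assign FF IDs
            raise PermissionError(f"{by} is not the owner of {ffid}")
        self.ffids[ffid].assigned_users.add(user)

    def checkout(self, ffid: str, user: str, reason: str, now=None) -> Session:
        if user not in self.ffids[ffid].assigned_users:
            raise PermissionError(f"{user} is not assigned to {ffid}")
        if not reason.strip():
            raise ValueError("a reason is required for emergency access")
        return Session(ffid, user, reason, now or datetime.now(timezone.utc))

    def run(self, s: Session, tcode: str, now=None) -> None:
        s.activity.append((now or datetime.now(timezone.utc), tcode))

    def checkin(self, s: Session, now=None) -> None:
        s.ended = now or datetime.now(timezone.utc)
        self.log.append(s)

    def audit_trail(self, ffid: str) -> list:
        # One row per closed session: who used the ID, why, what ran, and who reviews it.
        return [{"user": s.user, "reason": s.reason, "tcodes": [t for _, t in s.activity],
                 "controller": self.ffids[ffid].controller, "ended": s.ended}
                for s in self.log if s.ffid == ffid]
```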