Xpandion Blog


What’s the best way to become a GRC expert in SAP?


It’s hard to start a career in any field, particularly the highly specialized field of GRC in SAP. The good news is that you know this is a direction you’d like to take. The question is how. 


I recently read this article by Andy Greig from SAP. Basically, the article promotes the SAP education platform by saying, “So what is the best way to involve yourself and train your mind to think like a SAP guru? Through SAP Education offerings!”

This got me thinking.

Now, I don’t know Mr. Greig and I don’t criticize his point of view, but I’d like to offer an alternative answer to the question: how can you become a GRC expert in SAP if you’re starting from scratch?

(By the way, if you’re like many customers who put SAP Authorizations in the same category as SAP GRC, the question can also be: how can you become an SAP Authorization expert if you’re starting from scratch?)

From my involvement in the field, educational knowledge is just not enough if you wish to become a GRC expert in SAP. The secret is experience. Now, you might be nodding your head and saying, “Yeah sure, but knowledge is easy to obtain. How can you obtain experience just as easily if you’re a beginner?”

From watching people who were eager to get into the SAP world (in my case, the SAP authorization world) and succeeded, these are the three takeaways that I found:

1. Find a project

Even if you have to work for a very, very low salary, if you find a good project, it’s probably worth it.

Ensure that you’re in a position where you can be trained and gain experience – but make sure it’s a live project, because being involved in a live project is crucial for your learning curve.

Why are “live” projects so crucial? Just imagine that you’re in the “maintenance” phase of a project that ended two years ago (i.e., not a “live” project). All the SAP authorizations are already set, the Segregation of Duties conflicts are solved or mitigated, and you only need to maintain an SoD rule once in a blue moon or change an authorization every other week. Not so exciting. Not the way to learn. And not a good reason for waiving a normal salary.

Without going through GRC “boot camp” there’s no way you can become a GRC expert in SAP. I can’t express how important this is for your next, or in fact first, serious project. Use your connections, ask for favors, work hard, but get your “first GRC project in SAP” on your resume.

2. Find a mentor

Search out a person who can be your advisor when you have questions or don’t know what to do. It’s better that this person is in a senior position at your organization, but it can also be a professional who’s an expert in the field that you’re interested in.

Great places to look for a GRC mentor are at the Big Four Audit Firms: Deloitte, PwC, Ernst & Young, and KPMG. They all have senior consultants who love to mentor ambitious people.

If you need more pointers, start by listening to this episode about mentoring from “Coffee Break with Game-Changers,” http://www.voiceamerica.com/episode/77292/mentoring-done-right-everybody-wins, with the great host, Bonnie D. Graham.

3. Don’t neglect learning

Just like the blog image says, the common acronym “ASK: Always Seek Knowledge” is good advice here too.

While on the project, try to keep reading books, web articles, Q&A forums and more. These LinkedIn Groups can be very informative and help you network: GRCXchange SAP GRC Network, SAP Security & GRC Consultant’s, Global Corporate Fraud and Compliance Professionals.

By the way, you can use the SAP education platform as mentioned above, but don’t only count on that.

Try to be the smartest, most up-to-date person in your area of GRC, although for your first project and your first year I advise that you just listen.

If you are already a GRC expert in SAP, I would love to hear your best advice on how to get started. Please share it below.

Moshe Panzer is the founder and CEO of Xpandion. He has over 18 years' experience as a recognized SAP expert, having worked as a senior SAP & ERP consultant, project advisor, project leader and development manager for large private corporations worldwide. You can read more about Moshe on Xpandion's Management page.


  • Guest
    SAP Solution Team 27/05/2014

    Hi Moshe,

    This is truly an inspiring article, but I personally believe that it is not that easy to find a project just like that. We are a group of 5-6 people having expertise in areas of SAP BASIS, SAP Security, GRC and IDM. I have been looking for a project for the last 6 months, but I am really clueless how we should get some. Please guide me through this phase, if possible.

    Your help will be greatly appreciated.

    SAP Solution Team

  • Guest
    Moshe Panzer 28/05/2014

    I understand. Finding a good project to kick-start your career can be challenging. Here are my thoughts: first, see if you know someone from the industry and ask for help – this is the best way to start. Then search for jobs at companies that are just starting to implement SAP. Many times system integrators issue press releases announcing that they were chosen for a new SAP implementation at company X – write to the system integrator and to company X. You can also check if there’s an internship program at the corporation itself, the company doing the implementation (Accenture, etc.) or the consulting company (KPMG, Deloitte, etc.). Be ready to compromise on salary, location and job title. Don’t lose hope. It might take 20-30 different tries but eventually it will happen.

