Why does GRC action usage stats show usage of transactions that are not available to the user?

The GRC action usage job reads STAD data. STAD includes dialog and non-dialog (update) processes of transactions called indirectly through the start transaction. Non dialog processes may not necessarily require the user to have access to the indirectly called transaction. These non dialog calls will NOT appear on the security audit log but will appear on STAD. This is not to be confused with DIALOG processes that appear on the security audit log but are not available to the user auth buffer, in these instances the check on the called transaction has been disabled (transaction SE97) per business requirements.