Post on 27-Mar-2018
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
Building an SAP Process Control Deployment Plan: Answers to Your Most Frequently Asked Implementation Questions
Steve Toshkoff, Protiviti
In This Session
• Learn the key capabilities and automation areas of SAP Process Control (PC) and come away with the knowledge to frame your implementation plan
• Discover the ideal approach to build a business case for an SAP PC implementation
• See examples of design requirements and scoping considerations for your initial deployment and future rollouts
• Find out the key decision points to consider as you progress through your implementation roadmap
• Understand the security role structure and learn how to leverage standard capabilities
• Walk away with tips and tricks for the configuration of Continuous Control Monitoring (CCM)
What We’ll Cover
• Understanding whether you need SAP Process Control (PC)
• Outlining the core components of SAP PC
• Managing compliance initiatives with SAP PC
• Building a business case for the implementation of SAP PC
• Understanding the typical implementation approach and roadmap
• Outlining implementation considerations and success factors
• Wrap-up
Understanding Whether You Need Process Control
Overall, an internal controls management process can be summarized with the following potential pitfalls:
• Minimal enforcement of control ownership
• Incomplete reporting
• Lack of real-time reporting
• Excessive or inconsistent manual controls
• Time-consuming control testing process
• Difficult to benchmark control data
• Lack of centralization
• Spreadsheet version control of changes
• Lack of automated controls
• Unable to easily demonstrate compliance
Understanding Whether You Need Process Control (cont.)
The central questions to ask when considering an automated control management system should be:
How is the current internal control framework managed? (Manage Controls)
• Is the framework stored in a central location?
• Can changes to the framework be easily identified, tracked, and audited?
• Is a continuous analysis performed on the framework to ensure reliability and scalability?
How is the current internal control framework tested? (Manage Testing Efforts)
• Is the testing documentation stored in a central location?
• Is the framework tested effectively and efficiently?
• Can controls be automatically tested on a continuous basis?
SAP Process Control Overview
What is SAP Process Control (PC)?
• Part of the GRC (Governance, Risk & Compliance) suite of tools
• Resides on the same platform as SAP Access Control (AC)
• Supports the lifecycle of the Internal Controls Framework
• Provides end-to-end management of compliance initiatives (e.g., SOX 404)
What are the Key Automation Areas?
• Workflow-driven changes to organizations, processes and controls
• Workflow-driven manual testing of controls
• Automated monitoring and testing of ERP system controls
• Real-time identification of potential control issues
• Ability for overall compliance reporting and sign-off
SAP Process Control Overview (cont.)
[Diagram: Key Automation areas (Document, Test, Monitor, Certify) alongside Key Functionality]
DOCUMENT
Key Automation: Internal Controls Framework: Organization-Process-Risk-Control
Key Functionality: Centralized and Managed Control Framework
• Automate Compliance Management
• Manage Multiple Compliance Frameworks
TEST
Key Automation: Perform Assessments; Test Automated Controls; Test Manual Controls; IT Infrastructure; Business Processes
Key Functionality: Testing of Controls Framework
• Testing of automated and manual controls
• Automated testing of labor intensive data
• Evaluate control design and control effectiveness
MONITOR
Key Automation: Remediate Issues; Monitor exceptions
Key Functionality: Monitoring and Remediation of Exceptions
• Perform automated, exception-based, monitoring of controls
• Raise and remediate issues via workflows
CERTIFY
Key Automation: Certify and Sign Off (e.g., 404, 302,…)
Key Functionality: Dashboards and Executive Sign-Off
• Easier and consistent quantification of control issues
SAP Process Control Overview (cont.)
Key Functionalities of SAP Process Control
• Documenting Organizational and Compliance Initiatives: Harmonize controls across regulations (multi-compliance framework)
• Planning, Assessing, and Testing Control Effectiveness: Document control testing results by following pre-defined test steps
• Automated Testing – Continuous Control Monitoring (CCM): Automated monitoring of controls, delivering quick exception-based results
• Policy Management: Manage the full lifecycle of policies, including review and acknowledgement
SAP Process Control Internal Control Framework
Key SAP PC master data elements and their relationships
[Diagram: Organization 1, Organization 2; Regulation A, Regulation B; Business Process; Sub Process; Control 1, Control 2; Risk; Evaluation & Testing]
SAP Process Control Internal Control Framework (cont.)
Documentation of control content and assignment of control objects
1. Control Name / Description
2. Control Criticality
3. Control Automation / Purpose
4. Validation Dates / Trigger
5. Control Frequency
6. Test Automation
7. Assign Manual Test Plan
8. Assign Risk to Control
SAP Process Control Manual Test of Control Effectiveness
Manual testing of controls completed by documenting steps/tests and results
1. Testing can be downloaded and populated outside of the system
2. Testing documentation can be uploaded to test results
3. Populate test results
4. If final test result is a “Fail,” the system automatically requires a tester to “Report Issue”
SAP Process Control Overview Continuous Control Monitor (CCM)
CCMs allow for ERP systems to be automatically monitored for potential internal control issues
3 Different Types of Monitoring Controls
‒ Master Data Controls – “preventive and process-driven”
‒ Configurable Controls – “preventive”
‒ Transactional Controls – “detective and process-driven”
• Seamless connection to ERP systems allows for the continuous extraction of data.
• Pre-defined deficiency criteria initiate query-driven monitoring to automatically identify control exceptions.
• Business users assigned to the specific internal controls will be provided “real-time” notifications of control exceptions.
• Automated monitoring can ensure ERP data remains correct, immediately catching improper transactions.
SAP Process Control Overview Continuous Control Monitor (CCM) (cont.)
How does Continuous Control Monitoring (CCM) really work?
Data Source: CREATE ERP CONNECTION
• Create connection to the ERP system (e.g., SAP ECC) to allow for the extraction of data
Business Rule: IDENTIFY EVALUATION CRITERIA
• Identify deficiency criteria to be evaluated for effectiveness, with ability to assign ratings
CCM: CONTINUOUSLY MONITOR CONTROLS
• Assign deficiency criteria to the automated control to initiate continuous monitoring
SAP Process Control Overview Continuous Control Monitor (CCM) (cont.)
What is an example of a CCM?
Order-to-Cash Risk: New customers added to SAP ECC can initiate orders without proper review and approval from Credit or A/R.
Order-to-Cash Control: The default credit limit for a new customer created in SAP ECC is configured at $1, which automatically blocks initial customer purchases contingent on a credit review.
CCM: SAP ECC configuration is automatically and continuously monitored to ensure users are notified if there’s a change to the assigned default credit limit.
• Data Source: SAP PC extracts the SAP ECC configurable data from the T014 (Credit Control Areas) table.
• Business Rule: SAP PC is configured to review the default risk category and default credit limit automatically assigned to new customer records.
Order-to-Cash Control Issue: The production support team inappropriately removes the default credit limit of $1.
Credit or A/R team is automatically notified of the Order-to-Cash control exception.
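The credit-limit CCM above, sketched as an added Python example (not code from the presentation or from SAP Process Control): an extracted data-source snapshot, a business rule made of rated deficiency criteria, and a monitor that notifies once per newly opened exception. The row field names, area codes, the "NEW" risk category and the High/Medium ratings are constructed assumptions; only the $1 default limit and the Credit / A/R recipients come from the slide.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CreditControlArea:
    """One extracted configuration row (constructed stand-in for the data source)."""
    area: str
    default_risk_category: Optional[str]
    default_credit_limit: Optional[Decimal]


@dataclass(frozen=True)
class Criterion:
    """One deficiency criterion of the business rule, with its assigned rating."""
    name: str
    rating: str
    is_deficient: Callable[[CreditControlArea], bool]
    observed: Callable[[CreditControlArea], object]


@dataclass(frozen=True)
class ControlException:
    area: str
    criterion: str
    rating: str
    observed: str
    notify: str


# Assumed baseline: the $1 default limit is from the slide; the risk
# category value "NEW" is a constructed placeholder.
EXPECTED_LIMIT = Decimal("1")
EXPECTED_RISK_CATEGORY = "NEW"

BUSINESS_RULE = [
    Criterion("default credit limit differs from 1", "High",
              lambda r: r.default_credit_limit != EXPECTED_LIMIT,
              lambda r: r.default_credit_limit),
    Criterion("default risk category changed", "Medium",
              lambda r: r.default_risk_category != EXPECTED_RISK_CATEGORY,
              lambda r: r.default_risk_category),
]


class ContinuousControlMonitor:
    """Evaluates each extraction and returns only newly opened exceptions."""

    def __init__(self, rule: List[Criterion], notify: str) -> None:
        self.rule = rule
        self.notify = notify
        self.open: Set[Tuple[str, str]] = set()

    def run(self, rows: Iterable[CreditControlArea]) -> List[ControlException]:
        raised: List[ControlException] = []
        still_open: Set[Tuple[str, str]] = set()
        for row in rows:
            for crit in self.rule:
                if not crit.is_deficient(row):
                    continue
                key = (row.area, crit.name)
                still_open.add(key)
                if key not in self.open:  # notify once per open exception
                    raised.append(ControlException(
                        row.area, crit.name, crit.rating,
                        repr(crit.observed(row)), self.notify))
        # Remediated items drop out here, so a later regression re-notifies.
        self.open = still_open
        return raised


def demo() -> List[List[ControlException]]:
    monitor = ContinuousControlMonitor(BUSINESS_RULE, notify="Credit / A/R")
    # Constructed snapshots: two credit control areas at the expected baseline.
    baseline = [CreditControlArea("1000", "NEW", Decimal("1")),
                CreditControlArea("2000", "NEW", Decimal("1"))]
    # Constructed change: the default limit on area 1000 has been removed.
    changed = [CreditControlArea("1000", "NEW", None),
               CreditControlArea("2000", "NEW", Decimal("1"))]
    return [monitor.run(s) for s in (baseline, changed, changed, baseline, changed)]


if __name__ == "__main__":
    for number, exceptions in enumerate(demo(), start=1):
        print(number, exceptions)
```

Tracking open exceptions between runs keeps a continuously scheduled check from sending the same notification on every extraction while the deficiency is still unremediated.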
SAP Process Control Overview Policy Management
Policy Lifecycle Management functionalities
Create & Document Policy
• Centrally document and define policies in a policy library
• Separate policies by organizations and processes
Review & Approve Policy
• Workflow support to review and approve policies
• Determine the relevant recipients per policy and organization
Publish & Distribute Policy
• Workflow support to distribute policies across the organization
• Receive confirmation on acknowledgement of policies
Monitor Policy Effectiveness
• Monitor policy acknowledgement
• Measure policy understanding using quizzes and surveys
Report on Policies
• "Out-of-the-box" online reports on policy and policy status
• Review policies linked to controls
Types of roles that can be defined for the management of policies
• Policy Owner: Maintains access to the overall policy in SAP PC
• Policy Approver: Receives the workflow to review and approve policy versions in SAP PC
• Policy Recipients: Receive policy in email outside of the system and send acknowledgement
• Policy Viewer: Can view the overall status of policies
• Policy Viewer: Can view policy acknowledgement and survey results
Managing Compliance Initiatives
Key Elements in Managing Compliance Initiatives
Management of Controls Framework
• Organizational Master Data Structure
• Repository of Internal Controls
Assessment of Controls Framework
• Design Assessments of Sub-Processes and Controls
• Control Self-Assessments
Testing of Controls Framework
• Manual and Automated Testing of Control Effectiveness
• Continuous Control Monitoring (CCM)
Reporting and Compliance Certification
• Control Framework Reporting
• Certification and Sign-off
Managing Compliance Initiatives (cont.)
Key Elements in Managing Compliance Initiatives: Management of Controls Framework
• Create a unified repository of all risks and controls that can be shared across different organizational units
• Design an organizational hierarchy which aligns with all compliance initiatives and regulations to be managed in SAP Process Control
• Leverage G/L Account Groups to connect the controls with financial reporting requirements
Managing Compliance Initiatives (cont.)
Key Elements in Managing Compliance Initiatives: Assessment of Controls Framework
• Allow Control Owners to evaluate their own controls by sending surveys with questions to be answered and identify issues prior to executing formal test of effectiveness
• Perform top-down risk assessments, such as materiality analysis or control risk assessment
• Allow Internal Audit, Compliance, or Control Owners to conduct periodic assessments of the design and structure of processes, sub-processes, and controls
Managing Compliance Initiatives (cont.)
Key Elements in Managing Compliance Initiatives: Testing of Controls Framework
• System-initiated automated testing of control effectiveness on a pre-determined schedule, with notifications to Internal Audit of possible control exceptions
• Enable Control Owners to automate the system monitoring and analysis of control data using system-driven rules by leveraging Continuous Control Monitoring (CCM)
• Allow Internal Audit to conduct periodic manual testing of control effectiveness using pre-defined test plans, which include test steps with pass/fail ratings
Managing Compliance Initiatives (cont.)
Key Elements in Managing Compliance Initiatives: Reporting and Compliance Certification
• Provide external auditors with visibility into control framework and testing efforts related to compliance requirements
• Initiate formal certification and sign-off process; the sign-off begins with the lower organizations and proceeds to the higher organizations in the hierarchy
• Understand overall status of the corporate compliance globally and throughout different business units
Building a Comprehensive Business Case
• COSO 2013 reflects the increased relevance of technology
• Technology can impact how all components of internal control are implemented, including the control management system
• Management may exercise judgment in assessing trade-offs between:
‒ Cost of achieving perfection
‒ Benefits of seeking to operate at various lower levels of performance
• There is no “one-size-fits-all” approach in designing a control management system
Building a Comprehensive Business Case (cont.)
• Implementing Continuous Auditing systems is necessary and important to effectively manage risk and quickly resolve potential issues
• However, there is difficulty in building a business case to implement and deploy a control management system
• It is important to build a business case that:
‒ Includes realistic goals (short-term vs. long-term goals)
‒ Includes qualitative & quantitative drivers
‒ Includes benefits to both Internal Audit and Management
Building a Comprehensive Business Case (cont.)
The ideal approach to build a business case is to use proven methods and leverage benchmarks.
Approach to Building a Business Case:
Set Realistic Goals
• Set short-term goals to include full understanding of all functionalities
• Set long-term goals by outlining step-by-step plan for control system expansion
• Consider if a control re-design is necessary prior to system implementation
Perform Qualitative Analysis
• Great way to communicate intangible benefits (e.g., better reporting, more intuitive use of systems, etc.)
• Great way to outline key functionalities and make the most suitable selection
• No investment and cost consideration
Perform Quantitative Analysis
• Find the right and key value drivers, methodology, and calculations to come up with an accurate and appropriate ROI
• Quick and cost-effective way to benchmark specific improvement opportunities and calculate benefits
Building a Comprehensive Business Case (cont.)
Set Realistic Goals
Short-term goals should be initiated by creating a vision for the tool
• Ensure a thorough understanding of the SAP PC functionalities
• Spend considerable time understanding how SAP PC can fit into your organization
• Determine whether your internal control environment is appropriately managed
• Consider starting with a Pilot implementation or Proof of Concept to evaluate the system
Long-term goals should ensure a detailed roadmap and project plan
• Consider performing a control re-design to increase automated controls
• Determine automated controls which can be migrated to CCMs
• Categorize controls based on level of effort required to implement
• Determine additional functionalities to be implemented and appropriate timing
Building a Comprehensive Business Case (cont.)
Perform Qualitative Analysis
Central repository of all controls, with easy view of changes to organizational structure
• No need to manually track changes to organizational structure and control assignments
• SAP PC can segregate duties for the maintenance and provide “out-of-the-box” reporting for organizational structure and control updates
Real-time notifications of changes to ERP system data and configuration
• No need to wait until testing of automated controls is manually performed during audits
• SAP PC can provide real-time notifications to business users when changes occur in the ERP system
Automated workflow for the manual testing of controls
• No need to manually track testing progress and results in spreadsheets
• SAP PC can provide notifications when testing should be initiated and “out-of-the-box” reporting when testing is completed
Building a Comprehensive Business Case (cont.)
Perform Quantitative Analysis
Example 1 – Re-designing manual controls can lead to tangible cost savings:
Example 2 – Leveraging automated control testing tools can lead to tangible cost savings:
Implementation Approach and Roadmap
Implementation approach and considerations
Identify Strategy and Pilot System
• Define short- and long-term GRC roadmap
• Understand effort and timing required
• Understand value and capabilities implemented
• Establish key metrics
• Develop strategy for master data structure
• Pilot single process (e.g., IT General Controls)
• Limit the number of initial controls configured
Define, Expand, and Test Controls
• Transition to managing the full lifecycle of controls in SAP PC
• Leverage PC for compliance initiatives
‒ Manual and Automated controls
‒ Certifications
• Automate the testing of manual controls by leveraging Continuous Control Monitoring (CCM) functionality
• Consider limiting scope to one regulation (e.g., SOX 404)
• Consider re-designing control framework
Identify Additional Value Areas
• Implement other compliance and regulation areas/structures
• Expand SAP PC use to operational- and fraud-related areas
• Consider additional continuous monitoring functionalities and tools:
‒ Fraud Management
‒ Access Violation Management (AVM)
Implementation Approach and Roadmap (cont.)
Determine the best approach to reduce time, labor, cost, and gain efficiencies
[Diagram: staged roadmap]
Stages: Stage 0 Innovation Strategy; Stage 1 Pilot the System; Stage 2 Document; Stage 3 Test; Stage 4 Manage; Stage 5 Optimize
Other labels: Corporate Strategy; User Requirements; Compliance Roadmap
Questions shown on the roadmap:
• What do we want to innovate?
• Does the concept and system merit full feasibility?
• How can we reduce reliance on manual controls?
• Can manual testing of controls be automated?
• How can we expand further?
• How else can we improve?
Activities shown on the roadmap:
• Create focused strategy; Develop detailed roadmap and vision
• Pilot PC functionalities to understand complexities
• Migrate and continue improving controls framework
• Define test steps; Consider control testing automation
• Continue identifying system improvements; Reduce reliance on manual controls
Implementation Considerations Design Requirements
Key Design Requirements to be Considered before Implementation
• Master Data Planning: Spend considerable time on planning your master data (e.g., regulations, organizations, etc.) for future sustainability. Consider overall nomenclature when structuring your Master Data.
• Unique Control Classifications: If there is a unique requirement for control classification, consider leveraging an existing field that your company is not using. Most drop downs/radio buttons are configurable.
• Phased Automated Testing Rollout: Consider a phased rollout of automated controls beginning with the most manual SOX/Financially relevant controls. There is a learning curve for users, so start with a “quick wins” deployment to ensure buy-in.
• Continuous Control Monitoring (CCMs): Leverage Continuous Control Monitoring (CCMs) to reduce manual IT Configurable Control (ITGC) testing efforts. Consider the time and effort required to implement every type of CCM; there are limitations.
• Transport Functionality: Consider the values of system copies and use of transport functionality, ensuring an effective change management process is in place.
• Integrate Access Control and Process Control: Discontinue use of the SAP AC Mitigating Control library and utilize SAP PC controls to mitigate SAP AC risks. The Control Test of Effectiveness will ensure a mitigating control can actually be relied upon.
Implementation Considerations Scoping Considerations
Consider the following additional scoping considerations that are significant time and cost drivers of SAP Process Control implementations:
• Number of automated and manual controls configured
• Complexity of automated controls to be configured
• Number of design and self-assessments to be built / migrated
• Internal control master data to be built / migrated (e.g. processes, control objectives, tests, risks, etc.)
• Number of organizational, regulation, accounting hierarchies utilized and configured
• Number of custom queries for CCMs
• Number of custom security roles to be created
• Amount of expected workflow customization
• Number of policies to be built / migrated
• Number of customer-defined fields
Implementation Considerations Key Roles and Responsibilities
[Diagram: roles surrounding SAP Process Control]
• Business Users/Control Owners: Help define relevant risks, controls, and remediation strategy for the various business areas
• Functional and Technical Team: Provide expertise and assist with the implementation, documentation, and issue resolution
• Compliance/Internal Audit Team: Steer the project and ensure risk and control processes meet audit requirements
• IT Basis/Technology Team: Responsible for technical tasks pertaining to the implementation and infrastructure support
• SAP Process Control Administrator: Responsible for ongoing configuration and administration of the SAP PC system
Implementation Considerations Key Roles and Responsibilities (cont.)
Remember to consider an Administrator for the SAP PC system
• SAP Process Control Administrator: Responsible for ongoing configuration and administration of the SAP PC system
Implementation Considerations Security Roles Design
It is important to review the user access security roles for SAP Process Control. Unlike designing SAP ECC security roles, there are additional layers of access that should be considered.
Key Security Roles Considerations
1. Back-end Security – Users must have the appropriate authorization objects and values assigned to complete PC functions, which also affects and controls the specific views within PC.
2. Workflow Events Configuration – To enable successful workflow-driven scenarios, workflow events need to be configured to determine the appropriate recipients of SAP Process Control business events. User roles must be mapped to configured workflow events to determine the sequence of steps to evaluate continuous monitoring results or other types of assessments.
3. Organizational and Process Master Data Configuration – User ownership and responsibilities must be maintained in master data elements (organization, process, control, etc.) with the SAP Business Client (BC).
Implementation Considerations Security Roles Design (cont.)
The process below should be followed to ensure an optimal security role structure is designed
1. Create security roles: Leverage standard SAP PC security roles, which are job-based and align with the organizational/regulation mapping
2. Create workflow business events: Leverage standard workflow business events, unless there are requirements such as tertiary reviews
3. Assign security roles to the business events: Leverage standard assignments; however, if changes are required, make the appropriate assignments to security roles
4. Assign users in the Organizational Master Data Elements: Assign the business user IDs to the appropriate area in the master data structure (e.g., Organization, Process, Control, etc.)
5. Assign User IDs the security roles: Assign the business user IDs to the appropriate security role containing the right job-based authorizations
Implementation Considerations Security Roles Design (cont.)
Although SAP has pre-configured security components, there are still some gaps
[Diagram: the five steps below, each marked as either “Components to be Assigned” or “Pre-Configured Components”]
1. Create security roles
2. Create workflow business events
3. Assign security roles to the business events
4. Assign users in the Organizational Master Data Elements
5. Assign User IDs the security roles
• Ensure an understanding of the overall vision of the tool to identify required security updates
• Critical to hold detailed blueprint design sessions to identify all user responsibilities
• Important to understand and map how users will interact and use the tool
Implementation Considerations Security Roles Design (cont.)
Consider the pre-configured components of the business events below when assigning individuals to the specific organizational elements
Pre-Configured Receivers of Control Tests
• Manual Test of Control Effectiveness: Automated Tests N/A; Semi-Automated Tests N/A; Manual Tests Control Tester
• Automated Test of Control Effectiveness: Automated Tests Sub-process Owner; Semi-Automated Tests Control Tester; Manual Tests N/A
• Continuous Control Monitoring (CCM): Automated Tests Control Owner; Semi-Automated Tests Control Owner; Manual Tests N/A
Pre-Configured Receivers of Assessments
• Sub-process Design Assessment: Perform Sub-Process Owner; Review Process Owner
• Control Design Assessment: Perform Control Owner; Review Sub-Process Owner
• Control Self-Assessment: Perform Control Owner; Review Sub-Process Owner
Implementation Considerations Continuous Control Monitor (CCM)
CCM Configuration Tips & Tricks
Data Source
• Tip: Should be linked to data with similar business functions
• Importance: Allows for one Data Source to be leveraged by multiple Business Rules
• Limitation: Only five SAP ECC table joins can be assigned in a data source
Business Rule
• Tip: Keep descriptions to no more than 74 characters in length
• Importance: Allows for quick understanding and analysis of deficiency in the work inbox
• Limitation: “Pooled” or “Cluster” SAP ECC tables can be monitored individually, but cannot be joined
CCMs
• Tip: Controls relying on SAP ECC change logs should ensure table logging is activated
• Importance: Allows for real-time review of configurable controls changes
• Limitation: Only ten business rules can be assigned to a CCM
Implementation Success Factors
Successful SAP Process Control implementations start with “Quick Wins.” A common mistake is to pursue an initial scope that is too large, resulting in a long project which loses momentum and organizational focus.
• Focus on utilization of standard features and reports where possible
• Identify a Pilot business process or compliance area to be the focus of the initial implementation
• Pilot basic control management and assessment across a modestly sized user population
• Tackle high impact/low effort remediation or improvements first
Implementation Success Factors (cont.)
Once the foundation is in place, it provides a platform to work toward the enhanced benefits that can be achieved through a full deployment of the solution. The extended benefits include items such as:
• Increased number and complexity of automated controls
• Decreased reliance on manual testing of automated controls
• Increased use of custom dashboards and reports
• Higher effort improvements and remediation
Implementation Success Factors (cont.)
An organization’s efficiency depends on the complete alignment of processes, systems and people with each other. If one element falls short, the remaining two cannot make it up.
Ensure your SAP Process Control implementation and roadmap encompass all three areas:
• People: Communication; Change Readiness; Dedicated Resources
• Technology: Design & Development; End-User Training; System Implementation
• Process: Design & Development; Process Standardization; Control Ownership
Where to Find More Information
• http://help.sap.com/pc
SAP Process Control 10.1 on the SAP Help Portal
• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/Unlocking-Value-Continuous-Monitoring-Control-Automation-Capabilities-SAP-Process-Control-Protiviti.pdf
“Unlocking the Value of Continuous Monitoring and Control Automation Capabilities in SAP Process Control” (Protiviti, 2014).
• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/SAP-FinProcessOptimization-whitepaper-Protiviti.pdf
“Keeping SAP Financial Processes Compliant” (Protiviti, 2015).
• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/GRC-platform-considerations-whitepaper-Protiviti.pdf
“Governance, Risk and Compliance Platform Considerations” (Protiviti, 2015).
7 Key Points to Take Home
• Identify controls and processes to automate and determine expected ROI
• Build a solid foundation by creating an innovation/implementation strategy
• Plan a pilot implementation and define appropriate scope for future rollouts
• Plan the organizational master data design or migration from legacy tool
• Assess the complexity of implementing different types of controls
• Evaluate the security scope/requirements and make adjustments
• Track progress, adjust scope where necessary, and continue to expand
Your Turn!
How to contact me:
Steve Toshkoff
steve.toshkoff@protiviti.com
www.linkedin.com/in/steve-toshkoff-bba9b530
Please remember to complete your session evaluation