Introduction to Process Controls
Transcript of Introduction to Process Controls
7/18/2019
http://slidepdf.com/reader/full/introduction-to-process-controls
© SAP AG 2005
SAP Solutions for Governance, Risk, and Compliance: Process Controls
End-to-End Compliance Process Management

Phases: Document, Test, Remediate, Analyze, Optimize

Document (Compliance Team & Business Process Owners)
• Document internal control environment (upload, integration, data entry)
• Manage manual & automated controls and tests in a single, integrated system

Test (Control Testers & Internal Audit)
• Perform manual & automated tests (process & access)
• Collect evidence of control effectiveness in a single system for a cohesive view of compliance & risks

Remediate (Compliance Team & Business Process Owners)
• Automatically identify and prioritize issues
• Automatically route cases and document resolution
• Drill directly to source systems for immediate resolution

Analyze (Executives, Controllers, Managers & Auditors)
• Assess status of global compliance activities
• Monetary, quantified analysis of global violations
• Organize audit evidence of control effectiveness

Optimize (Compliance Team & Business Process Owners)
• Compliant change control: prevent process control risks
• Compliant provisioning: create and manage compliant roles
To further highlight the requirement for an integrated compliance management solution, let's walk through the end-to-end processes involved in a complete compliance cycle.
Document
First, the business process owners and compliance team must document the internal control environment. Since they have already created significant documentation in previous years, the system must be able to upload existing documents and set-ups. In addition, the system must be able to define both manual and automated tests and tie them directly to the control documentation.
Test
Next, manual and automated tests must be performed. The advantage of an integrated compliance system for testing is that it can collect the test results and evidence for both manual and automated controls in a single system, making it possible to have a cohesive view of the company's compliance risk profile.
Remediate
For remediation, an integrated compliance system provides significant advantages by automatically routing remediation cases and providing direct drills to enterprise systems for faster resolution. This faster cycle helps to prevent material weaknesses from developing and persisting.
Analyze
Building upon an integrated base of centralized documentation, testing, and remediation, all key audiences gain a cohesive view of compliance activities and results for the entire company. Executives and auditors can use this complete view and access to evidence to support certification and attestation activities.
Optimize
Finally, the integrated compliance system actually optimizes controls by preventing risks from entering enterprise applications. Companies that implement preventive measures such as compliant change control and compliant provisioning will see a reduction in control violations because the risk never enters the enterprise applications they use to run their business.
Integrated is the Best Approach

Complicated Compliance (separate point solutions for Workflow, Automated Controls, Source Systems, Reporting, and Control Documentation)
• Many points of costly custom integration
• Lacks flexibility and auditability for evolving business and compliance requirements
• Limited visibility: too many systems and no source drills

Integrated GRC
• Integrated, end-to-end GRC foundation
• Flexible, configurable setup with complete audit trails
• Cohesive visibility into compliance and risks across the global enterprise, drill to details

Architecture diagram (SAP Solutions for GRC): Business Process Platform; Business Applications (Business Processes); Industry-Specific GRC; Cross-Industry GRC comprising Risk Management, Access Control, Process Controls, and Global Trade Environment; GRC Repository: Documentation and Monitoring
Point solution partnerships actually complicate compliance and, even with the best partnerships, they absolutely cannot provide coverage for the end-to-end compliance process.

Let's take the OpenPages example to illustrate what we mean.

The OpenPages application delivers document management capabilities, primarily used for manual control management.

They partnered with several automated controls point solutions, such as ACL, to manage ERP controls.

These automated controls solutions provide data query connections to the source systems. But, let's be clear: there is no direct integration with these systems; they simply query and analyze data offline.

As AMR points out, Business Process Management is a key component of the compliance process. OpenPages partners with Fujitsu for this capability, but keep in mind that they actually apply workflow to very few processes in their system.

And, finally, we all know the end goal for executives is to analyze exceptions and provide confidence in the effectiveness of controls. OpenPages also partners for this key functionality, primarily with Cognos.

But it gets worse. You can see that already the total cost of ownership is going through the roof because all of these applications have to have customer

What organizations have to contend with are many separate solutions that each address part of the financial compliance process. This results in many points of costly custom integration, making it difficult to respond to evolving requirements and to have the transparency needed. We're offering the market an alternative to that piecemeal approach: a holistic integrated foundation for Governance, Risk, and Compliance.
SAP Solutions for GRC Process Controls
• Comprehensive documentation capabilities
• Complete support for both manual and automated control assessment and testing
• Automated remediation management with direct drill-down to case

(Same architecture diagram as the previous slide, with Process Controls highlighted within Cross-Industry GRC.)
Comprehensive Design and Documentation
• Minimize fragmentation with a single repository for GRC records
• Increase accuracy and business transparency with a common GRC catalog

Common GRC records (diagram): Objective, Remediation Case, Control Framework, Manual & Automated Tests, Process, Account, Risk

• Ensure consistency in GRC approach and enable shared understanding
• Reduce redundant efforts and resources spent on multiple GRC requirements
This single system of record, called the GRC repository, will be used to document and monitor all
controls across the organization – regardless whether they are manual or automatic controls. It ensures
a consistent approach to managing risk and control activities, minimizing fragmentation to enable a
shared understanding of corporate objectives and alignment with day-to-day operations. All
governance, risk, and compliance elements including frameworks, policies, processes, risks, controls,
test plans, applications, systems, remediation cases, evidence, and more, are centrally managed in a
single common repository.
The GRC Foundation will expand the repository to include other aspects of governance, risk and
compliance such as Enterprise Risk Management (ERM) and the access suite.
Control Design and Documentation
• Set up internal control environment
• Assign & distribute manual tests
• Remediate failed manual tests
Single System of Record – Control Creation
• Creates complete control environment, including organizations, business processes, subprocesses, risks, control objectives, and financial statement accounts
• Selects controls that contribute to financial quantification of risk for executive reporting
• Creates and links both manual & automated control tests in a single application
• Assignment of test plan and test step owners
• Assignment of compliance information (financial and non-financial assertions)
• Assignment of organizations
Main point: Process Controls provides a centralized repository to manage control design and
documentation across the enterprise in a single environment. You can define organizations, processes,
risks, controls, and test plans all in one place, providing seamless integration between controls
documentation, testing, and remediation activities.
Single System of Record – Assign Test Plan & Test Step Owner
Test plan owner and test step owner assignment automatically delivers work to the assigned tester by email and via the Inbox.
Routes Tasks to Manual Control Testers
• Delivered workflow task to assigned tester via Inbox
• Guides testers through control tests and progress, drills to details
My Tasks provides a list of work to be performed specific to each user.
Guides Manual Control Tests to Completion
This is a test of effectiveness to be performed. The test step owner (tester) has performed the test,
added comments and may also attach documents as evidence.
Fast Drill-Down to Workflow Tasks via the Inbox
From each user’s Home Page, the user can easily see work to be done (My Tasks and My Cases). Also
presented is a graphical look at control status as well as a list of control tests including drill-down to
related remediation cases, if any.
Fast Drill-Down to Cases via the Inbox
• Automatically generates and prioritizes remediation cases
Main point: Process Controls provides an efficient process for remediating and reporting control
exceptions: the solution identifies the violation and automatically generates a case and alert, enabling
customers to drill down to the root cause in the ERP system to perform the remediation.
Case Trail and Status Tracking During Case Remediation
• Maintains complete audit trail of resolution: contributors, date/time stamp, attachments, …
Process Control – Additional Functions: Surveys
Survey – Generic Survey Questions
• Generic survey questions can be maintained
Survey questions can be organized by the category and desired frequency of the survey. Questions can
be reused or copied, and each survey question has an answer type (e.g., Y/N/NA, rating 1-5, text) plus
an indication of what constitutes a negative response.
Survey – Generic Survey Questions
• Re-usable surveys based on the question library can be easily created
Surveys are set up and include questions from the Question Library. Each survey may be set to require
review (or not).
Process Control – Additional Functions: Upload Interface
Single System of Record
• Spreadsheet-based utility uploads from a tab-delimited source file
Our customers will often have process catalog information (aka risk and control matrices) in Excel or
in another system that can export to Excel. We provide an upload utility to enable upload from
properly formatted tab-delimited source files.
Support for Manual and Automated Controls

Hierarchy of Controls (in order of improving efficiency & effectiveness):
• Manual detective controls
• Manual preventive controls
• Automated detective controls
• Automated preventive controls
SAP GRC Process Control supports both automated and manual controls, but it is the goal of most
companies to increase the number of automated controls—especially automated preventive controls—
which generally require less testing and can be part of automated control monitoring activities. Process
Control 2.0 helps support that effort by providing out-of-the-box rules to test common automated
controls in SAP.
Automated Controls Enforce Corporate Policies
• Set up control values in source systems
• Document and configure automated process control tests
• Remediate failed automated tests
Multiple Controls: Automatically Create & Test Thousands of Controls

A master control can be applied to any form, tab or field, using these rule types:
• Check that control value exists
• Monitor changes to control
• Monitor change frequency
• Apply absolute value threshold
• Apply percentage threshold
• Hide / Disable / Query Only

Example questions from the slide:
• Do all vendors have payment terms specified?
• Has the double invoice control changed? How often?
• Have any vendors exceeded exchange limits?
Main point: Process Controls employs the concept of centrally creating, monitoring, and testing controls applied to multiple fields, tabs, and forms in the ERP system. You can test literally thousands of controls in real time with Process Control.

To illustrate, we've provided an example applicable to the procure-to-pay business process. The company has set up a combination of controls for different fields.

This company wants to ensure that all procurement vendors have been assigned payment terms, so they can set up a control to test for the existence of payment terms (or require entry in the field) for all vendors.

This company also wants to ensure that the double-invoice check control is in place and that it is not being changed frequently to circumvent it. For this field, they monitor both changes and the frequency of changes.

Finally, they also want to ensure that no vendors have exceeded exchange limits. They use the threshold-monitoring controls for that purpose.

Virsa Process provides "master controls," which means that each control can actually monitor dozens of different fields and multiple parameters for each field. This includes monitoring for the existence of a value, whether the value has been changed and the number of times it has been changed, monitoring for thresholds by absolute value or percentage, and hiding, disabling, or granting query-only access to a particular item. With master controls, thousands of individual controls and tests can be easily configured. The SAP-delivered rule types include existence, control changes, number of control changes, and absolute value and percentage thresholds.

The set of controls delivered with Process Controls are those that have a direct impact on financial reporting: P2P controls for monitoring cash going out, O2C controls for monitoring cash coming in, and financial operations controls for monitoring accounting and reporting.
Set Up Control Values in Source Systems
• Example control value: graduated discount schedule based upon date of invoice payment from vendors
Single System of Record
• Delivers configurable business process controls for leading enterprise applications
• Step-by-step rule designer eases and speeds set up
Deploys Automated Business Process Controls
• Delivers configurable business process controls for leading enterprise applications
• Selects automated controls by business process: Procure to Pay, Order to Cash, Report to Reconcile
• Code-free link of automated controls saves time and improves effectiveness of risk analysis
• Integrates and automates control documentation, test execution, remediation, analysis, and ongoing change management
• Selects rule criteria to use with automated control tests for optimal flexibility

Sample criteria:
• Company Code
• Fiscal Period or Number of Days
• General Ledger Account
• Accounting Documents (journals, invoices, etc.)
• Order Documents (sales orders, purchase orders)
End-to-End Compliance Process Management for Automated Controls
• Identifies violations
• Automatically generates and prioritizes remediation cases
• See root cause in source systems for immediate resolution of set-up and configuration issues
• Maintains complete audit trail of resolution: contributors, date/time stamp, attachments
Expanded Process Control Management
Q4 2006: SAP GRC Process Control (V2.0)

Control Documentation
• Spreadsheet-based upload for easy setup of master data
• Link control documentation to manual and automated control tests
• Flexible integration framework for document management systems
• Native document management capabilities

Manual Control Testing
• Define manual controls and tests
• Provide guided testing procedures through workflow
• Attach completed workpapers for evidence
• Capture monetary risk quantification for failed tests

Automated Process Control Testing
• Assign same control to multiple organizations
• Custom query builder allows ad-hoc automated control creation
• Support for pre-existing custom controls
• Expanded out-of-the-box process controls for SAP

Remediation Case Management
• Central remediation and resolution workbench for both manual and automated controls
• Incident notification and escalation through workflow
• Utilities to attach evidence and remediation workpapers
• Audit trail and change history records
• Multi-level drills to remediation and control violation details

Management Certification
• Flexible creation & deployment of surveys for control design, process design, & entity-level controls
• Business process review and approval
• Section 302 and 404 certification

Reporting and Optimization
• Analyze regional risks with Global Violations Heatmap
• Analyze organizational risks by drilling down to lower levels
• Analyze business process risks
• Drill to related control tests and remediation cases
• Dashboards for management, auditors, and administrators
Copyright 2007 SAP AG. All Rights Reserved