Step 2: Optimize Internal Control Framework
Protiviti has identified four key steps that organizations can take to improve their overall control environment and receive the benefits mentioned below. Each of these steps will be a focus in this four-part blog series. Step 1 covered analyzing configuration and processes. In this post, we review optimizing the internal control framework, why it is important, and a case study of defining a controls framework at a national high tech and consumer products company.
Protiviti’s four steps to improving the SAP control environment
- Analyze configuration and processes – Identify and gain an understanding of the ERP ecosystem landscape (e.g., SAP instances and versions, Ariba, Concur, etc.), the business processes that utilize SAP, and their current control environment (e.g., manual controls, automated controls, key system-based reports, etc.).
- Optimize internal control framework – Optimize and formalize the controls based on the results of the organization’s controls assessment.
- Implement internal control governance processes – Implement governance processes for control ownership and management to keep controls updated and consistent.
- Enable intelligent SAP control automation – Map automated control configuration opportunities to the identified control strengths, gaps and improvements as indicated in the steps discussed in this blog.
Optimize internal control framework
During this stage, organizations should prioritize the results of their controls assessment completed in Step 1 and determine which controls to automate. Controls that are unable to be automated can also be improved through further specification or reliance on system-generated data. These enhancement opportunities should be prioritized based on a cost/benefit analysis with additional consideration for the potential risk (operational, strategic, reputational and/or compliance) of not establishing or enhancing controls.
For reference, organizations should strive to automate up to 70 percent of their internal control framework (automated and semi-automated) with the remaining 30 percent of controls being manual in nature (with reliance placed on system-generated data wherever possible).
The controls optimization plan should help to determine:
- Manual controls that can be replaced with automated controls
- Configurable controls that should be turned “on,” optimized or otherwise updated
- Control framework adjustments – e.g., updates to control definitions, elimination of redundant controls, consolidation of controls that can address multiple compliance requirements (one test for multiple controls), etc.
- Controls that should be centralized (e.g., vendor master data controls, which are typically utilized by multiple departments) and controls that should be defined locally (e.g., by company code, plant, etc.)
This process is equally important for organizations conducting an ERP version upgrade (i.e. SAP ECC to SAP S/4HANA) as it is for companies implementing their first ERP system, due to potential changes in business processes, the risk environment and automated control behavior in the new or upgraded system. Some examples of new S/4HANA critical control configurations include:
- Addition of the ‘universal journal’ concept for FI document postings requires additional controls to restrict access, such as assignment of table authorization group, etc.
- Credit management in S/4 SCM (supply chain management) is replacing legacy ECC FI credit checking functionality, which takes credit management out of core ECC modules and relies on SCM configuration.
- House banks in S/4HANA are treated as master data objects and not as configuration settings (i.e., no longer transportable). Bank setup is performed via Fiori apps which introduces new bank master data maintenance controls (e.g., master data workflow).
- Master data may be centrally maintained via the Master Data Governance solution (SAP MDG) which introduces automated and streamlined controls (e.g., master data workflow).
- Business partner (BP) functionality can centrally manage master data for business partners, customers and vendors allowing a single point of entry for create, edit and display functions.
Why this step is important
A key goal during the optimization stage is to identify and establish global controls (those that apply to all business units/locations within an organization) and local controls (these may vary due to business unit requirements and country or industry-specific regulations, such as invoicing and tax requirements). This categorization will further enable process standardization and help to minimize compliance costs. For example, a company can define global standards for three-way match tolerances in the procure to pay (PTP) process which can then be localized, as needed, based on local business units’ requirements.
Increasing the proportion of controls that are automated can help to improve the quality of the control environment, prevent data entry and processing errors, standardize the organization’s control footprint globally and locally, and reduce manual efforts around reconciliation, review and testing processes.
Other benefits may include:
Case study: SAP S/4HANA control definition example
A national high tech and consumer products company was undergoing an implementation of S/4HANA and engaged Protiviti to help with efforts to define the automated control environment. Protiviti held workshops with the client’s process owners leveraging the SAP control library found in its proprietary Assure Control tool to review and agree on an automated control design. Protiviti helped the company:
- Identify 177 configurable controls to be included in the greater implementation effort, including 31 controls specific to new functionality available only in S/4HANA, and
- Assess the status of the identified in-scope controls prior to system go-live, using Assure Controls to test the controls in an automated fashion (including across company codes, plants, account groups and asset classes). Controls which were not configured to the specifications discussed in blueprinting workshops were identified using data easily extracted from the system via Assure Controls.
The company went live on S/4HANA with the assurance that their automated control design was configured in the system as intended. These controls could then be referenced in process documentation and tested in a more efficient manner than manual controls (i.e., using a “test of one” as opposed to traditional sampling techniques).
When trying to improve an organization’s overall control environment, optimizing the internal controls framework has many benefits. Having clearly defined automated global and local configurable controls allows for process standardization and significantly reduces costs. Once a solid control framework is in place, an organization can then move on to the next step in the process, implementing internal control governance processes, for control ownership and assurance that controls are updated and consistent.
Steve Toshkoff, Steve Apel, Vijan Patel and Toni Lastella also contributed to this post.