Protiviti has identified four key steps that organizations can take to improve their overall control environment and receive the benefits mentioned below. Each of these steps will be a focus in this four-part blog series. (See Part 1, Part 2 and Part 3.) In this post, we will cover the fourth step, optimizing the internal control framework, why it is important, and a case study of defining a controls framework at a national high tech and consumer products company.
Protiviti’s four steps to improving the SAP control environment
- Analyze configuration and processes – Identify and gain an understanding of the ERP ecosystem landscape (e.g., SAP instances and versions, Ariba, Concur, etc.), the business processes that utilize SAP, and their current control environment (e.g., manual controls, automated controls, key system-based reports, etc.).
- Optimize internal control framework – Optimize and formalize the controls based on the results of the organization’s controls assessment.
- Implement internal control governance processes – Implement governance processes for control ownership and management to keep controls updated and consistent.
- Enable intelligent SAP control automation – Map automated control configuration opportunities to the identified control strengths, gaps and improvements as indicated in the steps discussed in this blog.
Step 4: Enable intelligent SAP control automation
The final step when improving an organization’s SAP control environment involves the implementation of technology to automate the control monitoring and control testing efforts implemented throughout the previous three steps. Automating this process will help to monitor the health of business and IT configurations, ensure they do not change without proper authorization and, if changed, ensure the appropriate business process owners are promptly notified.
Why this step is important
As an organization’s control structure moves toward more reliance on automated controls, companies can begin to consider the benefits of implementing monitoring tools, such as continuous control monitoring (CCM) within SAP Process Control (SAP PC), robotic process automation (RPA) functionality or automated scripts. These solutions enable automated and continuous monitoring, assessment, and testing of controls to identify potential incidents of fraud and non-compliance on a timely basis. Real-time alerting for end users allows for both detective and preventative monitoring of a company’s controls.
The implementation of continuous control monitoring technology is an active and efficient approach to managing compliance with business policies and procedures. It enables:
- Standardized documentation and testing for business process, risk and controls (e.g., single source of truth for all compliance risks and controls across the organization)
- Centralized management of a multiple compliance framework (e.g., single control and/or test addresses multiple requirements)
- Automation of control execution and control monitoring (e.g., automated alerts when key application controls are changed)
- Streamlined processes for control performance, self-assessments, test of effectiveness, and process assessments
- Accountability for compliance and control status with sign-off surveys (e.g., homogeneous SOX 302 questionnaire across business units)
- Immediate visibility into and reporting of potential risk and controls issues
Automated solutions, such as SAP GRC’s Process Control, can help monitor business processes where automated controls cannot be implemented. For instance, if a company is unable to implement automated credit controls, which may slow down its pace of doing business with customers, transactional CCM can be enabled to generate alerts if the outstanding accounts receivable balance for any customer exceeds a predefined amount. The use of transactional CCM allows business process owners to monitor transactional information and SAP configurations and take appropriate actions quickly without interrupting business operations.
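The two monitoring patterns described above, a configuration change without a matching approval and a customer receivable balance over a predefined amount, can be sketched as a standalone script. This is an added example, not Protiviti's or SAP Process Control's own logic; the setting names, owners, ticket id, customers and limit are all constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: setting names, owners and the ticket id are hypothetical.
BASELINE = {"credit_check_active": "X", "three_way_match": "X", "posting_tolerance_pct": "2"}
CURRENT = {"credit_check_active": "", "three_way_match": "X", "posting_tolerance_pct": "5"}
# Approved changes: setting -> (approved new value, change ticket)
APPROVED = {"posting_tolerance_pct": ("5", "CHG-0001")}
OWNERS = {"credit_check_active": "order-to-cash owner",
          "posting_tolerance_pct": "record-to-report owner"}
# Open receivable items as (customer, amount); credits are negative.
OPEN_ITEMS = [("CUST-A", "40000.00"), ("CUST-A", "75000.50"),
              ("CUST-A", "-5000.00"), ("CUST-B", "12000.00")]
AR_LIMIT = Decimal("100000")


def config_alerts(baseline, current, approved, owners):
    """Flag settings that differ from the baseline without a matching approval."""
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        ticket = approved.get(key)
        if ticket and ticket[0] == new:
            continue  # the new value is exactly what was approved
        alerts.append({"control": key, "old": old, "new": new,
                       "notify": owners.get(key, "unassigned")})
    return alerts


def ar_alerts(open_items, limit):
    """Sum open items per customer and flag balances above the limit."""
    balances = defaultdict(Decimal)
    for customer, amount in open_items:
        balances[customer] += Decimal(amount)
    return [{"customer": c, "balance": b}
            for c, b in sorted(balances.items()) if b > limit]


if __name__ == "__main__":
    for alert in config_alerts(BASELINE, CURRENT, APPROVED, OWNERS):
        print("CONFIG", alert)
    for alert in ar_alerts(OPEN_ITEMS, AR_LIMIT):
        print("AR", alert)
```

A setting with no assigned owner is still reported, routed to "unassigned", so an ownership gap surfaces as an alert instead of a silent miss.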
Case Study: SAP Process Control example
A global manufacturing company required an upgrade to its existing control management and testing solution and engaged Protiviti to assist in improving its compliance processes. The company relied heavily on manual processes and checklists for its SOX certification process, had insufficient review and approval of control testing results, extensive customization to existing reporting and dashboards, and manual review of controls for a large number of organizational elements (e.g., company codes, plants, etc.).
Protiviti worked with the SOX Compliance and IT teams to:
- Improve compliance and internal control management processes
- Fully migrate the RCM repository, including organizations, business processes, risk and controls
- Improve testing and review process for control effectiveness assessments
- Optimize review and certification for SOX 302 questionnaire process
- Integrate with SAP Access Control for the central management of mitigating controls
- Create a CCM pilot to better understand capabilities and improve monitoring of SAP data
- Customize standard reporting, where needed, to enable risk visibility and executive-level dashboards
Following these changes, the global manufacturing company found that it benefited immensely from having these processes updated and automated. The company’s control environment is now less prone to error and requires less time. In addition, external auditors were able to place increased reliance on the new automated controls, greatly reducing associated testing efforts and fees.
When trying to improve an organization’s overall control environment, implementing intelligent control automation methods empowers a company to significantly reduce manual efforts while still ensuring financial compliance. Implementing a method such as SAP Process Control specifically allows for this automation to occur in a centralized platform where there is a control repository, as well as CCM results and alerts to various control owners.
All companies with ERP systems have the opportunity to strengthen their use of, and reliance on, automated controls and should establish a roadmap to transition from an extensive use of manual controls to a mostly automated control environment to monitor business risks proactively. The required upfront effort and investment is well worth it for the long-term gains.
Steve Toshkoff, Steve Apel, Vijan Patel and Toni Lastella also contributed to this post.