Building an SAP Process Control Deployment Plan: Answers to Your Most Frequently Asked Implementation Questions

Steve Toshkoff, Protiviti

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.


Page 1 (title slide): Building an SAP Process Control Deployment Plan: Answers to Your Most Frequently Asked Implementation Questions. Steve Toshkoff, Protiviti. Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved. Source deck: wpc.0b0c.edgecastcdn.net/000B0C/Presentations/GRC2016_Toshkoff...

Page 2 (slide 1): In This Session

• Learn the key capabilities and automation areas of SAP Process Control (PC) and come away with the knowledge to frame your implementation plan
• Discover the ideal approach to build a business case for an SAP PC implementation
• See examples of design requirements and scoping considerations for your initial deployment and future rollouts
• Find out the key decision points to consider as you progress through your implementation roadmap
• Understand the security role structure and learn how to leverage standard capabilities
• Walk away with tips and tricks for the configuration of Continuous Control Monitoring (CCM)

Page 3 (slide 2): What We’ll Cover

• Understanding whether you need SAP Process Control (PC)
• Outlining the core components of SAP PC
• Managing compliance initiatives with SAP PC
• Building a business case for the implementation of SAP PC
• Understanding the typical implementation approach and roadmap
• Outlining implementation considerations and success factors
• Wrap-up

Page 4 (slide 3): Understanding Whether You Need Process Control

Overall, an internal controls management process can be summarized with the following potential pitfalls:

• Minimal enforcement of control ownership
• Incomplete reporting
• Lack of real-time reporting
• Excessive or inconsistent manual controls
• Time-consuming control testing process
• Difficult to benchmark control data
• Lack of centralization
• Spreadsheet version control of changes
• Lack of automated controls
• Unable to easily demonstrate compliance

Page 5 (slide 4): Understanding Whether You Need Process Control (cont.)

The central questions to ask when considering an automated control management system should be:

How is the current internal control framework managed? (Manage Controls)
• Is the framework stored in a central location?
• Can changes to the framework be easily identified, tracked, and audited?
• Is a continuous analysis performed on the framework to ensure reliability and scalability?

How is the current internal control framework tested? (Manage Testing Efforts)
• Is the testing documentation stored in a central location?
• Is the framework tested effectively and efficiently?
• Can controls be automatically tested on a continuous basis?

Page 6 (slide 5): What We’ll Cover (agenda repeated from Page 3)

Page 7 (slide 6): SAP Process Control Overview

What is SAP Process Control (PC)?
• Part of the GRC (Governance, Risk & Compliance) suite of tools
• Resides on the same platform as SAP Access Control (AC)
• Supports the lifecycle of the Internal Controls Framework
• Provides end-to-end management of compliance initiatives (e.g., SOX 404)

What are the Key Automation Areas?
• Workflow-driven changes to organizations, processes, and controls
• Workflow-driven manual testing of controls
• Automated monitoring and testing of ERP system controls
• Real-time identification of potential control issues
• Ability for overall compliance reporting and sign-off

Page 8 (slide 7): SAP Process Control Overview (cont.)

Key Automation areas and Key Functionality (diagram with four stages):

DOCUMENT: Centralized and Managed Control Framework
• Internal Controls Framework: Organization-Process-Risk-Control
• Automate Compliance Management
• Manage Multiple Compliance Frameworks

TEST: Testing of Controls Framework
• Perform Assessments; Test Automated Controls; Test Manual Controls (IT Infrastructure and Business Processes)
• Testing of automated and manual controls
• Automated testing of labor-intensive data
• Evaluate control design and control effectiveness

MONITOR: Monitoring and Remediation of Exceptions
• Monitor exceptions; Remediate Issues
• Perform automated, exception-based monitoring of controls
• Raise and remediate issues via workflows

CERTIFY: Dashboards and Executive Sign-Off
• Certify and Sign Off (e.g., 404, 302, …)
• Easier and consistent quantification of control issues

Page 9 (slide 8): SAP Process Control Overview (cont.)

Key Functionalities of SAP Process Control:
• Documenting Organizational and Compliance Initiatives: Harmonize controls across regulations (multi-compliance framework)
• Planning, Assessing, and Testing Control Effectiveness: Document control testing results by following pre-defined test steps
• Automated Testing – Continuous Control Monitoring (CCM): Automated monitoring of controls, delivering quick exception-based results
• Policy Management: Manage the full lifecycle of policies, including review and acknowledgement

Page 10 (slide 9): SAP Process Control Internal Control Framework

Key SAP PC master data elements and their relationships (diagram): Organization 1 and Organization 2; Regulation A and Regulation B; Business Process; Sub Process; Control 1 and Control 2; Risk Evaluation & Testing.

Page 11 (slide 10): SAP Process Control Internal Control Framework (cont.)

Documentation of control content and assignment of control objects (numbered callouts on the control maintenance screen):
1. Control Name / Description
2. Control Criticality
3. Control Automation / Purpose
4. Validation Dates / Trigger
5. Control Frequency
6. Test Automation
7. Assign Manual Test Plan
8. Assign Risk to Control

Page 12 (slide 11): SAP Process Control Manual Test of Control Effectiveness

Manual testing of controls completed by documenting steps/tests and results:
1. Testing can be downloaded and populated outside of the system
2. Testing documentation can be uploaded to test results
3. Populate test results
4. If the final test result is a “Fail,” the system automatically requires a tester to “Report Issue”

Page 13 (slide 12): SAP Process Control Overview: Continuous Control Monitor (CCM)

CCMs allow for ERP systems to be automatically monitored for potential internal control issues.

3 Different Types of Monitoring Controls:
• Master Data Controls: “preventive and process-driven”
• Configurable Controls: “preventive”
• Transactional Controls: “detective and process-driven”

• Seamless connection to ERP systems allows for the continuous extraction of data.
• Pre-defined deficiency criteria initiate query-driven monitoring to automatically identify control exceptions.
• Business users assigned to the specific internal controls will be provided “real-time” notifications of control exceptions.
• Automated monitoring can ensure ERP data remains correct, immediately catching improper transactions.

Page 14 (slide 13): SAP Process Control Overview: Continuous Control Monitor (CCM) (cont.)

How does Continuous Control Monitoring (CCM) really work?

1. Data Source: CREATE ERP CONNECTION. Create a connection to the ERP system (e.g., SAP ECC) to allow for the extraction of data.
2. Business Rule: IDENTIFY EVALUATION CRITERIA. Identify deficiency criteria to be evaluated for effectiveness, with the ability to assign ratings.
3. CCM: CONTINUOUSLY MONITOR CONTROLS. Assign deficiency criteria to the automated control to initiate continuous monitoring.

Page 15 (slide 14): SAP Process Control Overview: Continuous Control Monitor (CCM) (cont.)

What is an example of a CCM?

Order-to-Cash Risk: New customers added to SAP ECC can initiate orders without proper review and approval from Credit or A/R.

Order-to-Cash Control: The default credit limit for a new customer created in SAP ECC is configured at $1, which automatically blocks initial customer purchases contingent on a credit review.

CCM: SAP ECC configuration is automatically and continuously monitored to ensure users are notified if there’s a change to the assigned default credit limit.
• Data Source: SAP PC extracts the SAP ECC configurable data from the T014 (Credit Control Areas) table.
• Business Rule: SAP PC is configured to review the default risk category and default credit limit automatically assigned to new customer records.

Order-to-Cash Control Issue: The production support team inappropriately removes the default credit limit of $1. The Credit or A/R team is automatically notified of the Order-to-Cash control exception.
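The Order-to-Cash example above can be read as a small monitoring loop: extract the credit-control-area configuration, apply a business rule with rated deficiency criteria, compare against the previous extract so that a change is caught, and notify the users assigned to the control. The script below is an added illustration of that loop, not SAP code from the deck or from Protiviti; the field names, the two sample extracts, the rating values, and the control-owner list are constructed stand-ins for what SAP PC would pull from T014 and from control master data.

```python
"""Toy Continuous Control Monitoring (CCM) cycle for the Order-to-Cash example.

Added illustration, not SAP code. Field names, the extract rows, and the
control-owner list below are constructed stand-ins for what SAP PC would
pull from the T014 (Credit Control Areas) table and from control master data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class CreditControlArea:
    """One extracted credit-control-area row (constructed; not real T014 field names)."""
    area: str                    # credit control area key
    currency: str
    default_risk_category: str   # risk category auto-assigned to new customers
    default_credit_limit: float  # credit limit auto-assigned to new customers


@dataclass(frozen=True)
class Deficiency:
    """One control exception produced by the business rule."""
    area: str
    criterion: str
    observed: str
    expected: str
    rating: str  # rating attached to the deficiency criterion


# Business rule parameters (constructed): the deck's control sets the default
# limit to $1 so that first orders are blocked pending a credit review.
BASELINE_DEFAULT_LIMIT = 1.00
ALLOWED_RISK_CATEGORIES = frozenset({"001", "002"})  # placeholder category keys


def evaluate_business_rule(current: Iterable[CreditControlArea],
                           previous: Optional[Iterable[CreditControlArea]] = None
                           ) -> List[Deficiency]:
    """Apply the deficiency criteria to the latest extract.

    Two kinds of criteria are checked: the configured value itself (is the
    default limit still the $1 baseline, is the risk category an allowed one)
    and a change check against the previous extract, which is what produces
    the "notify on change" behaviour the deck describes.
    """
    previous_by_area = {row.area: row for row in (previous or [])}
    findings: List[Deficiency] = []
    for row in current:
        if abs(row.default_credit_limit - BASELINE_DEFAULT_LIMIT) > 1e-9:
            findings.append(Deficiency(
                row.area, "default_credit_limit",
                f"{row.default_credit_limit:.2f} {row.currency}",
                f"{BASELINE_DEFAULT_LIMIT:.2f} {row.currency}", "High"))
        if row.default_risk_category not in ALLOWED_RISK_CATEGORIES:
            findings.append(Deficiency(
                row.area, "default_risk_category", row.default_risk_category,
                "one of " + ", ".join(sorted(ALLOWED_RISK_CATEGORIES)), "Medium"))
        prior = previous_by_area.get(row.area)
        if prior is not None and prior.default_credit_limit != row.default_credit_limit:
            findings.append(Deficiency(
                row.area, "default_credit_limit_changed",
                f"{prior.default_credit_limit:.2f} -> {row.default_credit_limit:.2f} {row.currency}",
                "no change outside the credit-review process", "High"))
    return findings


def route_exceptions(findings: Iterable[Deficiency],
                     control_owners: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Fan each exception out to every user assigned to the control (Credit and A/R teams)."""
    notifications: Dict[str, List[str]] = {}
    for finding in findings:
        message = (f"[{finding.rating}] Credit control area {finding.area}: "
                   f"{finding.criterion} observed {finding.observed}, expected {finding.expected}")
        for team_members in control_owners.values():
            for user in team_members:
                notifications.setdefault(user, []).append(message)
    return notifications


# Constructed sample extracts: area 1000 had its $1 default limit removed
# between the two monitoring runs; area 2000 is unchanged.
PREVIOUS_EXTRACT = [
    CreditControlArea("1000", "USD", "001", 1.00),
    CreditControlArea("2000", "EUR", "001", 1.00),
]
CURRENT_EXTRACT = [
    CreditControlArea("1000", "USD", "001", 0.00),
    CreditControlArea("2000", "EUR", "001", 1.00),
]
# Constructed control-owner assignment for the Order-to-Cash control.
CONTROL_OWNERS = {"Credit": ["credit.analyst"], "A/R": ["ar.lead"]}


def run_monitoring_cycle():
    """One scheduled CCM run: evaluate the rule, then notify the assigned owners."""
    findings = evaluate_business_rule(CURRENT_EXTRACT, PREVIOUS_EXTRACT)
    return findings, route_exceptions(findings, CONTROL_OWNERS)


if __name__ == "__main__":
    found, notes = run_monitoring_cycle()
    for user, messages in notes.items():
        for line in messages:
            print(f"{user}: {line}")
```

Keeping the previous extract is the detail worth noticing: a value check alone tells you the control is currently weakened, while the change check tells you when it happened and what it was before, which is what the Credit or A/R reviewer needs when the exception lands in their inbox.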

Page 16 (slide 15): SAP Process Control Overview: Policy Management

Policy Lifecycle Management functionalities:

Create & Document Policy
• Centrally document and define policies in a policy library
• Separate policies by organizations and processes

Review & Approve Policy
• Workflow support to review and approve policies
• Determine the relevant recipients per policy and organization

Publish & Distribute Policy
• Workflow support to distribute policies across the organization
• Receive confirmation on acknowledgement of policies

Monitor Policy Effectiveness
• Monitor policy acknowledgement
• Measure policy understanding using quizzes and surveys

Report on Policies
• "Out-of-the-box" online reports on policy and policy status
• Review policies linked to controls

Types of roles that can be defined for the management of policies:
• Policy Owner: Maintains access to the overall policy in SAP PC
• Policy Approver: Receives the workflow to review and approve policy versions in SAP PC
• Policy Recipients: Receive policy in email outside of the system and send acknowledgement
• Policy Viewer: Can view the overall status of policies; can view policy acknowledgement and survey results

Page 17 (slide 16): What We’ll Cover (agenda repeated from Page 3)

Page 18 (slide 17): Managing Compliance Initiatives

Key Elements in Managing Compliance Initiatives:

Management of Controls Framework
• Organizational Master Data Structure
• Repository of Internal Controls

Assessment of Controls Framework
• Design Assessments of Sub-Processes and Controls
• Control Self-Assessments

Testing of Controls Framework
• Manual and Automated Testing of Control Effectiveness
• Continuous Control Monitoring (CCM)

Reporting and Compliance Certification
• Control Framework Reporting
• Certification and Sign-off

Page 19 (slide 18): Managing Compliance Initiatives (cont.)

Key Elements in Managing Compliance Initiatives (Management of Controls Framework; Assessment of Controls Framework; Testing of Controls Framework; Reporting and Compliance Certification). This page: Management of Controls Framework.
• Create a unified repository of all risks and controls that can be shared across different organizational units
• Design an organizational hierarchy which aligns with all compliance initiatives and regulations to be managed in SAP Process Control
• Leverage G/L Account Groups to connect the controls with financial reporting requirements

Page 20 (slide 19): Managing Compliance Initiatives (cont.)

Key Elements in Managing Compliance Initiatives (Management of Controls Framework; Assessment of Controls Framework; Testing of Controls Framework; Reporting and Compliance Certification). This page: Assessment of Controls Framework.
• Allow Control Owners to evaluate their own controls by sending surveys with questions to be answered and identify issues prior to executing a formal test of effectiveness
• Perform top-down risk assessments, such as materiality analysis or control risk assessment
• Allow Internal Audit, Compliance, or Control Owners to conduct periodic assessments of the design and structure of processes, sub-processes, and controls

Page 21 (slide 20): Managing Compliance Initiatives (cont.)

Key Elements in Managing Compliance Initiatives (Management of Controls Framework; Assessment of Controls Framework; Testing of Controls Framework; Reporting and Compliance Certification). This page: Testing of Controls Framework.
• System-initiated automated testing of control effectiveness on a pre-determined schedule, with notifications to Internal Audit of possible control exceptions
• Enable Control Owners to automate the system monitoring and analysis of control data using system-driven rules by leveraging Continuous Control Monitoring (CCM)
• Allow Internal Audit to conduct periodic manual testing of control effectiveness using pre-defined test plans, which include test steps with pass/fail ratings

Page 22 (slide 21): Managing Compliance Initiatives (cont.)

Key Elements in Managing Compliance Initiatives (Management of Controls Framework; Assessment of Controls Framework; Testing of Controls Framework; Reporting and Compliance Certification). This page: Reporting and Compliance Certification.
• Provide external auditors with visibility into the control framework and testing efforts related to compliance requirements
• Initiate the formal certification and sign-off process; the sign-off begins with the lower organizations and proceeds to the higher organizations in the hierarchy
• Understand the overall status of corporate compliance globally and throughout different business units

Page 23 (slide 22): What We’ll Cover (agenda repeated from Page 3)

Page 24 (slide 23): Building a Comprehensive Business Case

• COSO 2013 reflects the increased relevance of technology
• Technology can impact how all components of internal control are implemented, including the control management system
• Management may exercise judgment in assessing trade-offs between:
  ‒ Cost of achieving perfection
  ‒ Benefits of seeking to operate at various lower levels of performance
• There is no “one-size-fits-all” approach in designing a control management system

Page 25 (slide 24): Building a Comprehensive Business Case (cont.)

• Implementing Continuous Auditing systems is necessary and important to effectively manage risk and quickly resolve potential issues
• However, there is difficulty in building a business case to implement and deploy a control management system
• It is important to build a business case that:
  ‒ Includes realistic goals (short-term vs. long-term goals)
  ‒ Includes qualitative & quantitative drivers
  ‒ Includes benefits to both Internal Audit and Management

Page 26 (slide 25): Building a Comprehensive Business Case (cont.)

The ideal approach to build a business case is to use proven methods and leverage benchmarks.

Approach to Building a Business Case:

Set Realistic Goals
• Set short-term goals to include full understanding of all functionalities
• Set long-term goals by outlining a step-by-step plan for control system expansion
• Consider if a control re-design is necessary prior to system implementation

Perform Qualitative Analysis
• Great way to communicate intangible benefits (e.g., better reporting, more intuitive use of systems, etc.)
• Great way to outline key functionalities and make the most suited selection
• No investment and cost consideration

Perform Quantitative Analysis
• Find the right and key value drivers, methodology, and calculations to come up with an accurate and appropriate ROI
• Quick and cost-effective way to benchmark specific improvement opportunities and calculate benefits

Page 27 (slide 26): Building a Comprehensive Business Case (cont.): Set Realistic Goals

Short-term goals should be initiated by creating a vision for the tool:
• Ensure a thorough understanding of the SAP PC functionalities
• Spend considerable time understanding how SAP PC can fit into your organization
• Determine whether your internal control environment is appropriately managed
• Consider starting with a Pilot implementation or Proof of Concept to evaluate the system

Long-term goals should ensure a detailed roadmap and project plan:
• Consider performing a control re-design to increase automated controls
• Determine automated controls which can be migrated to CCMs
• Categorize controls based on the level of effort required to implement
• Determine additional functionalities to be implemented and appropriate timing

Page 28 (slide 27): Building a Comprehensive Business Case (cont.): Perform Qualitative Analysis

Central repository of all controls, with easy view of changes to organizational structure
• No need to manually track changes to organizational structure and control assignments
• SAP PC can segregate duties for the maintenance and provides “out-of-the-box” reporting for organizational structure and control updates

Real-time notifications of changes to ERP system data and configuration
• No need to wait until testing of automated controls is manually performed during audits
• SAP PC can provide real-time notifications to business users when changes occur in the ERP system

Automated workflow for the manual testing of controls
• No need to manually track testing progress and results in spreadsheets
• SAP PC can provide notifications when testing should be initiated and “out-of-the-box” reporting when testing is completed

Page 29 (slide 28): Building a Comprehensive Business Case (cont.): Perform Quantitative Analysis

Example 1 – Re-designing manual controls can lead to tangible cost savings (supporting figures not included in the transcript)

Example 2 – Leveraging automated control testing tools can lead to tangible cost savings (supporting figures not included in the transcript)

Page 30 (slide 29): What We’ll Cover (agenda repeated from Page 3)

Page 31 (slide 30): Implementation Approach and Roadmap

Implementation approach and considerations:

Identify Strategy and Pilot System
• Define short- and long-term GRC roadmap
• Understand effort and timing required
• Understand value and capabilities implemented
• Establish key metrics
• Develop strategy for master data structure
• Pilot a single process (e.g., IT General Controls)
• Limit the number of initial controls configured

Define, Expand, and Test Controls
• Transition to managing the full lifecycle of controls in SAP PC
• Leverage PC for compliance initiatives
  ‒ Manual and Automated controls
  ‒ Certifications
• Automate the testing of manual controls by leveraging Continuous Control Monitoring (CCM) functionality
• Consider limiting scope to one regulation (e.g., SOX 404)
• Consider re-designing the control framework

Identify Additional Value Areas
• Implement other compliance and regulation areas/structures
• Expand SAP PC use to operational- and fraud-related areas
• Consider additional continuous monitoring functionalities and tools:
  ‒ Fraud Management
  ‒ Access Violation Management (AVM)

Page 32 (slide 31): Implementation Approach and Roadmap (cont.)

Determine the best approach to reduce time, labor, cost, and gain efficiencies.

Inputs to the roadmap: Corporate Strategy; User Requirements; Compliance Roadmap.

• Stage 0, Innovation Strategy: What do we want to innovate? Create a focused strategy; develop a detailed roadmap and vision
• Stage 1, Pilot the System: Does the concept and system merit full feasibility? Pilot PC functionalities to understand complexities
• Stage 2, Document: Migrate and continue improving the controls framework
• Stage 3, Test: Can manual testing of controls be automated? Define test steps; consider control testing automation
• Stage 4, Manage, and Stage 5, Optimize: Continue identifying system improvements; reduce reliance on manual controls

Further guiding questions on the slide: How can we reduce reliance on manual controls? How else can we improve? How can we expand further?

Page 33 (slide 32): What We’ll Cover (agenda repeated from Page 3)

Page 34 (slide 33): Implementation Considerations: Design Requirements

Key Design Requirements to be Considered before Implementation:
• Master Data Planning: Spend considerable time on planning your master data (e.g., regulations, organizations, etc.) for future sustainability. Consider overall nomenclature when structuring your Master Data.
• Unique Control Classifications: If there’s a unique requirement for control classification, consider leveraging an existing field that your company is not using. Most drop-downs/radio buttons are configurable.
• Phased Automated Testing Rollout: Consider a phased rollout of automated controls beginning with the most manual SOX/financially relevant controls. There is a learning curve for users, so start with a “quick wins” deployment to ensure buy-in.
• Continuous Control Monitoring (CCMs): Leverage Continuous Control Monitoring (CCMs) to reduce manual IT Configurable Control (ITGC) testing efforts. Consider the time and effort required to implement every type of CCM; there are limitations.
• Transport Functionality: Consider the value of system copies and use of transport functionality, ensuring an effective change management process is in place.
• Integrate Access Control and Process Control: Discontinue use of the SAP AC Mitigating Control library and utilize SAP PC controls to mitigate SAP AC risks. The Control Test of Effectiveness will ensure a mitigating control can actually be relied upon.

Page 35 (slide 34): Implementation Considerations: Scoping Considerations

Consider the following additional scoping considerations that are significant time and cost drivers of SAP Process Control implementations:
• Number of automated and manual controls configured
• Complexity of automated controls to be configured
• Number of design and self-assessments to be built / migrated
• Internal control master data to be built / migrated (e.g., processes, control objectives, tests, risks, etc.)
• Number of organizational, regulation, and accounting hierarchies utilized and configured
• Number of custom queries for CCMs
• Number of custom security roles to be created
• Amount of expected workflow customization
• Number of policies to be built / migrated
• Number of customer-defined fields

Page 36 (slide 35): Implementation Considerations: Key Roles and Responsibilities

Roles around the SAP Process Control implementation (diagram):
• Business Users/Control Owners: Help define relevant risks, controls, and remediation strategy for the various business areas
• Functional and Technical Team: Provide expertise and assist with the implementation, documentation, and issue resolution
• Compliance/Internal Audit Team: Steer the project and ensure risk and control processes meet audit requirements
• IT Basis/Technology Team: Responsible for technical tasks pertaining to the implementation and infrastructure support
• SAP Process Control Administrator: Responsible for ongoing configuration and administration of the SAP PC system

Page 37 (slide 36): Implementation Considerations: Key Roles and Responsibilities (cont.)

Same role diagram as Page 36 (Business Users/Control Owners, Functional and Technical Team, Compliance/Internal Audit Team, IT Basis/Technology Team, SAP Process Control Administrator), with the callout: Remember to consider an Administrator for the SAP PC system, responsible for ongoing configuration and administration of the SAP PC system.

Page 38 (slide 37): Implementation Considerations: Security Roles Design

It is important to review the user access security roles for SAP Process Control. Unlike designing SAP ECC security roles, there are additional layers of access that should be considered.

Key Security Roles Considerations:
1. Back-end Security: Users must have the appropriate authorization objects and values assigned to complete PC functions, which also affects and controls the specific views within PC.
2. Workflow Events Configuration: To enable successful workflow-driven scenarios, workflow events need to be configured to determine the appropriate recipients of SAP Process Control business events. User roles must be mapped to configured workflow events to determine the sequence of steps to evaluate continuous monitoring results or other types of assessments.
3. Organizational and Process Master Data Configuration: User ownership and responsibilities must be maintained in master data elements (organization, process, control, etc.) with the SAP Business Client (BC).


Implementation Considerations Security Roles Design (cont.)

The process below should be followed to ensure an optimal security role structure is designed:

1. Create security roles – Leverage standard SAP PC security roles, which are job-based and align with the organizational/regulation mapping
2. Create workflow business events – Leverage standard workflow business events, unless there are requirements such as tertiary reviews
3. Assign security roles to the business events – Leverage standard assignments; however, if changes are required, make the appropriate assignments to security roles
4. Assign users in the Organizational Master Data Elements – Assign the business user IDs to the appropriate area in the master data structure (e.g., Organization, Process, Control, etc.)
5. Assign User IDs the security roles – Assign the business user IDs to the appropriate security role containing the right job-based authorizations


Implementation Considerations Security Roles Design (cont.)

Although SAP has pre-configured security components, there are still some gaps:

• Ensure an understanding of the overall vision of the tool to identify required security updates
• Critical to hold detailed blueprint design sessions to identify all user responsibilities
• Important to understand and map how users will interact and use the tool

Pre-Configured Components (delivered as standard, adjusted only where requirements differ):
• Create security roles
• Create workflow business events
• Assign security roles to the business events

Components to be Assigned (project-specific, every implementation must do them):
• Assign users in the Organizational Master Data Elements
• Assign User IDs the security roles


Implementation Considerations Security Roles Design (cont.)

Consider the pre-configured components of the business events below when assigning individuals to the specific organizational elements.

Pre-Configured Receivers of Control Tests

Business event                             Automated Tests     Semi-Automated Tests   Manual Tests
Manual Test of Control Effectiveness       N/A                 N/A                    Control Tester
Automated Test of Control Effectiveness    Sub-process Owner   Control Tester         N/A
Continuous Control Monitoring (CCM)        Control Owner       Control Owner          N/A

Pre-Configured Receivers of Assessments

Business event                   Perform             Review
Sub-process Design Assessment    Sub-Process Owner   Process Owner
Control Design Assessment        Control Owner       Sub-Process Owner
Control Self-Assessment          Control Owner       Sub-Process Owner
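The five-step role design and the receiver tables above only work when all three access layers agree: the user must be assigned on the master data element, the business event must map to that job role, and the user must hold the back-end role that grants the authorizations. The following is an added illustration (not SAP code and not part of the original presentation) that models those three layers with plain Python data and reports who would actually receive a work item for each business event. The role names and the event-to-role defaults are taken from the pre-configured receivers tables; the user IDs, control and sub-process IDs, and the way roles are represented as simple strings are constructed for the example.

```python
"""Who actually receives a Process Control workflow item?

Added illustration, not SAP code. It models the three access layers the slides
describe (back-end role authorizations, business event to role mapping, and
ownership maintained in master data) with plain Python data so the design
can be checked before it is keyed into the GRC system. The role names and the
event-to-role defaults come from the pre-configured receivers tables; the
user IDs, control and sub-process IDs are constructed for the example.
"""
from dataclasses import dataclass, field

# Layer 2: business event -> {control test/assessment type: responsible role}.
# Copied from the pre-configured receivers tables; a missing key is the
# table's "N/A", i.e. the event does not exist for that type.
PRECONFIGURED_RECEIVERS = {
    "Manual Test of Control Effectiveness": {"manual": "Control Tester"},
    "Automated Test of Control Effectiveness": {
        "automated": "Sub-Process Owner", "semi-automated": "Control Tester"},
    "Continuous Control Monitoring (CCM)": {
        "automated": "Control Owner", "semi-automated": "Control Owner"},
    "Sub-process Design Assessment": {
        "perform": "Sub-Process Owner", "review": "Process Owner"},
    "Control Design Assessment": {
        "perform": "Control Owner", "review": "Sub-Process Owner"},
    "Control Self-Assessment": {
        "perform": "Control Owner", "review": "Sub-Process Owner"},
}


@dataclass
class Control:
    control_id: str
    subprocess_id: str
    process_id: str


@dataclass
class MasterData:
    """Layer 3: user ownership maintained on the master data elements."""
    control_owners: dict = field(default_factory=dict)     # control_id -> [users]
    control_testers: dict = field(default_factory=dict)    # control_id -> [users]
    subprocess_owners: dict = field(default_factory=dict)  # subprocess_id -> [users]
    process_owners: dict = field(default_factory=dict)     # process_id -> [users]

    def users_for(self, role, control):
        """Users holding `role` on the element that role is maintained on."""
        lookup = {
            "Control Owner": (self.control_owners, control.control_id),
            "Control Tester": (self.control_testers, control.control_id),
            "Sub-Process Owner": (self.subprocess_owners, control.subprocess_id),
            "Process Owner": (self.process_owners, control.process_id),
        }
        table, key = lookup[role]
        return table.get(key, [])


def resolve_recipients(event, kind, control, master_data, user_roles):
    """Return (recipients, findings) for one business event on one control.

    recipients: users who own the element in master data (layer 3) AND hold
    the back-end role for that job (layer 1). Anyone missing either layer
    never sees the work item, so they are reported as findings instead.
    """
    findings = []
    role = PRECONFIGURED_RECEIVERS.get(event, {}).get(kind)
    if role is None:
        findings.append(f"{event}: not defined for {kind} controls (N/A)")
        return [], findings
    assigned = master_data.users_for(role, control)
    if not assigned:
        findings.append(f"{event}: no {role} maintained for {control.control_id}")
    recipients = []
    for user in assigned:
        if role in user_roles.get(user, set()):
            recipients.append(user)
        else:
            findings.append(f"{event}: {user} is {role} in master data "
                            f"but lacks the back-end role")
    return sorted(recipients), findings


def build_sample():
    """Constructed design: one control with a deliberately incomplete setup."""
    control = Control("C-AP-001", "SP-AP", "P-P2P")
    master_data = MasterData(
        control_owners={"C-AP-001": ["alice"]},
        control_testers={"C-AP-001": ["carol"]},
        subprocess_owners={"SP-AP": ["bob"]},   # bob never got the role
        process_owners={},                       # nobody assigned at all
    )
    # Layer 1: job-based back-end roles held by each user (hypothetical names).
    user_roles = {"alice": {"Control Owner"}, "carol": {"Control Tester"}}
    return control, master_data, user_roles


def audit(control, master_data, user_roles):
    """All findings for every event/type combination in the standard mapping."""
    findings = []
    for event, kinds in PRECONFIGURED_RECEIVERS.items():
        for kind in kinds:
            findings += resolve_recipients(event, kind, control,
                                           master_data, user_roles)[1]
    return findings


if __name__ == "__main__":
    for line in audit(*build_sample()):
        print(line)
```

Running the audit on the sample reports five gaps: every event that routes to the Sub-Process Owner stalls because bob was assigned in master data but never received the back-end role, and the review step of the Sub-process Design Assessment has no Process Owner at all. Those are exactly the two failure modes step 4 and step 5 of the design process are meant to prevent.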


Implementation Considerations Continuous Control Monitor (CCM)

CCM Configuration Tips & Tricks

Data Source
• Tip: Should be linked to data with similar business functions
• Importance: Allows for one Data Source to be leveraged by multiple Business Rules
• Limitation: Only five SAP ECC table joins can be assigned in a data source

Business Rule
• Tip: Keep descriptions to no more than 74 characters in length
• Importance: Allows for quick understanding and analysis of a deficiency in the work inbox
• Limitation: "Pooled" or "Cluster" SAP ECC tables can be monitored individually, but cannot be joined

CCMs
• Tip: Controls relying on SAP ECC change logs should ensure table logging is activated; this means both the "Log data changes" flag in the table's technical settings and a rec/client profile parameter that covers the monitored client, otherwise no change records exist for the rule to evaluate
• Importance: Allows for real-time review of configurable controls changes
• Limitation: Only ten business rules can be assigned to a CCM
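The limits on this slide are easy to verify on paper before anyone builds a data source in the GRC system, and the table-logging prerequisite is the one most often discovered only after a rule stays silent in production. The following is an added example (not SAP code and not part of the original presentation) that applies the slide's limits and the logging prerequisite to a planned CCM design. The dictionary extracts are constructed to resemble the relevant columns of the SAP data dictionary tables DD02L (TABCLASS) and DD09L (PROTOKOLL, where 'X' means log data changes), rec/client is the profile parameter that enables table logging per client, and the data source, rule and control names are hypothetical.

```python
"""Pre-flight checks for a planned CCM data source and its business rules.

Added example, not SAP code. It applies the limits quoted on the slide (five
table joins per data source, pooled/cluster tables cannot be joined,
74-character rule descriptions, ten business rules per CCM) and the
table-logging prerequisite to a planned design before it is built in the GRC
system. The dictionary extracts are constructed to look like the relevant
columns of DD02L (TABCLASS) and DD09L (PROTOKOLL, 'X' = log data changes);
rec/client is the profile parameter that switches table logging on per
client. Data source, rule and control names are hypothetical.
"""
from dataclasses import dataclass, field

MAX_JOINS = 5
MAX_DESCRIPTION = 74
MAX_RULES_PER_CCM = 10

# Constructed DD02L / DD09L extracts. BSEG (cluster) and A004 (pool) stand in
# for the table types that can be monitored alone but never joined.
TABLE_CLASS = {"T001": "TRANSP", "T004": "TRANSP", "T030": "TRANSP",
               "BSEG": "CLUSTER", "A004": "POOL"}
TABLE_LOGGING = {"T001": "X", "T030": "X", "T004": "", "BSEG": "", "A004": ""}


@dataclass
class DataSource:
    name: str
    main_table: str
    joined_tables: list = field(default_factory=list)

    def tables(self):
        return [self.main_table] + self.joined_tables


@dataclass
class BusinessRule:
    name: str
    description: str
    data_source: DataSource
    uses_change_log: bool = False   # rule evaluates table change records


def rec_client_covers(rec_client, client):
    """rec/client is OFF, ALL, or a comma-separated list of client numbers."""
    value = rec_client.strip().upper()
    if value == "OFF":
        return False
    if value == "ALL":
        return True
    return client in {c.strip() for c in value.split(",")}


def check_data_source(ds, table_class=TABLE_CLASS):
    findings = []
    if len(ds.joined_tables) > MAX_JOINS:
        findings.append(f"{ds.name}: {len(ds.joined_tables)} joins exceeds "
                        f"the limit of {MAX_JOINS}")
    if ds.joined_tables:   # a single pooled/cluster table on its own is fine
        for table in ds.tables():
            if table_class.get(table) in ("POOL", "CLUSTER"):
                findings.append(f"{ds.name}: {table} is a {table_class[table]} "
                                f"table and cannot be joined")
    return findings


def check_business_rule(rule, rec_client, client, table_logging=TABLE_LOGGING):
    findings = []
    if len(rule.description) > MAX_DESCRIPTION:
        findings.append(f"{rule.name}: description is {len(rule.description)} "
                        f"chars; keep it to {MAX_DESCRIPTION} for the work inbox")
    if rule.uses_change_log:
        if not rec_client_covers(rec_client, client):
            findings.append(f"{rule.name}: rec/client={rec_client} does not log "
                            f"changes in client {client}")
        for table in rule.data_source.tables():
            if table_logging.get(table) != "X":
                findings.append(f"{rule.name}: 'Log data changes' is not set "
                                f"for {table}; the rule would never fire")
    return findings


def check_ccm(control_name, rules, rec_client, client):
    """Every finding for one CCM-enabled control and the rules behind it."""
    findings = []
    if len(rules) > MAX_RULES_PER_CCM:
        findings.append(f"{control_name}: {len(rules)} business rules exceeds "
                        f"the limit of {MAX_RULES_PER_CCM}")
    seen = {}
    for rule in rules:
        seen.setdefault(rule.data_source.name, rule.data_source)
        findings += check_business_rule(rule, rec_client, client)
    for ds in seen.values():          # each data source is checked once
        findings += check_data_source(ds)
    return findings


if __name__ == "__main__":
    coa = DataSource("DS_COA", "T004")
    rule = BusinessRule("BR_COA_CHANGED", "Chart of accounts changed", coa,
                        uses_change_log=True)
    for line in check_ccm("CCM_COA", [rule], "OFF", "100"):
        print(line)
```

The sample run shows the silent-failure case: a change-log rule on T004 in a system where rec/client is OFF and the table's logging flag is not set passes every GRC-side configuration step and simply never produces an exception. Run the checks against the real DD02L/DD09L values and the target system's rec/client before the data sources are created.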


Implementation Success Factors

Successful SAP Process Control implementations start with “Quick Wins.” A common mistake is to pursue an initial scope that is too large, resulting in a long project which loses momentum and organizational focus.

• Focus on utilization of standard features and reports where possible
• Identify a Pilot business process or compliance area to be the focus of the initial implementation
• Pilot basic control management and assessment across a modestly sized user population
• Tackle high impact/low effort remediation or improvements first


Implementation Success Factors (cont.)

Once the foundation is in place, it provides a platform to work toward the enhanced benefits that can be achieved through a full deployment of the solution. The extended benefits include items such as:

• Increased number and complexity of automated controls
• Decreased reliance on manual testing of automated controls
• Increased use of custom dashboards and reports
• Higher effort improvements and remediation


Implementation Success Factors (cont.)

An organization’s efficiency depends on the complete alignment of processes, systems and people with each other. If one element falls short, the remaining two cannot make it up.

• People: Communication; Change Readiness; Dedicated Resources
• Technology: Design & Development; End-User Training; System Implementation
• Process: Design & Development; Process Standardization; Control Ownership

Ensure your SAP Process Control implementation and roadmap encompasses all three areas.


What We’ll Cover

• Understanding whether you need SAP Process Control (PC)

• Outlining the core components of SAP PC

• Managing compliance initiatives with SAP PC

• Building a business case for the implementation of SAP PC

• Understanding the typical implementation approach and roadmap

• Outlining implementation considerations and success factors

• Wrap-up


Where to Find More Information

• http://help.sap.com/pc
  SAP Process Control 10.1 on the SAP Help Portal

• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/Unlocking-Value-Continuous-Monitoring-Control-Automation-Capabilities-SAP-Process-Control-Protiviti.pdf
  “Unlocking the Value of Continuous Monitoring and Control Automation Capabilities in SAP Process Control” (Protiviti, 2014).

• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/SAP-FinProcessOptimization-whitepaper-Protiviti.pdf
  “Keeping SAP Financial Processes Compliant” (Protiviti, 2015).

• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/GRC-platform-considerations-whitepaper-Protiviti.pdf
  “Governance, Risk and Compliance Platform Considerations” (Protiviti, 2015).


7 Key Points to Take Home

• Identify controls and processes to automate and determine expected ROI

• Build a solid foundation by creating an innovation/implementation strategy

• Plan a pilot implementation and define appropriate scope for future rollouts

• Plan the organizational master data design or migration from legacy tool

• Assess the complexity of implementing different types of controls

• Evaluate the security scope/requirements and make adjustments

• Track progress, adjust scope where necessary, and continue to expand


Your Turn!

How to contact me:

Steve Toshkoff

[email protected]

www.linkedin.com/in/steve-toshkoff-bba9b530

Please remember to complete your session evaluation


Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.


Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2016 Wellesley Information Services. All rights reserved.