Step 1: Analyze SAP configuration and processes
Protiviti has identified four key steps that organizations can take to improve their overall control environment and receive the benefits mentioned below. Each of these steps will be a focus in this four-part blog series.
Too many organizations perform their financial and operational processes using inefficient manual controls, paper-based approvals and labor-intensive reviews of large volumes of data. This often happens because not all relevant SAP automated controls were correctly set up or considered when the system was initially designed and implemented. Additionally, regardless of the version of SAP and additional modules in use (e.g., S/4HANA, ECC, Ariba), there are always opportunities to increase automation, decrease manual efforts and mitigate risks while simultaneously reducing reliance on human intervention.
Increasingly, organizations are improving their control environment by streamlining and optimizing SAP configurations and making better use of automated controls. Those making the move to implement or upgrade to S/4HANA are using this opportunity to take a fresh look at control automation as they innovate and roll out new functionality. They are also implementing continuous control monitoring solutions like SAP Process Control (SAP PC) to enhance compliance processes. Automating the SAP control environment and enabling continuous monitoring can help organizations achieve these business goals:
- Increased reliance on financial systems: Compliance efforts are moving away from general controls and toward ERP-specific application controls where possible. Increased reliance on automated controls reduces transactional and master data errors and the need for manual mitigating controls that are prone to failure.
- Maximized ERP ROI: Companies want to see the benefits of their significant investment in implementing and maintaining an ERP system. This is partially accomplished by taking advantage of standard SAP configurable control settings and inherent functionality as part of the organization’s control framework.
- Reduced manual processes: This goal is attained by enforcing automated controls and minimizing data entry corrections, manual reconciliations or approvals or nefarious activities, as well as increasing the productivity and strategic focus of operations personnel who are no longer required to perform manual control activities. Companies want to be sure their systems are configured to prevent and detect not only input errors but also fraudulent transactions, which allows for better control of their business.
- Reduced compliance price tag: This involves reliance on, and the effectiveness of, both internal and external testing and reducing retesting costs for failed controls. Automated controls typically have a much higher pass rate than manual controls, once configured correctly and initially validated.
Protiviti’s four steps to improving the SAP control environment
- Analyze SAP configuration and processes – Identify and gain an understanding of the ERP ecosystem landscape (e.g., SAP instances and versions, Ariba, Concur, etc.), the business processes that utilize SAP, and their current control environment (e.g., manual controls, automated controls, key system-based reports, etc.).
- Optimize internal control framework – Optimize and formalize the controls based on the results of the organization’s controls assessment.
- Implement internal control governance processes – Implement governance processes for control ownership and management to keep controls updated and consistent.
- Enable intelligent SAP control automation – Map automated control configuration opportunities to the identified control strengths, gaps and improvements as indicated in the steps discussed in this blog.
Analyze SAP configuration and processes
The initial step when trying to enhance an organization’s financial compliance processes is to analyze the current SAP configuration and processes. Evaluating the current SAP environment from a risk and controls perspective to identify and understand the configurable controls strengths and weaknesses and to gain insight into control automation opportunities is an important component of this step. This can be done manually, but would be a very labor-intensive task. A significantly more efficient method would be to utilize automated SAP assessment tools, such as Protiviti’s proprietary Assure Controls tool.
There are numerous SAP configuration points available within standard SAP functionality. These configuration points, or automated controls, may or may not be turned on when the system is initially implemented, or the default parameters or current settings may not align with the company’s policies and procedures. Looking at these configuration parameters in greater detail allows for the organization to see those strengths, weaknesses and areas for improvement.
For companies either running or migrating to S/4HANA, automated controls continue to be the most effective method for streamlining the performance and testing of controls. This results in significant reductions in expenditures for annual compliance efforts. When evaluating the impact of S/4HANA on the control environment, it is important to know that the underlying ABAP code and functionality was materially rewritten as compared to prior versions (e.g., ECC, R/3) and thus many control opportunities were either added, changed or eliminated as a result.
Why this step is important
Most organizations expect key configuration controls in their ERP solutions to be preset to “best practice” settings. However, this is often not the case. Most SAP system integrators and accelerated implementation packages (or industry templates) focus on overall system functionality and may not consider the control components that will benefit the organization’s compliance initiatives. This could lead to control design requirements not being fully considered during the business process design phase and subsequent phases of the implementation. Additional efforts to implement controls after go-live are then required, increasing the risk of compliance issues and poor end-user acceptance. In addition, many organizations fail to take full advantage of available configuration controls in their SAP environment because they are simply not aware of SAP’s standard control functionality.
Protiviti has identified hundreds of configuration parameters in S/4HANA (many of which apply for ECC as well) that can be utilized as control points in SAP to improve financial compliance and enable control automation. More than half of these parameters may be set separately at different organizational levels including company code, plant, vendor account group or asset class.
An initial evaluation of SAP automated controls can help organizations see the following:
- Control strengths – Configuration parameters that are set up and follow company policies and best practices. For example, default credit is set up to “lower amounts” for new customers until a background/credit check can be run and an appropriate credit limit can be provided (Note: In S/4HANA, credit is controlled within the supply chain management credit management functionality).
- Controls not utilized – Controls not currently configured. For example, the duplicate system message configuration within the system should be set for the user to be alerted to a potential duplicate vendor or customer. (Note: In S/4HANA, this control is set in either the business partner or account group level, depending on the approach chosen by the organization.)
- Control gaps – Controls that require multiple configuration setting updates to be fully set. For example, Duplicate invoice check has multiple dependent controls – mandatory fields, duplicate criteria and system messages. SAP comes with duplicate invoice check enabled; however, users will not be alerted if the system message is not also set.
Case Study: SAP S/4HANA Analysis of configuration and processes
Protiviti was engaged to review SAP architecture and financial automated controls for a global consumer products firm. We accomplished the following key tasks:
- Performed an SAP Assure Controls assessment for core ERP processes (assets, general controls, general ledger, inventory, order to cash and procure to pay) across SAP ECC, S/4HANA, Coupa and Apttus environments
- Met with process owners and SAP BASIS leads to discuss local and global configurable controls and gather feedback
- Provided management with a roadmap (both control gaps and optimization opportunities), which were organized by criticality and level of effort to implement
- Management was able to adjust configurations in the target environments based on the roadmap, by focusing on the “quick wins” first
- Presented to the audit committee the results and findings with positive feedback on what worked well and areas for improvement considerations
Overall, it is clear to see that the first, and most important step, when trying to improve an organization’s overall control environment is to have a clear understanding of the current situation: the ERP ecosystem landscape, the business processes in place and the current control environment. Once a better understanding of these factors is achieved, an organization can then confidently move onto the next phase of the process, optimizing their internal control framework by addressing recommendations and findings provided.
Steve Toshkoff, Steve Apel, Vijan Patel and Toni Lastella also contributed to this post.