Protiviti has identified four key steps that organizations can take to improve their overall control environment and receive the benefits mentioned below. Each of these steps is the focus of one post in this four-part blog series. In Part 1 and Part 2, we covered Step 1: Analyze SAP configuration and processes and Step 2: Optimize internal control framework. In this post, we cover the third step, implementing internal control governance processes: why it is important, and an example of a governance framework leveraged by multiple clients.
Protiviti’s four steps to improving the SAP control environment
1. Analyze configuration and processes – Identify and gain an understanding of the ERP ecosystem landscape (e.g., SAP instances and versions, Ariba, Concur, etc.), the business processes that utilize SAP, and their current control environment (e.g., manual controls, automated controls, key system-based reports, etc.).
2. Optimize internal control framework – Optimize and formalize the controls based on the results of the organization’s controls assessment.
3. Implement internal control governance processes – Implement governance processes for control ownership and management to keep controls updated and consistent.
4. Enable intelligent SAP control automation – Map automated control configuration opportunities to the identified control strengths, gaps and improvements as indicated in the steps discussed in this blog.
Implement internal control governance processes
During the third stage, implementing governance processes, the framework for control ownership and management is established to keep controls updated and consistent, given that most companies may see changes to their organizational structure and SAP system functionality over time. Furthermore, companies should designate global and local control owners who will be responsible for reviewing control parameters periodically and approving control changes going forward.
Why this step is important
This step is vital to the overall control optimization process because it ensures the updated internal control framework remains aligned with company policies, corporate initiatives, and compliance requirements. It also establishes control accountability and ownership at multiple management levels in the organization and keeps controls current during organizational changes. As it relates to potential business transformation or periodic upgrades to SAP S/4HANA, control ownership will help identify impacts to configurable controls arising from updates to business processes (both from the business and from possible feedback provided during Step 1, analysis of configuration and processes) or system functionality.
More specifically, the establishment of a control governance committee, team and processes can help the organization:
- Manage strategic control decisions and understand evolving risks that need to be managed
- Create business accountability around control ownership and changes
- Ensure proper training for control execution is maintained and delivered to the organization
- Oversee adherence to policies and procedures
- Align SAP configurable controls with the overall control environment (e.g., change management, SAP support access, access provisioning, etc.)
- Take ownership of governance, risk and compliance (GRC) solutions that provide continuous monitoring of the control environment
Case study: Control governance organization example
The model below has been used successfully by multiple organizations to maintain effective governance around their control environments. There are three key stakeholder groups needed for success: sponsors, governance committees, and governance teams, along with the key roles and responsibilities associated with them.
This model has been so successful because it provides structure around the controls and ensures flow between all levels of an organization. It ensures that the controls align with the organization’s changing goals via sponsors, are documented and communicated via the governance committee, and are relevant to the day-to-day business activities via the governance teams.
In summary, when trying to improve an organization’s overall control environment, implementing internal control governance processes is key to ensuring continuous monitoring and improvement. Establishing clearly defined control owners keeps the framework current by maintaining alignment with company initiatives and updates to system functionality. Once a governance process is established, an organization can then move on to the next step in the process, enabling intelligent SAP control automation, to decrease manual effort and ensure continuous monitoring.
Steve Toshkoff, Steve Apel, Vijan Patel and Toni Lastella also contributed to this post.