Four Steps to Keeping SAP’s Financial Processes Compliant – Step 3: Implement Internal Control Governance

Protiviti has identified four key steps that organizations can take to improve their overall control environment and receive the benefits mentioned below. Each of these steps will be a focus in this four-part blog series. In Part 1 and Part 2, we covered Step 1: Analyze SAP configuration and processes and Step 2: Optimize internal control framework. In this post, we will be covering the third step, implementing internal control governance processes, why it is important, and an example of a governance framework leveraged by multiple of our clients.

Protiviti’s four steps to improving the SAP control environment

Analyze configuration and processes – Identify and gain an understanding of the ERP ecosystem landscape (e.g., SAP instances and versions, Ariba, Concur, etc.), the business processes that utilize SAP, and their current control environment (e.g., manual controls, automated controls, key system-based reports, etc.).

Optimize internal control framework – Optimize and formalize the controls based on the results of the organization’s controls assessment.

Implement internal control governance processes – Implement governance processes for control ownership and management to keep controls updated and consistent.

Enable intelligent SAP control automation – Map automated control configuration opportunities to the identified control strengths, gaps and improvements as indicated in the steps discussed in this blog.

Implement internal control governance processes

During the third stage, implementing governance processes, the framework for control ownership and management is established to keep controls updated and consistent, given that most companies may have changes to the organizational structure and SAP system functionality over time. Furthermore, companies should determine global and local control owners that will be responsible for reviewing control parameters periodically and approving control changes going forward.

Why this step is important

This step is vital to the overall control optimization process because it ensures the updated internal control framework remains aligned with company policies, corporate initiatives, and compliance requirements. It also establishes control accountability and ownership at multiple management levels in the organization and keeps controls current during organizational changes. As it relates to potential business transformation or periodic upgrades to SAP S/4HANA, control ownership will help identify impacts to configurable controls arising from updates to business processes (both from the business and from possible feedback provided during Step 1, analysis of configuration and processes) or system functionality.

More specifically, the establishment of a control governance committee, team and processes can help the organization:

  • Manage strategic control decisions and understanding evolving risks that need to be managed
  • Create business accountability around control ownership and changes
  • Ensure proper training for control execution is maintained and delivered to the organization
  • Oversee adherence to policies and procedures
  • Align SAP configurable controls with the overall control environment (e.g., change management, SAP support access, access provisioning, etc.)
  • Take ownership of governance, risk and compliance (GRC) solutions that provide continuous monitoring of the control environment

Case study: Control governance organization example

The model below has been used successfully by multiple organizations to maintain effective governance around their control environments. There are three key stakeholder groups needed for success: sponsors, governance committees, and governance teams, along with the key roles and responsibilities associated with them.

This model has been so successful because it provides structure around the controls and ensures flow between all levels of an organization. It ensures that the controls align with the organization’s changing goals via sponsors, are documented and communicated via the governance committee, and are relevant to the day-to-day business activities via the governance teams.

In summary, when trying to improve an organization’s overall control environment, implementing internal control governance processes is key to ensure continuous monitoring and improvement. Establishing clearly defined control owners ensures alignment with company initiatives and updates to system functionality, ensuring a framework that is current. Once a governance process is established, an organization can then move on to the next step in the process, enabling intelligent SAP control automation, to decrease manual efforts and ensure continuous monitoring.

Steve Toshkoff, Steve Apel, Vijan Patel and Toni Lastella also contributed to this post.

To learn more about our SAP capabilities, contact us or visit Protiviti’s SAP consulting services.

 

Christine LaRochelle

Senior Consultant
Enterprise Application Solutions

Joe Fuchs

Senior Manager
Enterprise Application Solutions

Subscribe to Topics

In the latest #Technology Insights blog post, read how Protiviti works with clients who have concerns about #IoT device #security by asking five questions about their device security ecosystem: http://ow.ly/igKy50H5pbV

In this #podcast episode, Protiviti's Jim McDonald and Jeff Steadman talk with Armin Ebrahimi, Head of Distributed Identity at Ping Identity, about the role #identityproofing plays in the #identity space. Listen now: http://ow.ly/8jCz50H5mte

We invite you to visit the @Xillio #TOPGOLF VIP Cabana for a few hours of networking, happy hour food & drinks, and golf ⛳️ to unwind yourself during the #Microsoft365 Collaboration Conference in Las Vegas. Reserve your ticket at https://hubs.li/Q0106-7R0 and have fun🥳!

The #quantumcomputing industry believed #MonteCarlo simulations would be one of the best use cases to show #quantumadvantage; @QCWare proved the feasibility. @KonstantHacker and QC Ware's Yianni Gamvros chat how to access reusable #quantum #code. http://ow.ly/cRmK50H4wQh

Protiviti's Scott Laliberte shares with Venture Beat four mistakes that can lead to a failed AI implementation and what to do to avoid or resolve these issues for a successful AI rollout. http://ow.ly/wU8C50H4pBY

#ProtivitiTech #AI #machinelearning #technology

Load More...