SAP

Four Steps to Keeping SAP’s Financial Processes Compliant: Step 4: Enable Intelligent SAP Control Automation

Christine LaRochelleJoe Fuchs
September 29, 2021
5 min read

Protiviti has identified four key steps that organizations can take to improve their overall control environment and receive the benefits mentioned below. Each of these steps will be a focus in this four-part blog series. (See Part 1, Part 2 and Part 3)

Protiviti’s four steps to improving the SAP control environment

Analyze configuration and processes – Identify and gain an understanding of the ERP ecosystem landscape (e.g., SAP instances and versions, Ariba, Concur, etc.), the business processes that utilize SAP, and their current control environment (e.g., manual controls, automated controls, key system-based reports, etc.).

Optimize internal control framework – Optimize and formalize the controls based on the results of the organization’s controls assessment.

Implement internal control governance processes – Implement governance processes for control ownership and management to keep controls updated and consistent.

Enable intelligent SAP control automation – Map automated control configuration opportunities to the identified control strengths, gaps and improvements as indicated in the steps discussed in this blog.

Step 4: Enable intelligent SAP control automation

The final step when improving an organization’s SAP control environment involves the implementation of technology to automate the control monitoring and control testing efforts implemented throughout the previous three steps. Automating this process will help to monitor the health of business and IT configurations, ensure they do not change without proper authorization and, if changed, ensure the appropriate business process owners are promptly notified.

Why this step is important

As an organization’s control structure moves toward more reliance on automated controls, companies can begin to consider the benefits of implementing monitoring tools, such as continuous control monitoring (CCM) within SAP Process Control (SAP PC), robotic process automation (RPA) functionality or automated scripts. These solutions enable automated and continuous monitoring, assessment, and testing of controls to identify potential incidents of fraud and non-compliance on a timely basis. Real time alerting for end users allows for both detective and preventative monitoring of a company’s controls.

The implementation of continuous control monitoring technology is an active and efficient approach to managing compliance with business policies and procedures. It enables:

  • Standardized documentation and testing for business process, risks and controls (e.g., single source of truth for all compliance risks and controls across the organization)
  • Centralized management of a multiple compliance framework (e.g., a single control and/or test addresses multiple requirements)
  • Automation of control execution and control monitoring (e.g., automated alerts when key application controls are changed)
  • Streamlined processes for control performance, self-assessments, test of effectiveness, and process assessments
  • Accountability for compliance and control status with sign-off surveys (e.g., homogenous SOX 302 questionnaire across business units)
  • Immediate visibility into and reporting of potential risk and controls issues

Automated solutions such as SAP GRC Process Control can help monitor business processes where automated controls cannot be implemented. For instance, if a company is unable to implement automated credit controls, which may slow down its pace of doing business with customers, transactional CCM can be enabled to generate alerts if the outstanding accounts receivable balance for any customer exceeds a predefined amount. The use of transactional CCM allows business process owners to monitor transactional information and SAP configurations to take appropriate actions quickly without interrupting business operations.

Case Study: SAP Process Control example

A global manufacturing company was requiring an upgrade to their existing control management and testing solution and engaged Protiviti to assist in improving their compliance processes. The company relied heavily on manual processes and checklists for SOX certification process, had insufficient review and approval of control testing results, extensive customization to existing reporting and dashboards, and manual review of controls for a large number of organizational elements (i.e., company codes, plants, etc.).

Protiviti worked with the SOX Compliance and IT teams to:

  • Improve compliance and internal control management processes
  • Fully migrate the RCM repository, including organizations, business processes, risks and controls
  • Improve testing and review process for control effectiveness assessments
  • Optimize review and certification for SOX 302 questionnaire process
  • Integrate with SAP Access Control for the central management of mitigating controls
  • Create a CCM pilot to better understand capabilities and improve monitoring of SAP data
  • Customize standard reporting, where needed to enable risk visibility and executive-level dashboards

Following these changes, the company found that it benefited immensely from having these processes updated and automated. The company’s control environment is now less prone to error and requires less time. In addition, external auditors were able to place increased reliance on the new automated controls, greatly reducing associated testing efforts and fees.

Summary

When trying to improve an organization’s overall control environment, implementing intelligent control automation methods empowers a company to significantly reduce manual efforts while still ensuring financial compliance. Implementing a method such as SAP Process Control specifically allows for this automation to occur in a centralized platform where there is a control repository, as well as CCM results and alerts to various control owners.

All companies with ERP systems have the opportunity to strengthen their use of, and reliance on, automated controls and should establish a roadmap to transition from extensive use of manual controls to a mostly automated control environment to monitor business risks proactively. The required upfront effort and investment are well worth it for the long-term gains.

Steve Toshkoff, Steve Apel, Vijan Patel, and Toni Lastella also contributed to this post.

To learn more about our SAP capabilities, contact us or visit Protiviti’s SAP consulting services.

Christine LaRochelle

Senior Consultant
Enterprise Application Solutions

View all posts

Joe Fuchs

Senior Manager
Enterprise Application Solutions

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
6 Sep

Protiviti’s Rich Kessler will join @OneTrust's webinar, “From policy to practice: Bringing your AI Governance program to life” Sept. 10, 2024. Attendees will gain practical, real-world guidance from industry experts on implementing effective AI governance. https://ow.ly/9lYG50ThuX1

Reply on Twitter 1832117179954725321 Retweet on Twitter 1832117179954725321 Like on Twitter 1832117179954725321 Twitter 1832117179954725321
protivititech Protiviti Technology @protivititech ·
6 Sep

Discover @Microsoft's advanced quantum capabilities during this episode of The Post Quantum World podcast with @KonstantHacker and his latest guest, Dr. Krysta Svore, who helped build Microsoft Azure Quantum. https://ow.ly/OfI550ThvbI

#ProtivitiTech #Microsoft #Quantum

Reply on Twitter 1832087410785607973 Retweet on Twitter 1832087410785607973 1 Like on Twitter 1832087410785607973 Twitter 1832087410785607973
protivititech Protiviti Technology @protivititech ·
2 Sep

Register now for this #webinar featuring Protiviti experts in AI/ML and ITSM along with Theo Simmons of #ServiceNow as they discuss how this partnership helps companies gain a competitive edge, enhance business efficiency and more. https://ow.ly/8ui550SOy9i #ProtivitiTech

Reply on Twitter 1830607022229721408 Retweet on Twitter 1830607022229721408 Like on Twitter 1830607022229721408 Twitter 1830607022229721408
protivititech Protiviti Technology @protivititech ·
2 Sep

Protiviti is proud to be an exhibitor at the 2024 PCI SSC Community Meeting in Boston. Learn about the latest advancements in global #PaymentSecurity and PCI Security Standards. Visit our booth to connect with our team. https://ow.ly/Iwbo50SKyp2 #ProtivitiTech #PCICommunityMeeting

Reply on Twitter 1830606785230598337 Retweet on Twitter 1830606785230598337 Like on Twitter 1830606785230598337 Twitter 1830606785230598337
protivititech Protiviti Technology @protivititech ·
30 Aug

As regulatory scrutiny increases with the SEC's Cybersecurity Disclosure requirements, the ability to quantify #cybersecurity risks is essential. Explore strategic approaches to prepare your organization to meet these demands. Register now: https://ow.ly/X7Gw50TaXG5 #ProtivitiTech

Reply on Twitter 1829580608558805422 Retweet on Twitter 1829580608558805422 Like on Twitter 1829580608558805422 1 Twitter 1829580608558805422
Load More