Governance, Risk, and Compliance are some of the terms which almost everyone is afraid of. Process audits can be disastrous if these terms have not been given a deep thought while analysing, designing and operating on various processes running within the organisation. Processes can make or break an organisation, if processes are non-compliant and exposes an organisation to a range of risks, its better to get rid of them as those may cost you and your organisations a fortune.
Processes defines the character of an organisation as those govern behaviour, strategies, future and ultimately the destiny of an organisation very much like values, habits and traits defines the character of an individuals and help in triumphing the journey of life.
For better process governance and to avoid risks, businesses continuously or periodically check the processes. This gives business an opportunity to get insight of the process, its exceptions and verify the input and output data to check if it is compliant.
The Tool: Security Weaver- Process Auditor
Recently, I got the opportunity to work on a GRC tool from Security Weaver. In this blog, I am sharing my implementation experiences on “Process Auditor –PA”.
Process Auditor also called Security Weaver-PA, is a bolt-on solution to SAP and does not need any additional portal/web access. This tool is well integrated with SAP and therefore does not need full range of batch jobs to run to pull data from SAP database, the actual tool can be accessed through SAP GUI once the user logs in. The tool can be called with the help of transaction codes (/n/PSYNG/PA) within SAP. Access to tool can be controlled by SAP authorisations.
Process Auditor- “Controls”:
The Process Auditor tool comes with its own standard “Controls”, which can be easily implemented as per business needs and requirements. The tool gives a perfect platform to further customise and develop these basic standard controls, as per business needs. These controls cover all business areas and SAP modules. Some of the high interest controls which shall pick business attention almost immediately are:
Purchasing controls: (PTP)
- Duplicate vendor invoices
- Duplicate vendor payments
- Employees and vendors with the same bank details
- Purchase Req and corresponding Purchase Order approved by same person
- Duplicate vendors in the system, having same bank details
- Employees and Vendors with Same Name or Address
- Changes in Payment Terms for customer or Vendors
Sales controls: (OTC)
- Ageing Analysis of Sales Returns
- Employees and customers with the same bank details
- Changes in Credit Exposure for Customer by Credit Control Area
- Credit Check in Sales Order Processing
- Sales through One time Customers
- Credit Exposure for Customer Risk Category
- Changes in Payment Terms for customer or Vendors
- Sales Cancellation
Finance controls: (RTR)
- GL Account Changes Company Wide
- Monitoring Exchange Rate Changes
- Employees and Vendors with same Bank accounts
- Changes in Bank Details in Vendor Master
- Journal Entries Posted and Parked by the same person
System controls: (IT)
- Detect Changes Made in Production Client Settings
- Detect Unauthorized Changes in Technical Settings of Tables
- Detect SAP Data Transport By Unauthorized User
- Detect ABAP Programs Not Assigned To Authorization Group
In essence, these controls can cover SAP configuration, master data and transactional data aspects to touch base with every process running in your organisation to identify the potential risks.
The tool further gives an excellent platform to customise these standard controls and help in preparing a framework to run these controls with a logical approach.
Output of a control run:
The outcome of the control run is potential risk “cases” which have got the data records identified. A case may have several data records as per the definition of the control. The control can have the business ownership within the tool and therefore the cases generated will also have the business owner who will take action on these cases or can delegate someone to take action further.
These records within the case generated, are then analysed by the business and appropriate action is taken on data records or cases can be closed with suitable comments without action.
Over a period, the tool can hold full history of these control runs and appropriate actions & comments filled in by the business owners.
An example of control- Duplicate vendor invoice/payment control:
Many people would say that identifying duplicate vendor invoices is an easy task, we can design a report to cross check the SAP invoice reference number (vendor invoice number) and identify if these numbers are same. Its not that simple as this reference number is manually keyed in, there are chances that a space, additional number or fake invoice number has been keyed in. A invoice can be create with or without a PO reference or with different vendor accounts which belongs to the same vendor.
Moreover, a typical SAP system may also have some invoicing tools as interfaces, which are sending invoices into the system like e-invoicing tools OB10, Ariba etc.
Also, there are other payment channels and processes outside accounts payable like direct debit, BACS, CHAPS, Procurement card payments, One time vendor payment, subsequent debit, and advance against PO etc. The duplicate invoice might be a week or 15 months old you are not sure.
We actually need to consider all channels of payments and invoicing, potential vendor master data duplication, invoice amount, currency, invoice date, vendor bank details and finance journal postings etc. There are companies which gives consulting services just to identify duplicate vendor invoices and charge a percentage of identified duplicate amounts for their services.
With the help of Process auditor, we could consider all aspects of vendor invoicing and payments as mentioned above and could easily enhance the controls to our business needs. Now we have a framework covering all aspects to identify vendor duplicate payments. This is protecting the business of paying any duplicate vendor invoice. Also, has reduced a lot of manual work which goes in to identify such duplicates.
Over a period the project costs will be covered by the corresponding savings made by the business.
I hope I could cover all aspects of Security Weaver – Process Auditor controls to give you glimpse of the tool features and how it can help in auditing the processes.