Former Member

SAP GRC Process Control helps organizations to manage their compliance processes more effectively. The objective of Process Control is to provide automated risk and control monitoring, testing and analytical capabilities across the entire enterprise and to improve the effectiveness of an overall compliance program.


SAP GRC Process Control enables organizations to realize strategic alignment, predictable performance and confident decision making by leveraging the SAP Business Objects GRC solution, through values like:

• Increased visibility into the impact of risk against performance

• Reduced risk and cost across risk and control management objectives

• Increased strategic effectiveness through automated monitoring of risks and controls

In SAP GRC Process Control 10.0, all evaluation activities are governed by a set of robust workflows and notifications. Based on evaluation schedules, users are automatically notified through workflow tasks which cover test performance, issue management, remediation and retesting.

Steps to create Automated Control in SAP GRC:

In GRC, an automated control can be created in a few steps, as given below:

          1. Create Control
          2. Create Data Source
          3. Create Business Rule
          4. Assign Business Rule to Control
          5. Schedule continuous monitoring job


This document is focused on how to create an automated control in SAP GRC 10.0. The scenario taken is for the "Purchase to Pay" business process. Control specifications are as given below:

Control Objective: To ensure that the quantity on every invoice equals the quantity of the respective goods receipt. The control therefore captures the changes made to the defined fields of the concerned table.

Deficiency to be captured: Any change made to the mentioned fields of the given table.

Risks & Impact: If not configured, the goods received may be less than the quantity mentioned in the invoice, so we may end up paying for goods which were not actually received.

Table & Field:

Table: T169G

Fields:

    • PROZ2 (Percentage Tolerance Limit)
    • XP2JA (Limits to be checked)
    • XW2JA (Limits to be checked)

          1. Create Control:

The prerequisites for creating a control are:

    • Organizational hierarchy
    • Process hierarchy

A control can be created in the process hierarchy under a sub-process for a particular business process. During implementation, the organizational hierarchy and process hierarchy are generally created.

Create Process: A process can be created, or an existing one can be used if the process hierarchy has already been maintained.

Once the process is identified, a sub-process has to be created under it. An existing one can also be used. In the following picture, a sub-process has been created.


In the following picture, a regulation has been assigned to the sub-process, so the control will be regulation specific.

Now that our sub-process is ready, we can go ahead and create the control under the sub-process. Specifications can be maintained for the control as per the requirement.


Once all general specifications are maintained, a regulation has to be assigned to the control if the control is regulation specific. As this control is regulation specific, a regulation has to be assigned to it.

The picture below depicts the process hierarchy; our requirement is to create a control under the sub-process “P2P: Goods Receipt”.



In this example we have created a new process and sub-process. So, the next step is to assign the sub-process “P2P: Goods Receipt” to the organizational hierarchy.


As shown in the picture below, the sub-process “P2P: Goods Receipt” has been assigned to the organization “Synxxx_New”, along with many other assignments.

          2. Create Data Source:

Now that we are ready with the control and sub-process, the next step is to create a data source from which the control will fetch the information we are looking for.




Enter the relevant table name for the data source. Here, the table is T169G. This is followed by selecting the fields as per the details provided previously. We can also execute the ad hoc query to test whether our data source is pulling the correct data as per our requirement.


The connector tab shows the data source system details from where we are fetching the required data.



          3. Create a Business Rule:

Now that the data source is ready, our next step is to create a business rule.



Click on the “Business Rule” tab to create the required business rule. Once the data source is selected for the business rule, it takes us to the next screen, where we can fill in the business rule details, as shown in the screen below.


Select the fields which are required for analysis.



Create Deficiency Criteria: The deficiency criteria is the most important field, where we decide the limits of the fields selected. Here, we are capturing all the changes in the selected fields.


It is also possible to customize our output the way we need by hiding or displaying some fields. If we need to hide some fields in the output, we can click on the box against the same field, as shown in the next picture.
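The deficiency logic described above, as an added example that is not SAP GRC code or part of the original post: it compares two snapshots of T169G, reports every change to the monitored fields, and can hide chosen output columns. The key fields BUKRS and TOLSL, the function names and all sample rows are assumptions constructed for illustration.

```python
# Illustrative only: not SAP GRC code. All rows below are constructed sample data.
MONITORED = ("PROZ2", "XP2JA", "XW2JA")  # fields named in the control specification
KEY = ("BUKRS", "TOLSL")                 # assumed key fields: company code, tolerance key


def index_rows(rows):
    """Index table rows by key so two snapshots can be compared row by row."""
    return {tuple(r[k] for k in KEY): r for r in rows}


def find_deficiencies(baseline, current, hidden=()):
    """Return one finding per monitored field whose value differs between snapshots.

    Rows that were added or deleted are reported as well, because adding or
    removing a tolerance entry also changes the limits in force.
    `hidden` names output columns to suppress, like the hide box in the rule output.
    """
    old, new = index_rows(baseline), index_rows(current)
    findings = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        for field in MONITORED:
            b = before.get(field) if before else None
            a = after.get(field) if after else None
            if b != a:  # deficiency criterion: any change at all
                row = dict(zip(KEY, key), FIELD=field, OLD=b, NEW=a)
                findings.append({k: v for k, v in row.items() if k not in hidden})
    return findings


# Constructed snapshots of T169G; the values are made up for the example.
BASELINE = [
    {"BUKRS": "1000", "TOLSL": "PP", "PROZ2": "5.00", "XP2JA": "X", "XW2JA": "X"},
    {"BUKRS": "1000", "TOLSL": "DQ", "PROZ2": "2.00", "XP2JA": "X", "XW2JA": ""},
]
CURRENT = [
    {"BUKRS": "1000", "TOLSL": "PP", "PROZ2": "50.00", "XP2JA": "", "XW2JA": "X"},
    {"BUKRS": "1000", "TOLSL": "DQ", "PROZ2": "2.00", "XP2JA": "X", "XW2JA": ""},
]

if __name__ == "__main__":
    for finding in find_deficiencies(BASELINE, CURRENT):
        print(finding)
```

In the sample data, the percentage limit is raised and its check flag is cleared in the same row, which is the kind of change this control is meant to surface to the control owner.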

          4. Business Rule Assignment:


Once the business rule and control are ready, we can assign the control to the business rule. This can be done through the “Business Rule Assignment” tab, as shown in the picture below.



As shown in the picture given below, select the date and search for the control. Check the control and click on modify to select the correct business rule. Then, set the frequency at which the control should collect the data. It can be daily, weekly, monthly, quarterly, half yearly, yearly or any frequency. In the following picture the frequency is set as “any frequency”. This will help us to schedule our job as per our requirement.


          5. Schedule automated Monitoring Job:


Click on the “automated monitoring” tab to schedule the job.



Fill in the job details as shown in the following picture.


In the picture below, we can see that there are options to share or restrict the control result with other regulations.


In the next step, search for the control which is assigned to the business rule.


Select the control and save the option.


Recipients of the control result (as defined in GRC, mostly the owners) get mails in their respective GRC inbox. The picture below depicts what the control result looks like.