GRC Tuesdays: Fast Track Your Internal Control Project
In one of the previous blogs of this GRC Tuesdays series – Risk Management Project – Where Do I Start?, I had suggested a few steps on how to get started on your risk initiative. I have since received some requests about doing something similar for an internal control project, but the ask itself seems to relate more to where to start in terms of content, rather than project steps.
I have therefore tried to list below some resources that you could leverage to fast track your internal control project.
As I am sure you already know, SAP Process Control is SAP’s solution for control and compliance requirements. With this solution, customers can decide to trigger manual controls and/or combine them with automated controls. Progressing from manual to automated controls typically helps organizations move towards an exception-based approach where control deficiencies are automatically routed to relevant stakeholders for review.
A first step for most Compliance departments is to document controls that they will then send to control owners across the business for manual control design assessment or control self-assessment. If your organization is looking for pointers on what type of controls it could put in place, then I would suggest having a look at SAP Note 1968683 – SAP Process Control rapid deployment solution v1.101.
This rapid deployment solution (“RDS” in SAP’s acronym lingo) no longer applies, since SAP Process Control is now in version 12.0 and this asset was created for version 10.1 of the solution, but the content shared in this SAP Note is still fully relevant. Regardless of the version of SAP Process Control that you are running at the time you read this blog, this content can be imported into the solution via the Master Data Upload Generator (MDUG in yet another SAP acronym).
As you will be able to read in the attachments to this note, there are examples of controls associated with different regulatory initiatives:
Note: you may also find the tabs on Test Plans (including the Test Plans Steps) very interesting for defining an approach to test the controls.
As mentioned in the introduction, another of SAP Process Control’s key features relates to its automated control testing and continuous control monitoring capabilities.
SAP Process Control enables the automated testing of controls by leveraging predefined rules and a configurable rules engine. By monitoring configurations, master data, transactions and related changes, and by routing the exceptions through the workflow to appropriate users, the solution not only helps organizations lower testing costs but also enables continuous insight with consistent and timely information.
Once again, should you be looking for suggestions of controls, then SAP Note 1852865 – Continuous Control Monitoring Rule Content might be what you are looking for.
This SAP Note details 44 Configurable Rules and 11 Programmed Rules for use in SAP Process Control. Should an organization want to use these rules, the administrators of the solution would need to download the rule content package listed at the bottom of the note and then import it into their system.
These internal control and compliance starter kits have been put together as best practice control frameworks and libraries. They are therefore only examples and need to be adapted for each context of course. Nevertheless, they are a great starting point to fast track your internal control project and maybe even automate some of the controls from day 1. At the very least, they will provide some food for thought that you may want to consider running by your audit department to get validation of the scope to deliver first.
What about you, is there some other content that you have leveraged to kick off your internal control project? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.
Update (July 2020)
Since this blog was originally published in April 2020, the SAP GRC Product Management team has been working on additional control content specifically for SAP S/4HANA.
As a result, a new set of content has been released and you will be able to find it in SAP Note 2949577 – SAP Process Control 12.0 for SAP S/4HANA Continuous Control Monitoring Content.