Skip to Content
Business Trends
Author's profile photo Thomas Frenehard

GRC Tuesdays: Building The Case For Your Internal Control and Compliance Solution

This blog part 1 of a new 4 part series that I am starting that follows a blog I released earlier this year: GRC Tuesdays – Creating a Business Case for a Governance, Risk, and Compliance Solution.

As its title suggests, this blog was focused on assessing the Return on Investment (ROI) that could be delivered by an organization leveraging a Governance, Risk, and Compliance software solution.

I have since received questions on how to operationally make the case and how/where to get financial estimates that can be used to calculate this ROI and make the case.

In this first blog of the “Building The Case” series, I will focus on internal control and compliance solution – hence specifically SAP Process Control, but I’ll also be releasing dedicated blogs for the rest of the solutions supporting the 3 Lines Model: enterprise risk management with SAP Risk Management; internal audit with SAP Audit Management; and fraud detection and investigation with SAP Business Integrity Screening.

If you are looking to adopt the latest technologies for improving your overall governance, risk and compliance landscape and you need help to make the business case, then this series should help. At least, I hope!

The SAP Process Control Value Calculator has been created to help organizations explore improvements across areas such as risk, control, regulation, and policy mapping, testing (including continuous controls monitoring), assessments, and others by providing estimates to help them:

  • Focus resources on high-impact processes, regulations, and risks
  • Provide continuous insight into the status of compliance and controls
  • Improve compliance and business process quality at the right cost

Are you ready?

Should you decide that this is worth trying out, then just go to the SAP Process Control Value Calculator and click on GET STARTED. No need to register to this free tool!

Before we start, I just want to highlight the fact that this value calculator provides estimated data for illustration purposes only. Actual results or costs may of course vary and may be affected by additional factors that would need to be taken into account when using this information in your business case.


Section 1 – Configure


In this first step, you’ll be asked to provide your best estimate for various company attributes. Don’t worry, you can then change them to create different scenarios if you wish.

What indicators are required:

  • Number of controls in the organization
  • Percentage of controls tested for effectiveness
  • Full-time equivalents (FTE) in compliance and internal control teams (i.e.: 2nd line)
  • Other FTEs involved in compliance and control
  • Annual full-time loaded cost per FTE in compliance and control


Section 2 – Document


This section will focus on the benefits that the solution can provide in terms of documenting controls and policies centrally, but also mapping key regulations and affected organizations.

Best-in-class companies generally harmonize internal controls and policies within a single system of record to minimize maintenance and ensure quality. These organizations then share controls and policies across financial, operational, and other regulations as appropriate.

What indicators are required:

  • Are there manual tools currently in use (i.e.: it could be programs such as Microsoft Excel and Word being used for compliance and control management)
  • Number of entities documenting internal controls – it could be departments, business unities, lines of business, etc.
  • Average full-time equivalents (FTE) documenting internal controls per entities mentioned just above

Once you have entered your information, you will be able to see:

  • Current spend => hence how much your organization spends on this process currently
  • Current gain => hence how much savings you could generate with a software solution such as SAP Process Control

You can always click on “Review Formula” to understand the calculations performed by the tool.

Estimated value gain for organizations using manual tools is 20%, whereas organizations who are already using niche software or ad-hoc tools can gain an average of 10%.


Section 3 – Plan


This section will focus on benefits that the organization can achieved from performing periodic risk assessments to determine scope and test strategies.

Planning is of course a key step to ensure the organization focuses on what is most critical and gets the right controls where they are the most needed: fewer controls but better and stronger controls where there is value at stake or higher risk.

Not only does this process help prioritize and streamline internal controls and associated GRC processes (evaluation, testing, etc.), but it also helps ensure nothing falls between the cracks that can impact the bottom line or impact risk exposure if left aside.

What indicator is required:

  • Percentage of planning time spent on non-critical internal controls (includes documenting, evaluating, and reviewing)

As for the previous section and for all the remaining ones, 2 values are then displayed: Current Spend and Current Gain. And the “Review Formula” option is of course also still available in case you would like to drill-down into the calculations.


Section 4 – Evaluate


Here, we’ll be focusing on the benefits from automating evaluations and speeding up issue remediation.

A core part of the internal control cycle is when the company can ensure that controls are properly designed, work effectively, and that issues are properly identified, documented, and remediated.

This phase entails:

  • Performing and documenting control self-assessments and tests of effectiveness using best practice workflows for manual controls
  • Raising and remediating issues but also tracking their resolution
  • Automating control tests of SAP and non-SAP ERP configuration, master data, and transactions

What indicators are required:

  • Percentage of automatic testing capacity – the controls that could be tested automatically or semi-automatically
  • Average number of hours per year spend on manual testing of key controls by the 2nd line


Section 5 – Perform & Monitor


We’re now progressing on the internal control process and reaching the benefits that can be gained by performing continuous exception-based monitoring of controls. Hence when control owners are automatically notified in case there is an issue raised on a control.

Indeed, compliance and control programs are continuous processes. Transactions are generated around the clock and control deficiencies or issues can occur at any time.

Best-in-class companies leverage business data and use continuous control monitoring to identify exceptions quickly, not only making control performance easier and timely, but also ensuring that review and resolutions are duly documented for auditors.

Furthermore, continuous monitoring can help reduce losses related to errors, fraud, or regulatory fines as issues are caught more rapidly.

What indicators are required:

  • Percentage of controls that could be performed automatically or semi-automatically, or monitored on an automated basis
  • Average number of hours per year spent on control performance and monitoring by the 1st line
  • Potential loss reduction, i.e. monetary gain by reducing errors, fraudulent activities, and penalties


Section 6 – Report


We’re now on the very last section before the final output. Here, we’ll be reviewing the benefits from streamlining reporting processes and audit preparation.

This part of the control and compliance process can help gain visibility into compliance status, control effectiveness, and progress of an organization’s GRC processes such as evaluation and testing progress, issue resolution, and policy acceptance – from any level or angle.

SAP Process Control provides a comprehensive set of reports and dashboards based on SAP business intelligence technology. This also helps establish accountability for compliance and control status by providing users with clear, accessible, and complete information to document sign-off surveys.

What indicators are required:

  • Average full-time equivalents (FTE) involved in producing reports and audit preparation work for compliance and control team review
  • External Auditors’ fees and costs per year, including travel expenses that are often a forgotten cost


Section 7 – Total Value


That’s it! This last section is a summary that displays the potential value gain achievable with SAP Process Control. It includes 4 graphs:


Current Spend vs. Potential Spend


Difference in Spend (lighter color is previous state and darker colors represents potential shift)


Total Gains by Control Step


Total Spend and Gain

Registration is not required, and you can change your assumptions as many times as you wish. So why not give it a try?

What about you, what other variables do you take into consideration when building the case for an internal control and compliance solution? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

And stay tuned on the GRCTuesdays site for the follow up blogs on risk management, internal audit and fraud detection and investigation.

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.