Highlights for Governance, Risk and Compliance (GRC) with SAP S/4HANA 2021
Hi everyone and welcome to my blog illustrating selected highlights for Governance, Risk, and Compliance (GRC) with SAP S/4HANA 2021. Today, I would like to illustrate what is new with SAP S/4HANA for International Trade, introduce our new cloud GRC solution SAP Financial Compliance Management, and explain what our new product SAP Document and Reporting Compliance has in store for you. In addition, I will show what is new with SAP Cloud Identity Access Governance and SAP Privacy Governance.
This blog covers the following topics:
Financial Compliance Management
- Quick Intro: SAP Financial Compliance Management and SAP S/4HANA
- Predefined Stories for SAP Financial Compliance Management in SAP Analytics Cloud
- Best Practice Content for SAP S/4HANA
Document and Reporting Compliance
- Quick Intro: Combination of SAP Document Compliance and SAP Advanced Compliance Reporting
- Document and Reporting Compliance Dashboard
International Trade Management
- Embedded Analytics App for Trade Compliance Issue Handling and Compliance Checks for Sales Scheduling Agreements
- Activation of Document Transfer to SAP GTS for Specific Company Code
- Display of International Trade Compliance Status in Sales and Delivery Management Documents
- Screening Checks for GTM Trading Contracts, Inbound Deliveries, Sales Quotations, and Sales Scheduling Agreements in SAP Watch List Screening
- Trade Compliance Legal Control Checks for Sales Scheduling Agreements, GTM Trading Contracts, Purchasing Documents, and Inbound Deliveries
SAP Cloud Identity Access Governance
- Quick Intro: SAP Cloud Identity Access Governance
- Privileged Access Management
- Open Interface for Third-Party Application Access Request
- Redesigned Access Certification Process
SAP Privacy Governance
- Security and Privacy Issue Handling
- Manual Procedures for Privacy Risks
- Now Available: Microlearning on OpenSAP ‘Introduction to SAP Privacy Governance’
If you are interested to know what is new with Finance with SAP S/4HANA 2021, you can check out the blog ‘Highlights for Finance in SAP S/4HANA 2021’ by Ulrich Hauke.
Before I start with the innovations, please note that all of the following innovations are also available for SAP S/4HANA Cloud, Private Edition.
Financial Compliance Management
Quick Intro: SAP Financial Compliance Management and SAP S/4HANA
In March 2021, we proudly announced the availability of the first version of SAP Financial Compliance Management, which is our brand new control solution in the cloud. The aspects of financial compliance are as numerous as they are varied, and knowing which ones are relevant for your organization can be challenging. SAP Financial Compliance Management provides all the tools needed to ensure that your organization adheres to local laws and regulations. From documenting the processes in place for your organization to setting up checks and controls, the solution enables you to fulfill all tasks necessary to ensure financial compliance.
SAP Financial Compliance Management is built on SAP Business Technology Platform and provides end-to-end financial compliance. In the light of constantly rising efforts and cost regarding financial compliance, companies are looking for more and more automation. With SAP Financial Compliance Management, you can establish proactive risk management instead of just fixing after-the-fact issues. This way, the role of GRC is changing from a cost factor to a strategic differentiator allowing you to optimize your business.
With SAP Financial Compliance Management, compliance specialists can design controls and link them to existing organizational units and business processes, monitor the performance of controls and determine their effectiveness, document a regulatory framework of applicable laws and regulations, and, last but not least, detect issues in the implementation of controls and create remediation plans.
Fig. 1: With SAP Financial Compliance Management, compliance managers can design controls and monitor their performance
By integrating SAP S/4HANA and SAP Financial Compliance Management, compliance managers define controls and procedures to monitor financial operation processes and detect anomalies when connected to the SAP S/4HANA system. As you are well aware, financial processes generate a multitude of documents every day. Aside from manual checking and review, the new scope item ‘Financial Operation Monitoring with SAP Financial Compliance’ (3KY) enables continuous monitoring of transaction information and detects activities that may cause financial loss. The results from these monitored processes provide insights for the financial process in a company. Please note that this scope item requires additional licensing.
Predefined Stories for SAP Financial Compliance Management in SAP Analytics Cloud
Over the course of the year, SAP Financial Compliance Management has been extended step by step and now with the 2021 release, we are proud to present two predefined analytical stories for SAP Financial Compliance Management in SAP Analytics Cloud.
Story for Run Results Data Analysis
This story provides compliance managers with compliance analyses by organizations, processes, and regulations. Moreover, it contains detailed analyses of manual procedures and procedure runs, as well as a breakdown of procedure runs over time.
Fig. 2: The story for SAP Financial Compliance Management with run results data provides compliance analyses by organizations, processes, and regulations
As an example, I will now dig a bit deeper into one of the underlying views, the compliance analysis by processes. In the upper left corner of the view, you see the number of failed controls per process. ‘Failed’ means that SAP Financial Compliance Management has executed a control via a work package and has found entries in the SAP S/4HANA system which match our search criteria. So, for example, when we look at process ‘P2: Reimburse to Pay’, there are 3 controls which have been assigned to this process and have failed items.
In the upper right corner, you see the top-5 failed controls, meaning the controls with the most failed items. Here, control ‘C5: Verify the Authenticity of General Ledger Accounts’ has had the highest number of failed items and is therefore top 1. At the bottom, you see the analysis by control risk level and by significance. Both are data that you can use to specify your controls with SAP Financial Compliance Management.
As mentioned above, the run results data story consists of several other views. If you are interested in further information, check out Video 1 below. It was recorded for SAP S/4HANA Cloud, but is equally valid for SAP S/4HANA.
Fig. 3: With the analytical story for run results data analysis for SAP Financial Compliance Management, compliance managers can analyze compliance by process
Analytical Story for Master Data Analysis
The second story allows you to analyze the maintenance of master data for SAP Financial Compliance Management. You can display the distribution of controls by certain criteria, such as regulations, and you can see which control owners have been assigned to which controls. You can find missing assignments in controls regarding organizations, processes, regulations, control owners, control groups, and procedures. You can see which procedures have been assigned to which controls, and you can find orphaned data, meaning existing objects which have not been used, assigned, or scheduled so far.
Fig. 4: The predefined story for master data analysis allows to analyze the master data of controls and related objects
As an example here, I have picked the view regarding the distribution of controls. In the upper left corner, the pie chart shows how the controls are distributed by regulation. In this case, more than 38% of the controls are assigned to regulation R1. The second pie chart in the lower left corner shows the distribution by control group. Here, 50% of the controls are assigned to control group ‘Record-to-Report’. On the left-hand side of the screen, the heat map shows the distribution by organization and by processes. For example, the column ‘Unassigned’ immediately draws your attention to those controls where an organization has been assigned but no process.
Fig. 5: As of SAP S/4HANA 2021, compliance managers can analyze the distribution of their controls by regulation, control group, or organization and processes with SAP Financial Compliance Management.
As mentioned above, the story for master data analysis consists of several other views. If you are interested in a detailed system demo, check out Video 1 below. It was recorded for SAP S/4HANA Cloud, but is equally valid for SAP S/4HANA.
Detailed System Demo of Analytical Stories
If you are interested in a detailed system demo of the new SAC stories for SAP Financial Compliance Management in SAP Analytics Cloud, check out the following video. It was recorded for SAP S/4HANA Cloud, but is equally valid for SAP S/4HANA.
Video 1: Detailed system demo (14:34 min.) of the predefined analytical stories for SAP Financial Compliance Management in SAP Analytics Cloud analyzing run results and master data of controls
Best Practice Content for SAP S/4HANA
With SAP Financial Compliance Management, compliance managers benefit from more than 60 most commonly used, predefined controls which can be used out-of-the-box with SAP S/4HANA and S/4HANA Cloud. Thanks to this, you can check your SAP S/4HANA system for suspicious activities and detect, for example, suppliers with disabled duplicate invoice or overpaid purchase orders compared to goods receipt.
With SAP Financial Compliance Management, you can either leverage these finance-related automated controls out-of-the-box or use them as templates for your own customer-defined controls. The corresponding scope item for SAP S/4HANA Cloud is called ‘Financial Operation Monitoring with SAP Financial Compliance’ (3KY).
Fig. 6: The business content from SAP Financial Compliance Management for SAP S/4HANA provides more than 60 most-commonly used, predefined controls
Now, you might be wondering where you as a customer can find the best practice content of SAP Financial Compliance Management. Well, the answer is pretty easy: You will find it directly in your customer system in the apps ‘Manage Automated Procedures’ and ‘Manage Controls’ as draft versions which you can use
- either as is, obviously you would still have to enter e.g. your S/4HANA Cloud system etc., but apart from that it’s ready to use.
- or if necessary, you can use the automated procedures and controls as templates and adapt them to your needs.
- SAP Help Portal: Business Content of SAP Financial Compliance Management
- Best Practice Explorer: Financial Operation Monitoring with SAP Financial Compliance (3KY)
Control for Revenue Recognition
One very prominent example of the business content for SAP S/4HANA is the control for contract-based revenue recognition which allows you to automate the detection of compliance risks before their effects become material to financials and are identified by auditors. You can use the automated compliance rule to detect a critical deterioration of the actual selling prices compared to the standalone selling prices applied in accounting for the transactions. You can evaluate past transactions to assess whether a narrow range of observable selling prices exists and verify whether the correct standalone selling price is applied to the underlying product or service for the allocation of the transaction prices.
With SAP Financial Compliance Management, you can prioritize your work items for checking revenue issues and track findings and resolution for full auditability, increase overall reliability of financials and provide feedback to policy owners for common issues requiring clarification. In addition, you can utilize a platform to quickly analyze issues and extend the controls on a common framework for setting up detection rules, running automated controls, and remediating identified issues.
In order to achieve this, you can compare the transaction prices that were charged with the standalone selling price (SSP) range for variable time periods, e.g. the previous four quarters. You can validate SSP compliance for each group (e.g. performance obligation name in Revenue Accounting) and a percentage of transactions concentrated around the +/- corridor for the standard SSP price. In addition, you can check the SSP compliance to evaluate whether the correct SSP is applied to the underlying product/service for the allocation of the transaction prices in multiple element arrangements (MEAs).
- Excellent blog ‘Early Warning Mechanism for Standalone Selling Price Compliance Risks’ by Ling Zeng which describes the control in more detail
- SAP Help Portal: Early Warning Mechanism for Standalone Selling Price Compliance Risks
Document and Reporting Compliance
Quick Intro: Combination of SAP Document Compliance and SAP Advanced Compliance Reporting
As you are well aware, real-time business document submissions and statutory reports become more and more the new operating standard. In order to provide enterprises with an arsenal of abilities to address these challenges, SAP has combined SAP Document Compliance and SAP solutions for Advanced Compliance Reporting into one holistic solution: SAP Document and Reporting Compliance. It centralizes all types of mandates within one end-to-end compliance process – from real-time electronic business documents to statutory reports.
SAP Document and Reporting Compliance enables enterprises to stay compliant in the digital world, and it goes beyond. With its streamlined approach to tax compliance and embedded automation, the solution allows also to re-think compliance processes maximizing efficiency, reducing both compliance risks and costs, and increasing sustainability of tax operations.
- Excellent blog by Erika Buson on ‘SAP S/4HANA 2021 – E-invoicing and statutory reporting made easy with SAP Document and Reporting Compliance, a holistic approach to compliance reporting regulations’
- SAP Help Portal: SAP Document and Reporting Compliance
Document and Reporting Compliance Dashboard
With SAP S/4HANA 2021, we deliver a single, easy-to-use SAP Fiori dashboard called ‘Document and Reporting Compliance Dashboard’ that allows you to monitor and follow-up on all compliance tasks across countries, irrespective of their frequency, from real-time business documents to statutory reports. This ready-to-use dashboard serves as a global cockpit for real-time analysis of electronic business documents and allows follow-up activities after rejections. In addition, it facilitates the reconciliation between electronic business documents and statutory reporting with full audit trail.
Fig. 7: With the Document and Reporting Compliance Dashboard, tax accountants benefit from an overview of the communication status of all documents as well as pending items requiring action
The ‘Documents – Communications Progress’ card provides an overview of all electronic business documents which have been created, processed and exchanged for a specific country. If you require additional information on this, you can drill down from here to the underlying data. This card provides also a direct overview of all documents which have status ‘Action required’ meaning all the objects that are pending and need to be corrected to enable successful processing. So, tax accountants can see at a glance what needs to be done from their side. By selecting one of the items which are pending, they can jump to the EDocument Cockpit to get further information such as processing status, error returned, corresponding document number, and company code and, if necessary, they can navigate to the respective invoice to get further information and take the actions required.
The ‘Reports – Immediate Attention Required’ card displays the list of statutory reports that need to be completed with priority based on their due date. Within the same dashboard, after reviewing any pending electronic business documents, tax accountants can navigate to the corresponding statutory reports for preparation and submission. The ‘Reporting Progress’ card provides a helicopter view of the latest status across all countries/reports to ensure they are on track versus the due date and any risk of non-compliance is promptly followed up.
- SAP Help Portal: Document and Reporting Compliance Dashboard
International Trade Management
Also for International Trade, I have several innovations with SAP S/4HANA 2021 that I would like to share with you:
Embedded Analytics App for Trade Compliance Issue Handling and Compliance Checks for Sales Scheduling Agreements
With the 2021 release, we deliver a brand-new embedded analytics app for trade compliance issue handling which is called ‘Analyze and Resolve Blocked Documents’. The beauty of this app lies within the fact that it provides full transparency regarding blocked trade compliance documents in the system. Trade compliance specialists can easily analyze the documents and select their workload by visually and/or classically filtering blocked documents according to different dimensions such as legal regulations, document categories, and company codes. In addition, you can process blocked documents very easily from within the app, e.g. by assigning missing licenses or classifications.
Fig. 8: As of SAP S/4HANA 2021, trade compliance specialists can analyze and resolve trade compliance issues in the new embedded analytics app ‘Analyze and Resolve Issues’.
Activation of Document Transfer to SAP GTS for Specific Company Code
The next innovation with International Trade is from Compliance Management. Here, you have now additional options when it comes to fine-tuning the document transfer to SAP Global Trade Services. So far, it was possible to activate this on a document level only. As of S/4HANA 2021, this can be restricted also by company code or document type and company-code level. As you can imagine, this allows you to significantly reduce the data traffic between S/4HANA and SAP GTS.
Display of International Trade Compliance Status in Sales and Delivery Management Documents
As of SAP S/4HANA 2021, trade compliance specialists can display the trade compliance status of sales documents, meaning sales orders, sales orders without charge, as well as sales contracts in the corresponding visually harmonized apps. This also applies to the filter and results list of the ‘Manage Sales Orders’, ‘Manage Sales Orders without Charge’, and the ‘Customer 360’ apps. This way, you can select trade compliance relevant documents in the analytical list pages.
For delivery management documents, it is now possible to gain direct information on the legal control, embargo, as well as watch list screening status of trade compliance relevant delivery documents on item level. In addition, you can display the status in inbound delivery and outbound delivery.
Fig. 9: As of SAP S/4HANA 2021, the trade compliance status can be displayed in delivery management documents
Screening for GTM Trading Contracts in SAP Watch List Screening
As of SAP S/4HANA 2021, you can meet the legal requirement to exclude any individual customer names or addresses used in business processes from all lists of sanctioned parties (for instance, a company’s denied-party list) and call SAP Watch List Screening from within the trade compliance document in SAP S/4HANA for global trade management (GTM) trading contracts to perform screening checks in the app ‘Manage Documents – Trade Compliance’. In addition, you can schedule the postprocessing of the trade compliance documents relevant for the SAP Watch List Screening service from within the app ‘Schedule Postprocessing – Watch List Screening’.
Trade Compliance Legal Control Checks for Sales Scheduling Agreements, GTM Trading Contracts, Purchasing Documents, and Inbound Deliveries
In the app ‘Analyze and Resolve Blocked Documents’, you can analyze and display blocked legal control documents and resolve blocks – due to missing classifications or missing licenses – for the trade compliance documents.
SAP Cloud Identity Access Governance
Quick Intro: SAP Cloud Identity Access Governance
As you might know, SAP Cloud Identity Access Governance is a cloud-based solution for access governance and consists of several micro services:
- Access Analysis is about finding segregation of duties issues, meaning critical access of users within the system landscape, and running mitigation processes in order to solve these issues.
- The functionality of the new Privileged Access Management service is also known as fire fighter capability meaning superuser access.
- Next, we have the Role Design service which is about clustering very technical roles into business roles that are aligned with the corresponding business processes which makes it very easy to define and manage compliant roles across landscapes.
- The Access Request service provides self-service capabilities and allows end users to request access in specific systems. After a successful approval process, the access is then provided to the end users.
- The service that we will look at in this blog in more detail is Access Certification. In the on-premise world, this functionality is called user access review.
Fig. 10: SAP Cloud Identity Access Governance consists of several micro services for access analysis, role design, access requests, access certification, and privileged access management
Privileged Access Management
As mentioned above, we now offer a new micro service for Privileged Access Management (PAM) which can be used with SAP S/4HANA. This service allows you to have a cloud-based elevated access management process. Users can create self-service requests for emergency access to systems and applications. This emergency access is also known by the term ‘firefighting’ in the on-premise world. In addition to providing access to firefighters, the service includes embedded compliance reviews of the firefighters’ activities in the respective business systems. This means that approvers, reviewers, and security can review requests for emergency access and grant access. Compliance persons can perform periodic audits of usage and logs to monitor compliance with company policies.
Open Interface for Third-Party Application Access Request
The open interface for external system integration to extend access governance enables access compliance for third-party business applications. It supports creating access requests and provides a lookup interface for specific entities that are required to create requests. This allows the initiation of access requests in third-party identity management and ticketing systems and simplifies access request and approval processes by extending the existing processes. In addition, integration with the required data available for submitting access requests has become much easier.
Fig. 11: The ‘Access Request Service’ API enables external applications to submit requests to SAP Cloud Identity Access Governance for further processing.
It comes with the following REST APIs:
- Access Search: Searches the accesses that can be requested
- Application User: Fetches the list of application users for SAP Cloud Identity Access Governance which are allowed to create or view the status of the request
- Create IAG Request: Creates access requests for assignment creation or update
- Custom Field: Retrieves the list of custom fields configured in SAP Cloud Identity Access Governance
- Request Priorities: Returns the available priorities from which one can be chosen to create a request
- Request Reason Codes: Retrieves the list of request reason codes
- Request Status: Retrieves the request status details for already submitted requests
- SAP API Business Hub: SAP Cloud Identity Access Governance, Access Request Service
Redesigned Access Certification Process
With the Access Certification service, compliance administrators can manage user access in the landscape and always have full transparency regarding the current user access situation. To ensure that users only have the access that they need for their work, automated periodic access reviews are executed and authorized reviewers decide whether the access of a user should be approved and kept as is or whether it should be removed for compliance reasons. The service allows you to manage the review process and perform the reviews according to your organization’s needs. Moreover, it supports large-scale reviews and provides access data-driven views for the review process.
With the new release, the access certification process has been redesigned in order to optimize performance and usability. Administrators now benefit from a new and dedicated app for creating, editing, and submitting certification campaigns. Thanks to this redesign, response times are much faster now and the look and feel of the user interface is consistent. Various filter options allow to tightly align the periodic reviews process to the needs of your respective organization.
In addition, we offer more choices to campaign administrators when creating new campaigns as they can now choose from three available workflow templates:
- one-step approval by manager
- one-step approval by role owner
- three-step approval by manager, role owner, and security expert
Thanks to this, you can increase your efficiency by reducing the number of mandatory reviewers and review items whenever possible from a compliance perspective.
SAP Privacy Governance
Security and Privacy Issue Handling
Also with SAP Privacy Governance, there is news to spread regarding this release. Similar to SAP Financial Compliance Management, it is now possible to handle security and privacy issues. Thanks to this issue handling functionality, you can manage and remediate security and privacy issues which are created based on findings from automated and manual procedure runs.
In the ‘Process Issues’ app, the findings – meaning the results of the automated procedure run – can be prioritized by issue category and by risk level. The prioritization is done by means of rules in the SAP Business Rules service which is part of SAP Privacy Governance. In the ‘Process Issues’ app, you can set a conclusion for your issues such as ‘Confirmed’ or ‘False Positive’ and set them to ‘Completed’ after the issues have been resolved.
Fig. 12: With SAP Privacy Governance, compliance managers can manage and remediate security and privacy issues which are created based on findings from automated and manual procedure runs
Manual Procedures for Privacy Risks
With SAP Privacy Governance, we already offer a multitude of predefined automated procedures for detecting privacy risks in your connected SAP S/4HANA and SAP S/4HANA Cloud systems. As you can imagine, this is of utmost importance, for example, when it comes to private data which should not reside in the system anymore or in case of missing configurations in ILM.
What is new is that compliance managers benefit from the new option to not only create automated procedures, but also manual ones. This is relevant for all aspects of privacy procedures which cannot be automated. Typical examples might be the screening of local files such as MS Excel or MS Access databases, reviews of physical data protection measures, or conducting privacy assessment interviews with important stakeholders.
Fig. 13: Compliance specialists can use not only automated but also manual procedures
Using the new manual procedures, you can create action plans with multiple steps which can be manually performed by one or multiple responsibles along with assessments of the individual steps and an overall result. Similar to the automated procedures, the manual procedure is mapped to a control and the execution of the control is planned and scheduled by means of a work package. The work package triggers the creation of a task in the inbox of the respective assignee. This person then performs and documents the steps along with the individual assessments as well as the overall result of the manual procedure.
OpenSAP Microlearning Available: Introduction into SAP Privacy Governance
In addition, we are proud to announce that the first OpenSAP microlearning for SAP Privacy Governance has been published. It provides an introduction to our cloud-based solution SAP Privacy Governance. In addition, you will learn about the two key features Regulation Management and Policy Management.
Fig. 14: The new microlearning on OpenSAP provides an introduction to SAP Privacy Governance and its key features Regulation Management and Policy Management
For more information on SAP S/4HANA 2021, check out the following links
- SAP S/4HANA release info: here
- Link Collection – Governance, Risk and Compliance (GRC) with SAP S/4HANA and SAP S/4HANA Cloud here
- SAP S/4HANA Community here
- SAP S/4HANA PSCC Digital Enablement Wheel here
- Inside SAP S/4HANA Podcast here
- Join the SAP S/4HANA Movement
- Best practices for SAP S/4HANA here
- Help Portal Product Page here
Follow us via @SAP and #S4HANA, or myself via LinkedIn or @DeissnerKatrin
Many thanks for such an informative blog!
I have learnt that SAP Financial Compliance Management is a cloud-based product which can be deployed on BTP and it provides E2E financial compliance solutions. Moreover, it is also possible to establish risk management with it.
Can you please also shed some light on the positioning of this product within the GRC portfolio? For example, if a customer is already running on S/4 HANA and BTP, would the implementation of SAP Financial Compliance Management be able to cover all the functionalities and possibilities offered by traditional SAP GRC solutions in the areas of Process Control and Risk Management?
Actually I am trying to draw the difference between SAP FCM(cloud) and SAP GRC(traditional) in the process control and risk management areas. Your inputs will be valued and appreciated. Many thanks in advance!
Good question! You are tapping into one of the GRC strategies here at SAP.
SAP Financial Compliance Management (FCM) will eventually grow to cover the business requirements that SAP Process Control (PC) and SAP Risk Management (RM) cover. Note however that (a) it is a new design and (b) it is a public cloud solution - so it will do this differently. Because of this it is unlikely that one will be able to have a technical feature list comparison between PC&RM, and FCM. But the plan is that FCM will be able to cover the business requirements of internal controls and risk management, all within the same cloud solution.
At the time of writing (Nov 2022) we have not included the risk management service in FCM, this is planned for 2023 (actual date TBC). FCM is still a young solution too, so some of the functionalities seen in PC have not yet been included in FCM (e.g. entity signoff).
Some of the significant advantages of FCM are worth highlighting because we find customers want a quick, low cost, 'ready to use' controls solution - increasingly focussing on first line:
We have a very strong roadmap for 2023 (and 2024...), but watch this space early next year for Katrin's next blog, and other SAP blogs & announcements.