Automating IT controls to improve future audits

Posted by Andreas Fritz on 20 April 2018
Andreas Fritz

It is one of the most interesting but underrated features of GRC Process Control: Automated Controls. In most companies an Internal Control System (ICS) is always associated with lots of work. The efforts for assessments are high, the coverage is poor and audits are usually troublesome.

beverage-black-coffee-business-33972-653262-edited
 
Just recently a major German retail corporation (and client of ours) had the same issues. Moreover, the pressure was high from the last audit to initiate some changes. So how is GRC Process Control helping?
 

Sensoring issues automatically via GRC Process Control

Automated Controls are also called Continuous Control Monitoring (CCM) and come with every GRC Process Control. In order to make them work, tables and critical values have to be defined in the GRC system. By planning the controls to run as a job, they reach into the connected backend systems, pull the data from the pre-defined tables and perform a check for deficiencies.

Now whether it is value checks, change logs or events the possibilities are huge and even HANA databases and non-SAP systems can be connected. The controls can go from simple parameter checks to really complex checks on the accounting tables. For IT controls an example is a change log check on the profile parameter for the password length. If this parameter has been changed and the password length is lower than a certain number, an issue will be raised.

That means with automated controls it is possible to detect security holes and prevent fraudulent behaviour.

 

What does that mean for our client?

For our current client we have implemented a little over 60 automated controls and have rolled them out to more than 60 production systems. This results in 3600 less checks for the IT department and a massive return of investment for the whole corporation.

Aside from saving time and money, they were also getting reliance from their auditors after the project. So just by introducing automated controls, trust has immediately gone up for future audits. It is these kind of benefits, that make this feature so valuable for clients.

Since the IT controls can be applied to almost any other SAP system, this is just the first step and more controls and systems are to come. Are you interested in automating your controls as well? Please do not hesitate to contact us for further information.

 

PS: You can also hear about the project approach and key takeaways from our client himself at the SAP-Forum for Financial Management and GRC 2018 in Frankfurt (Germany)

 

Privacy by Design CTA

Topics: GRC Automated Controls Process Controls GRC Process Control

We would love to hear your thoughts. Please leave a comment.