Marc Jackson recently hosted an insightful webinar focusing on Process Controls and the business benefits. Below is a summary of the discussion.
Process Controls as a concept
Although the name may suggest, it isn't simply about providing control solutions for your business processes, rather it describes the concept of providing an overall control and compliance management solution for your organisation. This means having a single centralised solution to coordinate and manage all of your controls and compliance related activities.
GRC Process Controls
SAP GRC Process Controls provides functionality in five broad areas which support both the lifecycle of a control and the underlying controls management processes and procedures required to comply with associated regulatory standards.
1) Document - Document controls and policies centrally; map to key regulations and impacted organisations
2) Scoping - Perform periodic risk assessments to determine scope and test strategies
3) Evaluate - Evaluate control design and effectiveness; raise and remediate issues
4) Monitor - Perform automated, exception-based monitoring of ERP systems
5) Report - Support decisions and promote accountability with insightful analytics and sign-off
Automated Controls Monitoring
Process Controls provides the ability to automate monitoring of configuration settings, master data and transactional data related to key control activities. For example, monitoring and preventing duplicate payments. Below is an example of a scenario where automated monitoring could be successfully applied with associated benefits over control assurance.
Control deficiency in an organisation
There is a system configuration-based control which prevents field changes after posting to General Ledger, providing full transparency into all transactions affecting the SAP General Ledger. Any changes to this control means that the system is potentially exposed to the risk of fraudulent transactions or mistakes being made leading to inaccurate financial reporting.
For example, a user with access to OB32 may change this setting allowing vendor bank account details to be changed after posting. The risk is that inappropriate persons may receive payments, particularly if this configuration setting is not routinely checked. The company may leverage the automated control monitoring functionality in Process Controls to markedly reduce the risk in this scenario. In order to achieve this, a Business Rule can be defined looking at the bank account field to see if ‘Field Can Be Changed’ is set to X or not (‘X’ meaning that changes are allowed after posting), and could be scheduled for hourly monitoring. A control deficiency would then be automatically detected and an alert will be sent to the control owner allowing them to respond accordingly as part of the in-built issue remediation process.
Process Controls & Access Controls Integration
With the release of GRC 10.0, Access Controls and Process Controls no longer come as isolated applications as they are offered as an integrated solution. This new unified platform enables increased harmonization of key master data, where organization, process and control structures can now be shared across components of Access Control and Process Control, and this in turn supports a more integrated approach to governance, risk, and compliance. A big advantage of having the functionality of both Access Controls and Process Controls is the ability to perform continued monitoring of your SOD & critical access risks, which might otherwise be checked on a much less frequent basis. Additionally, by using Process Controls to maintain, monitor and assess your mitigating controls you instantly have greater visibility over their operating effectiveness based on their latest test, assessment or monitoring results. You can also use Process Controls to ensure that your GRC solution remains ‘fit for purpose’ at all times, which helps to underline its integrity and ensure you can rely on the risk and controls-related information it is reporting on.
- Manage, maintain and coordinate multiple compliance initiatives from a single repository with greater efficiency and improved visibility
- Automation of controls monitoring, testing and assessments
- Improved communication and adherence to policies
- Integrating Process Controls & Access Controls solutions to enhance compliance initiatives
- Reduced effort to achieve audit compliance
Marc will be re running this webinar on 9th July 2015 at 11:00am. To sign up please click here.