Keeping SAP Financial Processes Compliant

Four Steps to Optimizing SAP Automated Controls and Enabling Continuous Monitoring


PROTIVITI • Keeping SAP Financial Processes Compliant

Executive Summary

This white paper provides guidance on different steps that can help enhance SAP financial compliance processes through increasing the level of SAP automation around financial controls. Too many organizations perform financial and operational processes using inefficient manual controls, paper-based approvals and labor-intensive reviews of large volumes of data because not all relevant SAP configuration controls were correctly set up when the system was initially implemented.

Key benefits of optimizing controls and expanding the use of control automation include greater reliability of the financial systems, increased return on investment (ROI) for your enterprise resource planning (ERP) system and a significant reduction in compliance costs and testing efforts.

To optimize financial controls, companies should start by:

• Gaining an understanding of their current control environment (level of manual versus automated controls)

• Identifying the business processes and controls that utilize SAP, and

• Assigning current SAP automated control configuration to identified control strengths, gaps and improvements as indicated in the steps discussed in this paper.


INTRODUCTION

To improve their overall control environment, more organizations are streamlining and optimizing their SAP configurations and making better use of automated controls. They are also implementing continuous control monitoring solutions like SAP Process Control (SAP PC) to enhance their compliance processes. Automating the SAP control environment and enabling continuous monitoring can help organizations achieve the following business goals:

• Increased reliance on financial systems: Compliance efforts are moving away from general controls toward ERP-specific application controls. Increased reliance on automated controls reduces transactional and master data errors and the need for manual mitigating controls.

• Maximized ERP ROI: This involves taking advantage of standard SAP configuration control settings and inherent functionality as part of the organization’s control framework.

• Reduced manual processes: This involves enforcing automated controls and minimizing data entry corrections and manual reconciliations or approvals, and increasing the productivity of operations personnel who are no longer required to perform manual control activities.

• Reduced compliance price tag: This involves reliance on, and the effectiveness of, both internal and external testing and reducing retesting costs for failed controls (automated controls typically have a much higher pass rate than manual controls).

FOUR STEPS TO OPTIMIZING FINANCIAL CONTROLS AND ENABLING CONTINUOUS MONITORING

There are four important steps to optimizing financial controls and enabling continuous control monitoring solutions. These steps are outlined in the table below:

Key Steps to Optimizing SAP Automated Controls and Enabling Continuous Monitoring

1. Analyze SAP Configuration: Evaluate the current state of SAP automated controls

2. Optimize Controls: Determine controls to automate or improve

3. Implement Governance Processes: Establish a control ownership and change management framework

4. Enable Continuous Control Monitoring: Enable technology to automate control testing and monitoring

Step 1: Analyze SAP Configuration

This initial step includes evaluating the current SAP environment from a controls perspective to identify and understand configurable control strengths and weaknesses and to gain insight into control automation opportunities.

There are numerous SAP configuration parameters that can be leveraged as automated controls within standard SAP functionality. These configuration parameters or automated controls may or may not be turned on when the system is initially implemented, and the default parameters or current settings may not align with the company’s policies and procedures. [1]

[1] Analyzing SAP configuration parameters is a labor-intensive task when automated assessment tools are not used. Companies should leverage SAP assessment tools to evaluate the quality of SAP automated controls efficiently.


Why this step is important: Most organizations expect key configuration controls in their ERP solutions to be preset to “best practice” settings. However, this is often not the case. Most SAP system integrators and accelerated implementation packages (or industry templates) focus on overall system functionality and may not consider the control components that will benefit the organization’s compliance initiatives.

In addition, many organizations fail to take full advantage of available configuration controls in their SAP environment. Many are simply not aware of SAP’s standard control functionality. Others fail to ensure that control design requirements are fully considered during the business process design phase and subsequent phases of the implementation.

Another concern is the fact that project teams and system integrators are often up against tight deadlines and may overlook key control configurations during the system blueprint and build phases. This results in the need for additional efforts to implement controls after go-live, increasing the risk of compliance issues and poor end-user acceptance.

[Figure: Available SAP Automated Control Points by Business Process (Configurable Controls by Business Process; 450 Opportunities for Control). Values shown: Inventory 38, Projects 19, People Management 16, Assets 40, Purchasing to Payables 83, Order to Cash 89, Controlling 19, Production Planning 12, Consolidation 10, Treasury 7, Plant Maintenance 11. General Controls and General Ledger: 65 and 45 (assignment not recoverable).]

Protiviti has identified more than 450 configuration parameters that can be utilized as control points in SAP to improve financial compliance and enable control automation. More than half of these parameters may be set by company code, vendor account group or asset class.


Benefits:

An initial evaluation of SAP automated controls can help organizations see the following:

1. Control strengths

• Configuration parameters that are set up and follow company policies and best practices

• Example: Default credit is set up to “lower amounts” for new customers until a background/credit check can be run and an appropriate credit limit can be provided.

2. Controls not utilized

• Controls not configured

• Example: The duplicate system message configuration needs to be set for the user to be alerted to a potential duplicate customer.

3. Control gaps

• Controls that require multiple configuration settings to be fully set

• Example: Duplicate invoice check has multiple dependent controls – mandatory fields, duplicate criteria and system messages. SAP comes with duplicate invoice check enabled; however, users will not be alerted if the system message is not set.
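The three outcomes above can be derived mechanically from a configuration snapshot. The sketch below is an added example, not Protiviti's or SAP's tooling; the setting names, policy values and snapshot are constructed for illustration, and a control that is only partly configured or off-policy is treated as a gap (an assumption).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    setting: str       # key in the configuration snapshot (hypothetical name)
    op: str            # "eq": must equal expected, "max": must not exceed it
    expected: object

    def met_by(self, value):
        if value is None:          # setting was never configured
            return False
        if self.op == "eq":
            return value == self.expected
        if self.op == "max":
            return value <= self.expected
        raise ValueError(f"unknown operator {self.op!r}")

# Each control lists every dependent setting it needs to be effective.
CONTROLS = {
    "duplicate_invoice_check": [
        Requirement("dup_invoice.check_enabled", "eq", True),
        Requirement("dup_invoice.reference_mandatory", "eq", True),
        Requirement("dup_invoice.criteria_defined", "eq", True),
        Requirement("dup_invoice.message_active", "eq", True),
    ],
    "duplicate_customer_alert": [
        Requirement("dup_customer.message_active", "eq", True),
    ],
    "new_customer_default_credit": [
        Requirement("credit.new_customer_default_limit", "max", 5000),
    ],
}

# Constructed snapshot: invoice check enabled, but its message is not set.
SNAPSHOT = {
    "dup_invoice.check_enabled": True,
    "dup_invoice.reference_mandatory": True,
    "dup_invoice.criteria_defined": True,
    "credit.new_customer_default_limit": 1000,
}

def assess(controls, snapshot):
    """Return {control: (status, unmet settings)} for a snapshot."""
    report = {}
    for name, reqs in controls.items():
        unmet = [r.setting for r in reqs if not r.met_by(snapshot.get(r.setting))]
        configured = [r for r in reqs if snapshot.get(r.setting) is not None]
        if not unmet:
            status = "strength"        # every dependent setting meets policy
        elif not configured:
            status = "not utilized"    # nothing configured at all
        else:
            status = "gap"             # partly configured or off-policy
        report[name] = (status, unmet)
    return report

if __name__ == "__main__":
    for name, (status, unmet) in assess(CONTROLS, SNAPSHOT).items():
        print(f"{name}: {status}" + (f" (unmet: {', '.join(unmet)})" if unmet else ""))
```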

Step 2: Optimize Controls

During this stage, companies should prioritize the results of their controls assessment and determine which controls to automate or improve. These enhancement opportunities should be prioritized based on a cost/benefit analysis that also should consider the potential risk (operational or compliance) of not establishing controls. As a best practice, companies should strive to automate up to 70 percent of their financial compliance controls and define the remaining 30 percent as manual controls.

Why this step is important: The improvement plan should help to determine:

• Manual controls that can be replaced with automated controls

• Configuration controls that should be turned “on,” optimized or updated

• Control framework adjustments – e.g., updates to control definitions, elimination of redundant controls, consolidation of controls that can address multiple compliance requirements (one test for multiple controls), etc.

• Controls that should be centralized (e.g., vendor master data controls, which are typically utilized by multiple departments) and controls that should be defined locally (e.g., by country or business unit)

Increasing ERP Value with Global Control Standardization

A key goal during the optimization stage is to identify and establish the global controls (those that apply to all business units/locations within an organization) and the local controls (these may vary due to country- or industry-specific regulations, such as invoicing and tax requirements). This categorization will further enable process standardization and help to minimize compliance costs.


Benefits:

Increasing the level of automated controls can help to improve the quality of the control environment, prevent data entry and processing errors, standardize the organization’s control footprint globally and locally, and reduce manual efforts around reconciliation and review processes.

Other results may include:

1. Reduction/replacement of manual controls

Example: Replace manual approval of non-purchase order invoices with SAP workflow to route invoices automatically to the appropriate manager for approval

2. Updated SAP configuration

Example: Update SAP configuration of vendor master data to include mandatory, optional, suppressed or display fields

3. Streamlined control framework

Example: Manage most invoice processing risks without manual intervention, e.g., a 3-way match (purchase order, goods receipt and invoice)

Step 3: Implement Governance Processes

This step includes establishing the framework for control ownership and management to keep controls updated and consistent, given that most companies may perform acquisitions, mergers, downsizing, outsourcing and other actions over time. In this stage, companies also should determine global and local control owners responsible for reviewing control parameters periodically and approving control changes.

Why this step is important: This step is vital to the overall control optimization process because it ensures the updated internal control framework remains aligned with company policies, corporate initiatives and multiple compliance requirements. It also establishes control accountability and ownership at multiple management levels in the organization and keeps controls current during organizational changes.

SAP Control Optimization Example

A global consumer products company running SAP throughout its organization engaged Protiviti to assess its level of control design and automation and to implement control improvements.

The assessment determined that the company had more than 550 controls in six key business functions – and more than 70 percent of those controls were manual.

Protiviti helped the company to:

• Increase automated controls to approximately 70 percent of all controls in place, and

• Reduce total control count by 34 percent, using Protiviti’s control optimization process.

Following these changes, the consumer products company found that it benefited not only from measurably more efficient business processes, but also from increased visibility into potential risk exposures.

The company’s control environment now features more automated controls, which are less error-prone. The testing of the company’s automated controls now requires 60 to 75 percent less time than before. In addition, external auditors place increased reliance on these automated controls, which greatly reduces their testing efforts and fees.


Benefits:

The establishment of a governance committee and team can help the organization by:

• Managing strategic control decisions and understanding risks that need to be managed

• Ensuring business accountability around control ownership and changes

• Ensuring proper control training is developed and delivered to the organization

• Ensuring policies and procedures are in place and enforced

• Ensuring alignment of IT general controls with the overall control environment (e.g., change management, SAP support access, access provisioning)

• Taking ownership of governance, risk and compliance (GRC) solutions that monitor the control environment

Control Governance Organization Example

The model below has been implemented successfully by multiple organizations to maintain effective governance around their control environments.

Sponsorship: Executive management

• Provides “tone at the top”

• Supports compliance initiatives

• Enables organizational change management and communication

Governance Committee: Governance lead (information systems, global and local controllers, internal audit)

• Coordinates periodic updates to executive management

• Establishes standards and requirements

• Includes representation from key stakeholders

Governance Teams: Business process owners, global and local security administrators, basis teams

• Provide updates about day-to-day governance activities

• Communicate information to end-user community

• Facilitate compliance training


Step 4: Enable Continuous Control Monitoring

This final step involves the implementation of technology to enable further automation around control monitoring. This will help to monitor the health of configurations implemented during the optimization process, ensure they do not change without proper authorization, and, if changed, ensure that the appropriate business process owners are promptly notified.

Why this step is important: As an organization’s control structure moves toward more reliance on automated controls, the organization can begin to consider the benefits of implementing a continuous monitoring tool, such as SAP Process Control (SAP PC). This solution enables automated monitoring of controls to identify potential incidents of fraud and non-compliance on a timely basis, with real-time alerts to end users.

SAP PC is also helpful for monitoring business processes where automated controls cannot be implemented. For instance, if a company is unable to implement automated credit controls – which may slow down its pace of doing business with customers – transactional continuous control monitoring (CCM) [2] can be set up to generate alerts if the outstanding accounts receivable balance for any customer exceeds a predefined amount. The use of CCM allows business process owners to monitor information and SAP configurations to take appropriate actions quickly without interrupting business operations.
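The accounts receivable rule described above, together with the configuration-change monitoring this step calls for, can be expressed as two small rules. This is an added sketch in Python, not SAP Process Control or Protiviti code; the limit, change references, setting names and owner routing are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

AR_LIMIT = Decimal("50000")      # assumed predefined amount per customer
APPROVED_CHANGES = {"CHG-0042"}  # constructed approved change references
OWNERS = {                       # hypothetical alert routing by control area
    "ar": "credit.manager",
    "dup_invoice": "ap.process.owner",
    "payment": "ap.process.owner",
    "vendor": "master.data.owner",
}

# Constructed open items: (customer, document, amount); credits are negative.
OPEN_ITEMS = [
    ("C100", "INV-1", Decimal("30000")),
    ("C100", "INV-2", Decimal("25000")),
    ("C100", "CRM-1", Decimal("-2000")),
    ("C200", "INV-3", Decimal("12000")),
]

# Constructed configuration change log:
# (setting, old value, new value, changed by, change reference)
CONFIG_CHANGES = [
    ("dup_invoice.message_active", True, False, "USER_A", None),
    ("payment.tolerance_pct", 2, 3, "USER_B", "CHG-0042"),
    ("vendor.bank_field_status", "mandatory", "optional", "USER_C", "CHG-0099"),
]

def make_alert(rule, area, detail):
    owner = OWNERS.get(area, "governance.team")
    return {"rule": rule, "notify": owner, "detail": detail}

def ar_balance_alerts(open_items, limit):
    """Transactional rule: net outstanding balance per customer above limit."""
    balances = defaultdict(Decimal)
    for customer, _document, amount in open_items:
        balances[customer] += amount
    return [
        make_alert("ar_balance_limit", "ar",
                   f"{customer} balance {balance} exceeds {limit}")
        for customer, balance in sorted(balances.items())
        if balance > limit
    ]

def config_change_alerts(changes, approved):
    """Configuration rule: any change lacking an approved change reference."""
    alerts = []
    for setting, old, new, user, ref in changes:
        if old == new or ref in approved:
            continue
        reason = "no change reference" if ref is None else f"{ref} not approved"
        area = setting.split(".", 1)[0]
        alerts.append(make_alert(
            "unauthorized_config_change", area,
            f"{setting}: {old!r} -> {new!r} by {user} ({reason})"))
    return alerts

def run_ccm():
    return (ar_balance_alerts(OPEN_ITEMS, AR_LIMIT)
            + config_change_alerts(CONFIG_CHANGES, APPROVED_CHANGES))

if __name__ == "__main__":
    for a in run_ccm():
        print(f"[{a['rule']}] -> {a['notify']}: {a['detail']}")
```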

Benefits:

Implementation of the SAP PC solution is an active and efficient approach to managing compliance with business policies and procedures. It enables:

• Standardization and streamlined compliance documentation and testing

• Centralized management of a multiple compliance framework (i.e., a single control and/or test addresses multiple requirements)

• Automation of control execution (e.g., automated alerts when key fields within the vendor master file are updated)

[2] CCM is a set of automated controls that can be created in the SAP PC solution to monitor master data, transaction or configuration changes. A “rule” is set up in the system; when that rule is broken, an alert is generated to notify users that a potential violation or control exception has occurred.


SAP PC enables the following key benefits in these areas:

Areas: Control Documentation, Risk Assessment, Control Testing and Monitoring, Reporting

Benefits:

• Streamline processes, risks and controls documentation

• Centralize IT, compliance, audit, risk and legal documentation

• Harmonize controls across regulations

• Manage policy life cycle, including user acknowledgment

• Import account balances and define material accounts

• Perform risk assessments to determine scope and level of testing

• Share controls with audit management

• Perform self-assessment and effectiveness tests

• Raise, track and remediate issues

• Automate SAP configuration tests, master data and transactions

• Schedule CCM to raise exceptions

• Provide executive insight

• Establish accountability for compliance and control status with sign-off surveys

Conclusion

By optimizing SAP controls, organizations can reduce the risk of fraudulent activity, improve their effectiveness in monitoring business process risks, ensure compliance with multiple regulations and gain cost savings around control testing and monitoring activities.

All companies with ERP systems have the same opportunity to strengthen their use of and reliance on automated controls, and should establish a roadmap to transition from an extensive use of manual controls to mostly automated controls to monitor business risks proactively. The effort is well worth it: Our clients have experienced internal rates of return of up to 250 percent on control optimization efforts.


ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Named one of the 2015 Fortune 100 Best Companies to Work For®, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Our ERP Solutions Practice

We partner with chief information officers, chief financial officers and other executives to ensure their organizations maximize the return on information systems investments while minimizing their risks. Using strong IT governance to ensure alignment with business strategies, we drive excellence through the IT infrastructure and into the supporting applications, data analytics and security. We also facilitate the selection and development of software, manage the risk of implementation, implement configurable controls on large ERP installations, and implement governance, risk and compliance (GRC) software applications.

As an SAP Partner, Protiviti works actively with SAP to help clients implement and effectively utilize the SAP GRC solutions to enhance their integrated enterprisewide risk mitigation and compliance efforts. For more information, visit our website: Protiviti ERP Solutions.

Contacts

For additional information about the issues reviewed in this white paper or Protiviti’s services, please contact:

Carol Raimo +1.212.603.8371

John Harrison +1.713.314.4996

Thomas Luick +1.312.476.6342

Ronan O’Shea +1.415.402.3639

Aric Quinones +1.404.240.8376


© 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. PRO-0315-103055

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
