Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
SAP SOLUTIONS FOR GOVERNANCE,RISK, AND COMPLIANCE
Process Control 2.5Master Data
Applicable Releases:
SAP GRC Process Control 2.5
Topic Area:GRC / Process Control
Capability:GRC / Process Control
Version 2
October 2009
© Copyright 2009 SAP AG. All rights reserved.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the
express permission of SAP AG. The information containedherein may be changed without prior notice.
Some software products marketed by SAP AG and itsdistributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,
OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,
Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader
are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other
countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame,
WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or
registered trademarks of W3C®, World Wide WebConsortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented andimplemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP
NetWeaver, and other SAP products and services
mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world.
All other product and service names mentioned are thetrademarks of their respective companies. Data contained
in this document serves informational purposes only.
National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only,
without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions with
respect to the materials. The only warranties for SAPGroup products and services are those that are set forth in
the express warranty statements accompanying such
products and services, if any. Nothing herein should be
construed as constituting an additional warranty.
These materials are provided “as is” without a warranty of
any kind, either express or implied, including but not
limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or consequential
damages that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the
information, text, graphics, links or other items contained
within these materials. SAP has no control over the
information that you may access through the use of hot
links contained in these materials and does not endorse
your use of third party web pages nor provide any warranty
whatsoever relating to third party web pages.
SAP NetWeaver “How-to” Guides are intended to simplify
the product implementation. While specific productfeatures and procedures typically are explained in a
practical business context, it is not implied that those
features and procedures are the only approach in solving a
specific business problem using SAP NetWeaver. Should
you wish to receive additional information, clarification or
support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (“Code”)
included in this documentation are only examples and are
not intended to be used in a productive system
environment. The Code is only intended better explain andvisualize the syntax and phrasing rules of certain coding.
SAP does not warrant the correctness and completeness of
the Code given herein, and SAP shall not be liable for
errors or damages caused by the usage of the Code, except
if such damages were caused by SAP intentionally or
grossly negligent.
Disclaimer
Some components of this product are based on Java™. Anycode change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only
to be used by SAP’s Support Services and may not be
modified or altered in any way.
10/05/2009 1
TABLE OF CONTENTS1 INTRODUCTION .................................................................................................. 2
1.1 About this document .............................................................................................. 21.2 Target Audience ..................................................................................................... 2
2 PROCESS CONTROL 2.5: DATA MODEL .......................................................... 33 PROCESS CONTROL 2.5: MASTER DATA ....................................................... 8
3.1 Time Dependency Concept in Process Control ...................................................... 83.2 Global Versus Local Master Data ........................................................................... 93.3 What Are Required Fields for Master Data? ........................................................... 13
4 SHARED SERVICES AND REFERENCED CONTROLS .................................... 144.1 SHARED SERVICES............................................................................................ 144.2 REFERENCED CONTROLS ................................................................................ 165 MASTER DATA AND REPORTING IN PROCESS CONTROL 2.5 ..................... 18
5.1 What fields drive reporting?.................................................................................... 18
6 MASTER DATA AND CUSTOM FIELDS ............................................................. 256.1 What are custom fields used for? ........................................................................... 256.2 How are master data custom fields will be used in reporting .................................. 256.3 How to include master data custom fields in reporting ............................................ 266.4 Utilization of custom fields in transactional flows .................................................... 276.5 Custom Field and Authorization ............................................................................. 276.6 Validity period and custom fields ............................................................................ 27
10/05/2009 2
1 Introduction
1.1 About this document
The purpose of this document is provide an overview of additional aspects around the master dataobjects of Process Control 2.5, to provide answers to common questions during the implementationand application phase of the product.
The clear focus of the document rests on the ABAP stack environment and is not venturing intoquestions pertaining to Business Intelligence, Access Control, Data Privacy or non-SAP application.
This document is not intended to supersede or replace provided SAP online documentation.
1.2 Target Audience
This document addresses the following groups:
• Client Project Resources• Implementation Consultants
10/05/2009 3
2 Process Control 2.5: Data Model
The intention of this document is not to provide an in depth overview of the data model of ProcessControl 2.5. Nonetheless, the simplified data model diagram below provides a reference for easyassociation of the most important master data objects and their respective relationships.
Although some of the dependencies will be established using the NWBC front-end, it is important tounderstand the object relationships before starting data conversion efforts.
Since the diagram represents only a simplified view, not all existing objects were included. Theexclusion does not deliver an indication about the importance of those objects.
10/05/2009 4
The table below provides additional object-related information to the master data objects of theGRC Process Control 2.5 application
Object Object Purpose Object Detail Information
Organization An organization represents a legalentity or any other company,division, geographic, or line ofbusiness that is subject to anevaluation and/or sign-off.
All organization objects are maintainedwithin a dedicated hierarchy, which existsseparately from the Central ProcessHierarchy and Control Objective / RiskHierarchy.
Process A Process represents a set ofbusiness activities relating to aspecific function in an organizationand is an element within theProcess Hierarchy.
It is a preferred practice to useyour scoping results as a basis fordetermining the processes toinclude your Process Hierarchy.
Processes and Subprocesses aremaintained within the same centralhierarchy. Central Process elements are notdependent upon organizations.
Subprocess Subprocesses represent subsets ofactivities within a businessprocess. They are always tied toat least one central parent processsince a central subprocess canonly be created under a specificprocess within the Central Processhierarchy.
It is preferred practice to use yourcontrol / risk matrix as a guide fordetermining the subprocesses toinclude in your Central Processhierarchy.
A Subprocess can be linked to multipleOrganizations (via reference or copyfunctions) and to multiple ControlObjectives/Risk pairs.
A Process may contain multipleSubprocesses.
Control A Control represents an activitywithin a subprocess that addressesa control objective or associatedrisk. It has a direct link to thefollowing objects:
Subprocess
Control Objective/Risk pair
Test Objects:
o Rule
o Test Plan
o Survey
It is a preferred practice to useyour control / risk matrix as a guideto determining which controls touse for the master data set-up.
A Control always belongs to a singleSubprocess. However, a Control can beassigned to multiple Subprocesses viareferencing or shared service functionality.
.
10/05/2009 5
Object Object Purpose Object Detail Information
ControlObjective
The Control Objective representsthe purpose of an activity or acontrol based on the associatedrisks.
It is preferred practice to use yourcontrol / risk matrix as a guide todetermining the control objective toset up as master data in PC2.5.
A Control Objective can have one or morerisks assigned to it.
Risk Main entity in the central Riskcatalog.
It is preferred practice to use yourcontrol / risk matrix as a guide indetermining risks to set up asmaster data in PC2.5.
A Risk always has one parent ControlObjective. Thus, it is not possible to link aRisk to more than one Control Objective.
A Control Objective/Risk pair can be linkedto more than one Control or Subprocess.
AccountGroup
Account groups (or significantaccounts) are the reportingaccount elements in the financialstatements.
It is preferred practice to use thesignificant accounts identified inthe risk assessment and scopingprocess as outlined in AS5.
Account Groups can be structured in ahierarchical way.
However, it is not a requirement to havesuch a hierarchy and therefore possible tocreate all account groups on the samelayer.
Entity-LevelControlGroup(ELCG)
An Entity-Level Control Group(ELCG) represents a grouping ofentity-level controls (ELCs) and isa hierarchical parent layer for theEntity-Level Control.
Entity-Level Control Groups can form ahierarchy in itself. However, the Entity-LevelControl represents a single layer.
Entity-LevelControl(ELC)
An ELC addresses an entity-levelrisk that has a pervasive impact onthe organization.
It is a preferred practice to useELC to represent organization-widecompliance controls (e.g., policy-related surveys), sometimesreferred to as Tone At The Top.
Each Entity-Level Control can only beassociated with one ELCG.
10/05/2009 6
Test Plan The test plan object exists as a flatstructure and is independent of anyother object.
It is preferred practice to leverageautomated testing provided in PC2.5 to reduce manual workload.
The test plan object is a collection of stepsand tests to be executed during manualtesting of a control. A test plan will be linkedto a control within the master data of thecontrol as attribute.
Rule A rule is the link between thedelivered automated controlprogram and the subprocess /control specific parameters orcriteria.
A rule is the instance of the automatedcontrol script. The rule contains the valueand threshold definition for each rulecriterion to which it links.
Rule criteria are attributes to a rule andinclude control-specific selection criteria forexecuting a particular script. The deficiencyindicator parameters are also maintained aspart of the rule criteria.
Script A script is an automated controlprogram in the back-end ERPsystem.
SAP delivered rule scripts for automatedcontrol to be executed in a SAP backendhave the script type GRC.
The utilization of SAP Query requires thecreation of corresponding custom Scripts.
Custom ABAP cannot be executed viaScripts.
ScriptCriteria
Program Parameters to be used toexecute an automated controlprogram in the backend system.
No additional selection parameters arepossible for pre-delivered automated controlprograms.
Organization-Level SystemParameter(OLSP)
OLSPs are maintained for a set oforganization structures and areassociated as part of theorganization master data.
The OLSPs allow you to assignsystems and system-specificorganization parameters at theorganizational level, rather than atthe rule level. This avoids having tomaintain the values within eachrule.
OLSP can only comprise values for thefollowing 4 SAP objects:
Company Code
Plant
Purchase Organization
Sales Organization
The addition / utilization of other objects donot have any effect to the execution ofcontrols.
10/05/2009 7
Question A Question is an entry in thequestion library and constitutes thedata elements or building blocksfor a survey.
It is a preferred practice to keepthe contents of the question asneutral as possible to allowquestions to be used with a varietyof controls and in a variety ofsurveys to reduce the number ofquestions to be maintained in thelibrary.
A question can be used in multiple surveysin parallel.
Survey A Survey is an entry in the surveylibrary
A survey is evaluation-type-specific and cancomprise multiple questions.
3 Process Control 2.5: Master Data
3.1 Time Dependency Concept in Process ControlWhen working with master data, it is important to select the correct timeframe, as all objects inProcess Control are time dependent. It is a preferred practice that during initial implementation youcreate objects as of the beginning of the compliance reporting period, so the objects will beavailable in reports for the entire period. Thereafter, you should use the date that the object iscreated or implemented. For example, during initial load you may wish to have your organizations,account hierarchy, process hierarchy and entity-level control hierarchy objects all begin as of01/01/200X. Thereafter, you may acquire a company as of 09/30/200X and add organizations andnew processes as of that date.
The timeframe is set in the Process Control back end in GRPC_STR_CHANGE using the iconindicated below which controls both the default Valid From date and the Assigned As Of Date:
While working with master data in the NWBC, the timeframe can be changed at the top of mosttasks such as the area in the screenshot below. Note that if you change the period and/or year it isimportant to click "Go” to put the new timeframe into effect and to retrieve the relevant objects.
Once you set the timeframe in the NWBC, if you close and open a session the timeframe willremain the same until you change it. Any sessions you have open while you change the timeframewill not change until you close and reopen the session.
10/05/2009 9
3.2 Global Versus Local Master DataMaster Data for Process Control 2.5 can be categorized into two general groups. Those groups areglobal master data and local organization-dependent master data.
It is important to understand that all organization-dependent master data objects exist as part of theglobal master data. The localization of an object is driven by the temporal association to anorganization.
The creation of all master data objects within the global master data catalog / hierarchies is thebase upon which all subsequent activities depend to establish master data objects for therespective organization-dependent organizations.
The subprocesses defined in the central process catalog do not automatically apply to allorganizations across the hierarchy. This is because each organization can have a process flow thatis different from the one defined centrally. You decide which subprocesses are relevant for anorganization during the scoping phase. As organization owner, you must select the relevantprocesses for an organization from the central process catalog (with or without the correspondingcontrols).
The subprocesses are assigned as either referenced or copied to the organizations. Onlysubsequent does the subprocess become relevant for the organization for assessments and tests.
Selection of the assignment method based on business intent.
Copy (Decentralized with controls proposed) – to copy a selectedsubprocess, including assigned controls. You can later edit the localsubprocess and controls.
Reference (Centralized) – to reference to a selected subprocess andcontrols in the central catalog. You will not be able to locally edit thereferenced subprocess and controls since these remain as central objects.
Subprocesses offered as Shared Services must be assigned as Reference.
Assign Without Controls (Decentralized with no controls proposed) – to assign asubprocess only excluding associated controls. This presumes that theorganization will create and maintain its own controls independently from thecentral catalog.
The actions usually taken are:
1. Assign subprocesses out of the central process catalog to organization2. All controls pertaining to the assigned subprocess are also now linked to the organization3. Once assigned locally, control-rule assignments can be completed to enable automated
testing and monitoring. The control-rule assignment can be manual via the NWBC, orduring the data load process.
4. The organization accepts the centrally-defined entity-level controls and the system createsentries as Organization-dependent Entity-level Controls
5. Role owners are assigned for processes, subprocesses, controls and testers for eachorganization.
Please refer to the table below for an overview of master data objects that are associated with thosetwo layers. All listed master data objects and their relationships are time dependent. That timedependency provides high flexibility to address the need to associate master data objects that canbe localized for a period of time.
Object Name Global Master Data Organization-dependentMaster Data
Organization X
Entity-level Control X X
Process X X
Subprocess X X
Control Objective X
Risk X
Account Group X
Test Plan X
Person X
Global master data is referred to as “central” master data in the PC 2.5 back-end. For simplificationpurposes and to align the explanation with the system terminology, the subsequent outline uses theexpression “central” to refer to global master data. In the screen shot below, the icons on the leftside are color coded, white/global and green/local.
The maintenance of central master data should be performed in the NWBC client (front-end) afterthe initial data loads. Despite the fact that master data can also be maintained directly in the back-end, it is highly advisable to maintain master data using NWBC when possible because of theadditional validation.
Since organization-dependent master data reflects association to organizations, the creation andmaintenance of organization-dependent master data is performed automatically in the backgroundonce assigned by the organization owner. That creation is driven by the association of objects in theNWBC and localization entries can then be completed.
Those dependencies are illustrated in the example below:
In the mentioned example an organization-dependent subprocess and organization-dependentcontrol is being created (please see screen shot sequence below for illustration purposes).
The Process “18_SPDA_Process” and associated subprocess “18_SPDA_Subprocess 2” havebeen created in the system.
As next step, the subprocess (18_SPDA_ Subprocess_2) has been assigned to five differentorganizations. Each assignment represents the validity of the subprocess to the organization for agiven period of time (as depicted below). It is a common practice to assign the subprocess with anunlimited duration. If a subprocess becomes obsolete, a subsequent delimitation will be executed.
Each of those associations creates an organization-dependent subprocess object in the PC 2.5back-end. The example below shows the entry for the organization-dependent process master data.Those objects are referred to as “local master data.”
The drill-down into a selected item provides the inside into the relationship established by thesystem.
The associated organization-dependent subprocess is also created automatically based upon theestablished object relationship.
The same entry creation is valid for all organization-dependent master data objects illustrated in theoverview table. Changes to the validity period do not lead to the creation of additional organization-dependent master data objects, but rather impact the validity period directly.
It is strongly recommended to perform such validity period changes through the NWBC front-end.
3.3 What Are Required Fields for Master Data?Depending on the functionality to be used in Process Control 2.5, different subsets of fields arerequired. Those requirements have an impact to the initial upload as well as for on-goingmaintenance.
The master data requirements to be considered during the data load in chapter 5.
Based upon that fact that selected functionality drives the need for specific master data, the sectionis structured by major functionality sets.
Each mandatory field is signified by a small red star that is displayed at the right hand side of therespective field name.
4 Shared Services and Referenced Controls
It is often difficult to understand the effectiveness of internal controls within a business cycle withoutconsidering the impact of controls that cross organizational and process boundaries. In fact, oftennot all control objectives/risks will be met / mitigated by controls within a given subprocess withoutrelying upon controls existing in another subprocess or organization. There are two scenariosavailable in PC to address this requirement:
4.1 Shared ServicesSome companies have organizations whose purpose is to perform services for other organizationswithin the company. Those organizations are understood as “shared services”. The controls withinthe shared service organization, with related control objectives and risks, are shared amongpotentially many organizations.
However they are actually performed, assessed and tested within the shared services organization.
An example of this would be a company that has shared services for accounts payable processing.That is, they have a centralized processing center or entity that performs the accounts payableprocessing for several organizations within the corporation. All control objectives and risks aremaintained relative to subprocesses within the shared services organization. It is also verycommon to have shared services related to the IT and HR functions.
These controls will be referred to as “Shared Service” controls.
Organizations designated as a shared service provider should be maintained during theorganization setup as shown below:
During the subprocess assignments, organizations can choose to select or not select the sharedservice when taking the subprocess to the local level. If the organization does take the sharedservice subprocess, they will not conduct assessments or tests, but will use the results reportedby the shared service to satisfy their compliance requirements in reporting.
4.2 Referenced ControlsAny given control in a subprocess may satisfy control objectives and mitigate risks in othersubprocess, process and/or organization.
For example, a control related to timely preparation and review of bank statements might existwithin the Treasury or Cash Management subprocess, but the control might also satisfy controlobjectives and mitigate risks within the AP Payments and AR Cash Receipts subprocesses thatmay reside in different organizations.
These controls will be referred to as “Referenced” controls.
A given organization may reference this control that resides in another subprocess, process and/ororganization to mitigate its own associated risk.
At the time a control is set up a decision is made to allow referencing, by selecting "allowreferencing" button on the bottom left of the screenshot below:
An organization that wants to reference a control does so by selecting the control and assigningit to a subprocess they have assigned to the organization using “reference” rather than “copy”.See the screen shot below illustrating selection of a control to be referenced:
Evaluation results of a referenced control will reflect in the evaluation results of the organization thatreferenced that control. Thus, in both cases mentioned above, customers avoid redundantdocumentation, assessment and testing while still enabling a subprocess and/or organization toaccess documentation and testing results of the shared service or referenced controls upon whichthey rely. This enables them to present and report their Sarbanes-Oxley compliance in its totality.
10/05/2009 18
5 Master Data and Reporting in Process Control 2.5
5.1 What fields drive reporting?
Master Data ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
Control Objective -Risk Coverage
a) Periodb) Yearc) Organizationd) Process
a) Subprocessb) Control
Objectivec) Riskd) Control
This is a tabular report showing theprocess and risk matrix byorganization, with associated controlevaluation ratings.
This report will help you validate ifevery control objective and risk pair istested via a control. The report alsoprovides visibility into the riskcoverage.
FinancialAssertionsCoverage
a) Periodb) Yearc) Organization
a) Organizationb) Subprocessc) Account
Groupd) FS Assertione) Control
This report provides visibility into thefinancial assertion coverage for a givenorganization.
This report shows whether or not acontrol has been assigned to a givenaccount group / assertion combination.
Organization andProcess Structure
a) Periodb) Yearc) Organizationd) Processe) Control
a) Hierarchyb) Ownerc) Significance
The report shows a hierarchical view oforganizations and related processes,subprocesses, controls and relatedcontrol owners for the specifiedorganization.
Entity-Level ControlStructure
a) Periodb) Yearc) Organization
a) Hierarchyb) Owner
This is a hierarchical report that showsthe entity-level control structure andrelated owners.
Test Plan byControl
a) Periodb) Yearc) Organizationd) Processe) Control
a) Custom Dateb) Subprocessc) Controld) Ownere) Significancef) To Be Tested
This report provides visibility into thetest plans that have been assigned tospecific controls in the processcatalog.
To access this report, you must have arole with the task “DISP_REPT”.
10/05/2009 19
Authorization Analysis ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
PersonAuthorizationAnalysis
a) Periodb) Yearc) Person Named) User Last Namee) User Id
a) User IDb) User Namec) Roled) Role Levele) Objectf) Object Typeg) Organizationh) Taski) Minimum Levelj) One Role One
This report shows the role / role levelthat have been assigned for the user/sselected.
This report is useful to an InternalControls Manager or Audit Manager forevaluating the roles assigned to specificuser/s at a corporate or organizationallevel.
To access this report, you must have arole with the task “DISP_SCREP”.
Role AuthorizationAnalysis
a) Periodb) Yearc) Role IDd) Rolee) Role Level
a) Objectb) Object Typec) Organizationd) Rolee) Role Levelf) Persong) Taskh) Minimum Leveli) One Role One
This report provides inside the tasks thatare assigned to a particular role.
This report is useful to an InternalControls Manager or Audit Manager forevaluating which tasks are assigned toparticular roles at a corporate ororganizational level.
To access this report, you must have arole with the task “DISP_SCREP”.
Task AuthorizationAnalysis
a) Periodb) Yearc) Task IDd) Task
a) Roleb) Role Levelc) Taskd) Objecte) Object Typef) Organizationg) Person
This report shows which roles aparticular task is assigned to.
This report is useful to an InternalControls Manager or Audit Manager forevaluating which roles at a given levelhas a particular task.
To access this report, you must have arole with the task “DISP_SCREP”.
10/05/2009 20
Evaluation ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
Evaluations byOrganization
a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control
a) Hierarchyb) Ratingc) Ownerd) Significancee) Subprocess
Design Ratingf) Control Design
Rating
This report provides an overview aboutthe overall rating from the assessmentsand evaluations for selectedorganizations in a given time period.
To access this report, you must have arole with the DISP_REPT taskassigned.
Entity-Level ControlAssessments
a) Periodb) Yearc) Organizationd) Rating Typee) Rating
a) Organizationb) ELC Group
Descriptionc) Entity Level
Controld) ELC
AssessmentRating
This is a tabular report showing thecomplete list of entity-level controls andtheir assessment status.
To access this report, you must have arole with the DISP_REPT taskassigned.
Entity-Level ControlAssessments byOrganization
a) Periodb) Yearc) Organizationd) Rating Typee) Rating
a) Hierarchyb) Ratingc) ELC
AssessmentStatus
d) ELCAssessmentRating
e) Issues – ELCAssessment
f) RemediationPlans – ELCAssessment
This is a hierarchical report that showsthe evaluation results of ELCs for aparticular organization for a specifiedperiod of time.
It contains the same information as theEntity-Level Control Assessmentsreport, but in a hierarchical format.
To access this report, you must have arole with the DISP_REPT taskassigned.
Subprocess DesignAssessments
a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Rating
a) Organizationb) Processc) Subprocessd) Subprocess
Design Rating
This report shows the subprocessdesign assessment results for thespecified subprocesses andorganization.
To access this report, you must have arole with the DISP_REPT taskassigned.
Control Ratings a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control
a) Organizationb) Processc) Subprocessd) Controle) Control Design
Ratingf) Self
AssessmentRating
This tabular report shows overall controlratings by organization, process andsubprocess. The report shows both theControl Design Rating and theEffectiveness Rating.
To access this report, you must have arole with the DISP_REPT taskassigned.
Control Objective-Risk Coverage withEvaluations
a) Periodb) Yearc) Organizationd) Rating Typee) Process
a) Subprocessb) Control
Objectivec) Riskd) Controle) Subprocess
This report provides visibility to thecontrol coverage of control objectiveand risks. It also shows the ratings ofthe effectiveness of the controls.
10/05/2009 21
Evaluation ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
f) Rating Design Ratingf) Control Design
Rating
To access this report, you must have arole with the DISP_REPT taskassigned.
Control Objective-Risk Coverage withRatings byOrganization
a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Rating
a) Hierarchyb) Organizationc) Subprocessd) Control
Objectivee) Riskf) Control
This is a tabular report that shows therisk-control matrix and thecorresponding overall control rating byorganization.
The report enables an Internal ControlsManager to get a comprehensive viewof all Process Control objective-Risk-Control mappings, with accompanyingratings, for a specific organization oracross the enterprise.
To access this report, you must have arole with the DISP_SCREP taskassigned.
Control Test Historywith Ratings
a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control
This report enables an Internal ControlsManager or a control owner tounderstand the historic test scheduleand results related to a specific controlor set of controls. All controls aredisplayed in alphabetical order.
To access this report, you must have arole with the DISP_REPT task.
Financial AssertionsCoverage withEvaluations
a) Periodb) Yearc) Organizationd) Rating Typee) Rating
a) Organizationb) Subprocessc) Account Groupd) FS Assertione) Controlf) Control Design
Rating
This is a tabular report that shows theaccount groups / financial assertionswithin a subprocess that havecorresponding controls. The evaluationresults of those controls are included.
To access this report, you must have arole with the DISP_REPT taskassigned.
Assessment SurveyResults
a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control
This report shows the current status andresults of surveys that have beenscheduled.
To access this report, you must have arole with the DISP_REPT taskassigned.
Issue Status a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control
This is a tabular report by subprocessshowing all issues generated and theircurrent status.
To access this report, you must have arole with the DISP_REPT taskassigned.
10/05/2009 22
Evaluation ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
Remediation Status a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control
This tabular report shows the status ofremediation plans by subprocess andcontrol.
To access this report, you must have arole with the DISP_REPT taskassigned.
10/05/2009 23
Audit ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
Change Analysis a) Period 1b) Period 2c) Organizationd) Processe) Showf) Change Type
Audit Log a) Date fromb) Date toc) Object Typed) Showe) Change Type
Certification ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
Organizational Sign-off Status
a) Periodb) Yearc) Organization
To access this report, you must have arole with the DISP_SIGNO taskassigned.
Sign-off with Entity-Level ControlAssessment
a) Periodb) Yearc) Organizationd) Rating Typee) Rating
To access this report, you must have arole with the DISP_SIGNO taskassigned.
Issues Relevant forSign-off
a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control
To access this report, you must have arole with the DISP_SIGNO taskassigned.
10/05/2009 24
Business Intelligence ReportsReport Name Selection Fields Standard
Content FieldsReport Purpose
Global Heat Map This report provides a map-based visualview of controls status, and enablesfurther drill-down to summary reportsand individual issues.
This BI report enables SOX managersto identify the organization's problemgeographic regions, as represented bythe levels of controls violations, andanalyze them further.
Control Failures andIssue Trends
This BI report helps the SOX Manageror Organization Owner understand thetrends and pattern in the occurrence oftest failures and issues across the timeperiods.
The decision maker can look at thereport and decide if action is needed ornot, depending on the upward ordownward trajectory of the curve.
Control Status byKey Accounts,Assertions andRisks
This BI report enables the SOXManager or Organization owner toadopt a risk-based approach toidentifying and tracking control failures.
By analyzing ineffective controls by keyaccounts, assertions or risks, decisionmakers can identify and focus on themost serious failures and address themfirst.
10/05/2009 25
6 Master Data and Custom Fields
6.1 What are custom fields used for?
Custom fields provide the opportunity to enhance the pre-delivered data structuresto provide customers with the ability to reflect customer-specific information for reporting purposes.Custom fields cannot be used to drive functionality. The only exception to that rule is the utilizationin custom selection procedures for planning evaluations.
6.2 How are master data custom fields will be used in reporting
Custom Fields can be included into any of the pre-delivered reports as additional report columns.No inclusion into the selection criteria is supported.
It is important to understand that technical know-how (e.g. understanding of data dictionary relatedexpressions and transaction codes are required to execute the necessary steps).
The inclusion of custom fields is being done via the transaction codeCRMC_BLUEPRINT_C. The technical name / key of the report in question can be found indomain GRPC_REP_TYPE.
To determine those information, please execute transaction SM30 using the tableGRPCREPORT. To include the new fields in the report, you must adjust the field group forthat particular report.
In the transaction CRMC_BLUEPRINT_C, start the item “Field Group Structure”, andspecify the name of the field group GRPC_REPORT_DATA_F3.
Each report has a field group GRPC_REPORT_DATA_XXX, where XXX stands for thecode of the report, according to the fixed values in the domain GRPC_REP_TYPE.
Switch to change mode and export the entries delivered by SAP.
Please note: These field groups are very large, as they contain all the fields that are relevant forparticular report.
As next step, locate the free screen position in the field group and then enter your own fields: fieldname ZZ_KEYDATE and field type “Text field” and another entry for field name ZZ_ISSUEKINDand field type “Dropdownlistbox”.
Please note: Since a drop-down function is being used, you must specify the drop-down to get thedomain values involved, as the text field would only show the single character (the real value of thefield). To complete this, we have to switch on two checkboxes at the bottom of the page – “Domainvalues” and “Read Only” (as reports are always read-only).
It is also feasible to make the custom fields e.g. optional, but not displayed by default, by setting therelated flags.
Finally, save all changes and generate the layout of the field group GRPC_REPORT_DATA_F3again.
6.3 How to include master data custom fields in reporting
Start transaction SE11, entering the data type GRPT_BSP_UI_REPORT_DATA and clicking on the“Change” button.
Locate the included structure CI_GRPC_CONTROL and double-click on that. Confirm that you want to create a new structure and include your infotype structure there:
Maintain the enhancement category (as “Cannot be enhanced”), save, check and activate. Thecustom fields from the infotype HRI9101 are now available for online reporting. However, therespective field groups have not been updated yet. This is the next step to be executed.
First determine which reports are going to contain the new control fields. In our example, let’s use the report M3 (“Control Ratings Report”). Execute transaction CRMC_BLUEPRINT_C and navigate to the section “Field Group
Structure”. Specify the field group GRPC_REPORT_DATA_M3 and switch to the change mode and
import SAP standard.
At this point the inclusion of the custom fields into the field group on the desired position is possible.The fields which contain the value can be included as text fields
The fields which should be displayed with texts from the domain values (like ZCOSO_REL) shouldbe included as dropdown list box, and properly flaggedas “read-only” and “domain values”.
To complete the addition of the custom fields, the following steps are necessary:
Save all changes made Leave the transaction Generate the layout of the field group GRPC_REPORT_DATA_M3.
Now the online report “Control Effectiveness Testing” should contain your customer specific fields(“Layout Generation node” in the same transaction)
10/05/2009 27
6.4 Utilization of custom fields in transactional flowsWhen the Custom Fields are created they can be used in all subsequent executed master datamaintenance transactions.
Please see the list below for an overview of Process Control 2.5 master data objects that can beenhanced by custom fields.
O Organization
P0 Organization dependent Process
P1 Organization dependent Subprocess
P2 Organization dependent ProcessStep
P3 Referred Process Step
P4 Process in scope
P5 Central Process Step
P6 Account Group
P7 Entity level control
P8 Organization dependent AccountGroup
P9 Organization dependent Entitylevel control
PK Central Process
PL Central Subprocess
PM Control Objective
PN Risk
PQ Test Plan
6.5 Custom Field and AuthorizationThe custom field could be accessed by the Person who has authorizations for accessing the masterdata object. No custom field specific authorization exists.
For Example: If Organization OIF has the Custom Field, if person has authorizations to editorganizations, can edit this custom field too.
The authorization for the creation of custom fields is a different matter.
The authorization required depend on type of Custom FieldMost of the steps in Custom Field Creation are considered “development”,which means:The user needs S_DEVELOP authorization profile or equivalentThe changes should be done in the development system and included inrequests and transported into the test and production systems.Although the activities belong are considered “development”, they are nottreated as modification of the delivered SAP standard
6.6 Validity period and custom fieldsThe utilization of the validity period concept could be applied to the custom field of type – HRobjects.