Process Control 2.5 Master Data - Archive · 2019. 11. 12. · It is preferred practice to leverage automated testing provided in PC 2.5 to reduce manual workload. The test plan object

SAP SOLUTIONS FOR GOVERNANCE,RISK, AND COMPLIANCE

Process Control 2.5Master Data

Applicable Releases:

SAP GRC Process Control 2.5

Topic Area:GRC / Process Control

Capability:GRC / Process Control

Version 2

October 2009

© Copyright 2009 SAP AG. All rights reserved.

No part of this publication may be reproduced or

transmitted in any form or for any purpose without the

express permission of SAP AG. The information containedherein may be changed without prior notice.

Some software products marketed by SAP AG and itsdistributors contain proprietary software components of

other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are

registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel

Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,

OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,

Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,i5/OS, POWER, POWER5, OpenPower and PowerPC are

trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader

are either trademarks or registered trademarks of Adobe

Systems Incorporated in the United States and/or other

countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered

trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame,

WinFrame, VideoFrame, and MultiWin are trademarks or

registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or

registered trademarks of W3C®, World Wide WebConsortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems,

Inc., used under license for technology invented andimplemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP

NetWeaver, and other SAP products and services

mentioned herein as well as their respective logos are

trademarks or registered trademarks of SAP AG in

Germany and in several other countries all over the world.

All other product and service names mentioned are thetrademarks of their respective companies. Data contained

in this document serves informational purposes only.

National product specifications may vary.

These materials are subject to change without notice.

These materials are provided by SAP AG and its affiliated

companies ("SAP Group") for informational purposes only,

without representation or warranty of any kind, and SAP

Group shall not be liable for errors or omissions with

respect to the materials. The only warranties for SAPGroup products and services are those that are set forth in

the express warranty statements accompanying such

products and services, if any. Nothing herein should be

construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of

any kind, either express or implied, including but not

limited to, the implied warranties of merchantability,

fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including

without limitation direct, special, indirect, or consequential

damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the

information, text, graphics, links or other items contained

within these materials. SAP has no control over the

information that you may access through the use of hot

links contained in these materials and does not endorse

your use of third party web pages nor provide any warranty

whatsoever relating to third party web pages.

SAP NetWeaver “How-to” Guides are intended to simplify

the product implementation. While specific productfeatures and procedures typically are explained in a

practical business context, it is not implied that those

features and procedures are the only approach in solving a

specific business problem using SAP NetWeaver. Should

you wish to receive additional information, clarification or

support, please refer to SAP Consulting.

Any software coding and/or code lines / strings (“Code”)

included in this documentation are only examples and are

not intended to be used in a productive system

environment. The Code is only intended better explain andvisualize the syntax and phrasing rules of certain coding.

SAP does not warrant the correctness and completeness of

the Code given herein, and SAP shall not be liable for

errors or damages caused by the usage of the Code, except

if such damages were caused by SAP intentionally or

grossly negligent.

Disclaimer

Some components of this product are based on Java™. Anycode change in these components may cause unpredictable

and severe malfunctions and is therefore expressively

prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only

to be used by SAP’s Support Services and may not be

modified or altered in any way.

10/05/2009 1

TABLE OF CONTENTS1 INTRODUCTION .................................................................................................. 2

1.1 About this document .............................................................................................. 21.2 Target Audience ..................................................................................................... 2

2 PROCESS CONTROL 2.5: DATA MODEL .......................................................... 33 PROCESS CONTROL 2.5: MASTER DATA ....................................................... 8

3.1 Time Dependency Concept in Process Control ...................................................... 83.2 Global Versus Local Master Data ........................................................................... 93.3 What Are Required Fields for Master Data? ........................................................... 13

4 SHARED SERVICES AND REFERENCED CONTROLS .................................... 144.1 SHARED SERVICES............................................................................................ 144.2 REFERENCED CONTROLS ................................................................................ 165 MASTER DATA AND REPORTING IN PROCESS CONTROL 2.5 ..................... 18

5.1 What fields drive reporting?.................................................................................... 18

6 MASTER DATA AND CUSTOM FIELDS ............................................................. 256.1 What are custom fields used for? ........................................................................... 256.2 How are master data custom fields will be used in reporting .................................. 256.3 How to include master data custom fields in reporting ............................................ 266.4 Utilization of custom fields in transactional flows .................................................... 276.5 Custom Field and Authorization ............................................................................. 276.6 Validity period and custom fields ............................................................................ 27

10/05/2009 2

1 Introduction

1.1 About this document

The purpose of this document is provide an overview of additional aspects around the master dataobjects of Process Control 2.5, to provide answers to common questions during the implementationand application phase of the product.

The clear focus of the document rests on the ABAP stack environment and is not venturing intoquestions pertaining to Business Intelligence, Access Control, Data Privacy or non-SAP application.

This document is not intended to supersede or replace provided SAP online documentation.

1.2 Target Audience

This document addresses the following groups:

• Client Project Resources• Implementation Consultants

10/05/2009 3

2 Process Control 2.5: Data Model

The intention of this document is not to provide an in depth overview of the data model of ProcessControl 2.5. Nonetheless, the simplified data model diagram below provides a reference for easyassociation of the most important master data objects and their respective relationships.

Although some of the dependencies will be established using the NWBC front-end, it is important tounderstand the object relationships before starting data conversion efforts.

Since the diagram represents only a simplified view, not all existing objects were included. Theexclusion does not deliver an indication about the importance of those objects.

10/05/2009 4

The table below provides additional object-related information to the master data objects of theGRC Process Control 2.5 application

Object Object Purpose Object Detail Information

Organization An organization represents a legalentity or any other company,division, geographic, or line ofbusiness that is subject to anevaluation and/or sign-off.

All organization objects are maintainedwithin a dedicated hierarchy, which existsseparately from the Central ProcessHierarchy and Control Objective / RiskHierarchy.

Process A Process represents a set ofbusiness activities relating to aspecific function in an organizationand is an element within theProcess Hierarchy.

It is a preferred practice to useyour scoping results as a basis fordetermining the processes toinclude your Process Hierarchy.

Processes and Subprocesses aremaintained within the same centralhierarchy. Central Process elements are notdependent upon organizations.

Subprocess Subprocesses represent subsets ofactivities within a businessprocess. They are always tied toat least one central parent processsince a central subprocess canonly be created under a specificprocess within the Central Processhierarchy.

It is preferred practice to use yourcontrol / risk matrix as a guide fordetermining the subprocesses toinclude in your Central Processhierarchy.

A Subprocess can be linked to multipleOrganizations (via reference or copyfunctions) and to multiple ControlObjectives/Risk pairs.

A Process may contain multipleSubprocesses.

Control A Control represents an activitywithin a subprocess that addressesa control objective or associatedrisk. It has a direct link to thefollowing objects:

Subprocess

Control Objective/Risk pair

Test Objects:

o Rule

o Test Plan

o Survey

It is a preferred practice to useyour control / risk matrix as a guideto determining which controls touse for the master data set-up.

A Control always belongs to a singleSubprocess. However, a Control can beassigned to multiple Subprocesses viareferencing or shared service functionality.

.

10/05/2009 5

Object Object Purpose Object Detail Information

ControlObjective

The Control Objective representsthe purpose of an activity or acontrol based on the associatedrisks.

It is preferred practice to use yourcontrol / risk matrix as a guide todetermining the control objective toset up as master data in PC2.5.

A Control Objective can have one or morerisks assigned to it.

Risk Main entity in the central Riskcatalog.

It is preferred practice to use yourcontrol / risk matrix as a guide indetermining risks to set up asmaster data in PC2.5.

A Risk always has one parent ControlObjective. Thus, it is not possible to link aRisk to more than one Control Objective.

A Control Objective/Risk pair can be linkedto more than one Control or Subprocess.

AccountGroup

Account groups (or significantaccounts) are the reportingaccount elements in the financialstatements.

It is preferred practice to use thesignificant accounts identified inthe risk assessment and scopingprocess as outlined in AS5.

Account Groups can be structured in ahierarchical way.

However, it is not a requirement to havesuch a hierarchy and therefore possible tocreate all account groups on the samelayer.

Entity-LevelControlGroup(ELCG)

An Entity-Level Control Group(ELCG) represents a grouping ofentity-level controls (ELCs) and isa hierarchical parent layer for theEntity-Level Control.

Entity-Level Control Groups can form ahierarchy in itself. However, the Entity-LevelControl represents a single layer.

Entity-LevelControl(ELC)

An ELC addresses an entity-levelrisk that has a pervasive impact onthe organization.

It is a preferred practice to useELC to represent organization-widecompliance controls (e.g., policy-related surveys), sometimesreferred to as Tone At The Top.

Each Entity-Level Control can only beassociated with one ELCG.

10/05/2009 6

Test Plan The test plan object exists as a flatstructure and is independent of anyother object.

It is preferred practice to leverageautomated testing provided in PC2.5 to reduce manual workload.

The test plan object is a collection of stepsand tests to be executed during manualtesting of a control. A test plan will be linkedto a control within the master data of thecontrol as attribute.

Rule A rule is the link between thedelivered automated controlprogram and the subprocess /control specific parameters orcriteria.

A rule is the instance of the automatedcontrol script. The rule contains the valueand threshold definition for each rulecriterion to which it links.

Rule criteria are attributes to a rule andinclude control-specific selection criteria forexecuting a particular script. The deficiencyindicator parameters are also maintained aspart of the rule criteria.

Script A script is an automated controlprogram in the back-end ERPsystem.

SAP delivered rule scripts for automatedcontrol to be executed in a SAP backendhave the script type GRC.

The utilization of SAP Query requires thecreation of corresponding custom Scripts.

Custom ABAP cannot be executed viaScripts.

ScriptCriteria

Program Parameters to be used toexecute an automated controlprogram in the backend system.

No additional selection parameters arepossible for pre-delivered automated controlprograms.

Organization-Level SystemParameter(OLSP)

OLSPs are maintained for a set oforganization structures and areassociated as part of theorganization master data.

The OLSPs allow you to assignsystems and system-specificorganization parameters at theorganizational level, rather than atthe rule level. This avoids having tomaintain the values within eachrule.

OLSP can only comprise values for thefollowing 4 SAP objects:

Company Code

Plant

Purchase Organization

Sales Organization

The addition / utilization of other objects donot have any effect to the execution ofcontrols.

10/05/2009 7

Question A Question is an entry in thequestion library and constitutes thedata elements or building blocksfor a survey.

It is a preferred practice to keepthe contents of the question asneutral as possible to allowquestions to be used with a varietyof controls and in a variety ofsurveys to reduce the number ofquestions to be maintained in thelibrary.

A question can be used in multiple surveysin parallel.

Survey A Survey is an entry in the surveylibrary

A survey is evaluation-type-specific and cancomprise multiple questions.

3 Process Control 2.5: Master Data

3.1 Time Dependency Concept in Process ControlWhen working with master data, it is important to select the correct timeframe, as all objects inProcess Control are time dependent. It is a preferred practice that during initial implementation youcreate objects as of the beginning of the compliance reporting period, so the objects will beavailable in reports for the entire period. Thereafter, you should use the date that the object iscreated or implemented. For example, during initial load you may wish to have your organizations,account hierarchy, process hierarchy and entity-level control hierarchy objects all begin as of01/01/200X. Thereafter, you may acquire a company as of 09/30/200X and add organizations andnew processes as of that date.

The timeframe is set in the Process Control back end in GRPC_STR_CHANGE using the iconindicated below which controls both the default Valid From date and the Assigned As Of Date:

While working with master data in the NWBC, the timeframe can be changed at the top of mosttasks such as the area in the screenshot below. Note that if you change the period and/or year it isimportant to click "Go” to put the new timeframe into effect and to retrieve the relevant objects.

Once you set the timeframe in the NWBC, if you close and open a session the timeframe willremain the same until you change it. Any sessions you have open while you change the timeframewill not change until you close and reopen the session.

10/05/2009 9

3.2 Global Versus Local Master DataMaster Data for Process Control 2.5 can be categorized into two general groups. Those groups areglobal master data and local organization-dependent master data.

It is important to understand that all organization-dependent master data objects exist as part of theglobal master data. The localization of an object is driven by the temporal association to anorganization.

The creation of all master data objects within the global master data catalog / hierarchies is thebase upon which all subsequent activities depend to establish master data objects for therespective organization-dependent organizations.

The subprocesses defined in the central process catalog do not automatically apply to allorganizations across the hierarchy. This is because each organization can have a process flow thatis different from the one defined centrally. You decide which subprocesses are relevant for anorganization during the scoping phase. As organization owner, you must select the relevantprocesses for an organization from the central process catalog (with or without the correspondingcontrols).

The subprocesses are assigned as either referenced or copied to the organizations. Onlysubsequent does the subprocess become relevant for the organization for assessments and tests.

Selection of the assignment method based on business intent.

Copy (Decentralized with controls proposed) – to copy a selectedsubprocess, including assigned controls. You can later edit the localsubprocess and controls.

Reference (Centralized) – to reference to a selected subprocess andcontrols in the central catalog. You will not be able to locally edit thereferenced subprocess and controls since these remain as central objects.

Subprocesses offered as Shared Services must be assigned as Reference.

Assign Without Controls (Decentralized with no controls proposed) – to assign asubprocess only excluding associated controls. This presumes that theorganization will create and maintain its own controls independently from thecentral catalog.

The actions usually taken are:

1. Assign subprocesses out of the central process catalog to organization2. All controls pertaining to the assigned subprocess are also now linked to the organization3. Once assigned locally, control-rule assignments can be completed to enable automated

testing and monitoring. The control-rule assignment can be manual via the NWBC, orduring the data load process.

4. The organization accepts the centrally-defined entity-level controls and the system createsentries as Organization-dependent Entity-level Controls

5. Role owners are assigned for processes, subprocesses, controls and testers for eachorganization.

Please refer to the table below for an overview of master data objects that are associated with thosetwo layers. All listed master data objects and their relationships are time dependent. That timedependency provides high flexibility to address the need to associate master data objects that canbe localized for a period of time.

Object Name Global Master Data Organization-dependentMaster Data

Organization X

Entity-level Control X X

Process X X

Subprocess X X

Control Objective X

Risk X

Account Group X

Test Plan X

Person X

Global master data is referred to as “central” master data in the PC 2.5 back-end. For simplificationpurposes and to align the explanation with the system terminology, the subsequent outline uses theexpression “central” to refer to global master data. In the screen shot below, the icons on the leftside are color coded, white/global and green/local.

The maintenance of central master data should be performed in the NWBC client (front-end) afterthe initial data loads. Despite the fact that master data can also be maintained directly in the back-end, it is highly advisable to maintain master data using NWBC when possible because of theadditional validation.

Since organization-dependent master data reflects association to organizations, the creation andmaintenance of organization-dependent master data is performed automatically in the backgroundonce assigned by the organization owner. That creation is driven by the association of objects in theNWBC and localization entries can then be completed.

Those dependencies are illustrated in the example below:

In the mentioned example an organization-dependent subprocess and organization-dependentcontrol is being created (please see screen shot sequence below for illustration purposes).

The Process “18_SPDA_Process” and associated subprocess “18_SPDA_Subprocess 2” havebeen created in the system.

As next step, the subprocess (18_SPDA_ Subprocess_2) has been assigned to five differentorganizations. Each assignment represents the validity of the subprocess to the organization for agiven period of time (as depicted below). It is a common practice to assign the subprocess with anunlimited duration. If a subprocess becomes obsolete, a subsequent delimitation will be executed.

Each of those associations creates an organization-dependent subprocess object in the PC 2.5back-end. The example below shows the entry for the organization-dependent process master data.Those objects are referred to as “local master data.”

The drill-down into a selected item provides the inside into the relationship established by thesystem.

The associated organization-dependent subprocess is also created automatically based upon theestablished object relationship.

The same entry creation is valid for all organization-dependent master data objects illustrated in theoverview table. Changes to the validity period do not lead to the creation of additional organization-dependent master data objects, but rather impact the validity period directly.

It is strongly recommended to perform such validity period changes through the NWBC front-end.

3.3 What Are Required Fields for Master Data?Depending on the functionality to be used in Process Control 2.5, different subsets of fields arerequired. Those requirements have an impact to the initial upload as well as for on-goingmaintenance.

The master data requirements to be considered during the data load in chapter 5.

Based upon that fact that selected functionality drives the need for specific master data, the sectionis structured by major functionality sets.

Each mandatory field is signified by a small red star that is displayed at the right hand side of therespective field name.

4 Shared Services and Referenced Controls

It is often difficult to understand the effectiveness of internal controls within a business cycle withoutconsidering the impact of controls that cross organizational and process boundaries. In fact, oftennot all control objectives/risks will be met / mitigated by controls within a given subprocess withoutrelying upon controls existing in another subprocess or organization. There are two scenariosavailable in PC to address this requirement:

4.1 Shared ServicesSome companies have organizations whose purpose is to perform services for other organizationswithin the company. Those organizations are understood as “shared services”. The controls withinthe shared service organization, with related control objectives and risks, are shared amongpotentially many organizations.

However they are actually performed, assessed and tested within the shared services organization.

An example of this would be a company that has shared services for accounts payable processing.That is, they have a centralized processing center or entity that performs the accounts payableprocessing for several organizations within the corporation. All control objectives and risks aremaintained relative to subprocesses within the shared services organization. It is also verycommon to have shared services related to the IT and HR functions.

These controls will be referred to as “Shared Service” controls.

Organizations designated as a shared service provider should be maintained during theorganization setup as shown below:

During the subprocess assignments, organizations can choose to select or not select the sharedservice when taking the subprocess to the local level. If the organization does take the sharedservice subprocess, they will not conduct assessments or tests, but will use the results reportedby the shared service to satisfy their compliance requirements in reporting.

4.2 Referenced ControlsAny given control in a subprocess may satisfy control objectives and mitigate risks in othersubprocess, process and/or organization.

For example, a control related to timely preparation and review of bank statements might existwithin the Treasury or Cash Management subprocess, but the control might also satisfy controlobjectives and mitigate risks within the AP Payments and AR Cash Receipts subprocesses thatmay reside in different organizations.

These controls will be referred to as “Referenced” controls.

A given organization may reference this control that resides in another subprocess, process and/ororganization to mitigate its own associated risk.

At the time a control is set up a decision is made to allow referencing, by selecting "allowreferencing" button on the bottom left of the screenshot below:

An organization that wants to reference a control does so by selecting the control and assigningit to a subprocess they have assigned to the organization using “reference” rather than “copy”.See the screen shot below illustrating selection of a control to be referenced:

Evaluation results of a referenced control will reflect in the evaluation results of the organization thatreferenced that control. Thus, in both cases mentioned above, customers avoid redundantdocumentation, assessment and testing while still enabling a subprocess and/or organization toaccess documentation and testing results of the shared service or referenced controls upon whichthey rely. This enables them to present and report their Sarbanes-Oxley compliance in its totality.

10/05/2009 18

5 Master Data and Reporting in Process Control 2.5

5.1 What fields drive reporting?

Master Data ReportsReport Name Selection Fields Standard

Content FieldsReport Purpose

Control Objective -Risk Coverage

a) Periodb) Yearc) Organizationd) Process

a) Subprocessb) Control

Objectivec) Riskd) Control

This is a tabular report showing theprocess and risk matrix byorganization, with associated controlevaluation ratings.

This report will help you validate ifevery control objective and risk pair istested via a control. The report alsoprovides visibility into the riskcoverage.

FinancialAssertionsCoverage

a) Periodb) Yearc) Organization

a) Organizationb) Subprocessc) Account

Groupd) FS Assertione) Control

This report provides visibility into thefinancial assertion coverage for a givenorganization.

This report shows whether or not acontrol has been assigned to a givenaccount group / assertion combination.

Organization andProcess Structure

a) Periodb) Yearc) Organizationd) Processe) Control

a) Hierarchyb) Ownerc) Significance

The report shows a hierarchical view oforganizations and related processes,subprocesses, controls and relatedcontrol owners for the specifiedorganization.

Entity-Level ControlStructure


a) Hierarchyb) Owner

This is a hierarchical report that showsthe entity-level control structure andrelated owners.

Test Plan byControl

a) Periodb) Yearc) Organizationd) Processe) Control

a) Custom Dateb) Subprocessc) Controld) Ownere) Significancef) To Be Tested

This report provides visibility into thetest plans that have been assigned tospecific controls in the processcatalog.

To access this report, you must have arole with the task “DISP_REPT”.

10/05/2009 19

Authorization Analysis ReportsReport Name Selection Fields Standard


PersonAuthorizationAnalysis

a) Periodb) Yearc) Person Named) User Last Namee) User Id

a) User IDb) User Namec) Roled) Role Levele) Objectf) Object Typeg) Organizationh) Taski) Minimum Levelj) One Role One

This report shows the role / role levelthat have been assigned for the user/sselected.

This report is useful to an InternalControls Manager or Audit Manager forevaluating the roles assigned to specificuser/s at a corporate or organizationallevel.

To access this report, you must have arole with the task “DISP_SCREP”.

Role AuthorizationAnalysis

a) Periodb) Yearc) Role IDd) Rolee) Role Level

a) Objectb) Object Typec) Organizationd) Rolee) Role Levelf) Persong) Taskh) Minimum Leveli) One Role One

This report provides inside the tasks thatare assigned to a particular role.

This report is useful to an InternalControls Manager or Audit Manager forevaluating which tasks are assigned toparticular roles at a corporate ororganizational level.


Task AuthorizationAnalysis

a) Periodb) Yearc) Task IDd) Task

a) Roleb) Role Levelc) Taskd) Objecte) Object Typef) Organizationg) Person

This report shows which roles aparticular task is assigned to.

This report is useful to an InternalControls Manager or Audit Manager forevaluating which roles at a given levelhas a particular task.


10/05/2009 20

Evaluation ReportsReport Name Selection Fields Standard


Evaluations byOrganization

a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control

a) Hierarchyb) Ratingc) Ownerd) Significancee) Subprocess

Design Ratingf) Control Design

Rating

This report provides an overview aboutthe overall rating from the assessmentsand evaluations for selectedorganizations in a given time period.

To access this report, you must have arole with the DISP_REPT taskassigned.

Entity-Level ControlAssessments

a) Periodb) Yearc) Organizationd) Rating Typee) Rating

a) Organizationb) ELC Group

Descriptionc) Entity Level

Controld) ELC

AssessmentRating

This is a tabular report showing thecomplete list of entity-level controls andtheir assessment status.


Entity-Level ControlAssessments byOrganization


a) Hierarchyb) Ratingc) ELC

AssessmentStatus

d) ELCAssessmentRating

e) Issues – ELCAssessment

f) RemediationPlans – ELCAssessment

This is a hierarchical report that showsthe evaluation results of ELCs for aparticular organization for a specifiedperiod of time.

It contains the same information as theEntity-Level Control Assessmentsreport, but in a hierarchical format.


Subprocess DesignAssessments

a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Rating

a) Organizationb) Processc) Subprocessd) Subprocess

Design Rating

This report shows the subprocessdesign assessment results for thespecified subprocesses andorganization.


Control Ratings a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control

a) Organizationb) Processc) Subprocessd) Controle) Control Design

Ratingf) Self

AssessmentRating

This tabular report shows overall controlratings by organization, process andsubprocess. The report shows both theControl Design Rating and theEffectiveness Rating.


Control Objective-Risk Coverage withEvaluations

a) Periodb) Yearc) Organizationd) Rating Typee) Process

a) Subprocessb) Control

Objectivec) Riskd) Controle) Subprocess

This report provides visibility to thecontrol coverage of control objectiveand risks. It also shows the ratings ofthe effectiveness of the controls.

10/05/2009 21



f) Rating Design Ratingf) Control Design

Rating


Control Objective-Risk Coverage withRatings byOrganization

a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Rating

a) Hierarchyb) Organizationc) Subprocessd) Control

Objectivee) Riskf) Control

This is a tabular report that shows therisk-control matrix and thecorresponding overall control rating byorganization.

The report enables an Internal ControlsManager to get a comprehensive viewof all Process Control objective-Risk-Control mappings, with accompanyingratings, for a specific organization oracross the enterprise.

To access this report, you must have arole with the DISP_SCREP taskassigned.

Control Test Historywith Ratings


This report enables an Internal ControlsManager or a control owner tounderstand the historic test scheduleand results related to a specific controlor set of controls. All controls aredisplayed in alphabetical order.

To access this report, you must have arole with the DISP_REPT task.

Financial AssertionsCoverage withEvaluations


a) Organizationb) Subprocessc) Account Groupd) FS Assertione) Controlf) Control Design

Rating

This is a tabular report that shows theaccount groups / financial assertionswithin a subprocess that havecorresponding controls. The evaluationresults of those controls are included.


Assessment SurveyResults


This report shows the current status andresults of surveys that have beenscheduled.


Issue Status a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control

This is a tabular report by subprocessshowing all issues generated and theircurrent status.


10/05/2009 22



Remediation Status a) Periodb) Yearc) Organizationd) Rating Typee) Processf) Ratingg) Control

This tabular report shows the status ofremediation plans by subprocess andcontrol.


10/05/2009 23

Audit ReportsReport Name Selection Fields Standard


Change Analysis a) Period 1b) Period 2c) Organizationd) Processe) Showf) Change Type

Audit Log a) Date fromb) Date toc) Object Typed) Showe) Change Type

Certification ReportsReport Name Selection Fields Standard


Organizational Sign-off Status


To access this report, you must have arole with the DISP_SIGNO taskassigned.

Sign-off with Entity-Level ControlAssessment



Issues Relevant forSign-off



10/05/2009 24

Business Intelligence ReportsReport Name Selection Fields Standard


Global Heat Map This report provides a map-based visualview of controls status, and enablesfurther drill-down to summary reportsand individual issues.

This BI report enables SOX managersto identify the organization's problemgeographic regions, as represented bythe levels of controls violations, andanalyze them further.

Control Failures andIssue Trends

This BI report helps the SOX Manageror Organization Owner understand thetrends and pattern in the occurrence oftest failures and issues across the timeperiods.

The decision maker can look at thereport and decide if action is needed ornot, depending on the upward ordownward trajectory of the curve.

Control Status byKey Accounts,Assertions andRisks

This BI report enables the SOXManager or Organization owner toadopt a risk-based approach toidentifying and tracking control failures.

By analyzing ineffective controls by keyaccounts, assertions or risks, decisionmakers can identify and focus on themost serious failures and address themfirst.

10/05/2009 25

6 Master Data and Custom Fields

6.1 What are custom fields used for?

Custom fields provide the opportunity to enhance the pre-delivered data structuresto provide customers with the ability to reflect customer-specific information for reporting purposes.Custom fields cannot be used to drive functionality. The only exception to that rule is the utilizationin custom selection procedures for planning evaluations.

6.2 How are master data custom fields will be used in reporting

Custom Fields can be included into any of the pre-delivered reports as additional report columns.No inclusion into the selection criteria is supported.

It is important to understand that technical know-how (e.g. understanding of data dictionary relatedexpressions and transaction codes are required to execute the necessary steps).

The inclusion of custom fields is being done via the transaction codeCRMC_BLUEPRINT_C. The technical name / key of the report in question can be found indomain GRPC_REP_TYPE.

To determine those information, please execute transaction SM30 using the tableGRPCREPORT. To include the new fields in the report, you must adjust the field group forthat particular report.

In the transaction CRMC_BLUEPRINT_C, start the item “Field Group Structure”, andspecify the name of the field group GRPC_REPORT_DATA_F3.

Each report has a field group GRPC_REPORT_DATA_XXX, where XXX stands for thecode of the report, according to the fixed values in the domain GRPC_REP_TYPE.

Switch to change mode and export the entries delivered by SAP.

Please note: These field groups are very large, as they contain all the fields that are relevant forparticular report.

As next step, locate the free screen position in the field group and then enter your own fields: fieldname ZZ_KEYDATE and field type “Text field” and another entry for field name ZZ_ISSUEKINDand field type “Dropdownlistbox”.

Please note: Since a drop-down function is being used, you must specify the drop-down to get thedomain values involved, as the text field would only show the single character (the real value of thefield). To complete this, we have to switch on two checkboxes at the bottom of the page – “Domainvalues” and “Read Only” (as reports are always read-only).

It is also feasible to make the custom fields e.g. optional, but not displayed by default, by setting therelated flags.

Finally, save all changes and generate the layout of the field group GRPC_REPORT_DATA_F3again.

6.3 How to include master data custom fields in reporting

Start transaction SE11, entering the data type GRPT_BSP_UI_REPORT_DATA and clicking on the“Change” button.

Locate the included structure CI_GRPC_CONTROL and double-click on that. Confirm that you want to create a new structure and include your infotype structure there:

Maintain the enhancement category (as “Cannot be enhanced”), save, check and activate. Thecustom fields from the infotype HRI9101 are now available for online reporting. However, therespective field groups have not been updated yet. This is the next step to be executed.

First determine which reports are going to contain the new control fields. In our example, let’s use the report M3 (“Control Ratings Report”). Execute transaction CRMC_BLUEPRINT_C and navigate to the section “Field Group

Structure”. Specify the field group GRPC_REPORT_DATA_M3 and switch to the change mode and

import SAP standard.

At this point the inclusion of the custom fields into the field group on the desired position is possible.The fields which contain the value can be included as text fields

The fields which should be displayed with texts from the domain values (like ZCOSO_REL) shouldbe included as dropdown list box, and properly flaggedas “read-only” and “domain values”.

To complete the addition of the custom fields, the following steps are necessary:

Save all changes made Leave the transaction Generate the layout of the field group GRPC_REPORT_DATA_M3.

Now the online report “Control Effectiveness Testing” should contain your customer specific fields(“Layout Generation node” in the same transaction)

10/05/2009 27

6.4 Utilization of custom fields in transactional flowsWhen the Custom Fields are created they can be used in all subsequent executed master datamaintenance transactions.

Please see the list below for an overview of Process Control 2.5 master data objects that can beenhanced by custom fields.

O Organization

P0 Organization dependent Process

P1 Organization dependent Subprocess

P2 Organization dependent ProcessStep

P3 Referred Process Step

P4 Process in scope

P5 Central Process Step

P6 Account Group

P7 Entity level control

P8 Organization dependent AccountGroup

P9 Organization dependent Entitylevel control

PK Central Process

PL Central Subprocess

PM Control Objective

PN Risk

PQ Test Plan

6.5 Custom Field and AuthorizationThe custom field could be accessed by the Person who has authorizations for accessing the masterdata object. No custom field specific authorization exists.

For Example: If Organization OIF has the Custom Field, if person has authorizations to editorganizations, can edit this custom field too.

The authorization for the creation of custom fields is a different matter.

The authorization required depend on type of Custom FieldMost of the steps in Custom Field Creation are considered “development”,which means:The user needs S_DEVELOP authorization profile or equivalentThe changes should be done in the development system and included inrequests and transported into the test and production systems.Although the activities belong are considered “development”, they are nottreated as modification of the delivered SAP standard

6.6 Validity period and custom fieldsThe utilization of the validity period concept could be applied to the custom field of type – HRobjects.

Documents

Process Control 2.5 Master Data - Archive · 2019. 11. 12. · It is preferred practice to leverage automated testing provided in PC 2.5 to reduce manual workload. The test plan object