
SAP Process Control: 12 little things that can make a big difference...

Little things can actually make a lot of sense !!


Published on October 14, 2016
Ralph Aboujaoude Diaz, Director at GlaxoSmithKline

I have been involved in many implementations of the SAP Process Control solution and I have learned that sometimes little things can make a big difference.

No integration with other solutions or tools, no Add-Ons, no custom enhancements, no complex configuration activities...Just standard and out-of-the-box functionalities that can be easily configured to meet a wide range of requirements (it is hard to believe, I know!).

The intention of this post is to list 12 functionalities (a mix of technical and functional ones) in 5 key areas that in my view can make a real difference. I will do my best to explain things in "plain English" without going too technical…but I can’t promise anything!

Enhance end-user experience

Simplify end-user interfaces by defining role-based entry pages. Let’s be honest, navigating between Work Centres can be a real pain for end-users. Having one entry page per role is a really effective way to increase user adoption. Tailored entry pages should be configured for each relevant role in order to allow users to access all the required functionality and data from one centralised user interface. A control owner, for example, will be able to see her/his work inbox, create ad-hoc issues, display controls, track open issues and remediation plans, etc. By leveraging the pre-delivered CHIP catalogue (Collaborative Human Interface Part), it is easy to add or remove menu items from entry pages in order to meet the specific requirements of each functional role. Note that if you want to create new CHIPs, you will need to do it via the Web Dynpro ABAP Page Builder, which in that case requires some dedicated technical skills.

Create a custom user interface that is more aligned with the risk & control taxonomy of the organisation. It is possible to easily tailor the “Launch pad” by changing the name and description of the different menu groups and menu items in each work centre. As an example, you can change the name and description of the pre-delivered menu group “Organisations” to “<Name of the Company> organisational hierarchy”. You can also change the pre-delivered menu item “Regulations” to a more generic one like “Applicable Regulations, Frameworks and Standards”.

Define custom names for workflow items that are more aligned with your corporate
“jargon” and words. The solution also provides the ability to customise workflow tasks
in 2 different ways: changing the text of the workflow item and/or including additional
parameters that automatically inject more information at the end of the workflow item.
As an example, you can change the name of the standard workflow item “Remediate
Exception: Automated Monitoring” to “Review automated control exceptions”. In order
to ensure that end-users can directly (and quickly) understand reported exceptions from
their Work Inbox (without actually clicking to go into the detailed workflow item), it is
possible for example to add the parameter “&4” which corresponds to the “Issue Name”.
Believe me, it will make much more sense for an end-user to get a workflow item in
her/his Work Inbox with the description “Review automated control exception:
Duplicate Invoice Check disabled” rather than just “Remediate Exception: Automated
Monitoring”.

Increase master data governance


Specify which fields should be set as “Required” during master data creation (at process, sub-process and control levels). It is possible to change the standard behaviour of the solution by maintaining the values for the field status configuration in the "GRC-PC" application component. As an example, you can force the master data maintenance team to populate the pre-delivered “Input” and “Output” fields at the central control level in order to ensure that enough information is captured based on functional requirements. It is possible to set the status of certain fields as Required, Optional, Display, or Hidden by updating the view/cluster GRFNVC_FLD. Note that some fields which are shared across application components (Access Control, Process Control and Risk Management) cannot be configured.

Determine which control fields/attributes can actually be changed at local level (once the central control has been assigned to an organisation unit). The solution allows you to specify which control attributes can be modified according to local requirements (such as control test plan, control frequency, etc.) and which ones can never be altered (such as control description, control purpose, etc.) in order to ensure consistency with the central control template. If you flag a control attribute as “No local change allowed”, this control attribute will always be synchronised with the central control template stored in the central business process library (a change to the value of the central control attribute will be automatically cascaded to local level wherever this control has been assigned). This is also a great way to optimise the master data maintenance activities. Also note that this is a very powerful configuration because it bypasses the authorisation settings (even if a role has the ability to change master data at the local control level, this configuration will simply prevent the user from doing so).

Enable the approval workflow for master data maintenance to govern changes that occur
at local control level (only). Given that maintenance of central master data should be
restricted to a very limited group of roles and users (I hope so!), I generally don’t see too
much value in enabling the approval workflow for central controls. This configuration in
combination with the previous one (definition of which control fields/ attributes can
actually be changed at local level) will allow you to have a very robust governance
model over changes to local control master data. Note that there is a minor known
limitation in the solution where once the request for master data changes has been
approved, the requester can actually change the value of any control attribute (and not
limited to the fields captured in the request). The best approach here is to also have a
detective review of master data changes through the standard pre-delivered “Audit Log”
report (with a monthly frequency).

Simplify control evaluation processes


Probably most of the organisations that are deploying (or intend to deploy) the solution already have the SAP Access Control solution in place. It would be a shame not to integrate the 2 solutions from a master data and transactional perspective! Mitigating controls for segregation of duties and critical action rules can be directly maintained (creation/change/deletion) from SAP Process Control via the business process library. Once created from SAP Process Control, mitigating controls will be automatically pushed to and visible in the SAP Access Control mitigating control library. As a result, no users should be able to maintain mitigating controls from SAP Access Control (Remove/Copy/Delete authorisations should be removed from existing SAP Access Control roles). The benefits are quite clear here: one centralised and standardised way of maintaining controls, and the ability to monitor/evaluate the operating effectiveness of existing mitigating controls via the SAP Process Control solution. The transactional integration between SAP Process Control and SAP Access Control also allows organisations to automatically trigger/run the access risk analysis based on a pre-defined frequency (via the Continuous Monitoring platform) and automatically send the access violation results to the designated control owner for subsequent evaluation. The benefits here are also quite clear: the ability to provide a rating of mitigating control evaluations (that can be included in existing SAP Process Control reports), raise control issues and undertake remediation activities (following the standard issue/remediation workflows).

Most organisations nowadays are operating controls via dedicated shared service centres. It is possible to use the “Shared Service Provider” functionality to monitor/test controls against one organisation unit (a Finance SSC) and automatically leverage and share control evaluation results with all the relevant markets/legal entities. Flagging an organisation unit as “Shared Services Provider” in SAP Process Control will enable you to share the control evaluation results (including issue and remediation activities) with other organisation units that rely on these SSCs. The key benefit here is that controls are monitored/tested in one single location, avoiding multiple and redundant control evaluation cycles performed in all markets/legal entities. Note that shared sub-processes (and underlying controls) can only be assigned to organisation units using the “No local changes allowed” sub-process assignment method. This assignment method does not provide the flexibility to remove controls when local deviations exist, limiting the ability to apply the flexible model that is required in some instances based on local requirements. You just need to think carefully about the most suitable approach during the design phase.

Optimise continuous monitoring rules


Continuous monitoring rules in SAP Process Control can be boosted via the Business Rule Framework plus (BRFplus), which provides a very robust API and UI for defining and processing complex business rules. For example, when defining continuous transaction monitoring rules it is quite common to use a wide range of formulas in BRFplus in order to concatenate fields, calculate time duration differences, aggregate data (count, sum, etc.), split a text string, define a decision tree, write an “If” statement, etc. Note that not all formulas that exist in BRFplus can actually be used in SAP Process Control. I have used the continuous monitoring platform and BRFplus to perform transaction monitoring over a significantly large amount of data and I can assure you that the solution is definitely able to extract and analyse data in an efficient and consistent way...if you do it properly! I recommend using a “date” type field as a filter criterion during the business rule definition (to target a specific set of data during the extraction/analysis process) and ensuring that the system profile parameter “ztta/max_memreq_MB” is adjusted in each targeted SAP back-end system (recommended value: 2047 MB).

The solution now provides a new functionality called “Business Rule Parameters” (BRPs) that allows organisations to create a specific list of parameters. BRPs are used during the execution of continuous monitoring business rules in order to filter data and set pre-defined deficiency criteria. The benefit is quite clear here: avoid the creation and maintenance of a very large number of business rule variants (each variant having its own set of deficiency and filter criteria), as this would drastically increase the creation and maintenance effort. Just make sure that you also have “housekeeping” rules in place to ensure that all your parameters are always up to date! Note that in order to enable this functionality, you will need to add new authorisations to the role(s) in charge of business rule maintenance.
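To make the two points above concrete (a date filter narrowing the extraction, and BRP-style parameter sets replacing one rule variant per organisation unit), here is an added Python stand-in with constructed sample data; it is not BRFplus/ABAP and not SAP's own code, and the invoice record shape, the rule logic and the parameter names are assumptions for illustration only.

```python
"""Python stand-in for a continuous monitoring rule driven by Business Rule
Parameters (BRPs). Constructed example: not BRFplus/ABAP, not SAP's own code."""
from collections import defaultdict, namedtuple
from datetime import date

# Assumed shape of one extracted vendor invoice record.
Invoice = namedtuple("Invoice", "company_code vendor reference amount posting_date")

# BRP-style parameter sets: one rule definition with one parameter set per
# organisation unit, instead of one rule variant per company code/threshold.
BRP_SETS = {
    "DE01": {"company_code": "DE01", "min_amount": 1000.0},
    "FR01": {"company_code": "FR01", "min_amount": 500.0},
}

def duplicate_invoice_rule(invoices, brp, date_from, date_to):
    """Deficiency criteria: same vendor + reference posted more than once in the
    window, with a combined amount at or above the parameterised threshold."""
    groups = defaultdict(list)
    for inv in invoices:
        # Date filter first: it narrows the data set before any aggregation.
        if not (date_from <= inv.posting_date <= date_to):
            continue
        if inv.company_code != brp["company_code"]:
            continue
        groups[(inv.vendor, inv.reference)].append(inv)
    deficiencies = []
    for (vendor, ref), hits in groups.items():
        total = sum(i.amount for i in hits)  # aggregation: count and sum
        if len(hits) > 1 and total >= brp["min_amount"]:
            deficiencies.append({"vendor": vendor, "reference": ref,
                                 "count": len(hits), "total": total})
    return sorted(deficiencies, key=lambda d: (d["vendor"], d["reference"]))

SAMPLE = [  # constructed sample data
    Invoice("DE01", "V100", "INV-1", 800.0, date(2016, 9, 5)),
    Invoice("DE01", "V100", "INV-1", 800.0, date(2016, 9, 20)),  # 1600 >= 1000: deficiency
    Invoice("DE01", "V200", "INV-7", 300.0, date(2016, 9, 8)),
    Invoice("DE01", "V200", "INV-7", 300.0, date(2016, 9, 9)),   # 600 < 1000: not reported
    Invoice("FR01", "V300", "INV-2", 300.0, date(2016, 9, 1)),
    Invoice("FR01", "V300", "INV-2", 300.0, date(2016, 8, 15)),  # outside the date window
]

def run_all(brp_sets=BRP_SETS, date_from=date(2016, 9, 1), date_to=date(2016, 9, 30)):
    """Run the single rule once per BRP set; returns findings keyed by set name."""
    return {name: duplicate_invoice_rule(SAMPLE, brp, date_from, date_to)
            for name, brp in brp_sets.items()}
```

Lowering a threshold or adding an organisation unit is then a change to a parameter set, not a new rule variant, which is exactly the maintenance saving the BRP functionality is meant to deliver.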

Improve reporting and tracking


Generating clear and custom reports is quite critical in order to ensure smooth end-user adoption. The solution provides an easy way to change the text of the existing column headers of each pre-delivered report via an IMG step called "maintain report column settings". You don’t have to modify the name of control fields/attributes at the control master data level, because this activity would require some modifications to the data dictionary (you can live with it from an operational perspective!). As an example, you can decide to convert the name of the standard field “Significance” (defined at the control level) into a custom report header called “Control Classification”. The automated conversion mechanism will allow you to tailor any report (e.g. the Risk and Control Matrix report) in order to make it more appealing to the target audience/recipients.

The solution provides two standard and pre-delivered reports that in my opinion are undervalued: "Test Status by Organisation" and "Test Status by Process". These 2 reports provide a high-level overview of the overall number of controls included in a specific evaluation time frame, together with the percentage of control evaluations that have been performed and failed. They also provide a quick overview of the number of controls that have not been remediated. I personally think that these reports produce great statistics (per regulation, organisation and process) and allow you to quickly track a wide range of control evaluation activities (such as control self-assessment, control design effectiveness and control operating effectiveness activities).

Stay tuned as I will be releasing additional posts related to the SAP Process Control solution in the next few months. The next one will probably focus on key areas that your auditors will scrutinise during a functional and technical review (and how to ensure that they can place reliance on the solution).

I hope you enjoyed the reading and feel free to provide additional “simple things” that can
make a difference!

If you would like to read my future posts then please follow me.

Opinions expressed are solely my own and do not necessarily express the views or
opinions of my employer.

6 Comments
Hassan Javed, Manager at EY (10mo):
Hi Ralph, hope you are doing well? Thanks for sharing key points, useful stuff.
One quick point, I totally agree that "Test Status by Organization" and "Test Status by Process" are undervalued and underused reports, however I found it surprising that…
A Emmanuel, Senior SAP GRC Consultant at Winterhawk Consulting EMEA, Asia Pacific and Oceania (4mo):
like
