SAP Process Control is designed to transform manual assessments into automated control schedules and checks. GRC 2013 speaker Tracey Rust of Integrc recently took questions on how to get the most from this tool, in a Q&A moderated by GRC 2013 producer Matt Moore.
In advance of Tracey's session at the GRC 2013 conference in Amsterdam, this Q&A covers topics such as Process Control implementation planning, how to avoid data migration issues, the use of Adobe forms, performance and change management, ensuring correct filter values, optimizing dashboards, and more.
You can read the full text of the Q&A in Insider Learning Network's Compliance Forum, or read our edited transcript here.
Matt Moore: Welcome, everyone, and thanks for joining us today.
Today, Integrc's Principal Consultant Tracey Rust is joining us to take your questions on SAP Process Control. Most recently, Tracey's role has focused on controls design and automation, and she has led a global transformation program to implement SAP Access and Process Control.
Tracey will be presenting a session dedicated to SAP Process Control at the upcoming GRC 2013 conference in Amsterdam.
Welcome, Tracey, and thank you very much for taking the time for today's Forum!
Tracey Rust, Integrc: Hi all and welcome to the session.
Matt Moore: I do have one question to start things off -- a business question before we get into more details about filter values, reporting and data:
In your GRC 2013 session, you cover typical use cases for Process Control. For those evaluating this solution, where in the business do you see PC now? Any tips for preparing for a new implementation?
Tracey Rust: The key areas are to consider the GRC maturity of the client and assess the degree of automation that can be offered -- the aim being to reduce the burden and cost of manual-based tests. This not only increases assurance but also helps offer cost reductions in control management.
Matt Moore: Can you elaborate a bit on GRC maturity and what specifically to consider?
Tracey Rust: When I say GRC maturity, I refer to the maturity of the business approach to their control and risk matrix. In some cases a client may have a very mature RACM that has taken years to refine, and we must not lose sight of that investment. Hence the automation of the manual activities can be focused on this as a starting point. Once these automated controls are in place you can then look to extend the breadth of the framework further.
In other situations, the client may be just at the start of their GRC journey. The use of the solution and its design can help them refine their RACM and take it to the next level.
M.S. Hein: Tracey, good morning.
Can you give a few tips on preparing for -- or avoiding -- data migration issues with Process Control? Thanks.
Tracey Rust: Assuming when you refer to migration you mean across the GRC landscape, then the main thing is to think ahead.
The data within PC is moved using three different tools: CLM, ABAP Transport, and manual. CLM and ABAP transports provide a controlled mechanism for migrating the data across the GRC landscape. Manual changes, of course, are more difficult to manage. I would always ensure that within the migration a full data validation and sign-off by the client/auditor is in place.
Matt Moore: With all the automation that comes with Process Control, user adoption is still critical to take you through to remediation. Can you share a couple of your best practices for optimizing dashboards and forms for the managers who need to respond to alerts? Is this where Adobe Interactive Forms can be used?
Tracey Rust: When it comes to dashboards, my recommendation is to invest the time in gathering your requirements. Make sure you really understand what each setting means. Sometimes people focus too much on how it looks rather than what goes in it.
In relation to Adobe forms, the standard form covers a wide area of Survey assessments, manual test plans, and elements of Risk Management. As a result, the form can look a little complex for the user. Tailoring the form to suit the client is a good solution, but do so with caution to ensure that you are not removing things that will be needed in the future.
The use of the interactive forms opens up a whole new approach to the controls solution. No longer do you ask a senior Finance Director/Risk Manager to log on to a system. They can just complete their responses in a form that arrives via their email.
Currently this functionality does not exist with the continuous monitoring area of the system.
HeraleenBowers: Is there any documentation about best practices to integrate GRC Process Control with GRC Access Control? Our implementations are currently separate, but we may get an opportunity to integrate them in the future, and we are wondering how to best get them working together to improve our return on investment.
Tracey Rust: There is a document that covers the details of how the AC and PC elements of the system integrate. I am not aware that this is specifically a best practice document, more of an overview of the options. There are some key points that you should always look for. The top 3 being: Organizational Structures, Connectors, and Controls.
Dave Hannon: Tracey,
Thanks for taking our questions today. I have two questions (at opposite ends of the spectrum).
First, are there any common tips or practices for improving the technical performance of Process Control? Sizing suggestions or version/integration concerns?
Secondly, when I hear "automation" I immediately think change management. Do you have any suggestions on areas that organizations might want to pay particularly close attention to -- in terms of org change management -- when increasing the automation in PC?
Tracey Rust: Hi,
In relation to technical performance, we always start with the SAP sizing guide and take it from there. This is within the Basis area of expertise.
You may find that you experience communication issues for some controls; however, these tend to be when a data set is very large. The key here is to schedule the control more frequently.
Yes, automation and change management are linked. I would always recommend a set of automated controls that are designed to ensure your GRC PC system stays in line with any changes to the connected ECC systems. For example, if within PC you have selected certain company codes as within scope of your controls, you must ensure you can flag if these filters need updating if a new company code is created. Automated controls can be set to do this.
Remember, monitoring by exception means they run in the background and only send something to the user if an issue is identified.
Mark Bridges: Dave,
For sizing have a look at the following:
Sizing guide SAP GRC 10.0 (Access Control and Process Control): service.sap.com/sizing. Once on the web page, open "Sizing Guidelines --> Analytics" in the menus on the left-hand side to find the documents.
You will need an SAP Service Marketplace ID to be able to access this area.
The only version/integration you need to take into account is if you are looking to run GRC 10.0 with an existing Access Control v5.3 that will communicate to the same ECC systems. There are specific patch levels for the plug-in that are applied to the ECC systems to ensure they can co-exist.
Ken Murphy: Hi Tracey, how does Process Control help assess IT preventive controls and IT dependent controls?
Tracey Rust: Hi Ken,
That's a big question. I could write for hours!
The main value is the ability to monitor by exception. The controls, once in place, are scheduled based upon a timetable (or ad hoc if needed), but only when an issue is identified would the owner need to take corrective action. All the while, assurance data is being collected.
This allows you to expand the breadth and frequency of your control testing.
The largest initial impact tends to be in the areas of Procure to Pay or Record to Report (also Finance to Manage) process areas, but controls can cover the whole breadth of the business processes.
My suggestion is to make sure you understand the key risks you are addressing and focus the control automation in those areas.
Bette Ferris: Hi Tracey,
I understand that setting the right filter controls is a key step. Can you give a few pointers on setting up and checking filter values to ensure that they are correct? And do you have a recommendation on reviewing values on a regular basis?
Tracey Rust: Hi,
The use of filter values is key. They define the scope of your control tests and can be very effective if the supporting ECC systems have been in place for some time and have some old data or configuration that is not used but still in the system.
The only standard way to check these is to do so manually, and it can be difficult and time consuming to do this. As a result we developed our own tool to extract these values to allow for validation.
I would also suggest a set of automated controls are in place to monitor anything used within a filter value. So, for example, in PTP you may filter on purchase document types. If this is the case you need to know if someone creates a new one in the supporting ECC system.
Rather than having a dependency on a manual change management process, you can monitor this using an automated control that shows an exception when a new purchase document type is created. This is then the trigger that is used to update the filter in GRC PC -- of course, assuming the change in the ECC system, etc., has been approved.
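The two automated controls Tracey describes (a new company code created in ECC while the PC control is scoped to a fixed list of company codes, and a new purchasing document type created while the PTP control filters on document types) are both instances of one drift check: compare what the connected system has now with what it had at the last run and with what the PC filter says is in scope, and raise an exception only when something needs a decision. The Python below is an added illustration of that check, not code from SAP, Integrc, or the original Q&A. The snapshot and filter dictionaries are constructed sample data; in practice the ECC side would be extracted from the connected system (for example company codes and purchasing document types from their configuration tables) and the filter side from the rule's filter values in GRC PC. The dimension names and codes are assumptions chosen for the example.

```python
"""Filter-value drift check for monitoring-by-exception (added example, constructed data).

Three inputs per filter dimension:
  previous  - value set seen in the connected ECC system at the last run
  current   - value set in the connected ECC system now
  filters   - values the GRC PC rule currently treats as in scope

Findings are raised only where someone must act, so a clean run returns [].
"""
from dataclasses import dataclass

# Constructed sample data, not extracted from any real system. Keys are the
# filter dimensions a PC rule might scope on; values are the configured codes.
PREVIOUS_ECC_SNAPSHOT = {
    "company_code": {"1000", "2000"},
    "purchase_doc_type": {"NB", "FO", "UB"},
    "plant": {"0001", "0002"},
}
CURRENT_ECC_SNAPSHOT = {
    "company_code": {"1000", "2000", "3000"},        # 3000 created since last run
    "purchase_doc_type": {"NB", "FO", "UB", "ZNB"},  # ZNB created since last run
    "plant": {"0001", "0002"},                       # unchanged
}
PC_FILTER_VALUES = {
    "company_code": {"1000", "2000"},
    "purchase_doc_type": {"NB", "FO", "ZOLD"},       # ZOLD no longer exists in ECC
    "plant": {"0001"},                               # 0002 deliberately out of scope
}


@dataclass(frozen=True)
class FilterDrift:
    dimension: str
    created: frozenset[str]       # in ECC now, absent last run: filter needs a review
    stale: frozenset[str]         # in the PC filter, absent from ECC: filter is dead
    out_of_scope: frozenset[str]  # in ECC but not filtered in: informational only

    @property
    def is_exception(self) -> bool:
        # Values that were deliberately excluded are not an exception by themselves;
        # only a newly created value or a filter entry pointing at nothing is.
        return bool(self.created or self.stale)


def check_filter_drift(
    previous: dict[str, set[str]],
    current: dict[str, set[str]],
    filters: dict[str, set[str]],
) -> list[FilterDrift]:
    """Return one FilterDrift per dimension that needs attention, sorted by dimension."""
    findings = []
    for dim in sorted(set(current) | set(filters)):
        cur = current.get(dim, set())
        prev = previous.get(dim, set())
        flt = filters.get(dim, set())
        drift = FilterDrift(
            dimension=dim,
            created=frozenset(cur - prev),
            stale=frozenset(flt - cur),
            out_of_scope=frozenset(cur - flt),
        )
        if drift.is_exception:
            findings.append(drift)
    return findings


def format_exceptions(findings: list[FilterDrift]) -> str:
    """Render findings as the text a control owner would receive; empty when clean."""
    lines = []
    for f in findings:
        if f.created:
            lines.append(f"{f.dimension}: new in ECC, review filter scope: {sorted(f.created)}")
        if f.stale:
            lines.append(f"{f.dimension}: filter values no longer in ECC: {sorted(f.stale)}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = check_filter_drift(PREVIOUS_ECC_SNAPSHOT, CURRENT_ECC_SNAPSHOT, PC_FILTER_VALUES)
    # Monitoring by exception: print (or notify) only when there is something to act on.
    if result:
        print(format_exceptions(result))
```

Note that a value missing from the filter is reported but not treated as an exception: excluding a company code or document type from a control's scope is a legitimate decision, and re-raising it every run would train owners to ignore the alerts. The trigger is the creation event itself, which is exactly the point in the approved ECC change at which the PC filter should be revisited.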
Matt Moore: Thanks to all who posted questions and followed the discussion!
A full summary of all the questions will be available here in the Compliance Forum. And, of course, I invite you to our annual GRC 2013 conference in Amsterdam, starting June 11. Tracey will be presenting her session on SAP Process Control and regulatory control. It is sure to be an excellent session, and attendees will be able to take home a recorded demo of SAP Process Control and a controls dashboard to share back at the office.
You can also check out our full list of Process Control-related sessions here.
And finally, thank you to Tracey Rust and the team at Integrc for participating today. Tracey, thanks especially to you for all the great advice. We'll see you in Amsterdam!