One of the world's largest international tobacco growers, producers, distributors, and retailers, which operates nearly 50 factories in close to 200 countries, realized that to remain competitive and prosperous it needed to reduce the complexity of its business structure, specifically the roughly 20 global instances of ERP systems it maintained. Over the years, this landscape had led to a host of localized business processes and a complicated controls environment. There was a robust process to manage internal controls, but also a clear opportunity to improve visibility into control design and effectiveness across the group.
With the goal of reducing complexity throughout all aspects of the organization, including its controls environment, the business embarked on a massive implementation program, which aimed to transform nearly every area of operations. This project involved upgrading existing technologies, evolving how the business works with suppliers, as well as how it takes products to market and engages with customers. A primary goal was to consolidate the environment to as close to a single ERP instance as possible.
For an implementation of this magnitude, which covered every element of the organization, evolving business processes and putting controls in place to manage and mitigate risk across the business was imperative. The business wanted a solution that could help design a sustainable process for its controls operation throughout the company. The business looked to overhaul its governance, risk, and compliance (GRC) toolset to enable a robust controls platform in which to manage its newly streamlined business processes.
Automating this controls environment was also a priority to create more sustainable controls and testing processes on a global scale. Moving away from a more manual system would decrease the risk of human error; eliminate disparate controls repositories (each with its own localized knowledge base, details, design elements, and different technology sets to address); simplify the audit trail; and alleviate auditing concerns, especially from a segregation of duties (SoD) standpoint. Implementing a system where controls are neither created and approved manually at a local level nor kept in a siloed control repository would improve the global controls remediation activities.
As part of the implementation initiative, a controls team was established to set up a central controls capability and create a controls framework that linked risk, control, and assurance; promoted efficiency through the rationalization of controls; provided visibility to manage the effectiveness of controls; and ensured the central team could readily address the predicted future compliance standards requirements.
The team members worked closely with process leads to ensure they designed the appropriate controls within each business process and quickly found there was a gap in terms of technology. Traditionally, each entity would manage its controls via a variety of tools including Microsoft Excel, but the business determined it needed a tool to move this function forward and automate it.
Enter SAP Process Control
In part because many of the company’s process controls were running in its ERP environment, and in part because it was already using SAP Access Control, the company decided to implement SAP Process Control to bridge these gaps and centralize its controls platform. SAP Process Control was chosen because of its out-of-the-box functionality for monitoring a centralized controls repository, and also its ability to support the company’s goal of continuous controls monitoring (CCM) for high-priority controls, such as for finance-related processes.
The CCM efforts were important to the business because of the ongoing ERP convergence; the intent in implementing SAP Process Control wasn’t to create controls for existing processes, but instead to enable management of controls for the new business processes that were being rolled out globally in line with the transformation initiative. With CCM, the business had visibility into this new, untested landscape by tying controls monitoring into its larger ERP Utilization project, where it assessed its entire ERP environment to ensure it was maximizing its ERP investment. Having SAP Access Control in place facilitated CCM because it naturally integrates with SAP Process Control as part of the SAP solutions for GRC, so as the business rolled out new processes, it could monitor controls from both a design and effectiveness perspective.
Buy-in for SAP Process Control was facilitated by already having a controls team in place as part of the transformation initiative. This team had already done a lot of the legwork in determining that a robust controls platform was a necessity as the business reinvented many of its operational processes. The value was clearly apparent.
Flipping the Switch
The SAP Process Control rollout piggybacked on the larger implementation initiative. The company created a pilot program for bringing certain markets onto the corporate ERP instance, and as those markets adjusted to the change, such as reallocating personnel according to the centralized controls repository and remediating ensuing SoD conflicts, SAP Process Control also went live. So while SAP Process Control essentially followed a big-bang approach in that it was available globally, it was only made functional when necessitated as certain markets (30 in total so far) went live with the project.
As a tool for the ERP Utilization project, SAP Process Control was integral to each market’s self-assessment requirement. By accessing the controls repository and adjusting processes accordingly, each business or end market could report where it was in aligning to the new controls framework.
CCM is at a key stage in parallel with the out-of-the-box reporting on the new controls platform. Running the CCM in the markets that have gone live is giving the company a line of visibility into controls operation and evaluation. Dashboard reports are then fed back to the regions and businesses that still have to go live.
A New Look
This single source of truth in GRC reporting was a newfound benefit that the business realized almost immediately after its first markets went live with SAP Process Control. Now, it is easier for end markets to capture information and share it across the business simultaneously on a global level. Because SAP Process Control is a single common database, everything can be cascaded downstream or consolidated upstream. Having this centralized reporting was a big driver for the new controls platform for the business. SAP Process Control brought a host of other benefits to the business, such as:
- Improved reporting that allows senior managers to see what controls they want to maintain going forward
- Overall transparency that allows all stakeholders to more quickly and easily identify issues
- Decreased costs associated with testing by standardizing procedures and eliminating duplicate activities
- Reduced risk of human error due to automation
There was some initial resistance from users to overcome. Overall, centralization throughout the organization was a big adjustment for end markets that were accustomed to their own processes, controls, and data.
The members of the project team, however, considered the mindset change a real opportunity. Now, with end markets monitored in terms of controls, they can see who is (or is not) compliant, or where a market is in its controls journey through the required self-assessment. They had some pushback, but it was a challenge they took head-on. Right from day one, they were up-front about the scope, the deliverables, and the impact on specific regions. And this early communication helped knock down any resistance.
Disparate controls repositories have been replaced by a central, consolidated repository with roughly 1,000 controls that have been standardized into SAP Process Control. And with the end markets now accessing the same controls, monitoring and testing procedures are moving toward standardization across the organization. Potential SoD conflicts are also now easier to identify and mitigate with end markets sharing common process controls.
The business can identify and analyze exceptions very quickly, it has corrective controls remediation, and through SAP Process Control, it can prioritize and manage remediations. At a basic level, the business is now in a position to better see which controls it wants to maintain going forward and which are no longer required. And with the overall transparency, with every stakeholder being able to see where the problems are, there are fewer surprises.