When you choose an internet browser home page, program your DVR to record a series, or assign specific ringtones for various contacts in your mobile phone, you’re establishing personal communications process controls, a set of standards to help simplify how you consume and manage information.
For millions of people around the world — particularly in Europe, the Middle East, Africa, and Asia Pacific — that communication is made possible by Vodafone Group. With nearly a half-billion mobile subscribers, about 14 million fixed broadband customers, and roughly 10 million TV customers, Vodafone is one of the largest telecommunications companies in the world, serving a combined 84 local or partner markets and affiliates. In 2011, the company established a vertical function to oversee financial operations for processes managed by a single SAP ERP Financials instance, touching more than 100,000 users.
The establishment of this group created a need for more stringent control management and extended monitoring. At the time, controls beyond those in place to satisfy Sarbanes-Oxley requirements were managed at the local market level and were mostly manually driven with low levels of control automation. A controls repository reflected this localized nature of controls management with a focus more on aggregation than standardization.
It was time, in other words, for Vodafone to do what its millions of customers do every time they customize communications: set standards and simplify how it managed financial operations and controls on a global scale.
“We wanted more control, but fewer controls,” says Sara Heuer, Group Head of Finance Processes and Controls at Vodafone Group. “Where possible, we wanted to use standard control sets across the business’s geographical footprint and within our processes themselves, but with flexibility depending on the process itself, the maturity of the business, or the business priority and focus.”
A focus on standardization and simplification was one of four “golden rules” that Vodafone set to guide the company through establishing a tighter controls framework. The other rules were to establish clear baselines, heighten awareness throughout the organization, and derive maximum value from whichever controls solution it selected.
Establishing a baseline was important because the global scale of the project required a thorough analysis of which processes to target. Vodafone had to fully understand its processes before implementing a controls framework, which required the groundwork of a detailed risk mapping and end-to-end process documentation. Fortunately, a lot of processes had been standardized while rolling out the global ERP system and documented using a third-party process modeling tool. This baseline fed into the simplification and standardization requirement because by following this path Vodafone could more easily determine how to extract value from a controls solution.
The challenge in this undertaking, according to Heuer, was that a shift from a local to global approach needed extensive communication as users were accustomed to processes and controls being conducted a certain way. “Standardization was a difficult task because while we had to focus on the areas where we needed to standardize, we also had to give people a voice and try to understand what level of localization we could tolerate versus the level of localization everyone wanted,” she says.
Raising organizational awareness helped diffuse the situation by creating a shared goal, and showed users that more efficient controls could be a personal as well as a business benefit by simplifying their day-to-day jobs. Throughout the project, team leads attempted to keep everyone engaged in the project’s success to clearly demonstrate that the value started with the users. This was done in several ways, including with a “Controls Carol” avatar that Vodafone leveraged as a kind of project cheerleader, appearing in videos to celebrate project achievements or milestones.
As for the controls solution itself, the thinking behind this rule stemmed from a desire to maximize the investment. Heuer says that it wouldn’t have made sense for the company to go through all the work of achieving a new controls framework and then let items slip through the cracks by not targeting the maximum number of geographies, markets, processes, or even users.
A Clear Connection
Vodafone identified and selected SAP Process Control as the tool best suited to the parameters and requirements spelled out for the project. Three main factors played into the decision.
First, with a single instance of SAP ERP Financials, users were already familiar with how processes — such as record-to-report and procure-to-pay — run in an SAP environment, so an SAP solution for monitoring those processes from a controls standpoint would likely have easy user adoption. Second, it offered seamless integration into SAP ERP with added benefits of some strong functionality. Third, the solution could be implemented relatively quickly.
“We went from talking about it to actually implementing it in a short period of time,” Heuer says. “Being able to implement this quickly was a key driver, and it took just 16 weeks to achieve our initial go-live.”
A fast implementation was possible mainly due to the extensive groundwork Vodafone completed in advance of go-live. This included the 2015 kick-off of its controls standardization and rationalization project across major markets, during which the company identified three types of controls: standard, generic, and local. This initiative was a major factor in the condensed SAP Process Control implementation, and led to an approximate 90% adoption rate in major markets shortly after implementation of the new controls.
“Having a standard control suite made life a lot simpler, not only internally but also for external audit purposes due to leveraging economies of scale — the same controls to be operated, tested, and monitored across all markets,” Heuer says.
Continuous controls monitoring with SAP Process Control significantly enhanced Vodafone’s governance capabilities, where prior to implementation, the company had procedures in place for no more than two or three controls, and even those entailed a lot of discussions with external audit to ensure reliance.
“We have gone from those two or three controls to having 60 in place by 2016, with another 60 in the works,” says Heuer. “We’re seeing that it’s easier to do than people thought possible, and with automation there are fewer surprises — so whereas before we had a lot of dialog with our auditors around certain procedures, now it’s very smooth.”
We wanted more control, but fewer controls. We wanted to use standard control sets across the business’s geographical footprint and within our processes themselves, but with flexibility depending on the process itself, the maturity of the business, or the business priority and focus.
— Sara Heuer, Group Head of Finance Processes and Controls, Vodafone Group
Fewer Dropped Calls
Vodafone implemented more than 40 automated controls to monitor SAP configurations on a regular basis, with alerts in place for any changes. To ensure that flagged incidents were addressed, the business elected to follow the three-lines-of-defense type of approach — enabled by SAP governance, risk, and compliance (GRC) solutions — as it mirrors the Committee of Sponsoring Organization (COSO) framework used within the group. Vodafone established a supporting second-line-of-defense team between the first line of defense (control owners) and the third line of defense (internal audit), responsible for verifying that controls and tools are all monitored accurately.
“A second line of defense allows us to ensure accurate control activities from the first line, and take some of the heavy lifting away from internal auditors to let them focus on value-added assurance pieces,” Heuer says. “It also allows for a lot more transparency.”
To complement its continuous control monitoring, Vodafone implemented SAP Fraud Management to detect, investigate, analyze, and prevent irregularities or fraud in high-volume environments, including travel and expense and accounts payable.
With three lines of defense in place, increased automation at work, and SAP Process Control running approximately 1,500 controls for finance processes on a global scale, Vodafone has experienced fewer controls issues than before.
“When we formulated a controls strategy, we wanted it to be broader, faster, smarter, and more efficient, and we’ve accomplished those goals,” Heuer says. “We are broader both in terms of our geographical footprint and control coverage, and faster in that continuous controls monitoring produces results more quickly, intelligently, and efficiently because of the increased automation. We weren’t afraid to dream big and have many conversations about how big that dream could be.”