Where does automation of internal controls make sense, and how can you integrate controls monitoring into your finance and other SAP ERP processes?
Carlos Jaimes and Marc Jackson of Turnkey Consulting took questions in a recent GRC forum on Continuous Controls Monitoring (CCM), SAP Process Control, and options for reporting and automation, moderated by Matt Moore, conference producer for SAPinsider’s GRC 2013 conference.
Review the full archived Forum, or read the edited transcript below:
Matt Moore, GRC 2013: Welcome to today's forum on Process Control and Continuous Control Monitoring. Taking your questions today are two experts from Turnkey Consulting: Carlos Jaimes and Marc Jackson.
Carlos and Marc will be taking your questions on CCM for finance and other SAP processes. Today’s forum is the latest in a series of GRC Q&As, podcasts, and webinars we’ll be doing with Turnkey Consulting experts.
Carlos and Marc, thanks for joining us today. Carlos, I know your session at GRC 2012 last year covered some of the basics of continuous controls monitoring, and many attendees were evaluating CCM and trying to understand the possibilities for their organizations, especially in finance.
Any misunderstandings about CCM functionality that we should start with here?
Carlos Jaimes, Turnkey Consulting: Hi Matt,
CCM is sometimes confused with CTM (Continuous Transaction Monitoring), which is a different type of monitoring. It is also confused with Continuous Auditing, which essentially has a different set of stakeholders.
CCM is basically a functionality in GRC designed to monitor mainly automated controls from your ERP system. CCM covers a wide variety of standard configuration controls which can be monitored by enabling the specific rules and setting parameters to tailor your needs. An example of a CCM control is changes to exchange rate tables outside set tolerance levels.
Matt Moore: Thank you. And can CCM support closing activities such as document posting, recurring entries, and material price changes?
Carlos Jaimes: It will not support closing activities as such, but if there are changes to any of the automated configuration controls involved in the closing activity process, recurring entries, material price change, etc., it will be picked up as a CCM exception, which will then need to be followed up to ensure changes were done according to the established change management procedures in the organization.
Matt Moore: Also, how does CCM differ from CTM in the SAP system?
Marc Jackson, Turnkey Consulting: CCM is primarily used for monitoring controls which rely on application configuration or master data which shouldn't be changed very often, if at all. Whereas CTM is used for monitoring and interrogating large volumes of transactional data to check for inappropriate or suspicious-looking transactions. For example, this could include duplicate invoices, or use of split POs to circumvent purchasing limits.
markusblatter: Hi Marc
Long time no see... SPEAR:-)
Not sure if it fits in here, but I posted a question beforehand. SAP promotes PC to be able to handle "event based" monitoring. This is true, but how these events are generated is up to the customer. Is there even a suitable technology out there which is able to monitor, for example, ECC6.0 and raise events? Or is polling the only option?
Marc Jackson: Hi Markus,
I remember the SPEAR days very well! In answer to your question, there are various different ways of triggering alerts, but probably the best method in your situation would be to use SAP Process Control's event-driven monitoring.
This uses triggers from the back-end system and then raises the alerts in Process Control directly, rather than waiting for a regular scheduled job to run. This is the closest you get to real-time monitoring, as it raises the exception based upon the configured thresholds.
markusblatter: Sorry for the late reply... my mobile hot spot is a bit shaky.
Thanks for the answer! I checked PC's event-driven monitoring. But all it covers in the documentation is the GRC side, not the back-end. Are these triggers which need to be set up on the back-end system part of the GRC suite or a separate software/tool?
I talked to a guy who did the tutorial for event-driven monitoring and he said in the example, they used a Cisco network device to raise events...
Marc Jackson: Hi Markus,
You're right in that event-driven monitoring does require some external 'event engine' to determine when an event has been triggered which should be sent to Process Control. This can be Cisco or other external software.
In any case, you'll have to make sure that the connection to SAP is 2-way, and that the RFC queues are enabled to transmit the data out of SAP to this event engine.
markusblatter: Right! Hmm, I don't have a client with this requirement currently, but to me this seems like something very exciting to check out.
Did you guys implement a solution like that already? Sounds a little bit like SAP's "wishful thinking" to monitor a back-end this way.
Marc Jackson: We haven't had a client as yet whose requirements involved the use of an event engine. However, we have used the same concept as event-based monitoring with the use of HR triggers in Access Control.
markusblatter: ...sounds interesting, I just read that this is possible in theory!
Thanks for the discussion Marc and Carlos
M.S. Hein: Hi, Carlos and Marc. I have a question. Could you clarify the difference between SAP Risk Management and Process Controls solutions? Does SAP Risk Management software cover some of the same configuration controls as well? Thanks so much.
Marc Jackson: SAP’s Risk Management solution is intended to be a more overarching tool to identify, define and manage enterprise risk. By this, we mean the risks which might prevent the enterprise from achieving its business objectives, e.g. governmental policies which might prohibit trade, or raw material supply issues for utilities or oil & gas businesses.
Risk Management provides a set of tools to aid in this identification and to categorise those risks but when it comes to the actual mitigation, it is normally the case that you'd use additional tools such as Process Controls or Access Controls to manage them.
For example, it might be that a risk in Risk management relies upon configured controls identified in SAP Process Controls to prevent the risk being realised or that the access to perform that function is supported by access management controls in place supported by SAP Access Controls.
Dave Hannon: Carlos, Marc,
Thanks for answering our questions. I'm curious about the benefits/differences control owners see in monitoring with CCM. Can CCM automate some of the actual testing and monitoring that would normally be done by control owners?
Marc Jackson: Hi Dave,
Good question. Carlos and I have just discussed this and here's our view:
First, it's good to clarify that Process Control has primarily been designed for testing controls, rather than operating them. That's quite evident in the terminology (e.g. an exception creates an issue, which is not always the case as it might just be the control doing its job - although the term issue is relevant for testing) and workflow (e.g. you wouldn't want exceptions to go through the remediation workflow process if you were using Process Control for control operation purposes rather than testing).
Regarding truly automated controls (e.g. configurable controls), Process Control can be used to perform the testing on behalf of the control owner.
For semi-automated and manual controls, there will still be a degree of effort required by the operator/tester, although you can use Process Control to help deliver the relevant information to them. However, it doesn't remove the accountability from the control owner (in fact it will enhance accountability), it will just change the way they do things.
Matt Moore: Hi Carlos, Another question on your GRC 2012 presentation. It also focused on CCM scenarios specifically for finance – not just how controls are improved to manage exceptions, but how tighter controls improve profitability. Can you please explain that a little more in-depth?
Carlos Jaimes: Hi Matt,
In my presentation I focused primarily on finance controls; however, I also looked into other core business areas such as HR and treasury. Controls need to be balanced in order to bring benefits to the business. Too many controls can become costly to maintain, so having fewer, tighter controls would help reduce costs in this area.
Monitoring your configuration controls in an automated way can save money and time, as the effort would be focused on investigating your exceptions (if any), rather than testing.
Carlos_Ochoa: Hi, I have a question. As you know, CCM does not have a nice dashboard like the heat map in Risk Management; maybe a BO dashboard is a solution. What can you tell us about it?
Marc Jackson: Hi Carlos,
There are default dashboards available in Process Control, but like most out-of-the-box reporting solutions, they usually require some tailoring to make them useful for the individual client. For this, you can use the in-built Crystal reporting capability or use the standard BI content to deliver this through an alternative reporting platform such as BI or BO.
The focus of CCM is to provide and facilitate a per-transaction alert so you can react at the point of transaction, almost as it happens.
Matt Moore: Thanks again for participating in today’s forum, and a special thanks to Carlos Jaimes and Marc Jackson of Turnkey Consulting.
For additional GRC information, the GRC Forum archives past Q&As with Turnkey Consulting’s Richard Hunt, Simon Persin and other GRC experts. You can also post your questions for the entire community by selecting "New Thread" in the GRC Forum.
Thanks for joining us, and I look forward to seeing you all at GRC 2013 in the US.
Thanks again for a great discussion!