How does the market think?
In a survey about Governance, Risk and Compliance ([KPMG19]), 57% of participants stated that only 10% of their internal control framework consisted of automated controls. However, 72% of participants identified control automation as a top priority. During the International SAP Conference on Internal Controls, Compliance and Risk Management in 2021 ([TAC22]), participants were asked several questions related to internal controls and their automation.
Figure 1 shows that 57% of the respondents would like to improve automated testing of their internal controls; 50% of respondents indicated that automated control testing and risk monitoring would be the highest priority on their GRC digitalization roadmap. However, 56% of respondents also stated that there are no technologies leveraged (yet) to automate their control testing.
Figure 1. Poll results from the International SAP Conference on Internal Controls, Compliance and Risk Management ([TAC22]).
Why automation, and what can we automate?
Organizations are aiming to automate the testing of controls, but why? Because automation leads to increased assurance while less effort is spent on manually performing or testing the control. This is described with practical examples in [Klei16], where the cost savings, the increase in assurance and the increase in quality were calculated for an example control (possible duplicate vendor invoices). Once control testing is automated, the frequency of testing can be increased until it becomes continuous. When the automated testing or monitoring of controls does become continuous, there are additional benefits. A publication from The Institute of Internal Auditors ([Code05]) states about continuous auditing: “The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that results in timely notification of gaps and weaknesses to allow immediate follow-up and remediation.” While continuous monitoring or testing is primarily the responsibility of the 2nd line of defense and continuous auditing lies with the 3rd line of defense, the statement applies to both: continuous monitoring or testing leads to timely notification of gaps and weaknesses and enables immediate follow-up and remediation.
The similarities and differences between continuous auditing and continuous monitoring are shown in Table 1.
Table 1. Continuous auditing versus continuous monitoring.
In summary, continuous automated testing or monitoring of controls is interesting for organizations as it is cost efficient, has a high level of reliability and allows for timely notifications and follow-up.
While the testing or monitoring of almost any control can be automated to some extent through periodic data analytics, robotics, small scripts in Python or even macros in Excel, [Gies20] describes that this is easiest for configuration and authorization controls, which are automated in nature because they are programmed or configured directly in the application. IT-dependent controls (e.g. controls based on a report) have slightly less potential for automation, followed by fully manual controls and procedural controls (e.g. both the CFO and the CEO need to physically sign a document while in the same room), for which automation is less straightforward.
While both continuous auditing and continuous monitoring are relevant and interesting topics, the remainder of this article will focus more on the continuous monitoring capabilities of selected tooling.
Systems and tools for automation
There are different systems and tools that have capabilities for continuous control monitoring. Some examples are MetricStream, SAI360, ServiceNow and SAP. Some might even say that these capabilities can also be met with Robotic Process Automation (RPA) and low-code platforms. While this is probably correct in theory, the costs of setting up and maintaining such RPA or low-code solutions are not always considered in the business case. An example is the cost of developing an RPA robot: this often requires a specialized developer or team to gather requirements and to develop, test and deploy the robot. If the process changes after the RPA solution is live, the robot needs to be adjusted accordingly, which again takes time from the specialized development team. Other tools, such as GRC tools, are often owned by the internal control function and usually require less effort from IT or specialized teams.
Organizations that use SAP as their main ERP or financial system often use an SAP solution for continuous monitoring. SAP currently offers two solutions that can be leveraged for the automated testing of controls and for continuously monitoring them: SAP Process Control (part of SAP GRC) and SAP Financial Compliance Management.
SAP Process Control
SAP Process Control is part of the SAP GRC application. It offers, amongst others, capabilities to document controls, to send out workflows for control assessment and testing, to report, and to monitor controls automatically. A detailed overview of this system is provided in [Kimb17]. This article focuses on the automated control monitoring capabilities of SAP Process Control. SAP offers multiple integration scenarios for control monitoring, as highlighted in Figure 2.
Figure 2. Integration scenarios in SAP Process Control.
While there are ten possible scenarios, the four scenarios highlighted in green in Figure 2 are most commonly used. These are further explained in Table 2.
Table 2. Commonly used integration scenarios in SAP Process Control explained.
Once the integration with the target SAP ECC or SAP S/4 system is in place, data sources (essentially a table, a view, or a set of tables and views) and business rules (a rule that determines which records in the retrieved data source are “right” and which are “wrong”) can be set up in SAP Process Control to determine whether the automated control in the target system is configured correctly or incorrectly. If the control is configured correctly, the business rule returns a “passed” result and the control is automatically reported as effective in SAP Process Control. If the control is not configured correctly, SAP Process Control automatically creates an issue workflow and sends it, accompanied by the results of the business rule, to the person responsible for the control for further follow-up. An example of such a workflow task in SAP Process Control is shown in Figure 3.
Figure 3. SAP Process Control Automated Monitoring workflow.
On top of this check, SAP Process Control also offers a change log check. This functionality reads and analyzes the full change history of a table (e.g. the configuration table for the 3-way-match control), provided the table is flagged for change logging. By combining the “regular” configuration check with the change log check in SAP Process Control, 100% coverage can be achieved: the configuration settings of a target SAP system are then monitored completely and continuously, including changes made between two runs of the configuration check.
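The following is an added illustration of the two mechanisms described above (a business rule evaluated over a data source, and a change log check over the table's change history); it is not code from SAP Process Control or from this article. The table, field names, company codes and change log entries are all constructed and hypothetical. It shows why the change log check matters: a setting that is switched off and back on between two periodic configuration checks is invisible to the snapshot-based business rule, but is found when the change history is replayed.

```python
"""Simulated configuration check and change log check for a 3-way-match
control. All data, table layouts and field names are constructed for
illustration and do not correspond to real SAP tables or fields."""

# Constructed data source: one record per company code with its
# (hypothetical) 3-way-match settings, as retrieved at the end of the period.
CONFIG_SNAPSHOT = [
    {"company_code": "1000", "three_way_match": "X", "price_tolerance_pct": 5.0},
    {"company_code": "2000", "three_way_match": "X", "price_tolerance_pct": 12.0},
    {"company_code": "3000", "three_way_match": "", "price_tolerance_pct": 5.0},
]

# Constructed state of the same table at the start of the monitoring period
# (the last snapshot that passed).
BASELINE = [
    {"company_code": "1000", "three_way_match": "X", "price_tolerance_pct": 5.0},
    {"company_code": "2000", "three_way_match": "X", "price_tolerance_pct": 5.0},
    {"company_code": "3000", "three_way_match": "X", "price_tolerance_pct": 5.0},
]

# Constructed change log: (ISO timestamp, company_code, field, old, new).
# Values are stored as strings, as a generic change log would store them.
CHANGE_LOG = [
    ("2022-03-02T09:15:00", "1000", "three_way_match", "X", ""),
    ("2022-03-02T17:40:00", "1000", "three_way_match", "", "X"),
    ("2022-03-10T11:00:00", "2000", "price_tolerance_pct", "5.0", "12.0"),
    ("2022-03-15T08:00:00", "3000", "three_way_match", "X", ""),
]


def business_rule(row):
    """A record is 'right' when 3-way match is active and the price
    tolerance does not exceed 10% (hypothetical control design)."""
    return row["three_way_match"] == "X" and row["price_tolerance_pct"] <= 10.0


def evaluate_snapshot(rows, rule):
    """Regular configuration check: apply the rule to the current data source.
    Returns ('passed' | 'failed', list of deficient records)."""
    deficient = [r for r in rows if not rule(r)]
    return ("passed" if not deficient else "failed", deficient)


def replay_change_log(baseline, log, rule, period_start, period_end):
    """Change log check: replay every logged change within the period on top
    of the baseline state and record each interval in which a record
    violated the rule. Returns (company_code, violated_from, repaired_at),
    with repaired_at None when the violation is still open at period end.
    ISO-8601 timestamps compare correctly as plain strings."""
    state = {r["company_code"]: dict(r) for r in baseline}
    open_violations = {}  # company_code -> timestamp the violation began
    findings = []
    for ts, code, field, old, new in sorted(log):
        if not (period_start <= ts <= period_end):
            continue
        row = state[code]
        # Cast the logged string back to the field's current type.
        row[field] = type(row[field])(new)
        compliant = rule(row)
        if not compliant and code not in open_violations:
            open_violations[code] = ts
        elif compliant and code in open_violations:
            findings.append((code, open_violations.pop(code), ts))
    for code, since in open_violations.items():
        findings.append((code, since, None))
    return findings


def missed_by_snapshot(snapshot, baseline, log, rule, period_start, period_end):
    """Company codes with a violation during the period that the end-of-period
    snapshot check alone would not have reported."""
    _, deficient = evaluate_snapshot(snapshot, rule)
    seen_by_snapshot = {r["company_code"] for r in deficient}
    seen_by_log = {code for code, _, _ in
                   replay_change_log(baseline, log, rule, period_start, period_end)}
    return seen_by_log - seen_by_snapshot


if __name__ == "__main__":
    start, end = "2022-03-01T00:00:00", "2022-03-31T23:59:59"
    status, deficient = evaluate_snapshot(CONFIG_SNAPSHOT, business_rule)
    print("configuration check:", status, [r["company_code"] for r in deficient])
    for finding in replay_change_log(BASELINE, CHANGE_LOG, business_rule, start, end):
        print("change log finding:", finding)
    print("missed by snapshot alone:",
          missed_by_snapshot(CONFIG_SNAPSHOT, BASELINE, CHANGE_LOG, business_rule, start, end))
```

Company code 1000 had 3-way match switched off for a few hours on 2 March and restored the same day; the end-of-period snapshot reports only 2000 and 3000, while the replayed change log also reports the interim window for 1000. In the tooling, each of these findings would be the content of an issue workflow sent to the control owner.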
SAP Financial Compliance Management
SAP Financial Compliance Management is a relatively new solution from SAP. SAP's aim with Financial Compliance Management is to provide a system that can be used to comply with SOx at a low total cost of ownership, leveraging a set of existing, pre-defined monitoring content.
As part of SAP Financial Compliance Management, SAP currently provides 60 Core Data Services (CDS) views in SAP S/4 that can be leveraged. These 60 CDS views are provided out of the box. It is also possible to create additional CDS views that can be read by SAP Financial Compliance Management.
The CDS views are read using so-called “automated procedures” in SAP Financial Compliance Management. These procedures are run to determine whether the control linked to the procedure is effective or ineffective. If the result of a procedure is ineffective, an issue is created for follow-up by the responsible user. An example of such a workflow task in SAP Financial Compliance Management is shown in Figure 4.
Figure 4. SAP Financial Compliance Management procedure results.
SAP Process Control and SAP Financial Compliance Management side by side
Both solutions from SAP can be used for continuous control monitoring of automated controls in SAP target systems. While they are largely similar, there are also some differences. Table 3 shows a comparison.
Table 3. Comparison between SAP Process Control and SAP Financial Compliance Management.
While SAP Process Control has been around for several years, contains a broad range of functionalities and could be considered more heavy-duty, SAP Financial Compliance Management is a new solution from SAP, positioned more as a quick and easy introduction to control automation and SOx compliance. Both solutions provide the tools needed to perform continuous control monitoring.
Looking at the roadmap for the remainder of 2022, there is a clear focus on the further development of SAP Financial Compliance Management, with seven planned activities. For SAP Process Control, only one development is planned on the roadmap. On the one hand, this might mean that SAP Process Control is a stable solution, as it has been around for many years. On the other hand, it also shows the ambition to enhance the new SAP Financial Compliance Management system. Both systems are, and remain, compatible with SAP S/4. This gives customers a choice and the opportunity to assess which solution best fits their requirements.
Control automation and continuous control monitoring are still trending topics in the market. There are different applications and tools that provide functionality for continuous control monitoring. The applications delivered by SAP – SAP Process Control and SAP Financial Compliance Management – have their differences, but both deliver the functionalities needed to make the next step in the continuous control monitoring efforts of the internal control or internal audit function.
[Code05] Coderre, D. (2005). Global Technology Audit Guide: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. The Institute of Internal Auditors. Retrieved from: https://www.iia.nl/SiteFiles/IIA_leden/Praktijkgidsen/GTAG3.pdf
[Gies20] van der Giesen, S. & Speelman, V. (2020). Exploring digital: Empowering the internal control function. Compact, 2020(3). Retrieved from: https://www.compact.nl/articles/exploring-digital-empowering-the-internal-control-function/
[Kimb17] Kimball, D.A. & van der Giesen, S. (2017). A practical view on SAP Process Control. Compact, 2017(4). Retrieved from: https://www.compact.nl/articles/a-practical-view-on-sap-process-control
[Klei16] Klein Tank, K. & van Hillo, R. (2016). It’s time to embrace continuous monitoring. Compact, 2016(4). Retrieved from: https://www.compact.nl/articles/its-time-to-embrace-continuous-monitoring/
[KPMG19] KPMG (2019, May). Survey – Governance, Risk and Compliance. Retrieved from: https://assets.kpmg/content/dam/kpmg/ch/pdf/results-grc-survey-2019.pdf
[TAC22] TAC Events (2022, March). Poll results – International SAP Conference on Internal Controls, Compliance and Risk Management 2021. Retrieved from: https://www.linkedin.com/posts/tac-events_sapccr-sapgrc-grc-activity-6902553579547426816-Q7A6