Governance, Risk and Compliance Process Control


GOVERNANCE, RISK AND COMPLIANCE
PROCESS CONTROL

CONTENT

• GRC Process Control
• Continuous Control Monitoring
• Implementation Duration

GRC PROCESS CONTROL

Introduction

SAP BusinessObjects Process Control (PC) is an enterprise software solution for compliance and policy management. The compliance management capabilities enable organizations to manage and monitor their internal control environment. This provides the ability to proactively remediate any identified issues, and then certify and report on the overall state of the corresponding compliance activities. The policy management capabilities support the management of the overall policy lifecycle, including the distribution and attestation of policies by target groups. These combined capabilities help reduce the cost of compliance and improve management transparency and confidence in overall compliance management processes.

GRC PROCESS CONTROL

Continuous Control Monitoring

Introduction: Automated monitoring of backend systems and processes. Customers of GRC use automated monitoring for configurations, master data and transactions; SAP BusinessObjects Process Control provides a range of techniques to address these needs. While particularly well-suited to monitoring SAP's backend applications, PC provides a sound platform for monitoring other applications as well. Such other applications include ERP and related software suites from other vendors, but can also include IT management, physical access management, software used for tracking movement of goods and managing logistics, and so on.

Features:

• Supports monitoring configurations, master data, transactions and change logs
• Recurring or event-driven monitoring activities are automated, which helps identify and fix issues before they become significant problems
• Exceptions are routed via workflow to ensure accountability, timely investigation and remediation
• Sends reminder and escalation notifications via workflow or email to avoid missed deadlines
• Ability to monitor both SAP and non-SAP business systems
• Reduces evaluation and monitoring effort and cost by sharing results across regulations
• Decreases time to value using pre-delivered yet configurable best-practice workflow
• Allows us to view up-to-date status with delivered dashboards and reports
• Provides additional assurance/increases compliance

Assumptions

• Internal Control Matrix.
• Control Owners from the business.

TYPES OF CONTROLS WITH SOME EXAMPLES

Configuration (Automated controls)
Exceptions relating to configuration settings or parameters in the ERP system.
An exception is reported if…
• The tolerance amount for the three-way match control for accounts payable invoices is changed.
• The credit authorization approval control is turned off.

Data Monitoring: Master data
Exceptions relating to governance of master data in the ERP system.
An exception is reported if…
• The GL field structures have been modified.
• Changes are made to critical attributes defined in vendor master data.
• Changes have been made to GL account code options and/or account mapping for automatic system processing functions.

Data Monitoring: Transactional data
Exceptions relating to business transactions within the ERP system.
An exception is reported if…
• A purchase order is created on the same day that goods were received for a transaction.
• A manual journal entry has unusual accounts and/or descriptors.
• An employee receives more than one pay distribution in a pay period.

IMPLEMENTATION DURATION

Access Control
• Emergency Access Management
• Access Risk Analysis

Process Control
• Continuous Control Monitoring

SAMPLE SCENARIOS

Configuration Monitoring: SAP is configured to prevent one-time vendors from being used. The business would like to continuously monitor this configuration to ensure it does not change.

Multi-Step Configuration Monitoring: Purchasing must be configured to prevent inappropriate payments and to ensure accurate posting to financial statement line items. The business would like to continuously monitor this configuration using a complex set of automated business rules.

Review Master Data as a Control Test: A company has a control preventing alternative payees from being used. The company must design the most effective automated rule to monitor this control.

Testing & Control Performance with SAP Reports: A manual control requires the AP Supervisor to regularly export an ECC report and review it. The company wishes to help automate this process by having PC 10 execute the report from a pre-defined variant and send it to the supervisor.

Transaction Monitoring as a Control: A business wants to use PC to monitor one-time sales order transactions. They want visibility into the net value of sales orders and the users most frequently creating one-time orders.
