The 5 Key Attributes of an Effective SAP Control Optimization Framework
Clark Oeler
Deloitte & Touche LLP
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
In This Session

The challenge
Greater focus on increasing performance and maximizing productivity has led to business reorganization, reductions in staff, complex relationships with customers and third parties, increased risk of employee fraud, and increasingly complex systems. These changes can create challenges in aligning effective, efficient, and sustainable controls.
Many organizations have made significant investments in improving and tightening controls, particularly in response to new regulatory requirements – but sometimes at the expense of efficiency. Getting controls wrong wastes resources, leaves organizations exposed, increases compliance costs, and distracts management from running the business.
In challenging times, even the most mature organizations consider whether their controls are relevant, efficient, and adaptable.

The opportunity
Many large organizations cannot operate effectively without an optimized control framework. Adequately designed controls help organizations manage critical risks and proactively plan for the future – enhancing operations, managing performance, and minimizing costs.
Getting controls right enables organizations to effectively manage risks. It also keeps costs down, protects revenue, secures assets, and supports compliance obligations.
Business performance can be enhanced by improving the effectiveness of controls across functions closely linked to the financial statements.
When management knows that they have the right controls, they can rely on those controls to manage the potential risks.
In This Session (cont.)
• Learn …
  - Key reasons for optimizing SAP Controls
  - Streamline a control environment that has grown over years
  - Reduce and manage the cost of compliance
  - Strengthen Audit Committee, External Audit, and Management confidence in the control framework
  - Build a foundation for technology enablement, automation, and continuous controls monitoring
  - Leverage corporate or system initiatives to optimize SAP controls
  - Intended audience and roles for optimizing SAP controls: SAP Teams, Internal Audit, Business Owners
What We’ll Cover
• Need for SAP controls optimization
• Defining success – Five attributes for an effective SAP Control Optimization Framework
  - Governance
  - Approach
  - Technology enablement
  - Rollout and localization
  - Implementation and sustainment
• Wrap-up
Need for Controls Optimization
• Addressing SAP Controls Optimization can be an important strategy for your enterprise initiatives and your compliance requirements

Enterprise Initiatives
• Set out a clear definition of how your enterprise initiative can ascertain that appropriate security and controls are implemented
• Appropriate controls are optimized during the initiatives to ensure that risk considerations can be assessed and dealt with in a cost-effective and efficient manner

Compliance Requirements
• Provides focused risk assessment and control activities to address material business processes and information technology (IT) systems
• Provides management with foundational control frameworks that form the basis of ongoing assessment and monitoring

Scope
• SAP Business Process Controls
• SAP Application Security
• Data Quality and Integrity
• Infrastructure Security and Controls

SAP Controls Optimization is an important component that can help bridge these two states
Defining Success: Five Key Attributes
• SAP controls optimization requires the following attributes to be considered for an effective implementation:

Five Attributes for Building an Effective SAP Control Optimization Framework
1. An appropriate controls governance organization and assigned roles and responsibilities are in place and functioning to design, operate, and audit the newly optimized controls structure
2. The approach for controls optimization is determined and executed, taking into consideration a top-down approach or a controls redesign (bottom-up) approach
3. The approach should leverage continued utilization of technology, automation, and continuous controls monitoring functionality
4. A rollout of the approach should be executed to address defined processes for localization of controls
5. Optimization is not complete until both design and implementation of the controls structure are achieved, which requires rollout, training, operation, and the eventual monitoring, management testing, and operating effectiveness of the controls
Attribute 1: Governance
• A governance model that balances responsibility for SAP optimization activities is required

Establish Controls Optimization
• Develops and maintains baseline components of control structure
• Develops and maintains the control methodology, tools, and approach for SAP optimization
• Updates and optimizes baseline control structure
• Provides Business Unit with internal controls subject matter expert support
• Manages integration to testing program; provides Internal Audit support, remediation support, etc.

Deploy and Operate
• Accountable for business processes and documentation, maintenance, and execution of related internal controls
• Periodically assesses and asserts on risk management and the control environment
• Develops and implements action plans for improvement based on Controls and Audit feedback
• Adjusts and updates the control baseline documentation to reflect Business-Unit-specific processes and controls

Monitor and Evaluate
• Periodically assesses the adequacy of the control baseline maintained by Controls Group
• Audits business processes and operational effectiveness of the Business Unit (financial, IT, operational audits)
Attribute 1: Governance (cont.)
• Key questions to consider
  - Are roles and responsibilities defined for a Controls Group, Internal Audit, and Business Units for controls?
  - Are resources assigned controls roles to design or optimize controls across each geographical location and business unit?
  - Are control design/optimization resources appropriately staffed, trained, and focused with the right level of consistency for an SAP optimization initiative?
  - Is control ownership at the business level defined to accept and ensure operation of controls?
  - What is the process for ongoing sustainability and maintenance of optimized controls?
Attribute 1: Governance (cont.)
• Key lessons learned
  - Executive leadership support is required to optimize controls and is essential to overcoming hesitancy to challenge existing approaches
  - Controls governance is essential
  - A set of roles and responsibilities that balances design, operation, assessment, and audit of controls is required
  - Working with internal and external audit is important and the process should include regular communication, support, and buy-in
Attribute 2: Approach
• Two approaches are possible to SAP optimization – a review of existing frameworks (top-down rationalization) or a controls redesign (bottom-up) approach

Approaches to Optimization

Top-Down Rationalization
Scope
• Management to rationalize existing control frameworks across and between locations
Approach/Outcomes
• Apply principles of control rationalization, including:
  - Risk-based scoping and risk assessment
  - Review of multi-location scoping
  - Top-down approach to controls identification
  - Consider approaches for automation
  - Risk-based testing strategy and design
• A pilot or proof-of-concept location would be selected to start, with a roll-out strategy for deployment of rationalization and localization guidelines
Benefits/Risks
• Benefits:
  - Leverages existing control frameworks
  - Ability to consolidate frameworks early and anticipate challenges across locations
  - More control over timing of rationalization efforts
• Risks:
  - Resistance to change in controls – rationalization efforts less effective than a redesign of controls
  - Risk that localization undermines rationalization

Controls Redesign/Bottom-Up
Scope
• Management to select geography, business units, or location to conduct “bottom-up” control redesign
• Controls redesign approach may leverage an in-progress SAP implementation or other initiative
Approach/Outcomes
• Goal to create a common control framework for rollout to additional geographies, business units, or locations
• Principles of control rationalization would be followed (risk-based scoping, top-down approach, etc.)
• Common control framework would be the basis for deployment to other locations, along with localization guidelines
Benefits/Risks
• Benefits:
  - Ability to leverage in-progress SAP implementations to further drive process standardization and automated controls
  - Process not anchored to existing control inefficiencies; ability to design with leading practice controls and testing strategies
• Risks:
  - Additional effort/cost to redesign framework
  - Common control framework difficult to define based on individual location
  - Risk of greater localization based on initial control design
  - Less control over timing and rationalization efforts
Attribute 2: Approach – Top-Down Optimization
• A top-down optimization can start with existing frameworks. This can be performed with a pilot or reviewed across business units and processes. Steps to take include:
  - Top-down risk-based scoping
    - Focus on high-risk areas
    - Address multi-location / conduct BU-specific risk assessments
  - Control optimization
    - Entity-level controls
    - IT general controls
    - Business process controls
    - Automated controls review
  - Risk-based testing
    - Apply greater use of analytics
Copyright © 2016 Deloitte Development LLC. All rights reserved.
Attribute 2: Approach – Top-Down Optimization (cont.)
• The top-down approach allows you to adjust the mix of controls
Attribute 2: Approach – Top-Down Assessment
• There may be different stages at an organization
  - A scorecard process may be required to understand current state
Attribute 2: Approach – Controls Redesign Approach
• An alternate approach to consider is to optimize controls from a standalone perspective or leverage an in-progress system implementation to develop a “Common Template” for rollout to other businesses/regions
Attribute 2: Approach
• Key Questions to Consider – Top-Down
  - What is the scope of SAP optimization? Financial reporting, operational, compliance controls? What is the focus?
  - What does optimization mean in terms of work product? Frameworks, narratives, process flows, test plans?
  - Have risk assessments been reviewed? Review of locations?
  - Has SAP control optimization been applied previously, including top-down scoping, review of entity-level, process controls, IT general controls?
  - Have testing plans been reviewed?
  - Has current state been assessed and reviewed?
  - What is the intended approach to optimization?
Attribute 2: Approach (cont.)
• Key Questions to Consider – Control Redesign
  - Have prior initiatives or implementations leveraged a controls design approach?
  - Are there current enterprise initiatives suitable for controls redesign as a pilot or to build a common controls framework?
  - Do processes and approaches exist for controls design in an implementation?
  - What are the challenges to such an approach?
Attribute 2: Approach (cont.)
• Key lessons learned:
  - The approach to controls optimization can take a “top-down” rationalization approach, leveraging existing frameworks, or a “bottom-up” controls redesign approach
  - In either approach, agreeing to and standardizing the risks to the extent possible among similar functions/locations will improve consistency and efficiency
  - Utilize a pilot approach, based off of geographic location and/or business unit, to provide an optimization “proof of concept” in either approach that will help illustrate the efficiency gains that are possible to the business and control teams
  - While quick results can be possible, achieving optimum results may require approaches integrating into and with other corporate initiatives
Attribute 3: Technology Enablement
• SAP Control Optimization should leverage technology to enhance the streamlining and efficiency of the controls program. Areas of technology enablement for optimization include:
  - Access and Security Controls
  - Controls Automation
  - Automated Controls Testing
  - Governance through Process and Workflow
  - Continuous Controls Monitoring
  - Integration with Risk Management Capability
  - Enhanced and Automated Fraud Monitoring
  - Streamlined Audit Processing
Attribute 3: Technology Enablement (cont.)
• SAP GRC 10.1 and its modules can contribute to SAP Controls Optimization through enablement, automation, and efficiency
  - Access Control – Manage access risk and prevent fraud
  - Process Control – Ensure effective controls and ongoing compliance
  - Risk Management – Preserve and grow value
  - Fraud Management – Achieve effective and efficient fraud management
  - Global Trade Services – Optimize global trade and screen restricted parties
  - Sustainability Management – Manage environmental compliance
  - Audit Management – Drive a unified fraud management function
Attribute 3: Technology Enablement (cont.)
• SAP GRC 10.1 Access Control
• Some benefits to SAP Control Optimization:
  - Automate segregation of duties (SOD) management
  - Optimize segregation of duties across applications and departments
  - Automate access management
  - Promote Controls, Internal Audit, and Business collaboration
  - Enforce accountability with review and approval processes
  - Enhance preventative security access processes
  - Roll out and maintain SAP security control consistently across the business
  - Sustain SAP security controls efficiently
Copyright SAP AG 2011
Attribute 3: Technology Enablement (cont.)
• SAP GRC 10.1 Process Control
• Some benefits to SAP Control Optimization:
  - Automate business controls
  - Automate continuous control monitoring
  - Automate controls testing
  - Enforce governance through control owners and workflow
  - Conduct top-down optimization using risk assessment and master data availability
  - Simplify and remove redundant controls with visibility and access to the control framework
  - Manage a unified repository of control data for rollout and localization
  - Conduct testing and remediation to monitor and sustain controls
Attribute 3: Technology Enablement (cont.)
• SAP GRC 10.1 Process Controls – Continuous Controls Monitoring

Transaction Monitoring
  Features:
  - Identifies suspicious transactions for review
  - Isolates transactions out of compliance with business rules
  Benefits:
  - Identifies inappropriate flows (e.g., duplicate payments)
  - Provides evidence of control operation, quickly identifies issues

Master Data Monitoring
  Features:
  - Monitors changes to master data for suspicious activity
  - Identifies unusual additions and deletions
  Benefits:
  - Identifies and addresses suspicious changes to master data
  - Detects stale master data files

Access Controls and SOD Monitoring
  Features:
  - Monitors changes to user access, role access, and testing documentation
  - Detects executed transactions that violate SOD rules
  Benefits:
  - Detects unauthorized modification to user access and role access
  - Identifies SOD conflicts that increase risk of fraud and error

Application Configuration
  Features:
  - Detects changes to system configuration
  Benefits:
  - Demonstrates the continued effectiveness of application controls

An end state for SAP Controls Optimization is the automation toward Continuous Control Monitoring
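The SOD-monitoring and transaction-monitoring checks in the table above, as an added Python example that is not part of the deck or of SAP GRC: it runs a preventive check over role assignments, a detective check over executed activity, and a duplicate-payment check over posted documents. The SOD rules, role names, user IDs and payment records are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed SOD ruleset: business functions one person must not combine
# (illustrative names only, not an SAP-delivered ruleset).
SOD_RULES = [
    ("VENDOR_MAINTAIN", "PAYMENT_RUN"),
    ("INVOICE_POST", "PAYMENT_RUN"),
    ("VENDOR_MAINTAIN", "INVOICE_POST"),
]

# Constructed role -> business function mapping (hypothetical role names).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"INVOICE_POST"},
    "Z_AP_PAYMENTS": {"PAYMENT_RUN"},
    "Z_MDM_VENDOR": {"VENDOR_MAINTAIN"},
    "Z_AP_DISPLAY": set(),
}


def conflicting_pairs(functions):
    """SOD rule pairs whose two functions are both present in `functions`."""
    return {p for p in SOD_RULES if p[0] in functions and p[1] in functions}


def access_sod_conflicts(user_roles):
    """Access monitoring (preventive): users whose combined roles grant both
    sides of an SOD rule, whether or not they have used them yet."""
    findings = {}
    for user, roles in user_roles.items():
        functions = set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))
        pairs = conflicting_pairs(functions)
        if pairs:
            findings[user] = pairs
    return findings


def executed_sod_violations(activity_log):
    """Transaction monitoring (detective): users who actually executed both
    sides of an SOD rule. Rows are (user, business_function) tuples."""
    executed = defaultdict(set)
    for user, function in activity_log:
        executed[user].add(function)
    return {u: conflicting_pairs(f) for u, f in executed.items() if conflicting_pairs(f)}


@dataclass(frozen=True)
class Payment:
    doc_id: str
    vendor: str
    invoice_ref: str
    amount: float


def duplicate_payments(payments):
    """Transaction monitoring: payments settling the same vendor invoice more
    than once. The reference is normalized so 'inv-4711 ' and 'INV-4711' match."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor, p.invoice_ref.strip().upper())].append(p.doc_id)
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) > 1}


# Constructed sample data (user IDs, roles and documents are illustrative).
USER_ROLES = {
    "jdoe": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # holds both sides of a rule
    "asmith": {"Z_MDM_VENDOR"},
    "audit1": {"Z_AP_DISPLAY"},
}
ACTIVITY_LOG = [
    ("jdoe", "INVOICE_POST"),
    ("jdoe", "PAYMENT_RUN"),        # executed both sides of a rule
    ("asmith", "VENDOR_MAINTAIN"),
    ("asmith", "INVOICE_POST"),     # not explained by current roles: follow up
]
PAYMENTS = [
    Payment("1900000001", "V100", "INV-4711", 1250.00),
    Payment("1900000002", "V100", "inv-4711 ", 1250.00),  # same invoice re-keyed
    Payment("1900000003", "V200", "INV-0042", 80.00),
]
```

Running the three checks over the sample data flags jdoe in both SOD checks, asmith only in the executed-activity check (which is why a role-based review alone is not sufficient), and the two V100 documents as a duplicate payment.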
Attribute 3: Technology Enablement (cont.)
• SAP GRC 10.1 Risk Management
• Risk Planning, Risk Identification, Risk Analysis, Risk Response, Risk Monitoring
• Benefits to SAP Control Optimization:
  - Formal integration of risk management with SAP Control Optimization Strategy
  - Automate and optimize manual and fragmented risk and control activities across lines of business
  - Repeatable framework to analyze and mitigate risk to organization and initiative
  - Continuous monitoring of key risk indicators across defined optimization objectives
  - Automatically identify and prioritize risks through proactive alerts and escalations
Attribute 3: Technology Enablement (cont.)
• SAP GRC 10.1 Fraud Management, Global Trade Services, Sustainability Management, and Audit Management
  - Fraud Management – Achieve effective and efficient fraud management
  - Global Trade Services – Optimize global trade and screen restricted parties
  - Sustainability Management – Manage environmental compliance
  - Audit Management – Drive a unified fraud management function
• Benefits to SAP Control Optimization:
  - Improve operational efficiency through automating fraud monitoring and direct integration with SAP control optimization activities
  - Automate compliance to import and export regulations such as International Traffic in Arms Regulations (ITAR)
  - Address environmental controls and compliance processes
  - Streamline the audit lifecycle, including creating, reviewing, approving, and linking audits throughout your organization
Attribute 3: Technology Enablement (cont.)
• Key Questions to Consider
  - What capabilities are currently leveraged in SAP GRC? What areas can benefit from greater optimization and automation?
  - How are Access and Security Controls managed? Are there opportunities to enhance access controls, processes, and segregation of duties?
  - What technology enablement will support your optimization? Automating controls, automating testing, enhancing accountability and workflow?
  - How will optimization manage a changing control framework, including rollout and localization of controls?
  - How will implementation and sustainability be addressed?
Attribute 3: Technology Enablement (cont.)
• Key lessons learned
  - Some control owners prefer the security of manual controls because they are more easily observed and documented – training the business on the acceptability and efficiency of automated controls is often needed
  - The background and skill sets of the individuals who originally identified the controls affect the types of controls identified, i.e., someone with no system experience will document manual controls that monitor activities performed within an IT system rather than identifying an automated control within the system
  - SAP GRC technology for access control and process control capabilities can provide standardization for controls rollout, automated controls, and enhanced controls testing
Attribute 4: Rollout and Localization
• A key principle of either approach selected requires rollout to locations from an initial pilot or “Common Controls Framework”
Attribute 4: Rollout and Localization (cont.)
• A “Degrees of Freedom” approach to localization allows flexibility for the control environment, while meeting the control objectives

Controls in the customer-facing processes must adhere to the control baseline (objectives); however, management allows for a certain “degree of freedom” for specific control activities.
  Degree of Freedom = + (Acceptable Freedom)

Control Differential Value – An allowable and acceptable “degree of freedom” for specific critical controls.

Controls in back-office-facing processes are critical to the organization and must follow strict adherence to the control baseline (objectives). There is a very limited degree of freedom.
  Degree of Freedom = 0 (Zero Tolerance)

A control environment with proper “Degrees of Freedom” allows for localization
Attribute 4: Rollout and Localization (cont.)
• This can be applied to both the Process and Type of Control
Attribute 4: Rollout and Localization (cont.)
• Key Questions to Consider
  - What approach to rationalization and rollout is planned?
  - Are there prior experiences for rollout with lessons learned?
  - Is there a location or business unit better suited to pilot or apply controls design?
  - What are prior experiences with localization?
  - What is the estimate of current localization of controls?
  - Has a process to define localization allowances or limits been established or enforced?
• Some key lessons learned
  - Rollout organizationally requires careful selection of geographies/locations. A process to define localization of controls is beneficial.
  - Full implementation requires controls communication and training to control owners and must be monitored through management testing
Attribute 5: Implementation and Sustainment
• SAP control optimization is not complete until both design and implementation of the SAP controls are achieved, which requires rollout, training, operation, and the eventual monitoring, management testing, and operating effectiveness of the controls
• Key Questions to Consider
  - How will control optimization be rolled out? Centralized group to each region, local resources?
  - If local teams optimize, is there a central controls group to review, provide quality assurance, and monitor?
  - How will local control owners be trained on controls?
  - What will be the initial management testing process? Will there be oversight and early testing to head off deficiencies and address remediation?
  - What will be the communication process with internal and external auditors?
Attribute 5: Implementation and Sustainment (cont.)
• Key lessons learned
  - Working with internal and external audit is important and the process should include regular communication, support, and buy-in
  - Full implementation requires controls communication and training to control owners and must be monitored through management testing
Where to Find More Information
• www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/grc-atheart-of-managing-business.html
  - Deloitte Insights, GRC – At the heart of managing business (Deloitte, 2014).
• www2.deloitte.com/content/dam/Deloitte/global/Documents/Technology/dttl_technology_GrupoModeloManagesRiskWithSAPsLatestSolutionsForGRC.pdf
  - Ken Murphy, “Brewing Up Process Change: Grupo Modelo Manages Risk with SAP’s Latest Solutions for GRC” (insiderPROFILES, 2013).
• www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/dbf8f10c3f889210VgnVCM200000bb42f00aRCRD.html
  - “Continuous Monitoring and Continuous Auditing: From Idea to Implementation” (Deloitte, 2010).
7 Key Points to Take Home
• Assemble a team of subject matter specialists with the right skill set, industry knowledge, and understanding of operations
• Take an approach – either existing or redesign – to yield greater efficiencies and consistency
• Work side-by-side with corporate and local leadership as a core team, and leverage existing resources where possible
• Demonstrate quicker results through a global controls template approach and focused redesign in an area for rapid results
• Leverage enabling technology such as SAP GRC 10.1 to roll out consistent frameworks and more automated testing of controls
• Integrate and align with other enterprise initiatives
• Enforce accountability through local/regional localization training and rollout of a uniform and repeatable approach
Your Turn!
How to contact me:
Clark Oeler
[email protected]
Please remember to complete your session evaluation
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a
legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and
its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not
be available to attest clients under the rules and regulations of public accounting.
This presentation should not be interpreted as a representation about or endorsement of any third party products, including SAP software.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax,
or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision
or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional
advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright © 2016 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2016 Wellesley Information Services. All rights reserved.