SAP Controls Advisory - PwC

www.pwc.gr

SAP Controls Advisory

Building efficient, effective and consistent control environments

SAP Controls Advisory Overview

Background / context

Over the last 15 years most large organisations have embarked on strategic ERP investment programmes. Improved data and information, standardised processes, common platforms and improved supply chains are just a few of the key drivers. Most of these organisations have struggled to build sustainable control systems, often leading to manual, inconsistent, high cost control environments.

One of the principal reasons for this is a lack of a “built in” control process, that should be developed via a dedicated Controls Stream embedded within any change programme.

Good business controls in and around your SAP systems are critical to ensure your organisation gets value from ERP investments and sustains effective, reliable control environments.

Key benefits

An efficient, effective and consistent control environment brings a number of advantages to an organisation, including:

- Improved management of risk, reducing the likelihood or severity of adverse events,
- Reduced cost of complying with relevant regulatory requirements, including the cost of monitoring and testing the environment,
- Improved decision making through the provision of more timely, accurate and reliable information,
- Standardised and sustainable business processes across the organisation, and
- Management attention focused on value-adding activities and strategic decision making rather than “firefighting” compliance issues.

Holistic security & Controls Model

The following model presents a holistic view of Horizon end-state Security and Controls and demonstrates the inter-related nature of Entity Level, Business Process, Information Technology General Controls and Technical IT Security.

[Figure: DRAFT Discussion Document – Horizon End-State Security and Controls Model. Labelled areas: Environmental Factors, Business Benefits, Entity Level Controls, Business Process Controls, Information Technology General Controls, Technical IT Security.]

Approach overview

SAP Controls design and implementation tends to occur in the context of a wider transformation programme and involves the complete rebuild of controls and controls technology.

SAP Controls design and implementation: 1 Assess, 2 Design, 3 Construct, 4 Implement, 5 Operate & Review

SAP Controls design and implementation

Assess Phase

Key project tasks will include defining business requirements and establishing the appropriate governance and project management frameworks to support the project going forward.

From a controls perspective the scope will be defined along with the risks. Control Key Performance Indicators (KPIs) will be developed and agreed. These risks and KPIs will effectively form the requirements for the controls team in the subsequent phases.

The business requirements for any supporting Governance, Risk and Compliance (GRC) technology (such as the SAP GRC suite) will be defined along with initial vendor selection.

Example Risks - Illustrative Only

REF.      RISK
IM.R001   Warehouse schedule is infeasible due to incomplete planning of resources resulting in tasks not being able to be executed
IM.R002   Incorrect Goods Receipt in terms of SKU or Quantity resulting in correct Inventory balance for planning and Financial reporting purposes
IM.R003   Incorrect Recording of Goods Disposal resulting in correct Inventory balance for planning and Financial reporting purposes

[Figure: chart with axes IMPACT and LIKELIHOOD]

Activities shown in the approach diagram:

- Ongoing monitoring, post-implementation reviews and transition of knowledge.
- Perform User Acceptance Testing (UAT) for business process and automated controls along with GRC technology.
- Undertake localisation and transition activities (inc. training support).
- Build and customise supporting GRC Technology.
- Design processes and define functional requirements for supporting GRC Technology.
- Perform functional testing for automated controls.
- Understand detailed process design in order to document and agree conceptual controls.
- Establish key strategy and approach documents and work with project team and external stakeholders to define risks.

Design Phase

Detailed process design will be completed in this phase along with functional requirements for any developments to be undertaken in the next phase. Controls are designed at the conceptual level and embedded in the “to be” processes, leveraging existing PwC SAP intellectual property. GRC Technology will have similar deliverables to the project systems, including detailed processes and functional requirements.

Example control (table columns: REF., CONTROL, FREQ.):

Weekly Warehouse schedule
Warehouse Planner reviews the following reports to manage capacity:
- Planned Goods Receipts (incoming)
- Outgoing Deliveries (pick/dispatch) and
- Scheduled Work Orders/Counts
The Planner will co-ordinate with other areas to make any amends and the consolidated schedule will be approved by

[Table cells detached from their rows: UAT-2.3; UAT-123; Automated]

Construct Phase

Designed processes and systems will be built and tested (unit, functional and integration testing). The SAP automated controls identified in the design phase will be validated as part of the functional testing. Any GRC Technology will be constructed per the design, and tested accordingly.

Example Controls - Illustrative Only

Over Delivery Tolerance suppressed at transaction level
SAP is configured (per document type/transaction code) to display/suppress the “Unlimited over delivery” and “Over/Under delivery” tolerance fields at the Purchase Order/Stock Transport Order level.

[Table cells detached from their rows: IM.C002; Weekly; PREVENT.; AUTO.]

Implement Phase

During this phase the technical system will be implemented. During UAT, both SAP automated and semi-automated controls will be validated in the test system.

Controls will be included in training and transition plans to ensure that users are ready for the new control environment. GRC technology will also be subject to UAT, transition plans and readiness checks.

Example Controls - Illustrative Only

REF.     CONTROL
Test 1   Weekly Warehouse schedule
1.1      Review “Planned Goods Receipts (incoming)” report and ensure that all incoming GR for the Plant 001 are included.
1.2      Review “Outgoing Deliveries (pick/dispatch)” report and ensure that all outgoing Deliveries for the Plant 001 are included.

Operate & Review Phase

During the Operate & Review phase ongoing monitoring of controls and post-implementation reviews will ensure that the control environment is operating as designed. Knowledge transfer from the project team to those responsible for maintaining the control environment going forward will also be completed.

[Figure: Control maintenance effort (Medium, Low) across Post implementation review, Training and familiarisation, Issue remediation, Final revision and optimisation; markers: Go Live, BAU; Operate and Review Phase]

Client Citation

Industry: Retail & Consumer goods
Country: UK
Annual revenue: 18 billion
Number of employees: 70,000
Number of SAP users: 9000
SEC Registered: No

Background

A global consumer goods company embarked on a major business transformation programme, where global template back and front office processes are being designed and deployed.

The programme involves significant changes to systems, processes, people and governance structures raising significant challenges to the future control environment.

To accelerate the process of designing and implementing a sustainable control environment with a view to making it more effective and efficient to operate, the company approached PwC to support a dedicated Controls Stream embedded within their multi-year transformational programme.

What are the main drivers for investing in controls?

- Improved decision making through the provision of more accurate and reliable information
- Releasing management’s time to focus on value-adding activities and strategic initiatives rather than “fire-fighting” compliance issues
- Reduced cost of compliance with regulatory requirements
- Supporting the effort to standardise the business processes across the organisation

What has the client achieved/currently delivered?

- Developed a repository of global template “best-in-class” controls to be deployed as part of their business transformation programme
- Deployed controls embedded into business processes which support strategic business objectives across multiple markets
- Detailed testing plans are currently available for future monitoring activities
- Implemented technology to continuously monitor the operating effectiveness of the control environment

For further information, please contact:

Asterios Voulanas
Partner, Risk Assurance
30 210 6874714
stan.voulanas@gr.pwc.com

Elena Tsakanika
Senior Manager, Risk Assurance - Controls
30 210 6874526
eleni.tsakanika@gr.pwc.com

Aggeliki Bogdanou
Manager, Risk Assurance - Controls
30 210 6874514
aggeliki.bogdanou@gr.pwc.com

www.pwc.gr

PwC firms provide industry-focused assurance, tax and advisory services to enhance value for their clients. More than 161,000 people in 154 countries in firms across the PwC network share their thinking, experience and solutions to develop fresh perspectives and practical advice. See www.pwc.com for more information.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2011 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

HB-2011-08-09-1055-CG
