SAP Controls - PwC

Transcription

www.pwc.com

SAP controls

Building efficient, effective, and consistent control environments

SAP controls overview

Background

Over the last 15 years most large organizations have embarked on strategic ERP investment programs. Improved data and information, standardized processes, common platforms, and improved supply chains are just a few of the drivers. Many of these organizations have struggled to build sustainable controls, often leading to manual, inconsistent, high-cost control environments.

One of the principal reasons for this is a lack of a built-in control process that should be embedded within any change program.

Good business controls in and around your SAP systems are critical to ensure your organization gets value from ERP investments and sustains effective and reliable control.

Benefits

An efficient, effective, and consistent control environment brings a number of advantages to an organization, including:

- Improved management of risk, reducing the likelihood or severity of adverse events
- Improved decision-making through the provision of more timely, accurate, and reliable information
- Reduced cost of complying with relevant regulatory requirements, including the cost of monitoring and testing the environment
- Standardized and sustainable business processes across the organization
- Management attention focused on value-adding activities and strategic decision-making rather than “fire-fighting” compliance

[Figure: Holistic security and controls model. Legible labels: Environmental Factors, Risk Appetite, Resources, Priorities, Expectations, Legal & Regulatory, Strategy, Technology, People, Costs, Threats, Virus and Malicious Software Protection, Physical Security, Threat and Vulnerability Management, Remote Access, Technical IT Security Policies, Business Process Controls, Enterprise Risk Management, Entity Level Controls, Talent Management, Information Technology General Controls, Roles and Profile Definition, Business Roles and Access Requirements, Encryption, Business Benefits, Compliance, Cost.]

SAP Controls design and implementation

Approach overview

SAP Controls design and implementation tends to occur in the context of a wider transformation program and involves the complete rebuild of controls and controls technology.

[Figure: SAP Controls design and implementation. Five phases: Assess, Design, Construct, Implement, Operate & Review. Activity captions in the figure:
- Establish strategy and approach documents and work with project team and external stakeholders to define risks.
- Understand detailed process design in order to document and agree on controls.
- Design processes and define functional requirements for supporting GRC technology.
- Perform functional testing for automated controls.
- Build and customize supporting GRC technology.
- Perform user acceptance testing (UAT) for business process and automated controls along with GRC technology.
- Undertake localization and transition activities (including training support).
- Ongoing monitoring, post-implementation reviews and transition of knowledge.]

Assess phase

Project tasks will include defining business requirements and establishing the appropriate governance and project management frameworks to support the project going forward.

From a controls perspective, the scope will be defined along with the risks. Control key performance indicators (KPIs) will be developed and agreed upon. These risks and KPIs will effectively form the requirements for the controls team in the subsequent phases.

The business requirements for any supporting governance, risk and compliance (GRC) technology (such as the SAP GRC suite) will be defined along with initial vendor selection.

Example risks—illustrative only

- Warehouse schedule is infeasible due to incomplete planning of resources resulting in tasks not being able to be …
- IM.R002: Incorrect Goods Receipt in terms of SKU or quantity resulting in incorrect inventory balance for planning and financial reporting purposes
- IM.R003: Incorrect Recording of Goods Disposal resulting in incorrect inventory balance for planning and financial reporting purposes

Design phase

Detailed process design will be completed in this phase along with functional requirements for any developments to be undertaken in the next phase. Controls are designed at the conceptual level and embedded in the “to be” processes, leveraging existing PwC SAP intellectual property. GRC technology will have similar deliverables to the project systems, including detailed processes and functional requirements.

Example controls—illustrative only

- Weekly Warehouse schedule: Warehouse Planner reviews the following reports to manage capacity:
  - Planned Goods Receipts (incoming)
  - Outgoing Deliveries (pick/dispatch) and
  - Scheduled Work Orders/Counts
  The planner will coordinate with other areas to make any amends, and the consolidated schedule will be approved by warehouse …
- IM.C002: Over Delivery Tolerance suppressed at transaction level. SAP is configured (per document type/transaction code) to display/suppress the “Unlimited over delivery” and “Over/Under delivery” tolerance fields at the “Purchase Order/Stock Transport Order level”

Construct phase

Designed processes and systems will be built and tested (unit, functional, and integration testing). The SAP automated controls identified in the design phase will be validated as part of the functional testing. Any GRC technology will be constructed per the design and tested accordingly.

Implement phase

During this phase the technical system will be implemented. During UAT, both SAP automated and semi-automated controls will be validated in the test system. Controls will be included in training and transition plans to ensure that users are ready for the new control environment. GRC technology will also be subject to UAT, transition plans, and readiness checks.

Example controls—illustrative only

Ref.  Control Test
1     Weekly Warehouse schedule
1.1   Review “Planned Goods Receipts (incoming)” report and ensure that all incoming GR for the Plant 001 are included.
1.2   Review “Outgoing Deliveries (pick/dispatch)” report and ensure that all outgoing Deliveries for the Plant 001 are included

Other cell values legible in the example tables: Impact, High, Prevent., Weekly, UAT-2.3, UAT-3.4.

Operate & Review phase

During the Operate & Review phase ongoing monitoring of controls and post-implementation reviews will ensure that the control environment is operating as designed. Knowledge transfer from the project team to those responsible for maintaining the control environment going forward will also be completed.

[Figure: Control maintenance effort. Labels: Design - Live; Post-implementation review; Operate & Review phase.]

Client citation

Industry: Retail & Consumer goods
Annual revenue: 18 billion
Number of employees: 70,000
Number of SAP users: 9,000
SEC Registered: No

Background

A global consumer goods company embarked on a major business transformation program, where global template back- and front-office processes are being designed and deployed.

The program involves significant changes to systems, processes, people, and governance structures, raising significant challenges to the future control environment.

To accelerate the process of designing and implementing a sustainable control environment with a view to making it more effective and efficient to operate, the company approached PwC to support a dedicated Controls Stream embedded within its multi-year transformational program.

What are the main drivers for investing in controls?

- Improved decision-making through the provision of more accurate and reliable information
- Releasing management’s time to focus on value-adding activities and strategic initiatives rather than “fire-fighting” compliance issues
- Reduced cost of compliance with regulatory requirements
- Supporting the effort to standardize the business processes across the organization

What has the client achieved?

- Developed a repository of global template best-in-class controls to be deployed as part of its business transformation program
- Deployed controls embedded into business processes that support strategic business objectives across multiple markets
- Detailed testing plans are available for future monitoring activities
- Implemented technology to continuously monitor the operating effectiveness of the control environment
