Kehinde Eseyin shows how implementing SAP Process Control 10.1’s disclosure survey in your business environment enhances transparency, documentation, and adherence to disclosure requirements.
Key Concept
Disclosure survey is a new type of survey in SAP Process Control 10.1 that is used to perform assessments at different entity levels – organization, control, and subprocess.
The need to comply with regulations (such as the Sarbanes-Oxley Act of 2002) that have direct implications on how organizations handle disclosures is one of the driving factors for introducing disclosure survey in SAP Process Control 10.1. Organizations want to remain as transparent as possible when it comes to disclosure, especially when such disclosures can affect the financial statement of the organization.
SAP Process Control has always supported different types of surveys. The latest version of SAP Process Control offers an enhancement (disclosure survey type) to survey management that is aimed at helping organizations achieve more transparency about control effectiveness review and documentation. Unlike the other closely related functionalities (for example, sign-off), disclosure survey can be implemented at different entity levels: organization, control, and subprocess.
Disclosure survey can be addressed online (via a workflow inbox) or offline (via an Adobe offline form). I focus on the online approach to responding to disclosure survey but mention the required customization activities for offline survey processing.
It is possible to create ad-hoc issues when executing disclosure survey. Disclosure survey offers the ability to respond to defined survey questions with subsequent workflow to a reviewer for review activities after the survey has been submitted.
A typical business scenario demonstrates the implementation of the highlighted capabilities. First, I provide an overview of the related configuration activities in SAP Process Control 10.1 in the following steps:
- Map roles to business events
- Configure workflow settings
- Customize offline workflow process
- Map plan usage to regulation
- Perform role assignment to regulation
- Maintain question library
- Maintain survey library
- Plan disclosure survey
- Execute disclosure survey
- Review disclosure survey
- Monitor status of disclosure survey
Map Roles to Business Events
The workflow in SAP Process Control works partially on the concept of roles assignment to business events. A business event is used during recipient determination in workflow-driven scenarios. This customizing activity allows you to define roles that receive workflow requests for assigned tasks.
The business events of interest in disclosure survey are:
- 0PC_PERF_DISCSVY: Perform disclosure survey
- 0PC_REVIEW_DISCSVY: Review disclosure survey
The business event (0PC_PERF_DISCSVY) is aimed at defining the role assignment of the user who will be the recipient of the disclosure survey workflow task for initial execution of the survey. The business event (0PC_REVIEW_DISCSVY) is aimed at defining the role assignment of the user who will be the recipient of the disclosure survey workflow task for the survey review.
You need to define the role that will be associated with this business event for the different entity levels (organization, control, and subprocess). It is good practice to copy standard roles into the customer namespace. These roles are also subsequently assigned to users responsible for processing disclosure survey.
To perform this customizing activity, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > General Settings > Workflow > Maintain Custom Agent Determination Rule. In the screen that displays, click New Entries and enter the business event for the supported entity levels. Figure 1 shows a typical mapping of roles to disclosure survey specific business events and the associated supported entities.

Figure 1
Disclosure survey business event mapping to standard roles
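An added example (not part of the original article and not SAP-delivered code): a check over a hand-transcribed copy of the Figure 1 mapping that reports entity levels with no role for either business event, roles outside the customer namespace, and roles mapped to both the perform and the review event. The CSV layout, entity labels, and role names are assumptions constructed for illustration; the same-role warning is an added reviewer-independence check, not a requirement stated by SAP.

```python
import csv
import io

# Business events and entity levels named in the article.
PERFORM = "0PC_PERF_DISCSVY"
REVIEW = "0PC_REVIEW_DISCSVY"
ENTITIES = ("organization", "control", "subprocess")

# Constructed sample: a hand-made CSV transcription of the mapping screen.
# Column names, entity labels and role names are assumptions for this example.
SAMPLE_EXPORT = """business_event,entity,role
0PC_PERF_DISCSVY,organization,Z_ORG_OWNER
0PC_REVIEW_DISCSVY,organization,Z_ORG_MANAGER
0PC_PERF_DISCSVY,control,Z_CTL_OWNER
0PC_REVIEW_DISCSVY,control,Z_CTL_OWNER
0PC_PERF_DISCSVY,subprocess,SAMPLE_STD_ROLE
"""

# Customer naming: Z*/Y* prefixes or a registered /NAMESPACE/ prefix.
CUSTOMER_PREFIXES = ("Z", "Y", "/")


def load_mapping(text):
    """Return {(business_event, entity): set(roles)} from CSV text."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["business_event"].strip().upper(), row["entity"].strip().lower())
        role = row["role"].strip().upper()
        if role:
            mapping.setdefault(key, set()).add(role)
    return mapping


def check_mapping(mapping):
    """Return sorted (severity, entity, message) findings."""
    findings = []
    for entity in ENTITIES:
        performers = mapping.get((PERFORM, entity), set())
        reviewers = mapping.get((REVIEW, entity), set())
        for event, roles in ((PERFORM, performers), (REVIEW, reviewers)):
            if not roles:
                # Nothing for recipient determination to resolve at this level.
                findings.append(("ERROR", entity, f"{event}: no role mapped"))
            for role in sorted(roles):
                if not role.startswith(CUSTOMER_PREFIXES):
                    findings.append(
                        ("WARN", entity, f"{event}: {role} is not in the customer namespace")
                    )
        # Same role on both events means the submitter could review their own survey.
        for role in sorted(performers & reviewers):
            findings.append(("WARN", entity, f"{role} both performs and reviews the survey"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, entity, message in check_mapping(load_mapping(SAMPLE_EXPORT)):
        print(f"{severity:5} {entity:12} {message}")
```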
Configure Workflow Settings
A workflow task can be initiated as a reaction to events triggered by the application. Therefore, specific events need to be defined as triggering events for the corresponding workflow task. The disclosure survey process is based on the standard workflow engine in the SAP NetWeaver ABAP stack. Therefore, it is important to perform all the mandatory baseline configuration activities via transaction code SWU3. Figure 2 shows a typical automatic workflow customizing screen.

Figure 2
Automatic Workflow Customizing
You must define the Disclosure Survey task (TS 76307937) as a general task. To do this, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > General Settings > Workflow > Perform Task-Specific Customizing > GRC (folder) > GRC-SPC (folder) > Assign Agents > Disclosure Survey Proposal. In the screen that appears (Figure 3), click the Attributes… menu option. In the pop-up screen select the General Task radio button and click the Transfer button.

Figure 3
Define the disclosure survey as a general task
The next screen (Figure 4) indicates that the disclosure survey has been defined as a general task.

Figure 4
Disclosure survey defined as General Task
You also need to activate event linkage for the Disclosure Survey WF node. To complete this task, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > General Settings > Workflow > Perform Task-Specific Customizing > GRC (folder) > GRC-SPC (folder) > Activate Event Linking > WS 76300018 > CL_GRPC_WF_DISCSVY-CREATE CL. In the screen that displays (Figure 5), click the details view icon and select the Event linkage activated check box. Click the green check mark.

Figure 5
Activate disclosure survey workflow event linkage
Figure 6 indicates that event linkage has been activated for disclosure survey workflow.

Figure 6
Disclosure survey workflow event linkage is activated
Customize Offline Workflow Process
To respond to disclosure surveys via an Adobe offline form, ensure that the generic configuration activities under the Offline Workflow Process node are properly configured. Access this customizing activity by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Process Control > Offline Workflow Process (Figure 7).
Note
These customizing activities are not discussed in this article.

Figure 7
Offline workflow process customizing activities
Task TS76307937 needs to be activated. To activate this task, execute transaction code SM30. In the screen that appears (Figure 8) enter GRFNV_OWPTASKC in the Table/View field. You can also click the icon at the end of this field and select a table name from the list of options. Click the Maintain button.

Figure 8
The initial screen for the maintenance of table GRFNV_OWPTASKC
In the screen that displays, click the New Entries button (not shown). Click Task TS76307937 and check the corresponding box in the Ind. column as shown in Figure 9. Click the save icon to save your entry.

Figure 9
Activation of offline forms for disclosure survey
Map Plan Usage to Regulation
The assignment of a regulation to plan usage allows you to define the behavior of a compliance initiative based on the setting for the corresponding plan usage. As it relates to plan usage maintenance for disclosure survey, three plan usages are applicable for the different entities supported by disclosure surveys:
- PERF-CNDS: Perform Control Disclosure Survey
- PERF-OUDS: Perform Organization Disclosure Survey
- PERF-SPDS: Perform Subprocess Disclosure Survey
The selection of a regulation is the second phase of the plan definition wizard for the disclosure survey plan activity. This customizing activity allows you to select a regulation as a drop-down in that phase. To assign regulations to plan usage, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > Process Control > Multiple-Compliance Framework > Relate Regulation to Plan Usage. Figure 10 shows a typical screen for plan usage mapping to regulation (for example, K-SOX).

Figure 10
Plan usage mapping to regulations
Perform Role Assignment to Regulation
Execute transaction code PFCG. After you copy and maintain model roles associated with regulations, you need to perform role provisioning to the defined regulations. Follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > Process Control > Authorizations > Maintain Regulation Role Assignment. Figure 11 shows a typical role mapping to regulation.

Figure 11
Assign roles to regulation configuration
Maintaining this configuration setting allows you to maintain the processor (control owner and control manager) of the corresponding entity as shown in Figure 12. To access the screen shown in Figure 12, follow menu path Transaction NWBC > Access Management > GRC Role Assignments > Business Processes.

Figure 12
Assignment of roles and users to an entity
Maintain Questions Library
The question library is a repository where questions that are used in surveys are stored. The system allows you to select specific answer types when you create questions to be used in a survey. Depending on the answer type selected for a question, additional fields may display. For example, if you select a rating answer type, the system prompts you to additionally provide the rating type to use. To create questions to be used in a survey, follow menu path NWBC > Assessment > Surveys > Question Library. Figure 13 displays.

Figure 13
The initial screen for questions library maintenance
Click the Create button. In the screen that displays, populate the fields as shown in Figure 14. Make sure that you select Disclosure Survey in the Category field and specify the question in the Question column. Set the Active field to Yes.

Figure 14
Creation of question in the question library
Click the Save button and you receive the message Question was saved. For the purpose of this article, I have created additional questions of disclosure survey category and answer types: choices, rating, and text as shown in Figures 15, 16, and 17 respectively.

Figure 15
Disclosure survey question of the answer type Choice

Figure 16
Disclosure survey question of the answer type Rating

Figure 17
Disclosure survey question of the answer type Text
Maintain Survey Library
The survey library is the central repository where all surveys are stored. After you create questions, the next activity is to associate the questions with a survey. Generally, disclosure survey can accommodate object survey, disclosure survey, or both. An object survey is associated with a specific process control object type such as control, whereas a disclosure survey is not associated with a specific object. To plan for a disclosure survey, you might need to create two types of surveys—object and disclosure—depending on your business requirement. Disclosure survey, as opposed to object survey, is intended for generic information gathering (for example, the overall status of the internal control of an organization). On the other hand, you use object survey to gather information about a specific object (for example, a specific financial control).
To perform this activity, follow menu path NWBC > Assessment > Surveys > Survey Library. Figure 18 displays.

Figure 18
The initial screen for the survey maintenance
Click the Create button. In the screen that displays, choose Disclosure Survey using the drop-down button in the Category field and enter a title for the survey. Set the Active field to Yes. In the questions section, use the Add button to populate the questions. For the purpose of this article, I create two surveys (of disclosure type): ObjectSurvey – K-SOX_ITGC (Figure 19) and DisclosureSurvey – K-SOX_ITGC (Figure 20). I consequently assign the questions created in Figures 14 and 15 to the ObjectSurvey – K-SOX_ITGC and the questions created in Figures 16 and 17 to DisclosureSurvey – K-SOX_ITGC.

Figure 19
Creation of disclosure survey type Object survey
Click the Save button. The status message Survey was saved should display for ObjectSurvey – K-SOX_ITGC (Figure 19) and DisclosureSurvey – K-SOX_ITGC (Figure 20).

Figure 20
Creation of disclosure survey
Plan Disclosure Survey
In the planner tool for disclosure survey, you can plan for object survey, disclosure survey, or both. Now that the questions have been defined and consequently associated with a survey, the next activity is to schedule a plan for the execution and review of the disclosure survey. The system provides a wizard-driven engine to schedule a plan for disclosure survey. To perform this activity, follow menu path NWBC > Assessments > Assessment Planning > Planner. Figure 21 displays.

Figure 21
The initial screen for the definition of a plan
Click the Create button. Figure 22 displays showing the three types of disclosure surveys for which you can plan by choosing the drop-down arrow button against the field Plan Activity. The possible options that you can select when planning for disclosure survey in the planner tool are:
- Perform control disclosure survey
- Perform organization disclosure survey
- Perform subprocess disclosure survey

Figure 22
Types of disclosure surveys that can be planned
For the purpose of this article, I select the Perform Control Disclosure Survey option. In the screen that displays, enter values for the different fields as shown in Figure 23. The applicable fields are:
- Plan Name: This is a free text field used to define the name of the plan for the survey.
- Plan Activity: The type of disclosure survey you intend to plan: control disclosure survey, organization disclosure survey, or subprocess disclosure survey.
- Survey: This field typically contains the disclosure survey you intend to use in the plan.
- Object Survey: This field typically contains the object survey you intend to use in the plan.
- Period, Year, Start Date and Due Date fields contain time dependent attributes of the plan.

Figure 23
The initial screen for disclosure survey planning
Once you select Perform Control Disclosure Survey in the Plan Activity field, additional fields are displayed including:
- Survey: This allows you to define the survey shown in the Disclosure section of the disclosure survey. For the purpose of this article, I entered the survey created in Figure 20.
- Object Survey: This allows you to define the survey shown in the Evaluation section of the disclosure survey. For the purpose of this article, I entered the survey created in Figure 19.
Click the Next button. In the screen that displays, maintain the corresponding regulation you intend to plan for as shown in Figure 24. The regulation that you can choose here is influenced by the regulation maintained in the section – Map plan usage to regulation (Figure 10).

Figure 24
Selection of regulation for disclosure survey planning
Click the Next button. In the screen that displays, select an organization, as shown in Figure 25.

Figure 25
Selection of an organization
Click the Next button. In the screen that displays, choose the radio button Select Specific Controls and highlight the control entry for which you want to plan the disclosure survey as shown in Figure 26.

Figure 26
Selection of control disclosure survey planning
Note
It is possible to select more than one control. However, I have selected a single control to demonstrate this functionality.
Click the Next button. The review screen for the disclosure survey plan displays as shown in Figure 27.

Figure 27
Review page of control disclosure survey
Click the View Objects button. In the screen shown in Figure 28 you can review the definitions of the plan object, especially the recipient of the disclosure survey workflow item.

Figure 28
Review of the recipient of the disclosure survey workflow item
Click the Close button to return to the planner window (Figure 29).

Figure 29
Activation of disclosure survey plan
Click the Activate Plan button. Figure 30 displays with a status message confirming the activation.

Figure 30
Status message for plan activation
Click the Finish button and the planner window closes. The initial planner table (Figure 31) shows the plan schedule with a Completed status.

Figure 31
Status of disclosure survey plan
Execute Disclosure Survey
The recipient of the workflow item, CTL_OWNER in my business example, will receive a workflow item in his workflow inbox. Therefore, log in as CTL_OWNER and navigate to your work inbox via menu path My Home > Work Inbox > Work Inbox. Figure 32 displays.

Figure 32
Control owner work inbox showing disclosure survey workflow item
Choose the workflow item you want to process by clicking the link. Figure 33 displays.

Figure 33
The initial screen for executing the disclosure survey
Observe that the status of the survey has a red bulb, which implies it has not been addressed. Highlight the control and the survey section displays at the lower part of the form as shown in Figure 34.

Figure 34
Survey section of the workflow item
Respond to the survey. You can enter a comment. Choose Yes, or Yes, sometimes, as shown in Figure 35.

Figure 35
Response to the evaluation section of the survey
Click the Disclosure button (Figure 36).

Figure 36
The initial screen for completing the disclosure section of the survey
Respond to the disclosure section of the survey as shown in Figure 37 by choosing Above 80%. Enter a comment in the Comments field. Click the Send for Review button.

Figure 37
Response to the disclosure section of the survey
Figure 38 displays with a status message – Disclosure survey was submitted successfully.
Review Disclosure Survey
Once the survey has been completed by the control owner, the workflow item moves to the control manager. The control manager then performs and reviews the survey. Follow these instructions to execute and review the survey as the control manager.
Log on as the control manager (CTL_MANAGER) and navigate to your inbox via menu path Transaction NWBC > My Home > Work Inbox > Work Inbox. Figure 39 displays.

Figure 39
Control manager's work inbox showing disclosure survey workflow item
Choose the workflow item you want to process by clicking the appropriate link. Figure 40 displays.

Figure 40
The initial screen for the review of disclosure survey
The review screen allows the control manager to check the audit trail of the workflow item by clicking the Check History button. Figure 41 displays showing the name of the control owner who acted on the survey and in what capacity (reviewer or not) and the historical status.

Figure 41
Audit log of disclosure survey
You can also access disclosure survey reports from the review screen by choosing the You can also button. Figure 42 shows the two report options (Disclosure Survey and Disclosure Survey Status).

Figure 42
Reporting options for disclosure survey
For the purpose of this article, I choose the Disclosure Survey Status option. In the screen that displays, choose the Plan Name as shown in Figure 43.

Figure 43
Definition of plan name for disclosure survey status report
Click the Go button. Figure 44 displays with a report showing the status of the disclosure survey. The activity performed by the control owner has the status Completed while the pending review of the disclosure survey by the control manager has the status In Process.

Figure 44
Status of disclosure survey plan
I access this report again later in the article (via the Assessments work center) and look at the output after the reviewer (control manager) has performed his function. To perform the review activity as the control manager, highlight the control and in the survey section that displays, respond (No, Yes, sometimes) to the survey as shown in Figure 45.

Figure 45
Completed evaluation section of the disclosure survey
As I mentioned earlier, it is possible to create ad-hoc issues directly from the disclosure survey. To do this, click the Ad Hoc Issues tab. Figure 46 displays.

Figure 46
Ad-hoc issues section of the disclosure survey
Click the Create button. In the new screen that displays, provide information about the ad-hoc issue you intend to create, as shown in Figure 47, with entries in the Name, Description, Priority, and Issue Date fields.

Figure 47
Definition of attributes for an ad-hoc issue
Click the Submit button. Figure 48 displays with status messages confirming the creation of the ad-hoc issue.

Figure 48
Status message following successful creation of ad-hoc issue
Go back to the evaluation section of the disclosure review screen. Note that the issue I just created is updated in the Ad Hoc Issues tab as shown in Figure 49.

Figure 49
Issue assignment to disclosure survey
Click the Disclosure tab. In the disclosure survey section screen that displays, respond to the survey as shown in Figure 50. Choose the answer between 21% and 80% and enter a comment in the appropriate section.

Figure 50
Performing disclosure survey
Click the Finish button. Figure 51 displays with a status message – Disclosure survey was submitted successfully.

Figure 51
Status message displayed following the completion of disclosure survey review
Monitor Status of the Disclosure Survey
Unlike the other types of surveys in which the plan monitor provides information about planned surveys, the system provides two standard reports to monitor and track disclosure surveys. The reports are the same reports that can be accessed directly in the reviewer screen of the disclosure survey. (Refer to Figure 42.)
Disclosure Survey Details
To access disclosure survey details, follow menu path Transaction NWBC > Assessments > Reports > Disclosure Survey Details. In the screen that displays, enter a value for the plan name as shown in Figure 52.

Figure 52
Plan name definition in the selection criteria definition for disclosure survey details
Click the Go button. Figure 53 displays.

Figure 53
Detailed report on disclosure survey
Disclosure Survey Status
To access the disclosure survey status, follow menu path Transaction NWBC > Assessments > Reports > Disclosure Survey Status. In the screen that displays, enter a value for the plan name in the Plan name field (Figure 54).

Figure 54
The initial screen for disclosure survey reporting
Click the Go button. Figure 55 displays (compare this screen with the one shown in Figure 44 to see the change in status from In Process to Completed).

Figure 55
Status of disclosure survey
Kehinde Eseyin
Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
You may contact the author at eseyinok@gmail.com.