Learn how different compliance initiatives can coexist within a central compliance management repository while harnessing existing master data. This leads to a more efficient regulatory adherence process.
Key Concept
Compliance initiatives are a set of regulations and legislations that an enterprise is expected to adhere to strictly in the process of conducting its business activities. The compliance initiatives that organizations are expected to comply with differ based on metrics such as localization, size, and industry sector. The multicompliance management capability of SAP Process Control 10.0 can help you face the challenge of managing different regulations centrally. A typical organization is faced with the business need of managing one or more regulations, procedures, or policies. Some common compliance initiatives include the US Sarbanes-Oxley Act, Japanese SOX (J-SOX), Health Insurance Portability and Accountability Act (HIPAA), US Food and Drug Administration (FDA), and the German Data Protection Law. Aside from these standard regulations, organizations also need to set up corporate policies (or internal controls) that define the corporate and strategic philosophy of the business enterprise. For all these regulations and policies, organizations need to ensure and enforce strict compliance to avoid undesirable implications as a result of noncompliance, such as litigation, fines, and outright blacklisting.
As the need to ensure sanity in the way businesses are managed locally and globally rises, it is evident that companies will continue to see an increase in the number of regulations that dictate how business is conducted, especially in the best interest of investors. This inevitable trend will be especially challenging for multinational corporations, which must comply with their local regulations and standards as well as with related global standards. The consolation is that, although the different regulations are distinct, they will probably share metrics (driven by master data) that can be used to evaluate compliance. Let’s quickly examine three distinct regulations: the Sarbanes-Oxley Act, the Payment Card Industry (PCI) Data Security Standard, and the Gramm-Leach-Bliley Act (GLBA).
The Sarbanes-Oxley Act is geared towards data security and information integrity, and is designed to ensure that financial information is accurate, as well as to ensure the reliability and effectiveness of the system that produces it. The Payment Card Industry (PCI) Data Security Standard is geared towards fraud prevention and data privacy, and it ensures that organizations comply with information security obligations as they relate to data protection, safeguarding against intrusion, and access control. The Gramm-Leach-Bliley Act is aimed at ensuring data privacy by compelling organizations to have in place administrative, physical, and technical infrastructures that guarantee security protection, integrity, and confidentiality of the customer’s financial information. A quick deduction shows that even though these regulations are unique, they will still likely need to access the same or similar master data elements, such as risks, processes, controls, mitigation controls, and test plans, to drive compliance control, monitoring, and reporting.
If the capability to leverage shared master data holds for regulations with seemingly different focus areas, there is no need to over-emphasize that potential for closely related regulations, such as the Sarbanes-Oxley Act (section 302 [management certification] and section 404 [management evaluation and report on internal controls]) and J-SOX (the Japanese flavor of the US Sarbanes-Oxley Act). Therefore, a system capable of harmonizing these master data elements in a central repository, in a format that makes them reusable by different regulations, is clearly valuable.
Managing these varying regulations can often be challenging, especially if you do not have a central infrastructure that provides tight integration and reusable master data capabilities. SAP Process Control 10.0 provides the central repository for managing diverse regulations via its multicompliance framework (MCF) toolset. This capability eliminates redundant data: if you have five or 10 regulations to comply with, you do not necessarily need to create distinct master data elements for each, especially when you have already defined master data that you can adapt or even use as is. This promises a significant gain in efficiency in the central management of different compliance initiatives. This article provides a step-by-step procedure for setting up a new regulation while taking advantage of existing master data.
Note
I assume that all post-installation activities for SAP Process Control 10.0 have been performed, especially as they relate to the activation of business sets for FDA and SOX regulations. The concerned business sets for Sarbanes-Oxley Act include:
- GRFN-PNS-SOX (Plan usage for Sarbanes-Oxley Act regulation)
- GRPC-AGENTSLOTC-SOX (Sarbanes-Oxley Act roles to receive tasks in workflow)
- GRPC-MCF-SOX (Regulation/Policy for Sarbanes-Oxley Act)
- GRPC-ROLE-SOX (Roles for regulation/policy for Sarbanes-Oxley Act)
The concerned business sets for FDA include:
- GRFN-PNS-FDA (Plan usage for FDA regulation)
- GRPC-AGENTSLOTC-FDA (FDA roles to receive tasks in workflow)
- GRPC-MCF-FDA (Regulation/Policy for FDA)
- GRPC-ROLE-FDA (Roles for regulation/policy for FDA)
I discuss the following activities as they relate to leveraging SAP Process Control 10.0 for multiple compliance management:
- Create and maintain PFCG Roles
- Create subtypes for attributes related to regulations
- Define compliance initiative
- Associate regulations to plan usage
- Perform role assignment to regulations
- Maintain custom agent determination rules
- Maintain regulations in the master data work center
To learn how to use the multicompliance framework with SAP Process Control 3.0, see Frank Rambo’s article titled “Manage Multiple Compliance Initiatives Effectively Leveraging Shared Master Data.” I now describe the activities that are invaluable for the successful setup of the multicompliance framework in SAP BusinessObjects Process Control 10.0.
Create and Maintain PFCG Roles
SAP Process Control 10.0 has standard and model roles that are used to drive the authorization concept of the application. The model roles usually have the prefix SAP_GRC_SPC. Furthermore, specific roles are designed to address the authorization needs of the management of compliance initiatives. It is a best practice to copy the model roles and maintain them appropriately, according to the needs of the operating business environment. Model roles can be copied and maintained via the profile generator (transaction PFCG). After the successful role copy operation, it is important to generate profiles for the roles accordingly.
To demonstrate how to complete this task, I copied the model roles delivered with the application for the Sarbanes-Oxley Act regulation. Specifically, I copied and maintained the role SAP_GRC_SPC_SOX_AUT_SPECIALIST. To copy the model roles into your own namespace, follow menu path Tools > Administration > User Maintenance > Role Administration > Roles or use transaction PFCG. Enter a search criterion (e.g., *SOX*) as shown in Figure 1.

Figure 1
The initial screen for role maintenance
Press F4 (input help). In the pop-up screen click the green checkmark or press Enter (Figure 2).

Figure 2
Define selection criteria for role maintenance
Figure 3 displays all the model roles related to the Sarbanes-Oxley Act regulation.

Figure 3
Model roles for Sarbanes-Oxley Act regulation
Select a role and choose the copy icon. In the dialog box that appears (Figure 4), enter a new value for the target role name (e.g., Z_SAP_GRC_SPC_INT_CTRL_AUT_SPECIALIST).

Figure 4
Define source and destination role names
Leave the source role name unchanged (Figure 5).

Figure 5
Maintain the target role name
Click the Copy all button. Figure 6 displays with a status message for the copy operation.

Figure 6
Status message for successful role copy operation
The next operation in the role maintenance process is to maintain authorization data and generate profiles for the role. Click the change icon and maintain the role description (Figure 7).

Figure 7
Maintain the role description
In the Authorizations tab, click the icon beside Change Authorization Data (Figure 8).

Figure 8
Authorization tabs of the role maintenance screen
Click the Yes button in the Save the role dialog box (Figure 9).

Figure 9
Save the role prompt during role maintenance
In the next screen, click the save icon (Figure 10).

Figure 10
Maintain a profile for a role
The next screen allows you to change the profile name and description (Figure 11). Click the green checkmark or press Enter.

Figure 11
Maintain the profile name and description
A status message appears in the next screen (Figure 12).

Figure 12
The status message for successful profile maintenance
Click the Generate icon. A status message appears in the next screen (Figure 13).

Figure 13
The status message for successful profile generation
Repeat the same process of copying and maintaining roles for the other model roles. When you are done, use transaction SUPC (Roles: Mass generation of profiles). In the next screen, you see the list of the profiles that you have generated (Figure 14).

Figure 14
Profile generation status for copied model roles
Create Subtypes for Attributes Related to Regulations
Subtypes act as a repository for storing attributes specific to compliance initiatives. This customizing activity allows you to create a unique subtype for infotypes associated with compliance initiatives. Suffice it to say that all infotypes related to regulations must be associated with a specific subtype for a particular compliance initiative. The concerned infotypes for the maintenance of compliance initiatives include:
- Relevance (5302)
- Control Details (5304)
- ELC Details (5306)
- Regulation Specific Flag (5307)
- Settings: Subprocess (5311)
- Settings: Organization (5313)
- Settings: Local ELC (5315)
- Test Plan (5326)
- MCF Organization Attributes (5337)
- Scope (5338)
The SAP Process Control 10.0 system has two standard subtypes related to regulations: 5000 (SOX Regulation) and 5100 (FDA Regulation). You can create additional subtypes for every new compliance initiative by copying and consequently maintaining any of the standard subtypes.
The procedure I outline in this section guides you through the process of maintaining subtypes for infotypes associated with regulations. Follow menu path SPRO > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Process Control > Multiple-Compliance Framework > Define Subtypes for Regulation Specific Attributes or use transaction OOSU (Figure 15).

Figure 15
The initial screen for the maintenance of subtypes for regulation-specific infotypes
For the purpose of this procedure, I created a new subtype (for the new compliance initiative) using the SOX subtype as a template. Therefore, I highlighted all the infotypes associated with the SOX subtype (5000), as shown in Figure 16.

Figure 16
Infotypes associated with the SOX subtype
Choose the copy icon in Figure 16. A list of the copied infotypes appears (Figure 17).

Figure 17
Copied entries for subtype maintenance
Maintain the Subtyp (e.g., 9000) and Subtype text (e.g., SAPKEN-INT-CTRL) columns appropriately, as shown in Figure 18. For the Subtyp field, use any number between 9000 and 9999.

Figure 18
Maintain subtyp and subtype fields
Press Enter. A dialog box appears asking you to specify an object to be copied (Figure 19).

Figure 19
Notification for definition of objects to be copied
Click the Copy all button. On the next screen, click the green checkmark or press Enter (Figure 20).

Figure 20
Notification for maintenance of local control object during subtype copy operation
On the next screen (Figure 21), click the green checkmark (or press Enter).

Figure 21
Notification for maintenance of central control object during subtype copy operation
In the dialog box that appears, click the green checkmark or press Enter (Figure 22).

Figure 22
Notification about the status of subtype copy operation
Repeat the steps in Figures 19 through 22 until all entries are copied. Figure 23 displays with a status message.

Figure 23
Summary message for copy operation of subtypes
Click the save icon. On the next screen, you see a status message (Figure 24).

Figure 24
Status message for successful subtype copy operation
Configure a New Compliance Initiative
The core capability of the multicompliance framework is to jointly manage different regulations and policies of an organization. Following the activation of the corresponding business sets, you populate two regulations in the standard system. The application allows you to create additional regulations that are centrally managed together. The customizing activities involved in the configuration of the new compliance initiative include:
- Creation of a new regulation configuration and association with subtype
- Maintenance of the regulation type
- Association of compliance initiative with regulation type
- Maintenance of the account group master data for regulation type
- Maintenance of business transactions (AOD – Aggregation of deficiencies, CAPA – Corrective Action Preventive Action and SIGN-OFF – Sign-Off Procedures) for regulation types
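Before walking through the screens, here is a small consistency check, added as an example here and not part of SAP Process Control or of the original article, that captures what the subtype copy in the previous section and the regulation configuration's STy assignment in this section must achieve together: every regulation-relevant infotype needs an entry for the new subtype, the subtype must lie in the customer range 9000 to 9999 unless it is one of the standard subtypes 5000 or 5100, and the regulation configuration must point at a subtype that actually has entries. The in-memory rows, the field names and the deliberately incomplete copy of subtype 9000 are constructed for the example; they do not reproduce SAP's table layouts.

```python
"""Completeness check for regulation-specific subtypes and their use by a
regulation configuration (added example, not SAP code).

The in-memory rows stand in for the entries maintained in transaction OOSU
(Define Subtypes for Regulation Specific Attributes) and for the STy field of
a regulation configuration. Field names and the row layout are assumptions
made for this example; they do not reproduce SAP's tables.
"""
from dataclasses import dataclass

# Infotypes that must carry an entry for every compliance initiative
# (the list given in the article).
REGULATION_INFOTYPES = {
    "5302": "Relevance",
    "5304": "Control Details",
    "5306": "ELC Details",
    "5307": "Regulation Specific Flag",
    "5311": "Settings: Subprocess",
    "5313": "Settings: Organization",
    "5315": "Settings: Local ELC",
    "5326": "Test Plan",
    "5337": "MCF Organization Attributes",
    "5338": "Scope",
}

# Subtypes delivered with the standard system.
STANDARD_SUBTYPES = {"5000": "SOX Regulation", "5100": "FDA Regulation"}

# Customer subtypes for new compliance initiatives must lie in 9000..9999.
CUSTOMER_SUBTYPE_RANGE = range(9000, 10000)


@dataclass(frozen=True)
class RegulationConfig:
    name: str           # e.g. SAPKEN-INT-CTRL
    description: str
    subtype: str        # the STy field of the regulation configuration


def _rows_for(subtype, infotypes=REGULATION_INFOTYPES):
    """One (infotype, subtype) row per regulation infotype."""
    return [(infotype, subtype) for infotype in infotypes]


# Constructed sample: (infotype, subtype) rows as they would look after copying
# subtype 5000. The copy to 9000 is deliberately left incomplete (5326 and
# 5338 missing) so that the check has something to report.
SUBTYPE_ROWS = (
    _rows_for("5000")
    + _rows_for("5100")
    + [row for row in _rows_for("9000") if row[0] not in ("5326", "5338")]
)


def missing_infotypes(subtype, rows=SUBTYPE_ROWS):
    """Regulation infotypes that have no entry for the given subtype."""
    present = {infotype for infotype, st in rows if st == subtype}
    return sorted(it for it in REGULATION_INFOTYPES if it not in present)


def validate_regulation(cfg, rows=SUBTYPE_ROWS):
    """Return a list of problems for one regulation configuration; empty means OK."""
    problems = []
    if cfg.subtype not in STANDARD_SUBTYPES and (
        not cfg.subtype.isdigit() or int(cfg.subtype) not in CUSTOMER_SUBTYPE_RANGE
    ):
        problems.append(
            f"{cfg.name}: subtype {cfg.subtype} is neither a standard subtype "
            "nor in the customer range 9000-9999"
        )
    if not any(st == cfg.subtype for _, st in rows):
        # Nothing was copied for this subtype, so there is no point listing
        # every infotype individually.
        problems.append(f"{cfg.name}: subtype {cfg.subtype} has no infotype entries at all")
        return problems
    for infotype in missing_infotypes(cfg.subtype, rows):
        problems.append(
            f"{cfg.name}: infotype {infotype} ({REGULATION_INFOTYPES[infotype]}) "
            f"has no entry for subtype {cfg.subtype}"
        )
    return problems


if __name__ == "__main__":
    for cfg in (
        RegulationConfig("SOX", "Sarbanes-Oxley Act", "5000"),
        RegulationConfig("SAPKEN-INT-CTRL", "SAPKEN INTERNAL CONTROL", "9000"),
    ):
        for line in validate_regulation(cfg) or [f"{cfg.name}: OK"]:
            print(line)
```

Run against the constructed rows, the SOX configuration passes and the new SAPKEN-INT-CTRL configuration reports the two infotypes (5326 Test Plan and 5338 Scope) whose subtype entries were never copied, which is exactly the situation the "repeat until all entries are copied" step in the subtype procedure is meant to prevent.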
To configure a new compliance initiative, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > Process Control > Multiple-Compliance Framework > Configure Compliance Initiatives. Highlight the SOX regulation configuration. Choose the copy as icon (Figure 25).

Figure 25
Select a regulation configuration
Maintain the entries in the regulation configuration (e.g., SAPKEN-INT-CTRL), regulation configuration description (e.g., SAPKEN INTERNAL CONTROL), and STy (e.g., 9000) fields, as shown in Figure 26.

Figure 26
Create a new regulation configuration
Click the green checkmark or press Enter. Highlight the new regulation configuration (Figure 27).

Figure 27
Highlight regulation configuration for maintenance
Double-click the Define Regulation Type option under the Dialog Structure menu (Figure 28).

Figure 28
Define a regulation type
Highlight a regulation type (e.g., FINANCIAL), as shown in Figure 29.

Figure 29
Highlight a regulation type
Double-click the Regulation Configuration Assignments option under the Define Regulation Type menu (Figure 30). Click the New Entries button.

Figure 30
Regulation configuration assignment
On the next screen, enter values under the Regulation Configuration column (Figure 31). Click the save icon.

Figure 31
Assign regulation configuration to a regulation type
A status appears on the next screen indicating that your data was successfully saved (Figure 32).

Figure 32
The status message for successful assignment of regulation configuration to regulation type
Highlight the appropriate regulation configuration, as shown in Figure 33.

Figure 33
Highlight regulation configuration
Double-click the Master Data option under the Define Regulation Type menu. Confirm that the entity ACC_GROUP checkbox is set to active (selected), as shown in Figure 34.

Figure 34
Maintain master data during configuration of a compliance initiative
Highlight the Entity ID entry, ACC_GROUP, as shown in Figure 35.

Figure 35
Highlight the Entity ID entry
Double-click Business Transactions. Confirm that AOD and SIGN-OFF business transactions checkboxes are activated (selected), as shown in Figure 36.

Figure 36
Maintain business transactions during configuration of compliance initiative
If you made changes, save your entries by using the save icon. In my case, I did not maintain any entry when I saved. Therefore, I received the status message shown in Figure 37.

Figure 37
Status message for saving entries for configuration of compliance initiative
Associate Regulations to Plan Usage
The assignment of regulation to plan usage is an important customizing activity, because it allows you to define the behavior of a compliance initiative based on the setting for the corresponding plan usage. As a prerequisite to performing this customizing activity, you need to have maintained the Plan usage via menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > Common Component Settings > Planning and Scheduling > Define Plan Usage. It is important to state that SAP provides business sets for plan usage for SAP Process Control 10.0.
To assign regulations to plan usage, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > Process Control > Multiple-Compliance Framework > Relate Regulation to Plan Usage. On the initial screen that appears, highlight specific plan usages (e.g., plan usages associated with SOX regulation), as shown in Figure 38. Click the copy as icon.

Figure 38
Highlight plan usage for specific regulation configuration
Maintain the Regulation Configuration field to reflect the new regulation initiative (Figure 39).

Figure 39
Copied plan usage assignments
Click the save icon. On the next screen, you receive a message indicating that your data was saved successfully (Figure 40).

Figure 40
Status message for successful assignment of plan usage to regulation configuration
Perform Role Assignment to Regulations
After you copy and maintain model roles associated with regulations, you need to perform role provisioning for defined regulations. Follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > Process Control > Authorizations > Maintain Regulation Role Assignment. To limit the display entries, press the Selection button and select By Contents … from the drop-down menu (Figure 41).

Figure 41
Limit the entries displayed
In the Field Selection dialog box, highlight the Regulation Configuration field entry, as shown in Figure 42.

Figure 42
Select a field for limiting screen display
Click the green checkmark and enter values for the Operator (O.) and Field Contents fields (e.g., = and SOX, respectively), as shown in Figure 43. Click the Choose button.

Figure 43
Define criteria to limit the display screen
The next screen (Figure 44) appears with a status message.

Figure 44
Model roles related to SOX regulation
Highlight all the roles and choose the copy as icon. The next screen appears with a status message (Figure 45).

Figure 45
Copied model roles related to SOX regulation
Maintain the entries by changing the role and regulation configuration, as shown in Figure 46. Press Enter.

Figure 46
Assign roles to regulation configuration
Click the save icon. The next screen appears with a status message indicating that your data was saved (Figure 47).

Figure 47
Status message for successful assignment of roles to regulation
Maintain Custom Agent Determination Rules
You use this customizing activity to define roles that receive workflow requests for tasks. It is important to maintain this assignment if roles have been copied from the model roles or if you have created roles in your own namespace. To perform this customizing activity, follow menu path SPRO > SAP Reference IMG > Governance, Risk and Compliance > General Settings > Workflow > Maintain Custom Agent Determination Rule.
Use the same selection approach shown in Figures 41 through 43 to limit the record display. This time, use the selection criteria Role, CS (contains character string), and SOX for the Field description, Operator, and Field Contents fields, respectively. When you have limited the record display to your selected criteria, a screen appears with a status message stating the number of records filtered (Figure 48).

Figure 48
Filtered record for SOX regulation-related custom agent assignment for workflow
Select all records and click the copy as icon. The next screen (Figure 49) displays a status message.

Figure 49
Define target entries for the copy operation of business events
Maintain the role assignment of the individual entries with the corresponding record, as shown in Figure 50.

Figure 50
Maintain custom agent determination rules for workflow tasks
Click the save icon. The next screen appears with a status message (Figure 51).

Figure 51
The status message for successful maintenance of custom agent determination rules for workflow tasks
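As an added example (neither SAP's code nor the article's own), the following check expresses the two rules from this section and the previous one: the roles assigned to a new regulation configuration should be copies in your own namespace rather than the delivered SAP_GRC_SPC model roles, and every such role needs a custom agent determination rule, since those rules define which roles receive workflow tasks. The standard regulations SOX and FDA are exempted from the model-role rule because their role assignments come from the GRPC-ROLE-SOX and GRPC-ROLE-FDA business sets. The row layout, the event names and all sample rows except the two role names taken from the article are constructed assumptions for this example.

```python
"""Audit of role provisioning for a regulation configuration (added example,
not SAP code).

The list-of-tuple "tables" below stand in for the customizing entries
maintained under Maintain Regulation Role Assignment and Maintain Custom
Agent Determination Rule. Their layout is an assumption for this example and
does not reproduce SAP's table structures.
"""

MODEL_ROLE_PREFIX = "SAP_GRC_SPC"      # prefix of the delivered model roles
CUSTOMER_NAMESPACES = ("Z", "Y")       # where copied roles are expected to live

# Regulation configurations whose role assignments are delivered by business
# sets; model roles are expected there and are not flagged.
STANDARD_REGULATIONS = {"SOX", "FDA"}

# Constructed sample data. SAP_GRC_SPC_SOX_AUT_SPECIALIST and
# Z_SAP_GRC_SPC_INT_CTRL_AUT_SPECIALIST are the role names used in the article;
# every other row is made up for the check.
ROLE_ASSIGNMENTS = [
    # (role, regulation configuration)
    ("SAP_GRC_SPC_SOX_AUT_SPECIALIST", "SOX"),
    ("Z_SAP_GRC_SPC_INT_CTRL_AUT_SPECIALIST", "SAPKEN-INT-CTRL"),
    ("Z_SAP_GRC_SPC_INT_CTRL_CTRL_OWNER", "SAPKEN-INT-CTRL"),   # constructed role
    ("SAP_GRC_SPC_SOX_AUT_SPECIALIST", "SAPKEN-INT-CTRL"),      # model role used directly
]

AGENT_RULES = [
    # (role, business event); event names are constructed placeholders
    ("SAP_GRC_SPC_SOX_AUT_SPECIALIST", "EXAMPLE_EVENT"),
    ("Z_SAP_GRC_SPC_INT_CTRL_AUT_SPECIALIST", "EXAMPLE_EVENT"),
    # Z_SAP_GRC_SPC_INT_CTRL_CTRL_OWNER has no rule on purpose
]


def roles_for(reg_config, role_assignments=ROLE_ASSIGNMENTS):
    """Roles assigned to one regulation configuration, in table order."""
    return [role for role, rc in role_assignments if rc == reg_config]


def audit_regulation_roles(reg_config, role_assignments=ROLE_ASSIGNMENTS,
                           agent_rules=AGENT_RULES):
    """Return findings for one regulation configuration; empty means OK."""
    roles = roles_for(reg_config, role_assignments)
    if not roles:
        return [f"{reg_config}: no roles assigned to this regulation configuration"]

    roles_with_rules = {role for role, _event in agent_rules}
    findings = []
    for role in roles:
        if role.startswith(MODEL_ROLE_PREFIX):
            if reg_config not in STANDARD_REGULATIONS:
                findings.append(
                    f"{reg_config}: model role {role} is assigned directly; "
                    "copy it into your own namespace and assign the copy instead"
                )
        elif not role.startswith(CUSTOMER_NAMESPACES):
            findings.append(f"{reg_config}: role {role} is outside the customer namespace")
        if role not in roles_with_rules:
            findings.append(
                f"{reg_config}: role {role} has no custom agent determination rule, "
                "so workflow tasks for this regulation cannot be routed to it"
            )
    return findings


if __name__ == "__main__":
    for reg in ("SOX", "SAPKEN-INT-CTRL"):
        for line in audit_regulation_roles(reg) or [f"{reg}: OK"]:
            print(line)
```

With the constructed rows, SOX passes, while SAPKEN-INT-CTRL is reported twice: once for the model role that was assigned without first being copied, and once for the copied role that was assigned to the regulation but never given an agent determination rule.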
Maintain Regulations in the Master Data Work Center
The work center is the user interface for accessing SAP GRC 10.0 applications, including SAP Process Control. The work center represents a central environment that allows users to work in the system based on assigned roles in the back-end SAP GRC system; you access it via the SAP NetWeaver Business Client (NWBC) or via the SAP Enterprise Portal. Operational activities, such as maintenance of regulations, are performed via the work center.
To maintain regulations in the work center, access the master data tab of the work center of SAP GRC 10.0. Go to Regulations and Policies > Regulations. Expand the regulation hierarchy and create a regulation under a regulation group (e.g., SAPKEN Regulation), as shown in Figure 52.

Figure 52
Create a regulation
Click the Create button. Select Regulation from the drop-down list of options. Enter values for the Name, Description, and Assign Regulation Configuration fields, as shown in Figure 53.

Figure 53
Define a regulation
Click the Save button. The newly created regulation appears in the next screen (Figure 54).

Figure 54
The status message for the successful creation of a new regulation
The next activity is to associate subprocesses to the regulation. Access the Activities and Processes section of the master data work center. Follow menu path Activities and Processes > Business Processes. Navigate to the subprocess that you want to associate with the regulation, as shown in Figure 55.

Figure 55
Defined processes and subprocesses
Press the Open button. On the next screen, select the Regulations tab (Figure 56).

Figure 56
Maintain subprocess master data
Associate the subprocess to a regulation by selecting it from a list of available regulations (Figure 57). Click the OK button.

Figure 57
Highlight the regulation to be assigned to a subprocess
Now click the Save button (Figure 58).

Figure 58
Assign a regulation to a subprocess
The next screen appears with a status message indicating that your data was saved successfully (Figure 59).

Figure 59
The status message for successful association of the regulation to the subprocess
Kehinde Eseyin
Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
You may contact the author at eseyinok@gmail.com.