Costs for compliance and fraud prevention have risen significantly in recent years, and in the current economic situation companies are likely to face more regulations in the future, driving costs up further. Companies therefore look for efficiency in the GRC space to realize the true benefits of compliance. One means of more efficient compliance is an integrated solution called Risk-Based Internal Control, which helps ensure continuous compliance with regulatory requirements and company policies, including government mandates, industry standards, and internal policies.
Key Concept
The integrated solution Risk-Based Internal Control (RBIC) consists of three software products: SAP BusinessObjects Process Control 3.0, SAP BusinessObjects Risk Management 3.0, and SAP BusinessObjects Access Control 5.3. SAP BusinessObjects Process Control is the cornerstone of RBIC. Its current 3.0 release has been strongly integrated with SAP BusinessObjects Risk Management 3.0 from both a technical architecture and a data model perspective. An integration scenario with SAP BusinessObjects Access Control 5.3 allows for the inclusion of segregation of duties analysis in the internal control testing framework of the RBIC solution. However, many key features of RBIC already come with SAP BusinessObjects Process Control and can be operated standalone.
A Risk-Based Internal Control (RBIC) process allows you to integrate functionality of SAP BusinessObjects Process Control 3.0, SAP BusinessObjects Risk Management 3.0, and SAP BusinessObjects Access Control 5.3. In doing so, you streamline the management of risk and compliance. The solution provides the following benefits:
- The master data catalog is shared across multiple compliance initiatives and allows for centralized management of relevant master data such as organizational hierarchies, processes, subprocesses, controls, control objectives, risks, and account groups
- Master data change requests provide a formal change request and approval workflow for master data changes, if required
- The multi-compliance framework (MCF) supports parallel management of multiple compliance initiatives such as Sarbanes-Oxley, Japan’s version of Sarbanes-Oxley (J-SOX), and FDA drug regulations. This is a key requirement for companies subject to multiple regulations from various countries, regulatory areas, or internal policies.
- Support of operational compliance initiatives including standardized company-wide FDA compliance processes such as corrective action and preventive action (CAPA) workflows for best practice issue remediation
- Support of top-down, risk-based scoping according to Auditing Standard No. 5 of the Public Company Accounting Oversight Board (PCAOB). This recognized methodology narrows down the number of controls in scope for testing based on a materiality and risk analysis, which keeps the cost of control testing under control.
- The automated rules framework (ARF) enables automated testing based on customer-configured rules or pre-delivered rule content for all core business processes such as financial reporting, order-to-cash, and procure-to-pay. The ARF ensures flexibility and a high degree of automation for internal control testing.
- Integration of SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management: A user in SAP BusinessObjects Risk Management can propose a new control or assign an existing control as a risk response while completeness and effectiveness of the risk response is evaluated and updated by SAP BusinessObjects Process Control.
- Support of manual control testing including offline test plans with the SAP Interactive Forms software by Adobe. Testers can work in remote locations offline with their test plans without system connectivity and later upload them into the system.
- Flexible tabular and graphical reporting and analytics based on Crystal Reports and Xcelsius dashboards supporting drill-down analysis. Users can develop additional reports within the license limitations.
- Aggregation of Deficiencies (AoD) provides executive management improved visibility and awareness of control deficiencies and their deficiency levels. It provides a higher assurance over the integrity of the compliance program by focusing on improving controls with highest deficiency levels.
- Automated generation of datasheets providing a summary book in PDF format of all assessments and tests for a given period to auditors to accelerate audits.
The RBIC process consists of three main phases (Figure 1):
- Phase 1: Document and set up compliance initiatives using a top-down, risk-based approach
- Phase 2: Plan and perform assessments and tests
- Phase 3: Remediate issues and certify results

Figure 1
SAP BusinessObjects solution for RBIC
SAP BusinessObjects Process Control 3.0 provides all key features to implement the complete RBIC process. It also allows for integration with SAP BusinessObjects Risk Management 3.0, to align the management of risk and compliance, and with SAP BusinessObjects Access Control 5.3, to include analysis and remediation of segregation of duties (SoD) risks in automated control testing. I’ll provide an overview of each of the three RBIC phases and relate them to key product features. Note that the phases I describe are intended to group product features in a comprehensible order that may not always coincide with the implementation approach of a given enterprise. Some steps may be omitted if not relevant; others may change slightly in order.
Phase 1: Document and Set Up Compliance Initiatives Using a Top-Down, Risk-Based Approach
The goal of the first RBIC phase is the identification of risks associated with new regulations or policies and the documentation of the associated compliance structure using a top-down, risk-based approach. This approach consists of five steps, illustrated in Figure 2.

Figure 2
Document and set up compliance initiatives and steps
Step 1. Define Processes that Align with Business Initiatives
From a technical perspective, SAP BusinessObjects Process Control’s user interface is based on SAP NetWeaver Portal 7.01. Follow menu path GRC Process Control > Global Compliance Office > Global Compliance Structure and create the following master data objects that will be later shared across multiple compliance initiatives (Figure 3):
- Organizations: Define the organizational hierarchy as needed for your compliance initiatives. Note that the resulting organizational hierarchy usually differs so much from the organizational hierarchy maintained in your SAP ERP Human Capital Management system that there is little point in synchronizing them.
- Accounts: Maintain account groups and assign assertions, general ledger accounts, and risks from the central risk catalog to them. You can assign account groups to subprocesses later.
- Control Objectives: Maintain control objectives and assign risks from the risk catalog to them. Control objectives with their associated risks are later assigned to subprocesses.
- Risk Classification: Create risk categories and central risks in SAP BusinessObjects Process Control 3.0, or take advantage of the integration with SAP BusinessObjects Risk Management 3.0 and use the risks defined there.
- Processes & Controls: Maintain the central process hierarchy made up by processes, subprocesses, and controls. Assign control objectives with their associated risks and account groups with their associated assertions, general ledger accounts, and risks to subprocesses. When creating a control for a given subprocess, select relevant risks from the list of risks associated with the subprocess directly or indirectly via control objectives and account groups.
- Indirect Entity-Level Controls: Maintain and assign the company’s indirect entity-level control hierarchy to represent controls that are documented and evaluated at higher levels in the organization such as code of conduct.

Figure 3
Define all master data that will be used in your various compliance initiatives
Step 2. Identify Top Compliance Risks
Optionally, you can also identify compliance risks through a risk identification process in SAP BusinessObjects Risk Management 3.0. The risks identified in SAP BusinessObjects Risk Management 3.0 are also available in the central risk catalog of SAP BusinessObjects Process Control 3.0 due to the shared data model.
Step 3. Perform High-Level Scoping
This step contains the following tasks:
- Maintain and set up compliance initiatives
- Assign processes and controls to organizations
- Identify organizations and processes in scope through materiality analysis or enterprise risk assessment
Global companies need to adhere to regulatory requirements of each country where they engage in business. In many companies, each initiative is managed separately not only by different individuals, but also by different systems and different procedures. Consequently, there is also a slow ramp-up time. New systems need to be procured, data maintained, users trained, and so on for each compliance initiative. The longer the ramp-up time, the higher is the risk of non-compliance. Another problem is lack of management confidence. There is poor visibility into the health of the compliance initiatives, with non-standardized, often manual processes and reporting. Two or more groups may be maintaining similar master data, leading to redundant evaluations and tests. There are also higher IT costs, with multiple systems to maintain and support.
SAP BusinessObjects Process Control 3.0 comes with an MCF that can handle several different compliance and policy mandates. This helps eliminate the duplication of effort and simplifies the management of compliance initiatives by using common master data across the entire environment. It also improves the visibility of your compliance initiatives significantly, as management can now monitor and report on them using a central, standardized interface. You simply set up the compliance initiatives relevant to you once and start sharing the master data you have previously created in the Global Compliance Office page of the application. Each compliance initiative adds an additional page for this initiative to the portal user interface of SAP BusinessObjects Process Control 3.0 (Figure 4). During the setup of a compliance initiative you assign it to a regulation type (e.g., financial or operational compliance) that has previously been customized to contain specific features. For example, you can configure the availability of the following features for a selected regulation type:
- Account groups and financial assertions
- AoD
- CAPA remediation plans with or without eSignature
- Sign-off procedures
- Custom fields

Figure 4
Portal page added by setting up the compliance initiative for Sarbanes-Oxley in SAP BusinessObjects Process Control 3.0
After the setup is completed, you assign organizations subject to your new compliance initiative. You continue adding all relevant subprocesses and controls from the global process catalog to your compliance initiative using the Processes & Controls link in the portal page representing the new compliance initiative. You continue assigning these subprocesses and controls to the organizations you have previously assigned to the new compliance initiative. The assignment can either be instantiated as a copy for later localization or as a reference to the original object in the process catalog. As a result, subprocesses and controls are assigned to organizations in the context of the new compliance initiative. This setup provides the base for the top-down, risk-based scoping approach.
Regulatory agencies such as the SEC and the PCAOB encourage companies to focus on areas where there is the greatest risk that internal controls over financial reporting (ICFR) fail to prevent or detect a material misstatement in the financial statements. New general auditing standards include:
- Focus on incorporating a top-down approach to planning the audit
- Emphasis on the importance of auditing higher risk areas, such as the financial statement close process and controls designed to prevent fraud by management
- A range of alternatives for auditors that address lower risk areas, such as by more clearly demonstrating how to calibrate the nature, timing, and extent of testing based on risk
In general, management documents and discusses with their external auditors how they have performed their top-down risk assessment to ultimately determine the scope of control evaluations.
SAP BusinessObjects Process Control 3.0 fully supports top-down, risk-based scoping following the approach of PCAOB Auditing Standard No. 5. This approach consists of the following sequence of activities (Figure 5):
- Materiality analysis based on the significance of account groups on corporate and organization level
- Enterprise risk assessment on subprocess level
- Control risk assessment on control level
- Determination of the test strategy

Figure 5
Top-down, risk-based scoping approach for compliance testing
The first two activities define the high-level scoping, whereas the control risk assessment and the test strategy already fall into the second phase of the RBIC process (which I’ll explain later). The idea behind this approach is to narrow down the number of controls in scope for testing, focusing on the areas with the highest compliance risk. Setting the right focus with this recognized methodology saves cost for compliance testing. In summary, the materiality analysis is based on capturing general ledger account balances and thresholds for their significance. As a result, organizations and subprocesses with significant account groups are flagged as in scope by the system. In-scope subprocesses then undergo the enterprise risk assessment, which is planned by the internal control manager and assessed in a workflow by the organization owners. As a result, each in-scope subprocess is assigned a risk level, which is later used to determine the test strategy.
Step 4. Identify Business Owners and Users
To use the workflow-driven scenarios effectively you need to assign business owners to entities such as organizations, processes, subprocesses, and controls, and set up users for them in SAP BusinessObjects Process Control 3.0 and in the portal providing the user interface. You also need to set up internal control managers and auditors. The SAP BusinessObjects Process Control 3.0 security concept allows for controlling the list of users who are potential candidates for these roles. It is also possible to customize the recipients of workflow tasks for a given business event. For example, you can configure whether the workflow task to perform a control design assessment is sent to the subprocess owner, to the control owner, or to both.
Step 5. Maintain Assessment and Testing Catalogs
This step contains the following two tasks:
- Define and document question and survey library for assessments
- Define test plans for manual testing
Assessments such as indirect entity-level design assessment, subprocess design assessments, control design assessments, or self-assessments are based on surveys consisting of a list of questions. You create the questions first in the question library and reuse the questions when you create surveys in the survey library. The surveys in the survey library are then available for planning assessments.
Define test plans consisting of one or multiple steps containing detailed test instructions and specify sampling methods and the criteria for failure of the test plan. The test plans are then available for planning manual control testing.
Phase 2: Plan and Perform Assessments and Tests
The goal of the second RBIC phase is the alignment of planning and scheduling of testing in accordance with the compliance calendar of your enterprise, execution of tests, reporting of test results, and issue creation to kick off remediation workflows. This phase consists of five steps illustrated in Figure 6.

Figure 6
Plan and perform assessments and tests
Step 1. Identify Controls and Map Them to Risks
This step contains the following tasks:
- Review control proposals
- Implement proposed controls
- Perform a control risk assessment
- Determine the required level of evidence
The integration with SAP BusinessObjects Risk Management 3.0 provides the option to risk managers in SAP BusinessObjects Risk Management 3.0 to assign an existing control or propose a new control as a risk response. This creates workflow items sent to subprocess owners in SAP BusinessObjects Process Control 3.0 who have to approve the control assignment or control proposal and implement the control in the system.
After all controls are identified and implemented in the system, you’re ready to perform the control risk assessment to complete the top-down, risk-based scoping for compliance testing. The internal control manager sends workflow items to all subprocess owners whose subprocesses were flagged as in scope during the high-level scoping. The subprocess owner provides estimates for various factors such as control complexity or a history of control failure. The system then evaluates the control risk level using a customizable weighted average of these factors. With the risk level from the enterprise risk assessment and the control risk level from the control risk assessment, two independent risk levels are available to the system to derive the required level of evidence for a given control, which determines its test strategy (Figure 7):
- Tier 1: Control design assessment and control effectiveness test
- Tier 2: Intermediate testing and control monitoring
- Tier 3: Self-assessment

Figure 7
Risk level and control risk level determine the required level of evidence and the test strategy
While planning assessments and tests the system allows for selecting organizations and subprocesses flagged as in scope and controls based on scoping specific criteria such as control risk level or required level of evidence. This concludes the top-down, risk-based scoping approach.
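Carrying the scoping activities through in code makes the data flow concrete: the materiality analysis and enterprise risk assessment from Phase 1, Step 3, and the control risk assessment and tier derivation described above. The following is an added illustration written for this article, not code from SAP BusinessObjects Process Control. The materiality threshold, the factor names and weights, the Low/Medium/High cut-offs, and the mapping of the two risk levels to a tier are assumptions chosen for the example, since the page gives the structure of the approach but not its configured values.

```python
"""Top-down, risk-based scoping carried through in code.

Illustrative model (example code, not the product's own logic) of: materiality
analysis, enterprise risk assessment, control risk assessment, and derivation of
the required level of evidence. Thresholds, factor weights and the level-to-tier
mapping are assumptions for this example.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

@dataclass
class AccountGroup:
    name: str
    balance: float            # general ledger balance captured for the organization

@dataclass
class Control:
    name: str
    factors: dict             # control risk factor -> rating 1 (favourable) .. 5 (unfavourable)

@dataclass
class Subprocess:
    name: str
    account_groups: list
    controls: list
    era_level: str = "Low"    # risk level assigned in the enterprise risk assessment

@dataclass
class Organization:
    name: str
    materiality: float        # threshold at or above which an account group balance is significant
    subprocesses: list

# Assumed factor weights (the product lets you customize the factors and their weights).
FACTOR_WEIGHTS = {"complexity": 0.4, "failure_history": 0.4, "change_frequency": 0.2}

def is_significant(org, account_group):
    return abs(account_group.balance) >= org.materiality

def high_level_scope(org):
    """Materiality analysis: a subprocess is in scope when at least one of its
    account groups is significant at this organization's threshold."""
    return [sp for sp in org.subprocesses
            if any(is_significant(org, ag) for ag in sp.account_groups)]

def control_risk_level(control, weights=FACTOR_WEIGHTS):
    """Weighted average of the factor ratings, mapped to Low/Medium/High (assumed cut-offs)."""
    score = sum(weights[f] * control.factors[f] for f in weights) / sum(weights.values())
    return "High" if score >= 3.5 else "Medium" if score >= 2.5 else "Low"

def required_evidence_tier(era_level, ctrl_level):
    """Assumed mapping of the two independent risk levels to a test strategy tier:
    any High -> Tier 1, otherwise any Medium -> Tier 2, otherwise Tier 3."""
    if "High" in (era_level, ctrl_level):
        return 1
    if "Medium" in (era_level, ctrl_level):
        return 2
    return 3

TEST_STRATEGY = {1: "control design assessment and control effectiveness test",
                 2: "intermediate testing and control monitoring",
                 3: "self-assessment"}

def scope_controls(org):
    """Full pass: only controls of in-scope subprocesses are evaluated, and each
    receives the tier that determines how it will be tested."""
    rows = []
    for sp in high_level_scope(org):
        for c in sp.controls:
            level = control_risk_level(c)
            tier = required_evidence_tier(sp.era_level, level)
            rows.append({"subprocess": sp.name, "control": c.name, "era_level": sp.era_level,
                         "control_risk_level": level, "tier": tier, "strategy": TEST_STRATEGY[tier]})
    return rows

# Constructed sample organization (not real data).
SALES_EMEA = Organization("Sales EMEA", materiality=1_000_000.0, subprocesses=[
    Subprocess("Order-to-cash: billing",
               [AccountGroup("Revenue", 25_000_000.0)],
               [Control("Three-way match", {"complexity": 4, "failure_history": 5, "change_frequency": 2}),
                Control("Credit limit check", {"complexity": 2, "failure_history": 1, "change_frequency": 1})],
               era_level="Medium"),
    Subprocess("Petty cash",
               [AccountGroup("Cash on hand", 40_000.0)],
               [Control("Monthly cash count", {"complexity": 1, "failure_history": 1, "change_frequency": 1})],
               era_level="Low"),
])

if __name__ == "__main__":
    for row in scope_controls(SALES_EMEA):
        print(row)
```

With the sample data, the petty cash subprocess falls below the materiality threshold and its control is never assessed; of the two billing controls, the three-way match scores High on control risk and lands in Tier 1, while the credit limit check scores Low but still gets Tier 2 because the subprocess itself was rated Medium in the enterprise risk assessment. That second case is the point of keeping the two risk levels independent: a low-risk control in a high-risk subprocess is not simply waved through to self-assessment.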
Step 2. Plan Assessments and Tests
This step contains the following tasks:
- Plan assessments, tests, and monitoring
- Perform assessments and tests
- Raise issues for remediation
When planning assessments you select a survey from the survey library and use the guided procedure available in the planner feature to select the organizations and entities such as subprocesses and controls that are to be assessed, and define the start and due date for the assessment.
You can base tests of control effectiveness either on manual test plans or on automated controls. Before you can plan a manual test of control effectiveness with the planner feature, you need to assign the previously created test plans to the controls to be tested. The preferred method is to use automated controls where possible: a higher degree of automation reduces the cost of testing and allows a rule to examine the full population of records rather than the sample a manual test plan prescribes. For this reason, you can consider the ARF one of the key product capabilities and differentiators of SAP BusinessObjects Process Control 3.0. It allows for automated control testing in remote SAP systems using existing SAP queries, SAP NetWeaver Business Warehouse (SAP NetWeaver BW) queries, standard reports, or complex customer programs. You can also configure rules in SAP BusinessObjects Process Control 3.0 for change log checks on configuration and master data, or value checks on configuration, master data, and transaction tables in remote SAP systems. Because these rules read data in the connected systems, the user under which each connection runs should have read-only authorizations limited to the tables, queries, and reports the rules need; a control test whose own connection user could alter the data it examines is weaker evidence than its result suggests. SAP BusinessObjects Process Control also delivers out-of-the-box rule content containing more than 200 pre-packaged rules and scripts for automated control testing covering all your core business processes (Figure 8). Adapter software from SAP’s software partner Greenlight permits you to include third-party applications in the automated testing.

Figure 8
Out-of-the-box rule content for automated control testing with SAP BusinessObjects Process Control 3.0
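To show what the two rule kinds mentioned above actually evaluate, here is an added example written for this article; it is not the ARF or any SAP code. It runs a value check against a snapshot of a configuration table and a change log check against change records for a test period, and turns any exceptions into an issue for the remediation workflow described later in the article. The table and field names (PAYMENT_TOLERANCE, VENDOR_MASTER, bank_account), the sample rows and the change records are constructed for the example.

```python
"""Illustrative evaluator for automated control tests.

Example code (not the automated rules framework itself): a value check against a
table snapshot, a change log check against change records for a test period, and
issue creation when a rule fails. Table and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

@dataclass
class ChangeLogEntry:
    table: str
    key: str                  # record key, e.g. vendor number
    field: str
    old: str
    new: str
    user: str
    changed_on: date

@dataclass
class Rule:
    name: str
    kind: str                                 # "value_check" or "change_log_check"
    table: str
    field: str
    compliant: Optional[Callable] = None      # value_check: predicate on the field value
    approved_users: frozenset = frozenset()   # change_log_check: changes by these users are expected

def run_value_check(rule, snapshot):
    """Every row whose field value fails the predicate is an exception."""
    return [row for row in snapshot.get(rule.table, []) if not rule.compliant(row[rule.field])]

def run_change_log_check(rule, change_log, period_start, period_end):
    """Every change to the monitored field inside the test period by a user who is
    not on the approved list is an exception (changes outside the period are ignored)."""
    return [e for e in change_log
            if e.table == rule.table and e.field == rule.field
            and period_start <= e.changed_on <= period_end
            and e.user not in rule.approved_users]

def run_rule(rule, snapshot, change_log, period):
    if rule.kind == "value_check":
        exceptions = run_value_check(rule, snapshot)
    elif rule.kind == "change_log_check":
        exceptions = run_change_log_check(rule, change_log, *period)
    else:
        raise ValueError(f"unknown rule kind {rule.kind!r}")
    result = {"rule": rule.name, "status": "FAIL" if exceptions else "PASS", "exceptions": exceptions}
    if exceptions:
        # A failed automated test creates an issue; the issue owner decides on remediation.
        result["issue"] = {"title": f"{rule.name}: {len(exceptions)} exception(s)",
                           "period": period, "status": "open"}
    return result

def run_all(rules, snapshot, change_log, period):
    return [run_rule(r, snapshot, change_log, period) for r in rules]

# Constructed sample data standing in for a configuration snapshot and change
# records read from a remote system (assumed table and field names).
SNAPSHOT = {
    "PAYMENT_TOLERANCE": [   # per-company tolerance for invoice/PO price differences
        {"company": "1000", "tolerance_pct": 5.0},
        {"company": "2000", "tolerance_pct": 15.0},
    ],
}
CHANGE_LOG = [
    ChangeLogEntry("VENDOR_MASTER", "V-100042", "bank_account", "IBAN-A", "IBAN-B", "JSMITH", date(2009, 3, 2)),
    ChangeLogEntry("VENDOR_MASTER", "V-100077", "bank_account", "", "IBAN-C", "BATCH_MDM", date(2009, 3, 10)),
    ChangeLogEntry("VENDOR_MASTER", "V-100042", "bank_account", "IBAN-B", "IBAN-A", "AMILLER", date(2009, 5, 1)),
    ChangeLogEntry("VENDOR_MASTER", "V-100042", "payment_terms", "N30", "N60", "JSMITH", date(2009, 3, 2)),
]
PERIOD = (date(2009, 1, 1), date(2009, 3, 31))

RULES = [
    Rule("Price tolerance within policy", "value_check", "PAYMENT_TOLERANCE", "tolerance_pct",
         compliant=lambda v: v <= 10.0),
    Rule("Vendor bank account changes reviewed", "change_log_check", "VENDOR_MASTER", "bank_account",
         approved_users=frozenset({"BATCH_MDM"})),
]

if __name__ == "__main__":
    for res in run_all(RULES, SNAPSHOT, CHANGE_LOG, PERIOD):
        print(res["rule"], res["status"], len(res["exceptions"]))
```

Both rules fail on the sample data: company 2000 exceeds the 10% tolerance, and one vendor bank account change in the period was made by a user outside the approved list, while the change by the approved master data interface and the change after the period end are correctly left out, as is the payment terms change that the rule does not monitor. Each failure carries its exceptions with it, so the issue handed to the issue owner already names the records to look at.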
Assessors and testers receiving the corresponding workflow tasks perform assessments and manual tests of effectiveness, whereas automated control tests are conducted by the system. Testers can download manual test plans as SAP Interactive Forms and work with them in remote locations without system connectivity and upload them later into the system (Figure 9).

Figure 9
Offline test plan based on SAP Interactive Forms for testing in remote locations without system connectivity
If assessors or testers identify deficiencies, they can create issues and assign an issue owner for further follow-up. The issue owner receives a workflow task and decides whether the issue can be closed or a remediation plan is required. In the case of automated control testing, the system creates issues if deficiencies are detected. Issue remediation is covered in phase 3 of the RBIC process.
Step 3. Remediate Access
One particular case of automated control testing is the integration of the risk analysis of access and authorization related risks executed in SAP BusinessObjects Access Control 5.3 into the automated testing. After some initial configuration, SAP BusinessObjects Process Control 3.0 automatically starts a risk analysis via Web service in SAP BusinessObjects Access Control 5.3. If SoD violations are found, issues are created for later access remediation or mitigation. For more details on this, see Raj Behera’s articles “Create a Centralized Control Management System by Integrating Access and Process Controls” and “Integrate Access and Process Controls in the Latest Releases of SAP BusinessObjects Solutions for GRC.”
Step 4. Monitor Control Effectiveness
It is a best practice to continuously monitor the effectiveness of key controls in preparation for the formal test of effectiveness. Controls assigned as risk responses are also assigned percentage values for their completeness and effectiveness in SAP BusinessObjects Risk Management 3.0. These values are updated based on the results of a completed design assessment and test of effectiveness, respectively, executed in SAP BusinessObjects Process Control 3.0 for these controls.
Step 5. Update Risk Exposure
Updated values for completeness and effectiveness of controls assigned as risk responses also automatically update the residual risk level of the respective risks monitored in SAP BusinessObjects Risk Management 3.0. The details here are controlled by customizing settings in SAP BusinessObjects Risk Management 3.0. Changes to residual risks may lead to a change in overall risk exposure in some of your business areas and require actions such as assigning additional risk responses to your risks, or reprioritizing your investments.
Phase 3: Remediate Issues and Certify Results
The goal of the last RBIC phase is the review of the results of your compliance activities, the remediation of identified issues, and the certification, sign-off, and audit of your results. This last phase consists of the three steps illustrated in Figure 10.

Figure 10
Remediate issues and certify results
Step 1. Review and Remediate Issues
Assessors or testers create issues when they detect deficiencies in the context of a given compliance initiative and assign an issue owner for further follow-up. The issue owner reviews the issue and decides whether a remediation plan is required or the issue can be solved immediately and closed. Financial compliance initiatives only require a simple remediation plan specifying the tasks and a remediation owner, who receives the remediation plan as a workflow task. Once the remediation tasks are complete, the remediation owner sends the workflow item back to the issue owner, who reviews the remediation tasks and closes the issue. When all issues for a given assessment or test are closed, assessors or testers can reassess or retest, respectively.
However, operational compliance initiatives such as initiatives targeting compliance with FDA regulations require more elaborate CAPA remediation processes including root cause analysis, contingencies, and electronic signatures. As explained in the context of the MCF in SAP BusinessObjects Process Control 3.0 users can configure for each compliance initiative whether simple remediation workflows or CAPA workflows are used for issue remediation.
Step 2. Report and Analyze Compliance Results
SAP BusinessObjects Process Control 3.0 comes with a wide variety of reports and dashboards with drill-down capability based on Crystal Reports and Xcelsius dashboards (Figure 11). These reports and dashboards allow for cross-compliance or compliance-specific reporting on your risk and compliance structures, status tracking of compliance monitoring, testing, assessments, and issue remediation, change analytics, audit logs, and more. Users can develop additional reports to meet specific reporting requirements. This gives your management improved visibility of the status of your compliance initiatives.

Figure 11
Crystal Reports and Xcelsius dashboards to report on compliance setup, status, and results
After the testing, remediation, and retesting phases are completed for the fiscal year you can use the AoD feature to assess control deficiency levels for each failed control and assess an aggregated deficiency level for a group of failed controls. At the end of an AoD assessment, a deficiency level is assigned to the fiscal year. AoD reports provide to executive management an improved visibility of control deficiencies and a higher assurance over the integrity of the compliance program. AoD helps you to focus on improving controls with the highest deficiency levels.
Step 3. Perform Sign-Off and Audit
Sign-off enables executive management to formally attest to the effectiveness of its internal controls. When performing sign-off, management effectively approves its compliance results. The sign-off also provides an accountability trail that is particularly useful when a company has several subsidiaries within the scope of its compliance initiatives. For example, a CFO has to sign off for the entire company composed of several organizations. SAP BusinessObjects Process Control 3.0 allows assignment of sign-off accountability for each organization. It also allows the CFO to monitor the sign-off status of each organization subject to sign-off. Compliance data for the fiscal year is frozen when sign-off is performed. This helps to ensure that historical accuracy is maintained.
Sign-off also closes the year for testing. Thus, it is important to ensure that compliance tests are completed and corresponding results are validated prior to sign-off. Open issues and remediation plans remain open and are carried forward so they can be closed in later periods. The sign-off is executed in the system via workflow tasks in a bottom-up flow. The sign-off task is routed to the inbox of the lowest level organization owner, who reviews issues and remediation status and responds to the sign-off survey to perform the sign-off. The sign-off freezes the organization’s master data and transactions for the sign-off period. If there is a higher level organization unit that is subject to sign-off, a sign-off task is routed to the higher level organization owner until it reaches the top-level organization subject to sign-off. When the CEO or CFO performs sign-off at the corporate level, the certification process is completed.
The sign-off may be followed by an audit executed by external auditors, who review your approach to compliance testing and its results. To accelerate these audits, SAP BusinessObjects Process Control comes with the practical datasheet feature. It automatically generates a summary of all assessments and tests for a given period as a PDF. This saves time and provides your auditors with all required information to accelerate the audit.
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.