Since companies have been required to identify and assess the design and operating effectiveness of their internal controls, many of them have ended up producing too much documentation and performing more testing than necessary, driving up the cost of compliance. Regulatory agencies such as the US Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB) encourage companies to focus on the areas where the risk is greatest that internal controls over financial reporting would fail to prevent or detect a material misstatement in the financial statements. SAP BusinessObjects Process Control 3.0 supports a top-down, risk-based scoping based on PCAOB Auditing Standard No. 5 (AS5). Learn how these scoping instruments work and how they provide a powerful scoping method when applied in combination.
Key Concept
SAP BusinessObjects Process Control 3.0 optimizes business operations and ensures compliance by centrally monitoring key controls for business processes and cross-enterprise IT systems. It effectively manages business control risks with an integrated solution for control design, documentation, and real-time monitoring to transform manual compliance activities into automated and facilitated control management processes. With its reporting framework and dashboards it increases confidence in control effectiveness by visualizing complex control environments, analyzing trends and patterns in control activity, and identifying gaps to optimize performance.
Newer auditing standards such as PCAOB Auditing Standard No. 5 help companies narrow down the number of controls in scope for testing. Companies can focus on the areas with the highest compliance risk and save on the cost of compliance testing. Key elements of the standard include:
- A top-down approach to planning the audit
- Emphasis on the importance of auditing higher risk areas
- A range of alternatives for auditors that addresses lower risk areas and a transparent methodology for calibrating the nature, timing, and extent of testing based on risk
SAP BusinessObjects Process Control 3.0 comes with instruments to efficiently scope your evaluations for the next audit cycle. Applied in combination, they provide a powerful scoping method that follows a top-down, risk-based approach. In a nutshell, SAP BusinessObjects Process Control delivers the following scoping instruments (Figure 1):
- Materiality analysis
- Risk assessment
- Control risk assessment
- Testing strategy

Figure 1
Sequence of features in SAP BusinessObjects Process Control 3.0 to facilitate a top-down, risk-based scoping
During the materiality analysis, significant account groups are identified, and the subprocesses and organizations associated with significant account groups are set in scope for your evaluations. A subsequent risk assessment and control risk assessment of the in-scope subprocesses determines which level of evidence is needed to satisfy the regulatory requirements and thereby defines the testing strategy for your subprocesses and controls. Higher risk areas require full tests of control effectiveness and design assessments, whereas low risk areas may only require self-assessments or can be omitted from your evaluations entirely. Not all of these instruments have to be applied during scoping. For example, instead of an account group-based materiality analysis, privileged users can set organizations and subprocesses in scope manually. This allows the remaining scoping instruments to be applied to non-financial compliance initiatives where account groups are not relevant.
In summary, applying a top-down, risk-based approach to scoping delivers the following benefits:
- Reduction of costs and audit cycles
- Integration of risk management and risk mitigation
- Deployment of scarce and costly resources to higher-value compliance tasks
- Increased control effectiveness while reducing number of controls in scope
In the following sections I’ll explain in detail how the scoping instruments mentioned above work and provide some remarks on the required customizing, which is generally straightforward. As a prerequisite, I’ll assume that your compliance initiatives and master data (organizations, subprocesses, controls, account groups, risks, control objectives, regulations, and their relationships) have already been set up in your SAP BusinessObjects Process Control system.
Materiality Analysis
Materiality analysis determines how significant a potential misstatement of a financial reporting element, such as an account or a disclosure, would be. For both internal and external auditing, it is important to evaluate the potential magnitude of financial misstatement errors. Accounts with large balances are generally considered significant and require testing, but qualitative factors may also influence what is ultimately considered to be in scope. For this reason, SAP BusinessObjects Process Control allows you to add organizations and subprocesses to the scope manually as well. The materiality analysis is executed in two steps, in the following order:
- Consolidated level materiality analysis
- Compliance and organization-specific level materiality analysis
Log on to SAP BusinessObjects Process Control and open the Global Compliance Office to perform the consolidated level materiality analysis. Choose Global Compliance Structure > Accounts > Consolidated Balances and Significance (Figure 2). This screen lists your account group hierarchy as defined during master data setup. For each account group, enter the consolidated balance manually or upload it via the predelivered template. The information collected is time frame and currency dependent. Then enter a significance threshold, which controls the inclusion of significant accounts at the corporate level. The threshold itself is determined outside the system and agreed on with your external auditors. Click the Apply Significance Threshold button, and the system marks as significant all account groups with balances equal to or higher than the threshold. You can also manually tag additional account groups as significant and provide a reason. Save and exit the screen. This prepares the system for the second step, the compliance- and organization-specific materiality analysis.

Figure 2
Perform consolidated level materiality analysis
Now navigate to the compliance initiative for which you want to do the scoping. For example, navigate to SOX > Compliance Structure > Accounts > Organization-Level Balances and Significance (Figure 3). The system displays your organization structure on the left and, on the right, the account groups that were tagged as significant during the consolidated level materiality analysis and are at the same time associated with the selected organization. The relationship between organizations and account groups is established during the master data setup in SAP BusinessObjects Process Control.

Figure 3
Perform compliance initiative- and organization-specific materiality analysis
In the central process catalog, you tie subprocesses to account groups and during the setup of your compliance initiatives you assign subprocesses to organizations. This indirectly relates organizations to account groups. Some organizations may display an empty list of account groups because none of their subprocesses is tied to an account group that was tagged as significant during the consolidated level materiality analysis.
Proceed organization by organization and maintain the balance values for each listed account group, either manually or by uploading the predelivered Microsoft Excel template. Again, the information is time frame dependent; you select the time frame in the upper part of the screen. Then enter the significance threshold for the compliance- and organization-specific materiality analysis. This threshold applies to all organizations associated with the Sarbanes-Oxley compliance initiative, but it can differ from the threshold you defined for the consolidated level materiality analysis. Again, its value is determined outside the system and agreed on with your external auditors.
Then click the Apply Significance Threshold button. The system now tags account groups as Significant for Org Unit, applying the following algorithm:
- Account groups whose balance at the organizational level is equal to or higher than the significance threshold are tagged right away.
- For account groups whose balance does not reach the threshold in any organization, the system applies an aggregation method: it tags the account group at the organizational level in descending order of balance values until the sum of the tagged balances exceeds the threshold. The system outputs a notification message for each account group to which the aggregation method was applied and enters the comment "by aggregation method" in the Reason field at the organizational level (Figure 3).
Let’s go through a short example. Assume account group 1 has a consolidated balance of US$3,000,000 and the significance threshold for the consolidated level materiality analysis is US$2,500,000, so account group 1 is tagged as significant at the consolidated level. Further assume a significance threshold of US$1,000,000 at the compliance- and organization-specific level and the following balances of account group 1 at the organizational level:
- Organization 1: US$400,000
- Organization 2: US$200,000
- Organization 3: US$100,000
- Organization 4: US$300,000
- Organization 5: US$500,000
In this example, none of the balances of account group 1 at the organizational level reaches the threshold of US$1,000,000. Therefore, the system applies the aggregation method and tags account group 1 as Significant for Org Unit in the order organization 5, organization 1, and organization 4. The system then stops, because the sum of these three balances, US$1,200,000, exceeds the threshold. Organizations 2 and 3 are not tagged for account group 1.
Click the Submit button, and the system sets in scope all organizations and subprocesses that are associated with account groups tagged as Significant for Org Unit. A user with the required authorizations can override the In Scope check box for organizations and subprocesses (Figures 4 and 5).
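The two-step analysis and the aggregation method described above, worked through in code. This is an added example, not code from the article or from SAP BusinessObjects Process Control; the function names and data structures are assumptions chosen for illustration. The sample data reproduces the article's numbers for account group 1 and adds a second, constructed account group and a few constructed subprocess assignments to show how the In Scope settings follow from the tags. Where the article does not say what happens (an exact tie with the threshold, or balances that never add up to it), the choice made here is marked as an assumption in the code.

```python
"""Two-step materiality analysis, as described in the article.

Added example, not SAP code. Data structures and names are assumptions;
only the tagging rules follow the article. Choices the article does not
cover are marked "assumption" below.
"""

AGGREGATION_REASON = "by aggregation method"       # Reason text quoted in the article
AT_OR_ABOVE_THRESHOLD = "balance at or above threshold"  # assumed wording


def significant_account_groups(consolidated_balances, threshold, manual=None):
    """Step 1, consolidated level: tag every account group whose consolidated
    balance is equal to or higher than the threshold. Manual tags (with their
    reason) are kept in addition. Returns {account_group: reason}."""
    tags = {group: AT_OR_ABOVE_THRESHOLD
            for group, balance in consolidated_balances.items() if balance >= threshold}
    for group, reason in (manual or {}).items():
        tags.setdefault(group, reason)
    return tags


def tag_significant_for_org_unit(org_balances, threshold):
    """Step 2 for one account group. org_balances maps organization -> balance
    at the organizational level. Returns {organization: reason} for each
    organization tagged Significant for Org Unit, in tagging order."""
    tags = {org: AT_OR_ABOVE_THRESHOLD
            for org, balance in org_balances.items() if balance >= threshold}
    if tags:
        return tags
    # No organization reaches the threshold on its own: aggregation method.
    # Walk organizations in descending order of balance and tag until the
    # running sum reaches the threshold. Assumption: ">=" (the article says
    # "exceeds"); the two differ only on an exact tie.
    running = 0
    for org, balance in sorted(org_balances.items(), key=lambda item: item[1], reverse=True):
        if balance <= 0:        # assumption: zero balances add nothing, stop here
            break
        tags[org] = AGGREGATION_REASON
        running += balance
        if running >= threshold:
            break
    # Assumption: if the balances never add up to the threshold, every
    # organization with a positive balance has been tagged by now.
    return tags


def scope_from_materiality(org_balances_by_group, significant_groups, threshold,
                           org_subprocesses, subprocess_groups):
    """Derive In Scope settings from the step 2 tags.
    org_balances_by_group: {account_group: {organization: balance}}
    org_subprocesses:      {organization: [subprocess, ...]}   (compliance initiative)
    subprocess_groups:     {subprocess: {account_group, ...}}  (central process catalog)
    Returns (organizations in scope, {(organization, subprocess)} in scope,
             {account_group: {organization: reason}})."""
    tags = {}
    for group in significant_groups:                 # only consolidated-significant groups
        balances = org_balances_by_group.get(group)
        if balances:
            tags[group] = tag_significant_for_org_unit(balances, threshold)
    orgs_in_scope, subprocesses_in_scope = set(), set()
    for group, by_org in tags.items():
        for org in by_org:
            orgs_in_scope.add(org)
            for subprocess in org_subprocesses.get(org, ()):
                if group in subprocess_groups.get(subprocess, ()):
                    subprocesses_in_scope.add((org, subprocess))
    return orgs_in_scope, subprocesses_in_scope, tags


def run_article_example():
    """Constructed data: the article's figures for account group 1, plus an
    assumed second account group and assumed subprocess assignments."""
    consolidated = {"Account group 1": 3_000_000, "Account group 2": 1_200_000}
    significant = significant_account_groups(consolidated, threshold=2_500_000)
    org_balances = {
        "Account group 1": {"Organization 1": 400_000, "Organization 2": 200_000,
                            "Organization 3": 100_000, "Organization 4": 300_000,
                            "Organization 5": 500_000},
        "Account group 2": {"Organization 1": 900_000},   # not significant: never consulted
    }
    org_subprocesses = {"Organization 1": ["Order to Cash", "Payroll"],
                        "Organization 2": ["Order to Cash"],
                        "Organization 5": ["Order to Cash"]}
    subprocess_groups = {"Order to Cash": {"Account group 1"}, "Payroll": {"Account group 2"}}
    return significant, scope_from_materiality(org_balances, significant, 1_000_000,
                                               org_subprocesses, subprocess_groups)


if __name__ == "__main__":
    significant, (orgs, subprocesses, tags) = run_article_example()
    print("significant at consolidated level:", sorted(significant))
    print("tagging order for account group 1:", list(tags["Account group 1"]))
    print("organizations in scope:", sorted(orgs))
    print("subprocesses in scope:", sorted(subprocesses))
```

Running the module prints the tagging order for account group 1 (organization 5, 1, 4), the three organizations set in scope, and the subprocess instances set in scope. Note that a subprocess at an organization that was not tagged for the account group (organization 2 here) stays out of scope even though the same subprocess is in scope at other organizations, which is exactly the per-organization In Scope behaviour shown in Figures 4 and 5.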

Figure 4
Organization set in scope during materiality analysis

Figure 5
Subprocess set in scope during materiality analysis as a result of its association to an account group
You can set organizations and subprocesses in scope for one time frame and not in scope for another. SAP predelivers a variety of time frames from which you can choose; you set the active one as the materiality analysis frequency by following IMG menu path GRC Process Control > Scoping > Maintain Scoping Materiality Analysis Frequency. The most common choice is an annual analysis frequency. However, corporation-specific circumstances might require a shorter analysis frequency; in emerging markets or in new industries, for example, a shorter frequency is often required.
Risk Assessment
In the SAP BusinessObjects Process Control data model, subprocesses are associated with risks that are either inherent to the subprocess itself or assigned via account groups and control objectives. The second scoping step consists of an assessment of these risks with the objective of evaluating a risk level for each risk. The risk assessment is executed as a sequence of workflow steps within the given compliance initiative (e.g., Sarbanes-Oxley).
The Sarbanes-Oxley internal control manager kicks off the risk assessment using the five-step guided procedure of the Planner feature for subprocesses, available via menu path SOX > Evaluation Setup > Planner:
Step 1. Enter Plan Details. Select Perform Risk Assessment from the drop-down list for the Plan Activity (Figure 6). Then choose the appropriate Period, Year, Start Date, and Due Date for the risk assessment.

Figure 6
Enter plan details of the guided procedure to kick off a risk assessment provided by the Planner feature
Step 2. Select Organizations. Select the organization for which you want to plan a risk assessment. Select from the drop-down list Organizations in Scope to display only organizations that were set in scope during the materiality analysis (Figure 7).

Figure 7
Select organizations that were set in scope during the materiality analysis
Step 3. Perform Selection. Set the radio button to Select by Subprocess Attributes and select the check box In Scope to select all subprocesses tied to the selected organizations that were set in scope during the materiality analysis (Figure 8).

Figure 8
Perform the selection of all subprocesses that were set in scope during the materiality analysis
Step 4. Review. Check your selections and click the Activate Plan button (Figure 9).

Figure 9
Review your selection
Step 5. Confirmation. Verify the system confirmation that the risk assessment was successfully created (Figure 10).

Figure 10
Confirm that the risk assessment has been kicked off successfully
By default, the workflow tasks for a risk assessment are sent to the inboxes of the users granted the global organization owner role for the selected organizations. You can change the recipients of workflow tasks by following IMG menu path GRC Process Control > Authorizations > Maintain Roles to Receive Workflow Tasks. The global organization owners open the workflow tasks and estimate a Probability and an Impact Level for each listed risk by selecting from drop-down lists.
You can customize the available probabilities and impact levels in the IMG under GRC Process Control > Scoping > Define Impact Levels and GRC Process Control > Scoping > Probability Levels. From the estimated probability and impact level, the system derives an overall risk level and displays it in the last column of the risk assessment screen (Figure 11). You can maintain the risk level matrix from which the overall risk level is derived by following IMG menu path GRC Process Control > Scoping > Maintain Risk Level Matrix. Finally, you can define the color codes for your risk heat map by following IMG menu path GRC Process Control > Scoping > Maintain Risk Level and Colors.

Figure 11
Risk Assessment workflow task completed by the global organization owner
When a global organization owner submits the risk assessment for his or her organization, it is sent to the inbox of the Sarbanes-Oxley internal control manager for review. The Sarbanes-Oxley internal control manager has the following options during the review of the risk assessment:
- Accept risk assessment
- Accept risk assessment with changes: Overwrite probabilities and impact levels and add a comment (Figure 12)
- Reject risk assessment: Workflow task is sent back to global organization owner for rework

Figure 12
Review of risk assessment – accept with changes screen
The risk assessment concludes when the Sarbanes-Oxley internal control manager accepts the risk assessment, with or without changes. The results of the risk assessment are accessible through menu path SOX > Report Center > Evaluation > Risk Assessment Results (Figure 13).

Figure 13
Report displaying results from risk assessment
Control Risk Assessment
The control risk assessment is also driven by workflow within the given compliance initiative (e.g., Sarbanes-Oxley) and works very much the same way as the risk assessment. The Sarbanes-Oxley internal control manager kicks off the control risk assessment with the Planner in the same way as the risk assessment, but selects Perform Control Risk Assessment from the drop-down list as the Plan Activity.
Note
During the setup of a compliance initiative, you assign the subprocesses and controls tied to it to organizations in the context of that compliance initiative. You can establish this assignment via two alternative methods: by reference or as a copy. The latter allows the subprocess master data to be localized in the organizational context. Note that in the Planner you can only select controls for a control risk assessment that belong to subprocesses assigned as a copy to the selected organizations.
By default, the Sarbanes-Oxley subprocess owners are the recipients of the workflow tasks. When they have completed the control risk assessment for each control of their subprocesses, the workflow task is sent for review to the Sarbanes-Oxley internal control manager. Again, he or she can accept, accept with changes, or reject the control risk assessment. In the latter case, the workflow task is sent back to the responsible Sarbanes-Oxley subprocess owner for rework; otherwise, the workflow concludes.
The system evaluates the control risk rating as a weighted sum of control risk factors, which are estimated by the Sarbanes-Oxley subprocess owners during the control risk assessment (Figure 14). You can customize the control risk factors and their weights by following IMG menu path GRC Process Control > Scoping > Control Risk Factor. The system comes predelivered with the following control risk factors; their preconfigured weights are noted in parentheses:
- Complexity (3.0)
- History of Control Failure (2.0)
- Judgment to Operate (2.0)
- Potential for Management Override (3.0)

Figure 14
Workflow task of a control risk assessment
The system calculates the control risk rating as a numerical value between 0 and 1. You can change the preconfigured numerical ranges that map this value to an overall rating of High, Medium, or Low by following IMG menu path GRC Process Control > Scoping > Set Control Rating Range. Once the control risk assessment, including its review, is completed, the system displays a control risk rating for each assessed control (Figure 15).

Figure 15
As a result of the control risk assessment, the system adds a control risk rating to each assessed control and evaluates the Level of Evidence
Level of Evidence and Testing Strategy
During master data setup, controls are associated with a subset of the risks that are tied to their subprocesses, either inherently or via control objective or account group assignments. As a result of the risk assessment, each of these risks carries a rating for its overall risk level (Figure 13). For each control, the system combines the control risk level with the risk level of each risk associated with it and calculates the level of evidence required to satisfy the regulatory requirements for that control (Figure 16). You can customize the available levels of evidence by following IMG menu path GRC Process Control > Scoping > Set Level of Evidence Value. The system comes with the following preconfigured levels of evidence:
- Tier 1: No Testing
- Tier 2: Self-Assessment
- Tier 3: Control Design Assessment + Control Effectiveness
- N/A

Figure 16
Calculation of the required level of evidence and determination of the test strategy
You can customize how the system combines risk and control risk levels into a resulting level of evidence by following IMG menu path GRC Process Control > Scoping > Set Level of Evidence. The level of evidence identifies high, medium, and low risk areas and implies a test strategy as described above. A report that summarizes, for each control, the results of the risk and control risk assessments and displays the resulting level of evidence is available via menu path SOX > Report Center > Evaluation > Testing Strategy by Control (Figure 17). The system also displays the level of evidence with the master data of each control (Figure 15).

Figure 17
Testing strategy by control report
In summary, the described scoping instruments provide the following attributes as additional filter criteria when planning evaluations with the Planner tool:
- Organizations: In-scope setting
- Subprocesses: In-scope setting
- Controls: Control risk level and level of evidence (Figure 18)

Figure 18
Use control risk and level of evidence to filter controls that are in scope for your evaluations
They permit you to implement your test strategy and plan your evaluations as the result of a top-down, risk-based scoping approach.
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.