Too often, controls are managed using inadequate tools (e.g., point solutions, document repositories, and spreadsheets) that require too much manual tracking and updating. With SAP BusinessObjects Process Control 3.0, you can streamline issue identification and remediation with automated task notification and workflow-driven remediation plans.
Key Concept
SAP BusinessObjects Process Control 3.0 comes with an advanced concept of application roles defining ownership of relevant business objects and delivering the required level of security within the application. The application manages different types of evaluations such as design assessments, continuous control monitoring, and test of effectiveness. It sends task notifications to the holders of the responsible application roles, or executes them automatically as automated control scripts in your SAP ERP systems. SAP BusinessObjects Process Control 3.0 manages the following types of evaluations for subprocesses and controls through surveys, manual test plans, and automated control scripts:
- Subprocess design assessments
- Control design assessments
- Self-assessments of controls by the control owners
- Test of control effectiveness with manual test plans
- Automated or semi-automated test of control effectiveness
- Automated control monitoring
The term controls refers here to both controls linked to a subprocess and indirect entity level controls (iELC) linked directly to an organization (e.g., code-of-conduct). In general, each of these evaluation types runs through the following basic steps:
- Evaluation by the assessors, testers, or the system
- Optional review of the results by a reviewer
- Issue identification and documentation, if deficiencies are found
- Issue remediation by issue owners and documented by remediation plans
- Optional reevaluation by the assessors or testers (for manual evaluations only)
The recipients of the related workflow task notifications are determined by the SAP BusinessObjects Process Control security concept. For details, refer to the Security Guide > SAP Business Objects Process Control 3.0 > Risk management 3.0 available in SAP Service Marketplace at https://service.sap.com/instguides. A high-level summary is provided in Table 1. During manual evaluations with surveys and manual test plans, assessors and testers document new issues within the application and can select any SAP BusinessObjects Process Control user as the owner of the issue, unless the second-level authorization capability is activated in the IMG customizing. In the latter case, you can only select the holders of the application roles indicated in Table 1 for the respective process, subprocess, or control as issue owners.

Table 1
Recipients of workflow tasks for evaluations, review, and issue remediation
Workflow-based notifications alert issue owners of failed tests, design issues, and potential risks (e.g., fraud). Issue owners kick off remediation plans processed in a subsequent remediation workflow, which ensures speedy and comprehensive issue resolution. During this process, detailed documentation of detected issues and remediation action items is provided, permitting a complete audit of the issue resolution process. Remediation workflows and the format of remediation plans depend on the requirements of the given regulation. SAP BusinessObjects Process Control supports both remediation workflows and plans for financial and operational compliance initiatives. Later in this article, I’ll run through an example for both.
Activation of Reviews and Reevaluations
You can activate the optional review of evaluation results for each evaluation type separately by following IMG menu path Evaluation Setup > Assessment and Test > Specify Whether Review Is Necessary (Figure 1). If you have automated or semi-automated controls, a review only happens if the system detected a deficiency during execution of the automated control script.

Figure 1
Activation of the review of evaluation results and remediation plans
As with reviews, you can activate reevaluations for each evaluation type separately by following IMG menu path Evaluation Setup > Assessment and Test > Specify Reevaluation Necessity and Time Lag. The global IMG settings for review and reevaluation define the default for each business object type (e.g., control, subprocess, or process).
You can overwrite these default settings in the context of a given compliance initiative or organization to which the respective subprocess and its associated process and controls are assigned. This is possible for subprocesses assigned either as a copy from or as a reference to the central process catalog in SAP BusinessObjects Process Control. The local settings for review and reevaluation (also known as review and repeat settings) are always made at the next-level object. For example, the review and repeat settings for control design assessments are made in the respective local subprocess. If SOX is the compliance initiative under investigation, navigate in SAP BusinessObjects Process Control to SOX > Compliance Structure > My Processes and search for the subprocess to which your control is tied (Figure 2).

Figure 2
Local review and repeat settings for evaluations for the controls tied to the subprocess Execute Credit Management in the context of the SOX initiative
Similarly, you need to set the review and repeat settings for subprocess design assessments on the level of the respective process to which the subprocesses are tied (Figure 3). The review and repeat settings for iELC evaluations are made on the level of the respective organization in SOX > Compliance Structure > Organizations (Figure 4).

Figure 3
Review and repeat settings for subprocesses tied to the business process Credit and Collections

Figure 4
Review and repeat settings for indirect entity level controls tied to the organization CRG-Field-Accounting-UK
Remediation Plans and Workflows for Financial Compliance
SAP BusinessObjects Process Control supports best practice remediation workflows for financial compliance initiatives (Figure 5). You can establish the association of a new compliance initiative in SAP BusinessObjects Process Control to financial or operational best practice remediation plans and workflows by following IMG menu path GRC Process Control > Multiple Compliance Framework > Configure Compliance Initiatives. Here, you configure the particular features of a regulation type such as FINANCIAL and assign new compliance initiatives to it. For more details, refer to my article, “Manage Multiple Compliance Initiatives Effectively Leveraging Shared Master Data.”

Figure 5
Remediation workflow on a high level for financial compliance initiatives
Issues are detected and documented during evaluations such as assessments or tests (which can be manual or automated). The evaluator (the assessor, the tester, or, in the case of automated tests, the system) creates and documents issues and assigns them to an issue owner. Figure 6 displays an issue attached to a manual test executed by a tester upon receiving the corresponding workflow task. The system sends the respective Start Issue Remediation task to the workflow inbox of the issue owner. The issue owner opens the workflow item, which contains the respective evaluation object (a particular assessment or test), and reviews the issue attached to it. Note that multiple issues with different issue owners can be attached to the same evaluation. The issue owner has four options for reacting to the issue: He or she can void the issue, assign a different issue owner, close minor issues without a remediation plan, or assign a remediation plan with a plan owner (Figure 7).

Figure 6
Issue raised by the tester in the context of a manual test plan

Figure 7
Remediation plan assigned by the issue owner to a plan owner
In the latter case, the system sends the Enter Details for Remediation Plan task to the assigned remediation plan owner, who then clicks Start the Plan to define the details of the required remediation actions to be executed by the processors. Alternatively, the plan owner can reassign the plan if he or she doesn’t feel responsible for it. Depending on the review settings of the given evaluation (Figures 1, 2, and 3), the plan can be approved by the issue owner first, before the processors start working on it.
If the plan is rejected, the system sends it back to the plan owner for rework. The plan owner or one or multiple processors can work on the remediation actions until the plan is complete. The last processor clicks the Complete button and submits the plan to the issue owner, who then closes the issue by clicking the Close button (Figure 8). If additional work on the given plan needs to be done to close the issue, the issue owner can reopen the issue by clicking the Reopen button (Figure 9). The remediation plan appears in the Remediation tab of the original evaluation object tied to the underlying issue and displays as History all details of earlier actions taken by other processors, so that all information on issue remediation for a given evaluation is available in a single place.

Figure 8
Remediation plan completed by the processor (here it is the plan owner)

Figure 9
Remediation plan sent to the issue owner to close or reopen the plan for rework
Remediation Plans and Workflows for Operational Compliance
Some industries deal with a broad range of industry-specific regulatory issues in addition to standard financial compliance demands. In fact, regulatory compliance is a core part of business for the biotechnology, pharmaceutical, medical devices, and life sciences industries. While these companies focus on their core business, they must comply with demanding regulatory requirements and the continuous increase in quality and safety expectations.
A key requirement in this context is compliance with FDA regulations. A key FDA-specific concept is the Good Manufacturing Practice (GMP) appearing in section 501(B) of the 1938 Food, Drug, and Cosmetics Act (21US351). It is recognized worldwide as part of a quality system covering the manufacture and testing of diagnostics, foods, pharmaceutical products, and medical devices. The GMP includes specific requirements regarding issue remediation such as remedial corrections of an identified issue and root cause analysis combined with corrective actions and preventive actions (CAPA) to avert recurrence of a similar potential issue.
In addition, title 21 CFR Part 11 of the Code of Federal Regulations deals with the FDA guidelines on electronic records and electronic signatures in the US. An e-signature must have two distinct and unique identification components for each user such as a user name and password combination. An e-signature is required whenever the user needs to provide accountability for a decision or take responsibility for an action.
SAP BusinessObjects Process Control supports best practice CAPA remediation plans for ongoing FDA compliance including e-signatures for CAPA plan creation and reviews. The CAPA remediation process is depicted in Figure 10. There is no difference in the way evaluations are conducted and issues are created compared to financial compliance initiatives.

Figure 10
Remediation workflow on a high level for operational compliance initiatives involving CAPA
Issue remediation, however, works quite differently. Again, the issue owner receives the workflow task to start issue remediation containing the affected evaluation object with the issue attached. The issue owner first performs a discrepancy evaluation and decides whether the issue is minor and can be closed without a CAPA plan or requires a CAPA plan for remediation, and clicks the Close Without Plan button or the Assign CAPA Plan button, respectively (Figure 11). In the latter case, a pop-up window opens and the issue owner assigns a CAPA plan to the issue (Figure 12). The system adds the additional CAPA tab to the evaluation object (Figure 13). The issue owner must include the following in this tab:
- Contingencies (optional)
- Results of a root cause analysis (Figure 13)
- One or multiple corrective actions each one assigned to a responsible remediator (Figure 14)
- One or multiple preventive actions each one assigned to a responsible remediator (Figure 15)

Figure 11
The issue owner performs a discrepancy evaluation and decides on validity of the issue

Figure 12
The issue owner assigns a CAPA plan to the issue

Figure 13
The issue owner performs a root cause analysis in the CAPA plan

Figure 14
The issue owner creates a corrective action within the CAPA plan and assigns a remediator

Figure 15
The issue owner creates a preventive action within the CAPA plan and assigns a remediator
Then, the issue owner submits the CAPA plan for approval providing his or her electronic signature by clicking the Submit button and then the Sign button in the resulting pop-up screen (Figure 16). The CAPA plan approver receives the workflow task containing the evaluation object to reject, approve, or cancel the plan, all requiring an electronic signature (Figure 17). If the plan is rejected, it is sent back for rework to the issue owner. If it is cancelled, the issue owner receives a workflow task to confirm the cancellation, which then triggers the closure of the issue. The CAPA plan approver is identified as the holder of the application role SAP_GRC_SPC_FDA_CAPA_PLAN_APPR or its copy in the customer name space for the evaluated object. After the approval of the CAPA plan, the remediators of the corrective actions receive the workflow task Perform Corrective Action (Figure 18).

Figure 16
The issue owner needs to provide his or her electronic signature to submit the CAPA plan for approval

Figure 17
The CAPA plan approver approves, cancels, or sends the plan back to the issue owner for rework

Figure 18
Remediators first work on corrective actions and submit the CAPA plan
Upon completion of the corrective action assigned to them, the remediators submit the CAPA plan. At this point no electronic signature is needed. As soon as all corrective actions are completed, the remediators of the preventive actions receive the workflow task Perform Preventive Action. Upon completion of all preventive actions, the CAPA plan is sent to the CAPA execution approver, who is the holder of the application role SAP_GRC_SPC_FDA_CAPA_EXEC_APPR or its copy in the customer name space for the evaluated object. The CAPA plan execution approver answers the questions regarding the appropriateness and effectiveness of the CAPA plan and approves the plan or sends it back to the remediators for rework (Figure 19). Both options require an electronic signature. If the CAPA plan execution is approved, the plan and the issue are closed.

Figure 19
The CAPA plan execution approver verifies appropriateness and effectiveness of the CAPA plan and approves or rejects the plan
Title 21 CFR Part 11.10 requires the use of time-stamped audit trails to document record changes and all write-to-file operations, and to independently record the date and time of operator entries and actions. SAP BusinessObjects Process Control adds a tab named CAPA Work Log/Audit Trail to the evaluation object (Figure 20). It tracks the following information:
- Issue owner
- Task performer
- Root cause
- Immediate cause
- Attachments
- Time stamp of when attachments are added or deleted
- E-signature
- Time stamp

Figure 20
CAPA worklog and audit trail
The audit trail time stamps the following recorded activities:
- Issue submission
- CAPA plan submission
- CAPA plan approval
- CAPA plan execution
- CAPA plan execution approval
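The CAPA workflow and its e-signature points described above can be checked against an audit trail. The following is an added example, not SAP code and not the product's export format: the event names, state names, and record layout are hypothetical, the sample entries are constructed, and the return to corrective work after a send-back at execution review is an assumption.

```python
from datetime import datetime

# state -> {event: (next_state, e_signature_required)}, following the CAPA
# workflow as the article describes it. Event and state names are hypothetical.
WORKFLOW = {
    "open":           {"issue_submitted": ("drafting", False)},
    "drafting":       {"plan_submitted": ("plan_review", True)},
    "plan_review":    {"plan_approved": ("corrective", True),
                       "plan_rejected": ("drafting", True),
                       "plan_cancelled": ("cancel_confirm", True)},
    "cancel_confirm": {"cancellation_confirmed": ("closed", False)},
    "corrective":     {"corrective_completed": ("preventive", False)},
    "preventive":     {"preventive_completed": ("exec_review", False)},
    # Assumption: a plan sent back at execution review returns to corrective work.
    "exec_review":    {"execution_approved": ("closed", True),
                       "execution_sent_back": ("corrective", True)},
}

def check_trail(entries):
    """Replay one issue's audit-trail entries; return (final_state, findings)."""
    findings, state, last_ts = [], "open", None
    for n, e in enumerate(entries, 1):
        ts = datetime.fromisoformat(e["timestamp"])
        if last_ts and ts < last_ts:
            findings.append(f"entry {n}: timestamp earlier than previous entry")
        last_ts = ts
        step = WORKFLOW.get(state, {}).get(e["event"])
        if step is None:  # out-of-sequence activity: report it, keep the state
            findings.append(f"entry {n}: {e['event']} not allowed in state {state}")
            continue
        next_state, needs_sig = step
        if needs_sig and not e.get("e_signature"):
            findings.append(f"entry {n}: {e['event']} lacks an e-signature")
        state = next_state
    return state, findings

# Constructed sample: one rejection and rework, an unsigned approval (entry 5),
# and a preventive action logged before the corrective one (entry 6).
SAMPLE = [
    {"event": "issue_submitted", "timestamp": "2024-03-01T09:00:00"},
    {"event": "plan_submitted", "timestamp": "2024-03-02T10:00:00", "e_signature": "owner1"},
    {"event": "plan_rejected", "timestamp": "2024-03-03T11:00:00", "e_signature": "appr1"},
    {"event": "plan_submitted", "timestamp": "2024-03-04T10:00:00", "e_signature": "owner1"},
    {"event": "plan_approved", "timestamp": "2024-03-05T11:00:00"},
    {"event": "preventive_completed", "timestamp": "2024-03-06T12:00:00"},
    {"event": "corrective_completed", "timestamp": "2024-03-07T12:00:00"},
    {"event": "preventive_completed", "timestamp": "2024-03-08T12:00:00"},
    {"event": "execution_approved", "timestamp": "2024-03-09T15:00:00", "e_signature": "exec1"},
]
```

Running `check_trail(SAMPLE)` reports the unsigned plan approval and the out-of-sequence preventive action while still replaying the trail to the closed state.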
In addition, there is a CAPA status report available in the compliance initiative-specific report center, which you can reach by following menu path FDA > Report Center > Evaluation > CAPA Status (Figure 21).

Figure 21
CAPA status report
As in the case of the financial compliance initiative, you can link a new compliance initiative and best practice CAPA remediation plans and workflow by following menu path GRC Process Control > Multiple Compliance Framework > Configure Compliance Initiatives. You can configure pre-delivered regulation types, create new ones, and allocate new compliance initiatives to them. In addition, you can activate or deactivate specific features available to CAPA remediation workflows. Select the pre-delivered regulation type OPERATIONAL and the business process CAPA and double-click Settings (Figure 22). You can then deactivate the following features of CAPA workflows:
- Availability of CAPA Worklog/Audit Trail tab in evaluation objects
- Necessity of CAPA plan approval
- Necessity of CAPA plan execution approval
- Necessity of electronic signatures for CAPA plan creation and reviews

Figure 22
IMG customizing settings for CAPA remediation workflows
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.