Learn how the different options for control automation included in the automated control framework in SAP BusinessObjects Process Control 3.0 turn tedious and error-prone manual tests into a repeatable automated process.
Key Concept
A centralized and automated approach to continuous control monitoring and testing of effectiveness can considerably reduce effort, cost, and reliance on external resources. It can also increase visibility, reliability, and efficiency of your control evaluations. A key product capability of SAP BusinessObjects Process Control 3.0 is the automated control framework (ACF), which permits control automation across an SAP and non-SAP system landscape through monitoring of configuration settings, master data, and transactions in a number of different ways. More than 120 pre-delivered automated controls span all core business processes.
Many companies spend an increasing portion of their budget on manual control evaluations to remain compliant with regulatory frameworks and internal policies. Scarce auditing resources spend a good part of their time on tedious manual test plans. Tolerances often vary by vendor, organization unit, and other elements. This makes manual testing error prone and unreliable, and continuous monitoring for critical business areas very challenging. In addition, companies whose business or regulatory requirements are changing rapidly need to deploy new controls to assure compliance. Manual tests executed in a heterogeneous system landscape lack central standardized reporting and harmonized remediation workflows. This limits overall visibility of, and management confidence in, the compliance programs.
The automated control framework (ACF) centralizes and automates control monitoring and testing across a heterogeneous system landscape. It allows companies to interactively define complex rules to monitor critical configuration settings, master data, and transactions within multiple compliance initiatives set up in SAP BusinessObjects Process Control. It provides the following benefits:
- Reduced cost and the risk of non-compliance through rapidly deployable configurable controls
- Ensured control effectiveness across heterogeneous application landscapes thanks to continuous monitoring
- Perfect repeatability making more complex tests possible and reducing dependency on knowledge of individual employees
- Audit resources freed from routine work can focus on more strategic tasks
- Self-documenting solution: audit trails, execution logs, issues, and remediation plans
- Pre-delivered set of more than 120 automated controls covering all core business processes
- Standardized reporting of evaluation results and issues across a heterogeneous system landscape and multiple compliance initiatives improves visibility of compliance programs
- Standardized remediation workflows
- Near real-time information provided for proactive and preventive measures
- Pre-delivered direct integration with enterprise applications permits drill-down on supporting data for faster remediation
- Higher adaptability to changing business processes and compliance needs
I’ll first provide an overview of what exactly is delivered with the ACF, explain the key steps to set up an automated control in SAP BusinessObjects Process Control, and give advice on how to best take advantage of the pre-delivered controls.
Overview of the Automated Control Framework
The ACF includes capabilities to support six different types of control scripts managed and monitored out of SAP BusinessObjects Process Control to run in your SAP or non-SAP back-end systems:
- More than 120 pre-delivered out-of-the-box automated controls for SAP ERP systems covering all core business processes (Figure 1). The following SAP ERP releases are supported: SAP R/3 4.6C, SAP R/3 4.7, SAP ERP Central Component (SAP ECC) 5.0 and SAP ECC 6.0. The pre-delivered control scripts are delivered as Real-Time-Agents (RTAs) to be installed on your SAP ERP system. For details on their installation, refer to SAP Notes 129197-5, -6, -7, and -8.
- Configurable control capability, which allows you to set up additional controls remotely in SAP BusinessObjects Process Control. These controls monitor configuration, master data, and transaction tables (and views) in your SAP ERP systems without any programming. This capability also requires the installation of the RTA mentioned above.
- SAP queries or SAP standard or custom reports in your SAP ERP system
- SAP NetWeaver Business Warehouse queries in your SAP NetWeaver BW system
- Event-driven controls integrate with external third-party event engines. For example, third-party solutions raise issues for event-driven controls in SAP BusinessObjects Process Control through the event framework when they detect deficiencies in the IT infrastructure.
- Control scripts running in Oracle and PeopleSoft applications are included in the software license for SAP BusinessObjects Process Control 3.0 and provided by SAP’s software partner Greenlight Technologies, Inc. You can download them from the SAP Service Marketplace and handle support issues through SAP’s support infrastructure.

Figure 1
SAP BusinessObjects Process Control 3.0 pre-delivered automated controls spanning all core business processes
Note
Greenlight Technologies delivers both predefined controls for Oracle and PeopleSoft as well as the capability to build custom controls with the Multi-Application Query Tool (MQT). In addition, companies can purchase capabilities from Greenlight Technologies for a wide range of platforms including JD Edwards, Lawson, Baan, and legacy applications, as well as custom environments. For more details, refer to www.greenlightcorp.net.
Value Checks and Change Log Checks
The pre-delivered and configurable controls can perform value checks or change log checks. Value checks are available for configuration settings, master data, or transaction data. Here are some examples for value checks:
- Configuration: Purchase order (PO) receipt tolerance setting exceeds 10% of the PO quantity
- Master data: Vendors with payment terms exceeding 30 days
- Transaction data: POs exceeding $1M that are subject to additional approvals
Change log checks are only available for configuration settings and master data, but not for transaction data:
- Configuration: Changes to PO tolerance settings occurred?
- Master data: Changes to critical fields in vendor master data?
By default, change log checks rely on the SAP ERP system’s capabilities to track changes via table logging or change documents. In some cases in which the standard table logging is not active (e.g., to optimize system performance), you can employ the SAP BusinessObjects Process Control change log. It is delivered with the RTA and can be scheduled to take snapshots of the relevant tables. This means that changes that are reverted back before the next snapshot is taken won’t be detected. Use this tool with care and selectively to avoid a negative impact on system performance. If large tables lead to long runtimes, you should instead schedule multiple change log checks analyzing the relevant tables in chunks by company code, plant, or other applicable organizational levels. For details on change logs and how to use the SAP BusinessObjects Process Control change log tool, refer to the attachment of SAP Note 1329589.
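The detection gap of snapshot-based change tracking can be made concrete with a small simulation. This is an added example, not SAP code and not part of the RTA: the table contents, the field name `po_tolerance_pct`, the row keys, and the time units are all constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

Table = Dict[str, Dict[str, str]]   # row key -> {field: value}
Event = Tuple[int, str, str, str]   # (time, row key, field, new value)
Change = Tuple[str, str]            # (row key, field)


def state_at(initial: Table, events: List[Event], t: int) -> Table:
    """Table contents after applying every write with time <= t."""
    table = {key: dict(row) for key, row in initial.items()}
    for when, key, field, value in sorted(events):
        if when <= t:
            table.setdefault(key, {})[field] = value
    return table


def diff_snapshots(old: Table, new: Table) -> Set[Change]:
    """Fields whose value differs between two snapshots."""
    changed = set()
    for key in set(old) | set(new):
        before, after = old.get(key, {}), new.get(key, {})
        for field in set(before) | set(after):
            if before.get(field) != after.get(field):
                changed.add((key, field))
    return changed


def detected_by_snapshots(initial: Table, events: List[Event],
                          snapshot_times: List[int]) -> Set[Change]:
    """What a periodic snapshot comparison reports over the whole period."""
    times = sorted(snapshot_times)
    detected: Set[Change] = set()
    previous = state_at(initial, events, times[0])
    for t in times[1:]:
        current = state_at(initial, events, t)
        detected |= diff_snapshots(previous, current)
        previous = current
    return detected


def recorded_by_change_log(initial: Table, events: List[Event]) -> Set[Change]:
    """What per-write logging records: every write that altered a value."""
    table = {key: dict(row) for key, row in initial.items()}
    recorded: Set[Change] = set()
    for _when, key, field, value in sorted(events):
        if table.get(key, {}).get(field) != value:
            recorded.add((key, field))
        table.setdefault(key, {})[field] = value
    return recorded


def missed_changes(initial: Table, events: List[Event],
                   snapshot_times: List[int]) -> Set[Change]:
    """Changes a per-write log would show but the snapshots never see."""
    return (recorded_by_change_log(initial, events)
            - detected_by_snapshots(initial, events, snapshot_times))


# Constructed sample: row 1000 is raised to 50 and reverted; row 2000 stays changed.
INITIAL: Table = {"1000": {"po_tolerance_pct": "10"},
                  "2000": {"po_tolerance_pct": "10"}}
EVENTS: List[Event] = [(2, "1000", "po_tolerance_pct", "50"),
                       (5, "1000", "po_tolerance_pct", "10"),
                       (7, "2000", "po_tolerance_pct", "15")]

if __name__ == "__main__":
    print("snapshots at 0, 8   miss:", missed_changes(INITIAL, EVENTS, [0, 8]))
    print("snapshots at 0, 4, 8 miss:", missed_changes(INITIAL, EVENTS, [0, 4, 8]))
```

A shorter snapshot interval narrows the window in which a temporary change goes unseen but does not close it, which is why per-write logging remains the stronger evidence source where its performance cost is acceptable.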
Manual, Semi-Automated, and Automated Controls
Controls are created in SAP BusinessObjects Process Control during the master data setup. Control Automation and Test Automation are two attributes of a control among many others. Both attributes can have any of three values: Automated, Manual, and Semi-Automated (Figure 2).

Figure 2
Example control with Control Automation and Test Automation settings both set to Automated
While the Control Automation attribute serves only as a filter for reporting, the Test Automation setting determines where the workflow sends issues. Manual refers to controls tested via manual test plans, which are sent as surveys by workflow to the testers; the testers create issues and assign them to issue owners if they find deficiencies. Semi-automated and automated controls both rely on control scripts scheduled in SAP BusinessObjects Process Control to run automatically in the target systems.
However, if you run a test of effectiveness and the system detects a deficiency for a semi-automated control, the system automatically creates an issue and routes the test results by default to the holder of the role Process Tester. The tester can void the issue or assign the issue to an owner for processing. Issues created by the system for automated controls, however, are sent by default to the holder of the role Subprocess Owner. Controls based on SAP reports or custom reports only support the semi-automated workflow model. For continuous control monitoring, there is no difference between automated and semi-automated controls: Issues are created automatically by the system and sent for both control types to the Process Tester.
Best Practices on Control Types
A smart test strategy is paramount to limit the number of controls to test. A recommended approach is a top-down, risk-based scoping, which is fully supported by SAP BusinessObjects Process Control. This scoping approach identifies controls belonging to higher-risk areas and requiring continuous monitoring and testing. At the same time, it identifies controls that do not necessarily require testing.
For the controls requiring testing, first see whether they are covered by the out-of-the-box automated controls that come with SAP BusinessObjects Process Control. Later in this article, I will explain how to make the best use of them. This is in most cases the least time- and cost-intensive way to implement an automated control. If your control is not among the pre-delivered automated controls, check whether you can implement it as a configurable control. This is the case when your control can be implemented as a value check or change log check of a particular table or view in your SAP ERP back-end system containing the relevant configuration settings, master data, or transactional data.
You can browse tables and views and their fields available in your SAP ERP system out of SAP BusinessObjects Process Control when building a configurable control. This approach doesn’t require any programming or query building in your SAP ERP system. However, it may require the creation of a view with transaction SE11 if you need to join tables and no suitable view is available in the system yet. Refer to the attachment of SAP Note 1329589 for more details. SAP NetWeaver BW or SAP queries are the next-best option when configurable controls aren’t applicable. They are relatively easy to build and don’t require profound ABAP development skills. In addition, you can use them both for semi-automated and automated controls, whereas SAP standard or custom ABAP reports can only serve as control scripts for semi-automated controls.
Four Key Steps to Control Automation
To automate a control with one of the control script types described above, proceed as follows:
- Create a rule script
- Create a rule
- Perform control-rule assignments
- Schedule periodic control monitoring and plan a test of effectiveness
You can think of rule scripts as references in SAP BusinessObjects Process Control to control scripts running in your back-end systems, whereas the rules contain the criteria applied to the results delivered by the control scripts to detect deficiencies. The link between the mechanics of rule scripts and rules on one side and the control documentation on the other side is established by the control-rule assignment. You can assign multiple rules to a control, if the rules monitor or test different aspects of the same control. Rule scripts and rules are created in Global Compliance Office > Evaluation Setup while control assignments, scheduling, and planning are done in the context of a specific compliance initiative, for example in SOX > Evaluation Setup.
Rule Scripts and Script Criteria
You create rule scripts by following menu path Global Compliance Office > Global Evaluation Setup > Automated Test Customizing > Rule Script. Enter a name and a description for the new rule script. Choose a Script Type and the user interface dynamically displays the appropriate fields and tabs for each. For example, during its creation the GRC Configurable script type displays the Table Lookup button and next to it the Table Name field, whereas the Query script type displays the Query Lookup button and next to it the Program Name field (Figure 3). Both lookup buttons permit you to search remotely in your SAP ERP system for tables and queries, respectively. The following 10 script types are available from the drop-down list:
- GRC Configurable: A template-based query that you can run against back-end tables or database views. Configurable controls are based on them.
- GRC Programmed: Refers to out-of-the-box control scripts provided as ABAP programs by SAP with the RTA, or scripts for other back-end systems provided by an SAP software partner such as Greenlight Technologies, Inc.
- GRC 2.5: Runs programmed control rules implemented for SAP BusinessObjects Process Control 2.5. You cannot create new SAP BusinessObjects Process Control 2.5 scripts for SAP systems. However, you can use SAP BusinessObjects Process Control 2.5 scripts that are already in use if you’re upgrading from SAP BusinessObjects Process Control 2.5 to SAP BusinessObjects Process Control 3.0.
- SAP Standard Report: Calls a standard SAP report in your SAP ERP system
- Custom (report): Calls a custom-developed report in your SAP target system
- Query: Calls an SAP query in the SAP back-end system. The rule can query multiple tables to retrieve exception information.
- Segregation of Duties (SoD): Pulls the SoD analysis results from SAP BusinessObjects Access Control 5.3 (if available)
- Event-based: Receives violations based on the occurrence of events triggered by third-party event engines such as network alerts
- Financial Performance Management: SAP BusinessObjects Process Control provides out-of-the-box integration with SAP BusinessObjects Financial Performance Management. The monitoring tests available from this integration have a specific script type.
- Business Warehouse: SAP BusinessObjects Process Control integrates with SAP NetWeaver BW allowing you to leverage the results from SAP NetWeaver BW queries

Figure 3
Rule scripts of type GRC Configurable (left) and Query (right) both having the tabs General, Script Criteria, and Target Connector
You can select a Script Category and an Analysis Type for most of these script types from drop-down lists (Figure 3). For example, for GRC Configurable scripts you can select from Value Check or Change Log Check as a script category. The available Analysis Types depend on the selected script category and determine whether absolute or percentage values are calculated, or whether the script checks for changes in change logs. For a good summary of all available values, refer to SAP Note 1329589 or to the SAP Help Portal at https://help.sap.com/saphelp_grcpc30/helpdata/en/b3/ac82f7e0cf4ca49f82eeac9e10e0ec/content.htm.
You also have to select a Primary Target Connector for the rule script. This connector establishes remote connections for table and query lookup during design time of the rule script. In the Target Connector tab, you can add additional target systems you potentially want to run the rule script against at run time (Figure 3). In this sense, the tab contains a pool of target systems from which you can choose during rule creation in the next step.
In the Script Criteria tab, you tag fields delivered with the results from the control scripts in the back-end system to be relevant for deficiency detection, query filtering, or data output (Figure 4). The detailed rules for deficiency detection and filters will be defined later in the rule criteria. Note that the Script Criteria tab isn’t available for script types for SAP standard reports and custom reports. This is why these script types can only be employed for semi-automated controls: The system always creates an issue for these two script types after their execution and sends it together with the results of the report to the holder of the Process Tester role who then decides whether to void the issue or follow up on it.

Figure 4
Script criteria of the GRC configurable script shown in Figure 3
Rules and Rule Criteria
Each rule refers to one rule script and contains rule criteria that detect low, medium, and high deficiencies for issue generation. You create rules by following menu path Global Compliance Office > Global Evaluation Setup > Automated Test Rules > Rule. In the General tab, provide a name and a description for the new rule and choose one of the previous rule scripts (Figure 5). Your selection automatically populates the following fields: Script Description, Script Type, Script Category, Connector Choice, Single Connector Value, and System Type.

Figure 5
Rule referring to the GRC Configurable rule script in Figure 3
Note that you can associate only one rule script to a rule, but multiple rules can refer to the same rule script. Next, you can update the connector information. You have the options to schedule the rule on any of the connectors defined as part of the rule script, or select in the Single Connector Value only one of the connectors from the rule script. Finally, provide a valid time frame for the rule, assign a rule group, and select a rule status from the values Released, Work-In-Progress, or Inactive. You can maintain rule groups in the IMG customizing. They serve as an attribute for reporting.
Continue with the Rule Criteria tab. The available rule criteria for deficiency detection and data filters are those previously defined as script criteria. Define filters to keep the data volume to be analyzed under control. Then, specify criteria to detect high, medium, and low level deficiencies. The nature of these criteria depends on the analysis type used in the rule script. The example in Figure 6 shows the rule criteria of the rule in Figure 5 referring to the rule script in Figure 3 and Figure 4, which has the analysis type set to Change. In summary, the rule connects to the target system connector ERP_CLNT800, and reads table T691F. It then filters data records with Credit management: Risk category between 002 (medium-risk category) and 003 (high-risk category). It detects medium-level deficiencies in the case of changes to the Credit check against maximum document value field and the Credit check against overdue open items field, and high-level deficiency in the case of changes to the Credit check: Static check field, respectively.

Figure 6
Rule Criteria tab of the rule shown in Figure 5
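The logic of the rule criteria described for Figure 6 can be sketched as follows. This is an added example, not SAP code: the fields are keyed by the descriptive labels used in the text rather than technical field names, the change records are constructed, and taking the highest level as the overall result is an assumption of this sketch.

```python
from typing import Dict, List, Optional

SEVERITY = {"Low": 1, "Medium": 2, "High": 3}

# Rule criteria as described in the text for the rule in Figure 6.
RULE = {
    "connector": "ERP_CLNT800",
    "table": "T691F",
    "filter": {"field": "Credit management: Risk category",
               "low": "002", "high": "003"},
    "deficiency": {
        "Credit check against maximum document value": "Medium",
        "Credit check against overdue open items": "Medium",
        "Credit check: Static check": "High",
    },
}


def in_filter(rule: Dict, row: Dict[str, str]) -> bool:
    """Filter criterion: keep rows whose value lies in the inclusive range.
    Fixed-width, zero-padded codes compare correctly as strings."""
    crit = rule["filter"]
    value = row.get(crit["field"])
    return value is not None and crit["low"] <= value <= crit["high"]


def evaluate(rule: Dict, changes: List[Dict]) -> List[Dict]:
    """Apply filter and deficiency criteria to change records from the script."""
    findings = []
    for change in changes:
        if not in_filter(rule, change["row"]):
            continue                      # outside the monitored risk categories
        level = rule["deficiency"].get(change["field"])
        if level is None or change["old"] == change["new"]:
            continue                      # untagged field or no real change
        findings.append({"key": change["key"],
                         "field": change["field"],
                         "level": level})
    return findings


def overall_level(findings: List[Dict]) -> Optional[str]:
    """Highest deficiency level found, or None if the rule passed (assumption)."""
    if not findings:
        return None
    return max((f["level"] for f in findings), key=SEVERITY.__getitem__)


RISK = "Credit management: Risk category"
# Constructed change records, one per changed field of a table row.
CHANGES = [
    {"key": "A", "row": {RISK: "001"},
     "field": "Credit check: Static check", "old": "X", "new": ""},
    {"key": "B", "row": {RISK: "002"},
     "field": "Credit check against overdue open items", "old": "X", "new": ""},
    {"key": "C", "row": {RISK: "003"},
     "field": "Credit check: Static check", "old": "X", "new": ""},
    {"key": "D", "row": {RISK: "003"},
     "field": "Description", "old": "old text", "new": "new text"},
]

if __name__ == "__main__":
    results = evaluate(RULE, CHANGES)
    for finding in results:
        print(finding)
    print("overall:", overall_level(results))
```

Record A shows what the filter leaves unmonitored: the same field change that rates High in risk category 003 raises no issue in category 001, so filters chosen to limit data volume also define what the control does not cover.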
Control Rule Assignments
The third step to control automation is the assignment of one or multiple rules to a control in the context of the specific compliance initiative. Navigate to the Evaluation Setup workset within the given compliance initiative. For example, follow menu path SOX > Evaluation Setup > Automated Test Rules > Control Rule Assignment. This opens a screen to select organizations, processes, subprocesses, controls, and rules. When you click Search, the system displays the controls in the upper part of the screen and the already-assigned rules with the associated rule script in the lower part of the screen (Figure 7). Select a control and a rule and click Assign Rules To Selected Control. This opens a window with all available rules from which to select. Select one or multiple rules and click the OK button (Figure 8). Then select one or multiple frequencies for monitoring and compliance for each new rule assigned to the control in the lower part of the screen in Figure 7.

Figure 7
Control rule assignment: select a control

Figure 8
Control rule assignment: select a rule
Scheduling and Planning
There are two types of control testing:
- Monitoring: Monitor continuous operating effectiveness of a control
- Compliance: Test effectiveness of a control for the purpose of reporting to your internal or external auditors
Use the Monitoring Scheduler by following menu path SOX > Evaluation Setup > Automated Control Monitoring to schedule periodic monitoring tasks for your automated or semi-automated controls. First, create a schedule providing a Job Name, Frequency, Test Period From and To, Start time, Target Connector, and a Comment (Figure 9). Then, click the Add button and add controls in the selection screen in Figure 10.

Figure 9
Monitoring Scheduler: create a schedule

Figure 10
Monitoring Scheduler: select an automated or semi-automated control
Use the Planner in menu path SOX > Evaluation Setup > Planner to schedule formal tests of effectiveness for your automated or semi-automated controls. The Planner provides a procedure in five steps to enter plan details, select organizations, select controls, review, and confirm the plan (Figure 11).

Figure 11
Use the Planner to schedule a formal compliance test
The results from the automated compliance tests and continuous monitoring are accessible as reports in menu path SOX > Report Center under Evaluations and Monitoring, respectively (Figure 12).

Figure 12
Results of the automated compliance testing and continuous control monitoring, respectively
How to Use the Pre-Delivered Control Scripts and Rules
SAP BusinessObjects Process Control 3.0 delivers more than 170 rules including rule criteria as well as rule scripts (Table 1). It also provides the required control scripts with the RTA. You can find a detailed documentation of these rules and rule scripts in SAP Note 1314345.

Table 1
Number of pre-delivered rules per script type
These out-of-the-box rules relate to more than 120 controls spanning all core business processes (Figure 1). This means that some controls are associated with multiple rules. Unlike the rules, the controls aren’t pre-delivered with SAP BusinessObjects Process Control because controls only exist in the context of a customer-specific process catalog in the system. In addition, most companies apply a specific naming convention to their control documentation. For this reason, SAP delivers a detailed documentation of the 120+ controls with SAP Note 1320737, including the corresponding control-to-rule mappings. Use these two SAP Notes to investigate whether the control you desire to automate is already covered with a pre-delivered rule. Assuming you have already created the control according to your naming conventions in SAP BusinessObjects Process Control, copy the suitable pre-delivered rule into the customer name space and start customizing the copied rule. You can modify the following:
- Rule name
- Rule description
- Validity dates
- Connector-related data
- Values and tolerance limits for the rule criteria
Continue with the control rule assignment. Finally, use the Monitoring Scheduler to schedule continuous monitoring as a periodic job, and use the Planner tool to schedule a formal test of effectiveness of your control.
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.