In this article, we will review the concepts of Business Process, Risk and Control, and describe some best practices for defining Mitigation Controls.
Business Process
Every company has its own business processes, but from a high-level perspective most of them are similar regardless of the company's line of business. As an example, we can use the Purchase to Pay (P2P) process. The image below shows a simple P2P process: it begins with Purchase Requisition activities, moves on to Purchase Order activities, then we receive the Delivery Note for the goods we acquired and, separately, the Supplier Invoice, and finally we pay the Supplier for the goods received.
Furthermore, based on the previous image, we can see that if one person handles all of these activities, that is a High Risk for the Company. Even one person handling two adjacent activities within the process is a Risk for the Company, for example:
- Purchase request creation versus purchase request approval.
- Invoice reception and payment execution.
Therefore, once the Business Process is defined, the Risks are easy to find.
Risk
The definition of risk could be:
- Effect of uncertainty on objectives.
- (Exposure to) the possibility of loss, injury, or other adverse or undesirable circumstance; an opportunity or situation that involves such a possibility.
- Combination of the consequences of an event (including changes in circumstances) and the associated probability of occurrence.
On the other hand, there are two types of risk in SAP:
- Segregation of Duties (SoD, also called Segregation of Functions) Risk: a person needs two or more activities to create a Risk within the Organization. For example, the ability to both record an invoice and execute its payment is a segregation of duties risk.
- Critical Action Risk: a person needs only one activity to create a Risk within the Organization. For example, the activity of Opening a Closed Financial Period is a Critical Action.
Once we know the meaning behind the Concept of Risk, we can move forward and look at the Financial Risks within the SAP Risk Matrix. The SAP Matrix covers several Business Processes, and the one most related to purely financial activities is called "Financial" Risks. In this article we will focus on pure financial risks, but we will also touch on cross-process risks.
Those marked with a full circle are purely Financial Risks, and those marked with a dotted circle are Cross-Process Risks (one activity of the Risk belongs to a Financial Activity and the other may belong to another Process). As an example, we can use the following SoD Risk to understand a Cross-Process Risk:
- M013 – Compensate inventory differences (materials management process) and record the entry (financial process)
The following activities are those we establish as pure Finance activities:
Risk Response
There are different risk responses that can be applied:
- Avoid: Eliminate the cause of the risk
- Mitigate: Reduce the probability or impact of the risk.
- Accept: Keep the risk and prepare Contingency Plans for it.
- Transfer: A third party assumes the responsibility of the risk.
The main Risk Response that we will focus on during this article is Mitigation. Based on the definition above, to mitigate we need to define an activity that reduces the probability or impact of the Risk, and for this we use the concept of a Mitigating Control. There are two types of mitigating control:
- Preventive: Designed to be implemented before a threat event.
- Detection: Designed to find errors after the execution of the activity.
As a simple example, the lock on a door is a preventive control that stops strangers from entering your house, and the security alarm is the detection control that reports it when an unauthorized person has entered.
Risk Mitigation Strategy
Once we have understood the meaning and different types of Mitigation Controls we can move forward and describe a strategy to mitigate the 32 SoD Financial Risks that exist within the SAP Risk Matrix.
Next, we will detail two examples, one for SoD risk F001 and another for F019.
The description of SoD Risk F001 says “Maintain a fictitious ledger account and conceal activity through postings”. Based on this, we can understand that the functions that generate this risk are:
- Update the ledger account
- GL Posting
Once we understand the activities behind the risk, we have to focus on each of them independently.
Maintain the ledger account: This activity could be controlled by the following mitigation controls:
- Every creation of the ledger account must be approved based on the List of Authorities.
- Quarterly, all ledger accounts created during this period will be reviewed, based on the authorities’ calendar.
GL Posting: This activity could be controlled by the following mitigation controls:
- Every manual posting to be included in the profit and loss statement must go through a workflow for approval based on the list of authorities.
- Monthly, all manual postings created during this period will be reviewed based on the list of authorities.
The description of SoD Risk F019 says “Open closed periods and post payments after the end of the month.” Based on this, we can understand that the functions behind this Risk are:
- Update GL periods
- AP Payment
Update GL periods: This activity could be controlled by the following mitigation controls:
- Any request to open a previously closed GL period must be approved by the List of Authorities.
- Once the activity is completed, all changes made must be sent to the corresponding approver based on the List of Authorities.
AP Payment: This activity could be controlled by the following mitigation controls:
- Each AP payment must be referenced to a supplier invoice that includes an approved purchase order number.
- Urgent payments must be approved based on the list of authorities.
- The AP payment needs to have an authorized payment proposal.
It is important to review each activity and understand its specific controls. By applying this best practice, we increased the number of Control Assignments (users assigned to a mitigating control) in the Client’s Access and Risk Control Matrix from a total of 548 to a total of 1,049. Therefore, when defining Mitigation Controls, it is really important to understand the activities behind the SoD Risk and review them individually to find the most relevant Mitigation Controls.
Finally, and focusing only on the 32 SoD Risks in Finance that appear within the SAP Matrix, if you are able to mitigate 3 activities: “General Ledger Posting”, “Maintain General Ledger Period” and “Asset Master Maintenance”, you will be able to mitigate 60% of the SoD Risks in Finance.
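As an added illustration (not part of the article), the following Python script applies the same approach: SoD risks expressed as pairs of conflicting functions, mitigating controls mapped per activity rather than per risk, a check of which user assignments create a conflict, which risks still have an activity without a control, and what share of risks a given set of controlled activities breaks. The risk ids, control ids and user assignments are constructed samples, not the real SAP rule set.

```python
from fractions import Fraction

# Constructed sample rule set: risk id -> the two conflicting functions. F001 and
# F019 follow the article's descriptions, M013 is its cross-process example; this
# is illustrative data, not the actual SAP risk matrix.
SOD_RISKS = {
    "F001": ("Maintain GL account", "GL Posting"),
    "F019": ("Maintain GL period", "AP Payment"),
    "M013": ("Compensate inventory differences", "GL Posting"),
}

# Mitigating controls mapped per activity, not per risk, as the article advises.
# Control ids are constructed; "Maintain GL period" has no control assigned yet.
ACTIVITY_CONTROLS = {
    "Maintain GL account": ["MC-GLACCT-01 approval per List of Authorities"],
    "GL Posting": ["MC-GLPOST-01 workflow approval of manual postings"],
    "AP Payment": ["MC-AP-01 payment references an approved PO invoice"],
}

# Constructed user-to-function assignments, as an access review would export them.
USER_FUNCTIONS = {
    "alice": {"Maintain GL account", "GL Posting"},
    "bob": {"Maintain GL period", "AP Payment"},
    "carol": {"GL Posting", "Compensate inventory differences"},
}

def find_sod_conflicts(user_functions, risks=SOD_RISKS):
    """{user: sorted risk ids} for users holding both functions of a risk."""
    conflicts = {}
    for user, funcs in user_functions.items():
        hits = sorted(rid for rid, pair in risks.items() if set(pair) <= funcs)
        if hits:
            conflicts[user] = hits
    return conflicts

def uncontrolled_activities(risks=SOD_RISKS, controls=ACTIVITY_CONTROLS):
    """{risk id: activities of that risk that still lack a mitigating control}."""
    return {rid: [a for a in pair if not controls.get(a)] for rid, pair in risks.items()}

def coverage_by_activities(activities, risks=SOD_RISKS):
    """Share of risks broken by controlling only `activities`: a SoD risk needs
    both functions, so one controlled side is enough to count it as mitigated."""
    covered = sum(1 for pair in risks.values() if set(pair) & set(activities))
    return Fraction(covered, len(risks))

if __name__ == "__main__":
    print("Conflicts:", find_sod_conflicts(USER_FUNCTIONS))
    print("Uncontrolled:", uncontrolled_activities())
    print("Coverage of GL Posting alone:", coverage_by_activities(["GL Posting"]))
```

The uncontrolled-activity report is the list the article's fourth key point refers to: the risks whose mapped activities have no Mitigation Control yet.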
Key points to consider
- Documenting all business processes will help you understand most of the risks in your organization.
- Identify the activities behind your SoD Risk.
- Assign activities to controls individually.
- Don’t worry if you don’t have Mitigation Controls for all activities: once you map the controls to the SoD Risks, you will find out which of them have no Mitigation Control assigned.
- Prioritize Preventive Controls over Detection Controls: even if implementing a Preventive Control may cost more, the effort to execute a preventive control is usually less than that of a Detection Control.