One of the most complex success cases within the SAP© GRC Area has been the realization of a project for the implementation of Automatic Controls through the Continuous Control Monitoring tool in SAP© GRC Process Control.
This case was presented at the SAP© GRC Event in Amsterdam on June 15, 2017.
“How VCEAA automated SOX controls for business and IT in SAP© Process Control and improved risk visibility”.
Votorantim Cimentos Europe, Africa & Asia is part of the Votorantim Cimentos Group. This group is the largest cement producer in Brazil and the eighth largest in the world. The company was founded in 1933 and is headquartered in São Paulo. Votorantim Cimentos operates in Brazil, Argentina, Bolivia, Canada, Spain, USA, Uruguay, Tunisia, Turkey, Morocco.
The challenge
The difficulty of the project lay in two parts: on the one hand, the technological part, since the Automatic Controls tool was quite new at that time, and on the other hand, the functional part related to change management, since the VCEAA team had not worked with Process Control automatic controls before.
The VCEAA organization saw that the focus should be on the automation of SOX (Sarbanes-Oxley) controls to reduce the effort being spent on executing these controls, most of which went into analyzing control incidents or deviations. The key was that the Automatic Controls tool would do the analysis work, and the VCEAA team would focus on making decisions about the deviations that the system detected.
Inprosec Solution
Inprosec’s solution was to perform a short project for the implementation of 19 automatic controls for the Accounts Payable, Controlling, Accounts Receivable and IT Areas.
The Controls agreed upon in the scope were as follows:
Accounts Payable
- Vendor Master Creations and Modifications
- Vendor Open Items
- Modification in General Ledger Accounts
- Opening and Closing of Accounting Periods
- Risk Control P003
Controlling
- Creations and Modifications on the Materials Master
- Modifications on Cost Apportionment Cycles
- Modifications on Key Tables
Accounts Receivable
- Creations and Modifications on Customer Master
- Open Customer Items
- Alert Management
- Changes in Blocking by Customer Credit Limit
- Credit Limit Modifications
- Customer Debts more than 15 days before due date
- Modifications on Key Program
- Bank Returns
- Approvals of Credit Limits by the Commercial Director
IT
- External Users
- Quarterly User Review
Throughout the execution of the project, we identified that, although from a functional point of view the VCEAA organization defined a single Automated Control, from a technical point of view it was necessary to create 2-3 Automated Control Rules to fully cover that Control.
On the other hand, out of the 19 proposed Controls, 3 were identified that could not be automated, since not all the information related to the control was in the SAP© system and therefore the Automatic Controls tool could not complete the analysis correctly. This was, for example, the case of the “External Users Control”, since most of the information needed to identify the External accounts was outside the SAP© system. For this case, the decision was made to take advantage of the Assessments module of Process Control to activate the following flow:
- The Security Team created and uploaded the file containing the details of the information that applied to the control.
- The Control owner included a series of comments within the file.
- The Security Team made changes to the actions that had been agreed upon.
One of the lessons learned during this project was related to the VCEAA organization’s knowledge of the technological possibilities of the tool. This meant that, in the first stage, some controls were conceived as a report, which the VCEAA teams would later work through to detect deviations. What we were looking for was precisely the opposite: we wanted the system to do all the analysis so that the teams could focus only on what the system detected as a deviation.
Another of the lessons learned was related to the technological part, since the system needed the installation of many SAP© notes in order to function correctly. The following graphic shows all the notes that were necessary to be able to work with the Automatic Controls tool:
The Automatic Controls tool supports the use of several languages, but it is recommended that only one language be set to avoid problems.
Automatic Controls were deployed through different phases based on defined priorities:
- Accounts Payable High Priority
- Controlling Medium Priority
- Accounts Receivable Medium Priority
- IT Low Priority, later raised to Medium
Two training sessions were held, since we were using a new technology and therefore it was necessary that the people who would be using it had as much knowledge as possible about it. The first session was conducted as part of the testing process by VCEAA, and a second training session was conducted as part of the deployment stage, in order to be able to teach real cases that were identified by the system.
Additionally, a third training session was conducted since some teams were very involved in day-to-day tasks and did not remember correctly what they had to do within the GRC system.
Results
The implementation of the GRC automatic controls tool was a success and marked the start of control automation within the VCEAA organization. The different groups that took part in the project understood the possibilities of the system and the effort it could save them, which led to a remarkable increase in the number of controls automated since the project was completed. The project was initially carried out in Spain, but several of the automatic controls implemented during this project were subsequently migrated, in part, to other countries within the Group.
In relation to the technical part, for the 16 Controls defined by VCEAA it was necessary to establish 36 Business Rules within the SAP© GRC system. This is important, since the functional description of a control often implies the technical implementation of several rules in order to comply 100% with the control definition.
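To illustrate the point made above (one functional control, several technical business rules, and a system that surfaces only deviations), here is an added example that is not code from Inprosec, VCEAA or SAP© GRC Process Control. It models the “Vendor Master Creations and Modifications” control as three rules evaluated over a constructed vendor change-document feed. The field names, user ids, rule ids (VM-01 to VM-03), the SENSITIVE_FIELDS and MASTER_DATA_TEAM sets, and the sample records are all assumptions for this example; a real Process Control business rule reads its data through the tool’s own data sources.

```python
# Added illustrative example: one functional SOX control expressed as three
# technical business rules over a constructed change feed. Not code from
# Inprosec, VCEAA or SAP GRC Process Control; all names and data are assumed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass(frozen=True)
class VendorChange:
    """One vendor master change document (assumed field layout)."""
    vendor_id: str
    field: str                  # e.g. "BANK_ACCOUNT", "PAYMENT_TERMS", "NAME"
    changed_by: str
    changed_on: date
    approved_by: Optional[str]  # None when no approval is recorded


@dataclass(frozen=True)
class Deviation:
    """What the control owner sees: only the exceptions, never the full log."""
    rule_id: str
    vendor_id: str
    detail: str


# Assumed configuration for the rules below.
SENSITIVE_FIELDS = {"BANK_ACCOUNT", "PAYMENT_TERMS"}   # payment-relevant fields
MASTER_DATA_TEAM = {"MD_USER1", "MD_USER2"}            # users allowed to maintain vendors


def rule_sensitive_change_needs_approval(c: VendorChange) -> Optional[Deviation]:
    """Rule VM-01: a change to a payment-relevant field must carry an approval."""
    if c.field in SENSITIVE_FIELDS and c.approved_by is None:
        return Deviation("VM-01", c.vendor_id,
                         f"{c.field} changed by {c.changed_by} without approval")
    return None


def rule_maker_is_not_approver(c: VendorChange) -> Optional[Deviation]:
    """Rule VM-02: segregation of duties, the approver may not be the changer."""
    if c.approved_by is not None and c.approved_by == c.changed_by:
        return Deviation("VM-02", c.vendor_id,
                         f"{c.changed_by} approved own change to {c.field}")
    return None


def rule_changer_is_authorised(c: VendorChange) -> Optional[Deviation]:
    """Rule VM-03: only the master-data team may maintain vendor records."""
    if c.changed_by not in MASTER_DATA_TEAM:
        return Deviation("VM-03", c.vendor_id,
                         f"{c.changed_by} is outside the master-data team")
    return None


# The functional control is the union of its technical rules.
CONTROL_RULES: list[Callable[[VendorChange], Optional[Deviation]]] = [
    rule_sensitive_change_needs_approval,
    rule_maker_is_not_approver,
    rule_changer_is_authorised,
]


def run_control(changes) -> list[Deviation]:
    """Evaluate every rule on every change and return only the deviations,
    so reviewers decide on exceptions instead of reading the whole log."""
    deviations: list[Deviation] = []
    for change in changes:
        for rule in CONTROL_RULES:
            dev = rule(change)
            if dev is not None:
                deviations.append(dev)
    return deviations


# Constructed sample feed (not real data): two clean changes, three deviations.
SAMPLE_CHANGES = [
    VendorChange("V100", "NAME", "MD_USER1", date(2017, 5, 2), None),                # clean
    VendorChange("V101", "BANK_ACCOUNT", "MD_USER2", date(2017, 5, 3), "MGR_01"),    # clean
    VendorChange("V102", "BANK_ACCOUNT", "MD_USER1", date(2017, 5, 4), None),        # VM-01
    VendorChange("V103", "PAYMENT_TERMS", "MD_USER2", date(2017, 5, 5), "MD_USER2"), # VM-02
    VendorChange("V104", "NAME", "TEMP_07", date(2017, 5, 6), None),                 # VM-03
]

if __name__ == "__main__":
    for d in run_control(SAMPLE_CHANGES):
        print(d.rule_id, d.vendor_id, d.detail)
```

Running the block prints three lines, one per flagged change; the two compliant records never reach the control owner. Adding a fourth rule (for example a time window for the quarterly review) is a matter of appending a function to CONTROL_RULES, which is the same one-control-to-many-rules relationship the project encountered.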