SAP® GRC Process Control Implementation in VCEAA

One of the initial challenges related to the implementation of SAP® GRC Process Control was focused on Automatic Controls using the CCM (Continuous Control Monitoring) tool.

This project was presented at the SAP® GRC Europe Event in Amsterdam on June 15, 2017, as “Case Study: How Votorantim Cimentos España Automated SOX Controls for Business and IT in SAP® Process Control and Improved Risk Visibility.”

VCEAA is the subsidiary of Votorantim Cimentos in Europe, Africa, and Asia. Votorantim Cimentos is among the TOP 10 largest cement companies in the world.

THE CHALLENGE

The complexity of this project arose on two fronts: the technological one, as the CCM tool was not widely used by SAP® user organizations at that time, and the organizational one, due to a lack of clarity about the tool’s possibilities in relation to the processes implemented in SAP®.

Given this uncertainty, a pilot was decided upon to understand the possibilities, seeking to automate Controls for areas like Accounts Receivable, Accounts Payable, Controlling, and HR. Initially, a scope of 20 Automatic Controls for all the aforementioned areas was established.

INPROSEC SOLUTION

It was agreed to implement SAP® GRC Process Control since the VCEAA organization already had the license. Additionally, the project would focus on automating controls through CCM, as it was the area where the highest ROI (Return on Investment) could be obtained.

Thus, the project would complete the general configuration of the SAP® GRC Process Control system and additionally implement the CCM setup.

To accurately evaluate both the design and the feasibility of the controls to be implemented, an initial meeting with department heads was held to identify recurring manual controls that could be automated. These meetings showed that much of the HR area's information was not included in SAP®, which made automation impossible, so the scope of the pilot was modified by replacing the HR area with IT.

Key activities with their initially planned dates are detailed below.

  • Installation and General Configuration of SAP® GRC Process Control
    • January 2017
  • Implementation of Controls in Accounts Payable
    • February 2017
  • Implementation of Controls in Controlling
    • February/March 2017
  • Implementation of Controls in Accounts Receivable
    • February/March 2017
  • Implementation of Controls in IT
    • March 2017

The Inprosec Project team faced a product that was technologically quite unstable, as seen in the next image where the list of necessary SAP® notes to be installed during the project appears.

Due to this situation, the dates included in the initial plan had to be updated. Additionally, a criterion was established whereby the highest-priority controls of each area would be implemented before those of lesser priority.

Regarding training, one session was established for each area included in the project scope. However, in some cases, a second training session was necessary. It’s important to understand that such projects add an activity on top of the daily business, so it’s common to need a refresh of the knowledge imparted in the first training session.

Moreover, it’s crucial to understand that, although there may be only one control at the definition level, automating it may technically require the implementation of several business rules within the CCM module.

Details of the Controls in Accounts Payable

Details of the Controls in Accounts Receivable

Details of the Controls in Controlling

RESULTS

All the challenges and objectives of the project were met, significantly increasing the ROI of the SAP® GRC Process Control License. A total of 16 Controls were automated, involving the implementation of 36 “Business Rules”. Additionally, the Self Assessment process (manual evaluation) was implemented to cover one of the IT controls related to the review of external SAP® users. The pilot result in Spain was quite satisfactory, which meant that more Automatic Controls were implemented in the following years, both for the Business and IT areas. Additionally, in the years following this pilot, more countries incorporated the use of the CCM module within the SAP® GRC Process Control tool.

As with any presentation of a “Case Study” at SAP® GRC events, it’s necessary to highlight 7 key points of the project mentioned below.

  • The application of CCM can increase the ROI of your SAP® GRC Process Control License. However, consider that many Controls may require the configuration of several rules (Business Rules).
  • Carefully plan the deployment of such projects. In this case, the final version of the plan was delayed by one month relative to the initial version, mainly because the technological part required the implementation of many SAP® notes.
  • For these types of projects where the technological part is not very stable, it’s important to reserve dedicated SAP® BASIS resources for these initiatives.
  • It’s important to clarify what the CCM tool can do, identifying the advantages and disadvantages in each of the designed controls.
  • Estimate double the time in relation to the training part.
    • This is a key point because no matter how good the system implemented is, it’s useless if users don’t know how to use it.
  • Be careful when you have a multilingual SAP® environment, as it complicates implementation in these types of projects. This case has been mentioned in the implementation of SAP® GRC Access Control, and for SAP® GRC Process Control, it would be the same. Avoid a multi-language environment if possible.
  • Always check the current status of your Support Package (SP) in GRC. In this case, having a lower SP necessitated the implementation of many notes to make the CCM system function properly.
