ComplianceCompliance is the process that records and monitors the controls, be they physical, logical or of organizational nature, needed to enable compliance with legislative or industry mandates as well as internal policies.

Wikipedia (as of 01. September 2009): Governance, Risk Management and Compliance.

For corporations it is necessary to comply with regulatory requirements and demonstrate reliable internal control frameworks for financial reporting. Compliance with regulations and legislation is getting increasingly more complex. Whether it is the Sarbanes-Oxley Act, the Basel Capital Accord (Basel II), KonTraG, the 8th EU Directive, BilMoG, or whether international accounting standards (U.S. GAAP, IAS / IFRS, local GAAP). The compliance with legal requirements and regulations is a challenging task. For corporations the requirements to establish or expand their internal control framework provide an enormous burden.

The internal control framework serves simultaneously as a control and monitoring system. With an internal control framework laws, regulations and rules can be monitored and controlled that serve to ward off internal and external losses. Furthermore such a framework also reduces the occurrence probability of an error or intentional misconduct of employees.

Executive management needs to be in particularly involved in order to get the regulatory required segregation of duties and the necessary internal controls realized. In addition to legislation and auditors requirements or compliance guidelines further drivers for such a control framework include, among others, the following external requirements:

  • Accurate and understandable financial reporting in accordance with GAAP
  • Parallel accounting
  • Transparent accounting
  • Timely financial information
  • Accounting conformity (e.g. IAS)
  • Compliance with the code of corporate governance
  • Documentation of tax accounting
  • Auditable business processes
  • Transparency of the risk situation

The objective of an internal control framework includes mainly the following four items:

  • Compliance with laws, regulations and contracts
  • Effectiveness and efficiency of business processes
  • Reliability and completeness of financial and operational information
  • Safeguarding of assets

Thus, the internal control framework is a management tool to systematically achieve and ensure the above objectives. The internal control framework must comprise, from the executive management systematically arranged, organizational methods, measures, policies and activities. Often the structure of the internal control framework is based on the COSO model.

The structure and the design of an internal control framework require a methodical approach that includes in general the following five phases:

  • Define objectives
  • Capture processes / design processes
  • Analyze risks
  • Define monitoring and control measures
  • Implement monitoring and control measures

Furthermore the information and communication flow must continuously be defined and secured, as well as the internal control environment consciously designed. Similarly, a permanent monitoring of the internal control framework is necessary.

The United States Securities and Exchange Commission recommends the COSO framework for the management of internal controls. The SAP application SAP BusinessObjective Process Control supports the COSO framework, but is not solely restricted to COSO and the Sarbanes-Oxley Act. In contrary, the solution allows easily to set up and mange multiple compliance frameworks.

003 03 Compliance

The SAP BusinessObjective Process Control application does support not only directly sections 302 and 404 of the Sarbanes-Oxley Act, but provides also the possibility to create and maintain a state of the art internal control framework.

SAP BusinessObjective Process Control supports regulatory compliance through centralized controls over enterprise-wide business processes across both SAP systems as well as third-party applications. SAP BusinessObjective Process Control combines manual control testing with automated continuous monitoring in a single application. With SAP BusinessObjective Process Control companies will receive full control and can monitor compliance needs regarding legal requirements.

The compliance of regulations and regulatory requirements is becoming increasingly complex. For companies it is necessary to comply with regulatory requirements and demonstrate reliable internal control structures for financial reporting. With SAP BusinessObjective Process Control compliance requirements can not only be managed, but also the related costs can be reduced. The technology platform SAP NetWeaver will help more and more to increase the efficiency of GRC processes and will also reduce the complexity and cost.

With SAP BusinessObjective Process Control the ability to perform materiality analysis and risk assessments, in order to determine control coverage and the desired level of evidence, can be improved (risk-based scoping).

The application’s central process catalog comprises enterprise-wide valid processes, sub-processes and control activities (process steps). Furthermore, the within the central process catalog available control objectives, risks and control attributes serve also as a template for org. units. For each process a number of control objectives etc. can be defined. These central master data objects and the relevant context linkage information can be initially uploaded to the SAP BusinessObjective Process Control application easily via the Master Data Upload Generator (MDUG) tool.

The process and control documentation phase within SAP BusinessObjective Process Control may include a manual control objective and risk assignment and the definition which group of accounts is relevant for the process.

A control can be also defined or attributed manually for example with the control purpose, control nature, type of control, frequency, importance, automation, test plan, test procedures etc. Furthermore relevant assertions, in accordance with PCAOB (Public Company Accounting Oversight Board) can be assigned.

With SAP BusinessObjective Process Control a sub-set of roles can be activated and used at different levels. In addition a custom defined authorization concept via the standard SAP authorization function can be utilized.

The Planer functionality of the SAP BusinessObjective Process Control application automatically sends workflow notifications for surveys, design evaluation, assessment and testing tasks to the relevant users. These functions can help to shorten audit cycles, speed response, and reduce overall expense. Organizations due for assessments etc. can be selected and bundled via the Planer function. These plans (survey types) can be easily reused via copy function for the next periodic assessment etc. cycle. In addition, management controls can be documented for e.g. at the org. unit level. Appropriate management controls assessment can be also initiated via the Planer functionality.

The Adobe Interactive Forms function can enable testers and auditors to perform manual tests of controls in offline mode, improving productivity and availability.

For the identified weaknesses issues can be created and remediation measures can be triggered. Does for an assessment a significant deficiency or deviation exist, the corresponding workflow task can only be forwarded if a issue or finding has been recorded. During the remediation of the identified weakness the relevant progress will be documented. If an issue is detected and the weakness remediation has been initiated, various persons can be assigned for the remediation measure. When the identified weakness has been corrected, SAP BusinessObjective Process Control will automatically trigger a workflow task for re-evaluation or re-test purpose.

With SAP BusinessObjective Process Control also an automatic control monitoring in an ERP system can be implemented. A catalog of over 200 control rules for SAP system is provided. The automated testing and monitoring in the SAP BusinessObjective Process Control application refers to the testing or monitoring the effectiveness of certain transactions and master data changes, and possible changes to certain customizing settings. The control rules can be customer-activated and configured. The relevant monitoring results are captured in SAP BusinessObjective Process Control and in the case of a threshold violation a relevant business user is notified automatically.

The automated monitoring and the multiple compliance initiatives functions of SAP BusinessObjective Process Control can also to be an effective approach to address requirements of the COBIT framework. Visibility across any number of compliance and business policy initiatives can be gained within a single system – with different access, reporting, and configuration options – while sharing for e.g. the same workflow and planning and scheduling capability.

During the sign-off procedure each org. unit manager attests, that within his responsible org. unit all documented information is accurate and current. A summary of the overall situation will be added and inserted with comments (if still pending issues at the time of sign-off do exist).

Within SAP BusinessObjective Process Control a subset of detailed reports, which can be personalized, are available. All important compliance and risk aspects are traceable, such as the status of control assessments and tests by org. unit and / or process etc. Reporting data can be easily downloaded for e.g. to an Excel worksheet. With the integration of Crystal Reports and Xcelsius advanced features such as combined graphics and text reporting can be deployed. Furthermore standard SAP extractors (data sources) for extracting data out of SAP BusinessObjective Process Control data are available. By using either metadata search (structured) or document content search (unstructured) methods all relevant documents can be quickly and easily retrieved.

Last but not least, SAP BusinessObjective Process Control and SAP BusinessObjects Risk Management share many components in common such as organization structure, risk object, survey feature, and a common code base for easy implementation and more efficient monitoring and remediation.

With the SAP BusinessObjective Process Control application a continuous visibility across compliance initiatives and increased compliance efficiency can be realized with greater confidence.