Process Controls as a concept is about providing a centralized controls and compliance management solution. It is designed to assess, document, evaluate, monitor and report the effectiveness of internal controls.

One of the core components of Process Control is Continuous Control Monitoring (CCM). This component monitors the ERP systems based on Business Rule logic and sends exception alerts to the control owners based on the deficiency criteria defined in the Business Rule.

Note: Process Control does not block any business transaction in the ERP system. 

For more details on how to configure a Business Rule for a configurable scenario, please refer to the wiki below.

Business Rule Functionality – Governance, Risk and Compliance – SCN Wiki

 

Business Scenario: The GL account is a master data entity in SAP and is the heart of the financial statements, where accounting data is posted from journals and aggregated from subledgers such as accounts payable, accounts receivable, cash management, fixed assets, purchasing and projects. Monitoring changes to GL master settings, such as blocked for posting in company code, is therefore critical to prevent manipulation of the financial statements.

T-code FS00 can be used to maintain GL Account and add or remove the block for posting in company code or chart of accounts.

In the example below, we will use a configurable data source type and business rule in GRC Process Control to identify the exceptions and send an alert to the control owner, based on a particular company code deemed sensitive in the enterprise.

Transaction Code FS00

 

As we are using a configurable sub-scenario with the analysis type set to changes, it is mandatory to ensure table logging is active in the ERP system. The table SKB1 stores GL Account Master Data Changes.

Go to T-code SE11, then Technical Settings, and ensure the Log Changes field is selected, as shown in the screenshot below.

Log Changes Active

 

Once the above steps are validated, set up the GRC Process Control Master Data:

  1. Organization
  2. Business Process
  3. Sub process
  4. Risk
  5. Control
  6. Assign a control owner in the roles tab of control
  7. Create a Data Source
  8. Create Business Rule by using the data source created in step 7
  9. Assign Business Rule to the Control
  10. Go to Scheduling then Automated Monitoring and schedule a job by selecting the control

Create the Data Source as shown in the screenshots below.

Data Source

Data Source data received from ERP system

Now let’s see the setup of Business Rule

Business Rule
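The logic this Business Rule applies, written out in Python as an added example (not SAP code and not part of the original post's configuration): it filters change-log records for table SKB1 down to changes of the posting-block field in a sensitive company code and returns one exception per change. The company code `1000`, the record layout and the sample rows are assumptions constructed for illustration; `BUKRS`, `SAKNR` and `XSPEB` are SKB1 field names.

```python
from dataclasses import dataclass

# Constructed for illustration: company code "1000", the record layout and all rows.
# BUKRS, SAKNR and XSPEB (blocked for posting) are SKB1 field names.
SENSITIVE_COMPANY_CODES = {"1000"}
MONITORED_TABLE, MONITORED_FIELD = "SKB1", "XSPEB"

@dataclass(frozen=True)
class ChangeRecord:
    table: str
    bukrs: str   # company code
    saknr: str   # GL account
    field: str   # changed field
    old: str
    new: str
    user: str
    changed_at: str

def evaluate(records):
    """Return one exception per effective posting-block change in a sensitive company code."""
    exceptions = []
    for r in records:
        if (r.table, r.field) != (MONITORED_TABLE, MONITORED_FIELD):
            continue  # other tables or fields are outside this rule
        if r.bukrs not in SENSITIVE_COMPANY_CODES:
            continue  # company code not deemed sensitive
        old, new = r.old.strip().upper(), r.new.strip().upper()
        if old == new:
            continue  # logged save without an effective change
        exceptions.append({
            "company_code": r.bukrs, "gl_account": r.saknr,
            "action": "BLOCK_SET" if new == "X" else "BLOCK_REMOVED",
            "user": r.user, "changed_at": r.changed_at,
        })
    return exceptions

SAMPLE_LOG = [  # constructed change-log rows
    ChangeRecord("SKB1", "1000", "0000113100", "XSPEB", "", "X", "USER_A", "2022-03-01T09:15:00"),
    ChangeRecord("SKB1", "1000", "0000113100", "XSPEB", "X", "", "USER_B", "2022-03-01T17:40:00"),
    ChangeRecord("SKB1", "2000", "0000113100", "XSPEB", "", "X", "USER_A", "2022-03-02T08:00:00"),
    ChangeRecord("SKB1", "1000", "0000113100", "FSTAG", "G001", "G005", "USER_C", "2022-03-02T10:30:00"),
    ChangeRecord("SKB1", "1000", "0000113100", "XSPEB", "X", "x ", "USER_B", "2022-03-03T11:00:00"),
]

if __name__ == "__main__":
    for exc in evaluate(SAMPLE_LOG):
        print(exc)
```

Only the first two sample rows raise exceptions: the third is in a non-sensitive company code, the fourth changes a different field, and the fifth logs no effective change.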

Now let’s see the control performance of the automated monitoring

Control Monitoring

Control Result

Finally, let's validate the change to the GL account block for posting.

Compared with FS00 Result

Conclusion: Continuous Control Monitoring can help organizations enhance their cybersecurity program. It can reduce the damage before it is too late, and management can proactively monitor critical financial risks and remediate issues.

 

Sara Sampaio

Author Since: March 10, 2022
