Process Control, as a concept, is about providing a centralized controls and compliance management solution. It is designed to assess, document, evaluate, monitor and report the effectiveness of internal controls.
One of the core components of Process Control is Continuous Control Monitoring (CCM). This component monitors the ERP systems based on Business Rule logic and sends exception alerts to the control owners based on the deficiency criteria defined in the Business Rule.
Note: Process Control does not block any business transaction in the ERP system.
For more details on how to configure a Business Rule for a configurable scenario, please refer to the wiki below.
Business Rule Functionality – Governance, Risk and Compliance – SCN Wiki
Business Scenario: The GL account is a master data entity in SAP and the heart of the financial statements: accounting data is posted to it from journals and aggregated from subledgers such as accounts payable, accounts receivable, cash management, fixed assets, purchasing and projects. Monitoring changes to GL master settings, such as blocked for posting in company code, is therefore critical to prevent manipulation of the financial statements.
T-code FS00 can be used to maintain a GL account and to add or remove the block for posting in company code or chart of accounts.
In the example below, we will use a configurable data source type and business rule in GRC Process Control to identify the exceptions and send an alert to the control owner, based on a particular company code deemed sensitive in the enterprise.
As we are using a configurable sub scenario with analysis type Changes, it is mandatory to ensure table logging is active in the ERP system. The table SKB1 stores GL account master data changes.
Go to T-code SE11, then Technical Settings, and ensure the Log Changes field is selected as shown in the screenshot below.
Once the above steps are validated, set up the GRC Process Control master data:
1. Organization
2. Business Process
3. Sub process
4. Risk
5. Control
6. Assign a control owner in the roles tab of control
7. Create a Data Source
8. Create Business Rule by using the data source created in step 7
9. Assign Business Rule to the Control
10. Go to Scheduling then Automated Monitoring and schedule a job by selecting the control
Create the Data Source as shown in the screenshots below.
Now let's see the setup of the Business Rule.
Now let's see the control performance of the automated monitoring.
Finally, let's validate that the GL account block for posting was changed.
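The deficiency logic this walkthrough configures, restated outside SAP as an added example (not the author's or SAP's code): it scans simplified change-log rows for changes to the SKB1 posting-block flag (field XSPEB) in a sensitive company code and reports how long an account stayed open when the block is restored. The row layout, company code 1000, the user names and the HIGH/MEDIUM scale are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample: simplified change-log rows, not the real SAP log layout.
SAMPLE_LOG = """table,bukrs,saknr,field,old,new,user,timestamp
SKB1,1000,0000113100,XSPEB,X,,JDOE,2024-03-28T17:02:11
SKB1,1000,0000113100,XSPEB,,X,JDOE,2024-03-28T17:40:53
SKB1,2000,0000113100,XSPEB,X,,ASMITH,2024-03-29T09:15:00
SKB1,1000,0000400000,ZUAWA,001,002,ASMITH,2024-03-29T10:01:30
SKB1,1000,0000211000,XSPEB,X,,ASMITH,2024-03-29T11:20:00
"""

SENSITIVE_COMPANY_CODES = {"1000"}  # assumption: the company code deemed sensitive
POSTING_BLOCK_FIELD = "XSPEB"       # SKB1 "blocked for posting" indicator


def find_exceptions(log_text, company_codes=SENSITIVE_COMPANY_CODES):
    """Return posting-block changes on SKB1 for sensitive company codes.

    Deficiency levels are an assumed scale: removing the block is HIGH,
    setting it is MEDIUM. A re-block also reports how long the account was open.
    """
    exceptions, unblocked_at = [], {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["table"] != "SKB1" or row["field"] != POSTING_BLOCK_FIELD:
            continue  # other tables and fields are outside this rule
        if row["bukrs"] not in company_codes:
            continue  # company code not in scope for the control
        was_blocked, is_blocked = row["old"] == "X", row["new"] == "X"
        if was_blocked == is_blocked:
            continue  # logged row without an actual change of the flag
        key = (row["bukrs"], row["saknr"])
        when = datetime.fromisoformat(row["timestamp"])
        exc = {"level": "MEDIUM" if is_blocked else "HIGH", "company_code": row["bukrs"],
               "gl_account": row["saknr"], "changed_by": row["user"],
               "changed_at": when, "open_minutes": None}
        if is_blocked and key in unblocked_at:
            # Block restored: record how long postings were possible.
            exc["open_minutes"] = round((when - unblocked_at.pop(key)).total_seconds() / 60, 1)
        elif not is_blocked:
            unblocked_at[key] = when
        exceptions.append(exc)
    return exceptions


if __name__ == "__main__":
    for exc in find_exceptions(SAMPLE_LOG):
        print(exc["level"], exc["gl_account"], exc["changed_by"], exc["open_minutes"])
```

A short open window around a period end, closed again by the same user, is the pattern a control owner would want to compare against the postings made to that account in the interval.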
Conclusion: Continuous Control Monitoring can help organizations enhance their cybersecurity program. It can reduce the damage before it is too late, and management can proactively monitor critical financial risks and remediate issues.