How to build trust in SAP S/4 HANA


Antoine Wüthrich
Assurance Partner

Robert Schiffner
ERP and Business Process Excellence

The latest iteration of SAP’s ERP solution does not just come with new and more powerful features. It is also a golden opportunity to rethink your business processes and functions. But to take advantage of the potential for transformation, stakeholders using SAP need to be able to trust the information and data that the S/4 HANA system provides. This means having the right controls in place, adapting them to the new S/4 HANA IT landscape – and striking the right balance between regulatory and security requirements and the effort required to operate the control framework effectively and efficiently.

All eyes on trust in SAP

SAP’s ERP solution plays a key role at many companies when it comes to integrated processes, financial reporting, strategic business decisions and parts of the supply chain. Companies want to ensure they can trust their system. The latest version, S/4 HANA, helps make processes even more integrated, changes business logic, optimises the data model and enables faster reporting than ever before. It also comes with a set of new technologies and solutions for accessing and manipulating data.

The arrival of S/4 HANA coincides with the introduction of new legislation such as the revised Swiss data protection law. Like the EU’s GDPR, these regulations step up the requirements for protecting data. Your company is now legally required to grant access at the appropriate level to the right people at the right time.

Given all these changes in technology, regulations and business processes, your company’s current control framework needs to be challenged and adjusted so that you can trust the information and data coming from your S/4 HANA system.

Changes with S/4 HANA

Figure 1: SAP S/4 HANA also means changes in your controls.

Historically, controls basically fell into two categories: application controls and IT general controls (ITGC). Whereas IT general controls take care of system operations, including critical user access within the IT functions, application controls focus more on user access to business data, automated configurable controls and manual controls.

IT general controls are designed to preserve the integrity of data and ensure they cannot be manipulated. Application controls assure compliance with the defined business processes and regulatory requirements. To get the most out of the control environment, it’s important to gear the control framework primarily towards making sure that processes are followed and that SAP users can trust the SAP data, rather than merely trying to satisfy the external auditors. To find out about the implications in more detail, let’s now take a look at some areas of control frameworks for S/4 HANA.

Nowadays, however, there is an important trend to move away from the simplistic separation between business and IT controls. Configurable controls sit clearly on the border between the two and are a good way to reduce the cost of your control environment. The next level consists of leveraging your data and the new technologies available (e.g. machine learning) as a way to reduce your control costs further while monitoring 100% of your transactions in real time.

Reduce control effort using configurable controls

S/4 HANA introduces several ways of improving and simplifying business processes. Most companies moving to the new version do indeed take these opportunities. They usually capitalise on the new functions available in SAP (for example the function for optimising return on investment) in one of two ways. Some leverage the introduction of S/4 as a trigger and opportunity to transform their finance function (in other words, using change management to effect or facilitate organisational adjustments). Others simply use it to reduce the complexity of legacy processes (i.e. to catch up on housekeeping activities).

Many of the new SAP S/4 functionalities are optional. Some, however, are mandatory, and will force your company to adjust its business processes and adapt the corresponding controls.

The impact on automated controls (which may vary from company to company depending on the scope of the S/4 implementation) will primarily be in specific areas where SAP focuses on changing functionality. Examples include:

  • SAP Business Partners replacing the customers/vendors in SAP
  • Credit management automated controls
  • FI-CO (Finance and Controlling) integration impacting the reporting procedures and activities that are used as part of the financial close

By its nature, the new SAP Finance functionality also entails some specific risks:

  • Initial business mapping accuracy and management of changes over time (including access)
  • Monitoring and error handling (AIF error handling process for synchronisation)
  • Initial configuration impacting transactions in the source/central system
    - Invoices posted in the source cannot be paid/cleared by Central Finance, but
    - Invoices posted in Central Finance can be paid/cleared in Central Finance

So far PwC has identified more than 80 SAP S/4 changes that necessitate adjustments to the internal control system for most organisations running SAP.

As mentioned, most companies moving to S/4 HANA will also take the opportunity to ramp up some of their key processes. This will fundamentally alter the way business risks need to be addressed by controls. Here are just some examples of broad changes introduced by companies where the existing control design needs to be reassessed and adjusted:

  • Chart of accounts standardisation: chart of account differences merging into one chart of accounts (for 400 company codes)
  • Business process standardisation and simplification (e.g. manual journals, financial document type usage)
  • SAP authorisation: access/role harmonisation allowing more/less reliance to be placed on access controls
  • Implementation of new applications such as Ariba, Concur, Central VIM, Central Payment and EBS

Rethink your control environment

We have touched on how companies often use the move to S/4 as an opportunity to rethink the way they operate their business processes. It is also a chance to rethink and simplify the control environment. SAP S/4 HANA offers various new choices in this context, for example options for continuous monitoring of controls (via Fiori or embedded BW) and fraud detection (possibly via Leonardo), allowing certain manual detective controls to be replaced.

What all new SAP S/4 implementations have in common, however, is the fact that business processes will be less static than they were in the past. SAP will continue to release new versions of S/4 to cover a wide array of processes, Fiori apps will continue to grow exponentially and satellite cloud solutions (such as Ariba, Concur and Fieldglass) will continue to expand. All these changes will have a direct impact on the behaviour of end-users in the system and might possibly trigger different risks. It will be more and more difficult for internal control experts to assume that the control environment is stable and to rely on annual walkthroughs to confirm this assumption.

For this reason, more and more organisations are introducing process mining capabilities that enable real-time monitoring of end-users’ compliance with systems and processes. Some tools, such as PwC’s PCT (Process, Controls & Transaction analytics), help identify any new business process path followed by specific users that could indicate that business processes have been modified (e.g. by changes to SAP configuration), that new tools have been introduced or extended (for example Ariba, Concur or Fieldglass) or simply that users have found and are exploiting new back doors.

Figure 2: PwC’s Process, Controls & Transaction Analytics (PCT) tool recognises new user paths.

Tools such as PCT can use process mining analysis as the basis for testing the key controls across all of a company’s entities. If potential control gaps are identified, the tool will automatically analyse the transactions to not only assess the problem in qualitative and quantitative terms, but also suggest the root causes and remedial actions to be taken.

Next-generation control monitoring tools like PCT also embed artificial intelligence (AI) capabilities. Business application controls previously set in systems by way of written rules (e.g. a report listing all vendors created and approved by the same individual) are now enriched by an AI engine. The AI engine automatically detects unusual or new user behaviours and prompts internal control owners to accept or reject the new behaviours. This automatically enhances the ruleset and controls that will then be run on a regular basis.
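The two mechanisms described above, a written rule and the discovery of new user paths with an accept/reject loop, as an added example. This is not PCT code or any SAP functionality; the event log, activity names and baseline variant are all constructed, and the page’s vendor-creation rule is applied here to PO creation and approval in the same constructed log.

```python
from collections import defaultdict

# Constructed event log (not real SAP data): one row per process step.
# Fields: case id, activity, user who executed it, step order within the case.
EVENT_LOG = [
    ("PO-1001", "Create PO", "alice", 1),
    ("PO-1001", "Approve PO", "bob", 2),
    ("PO-1001", "Goods Receipt", "carol", 3),
    ("PO-1001", "Invoice Receipt", "dave", 4),
    ("PO-1002", "Create PO", "alice", 1),
    ("PO-1002", "Approve PO", "bob", 2),
    ("PO-1002", "Goods Receipt", "carol", 3),
    ("PO-1002", "Invoice Receipt", "dave", 4),
    ("PO-1003", "Create PO", "erin", 1),        # approval step skipped: new path
    ("PO-1003", "Goods Receipt", "erin", 2),
    ("PO-1003", "Invoice Receipt", "erin", 3),
    ("PO-1004", "Invoice Receipt", "dave", 1),  # invoice before the PO exists: new path
    ("PO-1004", "Create PO", "alice", 2),
    ("PO-1004", "Approve PO", "bob", 3),
    ("PO-1005", "Create PO", "erin", 1),        # known path, but creator == approver
    ("PO-1005", "Approve PO", "erin", 2),
    ("PO-1005", "Goods Receipt", "carol", 3),
    ("PO-1005", "Invoice Receipt", "dave", 4),
]

# Process variants the control owners have already reviewed and accepted (constructed).
BASELINE_VARIANTS = {
    ("Create PO", "Approve PO", "Goods Receipt", "Invoice Receipt"),
}


def same_user_created_and_approved(log, create="Create PO", approve="Approve PO"):
    """Written rule of the kind the text describes (there: vendors created and
    approved by the same individual), applied here to PO creation/approval.
    Returns the sorted case ids where one user performed both steps."""
    by_case = defaultdict(dict)
    for case_id, activity, user, _ in log:
        if activity in (create, approve):
            by_case[case_id][activity] = user
    return sorted(c for c, steps in by_case.items()
                  if create in steps and approve in steps
                  and steps[create] == steps[approve])


def variants_from_log(log):
    """Process-mining step: order each case's events and group cases by the
    exact sequence of activities (the 'variant', i.e. the user path)."""
    cases = defaultdict(list)
    for case_id, activity, _, step in log:
        cases[case_id].append((step, activity))
    variants = defaultdict(list)
    for case_id, events in cases.items():
        path = tuple(activity for _, activity in sorted(events))
        variants[path].append(case_id)
    return {path: sorted(ids) for path, ids in variants.items()}


def new_paths(log, baseline=BASELINE_VARIANTS):
    """Variants present in the log that are not in the accepted baseline."""
    return {path: ids for path, ids in variants_from_log(log).items()
            if path not in baseline}


def review_new_paths(new, decisions, baseline=BASELINE_VARIANTS):
    """Control owner decides per new path. Accepted paths enrich the baseline
    used for the next run; anything not accepted stays flagged."""
    enriched = set(baseline)
    still_flagged = {}
    for path, ids in new.items():
        if decisions.get(path) == "accept":
            enriched.add(path)
        else:
            still_flagged[path] = ids
    return enriched, still_flagged


if __name__ == "__main__":
    print("creator == approver:", same_user_created_and_approved(EVENT_LOG))
    flagged = new_paths(EVENT_LOG)
    for path, ids in flagged.items():
        print("new path", " -> ".join(path), "in cases", ids)
    # Constructed owner decision: the invoice-first path is accepted, the skipped approval is not.
    decisions = {("Invoice Receipt", "Create PO", "Approve PO"): "accept"}
    baseline, open_items = review_new_paths(flagged, decisions)
    print("baseline now has", len(baseline), "variants; still flagged:", open_items)
```

The point of keeping the rule and the variant discovery separate is that they catch different things: PO-1005 follows the accepted path exactly and is only caught by the written rule, while PO-1003 would pass a creator/approver rule (there is no approval at all) and is only visible because its path is new.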

Protect data with proper user access

User access management isn’t a straightforward discipline. It needs to ensure that business functions are able to work as expected while at the same time assuring compliance with the relevant data protection and regulatory requirements. Implementing S/4 HANA entails significant changes to the IT system architecture, so it’s crucial to consider topics relating to SAP compliance and user access and to involve the relevant teams. With the legacy SAP ERP, users access the system via the SAP GUI or other portals. Some SAP clients might also use SAP Business Warehouse (BW) separately. In that case, there are two authorisation concepts to be implemented and assured (classic ERP and BW).

Figure 3: IT system architecture (simplified) with classic ERP

Under S/4 HANA, it is only possible to exploit the full potential of the solution by using Fiori and BW tools to get the most out of reporting. But this makes it harder to manage user access efficiently and in line with all the relevant regulatory requirements.

Figure 4: IT system architecture (simplified) with S/4 HANA

You have to make sure that an individual who is properly restricted to one company code in S/4 HANA cannot then access all other companies’ data via the embedded BW.

Achieving compliant user and access management with S/4 HANA requires the following building blocks:

  • Repository of regulatory requirements
    Gather regulatory and operational requirements relating to user access and data protection in a central repository that is accessible to the team running access management. This repository can also be used to monitor compliance.
  • Unified SAP authorisation concept throughout all systems
    Develop one central, harmonised SAP authorisation concept covering all the different systems and solutions for accessing data in S/4 HANA.
  • Using business roles
    Manage user access cross-systems with ‘business roles’. Business roles represent a job function and contain all necessary user accesses in the various systems. Using these roles reduces the risk that a user will gain additional access to a company code that they’re not supposed to have. At the same time, it’s easier for business users to request business roles based on job functions.
  • Supporting solutions for analysing compliance
    S/4 HANA already contains a minimal set of solutions for checking access compliance. Nevertheless, they often need manual inputs and are not able to host a regulatory requirements repository. Manual compliance checks in access management are time-consuming and inefficient. It is highly recommended to gather functional requirements for efficient user and access management, to analyse the functionality of existing solutions within the company and to leverage them more efficiently or evaluate alternatives if required.
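An added example of the business-role building block and of the company-code check the text calls for: business roles bundle system roles for ERP and embedded BW, and the check reports any company code a user can read in BW without holding it in ERP. This is not SAP’s authorisation model or any PwC tool; the role names, company codes, users and the "*" convention for an unrestricted BW scope are all constructed assumptions.

```python
# Constructed role model (not an SAP authorisation export).
# System roles carry the organisational scope: the company codes a role grants.
# "*" stands for an unrestricted scope, e.g. an embedded-BW analysis
# authorisation that was never restricted by company code (assumed convention).
SYSTEM_ROLES = {
    "ERP:AP_CLERK_1000":    {"system": "ERP", "company_codes": {"1000"}},
    "ERP:AP_CLERK_2000":    {"system": "ERP", "company_codes": {"2000"}},
    "BW:AP_REPORTING_1000": {"system": "BW",  "company_codes": {"1000"}},
    "BW:AP_REPORTING_ALL":  {"system": "BW",  "company_codes": {"*"}},
}

# Business roles represent a job function and bundle the system roles
# needed in each system (constructed examples).
BUSINESS_ROLES = {
    "AP Clerk CH": ["ERP:AP_CLERK_1000", "BW:AP_REPORTING_1000"],
    "AP Clerk DE": ["ERP:AP_CLERK_2000", "BW:AP_REPORTING_ALL"],  # badly built: BW wide open
}

# Constructed user assignments; carol holds two business roles.
USERS = {
    "alice": ["AP Clerk CH"],
    "bob":   ["AP Clerk DE"],
    "carol": ["AP Clerk CH", "AP Clerk DE"],
}

ALL_COMPANY_CODES = {"1000", "2000", "3000"}


def expand(codes):
    """Turn the '*' convention into the concrete set of company codes."""
    return set(ALL_COMPANY_CODES) if "*" in codes else set(codes)


def scope_of_business_roles(role_names):
    """Resolve business roles -> system roles -> {system: company codes}."""
    scope = {}
    for name in role_names:
        for sys_role in BUSINESS_ROLES[name]:
            role = SYSTEM_ROLES[sys_role]
            scope.setdefault(role["system"], set()).update(expand(role["company_codes"]))
    return scope


def bw_beyond_erp(scope):
    """Company codes readable in embedded BW although the same person holds no
    ERP access to them: the situation the text says must be prevented."""
    return scope.get("BW", set()) - scope.get("ERP", set())


def check_business_role(name):
    """Check a single business role in isolation, e.g. before it is released."""
    return bw_beyond_erp(scope_of_business_roles([name]))


def check_users(users=USERS):
    """Users whose combined business roles leak company data through BW.
    Returns {user: set of company codes reachable only via BW}."""
    findings = {}
    for user, roles in users.items():
        excess = bw_beyond_erp(scope_of_business_roles(roles))
        if excess:
            findings[user] = excess
    return findings


if __name__ == "__main__":
    for name in BUSINESS_ROLES:
        print(name, "-> BW beyond ERP:", sorted(check_business_role(name)))
    for user, excess in check_users().items():
        print(user, "can read company codes", sorted(excess), "in BW only")
```

Checking the business role on its own catches the mis-built "AP Clerk DE" before anyone is assigned to it; checking per user is still needed, because a combination of individually clean roles can also widen the BW scope beyond the ERP scope.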

Establishing SAP compliance and an adequate authorisation concept after a project is very costly, for example, because you have to re-run the test phase or operations are affected. So it pays to think about these things early on in the process: it’s better and more efficient to start building trust in users’ system access during the project than waiting until the SAP S/4 HANA system has gone live.

Leverage reporting functionality to make control reports more effective

Running control reports (for example listing all payments of more than CHF 1 million) and then checking them is not always the most efficient approach. It is much more effective and efficient to use configurable controls. Even so, there are still many occasions where configurable controls are not available or are only possible with additional third-party tools.

Figure 5: Dashboard for efficient monitoring of controls

S/4 HANA not only makes it possible to integrate business processes, but also opens up a wider range of reporting functionalities with the embedded BW, plus BW tools such as Lumira and the HANA platform.

Instead of checking someone’s user access for potential segregation of duties (SoD) conflicts, it’s now possible to build a report showing transactions where the same person placed the purchase order and booked the goods receipt, in real time. With the legacy ERP it wasn’t possible to analyse such very large amounts of data over multiple tables, or at least doing so required extensive investment. In addition to checking SoD conflicts, it’s now possible to monitor transactional data to analyse actual abuse of duties. This means you can now combine preventative SoD user access checks with transaction control reporting. Leveraging the reporting functionality for executing and monitoring controls will increase your confidence and trust in data and transactions.
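The combination described above, a preventive access-based SoD check alongside a transaction report of purchase orders received by the person who placed them, as an added example. It is not SAP or HANA code: the tables, column names, roles and documents are constructed, and SQLite stands in for the database so it runs offline (the queries themselves are plain SQL joins of the kind a HANA-based report would run over the real purchasing and goods-movement tables).

```python
import sqlite3

# Constructed tables (not real SAP table names) standing in for the purchasing
# documents, goods movements and role assignments a HANA report would join.
SCHEMA = """
CREATE TABLE purchase_orders (
    po_number TEXT PRIMARY KEY, created_by TEXT, vendor TEXT, amount REAL);
CREATE TABLE goods_receipts (
    gr_document TEXT PRIMARY KEY, po_number TEXT, posted_by TEXT, quantity REAL);
CREATE TABLE user_roles (user_id TEXT, role TEXT);
"""

PURCHASE_ORDERS = [            # constructed sample data
    ("4500001", "alice", "V100", 12000.0),
    ("4500002", "bob",   "V200", 850.0),
    ("4500003", "bob",   "V300", 1500000.0),
    ("4500004", "carol", "V100", 4300.0),
]
GOODS_RECEIPTS = [
    ("5000001", "4500001", "dave", 10),
    ("5000002", "4500002", "bob", 5),     # bob ordered and received
    ("5000003", "4500003", "bob", 100),   # same, and above CHF 1 million
    ("5000004", "4500004", "dave", 2),
]
USER_ROLES = [                 # preventive side: who could post both steps
    ("alice", "PO_CREATE"),
    ("bob", "PO_CREATE"), ("bob", "GR_POST"),
    ("carol", "PO_CREATE"), ("carol", "GR_POST"),   # conflict held, never exercised
    ("dave", "GR_POST"),
]

# Access-based SoD check: users holding both conflicting roles.
SOD_ACCESS_CONFLICTS = """
SELECT DISTINCT a.user_id
FROM user_roles a JOIN user_roles b ON a.user_id = b.user_id
WHERE a.role = 'PO_CREATE' AND b.role = 'GR_POST'
ORDER BY a.user_id
"""

# Transaction-based check: goods receipts posted by the PO creator,
# optionally limited to orders above a threshold amount.
SOD_EXERCISED = """
SELECT po.po_number, po.created_by, gr.gr_document, po.amount
FROM purchase_orders po
JOIN goods_receipts gr ON gr.po_number = po.po_number
WHERE gr.posted_by = po.created_by AND po.amount >= ?
ORDER BY po.po_number
"""


def load():
    """Build the in-memory database from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO purchase_orders VALUES (?,?,?,?)", PURCHASE_ORDERS)
    conn.executemany("INSERT INTO goods_receipts VALUES (?,?,?,?)", GOODS_RECEIPTS)
    conn.executemany("INSERT INTO user_roles VALUES (?,?)", USER_ROLES)
    return conn


def access_conflicts(conn):
    return [row[0] for row in conn.execute(SOD_ACCESS_CONFLICTS)]


def exercised_conflicts(conn, min_amount=0.0):
    return list(conn.execute(SOD_EXERCISED, (min_amount,)))


def sod_report(conn):
    """Join both views: who holds a conflict, who actually used it, and who
    holds it without having used it (a candidate for role clean-up)."""
    holders = access_conflicts(conn)
    exercised = exercised_conflicts(conn)
    users_exercising = {row[1] for row in exercised}
    return {
        "access_conflicts": holders,
        "exercised": exercised,
        "access_only": [u for u in holders if u not in users_exercising],
    }


if __name__ == "__main__":
    conn = load()
    report = sod_report(conn)
    print("users holding the PO/GR conflict:", report["access_conflicts"])
    print("conflict actually exercised:", report["exercised"])
    print("held but never exercised:", report["access_only"])
    print("exercised above CHF 1 million:", exercised_conflicts(conn, 1_000_000))
```

The threshold parameter mirrors the page’s own example of a control report (payments above CHF 1 million): the same join serves both the full real-time monitoring view and a materiality-filtered review list.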

To sum up

For the management of a company, and also the board of directors, it is important to be able to trust the figures coming from IT systems. A new and appropriate control framework needs to be implemented, taking account of changes in processes and systems and balancing regulatory and security requirements against the effort required to operate the framework effectively. There are many useful templates available, and a wealth of experience, to help.

Implementing S/4 HANA makes managing the control framework efficiently and effectively more complex if you work according to the same principles as with your old SAP ERP. If you use the new functionalities, however, S/4 HANA adds new value to the company and opens up new possibilities in reporting and control management.

Experience with numerous client projects shows that introducing controls and security subsequent to SAP S/4 rollouts always entails higher costs and resistance in the organisation. Directly adopting a new system without challenging and transforming the existing controls or SAP authorisations spells trouble, due not only to the new SAP system architecture, but also to the regulatory requirements, which are constantly growing. This leads to the emergence of various follow-up projects to supplement or develop appropriate corrective measures, inefficiencies in business processes, and increased risk of fraud and incorrect data. This in turn usually translates into expensive projects that should have been anticipated earlier on. For this reason, management must pay attention to security and control frameworks right from the start and ensure that these are taken into account in the S/4 roll-out project. The board of directors should also regularly ask whether it can rely on the data and reports and what measures the company has taken to ensure integrity in the project, but also continuously in day-to-day business. This is the only way your company can extract the maximum added value out of the implementation of SAP S/4 HANA.

Contact us

Antoine Wüthrich

Leader ERP & Business Process Excellence, PwC Switzerland

Tel: +41 58 792 82 27

Robert Schiffner

ERP and Business Process Excellence, PwC Switzerland

Tel: +41 58 792 75 35