See how continuous monitoring techniques such as continuous transaction monitoring (CTM) and continuous control monitoring (CCM) can help you maximize risk coverage while minimizing your efforts to operate and evaluate controls. SAP offers two continuous monitoring tools. Understand which organizational goals can be accomplished through use of SAP Process Control, a CCM tool, and use of the Oversight Systems’ CTM tool.
Key Concept
Business change introduces new risks to organizations and implies that historic ways of doing things may not be adequate to mitigate these risks. As processes evolve or are replaced, once-applicable controls and risks may become irrelevant and outdated. Process optimization is the activity of revisiting current processes, controls, and risks to refine the activities and perform the process more effectively. It usually is done through the following actions:
- Identify and replace inefficient controls or activities
- Remove controls or activities that are not needed
- Tailor current controls or activities to better fit with the business process and technologies
- Identify unmitigated risks and implement controls or activities that mitigate those risks
All companies require process optimization to adapt to constant changes in their business, such as new technologies, new methods of processing transactions, and new business units that are opened or acquired.
Whenever you select the controls that best fit the business, there is an inherent struggle between preserving business flexibility and minimizing the cost of supporting controls. Typically, there is a trade-off between configurable controls (low cost to implement and operate) and detective controls (which allow business process flexibility at a much higher cost). See “Issues with Configurable Control” for more.
Continuous Monitoring
Continuous monitoring is the process or technology that is used to constantly review something against expected criteria. Continuous monitoring involves:
- The set of the expected criteria
- An automation to review against that criteria to identify exceptions
- A notification method (in most cases workflow or email based)
Continuous Control Monitoring (CCM)
CCM is a technique that monitors the effectiveness of controls on a real-time basis by identifying exceptions that would indicate an issue with that control. An example of CCM is monitoring the release strategy configuration (a key control supporting approval configuration) for compliance with the expected control configuration. CCM may monitor transactions, master data, or configuration to identify control issues.
Continuous Transaction Monitoring (CTM)
CTM is a technique that analyzes all transactions to identify those that meet certain criteria. If a transaction is identified that meets the criteria, there is a notification of the event and usually some sort of workflow-based follow-up occurs. The automatic analysis of data is done daily or more frequently, thereby allowing real-time notification (in some cases with enough time to prevent the transaction from going out). An example of a CTM is monitoring all purchase orders processed to identify duplicate purchase orders or purchase orders processed outside budget or approval limits.
Because of the high automation of these controls and their detective nature, CTM has created a new control type known as real-time or automated detective controls (Figure 1).

Figure 1
Control types and control monitoring
Real-time detective controls allow maximum business flexibility and risk coverage with minimal cost because of automation (Figure 2).
Note
Although I’m referring to this notification as real-time, it is technically within the next day (or a 24-hour period, as the data is analyzed in batch, usually nightly). However, this time lapse from when the transaction is entered into the system to when it is analyzed is so negligible in relation to the speed of the business process that you typically can identify problematic transactions soon enough to stop them from processing or prevent the impact (e.g., by calling the vendor to stop the order). Therefore, the term real-time notification or real-time detective is used to differentiate CTM from current detective control options. Also, note that Oversight is developing Oversight Systems to use SAP HANA to enable actual real-time notification.

Figure 2
Control quadrant: cost versus flexibility
The optimal state is using real-time detective controls to maximize business flexibility with preventive supporting controls to reduce exceptions generated to the greatest extent possible without compromising the business process flexibility.
CTM versus CCM
Much confusion revolves around the differences between these techniques. CTM may be used as a method of CCM. For example, suppose the key control is the release strategy that enforces appropriate approvals and validity of purchase orders (POs), and management wants to implement a CCM solution that monitors whether the release strategy was properly configured. Instead of monitoring the actual configuration in the system, management may choose to monitor all POs for compliance with expected approval limits or rules. This technique is in effect a form of CTM.
It is important to note that CTM has a broader application than just as a CCM technique. CTM may also be used for the following:
- CTM as a key control. CTM is configured to identify all POs outside set approval limits and all split POs attempting to bypass approval limits.
- CTM as a supporting control. For example, the key control is ensuring the segregation of creation and approval of POs from all users by way of user access (preventive control). A CTM rule configured to identify all POs created and approved by the same person acts as a back-up control: if the access control fails and someone uses the unauthorized access, management is made aware of the exception immediately. Management can rely on this type of control as a compensating control in the event of issues with user access (this control would ensure that the issue was identified and the risk was still mitigated).
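The CTM rules named in this article (POs outside approval limits, split POs, POs created and approved by the same person, and duplicate POs) can be expressed as detection logic over a batch of transactions. The following is an added example, not code from SAP Process Control or Oversight Systems; the field names, the approval limit, the three-day window, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 10_000           # assumed approval limit per PO
SPLIT_WINDOW = timedelta(days=3)  # assumed window for treating POs as related
FIELDS = ("po", "vendor", "amount", "created_by", "approved_by", "date")
# Constructed sample purchase orders, not real data.
SAMPLE_POS = [dict(zip(FIELDS, row)) for row in [
    ("PO-1", "V100", 4000, "alice", "bob", date(2013, 3, 1)),
    ("PO-2", "V200", 15000, "carol", "dave", date(2013, 3, 1)),
    ("PO-3", "V300", 6000, "erin", "bob", date(2013, 3, 4)),
    ("PO-4", "V300", 6000, "erin", "bob", date(2013, 3, 5)),
    ("PO-5", "V400", 3000, "frank", "frank", date(2013, 3, 6)),
    ("PO-6", "V500", 2500, "alice", "dave", date(2013, 3, 7)),
    ("PO-7", "V500", 2500, "alice", "dave", date(2013, 3, 7)),
]]

def over_limit(pos):
    """CTM as a key control: POs above the approval limit."""
    return [p["po"] for p in pos if p["amount"] > APPROVAL_LIMIT]

def self_approved(pos):
    """CTM as a supporting control: creator and approver are the same user."""
    return [p["po"] for p in pos if p["created_by"] == p["approved_by"]]

def duplicates(pos):
    """Groups of POs that share vendor, amount and date."""
    seen = defaultdict(list)
    for p in pos:
        seen[(p["vendor"], p["amount"], p["date"])].append(p["po"])
    return [ids for ids in seen.values() if len(ids) > 1]

def split_pos(pos):
    """POs within the limit whose total per creator/vendor in the window exceeds it."""
    groups = defaultdict(list)
    for p in pos:
        if p["amount"] <= APPROVAL_LIMIT:
            groups[(p["created_by"], p["vendor"])].append(p)
    flagged = set()
    for items in groups.values():
        items.sort(key=lambda p: p["date"])
        start = 0
        for end in range(len(items)):
            while items[end]["date"] - items[start]["date"] > SPLIT_WINDOW:
                start += 1
            window = items[start:end + 1]
            if sum(p["amount"] for p in window) > APPROVAL_LIMIT:
                flagged.update(p["po"] for p in window)
    return sorted(flagged)
```

Each function returns the exceptions that a notification workflow would then route for follow-up; the split-PO rule is the one a simple per-transaction limit check misses.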
SAP’s Solutions: Process Control and Oversight Systems
SAP has two continuous monitoring solutions:
- SAP Process Control (core competency CCM or to automate the evaluation of the effectiveness of controls)
- SAP’s endorsed business solution from Oversight Systems (core competency CTM or to automate the operation of key controls)
The tools are separate pieces of functionality that are licensed and sold separately. There is much confusion between the two products as some of the functionality of the two applications overlaps. Both tools can connect to source systems and flag exceptions based on preset criteria. However, the tools were built for different purposes and therefore have different strengths. Table 1 compares the strengths of these two solutions.

Table 1
SAP Process Control’s and Oversight Systems’ strengths
SAP Process Control and Oversight Systems as Used to Support Control Operations
Now that the strengths and core purposes are clear, there is a further complication: Process Control has the technical capability to use continuous monitoring beyond just its control effectiveness monitoring capacity. To clarify the differences between the tools when used to support the operation of the key controls (as opposed to evaluating their effectiveness), Table 2 includes some real-world examples of continuous monitoring configuration. Note that both tools have large libraries of standard content and have many more rules than just those listed in Table 2. The purpose of the table is only to provide some comparable examples for a better understanding of possible functionality.

Table 2
SAP Process Control and Oversight Systems: Real-world examples
Note that if you are using SAP Process Control to support the operation of controls (not limited to evaluation of effectiveness of controls), it is important to keep in mind that the exceptions generated in these scenarios are part of the control’s operation and would therefore not constitute a deficiency. Generally, an exception in SAP Process Control translates to a control deficiency, because the tool’s core purpose is to support the evaluation of control effectiveness. Careful consideration throughout the design is therefore required to ensure that exceptions generated for these types of rules do not translate to a control failure.
The Continuous Monitoring Roadmap
Ultimately, if you wish to have continuous monitoring solutions in place, the ideal scenario is to implement both SAP Process Control and Oversight. Each has a different strength, and both solutions integrate well together to maximize your ability to continuously optimize your processes and controls. However, the reality is that new technologies are costly to implement, to train the organization on, and to embed in processes. Most organizations do not have the critical mass to undertake the implementation of both tools at the same time. Therefore, organizations need to choose which solution to focus on first. The easiest way to do this is to determine which benefits you wish to realize first from a continuous monitoring tool implementation. Deciding this and articulating it up front enables you to:
- Select the appropriate tool that supports that most immediate initiative
- Clearly articulate to the project team and stakeholders what will be met in the current phase of the roadmap and what will be accomplished with later functionality
- Successfully meet the stakeholders’ objectives
Figure 3 is a diagram to help walk you through some of the key considerations in that decision.

Figure 3
Considerations for what technology to pursue first
If Oversight is implemented first, you should implement SAP Process Control next to manage the compliance framework and receive automatic feeds to SAP Process Control of breakdowns in controls based on Oversight integrity checks. In the interim, where no SAP Process Control tool is implemented, you can integrate Oversight controls into compliance activities by having the compliance function use the dashboards and workbench in Oversight and evaluate the information to determine how the exceptions affect the effectiveness of current controls. Root cause analysis, days exceptions are left open, and true positives are all easy to analyze through the reporting function in Oversight and are meaningful to compliance when assessing the current controls.
If SAP Process Control is implemented first, you will want to implement Oversight next to obtain the more advanced or mature transaction monitoring techniques. If management decides to implement Oversight next, you need to consider this throughout your SAP Process Control project. It may make more sense to hold off on designing some of the rules supporting controls until Oversight is implemented. This would save time and cost, as you would not have to design rules and build workflow in SAP Process Control and then redo that work in Oversight (the configuration cannot be migrated).
Jamie Levitt
Jamie Levitt, CPA, CISA, is a manager for PwC in the US. Jamie has more than nine years' experience in SAP. Jamie has helped develop a significant amount of PwC’s thought leadership and tools, including SAP ITGCs/Basis for PwC globally. She has extensive experience with risk and controls optimization programs from both an external audit and advisory capacity, training of the PwC global firm, and client training. Her current core focus is continuous monitoring methodologies specializing in the process solutions of continuous controls monitoring and continuous transaction analysis. Jamie has spoken at GRC in 2011, 2012, and now in 2013. Previously Jamie worked for Turnkey Consulting in the US. She led Turnkey's US operations. Prior to her role at Turnkey, she worked for PricewaterhouseCoopers in the UK and US as a manager.