Effective controls ensure that a company complies with regulatory requirements, but they should also be cost effective. Standardization, optimization, and automation can improve the efficiency and cost-effectiveness of compliance.
Key Concept
CFOs frown on the idea of reducing the number of controls in a process. However, having many controls does not necessarily yield all the needed results and can reduce efficiency. To optimize controls, you should categorize control activities in a process as either key or non-key controls. Key controls are those controls for which failure would result in a failure of the process. For example, GR/IR three-way matching in the procure-to-pay process is a key control. Non-key controls are those for which failure would not affect the process execution. Key controls detect fraud or a mistake that non-key controls could not prevent or detect.
Compliance is not a one-time activity but a repetitive one. As a result, it can be very expensive in terms of cost and resources. If not handled efficiently, compliance becomes a huge burden on the IT, finance, and audit departments. Mid-size companies can’t afford top consultants or a large number of in-house consultants for regular compliance reviews. Compliance is not a revenue-generating core activity for companies in most verticals, such as manufacturing or banking, and is commonly treated as a support activity without the proper focus.
So what is the best way to achieve efficient compliance? A company should follow a precise compliance methodology rather than approaching it haphazardly. We believe that combining standardization, optimization, automation, and optionally offshoring is the best way to approach compliance (Figure 1). We’ll go through an approach to achieve this next, and then look at the individual processes.

Figure 1
Processes for efficient compliance
Figure 2 outlines an approach you can take. You should start by reviewing and understanding business processes so you can assess the differences in process execution across business units. While considering your business requirements, you need to standardize these processes before validating them with stakeholders. You then review controls in the standardized processes for effectiveness, relevance, and redundancy. After you have identified them, remove redundant controls from the processes and plug key controls into the processes at appropriate places. You can then automate these optimized controls in various applications and technical infrastructure enabling the processes. Once the controls are automated, you can transfer the knowledge to all appropriate team members, including any potential off-site team members who routinely maintain and manage the controls.
Note
The approach to efficient compliance changes depending on the status of IT initiatives in the company. If the company is already running SAP ERP and has made a heavy investment in IT applications, then the standardization of process and controls is a separate initiative. However, it is a prudent idea to proactively address compliance requirements along with your implementation or upgrade.

Figure 2
Compliance approach
Figure 3 helps in prioritizing the control gaps for remediation. After you identify the control gaps and remediation solutions, you prioritize the remediation plan. This depends on the cost of the risk and cost of the control. It’s important to remember that there is no standard classification of risk—you need to assess it as high, medium, or low (or whatever other measurements you choose to use) depending on the business requirement. Table 1 shows three examples for you to consider.

Figure 3
Remediation guide
Control gap | Remediation | Cost of risk | Cost of control | Priority
--- | --- | --- | --- | ---
The Company code is productive indicator protects a productive company code from being reset when a deletion program is run; if it is not set, production data may be deleted by accident. Incorrect global data settings within the SAP system may affect the integrity of the financial information. Unauthorized organizational data additions or changes can also result in inappropriate transaction processing and inaccurate financial statement data. | Enable the Company code is productive indicator in the global client configuration | High | Low | Quick win
If the reconciliation field status is not set as mandatory in the customer account groups for the payer and sold-to party partner functions, financial records may not be up to date. | Set the field status update indicator as mandatory | High | Low | Quick win
The SAP system allows entries to be posted to a customer account marked for deletion if it is not blocked for posting. If customer accounts are marked for deletion at the company code level but not blocked for posting, accounting entries can still be posted to that company code. | Develop and implement procedures for managing and reviewing accounts marked for deletion, and for posting to them | Medium | Medium | Medium priority
Table 1
Examples of remediation plans
Now we’ll look at how you can standardize, optimize, and automate processes during your SAP implementation. Compliance work runs in parallel with the implementation: compliance consultants (or consultants on a company’s own staff) become involved at the beginning, in the project planning phase, and stay involved throughout the implementation. These consultants work with the internal compliance officers to understand the requirements and draft a suitable plan for ensuring compliance during the SAP implementation. Figure 4 shows some of the information they consider at the different stages of the process.

Figure 4
Internal control standardization, optimization, and automation with SAP implementation
Standardization, optimization, and automation of controls are ensured as a part of design effectiveness assessment in the blueprint phase. Such designed controls are tested along with other application features as a part of unit testing and integration testing by a combined team of SAP ERP implementation consultants and compliance consultants. The test plans are intertwined and testing is performed once. Test results and evidence documentation are done separately to suit the needs of compliance auditors. Now we’ll look at each of the processes individually, followed by a consideration of an optional process, offshoring or outsourcing.
Standardizing processes is the key to efficient compliance. Standardizing processes across geographies and logical units removes the need for repetitive documentation and testing of controls. Standardization enables easy introduction or removal of activities in the processes across different geographies and facilitates easier management of the processes.
Some of the controls you can use to ensure design effectiveness include IT application controls, business process controls, access and authorization controls, and IT general controls. You need to standardize processes along with the blueprint finalization. Complete standardization is the key to bringing down the cost of compliance as you can avoid redundant tests. You may not achieve complete standardization in the first year; you may have to standardize process by process.
For example, let’s say that a company executes the procure-to-pay process in different ways in different geographies. Location 1 uses the one-time vendor functionality to procure consumables, whereas Location 2 follows the normal procure-to-pay process with purchase order (PO) approval. This is a classic case of two units of a company using different processing options provided in the SAP system to carry out the same process. After analyzing these processes and ascertaining the requirements, the company standardizes the process and adopts the normal procure-to-pay process with PO approval for both locations. Because the one-time vendor functionality raises control concerns, the company eliminates it.
The goal of optimizing is to bring in just the right number of controls. Regulatory compliance does not necessarily require a large number of controls to be in place. Companies are starting to realize that having more controls does not mean they are more secure. Control is a relative term, and each company has to evaluate the cost and benefit of having a control in a process. If the cost of a control exceeds its benefits, you should do away with it unless there is a regulatory requirement for it. Eliminating redundant controls simplifies the process and frees bandwidth for productive work.
You also need to assess the cost of the risk to know the importance of a particular risk before deciding on adding or removing controls in the processes. You can assess the cost of the risk as a product of probability of occurrence and the impact of occurrence. If either of the two factors is rated as high, then the product will be rated as high. You can use Table 2 for guidance to rate the risk.
Probability of occurrence | Impact of occurrence | Cost of risk
--- | --- | ---
High | High | Very High
High | Medium | High
High | Low | High
Medium | High | High
Medium | Medium | Medium
Medium | Low | Medium
Low | High | High
Low | Medium | Medium
Low | Low | Low
Table 2
Levels of risk
To illustrate Table 2, I’ll show you a quick example. Say you haven’t set the Company code is productive indicator, which means that your data in that company code is at risk of being deleted or reset when you run a deletion program. This action, though low in probability of occurrence, may result in accidental deletion of production data, which is a very high impact. Incorrect global data settings within the SAP system may affect the integrity of the financial information. Unauthorized organizational data additions or changes could also result in inappropriate transaction processing and inaccurate financial statement data, which would represent a high cost of risk.
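The Table 2 rating rule and the Table 1 prioritization written out as an added example (not code from the article): the rule is cross-checked against all nine rows of Table 2 and then applied to a few constructed control gaps. The sample gaps, the column names, and the `LEVELS` ranking are assumptions for the example.

```python
# Added example, not from the article: the Table 2 cost-of-risk rule as code,
# cross-checked against all nine table rows, then applied to constructed gaps.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}

TABLE_2 = {  # the nine rows of Table 2: (probability, impact) -> cost of risk
    ("High", "High"): "Very High", ("High", "Medium"): "High", ("High", "Low"): "High",
    ("Medium", "High"): "High", ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Medium",
    ("Low", "High"): "High", ("Low", "Medium"): "Medium", ("Low", "Low"): "Low",
}

def rate_risk(probability: str, impact: str) -> str:
    """Cost of risk as the 'product' of probability and impact: either factor
    High gives High, both High gives Very High, both Low gives Low, else Medium."""
    if probability == "High" and impact == "High":
        return "Very High"
    if "High" in (probability, impact):
        return "High"
    if probability == "Low" and impact == "Low":
        return "Low"
    return "Medium"

def rule_matches_table() -> bool:
    """Check that the rule reproduces every row of Table 2."""
    return all(rate_risk(p, i) == r for (p, i), r in TABLE_2.items())

def prioritize(gaps):
    """Order gaps by cost of risk (highest first), then cost of control (lowest
    first). Only the two labels shown in Table 1 are assigned; the rest stay
    None because the article's Figure 3 guide is not reproduced here."""
    rated = []
    for gap in gaps:
        risk = rate_risk(gap["probability"], gap["impact"])
        label = None
        if LEVELS[risk] >= LEVELS["High"] and gap["control_cost"] == "Low":
            label = "Quick win"
        elif risk == "Medium" and gap["control_cost"] == "Medium":
            label = "Medium priority"
        rated.append({**gap, "cost_of_risk": risk, "priority": label})
    return sorted(rated, key=lambda g: (-LEVELS[g["cost_of_risk"]], LEVELS[g["control_cost"]]))

# Constructed sample gaps, modelled on the article's Table 1 rows.
SAMPLE_GAPS = [
    {"gap": "Company code is productive indicator not set",
     "probability": "Low", "impact": "High", "control_cost": "Low"},
    {"gap": "Accounts marked for deletion not blocked for posting",
     "probability": "Medium", "impact": "Medium", "control_cost": "Medium"},
    {"gap": "Reconciliation field status not mandatory",
     "probability": "High", "impact": "Medium", "control_cost": "Low"},
]
```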
To optimize controls, you should categorize control activities in a process as either key or non-key controls. After categorizing controls as key and non-key, you identify redundant controls. Checks performed by these controls can be performed by other controls as well. Not all non-key controls are redundant controls but all redundant controls are non-key controls.
A key control in the process can address the risk addressed by a redundant control as well, so removing the redundant control and relying on the key control is the best policy. You should review business blueprint documents to identify the redundant controls, discuss them with users, and eliminate or retain them after analysis. For example, say there is a repeated check by two AP clerks and a manager of the same payment voucher. Checks conducted by the two clerks are redundant controls, so you can eliminate those checks, while keeping the manager’s payment voucher check, which is a key control.
IT plays a key role in bringing down the cost of compliance. Automation of controls removes the reliance on the human element in the processes. It enables more preventative controls in the processes than detective controls. More reliance on preventative controls can prevent errors or fraud from happening better than detecting them at a later stage. Automation of controls enables remote access to controls, thereby enabling outsourcing or offshoring of the evaluation of controls.
So how do you decide which controls you need to automate? Cost analysis of automated controls can help measure this more objectively.
Cost of automated control = Cost of implementing control + Cost of maintaining the control for X years
The cost of an automated control is the sum of the cost of implementing the control and the cost of maintaining it for a given number of years. You evaluate the cost of automated controls against the cost of maintaining the equivalent manual controls over the same number of years. The initial cost of automated controls is invariably high because of the implementation cost. The cost of manual controls, however, varies between medium and high because of periodic changes, knowledge transfer, and so on. This comparison provides a starting point for identifying the controls that you need to automate. Figure 5 shows a comparison based on estimated data. Though the cost of automation may be high in the initial years, over time the cost of automated controls comes down. The cost of manual controls, on the other hand, either stays the same or increases when maintenance of the control is transferred from one individual to another. The human element also keeps the cost fluctuating, whereas standardization, optimization, and automation of controls together make control evaluation simple, less time consuming, and more cost effective.
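The cost formula above, worked through as an added example (not from the article): the cumulative cost of an automated control is compared year by year with the cumulative cost of the equivalent manual control to find the first year in which automation is cheaper. All figures are constructed, in arbitrary cost units, and the year-3 spike in manual cost is an assumed knowledge-transfer handover.

```python
# Added example, not from the article: Cost of automated control =
# implementation + maintenance for X years, compared against the running cost
# of the manual control. All figures below are constructed illustrations.
from typing import List, Optional

def automated_control_cost(implementation: float, maintenance: List[float]) -> float:
    """The article's formula: implementation cost plus maintenance over X years."""
    return implementation + sum(maintenance)

def cumulative(costs: List[float]) -> List[float]:
    """Running total, one entry per year."""
    total, out = 0.0, []
    for c in costs:
        total += c
        out.append(total)
    return out

def break_even_year(implementation: float, maintenance: List[float],
                    manual: List[float]) -> Optional[int]:
    """First year (1-based) in which the cumulative automated cost is no higher
    than the cumulative manual cost, or None if that never happens in X years."""
    auto = [implementation + maintenance[0]] + maintenance[1:]
    for year, (a, m) in enumerate(zip(cumulative(auto), cumulative(manual)), start=1):
        if a <= m:
            return year
    return None

# Constructed figures: automation is expensive up front and its upkeep falls
# over time; the manual control costs about the same each year but spikes in
# year 3, when its maintenance is handed over to a new person.
IMPLEMENTATION = 100.0
AUTO_MAINTENANCE = [20.0, 15.0, 12.0, 10.0, 10.0]
MANUAL = [40.0, 40.0, 55.0, 45.0, 45.0]

if __name__ == "__main__":
    print("5-year automated cost:", automated_control_cost(IMPLEMENTATION, AUTO_MAINTENANCE))
    print("break-even year:", break_even_year(IMPLEMENTATION, AUTO_MAINTENANCE, MANUAL))
```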

Figure 5
Manual vs. automated controls
The SAP system has many control configurations that you can use effectively without developing any add-ons or relying on any human element to execute the controls. You should configure as many of the optimized controls as possible directly in your SAP system.
For example, you should configure PO value-wise authorization in the SAP system with appropriate access controls. You should assign user IDs with authorization limits in the SAP system. This is a better control as opposed to manually authorizing the PO because automated control prevents an error from happening rather than detecting it at a later point of time. This is easier to enforce and monitor than a manual authorization. If this control is not automated, the person reviewing the approved PO has to verify the signature and, if required, call the authorizer to make sure that the same person has indeed approved the PO. Manual authorization requires the approver to physically sign off the order as opposed to automated control, wherein the approver can access the PO remotely and approve it.
Some companies choose as an additional part of the process to outsource or offshore some of their processes. This is generally done for cost reasons, as they are often cheaper options than providing the full-time staff or consultants that other companies use.
It’s important to distinguish between offshoring and outsourcing. Offshoring does not necessarily equal outsourcing. Offshoring refers to executing the job from a remote location, which a captive unit can do as well. Outsourcing refers to handing the job to a third-party service provider that specializes in certain services, to gain process efficiency as well as cost savings. Most specialist service providers hire specialists and operate on a shared service model. You can use this model for compliance assessments if the controls you need to test are standardized and automated, because they then require less user interaction.
SAP security administrators provide the outsourced consultants with the appropriate auditor access to carry out the periodic assessments from offshore. Companies that choose to offshore usually form a combined team of IT general controls specialists and business process controls specialists, which in turn splits into two teams — an onsite and an offshore team. The offshore team accesses the SAP systems and does the testing from its base location. The onsite team visits the respective client locations and evaluates those controls that require extensive user interaction. The offshore team executes most of the documentation work relating to report preparation, which is where the tangible cost savings for the clients come from. Based on our experience, most companies adopt a 60% offshore and 40% onsite model, and the cost of compliance comes down drastically, sometimes by as much as 50%. Costs could go down by another 5% in subsequent years, because the time spent understanding the processes and controls in the initial year is no longer needed.
Keerthana Mainkar
Keerthana Mainkar has more than 11 years of operations and systems management and information systems audit experience. She is the anchor of Infosys Technologies’ Sarbanes-Oxley compliance and enterprise risk management team. She is a Chartered Accountant and a Certified Information Systems Auditor (CISA). Prior to joining Infosys, she was with PricewaterhouseCoopers’ information systems audit division. She is currently developing the ERMS practice within Infosys. She has managed and led several Sarbanes-Oxley projects for Infosys. She specializes in SAP security and controls and has used PwC ACE, ACL, Approva, and SAP GRC tools. She has developed many work programs for Sarbanes-Oxley compliance, which have been successfully deployed in various Sarbanes-Oxley projects done by Infosys.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.
Raghupathi Cavale
Raghupathi Cavale is associate vice president with Infosys Technologies and has worked in engineering, consulting, and IT. He set up and heads the enterprise risk management practice at Infosys. He has worked extensively in India and the US in various operational functions during the last 22 years.