Mitigation controls in SAP GRC 10.0 enable you to respond proactively to operational risks. See how several SAP GRC 10.0 integration scenarios can be used in response to the operational risk of fraud and money loss in the procure-to-pay (P2P) process.
Key Concept
SAP GRC 10.0 helps your risk management department put timely risk responses in place. It lets you link proactively to internal audit, security, Project System, plant maintenance, and the departments in which a risk could occur. This approach gives the business and its stakeholders visibility into the cost reductions achieved when different types of controls are put in place to remediate problems quickly. With SAP Risk Management 10.0, once a risk response is in place you can evaluate the cost reduction with the risk analysis history report by comparing expected loss trends over different periods. If the risk response (i.e., the mitigation control) is effective, the cause of the risk is eliminated or mitigated, so the expected loss related to the residual risk falls after the mitigation control is implemented correctly.
Mitigation controls in SAP GRC 10.0 enable you to respond proactively to operational risks. From a monetary point of view, you can evaluate benefits of different types of controls. You can use this monetary benefits evaluation as lessons learned to prioritize future risk responses, using the correct type of automated application control for the specific operational risk. You also can use security and segregation of duties (SoD) controls to mitigate operational risks. The following integration scenarios can be used in response to the operational risk of fraud and money loss in the procure-to-pay (P2P) process:
- SAP Risk Management 10.0 uses an existing SAP Process Control 10.0 automated control to mitigate a risk: The risk manager mitigates a specific risk using a control that was created earlier in SAP Process Control 10.0 by the internal audit department. See the section “Assign a Control to Mitigate the Risk” for more details.
- SAP Process Control Design Assessment updates the completeness of a risk response in SAP Risk Management. See the section “The Control Design Assessment Phase.”
- SAP Process Control Testing updates the effectiveness of a risk response in SAP Risk Management (not in the scope of this article).
- SAP Access Control SoD risk analysis results are used as an SAP Process Control 10.0 automated control to mitigate an operational risk that stems from a conflict of interest. An unmitigated conflict of interest can lead to fraud in a process and therefore generates an operational risk.
To perform a monetary benefits evaluation correctly, start with the implementation of the key risk indicator (KRI), so that you can also assess the implementation effort. You first need to design and implement an effective KRI that measures the level of the risk transparently. By performing the risk analysis in SAP Risk Management, you can then quantify the expected money loss before and after a specific control has been implemented in SAP Process Control 10.0.
We explain this approach and analyze in detail the risk before and after the automated control for changes to tolerance key settings is implemented in SAP Process Control 10.0. By comparing, for each mitigation control, the implementation cost of the automated control with the money loss related to the risk, you can decide which control is the best response to a specific risk.
The first step during risk assessment is the identification of the KRI. Risk owners use the KRI as a thermometer to measure the severity of a specific operational risk, so it is important to design the KRI to be as reliable, measurable, automatic, and effective as possible.
The risk owner needs the KRI to evaluate the effect of the risk of fraud and money loss in the P2P process independently, without the influence of other enterprise departments. In this way you can measure objectively the effectiveness of the different types of risk response (such as automated application control, policy, or security) put in place by the internal audit and security departments. Here is an example of the implementation of a KRI to evaluate the hypothetical financial cost increase caused by the risk of fraud and monetary loss in the P2P process.
None of the currency amounts refer to a real company; our purpose is to propose an integrated model to assess the monetary effect of a specific operational risk. The financial cost varies from company to company depending on business strategy, policies, and the internal control system.
We use a KRI fed manually by a risk owner who periodically extracts the balance of the purchasing price variance G/L account. To better understand the importance of this G/L account and the related business process, refer to the section “Mitigation 4” in Maurizio’s article “Use a Three-Way Invoice Control Assessment to Reduce the Risk of Fraud and Money Loss.” The risk owner uses transaction code FS10N by following menu path SAP menu > Accounting > Financial Accounting > General Ledger > Account > FS10N - Display Balances. Enter the company code, fiscal year, and the purchasing price variance G/L account as input parameters (Figure 1). Because the KRI must remain independent, the risk owner’s role should only allow displaying balances, not posting to the account.

Figure 1
Display the account balance for a G/L account purchasing price variance
Note
In his article, Maurizio also explains how to discover this G/L account using transaction code OBYC (transaction key PRD).
You can then evaluate the debit or credit balance for different fiscal periods, again with transaction FS10N (Figure 2).

Figure 2
Debit and credit account balances
The risk owner must periodically monitor the balance of G/L account 231000 (loss price variance) to measure the financial exposure related to the specific risk of money loss in the P2P process. If the SAP CO material ledger component has been activated, the price difference between the material price recorded in the purchase order and the vendor invoice price is posted to this G/L account, so the risk owner uses its balance as a KRI that measures, in money terms, the value of received material whose price has been inflated by the vendor. We show later how to create new risk master data in SAP Risk Management 10.0.
Now we show the procedure to enter a KRI value in SAP GRC 10.0 manually. Follow menu path Rule Setup > Key Risk Indicators > KRI Value Input. For technical reasons, you first need to retrieve an XML template for the KRIs implemented in the system. Select the KRI as shown in Figure 3. Select Manual Input in the Input Mode section and KRI Template + Organizational Unit in the Selection Mode section. Click the Next button.

Figure 3
KRI manual value input: Select the KRI
In the next screen, click the Get XML Template link (Figure 4).

Figure 4
The link to the XML template for KRI
In the pop-up screen that appears (Figure 5), click the Save button to save the template locally.

Figure 5
Save the XML template for a KRI locally
Using a simple XML editor, change the value of the KRI in the <VALUE> … </VALUE> tag. Figure 6 shows the final XML file to be uploaded to the GRC system to update the KRI value (115,773 €), the balance of G/L account 231000 loss price variance. This value has to be updated because it changes every month and represents the money loss linked to the risk. Because anyone who can upload this file can set the KRI to any value, restrict the KRI Value Input function to the risk owner and keep the uploaded files as evidence.

Figure 6
Procedure of manual value input of the KRI: XML file to be uploaded to GRC
This manual procedure replaces the previous value of the KRI in GRC (Figure 7).

Figure 7
Procedure of the manual value input of the KRI: Review
To display the trend of the KRI over time, follow menu path Assessment Work Center > Risk And Opportunities > Key Risk Indicator tab. In the screen that appears, click the Show History button (Figure 8).

Figure 8
Monitor the KRI value trend history
To create a new risk in SAP GRC 10.0, follow menu path Work Center Assessments > Risk Assessments > Risk and Opportunities. Figure 9 shows an implementation example of the operational risk fraud and money loss over P2P. The risk is linked to the organization unit 00 – AGRC HQ Spa, and the impact is financial loss owing to additional costs.

Figure 9
Risk master data
To analyze and update this risk master data in a more user-friendly view, click the Switch to Graphical View button. This view shows the different risk master data parameters in one screen, without navigating through the separate tabs shown in Figure 9 (e.g., General, Key Risk Indicator, Analysis).
As you can see on the left side of Figure 10, the procedure of risk master data maintenance is also divided into three phases, which makes the process easier to follow:
- Identify Risk
- Assess Risk
- Mitigate Risk
In the first phase, you add new drivers to the risk using the drop-down list. We add Commodity Prices as a driver for the risk of money loss over P2P because unexpected changes in commodity prices can reduce a producer’s profit margin and make budgeting difficult. In other words, a driver is the cause of a specific risk, and the cause generates an effect (e.g., an increase in direct operational costs).

Figure 10
Add new drivers in the Identify Risk phase of risk master data maintenance
The activity linked to the risk of fraud and money loss over P2P is the process Purchase Order Processing. During the creation of a purchase order, if the SAP back-end system is not correctly configured, it is possible to purchase material at a price higher than the real market value (see the previously referenced article). To create a new activity in SAP GRC 10.0, follow menu path Work Center Risk Assessments > Risk Assessments > Activities.
In the second phase you assess the risk to evaluate the risk level, risk score, total loss, and probability (Figure 11). You then decide whether it is necessary to remediate the risk with a different type of risk response. If some responses are already in place for this risk, you can weigh the cost of remediation against the monetary effect of the risk.

Figure 11
The Assess Risk phase of risk master data maintenance
To perform a detailed risk analysis for a risk in SAP GRC 10.0, follow menu path Work Center Assessments > Risk Assessments > Risk and Opportunities. Click the Analysis tab (Figure 12).

Figure 12
Inherent risk input and analysis history of risk master data maintenance
If you enter an inherent risk probability of 60 percent and an impact of 115,773 euros, the system updates the total loss in the analysis history graph (shown as 105,000 euros in Figure 12). As you can see in Figure 12, the inherent, residual, and planned total loss levels are the same because as of December 31, 2011, no remediation plans had been put in place.
What Is the Inherent and Residual Risk?
Inherent risk (the blue bar in Figure 12) is the risk that an activity poses if no controls are in place (risk before control). Actual residual risk (the green bar in Figure 12) is the real risk that remains after controls are used (actual risk after control). Planned residual risk (the yellow bar in Figure 12) is the residual risk expected to remain once the planned controls are in place (planned risk after control).
Because the risk of fraud and money loss grows day by day (Figure 13), it is important to assign a control as a risk response plan. The goal is to reduce the actual residual risk.

Figure 13
Analysis history evaluation and total loss increase of risk master data maintenance
In SAP GRC 10.0, you can assign a new control in response to a specific risk. Follow menu path Work Center Assessments > Risk Assessments > Risk and Opportunities > Assign > Control and select the control created in SAP Process Control 10.0. In Figure 14, we include all the controls related to tolerance key settings that were assessed and explained in the previously referenced article.

Figure 14
Controls assigned to the risk as a risk response plan
Note
In the section titled “Automate the Control with SAP Process Control 10.0,” we explain a procedure to create a new automated control in SAP Process Control 10.0.
To perform the risk analysis, you evaluate objectively the probability reduction provided by each proposed control. As you can see in Figure 14, we set the probability reduction for each control related to a single tolerance key setting to 10 percent, because there are other tolerance key settings in the SAP ERP Central Component (ECC) target system that must also be controlled. The total planned probability reduction, with all five tolerance key setting controls in place, is 50 percent at the analysis date of December 31, 2011.
If the total probability reduction is 50 percent, the planned residual risk is half of the initial inherent risk. As you can see in Figure 15, if you click the Start Report button, you see the detailed risk analysis per date. The expected total loss related to the planned residual risk after the first remediation cycle is 56,704.27 euros.

Figure 15
A risk analysis detailed report
Note
This is only the planned residual risk, not the actual risk exposure. Only after the control design assessment has been performed, control effectiveness has been evaluated, the control issue has been fully remediated by the control owner, and the remediation plan is complete can you evaluate the actual residual risk. The KRI is then used to analyze, objectively and transparently, whether the remediation control is effective. This is the purpose of the KRI: to provide objectivity to the risk analysis.
Now we explain how SAP GRC 10.0 automates the control design assessment phase, which evaluates whether a control in place has been correctly designed. At this stage you can also decide to automate a manual control.
To ensure that the control owner periodically receives the work item in his or her work inbox, as shown in Figure 16, schedule the control design assessment job. Follow menu path Assessments > Assessment Planning > Planner > Create.

Figure 16
Schedule a job for control design assessment
In the next screen, click Perform Control Design Assessment (Figure 17).

Figure 17
Schedule a job for control design assessment
Next, select the organizations (Step 2, Select Organizations) and the controls whose design you intend to assess (Step 3, Select Object[s]), as shown in Figure 17. Once the job is scheduled (Figure 18), the control owner receives in his or her work inbox the work item to evaluate whether the control is properly designed.

Figure 18
Perform control design assessment work item
Because the control is still manual and therefore ineffective, the control owner rates the design of control 2.2 Tolerance Key PE Settings as significantly deficient (Figure 19).

Figure 19
The control design assessment is rated significantly deficient
The control owner reports the issue by clicking the Report Issue button. In the dialog box that appears, the control owner asks the automated controls specialist to remediate this issue by automating the manual control (Figure 20).

Figure 20
Control design assessment: Report an issue
The automated controls specialist receives a work item in which to track the completion percentage of the control automation activity (Figure 21).

Figure 21
Control design assessment issue: Completion percentage
The automated controls specialist uses the SAP Process Control 10.0 framework to automate the manual control. In our example, we show how to create an automated control that reports an issue to the control owner whenever the tolerance key PE settings in the SAP back end are changed to values that are not in line with management strategy or policy.
To check the tolerance key PE settings, follow menu path SPRO > Materials Management > Purchasing > Purchase Order > Set Tolerance Limits for Price Variance. The first step is to analyze the goal of the control from an organizational point of view. As you can see in Figure 22, the customizing of tolerance key PE (technical name T169G-TOLSL) depends on the organizational level company code (technical name T169G-BUKRS), so it is important to decide whether the control has to be local or central for all company codes.

Figure 22
Tolerance key PE customization settings and fields with technical names
Our advice is to have one control owner for all companies who monitors tolerance key settings centrally, to reduce cost and effort and to provide central governance. Figure 22 also shows the technical names of the important fields that you need to monitor with SAP Process Control 10.0, such as T169G-PROZ2 (the upper percentage tolerance limit). To understand the importance of this field from the functional point of view, refer to the section “Tolerance Key PE” of the previously referenced article.
The first step in creating an automated control in SAP Process Control 10.0 is to create the data source. As shown in Figure 23, to create a new data source, follow menu path Rule Setup > Continuous Monitoring > Data Sources.
The tolerance key PE settings are stored in table T169G of the SAP back end, and the data source used to implement the automated control reads this table (Figure 23). To customize the data source, select the Object Field tab. Select a sub-scenario type (e.g., Configurable if you want to monitor specific table entries), the main connector (e.g., ZMGCLNT800, the connector to the SAP back-end system on which the table resides), and the main table (e.g., T169G). The RFC user behind the connector needs only read access to this table; do not reuse a privileged user for it.

Figure 23
Table linked to the Data Source used to create the automated control
Figure 24 shows the list of technical fields of table T169G included in the data source. Because company code can be used as an organizational-level filter, different control owners can automatically receive only the control issues for their own company code. The other fields are used in the business rule to filter control data and to automatically detect the deficiency defined in the control and business rule.

Figure 24
The fields of table T169G used by the automated control for analysis scope
To use the data source in a new automated control, activate it by changing its status from In Review to Active (Figure 25).

Figure 25
Activate the Data Source
The second step in creating an automated control in SAP Process Control 10.0 is to create the business rule. Follow menu path Rule Setup > Continuous Monitoring > Business Rules. Enter the name of the business rule, a description, and the business rule category (e.g., Value Check if you need to classify an issue according to deficiency criteria; Figure 26).

Figure 26
Create a new business rule
Figure 27 shows how to set up the filter criteria that select the relevant entries (e.g., tolerance key PE) from the table (e.g., T169G). Click Select/Unselect Filters and select the fields to filter on (in our example, Client and Tolerance Key). Next, select the filter value: click Add and select Range limit included > Equal to > PE (the specific tolerance key value that you want to monitor).

Figure 27
Set filter criteria
To set the deficiency criteria, select the Deficiency Criteria tab and choose Value Check in the Field Analysis Type column. In our example, the upper percentage tolerance limit field is rated with three deficiency types (Figure 28). Note that a limit of exactly 20 percent is rated High (see the exception in Figure 33), so the upper boundary is inclusive:
- High, if the configured limit allows a purchase order price 20 percent or more above the price stored in the material master data accounting view
- Medium, if the configured limit allows a purchase order price 10 to 19 percent above the price stored in the material master data accounting view
- Low, if the configured limit allows a purchase order price 0 to 9 percent above the price stored in the material master data accounting view

Figure 28
Set deficiency types for the percentage tolerance limit rule
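The following Python block is an added re-implementation of the business rule described above, not code from the article or from SAP Process Control: it applies the filter criteria (client, tolerance key PE) to constructed T169G entries and then rates the upper percentage tolerance limit per company code with the article's three deficiency types, routing the exceptions by company code as the data source's organizational-level filter does. The field semantics (BUKRS, TOLSL, XP2 as the "check upper percentage limit" flag, PROZ2 as the upper limit) and the sample rows are assumptions; the rule that a switched-off check is itself rated High is an added caveat, because an unenforced limit accepts any price.

```python
"""Added re-implementation (not SAP code) of the business rule described above:
filter T169G on client and tolerance key PE, then rate the configured upper
percentage tolerance limit per company code with the article's deficiency
criteria (High >= 20, Medium 10-19, Low 0-9).

Assumed T169G field semantics (verify in SE11 on your own system):
  MANDT client, BUKRS company code, TOLSL tolerance key,
  XP2   flag "check upper percentage limit" is active,
  PROZ2 upper percentage tolerance limit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class T169GRow:
    mandt: str
    bukrs: str
    tolsl: str
    xp2: bool
    proz2: float


# Constructed sample entries; not data from the article's system.
SAMPLE_T169G = [
    T169GRow("800", "0001", "PE", True, 20.0),   # exactly on the High boundary
    T169GRow("800", "0002", "PE", True, 5.0),
    T169GRow("800", "0003", "PE", True, 12.5),
    T169GRow("800", "0004", "PE", False, 3.0),   # limit looks fine, but the check is off
    T169GRow("800", "0001", "DW", True, 50.0),   # other tolerance key: outside this rule
    T169GRow("100", "0001", "PE", True, 30.0),   # other client: outside this rule
]

LEVELS = {"Low": 0, "Medium": 1, "High": 2}


def rate_upper_limit(proz2, check_active=True):
    """Deficiency type for one upper percentage limit.

    A switched-off check is rated High as well (added caveat, not from the
    article): with XP2 inactive the limit is not enforced, so any price is
    accepted regardless of PROZ2.
    """
    if not check_active or proz2 >= 20:
        return "High"
    if proz2 >= 10:
        return "Medium"
    return "Low"


def run_business_rule(rows, client="800", tolerance_key="PE"):
    """Filter criteria (client, tolerance key) followed by deficiency criteria."""
    findings = []
    for row in rows:
        if row.mandt != client or row.tolsl != tolerance_key:
            continue
        findings.append({
            "bukrs": row.bukrs,
            "proz2": row.proz2,
            "check_active": row.xp2,
            "deficiency": rate_upper_limit(row.proz2, row.xp2),
        })
    return findings


def work_items_by_company_code(findings, min_level="Medium"):
    """Group findings at or above min_level by company code, the organizational
    level used to route each exception to its local control owner."""
    items = {}
    for finding in findings:
        if LEVELS[finding["deficiency"]] >= LEVELS[min_level]:
            items.setdefault(finding["bukrs"], []).append(finding)
    return items


if __name__ == "__main__":
    items = work_items_by_company_code(run_business_rule(SAMPLE_T169G))
    for bukrs, exceptions in items.items():
        for e in exceptions:
            print(f"company code {bukrs}: PROZ2={e['proz2']:>5} "
                  f"check={e['check_active']} -> {e['deficiency']}")
```

Run stand-alone, the block reports company codes 0001 (20 percent, High), 0003 (12.5 percent, Medium) and 0004 (check disabled, High); the 5 percent entry of company code 0002 is rated Low and is not routed, and the DW entry and the entry of client 100 are excluded by the filter criteria.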
The last step in creating an automated control in SAP Process Control 10.0 is to assign the business rule to the control master data. Follow menu path Rule Setup > Continuous Monitoring > Business Rule Assignment. In our example we show how to assign the rule to control 2.2 Tolerance Key PE Settings for the organization 00 – AGRC HQ Spa. First, you may mark the control as relevant for the Sarbanes-Oxley regulation: select the control (e.g., 2.2 Tolerance Key PE Settings & Changes), select the Regulation-Specific Business Rules tab, and select SOX as the regulation. Now select the Maintain Regulation-Specific Business Rules indicator, click the Add button, and select the business rule (e.g., Tolerance Key PE Analysis; Figure 29). To maintain the frequency of the automated control, click the Maintain Frequencies button. In our example, we set the frequency to Any Frequency.

Figure 29
Assign a business rule to the control master
By setting Any Frequency, the job for the automated control can be scheduled in the Continuous Monitoring Scheduler (Figure 30) at any frequency (annually, daily, or weekly) without constraints.

Figure 30
The Continuous Monitoring Scheduler
After the automated controls specialist has fully automated control 2.2 Tolerance Key PE Settings, the control owner receives two work items:
- Remediate Exception > Automated Monitoring. This work item lists the exceptions detected by the automated control (Figure 31).
- Update Remediation Progress > Control Design Assessment. This work item is sent automatically by SAP GRC 10.0 to the control owner to record the percentage of completion of the remediation plan associated with the control design assessment.
To analyze the first work item, select the Evaluation tab, where you can review the control results for the customizing settings of tolerance key PE (Figure 31).

Figure 31
Analyze a work item in the control owner work inbox
Given the deficiency criteria defined in the business rule, we expect that if the percentage tolerance limit for tolerance key PE is set to 20 percent for company code 0001 (Figure 32), the deficiency type of the issue the control owner automatically receives is High.
You can check the tolerance key PE settings, as shown in Figure 32, by following menu path SPRO > Materials Management > Purchasing > Purchase Order > Set Tolerance Limits for Price Variance.

Figure 32
An example of an exception in SAP ECC customizing
To see the details of the work item, the control owner clicks the red fail icon (Figure 31). The details of the issue show that the 20 percent limit for company code 0001 has been correctly rated as a High deficiency type, which confirms that the control works (Figure 33).

Figure 33
Details of the control for a work item
To remediate the deficiency in Figure 32, the control owner sends a remediation plan via SAP Process Control 10.0 to the process owner, who must address the issue and change the percentage tolerance limit setting for tolerance key PE (Figure 34).

Figure 34
Assign a remediation plan for tolerance key PE
The process owner forwards the remediation plan to the SAP finance functional expert, who sets the correct customizing value for tolerance key PE. At that point the issue automatically detected by SAP Process Control 10.0, and with it the deficiency related to control 2.2 Tolerance Key PE Settings & Changes, is fully remediated. The next run of the automated control should then return no exception for company code 0001; keep that result as evidence that the remediation was effective.
Now that control 2.2 Tolerance Key PE Settings & Changes is fully automated, the control owner sets the completion level of the remediation plan (related to the control design assessment) to 100 percent to declare that the control has been automated by the automated controls specialist (Figure 35).

Figure 35
Update the remediation progress for the control design assessment issue
The control design can now be rated adequate because the control has been fully automated with SAP Process Control 10.0 (Figure 36).

Figure 36
Update the control design assessment rating
After the control design assessment is performed and rated adequate, the completeness of the response plan is 100 percent. The risk manager rates the response effectiveness of control 2.2 Tolerance Key PE Settings & Changes at 90 percent, but the other controls that have not yet been automated in SAP Process Control 10.0 (e.g., 4.1 Tolerance Key DW Settings & Changes) are rated ineffective (Figure 37).

Figure 37
The completeness of the response plan
From a monetary point of view, how large is the residual risk after only the tolerance key PE control has been implemented? On December 31, 2011, the risk analysis shows an actual probability reduction of only 19 percent (100 minus 81 percent). To view the detailed results, select the Analysis tab and click the Start Report button (Figure 38). The report shows that the expected loss of the actual residual risk (93,761.55 €) has not been reduced as planned (in Figure 38 the expected loss of the planned residual risk is 45,128.07 €). The reason is that most of the controls related to tolerance key changes used in the risk response plan (i.e., DW, PP, and B1 in Figure 37) are still manual and are therefore rated ineffective. The controls used in a risk response plan should be automated in SAP Process Control 10.0: only when every control is in place and rated effective does the expected loss of the actual residual risk match that of the planned residual risk.

Figure 38
Risk analysis results
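As an added illustration, not SAP Risk Management's own calculation and not code from the article, the following Python model shows the relation between the inherent, planned residual and actual residual expected losses that the reports in Figures 15 and 38 compare, and why the actual value only converges to the planned value once every assigned control is rated effective. It assumes that expected loss is probability times impact, that the impact is the KRI value at the analysis date, that the probability reductions of the assigned controls add up, and that the actual residual risk credits each control only in proportion to its rated effectiveness. The control list, effectiveness ratings and KRI history are constructed and do not reproduce the exact amounts in the article's figures.

```python
"""Added simplified model (not SAP Risk Management's algorithm) of inherent,
planned residual and actual residual expected loss for one risk.

Assumptions (mine, not from the article):
  expected loss   = probability x impact, impact = KRI value at the analysis date
  planned residual: every assigned control reduces the probability by its
                    planned probability reduction (reductions add up)
  actual residual : each control counts only in proportion to its rated
                    effectiveness (a manual control rated ineffective counts 0)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    probability_reduction: float  # planned reduction of the risk probability (0..1)
    effectiveness: float          # rated effectiveness of the response (0..1)


INHERENT_PROBABILITY = 0.60  # same inherent probability as in the article

# Constructed values: five tolerance key controls at 10 percent each, as in the
# article, but only the automated PE control has a non-zero effectiveness rating.
CONTROLS = [
    Control("2.2 Tolerance Key PE Settings & Changes", 0.10, 0.90),
    Control("4.1 Tolerance Key DW Settings & Changes", 0.10, 0.0),
    Control("Tolerance Key PP Settings & Changes", 0.10, 0.0),
    Control("Tolerance Key B1 Settings & Changes", 0.10, 0.0),
    Control("Fifth tolerance key control (name not given in the article)", 0.10, 0.0),
]

# Constructed KRI history: balance of the price variance account per analysis date.
KRI_HISTORY = {
    "2011-10-31": 80000.00,
    "2011-11-30": 98000.00,
    "2011-12-31": 115773.00,
}


def expected_loss(probability, impact):
    return round(probability * impact, 2)


def planned_reduction(controls):
    """Probability reduction if every assigned control worked as planned."""
    return min(1.0, sum(c.probability_reduction for c in controls))


def actual_reduction(controls):
    """Probability reduction credited only for rated-effective controls."""
    return min(1.0, sum(c.probability_reduction * c.effectiveness for c in controls))


def risk_analysis(impact, inherent_probability=INHERENT_PROBABILITY, controls=CONTROLS):
    """Inherent, planned residual and actual residual expected loss for one analysis date."""
    p_inherent = inherent_probability
    p_planned = inherent_probability * (1.0 - planned_reduction(controls))
    p_actual = inherent_probability * (1.0 - actual_reduction(controls))
    return {
        "inherent": expected_loss(p_inherent, impact),
        "planned_residual": expected_loss(p_planned, impact),
        "actual_residual": expected_loss(p_actual, impact),
    }


def remediation_gap(result):
    """Expected loss that remains only because assigned controls are not yet effective."""
    return round(result["actual_residual"] - result["planned_residual"], 2)


def analysis_history(kri_history=KRI_HISTORY, **kwargs):
    """Analysis history: one result per analysis date, driven by the KRI trend."""
    return {date: risk_analysis(impact, **kwargs) for date, impact in kri_history.items()}


if __name__ == "__main__":
    for date, result in analysis_history().items():
        print(date, result, "gap:", remediation_gap(result))
```

With the constructed values, the December analysis gives an inherent expected loss of 69,463.80, a planned residual of 34,731.90 (all five controls, 50 percent reduction) and an actual residual of 63,212.06 (only the PE control counts, at 90 percent of its 10 percent), so the remediation gap is the expected loss still carried by the manual controls; setting every control's effectiveness to 1.0 closes the gap, which is the point the article makes about automating the remaining tolerance key controls.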
Massimo Manara
Massimo Manara is an SAP-certified security and compliance consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance. He has nearly 10 years of experience in IT security and on SAP projects, and holds bachelor’s and master’s degrees in computer science with a focus on security.
You may contact the author at mmanara@aglea.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.
Maurizio Binatti
Maurizio Binatti is an SAP GRC consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance. He has six years of experience in SAP security, IT automated controls, and internal audit best practices across different processes.
You may contact the author at mbinatti@aglea.com.