
The 5 Key Attributes of an Effective SAP Control Optimization Framework

Clark Oeler
Deloitte & Touche LLP
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. 2016 Wellesley Information Services. All rights reserved.
In This Session
The challenge
Greater focus on increasing performance and maximizing productivity has led to business reorganization, reductions in staff, complex relationships with customers and third parties, increased risk of employee fraud, and increasingly complex systems. These changes can create challenges aligning effective, efficient, and sustainable controls.
Many organizations have made significant investments improving and tightening controls, particularly in response to new regulatory requirements, but sometimes at the expense of efficiency.
In challenging times, even the most mature organizations consider whether their controls are relevant, efficient, and adaptable.

The opportunity
Many large organizations cannot operate effectively without an optimized control framework. Adequately designed controls help organizations manage critical risks and proactively plan for the future, enhancing operations, managing performance, and minimizing costs.
Getting controls wrong wastes resources, leaves organizations exposed, increases compliance costs, and distracts management from running the business.
Business performance can be enhanced by improving the effectiveness of controls across functions closely linked to the financial statements.
Getting controls right enables organizations to effectively manage risks. It also keeps costs down, protects revenue, secures assets, and supports compliance obligations.
When management knows that they have the right controls, they can rely on those controls to manage the potential risks.
1
In This Session (cont.)
Learn
Key reasons for optimizing SAP Controls
  Streamline a control environment that has grown over years
  Reduce and manage the cost of compliance
  Strengthen Audit Committee, External Audit, and Management confidence in the control framework
  Build a foundation for technology enablement, automation, and continuous controls monitoring
  Leverage corporate or system initiatives to optimize SAP controls
Intended audience and roles for optimizing SAP controls
  SAP Teams
  Internal Audit
  Business Owners

2
What We'll Cover

Need for SAP controls optimization
Defining success: Five attributes for an effective SAP Control Optimization Framework
  Governance
  Approach
  Technology enablement
  Rollout and localization
  Implementation and sustainment
Wrap-up

3
Need for Controls Optimization

Addressing SAP Controls Optimization can be an important strategy for your enterprise initiatives and your compliance requirements
Enterprise Initiatives
  Set out a clear definition of how your enterprise initiative can ascertain that appropriate security and controls are implemented
  Appropriate controls are optimized during the initiatives to ensure that risk considerations can be assessed and dealt with in a cost-effective and efficient manner

Scope
  SAP Business Process Controls
  SAP Application Security
  Data Quality and Integrity
  Infrastructure Security and Controls

Compliance Requirements
  Provides focused risk assessment and control activities to address material business processes and information technology (IT) systems
  Provides management with foundational control frameworks that form the basis of ongoing assessment and monitoring

SAP Controls Optimization is an important component that can help bridge these two states

4
Defining Success: Five Key Attributes

SAP controls optimization requires the following attributes to be considered for an effective implementation:

Five Attributes for Building an Effective SAP Control Optimization Framework


1. An appropriate controls governance organization and assigned roles and responsibilities are in place and functioning to
design, operate, and audit the newly optimized controls structure
2. The approach for controls optimization is determined and executed, taking into consideration a top-down approach or a
controls redesign (bottom-up) approach
3. Approach should leverage continued utilization of technology, automation, and continuous controls monitoring functionality
4. A rollout of the approach should be executed to address defined processes for localization of controls
5. Optimization is not complete until both design and implementation of the controls structure is achieved, which requires rollout,
training, operation, and the eventual monitoring, management testing, and operating effectiveness of the controls

6
Attribute 1: Governance

A governance model that balances responsibility for SAP optimization activities is required
Establish Controls Optimization
  Develops and maintains baseline components of control structure
  Develops and maintains the control methodology, tools, and approach for SAP optimization
  Updates and optimizes baseline control structure
  Provides Business Unit with internal controls subject matter expert support
  Manages integration to testing program. Provides Internal Audit support, remediation support, etc.

Deploy and Operate
  Accountable for business processes and documentation, maintenance, and execution of related internal controls
  Periodically assesses and asserts on risk management and the control environment
  Develops and implements action plans for improvement based on Controls and Audit feedback
  Adjusts and updates the control baseline documentation to reflect Business-Unit-specific processes and controls

Monitor and Evaluate
  Periodically assesses the adequacy of the control baseline maintained by Controls Group
  Audits business processes and operational effectiveness of the Business Unit (financial, IT, operational audits)
8
Attribute 1: Governance (cont.)

Key questions to consider


Are roles and responsibilities defined for a Controls Group, Internal Audit, and
Business Units for controls?
Are resources assigned controls roles to design or optimize controls across each
geographical location and business unit?
Are control design/optimization resources appropriately staffed, trained, and focused
with right level of consistency for an SAP optimization initiative?
Is control ownership at the business level defined to accept and ensure operation of
controls?
What is the process for ongoing sustainability and maintenance of optimized controls?

9
Attribute 1: Governance (cont.)

Key lessons learned


Executive leadership support is required to optimize controls and is essential to overcoming hesitancy to challenge existing approaches
Controls governance is essential
A set of roles and responsibilities that balances design, operation, assessment, and audit of controls is required
Working with internal and external audit is important and the process should include regular communication, support, and buy-in

10
Attribute 2: Approach
Two approaches are possible to SAP optimization: a review of existing frameworks or a control redesign approach

Approaches to Optimization

Top-Down Rationalization
Scope: Management to rationalize existing control frameworks across and between locations
Approach/Outcomes: Apply principles of control rationalization, including:
  Risk-based scoping and risk assessment
  Review of multi-location scoping
  Top-down approach to controls identification
  Consider approaches for automation
  Risk-based testing strategy and design
  A pilot or proof-of-concept location would be selected to start, with a roll-out strategy for deployment of rationalization and localization guidelines
Benefits:
  Leverages existing control frameworks
  Ability to consolidate frameworks early and anticipate challenges across locations
  More control over timing of rationalization efforts
Risks:
  Resistance to change in controls rationalization efforts, which is less effective than a redesign of controls
  Risk that localization undermines rationalization

Controls Redesign/Bottom-Up
Scope: Management to select geography, business units, or location to conduct bottom-up control redesign
Approach/Outcomes:
  Controls redesign approach may leverage an in-progress SAP implementation or other initiative
  Goal to create a common control framework for rollout to additional geographies, business units, or locations
  Principles of control rationalization would be followed (risk-based scoping, top-down approach, etc.)
  Common control framework would be the basis for deployment to other locations, along with localization guidelines
Benefits:
  Ability to leverage in-progress SAP implementations to further drive process standardization and automated controls
  Process not anchored to existing control inefficiencies; ability to design with leading practice controls and testing strategies
Risks:
  Additional effort/cost to redesign framework
  Common control framework difficult to define based on individual location
  Risk of greater localization based on initial control design
  Less control over timing and rationalization efforts

12
Attribute 2: Approach - Top-Down Optimization
A top-down optimization can start with existing frameworks. This can be performed with a pilot or reviewed across business units and processes. Steps to take include:
Top-down risk-based scoping
  Focus on high-risk areas
  Address multi-location / conduct BU-specific risk assessments
Control optimization
  Entity-level controls
  IT general controls
  Business process controls
  Automated controls review
Risk-based testing
  Apply greater use of analytics

Copyright 2016 Deloitte Development LLC. All rights reserved.

13
Attribute 2: Approach - Top-Down Optimization (cont.)

The top-down approach allows you to adjust mix of controls


14
Attribute 2: Approach - Top-Down Assessment

There may be different stages at an organization


A scorecard process may be required to understand current state

15
Attribute 2: Approach - Controls Redesign Approach

An alternate approach to consider is to optimize controls from a standalone perspective, or leverage an in-progress system implementation to develop a Common Template for rollout to other businesses/regions

16
Attribute 2: Approach

Key Questions to Consider: Top-Down


What is the scope of SAP optimization? Financial reporting, operational, compliance
controls? What is the focus?
What does optimization mean in terms of work product? Frameworks, narratives,
process flows, test plans?
Have risk assessments been reviewed? Review of locations?

Has SAP control optimization been applied previously, including top-down scoping,
review of entity-level, process controls, IT general controls?
Have testing plans been reviewed?

Has current state been assessed and reviewed?

What is the intended approach to optimization?

17
Attribute 2: Approach (cont.)

Key Questions to Consider: Control Redesign


Have prior initiatives or implementations leveraged a controls design approach?

Are there current enterprise initiatives suitable for controls redesign as a pilot or to
build a common controls framework?
Do processes and approaches exist for controls design in an implementation?

What are the challenges to such an approach?

18
Attribute 2: Approach (cont.)

Key lessons learned:


The approach to controls optimization can take a top-down rationalization approach,
leveraging existing frameworks, or a bottom-up controls redesign approach
In either approach, agreeing to and standardizing the risks to the extent possible
among similar functions/locations will improve consistency and efficiency
Utilize a pilot approach, based off of geographic location and/or business unit, to
provide an optimization proof of concept in either approach that will help illustrate
the efficiency gains that are possible to the business and control teams
While quick results can be possible, achieving optimum results may require
approaches integrating into and with other corporate initiatives

19
Attribute 3: Technology Enablement

SAP Control Optimization should leverage technology to enhance the streamlining and
efficiency of the controls program. Areas of technology enablement for optimization
include:
Access and Security Controls

Controls Automation

Automated Controls Testing

Governance through Process and Workflow

Continuous Controls Monitoring

Integration with Risk Management Capability

Enhanced and Automated Fraud Monitoring

Streamlined Audit Processing

21
Attribute 3: Technology Enablement (cont.)

SAP GRC 10.1 and its modules can contribute to SAP Controls Optimization through enablement, automation, and efficiency
  Access Control: Manage access risk and prevent fraud
  Process Control: Ensure effective controls and ongoing compliance
  Risk Management: Preserve and grow value
  Fraud Management: Achieve effective and efficient fraud management
  Global Trade Services: Optimize global trade and screen restricted parties
  Sustainability Management: Manage environmental compliance
  Audit Management: Drive a unified fraud management function

22
Attribute 3: Technology Enablement (cont.)
SAP GRC 10.1 Access Control
Some benefits to SAP Control Optimization:
  Automate segregation of duties (SOD) management
  Optimize segregation of duties across applications and departments
  Automate access management
  Promote Controls, Internal Audit, and Business collaboration
  Enforce accountability with review and approval processes
  Enhance preventative security access processes
  Roll out and maintain SAP security control consistently across the business
  Sustain SAP security controls efficiently

Copyright SAP AG 2011

23
Attribute 3: Technology Enablement (cont.)
SAP GRC 10.1 Process Control
Some benefits to SAP Control Optimization:
  Automate business controls
  Automate continuous control monitoring
  Automate controls testing
  Enforce governance through control owners and workflow
  Conduct top-down optimization using risk assessment and master data availability
  Simplify and remove redundant controls with visibility and access to the control framework
  Manage a unified repository of control data for rollout and localization
  Conduct testing and remediation to monitor and sustain controls


24
Attribute 3: Technology Enablement (cont.)
SAP GRC 10.1 Process Control: Continuous Controls Monitoring

Transaction Monitoring
  Features: Identifies suspicious transactions for review; isolates transactions out of compliance with business rules
  Benefits: Identifies inappropriate flows (e.g., duplicate payments); provides evidence of control operation and quickly identifies issues
Master Data Monitoring
  Features: Monitors changes to master data for suspicious activity; identifies unusual additions and deletions; detects stale master data files
  Benefits: Identifies and addresses suspicious changes to master data
Access Controls and SOD Monitoring
  Features: Monitors changes to user access, role access, and testing documentation; detects executed transactions that violate SOD rules
  Benefits: Detects unauthorized modification to user access and role access; identifies SOD conflicts that increase the risk of fraud and error
Application Configuration
  Features: Detects changes to system configuration
  Benefits: Demonstrates the continued effectiveness of application controls

An end state for SAP Controls Optimization is the automation toward Continuous Control Monitoring

25
Attribute 3: Technology Enablement (cont.)
SAP GRC 10.1 Risk Management
Benefits to SAP Control Optimization, across the Risk Planning, Risk Identification, Risk Analysis, Risk Response, and Risk Monitoring cycle:
  Formal integration of risk management with SAP Control Optimization Strategy
  Automate and optimize manual and fragmented risk and control activities across lines of business
  Repeatable framework to analyze and mitigate risk to organization and initiative
  Continuous monitoring of key risk indicators across defined optimization objectives
  Automatically identify and prioritize risks through proactive alerts and escalations

26
Attribute 3: Technology Enablement (cont.)
Benefits to SAP Control Optimization:
  Fraud Management (Achieve effective and efficient fraud management): Improve operational efficiency through automating fraud monitoring and direct integration with SAP control optimization activities
  Global Trade Services (Optimize global trade and screen restricted parties): Automate compliance to import and export regulations such as International Traffic in Arms Regulations (ITAR)
  Sustainability Management (Manage environmental compliance): Address environmental controls and compliance processes
  Audit Management (Drive a unified fraud management function): Streamline the audit lifecycle, including creating, reviewing, approving, and linking audits throughout your organization


27
Attribute 3: Technology Enablement (cont.)

Key Questions to Consider


What capabilities are currently leveraged in SAP GRC? What areas can benefit from
greater optimization and automation?
How are Access and Security Controls managed? Are there opportunities to enhance
access controls, processes, and segregation of duties?
What technology enablement will support your optimization? Automating controls,
automating testing, enhancing accountability and workflow?
How will optimization manage a changing control framework, including rollout and
localization of controls?
How will implementation and sustainability be addressed?

28
Attribute 3: Technology Enablement (cont.)

Key lessons learned


Some control owners prefer the security of manual controls because they are more easily observed and documented; training the business on the acceptability and efficiency of automated controls is often needed
The background and skill sets of the individuals who originally identified the controls affect the types of controls identified, i.e., someone with no system experience will document manual controls that monitor activities performed within an IT system rather than identifying an automated control within the system
SAP GRC technology for access control and process control capabilities can provide
standardization for controls rollout, automated controls, and enhanced controls testing

29
Attribute 4: Rollout and Localization

A key principle of either approach selected requires rollout to locations from an initial
pilot or Common Controls Framework


31
Attribute 4: Rollout and Localization (cont.)

A Degrees of Freedom approach to localization allows flexibility for the control environment, while meeting the control objectives

Controls in the customer-facing processes must adhere to the control baseline (objectives); however, management allows for a certain degree of freedom for specific control activities.
Degree of Freedom = Control Differential Value + (Acceptable Freedom)
Control Differential Value: an allowable and acceptable degree of freedom for specific critical controls.

Controls in back-office-facing processes are critical to the organization and must follow strict adherence to the control baseline (objectives). There is a very limited degree of freedom.
Degree of Freedom = 0 (Zero Tolerance)

A control environment with proper Degrees of Freedom allows for localization


32
Attribute 4: Rollout and Localization (cont.)

This can be applied to both the Process and Type of Control


33
Attribute 4: Rollout and Localization (cont.)

Key Questions to Consider


What approach to rationalization and rollout is planned?

Are there prior experiences for rollout with lessons learned?

Is there a location or business unit better suited to pilot or apply controls design?

What are prior experiences with localization?

What is the estimate of current localization of controls?

Has a process to define localization allowances or limits been established or enforced?

Some key lessons learned


Rollout organizationally requires careful selection of geographies/locations. A process
to define localization of controls is beneficial.
Full implementation requires controls communication and training to control owners
and must be monitored through management testing
34
Attribute 5: Implementation and Sustainment

SAP control optimization is not complete until both design and implementation of the
SAP controls is achieved, which requires rollout, training, operation, and the eventual
monitoring, management testing, and operating effectiveness of the controls
Key Questions to Consider
How will control optimization be rolled out? Centralized group to each region, local
resources?
If local teams optimize, is there a central controls group to review, provide quality
assurance, and monitor?
How will local control owners be trained on controls?

What will be the initial management testing process? Will there be oversight and early
testing to head off deficiencies and address remediation?
What will be the communication process with internal and external auditors?

36
Attribute 5: Implementation and Sustainment (cont.)

Key lessons learned


Working with internal and external audit is important and the process should include
regular communication, support, and buy-in
Full implementation requires controls communication and training to control owners
and must be monitored through management testing

37
Where to Find More Information

www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/grc-at-heart-of-managing-business.html
Deloitte Insights, GRC: At the heart of managing business (Deloitte, 2014).

www2.deloitte.com/content/dam/Deloitte/global/Documents/Technology/dttl_technology_GrupoModeloManagesRiskWithSAPsLatestSolutionsForGRC.pdf
Ken Murphy, Brewing Up Process Change: Grupo Modelo Manages Risk with SAP's Latest Solutions for GRC (insiderPROFILES, 2013).

www.deloitte.com/view/en_US/us/Services/audit-enterprise-risk-services/dbf8f10c3f889210VgnVCM200000bb42f00aRCRD.html
Continuous Monitoring and Continuous Auditing: From Idea to Implementation (Deloitte, 2010).

39
7 Key Points to Take Home

Assemble a team of subject matter specialists with the right skill set, industry knowledge,
and understanding of operations
Take an approach, either existing or redesign, to yield greater efficiencies and consistency
Work side-by-side with corporate and local leadership as a core team, and leverage
existing resources where possible
Demonstrate quicker results through a global controls template approach and focused
redesign in an area for rapid results
Leverage enabling technology such as SAP GRC 10.1 to roll out consistent frameworks
and more automated testing of controls
Integrate and align with other enterprise initiatives
Enforce accountability through local/regional localization training and rollout of a uniform
and repeatable approach
40
Your Turn!

How to contact me:


Clark Oeler
coeler@Deloitte.com

Please remember to complete your session evaluation


41
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a
legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and
its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not
be available to attest clients under the rules and regulations of public accounting.

This presentation should not be interpreted as a representation about or endorsement of any third party products, including SAP software.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax,
or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision
or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional
advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright 2016 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited.

42
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright 2016 Wellesley Information Services. All rights reserved.
