COPYRIGHT
Copyright 2006 SAP AG. All rights reserved.
SAP Library document classification: PUBLIC
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
Virsa, Virsa Systems, Access Enforcer, ComplianceOne, Compliance Calibrator, Confident Compliance, Continuous Compliance, Firefighter, Risk Terminator, Role Expert, the respective taglines, logos and service marks are trademarks of SAP Governance, Risk and Compliance, Inc., which may be registered in certain jurisdictions.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP Important Disclaimers
SAP Library document classification: PUBLIC
This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

Coding Samples
Any software coding and/or code lines/strings (Code) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or were grossly negligent.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint where to find supplementary documentation. SAP does not warrant the availability and correctness of such supplementary documentation or the ability to serve for a particular purpose. SAP shall not be liable for any damages caused by the use of such documentation unless such damages have been caused by SAP's gross negligence or willful misconduct.

Accessibility
The information contained in the SAP Library documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. This document is for internal use only and may not be circulated or distributed outside your organization without SAP's prior written authorization.
CONTENTS

Preface
  About this Guide
  Conventions
  Alert Statements
  Product Documentation
  Documentation Formats
  Installation Guides, Configuration Guide, User Guide, and Release Notes
  Contacting SAP GRC

1 Overview
  Introduction
  What is Process Control?
  Process Control Benefits
  Process Control Details

2 Key Concepts
  Introduction
  Controls
  Risks
  Rules
  Rule Criteria
  Assessment
  Sign-off
  Deficiency
  Deficiency Type
  Exception Case
  Control Category
  Control Type
  SAP Organization Unit
  Organizations and Organization Hierarchy
  Significant Accounts
  Assertions
  Processes and Subprocesses
  User Groups

3 Key User Processes
  Key User Processes
  Analysis Reporting
  Assessments and Sign-Off
  User Inbox Management
  Case Management and Remediation

4 User Interface
  Logging Into Process Control
  User Interface Elements
  Common Icons
  Filtering an Item
  Modifying an Item
  Deleting an Item
  Uploading and Revising a Document

5 Main Modules
  Main Tabs and Modules
  Home Page
  Control Execution Monitor (CEM)
  Inbox
  Control Status Reports
  Reports Module
  Process Manager Module

6 Management Reports
  Introduction
  Management Reports
  Management Report by Process
  Management Report by Assertion

7 Compliance Reports
  Introduction
  Compliance Reports
  Compliance Report Risk Control Matrix
  Compliance Report Account Assertion Matrix

8 Remediation Reports
  Introduction
  Remediation Reports
  Remediation Status by Process
  Remediation Status by Location
  Remediation Status by Groups

9 Test Results Reports
  Introduction
  Test Results Report
  Automated Control Test Report
  PDF File Attachment
  Manual Control Test Report

10 Assessments Through Surveys
  Introduction
  Assessments Through Surveys
  Types of Assessments
  Survey Categories
  Survey Master Data
  Survey-related User Roles
  General Survey Data Configuration
  Survey IDs
  Survey Parameters and Defaults
  Survey Statuses
  Overview Of Functional Flow For Surveys
  Creating a Question Library
  Creating or Copying a Survey
  Creating a Survey
  Copying a Survey
  Scheduling a Survey
  Sending Survey Tasks and Instances
  Recalling a Survey Instance
  Responding to and Returning a Survey Instance
  Responding to a Survey Instance
  Returning a Survey Instance
  Resending a Survey Instance
  Reviewing and Disapproving a Survey Instance
  Reviewing a Survey Instance
  Disapproving a Survey Instance
  Maintaining the Survey Flow
  Survey Cases
  Deactivating a Survey

11 Sign-Off Assessment
  Introduction
  Sign-off Requirements
  Sign-off Assessment
  Survey Master Data
  Survey-related User Roles
  Sign-off Survey Data Configuration
  Survey IDs
  Survey Parameters and Defaults
  Survey Statuses
  Overview Of Functional Flow For Sign-off
  Creating a Question Library
  Creating or Copying a Survey
  Scheduling a Survey
  Sending Survey Tasks and Instances
  Recalling a Survey Instance
  Responding to and Returning a Survey Instance
  Responding to a Survey Instance
  Returning a Survey Instance

12 User Inbox
  Introduction
  User Inbox
  My Tasks
  Accessing a Task
  Responding To a Workflow Task
  Responding To a Test Plan or Test Step Task
  Responding To an Assessment Survey Task
  My Documents
  Accessing a Document
  My Cases
  Accessing A Case

13 Case Management and Remediation
  Introduction
  Case Categories and IDs
  Creating a Case
  Create Case Steps
  Case Header Steps
  Case Details Steps
  Assignment Steps
  Documents Steps
  Case List
  Editing a Case
  Edit Case Steps
  Case Header Steps
  Case Details Steps
  Assignment Steps
  Documents Steps
  Case Trail Steps
  Time Spent Trail Steps
  Resolution Steps

A SAP Financial Accounting Documented Controls
  Financial Accounting Documented Controls
  FICLPEP_03AC1
  FICLPEP_03AC2
  FICLPEP_03AC4
  FICLPEP_03BC1
  FIEXCHRT_01AC1
  FIINVPOST_01BC1
  FIMDCOA_02C1
  FIMDCOA_02C2
  FIMDDIS_1005C1
  FIMDDIS_1005C2
  FIMDDIS_1006C1
  FIMDDIS_1006C2
  FIMDDIS_1007AC1
  FIMDDIS_1007BC1
  FIMDDOC_05AC1
  FIMDDOC_05AC2
  FIMDDOC_05AC3
  FIREPDIS_05BC1

B SAP Procure To Pay Documented Controls
  Procure To Pay Documented Controls
  LOIMMTYP_09BC1
  LOIMMTYP_09BC2
  LOMMMV_06BC1
  LOMMMV_06BC2
  LOPURPIR_02BC1
  LOPURREL_05AC1
  LOPURREL_05AC2
  LOPURREL_05AC3
  LOPURREL_05BC1
  LOPURREL_05BC2
  LOPURSRC_01AC1
  LOPURSRC_02AC1
  LOPURTP_06BC1
  LOPURTP_06BC2
  LOPURVAP_01AC1
  LOPURVAP_07AC1
  LOPURVAP_07AC2
  LOPURVAP_07BC1
  LOPURVAP_07BC2
  LOPURVAP_08BC1
  MMIMCTR_06AC1
  MMIMCTR_07AC1
  MMIMCTR_07AC2
  MMIMCTR_07AC3
  MMIMCTR_07BC1
  MMIMCTR_07BC2

C SAP Order To Cash Documented Controls
  Order To Cash Documented Controls
  SDBILL_04AC3
  SDBILL_04AC4
  SDCMM_01C1
  SDCMM_01C2
  SDCMM_01C3
  SDCMM_05C1
  SDCMM_05C2
  SDCMM_05C3
  SDCMM_05C4
  SDCMM_10C1
  SDCMM_11BC1
  SDCMMD_11BC1
  SDCMMD_12BC1
  SDMDCTR_01C1
  SDMDCTR_01C2
  SDMDCTR_01C3
  SDPRICTR_01AC1
  SDPRICTR_01AC2
  SDSOP_08BC1
  SDSOP_08BC2
  SDSRP_07BC1
  SDSRP_08BC1

D SAP IT Documented Controls
  IT Documented Controls
  BCSCFPAR_100AC1
  BCSCFPAR_100AC2
  BCSCFSYS_100AC1
  BCTRNCFS_100AC1
PREFACE
TOPICS
Alert Statements
The alert statements Note, Important, and Warning are formatted in the following styles:
Note Information that is related to the main text flow, or a point or tip provided in addition to the previous statement or instruction.
Important Advises of important information, such as a machine or data error that could occur should the user fail to take or avoid a specified action.
Warning Requires immediate action by the user to prevent actual loss of data or where an action is irreversible, or when physical damage to the machine or devices is possible.
Product Documentation
Documentation Formats
Documentation is provided in the following electronic formats:
SAP Notes
For more information on the SAP Support Portal, use the quick links provided below:
1
OVERVIEW
TOPICS
Introduction
This user guide is designed to help you navigate the various user features of the Process Control application. Along with this guide, the Process Control Version 2.0 Configuration Guide and Process Control Version 2.0 Installation Guide are available for additional topics. These documents provide operational assistance to support application-specific functions.

Provides real-time controls assessment.
Automates security checks and controls monitoring.
Performs beyond today's documentation solutions.
Provides real-time verification of financial controls effectiveness.
Integrates seamlessly with enterprise applications for compliance reporting.
Pinpoints control violations in real time.
Reduces audit costs.
Lowers remediation resource requirements.
Reduces ongoing compliance costs.
Simplifies remediation and reporting procedures.
Delivers speed, simplicity, and flexibility.

The Process Control front-end user interface integrates with the SAP back-end system, as well as other systems.
The Process Control database is a separate database and may not reside within an SAP database.
All the cases, remediation details, and user login information are contained in the Process Control database system.
Information is transferred back and forth between the Process Control front-end user interface and the SAP back end, and displayed in the Process Control user interface.
You do not need a SAP login unless you are going to set up connections or make changes and modifications to the SAP database or operations.
2
KEY CONCEPTS
TOPICS
Introduction
This chapter describes the key concepts of Process Control. These key concepts refer to items used throughout the Process Control application. Once you understand this conceptual information, you can more easily identify the various interrelated components of this application, what they are, why they exist, or how they are used.
Controls
A control is a policy, directed by an organization's corporate executives, that supports compliance objectives in the following areas:
These distinct but overlapping areas address different compliance needs.
SAP GRC currently delivers 70 SAP predefined documented controls with the Process Control Version 2.0 application. Each control has a different ID, description, and control objective. For more information, see the appendices in the Process Control Version 2.0 User Guide.
Your business environment setup for Sarbanes-Oxley compliance might include some SAP standard built-in controls. Furthermore, you might have created your own set of custom controls. The predefined controls from SAP GRC, standard SAP controls, and custom controls are all automated controls; they can all be validated electronically.
The majority of your controls are most likely manual controls that cannot be validated electronically. In addition, you might want to create some controls based on queries, and other controls to interface with other systems such as Compliance Calibrator, Cisco, or a legacy system. For this reason, Process Control allows you to integrate into its environment not only the predefined set, but the manual, SAP standard, custom, query, and Compliance Calibrator/Cisco/legacy system controls as well.
Risks
In Process Control, a risk is a possible compliance or security problem. You design controls for your business to prevent these risks, and thus the risk setup becomes a part of your control design process.
Process Control lets you configure the risk impact level, the acceptance level, and the probability of occurrence of your risks, as well as assign a risk owner.
Rules
Rules are a set of parameters and values that normally check the operation of a control. You define these rules based on your organization's policies and guidelines, and assign them to a control. You can assign multiple different rules to one control. However, you cannot assign the same rule to different controls.
SAP GRC delivers a set of predefined rules for the Process Control application that you can use. You can also configure your own rules for your organization.
Note Rules apply only to automated controls. For manual controls, you would set up test plans instead of rules.
Rule Criteria
Rule criteria are variables that you define for the rules. One of the rule criteria variables is a field in a table in SAP that is checked when the rules are executed, to verify whether the controls are operating properly. Different controls and rules can use the same rule criteria.
SAP GRC delivers a set of predefined rule criteria along with the Process Control Version 2.0 application. Each rule criterion has its own name and description. You can also configure your own rule criteria for your organization.
Assessment
Assessment in the Sarbanes-Oxley environment is a process of ascertaining whether a particular process or control is designed properly and effectively. Management has a duty to install the proper processes in place for effective financial reporting and disclosure, and to periodically report whether these internal controls are effective. Auditors have a duty to verify management's statements and to perform independent evaluation of management's claims. The Process Control application supports your compliance process by automating the process of creating, distributing, and tabulating user-definable surveys for assessments.
Sign-off
Within the Process Control application, sign-off means to certify and confirm the state of internal controls and related issues, if any, at a point in time. At many companies, this is done via sub-certifications and surveys that are hierarchical in nature. That is, the person responsible for an organization signs off as to the state of internal controls in his/her organization after reviewing the sign-off by lower-level process and/or subprocess owners. Process Control provides workflow-triggered, hierarchical sign-off, and guides the sign-off process with related report drill-down and documentation.
Deficiency
A deficiency (or violation) occurs when a control either does not exist, or does not work as designed by the organization's corporate executives.
The Public Company Accounting Oversight Board (PCAOB) defines control deficiencies according to the following conditions:
A control deficiency exists when:
A deficiency in operation exists when:
A deficiency in design exists when:
Deficiency Type
A deficiency type classifies the level of the deficiency found or not found, when you execute your control tests or perform your assessment/sign-off. Deficiency type IDs are created in the SAP back end and hence cannot be created or deleted from the Process Control application. Process Control provides the following predefined deficiency types:
Exception Case
When a deficiency occurs, an exception case provides detailed information to help you drill down to the root violation cause within the ERP system. There are many types of cases in the Process Control application. For example, during the execution of your automated control tests, Process Control automatically generates an exception case if a deficiency is found. You can also create a case manually to further document information for other issues not documented in an automatic case. For manual controls, the test plan owner can create an exception case for the test plans that have resulted in failure. For an assessment survey, the survey respondent or reviewer can also create a case for scheduled surveys with negative ratings. You can then administer the remediation process to resolve the control deficiency captured in the exception case.
Control Category
A control category is used to differentiate the main sets of controls. The three predefined control categories are as follows:
Control Type
A control type represents a group of similar activities in an application system. Each group can be monitored and analyzed separately, based on its own criteria, to determine the violations in the process controls. The following list describes the control types for automated controls. You can customize and use control types for manual controls as well.
Automated controls usually fall into one of the following five types:
Transaction control: These controls monitor and report business transactions. For example: Details of the purchases from a company-approved electronic vendor.
It is assumed that you know these SAP organization unit values as they exist in the SAP tables and fields.
Significant Accounts
A significant account is an account that contains errors that have a material effect on the financial statement and could adversely affect the company's reputation or relationship with customers, shareholders, or public.
To consider if an account is significant, consider the following:
Assertions
An assertion is a representation of a significant account that is compliant and/or an internal control. For example, an assertion may be made that the financial statements reflect a complete record of all of the financial transactions carried out by an organization in a period, and an auditor must carry out procedures to test that assertion.
Process Control allows the configuration of both financial and other assertions. The predefined assertions in Process Control include the following:
Existence or Occurrence (financial assertion)
Completeness (financial assertion)
Rights or Obligations (financial assertion)
Valuation or Allocation (financial assertion)
Presentation and Disclosure (financial assertion)
Accuracy
Authorization
Restricted Access
Safeguarding Assets
Validity
Perform Procurement
Manage Inventory
Maintain Procure to Pay Master Data
Inventory Valuation
Manage Payables
RFQ Checks
Receive Goods and Services
Perform Invoice Verification
Execute Credit Management
Maintain Customer Master
Perform Revenue Recognition
Process Billing Documents
Process Sales Order
Process Sales Returns
Table 2
Sub-Processes (continued)
Access Control Subprocesses Transport Group Subprocess
Parameters System
Segregation of Duties Configuration
Configuration and Status
User Groups
A user group is a group of users who can be assigned as owners of certain objects in the Process Control application (such as processes, subprocesses, controls, test plans, and so on), and also as assessment survey respondents or reviewers. A user group can be assigned to case remediation activities as well. You create user groups to track information about the people that have ownership, respondent, reviewer, and/or remediation responsibilities. You can configure different user groups comprised of just one user, or multiple different users.
3
KEY USER PROCESSES
Analysis Reporting
Once you have set up and executed your control tests (for information, see the Process Control Version 2.0 Configuration Guide), Process Control captures the analysis information in reports that summarize the compliance status of your organization. Executives, auditors, and other users can view the configuration settings or the exception transactions in these reports to drill down to the root violation cause within your ERP systems. For more information regarding this process, see the following chapters:
4
USER INTERFACE
Figure 1
Figure 2
In the Language dropdown menu, select your default language.
Click Logon.
Note Your login user ID controls your access within the Process Control application. The roles associated with your user ID will determine which modules, and features within those modules, are accessible. You can create new user IDs and passwords and modify existing ones using the User Management Engine (UME) of NetWeaver.
Figure 3 (callouts: Tab, Pane, Page, Icon, Checkbox, Selectable Field, Text Field, Dropdown menu)
Common Icons
The following icons are used in various areas in the Process Control application. Table 3 lists the icon names, functions, and locations.
Table 3 Icons Information
Name: Search. Function: Displays a pop-up window listing items from the database for your selection. In the pop-up window, you can filter your list of items as desired. You can enter a name, or a wildcard character such as * to display the list of all items that match your entered expression. Location: Next to a text field.
Name: Select. Function: Displays a short list of items from the database. You can enter a name, or a wildcard character such as * to display the list of all items that match your entered expression. Location: Inside a selectable field.
Function: Displays a calendar to allow date selection. Location: Next to a date field.
Function: Displays in a table the first set of rows. Location: Below a table displaying items from the database.
Function: Displays in a table the last set of rows. Location: Below a table displaying items from the database.
Function: Displays in a table the previous set of columns. Location: Below a table displaying items from the database.
Function: Displays in a table the next set of columns. Location: Below a table displaying items from the database.
Function: Adds a new row to allow input of another value range. Location: Next to the value range elements, or below the table of value ranges.
Name: Minus. Function: Deletes a row of value range. Location: Next to the value range elements, or below the table of value ranges.
Name: Up. Location: In a column in the table.
Name: Show. Location: Next to a field.
Function: Moves an item in a table list downward.
Function: Hides the list of previously selected items below a field.
Function: Expands and shows items in the lower levels in a hierarchy structure.
Name: Collapse. Function: Collapses and hides items in the lower levels in a hierarchy structure. Location: In a hierarchy level.
Name: Details. Function: Jumps to another page, or displays a pop-up window, to give more detailed information for an item. Location: In the table row displaying an item from the database.
Name: Upload. Function: Allows user to navigate to a folder location to upload a document file. Location: In the table row displaying an item from the database, or next to a UI label.
Function: Allows user to download data to an Excel file. Location: At the bottom right corner of a page.
Function: Displays a palette to allow color selection. Location: Next to a color field.
Function: Moves an item in a Sort list upward. Location: Next to the Sort list.
Function: Moves an item in a Sort list downward. Location: Next to the Sort list.
Function: Deletes an item from the Sort list. Location: Next to the Sort list.
Filtering an Item
When you want to view a list of items, you might not want to see the entire list of all the items stored in the database, as this might be a very long list to browse through. In the Process Control application, you can filter many different items to display a short list of only the specific items that fulfill your filter selections. The steps within this section show you how to filter a sample item, the rule criteria. You can follow these steps and apply the same user actions to filter other items with a similar user interface.
Figure 4
If you wish to hide the filter elements, click Hide Filter.
Modifying an Item
In the Process Control application, you can modify many different items using different menus or submenus. The modification steps are similar for these various items. The steps within this section show you how to modify a sample item, the rule criteria. You can follow these steps and apply the same user actions to modify other items with a similar user interface.
To modify an item:
Make the necessary modifications to the information fields.
Note Some fields might not be editable. Also, some fields might be automatically populated by the database.
Deleting an Item
In the Process Control application, you can delete many different items using different menus or submenus. The deletion steps are similar for these various items. The steps within this section show you how to delete a sample item, the rule criteria. You can follow these steps and apply the same user actions to delete other items with a similar user interface.
To delete an item:
Figure 5
The table in the Upload Document pane displays the following:
Table 4
Name: Document name.
File: Link to the uploaded document file.
Description: Description of the document.
Version: Version number generated automatically to keep track of your revision history. When you upload the document for the first time, the version number starts out at 1.0. Each time you check out the document and make changes then check it back in, the version number increments automatically by 0.1. For example: If the current version number is 1.2, the next version will increment to 1.3. If the current version number is 1.9, the next version will increment to 2.0.
Checked Out
For each supporting document that you want to upload, do the following:
Click Add. The Add Documents pane appears.
Figure 6
If you want to edit the name and/or description of a document, select the radio button for your desired document, then click Edit. Modify the name and/or description and click Save.
If you want to delete a document, select the radio button for your desired document, then click Delete.
If you need to make changes to a document, select the radio button for your desired document, then click Check Out. This asks you to open the file wherever it is stored on your system so that you can make your changes, and prevents someone else from overwriting your document file while you are updating it.
Once you are finished saving your changes, go back to the Upload Document pane (see Figure 5) and select the radio button for your document, then click Check In.
The Checkin Documents pane appears.
Figure 7
If you want to see a history trail of revisions made to a document, select the radio button for your desired document, then click Trail.
The Trail pane appears.
Figure 8
Trail Pane
Trail Information
Description
Click the version number to display that version of the document file, containing the changes specific to that version.
5
MAIN MODULES
Home Page
The first page that a user will see upon logging into the Process Control application is the Home page. The Home page shows the Control Execution Monitor, Inbox status, and two Control Status reports.
Figure 9
Home Page
Figure 10
Click the Full View link in the upper right corner of the pane to display the List of Test Results page. For more information, see section Test Results Report on page 81 in Chapter 9, Test Results Reports.
Click the Down icon in the upper right corner of the panes. The period and organization dropdown menus appear.
In the period dropdown menus, select your desired period for the CEM.
In the organization dropdown menu, select your desired organization for the CEM. Each organization was configured in the organization hierarchy. For more information, see the Organization Hierarchy section in the Process Control Version 2.0 Configuration Guide.
Click Go to view the results.
Inbox
Figure 11
Inbox Pane
Click the Full View link or the My Tasks link to display the My Tasks page that displays in tabular format information related to your tasks. All of these tasks are located in one specific area so that you can access and view them easily. For more information, see section My Tasks on page 131 in Chapter 12, User Inbox.
Click the My Cases link to display the My Cases page that displays in tabular format information related to your cases. All of these cases are located in one specific area so that you can access and view them easily. For more information, see section My Cases on page 142 in Chapter 12, User Inbox.
Figure 12
Reports Module
You click the Reports tab to access the Reports module. The Reports page appears.
Figure 13
Reports Page
Figure 14
This guide will focus on the three highlighted submodules only. The other submodules are described in the Process Control Version 2.0 Configuration Guide. The Process Manager module gives you access to your Inbox, containing the tasks, documents, and cases specifically belonging to you as the current logged-in user. This module also displays the cases generated for the deficiencies detected during the execution of your control tests, or created manually. These cases provide the control/survey information, case status, deficiency type, and remediation activities, to enable continuous corporate governance over time. You also perform the assessment and sign-off activities using this module. For details, see the following chapters:
6
MANAGEMENT REPORTS
Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization. Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within SAP. One set of reports, the Management reports, delivers a high-level overview of compliance status from an executive's summary viewpoint, based on processes and assertions. These reports provide the overall status of the control tests executed, and allow you to drill down to the exception cases reported for a particular time period. You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Management reports by clicking the appropriate links as shown in Figure 15.
Figure 15
Reports Page
Management Reports
You can select Management reports for various key items, such as processes and subprocesses (for more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts) and assertions (for more information, see section Assertions on page 28 in Chapter 2, Key Concepts). You can search for specific key items for your report by selecting your desired filters. You can filter your report for one specific key item, or for a combination of various multiple key items by selecting them from the filter dropdown menu(s). Each report generally displays the report title at the top, and the results in graphical and/or tabular formats below. You can click the links if available in the report to drill down to other pages with more information. The following Management reports are available:
Management Report by Process
Management Report by Assertion
The following sections describe each report in more detail.
Figure 16
Click Show Filter to specify your search filters using the Process, Subprocess, Period, and Location fields or dropdown menus.
Click Go to view the results of your report. The report will display only the results of the control tests applicable to your filters.
Click a specific process link in the leftmost column to drill down to the subprocess level for that process (if the subprocess(es) exist). The Management Report by Subprocess page appears listing the control test results by subprocess.
Figure 17
At the subprocess level, click a specific subprocess link in the leftmost column to drill down to the Case List page, listing the cases relevant to the control tests associated with that subprocess. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
At either the process or subprocess level, you can also click the numbers in the table to drill down to more specific information:
Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing the cases relevant to the control tests associated with a particular process or subprocess. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
Click the numbers in the table under the Adequate column to display the List of Test Results page, listing the test results for the control tests associated with a particular process or subprocess. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section Test Results Report on page 81 in Chapter 9, Test Results Reports.
Figure 18
Click Show Filter to specify your search filters using the Assertions and Period dropdown menus.
Click Go to view the results of your report. The report will display only the results of the control tests applicable to your filters.
Click a specific assertion link in the leftmost column to drill down to the Case List page, listing the cases relevant to the control tests associated with that assertion. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
You can also click the numbers in the table to drill down to more specific information:
Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing the cases relevant to the control tests associated with a particular assertion. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
Click the numbers in the table under the Adequate column to display the List of Test Results page, listing the test results for the control tests associated with a particular assertion. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section Test Results Report on page 81 in Chapter 9, Test Results Reports.
7
COMPLIANCE REPORTS
Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization. Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within the ERP system. One set of reports, the Compliance reports, delivers a high-level overview of compliance status for the SOX team, the internal auditors, the organization owners and process owners, based on controls, risks, assertions, and significant accounts. These reports provide the overview status of the controls or assessments executed, and the number of control or survey cases reported for a particular time period. You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Compliance reports by clicking the appropriate links as shown in Figure 19.
Figure 19
Reports Page
Compliance Reports
You can select Compliance reports for various key items, such as controls (for more information, see section Controls on page 22 in Chapter 2, Key Concepts), risks (for more information, see section Risks on page 23 in Chapter 2, Key Concepts), significant accounts (for more information, see section Significant Accounts on page 28 in Chapter 2, Key Concepts), and assertions (for more information, see section Assertions on page 28 in Chapter 2, Key Concepts). You can search for specific key items for your report by selecting your desired filters. You can filter your report for one specific key item, or for a combination of various multiple key items by selecting them from the filter dropdown menu(s). Each report generally displays the report title at the top, and the results in graphical and/or tabular formats below. You can click the links if available in the report to drill down to other pages with more information. The following Compliance reports are available:
Compliance Report - Risk Control Matrix
Compliance Report - Account Assertion Matrix
The following sections describe each report in more detail.
In the Reports page (see Figure 19 on page 64), select Compliance Reports - Risk Control Matrix. The Risk Control Matrix page appears.
Figure 20
Click Go to view the results of your report. The report will display only the matrix information applicable to your filters. Each row in the table displays the following:
Table 6
Organization Unit: Organization unit as defined in the organization hierarchy. For more information, see section Organizations and Organization Hierarchy on page 27 in Chapter 2, Key Concepts.
Process: Process associated with the organization unit. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.
Subprocess: Subprocess associated with the organization unit. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.
Risk: Risk associated with the process/subprocess. For more information, see section Risks on page 23 in Chapter 2, Key Concepts.
Control ID: Unique ID for the control.
Control Description: Brief description of the control.
Control Category: Control category: automated, manual, or query.
Control Purpose: Control purpose: prevent or detect.
Control Frequency: Frequency of control activity on a regular basis.
System Type: System that the control test was performed on.
Deficiency
Survey Cases: Number of cases resulting from assessment surveys.
Click the numbers in the table related to the control or survey cases to display the Case List page, listing only the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
In the Reports page (see Figure 19 on page 64), select Compliance Reports - Account Assertion Matrix. The Account Assertion Matrix page appears.
Figure 21
Significant account associated with the organization unit. For more information, see section Significant Accounts on page 28 in Chapter 2, Key Concepts.
Assertion: Financial assertion associated with the significant account. For more information, see section Assertions on page 28 in Chapter 2, Key Concepts.
Click the numbers in the table related to the control or survey cases to display the Case List page, listing only the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
8
REMEDIATION REPORTS
Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization. Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within SAP. This chapter describes the Remediation reports that provide the number of reported and resolved exception cases, grouped by their deficiency statuses. A reported case is a case that has been generated or created because of a deficiency or violation. A resolved case is a case that has been through the remediation process that finally resolved the deficiency. You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Remediation reports by clicking the appropriate link as shown in Figure 22.
Figure 22
Reports Page
Remediation Reports
You can select Remediation reports for various key items, such as processes and subprocesses (for more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts), organizations (for more information, see section Organizations and Organization Hierarchy on page 27 in Chapter 2, Key Concepts), and user groups (for more information, see section User Groups on page 30 in Chapter 2, Key Concepts). You can search for specific key items for your report by selecting your desired filters. You can filter your report for one specific key item, or for a combination of various multiple key items by selecting them from the filter dropdown menu(s). Each report generally displays the report title at the top, and the results in graphical and/or tabular formats below. You can click the links if available in the report to drill down to other pages with more information.
To access the Remediation reports:
Figure 23
The following Remediation reports are available:
The following sections describe each report in more detail.
Figure 24
Click Show Filter to specify your search filters using the Process, Subprocess, and Period dropdown menus.
Click Go to view the results of your report. The report will display only the reported and resolved exception cases applicable to your filters.
Click a specific process link in the leftmost column to drill down to the subprocess level for that process (if the subprocess(es) exist). The Remediation Status by Subprocess page appears listing the reported and resolved exception cases by subprocess.
Figure 25
At the subprocess level, click a specific subprocess link in the leftmost column to drill down to the Case List page, listing only the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
At either the process or subprocess level, you can also click the numbers in the table to drill down to more specific information:
Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing only the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
Click the numbers in the table under the Adequate column to display the List of Test Results page, listing only the relevant test results. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section Test Results Report on page 81 in Chapter 9, Test Results Reports.
Figure 26
Click Show Filter to specify your search filters using the Process, Subprocess, and Period dropdown menus.
Click Go to view the results of your report. The report will display only the cases applicable to your filters.
Click a specific organization link in the leftmost column to drill down to the sub-organization level for that organization (if the sub-organization(s) exist). The Remediation Status by Sub-Location page appears listing the reported and resolved exception cases by sub-organization.
Figure 27
You can continue clicking a sub-organization link in the leftmost column to drill down to a lower sub-organization level, until you reach the lowest sub-organization level in the organization hierarchy.
At the lowest sub-organization level, click a specific sub-organization link in the leftmost column to drill down to the Case List page, listing the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
At any of the organization or sub-organization levels, you can also click the numbers in the table to drill down to more specific information:
Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing only the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
Click the numbers in the table under the Adequate column to display the List of Test Results page, listing only the relevant test results. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section Test Results Report on page 81 in Chapter 9, Test Results Reports.
Figure 28
Click Show Filter to specify your search filters using the Process, Subprocess, and Period dropdown menus.
Click Go to view the results of your report. The report will display only the cases applicable to your filters.
At the user group level, click a specific user group link in the leftmost column to drill down to the Case List page, listing the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
You can also click the numbers in the table to drill down to more specific information:
Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing only the relevant cases. For more information, see section Case List on page 157 in Chapter 13, Case Management and Remediation. In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
Click the numbers in the table under the Adequate column to display the List of Test Results page, listing only the relevant test results. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section Test Results Report on page 81 in Chapter 9, Test Results Reports.
9
TEST RESULTS REPORTS
Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization. Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within SAP. This chapter describes the Test Results reports that deliver the detailed results from the automated control tests, providing information on the objects related to the control tests, the overall status of the tests executed, and the exception cases reported for a particular time period. You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Test Results reports by clicking the appropriate link as shown in Figure 29.
Figure 29
Reports Page
In the Reports page (see Figure 29 on page 80), select Test Results. The List of Test Results page appears.
You can specify your search filters using the Process, Subprocess, Location, Frequency, Control ID, and Deficiency Type fields and dropdown menus.
Click Go to view the results of your report. The report will display only the results of the control tests applicable to your filters.
Figure 30
Each row in the table displays the following:
Table 8
Item
Control ID Description Location Period Status
Click a Control ID link in the List of Test Results page (see Figure 30 on page 82). The Control Test Results page appears with control test details, grouped by system at the highest level, then by control ID at a lower level under each system.
Figure 31
Figure 32
Each control ID level contains the test result header data at the top, and test result line item data in a table below if applicable.
The header pane displays the following header information:
Table 9
Rule ID: Unique ID for the rule associated with the control test.
Description: Description for the rule associated with the control test.
Version: Version number for the rule associated with the control test.
Location: Organization associated with the control test. For more information, see section Organizations and Organization Hierarchy on page 27 in Chapter 2, Key Concepts.
Process: Process associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.
Subprocess: Subprocess associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.
Control Origin: Origin or source of the control. The various sources are: SAP GRC, Customized, SAP Standard.
Total Violations: Total number of line item violations resulting from this control test. Following the previous example, the total violations would be 6.
Critical
Medium
Low
Run by User: ID of the user who performed the control test.
Date & Run Time: Date and time of control test execution.
System: System that the control test was performed on.
Case Number: Number of the case resulting from the control test.
Period: Time period that the test was executed for.
Risk Value: Aggregated risk amount for this control test, computed from the significant account associated with the control test, if applicable.
Significant Account: Significant account associated with the control test. For more information, see section Significant Accounts on page 28 in Chapter 2, Key Concepts.
If you want to drill down to the rule information, click the Rule ID link to go to the Rules Library Details page. For more information, see the Rules Library section in the Process Control Version 2.0 Configuration Guide.
If you want to drill down to the case information, click the Case Number link to go to the View/Edit Case page. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
Note The same automated control test executed on multiple instances of different systems might have different test results and violations. However, the Rule ID links and Case Number links from the header area for each system will all point to the same rule and case information.
Table 10
Item
New Value
You can click an icon within the test result header pane to download an attached PDF file that contains additional analysis report information.
Note This functionality is available only for the SAP standard and custom controls. Controls delivered by SAP GRC do not include attached PDF files.
Figure 33
Figure 34
Click a Control ID link in the List of Test Results page (see Figure 30 on page 82). The Control Test Results page appears with the header pane and sequence of steps.
Figure 35
The header pane displays the following header information:
Table 11
Location: Organization associated with the control test. For more information, see section Organizations and Organization Hierarchy on page 27 in Chapter 2, Key Concepts.
Owner group for the test plan.
Process associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.
Deficiency Type: Deficiency type resulting from the manual control test: Critical, Medium, or Low. For more information, see section Deficiency Type on page 24 in Chapter 2, Key Concepts.
Subprocess: Subprocess associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.
Risk Value: Aggregated risk amount for this control test, computed from the significant account associated with the control test, if applicable.
ID of the manual control.
Control test overall status: pass or fail.
Supporting documents associated with the test plan.
Supporting documents you can upload with the test plan.
Number of the case resulting from the control test.
Description of the case resulting from the control test.
10
ASSESSMENTS THROUGH SURVEYS
Introduction
Process Control is a solution that aids the certification process under Section 302 and Section 404 of the Sarbanes-Oxley Act of 2002. As part of this certification process, there is a need to perform assessment activities throughout the organization. You can perform these assessment activities in the Process Manager module. You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the assessment features from the Survey Management submodule highlighted in Figure 36.
Figure 36
Types of Assessments
The types of assessments include:
Control Design And Effectiveness Assessment: The internal auditors, the SOX team, the business process owners, or the control owners conduct periodic surveys to assess the design or test effectiveness of controls, depending upon your organization's compliance policy.
Process Design And Effectiveness Assessment: The internal auditors, the SOX team, or the business process owners conduct periodic surveys to assess the design or test effectiveness of subprocesses, depending upon your organization's compliance policy.
Entity-Level Control Assessment: You review and test the entity-level controls through assessment. Entity-level controls (also referred to as company-level or pervasive controls) exist at a higher level in the organization than process-oriented control activities and often relate to all organizations and business units. These controls are usually assessed fairly high in the organization by persons with a strong view of the big picture and how the entity-level controls affect overall compliance.
Self-Assessment: The process owner or control owner conducts an independent test or other review to evaluate his own subprocesses or controls under his purview. A self-assessment might or might not require formal testing, but usually self-assessment testing is less formal and possibly less comprehensive than a test of effectiveness performed by auditors. Self-assessment is often used as a way to monitor controls and to identify and remediate issues before the formal test of effectiveness is performed.
Note Self-assessment differs from testing of effectiveness in that it involves the survey functionality, rather than the test of effectiveness functionality with formal test plans and execution usually performed by independent internal auditors.
Sign-Off Assessment: You use the survey functionality to perform hierarchy-based sign-off by responsible parties at the organization, process, and subprocess levels.
Survey Categories
Within Process Control, you perform assessments via surveys, a set of questions that are sent to individuals across your organization for feedback, with optional review by other personnel. Based on the feedback, the internal audit department or SOX team will perform an assessment, such as a process assessment or control assessment, and so on. The general survey requirements dictate the need for a configurable survey category to choose which type of survey you are creating. Based on the category, some of the survey data and attributes will change. The predefined survey categories are based on the assessment types (for details, see section Types of Assessments on page 93). The different types of survey categories, their related objects, and their uses are described in Table 13.
Table 13 Survey Categories Information

| Survey Category | Related Objects | Use |
| Process Design Assessment | Organization-subprocess | You use this survey category at the subprocess level for process design assessment. You can also use this survey category for a self-assessment survey at the subprocess level. |
| Control Design Assessment | Organization-control | You use this survey category at the control level for control design assessment. You can also use this survey category for a self-assessment survey at the control level. |
| Entity-Level Control Assessment | Organization-ELC (entity-level control) | You use this survey category at the entity-level control level for ELC assessment. You can also use this survey category for a self-assessment survey at the entity control level. |
| Sign-Off | Configurable to include organization, process, and subprocess | You use this survey category for sign-off and certification. |
Important
Self-assessment is not a separate survey category. To create a self-assessment survey, you choose Self Assessment as a sub-category of the Process Design or Control Design or ELC survey category. You can differentiate the self-assessment surveys by assigning a different survey name and a different short reporting name.
The survey-related user roles include:
The general survey data configuration includes the following activities:
You define whether the survey rating/deficiency level is entered by the respondent or by the reviewer. Default value = respondent. You define this option by configuring the Reviewer Can Change Rating drop-down menu when you create a survey. Select Yes if the reviewer can set the rating of the survey. Otherwise, select No to indicate that the respondent can set the rating of the survey. Either the reviewer or the respondent can set the survey rating, but not both. For more information, see section Creating or Copying a Survey on page 103.
By default, the ratings/deficiencies are defined as an Adequate rating (positive response from survey) or a deficiency of Critical, Medium, or Low priority (negative responses from survey).
Survey IDs
When you create a survey, Process Control automatically provides your created survey with a unique ID. When you schedule a survey, Process Control also automatically provides your scheduled survey instances with unique IDs, different from the created survey's ID. These IDs are based on a configurable number range for which you can define a different ID prefix for each type of survey, for easy identification. For more information, see the Number Range section in the Process Control Version 2.0 Configuration Guide. Once you have defined your various number ranges, you then associate a particular number range with the appropriate survey category. For more information, see the Survey Defaults section in the Process Control Version 2.0 Configuration Guide, and the next section.

Default Series Number Range
You may define and assign a different number range for each survey category for easy identification. Process Control generates the survey IDs based on your assigned number range. The survey ID consists of up to 12 alphanumeric characters (3 characters for the ID prefix, up to 9 characters for the ID number). You can configure your number ranges to have different prefixes to distinguish each survey category.

This is the default number of days after the survey is sent, when Process Control will send the reminder notification to the respondents if they have not yet responded. Enter this value as a positive number, indicating the number of days after the survey start date.

This is the default number of days after the survey is sent, when Process Control escalates the survey to the higher-level respondents, if the current survey respondents have not yet answered and submitted the survey. Enter this value as a positive number, indicating the number of days after the survey start date. The default higher-level respondents are the owners of the objects (control, subprocess, or entity-level control).

Default Sign-Off Level
This is the default level(s) at which the hierarchical sign-offs from the bottom up will be performed. This parameter only applies to the Sign-off survey category. For more information, see section Survey Parameters and Defaults on page 121 in Chapter 11, Sign-Off Assessment.
Default value = none.
Survey Statuses
Open: The survey is scheduled for one or more organization-object combinations, but not yet sent to the respondents.
Assigned: The survey is sent to the respondents.
In Process: A survey instance is opened or partially answered.
Sent for Review: A survey instance that is subject to review is now under review.
Recalled: A survey instance has been recalled by the survey administrator for selected organization-objects.
Resent: A survey instance has been resent by the survey administrator to the respondents.
Returned: A survey instance has been returned by the respondent to the survey administrator, because he/she is not the proper respondent.
Rework: A survey instance that is subject to review has been returned by the reviewer to the respondent for rework.
Completed: A survey instance is completed. For a survey that is not subject to review, this means that the survey instance has been submitted by the respondent. For a survey that is subject to review, this means that the survey instance has been reviewed and accepted by the reviewer.
1 You define the survey master data, including the users, user groups, number ranges, and survey parameters and defaults. For more information, see section Survey Master Data on page 95.
2 You create and maintain the survey question library. For more information, see section Creating a Question Library on page 100.
3 The survey administrator creates a new survey for a particular survey category from scratch, or copies an existing survey and then makes the appropriate modifications. For information, see section Creating or Copying a Survey on page 103.
4 The survey administrator schedules a survey using the Scheduler feature. For information on the scheduling process, see section Scheduling a Survey on page 108.
5 Process Control sends the survey to the respondents on the defined scheduled date. For information on the survey sending process, see section Sending Survey Tasks and Instances on page 109.
6 The survey administrator can recall selected survey instances if they have been defined incorrectly (incorrect questions or incorrect respondents) and they have not been submitted by the respondents. The survey administrator fixes the errors as appropriate, and then reschedules the survey instances to be sent again to the respondents. For information, see section Recalling a Survey Instance on page 109.
7 Once the survey is scheduled and sent, the respondents receive communication via email and also as a task in their My Tasks list. The respondents read the survey questionnaire and respond to the survey instances. If the respondents feel that a survey instance was sent incorrectly to them, they can return that survey instance to the survey administrator. For information, see section Responding to and Returning a Survey Instance on page 111. For information on the My Tasks list, see section My Tasks on page 131 in Chapter 12, User Inbox.
8 For the survey instances that have been returned by the respondents, the survey administrator proceeds to fix the assignments and then resends these survey instances to the proper respondents. For information, see section Resending a Survey Instance on page 113.
9 If the survey is subject to be reviewed, once a respondent responds and submits a survey instance, it is then routed to the reviewer. The reviewer reviews and accepts the survey instance. In the case of a dispute, the reviewer can return the survey instance to the respondent for rework, or the survey instance is mutually discussed between the respondent and the reviewer, until the final survey response is submitted and accepted. For information, see section Reviewing and Disapproving a Survey Instance on page 113.
10 Process Control maintains the survey process and its flow automatically. For more information, see section Maintaining the Survey Flow on page 114.
11 If a survey instance results in a deficiency, Process Control generates a case which
In the navigation menu, select Survey Management > Question Library. Alternatively, click the Question Library link in the Process Manager page (see Figure 36 on page 92). The Question Library page appears showing a table listing all of the questions found in the database.
Figure 37
Figure 38
3 The Question ID will be created by the system automatically.
4 In the Category drop-down menu, select the survey category applicable to this question. For more information, see section Survey Categories on page 94.
5 In the Frequency drop-down menu, select the normal frequency for the question. This frequency is used primarily for filtering purposes. When you create a survey, you might want to see only the list of questions for a particular frequency time frame to select from, instead of seeing the entire long list of available questions. The following predefined choices are available:
Daily
Fortnightly (Bi-weekly)
Half Yearly
Monthly
Quarterly
Random
Weekly
Yearly
In the Question text box, enter the question text description.
If you selected Rating or Yes/No/NA for your answer type, then in the Negative Answers area, indicate what constitutes a negative answer or answers for this question, by selecting the checkboxes next to each type of answer you consider to be negative. This indication is used for reporting purposes and for requiring a comment for negative answers.
For example, for the Yes/No/NA answer type, you can indicate that an answer of No or NA is considered to be a negative response. For the Rating answer type, you can indicate that a response < 3 is considered negative by selecting the checkboxes for 1 and 2.
Note The Text answer type does not have the ability to indicate a negative response.
the question to. You can select any or all of the following reports:
Management Reports By Process (for more information, see Chapter 6, Management Reports)
Management Reports By Assertion (for more information, see Chapter 6, Management Reports)
Compliance Report Significant Account and Assertion Matrix (for more information, see Chapter 7, Compliance Reports)
Compliance Report Control and Risk Matrix (for more information, see Chapter 7, Compliance Reports)
you create.
Creating a Survey
To create a survey:
1 In the navigation menu, select Survey Management > Survey. Alternatively, click the Survey link in the Process Manager page (see Figure 36 on page 92). The Survey page appears showing a table listing all of the surveys found in the database.
Figure 39
Survey Page
Figure 40
302: This indicates that the sign-off survey is to fulfill the requirements from Section 302 of the Sarbanes-Oxley Act.
404: This indicates that the sign-off survey is to fulfill the requirements from Section 404 of the Sarbanes-Oxley Act.
6 Process Control automatically assigns a unique ID for each survey that you create.
7 In the Survey Title and Survey Short Title fields, enter the title or name for the survey, and the short title for use in tabular reporting.
8 The Created By and Created On fields are automatically populated by the system.
9 The Comments field is not editable until after you have saved the survey. Once a survey has been saved, next to the Comments field, click the Plus icon or the Add/View All link to display a pop-up window, then enter your comments and click Add.
10 In the Active drop-down menu, select Yes if you consider this survey as active. Otherwise, select No to make it inactive. A survey is considered active if it is in use and can be scheduled and displayed in the reports and dashboards. An active survey cannot be deleted. You can delete a survey only after it is deactivated.
11 In the Review Required drop-down menu, select Yes if this survey is subject to a formal, documented review by a survey reviewer. Otherwise, select No. The survey review is optional.
12 If the survey is subject to a review, in the Reviewer Can Change Rating drop-down
13 In the Validity field, enter the date from the Calendar
15 In the Survey Instructions field, enter the name of the standard text containing the
Figure 41
In the Select Survey Category drop-down menu, the survey category that you selected previously when you create the survey appears. You can overwrite and select a different survey category for filtering this question if you wish. For more information, see section Survey Categories on page 94.
In the Select Frequency Type drop-down menu, the frequency that you selected previously when you create the survey appears. You can overwrite and select a different frequency for filtering this question if you wish.
In the Question field, enter the question text description. You can enter the entire description, or a portion of the description followed by a wildcard character such as *, to display the list of all questions that match your entered expression.
Click Search. Question(s) from a list filtered based upon the previously selected survey category and frequency and question description appear.
3 Repeat from Step 1 if you wish to add more question(s) from different categories or frequencies.
4 In the table showing the list of questions that you have added, click the Upload icon to attach documents to explain how to answer each question or to provide clarifications. Click the Up icon to move the current question up in the list. Click the Down icon to move the current question down in the list.
To delete a question or multiple questions, select the checkbox(es) for the question(s) that you want to delete, and click Delete Questions.
Copying a Survey
In the navigation menu, select Survey Management > Survey. Alternatively, click the Survey link in the Process Manager page (see Figure 36 on page 92). The Survey page appears showing a table listing all of the surveys found in the database (see Figure 39 on page 103).
If you want to copy an existing survey, select the button for the survey that you want to copy from, and click Copy. The Copy Survey and Question panes appear (similar to the Create Survey and Question panes, see Figure 40 on page 104), populated with information from the selected survey.
Scheduling a Survey
After creating a survey, the survey administrator then schedules the survey to be sent to the respondents and optional reviewers using the Scheduler feature. For more information, see the Scheduler section in the Process Control Version 2.0 Configuration Guide.
Note The survey administrator can schedule surveys in advance for any time periods, and can also change the send date at any time before the survey is actually sent to the respondents.
In the Scheduler feature, the survey administrator selects the survey time period and frequency, and the organization-object combinations for which the survey will be scheduled and sent. An object can be a control, subprocess, or entity-level control, depending on the survey category. Once the survey administrator saves a schedule, Process Control creates a survey schedule record and automatically generates the appropriate survey tasks and survey instances to be sent to the appropriate respondents and optionally reviewers.
Process Control derives the survey respondents, and optionally the survey reviewers, from the assignments at the object level. Figure 42 shows the Assign Owners pane, where you configure the object survey respondent/survey reviewer information, by selecting the appropriate user group.
Figure 42
For more information on the respondent/reviewer assignments, see the Subprocess, Control, or Entity-Level Control sections in the Process Control Version 2.0 Configuration Guide.
Process Control automatically assigns a unique ID for each survey schedule record, prepares the resulting survey tasks by grouping by respondent and optionally by reviewer, and creates a link to each of the survey instances (one instance for each scheduled organization-object combination).
Each survey schedule record can result in multiple survey tasks to be sent to the My Task list, one survey task for each respondent and later on, optionally one survey task for each reviewer. Each survey task provides links to multiple survey instances, one instance for each organization-object combination scheduled for the survey. A reviewer will receive their survey instances after the respondent has responded to and submitted their survey instances.
Example:
There are two main possibilities for error:
In the navigation menu, select Survey Management > Survey Status. Alternatively, click the Survey Status link in the Process Manager page (see Figure 36 on page 92).
Click Show Filter and enter your filter selections. Then click Go. The Survey Status page appears showing the list of survey instances and their current statuses, based on your filtering selections.
Figure 43
After the survey administrator schedules a survey and the resulting survey tasks and instances are sent, the respondents need to respond to the survey questionnaire, by opening up the survey tasks that are sent to their My Tasks list in their Inbox. Each time the survey administrator schedules a new survey record, Process Control generates new survey tasks to be sent to the respondents.
The survey task is personalized for each respondent; that is, it provides links to the survey instances for the objects (controls, subprocesses, or entity-level controls, depending on the survey category) assigned to each respondent, grouped by organization.
The respondents open the survey instances sent to them, answer the questions, and provide the ratings/deficiencies if configured to do so (for details, see section General Survey Data Configuration on page 96). Keep in mind that you can suppress the questions for a given survey, by simply not adding any questions when you create the survey. In this case, the respondent would not have to answer any questions, only provide the rating/deficiency if configured to be the person to do so.
If the respondent is responsible for the scheduled objects (controls, subprocesses, or entity-level controls) in multiple organizations, the respondent will receive one survey task, which groups the instances by each organization. In the case that the respondent receives multiple survey instances for the same survey category and the same time period, but for different organizations and objects, the respondent can choose to copy the survey answers from one open survey instance to the other survey instances, to improve response time. The respondent clicks the Copy button, which populates the answers to the other survey instances based upon the information in the current open survey instance.
Negative answers to questions, if used as defined in the question list, require a comment. For non-negative answers, a comment is optional.
The respondents can view the survey attachments to help them understand the survey instructions and the status of their objects. The respondents can also attach one or more documents to support the survey answers and/or ratings.
The respondent (or later, the reviewer) can save the survey instance without submitting and can return to complete the survey instance at a later time.
The respondent cannot submit a survey instance unless all questions are answered, even if the answer to some questions is N/A. This shortens the review process, if applicable, and helps to ensure meaningful and comparable data.
When the respondents consider the survey instance to be complete, they submit the survey instance. Once the survey instance is submitted, it cannot be changed unless it is subject to review and a rework is requested by the reviewer. The respondent can choose to submit all of their survey instances at once, or one individual instance at a time. If the survey is subject to review, as soon as a survey instance is submitted by a respondent, it is then routed to the appropriate reviewer.
After submission, Process Control updates the survey status for each survey instance, and removes the link to that submitted instance. Once all of the survey instances for a particular respondent have been submitted, the survey task is no longer available in that respondent's My Task list.
If the survey is subject to review, once the respondent submits a survey instance for a particular organization-object, Process Control triggers sending that instance via task workflow and email notification to the applicable reviewer, and the survey status for that instance is changed to Review. If the survey is not subject to review, the survey status for that instance is changed to Completed.
Neither the respondent nor the reviewer can change the questions themselves, change the objects included on the survey, or change other data set by the survey administrator during the creation of the survey.
For more information on the survey response procedure, see section Responding To an Assessment Survey Task on page 137 in Chapter 12, User Inbox.
Example of Copy option:
In the case that the respondents believe that they have been sent the wrong survey, the respondents can choose to return the survey instance(s) to the survey administrator. For example, some respondents might feel that they are improperly assigned to one or more objects scheduled for the survey, because of incorrect respondent configuration at the object level.
The respondents can choose to return all of their survey instances at once, or one individual instance at a time. As soon as a survey instance is returned, it is then marked as Returned, and the survey administrator can then access these returned instances in the Survey Status page (see Figure 43 on page 110).
Process Control handles the survey return procedure as follows:
In the navigation menu, select Survey Management > Survey Status. Alternatively, click the Survey Status link in the Process Manager page (see Figure 36 on page 92).
Click Show Filter and enter your filter selections. For the Status drop-down menu, select Rejected by Respondent. Then click Go. The Survey Status page appears showing the list of survey instances and their current statuses, based on your filtering selections (see Figure 43 on page 110). In particular, the table lists all of the survey instances returned by the respondent.
If a survey is subject to review, the review processing flows as follows:
1 After the respondent submits a survey instance, the survey instance automatically routes, via task workflow and email notification, to the people with the survey reviewer role for the scheduled objects.
2 Each reviewer reviews the survey answers and optional attachments but cannot change them.
3 The reviewer provides the rating/deficiency, or reviews the rating/deficiency provided by the respondent, depending on the initial survey master data configuration (for details, see section General Survey Data Configuration on page 96).
Note If the respondent was configured to assign the rating/deficiency, the reviewer is not allowed to change the rating/deficiency provided by the respondent.
4 Based upon his/her review, the reviewer can accept and submit the survey instance (comments by the reviewer are optional, and the survey status for this instance becomes Completed) or disapprove and return the survey instance for rework by the respondents (comments by the reviewer are required, and the survey status for this instance becomes Rework).
5 If the survey instance is returned for rework, it is routed via task workflow and email notification to the original respondent who submitted the survey instance, along with the reviewer comments.
6 The respondent reads the reviewer comments, performs changes to the survey instance and/or supplies additional comments and/or attachments, and then resubmits the survey instance for review. For more information in this process, see section Responding to a Survey Instance on page 111.
7 The review process repeats as described from Step 1 to Step 6, until the reviewer is satisfied and accepts the survey instance.
Note The reviewer can return a survey instance for rework multiple times, if necessary.
Once the reviewer has accepted and submitted the survey instance, and its status is marked as Completed, that survey instance cannot be changed any further.
Survey Cases
Either the respondent or the optional reviewer can provide a rating/deficiency for their survey instances. The rating/deficiency provider is configurable (see section General Survey Data Configuration on page 96).
By default, the ratings/deficiencies are defined as an Adequate rating (survey resulted in positive response) or a deficiency of Critical, Medium, or Low priority level (survey resulted in negative responses).
If the survey instance results in a deficiency from negative responses, Process Control generates a case after the survey instance completion, and will trigger case remediation activity. A case opened for a survey instance is pre-populated with organization and control, subprocess, and/or entity-level control details. The relationship between the survey and the case is maintained so that later drill-down from the compliance reports would display the survey-related cases and their remediation activities.
The respondent (and optional reviewer) can also create a case manually if they wish, if the survey instance results in a deficiency from negative responses.
The status of the survey instance has no impact upon the status of the related case and remediation. A survey instance can be completed and closed while the related case is open.
For more information on how the respondent or the optional reviewer can provide a rating/deficiency and create a case manually, see section Responding To an Assessment Survey Task on page 137 in Chapter 12, User Inbox. For more information on the case drill-down functionality from the reports, see Chapter 7, Compliance Reports. For more information on the case creation steps and remediation activities, refer to Chapter 13, Case Management and Remediation.
Deactivating a Survey
If some surveys are no longer required in the data repository, then the survey administrator can deactivate them.
To deactivate a survey:
1 In the navigation menu, select Survey Management > Survey. Alternatively, click the Survey link in the Process Manager page (see Figure 36 on page 92). The Survey page appears showing a table listing all of the surveys found in the database (see Figure 39 on page 103).
2 Select the checkbox for the survey that you want to deactivate from the table, and click Edit. The Edit Survey and Question panes appear (similar to Figure 40 on page 104).
3 In the Active drop-down menu, select No to make the survey inactive.
4 Click Save. The Survey page reappears (see Figure 39 on page 103). At this point, the selected survey is considered deactivated.
11
SIGN-OFF ASSESSMENT
Introduction
Process Control is a solution that aids the certification process under Section 302 and Section 404 of the Sarbanes-Oxley Act of 2002. As part of this certification process, there is a need to schedule and perform sign-off and to freeze the assessment data. You can perform this sign-off activity in the Process Manager module. You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the sign-off features from the Survey Management submodule highlighted in Figure 44.
Figure 44
Sign-off Requirements
Section 302 of the Sarbanes-Oxley Act of 2002 requires that management (typically the CEO and CFO) certify in each submitted annual or quarterly report that, as part of their responsibilities for internal controls, they have evaluated, presented conclusions about the effectiveness of their controls, and disclosed significant deficiencies and/or material weaknesses and/or significant changes to their internal controls.
Section 404, in part, requires that management prepare a report that contains an assessment, as of year end, of the effectiveness of the internal control structure and the procedures for financial reporting and disclosure.
To support these requirements, many public companies prepare internal sub-certifications that formalize the responsibilities of the lower-level officers, managers, and business owners, for evaluation and disclosure of the status of internal controls within their areas of responsibility. Process Control provides the preparation and roll-up of surveys related to this practice.
Sign-off Assessment
Chapter 10, Assessments Through Surveys describes the various types of assessments (and related survey categories), including the Control Design And Effectiveness Assessment, Process Design And Effectiveness Assessment, Entity-Level Control Assessment, and Self-Assessment. This chapter describes the Sign-Off Assessment used to perform hierarchy-based sign-off by responsible parties at the organization, process, and subprocess levels.
For more information related to the configuration of organizations, processes, and subprocesses, see the Process Control Version 2.0 Configuration Guide.
Within Process Control, you perform assessments via surveys, a set of questions that are sent to individuals across your organization for feedback. At a base level, sign-off is one of the survey categories for assessment.
Although the survey functionality will be used for sign-off, it differs from that previously described for the other types of assessments (for more information, see Chapter 10, Assessments Through Surveys). The key differences involve the hierarchical, bottom-up progression of the sign-off activities. In this bottom-up approach, each business owner of the organization level (entity) needs to sign off the control environment before the owner of the next higher entity can sign off.
The survey-related user roles include:
Note
The sign-off survey data configuration includes the following activities:
You define the sign-off sub-category. The choices are as follows:
302: This indicates that the sign-off survey is to fulfill the requirements from Section 302 of the Sarbanes-Oxley Act. The default sign-off period for this sub-category = Quarter.
404: This indicates that the sign-off survey is to fulfill the requirements from Section 404 of the Sarbanes-Oxley Act. The default sign-off period for this sub-category = Year.
Survey IDs
The various levels that you can select from are as follows:
Process and organization only
This choice is suitable to companies that want to scope their sign-off review based on the organization hierarchy and also the processes within each organization level. For this choice, the sign-off survey will be sent to the organization owners for the organizations subject to sign-off, and also the process owners within these organizations.
Process Control executes the roll-up based on your sign-off hierarchy. That is, first the sign-off survey is sent to the process owners within the organization at the lowest level, and only after the process owners complete the sign-off that the sign-off will be sent to the organization owners. Once the organization sign-off is complete then the survey will be sent to the process owners for the organization at a higher level, and at
Subprocess, process, and organization
This choice is suitable to companies that want to scope their sign-off review based on the organization-based organization hierarchy, and also the processes and subprocesses within each organization level. For this choice, the sign-off survey will be sent to the organization owners for the organizations subject to sign-off, and also the process owners and subprocess owners within these organizations.
Process Control executes the roll-up based on your sign-off hierarchy. That is, first the sign-off survey is sent to the subprocess owners within the organization at the lowest level, and only after the subprocess owners complete the sign-off that the sign-off will be sent to the process owners, then the organization owners. Once the organization sign-off is complete then the survey will be sent to the subprocess owners for the organization at a higher level, and at the completion of which the sign-off survey will then be assigned to the process owners, then the organization owners at that higher level. The survey continues to roll up through the higher levels (bottom-up approach), eventually reaching the corporate or highest level in the organization hierarchy.
1 You define the survey master data, including the users, user groups, number ranges, and survey parameters and defaults. For more information, see section Survey Master Data on page 120.
2 You create and maintain the sign-off survey question repository. For more information, see section Creating a Question Library on page 124.
3 The survey administrator creates a sign-off survey from scratch, or copies an existing survey and then makes the appropriate modifications. For more information, see section Creating or Copying a Survey on page 124.
4 The survey administrator schedules the sign-off survey using the Scheduler feature. For information on the scheduling process, see section Scheduling a Survey on page 124.
5 Process Control sends the survey to the respondents on the defined scheduled date. For information on the survey sending process, see section Sending Survey Tasks and Instances on page 126.
6 The survey administrator can recall survey instances if they have been defined incorrectly (incorrect questions or incorrect respondents) and they have not been submitted by the respondents. The survey administrator fixes the errors as appropriate, and then reschedules the survey instances to be sent again to the respondents. For information, see section Recalling a Survey Instance on page 127.
7 Once the survey is scheduled and sent, the respondents receive communication via email and also as a task in their My Tasks list. The respondents read the survey questionnaire and respond to the survey instances. If the respondents feel that a survey instance was sent incorrectly to them, they can return that survey instance to the survey administrator. For information, see section Responding to and Returning a Survey Instance on page 127. For more information on the My Tasks list, see section My Tasks on page 131 in Chapter 12, User Inbox.
8 For the survey instances that have been returned by the respondents, the survey administrator proceeds to fix the assignments and then resends these survey instances to the proper respondents. For information, see section Resending a Survey Instance on page 113 in Chapter 10, Assessments Through Surveys.
9 Process Control maintains the survey process and its flow automatically. For more information, see section Maintaining the Survey Flow on page 114 in Chapter 10, Assessments Through Surveys.
10 Process Control updates the survey response and compiles the results for analysis reporting and for updating the Survey Status page (see Figure 43 on page 110 in Chapter 10, Assessments Through Surveys). For information on the analysis reports, see Chapter 7, Compliance Reports.
11 If some sign-off surveys are no longer required in the data repository, then the survey
302: This indicates that the sign-off survey is to fulfill the requirements from Section 302 of the Sarbanes-Oxley Act.
404: This indicates that the sign-off survey is to fulfill the requirements from Section 404 of the Sarbanes-Oxley Act.
3 The Review Required drop-down menu is not applicable to sign-off surveys.
Scheduling a Survey
After creating a survey, the survey administrator then schedules the survey to be sent to the respondents using the Scheduler feature. For more information, see the Scheduler section in the Process Control Version 2.0 Configuration Guide.

This survey scheduling process is similar to the process described in section Scheduling a Survey on page 108 in Chapter 10, Assessments Through Surveys for the control/process/ELC assessments and self-assessments. Process Control automatically assigns a unique ID for each survey schedule record, prepares the resulting survey tasks by grouping by respondent, and creates a link to each of the survey instances. The differences are noted as follows:

If the level that you configured for the Default Sign-Off Level parameter is process and organization only, Process Control automatically creates a link to each of the survey instances, one instance for each process assigned to each scheduled organization. You do not select individual processes in the Scheduler feature. Process Control generates survey instances for all of the processes assigned to each organization.

If the level that you configured for the Default Sign-Off Level parameter is subprocess, process, and organization, Process Control automatically creates a link to each of the survey instances, one instance for each subprocess under each process assigned to each scheduled organization. You do not select individual processes or subprocesses in the Scheduler feature. Process Control generates survey instances for all of the processes assigned to each organization, and for all of the subprocesses under each of those processes.

Process Control derives the sign-off survey respondents from the configuration at each organization or process or subprocess. By default, the respondent is the organization or process or subprocess owner. Figure 45 shows the Assign Owners pane, where you configure the owner information, by selecting the appropriate user group.
Figure 45
Note
For the sign-off surveys, the respondent is actually the Owner user group, not the Survey Respondent user group (unless they are the same).
You configure the Default Sign-Off Level parameter as process and organization only. Let's assume for this example that you have one organization that has two assigned processes and another organization that has three assigned processes in your organization hierarchy. Process Control generates five survey instances total, one for each assigned process. Each survey instance includes questions applicable to a particular process, and will record the sign-off result given for that process. A person who is the owner for the two processes assigned to one scheduled organization as well as the three processes assigned to the other scheduled organization will receive one survey task in their My Tasks list. This survey task provides links to the five survey instances for the relevant processes, grouped by organization.

Process Control sends the sign-off survey tasks and instances to the owners of all levels subject to sign-off, based upon your configuration of the Default Sign-Off Level parameter and the organizations scheduled for sign-off.

Process Control sends the sign-off survey tasks and email notifications first to the respondent (owners of the objects) at the lowest level subject to sign-off (for example, subprocess owners first, then process owners, then organization owners).

After the respondent for each lower level subject to sign-off has completed the sign-off task, Process Control then sends the survey tasks and email notifications to the respondent of the next higher level subject to sign-off. The sign-off survey tasks and email notifications will proceed up each level, until finally reaching the topmost level of the sign-off hierarchy.

The following diagram is a simplified example of sign-off where it is configured for the subprocess, process, and organization levels.
Note
No higher-level respondent receives a survey task for sign-off until the respondents of the lower level subject to sign-off have signed.
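A simplified model of the instance generation, task grouping and bottom-up release described above, added here as an illustration and not SAP's code. The hierarchy, owner names, the level names "process" and "subprocess", and the per-branch reading of the release rule (an owner is released once all objects directly below theirs have signed) are assumptions.

```python
from collections import defaultdict

# Constructed sample hierarchy (not from the guide): organizations hold
# processes, processes hold subprocesses; every object has an owner.
HIERARCHY = {
    "Org-A": {"owner": "org_owner_a", "processes": {
        "P1": {"owner": "alice", "subprocesses": {"S1": "carol", "S2": "dave"}},
        "P2": {"owner": "alice", "subprocesses": {"S3": "carol"}},
    }},
    "Org-B": {"owner": "org_owner_b", "processes": {
        "P3": {"owner": "alice", "subprocesses": {}},
        "P4": {"owner": "alice", "subprocesses": {"S4": "dave"}},
        "P5": {"owner": "alice", "subprocesses": {}},
    }},
}

# Hypothetical names for the two Default Sign-Off Level settings in the text:
# "process"    = process and organization only
# "subprocess" = subprocess, process, and organization
LEVELS = ("process", "subprocess")


def generate_instances(hierarchy, level, scheduled_orgs):
    """One instance per process of each scheduled organization, plus one per
    subprocess when the level includes subprocesses. Nothing is selectable
    below the organization, mirroring the Scheduler behaviour described."""
    if level not in LEVELS:
        raise ValueError(f"unknown sign-off level: {level}")
    instances = []
    for org in scheduled_orgs:
        for proc, pdata in hierarchy[org]["processes"].items():
            instances.append({"org": org, "kind": "process",
                              "object": proc, "respondent": pdata["owner"]})
            if level == "subprocess":
                for sub, owner in pdata["subprocesses"].items():
                    instances.append({"org": org, "kind": "subprocess",
                                      "object": sub, "respondent": owner})
    return instances


def group_tasks(instances):
    """One survey task per respondent for the schedule record, with the
    instance links grouped by organization."""
    tasks = defaultdict(lambda: defaultdict(list))
    for inst in instances:
        tasks[inst["respondent"]][inst["org"]].append(inst["object"])
    return {resp: dict(orgs) for resp, orgs in tasks.items()}


def children(hierarchy, level, node):
    """Objects directly below a node that are subject to sign-off."""
    kind, org, name = node
    if kind == "organization":
        return [("process", org, p) for p in hierarchy[org]["processes"]]
    if kind == "process" and level == "subprocess":
        subs = hierarchy[org]["processes"][name]["subprocesses"]
        return [("subprocess", org, s) for s in subs]
    return []


def all_nodes(hierarchy, level, scheduled_orgs):
    """Every object subject to sign-off, as (kind, organization, name)."""
    nodes = []
    for org in scheduled_orgs:
        root = ("organization", org, org)
        nodes.append(root)
        for proc in children(hierarchy, level, root):
            nodes.append(proc)
            nodes.extend(children(hierarchy, level, proc))
    return nodes


def ready_to_sign(hierarchy, level, scheduled_orgs, signed):
    """Objects whose owner may receive a sign-off task now: not yet signed,
    and every object directly below them has already signed."""
    return [n for n in all_nodes(hierarchy, level, scheduled_orgs)
            if n not in signed
            and all(c in signed for c in children(hierarchy, level, n))]


if __name__ == "__main__":
    orgs = ["Org-A", "Org-B"]
    print(group_tasks(generate_instances(HIERARCHY, "process", orgs)))
    print(ready_to_sign(HIERARCHY, "subprocess", orgs, set()))
```

With the process-level setting the model reproduces the five instances and the single grouped task from the example above; with the subprocess-level setting a process owner is released only after the subprocesses below that process have signed.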
Process Control generates the survey instances based on the objects at the level(s) that you configured for the Default Sign-Off Level parameter (see section Survey Parameters and Defaults on page 121).

The survey administrators cannot recall individual instances for some particular organization or process or subprocess, because they cannot reschedule these individual instances. In the Scheduler feature, by default, they have to schedule the sign-off survey for all organizations. Therefore, if the survey administrators want to perform a recall, they would have to recall all of the instances for the configured objects of the Default Sign-Off Level parameter (for example, all of the processes and all of the subprocesses for all organizations), for a previous schedule record.

After recalling the desired survey instance(s), the survey administrator can edit the survey information and fix the errors as appropriate, and then later reschedule the recalled survey instances if needed. To reschedule, the survey administrator creates a new schedule record using the Scheduler feature.

The respondent receives the survey instance(s) and is presented with the sign-off period, sign-off category, instructions, links to a variety of relevant reports, and sign-off questions created by the survey administrator. The respondent then reviews the status of internal controls and performs the sign-off.

If the respondent feels that the processes and controls are adequately represented and that no changes are necessary, the respondent answers the sign-off questions, and optionally attaches documents and/or provides comments.

The respondent can sign off for the period even with negativity or when open issues exist. A comment is required for each negative answer. The respondent then submits the sign-off survey. A dialog box with configurable text appears to remind the respondent of corporate responsibilities relative to sign-off, and to confirm the desire to sign off.
12 USER INBOX
Introduction
You can view the tasks and cases assigned to you, or documents that you checked out, as the current logged-in user, by accessing your Inbox in the Process Manager module. You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the Inbox features from the Inbox sub-module highlighted in Figure 46.
Figure 46
User Inbox
The Inbox sub-module contains the following features:
These features are described in the following sections.
My Tasks
Tasks are activities that you are responsible for completing. In the My Tasks list, you can access all of the tasks that you have been assigned. The three types of tasks are the following:

Workflow tasks
After an automatic case is generated from a control test, or a manual case is created by a user, Process Control notifies the control owner to take action to resolve the control deficiency and to document those activities for remediation purposes. The control owner can choose to assign the case to someone else, an assignee, to handle this responsibility, if desired. The control owner (or assignee) receives their relevant cases in their My Cases list. For more information, see section My Cases on page 142.
Once the owner (or assignee) completes the remediation activities, changes the case status to Resolved, and submits the case, Process Control notifies the case approver to approve or reject the case resolution and submission. This approval activity is considered as a workflow task.
You will see one workflow task for each case, whether the case was generated automatically or created manually. For more information on case remediation, see Chapter 13, Case Management and Remediation.

Test plan/test step tasks
For manual controls, Process Control notifies the owner of a test step to take action, to perform the test step activity and give a status for each test step. Process Control also notifies the test plan owner to validate all of the test steps at a preconfigured test frequency, to determine the overall result of the manual control test. These activities are considered as test plan/test step tasks.
You will see one test plan/test step task for each scheduled organization. For more information on test plans/test steps, see the Test Plan section in the Process Control Version 2.0 Configuration Guide.

Survey tasks
For assessment surveys, Process Control notifies the survey respondents to respond to the survey questions or to sign off, and optionally notifies the reviewers to review and accept the survey. These activities are considered as survey tasks.
You will see one survey task for each survey schedule record. After you open this task, you will see links to the survey instances, grouped by organization. For more information on assessments surveys, see Chapter 10, Assessments Through Surveys and Chapter 11, Sign-Off Assessment.

In the navigation menu, select Inbox > My Tasks. Alternatively, click the My Tasks link in the Process Manager page (see Figure 46 on page 130).
The My Tasks page appears showing the tasks relevant to you, as the current logged-in user.
This page is a user-specific dashboard that organizes the tasks related to elements that you are responsible for, for example a test step or an assessment survey that requires your response.
Figure 47
My Tasks Page
Each row in the table displays the following:

Table 15: My Tasks Information
Item: Description
Task Id
Task Description
Type
Start Date
End Date
Status: Current status for the task. This status is dependent on the type of task. If it's a workflow task, the status would be a case status. For more information, see the Case Status section in the Process Control Version 2.0 Configuration Guide. If it's a test plan/test step task, that status would be Fail, Pass, or Pending. If it's a survey task, the status would be a survey status. For more information, see section Survey Statuses on page 98 in Chapter 10, Assessments Through Surveys.
Details: Access to links that will display the object that requires your action, for example a test plan or a survey.

In the Details column, click the Details icon to display the screens for this task.
For responding to a workflow task, perform the steps in section Responding To a Workflow Task on page 134.
For responding to a test plan or test step task, perform the steps in section Responding To a Test Plan or Test Step Task on page 135.
For responding to or for reviewing an assessment survey task, perform the steps in section Responding To an Assessment Survey Task on page 137.
Case Creation
Case generated by the system automatically: Automatic control case, Query control case, Custom control case, Manual control case, Survey case
Case created by a user manually: Control or survey case
Figure 48
If you are not satisfied with all of the remediation activities and information, click Reject. This action changes the status for the case back to Open/Reported, sends the case back to the My Cases list of the case owner (or assignee if there is one), and removes the workflow task from your My Tasks list. For more information on the case owner and assignee, see section Assignment Steps on page 155 in Chapter 13, Case Management and Remediation, and also Step 8 on page 139.
If the case is rejected, the case owner (or assignee) needs to return to the remediation process, edit the case information, and resubmit the case for approval again. For more information, see section My Cases on page 142.
The test plan header information and the test steps appear. Perform the activities for the test step related to your task.
Figure 49
Figure 50
In the Status dropdown menu that appears, select the status for the test step based on the result of your activity, from the following:
statuses.
Next to the Add Documents field, click the Upload icon to attach document(s) providing supplemental information for the test step, if you wish.
Next to the Comments field, click the Plus icon or the Add/View All link and enter your comment text for the test step in the popup window, if you wish. You can scroll down in this popup window to view previously entered comments, if available.
Click Save. If you have given the test step the status of Pass or Fail, this action updates the test step status information for the test plan, and removes the test step task from your My Tasks list. If you have given the test step the status of Pending, the test step task remains in your My Tasks list, until you give a Pass or Fail status.
The test plan header information and the test steps appear (see Figure 49 on page 135). In the header area (the upper pane with white background), review the test plan information, and the attached documents if available by clicking the Upload icon next to the Documents label.
In the Sequence of Steps pane, click the button for each test step and review the status of all of the test steps and their related documents. You cannot change the test step statuses. You can click the Upload icon in each row to open documents attached by the test step owner that provide clarifications for a specific test step, if available.
Based on the status of the test steps, you then determine the overall deficiency and status for the test plan. In the header area, in the Deficiency Type dropdown menu, select the deficiency level for the test plan. For details, see section Deficiency Type on page 24 in Chapter 2, Key Concepts.
In the header area, in the Status dropdown menu, select the overall status for the test plan from the following:
statuses.
Note Even if the test step owners have given pass status to all of the test steps, you can still give the test plan a fail status if you wish, and vice versa. The test plan status is entirely up to you to determine, as the test plan owner.
Figure 51
Survey Instance Page for a Respondent Who Cannot Change the Rating
Figure 52
Survey Instance Page for a Reviewer Who Can Change the Rating
If you want to hide the left side pane, click the Hide Pane icon. If you want to show the left side pane, click the Show Pane icon.
Next to the Survey Instructions label, you can click the Upload icon to open documents that explain how to answer the survey or that provide clarifications for specific questions. You can view these attached document(s) from your surveys to obtain supplemental information.
Next to the Attach Documents label, you can click the Upload icon to attach one or more documents to support your survey answers and/or ratings. A popup window appears showing the Upload Document pane. For more information, see section Uploading and Revising a Document on page 44 in Chapter 4, User Interface.
If you are responding to the survey instance, in the second column in the Questions pane, select or enter an answer for each question. You can view reports by clicking the report links, if available. You can add comments by clicking the Plus icon or the Add/View All link in the Comments column, and entering your comment text in the popup window. You can scroll down in this popup window to view previously entered comments, if available.
Note Negative answers to questions, if used as defined in the question list, require a comment.
Adequate: This indicates a positive or pass rating.
Critical, Medium, or Low: These indicate negative ratings and the various levels of deficiency.
8 In the Case Assignee field, enter the user group assigned to the case, if this survey instance results in a deficiency that will generate a case, or if you plan to create a case manually. This user group will be responsible for the case remediation activities. You can enter the user group name or a wildcard character such as * to see the list of user groups to select from.
9 Click Save to save your current survey instance. You can come back to this survey instance at a later time and continue with your responses.
10 For respondents, if you want to copy the answers in your current open survey instance to other survey instances, then click Save and click Copy. A popup window appears listing the other survey instances assigned to you. In the popup window, select the checkbox in front of each survey instance that you want to copy the answers to, and then click Copy.
11 For respondents, if you feel that this survey instance was sent to you in error, for
you can choose to return the survey to the respondents for rework. First, click the Plus icon or the Add/View All link next to the Comments label in the header area, and enter your reason for the return. Then click Disapprove. Process Control will route the survey back to the respondents for rework.
If you want to return all of the survey instances at once, then enter your reason comments for all of the survey instances, and click Return All in the left side pane.
13 If you provide negative responses resulting in a survey deficiency, you can click Create Case to manually create a case for this assessment if you wish.
14 When you are finished with your survey, click Submit. You cannot submit a survey
If you are a respondent and the survey is subject to review, Process Control will route the survey to the reviewer after your submission. If you are a respondent and the survey is not subject to review, it is considered to be completed at this point.
If you are a reviewer, then the survey is also considered to be completed after your submission. With your submission, you indicate that you have reviewed and accepted the survey to your satisfaction.
If you provide negative responses resulting in a survey deficiency, after submission of the survey instance, Process Control will automatically generate a case.
After submission of each survey instance, the survey instance link disappears from the left side pane.
After submission of all of the survey instances from a survey task, the survey task disappears from your My Tasks list.
My Documents
You can upload various documents in the Process Control application to provide additional supporting information. The My Documents list is a repository of all of your documents that you have previously uploaded and checked out. All of these documents are located in this one specific area so that you can access and view them easily.
Accessing a Document
To access a document in your My Documents list:
In the navigation menu, select Inbox > My Documents. Alternatively, click the My Documents link in the Process Manager page (see Figure 46 on page 130).
The My Documents page appears showing the documents that you have checked out, as the current logged-in user.
This page is a user-specific dashboard that organizes your documents, allowing you to view their status and to open a particular version of a document.
Figure 53
My Documents Page
My Cases
When a deficiency occurs, an exception case provides detailed information to help you drill down to the root violation cause within the ERP system. There are many categories of cases in the Process Control application (for more information, see the Case Categories and IDs on page 147 in Chapter 13, Case Management and Remediation). In general, the cases are either control-related, or survey-related.

For example, during the execution of an automated control test, Process Control automatically generates a case if a control deficiency or violation is found. For the execution of a manual control test, the test plan owner can also generate a case as a result of the test plan failure. For assessment surveys that have deficiencies (negative ratings), the survey respondent or reviewer can also create a case.

The My Cases list displays in tabular format information related to your cases. All of the cases relevant to you are located in this one specific area so that you can access and view them easily, and you can then proceed to edit and document your cases for remediation purposes. Remediation denotes the process involved in resolving the control deficiency captured in these exception cases.

As a case owner (or assignee if previously assigned), you would see only those cases that belong to you (or have been specifically assigned to you) for remediation, in the My Cases list. Table 17 groups the types of cases and lists the default case owner for each type of case. You can change the case owner/assignee at any time (see Assignment Steps on page 155 in Chapter 13, Case Management and Remediation, and also Step 8 on page 139).

Table 17: Case Approver Information
Case Creation, Type of Case, Default Case Owner
Case created by a user manually: Control or survey case
Accessing A Case
To access a case in your My Cases list:
In the navigation menu, select Inbox > My Cases. Alternatively, click the My Cases link in the Process Manager page (see Figure 46 on page 130).
The My Cases page appears showing the cases assigned to you, as the current logged-in user.
This page is a user-specific dashboard that organizes the exception cases that have been assigned to you for remediation.
Figure 54
My Cases Page
Each row in the table displays the following:

Table 18: My Cases Information
Item: Description
Case Number: Case ID number generated based on a configurable number range. When you configure each number range, you can define a different ID prefix for each type of case, for easy identification. For more information, see the Number Range section in the Process Control Version 2.0 Configuration Guide.
Case Status: Current state in the remediation process for the case. For more information, see the Case Status section in the Process Control Version 2.0 Configuration Guide.
Case Description: The description for this case.
Deficiency Type: This describes the insufficient level of compliance determined after an analysis is completed. For details, see section Deficiency Type on page 24 in Chapter 2, Key Concepts.
Priority
Frequency Type: The frequency of the control test execution or of the survey that generated the case. The predefined frequency types are as follows: Daily, Fortnightly (Bi-weekly), Half Yearly, Monthly, Quarterly, Weekly, Yearly, Random.
Period Year: The year of the control test execution or of the survey submission that generated the case.
Period Name: The short name of the period of the control test execution or of the survey submission that generated the case.
Owner: Name of the case owner/assignee. This is a user group or user assigned to the case for remediation purposes. For more information, see section Assignment Steps on page 155 in Chapter 13, Case Management and Remediation, and also Step 8 on page 139.
Create Time: The time when the case is created.

In the Case Number column, click the case number link to display the Edit Case page showing the case details. Make your modifications to the case information for remediation purposes. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
When you are done with your remediation activities, in the header area of the Edit Case page, in the Case Status dropdown menu, select Resolved.
13 CASE MANAGEMENT AND REMEDIATION

TOPICS COVERED IN THIS CHAPTER
Introduction
Case Categories and IDs
Creating a Case
Create Case Steps
Case Header Steps
Case Details Steps
Assignment Steps
Documents Steps
Case List
Editing a Case
Edit Case Steps
Case Header Steps
Case Details Steps
Assignment Steps
Documents Steps
Case Trail Steps
Time Spent Trail Steps
Resolution Steps
Introduction
When a deficiency occurs, an exception case provides detailed information to help you drill down to the root violation cause within the ERP system. You can then proceed to resolve the deficiency and to document these activities. This task is called remediation.
The Process Manager module delivers the summary status, impact, and priority information for the reported exception cases, and details regarding their remediation activities.
You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the case management and remediation features from the Case Management sub-module highlighted in Figure 55.
Figure 55
Automatic Control Auto Case: Process Control automatically generates these cases as a result of automated control testing. After you schedule an automated control test, Process Control generates an exception case for each control deficiency found.

Automatic Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of an automated control. In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Custom Control Auto Case: Process Control automatically generates these cases as a result of custom control testing. Your organization might have created your own set of custom controls that you want to integrate into the Process Control application for automatic monitoring. After you schedule a custom control test, Process Control generates an exception case for each control deficiency found.

Custom Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of your custom control. In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Test Plan Control Auto Case: Process Control automatically generates these cases as a result of manual control (test plan) testing. After the test plan owner has scheduled the test plan and the test step owners have completed their tasks, if the test plan owner then submits that the test plan has resulted in failure, Process Control automatically generates a case.

Test Plan Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of your manual control (test plan). In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Query Control Auto Case: Process Control automatically generates these cases as a result of query control testing. You can build a query, configure the query as a control, and schedule the query control for automatic monitoring. Process Control generates an exception case for each control deficiency found from your query control testing.

Query Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of your query control. In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Survey Auto Case: Process Control automatically generates these cases as a result of survey assessment. You can create a survey and schedule the survey to be assessed by respondents and possibly reviewers, or to be signed off. If the survey results in a negative rating, Process Control automatically generates a case.

Each case, for a particular category, whether the case is generated automatically or created manually, has a unique ID which is either numeric or alphanumeric. Process Control generates these IDs based on a configurable number range. When you configure each number range, you can define a different ID prefix for each type of case, for easy identification. For more information, see the Number Range section in the Process Control Version 2.0 Configuration Guide.

Once you have defined your various number ranges, you then associate a particular number range with the appropriate case category. For more information, see the Case Number Range Assignment section in the Process Control Version 2.0 Configuration Guide.
Creating a Case
You can create an exception case manually and assign all the necessary case information that was not automatically generated by the Process Control application. In a manual case, you can further document information for issues found at a level lower than the level where Process Control would automatically generate the case. After you create the case, it can then proceed through the remediation process and be tracked in reports. See the Create Case page for an example manual case entry.
Figure 56
In the navigation menu, select Case Management > Create Case. Alternatively, click the Create Case link in the Process Manager page (see Figure 55 on page 146).
The Create Case page appears (see Figure 56 on page 149).
Perform the steps in the following sections:
Click Save to create the case.

The category associated with this case: control or survey.
The classification that distinguishes between different groups of cases. You can create new case types in the Administration module. For details, refer to the Case Type section in the Process Control Version 2.0 Configuration Guide.
The brief description for the case.
The importance level of the case. You can select from the following predefined priority level options: Immediate, High, Medium, Low.
Case Status
Table 19
Item: Description
Deficiency Type: The insufficient level of compliance determined after an analysis is completed. The Deficiency Type varies depending on the selected Case Type. For details, see section Deficiency Type on page 24 in Chapter 2, Key Concepts. After a case has been reassigned with a new deficiency type status, the reports and the Control Execution Monitor automatically update and display the revised status for that case/control test. For information about the Control Execution Monitor, see section Control Execution Monitor (CEM) on page 49 in Chapter 5, Main Modules. For information about the reports, see Chapter 6, Management Reports, Chapter 7, Compliance Reports, Chapter 8, Remediation Reports, Chapter 9, Test Results Reports, and Chapter 10, Business Intelligence (BI) Reports.
Remediation Usergroup: If you currently have remediation software, similar issues in that system can be linked to the Process Control system via an external remediation ID. You create a name and/or number for each matching issue or incident, and enter this information into the Remediation Usergroup field to be saved within a case.
Period Reported: The time period applicable to this case, including the Period Type, Year, and Period ID. These items are editable only for a control case, not for a survey case.
The predefined Period Types are as follows: Daily, Fortnightly (Bi-weekly), Half Yearly, Monthly, Quarterly, Weekly, Yearly, Random.
These period types are selectable only if there are some defined date ranges for them. For more information on how to define the date ranges, see the Frequency Dates section in the Process Control Version 2.0 Configuration Guide.
You select the Period Type and Year applicable to this case. Once the Period Type and Year are selected, the date ranges will show automatically for the Period ID dropdown menu.
The Period ID represents the specific date range corresponding to the selected Period Type and Year. This date range can be a regular (predetermined) period (for example, M11 from 11/01/06 to 11/30/06) or a random (user-defined) period (for example, A1 from 11/01/06 to 11/15/06).

Click the Case Details tab to display the Case Details pane.
The information in this pane varies depending on the Case Category and the Control ID or Survey Instance ID that you selected in section Case Header Steps on page 150.
Figure 57
This is the process associated with the control related to this case.
This is the subprocess associated with the control related to this case.
This is the organization associated with the control related to this case.
Control Category: This is used to differentiate the controls. For information, see section Control Category on page 25 in Chapter 2, Key Concepts.
This is a brief description for the control related to this case.
This represents a group of similar activities in an application system, which can be monitored and analyzed differently based on its own criteria, to determine the control violations. For information, see section Control Type on page 26 in Chapter 2, Key Concepts.
Assertion: For information regarding assertions, see section Assertions on page 28 in Chapter 2, Key Concepts.
Source Script

Figure 58

The category of the survey related to this case.
If the selected Survey Instance ID is of the Process Design Assessment category, then this is the subprocess associated with the survey related to this case.
This is the main title of the survey related to this case.
This is the short title (for columnar reporting purposes) of the survey related to this case.
This is the organization associated with the survey related to this case.
If the selected Survey Instance ID is of the Control Design Assessment or Entity Level Control Assessment category, then this is the control or entity-level control associated with the survey related to this case.
Location
Control Description

Table 21
This indicates the person who last modified the case.
This is the time logged when the case is created.
Assignment Steps
You select the user group or user assigned to the case for remediation purposes in the Assignment pane.
To enter Assignment information:
Click the Assignment tab to display the Assignment pane.
Figure 59
Assignment Pane
In the dropdown menus, select the following:

Table 23: Assignment Information
Item: Description
Remediation Group: Once you select a user group, its members are available in the Assign dropdown menu.
Documents Steps
You can attach documents containing supporting information regarding the resolution of a case in the Documents pane.
To enter Documents information:
Click the Documents tab to display the Upload Document pane.
Figure 60
Case List
The Case List is a list of exception cases stored in the database. This list includes the cases that you have created manually, as well as cases that Process Control generated automatically. You can perform an advanced case search by selecting your specific filters, and view the results of your search in tabular format.
Process Control displays all qualified cases found from your search in a table with their information. You can modify and update the case information as desired, if you belong in the case owner user group or if you are the case assignee. For more information, see section Assignment Steps on page 155.
To filter and view the cases in the case list:
In the navigation menu, select Case Management > Case List. Alternatively, click the Case List link in the Process Manager page (see Figure 55 on page 146).
The Case List page appears showing all of the cases with their case IDs.
Figure 61
If you want to see the list of cases ordered by creation date, in the navigation menu, select Case Management > Case List By Creation Date. Alternatively, click the Case List By Creation Date link in the Process Manager page (see Figure 55 on page 146).
The Case List By Creation Date page appears showing all of the cases ordered by their time and date of creation. The displayed information is similar to Figure 61, except that the Create Time column is the leftmost column.
For the Case List page, if you want to filter your case list, click Show Filter to specify your search filters using the Process, Subprocess, Case Status, Assertion, Deficiency Type, Organization, Owner, Assign To User ID, Case Category, Case Number, Reporting Period, and Range fields and dropdown menus. For details on these items, see section Creating a Case on page 149.
For the Case List By Creation Date page, if you want to filter your case list, click Show Filter to specify your search filters using the From Date and To Date fields.
Click Go to view the results.
Process Control displays all qualified cases from your filter transaction in a table with their Case Number, Case Status, Case Description, Deficiency Type, Priority, Owner, and Create Time information. For details on these items, see section Creating a Case on page 149.
Editing a Case
As a case owner (or assignee if previously assigned, see Assignment Steps on page 155), you would see those cases that you are responsible for remediation, in the My Cases list. For more information, see section My Cases on page 142 in Chapter 12, User Inbox.
From the My Cases list or from the Case List page (see Figure 61 on page 157), you can edit an existing case to document all the necessary remediation information related to the resolution of the control deficiency captured in that case. See the Edit Case page for an example.
Figure 62
159
Select one of the cases from the table in the Case List page (see Figure 61 on page 157) or Case List By Date page, and click Edit.
The Edit Case page appears (see Figure 62 on page 159).
Perform the steps in the following sections:
Case Header Steps on page 160
Case Details Steps on page 161
Assignment Steps on page 161
Documents Steps on page 161
Case Trail Steps on page 161
Time Spent Trail Steps on page 162
Resolution Steps on page 163
Click Save to create the case.
In addition, if the case results from an automated control test, you can click on the Test Results link (upper right corner of the header pane) to jump to the Control Test Results page (see section Automated Control Test Report on page 83 in Chapter 9, Test Results Reports), and the Show Rules link (upper right corner of the header pane) to jump to the Rules Library page (see the Rules Library section in the Process Control Version 2.0 Configuration Guide), and view more detailed information related to this case.
Note The Show Rules link will not be available for cases from manual control tests. Neither the Test Results link nor the Show Rules link will be available for manually created cases or survey cases.
remediation for this case will be completed within.
Service Level You can edit the percentage value that you expect the remediation activity will meet your targeted remediation goal (0% to 100%).
Assignment Steps
For descriptions of the assignment items and steps, see section Assignment Steps on page 155.
Documents Steps
For descriptions of the documents items and steps, see section Documents Steps on page 156.
Figure 63
You can view the following items in the displayed table:
Table 24
Item
Date Change Type Changed By Status Old Status New
Figure 64
You can enter the following items:
Table 25
Item
Work Log/Activity
You can view the following items in the table:
Table 26
Item
Seq #
Date
Resolution Steps
You enter the information related to the resolution of a case in the Resolution pane.
To enter Resolution information:
1. Click the Resolution tab to display the Resolution pane.
Figure 65
Resolution Pane
In the fields and dropdown menus, enter or select the following:
Table 27
Item
Reason Code
Resolution Information
Description
A
SAP FINANCIAL ACCOUNTING DOCUMENTED CONTROLS
TOPICS
FICLPEP_03AC1 (Period Control Company Level Changes)
FICLPEP_03AC2 (Posting Period Variant)
FICLPEP_03AC4 (Logistics Period Cutoff)
FICLPEP_03BC1 (Prior Period Posting Entries)
FIEXCHRT_01AC1 (Monitoring Exchange Rate Changes)
FIINVPOST_01BC1 (Analysis of Vendor Invoices Against Tolerance Limit)
FIMDCOA_02C1 (Chart of Accounts GL Changes)
FIMDCOA_02C2 (Company Code GL Changes)
FIMDDIS_1005C1 (GL Postings at Account Level)
FIMDDIS_1005C2 (GL Postings at Account Item Level)
FIMDDIS_1006C1 (GL Postings at Document Type Level)
FIMDDIS_1006C2 (GL Postings at Line Item Level)
FIMDDIS_1007AC1 (Recurring Entries Schedule Changes)
FIMDDIS_1007BC1 (Analysis of Recurring Entries)
FIMDDOC_05AC1 (Changes to Accounting Document Occurrence)
FIMDDOC_05AC2 (Accounting Posting Changes)
FIMDDOC_05AC3 (Accounting Document Changes)
FIREPDIS_05BC1 (Analysis of Material Price Changes to Financial Accounting)
The following sections describe these controls in more detail.
FICLPEP_03AC1
Control Description
Period Control Company Level Changes
Control Details
Risk Description
Changes in variant assignment for general ledger postings can misstate financial statement reporting.
Financial Accounting Documented Controls Appendix A SAP Financial Accounting Documented Controls
Control Objective
FICLPEP_03AC2
Control Description
Posting Period Variant
Control Details
Risk Description
Changes to the posting period variant, which controls the posting periods open for a company code, can misstate financial statement reporting.
Control Objective
FICLPEP_03AC4
Control Description
Logistics Period Cutoff
Control Details
Risk Description
The company policy of not allowing back posting in the previous period can be violated.
Control Objective
FICLPEP_03BC1
Control Description
Prior Period Posting Entries
Control Details
Risk Description
Prior period postings can manipulate financial statements.
Control Objective
The disclosure and maintenance of the proper books of accounts is a key process for financial reporting. Postings to prior periods have to be analyzed based on the internal control policies of the organization.
This control analyzes the amounts posted to different previous periods, to a maximum of three prior periods from the date of analysis. Rules are defined at each organization entity level and postings to prior periods are analyzed accordingly. For example, postings to the immediate previous period are allowed until the first week of the current period, to close the accounts for the previous period. The analysis is for postings at the debit total and credit total level, for each document type.
This control reports all postings to the General Ledger account, either as a debit or credit total, exceeding amounts allowed at the document level as defined by corporate policy.
FIEXCHRT_01AC1
Control Description
Monitoring Exchange Rate Changes
Control Details
Risk Description
Whoever has access to exchange rate maintenance can manipulate these rates, used for transaction posting. Consequently financial accounting and reporting can be misstated.
Control Objectives
Monitoring exchange rates is critical for financial accounting and reporting. This control reports the following:
FIINVPOST_01BC1
Control Description
Analysis of Vendor Invoices Against Tolerance Limit
Control Details
Risk Description
Posting split invoices and bypassing tolerance limits can jeopardize the internal controls systems within the organization.
Control Objective
FIMDCOA_02C1
Control Description
Chart of Accounts GL Changes
Control Details
Risk Description
A deficiency can arise from changes to specific fields at the Chart of Accounts level in the general ledger (GL) accounts.
Control Objective
FIMDCOA_02C2
Control Description
Company Code GL Changes
Control Details
Risk Description
A deficiency can arise from changes to specific fields at the Company Code level in general ledger accounts.
Control Objective
FIMDDIS_1005C1
Control Description
GL Postings at Account Level
Control Details
Risk Description
The adjustments made to the revenue recognition accounts can exceed the deficiency limits defined in the rules.
Control Objective
Revenue recognition is critical for financial reporting. Postings to the revenue accounts have to be analyzed for each company code to report any deficiencies. Each company or groups of companies has their own internal policies for the analysis of revenue recognition, guided by standard accounting practices.
This control analyzes the revenues posted at the GL account level. You can define rules at each organization entity level to analyze the postings to revenue accounts and determine which postings will be categorized as high, medium, or low. The analysis is not for the account balance, but rather for the debit total and credit total level postings for each revenue account. This control reports the total adjustments made to the revenue recognition accounts exceeding the deficiency limits defined in the rules.
FIMDDIS_1005C2
Control Description
GL Postings at Account Item Level
Control Details
Risk Description
The adjustment line items made to the revenue recognition accounts can exceed the deficiency limits defined in the rules.
Control Objective
FIMDDIS_1006C1
Control Description
GL Postings at Document Type Level
Control Details
Risk Description
Postings to a general ledger account exceeding the amounts allowed at the document level as defined by corporate policy.
Control Objective
An accounting document is a representation within the SAP R/3 system of the document that triggered a financial posting (for example an invoice). A document type is a classification of an accounting document. When you post to an accounting document, the SAP system updates the transaction figures and the document type in the general ledger accounts.
The disclosure and maintenance of the proper accounts information is important for financial reporting. This control analyzes the transactions posted to the different document types. The debit total and credit total level for each document type are analyzed and reported based on the internal control policies of the organization. You can define rules at each organization entity level to analyze the postings to document types, and determine which postings will be categorized as high, medium, or low.
FIMDDIS_1006C2
Control Description
GL Postings at Line Item Level
Control Details
Risk Description
Postings to a general ledger account exceeding the amounts allowed at the line item level as defined by corporate policy.
Control Objective
An accounting document is a representation within the SAP R/3 system of the document that triggered a financial posting (for example an invoice). A document type is a classification of an accounting document. When you post to an accounting document, the SAP system updates the transaction figures and the document type in the general ledger accounts.
The disclosure and maintenance of the proper accounts information is important for financial reporting. This control analyzes the line item transactions posted to the different document types. The debit line item and credit line item level for each document type are analyzed and reported, based on the internal control policies of the organization. You can define rules at each organization entity level to analyze the line item postings to document types, and determine which line item postings will be categorized as high, medium, or low.
FIMDDIS_1007AC1
Control Description
Recurring Entries Schedule Changes
Control Details
Risk Description
Manipulating run schedules to post or skip postings in some periods can misstate financial reporting.
Control Objective
FIMDDIS_1007BC1
Control Description
Analysis of Recurring Entries
Control Details
Risk Description
Manipulative entries posted in the background, or skipped for postings which are supposed to be recorded at every period end, can misstate financial reporting.
Control Objective
FIMDDOC_05AC1
Control Description
Changes to Accounting Document Occurrence
Control Details
Risk Description
Changes to accounting document posting settings can misstate financial statement reporting.
Control Objective
FIMDDOC_05AC2
Control Description
Accounting Posting Changes
Control Details
Risk Description
Specific accounting documents controlled for postings to specific account categories, such as the only asset postings, can be manipulated.
Control Objective
FIMDDOC_05AC3
Control Description
Accounting Document Changes
Control Details
Risk Description
Manipulation of sensitive fields in the document types can lead to financial weakness.
Control Objective
FIREPDIS_05BC1
Control Description
Analysis of Material Price Changes to Financial Accounting
Control Details
Risk Description
Manipulating material price changes to affect inventory valuation can misstate financial reporting.
Control Objective
B
SAP PROCURE TO PAY DOCUMENTED CONTROLS
TOPICS
LOIMMTYP_09BC1 (Inventory Document Posted Other Than System Date)
LOIMMTYP_09BC2 (Company Level Inventory Document Posted Other Than System Date)
LOMMMV_06BC1 (Material Valuation Revisions at Standard Price)
LOMMMV_06BC2 (Material Valuation Revisions at Moving Average Price)
LOPURPIR_02BC1 (GR/IR Posting Accuracies and Validity)
LOPURREL_05AC1 (Approval Process Based on Order Value)
LOPURREL_05AC2 (Approval Process Based on Approvers Count)
LOPURREL_05AC3 (Effectiveness of Purchase Approval Process)
LOPURREL_05BC1 (Unauthorized High Value Purchase Orders)
LOPURREL_05BC2 (Unauthorized Purchases at Company Level)
LOPURSRC_01AC1 (Analysis of Vendor Source Effectiveness)
LOPURSRC_02AC1 (Source List Recording Accuracies)
LOPURTP_06BC1 (Payments Without Goods Receipt)
LOPURTP_06BC2 (Company Level Payments Without Goods Receipt)
LOPURVAP_01AC1 (Accuracy of Invoice Tolerances)
LOPURVAP_07AC1 (Vendor Eligibility for Duplicate Payments)
LOPURVAP_07AC2 (Company Level Duplicate Payment Control)
LOPURVAP_07BC1 (Overpaid Purchase Orders)
LOPURVAP_07BC2 (Company Level Overpayments)
LOPURVAP_08BC1 (Evaluation of Duplicate Vendor Invoice)
MMIMCTR_06AC1 (Automatic Purchase Order Creation at Goods Receipt)
MMIMCTR_07AC1 (Document Level Physical Inventory Tolerance)
MMIMCTR_07AC2 (Item Level Physical Inventory Tolerance)
MMIMCTR_07AC3 (Changes to Physical Inventory Tolerances)
MMIMCTR_07BC1 (Document Level Physical Inventory Differences)
MMIMCTR_07BC2 (Item Level Physical Inventory Differences)
The following sections describe these controls in more detail.
Procure To Pay Documented Controls Appendix B SAP Procure To Pay Documented Controls
LOIMMTYP_09BC1
Control Description
Inventory Document Posted Other Than System Date
Control Details
Risk Description
Misrepresentation of inventory statement.
Control Objective
LOIMMTYP_09BC2
Control Description
Company Level Inventory Document Posted Other Than System Date
Control Details
Risk Description
Misrepresentation of inventory statement.
Control Objective
LOMMMV_06BC1
Control Description
Material Valuation Revisions at Standard Price
Control Details
Risk Description
Misrepresentation of stock valuation.
Control Objective
LOMMMV_06BC2
Control Description
Material Valuation Revisions at Moving Average Price
Control Details
Risk Description
Misrepresentation of stock valuation.
Control Objective
LOPURPIR_02BC1
Control Description
GR/IR Posting Accuracies and Validity
Control Details
Risk Description
Significant and continued differences between an invoice and related goods receipt for a purchase order indicate a weakness in the procurement process.
Control Objective
Differences between goods receipts and invoice postings show discrepancies in the procurement process in terms of mismatch. A periodic review of these discrepancies is critical to keep the procurement process under control. Overinvoicing, underreceiving, and fictitious receipts need to be reviewed to determine the validity of receipt and invoice matching.
Goods receipt quantities and values relating to a purchase order should match with the invoice quantities and values for the same PO. This control checks the goods and invoice receipts when the purchasing documents show some discrepancy.
This control monitors the accuracy of goods receipts and invoice receipts to ensure that the procurement process is in order. This control reports the following:
Any goods and invoice receipts discrepancy.
The users who made such postings.
LOPURREL_05AC1
Control Description
Approval Process Based on Order Value
Control Details
Risk Description
Bypassing the order value limit can result in weakness in the purchase approval process.
Control Objective
LOPURREL_05AC2
Control Description
Approval Process Based on Approvers Count
Control Details
Risk Description
Bypassing the number of approvers can result in weakness in the purchase approval process.
Control Objective
LOPURREL_05AC3
Control Description
Effectiveness of Purchase Approval Process
Control Details
Risk Description
Uncontrolled procurement of goods and services can result in weakness in the purchase approval process.
Control Objective
In the SAP R/3 system, the release procedure refers to the approval process for purchasing documents. It involves checking the correctness of the purchasing data and giving the authorization to procure goods and services. The objective of the release procedure is to use an online approval system, rather than to rely on manual signatures.
If a Purchase Order document type is not restricted with a valid release procedure then the Purchase Orders can be created and changed maliciously. This would result in weakness in the purchasing process.
This control provides the document types that are assigned to incorrect purchase release procedures. The control output lists the document types that are deficient, and the factors causing the deficiency. These factors can include the following:
LOPURREL_05BC1
Control Description
Unauthorized High Value Purchase Orders
Control Details
Risk Description
Unauthorized procurement of goods and services can result in weakness of the procurement process.
Control Objective
for the number of approvers, and so on, resulting in intentional unauthorized procurement of goods and services.
Purchase orders with amounts above a certain maximum value should be approved before they are issued to vendors. The release procedure enables a business to achieve this goal. The approval of Purchase Orders can be further restricted based on the purchasing organization, purchasing document types, purchasing group, material group, vendor, and so on.
This control reports the unauthorized Purchase Orders created using release procedures that were set incorrectly or not as defined by the purchase approval process guidelines. The output also lists the deficiency in terms of the dollar amounts of the created Purchase Orders.
LOPURREL_05BC2
Control Description
Unauthorized Purchases at Company Level
Control Details
Risk Description
Unauthorized procurement of goods and services can result in weakness of the procurement process.
Control Objective
In the SAP R/3 system, the release procedure refers to the approval process for purchasing documents. It involves checking the correctness of the purchasing data and giving the authorization to procure goods and services. The objective of the release procedure is to use an online approval system, rather than to rely on manual signatures.
If a Purchase Order document type is not restricted with a valid release procedure then the Purchase Orders can be created and changed maliciously. This would result in weakness in the purchasing process. Even if the approval process is set up, it is possible to bypass the approval process by manipulating the release procedures for the order value, for the number of approvers, and so on, resulting in intentional unauthorized procurement of goods and services.
Purchase orders with amounts above a certain maximum value should be approved before they are issued to vendors. The release procedure enables a business to achieve this goal. The approval of Purchase Orders can be further restricted based on the purchasing organization, purchasing document types, purchasing group, material group, vendor, and so on.
This control reports the total dollar amount from unauthorized Purchase Orders created using release procedures that were set incorrectly or not as defined by the purchase approval process guidelines. The output lists the deficiency in terms of the dollar amount at the company level.
LOPURSRC_01AC1
Control Description
Analysis of Vendor Source Effectiveness
Control Details
Risk Description
The source list is a list of available sources of supply for a material, indicating the periods during which procurement from such sources is possible. The source list facilitates the determination of the source that is applicable (effective) at a certain point in time. Every possible source of supply is stored in a source list record, together with its validity period.
To determine the applicable source, the source list requirements are defined at the plant level. Thus, if a source list requirement exists, the source list for each material must be maintained for that plant, before you can order the material.
Only qualified suppliers can be selected for ordering a raw material (compounds, labels, and packaging materials). The system should control supplier selection based on qualification status. This control reports the following:
Changes made to plant level source determination.
The users who made such control changes.
LOPURSRC_02AC1
Control Description
Source List Recording Accuracies
Control Details
Risk Description
Control Objective
The source list is a list of available sources of supply for a material, indicating the periods during which procurement from such sources is possible. The source list facilitates the determination of the source that is applicable (effective) at a certain point in time. Every possible source of supply is stored in a source list record, together with its validity period.
A fixed source specifies that the source of supply is the preferred procurement option within the specified period. A blocked source specifies that the source is blocked for ordering purposes.
Changes to the source list need to be reviewed periodically to identify that only authorized changes are recorded. Any unauthorized changes may have a negative influence on the procurement policies. This control reports the following:
Changes made to the source list records.
The users who made such control changes.
LOPURTP_06BC1
Control Description
Payments Without Goods Receipt
Control Details
Risk Description
Vendor payment without receiving the purchased goods.
Control Objective
In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.
A business needs to control the invoices that are verified without a Goods Receipt reference. This method allows these invoices to be verified and posted by bypassing the Goods Receipt checks. These invoices can be verified maliciously resulting in weakness in the invoice verification process.
This control reports individual invoices being posted for payment without a Goods Receipt reference.
LOPURTP_06BC2
Control Description
Company Level Payments Without Goods Receipt
Control Details
Risk Description
Vendor payment without receiving the purchased goods.
Control Objective
In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.
A business needs to control the invoices that are verified without a Goods Receipt reference. This method allows these invoices to be verified and posted by bypassing the Goods Receipt checks. These invoices can be verified maliciously resulting in weakness in the invoice verification process.
This control reports the total invoice amount for a company code resulting from invoices posted for payment without a Goods Receipt reference.
LOPURVAP_01AC1
Control Description
Accuracy of Invoice Tolerances
Control Details
Risk Description
Control Objective
An invoice tolerance setting determines the ability to post the invoices for payment, when the invoice contains different amount and time values than those recorded in the Goods Receipt or the Purchase Order (PO). This invoice tolerance setting is a critical business policy for the procure to pay process and the accounts payables.
When processing an invoice, the SAP system checks for variances between the invoice and the Purchase Order or Goods Receipt. The different types of variances are defined in the tolerance keys. A high tolerance may lead to higher payments being allowed, affecting the cash flow, and conversely, stringent settings may invoke more manual intervention thus wasting precious resource time.
This control monitors the accuracy of invoice tolerance settings for quantity variations. This control reports the following:
LOPURVAP_07AC1
Control Description
Vendor Eligibility for Duplicate Payments
Control Details
Risk Description
Uncontrolled changes to the vendor master may result in duplicate payment to vendors.
Control Objective
In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.
A business needs to prevent the same invoice from being posted in the system more than once. If controls are not in place then duplicate invoices can be posted by mistake or deliberately. This would result in weakness in the invoice verification process.
This control reports the changes to the vendor master, such as the double invoice check settings, which can result in duplicate payments to the vendors. This would also include changes to the master data to bypass the duplicate payment.
LOPURVAP_07AC2
Control Description
Company Level Duplicate Payment Control
Control Details
Risk Description
Uncontrolled changes to the company level parameters may result in duplicate payment to vendors.
Control Objective
In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.
A business needs to prevent the same invoice from being posted in the system more than once. If controls are not in place then duplicate invoices can be posted by mistake or deliberately. This would result in weakness in the invoice verification process.
This control reports the deficiencies resulting from changes to the company level parameters for duplicate invoice check. This control also enables you to track the changes to the accounting document type for vendor invoice.
LOPURVAP_07BC1
Control Description
Overpaid Purchase Orders
Control Details
Risk Description
Posted invoices resulting in overpayment for a purchase order.
Control Objective
LOPURVAP_07BC2
Control Description
Company Level Overpayments
Control Details
Risk Description
The company level duplicate amount within a given period resulting in overpayment.
Control Objective
In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.
Uncontrolled changes to the company level parameters for vendor duplicate invoice may lead to uncontrolled system entries and invoice postings, resulting in overpayment. The unchecking of invoice postings related accounting document types can also lead to invoices being posted without a vendor invoice reference, resulting in overpayment.
This control identifies the total overpaid amount for the purchase orders at the company level within a given period.
LOPURVAP_08BC1
Control Description
Evaluation of Duplicate Vendor Invoice
Control Details
Risk Description
Duplicate payment to the vendors either by mistake or deliberately.
Control Objective
In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.
A business needs to prevent the same invoice from being posted in the system more than once. If controls are not in place then duplicate invoices can be posted by mistake or deliberately. This would result in weakness in the invoice verification process.
This control checks all system records and identifies the vendor invoices that have been allocated more than once within a given period. The control output contains all the purchase orders/invoices/amount/user information.
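The duplicate-invoice check described for LOPURVAP_08BC1 can be sketched as follows. This is an added example, not SAP's implementation: the record fields, the reference normalization rule, and the sample postings are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
import re


@dataclass(frozen=True)
class InvoicePosting:
    """One posted vendor invoice (hypothetical field names)."""
    doc_no: str        # accounting document number
    vendor: str
    vendor_ref: str    # vendor's invoice reference as keyed by the user
    amount: Decimal
    po_number: str
    posted_on: date
    user: str


def normalize_ref(ref: str) -> str:
    """Fold case, drop separators and leading zeros: 'INV-0042' == 'inv 42'.

    Assumption: re-keyed duplicates usually differ only in these details.
    """
    compact = re.sub(r"[^0-9A-Za-z]", "", ref).upper()
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", compact)


def find_duplicates(postings, period_start, period_end):
    """Report vendor invoices posted more than once within the period."""
    groups = defaultdict(list)
    for p in postings:
        if period_start <= p.posted_on <= period_end:
            key = (p.vendor, normalize_ref(p.vendor_ref), p.amount)
            groups[key].append(p)

    findings = []
    for (vendor, ref, amount), items in groups.items():
        if len(items) < 2:
            continue
        items.sort(key=lambda p: (p.posted_on, p.doc_no))
        findings.append({
            "vendor": vendor,
            "reference": ref,
            "amount": amount,
            "times_posted": len(items),
            # Every posting after the first is potential overpayment.
            "excess_amount": amount * (len(items) - 1),
            "documents": [p.doc_no for p in items],
            "purchase_orders": sorted({p.po_number for p in items}),
            "users": sorted({p.user for p in items}),
        })
    # Largest exposure first, so reviewers see it at the top.
    return sorted(findings, key=lambda f: f["excess_amount"], reverse=True)


# Constructed sample data, not taken from any real system.
SAMPLE_POSTINGS = [
    InvoicePosting("5100000001", "V1000", "INV-0042", Decimal("1250.00"),
                   "4500000011", date(2006, 3, 2), "ALICE"),
    InvoicePosting("5100000002", "V1000", "inv 42", Decimal("1250.00"),
                   "4500000011", date(2006, 3, 20), "BOB"),
    InvoicePosting("5100000003", "V1000", "INV-0043", Decimal("1250.00"),
                   "4500000012", date(2006, 3, 21), "ALICE"),
    InvoicePosting("5100000004", "V2000", "7781", Decimal("300.00"),
                   "4500000020", date(2006, 3, 5), "CAROL"),
    InvoicePosting("5100000005", "V2000", "7781", Decimal("300.00"),
                   "4500000020", date(2006, 4, 2), "CAROL"),
    InvoicePosting("5100000006", "V3000", "A/17", Decimal("80.00"),
                   "4500000030", date(2006, 3, 10), "DAVE"),
    InvoicePosting("5100000007", "V3000", "A17", Decimal("80.00"),
                   "4500000030", date(2006, 3, 11), "DAVE"),
    InvoicePosting("5100000008", "V3000", "A-17", Decimal("80.00"),
                   "4500000031", date(2006, 3, 12), "ERIN"),
]

if __name__ == "__main__":
    for f in find_duplicates(SAMPLE_POSTINGS, date(2006, 3, 1), date(2006, 3, 31)):
        print(f["vendor"], f["reference"], f["times_posted"], f["excess_amount"],
              f["documents"], f["users"])
```

The V2000 pair falls outside a single-month window, which is why the analysis period matters: a window that is too short misses duplicates re-posted in the next period.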
MMIMCTR_06AC1
Control Description
Automatic Purchase Order Creation at Goods Receipt
Control Details
Risk Description
Automatic Purchase Order creation at the time of receipt may lead to unauthorized procurement of material.
Control Objective
Material movement is one of the core components of any business dealing with materials and inventories. A material movement may be a receipt, an issue, a transfer, or a change to the goods, and so on. Information capture, analysis, and control of the material movements are core requirements for company information systems.
The SAP R/3 system provides parameter settings that help companies efficiently organize their business processes involving material movement. One of the control settings called Create Purchase Order Automatically allows the users to automatically generate a Purchase Order at the time of goods receipt, thus eliminating the need to create the Purchase Order manually.
This control reports deficiencies as a result of suspicious changes to the Create Purchase Order Automatically control setting. This control tracks these changes to prevent the misuse of this powerful system control feature.
MMIMCTR_07AC1
Control Description
Document Level Physical Inventory Tolerance
Control Details
Risk Description
Uncontrolled changes to the tolerance limits for a document level can lead to unauthorized adjustment of high value inventory items.
Control Objective
During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted. However, whether this difference value can be posted or not is determined by the tolerance limits. If the tolerance limits are set too high or do not exist, this would allow the posting of an excessive difference value, and result in weakness of the physical inventory process.
This control tracks the deficiencies arising from changes made to the tolerance limits for a document level associated with the physical inventory tolerance groups. If the change amount exceeds the deficiency limits set within the control rule, this control reports the tolerance group, the user, and the change details.
MMIMCTR_07AC2
Control Description
Item Level Physical Inventory Tolerance
Control Details
Risk Description
Uncontrolled changes to the tolerance limits for a line level can lead to unauthorized adjustments of high value inventory items.
Control Objective
MMIMCTR_07AC3
Control Description
Changes to Physical Inventory Tolerances
Control Details
Risk Description
Uncontrolled changes to the tolerance limits can lead to unauthorized adjustment of high value inventory items.
Control Objective
During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted. However, whether this difference value can be posted or not is determined by the tolerance limits. If the tolerance limits are set too high or do not exist, this would allow the posting of an excessive difference value, and result in weakness of the physical inventory process.
This control tracks the deficiencies arising from changes made to the tolerance limits associated with the physical inventory tolerance groups. The change may occur at either the document level or line level, or both. If the number of changes exceeds the deficiency limits set within the rule, this control reports the change details.
MMIMCTR_07BC1
Control Description
Document Level Physical Inventory Differences
Control Details
Risk Description
Misrepresentation of inventory statements and misappropriation of stocks.
Control Objective
During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted.
The SAP system allows you to post physical inventory differences based on user tolerance limits. This control ensures the differences posted on the physical inventory documents are accurate and within limit.
This control reports any deficiency resulting from the difference value posted for the physical inventory document. The physical inventory document processed is checked for the difference value posted (absolute value) and the ratio of the difference value compared to the total inventory value (% value). If any value exceeds the deficiency limits as defined by the control rule then it will be reported in the control output.
MMIMCTR_07BC2
Control Description
Item Level Physical Inventory Differences
Control Details
Risk Description
Misrepresentation of inventory statements and misappropriation of stocks.
Control Objective
During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted.
The SAP system allows you to post physical inventory line item differences based on user tolerance limits. This control ensures the differences posted on the physical inventory line items are accurate and within limit.
This control reports any deficiency resulting from the difference value posted for the physical inventory line item. The physical inventory line item processed is checked for the difference value posted (absolute value) and the ratio of the line item difference value compared to the line item inventory value (% value). If any value exceeds the deficiency limits as defined by the control rule then it will be reported in the control output.
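The absolute-value and percentage checks described for MMIMCTR_07BC1 (document level) and MMIMCTR_07BC2 (item level) can be sketched together, which also shows why both levels are needed. This is an added example, not SAP's implementation: the field names, the limits, the netting of signed item differences at document level, and the sample count data are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Limits:
    """Deficiency limits from a control rule (hypothetical values below)."""
    max_abs_value: Decimal   # largest acceptable difference value
    max_pct: Decimal         # largest acceptable difference as % of inventory value


@dataclass(frozen=True)
class CountItem:
    """One line of a physical inventory document (hypothetical field names)."""
    doc_no: str
    item_no: int
    book_value: Decimal      # system stock value before the count
    counted_value: Decimal   # value of the stock actually counted


def breaches(diff, base, limits):
    """Return which limits a posted difference exceeds."""
    reasons = []
    abs_diff = abs(diff)
    if abs_diff > limits.max_abs_value:
        reasons.append("absolute")
    if base == 0:
        # Ratio is undefined when nothing was on the books: any posted
        # difference is treated as exceeding the percentage limit.
        if abs_diff > 0:
            reasons.append("percent")
    elif abs_diff / base * 100 > limits.max_pct:
        reasons.append("percent")
    return tuple(reasons)


def check_documents(items, doc_limits, item_limits):
    """Evaluate every document and every line item against its limits."""
    by_doc = {}
    for it in items:
        by_doc.setdefault(it.doc_no, []).append(it)

    findings = []
    for doc_no, doc_items in by_doc.items():
        # Assumption: the document-level difference is the net of signed
        # item differences, so gains and losses on one document can cancel.
        net = sum((i.counted_value - i.book_value for i in doc_items), Decimal(0))
        total = sum((i.book_value for i in doc_items), Decimal(0))
        reasons = breaches(net, total, doc_limits)
        if reasons:
            findings.append(("document", doc_no, None, net, reasons))
        for i in doc_items:
            diff = i.counted_value - i.book_value
            reasons = breaches(diff, i.book_value, item_limits)
            if reasons:
                findings.append(("item", doc_no, i.item_no, diff, reasons))
    return findings


# Constructed limits and count results, not taken from any real system.
DOC_LIMITS = Limits(Decimal("1000"), Decimal("2"))
ITEM_LIMITS = Limits(Decimal("500"), Decimal("5"))
SAMPLE_ITEMS = [
    # Offsetting differences: the document nets to zero, the items do not.
    CountItem("100000001", 1, Decimal("10000"), Decimal("9400")),
    CountItem("100000001", 2, Decimal("10000"), Decimal("10600")),
    # Small value, large ratio on item 1; large value, tiny ratio on item 2.
    CountItem("100000002", 1, Decimal("200"), Decimal("150")),
    CountItem("100000002", 2, Decimal("50000"), Decimal("49900")),
    # Stock found that was not on the books at all.
    CountItem("100000003", 1, Decimal("0"), Decimal("300")),
]

if __name__ == "__main__":
    for finding in check_documents(SAMPLE_ITEMS, DOC_LIMITS, ITEM_LIMITS):
        print(finding)
```

Document 100000001 passes the document-level check while both of its items fail the item-level check, which is the case a document-only rule would miss.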
C
SAP ORDER TO CASH DOCUMENTED CONTROLS
TOPICS
SDBILL_04AC3 (Changes to Billing Documents)
SDBILL_04AC4 (Billing Types Relevant to Rebates)
SDCMM_01C1 (Credit Check Sales Order Entry)
SDCMM_01C2 (Credit Check Shipping)
SDCMM_01C3 (Credit Check Item Categories)
SDCMM_05C1 (Automatic Credit Control Seasonal Factor)
SDCMM_05C2 (Automatic Credit Control Deviation Factor)
SDCMM_05C3 (Effectiveness of Automatic Credit Check)
SDCMM_05C4 (Changes to Automatic Credit Check)
SDCMM_10C1 (Credit Exposure for Customer Risk Category)
SDCMM_11BC1 (Companywise Credit Exposure)
SDCMMD_11BC1 (Onetime Customer Account for High Value Sales)
SDCMMD_12BC1 (Sales Through Onetime Customers)
SDMDCTR_01C1 (Changes to Payment Terms)
SDMDCTR_01C2 (Payment Terms with Longer Credit Period)
SDMDCTR_01C3 (Payment Terms with Higher Cash Discount)
SDPRICTR_01AC1 (Changes to Customer Pricing Procedure)
SDPRICTR_01AC2 (Changes to Condition Types in Customer Pricing)
SDSOP_08BC1 (Percentage of Open Sales Orders vs. Total Orders)
SDSOP_08BC2 (Sales Order Ageing Analysis)
SDSRP_07BC1 (Analysis of Sales Returns)
SDSRP_08BC1 (Sales Returns by Customer)
The following sections describe these controls in more detail.
SDBILL_04AC3
Control Description
Changes to Billing Documents
Control Details
Order To Cash Documented Controls Appendix C SAP Order To Cash Documented Controls
Risk Description
Exposing the organization to an erroneous or ineffective billing process.
Control Objective
As part of the transaction cycle for a business, several types of billing documents have to be configured to take care of the invoice/billing process. Billing document configuration is very critical and any change in this configuration can be a cause of inconsistency in the billing process and concern for the company.
Changes to the configuration of a billing document should be avoided as much as possible, or else strictly monitored and approved, to prevent an erroneous or ineffective billing process in the organization. It is imperative that management continuously tracks any changes to the billing document configuration.
This control reports detailed information about the changes to the critical fields or the configuration of the billing document types for the SAP client.
SDBILL_04AC4
Control Description
Billing Types Relevant to Rebates
Control Details
Risk Description
Exposing the organization to an erroneous or ineffective billing process regarding rebate-related transactions.
Control Objective
As part of the transaction cycle for a business, several types of billing documents have to be configured to take care of the invoice/billing process. Billing document configuration is very critical and any change in this configuration can be a cause of inconsistency in the billing process and concern for the company.
Billing configuration should be specific for particular billing types. Specific configuration setup is essential for billing types relevant to rebates. The key configuration for this control is the rebate relevancy field, and determining the checked or blank value of the rebate relevancy field is crucial.
The objective of this control is to ensure a consistent and appropriate billing process for all rebate-related transactions. This control reports the following:
Changes made to the rebate relevancy field in the Billing Document.
The users who made such changes, and the change time and date details.
SDCMM_01C1
Control Description
Credit Check Sales Order Entry
Control Details
Risk Description
Lack of visibility to the critical changes in the credit management area during the sales order entry process.
Control Objective
SDCMM_01C2
Control Description
Credit Check Shipping
Control Details
Risk Description
Lack of visibility to the critical changes in the credit management area during the shipping process.
Control Objective
SDCMM_01C3
Control Description
Credit Check Item Categories
Control Details
Risk Description
Lack of visibility to the critical changes in the credit management area during the sales order entry and shipping processes.
Control Objective
SDCMM_05C1
Control Description
Automatic Credit Control Seasonal Factor
Control Details
Risk Description
Exposing an organization to extended customer credits and losing control of customer credit allocations.
Control Objective
For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit situations and other credit-related allocations.
Standard SAP provides a process called Automatic credit control, which is determined by the customer risk categories, the credit control area, and the document credit group. This process monitors all sales document types for which a document credit group is defined and an automatic credit check is assigned. The system performs a credit check for any sales document with an automatic credit check assignment.
Any change in the document credit groups, customer risk categories, credit control area, or any other change to the configuration of the automatic credit control process, can cause excessive customer credits and credit-related problems in the system. Therefore, it is imperative that management tracks the effectiveness of the automatic credit control setup for the different credit control areas. Management needs to also track the credit limit seasonal factor that has been assigned to the different credit control areas.
This control reports the details of the changes to the configuration of the customer credit limit seasonal factors, and the users who initiated these changes.
SDCMM_05C2
Control Description
Automatic Credit Control Deviation Factor
Control Details
Risk Description
Exposing an organization to ineffective credit control.
Control Objective
For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit situations and other credit-related allocations.
Any change in the document credit groups, customer risk categories, credit control areas, or any other change to the configuration of the automatic credit control process, can cause excessive customer credits and credit-related problems in the system. Therefore, it is imperative that management tracks the effectiveness of the automatic credit control setup for the different credit control areas. Management needs to also track the deviation factor related to the document values, and the number of days that a particular sales document is allowed to bypass the checking of its credit history.
This control reports the details of the changes to the system configuration that allow the possibility of certain sales documents to bypass their credit check, and the users who initiated these changes.
SDCMM_05C3
Control Description
Effectiveness of Automatic Credit Check
Control Details
Risk Description
Exposing an organization to ineffective credit control and lack of visibility of the critical checks in the automatic credit control scenarios.
Control Objective
For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit situations and other credit-related allocations.
Any change in the document credit groups, customer risk categories, credit control areas, or any other change to the configuration of the automatic credit control process, can cause excessive customer credits and credit-related problems in the system. Therefore, it is imperative that management tracks the effectiveness of the automatic credit control setup for the different credit control areas.
This control reports the details of changes to the system configuration that can affect the credit checking process for transactions related to particular document credit groups, customer risk categories, and credit control areas. This control determines whether the dynamic check is effective, and reports the system's status when this check is ineffective.
SDCMM_05C4
Control Description
Changes to Automatic Credit Check
Control Details
Risk Description
Exposing an organization to ineffective credit control.
Control Objective
SDCMM_10C1
Control Description
Credit Exposure for Customer Risk Category
Control Details
Risk Description
Exposing an organization to large amounts of credit for customers of different risk categories.
Control Objective
SDCMM_11BC1
Control Description
Company-wise Credit Exposure
Control Details
Risk Description
Lack of visibility to the risk of huge credit exposure.
Control Objective
SDCMMD_11BC1
Control Description
One-time Customer Account for High Value Sales
Control Details
Risk Description
Using an inappropriate account group for high value sales orders bypasses many critical checks.
Control Objective
A business should be aware of the transactions involving the One-time customer account group. During the order execution process, this account group bypasses many critical checks such as the credit limit check, the over/under delivery tolerance check, and so on.
The One-time Customer account group can be misused by the business when this account group processes high value sales, because this kind of transaction bypasses many critical checks in the sales cycle. This action can happen by mistake or deliberately, violating organization norms.
Ignoring the purpose of the One-time customer account group and performing high value business transactions through this account group can lead to weakness in the financial system. To prevent this problem, this control reports high value sales transactions performed in the organization using the One-time customer account group, for the selected period of analysis.
Additional Functionality
The same control report can be used for the following:
SDCMMD_12BC1
Control Description
Sales Through One-time Customers
Control Details
Risk Description
Inappropriate usage of the one-time customer account group and lack of visibility to the proper sales scenarios in the organization.
Control Objective
All businesses have one-time customers who conduct one-time transactions with the business. In SAP, there is a facility to create or maintain a common master record for all one-time customer business transactions, since the organization does not expect long-term business relationships with such customers.
Management should be aware of the volume of business under this one-time customer account. Frequent usage of this account group for general business transactions is not advisable.
This control provides the details of the total sales under the one-time customer account as compared to the total sales of the organization. This control reports a deficiency when sales from one-time customers exceed a specific percentage of regular sales over a period of time.
SDMDCTR_01C1
Control Description
Changes to Payment Terms
Control Details
Risk Description
Lack of visibility in the organization to the critical changes to payment terms.
Control Objective
SDMDCTR_01C2
Control Description
Payment Terms with Longer Credit Period
Control Details
Risk Description
Organizational exposure to an excessive credit period for customers, and lack of visibility to existing payment terms with excessive credit period allocations.
Control Objective
SDMDCTR_01C3
Control Description
Payment Terms with Higher Cash Discount
Control Details
Risk Description
Control Objective
SDPRICTR_01AC1
Control Description
Changes to Customer Pricing Procedure
Control Details
Risk Description
Inconsistent customer pricing procedures and frequent changes to the pricing key components can lead to unstable business processes in the organization.
Control Objective
SDPRICTR_01AC2
Control Description
Changes to Condition Types in Customer Pricing
Control Details
Risk Description
Inconsistent customer pricing procedures and frequent changes to the pricing condition types can lead to unstable business processes in the organization.
Control Objective
SDSOP_08BC1
Control Description
Percentage of Open Sales Orders vs. Total Orders
Control Details
Risk Description
A high volume of open and unprocessed sales orders can cause unnecessary constraints on the inventory by blocking the confirmation of materials quantities.
Control Objective
period of time. You can obtain details to specific sales area and customer account groups from the control report.
SDSOP_08BC2
Control Description
Sales Order Ageing Analysis
Control Details
Risk Description
A high volume of open and unprocessed sales orders can cause unnecessary constraints on the inventory by blocking the confirmation of materials quantities.
Control Objective
For any business to be a success, management has to effectively monitor and evaluate the organization's sales scenarios. Lack of monitoring of open or unprocessed cases of high volume sales orders can cause unnecessary constraints on the inventory, by blocking the confirmation of materials quantities, thus making these materials unavailable for other orders.
To avoid such situations, management needs to track all orders that have been open or unprocessed for an unduly long time, and try to ascertain the reasons behind these delays.
This control analyzes the ageing of the open sales orders by order type and order number. You can obtain details to specific sales area, sales order type, and customer account groups from the control report.
SDSRP_07BC1
Control Description
Analysis of Sales Returns
Control Details
Risks Descriptions
Control Objective
Whenever customers send their purchased goods back, your business accounts for these returns by entering them in the Sales & Distribution system. You need to be aware of the volume of returns compared to total sales, so that you can take corrective action if these returns are excessively high.
In SAP there is a process to keep track of the returns and analyze the quantity of returns per customer, per Sales Organization, per Sales office, per Sales employee, per Company, and so on. The Returns Processing process can be misused by the business to ship a huge volume of goods by the end of each quarter or year, because these excess shipments can be taken back in the future as returns. This misuse can happen by mistake or can be done deliberately to boost sales figures, leading to weakness in the Sales & Distribution system.
This control reports detailed information about the percentage of returns as compared to total sales, and also the return deliveries without reference. This information helps in safeguarding an organization against misuse of the returns processing activity.
SDSRP_08BC1
Control Description
Sales Returns by Customer
Control Details
Risks Descriptions
Inappropriate use of the returns process
Lack of visibility of the volume of customer sales returns in the organization
Control Objective
Whenever customers send their purchased goods back, your business accounts for these returns by entering them in the Sales & Distribution system. You need to be aware of the volume of returns per customer, so that you can take corrective action if these returns are excessively high.
In SAP there is a process to keep track of the returns and analyze the quantity of returns per customer, per Sales Organization, per Sales office, per Sales employee, per Company, and so on. The Returns Processing process can be misused by the business to ship a huge volume of goods by the end of each quarter or year, because these excess shipments can be taken back in the future as returns. This misuse can happen by mistake or can be done deliberately to boost sales figures, leading to weakness in the Sales & Distribution system.
This control reports detailed information about the volume of returns per customer. This information helps in safeguarding an organization against misuse of the returns processing activity.
D
SAP IT DOCUMENTED CONTROLS
TOPICS
IT Documented Controls
SAP GRC currently delivers a set of four IT documented automated controls. These controls are:
The following sections describe these controls in more detail.
BCSCFPAR_100AC1
Control Description
Monitoring System Profile Parameters
Control Details
Business Requirement
The parameter settings in the SAP startup profiles affect the SAP R/3 system in situations relevant to security, protection, and compliance.
Risk Description
Monitoring the system manifold controlling parameters is necessary to prevent a security breach.
Control Objective
BCSCFPAR_100AC2
Control Description
Monitoring Database Profile Parameters
Control Details
Control Type: Configuration
Process: System Configuration
Subprocess: Parameters
Business Requirement
The database-dependent parameter settings in the SAP startup profiles affect the SAP R/3 database performance and activities.
Risk Description
Monitoring the database manifold controlling parameters is important to prevent a security breach.
Control Objective
BCSCFSYS_100AC1
Control Description
Monitoring Developer Keys
Control Details
Business Requirement
BCTRNCFS_100AC1
Control Description
Monitoring System Settings
Control Details
Business Requirement
Monitoring the system settings in your SAP production environment is important to prevent a security breach.
Control Objective
The objective of this control is to list the modifiable system settings with their deficiencies. This control reports the following:
Any modifiable system setting in the production environment.
The users who have the ability to modify such system settings.