
User Guide

SAP GRC Process Control Version 2.0

COPYRIGHT

Copyright 2006 SAP AG. All rights reserved.
SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

Virsa, Virsa Systems, Access Enforcer, ComplianceOne, Compliance Calibrator, Confident Compliance, Continuous Compliance, Firefighter, Risk Terminator, Role Expert, the respective taglines, logos and service marks are trademarks of SAP Governance, Risk and Compliance, Inc., which may be registered in certain jurisdictions.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP Important Disclaimers

SAP Library document classification: PUBLIC

This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

Coding Samples

Any software coding and/or code lines/strings (Code) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or were grossly negligent.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint where to find supplementary documentation. SAP does not warrant the availability and correctness of such supplementary documentation or the ability to serve for a particular purpose. SAP shall not be liable for any damages caused by the use of such documentation unless such damages have been caused by SAP's gross negligence or willful misconduct.

Accessibility

The information contained in the SAP Library documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. This document is for internal use only and may not be circulated or distributed outside your organization without SAP's prior written authorization.

CONTENTS

Preface
  About this Guide
    Conventions
    Alert Statements
  Product Documentation
    Documentation Formats
    Installation Guides, Configuration Guide, User Guide, and Release Notes
  Contacting SAP GRC

1 Overview
  Introduction
    What is Process Control?
    Process Control Benefits
    Process Control Details

2 Key Concepts
  Introduction
  Controls
  Risks
  Rules
  Rule Criteria
  Assessment
  Sign-off
  Deficiency
  Deficiency Type
  Exception Case
  Control Category
  Control Type
  SAP Organization Unit
  Organizations and Organization Hierarchy
  Significant Accounts
  Assertions
  Processes and Subprocesses
  User Groups

3 Key User Processes
  Key User Processes
    Analysis Reporting
    Assessments and Sign-Off
    User Inbox Management
    Case Management and Remediation

4 User Interface
  Logging Into Process Control
  User Interface Elements
  Common Icons
  Filtering an Item
  Modifying an Item
  Deleting an Item
  Uploading and Revising a Document

5 Main Modules
  Main Tabs and Modules
    Home Page
      Control Execution Monitor (CEM)
      Inbox
      Control Status Reports
    Reports Module
    Process Manager Module

6 Management Reports
  Introduction
  Management Reports
    Management Report by Process
    Management Report by Assertion

7 Compliance Reports
  Introduction
  Compliance Reports
    Compliance Report Risk Control Matrix
    Compliance Report Account Assertion Matrix

8 Remediation Reports
  Introduction
  Remediation Reports
    Remediation Status by Process
    Remediation Status by Location
    Remediation Status by Groups

9 Test Results Reports
  Introduction
  Test Results Report
    Automated Control Test Report
      PDF File Attachment
    Manual Control Test Report

10 Assessments Through Surveys
  Introduction
  Assessments Through Surveys
    Types of Assessments
    Survey Categories
    Survey Master Data
      Survey-related User Roles
      General Survey Data Configuration
      Survey IDs
      Survey Parameters and Defaults
      Survey Statuses
  Overview Of Functional Flow For Surveys
    Creating a Question Library
    Creating or Copying a Survey
      Creating a Survey
      Copying a Survey
    Scheduling a Survey
    Sending Survey Tasks and Instances
    Recalling a Survey Instance
    Responding to and Returning a Survey Instance
      Responding to a Survey Instance
      Returning a Survey Instance
    Resending a Survey Instance
    Reviewing and Disapproving a Survey Instance
      Reviewing a Survey Instance
      Disapproving a Survey Instance
    Maintaining the Survey Flow
    Survey Cases
    Deactivating a Survey

11 Sign-Off Assessment
  Introduction
  Sign-off Requirements
    Sign-off Assessment
    Survey Master Data
      Survey-related User Roles
      Sign-off Survey Data Configuration
      Survey IDs
      Survey Parameters and Defaults
      Survey Statuses
  Overview Of Functional Flow For Sign-off
    Creating a Question Library
    Creating or Copying a Survey
    Scheduling a Survey
    Sending Survey Tasks and Instances
    Recalling a Survey Instance
    Responding to and Returning a Survey Instance
      Responding to a Survey Instance
      Returning a Survey Instance

12 User Inbox
  Introduction
  User Inbox
    My Tasks
      Accessing a Task
      Responding To a Workflow Task
      Responding To a Test Plan or Test Step Task
      Responding To an Assessment Survey Task
    My Documents
      Accessing a Document
    My Cases
      Accessing A Case

13 Case Management and Remediation
  Introduction
  Case Categories and IDs
  Creating a Case
    Create Case Steps
    Case Header Steps
    Case Details Steps
    Assignment Steps
    Documents Steps
  Case List
  Editing a Case
    Edit Case Steps
    Case Header Steps
    Case Details Steps
    Assignment Steps
    Documents Steps
    Case Trail Steps
    Time Spent Trail Steps
    Resolution Steps

A SAP Financial Accounting Documented Controls
  Financial Accounting Documented Controls
    FICLPEP_03AC1
    FICLPEP_03AC2
    FICLPEP_03AC4
    FICLPEP_03BC1
    FIEXCHRT_01AC1
    FIINVPOST_01BC1
    FIMDCOA_02C1
    FIMDCOA_02C2
    FIMDDIS_1005C1
    FIMDDIS_1005C2
    FIMDDIS_1006C1
    FIMDDIS_1006C2
    FIMDDIS_1007AC1
    FIMDDIS_1007BC1
    FIMDDOC_05AC1
    FIMDDOC_05AC2
    FIMDDOC_05AC3
    FIREPDIS_05BC1

B SAP Procure To Pay Documented Controls
  Procure To Pay Documented Controls
    LOIMMTYP_09BC1
    LOIMMTYP_09BC2
    LOMMMV_06BC1
    LOMMMV_06BC2
    LOPURPIR_02BC1
    LOPURREL_05AC1
    LOPURREL_05AC2
    LOPURREL_05AC3
    LOPURREL_05BC1
    LOPURREL_05BC2
    LOPURSRC_01AC1
    LOPURSRC_02AC1
    LOPURTP_06BC1
    LOPURTP_06BC2
    LOPURVAP_01AC1
    LOPURVAP_07AC1
    LOPURVAP_07AC2
    LOPURVAP_07BC1
    LOPURVAP_07BC2
    LOPURVAP_08BC1
    MMIMCTR_06AC1
    MMIMCTR_07AC1
    MMIMCTR_07AC2
    MMIMCTR_07AC3
    MMIMCTR_07BC1
    MMIMCTR_07BC2

C SAP Order To Cash Documented Controls
  Order To Cash Documented Controls
    SDBILL_04AC3
    SDBILL_04AC4
    SDCMM_01C1
    SDCMM_01C2
    SDCMM_01C3
    SDCMM_05C1
    SDCMM_05C2
    SDCMM_05C3
    SDCMM_05C4
    SDCMM_10C1
    SDCMM_11BC1
    SDCMMD_11BC1
    SDCMMD_12BC1
    SDMDCTR_01C1
    SDMDCTR_01C2
    SDMDCTR_01C3
    SDPRICTR_01AC1
    SDPRICTR_01AC2
    SDSOP_08BC1
    SDSOP_08BC2
    SDSRP_07BC1
    SDSRP_08BC1

D SAP IT Documented Controls
  IT Documented Controls
    BCSCFPAR_100AC1
    BCSCFPAR_100AC2
    BCSCFSYS_100AC1
    BCTRNCFS_100AC1

PREFACE

TOPICS COVERED IN THIS PREFACE

- About this Guide
- Conventions
- Alert Statements
- Product Documentation
- Documentation Formats
- Installation Guides, Configuration Guide, User Guide, and Release Notes
- Contacting SAP GRC


About this Guide


Conventions
The following conventions are observed throughout this document:

- Bold sans serif text is used to designate file and folder names, dialog box titles, names of buttons, icons, and menus, and terms that are objects of a user selection.
- Bold text is used to indicate defined terms and word emphasis.
- Italic text is used to indicate user-specified text, document titles, and word emphasis.
- Monospace text (Courier) is used to show literal text as you would enter it, or as it would appear on screen.

Alert Statements
The alert statements Note, Important, and Warning are formatted in the following styles:

Note: Information that is related to the main text flow, or a point or tip provided in addition to the previous statement or instruction.

Important: Advises of important information, such as a machine or data error that could occur should the user fail to take or avoid a specified action.

Warning: Requires immediate action by the user to prevent actual loss of data or where an action is irreversible, or when physical damage to the machine or devices is possible.


Product Documentation
Documentation Formats
Documentation is provided in the following electronic formats:

- Adobe Acrobat PDF files. You must have Adobe Reader installed to read the PDF files. Adobe Reader installation programs for common operating systems are available for free download from the Adobe Web site at www.adobe.com.
- SAP Notes

Installation Guides, Configuration Guide, User Guide, and Release Notes


You can download the Installation Guides, Configuration Guide, User Guide, and Release Notes in PDF format from the SAP Service Marketplace at service.sap.com.


Contacting SAP GRC


For information on contacting SAP Governance, Risks, and Compliance (SAP GRC), go to the SAP Support Portal which can be found on the SAP Service Marketplace at: service.sap.com.

In order to use the SAP Support Portal you will need to log in using your SAP user account. If you do not already have an existing SAP user account, you must first create a new account. At the bottom right area of the SAP Service Marketplace page, under the "Questions Regarding Login?" heading, click the "New User? Register here!" link. You will be prompted for a Customer Number or Installation Number which you can get from your SAP Basis Administrator. (In an SAP system you can find your installation number under System > Status > SAP System data.)

To submit your support request(s) from the SAP Support Portal, use the quick link Messages and follow the SAP Message Wizard procedure. All support requests should be logged under the following SAP GRC support components:

- GRC-SAE: Virsa Access Enforcer
- GRC-SCC: Virsa Compliance Calibrator
- GRC-SFF: Virsa Firefighter for SAP
- GRC-SRE: Virsa Role Expert
- GRC-SPC: SAP GRC Process Control

For more information on the SAP Support Portal, use the quick links provided below:

- SAP Notes Search: Here you can search for reference material and possible solutions for any questions regarding the GRC components.
- Messages: Here you can create Support Messages for the GRC components.
- Software Download: Here you can download installations, upgrades, and support packages.
- SAP Service Channel Your Inbox: Here you can monitor the status of your open messages.


1 OVERVIEW

TOPICS COVERED IN THIS CHAPTER

- Introduction
- What is Process Control?
- Process Control Benefits
- Process Control Details


Introduction
This user guide is designed to help you navigate the various user features of the Process Control application. Along with this guide, the Process Control Version 2.0 Configuration Guide and Process Control Version 2.0 Installation Guide are available for additional topics. These documents provide operational assistance to support application-specific functions.

What is Process Control?


The Sarbanes-Oxley Act of 2002 requires the identification of changes to accounting systems and the reasons for such changes, to prevent security breach and fraudulent activities. SAP GRC Process Control application is an open platform solution built to meet the most stringent regulatory requirements. Process Control automates the most time-consuming tasks related to Sarbanes-Oxley compliance: controls assessment. Furthermore, it continuously monitors and reports the activities in enterprise applications, and provides drill-down capabilities to facilitate analysis, to pinpoint the cause of control violations, and to perform remediation, all in real time.

Process Control Benefits


Process Control offers the following benefits:

- Provides real-time controls assessment.
- Automates security checks and controls monitoring.
- Performs beyond today's documentation solutions.
- Provides real-time verification of financial controls effectiveness.
- Integrates seamlessly with enterprise applications for compliance reporting.
- Pinpoints control violations in real time.
- Reduces audit costs.
- Lowers remediation resource requirements.
- Reduces ongoing compliance costs.
- Simplifies remediation and reporting procedures.
- Delivers speed, simplicity, and flexibility.


Process Control Details


Process Control is a stand-alone web-based application within J2EE and NetWeaver environments. It is connected to multiple data sources such as LDAP and SAP back-end systems. The following details apply to Process Control:

- The Process Control front-end user interface integrates with the SAP back-end system, as well as other systems.
- The Process Control database is a separate database and may not reside within an SAP database.
- All the cases, remediation details, and user login information are contained in the Process Control database system.
- Information is transferred back and forth between the Process Control front-end user interface and the SAP back end, and displayed in the Process Control user interface.
- You do not need a SAP login unless you are going to set up connections or make changes and modifications to the SAP database or operations.


2 KEY CONCEPTS

TOPICS COVERED IN THIS CHAPTER

- Introduction
- Controls
- Risks
- Rules
- Rule Criteria
- Assessment
- Sign-off
- Deficiency
- Deficiency Type
- Exception Case
- Control Category
- Control Type
- SAP Organization Unit
- Organizations and Organization Hierarchy
- Significant Accounts
- Assertions
- Processes and Subprocesses
- User Groups


Introduction
This chapter describes the key concepts of Process Control. These key concepts refer to items used throughout the Process Control application. Once you understand this conceptual information, you can more easily identify the various interrelated components of this application, what they are, why they exist, or how they are used.

Controls
A control is a policy, directed by an organization's corporate executives, that supports compliance objectives in the following areas:

- Effectiveness and efficiency of operations: This addresses an organization's basic business objectives, including performance and profitability goals and safeguarding of resources.
- Reliability of financial reporting and disclosures: This relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly.
- Compliance with applicable laws and regulations: This deals with compliance with the laws and regulations to which the company is subject.

These distinct but overlapping areas address different compliance needs.

SAP GRC currently delivers 70 SAP predefined documented controls with the Process Control Version 2.0 application. Each control has a different ID, description, and control objective. For more information, see the appendices in the Process Control Version 2.0 User Guide.

Your business environment setup for Sarbanes-Oxley compliance might include some SAP standard built-in controls. Furthermore, you might have created your own set of custom controls. The predefined controls from SAP GRC, standard SAP controls, and custom controls are all automated controls; they can all be validated electronically.

The majority of your controls are most likely manual controls that cannot be validated electronically. In addition, you might want to create some controls based on queries, and other controls to interface with other systems such as Compliance Calibrator, Cisco, or a legacy system. For this reason, Process Control allows you to integrate into its environment not only the predefined set, but the manual, SAP standard, custom, query, and Compliance Calibrator/Cisco/legacy system controls as well.


Risks
In Process Control, a risk is a possible compliance or security problem. You design controls for your business to prevent these risks, and thus the risk setup becomes a part of your control design process.

Process Control lets you configure the risk impact level, the acceptance level, and the probability of occurrence of your risks, as well as assign a risk owner.

Rules
Rules are a set of parameters and values that normally check the operation of a control. You define these rules based on your organization's policies and guidelines, and assign them to a control. You can assign multiple different rules to one control. However, you cannot assign the same rule to different controls.

SAP GRC delivers a set of predefined rules for the Process Control application that you can use. You can also configure your own rules for your organization.

Note: Rules apply only to automated controls. For manual controls, you would set up test plans instead of rules.

Rule Criteria
Rule criteria are variables that you define for the rules. One of the rule criteria variables is a field in a table in SAP that is checked when the rules are executed, to verify whether the controls are operating properly. Different controls and rules can use the same rule criteria.

SAP GRC delivers a set of predefined rule criteria along with the Process Control Version 2.0 application. Each rule criterion has its own name and description. You can also configure your own rule criteria for your organization.

Assessment
Assessment in the Sarbanes-Oxley environment is a process of ascertaining whether a particular process or control is designed properly and effectively. Management has a duty to install the proper processes in place for effective financial reporting and disclosure, and to periodically report whether these internal controls are effective. Auditors have a duty to verify management's statements and to perform independent evaluation of management's claims. The Process Control application supports your compliance process by automating the process of creating, distributing, and tabulating user-definable surveys for assessments.


Sign-off
Within the Process Control application, sign-off means to certify and confirm the state of internal controls and related issues, if any, at a point in time. At many companies, this is done via sub-certifications and surveys that are hierarchical in nature. That is, the person responsible for an organization signs off as to the state of internal controls in his/her organization after reviewing the sign-off by lower-level process and/or subprocess owners. Process Control provides workflow-triggered, hierarchical sign-off, and guides the sign-off process with related report drill-down and documentation.

Deficiency
A deficiency (or violation) occurs when a control either does not exist, or does not work as designed by the organization's corporate executives.

The Public Company Accounting Oversight Board (PCAOB) defines control deficiencies according to the following conditions:

A control deficiency exists when:

- The design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis, in the normal course of performing their assigned functions.

A deficiency in operation exists when:

- A properly designed control does not operate as designed.
- The person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

A deficiency in design exists when:

- A control necessary to meet the control objective is missing.
- An existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.

Deficiency Type
A deficiency type classifies the level of the deficiency found or not found, when you execute your control tests or perform your assessment/sign-off. Deficiency type IDs are created in the SAP back end and hence cannot be created or deleted from the Process Control application. Process Control provides the following predefined deficiency types:

- Critical: The deficiency poses the highest, most critical risk and should be addressed urgently.
- Medium: The deficiency poses medium risk and should be addressed, but at a lower priority than the Critical level.
- Low: The deficiency poses low risk and should be addressed, but at a lower priority than the Critical and Medium levels.
- Adequate: No deficiency was found when you executed a control test. In this situation, an exception case was not created.

Note: You cannot create or delete a deficiency type from the Process Control front end. You can only modify the deficiency type description and the color assigned to it for graphical reporting. Use the SAP back end to create new deficiency types.

In addition to the predefined deficiency types above, a deficiency status called Pending Review indicates that a deficiency has to be reviewed by the control owner or test plan owner or survey respondent/optional reviewer, to determine the actual deficiency type. When you test the SAP standard, custom, or query controls, the deficiency status will be Pending Review by default. The Compliance Calibrator (SoD conflict) is also assigned a Pending Review status. The control owner or test plan owner or survey respondent/optional reviewer needs to review the control/survey results and then assign the appropriate deficiency type: Critical, Medium, Low, or Adequate.

Exception Case
When a deficiency occurs, an exception case provides detailed information to help you drill down to the root violation cause within the ERP system. There are many types of cases in the Process Control application. For example, during the execution of your automated control tests, Process Control automatically generates an exception case if a deficiency is found. You can also create a case manually to further document information for other issues not documented in an automatic case. For manual controls, the test plan owner can create an exception case for the test plans that have resulted in failure. For an assessment survey, the survey respondent or reviewer can also create a case for scheduled surveys with negative ratings. You can then administer the remediation process to resolve the control deficiency captured in the exception case.

Control Category
A control category is used to differentiate the main sets of controls. The three predefined control categories are as follows:

- Automated: These controls are monitored automatically by the system.
- Manual: These controls involve activities that cannot be monitored automatically and have to be performed manually.
- Query: These controls are configured to check tables and fields that satisfy some particular conditions.


Control Type
A control type represents a group of similar activities in an application system. Each group can be monitored and analyzed separately, based on its own criteria, to determine the violations in the process controls. The following list describes the control types for automated controls. You can customize and use control types for manual controls as well. Automated controls usually fall into one of the following five types:

- Configuration control: These controls monitor and report configuration settings and changes. For example: Electronic purchases must be made at a company-approved electronic vendor.
- Master Data control: These controls monitor and report master data settings and changes. For example: Specifics about the company-approved electronic vendor's prices.
- Transaction control: These controls monitor and report business transactions. For example: Details of the purchases from a company-approved electronic vendor.
- SOD Conflict Analysis control: These controls are related to Segregation of Duties conflicts. For example: Financial transactions related to a company-approved electronic vendor should be handled by different users to avoid conflicting interests.
- Networking Monitoring control: These controls monitor networking activities for violation of control policies. For example: Details of the purchases from a company-approved electronic vendor are broadcast to an external source via voice over IP (VOIP), which violates a control policy.

The control types, to which a particular control belongs, derive the business rules used to determine a control deficiency. For example, a Master Data control may have a business rule which checks against a field value such as payment terms on the master data. For Transaction Reporting, the business rule may check for a transaction amount greater than the predefined limit for the user who performed the transaction.


SAP Organization Unit


An SAP organization unit refers to a department of a company, and is defined in SAP. SAP organization units range from manufacturing plants and supply stations to purchase organizations and corporate headquarters, and are spread out in various geographical locations. You can use the SAP organization units for generating reports for a selected frequency range.

Process Control provides the following predefined organization units as part of predefined rule criteria. These organization units are used in organization groups:

- Company code
- Plant
- Sales organization
- Purchasing organization

It is assumed that you know these SAP organization unit values as they exist in the SAP tables and fields.

Organizations and Organization Hierarchy


Process Control enables you to define an organization structure to provide support for analysis reporting by organization. An organization is the level of instance that requires compliance to a regulatory act. Organizations are commonly identified by geographical entities, such as EMEA or USA or a state or a city; however, an organization might be a business unit and not be a physical location at all. Organizations are further grouped as nodes in an organization hierarchy flowing down to legal entities or profit centers, such as a company, a plant, a business unit, a regional unit, or a division. These units must report that risks are mitigated by internal controls, to prove the compliance of business processes and subprocesses at a specific organization.

Once you have set up your organization hierarchy, you can associate your controls with a node in the hierarchy, in other words, an organization. The test results for your reports can be analyzed and monitored by organization. You can drill down through the organization hierarchy to get to information specific to an organization. In addition, your data access can be controlled by the organization owners.


Significant Accounts
A significant account is an account that contains errors that have a material effect on the financial statement and could adversely affect the company's reputation or relationship with customers, shareholders, or public.

To consider if an account is significant, consider the following:

- Size and composition of the account
- Nature of the account
- Type of transactions within the account
- Volume of transactions in the account
- Susceptibility of the account to manipulation or loss

Assertions
An assertion is a representation of a significant account that is compliant and/or an internal control. For example, an assertion may be made that the financial statements reflect a complete record of all of the financial transactions carried out by an organization in a period, and an auditor must carry out procedures to test that assertion.

Process Control allows the configuration of both financial and other assertions. The predefined assertions in Process Control include the following:

- Existence or Occurrence (financial assertion)
- Completeness (financial assertion)
- Rights or Obligations (financial assertion)
- Valuation or Allocation (financial assertion)
- Presentation and Disclosure (financial assertion)
- Accuracy
- Authorization
- Restricted Access
- Safeguarding Assets
- Validity


Processes and Subprocesses


A process refers to a predetermined sequence of work steps that are to be completed in order to produce a specific result. This includes all the operational steps required to produce the output, the sequential relationship between the process steps, the business decisions that are a part of the business event response, and the flow of material and/or information between the process steps.

For example, the Order to Cash process starts with order generation and ends with cash collections from customers, for the goods or services rendered by the business.

Process Control provides the following predefined processes as groupings of automated controls:

- Manage Financial Accounting
- Procure to Pay
- Order to Cash
- System Configuration
- Access Control
- Transport Group
- Hire and Retire

You can add manual controls to these predefined processes if you wish.

Most of these processes (except for Hire and Retire) provide access to subprocesses at a lower level. A subprocess refers to a subset of activities within a business process. The predefined subprocesses in Process Control are displayed in Table 1 and Table 2.


Table 1: Sub-Processes

Manage Financial Accounting Subprocesses:
- Manage General Ledger
- Perform Closing
- Accounts Payable
- Maintain Chart of Accounts

Procure to Pay Subprocesses:
- Perform Procurement
- Manage Inventory
- Maintain Procure to Pay Master Data
- Inventory Valuation
- Manage Payables
- RFQ Checks
- Receive Goods and Services
- Perform Invoice Verification

Order to Cash Subprocesses:
- Execute Credit Management
- Maintain Customer Master
- Perform Revenue Recognition
- Process Billing Documents
- Process Sales Order
- Process Sales Returns


Table 2: Sub-Processes (continued)

System Configuration Subprocesses:
- Parameters
- System

Access Control Subprocesses:
- Segregation of Duties
- Configuration

Transport Group Subprocess:
- Configuration and Status

User Groups
A user group is a group of users who can be assigned as owners of certain objects in the Process Control application (such as processes, subprocesses, controls, test plans, and so on), and also as assessment survey respondents or reviewers. A user group can be assigned to case remediation activities as well. You create user groups to track information about the people that have ownership, respondent, reviewer, and/or remediation responsibilities. You can configure different user groups comprised of just one user, or multiple different users.


Chapter 3: KEY USER PROCESSES

Topics covered in this chapter:

- Key User Processes
- Analysis Reporting
- Assessments and Sign-Off
- User Inbox Management
- Case Management and Remediation


Key User Processes


The Process Control key user processes are described in more detail in the following sections.

Analysis Reporting
Once you have set up and executed your control tests (for information, see the Process Control Version 2.0 Configuration Guide), Process Control captures the analysis information in reports that summarize the compliance status of your organization. Executives, auditors, and other users can view the configuration settings or the exception transactions in these reports to drill down to the root violation cause within your ERP systems.

For more information regarding this process, see the following chapters:

- Chapter 6, Management Reports
- Chapter 7, Compliance Reports
- Chapter 8, Remediation Reports
- Chapter 9, Test Results Reports

Assessments and Sign-Off


The assessment and sign-off features in Process Control help your enterprise to meet the regulatory requirements for compliance initiatives such as Sarbanes-Oxley. As part of Section 404 and Section 302 of the Sarbanes-Oxley certification process, assessments and sign-off are effective tools to help the business owners to evaluate the design and effectiveness of the internal controls within their organization. This process is generally accomplished in the form of a survey where a set of questions is sent to key individuals across your organization for feedback.

For more information regarding this process, see the following chapters:

- Chapter 10, Assessments Through Surveys
- Chapter 11, Sign-Off Assessment

User Inbox Management


You can easily access and view all of your tasks, documents, and cases in one area called your Inbox. As the current logged-in user, you would see only those tasks and cases specifically assigned to you. You can then proceed to perform your tasks and to remedy deficiencies found in your cases, if any. You would also see only those documents that you have checked out, to help you maintain your list of documents.

For more information regarding this process, see Chapter 12, User Inbox.


Case Management and Remediation


When a deficiency occurs, a case provides detailed information to help you drill down to the root violation cause within the ERP system. There are many categories of cases in the Process Control application.

For example, during the execution of an automated control test, Process Control automatically generates a case if a deficiency or violation is found. For the execution of a manual control test, the test plan owner can also generate a case as a result of the test plan failure. For assessment surveys that generated deficiencies (negative ratings), the survey respondent or optional reviewer can also create a case.

Remediation denotes the process involved in resolving the deficiency captured in these exception cases. Process Control sends alerts to notify the assigned users responsible for the remediation task. Process Control enables you to track each case and administer the remediation process, by providing the functionality to document and communicate case remediation activities.

For more information regarding this process, see Chapter 13, Case Management and Remediation.


Chapter 4: USER INTERFACE

Topics covered in this chapter:

- Logging Into Process Control
- User Interface Elements
- Common Icons
- Filtering an Item
- Modifying an Item
- Deleting an Item
- Uploading and Revising a Document


Logging Into Process Control


To log into the Process Control application:

1. Follow the instructions in the Process Control Version 2.0 Installation Guide to get to the Process Control start page.

   Figure 1: Process Control Start Page

2. In the Process Control start page, click User Login. The User Login pane appears.

   Figure 2: User Login Pane

3. In the User ID field, enter your user ID.
4. In the Password field, enter your password.
5. In the Language dropdown menu, select your default language.
6. Click Logon.

Note: Your login user ID controls your access within the Process Control application. The roles associated with your user ID will determine which modules, and features within those modules, are accessible. You can create new user IDs and passwords and modify existing ones using the User Management Engine (UME) of NetWeaver.


User Interface Elements


Figure 3 shows an example Process Control screen and the various user interface elements. These elements are referred to throughout this guide.

Figure 3: User Interface Elements (callouts: navigation menu, menu, submenu, command button, tab, pane, page, icon, checkbox, selectable field, text field, dropdown menu)


Common Icons
The following icons are used in various areas in the Process Control application. Table 3 lists the icon names, functions, and locations.

Table 3: Icons Information

- Search. Function: Displays a popup window listing items from the database for your selection. In the popup window, you can filter your list of items as desired. You can enter a name, or a wildcard character such as * to display the list of all items that match your entered expression. Location: Next to a text field.
- Select. Function: Displays a short list of items from the database. You can enter a name, or a wildcard character such as * to display the list of all items that match your entered expression. Location: Inside a selectable field.
- Calendar. Function: Displays a calendar to allow date selection. Location: Next to a date field.
- First Set. Function: Displays in a table the first set of rows. Location: Below a table displaying items from the database.
- Last Set. Function: Displays in a table the last set of rows. Location: Below a table displaying items from the database.
- Previous Set. Function: Displays in a table the previous set of rows. Location: Below a table displaying items from the database.
- Next Set. Function: Displays in a table the next set of rows. Location: Below a table displaying items from the database.
- Previous Columns. Function: Displays in a table the previous set of columns. Location: Below a table displaying items from the database.
- Next Columns. Function: Displays in a table the next set of columns. Location: Below a table displaying items from the database.
- Plus. Function: Adds a new row to allow input of another value range. Location: Next to the value range elements, or below the table of value ranges.
- Minus. Function: Deletes a row of value range. Location: Next to the value range elements, or below the table of value ranges.
- Up. Function: Moves an item in a table list upward. Location: In a column in the table.
- Show. Function: Shows the list of previously selected items below a field. Location: Next to a field.
- Down. Function: Moves an item in a table list downward. Location: In a column in the table.
- Hide. Function: Hides the list of previously selected items below a field. Location: Next to a field.
- Expand. Function: Expands and shows items in the lower levels in a hierarchy structure. Location: In a hierarchy level.
- Collapse. Function: Collapses and hides items in the lower levels in a hierarchy structure. Location: In a hierarchy level.
- Details. Function: Jumps to another page, or displays a popup window, to give more detailed information for an item. Location: In the table row displaying an item from the database.
- Upload. Function: Allows user to navigate to a folder location to upload a document file. Location: In the table row displaying an item from the database, or next to a UI label.
- Download. Function: Allows user to download data to an Excel file. Location: At the bottom right corner of a page.
- Color Palette. Function: Displays a palette to allow color selection. Location: Next to a color field.
- Move Up. Function: Moves an item in a Sort list upward. Location: Next to the Sort list.
- Move Down. Function: Moves an item in a Sort list downward. Location: Next to the Sort list.
- Delete. Function: Deletes an item from the Sort list. Location: Next to the Sort list.


Filtering an Item
When you want to view a list of items, you might not want to see the entire list of all the items stored in the database, as this might be a very long list to browse through. In the Process Control application, you can filter many different items to display a short list of only the specific items that fulfill your filter selections.

The steps within this section show you how to filter a sample item, the rule criteria. You can follow these steps and apply the same user actions to filter other items with a similar user interface.

Figure 4: Rule Criteria Page

To filter an item list:

1. Click Show Filter. This displays the fields or dropdown menus for you to enter or select your filter elements. You can filter based on one key element, or based on multiple different elements, depending on the item.
2. If field(s) are displayed, enter your specific filter information into the field(s) (Rule Criteria name in this example), or a portion of the information followed by a wildcard character such as * to see the list of all items matching this expression. If the Search icon or Select icon is available, click the icon, enter a name or a wildcard character such as *, and select a specific item from the popup list.
3. If dropdown menu(s) are displayed, select your search filter item(s) from the menu(s).
4. When you are done entering your filter elements, click Go. Process Control searches the database for data matching your selected filter elements. A table displays the results of your filter transaction.

If you wish to hide the filter elements, click Hide Filter.


Modifying an Item
In the Process Control application, you can modify many different items using different menus or submenus. The modification steps are similar for these various items. The steps within this section show you how to modify a sample item, the rule criteria. You can follow these steps and apply the same user actions to modify other items with a similar user interface.

To modify an item:

1. In the table listing all of the items (rule criteria in this example) found in the database (see Figure 4 on page 41), select the checkbox for the item that you want to modify.
2. Click Edit. A new page appears to display the item you selected, with its associated information.
3. Make the necessary modifications to the information fields.

   Note: Some fields might not be editable. Also, some fields might be automatically populated by the database.

4. Click Save to save your modifications (the table reappears showing the modified item information), or click Cancel to return to the previous page without saving.


Deleting an Item
In the Process Control application, you can delete many different items using different menus or submenus. The deletion steps are similar for these various items. The steps within this section show you how to delete a sample item, the rule criteria. You can follow these steps and apply the same user actions to delete other items with a similar user interface.

To delete an item:

1. In the table listing all of the items (rule criteria in this example) found in the database (see Figure 4 on page 41), select the checkbox(es) next to the item(s) that you want to delete.
2. Click Delete.
3. Refresh your screen to make sure that the selected item(s) are deleted from the table.

   Note: You can refresh the screen using the F5 key on your computer keyboard (for Windows OS).


Uploading and Revising a Document


In the Process Control application, you can upload various documents to provide additional supporting information. Once uploaded, you can then proceed to edit your documents' names and descriptions, delete your documents, check out and check in your documents to make modifications, and generate a trail that displays their revision history.

You can upload and revise your documents using the Upload Document pane. This pane organizes your documents, and allows you to view information related to your documents.

Figure 5: Upload Document Pane

The table in the Upload Document pane displays the following:

Table 4: Upload Document Information

- Name: Document name.
- File: Link to the uploaded document file.
- Description: Description of the document.
- Version: Version number generated automatically to keep track of your revision history. When you upload the document for the first time, the version number starts out at 1.0. Each time you check out the document and make changes then check it back in, the version number increments automatically by 0.1. For example: If the current version number is 1.2, the next version will increment to 1.3. If the current version number is 1.9, the next version will increment to 2.0.
- Checked Out: Indicates the user who currently checked out the document and is the only person who can modify the document. This same user needs to check in the document before it can be modified by someone else. Only the person who checked out a document can check it back in.


To upload and revise a document:

1. For each supporting document that you want to upload, do the following:

   a. Click Add. The Add Documents pane appears.

      Figure 6: Add Documents Pane

   b. In the Name and Description fields, enter the name and description for the document you are about to upload.
   c. Click Browse, navigate to the folder containing the document file to upload, and select your file.
   d. Click Save. The document file you upload appears in the table with version number 1.0.

2. If you want to edit the name and/or description of a document, select the radio button for your desired document, then click Edit. Modify the name and/or description and click Save.
3. If you want to delete a document, select the radio button for your desired document, then click Delete.
4. If you need to make changes to a document, select the radio button for your desired document, then click Check Out. This asks you to open the file wherever it is stored on your system so that you can make your changes, and prevents someone else from overwriting your document file while you are updating it.
5. Once you are finished saving your changes, go back to the Upload Document pane (see Figure 5) and select the radio button for your document, then click Check In.

   a. The Checkin Documents pane appears.

      Figure 7: Checkin Documents Pane

   b. Click Browse, navigate to the folder containing the document file to check in, and select your file.
   c. Click Save. This uploads the revised version of your document file, increments the file version number, and allows for the document file to be modified again.


6. If you want to see a history trail of revisions made to a document, select the radio button for your desired document, then click Trail.

   a. The Trail pane appears.

      Figure 8: Trail Pane

      Each row in the table in the Trail pane shows an instance when the document was either uploaded or modified, and displays the following:

      Table 5: Trail Information

      - Name: Document name.
      - Version: Version number generated automatically to keep track of your revision history.
      - Created By: Indicates the user who initially uploaded the document.
      - Created Date: Indicates the date when the document was initially uploaded.
      - Last Modified By: Indicates the user who last modified the document.
      - Last Modified Date: Indicates the date when the document was last modified.

   b. Click the version number to display that version of the document file, containing the changes specific to that version.
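The check-out lock, the 0.1 version increment (including the 1.9 to 2.0 rollover), and the revision trail described in this section can be modeled as follows. This is an added example, not SAP code: the class and function names are hypothetical, and the sample users and file contents are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


class CheckoutError(Exception):
    """Raised when a check-out/check-in rule from the guide is violated."""


def next_version(version: str) -> str:
    """Increment a 'major.minor' version by 0.1; 1.9 rolls over to 2.0."""
    major_s, minor_s = version.split(".")
    major, minor = int(major_s), int(minor_s)
    if not 0 <= minor <= 9:
        raise ValueError("minor part must be a single digit: " + version)
    tenths = major * 10 + minor + 1  # integer tenths avoid float drift
    return f"{tenths // 10}.{tenths % 10}"


@dataclass
class TrailRow:
    """One row of the Trail pane (Table 5), plus the stored file content."""
    name: str
    version: str
    created_by: str
    created_date: date
    last_modified_by: str
    last_modified_date: date
    content: bytes


@dataclass
class Document:
    name: str
    description: str
    trail: List[TrailRow] = field(default_factory=list)
    checked_out_by: Optional[str] = None  # the "Checked Out" column

    @property
    def version(self) -> str:
        return self.trail[-1].version


def upload(name, description, content, user, today) -> Document:
    """First upload: the version number starts out at 1.0."""
    doc = Document(name, description)
    doc.trail.append(TrailRow(name, "1.0", user, today, user, today, content))
    return doc


def check_out(doc: Document, user: str) -> None:
    """Lock the document so nobody else can overwrite it."""
    if doc.checked_out_by is not None:
        raise CheckoutError(f"already checked out by {doc.checked_out_by}")
    doc.checked_out_by = user


def check_in(doc: Document, user: str, content: bytes, today: date) -> str:
    """Only the user who checked the document out may check it back in."""
    if doc.checked_out_by is None:
        raise CheckoutError("document is not checked out")
    if doc.checked_out_by != user:
        raise CheckoutError(f"only {doc.checked_out_by} can check in")
    first = doc.trail[0]
    row = TrailRow(doc.name, next_version(doc.version), first.created_by,
                   first.created_date, user, today, content)
    doc.trail.append(row)
    doc.checked_out_by = None  # document can be modified again
    return row.version


def get_version(doc: Document, version: str) -> bytes:
    """Return the file content stored for one version in the trail."""
    for row in doc.trail:
        if row.version == version:
            return row.content
    raise KeyError(version)


if __name__ == "__main__":
    d = upload("Control narrative", "Constructed sample", b"draft",
               "alice", date(2024, 1, 2))
    check_out(d, "alice")
    print(check_in(d, "alice", b"revised", date(2024, 1, 3)))
```
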


Chapter 5: MAIN MODULES

Topics covered in this chapter:

- Main Tabs and Modules
- Home Page
- Reports Module
- Process Manager Module


Main Tabs and Modules


For this guide, three main tabs in the Process Control application give you access to modules that help you control access to your company's vital security and compliance statistics. These modules are the following:

- Home Page
- Reports Module
- Process Manager Module

These tabs and modules (or partial areas within) are described in the following sections. Other tabs and modules in the Process Control application are described in the Process Control Version 2.0 Configuration Guide.

Your user ID controls your Process Control application access. Your individual role settings will determine which module, and which features within the module, are accessible.

Home Page
The first page that a user will see upon logging into the Process Control application is the Home page. The Home page shows the Control Execution Monitor, Inbox status, and two Control Status reports.

Figure 9: Home Page


Control Execution Monitor (CEM)

The Control Execution Monitor (CEM) provides a real-time display of the control test execution status. This feature uses the remediation master data settings and logic to display the test status of the executed controls. You can determine whether a scheduled job for your control test has been performed successfully by viewing the CEM.

To view and navigate the CEM report:

1. In the Home page (see Figure 9 on page 48), the Control Execution Monitor (CEM) pane appears in the upper left corner.

   Figure 10: Control Execution Monitor Pane

   The CEM displays a table of control information. Each row in the table lists the control ID, the organization, the deficiency type resulting from the control test, and the case number if a case is associated with the control test.

2. Click the Full View link in the upper right corner of the pane to display the List of Test Results page. For more information, see section "Test Results Report" on page 81 in Chapter 9, "Test Results Reports".
3. Click the Down icon in the upper right corner of the panes. The period and organization dropdown menus appear.
4. In the period dropdown menus, select your desired period for the CEM.
5. In the organization dropdown menu, select your desired organization for the CEM. Each organization was configured in the organization hierarchy. For more information, see the "Organization Hierarchy" section in the Process Control Version 2.0 Configuration Guide.
6. Click Go to view the results.


Inbox

The Inbox area displays the tasks and cases assigned to you, as the current logged-in user. You can then proceed to carry out your tasks and to resolve the deficiency found in your cases for remediation purposes. For information about the Inbox, see Chapter 12, "User Inbox".

To view and navigate the Inbox:

1. In the Home page (see Figure 9 on page 48), the Inbox pane appears in the upper right corner.

   Figure 11: Inbox Pane

2. Click the Full View link or the My Tasks link to display the My Tasks page that displays in tabular format information related to your tasks. All of these tasks are located in one specific area so that you can access and view them easily. For more information, see section "My Tasks" on page 131 in Chapter 12, "User Inbox".
3. Click the My Cases link to display the My Cases page that displays in tabular format information related to your cases. All of these cases are located in one specific area so that you can access and view them easily. For more information, see section "My Cases" on page 142 in Chapter 12, "User Inbox".

Control Status Reports

The Control Status reports show in bar chart format the number of reported control tests that have resulted in each type of status, for two different periods. By default, the left side report is for the current period, and the right side report is for the previous period. You can select different periods to filter these reports as desired. You can then compare the results from the two selected periods side by side.

The various statuses are as follows:

- Fail: The control tests executed during the selected period resulted in a deficiency.
- Pass: The control tests executed during the selected period did not result in a deficiency.
- Pending: The results for the control tests executed during the selected period are to be determined by the owners of the entities associated with the control tests.


To filter and display the Control Status reports:

1. In the Home page (see Figure 9 on page 48), the Control Status panes appear in the lower portion.

   Figure 12: Control Status Panes

2. Click the Down icon in the upper right corner of the panes. The period and organization dropdown menus appear.
3. In the period dropdown menus, select your desired period for this report.
4. In the organization dropdown menu, select your desired organization for this report.
5. Click Go to view the result of the report.


Reports Module
You click the Reports tab to access the Reports module. The Reports page appears.

Figure 13: Reports Page

The Reports module provides various reports documenting control status information from management's viewpoint, remediation information from reported or resolved exception cases, compliance and transaction information from the analysis reports executed in SAP R/3, and other miscellaneous information. Most reports provide you with drill-down capabilities to facilitate further analysis, to pinpoint the root cause of control violations, and to take remedial action. The control statuses or violations are reported in graphical and/or tabular formats, giving a quick overview of the overall state of compliance of your organization. For details, see the following chapters:

- Chapter 6, Management Reports
- Chapter 7, Compliance Reports
- Chapter 8, Remediation Reports
- Chapter 9, Test Results Reports

Note: The Miscellaneous Reports and BI Reports are not documented in this version. These reports will be available in a future version and are just placeholders at the moment.


Process Manager Module


You click the Process Manager tab to access the Process Manager module. The Process Manager page appears.

Figure 14: Process Manager Page

This guide will focus on the three highlighted submodules only. The other submodules are described in the Process Control Version 2.0 Configuration Guide.

The Process Manager module gives you access to your Inbox, containing the tasks, documents, and cases specifically belonging to you as the current logged-in user. This module also displays the cases generated for the deficiencies detected during the execution of your control tests, or created manually. These cases provide the control/survey information, case status, deficiency type, and remediation activities, to enable continuous corporate governance over time. You also perform the assessment and sign-off activities using this module.

For details, see the following chapters:

- Chapter 10, Assessments Through Surveys
- Chapter 11, Sign-Off Assessment
- Chapter 12, User Inbox
- Chapter 13, Case Management and Remediation


6 MANAGEMENT REPORTS

TOPICS COVERED IN THIS CHAPTER

- Introduction
- Management Reports
- Management Report by Process
- Management Report by Assertion


Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization.

Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within SAP.

One set of reports, the Management reports, delivers a high-level overview of compliance status from an executive's summary viewpoint, based on processes and assertions. These reports provide the overall status of the control tests executed, and allow you to drill down to the exception cases reported for a particular time period.

You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Management reports by clicking the appropriate links as shown in Figure 15.

Figure 15: Reports Page


Management Reports
You can select Management reports for various key items, such as processes and subprocesses (for more information, see section "Processes and Subprocesses" on page 29 in Chapter 2, "Key Concepts") and assertions (for more information, see section "Assertions" on page 28 in Chapter 2, "Key Concepts").

You can search for specific key items for your report by selecting your desired filters. You can filter your report for one specific key item, or for a combination of multiple key items, by selecting them from the filter drop-down menu(s).

Each report generally displays the report title at the top, and the results in graphical and/or tabular formats below. You can click the links, if available in the report, to drill down to other pages with more information.

The following Management reports are available:

- Management Report by Process
- Management Report by Assertion

The following sections describe each report in more detail.

Management Report by Process


This report displays, in both pie chart and tabular formats, the results from the control tests executed within a given period, grouped by processes at the highest level, then by subprocesses at a lower level.

Each level in this report lists the associated control test results by their deficiency status (Critical, Medium, Low, Adequate, or Pending Review) and allows you to further drill down to more specific details of the cases related to these control tests. For the pie chart, the legends for the report are color-coded by the deficiency status.

In the table, the number of test results found for each process, or each subprocess at a lower level, are added together to arrive at the totals in the last column.

You can filter and view the results of specific control tests by selecting your desired process, subprocess, time period, and organization.

To view and navigate the Management Report by Process report:

1. In the Reports page (see Figure 15 on page 56), select Management Reports by Process. The Management Report by Process page appears.

Figure 16: Management Report by Process Page

2. Click Show Filter to specify your search filters using the Process, Subprocess, Period, and Location fields or drop-down menus.
3. Click Go to view the results of your report. The report will display only the results of the control tests applicable to your filters.
4. Click a specific process link in the leftmost column to drill down to the subprocess level for that process (if the subprocess(es) exist). The Management Report by Subprocess page appears, listing the control test results by subprocess.

Figure 17: Management Report by Subprocess Page

5. At the subprocess level, click a specific subprocess link in the leftmost column to drill down to the Case List page, listing the cases relevant to the control tests associated with that subprocess. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
6. At either the process or subprocess level, you can also click the numbers in the table to drill down to more specific information:
   a. Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing the cases relevant to the control tests associated with a particular process or subprocess. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
   b. Click the numbers in the table under the Adequate column to display the List of Test Results page, listing the test results for the control tests associated with a particular process or subprocess. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section "Test Results Report" on page 81 in Chapter 9, "Test Results Reports".

Management Report by Assertion


This report displays, in both pie chart and tabular formats, the results from the control tests executed within a given period, grouped by assertions.

Each assertion in this report lists the associated control test results by their deficiency status (Critical, Medium, Low, Adequate, or Pending Review) and allows you to further drill down to more specific details of the cases related to these control tests. For the pie chart, the legends for the report are color-coded by deficiency status.

In the table, the number of test results found for each assertion are added together to arrive at the totals in the last column.

You can filter and view the results of specific control tests by selecting your desired significant account and time period.

To view and navigate the Management Report by Assertion report:

1. In the Reports page (see Figure 15 on page 56), select Management Reports by Assertion. The Management Report by Assertion page appears.

Figure 18: Management Report by Assertion Page

2. Click Show Filter to specify your search filters using the Assertions and Period drop-down menus.
3. Click Go to view the results of your report. The report will display only the results of the control tests applicable to your filters.
4. Click a specific assertion link in the leftmost column to drill down to the Case List page, listing the cases relevant to the control tests associated with that assertion. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
5. You can also click the numbers in the table to drill down to more specific information:
   a. Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing the cases relevant to the control tests associated with a particular assertion. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
   b. Click the numbers in the table under the Adequate column to display the List of Test Results page, listing the test results for the control tests associated with a particular assertion. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section "Test Results Report" on page 81 in Chapter 9, "Test Results Reports".


7 COMPLIANCE REPORTS

TOPICS COVERED IN THIS CHAPTER

- Introduction
- Compliance Reports
- Compliance Report - Risk Control Matrix
- Compliance Report - Account Assertion Matrix


Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization.

Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within the ERP system.

One set of reports, the Compliance reports, delivers a high-level overview of compliance status for the SOX team, the internal auditors, the organization owners and process owners, based on controls, risks, assertions, and significant accounts. These reports provide the overview status of the controls or assessments executed, and the number of control or survey cases reported for a particular time period.

You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Compliance reports by clicking the appropriate links as shown in Figure 19.

Figure 19: Reports Page


Compliance Reports
You can select Compliance reports for various key items, such as controls (for more information, see section "Controls" on page 22 in Chapter 2, "Key Concepts"), risks (for more information, see section "Risks" on page 23 in Chapter 2, "Key Concepts"), significant accounts (for more information, see section "Significant Accounts" on page 28 in Chapter 2, "Key Concepts"), and assertions (for more information, see section "Assertions" on page 28 in Chapter 2, "Key Concepts").

You can search for specific key items for your report by selecting your desired filters. You can filter your report for one specific key item, or for a combination of multiple key items, by selecting them from the filter drop-down menu(s).

Each report generally displays the report title at the top, and the results in graphical and/or tabular formats below. You can click the links, if available in the report, to drill down to other pages with more information.

The following Compliance reports are available:

- Compliance Report - Risk Control Matrix
- Compliance Report - Account Assertion Matrix

The following sections describe each report in more detail.

Compliance Report - Risk Control Matrix


This report displays, in tabular format, the risk and control matrix, providing the deficiency status of the most recent control test executed or assessment survey submitted during a time period, and the number of reported exception cases resulting from all of the control tests and assessment surveys performed during that time period.

Each row in this report lists the deficiency and the number of control and survey exception cases associated with a particular organization unit/process/subprocess/risk/control combination, and allows you to further drill down to the case information at a lower level.

You can filter and view your specific report by selecting your desired process, organization, objective, deficiency status, sort item, and/or time period.

To view and navigate the Risk and Control Matrix report:

1. In the Reports page (see Figure 19 on page 64), select Compliance Reports - Risk Control Matrix. The Risk Control Matrix page appears.

Figure 20: Risk Control Matrix Page

2. Click Show Filter to specify your search filters using the Process, Organization, Deficiency, Sort By, From Date, and To Date fields or drop-down menus.

   Note: The From Date and To Date information can be for an arbitrary date range, and does not necessarily coincide with a scheduling period.

3. Click Go to view the results of your report. The report will display only the matrix information applicable to your filters. Each row in the table displays the following:

Table 6: Risk Control Matrix Report Information

Item | Description
Organization Unit | Organization unit as defined in the organization hierarchy. For more information, see section "Organizations and Organization Hierarchy" on page 27 in Chapter 2, "Key Concepts".
Process | Process associated with the organization unit. For more information, see section "Processes and Subprocesses" on page 29 in Chapter 2, "Key Concepts".
Subprocess | Subprocess associated with the organization unit. For more information, see section "Processes and Subprocesses" on page 29 in Chapter 2, "Key Concepts".
Risk | Risk associated with the process/subprocess. For more information, see section "Risks" on page 23 in Chapter 2, "Key Concepts".
Control ID | Unique ID for the control.
Control Description | Brief description of the control.
Control Category | Control category: automated, manual, or query.
Control Purpose | Control purpose: prevent or detect.
Control Frequency | Frequency of control activity on a regular basis.
System Type | System that the control test was performed on.
Deficiency | Control test deficiency status: Critical, Medium, Low, Adequate, or Pending Review. This deficiency is the result of the latest (most recent) control test completed within the selected date range (see Step 2 on page 66). This deficiency is not based on the reported control case(s).
Control Cases | Number of cases resulting from control tests.
Survey Rating | Assessment survey rating status: Critical, Medium, Low, or Adequate. This is the rating of the latest (most recent) assessment survey completed within the selected date range (see Step 2 on page 66). This deficiency is not based on the reported survey case(s).
Survey Cases | Number of cases resulting from assessment surveys.

4. Click the numbers in the table related to the control or survey cases to display the Case List page, listing only the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
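The rule in Table 6 that the Deficiency and Survey Rating columns come from the most recent run in the selected date range, while the case columns count every run in that range, is shown below as an added Python example. It is not SAP code; the record layout, function names, sample data, the inclusive date range and the tie-breaking rule are assumptions made for illustration.

```python
"""Added illustration of how a Risk Control Matrix row is derived (not SAP code)."""
from dataclasses import dataclass
from datetime import date

TEST_STATUSES = {"Critical", "Medium", "Low", "Adequate", "Pending Review"}
SURVEY_RATINGS = {"Critical", "Medium", "Low", "Adequate"}


@dataclass(frozen=True)
class Run:
    """One completed control test or assessment survey (hypothetical layout)."""
    key: tuple       # (organization unit, process, subprocess, risk, control ID)
    kind: str        # "test" or "survey"
    completed: date  # completion date of the run
    status: str      # deficiency status (test) or rating (survey)
    cases: int       # exception cases reported as a result of this run


def build_matrix(runs, from_date, to_date):
    """Return {key: row} for runs completed within [from_date, to_date].

    Assumptions: the date range is inclusive, and when two runs share a
    completion date the one listed later in `runs` counts as the latest.
    """
    rows = {}
    for run in sorted(runs, key=lambda r: r.completed):  # stable sort
        allowed = TEST_STATUSES if run.kind == "test" else SURVEY_RATINGS
        if run.kind not in ("test", "survey") or run.status not in allowed:
            raise ValueError(f"unexpected record: {run}")
        if not from_date <= run.completed <= to_date:
            continue
        row = rows.setdefault(run.key, {
            "Deficiency": None, "Control Cases": 0,
            "Survey Rating": None, "Survey Cases": 0,
        })
        if run.kind == "test":
            row["Deficiency"] = run.status      # overwritten until the latest run
            row["Control Cases"] += run.cases   # accumulated over every run
        else:
            row["Survey Rating"] = run.status
            row["Survey Cases"] += run.cases
    return rows


def clean_status_with_cases(rows):
    """Keys whose latest test is Adequate although control cases exist in range."""
    return sorted(k for k, row in rows.items()
                  if row["Deficiency"] == "Adequate" and row["Control Cases"] > 0)


# Constructed sample data: two controls in one subprocess.
K1 = ("US01", "Procure to Pay", "Invoice Processing", "Duplicate payment", "CTL-001")
K2 = ("US01", "Procure to Pay", "Invoice Processing", "Unapproved vendor", "CTL-002")
SAMPLE_RUNS = [
    Run(K1, "test", date(2007, 1, 15), "Critical", 2),
    Run(K1, "test", date(2007, 2, 15), "Medium", 1),
    Run(K1, "test", date(2007, 3, 15), "Adequate", 0),
    Run(K1, "survey", date(2007, 3, 20), "Low", 1),
    Run(K2, "test", date(2007, 2, 10), "Low", 1),
    Run(K2, "test", date(2007, 4, 10), "Critical", 3),  # outside the range below
]

if __name__ == "__main__":
    matrix = build_matrix(SAMPLE_RUNS, date(2007, 1, 1), date(2007, 3, 31))
    for key, row in matrix.items():
        print(key[-1], row)
    print("Adequate but with cases:", clean_status_with_cases(matrix))
```

A row can therefore show Adequate next to a non-zero Control Cases count: the status reflects only the latest test, while the cases come from earlier tests in the same range.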

Compliance Report - Account Assertion Matrix


This report displays, in tabular format, the account and assertion matrix, providing the deficiency status of the most recent control test executed or assessment survey submitted during a time period, and the number of reported exception cases resulting from all of the control tests and assessment surveys performed during that time period.

Each row in this report lists the number of control and survey exception cases associated with a particular organization unit/process/subprocess/significant account/assertion/control combination, and allows you to further drill down to the case information at a lower level.

You can filter and view a specific report by selecting your desired process, organization, objective, deficiency status, sort item, and/or time period.

To view and navigate the Account and Assertion Matrix report:

1. In the Reports page (see Figure 19 on page 64), select Compliance Reports - Account Assertion Matrix. The Account Assertion Matrix page appears.

Figure 21: Account Assertion Matrix Page

2. Click Show Filter to specify your search filters using the Process, Location, Deficiency, Sort By, From Date, and To Date fields or drop-down menus.

   Note: The From Date and To Date information can be for an arbitrary date range, and does not necessarily coincide with a scheduling period.

3. Click Go to view the results of your report. The report will display only the matrix information applicable to your filters. Each row in the table displays the same information described in Table 6, except for the following two columns instead of the Risk column:

Table 7: Account Assertion Matrix Report Information

Item | Description
Significant Account | Significant account associated with the organization unit. For more information, see section "Significant Accounts" on page 28 in Chapter 2, "Key Concepts".
Assertion | Financial assertion associated with the significant account. For more information, see section "Assertions" on page 28 in Chapter 2, "Key Concepts".

4. Click the numbers in the table related to the control or survey cases to display the Case List page, listing only the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".


8 REMEDIATION REPORTS

TOPICS COVERED IN THIS CHAPTER

- Introduction
- Remediation Reports
- Remediation Status by Process
- Remediation Status by Location
- Remediation Status by Groups


Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization.

Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within SAP.

This chapter describes the Remediation reports that provide the number of reported and resolved exception cases, grouped by their deficiency statuses. A reported case is a case that has been generated or created because of a deficiency or violation. A resolved case is a case that has been through the remediation process that finally resolved the deficiency.

You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Remediation reports by clicking the appropriate link as shown in Figure 22.

Figure 22: Reports Page


Remediation Reports
You can select Remediation reports for various key items, such as processes and subprocesses (for more information, see section "Processes and Subprocesses" on page 29 in Chapter 2, "Key Concepts"), organizations (for more information, see section "Organizations and Organization Hierarchy" on page 27 in Chapter 2, "Key Concepts"), and user groups (for more information, see section "User Groups" on page 30 in Chapter 2, "Key Concepts").

You can search for specific key items for your report by selecting your desired filters. You can filter your report for one specific key item, or for a combination of multiple key items, by selecting them from the filter drop-down menu(s).

Each report generally displays the report title at the top, and the results in graphical and/or tabular formats below. You can click the links, if available in the report, to drill down to other pages with more information.

To access the Remediation reports:

In the Reports page (see Figure 22 on page 70), select Remediation Reports. The Remediation Reports page appears.

Figure 23: Remediation Reports Page

The following Remediation reports are available:

- Remediation Status by Process
- Remediation Status by Location
- Remediation Status by Groups

The following sections describe each report in more detail.


Remediation Status by Process


This report displays, in tabular format, the reported and resolved exception cases, grouped by processes at the highest level, and by subprocesses at a lower level.

Each level in this report lists the associated reported and resolved exception cases by their deficiency status (Critical, Medium, Low, Adequate, or Pending Review).

In the table, the number of reported and resolved cases for each process, or each subprocess at a lower level, are added together to arrive at the totals in the last two columns.

You can filter and view specific exception cases by selecting your desired process, subprocess, and/or time period.

To view and navigate the Remediation Status by Process report:

1. In the Remediation Reports page (see Figure 23 on page 71), select Remediation Status by Process. The Remediation Status by Process page appears.

Figure 24: Remediation Status by Process Page

2. Click Show Filter to specify your search filters using the Process, Subprocess, and Period drop-down menus.
3. Click Go to view the results of your report. The report will display only the reported and resolved exception cases applicable to your filters.
4. Click a specific process link in the leftmost column to drill down to the subprocess level for that process (if the subprocess(es) exist). The Remediation Status by Subprocess page appears, listing the reported and resolved exception cases by subprocess.

Figure 25: Remediation Status by Subprocess Page

5. At the subprocess level, click a specific subprocess link in the leftmost column to drill down to the Case List page, listing only the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
6. At either the process or subprocess level, you can also click the numbers in the table to drill down to more specific information:
   a. Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing only the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
   b. Click the numbers in the table under the Adequate column to display the List of Test Results page, listing only the relevant test results. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section "Test Results Report" on page 81 in Chapter 9, "Test Results Reports".

Remediation Status by Location


This report displays, in tabular format, the reported and resolved exception cases, grouped by organizations at the highest level, and by suborganizations at lower levels.

Each level in this report lists the associated reported and resolved exception cases by their deficiency status (Critical, Medium, Low, Adequate, or Pending Review).

In the table, the number of reported and resolved cases for each organization, or each suborganization at lower levels, are added together to arrive at the totals in the last two columns.

You can search and view specific exception cases by selecting your desired process, subprocess, and/or time period.

To view and navigate the Remediation Status by Location report:

1. In the Remediation Reports page (see Figure 23 on page 71), select Remediation Status by Location. The Remediation Status by Location page appears.

Figure 26: Remediation Status by Location Page

2. Click Show Filter to specify your search filters using the Process, Subprocess, and Period drop-down menus.
3. Click Go to view the results of your report. The report will display only the cases applicable to your filters.
4. Click a specific organization link in the leftmost column to drill down to the suborganization level for that organization (if the suborganization(s) exist). The Remediation Status by Sub-Location page appears, listing the reported and resolved exception cases by suborganization.

Figure 27: Remediation Status by Sub-Location Page

5. You can continue clicking a suborganization link in the leftmost column to drill down to a lower suborganization level, until you reach the lowest suborganization level in the organization hierarchy.
6. At the lowest suborganization level, click a specific suborganization link in the leftmost column to drill down to the Case List page, listing the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
7. At any of the organization or suborganization levels, you can also click the numbers in the table to drill down to more specific information:
   a. Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing only the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
   b. Click the numbers in the table under the Adequate column to display the List of Test Results page, listing only the relevant test results. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section "Test Results Report" on page 81 in Chapter 9, "Test Results Reports".


Remediation Status by Groups


This report displays, in tabular format, the reported and resolved exception cases, grouped by user groups.

Each user group in this report lists the associated reported and resolved exception cases by their deficiency status (Critical, Medium, Low, Adequate, or Pending Review).

In the table, the number of reported and resolved cases for each user group are added together to arrive at the totals in the last two columns.

You can search and view specific exception cases by selecting your desired process, subprocess, and/or time period.

To view and navigate the Remediation Status by Groups report:

1. In the Remediation Reports page (see Figure 23 on page 71), select Remediation Status by Groups. The Remediation Status by Groups page appears.

Figure 28: Remediation Status by Groups Page

2. Click Show Filter to specify your search filters using the Process, Subprocess, and Period drop-down menus.
3. Click Go to view the results of your report. The report will display only the cases applicable to your filters.
4. At the user group level, click a specific user group link in the leftmost column to drill down to the Case List page, listing the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
5. You can also click the numbers in the table to drill down to more specific information:
   a. Click the numbers in the table under the Critical, Medium, Low, or Pending Review columns to display the Case List page, listing only the relevant cases. For more information, see section "Case List" on page 157 in Chapter 13, "Case Management and Remediation". In the Case List page, you can then select individual cases and click Edit to view the case information. For more information, see section "Editing a Case" on page 159 in Chapter 13, "Case Management and Remediation".
   b. Click the numbers in the table under the Adequate column to display the List of Test Results page, listing only the relevant test results. In the List of Test Results page, you can then select individual test reports by clicking a Control ID link to view the result for that particular control test. For more information, see section "Test Results Report" on page 81 in Chapter 9, "Test Results Reports".


9 TEST RESULTS REPORTS

TOPICS COVERED IN THIS CHAPTER

- Introduction
- Test Results Report
- Automated Control Test Report
- Manual Control Test Report


Introduction
The Reports module provides various reports documenting many types of information in graphical and/or tabular formats, giving you a quick overview of the overall state of compliance of your organization.

Most reports provide drill-down capabilities to the lowest levels, to track different aspects of a business control, and to determine the root violation cause within SAP.

This chapter describes the Test Results reports that deliver the detailed results from the automated control tests, providing information on the objects related to the control tests, the overall status of the tests executed, and the exception cases reported for a particular time period.

You access the Reports module by clicking the Reports tab to display the Reports page. Then you access the Test Results reports by clicking the appropriate link as shown in Figure 29.

Figure 29: Reports Page


Test Results Report


The Test Results report provides the configuration and transaction details of the automated control tests scheduled and executed in the Process Control application. For more information on how to configure your controls and schedule your control tests, see the Process Control Version 2.0 Configuration Guide.

Once you execute the control tests, Process Control captures the results in this report to help you summarize the compliance status of your organization.

You can search for specific control test results by selecting your filters. This report displays the control test results organized by control IDs.

In the displayed report information, you can click the control ID link to drill down to the control test details, the rule ID link to drill down to the rule details, or the case ID link to drill down to the case details.

Important: The Test Results reports are available only for automated control tests. Manual control tests will not generate Test Results reports. However, you can view the Control Execution Monitor or the Management reports to see the results from the manual control tests. For more information, see section "Control Execution Monitor (CEM)" on page 49 in Chapter 5, "Main Modules" and Chapter 6, "Management Reports".

To view and navigate the Test Results report:

1. In the Reports page (see Figure 29 on page 80), select Test Results. The List of Test Results page appears.
2. You can specify your search filters using the Process, Subprocess, Location, Frequency, Control ID, and Deficiency Type fields and drop-down menus.
3. Click Go to view the results of your report. The report will display only the results of the control tests applicable to your filters.

Figure 30: List of Test Results Page

Each row in the table displays the following:

Table 8: Test Results Report Information

Item | Description
Control ID | Unique ID for the control.
Description | Brief description of the control.
Location | Organization associated with the control.
Period | Time period when the control test was executed.
Status | Overall deficiency status resulting from the control test.

4. Click a Control ID link in the table. A page appears displaying the control test results. This page varies depending on whether the control was an automated control or a manual control. For the automated control test results, see section "Automated Control Test Report" on page 83. For the manual control test results, see section "Manual Control Test Report" on page 88.


Automated Control Test Report


To view the results from an automated control test:

1. Click a Control ID link in the List of Test Results page (see Figure 30 on page 82). The Control Test Results page appears with control test details, grouped by system at the highest level, then by control ID at a lower level under each system.

Figure 31: Control Test Results Page (Automated Control)

   You can click the Down icon next to the level label to expand or collapse the panes showing the test details.

2. Click the Down icon next to the Control ID and Control Description label at the top. The header pane for the control test appears.

Figure 32: Control Test Header Pane

   Each control ID level contains the test result header data at the top, and test result line item data in a table below, if applicable.


Theheaderpanedisplaysthefollowingheaderinformation:
Table 9
Item
Rule ID Description Version Location

Control Test Result Header Information


Description

Unique ID for the rule associated with the control test.

Description for the rule associated with the control test.

Version number for the rule associated with the control test.

Organization associated with the control test. For more information, see section Organizations and Organization Hierarchy on page 27 in Chapter 2, Key Concepts.

Process: Process associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.

Subprocess: Subprocess associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.

Control Origin: Origin or source of the control. The various sources are: SAP GRC, Customized, SAP Standard.

Total Records Analyzed: Total number of control execution records analyzed for this control test.

Overall Status: Control test deficiency status. This overall status is the highest deficiency found from all the line item violations: Critical, Medium, or Low. If no violations occurred, then the status would be Adequate. For example, assume that the control test resulted in 6 total line item violations, of which 2 are Critical, 3 are Medium, and 1 is Low. The overall status would be Critical since this is the highest deficiency status from the 6 violations.

Total Violations: Total number of line item violations resulting from this control test. Following the previous example, the total violations would be 6.

Critical: Total number of critical priority violations resulting from this control test. Following the previous example, the number of critical violations would be 2.

Medium: Total number of medium priority violations resulting from this control test. Following the previous example, the number of medium violations would be 3.

Low: Total number of low priority violations resulting from this control test. Following the previous example, the number of low violations would be 1.

Run by User: ID of the user who performed the control test.

Date & Run Time: Date and time of control test execution.

System: System that the control test was performed on.

Case Number: Number of the case resulting from the control test.

Period: Time period that the test was executed for.

Risk Value: Aggregated risk amount for this control test, computed from the significant account associated with the control test, if applicable.

Significant Account: Significant account associated with the control test. For more information, see section Significant Accounts on page 28 in Chapter 2, Key Concepts.

If you want to drill down to the rule information, click the Rule ID link to go to the Rules Library Details page. For more information, see the Rules Library section in the Process Control Version 2.0 Configuration Guide.

If you want to drill down to the case information, click the Case Number link to go to the View/Edit Case page. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.

Note: The same automated control test executed on multiple instances of different systems might have different test results and violations. However, the Rule ID links and Case Number links from the header area for each system will all point to the same rule and case information.

Below the header information, the rows in the table (see Figure 31 on page 83) represent the violations found from line item transactions, as a result of this control test.

Note: If the test result deficiency status is Adequate, meaning no violation was found, then there would be no violation table.

The columns in the table display different information depending on the type of control and rule/rule criteria configured for this control test. Table 10 describes some common columns that might appear:


Table 10: Line Item Violation Information

Sequence Number: Sequence number for the line item transaction.

Deficiency Type: Deficiency type of the line item violation: Critical, Medium, or Low. For more information, see section Deficiency Type on page 24 in Chapter 2, Key Concepts.

Deficiency Description: Brief description of the deficiency issue.

Old Value: The old value before the line item transaction occurred, if applicable.

New Value: The new value after the line item transaction occurred, if applicable.

User ID: The ID of the user who made this transaction, if applicable.

Change Date: The date that the transaction was logged, if applicable.

Change Time: The time that the transaction was logged, if applicable.

Change Control Indicator (CCI): An X in this column indicates that some change occurred from the line item transaction.

PDF File Attachment

You can click an icon within the test result header pane to download an attached PDF file that contains additional analysis report information.

Note: This functionality is available only for the SAP standard and custom controls. Controls delivered by SAP GRC do not include attached PDF files.

To view and download the attached PDF file:

1. Follow the steps described in section Test Results Report on page 81 to search and view your desired analysis report.
2. If control data exist within your search criteria, they will be displayed in the control header pane as shown in Figure 33.

Figure 33: Control Header Pane

3. Click the Upload icon next to the Report File field. The PDF file opens in a new browser window. Figure 34 shows an example.

Figure 34: PDF File in Browser

Manual Control Test Report


To view the results from a manual control test:

1. Click a Control ID link in the List of Test Results page (see Figure 30 on page 82). The Control Test Results page appears with the header pane and sequence of steps.

Figure 35: Control Test Results Page (Manual Control)

The header pane displays the following header information:
Table 11: Control Test Result Header Information

Location: Organization associated with the control test. For more information, see section Organizations and Organization Hierarchy on page 27 in Chapter 2, Key Concepts.

Test Plan Owner: Owner group for the test plan.

Process: Process associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.

Deficiency Type: Deficiency type resulting from the manual control test: Critical, Medium, or Low. For more information, see section Deficiency Type on page 24 in Chapter 2, Key Concepts.

Subprocess: Subprocess associated with the control test. For more information, see section Processes and Subprocesses on page 29 in Chapter 2, Key Concepts.

Risk Value: Aggregated risk amount for this control test, computed from the significant account associated with the control test, if applicable.

Control ID: ID of the manual control.

Status: Control test overall status: pass or fail.

Documents: Supporting documents associated with the test plan.

Add Documents: Supporting documents you can upload with the test plan.

Case Number: Number of the case resulting from the control test.

Case Description: Description of the case resulting from the control test.

If you want to drill down to the case information, click the Case Number link to go to the View/Edit Case page. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.

2. Below the header information, the rows in the table display the sequence of steps performed for the manual control test, and the status of each step. The table displays the following test step information:

Table 12: Test Step Information

#: Test step number.

Step: Test step name.

Description: Test step description.

Owner: Test step owner.

Status: Test step status: fail, pass, or pending.

Last Updated: When the test step was last updated.

Documents: Supporting documents associated with the test step.

10 ASSESSMENTS THROUGH SURVEYS

TOPICS COVERED IN THIS CHAPTER

- Introduction
- Assessments Through Surveys
- Types of Assessments
- Survey Categories
- Survey Master Data
- Overview Of Functional Flow For Surveys
- Creating a Question Library
- Creating or Copying a Survey
- Scheduling a Survey
- Sending Survey Tasks and Instances
- Recalling a Survey Instance
- Responding to and Returning a Survey Instance
- Resending a Survey Instance
- Reviewing and Disapproving a Survey Instance
- Maintaining the Survey Flow
- Survey Cases
- Deactivating a Survey

Introduction
Process Control is a solution that aids the certification process under Section 302 and Section 404 of the Sarbanes-Oxley Act of 2002. As part of this certification process, there is a need to perform assessment activities throughout the organization. You can perform these assessment activities in the Process Manager module.

You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the assessment features from the Survey Management submodule highlighted in Figure 36.

Figure 36: Process Manager Page

The following sections describe the features in the Survey Management submodule. You access these features either by selecting from the navigator menu in the left sidebar, or by clicking the corresponding link in the right side of the page.

Important: The following sections list only the steps for creating an item. For information regarding how to filter, how to modify, or how to delete the item, if applicable, see sections Filtering an Item on page 41, Modifying an Item on page 42, and Deleting an Item on page 43 in Chapter 4, User Interface.

Assessments Through Surveys


Assessment is an effective tool to help the business owners in various capacities to certify the effectiveness of the various control environments in your enterprise, to meet the regulatory requirements for Governance, Risk, and Compliance for certifications such as Section 302 and Section 404 of the Sarbanes-Oxley (SOX) Act. The assessment features enable you to determine that the business controls set is working as designed and is effective.

Types of Assessments

The types of assessments include:

- Control Design And Effectiveness Assessment: The internal auditors, the SOX team, the business process owners, or the control owners conduct periodic surveys to assess the design or test effectiveness of controls, depending upon your organization's compliance policy.
- Process Design And Effectiveness Assessment: The internal auditors, the SOX team, or the business process owners conduct periodic surveys to assess the design or test effectiveness of subprocesses, depending upon your organization's compliance policy.
- Entity-Level Control Assessment: You review and test the entity-level controls through assessment. Entity-level controls (also referred to as company-level or pervasive controls) exist at a higher level in the organization than process-oriented control activities and often relate to all organizations and business units. These controls are usually assessed fairly high in the organization by persons with a strong view of the big picture and how the entity-level controls affect overall compliance.
- Self-Assessment: The process owner or control owner conducts an independent test or other review to evaluate his own subprocesses or controls under his purview. A self-assessment might or might not require formal testing, but usually self-assessment testing is less formal and possibly less comprehensive than a test of effectiveness performed by auditors. Self-assessment is often used as a way to monitor controls and to identify and remediate issues before the formal test of effectiveness is performed.

  Note: Self-assessment differs from testing of effectiveness in that it involves the survey functionality, rather than the test of effectiveness functionality with formal test plans and execution usually performed by independent internal auditors.

- Sign-Off Assessment: You use the survey functionality to perform hierarchy-based sign-off by responsible parties at the organization, process, and subprocess levels.

This chapter describes the first four types of assessments, as these are similar to each other. For details on the last type of assessment, Sign-Off Assessment, see Chapter 11, Sign-Off Assessment.

For more information related to the configuration of organizations, controls, processes, subprocesses, and entity-level controls, see the Process Control Version 2.0 Configuration Guide.

Survey Categories
Within Process Control, you perform assessments via surveys, a set of questions that are sent to individuals across your organization for feedback, with optional review by other personnel. Based on the feedback, the internal audit department or SOX team will perform an assessment, such as a process assessment or control assessment, and so on.

The general survey requirements dictate the need for a configurable survey category to choose which type of survey you are creating. Based on the category, some of the survey data and attributes will change. The predefined survey categories are based on the assessment types (for details, see section Types of Assessments on page 93).

The different types of survey categories, their related objects, and their uses are described in Table 13.

Table 13: Survey Categories Information

Survey Category: Process Design Assessment
Related Objects: Organization-subprocess
Use: You use this survey category at the subprocess level for process design assessment. You can also use this survey category for a self-assessment survey at the subprocess level.

Survey Category: Control Design Assessment
Related Objects: Organization-control
Use: You use this survey category at the control level for control design assessment. You can also use this survey category for a self-assessment survey at the control level.

Survey Category: Entity-Level Control Assessment
Related Objects: Organization-ELC (entity-level control)
Use: You use this survey category at the entity-level control level for ELC assessment. You can also use this survey category for a self-assessment survey at the entity control level.

Survey Category: Sign-Off
Related Objects: Configurable to include organization, process, and subprocess
Use: You use this survey category for sign-off and certification.

Important: Self-assessment is not a separate survey category. To create a self-assessment survey, you choose Self Assessment as a sub-category of the Process Design or Control Design or ELC survey category. You can differentiate the self-assessment surveys by assigning a different survey name and a different short reporting name.

Survey Master Data


The survey master data include the users, user groups, and authorizations for the survey-related roles associated with the user groups, as well as the survey parameters/defaults and survey status. You set up the user groups using the Administration module. For more information, refer to the User Groups section in the Process Control Version 2.0 Configuration Guide.

Survey-related User Roles

The survey-related user roles include:

- Survey Administrator: Is responsible for creating, editing, scheduling, monitoring, recalling, and resending the surveys.
- Survey Respondent: Is responsible for returning the survey to the administrator if necessary, responding to survey questions, optionally providing ratings/deficiency levels for survey instances at the object level within organizations, and submitting the survey. An object can be a control, subprocess, or entity-level control, depending on the survey category.

  Note: The survey respondent might be one person, or several people, depending on the configuration of the user group assigned to be the respondent.

- Survey Reviewer: Is responsible for returning the survey to the respondent if necessary, reviewing and optionally providing ratings/deficiency levels for survey instances at the object level within organizations, and submitting the survey. An object can be a control, subprocess, or entity-level control, depending on the survey category.

  Note: Survey reviews are optional for the process/control/ELC/self-assessment survey categories. The sign-off survey category does not require a review. The survey reviewer might be one person, or several people, depending on the configuration of the user group assigned to be the reviewer.

For more information on the respondent/reviewer assignments, see Figure 42 on page 108, and the Subprocess, Control, or Entity-Level Control sections in the Process Control Version 2.0 Configuration Guide.

General Survey Data Configuration

The general survey data configuration includes the following activities:

- You define whether the survey is subject to review. Default value = no. You define this option by configuring the Review Required drop-down menu when you create a survey. Select Yes if the survey is subject to review. Otherwise, select No. For more information, see section Creating or Copying a Survey on page 103.
- You define whether the survey rating/deficiency level is entered by the respondent or by the reviewer. Default value = respondent. You define this option by configuring the Reviewer Can Change Rating drop-down menu when you create a survey. Select Yes if the reviewer can set the rating of the survey. Otherwise, select No to indicate that the respondent can set the rating of the survey. Either the reviewer or the respondent can set the survey rating, but not both. For more information, see section Creating or Copying a Survey on page 103. By default, the ratings/deficiencies are defined as an Adequate rating (positive response from survey) or a deficiency of Critical, Medium, or Low priority (negative responses from survey).
- You provide configurable text for email notifications and for reminding the administrator or respondents/reviewers of their responsibilities. For information, see the Standard Text section in the Process Control Version 2.0 Configuration Guide.

Survey IDs

When you create a survey, Process Control automatically provides your created survey with a unique ID. When you schedule a survey, Process Control also automatically provides your scheduled survey instances with unique IDs, different from the created survey's ID. These IDs are based on a configurable number range for which you can define a different ID prefix for each type of survey, for easy identification. For more information, see the Number Range section in the Process Control Version 2.0 Configuration Guide.

Once you have defined your various number ranges, you then associate a particular number range with the appropriate survey category. For more information, see the Survey Defaults section in the Process Control Version 2.0 Configuration Guide, and the next section.

Survey Parameters and Defaults

The survey parameters and defaults are some control points that are predefined for efficient user experience and for managing the survey feature. You can overwrite and update these parameters as appropriate. The survey parameters and defaults are described in Table 14.

Table 14: Survey Parameters and Defaults Information

Survey Parameter: Default Series Number Range
Default Value: Default number range has 3 characters for the ID prefix, and up to 9 characters for the ID number.
Description: You may define and assign a different number range for each survey category for easy identification. Process Control generates the survey IDs based on your assigned number range. The survey ID consists of up to 12 alphanumeric characters (3 characters for the ID prefix, up to 9 characters for the ID number). You can configure your number ranges to have different prefixes to distinguish each survey category.

Survey Parameter: Default Reminder in Days
Default Value: Default value = 0 days
Description: This is the default number of days after the survey is sent, when Process Control will send the reminder notification to the respondents if they have not yet responded. Enter this value as a positive number, indicating the number of days after the survey start date.

Survey Parameter: Default Escalation in Days
Default Value: Default value = 0 days
Description: This is the default number of days after the survey is sent, when Process Control escalates the survey to the higher-level respondents, if the current survey respondents have not yet answered and submitted the survey. Enter this value as a positive number, indicating the number of days after the survey start date. The default higher-level respondents are the owners of the objects (control, subprocess, or entity-level control).

Survey Parameter: Default Sign-Off Level
Default Value: Default value = none.
Description: This is the default level(s) at which the hierarchical sign-offs from the bottom up will be performed. This parameter only applies to the Sign-off survey category. For more information, see section Survey Parameters and Defaults on page 121 in Chapter 11, Sign-Off Assessment.

For more information on how to configure the survey parameters and defaults, see the Survey Defaults section in the Process Control Version 2.0 Configuration Guide.

Survey Statuses

Process Control provides the survey statuses as non-configurable system values. Process Control captures the survey status change along with the user and timestamp information for reporting purposes. The predefined survey statuses are as follows:

- Open: The survey is scheduled for one or more organization-object combinations, but not yet sent to the respondents.
- Assigned: The survey is sent to the respondents.
- In Process: A survey instance is opened or partially answered.
- Sent for Review: A survey instance that is subject to review is now under review.
- Recalled: A survey instance has been recalled by the survey administrator for selected organization-objects.
- Resent: A survey instance has been resent by the survey administrator to the respondents.
- Returned: A survey instance has been returned by the respondent to the survey administrator, because he/she is not the proper respondent.
- Rework: A survey instance that is subject to review has been returned by the reviewer to the respondent for rework.
- Completed: A survey instance is completed. For a survey that is not subject to review, this means that the survey instance has been submitted by the respondent. For a survey that is subject to review, this means that the survey instance has been reviewed and accepted by the reviewer.
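Because each status change is captured with user and timestamp, the trail can be checked against the role each status definition implies. The following Python sketch is an added example, not SAP code or a Process Control export format: the record layout, role labels, user and survey IDs, and the transition table inferred from the definitions above are all assumptions.

```python
from collections import namedtuple

# Constructed record layout. The guide says status changes are captured with
# user and timestamp; these field names and the role field are assumptions.
Change = namedtuple("Change", "instance timestamp user role status")

# (previous status, new status) -> role expected to cause the change.
# Inferred from the status definitions in this guide; an assumption,
# not a documented Process Control state machine.
ALLOWED = {
    ("Open", "Assigned"): "system",
    ("Assigned", "In Process"): "respondent",
    ("Resent", "In Process"): "respondent",
    ("Rework", "In Process"): "respondent",
    ("Assigned", "Returned"): "respondent",
    ("In Process", "Returned"): "respondent",
    ("Returned", "Resent"): "administrator",
    ("Assigned", "Recalled"): "administrator",
    ("In Process", "Recalled"): "administrator",
    ("Recalled", "Resent"): "administrator",
    ("In Process", "Sent for Review"): "respondent",
    ("Rework", "Sent for Review"): "respondent",
    ("Sent for Review", "Rework"): "reviewer",
    ("Sent for Review", "Completed"): "reviewer",
    ("In Process", "Completed"): "respondent",
}


def audit(changes, review_required):
    """Return (instance, timestamp, reason) for each suspicious status change.

    review_required maps a survey instance ID to the survey's
    Review Required setting (True or False).
    """
    findings = []
    last = {}
    for c in sorted(changes, key=lambda c: (c.instance, c.timestamp)):
        prev = last.get(c.instance)
        last[c.instance] = c.status
        if prev is None:
            if c.status != "Open":
                findings.append((c.instance, c.timestamp,
                                 "trail does not start at Open"))
            continue
        needs_review = review_required.get(c.instance, False)
        role = ALLOWED.get((prev, c.status))
        if role is None:
            reason = f"{prev} -> {c.status} is not a defined transition"
        elif role != c.role:
            reason = f"{prev} -> {c.status} by {c.role}, expected {role}"
        elif (prev, c.status) == ("In Process", "Completed") and needs_review:
            reason = "completed without the required review"
        elif c.status == "Sent for Review" and not needs_review:
            reason = "sent for review although no review is configured"
        else:
            continue
        findings.append((c.instance, c.timestamp, reason))
    return findings


def trail(instance, steps):
    """Build Change records from (user, role, status) steps, one minute apart."""
    return [Change(instance, f"2006-03-01T09:{i:02d}", user, role, status)
            for i, (user, role, status) in enumerate(steps)]


START = [("SYSTEM", "system", "Open"), ("SYSTEM", "system", "Assigned")]

# Constructed sample data: IDs, users and timestamps are invented.
SAMPLE = (
    trail("SUR000000001", START + [          # reviewed survey, clean
        ("RESP01", "respondent", "In Process"),
        ("RESP01", "respondent", "Sent for Review"),
        ("REV01", "reviewer", "Rework"),
        ("RESP01", "respondent", "Sent for Review"),
        ("REV01", "reviewer", "Completed")])
    + trail("SUR000000002", START + [        # review skipped
        ("RESP02", "respondent", "In Process"),
        ("RESP02", "respondent", "Completed")])
    + trail("SUR000000003", START + [        # recalled after submission
        ("RESP03", "respondent", "In Process"),
        ("RESP03", "respondent", "Sent for Review"),
        ("ADMIN01", "administrator", "Recalled")])
    + trail("SUR000000004", START + [        # no review configured, clean
        ("RESP04", "respondent", "In Process"),
        ("RESP04", "respondent", "Completed")])
)
REVIEW_REQUIRED = {"SUR000000001": True, "SUR000000002": True,
                   "SUR000000003": True, "SUR000000004": False}

if __name__ == "__main__":
    for finding in audit(SAMPLE, REVIEW_REQUIRED):
        print(*finding, sep=" | ")
```
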


Overview Of Functional Flow For Surveys


This section briefly describes the important activities that occur through the life cycle of an assessment through a survey. These activities include:

1. You define the survey master data, including the users, user groups, number ranges, and survey parameters and defaults. For more information, see section Survey Master Data on page 95.
2. You create and maintain the survey question library. For more information, see section Creating a Question Library on page 100.
3. The survey administrator creates a new survey for a particular survey category from scratch, or copies an existing survey and then makes the appropriate modifications. For information, see section Creating or Copying a Survey on page 103.
4. The survey administrator schedules a survey using the Scheduler feature. For information on the scheduling process, see section Scheduling a Survey on page 108.
5. Process Control sends the survey to the respondents on the defined scheduled date. For information on the survey sending process, see section Sending Survey Tasks and Instances on page 109.
6. The survey administrator can recall selected survey instances if they have been defined incorrectly (incorrect questions or incorrect respondents) and they have not been submitted by the respondents. The survey administrator fixes the errors as appropriate, and then reschedules the survey instances to be sent again to the respondents. For information, see section Recalling a Survey Instance on page 109.
7. Once the survey is scheduled and sent, the respondents receive communication via email and also as a task in their My Tasks list. The respondents read the survey questionnaire and respond to the survey instances. If the respondents feel that a survey instance was sent incorrectly to them, they can return that survey instance to the survey administrator. For information, see section Responding to and Returning a Survey Instance on page 111. For information on the My Tasks list, see section My Tasks on page 131 in Chapter 12, User Inbox.
8. For the survey instances that have been returned by the respondents, the survey administrator proceeds to fix the assignments and then resends these survey instances to the proper respondents. For information, see section Resending a Survey Instance on page 113.
9. If the survey is subject to be reviewed, once a respondent responds and submits a survey instance, it is then routed to the reviewer. The reviewer reviews and accepts the survey instance. In the case of a dispute, the reviewer can return the survey instance to the respondent for rework, or the survey instance is mutually discussed between the respondent and the reviewer, until the final survey response is submitted and accepted. For information, see section Reviewing and Disapproving a Survey Instance on page 113.
10. Process Control maintains the survey process and its flow automatically. For more information, see section Maintaining the Survey Flow on page 114.
11. If a survey instance results in a deficiency, Process Control generates a case which then follows the standard remediation path. For a survey instance resulting in a deficiency, the respondent or reviewer can also create a manual case if desired. For more information, see section Survey Cases on page 115.
12. Process Control updates the survey response and compiles the results for analysis reporting and for updating the Survey Status page (see Figure 43 on page 110). For information on the analysis reports, see Chapter 7, Compliance Reports.
13. If some surveys are no longer required in the data repository, then the survey administrator can deactivate them. For information, see section Deactivating a Survey on page 115.

The following sections discuss these activities in further detail.

Creating a Question Library


The survey administrator creates a question library that becomes a repository for the various survey categories. This library provides a ready reference question list when you create a new survey. You can select the questions for your survey from this question list. The question list can be printed, uploaded, or downloaded. You can upload from an Excel file the question data, instead of creating it from scratch. To upload this data, you need to format it properly using a predefined template. For more information, see the Upload Master Data section in the Process Control Version 2.0 Configuration Guide.

To create the questions in the question list:

1. In the navigation menu, select Survey Management > Question Library. Alternatively, click the Question Library link in the Process Manager page (see Figure 36 on page 92). The Question Library page appears showing a table listing all of the questions found in the database.

Figure 37: Question Library Page

2. Click Create. The Create Question pane appears.

Figure 38: Create Question Pane

3. The Question ID will be created by the system automatically.
4. In the Category drop-down menu, select the survey category applicable to this question. For more information, see section Survey Categories on page 94.
5. In the Frequency drop-down menu, select the normal frequency for the question. This frequency is used primarily for filtering purposes. When you create a survey, you might want to see only the list of questions for a particular frequency timeframe to select from, instead of seeing the entire long list of available questions. The following predefined choices are available:
   - Daily
   - Fortnightly (Bi-weekly)
   - Half Yearly
   - Monthly
   - Quarterly
   - Random
   - Weekly
   - Yearly
6. In the Active drop-down menu, select Yes if you consider this question as active. Otherwise, select No to make it inactive. A question is active if it can be displayed in a list and can be used for a survey. If you do not want to use a question for a survey, or you do not want to have the question displayed in a filtered list, then make it inactive.
7. In the Question text box, enter the question text description.
8. In the Answer Type drop-down menu, select the type of answer for this question, from the following choices:
   - Rating: The answer to this question will consist of a rating from 1 to 5 (low to high, negative to positive). This rating range (1-5) is predefined and cannot be changed.
   - Text: The answer to this question will consist of free text.
   - Yes/No/NA: The answer to this question will be Yes, No, or Not Applicable.
9. If you selected Rating or Yes/No/NA for your answer type, then in the Negative Answers area, indicate what constitutes a negative answer or answers for this question, by selecting the check boxes next to each type of answer you consider to be negative. This indication is used for reporting purposes and for requiring a comment for negative answers. For example, for the Yes/No/NA answer type, you can indicate that an answer of No or NA is considered to be a negative response. For the Rating answer type, you can indicate that a response < 3 is considered negative by selecting the check boxes for 1 and 2.

   Note: The Text answer type does not have the ability to indicate a negative response.

10. The Created On and Created By fields are automatically populated by the system. When a question is modified, the system also captures the change date and change by information for reporting purposes.
11. In the Links area, select the check box for the analysis report(s) that you want to link the question to. You can select any or all of the following reports:
    - Management Reports By Process (for more information, see Chapter 6, Management Reports)
    - Management Reports By Assertion (for more information, see Chapter 6, Management Reports)
    - Compliance Report Significant Account and Assertion Matrix (for more information, see Chapter 7, Compliance Reports)
    - Compliance Report Control and Risk Matrix (for more information, see Chapter 7, Compliance Reports)

    When the respondent (and optionally the reviewer) receives the survey instances sent to them, they will see the links to the selected reports for each question. They can click the link to the desired report to view additional information that might help them answer the question.
12. Click Save. Process Control automatically assigns a unique ID for each question that you create.

Creating or Copying a Survey


After creating a question list, the survey administrator then creates a survey for a survey category.

Note: It is a best practice to create uniform surveys for all organizations. This reduces manual administration and facilitates comparative reporting.

Creating a Survey

To create a survey:

1. In the navigation menu, select Survey Management > Survey. Alternatively, click the Survey link in the Process Manager page (see Figure 36 on page 92). The Survey page appears showing a table listing all of the surveys found in the database.

Figure 39: Survey Page

2. Click Create. The Create Survey and Question panes appear.

Figure 40: Create Survey and Question Panes

3. In the Category drop-down menu, select the survey category. For more information, see section Survey Categories on page 94.
4. In the Sub Category drop-down menu, select the survey sub-category.

   If the previously selected survey category is either for a control/process/ELC assessment, you can select from the following choices:
   - <Blank>: This indicates that this survey is for a regular control/process/ELC assessment, not for a self-assessment.
   - Self Assessment: This indicates that this survey is for a self-assessment.

   If the previously selected category is Sign-Off Certification, you can select from the following choices:
   - 302: This indicates that the sign-off survey is to fulfill the requirements from Section 302 of the Sarbanes-Oxley Act.
   - 404: This indicates that the sign-off survey is to fulfill the requirements from Section 404 of the Sarbanes-Oxley Act.
5. In the Frequency drop-down menu, select the normal frequency for the survey. This frequency is used primarily for filtering purposes. When you filter or schedule a survey, you might want to see only the list of surveys for a particular frequency timeframe to select from, instead of seeing the entire long list of available surveys. The following predefined choices are available:
   - Daily
   - Fortnightly (Bi-weekly)
   - Half Yearly
   - Monthly
   - Quarterly
   - Random
   - Weekly
   - Yearly
6. Process Control automatically assigns a unique ID for each survey that you create.
7. In the Survey Title and Survey Short Title fields, enter the title or name for the survey, and the short title for use in tabular reporting.
8. The Created By and Created On fields are automatically populated by the system.
9. The Comments field is not editable until after you have saved the survey. Once a survey has been saved, next to the Comments field, click the Plus icon or the Add/View All link to display a pop-up window, then enter your comments and click Add.
10. In the Active drop-down menu, select Yes if you consider this survey as active. Otherwise, select No to make it inactive. A survey is considered active if it is in use and can be scheduled and displayed in the reports and dashboards. An active survey cannot be deleted. You can delete a survey only after it is deactivated.
11. In the Review Required drop-down menu, select Yes if this survey is subject to a formal, documented review by a survey reviewer. Otherwise, select No. The survey review is optional.
12. If the survey is subject to a review, in the Reviewer Can Change Rating drop-down menu, select Yes if the reviewer can set the rating/deficiency for the survey. Otherwise, select No to indicate that the respondent can set the rating/deficiency for the survey. Either the reviewer or the respondent can set the survey rating/deficiency, but not both. By default, the selection is No to indicate the respondent. The ratings/deficiencies are defined as follows:
    - Adequate rating: Positive response from survey.
    - Critical, Medium, or Low deficiency: Negative responses from survey, according to deficiency level.
13. In the Validity field, enter the date from the Calendar icon that is the starting date for the validity date range for this survey. In the To field, enter the date from the Calendar icon that is the ending date for the validity date range for this survey. You cannot schedule the survey for a time period outside this validity date range. However, you can still copy the survey to a new survey, if desired, at any time.
14. The Survey Documents field is not shown until after you have saved the survey. Next to the Survey Documents label, click the Upload icon to attach documents to provide supporting information for this survey. A pop-up window appears showing the Upload Document pane. For more information, see section Uploading and Revising a Document on page 44 in Chapter 4, User Interface.
15. In the Survey Instructions field, enter the name of the standard text containing the instructions for answering this survey. You can also click the Search icon displayed next to this field, enter a name or click Search, and select a specific standard text from the pop-up list. You can configure different standard text messages for different purposes. For more information, see the Standard Text section in the Process Control Version 2.0 Configuration Guide.
16. Set up the survey questions as described in the following section, and click Save.

Note: Keep in mind that you can suppress the questions for a given survey if you wish, by simply not adding any questions when you create the survey.

To add or delete the survey questions for a survey:

1. In the Survey Questions pane (see Figure 40), click Add Questions. A pop-up window appears.

Figure 41: Search Questions Pop-up Window

2. In the Search Questions pop-up window, do the following:
   a. In the Select Survey Category drop-down menu, the survey category that you selected previously when you create the survey appears. You can overwrite and select a different survey category for filtering this question if you wish. For more information, see section Survey Categories on page 94.
   b. In the Select Frequency Type drop-down menu, the frequency that you selected previously when you create the survey appears. You can overwrite and select a different frequency for filtering this question if you wish.
   c. In the Question field, enter the question text description. You can enter the entire description, or a portion of the description followed by a wildcard character such as *, to display the list of all questions that match your entered expression.
   d. Click Search. Question(s) from a list filtered based upon the previously selected survey category and frequency and question description appear.
   e. In the list of available questions, select the check box(es) for the question(s) you want to add. Click Select. Each question selected will bring in the question text, frequency, and answer type from the question list defined earlier (see section Creating a Question Library on page 100). Your selected questions appear in the table in the Question pane.
3. Repeat from Step 1 if you wish to add more question(s) from different categories or frequencies.
4. In the table showing the list of questions that you have added, click the Upload icon to attach documents to explain how to answer each question or to provide clarifications. Click the Up icon to move the current question up in the list. Click the Down icon to move the current question down in the list.
5. To delete a question or multiple questions, select the check box(es) for the question(s) that you want to delete, and click Delete Questions.

Copying a Survey

You can upload the survey definition data from an Excel file, instead of creating it from scratch. To upload this data, you need to format it properly using a predefined template. For more information, see the "Upload Master Data" section in the Process Control Version 2.0 Configuration Guide. The survey administrator can always copy an existing or uploaded survey and modify it to create a new survey.

To copy a survey:

1. In the navigation menu, select Survey Management > Survey. Alternatively, click the Survey link in the Process Manager page (see Figure 36 on page 92). The Survey page appears showing a table listing all of the surveys found in the database (see Figure 39 on page 103).
2. If you want to copy an existing survey, select the button for the survey that you want to copy from, and click Copy. The Copy Survey and Question panes appear (similar to the Create Survey and Question panes, see Figure 40 on page 104), populated with information from the selected survey.
3. Make your changes as appropriate, including giving the survey a new title. For information on each survey element, see section "Creating or Copying a Survey" on page 103. If you want to change the survey questions themselves, you need to edit the question list in the Question Library. For information on each question element, see section "Creating a Question Library" on page 100.
4. Click Save. This creates a new survey based on the copied survey but with your latest modifications.


Scheduling a Survey
After creating a survey, the survey administrator then schedules the survey to be sent to the respondents and optional reviewers using the Scheduler feature. For more information, see the "Scheduler" section in the Process Control Version 2.0 Configuration Guide.
Note The survey administrator can schedule surveys in advance for any time periods, and can also change the send date at any time before the survey is actually sent to the respondents.

In the Scheduler feature, the survey administrator selects the survey time period and frequency, and the organization-object combinations for which the survey will be scheduled and sent. An object can be a control, subprocess, or entity-level control, depending on the survey category. Once the survey administrator saves a schedule, Process Control creates a survey schedule record and automatically generates the appropriate survey tasks and survey instances to be sent to the appropriate respondents and optionally reviewers.

Process Control derives the survey respondents, and optionally the survey reviewers, from the assignments at the object level. Figure 42 shows the Assign Owners pane, where you configure the object survey respondent/survey reviewer information, by selecting the appropriate user group.

Figure 42: Assign Owners Pane

For more information on the respondent/reviewer assignments, see the "Subprocess", "Control", or "Entity-Level Control" sections in the Process Control Version 2.0 Configuration Guide.

Process Control automatically assigns a unique ID for each survey schedule record, prepares the resulting survey tasks by grouping by respondent and optionally by reviewer, and creates a link to each of the survey instances (one instance for each scheduled organization-object combination).

Each survey schedule record can result in multiple survey tasks to be sent to the My Tasks list, one survey task for each respondent and later on, optionally one survey task for each reviewer. Each survey task provides links to multiple survey instances, one instance for each organization-object combination scheduled for the survey. A reviewer will receive their survey instances after the respondent has responded to and submitted their survey instances.


Example:

The survey administrator selects for a survey schedule two subprocesses in one organization and three subprocesses in another organization. Process Control generates five survey instances total, one for each organization-subprocess combination. Each survey instance includes questions applicable to a particular subprocess, and will record the rating/deficiency given for that subprocess. A person who is a survey respondent for the two scheduled subprocesses in one organization as well as the three scheduled subprocesses in another organization will receive one survey task in their My Tasks list. This survey task provides links to the five survey instances for the relevant organization-object combinations, grouped by organization.

Sending Survey Tasks and Instances


After the survey administrator creates a survey schedule record, Process Control formats the scheduled survey tasks and instances to be sent, based upon the survey details as set up by the survey administrator.

Process Control then sends the scheduled survey tasks and instances via workflow to the respondents' My Tasks list in their Inbox. For more information, see section "My Tasks" on page 131 in Chapter 12, "User Inbox". Process Control also sends e-mail notification to the respondents. This provides two methods of notification so that a respondent cannot easily misplace the survey. Both the workflow task and the e-mail notification show the due date of the survey that the survey administrator defined when he/she scheduled the survey.

Recalling a Survey Instance


The survey administrator has the ability to recall a scheduled survey instance to recover from errors, if the survey instance has been sent but has not been completed by the respondents or reviewers.
Note If the survey instance has been scheduled but not yet sent (this is possible because the survey administrator can set the schedule start date to be some future date) the survey administrator can fix the errors by just editing the original survey and modifying the current schedule record, without having to perform a recall.

There are two main possibilities for error:

- The survey administrator sent the wrong survey (that is, the wrong survey or a survey that contains some errors).
- The survey administrator sent the survey to the wrong organizations and/or objects.

If you're the survey administrator, you can execute the survey recall for all organizations, or for some organizations, or for some organization-object combination, for which the survey was sent. You can accomplish this by selecting the individual survey instances wanted for recall. By recalling a survey instance, you consider that survey instance as cancelled. The recall function removes the links for the recalled survey instances, sends an e-mail notification of survey recall to the affected respondents, and marks the survey status for that instance as "Recalled".

After recalling the desired survey instance(s), you can edit the survey information and fix the errors as appropriate, and then later reschedule the recalled survey instances if needed. To reschedule, you create a new schedule record and select only the organization-object combinations for those instances that you have recalled previously. You can define the same time period/frequency as before, or select different time frames. Process Control then resends the recalled instances based on your new schedule record, to the appropriate respondents.

A given survey instance scheduled for a time period cannot be sent to the same organization and object within the same time period, unless this survey instance was previously recalled.


Example:

You create a Process Design Assessment survey, with reporting title PDA, and schedule it for Q1 2006 to be sent to organization US Finance for all processes. You can schedule this same survey for a different period, for different organization-process combinations, but this survey cannot be sent to the same organization-process combinations within the same time period unless its survey instances were previously recalled.


To recall a survey instance:

1. In the navigation menu, select Survey Management > Survey Status. Alternatively, click the Survey Status link in the Process Manager page (see Figure 36 on page 92).
2. Click Show Filter and enter your filter selections. Then click Go. The Survey Status page appears showing the list of survey instances and their current statuses, based on your filtering selections.

Figure 43: Survey Status Page

3. Select a check box next to the survey instance(s) that you want to recall, and click Recall. If you want to recall all of the surveys for a particular organization, make sure that you select all of the instances having the same organization name.


Note You can recall a survey instance only if the status for that instance is not Completed.


Responding to and Returning a Survey Instance


Responding to a Survey Instance

After the survey administrator schedules a survey and the resulting survey tasks and instances are sent, the respondents need to respond to the survey questionnaire, by opening up the survey tasks that are sent to their My Tasks list in their Inbox. Each time the survey administrator schedules a new survey record, Process Control generates new survey tasks to be sent to the respondents.

The survey task is personalized for each respondent; that is, it provides links to the survey instances for the objects (controls, subprocesses, or entity-level controls, depending on the survey category) assigned to each respondent, grouped by organization.

The respondents open the survey instances sent to them, answer the questions, and provide the ratings/deficiencies if configured to do so (for details, see section "General Survey Data Configuration" on page 96). Keep in mind that you can suppress the questions for a given survey, by simply not adding any questions when you create the survey. In this case, the respondent would not have to answer any questions, only provide the rating/deficiency if configured to be the person to do so.

If the respondent is responsible for the scheduled objects (controls, subprocesses, or entity-level controls) in multiple organizations, the respondent will receive one survey task, which groups the instances by each organization. In the case that the respondent receives multiple survey instances for the same survey category and the same time period, but for different organizations and objects, the respondent can choose to copy the survey answers from one open survey instance to the other survey instances, to improve response time. The respondent clicks the Copy button, which populates the answers to the other survey instances based upon the information in the current open survey instance.

Negative answers to questions, if used as defined in the question list, require a comment. For non-negative answers, a comment is optional.

The respondents can view the survey attachments to help them understand the survey instructions and the status of their objects. The respondents can also attach one or more documents to support the survey answers and/or ratings.

The respondent (or later, the reviewer) can save the survey instance without submitting and can return to complete the survey instance at a later time.

The respondent cannot submit a survey instance unless all questions are answered, even if the answer to some questions is "N/A". This shortens the review process, if applicable, and helps to ensure meaningful and comparable data.

When the respondents consider the survey instance to be complete, they submit the survey instance. Once the survey instance is submitted, it cannot be changed unless it is subject to review and a rework is requested by the reviewer. The respondent can choose to submit all of their survey instances at once, or one individual instance at a time. If the survey is subject to review, as soon as a survey instance is submitted by a respondent, it is then routed to the appropriate reviewer.

After submission, Process Control updates the survey status for each survey instance, and removes the link to that submitted instance. Once all of the survey instances for a particular respondent have been submitted, the survey task is no longer available in that respondent's My Tasks list.


If the survey is subject to review, once the respondent submits a survey instance for a particular organization-object, Process Control triggers sending that instance via task workflow and e-mail notification to the applicable reviewer, and the survey status for that instance is changed to "Review". If the survey is not subject to review, the survey status for that instance is changed to "Completed".

Neither the respondent nor the reviewer can change the questions themselves, change the objects included on the survey, or change other data set by the survey administrator during the creation of the survey.

For more information on the survey response procedure, see section "Responding To an Assessment Survey Task" on page 137 in Chapter 12, "User Inbox".

Example of Copy option:

The respondent is responsible for a particular Accounts Payable subprocess in multiple organizations. The Copy option takes the responses from one open survey instance for one organization, and copies these responses to the other survey instances for that same subprocess, but for different organizations. Then the respondent would open, review, change as necessary, and submit the additional survey instances for each additional organization, without having to answer the same questions repeatedly.


Returning a Survey Instance

In the case that the respondents believe that they have been sent the wrong survey, the respondents can choose to return the survey instance(s) to the survey administrator. For example, some respondents might feel that they are improperly assigned to one or more objects scheduled for the survey, because of incorrect respondent configuration at the object level.

The respondents can choose to return all of their survey instances at once, or one individual instance at a time. As soon as a survey instance is returned, it is then marked as "Returned", and the survey administrator can then access these returned instances in the Survey Status page (see Figure 43 on page 110).

Process Control handles the survey return procedure as follows:

1. The respondent provides a mandatory comment to explain why they want to return the survey instance and who the proper object respondent might be.
2. The respondent clicks Return (or Return All). The returned survey instance(s) will not save any answers that the respondent has entered.

For more information on the survey return procedure, see section "Responding To an Assessment Survey Task" on page 137 in Chapter 12, "User Inbox".


Example:

A respondent was correctly assigned to two subprocesses for a survey schedule, and the same respondent is assigned to a third scheduled subprocess, but this subprocess should have been assigned to a different respondent. The respondent returns the survey instance for the third subprocess. In this case, the survey administrator would correct the respondent assignment for the third subprocess, and would resend the survey instance for this subprocess. The original respondent then sees the links for only the two correct subprocess instances instead of three, and the corrected new respondent would receive a survey task with one subprocess instance.


Resending a Survey Instance


As described in the previous section "Returning a Survey Instance", in the case that the respondents believe that they have been sent the wrong survey, the respondents can choose to return the survey instance(s) to the survey administrator.

Process Control tracks the returned survey instance(s) in the Survey Status page (see Figure 43 on page 110) for the survey administrator, who will research the respondent assignment that led to the error, and then proceed to fix the incorrect assignment. For more information on the respondent/reviewer assignment configuration, see the "Subprocess", "Control", or "Entity-Level Control" sections in the Process Control Version 2.0 Configuration Guide.

The survey administrator then resends the returned survey instance(s). Process Control reads the corrected respondent assignment and resends the survey instance(s) to one or more respondents accordingly.

To resend a survey instance after fixing the respondent assignment:

1. In the navigation menu, select Survey Management > Survey Status. Alternatively, click the Survey Status link in the Process Manager page (see Figure 36 on page 92).
2. Click Show Filter and enter your filter selections. For the Status drop-down menu, select Rejected by Respondent. Then click Go. The Survey Status page appears showing the list of survey instances and their current statuses, based on your filtering selections (see Figure 43 on page 110). In particular, the table lists all of the survey instances returned by the respondent.
3. Select a check box next to the survey instance(s) that you want to resend, and click Resend. Process Control resends the selected survey instance(s) to the appropriate list of respondents, for the same period and due date as originally scheduled.

Reviewing and Disapproving a Survey Instance


Reviewing a Survey Instance

If a survey is subject to review, the review processing flows as follows:

1. After the respondent submits a survey instance, the survey instance automatically routes, via task workflow and e-mail notification, to the people with the survey reviewer role for the scheduled objects.
2. Each reviewer reviews the survey answers and optional attachments but cannot change them.
3. The reviewer provides the rating/deficiency, or reviews the rating/deficiency provided by the respondent, depending on the initial survey master data configuration (for details, see section "General Survey Data Configuration" on page 96).

   Note If the respondent was configured to assign the rating/deficiency, the reviewer is not allowed to change the rating/deficiency provided by the respondent.

4. Based upon his/her review, the reviewer can accept and submit the survey instance (comments by the reviewer are optional, and the survey status for this instance becomes "Completed") or disapprove and return the survey instance for rework by the respondents (comments by the reviewer are required, and the survey status for this instance becomes "Rework").
5. If the survey instance is returned for rework, it is routed via task workflow and e-mail notification to the original respondent who submitted the survey instance, along with the reviewer comments.
6. The respondent reads the reviewer comments, performs changes to the survey instance and/or supplies additional comments and/or attachments, and then resubmits the survey instance for review. For more information on this process, see section "Responding to a Survey Instance" on page 111.
7. The review process repeats as described from Step 1 to Step 6, until the reviewer is satisfied and accepts the survey instance.

   Note The reviewer can return a survey instance for rework multiple times, if necessary.

8. Once the reviewer has accepted and submitted the survey instance, and its status is marked as "Completed", that survey instance cannot be changed any further.

For more information on the survey review procedure, see section "Responding To an Assessment Survey Task" on page 137 in Chapter 12, "User Inbox".


Disapproving a Survey Instance

As described in the previous section, the reviewer can return the survey instance for rework by the respondent, if the reviewer is not satisfied with the provided answers and disapproves the submission of the survey instance by the respondent.

For more information on the survey disapproval procedure, see section "Responding To an Assessment Survey Task" on page 137 in Chapter 12, "User Inbox".

Maintaining the Survey Flow


If a particular survey instance is not completed and submitted before the reminder date (configurable as the survey start date + X days, see section "Survey Parameters and Defaults" on page 97), Process Control automatically sends the respondent or reviewer (whoever is currently processing the survey instance) an e-mail reminder with a URL link. This link gives you access to the survey instance after you log in to the Process Control application.

If a particular survey instance is not completed and submitted before the escalation date (configurable as the survey start date + X days, see section "Survey Parameters and Defaults" on page 97), Process Control automatically notifies the next higher-level respondents of this survey instance by e-mail, noting the survey category and title, organization/object, respondent, optional reviewer, and status. The default higher-level respondent is the owner of the object (control, subprocess, or entity-level control).


Survey Cases
Either the respondent or the optional reviewer can provide a rating/deficiency for their survey instances. The rating/deficiency provider is configurable (see section "General Survey Data Configuration" on page 96).

By default, the ratings/deficiencies are defined as an Adequate rating (survey resulted in positive response) or a deficiency of Critical, Medium, or Low priority level (survey resulted in negative responses).

If the survey instance results in a deficiency from negative responses, Process Control generates a case after the survey instance completion, and will trigger case remediation activity. A case opened for a survey instance is pre-populated with organization and control, subprocess, and/or entity-level control details. The relationship between the survey and the case is maintained so that later drill-down from the compliance reports would display the survey-related cases and their remediation activities.

The respondent (and optional reviewer) can also create a case manually if they wish, if the survey instance results in a deficiency from negative responses.

The status of the survey instance has no impact upon the status of the related case and remediation. A survey instance can be completed and closed while the related case is open.

For more information on how the respondent or the optional reviewer can provide a rating/deficiency and create a case manually, see section "Responding To an Assessment Survey Task" on page 137 in Chapter 12, "User Inbox". For more information on the case drill-down functionality from the reports, see Chapter 7, "Compliance Reports". For more information on the case creation steps and remediation activities, refer to Chapter 13, "Case Management and Remediation".

Deactivating a Survey
If some surveys are no longer required in the data repository, then the survey administrator can deactivate them.

To deactivate a survey:

1. In the navigation menu, select Survey Management > Survey. Alternatively, click the Survey link in the Process Manager page (see Figure 36 on page 92). The Survey page appears showing a table listing all of the surveys found in the database (see Figure 39 on page 103).
2. Select the check box for the survey that you want to deactivate from the table, and click Edit. The Edit Survey and Question panes appear (similar to Figure 40 on page 104).
3. In the Active drop-down menu, select No to make the survey inactive.
4. Click Save. The Survey page reappears (see Figure 39 on page 103). At this point, the selected survey is considered deactivated.


11 SIGN-OFF ASSESSMENT

TOPICS COVERED IN THIS CHAPTER

- Introduction
- Sign-off Requirements
- Sign-off Assessment
- Survey Master Data
- Overview Of Functional Flow For Sign-off
- Creating a Question Library
- Creating or Copying a Survey
- Scheduling a Survey
- Sending Survey Tasks and Instances
- Recalling a Survey Instance
- Responding to and Returning a Survey Instance


Introduction
Process Control is a solution that aids the certification process under Section 302 and Section 404 of the Sarbanes-Oxley Act of 2002. As part of this certification process, there is a need to schedule and perform sign-off and to freeze the assessment data. You can perform this sign-off activity in the Process Manager module.

You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the sign-off features from the Survey Management submodule highlighted in Figure 44.

Figure 44: Process Manager Page

The following sections describe the features in the Survey Management submodule. You access these features either by selecting from the navigator menu in the left sidebar, or by clicking the corresponding link in the right side of the page.


Important The following sections list only the steps for creating an item. For information regarding how to filter, how to modify, or how to delete the item, if applicable, see sections Filtering an Item on page 41, Modifying an Item on page 42, and Deleting an Item on page 43 in Chapter 4, User Interface.


Sign-off Requirements
Section 302 of the Sarbanes-Oxley Act of 2002 requires that management (typically the CEO and CFO) certify in each submitted annual or quarterly report that, as part of their responsibilities for internal controls, they have evaluated, presented conclusions about the effectiveness of their controls, and disclosed significant deficiencies and/or material weaknesses and/or significant changes to their internal controls.

Section 404, in part, requires that management prepare a report that contains an assessment, as of year end, of the effectiveness of the internal control structure and the procedures for financial reporting and disclosure.

To support these requirements, many public companies prepare internal sub-certifications that formalize the responsibilities of the lower-level officers, managers, and business owners, for evaluation and disclosure of the status of internal controls within their areas of responsibility. Process Control provides the preparation and roll-up of surveys related to this practice.

Sign-off Assessment
Chapter 10, "Assessments Through Surveys" describes the various types of assessments (and related survey categories), including the Control Design And Effectiveness Assessment, Process Design And Effectiveness Assessment, Entity-Level Control Assessment, and Self-Assessment. This chapter describes the Sign-Off Assessment used to perform hierarchy-based sign-off by responsible parties at the organization, process, and subprocess levels.

For more information related to the configuration of organizations, processes, and subprocesses, see the Process Control Version 2.0 Configuration Guide.

Within Process Control, you perform assessments via surveys, a set of questions that are sent to individuals across your organization for feedback. At a base level, sign-off is one of the survey categories for assessment.

Although the survey functionality will be used for sign-off, it differs from that previously described for the other types of assessments (for more information, see Chapter 10, "Assessments Through Surveys"). The key differences involve the hierarchical, bottom-up progression of the sign-off activities. In this bottom-up approach, each business owner of the organization level (entity) needs to sign off the control environment before the owner of the next higher entity can sign off.


Survey Master Data


The sign-off survey master data include the users, user groups, and authorizations for the survey-related roles associated with the user groups, as well as the survey parameters/defaults and survey status. You set up the user groups using the Administration module. For more information, refer to the "User Groups" section in the Process Control Version 2.0 Configuration Guide.
Survey-related User Roles

The survey-related user roles include:

- Survey Administrator: Is responsible for creating, editing, scheduling, monitoring, recalling, and resending the surveys.
- Survey Respondent: Is responsible for returning the survey to the administrator if necessary, responding to the survey, and performing and submitting the sign-off and certification. The respondent might include any of the following:
  - CEO/CFO, representing those legally responsible for certification, as the owner of the organization at the highest level in the organization hierarchy
  - Corporate signer, representing other corporate-level users who will sign off, as the owner of the organization at the next lower level in the organization hierarchy
  - Other organization owners for other organizations at the next lower levels in the organization hierarchy
  - Process owners
  - Subprocess owners

Note The survey respondent might be one person, or several people, depending on the configuration of the user group assigned to be the respondent.

For more information on the respondent assignment, see Figure 45 on page 125, and the "Organization Hierarchy", "Process", "Subprocess" sections in the Process Control Version 2.0 Configuration Guide.


Sign-off Survey Data Configuration

The sign-off survey data configuration includes the following activities:

- You define the sign-off sub-category. The choices are as follows:
  - 302: This indicates that the sign-off survey is to fulfill the requirements from Section 302 of the Sarbanes-Oxley Act. The default sign-off period for this sub-category = Quarter.
  - 404: This indicates that the sign-off survey is to fulfill the requirements from Section 404 of the Sarbanes-Oxley Act. The default sign-off period for this sub-category = Year.
- You provide configurable text related to confirming the sign-off and reminding the respondents of their corporate responsibilities. This text can be different based upon the level/role (that is, CEO/CFO, corporate, organization, process, or subprocess). For information, see the "Standard Text" section in the Process Control Version 2.0 Configuration Guide.

Survey IDs

When you create a sign-off survey, Process Control automatically provides your created survey and its scheduled survey instances with unique IDs, based on a configurable number range. For more information, see section "Survey IDs" on page 96 in Chapter 10, "Assessments Through Surveys".


Survey Parameters and Defaults

The survey parameters and defaults are some control points that are predefined for efficient user experience and for managing the survey feature. You may overwrite and update these parameters as appropriate. For more information, see section "Survey Parameters and Defaults" on page 97 in Chapter 10, "Assessments Through Surveys".

For the Default Sign-Off Level parameter, you choose the levels at which the hierarchical sign-offs from the bottom up will be performed.


Note You cannot change this configuration when the sign-offs for a time period are in process because that can cause inconsistent data and workflow.

The various levels that you can select from are as follows:

- Organization only

  This choice is suitable for companies that want to scope their sign-off review based on the organization hierarchy only. For this choice, the sign-off survey will be sent to the organization owners for the organizations subject to sign-off.

  Process Control executes the roll-up based on your sign-off hierarchy (in this case, same as the organization hierarchy). That is, first the sign-off survey is sent to the organization owners at the lowest level, and only after this level completes the sign-off will the sign-off be sent to the organization owner at a higher level, eventually reaching the corporate or highest level in the organization hierarchy.

- Process and organization only

  This choice is suitable for companies that want to scope their sign-off review based on the organization hierarchy and also the processes within each organization level. For this choice, the sign-off survey will be sent to the organization owners for the organizations subject to sign-off, and also the process owners within these organizations.

  Process Control executes the roll-up based on your sign-off hierarchy. That is, first the sign-off survey is sent to the process owners within the organization at the lowest level, and only after the process owners complete the sign-off will the sign-off be sent to the organization owners. Once the organization sign-off is complete, the survey will be sent to the process owners for the organization at a higher level, and at the completion of that stage the sign-off survey will be assigned to the organization owners at that higher level. The survey continues to roll up through the higher levels (bottom-up approach), eventually reaching the corporate or highest level in the organization hierarchy.

- Subprocess, process, and organization

  This choice is suitable for companies that want to scope their sign-off review based on the organization hierarchy, and also the processes and subprocesses within each organization level. For this choice, the sign-off survey will be sent to the organization owners for the organizations subject to sign-off, and also the process owners and subprocess owners within these organizations.

  Process Control executes the roll-up based on your sign-off hierarchy. That is, first the sign-off survey is sent to the subprocess owners within the organization at the lowest level, and only after the subprocess owners complete the sign-off will the sign-off be sent to the process owners, then the organization owners. Once the organization sign-off is complete, the survey will be sent to the subprocess owners for the organization at a higher level, and at the completion of that stage the sign-off survey will be assigned to the process owners, then the organization owners at that higher level. The survey continues to roll up through the higher levels (bottom-up approach), eventually reaching the corporate or highest level in the organization hierarchy.

For purposes of the sign-off requirement, the corporate level is seen as the highest level in the organization hierarchical structure. Corporate sign-off is recommended at least once a year.

Although many assessments and testing activities occur at the individual control level, sign-off is not supported at that level because of the potentially large number of control owners, and because internal sub-certifications usually do not go down to that level.

For more information on how to configure the survey parameters and defaults, see the "Survey Defaults" section in the Process Control Version 2.0 Configuration Guide.
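The bottom-up gating described for the three Default Sign-Off Level choices can be modelled as below. This is an added illustration, not SAP code: the hierarchy and all names other than US Finance and Accounts Payable are constructed, and it assumes that every owner at one stage of an organization must finish before the next stage of that organization is released.

```python
from dataclasses import dataclass, field

# The three choices of the Default Sign-Off Level parameter, mapped to the
# stages signed inside one organization, lowest stage first.
STAGES = {
    "organization": ["organization"],
    "process+organization": ["process", "organization"],
    "subprocess+process+organization": ["subprocess", "process", "organization"],
}


@dataclass
class Org:
    name: str
    processes: dict = field(default_factory=dict)  # process -> [subprocesses]
    children: list = field(default_factory=list)   # lower-level organizations


def stage_items(org, stage):
    """Sign-off items (org, stage, object) that one stage of one org produces."""
    if stage == "subprocess":
        return {(org.name, stage, f"{p}/{s}")
                for p, subs in org.processes.items() for s in subs}
    if stage == "process":
        return {(org.name, stage, p) for p in org.processes}
    return {(org.name, stage, org.name)}


def eligible(org, level, completed):
    """Items whose survey may be sent now, given the set already signed off."""
    ready = set()
    for child in org.children:
        ready |= eligible(child, level, completed)
    # Gate 1: nothing in this org is released until every lower-level
    # organization has completed its organization sign-off.
    for child in org.children:
        if (child.name, "organization", child.name) not in completed:
            return ready
    # Gate 2 (assumption): inside the org, a stage is released only when the
    # stage below it is fully signed. Stages with no objects are skipped.
    for stage in STAGES[level]:
        pending = stage_items(org, stage) - completed
        if pending:
            return ready | pending
    return ready


def rollup_waves(root, level):
    """Simulate everyone signing as soon as asked; return the waves in order."""
    completed, waves = set(), []
    while True:
        wave = eligible(root, level, completed)
        if not wave:
            return waves
        waves.append(sorted(wave))
        completed |= wave


def sample_hierarchy():
    """Constructed data; only 'US Finance' and 'Accounts Payable' are from the guide."""
    us = Org("US Finance", {"Accounts Payable": ["Invoice Entry", "Payment Run"]})
    eu = Org("EU Finance", {"Accounts Payable": ["Invoice Entry"]})
    return Org("Corporate", {"Consolidation": ["Period Close"]}, [us, eu])


if __name__ == "__main__":
    for level in STAGES:
        print(level)
        for n, wave in enumerate(rollup_waves(sample_hierarchy(), level), 1):
            print(f"  wave {n}: {wave}")
```

Calling `eligible` with a partially completed set shows which owners are still blocking the corporate sign-off, which is the check an auditor would want before accepting a top-level certification.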


Survey Statuses

Process Control provides the survey statuses as non-configurable system values. Process Control captures the survey status change along with the user and timestamp information for reporting purposes. For more information, see section "Survey Statuses" on page 98 in Chapter 10, "Assessments Through Surveys".


Overview Of Functional Flow For Sign-off


This section briefly describes the important activities that occur through the sign-off life cycle. These activities include:

1. You define the survey master data, including the users, user groups, number ranges, and survey parameters and defaults. For more information, see section "Survey Master Data" on page 120.
2. You create and maintain the sign-off survey question repository. For more information, see section "Creating a Question Library" on page 124.
3. The survey administrator creates a sign-off survey from scratch, or copies an existing survey and then makes the appropriate modifications. For more information, see section "Creating or Copying a Survey" on page 124.
4. The survey administrator schedules the sign-off survey using the Scheduler feature. For information on the scheduling process, see section "Scheduling a Survey" on page 124.
5. Process Control sends the survey to the respondents on the defined scheduled date. For information on the survey sending process, see section "Sending Survey Tasks and Instances" on page 126.
6. The survey administrator can recall survey instances if they have been defined incorrectly (incorrect questions or incorrect respondents) and they have not been submitted by the respondents. The survey administrator fixes the errors as appropriate, and then reschedules the survey instances to be sent again to the respondents. For information, see section "Recalling a Survey Instance" on page 127.
7. Once the survey is scheduled and sent, the respondents receive communication via e-mail and also as a task in their My Tasks list. The respondents read the survey questionnaire and respond to the survey instances. If the respondents feel that a survey instance was sent incorrectly to them, they can return that survey instance to the survey administrator. For information, see section "Responding to and Returning a Survey Instance" on page 127. For more information on the My Tasks list, see section "My Tasks" on page 131 in Chapter 12, "User Inbox".
8. For the survey instances that have been returned by the respondents, the survey administrator proceeds to fix the assignments and then resends these survey instances to the proper respondents. For information, see section "Resending a Survey Instance" on page 113 in Chapter 10, "Assessments Through Surveys".
9. Process Control maintains the survey process and its flow automatically. For more information, see section "Maintaining the Survey Flow" on page 114 in Chapter 10, "Assessments Through Surveys".
10. Process Control updates the survey response and compiles the results for analysis reporting and for updating the Survey Status page (see Figure 43 on page 110 in Chapter 10, "Assessments Through Surveys"). For information on the analysis reports, see Chapter 7, "Compliance Reports".
11. If some sign-off surveys are no longer required in the data repository, then the survey administrator can deactivate them. For more information, see section "Deactivating a Survey" on page 115 in Chapter 10, "Assessments Through Surveys".

The following sections discuss these activities in further detail.



Creating a Question Library


The creation of the question library is the same as described in section Creating a Question Library on page 100 in Chapter 10, Assessments Through Surveys, except that the category of the question will be Sign-Off. Process Control uses this question category information in filtering your list of survey questions.

Creating or Copying a Survey


After creating a question list, the survey administrator then creates a sign-off survey. Process Control delivers some sample surveys for use with sign-off. The survey administrator can always copy an existing survey and modify it to create a new survey. This survey creation process is similar to the process described in section Creating or Copying a Survey on page 103 in Chapter 10, Assessments Through Surveys, except as noted below:

1. In the Category drop-down menu, select Sign Off as the survey category.
2. In the Sub Category drop-down menu, select from the following choices:
   - 302: This indicates that the sign-off survey is to fulfill the requirements from Section 302 of the Sarbanes-Oxley Act.
   - 404: This indicates that the sign-off survey is to fulfill the requirements from Section 404 of the Sarbanes-Oxley Act.
3. The Review Required drop-down menu is not applicable to sign-off surveys.

Scheduling a Survey
After creating a survey, the survey administrator then schedules the survey to be sent to the respondents using the Scheduler feature. For more information, see the Scheduler section in the Process Control Version 2.0 Configuration Guide.

This survey scheduling process is similar to the process described in section Scheduling a Survey on page 108 in Chapter 10, Assessments Through Surveys for the control/process/ELC assessments and self-assessments. Process Control automatically assigns a unique ID for each survey schedule record, prepares the resulting survey tasks by grouping by respondent, and creates a link to each of the survey instances. The differences are noted as follows:

- Instead of selecting organization-object combinations in the Scheduler feature, you schedule the sign-off survey for all organizations by default. You do not select individual organizations or processes or subprocesses in the Scheduler feature.
- If the level that you configured for the Default Sign-Off Level parameter (see section Survey Parameters and Defaults on page 121) is organization only, Process Control automatically creates a link to each of the survey instances, one instance for each organization in the organization hierarchy.
- If the level that you configured for the Default Sign-Off Level parameter is process and organization only, Process Control automatically creates a link to each of the survey instances, one instance for each process assigned to each scheduled organization. You do not select individual processes in the Scheduler feature. Process Control generates survey instances for all of the processes assigned to each organization.
- If the level that you configured for the Default Sign-Off Level parameter is subprocess, process, and organization, Process Control automatically creates a link to each of the survey instances, one instance for each subprocess under each process assigned to each scheduled organization. You do not select individual processes or subprocesses in the Scheduler feature. Process Control generates survey instances for all of the processes assigned to each organization, and for all of the subprocesses under each of those processes.
- Process Control derives the sign-off survey respondents from the configuration at each organization or process or subprocess. By default, the respondent is the organization or process or subprocess owner. Figure 45 shows the Assign Owners pane, where you configure the owner information, by selecting the appropriate user group.

Figure 45 Assign Owners Pane

Note For the sign-off surveys, the respondent is actually the Owner user group, not the Survey Respondent user group (unless they are the same).

For more information on the owner configuration, see the Process, Subprocess, and Control sections in the Process Control Version 2.0 Configuration Guide.


Example:

You configure the Default Sign-Off Level parameter as process and organization only. Let's assume for this example that you have one organization that has two assigned processes and another organization that has three assigned processes in your organization hierarchy. Process Control generates five survey instances total, one for each assigned process. Each survey instance includes questions applicable to a particular process, and will record the sign-off result given for that process. A person who is the owner for the two processes assigned to one scheduled organization as well as the three processes assigned to the other scheduled organization will receive one survey task in their My Tasks list. This survey task provides links to the five survey instances for the relevant processes, grouped by organization.


Sending Survey Tasks and Instances


After the survey administrator schedules a sign-off survey, Process Control formats the scheduled survey tasks and instances based upon the survey details as set up by the survey administrator, and sends them to the appropriate respondents. This survey sending process is similar to the process described in section Sending Survey Tasks and Instances on page 109 in Chapter 10, Assessments Through Surveys. The differences are noted as follows:

- Process Control sends the sign-off survey tasks and instances to the owners of all levels subject to sign-off, based upon your configuration of the Default Sign-Off Level parameter and the organizations scheduled for sign-off.
- Process Control sends the sign-off survey tasks and email notifications first to the respondent (owners of the objects) at the lowest level subject to sign-off (for example, subprocess owners first, then process owners, then organization owners).
- After the respondent for each lower level subject to sign-off has completed the sign-off task, Process Control then sends the survey tasks and email notifications to the respondent of the next higher level subject to sign-off. The sign-off survey tasks and email notifications will proceed up each level, until finally reaching the topmost level of the sign-off hierarchy.

The following diagram is a simplified example of sign-off where it is configured for the subprocess, process, and organization levels.

Note No higher level respondent would receive a survey task for sign-off until the respondents of the lower level subject to sign-off have signed.
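A small model of the bottom-up routing rule described above, added here as an illustration (it is not SAP code and not part of the guide). It computes which owners should currently hold a sign-off task and replays a constructed list of sign-off events to flag any sign-off recorded before a lower level had signed; the hierarchy, owner names, event format and function names are assumptions.

```python
from dataclasses import dataclass, field

# Levels that can be subject to sign-off, lowest first (as listed in the guide).
LEVELS = ("subprocess", "process", "organization")


@dataclass
class Node:
    name: str
    level: str                      # one of LEVELS
    owner: str                      # Owner user group, i.e. the sign-off respondent
    children: list = field(default_factory=list)


def walk(node):
    """Yield a node and all of its descendants (pre-order)."""
    yield node
    for child in node.children:
        yield from walk(child)


def blocking(node, levels, signed):
    """Lower-level objects subject to sign-off that have not signed yet."""
    return [d.name for c in node.children for d in walk(c)
            if d.level in levels and d.name not in signed]


def due_now(roots, levels, signed):
    """(object, owner) pairs whose sign-off task should be open right now.

    An object is due when its level is subject to sign-off, it has not
    signed, and nothing below it is still outstanding.
    """
    return [(n.name, n.owner)
            for root in roots for n in walk(root)
            if n.level in levels and n.name not in signed
            and not blocking(n, levels, signed)]


def premature_signoffs(roots, levels, events):
    """Replay (object, user) events in order and report rule violations."""
    index = {n.name: n for root in roots for n in walk(root)}
    signed, findings = set(), []
    for obj, user in events:
        node = index.get(obj)
        if node is None:
            findings.append((obj, user, "unknown object"))
            continue
        if node.level not in levels:
            findings.append((obj, user, "level not subject to sign-off"))
        else:
            missing = blocking(node, levels, signed)
            if missing:
                findings.append((obj, user, "signed before: " + ", ".join(missing)))
        signed.add(obj)
    return findings


# Constructed sample hierarchy: one organization, two processes, three subprocesses.
ROOTS = [
    Node("ORG-A", "organization", "org_owner", [
        Node("P1", "process", "proc_owner", [
            Node("S1", "subprocess", "sp_owner"),
            Node("S2", "subprocess", "sp_owner"),
        ]),
        Node("P2", "process", "proc_owner", [
            Node("S3", "subprocess", "sp_owner"),
        ]),
    ]),
]

# Constructed sign-off events in the order they were recorded.
# P1 is signed while S2 is still outstanding.
EVENTS = [
    ("S1", "sp_owner"), ("P1", "proc_owner"), ("S2", "sp_owner"),
    ("S3", "sp_owner"), ("P2", "proc_owner"), ("ORG-A", "org_owner"),
]

if __name__ == "__main__":
    all_levels = set(LEVELS)
    print("due at start:", due_now(ROOTS, all_levels, set()))
    print("due after S1, S2:", due_now(ROOTS, all_levels, {"S1", "S2"}))
    print("violations:", premature_signoffs(ROOTS, all_levels, EVENTS))
```

Run against an export of real sign-off records, the same replay gives an auditor a quick check that no owner signed ahead of the levels beneath them.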


Recalling a Survey Instance


The survey administrator has the ability to recall scheduled survey instances to recover from errors, if the survey instances have been sent but have not been completed by the respondents. The survey recall process is similar to the process described in section Recalling a Survey Instance on page 109 in Chapter 10, Assessments Through Surveys. The differences are noted as follows:

- Process Control generates the survey instances based on the objects at the level(s) that you configured for the Default Sign-Off Level parameter (see section Survey Parameters and Defaults on page 121).
- The survey administrators cannot recall individual instances for some particular organization or process or subprocess, because they cannot reschedule these individual instances. In the Scheduler feature, by default, they have to schedule the sign-off survey for all organizations. Therefore, if the survey administrators want to perform a recall, they would have to recall all of the instances for the configured objects of the Default Sign-Off Level parameter (for example, all of the processes and all of the subprocesses for all organizations), for a previous schedule record.
- After recalling the desired survey instance(s), the survey administrator can edit the survey information and fix the errors as appropriate, and then later reschedule the recalled survey instances if needed. To reschedule, the survey administrator creates a new schedule record using the Scheduler feature.

For more information on the Scheduler feature, see the Scheduler section in the Process Control Version 2.0 Configuration Guide.

Responding to and Returning a Survey Instance


Responding to a Survey Instance

After the survey administrator schedules a survey and the resulting survey tasks and instances are sent, the respondents need to respond to the survey questionnaire, by opening up the survey tasks that are sent to their My Tasks list in their Inbox.

The survey response process is similar to the process described in section Responding to a Survey Instance on page 111 in Chapter 10, Assessments Through Surveys. The differences are noted as follows:

- The respondent receives the survey instance(s) and is presented with the sign-off period, sign-off category, instructions, links to a variety of relevant reports, and sign-off questions created by the survey administrator. The respondent then reviews the status of internal controls and performs the sign-off.
- If the respondent feels that the processes and controls are adequately represented and that no changes are necessary, the respondent answers the sign-off questions, and optionally attaches documents and/or provides comments.
- The respondent can sign off for the period even with negativity or when open issues exist. A comment is required for each negative answer. The respondent then submits the sign-off survey. A dialog box with configurable text appears to remind the respondent of corporate responsibilities relative to sign-off, and to confirm the desire to sign off.
- Upon sign-off completion of a particular level (subprocess, process, or organization), the sign-off process rolls up (bottom-up approach), and Process Control automatically directs the sign-off survey instances to the respondent (object owner) higher up in the sign-off hierarchy.

For more information on the survey response procedure, see section Responding To an Assessment Survey Task on page 137 in Chapter 12, User Inbox.


Returning a Survey Instance

In the case that the respondents believe that they have been sent the wrong survey, the respondents can choose to return the survey instance(s) to the survey administrator. The survey return process is similar to the process described in section Returning a Survey Instance on page 112 in Chapter 10, Assessments Through Surveys.


12
USER INBOX

TOPICS COVERED IN THIS CHAPTER

Introduction
User Inbox
My Tasks
My Documents
My Cases

Introduction
You can view the tasks and cases assigned to you, or documents that you checked out, as the current logged-in user, by accessing your Inbox in the Process Manager module.

You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the Inbox features from the Inbox sub-module highlighted in Figure 46.

Figure 46 Process Manager Page

The following sections describe the features in the Inbox sub-module. You access these features either by selecting from the navigator menu in the left sidebar, or by clicking the corresponding link in the right side of the page.


User Inbox
The Inbox sub-module contains the following features:

- My Tasks
- My Documents
- My Cases

These features are described in the following sections.

My Tasks
Tasks are activities that you are responsible for completing. In the My Tasks list, you can access all of the tasks that you have been assigned. The three types of tasks are the following:

- Workflow tasks
  After an automatic case is generated from a control test, or a manual case is created by a user, Process Control notifies the control owner to take action to resolve the control deficiency and to document those activities for remediation purposes. The control owner can choose to assign the case to someone else, an assignee, to handle this responsibility, if desired. The control owner (or assignee) receives their relevant cases in their My Cases list. For more information, see section My Cases on page 142.
  Once the owner (or assignee) completes the remediation activities, changes the case status to Resolved, and submits the case, Process Control notifies the case approver to approve or reject the case resolution and submission. This approval activity is considered as a workflow task.
  You will see one workflow task for each case, whether the case was generated automatically or created manually. For more information on case remediation, see Chapter 13, Case Management and Remediation.

- Test plan/test step tasks
  For manual controls, Process Control notifies the owner of a test step to take action, to perform the test step activity and give a status for each test step. Process Control also notifies the test plan owner to validate all of the test steps at a preconfigured test frequency, to determine the overall result of the manual control test. These activities are considered as test plan/test step tasks.
  You will see one test plan/test step task for each scheduled organization. For more information on test plans/test steps, see the Test Plan section in the Process Control Version 2.0 Configuration Guide.

- Survey tasks
  For assessment surveys, Process Control notifies the survey respondents to respond to the survey questions or to sign off, and optionally notifies the reviewers to review and accept the survey. These activities are considered as survey tasks.
  You will see one survey task for each survey schedule record. After you open this task, you will see links to the survey instances, grouped by organization. For more information on assessment surveys, see Chapter 10, Assessments Through Surveys and Chapter 11, Sign-Off Assessment.

The workflow engine of Process Control automatically creates these tasks and posts them in the My Tasks list for you. The My Tasks list displays in tabular format information related to your tasks. All of these tasks are located in one specific area so that you can access and view them easily, and you can then proceed to perform your tasks. You would see only those tasks relevant to you, as the current logged-in user.


Accessing a Task
To access a task in your My Tasks list:

1. In the navigation menu, select Inbox > My Tasks. Alternatively, click the My Tasks link in the Process Manager page (see Figure 46 on page 130).
   The My Tasks page appears showing the tasks relevant to you, as the current logged-in user.
   This page is a user-specific dashboard that organizes the tasks related to elements that you are responsible for, for example a test step or an assessment survey that requires your response.

Figure 47 My Tasks Page

Each row in the table displays the following:

Table 15 My Tasks Information

Item | Description
Task Id | Unique ID for the task.
Task Description | Brief description of the task.
Type | The type of task.
Start Date | The date when the task started.
End Date | The date when the task ended. There is no end date if the task has not been completed.
Status | Current status for the task. This status is dependent on the type of task. If it's a workflow task, the status would be a case status. For more information, see the Case Status section in the Process Control Version 2.0 Configuration Guide. If it's a test plan/test step task, that status would be Fail, Pass, or Pending. If it's a survey task, the status would be a survey status. For more information, see section Survey Statuses on page 98 in Chapter 10, Assessments Through Surveys.
Details | Access to links that will display the object that requires your action, for example a test plan or a survey.

2. In the Details column, click the Details icon to display the screens for this task.
   - For responding to a workflow task, perform the steps in section Responding To a Workflow Task on page 134.
   - For responding to a test plan or test step task, perform the steps in section Responding To a Test Plan or Test Step Task on page 135.
   - For responding to or for reviewing an assessment survey task, perform the steps in section Responding To an Assessment Survey Task on page 137.


Responding To a Workflow Task

There are many categories of cases in the Process Control application. For more information, see section Case Categories and IDs on page 147 in Chapter 13, Case Management and Remediation. Table 16 groups the main types of cases and lists the default case approver for each.

Table 16 Case Approver Information

Case Creation | Type of Case | Case Approver
Case generated by the system automatically | Automatic control case | Subprocess-organization owner
Case generated by the system automatically | Query control case | Subprocess-organization owner
Case generated by the system automatically | Custom control case | Subprocess-organization owner
Case generated by the system automatically | Manual control case | Test plan owner
Case generated by the system automatically | Survey case | Survey respondent or reviewer (whoever gave the survey rating)
Case created by a user manually | Control or survey case | User who created the case

If you are a case approver:

1. The case header information and details appear. Review the case remediation information and attached documents if available. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.

Figure 48 View Case Pane

2. If you are satisfied with all of the remediation activities and information, click Approve. This action updates the status for the case to Closed and removes the workflow task from your My Tasks list.
   This case is now considered as resolved and closed, and will appear in the remediation reports under the Resolved columns. For more information, see Chapter 8, Remediation Reports.
3. If you are not satisfied with all of the remediation activities and information, click Reject. This action changes the status for the case back to Open/Reported, sends the case back to the My Cases list of the case owner (or assignee if there is one), and removes the workflow task from your My Tasks list. For more information on the case owner and assignee, see section Assignment Steps on page 155 in Chapter 13, Case Management and Remediation, and also Step 8 on page 139.
   If the case is rejected, the case owner (or assignee) needs to return to the remediation process, edit the case information, and resubmit the case for approval again. For more information, see section My Cases on page 142.

Responding To a Test Plan or Test Step Task


If you are a test step owner:

1. The test plan header information and the test steps appear. Perform the activities for the test step related to your task.

Figure 49 Test Plan/Sequence of Steps Panes

2. In the Sequence of Steps pane, click the button for your test step. The Status drop-down menu and other fields appear.

Figure 50 Test Step Status Pane

3. In the Status drop-down menu that appears, select the status for the test step based on the result of your activity, from the following:
   - Fail: The test step resulted in failure due to some deficiency.
   - Pass: The test step has passed, and did not result in any deficiency.
   - Pending: The test step status is pending, waiting on further activities or other statuses.
4. Next to the Add Documents field, click the Upload icon to attach document(s) providing supplemental information for the test step, if you wish.
5. Next to the Comments field, click the Plus icon or the Add/View All link and enter your comment text for the test step in the pop-up window, if you wish. You can scroll down in this pop-up window to view previously entered comments, if available.
6. Click Save. If you have given the test step the status of Pass or Fail, this action updates the test step status information for the test plan, and removes the test step task from your My Tasks list. If you have given the test step the status of Pending, the test step task remains in your My Tasks list, until you give a Pass or Fail status.

If you are a test plan owner:

1. The test plan header information and the test steps appear (see Figure 49 on page 135). In the header area (the upper pane with white background), review the test plan information, and the attached documents if available by clicking the Upload icon next to the Documents label.
2. In the Sequence of Steps pane, click the button for each test step and review the status of all of the test steps and their related documents. You cannot change the test step statuses. You can click the Upload icon in each row to open documents attached by the test step owner that provide clarifications for a specific test step, if available.
3. Based on the status of the test steps, you then determine the overall deficiency and status for the test plan. In the header area, in the Deficiency Type drop-down menu, select the deficiency level for the test plan. For details, see section Deficiency Type on page 24 in Chapter 2, Key Concepts.
4. In the header area, in the Status drop-down menu, select the overall status for the test plan from the following:
   - Fail: The test plan resulted in failure due to some deficiency.
   - Pass: The test plan has passed, and did not result in any deficiency.
   - Pending: The test plan status is pending, waiting on further activities or other statuses.

Note Even if the test step owners have given pass status to all of the test steps, you can still give the test plan a fail status if you wish, and vice versa. The test plan status is entirely up to you to determine, as the test plan owner.

5. In the header area, next to the Add Documents field, click the Upload icon to attach document(s) providing supplemental information for the test plan, if you wish.
6. Click Save. If you have given the test plan the status of Pass or Fail, this action removes the test plan task from your My Tasks list. If you have given the test plan the status of Pending, the test plan task remains in your My Tasks list, until you give a Pass or Fail status.

Note You can give the test plan deficiency/status, then save and submit the test plan for completion, even if not all of the test steps have been completed.

If the test plan resulted in a Fail status, Process Control automatically generates a case for the manual control, and you can also create a manual case if you wish. For more information on creating a case, see section Creating a Case on page 149 in Chapter 13, Case Management and Remediation.


Responding To an Assessment Survey Task
If you are a survey respondent or reviewer:

1. The links to the survey instances appear in the left-side pane. Click on a survey link to display the survey header information, status, and the survey questions for each survey instance, in the right-side pane. If you are reviewing the survey, then you will also see the answers submitted previously by the survey respondents.

Note If you are a respondent (or reviewer) assigned to multiple scheduled organizations, you will see the links to the survey instances grouped under each organization, in the left-side pane.

Figure 51 Survey Instance Page for a Respondent Who Cannot Change the Rating

Figure 52 Survey Instance Page for a Reviewer Who Can Change the Rating

2. If you want to hide the left-side pane, click the Hide Pane icon. If you want to show the left-side pane, click the Show Pane icon.
3. Next to the Survey Instructions label, you can click the Upload icon to open documents that explain how to answer the survey or that provide clarifications for specific questions. You can view these attached document(s) from your surveys to obtain supplemental information.
4. Next to the Attach Documents label, you can click the Upload icon to attach one or more documents to support your survey answers and/or ratings. A pop-up window appears showing the Upload Document pane. For more information, see section Uploading and Revising a Document on page 44 in Chapter 4, User Interface.
5. If you are responding to the survey instance, in the second column in the Questions pane, select or enter an answer for each question. You can view reports by clicking the report links, if available. You can add comments by clicking the Plus icon or the Add/View All link in the Comments column, and entering your comment text in the pop-up window. You can scroll down in this pop-up window to view previously entered comments, if available.

Note Negative answers to questions, if used as defined in the question list, require a comment.

6. If you are reviewing the survey, in the second column in the Questions pane, review the answer submitted by the respondents for each question. You can view reports by clicking the report links, if available. You can also review the comments entered by the respondents by clicking the Plus icon or the Add/View All link in the Comments column. A pop-up window appears. You can scroll down in this pop-up window to view previously entered comments, if available.


7. If you, as the respondent or the reviewer, are configured to provide a rating/deficiency for this survey, then in the Rating drop-down menu in the header area, select your rating/deficiency from the following choices:
   - Adequate: This indicates a positive or pass rating.
   - Critical, Medium, or Low: These indicate negative ratings and the various levels of deficiency.
8. In the Case Assignee field, enter the user group assigned to the case, if this survey instance results in a deficiency that will generate a case, or if you plan to create a case manually. This user group will be responsible for the case remediation activities. You can enter the user group name or a wildcard character such as * to see the list of user groups to select from.
9. Click Save to save your current survey instance. You can come back to this survey instance at a later time and continue with your responses.
10. For respondents, if you want to copy the answers in your current open survey instance to other survey instances, then click Save and click Copy. A pop-up window appears listing the other survey instances assigned to you. In the pop-up window, select the check box in front of each survey instance that you want to copy the answers to, and then click Copy.
11. For respondents, if you feel that this survey instance was sent to you in error, for example, you are not the appropriate respondent for this survey instance, you can choose to return it. First, click the Plus icon or the Add/View All link next to the Comments label in the header area, and enter your reason for the return. Then click Return. Process Control will route the survey instance back to its survey administrator to correct the error.

Note You are required to enter a comment before returning the survey instance.

    If you want to return all of the survey instances at once, then enter your reason comments for all of the survey instances, and click Return All in the left-side pane.
12. For reviewers, if you are not satisfied with the answers provided by the respondents, you can choose to return the survey to the respondents for rework. First, click the Plus icon or the Add/View All link next to the Comments label in the header area, and enter your reason for the return. Then click Disapprove. Process Control will route the survey back to the respondents for rework.
    If you want to return all of the survey instances at once, then enter your reason comments for all of the survey instances, and click Return All in the left-side pane.
13. If you provide negative responses resulting in a survey deficiency, you can click Create Case to manually create a case for this assessment if you wish.
14. When you are finished with your survey, click Submit. You cannot submit a survey unless all questions are answered, even if the answer to some questions is N/A. Once you submit the survey instance, it cannot be changed unless it is subject to review and the reviewer returns it to the respondent for rework.
    If you want to submit all of the survey instances at once, then provide answers to all of the questions for all survey instances, and click Submit All in the left-side pane.


If you are a respondent and the survey is subject to review, Process Control will route the survey to the reviewer after your submission. If you are a respondent and the survey is not subject to review, it is considered to be completed at this point.

If you are a reviewer, then the survey is also considered to be completed after your submission. With your submission, you indicate that you have reviewed and accepted the survey to your satisfaction.

If you provide negative responses resulting in a survey deficiency, after submission of the survey instance, Process Control will automatically generate a case.

After submission of each survey instance, the survey instance link disappears from the left-side pane.

After submission of all of the survey instances from a survey task, the survey task disappears from your My Tasks list.


My Documents
You can upload various documents in the Process Control application to provide additional supporting information. The My Documents list is a repository of all of your documents that you have previously uploaded and checked out. All of these documents are located in this one specific area so that you can access and view them easily.

Accessing a Document

To access a document in your My Documents list:

1. In the navigation menu, select Inbox > My Documents. Alternatively, click the My Documents link in the Process Manager page (see Figure 46 on page 130).
   The My Documents page appears showing the documents that you have checked out, as the current logged-in user.
   This page is a user-specific dashboard that organizes your documents, allowing you to view their status and to open a particular version of a document.

Figure 53 My Documents Page

2. The list in the My Documents page will display only the documents that you have checked out. For more information, see section Uploading and Revising a Document on page 44 in Chapter 4, User Interface. In the File column, you can click a file link to open that particular version of a document.

Note You cannot check back in a document from the My Documents page. You need to go back to the entity where you originally checked out the document to check it back in.


My Cases
When a deficiency occurs, an exception case provides detailed information to help you drill down to the root violation cause within the ERP system. There are many categories of cases in the Process Control application (for more information, see the Case Categories and IDs on page 147 in Chapter 13, Case Management and Remediation). In general, the cases are either control-related, or survey-related.

For example, during the execution of an automated control test, Process Control automatically generates a case if a control deficiency or violation is found. For the execution of a manual control test, the test plan owner can also generate a case as a result of the test plan failure. For assessment surveys that have deficiencies (negative ratings), the survey respondent or reviewer can also create a case.

The My Cases list displays in tabular format information related to your cases. All of the cases relevant to you are located in this one specific area so that you can access and view them easily, and you can then proceed to edit and document your cases for remediation purposes. Remediation denotes the process involved in resolving the control deficiency captured in these exception cases.

As a case owner (or assignee if previously assigned), you would see only those cases that belong to you (or have been specifically assigned to you) for remediation, in the My Cases list. Table 17 groups the types of cases and lists the default case owner for each type of case. You can change the case owner/assignee at any time (see Assignment Steps on page 155 in Chapter 13, Case Management and Remediation, and also Step 8 on page 139).

Table 17 Case Approver Information

Case Creation | Type of Case | Default Case Owner
Case generated by the system automatically | Automatic control case | Control-organization owner
Case generated by the system automatically | Query control case | Control-organization owner
Case generated by the system automatically | Custom control case | Control-organization owner
Case generated by the system automatically | Manual control case | Control-organization owner
Case generated by the system automatically | Survey case | Object owner (control, entity-level control, or subprocess owner, depending on the survey category)
Case created by a user manually | Control or survey case | Control-organization owner


Accessing A Case
To access a case in your My Cases list:

1. In the navigation menu, select Inbox > My Cases. Alternatively, click the My Cases link in the Process Manager page (see Figure 46 on page 130).
   The My Cases page appears showing the cases assigned to you, as the current logged-in user.
   This page is a user-specific dashboard that organizes the exception cases that have been assigned to you for remediation.

Figure 54 My Cases Page

Each row in the table displays the following:

Table 18 My Cases Information

Item | Description
Case Number | Case ID number generated based on a configurable number range. When you configure each number range, you can define a different ID prefix for each type of case, for easy identification. For more information, see the Number Range section in the Process Control Version 2.0 Configuration Guide.
Case Status | Current state in the remediation process for the case. For more information, see the Case Status section in the Process Control Version 2.0 Configuration Guide.
Case Description | The description for this case.
Deficiency Type | This describes the insufficient level of compliance determined after an analysis is completed. For details, see section Deficiency Type on page 24 in Chapter 2, Key Concepts.
Priority | The Priority is the importance level of the case. The predefined priority level options are as follows: Immediate, High, Medium, Low.
Frequency Type | The frequency of the control test execution or of the survey that generated the case. The predefined frequency types are as follows: Daily, Fortnightly (Bi-weekly), Half Yearly, Monthly, Quarterly, Weekly, Yearly, Random.
Period Year | The year of the control test execution or of the survey submission that generated the case.
Period Name | The short name of the period of the control test execution or of the survey submission that generated the case.
Owner | Name of the case owner/assignee. This is a user group or user assigned to the case for remediation purposes. For more information, see section Assignment Steps on page 155 in Chapter 13, Case Management and Remediation, and also Step 8 on page 139.
Create Time | The time when the case is created.

2. In the Case Number column, click the case number link to display the Edit Case page showing the case details. Make your modifications to the case information for remediation purposes. For more information, see section Editing a Case on page 159 in Chapter 13, Case Management and Remediation.
3. When you are done with your remediation activities, in the header area of the Edit Case page, in the Case Status drop-down menu, select Resolved.
4. Click Save. This action removes the case from your My Cases list, and sends a workflow task to the case approver to approve the resolution of this case. For more information on workflow tasks, see section My Tasks on page 131.


13 CASE MANAGEMENT AND REMEDIATION

TOPICS COVERED IN THIS CHAPTER

Introduction
Case Categories and IDs
Creating a Case
    Create Case Steps
    Case Header Steps
    Case Details Steps
    Assignment Steps
    Documents Steps
Case List
Editing a Case
    Edit Case Steps
    Case Header Steps
    Case Details Steps
    Assignment Steps
    Documents Steps
    Case Trail Steps
    Time Spent Trail Steps
    Resolution Steps


Introduction
When a deficiency occurs, an exception case provides detailed information to help you drill down to the root violation cause within the ERP system. You can then proceed to resolve the deficiency and to document these activities. This task is called remediation.

The Process Manager module delivers the summary status, impact, and priority information for the reported exception cases, and details regarding their remediation activities.

You access the Process Manager module by clicking the Process Manager tab to display the Process Manager page. Then you access the case management and remediation features from the Case Management submodule highlighted in Figure 55.

Figure 55 Process Manager Page

The following sections describe the features in the Case Management submodule. You access these features either by selecting from the navigator menu in the left sidebar, or by clicking the corresponding link in the right side of the page.


Important For information regarding how to filter, how to modify, or how to delete the item, if applicable, see sections Filtering an Item on page 41, Modifying an Item on page 42, and Deleting an Item on page 43 in Chapter 4, User Interface.


Case Categories and IDs


There are many categories of cases in the Process Control application. These case categories include the following:

Automatic Control Auto Case: Process Control automatically generates these cases as a result of automated control testing. After you schedule an automated control test, Process Control generates an exception case for each control deficiency found.

Automatic Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of an automated control. In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Custom Control Auto Case: Process Control automatically generates these cases as a result of custom control testing. Your organization might have created your own set of custom controls that you want to integrate into the Process Control application for automatic monitoring. After you schedule a custom control test, Process Control generates an exception case for each control deficiency found.

Custom Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of your custom control. In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Test Plan Control Auto Case: Process Control automatically generates these cases as a result of manual control (test plan) testing. After the test plan owner has scheduled the test plan and the test step owners have completed their tasks, if the test plan owner then submits that the test plan has resulted in failure, Process Control automatically generates a case.

Test Plan Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of your manual control (test plan). In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Query Control Auto Case: Process Control automatically generates these cases as a result of query control testing. You can build a query, configure the query as a control, and schedule the query control for automatic monitoring. Process Control generates an exception case for each control deficiency found from your query control testing.

Query Control Manual Case: You manually create these cases to document other deficiencies resulting from the scheduled testing of your query control. In a manual case, you can further document more detailed information for other issues not documented in the automatic case.

Survey Auto Case: Process Control automatically generates these cases as a result of survey assessment. You can create a survey and schedule the survey to be assessed by respondents and possibly reviewers, or to be signed off. If the survey results in a negative rating, Process Control automatically generates a case.

Survey Manual Case: You manually create these cases to document other deficiencies resulting from survey assessment. After you schedule the survey to be assessed or signed off, if the survey results in a negative rating, you can create a manual case to further document more detailed information for other issues not documented in the automatic case.

Each case, for a particular category, whether the case is generated automatically or created manually, has a unique ID which is either numeric or alphanumeric. Process Control generates these IDs based on a configurable number range. When you configure each number range, you can define a different ID prefix for each type of case, for easy identification. For more information, see the Number Range section in the Process Control Version 2.0 Configuration Guide.

Once you have defined your various number ranges, you then associate a particular number range with the appropriate case category. For more information, see the Case Number Range Assignment section in the Process Control Version 2.0 Configuration Guide.


Creating a Case
You can create an exception case manually and assign all the necessary case information that was not automatically generated by the Process Control application. In a manual case, you can further document information for issues found at a level lower than the level where Process Control would automatically generate the case. After you create the case, it can then proceed through the remediation process and be tracked in reports. See the Create Case page for an example manual case entry.

Figure 56 Create Case Page


Create Case Steps


To manually create a case:

1. In the navigation menu, select Case Management > Create Case. Alternatively, click the Create Case link in the Process Manager page (see Figure 55 on page 146). The Create Case page appears (see Figure 56 on page 149).

2. Perform the steps in the following sections:

   Case Header Steps on page 150
   Case Details Steps on page 153
   Assignment Steps on page 155
   Documents Steps on page 156

3. Click Save to create the case.

Case Header Steps


You enter general details related to a case in the case header area (upper portion of the Create Case page with white background, see Figure 56 on page 149).

To enter case header information:

1. The Case Number will be generated automatically by the system. The Case Number is a unique ID number for each case.

2. In the fields and dropdown menus, enter or select the following:

Table 19 Case Header Information

Case Category: The category associated with this case: control or survey.

Case Type: The classification that distinguishes between different groups of cases. You can create new case types in the Administration module. For details, refer to the Case Type section in the Process Control Version 2.0 Configuration Guide.

Case Description: The brief description for the case.

Priority: The importance level of the case. You can select from the following predefined priority level options: Immediate, High, Medium, Low.

Case Status: The current state of a case in the remediation process. You can create new case statuses in the Administration module. For details, refer to the Case Status section in the Process Control Version 2.0 Configuration Guide.


Deficiency Type: The insufficient level of compliance determined after an analysis is completed. The Deficiency Type varies depending on the selected Case Type. For details, see section Deficiency Type on page 24 in Chapter 2, Key Concepts. After a case has been reassigned with a new deficiency type status, the reports and the Control Execution Monitor automatically update and display the revised status for that case/control test. For information about the Control Execution Monitor, see section Control Execution Monitor (CEM) on page 49 in Chapter 5, Main Modules. For information about the reports, see Chapter 6, Management Reports, Chapter 7, Compliance Reports, Chapter 8, Remediation Reports, Chapter 9, Test Results Reports, and Chapter 10, Business Intelligence (BI) Reports.

Control ID or Survey Instance ID: If you selected Control Case for the Case Category, then the Control ID is the ID for the control that is related to this case. If you selected Survey Case for the Case Category, then the Survey Instance ID is the ID for the survey instance that is related to this case. Click the Search icon displayed next to this field and select a specific control or survey instance from the popup window. To view a particular list of controls or survey instances, click Show Filter, select your search filter item(s) from the dropdown menu(s), and click Go. Then select your desired item from the displayed list and click Select.


Remediation Usergroup: If you currently have remediation software, similar issues in that system can be linked to the Process Control system via an external remediation ID. You create a name and/or number for each matching issue or incident, and enter this information into the Remediation Usergroup field to be saved within a case.

Period Reported: The time period applicable to this case, including the Period Type, Year, and Period ID. These items are editable only for a control case, not for a survey case. The predefined Period Types are as follows: Daily, Fortnightly (Bi-weekly), Half Yearly, Monthly, Quarterly, Weekly, Yearly, Random. These period types are selectable only if there are defined date ranges for them. For more information on how to define the date ranges, see the Frequency Dates section in the Process Control Version 2.0 Configuration Guide. You select the Period Type and Year applicable to this case. Once the Period Type and Year are selected, the date ranges will show automatically for the Period ID dropdown menu. The Period ID represents the specific date range corresponding to the selected Period Type and Year. This date range can be a regular (predetermined) period (for example, M11 from 11/01/06 to 11/30/06) or a random (user defined) period (for example, A1 from 11/01/06 to 11/15/06).


Case Details Steps


You view and enter specific details related to a case in the Case Details pane.

To view and enter case details information:

1. Click the Case Details tab to display the Case Details pane. The information in this pane varies depending on the Case Category and the Control ID or Survey Instance ID that you selected in section Case Header Steps on page 150.

Figure 57 Case Details Pane for a Control Case

Table 20 lists the items that are automatically populated by the system for a control case, based on the configuration of the selected Control ID. For more information on these items, see the Control configuration section in the Process Control Version 2.0 Configuration Guide.

Table 20 Case Details Information for a Control Case

Process: This is the process associated with the control related to this case.

Subprocess: This is the subprocess associated with the control related to this case.

Location: This is the organization associated with the control related to this case.

Control Category: This is used to differentiate the controls. For information, see section Control Category on page 25 in Chapter 2, Key Concepts.

Control Description: This is a brief description for the control related to this case.

Control Type: This represents a group of similar activities in an application system, which can be monitored and analyzed differently based on its own criteria, to determine the control violations. For information, see section Control Type on page 26 in Chapter 2, Key Concepts.

Assertion: For information regarding assertions, see section Assertions on page 28 in Chapter 2, Key Concepts.


Source Script: This is the source (origin) of the control. The predefined options include: GRC Customized SAP Standard

Comments: This is general comment information for the control.

Risk Value Relevant: This indicates whether quantity dollar values can be summed up and reported in the control header information.

Last Modified By: This indicates the person who last modified the case.

Create Time: This is the time logged when the case is created.

Figure 58 Case Details Pane for a Survey Case

Table 21 lists the items that are automatically populated by the system for a survey case, based on the configuration of the selected Survey Instance ID. For more information, see Chapter 10, Assessments Through Surveys and Chapter 11, Sign Off Assessment.

Table 21 Case Details Information for a Survey Case

Survey Level: The category of the survey related to this case.

Subprocess: If the selected Survey Instance ID is of the Process Design Assessment category, then this is the subprocess associated with the survey related to this case.

Title: This is the main title of the survey related to this case.

Short Title: This is the short title (for columnar reporting purposes) of the survey related to this case.

Location: This is the organization associated with the survey related to this case.

Control Description: If the selected Survey Instance ID is of the Control Design Assessment or Entity Level Control Assessment category, then this is the control or entity level control associated with the survey related to this case.


Last Modified By: This indicates the person who last modified the case.

Create Time: This is the time logged when the case is created.

2. Click Advanced Options to display more user interface elements for you to enter or view your case details. The first two fields are editable. The last two fields are for viewing only.

Table 22 Advanced Options Information

Actual Number of Days: You enter the number of days that you (as the case creator) expect remediation for this case to be completed within.

Service Level: You enter the percentage that you (as the case creator) expect the remediation activity will meet your targeted remediation goal (0% to 100%).

Assignment Steps

You select the user group or user assigned to the case for remediation purposes in the Assignment pane.

To enter Assignment information:

1. Click the Assignment tab to display the Assignment pane.

Figure 59 Assignment Pane


2. In the dropdown menus, select the following:

Table 23 Assignment Information

Remediation Group: You select the group that reviews this case to resolve issues and recommend solutions, and to edit and document the case for remediation purposes. This user group represents the owner of the case. For a control case, this user group is by default the control organization owner. For a survey case, this user group is by default the object (control, entity level control, or subprocess) owner. Once you select a user group, its members are available in the Assign To User ID dropdown menu. You can create new user groups in the Administration module. For details, refer to the User Groups section in the Process Control Version 2.0 Configuration Guide.

Assign To User ID: You can transfer the remediation responsibility to another user if you wish, by selecting the user ID of this assignee. This assignee is a member of the User Group that you selected previously. Process Control will send an email to the assignees to notify them of the remediation responsibility.

Documents Steps

You can attach documents containing supporting information regarding the resolution of a case in the Documents pane.

To enter Documents information:

1. Click the Documents tab to display the Upload Document pane.

Figure 60 Upload Document Pane

2. This pane organizes your documents. Follow the steps described in section Uploading and Revising a Document on page 44 in Chapter 4, User Interface to upload/modify the documents, and view their revision history.


Case List
The Case List is a list of exception cases stored in the database. This list includes the cases that you have created manually, as well as cases that Process Control generated automatically. You can perform an advanced case search by selecting your specific filters, and view the results of your search in tabular format.

Process Control displays all qualified cases found from your search in a table with their information. You can modify and update the case information as desired, if you belong in the case owner user group or if you are the case assignee. For more information, see section Assignment Steps on page 155.

To filter and view the cases in the case list:

1. In the navigation menu, select Case Management > Case List. Alternatively, click the Case List link in the Process Manager page (see Figure 55 on page 146). The Case List page appears showing all of the cases with their case IDs.

Figure 61 Case List Page

If you want to see the list of cases ordered by creation date, in the navigation menu, select Case Management > Case List By Creation Date. Alternatively, click the Case List By Creation Date link in the Process Manager page (see Figure 55 on page 146). The Case List By Creation Date page appears showing all of the cases ordered by their time and date of creation. The displayed information is similar to Figure 61, except that the Create Time column is the leftmost column.

2. For the Case List page, if you want to filter your case list, click Show Filter to specify your search filters using the Process, Subprocess, Case Status, Assertion, Deficiency Type, Organization, Owner, Assign To User ID, Case Category, Case Number, Reporting Period, and Range fields and dropdown menus. For details on these items, see section Creating a Case on page 149. For the Case List By Creation Date page, if you want to filter your case list, click Show Filter to specify your search filters using the From Date and To Date fields.


3. Click Go to view the results. Process Control displays all qualified cases from your filter transaction in a table with their Case Number, Case Status, Case Description, Deficiency Type, Priority, Owner, and Create Time information. For details on these items, see section Creating a Case on page 149.


Editing a Case
As a case owner (or assignee if previously assigned, see Assignment Steps on page 155), you see the cases that you are responsible for remediating in the My Cases list. For more information, see section My Cases on page 142 in Chapter 12, User Inbox.

From the My Cases list or from the Case List page (see Figure 61 on page 157), you can edit an existing case to document all the necessary remediation information related to the resolution of the control deficiency captured in that case. See the Edit Case page for an example.

Figure 62 Edit Case Page


Important You can edit and save the information for a case only if you belong in the case owner user group or if you are the case assignee. If the case has not been assigned yet to an assignee, then anyone in the user group can edit the case. Once the case has been assigned to an assignee, then only that assignee can edit the case.


Edit Case Steps


To edit a case and add remediation information:

1. Select one of the cases from the table in the Case List page (see Figure 61 on page 157) or Case List By Date page, and click Edit. The Edit Case page appears (see Figure 62 on page 159).

2. Perform the steps in the following sections:

   Case Header Steps on page 160
   Case Details Steps on page 161
   Assignment Steps on page 161
   Documents Steps on page 161
   Case Trail Steps on page 161
   Time Spent Trail Steps on page 162
   Resolution Steps on page 163

3. Click Save to create the case.

Case Header Steps


For descriptions of the case header items and steps, see section Case Header Steps on page 150. Most of these items are for display only and are not editable. You can edit only the following items:

Case Description: You can edit the description of the case.

Case Status: You can select the case status from the following choices:

    Open/Reported: Indicates the case has been entered into the system and is moving through the remediation process.

    Assigned: Indicates that the user has given the case to another user or has taken the case for him/herself. If this status is selected, it is mandatory for the user to enter the assignee information. Also, the case status will be changed to Assigned if the user enters the assignee's information first.

    Work in Progress: Indicates a saved case is ongoing.

    On Hold: Indicates the case is temporarily saved for a later date or time, and a Case ID is assigned.

    Resolved: Indicates the case has been completed by the user assigned to the case. Resolved cases cannot be deleted from the system.

Comments: You can add your comments by clicking the Plus icon or the Add/View All link, entering your comments in the popup window, and clicking Add.


In addition, if the case results from an automated control test, you can click on the Test Results link (upper right corner of the header pane) to jump to the Control Test Results page (see section Automated Control Test Report on page 83 in Chapter 9, Test Results Reports), and the Show Rules link (upper right corner of the header pane) to jump to the Rules Library page (see the Rules Library section in the Process Control Version 2.0 Configuration Guide), and view more detailed information related to this case.
Note The Show Rules link will not be available for cases from manual control tests. Neither the Test Results link nor the Show Rules link will be available for manually created cases or survey cases.

Case Details Steps


For descriptions of the case details items and steps, see section Case Details Steps on page 153. Most of these items are for display only and are not editable. You can edit only the following items:

Actual Number of Days: You can edit the number of days that you expect the remediation for this case will be completed within.

Service Level: You can edit the percentage value that you expect the remediation activity will meet your targeted remediation goal (0% to 100%).

Assignment Steps

For descriptions of the assignment items and steps, see section Assignment Steps on page 155.

Documents Steps

For descriptions of the documents items and steps, see section Documents Steps on page 156.

Case Trail Steps

Each time a change is made to a case, Process Control automatically updates the items in the Case Trail pane to provide you with historical information. These items are for display only and are not editable.

To view the Case Trail information:

1. Click the Case Trail tab to display the Case Trail pane.

Figure 63 Case Trail Pane


You can view the following items in the displayed table:

Table 24 Case Trail Information

Date: This is the date that a change was made for this case.

Change Type: This indicates the item that was changed.

Changed By: This indicates the person who made a change in this case.

Status Old: This indicates the case status or value before the change.

Status New: This indicates the case status or value after the change.

Time Spent Trail Steps

You enter the information for the items in the Time Spent Trail pane to document your remediation activities.

To enter the Time Spent Trail information:

1. Click the Time Spent Trail tab to display the Time Spent Trail pane.

Figure 64 Time Spent Trail Pane

You can enter the following items:

Table 25 Time Spent Trail Information

Work Log/Activity: You enter the description of the remediation activity performed for this case.

Time Spent (Hours): You enter the actual time spent in hours working on this remediation activity.


You can view the following items in the table:

Table 26 Time Spent Trail Information

Seq #: This is the sequence number for each previously logged remediation activity.

Date: This is the date that a remediation activity was previously performed for this case.

User ID: This is the person who performed that remediation activity.

Work Log/Activity: This is the description of the previously logged remediation activity.

Time Spent (Hours): This is the actual time spent in hours working on this previously logged remediation activity.

Resolution Steps

You enter the information related to the resolution of a case in the Resolution pane.

To enter Resolution information:

1. Click the Resolution tab to display the Resolution pane.

Figure 65 Resolution Pane

The Resolution Date field is automatically populated by the system with today's date and current time.

2. In the fields and dropdown menus, enter or select the following:

Table 27 Resolution Information

Reason Code: You select the reason for the deficiency related to this case. You can create new reason codes in the Administration module. For details, refer to the Reason Code section in the Process Control Version 2.0 Configuration Guide.

Resolution Documented: You select Yes or No to indicate whether the resolution for the case has been documented.

Resolution Comments: You enter comments related to the resolution of the case.


Resolution Communicated: You select Yes or No to indicate whether the resolution for the case has been communicated.

Communication Comments: You enter comments related to the communication of the case.


A SAP FINANCIAL ACCOUNTING DOCUMENTED CONTROLS

TOPICS COVERED IN THIS APPENDIX

Financial Accounting Documented Controls


Financial Accounting Documented Controls


Process Control currently delivers a set of 18 SAP Financial Accounting documented automated controls. These controls are:

FICLPEP_03AC1 (Period Control Company Level Changes)
FICLPEP_03AC2 (Posting Period Variant)
FICLPEP_03AC4 (Logistics Period Cutoff)
FICLPEP_03BC1 (Prior Period Posting Entries)
FIEXCHRT_01AC1 (Monitoring Exchange Rate Changes)
FIINVPOST_01BC1 (Analysis of Vendor Invoices Against Tolerance Limit)
FIMDCOA_02C1 (Chart of Accounts GL Changes)
FIMDCOA_02C2 (Company Code GL Changes)
FIMDDIS_1005C1 (GL Postings at Account Level)
FIMDDIS_1005C2 (GL Postings at Account Item Level)
FIMDDIS_1006C1 (GL Postings at Document Type Level)
FIMDDIS_1006C2 (GL Postings at Line Item Level)
FIMDDIS_1007AC1 (Recurring Entries Schedule Changes)
FIMDDIS_1007BC1 (Analysis of Recurring Entries)
FIMDDOC_05AC1 (Changes to Accounting Document Occurrence)
FIMDDOC_05AC2 (Accounting Posting Changes)
FIMDDOC_05AC3 (Accounting Document Changes)
FIREPDIS_05BC1 (Analysis of Material Price Changes to Financial Accounting)

The following sections describe these controls in more detail.

FICLPEP_03AC1

Control Description

Period Control Company Level Changes

Control Details

Control Type: Configuration
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Changes in variant assignment for general ledger postings can misstate financial statement reporting.


Control Objective

In SAP, the fiscal year variant and the posting period variant are assigned to a company code. This assignment defines the general ledger postings to the different periods in a fiscal year. Any changes to these assignments will impact the postings and may result in inaccurate financial reporting. This control reports such changes to the period assignments.

FICLPEP_03AC2

Control Description

Posting Period Variant

Control Details

Control Type: Configuration
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Changes to the posting period variant, which controls the posting periods open for a company code, can misstate financial statement reporting.

Control Objective

SAP is configured to monitor the period postings in Financial Accounting for each legal entity, by setting up the posting period variant.

This control analyzes the changes to the posting period variant and the users who made such changes. For example, the number of open posting periods cannot exceed two periods. This control tracks all changes and reports them as a deficiency when the open periods are greater than two periods.

FICLPEP_03AC4

Control Description

Logistics Period Cutoff

Control Details

Control Type: Configuration
Process: Manage Financial Accounting and Controlling
Subprocess: Perform Closing

Risk Description

The company policy of not allowing backposting in the previous period can be violated.


Control Objective

In SAP, logistics closure has to be performed every period. The backposting setting controls the logistic postings to the previous period, and can be configured to allow this backposting or not. This control reports material modifications of the backposting setting.

FICLPEP_03BC1

Control Description

Prior Period Posting Entries

Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Perform Closing

Risk Description

Prior period postings can manipulate financial statements.

Control Objective

The disclosure and maintenance of the proper books of accounts is a key process for financial reporting. Postings to prior periods have to be analyzed based on the internal control policies of the organization.

This control analyzes the amounts posted to different previous periods, to a maximum of three prior periods from the date of analysis. Rules are defined at each organization entity level and postings to prior periods are analyzed accordingly. For example, postings to the immediate previous period are allowed until the first week of the current period, to close the accounts for the previous period. The analysis is for postings at the debit total and credit total level, for each document type.

This control reports all postings to the General Ledger account, either as a debit or credit total, exceeding amounts allowed at the document level as defined by corporate policy.

FIEXCHRT_01AC1

Control Description

Monitoring Exchange Rate Changes

Control Details

Control Type: Master Data
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Whoever has access to exchange rate maintenance can manipulate these rates, used for transaction posting. Consequently financial accounting and reporting can be misstated.

Control Objectives

Exchange rates are maintained in standard SAP tables. The system uses these exchange rates to calculate the foreign currency exchange during financial transactions. Exchange rates are required to:

Translate foreign currency amounts when posting or clearing, or to check an exchange rate entered manually.
Determine the gain and loss from exchange rate differences.
Evaluate the open items in foreign currency and the foreign currency balance sheet accounts.

Monitoring exchange rates is critical for financial accounting and reporting. This control reports the following:

Whether an update of exchange rates has occurred.
The changes made to the exchange rates.
The users who have access to the exchange rates maintenance.

FIINVPOST_01BC1

Control Description

Analysis of Vendor Invoices Against Tolerance Limit

Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Posting split invoices and bypassing tolerance limits can jeopardize the internal controls systems within the organization.

Control Objective

The objective of this control is to analyze posted vendor invoices and to report any invoices that violate the tolerances defined for each user group. This control compares the split financial invoices created with the same vendor, same document type, and same invoice reference information, against the tolerance limits set for the users who created these invoices, and reports any invoices that exceed these limits.
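The comparison described for FIINVPOST_01BC1 can be sketched as follows. This is an added example, not SAP's rule implementation: it groups posted invoices by vendor, document type, invoice reference and creating user, then checks each group's total against that user's tolerance limit. The field names, the user group and limit tables, the finding labels and the sample invoices are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
import re


@dataclass(frozen=True)
class Invoice:
    doc_no: str
    vendor: str
    doc_type: str
    reference: str
    amount: Decimal
    created_by: str


# Constructed tolerance data (assumption): user -> user group -> limit.
USER_GROUP = {"JSMITH": "AP_CLERK", "MLEE": "AP_SUPERVISOR"}
GROUP_LIMIT = {
    "AP_CLERK": Decimal("5000.00"),
    "AP_SUPERVISOR": Decimal("25000.00"),
}

# Constructed sample postings, not real data.
SAMPLE = [
    Invoice("1900001", "V100", "KR", "INV-7731", Decimal("3000.00"), "JSMITH"),
    Invoice("1900002", "V100", "KR", "inv 7731", Decimal("2800.00"), "JSMITH"),
    Invoice("1900003", "V200", "KR", "A-55", Decimal("4200.00"), "JSMITH"),
    Invoice("1900004", "V300", "KR", "B-10", Decimal("30000.00"), "MLEE"),
    Invoice("1900005", "V100", "KR", "INV-7731", Decimal("1000.00"), "MLEE"),
    Invoice("1900006", "V400", "KR", "C-1", Decimal("10.00"), "TEMP01"),
]


def normalize_reference(ref):
    """Treat 'inv-7731', 'INV 7731' and 'INV7731' as the same reference."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def limit_for(user):
    """Return the user's tolerance limit, or None if no group is assigned."""
    return GROUP_LIMIT.get(USER_GROUP.get(user))


def find_tolerance_violations(invoices):
    """Report invoice groups that violate the creating user's tolerance.

    OVER_LIMIT:   a single invoice exceeds the limit.
    SPLIT:        each invoice is within the limit, but several invoices
                  with the same vendor, document type and reference add
                  up to more than the limit.
    NO_TOLERANCE: the creating user has no tolerance limit assigned.
    """
    groups = defaultdict(list)
    for inv in invoices:
        key = (inv.vendor, inv.doc_type,
               normalize_reference(inv.reference), inv.created_by)
        groups[key].append(inv)

    findings = []
    for key in sorted(groups):
        items = groups[key]
        limit = limit_for(key[3])
        total = sum((i.amount for i in items), Decimal("0"))
        if limit is None:
            kind = "NO_TOLERANCE"
        elif any(i.amount > limit for i in items):
            kind = "OVER_LIMIT"
        elif len(items) > 1 and total > limit:
            kind = "SPLIT"
        else:
            continue  # within tolerance, nothing to report
        findings.append({
            "kind": kind,
            "vendor": key[0],
            "doc_type": key[1],
            "reference": key[2],
            "user": key[3],
            "limit": limit,
            "total": total,
            "docs": sorted(i.doc_no for i in items),
        })
    return findings


if __name__ == "__main__":
    for f in find_tolerance_violations(SAMPLE):
        print(f["kind"], f["vendor"], f["reference"], f["user"],
              f["total"], f["docs"])
```

Normalizing the reference before grouping matters: without it, the two JSMITH invoices for the same reference would land in different groups and each would pass the limit check on its own.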


FIMDCOA_02C1

Control Description

Chart of Accounts GL Changes

Control Details

Control Type: Master Data
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

A deficiency can arise from changes to specific fields at the Chart of Accounts level in the general ledger (GL) accounts.

Control Objective

The Chart of Accounts is an important level of control for the financial accounting statements. Changes to the general ledger master at the Chart of Accounts level impact the overall financial reporting.

This control enables you to view the Chart of Accounts deficiencies in the general ledger master data by tracking changes to specific fields at the Chart of Accounts level. This control tracks who has created new GL accounts, when these changes occurred, and also reports the number of changes.

FIMDCOA_02C2

Control Description

Company Code GL Changes

Control Details

Control Type: Master Data
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

A deficiency can arise from changes to specific fields at the Company Code level in general ledger accounts.

Control Objective

The Chart of Accounts with company code view is critical for financial integration with other modules. Changes to the Company Code in the GL master impact the overall financial reporting.

This control enables you to view the Company Code deficiencies in the general ledger master data by tracking changes to specific fields at the Company Code level. This control tracks who has created new GL accounts, when these changes occurred, and also reports the number of changes.


FIMDDIS_1005C1
Control Description

GL Postings at Account Level
Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

The adjustments made to the revenue recognition accounts can exceed the deficiency limits defined in the rules.
Control Objective

Revenue recognition is critical for financial reporting. Postings to the revenue accounts have to be analyzed for each company code to report any deficiencies. Each company or group of companies has its own internal policies for the analysis of revenue recognition, guided by standard accounting practices.

This control analyzes the revenues posted at the GL account level. You can define rules at each organization entity level to analyze the postings to revenue accounts and determine which postings will be categorized as high, medium, or low. The analysis is not for the account balance, but rather for the debit total and credit total level postings for each revenue account. This control reports the total adjustments made to the revenue recognition accounts exceeding the deficiency limits defined in the rules.

FIMDDIS_1005C2
Control Description

GL Postings at Account Item Level
Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

The adjustment line items made to the revenue recognition accounts can exceed the deficiency limits defined in the rules.
Control Objective

Revenue recognition is critical for financial reporting. Postings to the revenue accounts have to be analyzed for each company code to report any deficiencies. Each company or group of companies has its own internal policies for the analysis of revenue recognition, guided by standard accounting practices.

This control analyzes the line items posted in each revenue account for a company code. You can define rules at each organization entity level to analyze the postings to revenue accounts and determine which postings will be categorized as high, medium, or low. The analysis is for the debit line item and credit line item postings for each revenue account. This control reports the adjustment line items made to the revenue recognition accounts exceeding the deficiency limits defined in the rules.

FIMDDIS_1006C1
Control Description

GL Postings at Document Type Level
Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Postings to a general ledger account exceeding the amounts allowed at the document level as defined by corporate policy.
Control Objective

An accounting document is a representation within the SAP R/3 system of the document that triggered a financial posting (for example an invoice). A document type is a classification of an accounting document. When you post to an accounting document, the SAP system updates the transaction figures and the document type in the general ledger accounts.

The disclosure and maintenance of the proper accounts information is important for financial reporting. This control analyzes the transactions posted to the different document types. The debit total and credit total level for each document type are analyzed and reported based on the internal control policies of the organization. You can define rules at each organization entity level to analyze the postings to document types, and determine which postings will be categorized as high, medium, or low.

FIMDDIS_1006C2
Control Description

GL Postings at Line Item Level
Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger


Risk Description

Postings to a general ledger account exceeding the amounts allowed at the line item level as defined by corporate policy.
Control Objective

An accounting document is a representation within the SAP R/3 system of the document that triggered a financial posting (for example an invoice). A document type is a classification of an accounting document. When you post to an accounting document, the SAP system updates the transaction figures and the document type in the general ledger accounts.

The disclosure and maintenance of the proper accounts information is important for financial reporting. This control analyzes the line item transactions posted to the different document types. The debit line item and credit line item level for each document type are analyzed and reported, based on the internal control policies of the organization. You can define rules at each organization entity level to analyze the line item postings to document types, and determine which line item postings will be categorized as high, medium, or low.

FIMDDIS_1007AC1
Control Description

Recurring Entries Schedule Changes
Control Details

Control Type: Configuration
Process: Manage Financial Accounting and Controlling
Subprocess: Perform Closing

Risk Description

Manipulating run schedules to post or skip postings in some periods can misstate financial reporting.
Control Objective

In SAP, you can specify postings to recur by using the recurring entry program. To do this, you enter a recurring entry document, and then execute the recurring entry program at certain intervals using the run schedule.

This control reports the deficiencies arising out of changes to the run schedules, for example, changes to the recurring GL schedule or the closing entries schedule. The report details the changes to specific fields located at the Chart of Accounts level in the general ledger accounts.


FIMDDIS_1007BC1
Control Description

Analysis of Recurring Entries
Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Perform Closing

Risk Description

Manipulative entries posted in the background, or skipped for postings which are supposed to be recorded at every period end, can misstate financial reporting.
Control Objective

Posting recurring entries is a regular closing activity in financial accounting. You can post recurring entries automatically in the background in SAP to update the general ledger accounts, using run schedules.

This control shows all deficiencies arising out of recurring entries posted in the general ledger for a period, arising at the company code level or document type level, as defined in the rules.

FIMDDOC_05AC1
Control Description

Changes to Accounting Document Occurrence
Control Details

Control Type: Configuration
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Changes to accounting document posting settings can misstate financial statement reporting.
Control Objective

A document type is a classification of an accounting document. When you post to an accounting document, the SAP system updates the transaction figures and the document type in the general ledger accounts. Changes to the document type settings can affect the document posting process and financial accounting. This control reports the number of changes to these document types.


FIMDDOC_05AC2
Control Description

Accounting Posting Changes
Control Details

Control Type: Configuration
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Accounting documents that are restricted to postings in specific account categories, such as asset postings only, can be manipulated.
Control Objective

An accounting document is a representation within the SAP R/3 system of the document that triggered a financial posting (for example an invoice). When you post to an accounting document, the system incorporates your information based on the account type settings in the document type configuration.

This control reports the changes to the account type settings, when they occurred, and also the users who made these changes.

FIMDDOC_05AC3
Control Description

Accounting Document Changes
Control Details

Control Type: Configuration
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Manipulation of sensitive fields in the document types can lead to financial weakness.
Control Objective

An accounting document is a representation within the SAP R/3 system of the document that triggered a financial posting (for example an invoice). When you post to an accounting document, the SAP system updates the transaction figures and the document type in the general ledger accounts.

This control reports detailed changes to the sensitive fields in an accounting document, such as the number ranges and the authorized access.


FIREPDIS_05BC1
Control Description

Analysis of Material Price Changes to Financial Accounting
Control Details

Control Type: Transaction
Process: Manage Financial Accounting and Controlling
Subprocess: Manage General Ledger

Risk Description

Manipulating material price changes to affect inventory valuation can misstate financial reporting.
Control Objective

Materials are valuated at either a standard price or a moving average price, depending on the organization's policy. A change in the material price impacts the inventory valuation, therefore this change should be analyzed and monitored. The objective of this control is to ensure that inventory valuation follows the standard policies of the organization. Material prices are typically stable for considerable periods. Frequent changes to the material price should be properly authorized and disclosed.

This control can run company-wise or plant-wise, to report whether the proposed material price changes would impact financial accounting, when the changes are analyzed against previously set rules.


APPENDIX B: SAP PROCURE TO PAY DOCUMENTED CONTROLS

TOPICS COVERED IN THIS APPENDIX

Procure To Pay Documented Controls


Procure To Pay Documented Controls


Process Control currently delivers a set of 26 SAP Procure To Pay documented automated controls. These controls are:

LOIMMTYP_09BC1 (Inventory Document Posted Other Than System Date)
LOIMMTYP_09BC2 (Company Level Inventory Document Posted Other Than System Date)
LOMMMV_06BC1 (Material Valuation Revisions at Standard Price)
LOMMMV_06BC2 (Material Valuation Revisions at Moving Average Price)
LOPURPIR_02BC1 (GR/IR Posting Accuracies and Validity)
LOPURREL_05AC1 (Approval Process Based on Order Value)
LOPURREL_05AC2 (Approval Process Based on Approvers Count)
LOPURREL_05AC3 (Effectiveness of Purchase Approval Process)
LOPURREL_05BC1 (Unauthorized High Value Purchase Orders)
LOPURREL_05BC2 (Unauthorized Purchases at Company Level)
LOPURSRC_01AC1 (Analysis of Vendor Source Effectiveness)
LOPURSRC_02AC1 (Source List Recording Accuracies)
LOPURTP_06BC1 (Payments Without Goods Receipt)
LOPURTP_06BC2 (Company Level Payments Without Goods Receipt)
LOPURVAP_01AC1 (Accuracy of Invoice Tolerances)
LOPURVAP_07AC1 (Vendor Eligibility for Duplicate Payments)
LOPURVAP_07AC2 (Company Level Duplicate Payment Control)
LOPURVAP_07BC1 (Overpaid Purchase Orders)
LOPURVAP_07BC2 (Company Level Overpayments)
LOPURVAP_08BC1 (Evaluation of Duplicate Vendor Invoice)
MMIMCTR_06AC1 (Automatic Purchase Order Creation at Goods Receipt)
MMIMCTR_07AC1 (Document Level Physical Inventory Tolerance)
MMIMCTR_07AC2 (Item Level Physical Inventory Tolerance)
MMIMCTR_07AC3 (Changes to Physical Inventory Tolerances)
MMIMCTR_07BC1 (Document Level Physical Inventory Differences)
MMIMCTR_07BC2 (Item Level Physical Inventory Differences)

The following sections describe these controls in more detail.


LOIMMTYP_09BC1
Control Description

Inventory Document Posted Other Than System Date
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Manage Inventory

Risk Description

Misrepresentation of inventory statement.
Control Objective

In the SAP system, it is possible to post the inventory documents on a date different than the system date. The reason may be a genuine delay in data entry. However, it is not good practice to frequently post a document with a date different from the actual date. This can create data integrity problems in the system. Also, this activity may be misused to post the inventory transactions in past or future periods, to manipulate the inventory statements in the balance sheet.

This control provides a list of all the inventory documents posted on a date other than the system date and the dollar amount of these posted documents.

LOIMMTYP_09BC2
Control Description

Company Level Inventory Document Posted Other Than System Date
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Manage Inventory

Risk Description

Misrepresentation of inventory statement.
Control Objective

In the SAP system, it is possible to post the inventory documents on a date different than the system date. The reason may be a genuine delay in data entry. However, it is not good practice to frequently post a document with a date different from the actual date. This can create data integrity problems in the system. Also, this activity may be misused to post the inventory transactions in past or future periods, to manipulate the inventory statements in the balance sheet.

This control provides the dollar amount impact of the inventory documents posted on a date other than the system date, at the company level.


LOMMMV_06BC1
Control Description

Material Valuation Revisions at Standard Price
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Inventory Valuation

Risk Description

Misrepresentation of stock valuation.
Control Objective

Material master valuation represents the valued price for the material stocks in an organization. Any change in the material price data would have a direct impact on the material stock valuation.

This control provides the dollar amount impact on the material valuation, as a result of changes to the standard price of materials. This control identifies the impact amount to the total valuation resulting from the manual changes to the standard price (absolute value) and the ratio of the changed valuation amount compared to the valuation amount prior to the price change (% value). The valuation impact amount exceeding the deficiency limits set within the control rule will be reported in the control output.

LOMMMV_06BC2
Control Description

Material Valuation Revisions at Moving Average Price
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Inventory Valuation

Risk Description

Misrepresentation of stock valuation.
Control Objective

Material master valuation represents the valued price for the material stocks in an organization. Any change in the material price data would have a direct impact on the material stock valuation.

This control provides the dollar amount impact on the material valuation, as a result of changes to the moving average price of materials. This control identifies the impact amount to the total valuation resulting from the manual changes to the moving average price (absolute value) and the ratio of the changed valuation amount compared to the valuation amount prior to the price change (% value). The valuation impact amount exceeding the deficiency limits set within the control rule will be reported in the control output.
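The valuation check described for LOMMMV_06BC1 and LOMMMV_06BC2, as an added Python illustration that is not code from SAP GRC Process Control. The record layout, function names, limit values and sample rows are assumptions, and the % value is read here as the change in valuation divided by the valuation before the price change.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Hypothetical record layout (not SAP field names): one manual price change.
@dataclass(frozen=True)
class PriceChange:
    material: str
    plant: str
    changed_by: str
    stock_qty: Decimal
    old_price: Decimal
    new_price: Decimal

@dataclass(frozen=True)
class ValuationFinding:
    change: PriceChange
    impact_abs: Decimal            # absolute value: |stock * (new - old)|
    impact_pct: Optional[Decimal]  # % value; None when prior valuation is zero
    breached: tuple                # which deficiency limits were exceeded

def valuation_impact(change):
    """Return (absolute impact, percent impact) of one price change."""
    prior = change.stock_qty * change.old_price
    impact = abs(change.stock_qty * (change.new_price - change.old_price))
    if prior == 0:
        return impact, None        # ratio is undefined without a prior valuation
    pct = (impact / abs(prior) * 100).quantize(Decimal("0.01"))
    return impact, pct

def evaluate(changes, abs_limit, pct_limit):
    """Report changes whose impact exceeds either deficiency limit.

    Price decreases count as much as increases because the absolute value
    is compared. A change that creates valuation where none existed has no
    ratio, so this sketch reports it under its own reason (a design choice
    of the example, not documented product behaviour).
    """
    findings = []
    for ch in changes:
        impact, pct = valuation_impact(ch)
        breached = []
        if impact > abs_limit:
            breached.append("absolute")
        if pct is not None and pct > pct_limit:
            breached.append("percent")
        elif pct is None and impact > 0:
            breached.append("no-prior-valuation")
        if breached:
            findings.append(ValuationFinding(ch, impact, pct, tuple(breached)))
    # Largest dollar impact first, as a reviewer would triage it.
    return sorted(findings, key=lambda f: f.impact_abs, reverse=True)

D = Decimal
# Constructed sample data, not taken from any real system.
SAMPLE_CHANGES = [
    PriceChange("M-100", "1000", "alice", D("500"), D("12.00"), D("12.30")),
    PriceChange("M-200", "1000", "bob", D("2000"), D("8.00"), D("9.00")),
    PriceChange("M-300", "2000", "bob", D("10"), D("50.00"), D("20.00")),
    PriceChange("M-400", "2000", "carol", D("0"), D("5.00"), D("500.00")),
    PriceChange("M-500", "2000", "carol", D("40"), D("0.00"), D("3.00")),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_CHANGES, abs_limit=D("1000"), pct_limit=D("10")):
        print(f.change.material, f.change.changed_by,
              f.impact_abs, f.impact_pct, ",".join(f.breached))
```

M-400 is not reported even though its price rose a hundredfold, because with zero stock the change has no valuation impact.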

LOPURPIR_02BC1
Control Description

GR/IR Posting Accuracies and Validity
Control Details

Control Type: Transaction Analysis
Process: Procure To Pay
Subprocess: Vendor Payments

Risk Description

Significant and continued differences between an invoice and related goods receipt for a purchase order indicate a weakness in the procurement process.
Control Objective

Differences between goods receipts and invoice postings show discrepancies in the procurement process in terms of mismatch. A periodic review of these discrepancies is critical to keep the procurement process under control. Over-invoicing, under-receiving, and fictitious receipts need to be reviewed to determine the validity of receipt and invoice matching.

Goods receipt quantities and values relating to a purchase order should match with the invoice quantities and values for the same PO. This control checks the goods and invoice receipts when the purchasing documents show some discrepancy.

This control monitors the accuracy of goods receipts and invoice receipts to ensure that the procurement process is in order. This control reports the following:

Any goods and invoice receipts discrepancy.
The users who made such postings.

LOPURREL_05AC1
Control Description

Approval Process Based on Order Value
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Perform Procurement

Risk Description

Bypassing the order value limit can result in weakness in the purchase approval process.


Control Objective

In the SAP R/3 system, the release procedure refers to the approval process for purchasing documents. It involves checking the correctness of the purchasing data and giving the authorization to procure goods and services. The objective of the release procedure is to use an online approval system, rather than to rely on manual signatures.

This control identifies the release group and release strategies that have incorrect purchase approval procedures. The output from this control lists the characteristics missing in the release strategy as well as the critical approval limit assignments. The output report lists the deficiency in terms of missing approval limit characteristics and amount.

LOPURREL_05AC2
Control Description

Approval Process Based on Approvers Count
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Perform Procurement

Risk Description

Bypassing the number of approvers can result in weakness in the purchase approval process.
Control Objective

In the SAP R/3 system, the release procedure refers to the approval process for purchasing documents. It involves checking the correctness of the purchasing data and giving the authorization to procure goods and services. The objective of the release procedure is to use an online approval system, rather than to rely on manual signatures.

This control identifies the release group and release strategies that have incorrect purchase approval procedures. The control output lists the deficiency in terms of the inadequate approvers and approval steps.

LOPURREL_05AC3
Control Description

Effectiveness of Purchase Approval Process
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Perform Procurement


Risk Description

Uncontrolled procurement of goods and services can result in weakness in the purchase approval process.
Control Objective

In the SAP R/3 system, the release procedure refers to the approval process for purchasing documents. It involves checking the correctness of the purchasing data and giving the authorization to procure goods and services. The objective of the release procedure is to use an online approval system, rather than to rely on manual signatures.

If a Purchase Order document type is not restricted with a valid release procedure then the Purchase Orders can be created and changed maliciously. This would result in weakness in the purchasing process.

This control provides the document types that are assigned to incorrect purchase release procedures. The control output lists the document types that are deficient, and the factors causing the deficiency. These factors can include the following:

Characteristics missing in release strategy
Total net order value assignment to release strategy
Release strategy not assigned
Release code inadequate
Number of release codes inadequate

LOPURREL_05BC1
Control Description

Unauthorized High Value Purchase Orders
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Procurement

Risk Description

Unauthorized procurement of goods and services can result in weakness of the procurement process.
Control Objective

In the SAP R/3 system, the release procedure refers to the approval process for purchasing documents. It involves checking the correctness of the purchasing data and giving the authorization to procure goods and services. The objective of the release procedure is to use an online approval system, rather than to rely on manual signatures.

If a Purchase Order document type is not restricted with a valid release procedure then the Purchase Orders can be created and changed maliciously. This would result in weakness in the purchasing process. Even if the approval process is set up, it is possible to bypass the approval process by manipulating the release procedures for the order value, for the number of approvers, and so on, resulting in intentional unauthorized procurement of goods and services.

Purchase orders with amounts above a certain maximum value should be approved before they are issued to vendors. The release procedure enables a business to achieve this goal. The approval of Purchase Orders can be further restricted based on the purchasing organization, purchasing document types, purchasing group, material group, vendor, and so on.

This control reports the unauthorized Purchase Orders created using release procedures that were set incorrectly or not as defined by the purchase approval process guidelines. The output also lists the deficiency in terms of the dollar amounts of the created Purchase Orders.

LOPURREL_05BC2
Control Description

Unauthorized Purchases at Company Level
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Procurement

Risk Description

Unauthorized procurement of goods and services can result in weakness of the procurement process.
Control Objective

In the SAP R/3 system, the release procedure refers to the approval process for purchasing documents. It involves checking the correctness of the purchasing data and giving the authorization to procure goods and services. The objective of the release procedure is to use an online approval system, rather than to rely on manual signatures.

If a Purchase Order document type is not restricted with a valid release procedure then the Purchase Orders can be created and changed maliciously. This would result in weakness in the purchasing process. Even if the approval process is set up, it is possible to bypass the approval process by manipulating the release procedures for the order value, for the number of approvers, and so on, resulting in intentional unauthorized procurement of goods and services.

Purchase orders with amounts above a certain maximum value should be approved before they are issued to vendors. The release procedure enables a business to achieve this goal. The approval of Purchase Orders can be further restricted based on the purchasing organization, purchasing document types, purchasing group, material group, vendor, and so on.

This control reports the total dollar amount from unauthorized Purchase Orders created using release procedures that were set incorrectly or not as defined by the purchase approval process guidelines. The output lists the deficiency in terms of the dollar amount at the company level.


LOPURSRC_01AC1
Control Description

Analysis of Vendor Source Effectiveness
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: External Procurement

Risk Description

Malicious modification of the source list records can result in weakness of the purchasing process, increasing the chances of procurement of raw materials from unauthorized or unqualified vendors.
Control Objective

The source list is a list of available sources of supply for a material, indicating the periods during which procurement from such sources is possible. The source list facilitates the determination of the source that is applicable (effective) at a certain point in time. Every possible source of supply is stored in a source list record, together with its validity period.

To determine the applicable source, the source list requirements are defined at the plant level. Thus, if a source list requirement exists, the source list for each material must be maintained for that plant, before you can order the material.

Only qualified suppliers can be selected for ordering a raw material (compounds, labels, and packaging materials). The system should control supplier selection based on qualification status. This control reports the following:

Changes made to plant level source determination.
The users who made such control changes.

LOPURSRC_02AC1
Control Description

Source List Recording Accuracies
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: External Procurement

Risk Description

Malicious modification of the source list records can result in weakness of the purchasing process, increasing the chances of procurement of raw materials from unauthorized or unqualified vendors.


Control Objective

The source list is a list of available sources of supply for a material, indicating the periods during which procurement from such sources is possible. The source list facilitates the determination of the source that is applicable (effective) at a certain point in time. Every possible source of supply is stored in a source list record, together with its validity period.

A fixed source specifies that the source of supply is the preferred procurement option within the specified period. A blocked source specifies that the source is blocked for ordering purposes.

Changes to the source list need to be reviewed periodically to identify that only authorized changes are recorded. Any unauthorized changes may have a negative influence on the procurement policies. This control reports the following:

Changes made to the source list records.
The users who made such control changes.

LOPURTP_06BC1
Control Description

Payments Without Goods Receipt
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Invoice Verification

Risk Description

Vendor payment without receiving the purchased goods.
Control Objective

In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.

A business needs to control the invoices that are verified without a Goods Receipt reference. This method allows these invoices to be verified and posted by bypassing the Goods Receipt checks. These invoices can be verified maliciously resulting in weakness in the invoice verification process.

This control reports individual invoices being posted for payment without a Goods Receipt reference.


LOPURTP_06BC2
Control Description

Company Level Payments Without Goods Receipt
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Invoice Verification

Risk Description

Vendor payment without receiving the purchased goods.
Control Objective

In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.

A business needs to control the invoices that are verified without a Goods Receipt reference. This method allows these invoices to be verified and posted by bypassing the Goods Receipt checks. These invoices can be verified maliciously resulting in weakness in the invoice verification process.

This control reports the total invoice amount for a company code resulting from invoices posted for payment without a Goods Receipt reference.

LOPURVAP_01AC1
Control Description

Accuracy of Invoice Tolerances
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Vendor Payments

Risk Description

Changes to invoice tolerance settings can affect the way company policy settings are bypassed. Unauthorized increases to the risk tolerance settings can cause the failure to match dollar-for-dollar the deliveries and invoices, thus resulting in undue payments to vendors, and hence impacting the financial data of the organization.


Control Objective

An invoice tolerance setting determines the ability to post the invoices for payment, when the invoice contains different amount and time values than those recorded in the Goods Receipt or the Purchase Order (PO). This invoice tolerance setting is a critical business policy for the procure-to-pay process and the accounts payables.

When processing an invoice, the SAP system checks for variances between the invoice and the Purchase Order or Goods Receipt. The different types of variances are defined in the tolerance keys. A high tolerance may lead to higher payments being allowed, affecting the cash flow, and conversely, stringent settings may invoke more manual intervention thus wasting precious resource time.

This control monitors the accuracy of invoice tolerance settings for quantity variations. This control reports the following:

Changes made to the invoice tolerance settings, and alternately, the violations to the invoice tolerance settings.
The invoices exceeding the actual invoice amount within and exceeding the tolerance limits, but controlled by the rule settings.
The users who made such control changes.

LOPURVAP_07AC1
Control Description

Vendor Eligibility for Duplicate Payments
Control Details

Control Type: Master Data
Process: Procure To Pay
Subprocess: Perform Invoice Verification

Risk Description

Uncontrolled changes to the vendor master may result in duplicate payment to vendors.
Control Objective

In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.

A business needs to prevent the same invoice from being posted in the system more than once. If controls are not in place then duplicate invoices can be posted by mistake or deliberately. This would result in weakness in the invoice verification process.

This control reports the changes to the vendor master, such as the double invoice check settings, which can result in duplicate payments to the vendors. This would also include changes to the master data to bypass the duplicate payment.


LOPURVAP_07AC2
Control Description

Company Level Duplicate Payment Control
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Perform Invoice Verification

Risk Description

Uncontrolled changes to the company level parameters may result in duplicate payment to vendors.
Control Objective

In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.

A business needs to prevent the same invoice from being posted in the system more than once. If controls are not in place then duplicate invoices can be posted by mistake or deliberately. This would result in weakness in the invoice verification process.

This control reports the deficiencies resulting from changes to the company level parameters for duplicate invoice check. This control also enables you to track the changes to the accounting document type for vendor invoice.

LOPURVAP_07BC1
Control Description

Overpaid Purchase Orders
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Invoice Verification

Risk Description

Posted invoices resulting in overpayment for a purchase order.
Control Objective

In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.

This control identifies if a purchase order has been overpaid. The overpayment may occur as a result of multiple invoices being posted against the same purchase order. This control checks all system records and reports on any invoice that has been posted that has resulted in overpayment for a purchase order.

LOPURVAP_07BC2
Control Description

Company Level Overpayments
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Invoice Verification

Risk Description

The company level duplicate amount within a given period resulting in overpayment.
Control Objective

In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.

Uncontrolled changes to the company level parameters for vendor duplicate invoice may lead to uncontrolled system entries and invoice postings, resulting in overpayment. The unchecking of invoice postings related accounting document types can also lead to invoices being posted without a vendor invoice reference, resulting in overpayment.

This control identifies the total overpaid amount for the purchase orders at the company level within a given period.
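A sketch of the checks described for LOPURVAP_07BC1 and LOPURVAP_07BC2, added here as an illustration and not taken from SAP GRC Process Control: it walks each purchase order's invoices in posting order, reports every invoice that pushes the cumulative invoiced amount above the order value, and totals that excess per company code for a period. The record layouts, function names and sample data are assumptions made for the example, not SAP table or field names.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Hypothetical record layouts for the example (not SAP structures).
@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    company_code: str
    net_value: Decimal

@dataclass(frozen=True)
class Invoice:
    doc_number: str
    po_number: str
    posting_date: date
    amount: Decimal      # negative for a credit memo
    posted_by: str

@dataclass(frozen=True)
class OverpaymentFinding:
    po_number: str
    company_code: str
    invoice: str
    posted_by: str
    posting_date: date
    excess: Decimal      # how much this invoice added to the overpayment

def find_overpayments(orders, invoices):
    """Flag each invoice that raises a PO's cumulative total above its value."""
    by_po = {po.po_number: po for po in orders}
    grouped = defaultdict(list)
    for inv in invoices:
        grouped[inv.po_number].append(inv)
    findings = []
    zero = Decimal("0")
    for po_number, items in grouped.items():
        po = by_po.get(po_number)
        if po is None:
            continue     # invoice without a known PO: outside this check
        running = zero
        for inv in sorted(items, key=lambda i: (i.posting_date, i.doc_number)):
            before = max(running - po.net_value, zero)
            running += inv.amount    # credit memos lower the running total
            after = max(running - po.net_value, zero)
            if after > before:
                findings.append(OverpaymentFinding(
                    po.po_number, po.company_code, inv.doc_number,
                    inv.posted_by, inv.posting_date, after - before))
    return sorted(findings, key=lambda f: (f.posting_date, f.invoice))

def company_overpaid_totals(findings, start, end):
    """Sum the flagged excess per company code for postings in [start, end]."""
    totals = defaultdict(Decimal)
    for f in findings:
        if start <= f.posting_date <= end:
            totals[f.company_code] += f.excess
    return dict(totals)

D = Decimal
# Constructed sample data, not taken from any real system.
SAMPLE_ORDERS = [
    PurchaseOrder("4500000001", "1000", D("10000.00")),
    PurchaseOrder("4500000002", "1000", D("5000.00")),
    PurchaseOrder("4500000003", "2000", D("2000.00")),
]
SAMPLE_INVOICES = [
    Invoice("INV-1", "4500000001", date(2024, 1, 10), D("6000.00"), "userA"),
    Invoice("INV-2", "4500000001", date(2024, 1, 20), D("4000.00"), "userA"),
    Invoice("INV-3", "4500000001", date(2024, 2, 5), D("1500.00"), "userB"),
    Invoice("INV-4", "4500000002", date(2024, 1, 15), D("5200.00"), "userC"),
    Invoice("INV-5", "4500000002", date(2024, 1, 25), D("-200.00"), "userC"),
    Invoice("INV-6", "4500000002", date(2024, 2, 10), D("300.00"), "userC"),
    Invoice("INV-7", "4500000003", date(2024, 1, 12), D("1000.00"), "userD"),
    Invoice("INV-8", "4500000003", date(2024, 3, 1), D("1500.00"), "userD"),
    Invoice("INV-9", "4599999999", date(2024, 1, 5), D("50.00"), "userD"),
]

if __name__ == "__main__":
    found = find_overpayments(SAMPLE_ORDERS, SAMPLE_INVOICES)
    for f in found:
        print(f.po_number, f.invoice, f.posted_by, f.posting_date, f.excess)
    print(company_overpaid_totals(found, date(2024, 1, 1), date(2024, 2, 29)))
```

INV-2 brings its order exactly to the order value and is not reported. The company totals are gross: a credit memo such as INV-5 lowers the running total for later invoices but does not cancel a finding already raised.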

LOPURVAP_08BC1
Control Description

Evaluation of Duplicate Vendor Invoice
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Perform Invoice Verification

Risk Description

Duplicate payment to the vendors either by mistake or deliberately.


Control Objective

In Logistics Invoice Verification, incoming invoices are verified in terms of their content, price, and arithmetic. Invoices can be verified with reference to the Purchase Order, Goods Receipt, and so on. When the invoice is posted, the invoice data is saved in the system. The system updates the data saved in the invoice documents during the materials management and financial accounting process.

A business needs to prevent the same invoice from being posted in the system more than once. If controls are not in place then duplicate invoices can be posted by mistake or deliberately. This would result in weakness in the invoice verification process.

This control checks all system records and identifies the vendor invoices that have been allocated more than once within a given period. The control output contains all the purchase orders/invoices/amount/user information.

MMIMCTR_06AC1
Control Description

Automatic Purchase Order Creation at Goods Receipt
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Receive Goods and Services

Risk Description

Automatic Purchase Order creation at the time of receipt may lead to unauthorized procurement of material.
Control Objective

Material movement is one of the core components of any business dealing with materials and inventories. A material movement may be a receipt, an issue, a transfer, or a change to the goods, and so on. Information capture, analysis, and control of the material movements are core requirements for company information systems.

The SAP R/3 system provides parameter settings that help companies efficiently organize their business processes involving material movement. One of the control settings called Create Purchase Order Automatically allows the users to automatically generate a Purchase Order at the time of goods receipt, thus eliminating the need to create the Purchase Order manually.

This control reports deficiencies as a result of suspicious changes to the Create Purchase Order Automatically control setting. This control tracks these changes to prevent the misuse of this powerful system control feature.


MMIMCTR_07AC1
Control Description

Document Level Physical Inventory Tolerance
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Manage Inventory

Risk Description

Uncontrolled changes to the tolerance limits for a document level can lead to unauthorized adjustment of high value inventory items.
Control Objective

During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted. However, whether this difference value can be posted or not is determined by the tolerance limits. If the tolerance limits are set too high or do not exist, this would allow the posting of an excessive difference value, and result in weakness of the physical inventory process.

This control tracks the deficiencies arising from changes made to the tolerance limits for a document level associated with the physical inventory tolerance groups. If the change amount exceeds the deficiency limits set within the control rule, this control reports the tolerance group, the user, and the change details.

MMIMCTR_07AC2
Control Description

Item Level Physical Inventory Tolerance
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Manage Inventory

Risk Description

Uncontrolled changes to the tolerance limits for a line level can lead to unauthorized adjustments of high value inventory items.
Control Objective

During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted. However, whether this difference value can be posted or not is determined by the tolerance limits. If the tolerance limits are set too high or do not exist, this would allow the posting of an excessive difference value, and result in weakness of the physical inventory process.

This control reports deficiencies arising from changes made to the tolerance limits for a line level associated with the physical inventory tolerance groups. If the change amount exceeds the deficiency limits set within the control rule, this control reports the tolerance group, the user, and the change details.

MMIMCTR_07AC3
Control Description

Changes to Physical Inventory Tolerances
Control Details

Control Type: Configuration
Process: Procure To Pay
Subprocess: Manage Inventory

Risk Description

Uncontrolled changes to the tolerance limits can lead to unauthorized adjustment of high value inventory items.
Control Objective

During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted. However, whether this difference value can be posted or not is determined by the tolerance limits. If the tolerance limits are set too high or do not exist, this would allow the posting of an excessive difference value, and result in weakness of the physical inventory process.

This control tracks the deficiencies arising from changes made to the tolerance limits associated with the physical inventory tolerance groups. The change may occur at either the document level or line level, or both. If the number of changes exceeds the deficiency limits set within the rule, this control reports the change details.

MMIMCTR_07BC1
Control Description

Document Level Physical Inventory Differences
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Manage Inventory

Risk Description

Misrepresentation of inventory statements and misappropriation of stocks.
Control Objective

During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted.

The SAP system allows you to post physical inventory differences based on user tolerance limits. This control ensures the differences posted on the physical inventory documents are accurate and within limit.

This control reports any deficiency resulting from the difference value posted for the physical inventory document. The physical inventory document processed is checked for the difference value posted (absolute value) and the ratio of the difference value compared to the total inventory value (% value). If any value exceeds the deficiency limits as defined by the control rule then it will be reported in the control output.

MMIMCTR_07BC2
Control Description

Item Level Physical Inventory Differences
Control Details

Control Type: Transaction
Process: Procure To Pay
Subprocess: Manage Inventory

Risk Description

Misrepresentation of inventory statements and misappropriation of stocks.
Control Objective

During a physical inventory count, if any difference is found between the actual stock and the system stock amounts, the difference is either accepted or rejected. If the difference is accepted, its value is to be posted.

The SAP system allows you to post physical inventory line item differences based on user tolerance limits. This control ensures the differences posted on the physical inventory line items are accurate and within limit.

This control reports any deficiency resulting from the difference value posted for the physical inventory line item. The physical inventory line item processed is checked for the difference value posted (absolute value) and the ratio of the line item difference value compared to the line item inventory value (% value). If any value exceeds the deficiency limits as defined by the control rule then it will be reported in the control output.

Appendix C
SAP ORDER TO CASH DOCUMENTED CONTROLS

TOPICS COVERED IN THIS APPENDIX

Order To Cash Documented Controls

Order To Cash Documented Controls


Process Control currently delivers a set of 22 SAP Order To Cash documented automated controls. These controls are:

SDBILL_04AC3 (Changes to Billing Documents)
SDBILL_04AC4 (Billing Types Relevant to Rebates)
SDCMM_01C1 (Credit Check Sales Order Entry)
SDCMM_01C2 (Credit Check Shipping)
SDCMM_01C3 (Credit Check Item Categories)
SDCMM_05C1 (Automatic Credit Control Seasonal Factor)
SDCMM_05C2 (Automatic Credit Control Deviation Factor)
SDCMM_05C3 (Effectiveness of Automatic Credit Check)
SDCMM_05C4 (Changes to Automatic Credit Check)
SDCMM_10C1 (Credit Exposure for Customer Risk Category)
SDCMM_11BC1 (Company-wise Credit Exposure)
SDCMMD_11BC1 (One-time Customer Account for High Value Sales)
SDCMMD_12BC1 (Sales Through One-time Customers)
SDMDCTR_01C1 (Changes to Payment Terms)
SDMDCTR_01C2 (Payment Terms with Longer Credit Period)
SDMDCTR_01C3 (Payment Terms with Higher Cash Discount)
SDPRICTR_01AC1 (Changes to Customer Pricing Procedure)
SDPRICTR_01AC2 (Changes to Condition Types in Customer Pricing)
SDSOP_08BC1 (Percentage of Open Sales Orders vs. Total Orders)
SDSOP_08BC2 (Sales Order Ageing Analysis)
SDSRP_07BC1 (Analysis of Sales Returns)
SDSRP_08BC1 (Sales Returns by Customer)

The following sections describe these controls in more detail.

SDBILL_04AC3
Control Description

Changes to Billing Documents
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Process Billing Documents

Risk Description

Exposing the organization to an erroneous or ineffective billing process.
Control Objective

As part of the transaction cycle for a business, several types of billing documents have to be configured to take care of the invoice/billing process. Billing document configuration is very critical and any change in this configuration can be a cause of inconsistency in the billing process and concern for the company.

Changes to the configuration of a billing document should be avoided as much as possible, or else strictly monitored and approved, to prevent an erroneous or ineffective billing process in the organization. It is imperative that management continuously tracks any changes to the billing document configuration.

This control reports detailed information about the changes to the critical fields or the configuration of the billing document types for the SAP client.

SDBILL_04AC4
Control Description

Billing Types Relevant to Rebates
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Process Billing Documents

Risk Description

Exposing the organization to an erroneous or ineffective billing process regarding rebate-related transactions.
Control Objective

As part of the transaction cycle for a business, several types of billing documents have to be configured to take care of the invoice/billing process. Billing document configuration is very critical and any change in this configuration can be a cause of inconsistency in the billing process and concern for the company.

Billing configuration should be specific for particular billing types. Specific configuration setup is essential for billing types relevant to rebates. The key configuration for this control is the rebate relevancy field, and determining the checked or blank value of the rebate relevancy field is crucial.

The objective of this control is to ensure a consistent and appropriate billing process for all rebate-related transactions. This control reports the following:

Changes made to the rebate relevancy field in the Billing Document.
The users who made such changes, and the change time and date details.


SDCMM_01C1
Control Description

Credit Check Sales Order Entry
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Lack of visibility to the critical changes in the credit management area during the sales order entry process.
Control Objective

Organizations can specify in SAP different credit checks to meet their credit management needs. These checks are executed at various levels during the sales order execution cycle.

To ensure that the system will perform these credit checks appropriately, you need to assign the type of credit check to the sales/delivery document types and the item categories, during your configuration. This specific assignment of the credit check to the sales document types is critical. Any change to this assignment or configuration may lead to ineffective or no credit check at the sales order entry level.

This control reports the details and history of changes to the configuration of credit check assignments, for the sales document types used in the sales order entry process.

SDCMM_01C2
Control Description

Credit Check Shipping
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Lack of visibility to the critical changes in the credit management area during the shipping process.
Control Objective

Organizations can specify in SAP different credit checks to meet their credit management needs. These checks are executed at various levels during the sales order execution cycle.

To ensure that the system will perform these credit checks appropriately, you need to assign the type of credit check to the sales/delivery document types and the item categories, during your configuration. This specific assignment of the credit check to the delivery document types is critical. Any changes to this assignment or configuration may lead to ineffective or no credit check.

This control reports the details and history of changes to the configuration of credit check assignments, for the delivery document types used in the shipping process.

SDCMM_01C3
Control Description

Credit Check Item Categories
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Lack of visibility to the critical changes in the credit management area during the sales order entry and shipping processes.
Control Objective

Organizations can specify in SAP different credit checks to meet their credit management needs. These checks are executed at various levels during the sales order execution cycle.

To ensure that the system will perform these credit checks appropriately, you need to assign the type of credit check to the sales/delivery document types and the item categories, during your configuration. This specific assignment of the credit check to the item categories is critical. Removing or switching off this check leads to no credit check in the automatic credit check process.

This control reports the details and history of changes to the configuration of the credit check assignments for item categories.

SDCMM_05C1
Control Description

Automatic Credit Control Seasonal Factor
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Exposing an organization to extended customer credits and losing control of customer credit allocations.
Control Objective

For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit situations and other credit-related allocations.

Standard SAP provides a process called Automatic credit control, which is determined by the customer risk categories, the credit control area, and the document credit group. This process monitors all sales document types for which a document credit group is defined and an automatic credit check is assigned. The system performs a credit check for any sales document with an automatic credit check assignment.

Any change in the document credit groups, customer risk categories, credit control area, or any other change to the configuration of the automatic credit control process, can cause excessive customer credits and credit-related problems in the system. Therefore, it is imperative that management tracks the effectiveness of the automatic credit control setup for the different credit control areas. Management needs to also track the credit limit seasonal factor that has been assigned to the different credit control areas.

This control reports the details of the changes to the configuration of the customer credit limit seasonal factors, and the users who initiated these changes.

SDCMM_05C2
Control Description

Automatic Credit Control Deviation Factor
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Exposing an organization to ineffective credit control.
Control Objective

For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit situations and other credit-related allocations.

Any change in the document credit groups, customer risk categories, credit control areas, or any other change to the configuration of the automatic credit control process, can cause excessive customer credits and credit-related problems in the system. Therefore, it is imperative that management tracks the effectiveness of the automatic credit control setup for the different credit control areas. Management needs to also track the deviation factor related to the document values, and the number of days that a particular sales document is allowed to bypass the checking of its credit history.

This control reports the details of the changes to the system configuration that allow the possibility of certain sales documents to bypass their credit check, and the users who initiated these changes.


SDCMM_05C3
Control Description

Effectiveness of Automatic Credit Check
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Exposing an organization to ineffective credit control and lack of visibility of the critical checks in the automatic credit control scenarios.
Control Objective

For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit situations and other credit-related allocations.

Any change in the document credit groups, customer risk categories, credit control areas, or any other change to the configuration of the automatic credit control process, can cause excessive customer credits and credit-related problems in the system. Therefore, it is imperative that management tracks the effectiveness of the automatic credit control setup for the different credit control areas.

This control reports the details of changes to the system configuration that can affect the credit checking process for transactions related to particular document credit groups, customer risk categories, and credit control areas. This control determines whether the dynamic check is effective, and reports the system's status when this check is ineffective.

SDCMM_05C4
Control Description

Changes to Automatic Credit Check
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Exposing an organization to ineffective credit control.
Control Objective

For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit situations and other credit-related allocations.

Any change in the document credit groups, customer risk categories, credit control areas, or frequent changes to the critical fields related to the configuration of the automatic credit control process, can cause excessive customer credits and credit-related problems in the system. Therefore, it is imperative that management tracks the effectiveness of the automatic credit control setup for the different credit control areas, by monitoring the frequent changes to the credit control configuration.

This control reports the details of changes to the credit control configuration, and frequent changes to the critical fields related to the automatic credit setup of the organization.

SDCMM_10C1
Control Description

Credit Exposure for Customer Risk Category
Control Details

Control Type: Transaction
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Exposing an organization to large amounts of credit for customers of different risk categories.
Control Objective

For any business to have better control of its financial status, management needs to be able to effectively monitor, evaluate, and control credit exposure in the market. Without effective monitoring, an organization might end up losing control of the credits given to its customers. This can lead to financial weakness.

To avoid such situations and to establish better credit control, management needs to track all credit exposure for their customers, who are organized into different risk categories.

This control reports the credit exposure amounts (in the currency of credit control area), for each customer risk category, irrespective of the credit control area.

SDCMM_11BC1
Control Description

Company-wise Credit Exposure
Control Details

Control Type: Transaction
Process: Order to Cash
Subprocess: Execute Credit Management

Risk Description

Lack of visibility to the risk of huge credit exposure.
Control Objective

For any business to be a success, management needs to monitor the credit situation continuously and effectively.

Management should be vigilant to ensure that the total exposure of the organization for each credit control area does not exceed certain limits or organization norms. A very high level of exposure severely affects the cash situation for the company, and exposes the organization to a higher level of risk occurrence.

This report provides the details of total credit exposure of the organization at the credit control area level, to help the organization manage their credit risk.

SDCMMD_11BC1
Control Description

One-time Customer Account for High Value Sales
Control Details

Control Type: Transaction
Process: Order to Cash
Subprocess: Process Sales Order

Risk Description

Using an inappropriate account group for high value sales orders bypasses many critical checks.
Control Objective

A business should be aware of the transactions involving the One-time customer account group. During the order execution process, this account group bypasses many critical checks such as the credit limit check, the over/under delivery tolerance check, and so on.

The One-time Customer account group can be misused by the business when this account group processes high value sales, because this kind of transaction bypasses many critical checks in the sales cycle. This action can happen by mistake or deliberately, violating organization norms.

Ignoring the purpose of the One-time customer account group and performing high value business transactions through this account group can lead to weakness in the financial system. To prevent this problem, this control reports high value sales transactions performed in the organization using the One-time customer account group, for the selected period of analysis.
Additional Functionality

The same control report can be used for the following:

Analysis of High/Low value sales orders for an account group
Analysis of High/Low value sales orders for a document type
Analysis of High/Low value sales orders for a sales organization


SDCMMD_12BC1
Control Description

Sales Through One-time Customers
Control Details

Control Type: Transaction
Process: Order to Cash
Subprocess: Process Sales Order

Risk Description

Inappropriate usage of the one-time customer account group and lack of visibility to the proper sales scenarios in the organization.
Control Objective

All businesses have one-time customers who conduct one-time transactions with the business. In SAP, there is a facility to create or maintain a common master record for all one-time customer business transactions, since the organization does not expect long-term business relationships with such customers.

Management should be aware of the volume of business under this one-time customer account. Frequent usage of this account group for general business transactions is not advisable.

This control provides the details of the total sales under the one-time customer account as compared to the total sales of the organization. This control reports a deficiency when sales from one-time customers exceed a specific percentage of regular sales over a period of time.

SDMDCTR_01C1
Control Description

Changes to Payment Terms
Control Details

Control Type: Master Data
Process: Order to Cash
Subprocess: Maintain OTC Master Data

Risk Description

Lack of visibility in the organization to the critical changes to payment terms.
Control Objective

To do business with customers and vendors, an organization needs to configure and manage payment terms in their SAP system. The organization also needs to change certain parameters in customer pricing as dictated by the market.

It is essential to monitor the payment term configuration changes and other critical field value changes such as day limit, cash discount percentage rates, and payment period, to prevent AR/AP instability and deficiency in the business process.

This control reports the details of frequent changes made to the payment terms, and the users who initiated these changes.

SDMDCTR_01C2
Control Description

Payment Terms with Longer Credit Period
Control Details

Control Type: Master Data
Process: Order to Cash
Subprocess: Maintain OTC Master Data

Risk Description

Organizational exposure to an excessive credit period for customers, and lack of visibility to existing payment terms with excessive credit period allocations.
Control Objective

In doing business with customers and vendors, you need to configure and manage payment terms in SAP. As the market changes, you also need to change certain parameters such as the credit terms in customer pricing.

It is essential to monitor changes to the critical field values which can lead to an increase or a decrease of the credit period in the customer payment terms. These configuration changes might be deviating from the organization norms, allowing an excessive credit period to the customers.

This control provides details of the credit period allocated or configured for the customer payment terms.

SDMDCTR_01C3
Control Description

Payment Terms with Higher Cash Discount
Control Details

Control Type: Master Data
Process: Order to Cash
Subprocess: Maintain OTC Master Data

Risk Description

Organizational exposure to excessive discounts for customers via payment terms, and lack of visibility to decreasing sales revenue due to higher discounts for customers via payment terms.
Control Objective

In doing business with customers and vendors, you need to configure and manage payment terms in SAP. As the market changes, you also need to change certain parameters such as the discount terms in customer pricing.

It is essential to monitor changes to the critical field values which can lead to an increase or a decrease of the customer discount structure in the customer payment terms. These configuration changes might be deviating from the organization norms, allowing excessive discounts to the customers.

The control provides the details of the customer discount structure allocated or configured for the customer payment terms.

SDPRICTR_01AC1
Control Description

Changes to Customer Pricing Procedure
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Process Sales Order

Risk Description

Inconsistent customer pricing procedures and frequent changes to the pricing key components can lead to unstable business processes in the organization.
Control Objective

A business uses pricing procedures to calculate net order or invoice value, by considering the base prices, discounts, surcharges, and rebates during the sales order entry and customer invoice creation.

A business needs to have different pricing procedures to cater to various customer requirements. However, it is important to maintain consistency for these different pricing procedures. Unauthorized or unwanted changes to pricing procedures can lead to inconsistency in the system and can affect revenue.

This control reports deficiencies arising from frequent changes to the customer pricing procedure.


SDPRICTR_01AC2
Control Description

Changes to Condition Types in Customer Pricing
Control Details

Control Type: Configuration
Process: Order to Cash
Subprocess: Process Sales Order

Risk Description

Inconsistent customer pricing procedures and frequent changes to the pricing condition types can lead to unstable business processes in the organization.
Control Objective

Condition types play a very important role in customer pricing procedures. Minimal configuration changes to the condition types lead to greater functionality of the corresponding pricing procedures. Maintaining different yet consistent condition types is essential to ensure stable pricing processes in the business.

This control reports deficiencies that occur due to changes made to the fields in the condition types used in the customer pricing procedure.

SDSOP_08BC1
Control Description

Percentage of Open Sales Orders vs. Total Orders
Control Details

Control Type: Transaction
Process: Order To Cash
Subprocess: Process Sales Order

Risk Description

A high volume of open and unprocessed sales orders can cause unnecessary constraints on the inventory by blocking the confirmation of materials quantities.
Control Objective

It is essential for management to effectively monitor and evaluate their organization's sales logistics and business philosophy. For example, lack of monitoring of open or unprocessed cases of high volume sales orders can cause unnecessary constraints on the inventory, by blocking the confirmation of materials quantities.

To avoid such situations, management needs to track such open orders and analyze them by comparing them to the total volume of sales.

This control provides the transactional figures for the number of open orders, total orders, and percentage of open orders, to the total number of sales orders, booked for a certain period of time. You can obtain details to specific sales area and customer account groups from the control report.

SDSOP_08BC2
Control Description

Sales Order Ageing Analysis
Control Details

Control Type: Transaction
Process: Order To Cash
Subprocess: Process Sales Order

Risk Description

A high volume of open and unprocessed sales orders can cause unnecessary constraints on the inventory by blocking the confirmation of materials quantities.
Control Objective

For any business to be a success, management has to effectively monitor and evaluate the organization's sales scenarios. Lack of monitoring of open or unprocessed cases of high volume sales orders can cause unnecessary constraints on the inventory, by blocking the confirmation of materials quantities, thus making these materials unavailable for other orders.

To avoid such situations, management needs to track all orders that have been open or unprocessed for an unduly long time, and try to ascertain the reasons behind these delays.

This control analyzes the ageing of the open sales orders by order type and order number. You can obtain details to specific sales area, sales order type, and customer account groups from the control report.

SDSRP_07BC1
Control Description

Analysis of Sales Returns
Control Details

Control Type: Transaction
Process: Order to Cash
Subprocess: Process Sales Returns

Risks Descriptions

Inappropriate use of the returns process
Lack of visibility of the volume of customer sales returns compared to total sales in the organization

Control Objective

Whenever customers send their purchased goods back, your business accounts for these returns by entering them in the Sales & Distribution system. You need to be aware of the volume of returns compared to total sales, so that you can take corrective action if these returns are excessively high.

In SAP there is a process to track the returns and analyze the quantity of returns per customer, per Sales Organization, per Sales office, per Sales employee, per Company, and so on. The Returns Processing process can be misused by the business to ship a huge volume of goods by the end of each quarter or year, because these excess shipments can be taken back in the future as returns. This misuse can happen by mistake or can be done deliberately to boost sales figures, leading to weakness in the Sales & Distribution system.

This control reports detailed information about the percentage of returns as compared to total sales, and also the return deliveries without reference. This information helps in safeguarding an organization against misuse of the returns processing activity.

SDSRP_08BC1
Control Description

Sales Returns by Customer
Control Details

Control Type: Transaction
Process: Order to Cash
Subprocess: Process Sales Returns

Risks Descriptions

Inappropriate use of the returns process
Lack of visibility of the volume of customer sales returns in the organization

Control Objective

Whenever customers send their purchased goods back, your business accounts for these returns by entering them in the Sales & Distribution system. You need to be aware of the volume of returns per customer, so that you can take corrective action if these returns are excessively high.

In SAP there is a process to track the returns and analyze the quantity of returns per customer, per Sales Organization, per Sales office, per Sales employee, per Company, and so on. The Returns Processing process can be misused by the business to ship a huge volume of goods by the end of each quarter or year, because these excess shipments can be taken back in the future as returns. This misuse can happen by mistake or can be done deliberately to boost sales figures, leading to weakness in the Sales & Distribution system.

This control reports detailed information about the volume of returns per customer. This information helps in safeguarding an organization against misuse of the returns processing activity.

Appendix D
SAP IT DOCUMENTED CONTROLS

TOPICS COVERED IN THIS APPENDIX

IT Documented Controls

IT Documented Controls
SAP GRC currently delivers a set of four IT documented automated controls. These controls are:

BCSCFPAR_100AC1 (Monitoring System Profile Parameters)
BCSCFPAR_100AC2 (Monitoring Database Profile Parameters)
BCSCFSYS_100AC1 (Monitoring Developer Keys)
BCTRNCFS_100AC1 (Monitoring System Settings)

The following sections describe these controls in more detail.

BCSCFPAR_100AC1
Control Description

Monitoring System Profile Parameters
Control Details

Control Type: Configuration
Process: System Configuration
Subprocess: Parameters

Business Requirement

The parameter settings in the SAP startup profiles affect the SAP R/3 system in situations relevant to security, protection, and compliance.
Risk Description

Monitoring the system manifold controlling parameters is necessary to prevent security breach.
Control Objective

The objective of this control is to monitor the system profile parameters on a regular basis, to ensure that they are updated according to SAP's most current recommendations, and that they are adjusted to match the current activities on the system. This control reports any unexpected settings for the system profile parameters.
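One way to run the comparison this control describes, added here as an illustration; it is not SAP's code or part of the product. It parses profile text in `name = value` form and reports parameters that are missing or outside an expected baseline. The parameter names are real SAP profile parameters, but the profile snapshot and the baseline values are constructed for the example and are not SAP recommendations.

```python
# Expected settings: (rule, expected value). Constructed baseline, an assumption
# for this example; replace with the values your own security policy mandates.
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/no_automatic_user_sapstar": ("equals", 1),
    "rdisp/gui_auto_logout": ("range", (1, 3600)),
}

# Constructed profile snapshot. Lines starting with '#' are comments.
SAMPLE_PROFILE = """\
# profile snapshot (constructed sample)
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 0
# rdisp/gui_auto_logout = 1800
"""


def parse_profile(text):
    """Parse 'name = value' lines into a dict; a later entry for the same
    parameter overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_profile(params, baseline=BASELINE):
    """Return (parameter, actual value, reason) for every unexpected setting."""
    findings = []
    for name in sorted(baseline):
        rule, expected = baseline[name]
        raw = params.get(name)
        if raw is None:
            # A commented-out or absent parameter silently falls back to the
            # kernel default, so it is reported rather than assumed safe.
            findings.append((name, None, "not set in profile; default applies"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, "value is not an integer"))
            continue
        if rule == "min" and value < expected:
            findings.append((name, raw, f"below minimum {expected}"))
        elif rule == "max" and value > expected:
            findings.append((name, raw, f"above maximum {expected}"))
        elif rule == "equals" and value != expected:
            findings.append((name, raw, f"expected {expected}"))
        elif rule == "range" and not expected[0] <= value <= expected[1]:
            findings.append((name, raw, f"outside {expected[0]}..{expected[1]}"))
    return findings


if __name__ == "__main__":
    for name, actual, reason in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {actual!r} ({reason})")
```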

BCSCFPAR_100AC2
Control Description

MonitoringDatabaseProfileParameters
Control Details

ControlType:Configuration Process:SystemConfiguration

212

IT Documented Controls Appendix D SAP IT Documented Controls

Subprocess:Parameters

Business Requirement

ThedatabasedependentparametersettingsintheSAPstartupprofilesaffecttheSAPR/3 databaseperformanceandactivities.
Risk Description

Monitoring the database's manifold controlling parameters is important to prevent a security breach.
Control Objective

The objective of this control is to monitor the database profile parameters on a regular basis, to update them according to SAP's most current recommendations, and to adjust them to match the current activities on the system. This control reports any inaccurate settings for the database profile parameters.

BCSCFSYS_100AC1
Control Description

Monitoring Developer Keys
Control Details

Control Type: Configuration
Process: System Configuration
Subprocess: System

Business Requirement

The developer key allows a registered user to make repairs on the SAP original objects and to create or modify the custom objects. Therefore, any individual can gain access to perform these activities in the production environment by obtaining the developer key.


Risk Description

Monitoring the developer keys in the SAP landscape and reviewing the list of individuals with the SAP Software Change Registration developer keys are important to prevent unwanted changes to the production environment.


Control Objective

The objective of this control is to restrict access to the production environment, and to ensure that changes to this environment are conducted via the SAP standard transport channel, not via access to developer keys. This control reports the following:

Any developer key in the production environment.
The users who have the ability to modify SAP objects or to create custom objects directly in the production environment.


BCTRNCFS_100AC1
Control Description

Monitoring System Settings
Control Details

Control Type: Configuration
Process: Transport Group
Subprocess: Configuration and Status

Business Requirement

Necessary customization of your system setup should be transported to the production client via the change and transport system. It is critical to define the objects which should not be modifiable in the production environment, such as the global settings and the business objects. The production environment should generally be protected from such changes.


Risk Description

Monitoring the system settings in your SAP production environment is important to prevent a security breach.
Control Objective

The objective of this control is to list the modifiable system settings with their deficiencies. This control reports the following:

Any modifiable system setting in the production environment.
The users who have the ability to modify such system settings.
