Learn SAP from the Experts | The SAP PRESS Blog

Introduction to Continuous Control Monitoring in SAP

Written by SAP PRESS | Jul 10, 2024 1:00:00 PM

Continuous control monitoring (CCM) stands as a key feature within SAP Process Control.

It’s designed to automate the evaluation of control effectiveness: the system retrieves data from the target system and analyzes it based on defined logic to identify potential deviations from the control’s intended objectives. These identified deviations are then reported as deficiencies to the control owner, referred to as the issue owner, who is responsible for taking the necessary corrective actions.

To use this feature, the GRC plug-in (GRCPINW) component must be installed on the backend system where the relevant data resides.

The standard or conventional process of testing controls in a manual environment relies on the internal audit or controls team. The typical challenges associated with this manual process are as follows:

  • The internal audit or controls team is required to collect business information through interviews and walkthrough sessions with process owners. This is a time-consuming activity, and involving key process owners in these interviews or discussions can be quite challenging.
  • Data analysis is performed manually using various tools such as Microsoft Excel VLOOKUP and validations. This not only demands significant manual effort to test the complete set of controls but also opens up the possibility of human errors.
  • To manage the workload, control testing is scheduled on a quarterly, semiannual, or annual basis depending on the volume of controls that need to be examined.
  • Control testing results are based on the samples selected by the testers, rather than testing the entire population. This is due to the difficulties in analyzing the entire dataset, considering the high volumes of transactions that organizations deal with.

The CCM functionality within SAP Process Control is the answer! CCM serves as a vigilant watchdog, continuously monitoring system data and alerting issue owners in near real time when deviations are detected. This approach facilitates the timely resolution of issues, eliminating the need to wait until the quarterly or yearly assessments by internal control or audit teams. CCM can be configured to run at different intervals, whether on an hourly, daily, weekly, monthly, quarterly, or yearly basis, depending on the control’s criticality. Moreover, CCM evaluates 100% of the population, ensuring completeness and accuracy in the testing process and providing comprehensive assurance.

CCM can monitor system data (including the changes using Remote Function Calls [RFCs]), as highlighted in this table.

The figure below provides an overview of how the CCM functionality fetches the data and reports issues to the issue owners.

With CCM, issue owners no longer need to wait for internal control/audit teams to report or highlight an issue. CCM continuously monitors the controls and triggers emails to the owners for issue resolution. Here are several key benefits that organizations can achieve by using the CCM functionality:

  • Exception-based monitoring: CCM jobs can be set to run at regular intervals. The GRC team has the capability to schedule controls for an extended duration such as one to two years, and the system automates all the remaining tasks. Issue owners will receive notifications automatically when an exception is detected. If no exceptions are found during a job run, the system won’t generate any notifications.
  • 100% population: Testing is conducted across the entire population rather than relying on sample testing, providing a comprehensive view of the control’s operational effectiveness within the organization.
  • Find problems faster and easier: Critical or key controls can be scheduled to run more frequently, such as daily or hourly. This allows for near real-time notifications of any process deviations, enabling faster issue resolution without significantly increasing the risk of control failure.
  • Workflow driven: Based on the workflow configurations, issues are routed to the control owner, who can either fix the issue directly or create a remediation plan for the responsible person to fix it. All stages of issue remediation are workflow driven, and evidence of issue fixes is available as an audit trail that audit teams can review at the end of the year to check the effectiveness of the control.
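
The difference between sampled testing and a full-population, exception-based run, shown as an added example (not SAP Process Control code and not from the book). The payment record layout, the 10,000 approval limit, the control rule, the issue owner address, and all data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

THRESHOLD = 10_000  # assumed approval limit, not an SAP default

@dataclass(frozen=True)
class Payment:  # hypothetical record layout for this example
    doc_id: str
    amount: int
    created_by: str
    approved_by: Optional[str]

def is_deviation(p):
    """Control logic: high-value payments need an approver other than the creator."""
    return p.amount >= THRESHOLD and p.approved_by in (None, p.created_by)

def evaluate(records):
    """Return the document IDs that violate the control in the given records."""
    return [p.doc_id for p in records if is_deviation(p)]

def run_job(records, issue_owner):
    """Exception-based run: build a notification only if deficiencies exist."""
    found = evaluate(records)
    if not found:
        return None  # nothing to report, so nobody is notified
    return {"to": issue_owner, "deficiencies": found}

def build_population():
    """Constructed data: 200 payments, three of which violate the control."""
    rows = [Payment(f"DOC{i:04d}", 500 + 10 * i, "clerk1", "manager1")
            for i in range(200)]
    rows[37] = Payment("DOC0037", 25_000, "clerk1", "clerk1")    # self-approved
    rows[50] = Payment("DOC0050", 40_000, "clerk1", "manager1")  # compliant
    rows[118] = Payment("DOC0118", 12_000, "clerk2", None)       # never approved
    rows[163] = Payment("DOC0163", 10_000, "clerk1", "clerk1")   # exactly at the limit
    return rows

if __name__ == "__main__":
    population = build_population()
    sample = population[::20]  # manual-style test of every 20th document
    print("sample of", len(sample), "finds", evaluate(sample))
    print("full population finds", evaluate(population))
    print("notification:", run_job(population, "issue.owner@example.com"))
    print("clean run:", run_job(sample, "issue.owner@example.com"))
```

The ten-document sample reports a clean control while the full run surfaces all three deviations, including the payment that sits exactly on the limit.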

Editor’s note: This post has been adapted from a section of the book SAP Process Control: The Comprehensive Guide by Raghu Boddu and Ramakrishna Chaitanya.