Knowledgebase  »  Volume 3 (2010)  »  Update 2

Reduce Costs for Compliance by Implementing a Risk-Based Internal Control Solution

by Frank Rambo, Director, Regional Implementation Group (RIG) EMEA, SAP GRC (February 2010)

Costs for compliance and fraud prevention have risen significantly in recent years, and given the current economic situation we are likely to have to manage even more regulations in the future, driving costs up further. Companies need efficiency in the GRC space to realize the true benefits of compliance. One means of more efficient compliance is an integrated solution called Risk-Based Internal Control, which helps ensure continuous compliance with regulatory requirements and company policies, including government mandates, industry standards, and internal policies.

Categories: Compliance, Internal Controls, SAP BusinessObjects Access Control (former Virsa tools), SAP BusinessObjects Process Control, SAP BusinessObjects Risk Management

External and Internal Controls

Key Concept
The integrated solution Risk-Based Internal Control (RBIC) consists of three software products: SAP BusinessObjects Process Control 3.0, SAP BusinessObjects Risk Management 3.0, and SAP BusinessObjects Access Control 5.3. SAP BusinessObjects Process Control is the cornerstone of RBIC. Its current 3.0 release is tightly integrated with SAP BusinessObjects Risk Management 3.0, both in its technical architecture and in its data model. An integration scenario with SAP BusinessObjects Access Control 5.3 allows segregation of duties analysis to be included in the internal control testing framework of the RBIC solution. However, many key features of RBIC already come with SAP BusinessObjects Process Control and can be operated standalone.

A Risk-Based Internal Control (RBIC) process allows you to integrate the functionality of SAP BusinessObjects Process Control 3.0, SAP BusinessObjects Risk Management 3.0, and SAP BusinessObjects Access Control 5.3. In doing so, you streamline the management of risk and compliance. The solution provides the following benefits:

  • The master data catalog is shared across multiple compliance initiatives and allows for centralized management of relevant master data such as organizational hierarchies, processes, subprocesses, controls, control objectives, risks, and account groups.
  • Master data change requests provide a formal change request and approval workflow for master data changes, where required.
  • The multi-compliance framework (MCF) supports parallel management of multiple compliance initiatives such as Sarbanes-Oxley, Japan’s version of Sarbanes-Oxley (J-SOX), and FDA drug regulations. This is a key requirement for companies subject to multiple regulations from various countries, regulatory areas, or internal policies.
  • Support of operational compliance initiatives, including standardized company-wide FDA compliance processes such as corrective action and preventive action (CAPA) workflows for best-practice issue remediation.
  • Support of top-down, risk-based scoping according to Auditing Standard No. 5 of the Public Company Accounting Oversight Board (PCAOB). This recognized methodology narrows down the number of controls in scope for testing based on a materiality and risk analysis, which keeps the costs of control testing in check.
  • The automated rules framework (ARF) enables automated testing based on customer-configured rules or pre-delivered rule content for all core business processes such as financial reporting, order-to-cash, and procure-to-pay. The ARF ensures flexibility and a high degree of automation for internal control testing.
  • Integration of SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management: A user in SAP BusinessObjects Risk Management can propose a new control or assign an existing control as a risk response, while the completeness and effectiveness of the risk response are evaluated and updated by SAP BusinessObjects Process Control.
  • Support of manual control testing, including offline test plans with the SAP Interactive Forms software by Adobe. Testers can work on their test plans in remote locations without system connectivity and later upload them into the system.
  • Flexible tabular and graphical reporting and analytics based on Crystal Reports and Xcelsius dashboards supporting drill-down analysis. Users can develop additional reports within the license limitations.
  • Aggregation of Deficiencies (AoD) provides executive management with improved visibility and awareness of control deficiencies and their deficiency levels. It provides higher assurance over the integrity of the compliance program by focusing on improving the controls with the highest deficiency levels.
  • Automated generation of datasheets, which provide auditors with a summary book in PDF format of all assessments and tests for a given period, to accelerate audits.

The RBIC process consists of three main phases (Figure 1):


Copyright © 2010 Wellesley Information Services. All rights reserved.