Impact 20: How to Implement High-Impact CCM Rohan Bhatia

Using SAP S/4HANA Data Protiviti

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2018 Wellesley Information Services. All rights reserved.
In This Session

• Walk through detailed configuration steps to select and implement high-impact

continuous controls monitoring (CCMs) in SAP Process Control. Learn how to leverage
SAP S/4HANA to run SAP Process Control more efficiently and effectively.

• Attend this session to:

 Learn the full breadth of functionality available through CCMs in SAP Process Control

 Understand the variables and decision points to consider when selecting CCMs to
monitor SAP S/4HANA data

1
What We’ll Cover

• What are Continuous Control Monitors (CCMs)?

• Example of a CCM Using Transactional Data
• Impact of SAP S/4HANA on CCMs
• Wrap-up

2
 What are Continuous Control
 Monitors (CCMs)?

3
What Are Continuous Controls Monitors (CCMs)?

• A Continuous Control Monitor (CCM) is an automated

business rule which can be configured with SAP GRC’s
Process Control module. It is valuable to business users
who are required to perform or test controls, whether for
compliance or monitoring business performance.
• CCMs are exception-based, automated, and review specific
configuration settings or data based on deficiency
parameters that are setup within the logic of the CCM.
• CCM alerts notify users when specific events have occurred
in the monitored system that require their attention. The
notification and workflow process is similar to that of SAP
GRC Access Control’s EAM and ARM modules.

4
What Are Continuous Controls Monitors (CCMs)? (cont.)

Business Rule
Identify Criteria
• Identify deficiency
criteria to be
Create ERP Connection evaluated for Monitor Controls
effectiveness, with
• Create connection to ability to assign risk • Assign deficiency
the ERP system (e.g., ratings criteria to the
SAP S/4HANA) to automated control to
allow for the initiate continuous
extraction of data monitoring of controls

Data Source CCM

5
What Are Continuous Controls Monitors (CCMs)? (cont.)
Automated Control Monitoring process:
• No issues created if data is within deficiency parameters
• Automated identification and creation of control issues
• Remediation of open issues

System performs
Exception? No Done
control monitoring

Yes No- Void Issue

System creates and Submit
Issue owner reviews
issue(s) and routes Valid Issue?
issue for validity
to the issue owner
Yes Done
Control Tester
Issue owner assigns Plan owner creates, Issue owner reviews
Issue Owner
remediation plan executes, and remediation activities
owner and submits completes the plan and closes issue Remediation Owner

6
 Example of a CCM Using
 Transactional Data

7
Example of a CCM Using Transactional Data
Accounting documents may be fraudulently posted to previously closed periods and go
Record-to-Report Risk
undetected.

Record-to-Report Control The GL/FA transactional system is configured to prevent posting to previous periods.

Record-to-Report Control
The accounting team mistakenly posts a journal entry to a previously closed period.
Issue

CCM: SAP ECC transactional data is automatically and

continuously monitored to ensure process owners are notified if an
accounting document is back-posted beyond a set threshold.

Accounting team is automatically Business Rule: SAP PC is configured to review the all accounting
notified of the Record-to-Report document transaction and determine the difference between
control exception posting date and document entry date.

Data Source: SAP PC extracts the SAP ECC configurable data

from the BKPF (Accounting Document Header) table.

8
Example of a CCM Using Transactional Data (cont.)

9
Example of a CCM Using Transactional Data (cont.)

10
Example of a CCM Using Transactional Data (cont.)

11
 Impact of SAP S/4HANA on CCMs

12
Impact of SAP S/4HANA on CCMs
When evaluating the impact of S/4HANA on your control environment, consider the following:
ERP functionality in S/4HANA includes over New tables such as ACDOCA (universal journal)
1 400M lines of reengineered ABAP code. 3 have been added in S/4HANA.

Automated control points from previous A sample of key S/4HANA functionality changes
2 versions have been altered or eliminated. 4 are listed below.

What Has Changed? – High Impact Examples

ECC S/4HANA Impact of Functionality Changes
Business Partner functionality (BP) is now capable of centrally
Vendors and Customers Business Partners managing master data for business partners, customers, and vendors
allowing a single point of entry for create, edit, and display.

Credit Management in S/4 SCM (Supply Chain) is replacing legacy FI

Credit Checking in FI
Reconciliation between FI and CO Ledgers
Asset Accounting
Integrated Credit Management in SCM
Universal Journal
New Asset Accounting
credit checking functionality, which takes credit management out of core
ERP modules and relies on configuration in SCM.
SAP has introduced the Universal Journal that brings data from GL, AA,
CO, MM into one journal. There is no longer a need for FI & CO
reconciliation and/or settlement of cost elements. This is made possible
via the ACDOCA table in S/4HANA.
New Asset Accounting is available in S/4HANA allowing parallel
valuation of assets using both the ledger approach and the accounts
approach.

13
Impact of SAP S/4HANA on CCMs (cont.)

ACDOCA table combines data fields from various components.

14
Impact of SAP S/4HANA on CCMs (cont.)

ACDOCA table combines data fields from various components.

15
Impact of SAP S/4HANA on CCMs (cont.)
Suggested
S/4HANA
Control Type Control S/4 Configuration IMG Path
Control Description
Frequency

IMG / Cross-Application Components / Master

S/4 can be configured to automatically
Data Synchronization / Customer/Vendor
sync customer to business partner master Automatic Pervasive
Integration / Business Partner Settings/ Settings
data.
for Customer Integration

S/4 can be setup to automatically perform

revenue account determination based on
certain master data field settings in either
the material master or the customer
master
IMG / Sales and Distribution / Basic Functions /
Account Assignment and Costing / Revenue
Automatic Pervasive
Account Determination / Define Dependencies of
Revenue Account Determination

Define credit rating procedure used to

process external credit information for IMG / Financial Supply Chain Management /
your business partners. You can use all of Automatic Pervasive Credit Risk Monitoring / Master Data / Define
the ratings available for a business Rating Procedure
partner to calculate the score.

16
Impact of SAP S/4HANA on CCMs (cont.)
• With release 10.1, GRC Process Control supports monitoring data in HANA databases.
This allows customers to process large data volumes rarely possible for other
database systems.
• SAP HANA is an ABAP application running on NetWeaver®, however, the HANA
database provides an alternate means of monitoring the data using HANA Views. Views
in HANA Studio enable users to monitor HANA data using queries. There are three
different types of HANA Views:
 Attribute – establishes the relational connections between backend tables providing
results to users in a meaningful form.
 Analytic – uses HANA’s processing power to perform complex calculations and
aggregate functions quickly.
 Script-Based Calculation – are very similar to Analytic views, but are more
specialized and confined.
• Once custom views have been created, they can be leveraged in Process Control as an
alternative to the traditional “Configurable” sub-scenario within a Business Rule. The
new sub-scenario type is simply called “HANA.”

17
Impact of SAP S/4HANA on CCMs (cont.)

18
Impact of SAP S/4HANA on CCMs (cont.)

Create data source using the

“HANA” sub-scenario in PC 10.1

19
Impact of SAP S/4HANA on CCMs (cont.)
• Similar to having ECC run on a HANA database, the GRC platform can also run on
HANA. The main advantage to running SAP Process Control on HANA is to provide
users with faster processing speeds for large volumes of data.
• For this type of use, users would use the “Configurable” sub-scenario since HANA
Views are not being used by the CCM (which would require use of the “HANA”
sub-scenario as shown on the previous slides). It is important to note that even
with HANA, the normal functionality of PC 10.1 is still available for use (e.g., the
“Configurable” sub-scenario).
• An example of a CCM scenario that would vastly improve using a HANA DB is
checking for duplicate invoices. A CCM that is designed to check for duplicate
invoices not only needs to process a large amount of data, it also required strong
computational speeds to perform the recursive logic of such a scenario (via a
BRF+ rule). This would take a very long time to run using a regular database, but
would run in a fraction of the time when powered by HANA.

20
Impact of SAP S/4HANA on CCMs (cont.)

21
 Wrap-up

22
Where to Find More Information

• Atul Sudhalkar, “SAP Process Control 10.1 Monitoring HANA-Based Applications” (SAP SE,
May 2015).
 https://help.sap.com/doc/1098d94172b24a02bd9466f955f927c7/10.1.16/en-
US/Monitoring%20HANA%20Based%20Applications_v1.5.pdf
• CCM on SAP HANA Setting
 https://websmp205.sap-
ag.de/~sapidp/012002523100007533692015E/Library/FactSheets/GAJ_PC101_EN_XX.htm
• Rahul Urs, “Automating SAP Process Controls: Goodbye Manual Controls” (itelligence, June
2016).
 https://itelligencegroup.com/us/local-blog/automating-sap-process-controls/

• Asokkumar Christian, D. Rajen Iyer, and Atul Sudhalkar, Continuous Controls Monitoring with
SAP GRC (SAP PRESS, 2015).
 www.sap-press.com/continuous-controls-monitoring-with-sap-grc_4021/

23
 Key Points to Take Home

 Advantages of monitoring ECC or S/4 data on a HANA database

• Use HANA views to prep data to be monitor by PC

• Use the new “HANA” sub-scenario when creating a PC Data Source

• Main benefit is the ability to perform complex querying logic as part of a

CCM, which allows for additional monitoring capabilities
 Running PC on a HANA database
• Use the standard “Configurable” sub-scenario when creating a PC Data
Source
• Main benefit is the ability to process CCMs with large volumes of
transactional data (e.g., for duplicate invoice checking) at much higher
speeds that would be possible with a normal database

24
Your Turn!

Rohan Bhatia
Thank You
Any Questions?

rohan.bhatia@protiviti.com 
Please remember to complete
@protiviti t your session evaluation

25
Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

26
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2018 Wellesley Information Services. All rights reserved.