In this article we review the concepts of Business Process, Risk and Control, and describe some best practices for defining Mitigating Controls.
Each Company has its own Business Processes, but from a high-level perspective most of them are similar regardless of the Company's activities. As an example, we can use the Purchase to Pay (P2P) process. The picture below shows a simple P2P process: it starts with the Purchase Requisition activities, then moves to the Purchase Order activities; after that we receive the Delivery Note for the goods we acquired and, on the other side, the Invoice from the Vendor; finally we execute the payment for the goods received from the Vendor.
Furthermore, based on the previous image we can see that if one person holds all of those activities, it is a High Risk for the Company. However, a person holding just two activities that sit next to each other in the process is also a Risk for the Company, for example:
- Purchase Requisition vs PR Approval.
- Invoice Receipt and Execute Payment.
Because of that, Risks are easy to identify once the Business Process has been defined.
The Definition of Risk could be:
- Effect of uncertainty on objectives
- (Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility
- Combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
On the other hand, there are two types of Risk in SAP:
- Segregation of Duties Risk (SoD): a person needs two or more activities to create a Risk within the Organization. As an example, the ability to both register an Invoice and Execute the Payment is a Segregation of Duties Risk.
- Critical Action Risk: a person needs only one activity to create a Risk within the Organization. As an example, the activity Open Closed Financial Period is a Critical Action.
Once we know the meaning behind the Risk concept, we can move forward and look at the Financial Risks inside the SAP Risk Matrix. The SAP Matrix covers different Business Processes, and the one most related to pure Finance activities is called "Finance" Risks. In this article we focus on the pure Finance Risks, but we will also cover some Cross Process Risks.
The Risks marked with a full circle are pure Finance Risks, and the ones marked with a dotted circle are Cross Process Risks (where one activity of the Risk belongs to Finance and the other may belong to another Process). As an example, we can use the following SoD Risk to understand a Cross Process Risk:
- M013 – Clear Inventory Differences (Material Management Process) & Post Journal Entry (Finance Process)
The following activities are the ones we classify as pure Finance activities:
There are different Risk Responses that can be applied to a Risk:
- Avoid: Eliminate Cause of Risk.
- Mitigate: Reduce Probability or Impact of Risk.
- Accept: Contingency Plans for Risks.
- Transfer: Have Third party take on responsibility for risk.
The main Risk Response we focus on in this article is Mitigation. Based on the definition above, to mitigate a Risk we need to define an activity that reduces its probability or impact, and we use the concept of a Mitigating Control for that. There are two types of Mitigating Control:
- Preventive: Designed to be implemented before a threat event occurs.
- Detective: Designed to find errors after the activity has been executed.
As a simple illustration, the lock on a door is a preventive control that stops outsiders from entering your home, and the security alarm is the detective control that fires when an unauthorized person has entered your home.
Risk Mitigation Strategy
Once we understand the meaning and the different types of Mitigating Controls, we can move forward and describe a strategy to mitigate the 32 SoD Finance Risks that exist inside the SAP Risk Matrix.
Below we detail two examples, one for SoD Risk F001 and the other for F019.
The SoD Risk F001 description says "Maintain fictitious GL account & hide activity via postings". From that we can see that the functions generating this Risk are:
- Maintain GL Account
- GL Postings
Once we understand the activities behind the Risk, we need to focus on each of them independently.
Maintain GL Account: This activity can be controlled by the following Mitigating Controls:
- Each creation of a GL Account needs to be approved based on the Schedule of Authorities.
- On a Quarterly basis, all GL Accounts created during the period are reviewed based on the Schedule of Authorities.
GL Posting: This activity can be controlled by the following Mitigating Controls:
- Each Manual Posting that will be included in the P&L Balance needs to go through a Workflow to be approved based on the Schedule of Authorities.
- On a Monthly basis, all Manual Postings created during the period are reviewed based on the Schedule of Authorities.
The SoD Risk F019 description says "Open closed periods and post payments after month end". From that we can see that the functions behind this Risk are:
- Maintain GL Periods
- AP Payment
Maintain GL Period: This activity can be controlled by the following Mitigating Controls:
- Any request to open a previously closed GL period needs to be approved based on the Schedule of Authorities.
- Once the activity is performed, all changes made must be sent to the corresponding approver based on the Schedule of Authorities.
AP Payment: This activity can be controlled by the following Mitigating Controls:
- Each AP Payment must reference a Vendor Invoice that includes the Approved Purchase Order Number.
- Urgent Payments need to be approved based on the Schedule of Authorities.
- Each AP Payment needs an authorized payment proposal.
It is important to review each activity and understand its specific controls. Using this best practice, we were able to expand a Customer's Risk and Access Control Matrix from a total of 548 Control Assignments (users assigned to a mitigating control) to a total of 1,049. So, when you are defining Mitigating Controls it is really important to understand the activities behind each SoD Risk and to review them individually in order to find the most relevant Mitigating Controls.
Finally, focusing only on the 32 SoD Finance Risks that appear inside the SAP Matrix: if you are able to mitigate 3 activities, "GL Posting", "Maintain GL Period" and "Assets Master Maintenance", you will mitigate 60% of the Finance SoD Risks.
- Documenting all your Business Processes will help you understand most of your Organization's SoD Risks.
- Identify the activities behind each SoD Risk.
- Map the activities to the controls individually.
- Do not worry if you do not have Mitigating Controls for all the activities; once you map the controls to the SoD Risks you will find out which Risks have no Mitigating Control assigned.
- Prioritize Preventive Controls over Detective Controls: even if implementing a Preventive Control may cost more, the effort of running a preventive control is usually lower than that of a Detective Control.
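The F001/F019 walk-through above and the closing checklist describe one procedure: split each SoD Risk into its activities, attach Mitigating Controls to activities rather than to whole Risks, then find the Risks that are left uncovered and decide which activities are worth controlling first. The script below is an added example written for this article; it is not the author's code and not part of SAP GRC Access Control. Risks F001 and F019 and their activities are taken from the article, while every other risk id (FX01..FX03), control id (MC-*), user and activity set is constructed for illustration, so the coverage percentage it prints applies to this toy matrix, not to the 32 real Finance Risks.

```python
"""Toy SoD risk / mitigating-control analyzer (added example, not the
author's code and not part of SAP GRC).  F001 and F019 come from the
article; all other ids, users and controls are constructed."""

# Risk matrix: risk id -> (description, activities that together form the risk).
# A single-activity entry models a Critical Action risk (the article's second type).
RISK_MATRIX = {
    "F001": ("Maintain fictitious GL account & hide activity via postings",
             frozenset({"Maintain GL Account", "GL Posting"})),
    "F019": ("Open closed periods and post payments after month end",
             frozenset({"Maintain GL Period", "AP Payment"})),
    # Constructed entries (not real SAP risk ids):
    "FX01": ("Open closed period & post journal entry",
             frozenset({"Maintain GL Period", "GL Posting"})),
    "FX02": ("Maintain asset master & retire asset",
             frozenset({"Assets Master Maintenance", "Asset Retirement"})),
    "FX03": ("Critical action: open closed financial period",
             frozenset({"Maintain GL Period"})),
}

# Mitigating controls mapped per ACTIVITY, as the article recommends.
# Control ids are constructed; the wording follows the article's examples.
CONTROLS = {
    "Maintain GL Account": [
        ("MC-GLA-01", "preventive", "GL account creation approved per Schedule of Authorities"),
        ("MC-GLA-02", "detective", "quarterly review of GL accounts created"),
    ],
    "GL Posting": [
        ("MC-GLP-01", "preventive", "manual P&L postings approved via workflow"),
        ("MC-GLP-02", "detective", "monthly review of manual postings"),
    ],
    "Maintain GL Period": [
        ("MC-PER-01", "preventive", "reopening a closed period approved per Schedule of Authorities"),
        ("MC-PER-02", "detective", "changes sent to the approver after execution"),
    ],
    "AP Payment": [
        ("MC-AP-01", "preventive", "payment references an invoice with approved PO number"),
        ("MC-AP-02", "preventive", "authorized payment proposal required"),
    ],
    # "Assets Master Maintenance" and "Asset Retirement" deliberately have no
    # control assigned, so the gap report has something to find.
}

# Constructed user-to-activity assignments (what a role/authorization extract
# would boil down to after mapping transactions to activities).
USERS = {
    "alice": {"Maintain GL Account", "GL Posting"},
    "bob": {"Maintain GL Period", "AP Payment", "Assets Master Maintenance",
            "Asset Retirement", "GL Posting"},
    "carol": {"AP Payment"},
}


def risks_for(activities, matrix=RISK_MATRIX):
    """Risk ids a user triggers: every activity of the risk is held by the user."""
    return sorted(r for r, (_, acts) in matrix.items() if acts <= set(activities))


def risk_status(risk_id, matrix=RISK_MATRIX, controls=CONTROLS):
    """'mitigated' if every activity of the risk has a control, 'partial' if
    only some do, 'unmitigated' if none does."""
    acts = matrix[risk_id][1]
    covered = [a for a in acts if controls.get(a)]
    if len(covered) == len(acts):
        return "mitigated"
    return "partial" if covered else "unmitigated"


def preventive_first(activity, controls=CONTROLS):
    """Controls for an activity, preventive ones first (the article's last tip)."""
    return sorted(controls.get(activity, []), key=lambda c: c[1] != "preventive")


def gap_report(users=USERS, matrix=RISK_MATRIX, controls=CONTROLS):
    """user -> {risk id -> status} for every risk the user's activities trigger."""
    return {u: {r: risk_status(r, matrix, controls) for r in risks_for(acts, matrix)}
            for u, acts in users.items()}


def prioritize_activities(k, matrix=RISK_MATRIX):
    """Greedy set cover: which k activities, if controlled, touch the most risks.
    Returns (chosen activities, fraction of risks touched).  Ties go to the
    alphabetically first activity so the result is deterministic."""
    remaining = set(matrix)
    activities = sorted({a for _, acts in matrix.values() for a in acts})
    chosen = []
    for _ in range(k):
        best, best_gain = None, set()
        for act in activities:
            gain = {r for r in remaining if act in matrix[r][1]}
            if len(gain) > len(best_gain):
                best, best_gain = act, gain
        if best is None:
            break
        chosen.append(best)
        remaining -= best_gain
    return chosen, 1 - len(remaining) / len(matrix)


if __name__ == "__main__":
    for user, risks in gap_report().items():
        print(user, risks)
    print(prioritize_activities(3))
```

Running it lists, per user, each triggered Risk with its status (bob's constructed FX02 shows up as unmitigated because neither asset activity has a control), and `prioritize_activities(k)` reproduces the article's "mitigate a few activities, cover many Risks" reasoning as a greedy set cover over the matrix: in this toy data, controlling "Maintain GL Period" alone already touches three of the five Risks.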