One of our company’s greatest success stories in the SAP© GRC area has been the implementation of a Process Control project. This project focused on the implementation of all the Assessment flows that are available in SAP© GRC Process Control.
Founded in 1979 and with a 2020 revenue volume of 3.2B USD and more than 22,000 employees, Nemak is a Mexican multinational company specialized in the production of highly complex aluminum components for the automotive industry, such as cylinder heads, engine blocks, transmission parts and other structural components.
The difficulty of the project was on the one hand to identify the Internal Control processes that could be automated in the Process Control tool, and on the other hand to update all the information related to these processes in the tool.
The automation itself was easily achievable, since the Process Control tool already had that functionality built in. The key was, on the one hand, to adapt the current process to the technology available in GRC and, on the other hand, to carry out proper change management for all the stakeholders working in the process.
The project was divided into 3 Phases where the first 2 were related to the “Assessments” functionality provided by SAP© GRC Process Control, and later a small Phase 3 was completed to understand the possibilities of the Continuous Control Monitoring module in Nemak.
First we identified the processes that would be part of the scope of the project, and then prioritized each of them according to their criticality, based on the Internal Control perspective. In this way we were clear about the automation priority of each process:
Internal Control Questionnaire (Subprocess Design Assessment)
During the project, a set of questions related to the internal control process was defined to be answered by the Finance Manager. Once the file is completed, it is forwarded to the Plant Manager for review. At this stage the Plant Manager cannot modify the information entered by the Finance Manager and, in case of disagreement, rejects the request so that it goes back to the Finance Manager for review.
This process is critical for the Sarbanes-Oxley (SOX) regulation, and automating it in SAP© GRC Process Control was therefore a necessity and a priority. The process starts when Corporate Audit schedules it, and it is received by the different owners of existing controls in the Nemak organization. They answer a defined questionnaire and, if they register any incident in the process, a deficiency is generated that uses the Issue Management Standard Workflow.
Test of Effectiveness
This flow is a little more complex since it is necessary to include the “Test Plan” of each Control so that it can be executed by the operator.
In the case of Nemak, and in order to increase the ROI of this process, the implementation was divided into two Phases: the first focused on the Critical Controls, and the second integrated the rest of the Controls into SAP© GRC Process Control. The flow itself is simple; the key lies in preparing the Manual Tests so that the “Control Tester” can complete the process without difficulties.
Control Design Assessment
This flow was implemented additionally because it was included in the functionalities available in Process Control. It is a simple flow in which a series of questions are sent to the Control Owner and if any incident is registered it follows the Standard Issue Management Workflow.
All communications made through the Assessments module used the “Interactive Adobe Forms” functionality, which made execution easier for the users and reduced the effort for the approvers, because it did not require them to enter the SAP© GRC system.
Continuous Control Monitoring
The project was mainly oriented to the implementation of the Process Control Assessment functionality. However, we also explored the options offered by the Continuous Control Monitoring (CCM) module and the advantages it had for Nemak. We started by generating a couple of Automatic Controls related to the Purchasing Process at Nemak. The results were very interesting, and from then on we have continued with the implementation of Automatic Controls.
The implementation of SAP© GRC allowed Nemak not only to automate the Internal Control Processes, but also to reduce the efforts dedicated by the Internal Control team to these processes:
- The Internal Control Questionnaire and Self Assessment processes were handled through Excel files. About 100 Excel files were obtained for each Self Assessment process, and having a tool that allowed not only the launching of the process, but also the generation of the files for each Control Owner and then the collection of all the responses, greatly simplified the management of the process by the Internal Control Team.
- In the Internal Control Questionnaire process, the key was obtaining the signature from the Plant Manager and Process Control, in order to have not only the evidence of confirmation, but also monitoring of how the process was progressing, which was not previously available.
Additionally, the use of “Interactive Adobe Forms” and the Customization of Notifications allowed the approvers to have clear instructions on the activities they had to perform in each process. Training manuals were attached to the notifications to support people who had to execute the process for the first time.
Finally, exploring the possibilities of Continuous Control Monitoring was the first step in the automation of Controls at Nemak, which subsequently increased over the years.