Understanding control management

Objective

After completing this lesson, you will be able to recognize control management functionality.

Control Management

Before creating a control, it is important to configure the control settings. The control settings tile serves as the main configuration hub for managing your control framework. It allows you to define how controls are structured, categorized, and evaluated within your organization. Through this tile, you can customize various control settings—such as categories, objectives, frequencies, and related attributes—to align with your specific business requirements.

User Group Settings
Assign designated user groups for key business roles such as Compliance Specialist and Compliance Manager. This helps establish clear responsibilities and access control aligned with compliance tasks.
Teams
Assign users to teams to group Control Owners and Manual Procedure Owners. This structure supports efficient delegation, ownership, and oversight of controls and manual procedures across the organization.
Field Settings
Configure standard fields (for example, Control Group, Risk Level, Monitoring Frequency) and add customized fields to reflect your organization’s control attributes.
Control Manager Assignments
Assign Control Managers to specific Control Groups (defined in Field Settings) to ensure accountability and consistent oversight.
Fiscal Year
Define your organization’s fiscal start and end dates to align control activities with financial reporting periods.
Non-Workday Settings
Specify non-working days (weekends, holidays, company closures) to ensure that reminders and deadlines are scheduled only on business days.
Email Notifications
Enable or customize automated email alerts to keep users informed of upcoming tasks and deadlines.
Limit of Procedure Run
Set a cap on the number of procedure executions per minute to manage system performance and prevent overload.

Now, let’s examine the layout and components of a control in SAP Risk and Assurance Management.

Two screenshots, one of the Manage Controls tile and one of a control titled Investigate Payment Data_2024, with procedures detailed further on.

The Manage Controls tile in SAP Risk and Assurance Management provides a centralized workspace for viewing, filtering, and managing your organization’s internal controls. When you open the tile, you are presented with a comprehensive overview of all existing controls, along with powerful filtering options that allow you to quickly narrow down controls by name, status, owner, risk level, or other attributes. Color-coded indicators for the latest run results allow for immediate visual assessment and faster decision-making.

Once a control is selected from the list, a deeper level of detail becomes accessible. The system presents a structured view of all components associated with that control. This view is essential for those who are responsible for maintaining control effectiveness, preparing for audits, or assessing risk exposure.

Besides linking master data and risks to your control, a control is built from automated and manual procedures. Let's describe what an automated procedure is: An automated procedure is a predefined compliance check that runs based on a set of rules or algorithms, such as SQL scripts. These procedures are directly connected to core systems like SAP ERP, SAP S/4HANA, or SAP S/4HANA Cloud Public Edition and execute automatically through OData services using defined parameters. This automation helps organizations move from reactive compliance efforts to proactive, continuous monitoring.

In contrast to an automated procedure, a manual procedure is used to perform control testing or control assessments when automation is not feasible or desired. These procedures guide users through structured evaluations to ensure controls are operating effectively and in compliance with policies and regulations. A manual procedure can be of the Steps or Survey type, and with the assurance activity selection you decide how the manual procedure should behave during test execution. The following assurance activities are selectable:

Control Performance
This involves performing control activities to ensure business process compliance. Procedures and work packages with this assurance activity type can be used to perform control activities both automatically and manually. This type uses the manual procedure type Steps.
Control Effectiveness Test
This assesses whether a control operates consistently and sufficiently to prevent or detect material misstatements. Procedures and work packages with this assurance activity type are used to test control effectiveness. This also uses the manual procedure type Steps.
Control Assessment
This involves testing or evaluating controls to determine how well they are implemented. This includes assessing the design of controls and self-assessments, often through surveys. Procedures and work packages with this assurance activity type use the manual procedure type Survey.

Let's go to the next video to see how a control is structured in SAP Risk and Assurance Management.

Business content for an automated procedure, displaying an overview of controls, automated procedures, and manual procedures.

Good to know: SAP Risk and Assurance Management provides predefined business content such as controls, automated procedures, and manual procedures. You can use these immediately within the system or adapt them as templates to define your own settings and values tailored to your organization’s needs.

One of the benefits is that there is no need to manually download this content. Once you successfully subscribe to the service, the business content is automatically delivered and integrated into your SAP Risk and Assurance Management system, ensuring you have access to the latest resources without extra effort.

For further information, please visit the SAP Help Portal: https://help.sap.com/docs/risk-and-assurance-management/business-content-risk-and-assurance-management/content-overview

Review the Control Period End Cut-Off Within the Manage Controls Tile