Exploring Surveys and Assessments

Objectives

After completing this lesson, you will be able to:
  • Understand user-definable surveys
  • Describe the different types of available control assessments
  • Explain the significance of assessment in compliance

User-Definable Surveys

Overview of SAP Process Control Key Capabilities, highlighted: the Evaluate Phase.

The "Evaluate" phase in SAP Process Control is pivotal in the control management lifecycle, focusing on assessing control effectiveness and performance. Organizations continuously review control testing outcomes to ensure compliance with policies, regulations, and standards. By analyzing test results against predefined criteria, they identify issues or deficiencies, providing insights for informed decision-making, remediation efforts, and continuous improvement initiatives to strengthen governance, risk management, and compliance practices.

Implementing issue management enhances SAP Process Control by establishing a centralized repository for tracking and managing issues, enhancing transparency, and streamlining compliance efforts without requiring separate documentation tools. Upon issue submission, a remediation workflow is triggered, and a Remediation Plan is sent to the Issue Owner for processing. SAP Process Control includes an audit trail capturing all issue-related field changes with date/time stamps, ensuring transparent issue resolution actions.

This graphic shows the overall assessment workflow.

An assessment is a survey-based evaluation in which work items are sent to designated agents through an automated workflow. These surveys consist of questions developed by the organization and stored in the central Question Library, which you already know from the previous unit, "Identifying the Key Capability: Plan".

The recipients of the workflow tasks depend on the type of assessment and the context of the activity. Examples of recipients may include Internal Control Managers, Auditor Managers, Process Owners, and Control Owners.

The assessment workflow work item includes the survey questions and serves as a comprehensive record of the assessment activity, including all responses, comments, and issues. It also provides access to relevant object details, such as Control Details, regulations, account groups, and risks. The assessment workflow is integrated with Issue Management and Remediation Management, allowing Process Control to require documentation of any identified issues during the assessment.

Standard Process Control surveys serve various purposes, such as assessing the appropriateness of internal controls and subprocesses in terms of their design and effectiveness. They can also assess higher-level, company-wide, or pervasive controls.

SAP Process Control follows best practices and supports multiple levels of review and approval if necessary. The graphic shows the complete assessment survey cycle, which includes optional steps:

  1. Assessment
  2. Assessment-Level Validation (optional)
  3. Issue Processing (optional)
  4. Remediation Plan Processing (optional)
  5. Issue-Level Validation (optional)
  6. Re-Assessment (optional)

These optional steps can be customized and adjusted to the company's needs. Survey results and feedback are tracked using standard reports within the system.

Let's look in more detail at the following types of assessments: Self-Assessment, Control Design Assessment, and Test of Effectiveness.

Deep Dive Into Three of the Various Assessments

This graphic displays the three most common assessments in SAP Process Control.

In "Identifying the Key Capability: Plan," we discussed various workflow types such as planner-based, event-based, and scheduler-based workflows, along with the roles of surveys and questions within these workflows.

In this unit, we will delve deeper into three different types of assessments and explore their workflow structures, scopes, and significance in the context of internal control.

Self-Assessment

Self-Assessment is conducted periodically by control owners to evaluate their own control. It is used as a way to monitor controls and to identify and remediate issues before a formal test of effectiveness is performed. The self-assessment is performed through the survey functionality, which involves sending questionnaires to control owners.

Control Design Assessment

Control Design Assessment ensures that controls are effectively designed, aligned with organizational goals, and compliant with regulations, aiming to mitigate risks and maintain a robust control environment.

The control design assessment is also performed through the survey functionality. The purpose of these questionnaires is to gather specific information and insights about the design effectiveness of the controls.

The workflow is the same for the self-assessment and the control design assessment. The control owner performs the assessment, and the subprocess owner is responsible for the review. After the internal control manager activates the assessment in the planner, the control owner receives the workflow and needs to rate the operating effectiveness of the control as either Adequate or Deficient/Significantly Deficient (self-assessment) or the design effectiveness as either Adequate or Deficient/Significantly Deficient (control design assessment).

For a failed assessment, the control owner must report an issue, which will be part of Lesson 3 (Issue & Remediation).

When the assessment is finished, the reviewer receives his task in the work inbox. The reviewer can either approve or reject the assessment result after looking at the answers provided to the questionnaire, attachments uploaded, and the issue details for a failed control.

Test of Effectiveness

While Control Design Assessment and Control Self-Assessment assess control design and operational effectiveness, Control Test of Effectiveness focuses on validating the optimal functionality of internal controls. Conducted by independent parties such as internal or external auditors, this assessment involves periodic operating effectiveness tests to ensure controls are effective at a specific point in time.

The Control Test of Effectiveness will be explained in detail in the next lesson.

Workflow of Control Design Assessment

A six-step process workflow of control design assessment. The process is visually represented with a series of connected steps, each assigned a different color (orange for planning, perform, and monitor, blue for issue remediation and closure) and dots connecting the responsible party.

To explain the workflow of control design assessment, in addition to the Control Owner, Control Tester, and Control Performer roles covered in previous units, it is necessary to define the following roles:

  • Governance, Risk, and Compliance (GRC) Admin: They handle the technical implementation and support of tools for these activities, including scheduling controls using the planner functionality.
  • Internal Audit or internal control team: They receive the workflow and review it. They are responsible for decision-making, such as approving or rejecting the assessment result.
  • Issue Owner: Responsible for identifying, investigating, planning resolution, monitoring progress, and documenting compliance issues to ensure timely and effective resolution.
  • Remediation Owner: Oversees the implementation of corrective actions and ensures compliance issues are effectively resolved within the organization.

The Control Design Assessment workflow consists of six steps that must be carried out by various users. These steps are classified into two colors for easier understanding: Orange steps (1-3) pertain to planning, perform, and monitor, while blue steps (4-6) focus on issue remediation and closure.

Let's walk through the workflow of Control Design Assessment:

Orange steps: Planning, Perform, and Monitor:

  1. Schedule the planner: In the "Planner" application, the GRC Administrator creates the plan activity "Perform Control Design". During creation, the survey templates are selected and added to the plan. This step refers to the unit "Identifying the Key Capability: Plan".
  2. Perform assessment: The Control Owner receives the workflow item in the SAP Process Control Work Inbox to respond to the survey and rate the design effectiveness of the control as either Adequate or Deficient/Significantly Deficient. For a failed assessment, the control owner must report an issue, which is routed to the issue owner for the remediation process. This is explained in detail in the unit "Identifying the Key Capability: Evaluate".
  3. Review assessment: The reviewer, usually a person from the internal control team (such as the internal control manager or process owner), receives the workflow to review the assessment submitted by the control owner. The reviewer can either approve or reject the assessment result after looking at the answers provided to the questionnaire, the attachments uploaded, and the issue details for a failed control. Please note that this step is optional and can be enabled during the customizing phase.

Blue steps: Issue Remediation and Closure:

  4. Issue Remediation: This step applies only when a control has failed the assessment. In this step, the issue owner looks at the assessment result and has two options:
    1. Assign Remediation Plan: This option is selectable if the issue needs a detailed investigation and an action plan to remediate it. (This is step 5.)
    2. Close Issue without Plan: The Issue Owner can address the issue without requiring a remediation plan by providing evidence and comments that justify closing the issue without a plan. (This skips step 5 and goes directly to step 6.)
  5. Implementation of Remediation Plan: The Remediation Owner (who can also be the control owner) reviews instructions from the issue owner, executes them, and submits evidence to validate the successful implementation of the remediation plan. Please note that this step applies only if the "Assign Remediation Plan" option is enabled during the customizing phase.
  6. Close issue: If the issue is resolved and reviewed, it can be closed. However, in cases where the Issue Owner is also the Remediation Owner, the issue cannot be closed by the same individual. Another person must evaluate the remediation progress and make the decision to either close the issue or reopen the remediation plan for further actions. This ensures an independent review of the remediation process, maintaining the integrity and effectiveness of the internal control procedures.

A six-step process workflow of control design assessment. The process is visually represented with a series of connected steps, each assigned a different color (dark blue for planning, perform, and monitor, green for issue remediation and closure) and dots connecting the responsible party.

As the graphic shows, Control Self-Assessment consists of six steps that must be performed by different users. The main difference from Control Design Assessment is that the perform assessment step (step 2) is carried out by the control tester instead of the control owner. All other predefined users are the same (GRC Admin, Internal Audit, Issue Owner, and Remediation Owner).

Let's look in more detail at the workflow of Control Self-Assessment:

Dark Blue steps: Planning, Perform, and Monitor:

  1. Schedule the planner: In the "Planner" application, the GRC administrator can create the plan activity "Perform Self-Assessment". During creation, the survey questions can be selected. This step refers to the unit "Identifying the Key Capability: Plan".
  2. Perform assessment: The Control Tester receives the workflow item in the SAP Process Control Work Inbox to respond to the survey and rate the operating effectiveness of the control as either Adequate or Deficient/Significantly Deficient. For a failed assessment, the control tester must report an issue, which is routed to the issue owner for the remediation process. This is explained in detail in the unit "Identifying the Key Capability: Evaluate".
  3. Review assessment: The reviewer, usually a person from the internal control team (such as the internal control manager or process owner), receives the workflow to review the assessment submitted by the control owner. The reviewer can either approve or reject the assessment result after looking at the answers provided to the questionnaire, the attachments uploaded, and the issue details for a failed control. Please note that this step is optional and can be enabled during the customizing phase.

Green steps: Issue Remediation and Closure (similar to control design assessment):

  4. Issue Remediation: This step applies only when a control has failed the assessment. In this step, the issue owner looks at the assessment result and has two options:
    1. Assign Remediation Plan: This option is selectable if the issue needs a detailed investigation and an action plan to remediate it. (This is step 5.)
    2. Close Issue without Plan: The Issue Owner can address the issue without requiring a remediation plan by providing evidence and comments that justify closing the issue without a plan. (This skips step 5 and goes directly to step 6.)
  5. Implementation of Remediation Plan: The Remediation Owner (who can also be the control owner) reviews instructions from the issue owner, executes them, and submits evidence to validate the successful implementation of the remediation plan. Please note that this step applies only if the "Assign Remediation Plan" option is enabled during the customizing phase.
  6. Close issue: If the issue is resolved and reviewed, it can be closed. However, in cases where the Issue Owner is also the Remediation Owner, the issue cannot be closed by the same individual. Another person must evaluate the remediation progress and make the decision to either close the issue or reopen the remediation plan for further actions. This ensures an independent review of the remediation process, maintaining the integrity and effectiveness of the internal control procedures.
