Gaining Insights of the Risk Based Scoping

Objectives

After completing this lesson, you will be able to:
  • Explain the shared data model in SAP Process Control
  • Explain the concept of risk based scoping
  • Explore how a control risk assessment will be created and executed

The Shared Data Model in SAP Process Control

The graphic illustrates three different ways to determine which areas within an internal control system to focus on.

Risk-Based Scoping

Compliance efforts should be directed to the areas that present the highest risk. Regulatory agencies such as the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) encourage organizations to adopt a top-down approach to planning an audit. SAP Process Control allows you to identify by risk the specific subprocesses, account groups and assertions to be audited. Risks are linked to specific account groups and assertions, to specific control definitions, or may be inherent to the subprocess.

The SAP Process Control risk model facilitates a top-down, risk-based approach to compliance. It accomplishes this through materiality analysis, risk assessment and control risk assessment. Materiality analysis assesses the importance of significant accounts and account balances at the organization and subprocess levels. This analysis helps identify the organizations that should be in scope. Moreover, organizations have the flexibility to establish their own risk threshold, which also assists in determining the appropriate scope. Once the relevant organizations are identified, risks can be assessed systematically using a workflow-driven assessment process.

SAP Process Control provides a Risk Assessment for Financial Scoping, which allows the organization to evaluate the probability and potential impact of a particular risk. The outcome of the risk assessment is the level of evidence, which defines the appropriate test strategy for each control.

SAP Process Control provides a workflow-driven Control Risk Assessment. The rating is determined by evaluating the complexity of the control, the history of control failure, the judgment and expertise required to properly execute the control, and the potential for management to override the control. The outcome of the Control Risk Assessment is a defined risk rating.

The Concept of Risk Based Scoping

For demonstration purposes, only the Control Risk Assessment is shown.

Ian Robb, as Internal Control Manager, is responsible for ensuring that the company's internal controls are effective in mitigating risks. He creates a control risk assessment for the specific control "Account payable invoicing" for the month of June 2024.

The purpose is to ensure the accuracy and reliability of the financial records related to accounts payable. This assessment helps identify potential risks and controls associated with the invoicing process, such as the risk of duplicate invoicing, unauthorized payments, or errors in recording invoices.

He activates the Plan in the Planner app and triggers the workflow.

Risk-Based Control

Persona: Mae Wong

Mae Wong is a Control Performer; due to the organization setup, she is responsible for the control assessment for Account Payable Invoicing.

After Ian starts an assessment, Mae receives an item in her Work Inbox. Her task is to accurately determine the risk rating of the controls by addressing specific questions related to them.

She carefully goes through each control, evaluating its complexity, history of failure, the judgment required to operate it, and the potential for management override. After selecting the rating for each control, she reviews the overall rating and is pleased to see that no control poses a high risk.

Once Mae completes her assessment, Ian, the internal control manager, will review her work to confirm the correct risk rating.

Thanks to this collaborative effort, the company can identify the controls with the highest risk.

Creation and Execution of a Control Risk Assessment

The graphic demonstrates the shared data model among Risk Management, Access Control, and Process Control, which allows all three solutions to access and collaborate on the same data for improved efficiency and accuracy in decision-making.

Risk Harmonization and Integration of Shared Data Model

Process Control and Risk Management share the same risk catalogs and templates but maintain separate risk objects. In deployment models where the internal control system and the Risk Management framework have different views on the level of risks (process- or even transaction-oriented risks versus strategic risks), this is sufficient. However, for customers who want to fully integrate their Risk Management and Internal Controls frameworks, this approach poses a serious limitation. With the risk harmonization feature activated, Process Control users can add Risk Management risks to local Process Control subprocesses. Subsequently, any controls added to these risks are automatically recognized on the Risk Management side as responses to the risks.

Process Control and Access Control share a compliance structure in several ways. This includes the sharing of organizations, where both components utilize the same organizational structure. Additionally, controls in Process Control can be used as mitigating controls in Access Control, enhancing compliance measures. Moreover, processes in Process Control can be used as processes in Access Control, ensuring consistency in compliance efforts. A key feature of this integration is the ability of Process Control to monitor Segregation of Duties (SoD) violations through the Access Risk Analysis conducted in Access Control.
