Strategies to Leverage an SAP System Implementation for Reduced Cost of Compliance

  • by Shweta Jain, Manager, Axis Risk Consulting
  • January 11, 2012
Be sure your internal control structure is adequately designed during an SAP system implementation or upgrade. It can be expensive to redo this structure after the designed processes are in place, as an SAP system implementation is a major transformational activity involving organization-wide process changes.
Key Concept
Internal controls are an integral part of business processes. The control activities that are part of a compliance initiative form part of a business process. For example, performing a credit control on a customer before delivering orders is a business activity and also a control activity for compliance. For a business owner, it is part of a process. For a controller, however, it is a control activity. Because an SAP system implementation or upgrade is an event when processes are reengineered and major changes are made to processes, it is essential to realign the compliance activities to the new processes in the organization. An effective, efficient compliance program should be conceptualized for the purpose.

A major change such as an upgrade or implementation provides an opportunity to reassess to-be processes for compliance. It is best to remeasure and reengineer compliance processes at the early stages of a project. Waiting until later when these processes become embedded in the organization can be expensive in terms of the cost of implementation of the functionality in an SAP system. Furthermore, remeasuring or reengineering compliance processes in the late stages of a project may result in having to revamp the entire process.

Many manual business processes can be automated by leveraging the SAP system. This automation is not limited only to inherent configurable functionalities of the SAP system that can be enabled; additional activities may be enabled from custom development. For example, configuring a closing cockpit (standard SAP functionality) for facilitating smooth closure of books has a major impact on how the closing activities are performed and results in a complete reengineering of the closing process. However, a decision to implement nonstandard approval workflow or custom reports is an example of a custom requirement that may cost less if identified early in the implementation rather than later. Therefore, it would be prudent to reassess the to-be processes at the initial stages instead of later when the processes become ingrained in the organization.

An effective, efficient compliance program during an SAP implementation or upgrade has the following objectives:

  • Design the right internal control structure
  • Align and integrate  compliance initiatives with SAP implementation activities

What Is the Right Design of an Internal Control Structure?

The right internal control structure follows industry best practices and available frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) — Internal Control — Integrated Framework/Risk Management — Integrated Framework;  the IT Governance Institute’s Control Objectives for Information Technology (COBIT); ISO 17799; and the Canadian Institute of Chartered Accountants’ (CICA) IT control guidelines. The right internal control structure also is supported by an organization’s policy and procedure documents. It embeds the correct mix of controls with standardization, automation, and optimization. It also establishes effective assessment and monitoring procedures (Figure 1).

Shweta Jain

Shweta Jain is a chartered accountant (ICAI) and certified information system auditor (CISA) with more than eight years of experience. She is currently working as a manager in Axis Risk Consulting (a Genpact subsidiary). She specializes in business process controls and managing governance, risk, and compliance initiatives. She has previously worked as a senior consultant at Infosys Technologies, Ltd., and has been involved in various compliance projects on  SAP platform for global clients.

If you have comments about this article or GRC Expert, or would like to submit an article idea, please contact the GRC Expert editor Gary Byrne.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.