
Monitoring of Automated and Semi-automated Controls

 

Process Control facilitates the monitoring of data to ensure controls in your ERP system are operating effectively, and to identify weaknesses or potential deficiencies on a timely basis. You can create the following monitoring controls within Process Control to identify exceptions in your ERP system based on your deficiency parameters:

  • Configuration Controls – to identify potential unauthorized configuration settings or parameters in the ERP system.

  • Master Data Controls – to identify suspect master data in the ERP system.

  • Transaction Data Controls – to identify unusual business transactions in the ERP system.

You can customize your automated monitoring controls to review data based on your filter parameters and test period. You then schedule the automated monitoring controls at any frequency you choose based upon your configuration.

Note

If issues are identified for automated control monitoring, redoing the monitoring control for the same period returns the same results. For this reason and to ensure that issues are identified on a timely basis, some companies perform control monitoring more frequently than either manual testing or automated testing of control effectiveness.

Automated test rules can automate your monitoring procedures. The rule filters and the deficiencies set within them identify exceptions in the data within the ERP system. For more information, see Performing Automated and Semi-automated Tests of Effectiveness, Creating a Business Rule, and Creating and Changing Data Sources.

  • If exceptions are found, the system automatically creates an issue.

  • If no exceptions are found, no results are returned. The activity is logged with an Adequate deficiency rating in the Job Monitor. If you discover an issue that should be addressed, you can create an ad hoc issue, regardless of the deficiency rating. For more information, see Identifying, Creating and Assigning Ad Hoc Issues.

The following figure illustrates the steps in performing automated controls monitoring:

[Figure: steps in performing automated controls monitoring]

A monitoring control may be semi-automated based on its control design. However, if issues are found, the workflow tasks between automated and semi-automated control monitoring are the same. Shown below is the test failure routing for automated and semi-automated control monitoring based upon delivered business content.

Note

The receiver of issues and tasks in the table below represents the predelivered configuration by SAP. You can define your own settings in the Customizing activity found at Governance, Risk and Compliance > General Settings > Workflow > Maintain Custom Agent Determination Rules. For more information, see the SAP BusinessObjects Process Control 10.0 Security Guide.

Test Failure Routing for Automated and Semi-automated Control Monitoring

| Rule with Issue Deficiency Rating | Automated: Issues Go to | Semi-automated: Issues Go to |
|-----------------------------------|-------------------------|------------------------------|
| Rule with Deficiency (H/M/L)      | Control Owner           | Control Owner                |
| Rule with Review Required         | Control Owner           | Control Owner                |
| Rule with No Deficiency           | N/A                     | N/A                          |

Process

System Execution of Automated Control Monitoring
  1. Process Control performs automated control monitoring based on the schedule you create in the Monitoring Scheduler. The schedule triggers the monitoring in the ERP system based upon the rules to determine if the data represents an exception. For more information, see Creating a Business Rule and Assigning a Business Rule to a Control.

  2. The ERP system returns any exceptions to Process Control. The issues have a deficiency rating of High, Medium, Low, or Review Required, depending on the rule settings. You define your tolerance settings for deficiencies in the rule.

  3. If no exceptions are identified, the monitoring job schedule is completed and no workflow is required. The job monitor shows that the job has completed its execution with an Adequate deficiency rating.

    If you discover an issue that should be addressed, you can create an ad hoc issue, regardless of the deficiency rating. For more information, see Identifying, Creating and Assigning Ad Hoc Issues.

  4. If exceptions are identified, the system automatically creates an issue and routes it to the person assigned the task to receive the issues. In the delivered Business Configuration (BC) set, this person has the Control Owner role.

    Note

    You have the option of assigning the task to another role, depending on your business requirements and organization.
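
The run described in steps 1 to 4, sketched as an added Python example; it is not SAP code and not part of the original documentation. The `Rule` class, its threshold fields, the payment records and the job rating reported when exceptions exist are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data standing in for ERP payment documents.
PAYMENTS = [
    {"doc": "P-001", "company_code": "1000", "posted": date(2024, 1, 5), "amount": 4_000},
    {"doc": "P-002", "company_code": "1000", "posted": date(2024, 1, 17), "amount": 62_000},
    {"doc": "P-003", "company_code": "2000", "posted": date(2024, 1, 20), "amount": 900_000},
    {"doc": "P-004", "company_code": "1000", "posted": date(2024, 1, 28), "amount": 120_000},
    {"doc": "P-005", "company_code": "1000", "posted": date(2024, 2, 2), "amount": 700_000},
]

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: filter parameters plus deficiency tolerances."""
    company_code: str               # filter parameter
    low_at: int                     # amounts at or above this are exceptions
    medium_at: int
    high_at: int
    review_required: bool = False   # rate every exception "Review Required"

    def rate(self, amount):
        if amount < self.low_at:
            return None             # within tolerance: not an exception
        if self.review_required:
            return "Review Required"
        if amount >= self.high_at:
            return "High"
        return "Medium" if amount >= self.medium_at else "Low"

def run_monitoring(rule, records, start, end, receiver="Control Owner"):
    """One scheduled run over a test period; returns (job_rating, issues)."""
    issues = []
    for rec in records:
        in_scope = rec["company_code"] == rule.company_code and start <= rec["posted"] <= end
        rating = rule.rate(rec["amount"]) if in_scope else None
        if rating:
            # Each exception becomes an issue routed to the configured receiver.
            issues.append({"doc": rec["doc"], "rating": rating, "receiver": receiver})
    # No exceptions: nothing is routed and the job is logged as Adequate.
    # Assumption: with exceptions, the job shows the most severe rating found.
    order = ["Review Required", "Low", "Medium", "High"]
    job = max((i["rating"] for i in issues), key=order.index, default="Adequate")
    return job, issues

if __name__ == "__main__":
    rule = Rule(company_code="1000", low_at=50_000, medium_at=100_000, high_at=500_000)
    print(run_monitoring(rule, PAYMENTS, date(2024, 1, 1), date(2024, 1, 31)))
```

Running the same rule twice over the same test period yields identical issues, which is why the page notes that shorter, more frequent monitoring periods surface exceptions sooner than re-running an old one.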