FACET_TM_SAP_GRC_PC_UserGuide_V006
Finance and Accounting Control Effectiveness<br />
SAP GRC PC User Guide<br />
SAP GRC PC User Guide, FME © Copyright
Version History<br />
Version Date Changes<br />
V002 Control Evaluation Questionnaire added<br />
V003 08.12.2015 Modify OrgUnit, Process, Subprocess, Controls, and issues added<br />
V004 16.12.2015 Assign / add new control to subprocess<br />
V005 12.01.2015 Add Roll-Forward Certification; Modified CEQ<br />
V006 12.01.2015 Update RFC<br />
SAP GRC PC User Guide, FME © 1/12/2016 Page 2
The major activities in the current SOX-Timetable can be mapped to the aspired future FMC ICS Cycle<br />
ICS Cycle:<br />
1. Risk Assessment & Scoping: Yearly Risk Assessment; Risk based Scoping Approach<br />
2. Control Documentation & Implementation: Process and documentation review incl. control updates and implementation of new controls; Implementation of SAP process control<br />
3. Control Assessment: Management Assessment<br />
4. Remediation: Remediation of deficiencies<br />
5. Sign-off: Reporting to Group Corporate, Hard Close Reporting to the Audit and Corporate Governance Committee and Year-End Confirmation via email to Group Corporate<br />
ICS Software Solution to support the ICS Lifecycle<br />
Resulting objectives from the ICS Lifecycle support<br />
• Support a corporate wide approach by providing regional local flexibility<br />
• Provide the possibility to include all FMC control catalogues in order to provide transparency on the ICS<br />
• Support the ICS-lifecycle and allow different testing approaches<br />
• Consider usability and simplicity for the end-users<br />
• Support the concept of control automation / automated testing of effectiveness in order to lower manual work efforts by increasing security<br />
Table of Symbols<br />
• Important / Additional information: “!” / “i”<br />
• Next page available<br />
• Back to Table of Content<br />
• Section symbols: Master Data / Local Data, Role assignment, Modify local Data, Plan Assessment, Receive E-Mail, Perform Assessment, Reporting, ICS Tool, Miscellaneous<br />
Content Overview<br />
Set up Master Data<br />
• Create an Organization<br />
• Create a Central Process<br />
• Create a Central Subprocess<br />
• Create a Central Control<br />
• Create Test Plan<br />
• Assign Test Plan to Central Control<br />
• Create a Central Risk Category<br />
• Create a Central Risk Template<br />
• Assign a Subprocess to an OrgUnit<br />
Assign User<br />
• Assign a User to OrgUnit<br />
• Assign a User to Process / Sub & Control<br />
• Use Central Delegation<br />
Maintain local Data<br />
• Modify OrgUnit<br />
• Modify Process<br />
• Modify Subprocess<br />
• Modify Control<br />
• Create Control Specific Issue<br />
• Assign / add new controls to Subprocess<br />
Plan an Assessment<br />
• Create Ad-Hoc Issue<br />
• Create Questions<br />
• Create Surveys<br />
• Plan Test of Effectiveness (ToE)<br />
• Plan Roll-Forward Certification<br />
• Plan Risk Assessment / Documentation Review<br />
• Plan Control Evaluation Questionnaire<br />
Perform an Assessment<br />
• Perform Ad-Hoc Issue & Remediation Plan<br />
• Perform Risk Assessment / Documentation review<br />
• Perform Roll-Forward Certification<br />
• Perform Test of Effectiveness<br />
Reporting<br />
• Export report to Microsoft Excel<br />
• Planner Monitor<br />
• Risk and Control Matrix<br />
• Test Step Status<br />
• Assessment Survey Details<br />
• Report personalization<br />
Miscellaneous<br />
• Allow Referencing<br />
• Sign-Off<br />
Phases: Preparation; Operational Tool Usage / ICS Cycle<br />
Guide Content<br />
1 Set up Master Data<br />
2 Assign User<br />
3 Maintain local Data<br />
4 Plan an Assessment<br />
5 Perform an Assessment<br />
6 Reporting<br />
7 Miscellaneous<br />
Section 1 – Set up Master Data<br />
1.1 Create Organization<br />
1.2 Create Central Process<br />
1.3 Create Central Subprocess<br />
1.4 Create Central Control<br />
1.5 Create Test Plan<br />
1.6 Assign Test Plan to Central Control<br />
1.7 Create Central Risk Category<br />
1.8 Create Central Risk Template<br />
1.9 Assign Subprocess to OrgUnit<br />
Note: Unless otherwise stated, whenever the masculine gender is used, both men and women are included.<br />
1.1 Create Organization<br />
Step by Step<br />
You create and edit organizations as a step in documenting your compliance initiative.<br />
1. Tab: Master Data<br />
• “Organizations”<br />
• Quick Link: “Organizations”<br />
2. Set a date and click “Apply”<br />
• Select a unit to integrate the new organization<br />
• Click “Add” and create a new<br />
organization<br />
3. Provide details on organization<br />
• Following inputs are mandatory:<br />
• “Name”,<br />
• “Valid From” date &<br />
• “Valid To” date<br />
• Click save<br />
1.2 Create Central Process<br />
Step by Step<br />
1. Tab: Master Data<br />
• “Activities and Processes”<br />
• Open “Business Processes”<br />
2. Set a date and click “Apply”<br />
• Select a unit to integrate the new process<br />
• Click “Create” to add a new central<br />
process<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Name”,<br />
• “Valid From” date &<br />
• “Valid To” date<br />
• Click save<br />
1.3 Create Central Subprocess<br />
Step by Step<br />
1. Tab: Master Data<br />
• “Activities and Processes”<br />
• Open “Business Processes”<br />
2. Set a date and click “Apply”<br />
• Select a unit to integrate the new subprocess<br />
• Click “Create” to add a new central<br />
subprocess<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Name”,<br />
• “Valid From” date &<br />
• “Valid To” date<br />
• Click save<br />
1.4 Create Central Control<br />
Step by Step<br />
1. Tab: Master Data<br />
• Open “Business Processes”<br />
2. Create new central control<br />
• Set a date and click “Apply”<br />
• Select a subprocess to integrate<br />
the new control<br />
• Click “Create” to add a new central<br />
control.<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Name”,<br />
• “Valid From” date,<br />
• “Valid To” date,<br />
• “Trigger” has to be set on<br />
“Date”,<br />
• “To be Tested”,<br />
• If “To be Tested” is “Yes”, add a Testplan*,<br />
• “Test Automation”,<br />
• “Control Automation” &<br />
• “Purpose”<br />
4. Add Regulation<br />
• Select Tab “Regulation”<br />
• Click “Add“<br />
• Select correct regulation<br />
• Click “Ok”<br />
• Click save<br />
• A new central control has been<br />
created<br />
*Go to: Assign Testplan to Control<br />
1.5 Create Testplan<br />
Step by Step<br />
1. Tab: Assessments<br />
• Open “Manual Test Plans”<br />
2. Create new Test Plan<br />
• Click “Create” to add a test plan<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Name”,<br />
• “Valid From” date,<br />
• “Valid To” date,<br />
• Click “Add” to add new test steps<br />
and fill in all needed details<br />
• To add more steps, just click “Add”<br />
again<br />
• Click “Save”<br />
• A new test plan has been created<br />
and can be assigned to a central<br />
control<br />
1.6 Assign Test Plan to Central Control<br />
Step by Step<br />
A manual test plan consists of a sequence of test steps (or procedures) performed during testing to determine that a control is operating effectively. A manual test plan may test either a manual or automated control. If the test method is noted as manual, a manual test plan will apply.<br />
1. Add Testplan<br />
• Open a central control<br />
• Open “Test Plan” List<br />
2. Select Test Plan ID<br />
• Enter a known “Test Plan ID”<br />
• “Test Plan Name”<br />
• “Description”<br />
• Or “Valid From” date to search a<br />
“Test Plan”<br />
• Select a valid “Test Plan Id”<br />
• Click save<br />
3. Alternative<br />
• Tab: Assessment<br />
• Open “Manual Test Plan”<br />
• Select an already created control<br />
to assign<br />
• Click “Assign to” and select<br />
“Central Controls”<br />
• Select a control<br />
• Click Ok<br />
1.7 Create Central Risk Category<br />
Step by Step<br />
1. Tab: Master Data<br />
• Open “Risk Catalog”<br />
2. Set a date and click “Apply”<br />
• Select a unit to integrate the new risk category<br />
• Click “Create” and select “Risk<br />
category”<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Name”,<br />
• Click save<br />
• A new risk category has been<br />
created<br />
1.8 Create Central Risk Template<br />
Step by Step<br />
1. Tab: Master Data<br />
• Open “Risk Catalog”<br />
2. Set a date and click “Apply”<br />
• Select a parent risk category to<br />
integrate the new risk template<br />
• Click “Create” and select “Risk<br />
template”<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Name”,<br />
• Click save<br />
• A new risk template has been<br />
created<br />
1.9 Assign Subprocess to OrgUnit<br />
Step by Step<br />
1. Tab: Master Data<br />
• Open “Organization”<br />
• Set a date and click “Apply”<br />
• Select a parent OrgUnit to assign a<br />
Subprocess<br />
• Click “Open”<br />
2. Click “Assign Subprocess”<br />
3. A new window will popup<br />
• Select correct subprocess and click<br />
“Next”<br />
• Allow local changes if necessary<br />
• Click “Submit” & “Finish”<br />
• Now a subprocess will be assigned<br />
to an orgunit<br />
Section 2 – Assign User<br />
2.1 Assign User to OrgUnit<br />
2.2 Assign User to Process /Subprocess /Control<br />
2.3 Use “Central Delegation”<br />
2.1 Assign User to OrgUnit<br />
Step by Step<br />
You can use this function to assign users to roles for corporate and organization objects. You typically perform this task during initial setup, when organizations or roles (corporate or organization) are added, or when multiple users are assigned to roles.<br />
1. Tab: Access Management<br />
• Open “Organizations”<br />
2. Select “Corporate and<br />
Organizations”<br />
• Click next<br />
• Select a parent risk category to<br />
integrate the new risk template<br />
• Click “Create” and select “Risk<br />
template”<br />
3. Select an organization<br />
• Move it with the single arrow in the<br />
middle to the selected window<br />
• Click next<br />
4. Select role to assign a user<br />
• Click on the button to open userlist<br />
• Select a user<br />
• Click “Ok“<br />
• Click “Next“ and “Submit”<br />
2.2 Assign User to Process /Subprocess /<br />
Control<br />
Step by Step<br />
You can use this function during initial setup to assign users to roles for local process objects. For example, when new process objects are added, when roles are added for process hierarchy levels, or when additional users are assigned to roles that can be assigned to multiple users.<br />
1. Tab: Access Management<br />
• Open “Business Processes”<br />
2. Select “Process, Subprocess and<br />
Control” and click “Next”<br />
3. Choose Process, Subprocess or<br />
Control<br />
4. Select your user in the pop-up list<br />
and click “Ok”<br />
2.3 Use Central Delegation<br />
Step by Step<br />
You can authorize a user (the delegate) to perform the tasks and to exercise the access rights of another user (the delegator). You delegate access rights by creating a new delegation in which you designate one user as the delegator and another as the delegate. The delegator’s access rights and tasks become accessible to the delegate for the validity period that you specify.<br />
1. Tab: Access Management<br />
• Open “Central Delegation”<br />
2. Click “create”<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “User” (Delegator)<br />
• “User” (Delegate)<br />
• “Start Date” and<br />
• “End Date” of delegation<br />
period<br />
• Click save<br />
• A new delegation has been created<br />
Section 3 – Maintain local Data<br />
3.1 Modify OrgUnit<br />
3.2 Modify Process<br />
3.3 Modify Subprocess<br />
3.4 Modify Control<br />
3.5 Create Control Specific Issue<br />
3.6 Assign / add new controls to Subprocess<br />
3.1 Modify OrgUnit<br />
Step by Step<br />
1. Tab: My Home<br />
• “My Objects”<br />
• Quick Link: “My Processes”<br />
2. Select Hierarchical View<br />
3. Select Organizational Unit<br />
• Identify Organizational Unit by<br />
column Type “ORGUNIT”<br />
• Select wanted Organizational unit<br />
and click “Open”<br />
4. Modify Org Unit information<br />
• Modify necessary information and<br />
click “Save” to commit changes<br />
3.2 Modify Process<br />
Step by Step<br />
1. Tab: My Home<br />
• “My Objects”<br />
• Quick Link: “My Processes”<br />
2. Select Hierarchical View<br />
3. Select Process<br />
• Identify Process by column Type<br />
“PROCESS”<br />
• Select wanted Process and click<br />
“Open”<br />
4. Modify Process information<br />
• Modify necessary information and<br />
click “Save” to commit changes<br />
3.3 Modify Subprocess<br />
Step by Step<br />
1. Tab: My Home<br />
• “My Objects”<br />
• Quick Link: “My Processes”<br />
2. Select Hierarchical View<br />
3. Select Subprocess<br />
• Identify Subprocess by column<br />
Type “SUBPROCESS”<br />
• Select wanted Process and click<br />
“Open”<br />
4. Modify Subprocess information<br />
• Modify necessary information and<br />
click “Save” to commit changes<br />
3.4 Modify Control<br />
Step by Step<br />
1. Tab: My Home<br />
• “My Objects”<br />
• Quick Link: “My Processes”<br />
2. Select Hierarchical View<br />
3. Select Control<br />
• Identify controls by column Type<br />
“CONTROL”<br />
• Select wanted Process and click<br />
“Open”<br />
4. Modify Control information<br />
• Modify necessary information and<br />
click “Save” to commit changes<br />
3.5 Create Control Specific Issue<br />
Step by Step<br />
1. Tab: My Home<br />
• “My Objects”<br />
• Quick Link: “My Processes”<br />
2. Select Hierarchical View<br />
3. Select Control<br />
• Identify controls by column Type<br />
“CONTROL”<br />
• Select wanted Process and click<br />
“Open”<br />
4. Select Issues tab<br />
• Create new issue by clicking “Create”<br />
• Please refer to Slide 37 for detailed<br />
procedure on how to create an<br />
issue and remediation plan<br />
3.6 Assign / add new controls to Subprocess<br />
Step by Step<br />
1. Tab: My Home<br />
• “My Objects”<br />
• Quick Link: “My Processes”<br />
2. Select Hierarchical View<br />
3. Select Subprocess<br />
• Identify Organizational Unit by<br />
column Type “Subprocess”<br />
• Select wanted Subprocess and click<br />
“Open”<br />
4. Add / Assign new controls<br />
• Click the controls tab<br />
• Click “Add”<br />
• If you want to create a new control<br />
select the first option<br />
• To add a control from the central<br />
Subprocess select the second<br />
option. With this option you can<br />
add all controls which are related<br />
to the central Subprocess but not<br />
added in the local one.<br />
5. Save<br />
Section 4 – Plan an Assessment<br />
4.1 Create Ad-Hoc Issue<br />
4.2 Create Questions<br />
4.3 Create Surveys<br />
4.4 Plan Test of Effectiveness (ToE)<br />
4.5 Plan Roll-Forward Certification<br />
4.6 Plan Risk Assessment / Documentation Review<br />
4.7 Plan Control Evaluation Questionnaire<br />
4.1 Create Ad-Hoc Issue<br />
Step by Step<br />
1. Create an Ad-Hoc Issue:<br />
• Go to Tab My Home-> “Ad Hoc<br />
Tasks” -> “Issues” -> open<br />
• “Ad Hoc Issues” view will open -><br />
click on “Create” button<br />
2. Maintain Issue Details:<br />
• Issue Details Tab<br />
• Following fields are mandatory:<br />
• “Issue Name”<br />
• “Description”<br />
• “Priority”<br />
• “Issue Date”<br />
• Following fields are optional:<br />
• “Object type”<br />
• “Object name”<br />
• “Owner”<br />
• “Source”<br />
• “Due Date”<br />
• Attachments and links Tab<br />
• Add document as<br />
attachment or link in<br />
SharePoint if needed<br />
3. Submit or Save issue<br />
• press “Submit” to finalize the issue<br />
• Issue will be saved<br />
• Issue owner will be<br />
informed via e-mail.<br />
• Click “Save draft” in order to<br />
add/modify some issue details later<br />
on.<br />
4.2 Create Questions<br />
Step by Step<br />
The Question Library lists the user-defined questions that you can use within your surveys.<br />
1. Tab: Assessments<br />
• Open “Survey Library”<br />
2. Create Question<br />
• Click “Create”<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Category”<br />
• “Question” &<br />
• “Answer Type”<br />
• “Save”<br />
• Now you can select questions in<br />
your “Survey Library”<br />
4.3 Create Surveys<br />
Step by Step<br />
A survey is a structured list of questions. Within GRC, surveys are used to obtain information about [..] the design or operational adequacy of controls. Surveys are used to carry out assessments of objects such as risks, activities, or policies, for example. These assessments are defined via plans in the Planner. Surveys are created and maintained in the Survey Library and sent via the workflow.<br />
1. Tab: Assessments<br />
• Open “Survey Library”<br />
2. Create Question<br />
• Click “Create”<br />
3. Provide details:<br />
• Following inputs are mandatory:<br />
• “Category” &<br />
• “Title”<br />
• Active „Yes“<br />
• Click „Add“ to add a “question”<br />
• Click “Ok”<br />
4. Select a question<br />
• Click save<br />
• A new survey has been created<br />
4.4 Plan Test of Effectiveness (ToE)<br />
Step by Step<br />
1. Tab Assessments<br />
• Open “Planner”<br />
• Click “Create” to create a new<br />
assessment<br />
2. Provide details:<br />
• Following inputs are mandatory:<br />
• “Plan Name”,<br />
• “Plan Activity”, select “Test<br />
Control Effectiveness”<br />
• “Period”<br />
• “Year”<br />
• “Start Date”<br />
• “Due Date”<br />
• Click “Next”<br />
3. Select Regulation<br />
• Following inputs are mandatory:<br />
• “Regulation”<br />
• “Evaluation Results<br />
Sharing”<br />
• Select a regulation<br />
• Select if you want to share results<br />
with other regulations<br />
4. Select Organizations<br />
5. Select Subprocess (no screens.)<br />
6. Click “Finish” and “Activate<br />
Plan”<br />
4.5 Plan Roll-Forward Certification<br />
Step by Step<br />
1. Tab Assessments<br />
• Open “Planner”<br />
• Click “Create” to create a new<br />
Assessment<br />
2. Provide details:<br />
• Following inputs are mandatory:<br />
• “Plan Name”,<br />
• “Plan Activity” select<br />
“Perform Roll-forward<br />
Certification”,<br />
• Select a survey<br />
• “Period”,<br />
• “Year”,<br />
• “Start Date” &<br />
• “Due Date”<br />
• Click “Next”<br />
3. Select Regulation<br />
• Following inputs are mandatory:<br />
• “Regulation” &<br />
• “Evaluation Results<br />
Sharing”<br />
• Select a regulation or share<br />
4. Select “Organizations”<br />
5. Select “Subprocess” (no<br />
screens.)<br />
6. Click “Finish” and “Activate<br />
plan”<br />
4.6 Plan Risk Assessment / Documentation<br />
Review<br />
Step by Step<br />
1. Tab Assessments<br />
• Open “Planner”<br />
• Click “Create” to create a new<br />
assessment<br />
2. Provide details:<br />
• Following inputs are mandatory:<br />
• “Plan Name”,<br />
• “Plan Activity” select<br />
Perform Risk Assessment /<br />
Documentation Review,<br />
• “Survey”, select<br />
“Documentation Review<br />
Questionaire”,<br />
• “Period”,<br />
• “Year”,<br />
• “Start Date” &<br />
• “Due Date”<br />
• Click “Next”<br />
3. Select Regulation<br />
• Following inputs are mandatory:<br />
• “Regulation” &<br />
• “Evaluation Results<br />
Sharing”<br />
• Select a regulation or share<br />
4. Select “Organizations”<br />
5. Select “Subprocess” (no screen)<br />
6. Click “Finish” and “Activate<br />
plan”<br />
4.7 Plan Control Evaluation Questionnaire<br />
Step by Step<br />
1. Tab Assessments<br />
• Open “Planner”<br />
• Click “Create” to create a new<br />
Assessment<br />
2. Provide details:<br />
• Following inputs are mandatory:<br />
• “Plan Name”,<br />
• “Plan Activity” select<br />
“Perform Control<br />
Evaluation Questionnaire”,<br />
• Select a survey<br />
• “Period”,<br />
• “Year”,<br />
• “Start Date” &<br />
• “Due Date”<br />
• Click “Next”<br />
3. Select Regulation<br />
• Following inputs are mandatory:<br />
• “Regulation” &<br />
• “Evaluation Results<br />
Sharing”<br />
• Select a regulation or share<br />
4. Select “Organizations”<br />
5. Select “Subprocess” (no<br />
screens.)<br />
6. Click “Finish” and “Activate<br />
plan”<br />
Section 5 – Perform an Assessment<br />
5.1 Perform Ad-Hoc Issue & Remediation Plan<br />
5.2 Perform Risk Assessment / Documentation review<br />
5.3 Perform Roll-Forward Certification<br />
5.4 Perform Test of Effectiveness<br />
5.1 Perform Ad-Hoc Issue & Remediation Plan<br />
(1/3)<br />
Step by Step<br />
1. Receive an issue task:<br />
• Get an email notification with<br />
following subject “An Issue has<br />
been logged”<br />
• Log-in to the System<br />
• Go to “My Home Tab”<br />
• Open “Work Inbox” link<br />
2. Perform issue:<br />
• Select an issue from the list<br />
• Click “Open”<br />
• Check issue content: “Description”,<br />
“Notes” and “Due Date”<br />
• If no remediation plan needed:<br />
• Perform issue<br />
• Leave a note<br />
• Close without plan<br />
3. Reassign the issue<br />
• If you were not the right recipient<br />
or additional task of another<br />
colleague is needed:<br />
• Leave a note<br />
• Reassign the issue<br />
• Choose another user -><br />
“Ok”<br />
• Submit the issue<br />
5.1 Perform Ad-Hoc Issue & Remediation Plan<br />
(2/3)<br />
Step by Step<br />
4. Assign remediation plan:<br />
• Press button “Assign remediation<br />
plan”<br />
• Fill in following information:<br />
• “Plan name”,<br />
• “Start Date” and “Due<br />
Date”,<br />
• Person responsible<br />
“Owner” &<br />
• Plan “Description”<br />
• Press “Ok”<br />
5. Submit remediation plan:<br />
• Press “Submit” to forward the<br />
remediation plan task to person<br />
responsible<br />
5.1 Perform Ad-Hoc Issue & Remediation Plan<br />
(3/3)<br />
Step by Step<br />
6. Start remediation plan task:<br />
• “My Home” -> “Work Inbox”<br />
• Open work item by clicking on its<br />
subject.<br />
• Update Remediation Progress:<br />
• Maintain completion progress<br />
• Leave comments if needed<br />
• Press “Submit” to save progress<br />
• Press “Assign Next Processer” in<br />
order to forward the remediation<br />
plan to another responsible user.<br />
7. Complete Remediation Plan<br />
• press “Complete” to finalize<br />
remediation plan activities<br />
• If completion progress was not set<br />
to 100% you will be asked to<br />
update it.<br />
• Press “Submit”, to save results<br />
• Issue status will be set to “closed”<br />
5.2 Perform Risk Assessment /Documentation<br />
review (1/2)<br />
Step by Step<br />
1. Receive to-do in “Work Inbox”:<br />
• log-in to the system<br />
• go to “My Home Tab”<br />
• Open “Work Inbox” link<br />
2. Open Risk Assessment /<br />
Documentation Review<br />
• Open a subject from the list<br />
• “Status” has to be “Ready”<br />
3. Perform Risk Assessment /<br />
Documentation Review<br />
• Evaluate each step by answering<br />
all questions.<br />
• Leave a comment in case of failure<br />
• Set “Rating” to “Appropriate” or<br />
“Inappropriate”<br />
• Optionally add “Comments”<br />
• Click Submit to finish “Risk<br />
Assessment / Documentation<br />
Review”<br />
5.2 Perform Risk Assessment /Documentation<br />
review (2/2)<br />
Step by Step<br />
4. Report Issue:<br />
• Click on the “Report Issue” button<br />
• Enter “Issue Name”<br />
• Set a Priority: “high”, “medium” or<br />
“low”<br />
• Choose an “Owner”<br />
• Describe the issue<br />
• Describe possible “Compensating<br />
Controls”<br />
• Fill in “Potential Impact”<br />
• Submit the issue to the issue<br />
owner by clicking “OK”<br />
5.3 Perform Roll-Forward Certification<br />
(1/2)<br />
Step by Step<br />
1. Receive Assessment Email with<br />
attached PDF-File:<br />
• Log in to your email program<br />
• Open an email sent by GRPC with general object: “Perform Rollforward Certification for …“<br />
• Open the attached PDF<br />
2. Perform evaluation:<br />
• Go to “Evaluation” Tab<br />
• Answer the question with “I certify”<br />
or “I don’t certify”<br />
3. Set a Rating (2 Options)<br />
• Option 1: Select<br />
“Inappropriate” if the<br />
answer above is “I don’t<br />
certify” and leave a<br />
comment. In this case<br />
please report an issue.<br />
• Option 2: Please select<br />
“Appropriate” if the answer<br />
above is “I certify” and<br />
send it back to the system<br />
by clicking “Submit”<br />
5.3 Perform Roll-Forward Certification<br />
(2/2)<br />
Step by Step<br />
4. Report Issue:<br />
• Click on the “Report Issue” button<br />
• Enter “Issue Name”<br />
• Set a Priority: “high”, “medium”<br />
or “low”<br />
• Choose an “Owner”<br />
• Describe the issue<br />
• Describe possible “Compensating<br />
Controls”<br />
• Fill in “Potential Impact”<br />
• Submit the issue to the issue<br />
owner by clicking “OK”<br />
5. Submit Test Results<br />
• Click “Submit” button to send<br />
testing results back to the system<br />
5.4 Perform Test of Effectiveness (1/4)<br />
Step by Step<br />
1. Receive Assessment Email with<br />
attached PDF-File:<br />
• Log in to your email program<br />
• Open the email sent by GR<strong>PC</strong> with<br />
the subject “Perform manual<br />
Test of Control Effectiveness…”<br />
2. Perform Test Step evaluation:<br />
• Go to “General Tab” -> “Test Steps”<br />
• Evaluate each step by choosing<br />
“Pass” or “Fail” as a “Test Result”.<br />
• Leave a comment in case of failure<br />
5.4 Perform Test of Effectiveness (2/4)<br />
Step by Step<br />
3. Set overall test result:<br />
• Go to “General Tab” -> “Test<br />
Details”<br />
• Enter “Test Date”<br />
• Set overall “Test Result”.<br />
• If “Test Result” is “Fail” -><br />
“Comment” is mandatory<br />
• Finally fill in the field “Test<br />
Performed” by choosing an<br />
appropriate answer<br />
5.4 Perform Test of Effectiveness (3/4)<br />
Step by Step<br />
4. Report Issue:<br />
• Click on the “Report Issue” button<br />
• Enter “Issue Name”<br />
• Set a Priority: “high”, “medium” or<br />
“low”<br />
• Choose an “Owner”<br />
• Describe the issue<br />
• Describe possible “Compensating<br />
Controls”<br />
• Fill in “Potential Impact”<br />
• Submit the issue to the issue<br />
owner by clicking “OK”<br />
5.4 Perform Test of Effectiveness (4/4)<br />
Step by Step<br />
5. Submit Test Results<br />
• Click “Submit” button to send<br />
testing results back to the system<br />
• or<br />
6. Assign testing to the next Tester<br />
• Click “Assign to Next Tester”<br />
• Enter a “User Name” or choose one<br />
from the list by clicking “Find User”<br />
• Click “OK” to forward the testing<br />
Section 6 – Reporting<br />
Set up Master Data -> Assign User -> Maintain local Data -> Plan an Assessment -> Perform an Assessment -> Reporting<br />
6.1 Planner Monitor<br />
6.2 Risk and Control Matrix<br />
6.3 Test Step Status<br />
6.4 Assessment Survey Details<br />
6.5 Report personalization<br />
6.6 Export report to Microsoft Excel<br />
6.1 Planner Monitor<br />
Step by Step<br />
You can use the Planner Monitor<br />
to track and monitor the execution<br />
status of workflow, e-mail<br />
survey, and user-defined objects<br />
created by the planner within the<br />
application.<br />
1. Tab: Assessment<br />
• Open “Planner Monitor”<br />
2. Displayed Data<br />
• The report displays the<br />
following data:<br />
• “Plan Name”,<br />
• “Plan activity”,<br />
• “Organization”,<br />
• “Object”,<br />
• “Frequency”,<br />
• “Start Date”,<br />
• “Due Date”,<br />
• “Recipients” &<br />
• “Status”<br />
• Status has three different values:<br />
1. “Error”,<br />
2. “Completed” &<br />
3. “Overdue”<br />
If an error occurs, please<br />
contact your system<br />
administrator<br />
6.2 Risk & Control Matrix<br />
Step by Step<br />
1. Tab: Reports and Analytics<br />
• “Master Data Reports”<br />
• “Risk and Control Matrix”<br />
2. The following inputs are mandatory:<br />
• “Period”,<br />
• “Year”,<br />
• “Report structure” &<br />
• “Regulation”<br />
• All other inputs can be used as<br />
filters<br />
• Click “Go” to create the report<br />
6.3 Test Step Status<br />
Step by Step<br />
1. Tab: Reports and Analytics<br />
• “Assessment Reports”<br />
• Open “Test Step Status”<br />
report<br />
2. The following inputs are mandatory:<br />
• “Period”,<br />
• “Year”,<br />
• “Report structure”,<br />
• “Regulation”,<br />
• “Rating”,<br />
• “One/All Evaluation” &<br />
• “Test Steps”<br />
• All other inputs can be used as<br />
filters<br />
• Click “Go” to create the Report<br />
6.4 Assessment Survey Details<br />
Step by Step<br />
1. Tab: Reports and Analytics<br />
• “Assessment Reports”<br />
• Open “Assessment Survey<br />
Details” report<br />
2. The following inputs are mandatory:<br />
• “Period”,<br />
• “Year”,<br />
• “Report structure”,<br />
• “Regulation” &<br />
• “Rating”<br />
• All other inputs can be used as<br />
filters<br />
• Click “Go” to create the Report<br />
6.5 Report personalization (1/4)<br />
Step by Step<br />
1. Personalized Selection<br />
• Go to the “Selection” link and<br />
right-click it<br />
• Maintain relevant selection fields to<br />
get required data set in the report<br />
If you would like to launch the<br />
same report with the same<br />
selection criteria on a regular<br />
basis, you can save your settings in a<br />
selection variant:<br />
• Press the “Save variant” button<br />
• Enter a variant name<br />
• Click “OK”<br />
6.5 Report personalization (2/4)<br />
Step by Step<br />
2. Ad-Hoc Sort and Filter per column:<br />
• Left-click the column header<br />
to open the context menu<br />
• Choose preferred sort function:<br />
• “Sort in Ascending Order”<br />
• “Sort in Descending Order”<br />
• Choose preferred filter function:<br />
• “All values”<br />
• “One of the values<br />
available”<br />
• “User-defined filter”<br />
3. Reset Ad-Hoc Filter<br />
• Left-click the column header<br />
• Choose “All”<br />
6.5 Report personalization (3/4)<br />
Step by Step<br />
4. Sort and Filter Using Settings<br />
dialogue<br />
• “Tab Sort” -> add required<br />
columns -> maintain sorting<br />
settings for each column<br />
• Click “Apply” to see the<br />
result immediately<br />
• Click “Reset” to reset<br />
settings made previously<br />
• Click “Ok” to save the<br />
results<br />
• “Tab Filter” -> add required<br />
columns -> Set filter value for<br />
each column<br />
• Click “Apply” to see the<br />
result immediately<br />
• Click “Reset” to remove all<br />
filter settings made<br />
• Click “Ok” to save the<br />
results<br />
6.5 Report personalization (4/4)<br />
Step by Step<br />
5. Personalize Report<br />
• Go to the “Personalize” link located above<br />
and to the left of the report name<br />
• Right-click the link to open<br />
the menu<br />
• Choose “Personalize Fields” to<br />
add additional fields from available<br />
or to remove fields selected in the<br />
current view<br />
• Click “Save” to keep<br />
settings<br />
• Click “Reset<br />
Personalization” to undo the<br />
settings made<br />
• Click “Cancel” to go back to<br />
the report without saving<br />
any changes<br />
• Choose “Report Personalization”<br />
to set settings like output format<br />
(tabular or hierarchical),<br />
aggregation logic (average of all<br />
ratings, worst rating), include<br />
assessments…<br />
• Choose “Personalize General<br />
Reporting Setting” for example<br />
to change report length (columns)<br />
• Choose “Print Setting” to change<br />
print settings<br />
6.6 Export report to Microsoft Excel<br />
Step by Step<br />
1. Press “Print or Export” button<br />
under the name of current report<br />
2. Left mouse-click on “Export”<br />
button<br />
• Choose “Export to Microsoft Excel”<br />
3. Confirm that you want to open<br />
or save the report as an Excel<br />
file by clicking the “Open” or<br />
“Save” button<br />
4. Report will open in Microsoft<br />
Excel<br />
Section 7 – Miscellaneous<br />
7.1 Allow Referencing<br />
7.2 Sign-Off<br />
7.1 Allow Referencing (1/2)<br />
Step by Step<br />
Any given control in a subprocess<br />
may satisfy control objectives and<br />
mitigate risks in another subprocess,<br />
process and/or organization.<br />
These controls are referred to as<br />
“Referenced” controls.<br />
A given organization may reference a<br />
control that resides in another<br />
subprocess, process and/or<br />
organization to mitigate its own<br />
associated risk.<br />
At the time a control is set up, a<br />
decision is made whether to allow<br />
referencing, by selecting “Allow<br />
Referencing”.<br />
1. Tab: Master Data<br />
• “Organizations”<br />
• Open “Organizations”<br />
2. Select an OrgUnit<br />
• Open “Subprocess”<br />
3. Referenced Control<br />
• Open “Control”<br />
• Activate checkbox “Allow<br />
Referencing”<br />
• Click “Save”<br />
7.1 Allow Referencing (2/2)<br />
Step by Step<br />
The chosen subprocess needs the same<br />
risk as the original subprocess<br />
5. Tab: Master Data<br />
• Organizations<br />
• Open “Organizations”<br />
6. Select an OrgUnit and click open<br />
7. Open Tab Subprocess<br />
• Select a subprocess<br />
• Click “Open”<br />
8. Open Tab Risks<br />
• Select a risk<br />
• Click “Assign Control”<br />
• Referenced control is available to<br />
select<br />
• Select referenced control<br />
• Click “Ok”, “Save” & “Save”<br />
7.2 Sign-Off<br />
Step by Step<br />
Sign-Off:<br />
The tool provides this functionality,<br />
but it is currently not used.<br />