Procure to Pay Process Controls Governance Risk and Compliance V1.53 (CN) SAP Best Practices


Procure to Pay Process Controls

Governance, Risk and Compliance V1.53 (CN)

SAP Best Practices

© SAP 2008 / SAP Best Practices

Scenario Overview 1

Prerequisite: A compliance structure under the C-SOX regulation has been set up for P2P processes (Organization, Process, Sub-process, Control). Scoping has been done to identify the significant accounts. Compliance assessment should be implemented for the significant sub-processes in P2P management.

Business relevance: Significant control points should be monitored this year in P2P (from Purchase Requisition, Purchase Order, PO Release, Goods Movement, Physical Inventory until Account Payment).

Compliance testing plan:

Manual: Material Price Control updating and Stock-taking Mechanism and Process

Automatic: Overpaid Purchase Order Management

Semi-Automatic: Purchase Order Approval Strategies


Scenario Overview 2

Purpose and Benefits

Purpose: Process Controls in Procure to Pay are used to describe the lifecycle of compliance assessments in Procure to Pay business processes. Compliance testing can be implemented manually, or via automatic control or semi-automatic control. You can test control design, or detect business violations by monitoring underlying transactions in ERP systems.

Benefits: Highlight key points in compliance testing in the Procure to Pay business process. The procedures can be reused in continuous monitoring and control in purchase and inventory operations.


Scenario Overview 3

SAP Applications Required

Required: SAP GRC PC3.0, SAP ECC 6.0 EhP3

Company Roles Involved in Process Flows

System Roles: Planner, Process Tester, Control Owner, Issue Owner, Remediation Plan Owner

Company Roles: Internal Control Manager, Internal Control Specialist, Purchase Manager, Warehouse Manager, Purchase Clerk, Warehouse Clerk, Payment Clerk

Key Process Flows Covered

Compliance testing plan: Manual Test; Auto Test; Semi-auto Test.
Issue validation (issue owner) and issue remediation plan proposal.
Remediation plan detailed (process control owner).
Remediation plan review and issue close (issue owner).


Scenario Overview 4

Detailed Process Description

Purpose:

Identify the valuation impact of changes to the price control of materials, based upon established threshold values.
Identify significant stock-taking gains and losses.
Disbursements are accurately calculated and recorded, and are only made for goods and services received.
Purchase orders are placed for approved requisitions and are approved by the correct release procedure.

Benefits:

Valid material price control has a significant effect on the material price and matches the nature of the business.
PI transactions are made in accordance with management's intentions, resulting in inventory adjustments.
Defend against invoice overpayments.
Defend against changes to a release strategy that are not made in accordance with management's intentions, which could allow an unauthorized requisition item to be released for the issue of a purchase order.


Process Flow Diagram 1/4: Process Controls in Procure to Pay with Manual Test Plan (Material Price Control updating)

[Flow diagram: Compliance Manual Test Plan]

Role bands: Event, Planner, P2P Process Control Owner, Issue Owner, Remediation Plan Owner

Steps and decisions shown in the diagram:

Set up and schedule manual test plan with activity “Test Control Effectiveness”
Follow the steps in the manual test plan to perform the manual test of effectiveness
Get task in control owner’s Work inbox
Check the issue
Valid issue? (Yes / No)
Propose the remediation plan; delegate a plan owner
The test has passed
Get task in issue owner’s Work inbox
Need remediation plan? (Yes / No)
Close issue with comment but without remediation plan
Enter details for remediation plan; submit remediation plan for review and completeness
Receive email in remediation plan owner’s Work inbox
Validate remediation plan? (Yes / No)
Close remediation plan


Process Flow Diagram 2/4: Process Controls in Procure to Pay with Manual Test Plan (Stock-taking Mechanism and Process)

[Flow diagram: Compliance Manual Test Plan]

Role bands: Event, Planner, P2P Process Control Owner, Issue Owner, Remediation Plan Owner

Steps and decisions shown in the diagram:

Set up and schedule manual test plan with activity “Test Control Effectiveness”
Follow the steps in the manual test plan to perform the manual test of effectiveness
Get task in control owner’s Work inbox
Check the issue
Valid issue? (Yes / No)
Propose the remediation plan; delegate a plan owner
The test has passed
Get task in issue owner’s Work inbox
Need remediation plan? (Yes / No)
Close issue with comment but without remediation plan
Enter details for remediation plan; submit remediation plan for review and completeness
Receive email in remediation plan owner’s Work inbox
Validate remediation plan? (Yes / No)
Close remediation plan


Process Flow Diagram 3/4: Process Controls in Procure to Pay with Auto-control Test Plan (Overpaid Purchase Order Management)

[Flow diagram: Compliance Automatic Test Plan]

Role bands: Event, Planner, P2P Process Control Owner, Issue Owner, Remediation Plan Owner, PC Auto-control

Steps and decisions shown in the diagram:

Set up and schedule automatic test
Start date reached? (Yes / No)
Monitor Job
Pass? (Yes / No)
The test has passed
Check the issue
Propose the remediation plan; delegate a plan owner
Get task in issue owner’s Work inbox
Need remediation plan? (Yes / No)
Close issue with comment but without remediation plan
Enter details for remediation plan; submit remediation plan for review and completeness
Receive email in remediation plan owner’s Work inbox
Validate remediation plan? (Yes / No)
Close remediation plan


Process Flow Diagram 4/4: Process Controls with Semi-Auto Control Test Plan (Purchase Order Approval Strategies)

[Flow diagram: Compliance Automatic Test Plan]

Role bands: Event, Process Tester, Issue Owner, Planner, Remediation Plan Owner

Steps and decisions shown in the diagram:

Set up and schedule manual test plan with activity “Test Control Effectiveness”
Check issue
Get task in Work inbox
The test has passed
No remediation plan; close the issue and add a comment
Void the issue
Check the issue
Valid issue? (Yes / No)
Submit the issue
Propose the remediation plan; delegate a plan owner
Need remediation plan? (Yes / No)
Close issue with comment but without remediation plan
Validate remediation plan? (Yes / No)
Close remediation plan
Receive email in remediation plan owner’s Work inbox
Enter details for remediation plan; submit remediation plan for review and completeness
Get task in issue owner’s Work inbox


Legend

Each entry gives the symbol, its description, and its usage comments.

Band (symbol label: <Function>)
Description: Identifies a user role, such as Accounts Payable Clerk or Sales Representative. This band can also identify an organization unit or group, rather than a specific role. The other process flow symbols in this table go into these rows. You have as many rows as required to cover all of the roles in the scenario.
Usage comments: Role band contains tasks common to that role.

External Events (symbol label: External to SAP)
Description: Contains events that start or end the scenario, or influence the course of events in the scenario.

Flow line (solid) / Flow line (dashed)
Description: A solid line indicates the normal sequence of steps and direction of flow in the scenario. A dashed line indicates flow to infrequently-used or conditional tasks in a scenario. A line can also lead to documents involved in the process flow.
Usage comments: Connects two tasks in a scenario process or a non-step event.

Business Activity / Event
Description: Identifies an action that either leads into or out of the scenario, or an outside process that happens during the scenario.
Usage comments: Does not correspond to a task step in the document.

Unit Process
Description: Identifies a task that is covered in a step-by-step manner in the scenario.
Usage comments: Corresponds to a task step in the document.

Process Reference
Description: If the scenario references another scenario in total, put the scenario number and name here.
Usage comments: Corresponds to a task step in the document.

Sub-Process Reference
Description: If the scenario references another scenario in part, put the scenario number, name, and the step numbers from that scenario here.
Usage comments: Corresponds to a task step in the document.

Process Decision
Description: Identifies a decision / branching point, signifying a choice to be made by the end user. Lines represent different choices emerging from different parts of the diamond.
Usage comments: Does not usually correspond to a task step in the document; reflects a choice to be made after step execution.

To next / From last Diagram (symbol label: Diagram Connection)
Description: Leads to the next / previous page of the diagram.
Usage comments: Flow chart continues on the next / previous page.

Hardcopy / Document
Description: Identifies a printed document, report, or form.
Usage comments: Does not correspond to a task step in a document; instead, it is used to reflect a document generated by a task step; this shape does not have any outgoing flow lines.

Financial Actuals
Description: Indicates a financial posting document.
Usage comments: Does not correspond to a task step in a document; instead, it is used to reflect a document generated by a task step; this shape does not have any outgoing flow lines.

Budget Planning
Description: Indicates a budget planning document.
Usage comments: Does not correspond to a task step in a document; instead, it is used to reflect a document generated by a task step; this shape does not have any outgoing flow lines.

Manual Process
Description: Covers a task that is manually done.
Usage comments: Does not generally correspond to a task step in a document; instead, it is used to reflect a task that is manually performed, such as unloading a truck in the warehouse, which affects the process flow.

Existing Version / Data
Description: This block covers data that feeds in from an external process.
Usage comments: Does not generally correspond to a task step in a document; instead, this shape reflects data coming from an external source; this step does not have any incoming flow lines.

System Pass / Fail Decision
Description: This block covers an automatic decision made by the software.
Usage comments: Does not generally correspond to a task step in the document; instead, it is used to reflect an automatic decision by the system that is made after a step has been executed.


© 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.