United Utilities is reducing the risk of compliance failures or fraud with a continuous controls monitoring system built on SAP Process Control.
The Northern English water firm has completed an SAP Process Control project to automate manual controls, such as employee access, to mitigate risk within the firm.
Following a substantial SAP refresh in 2013, in which all back-office systems were upgraded, the utility created an SAP centre of excellence to maximise its investment. As part of this, the GRC team was tasked with moving the traditionally manual governance, risk and compliance (GRC) function to an automated one, using the SAP Process Control tool as the repository for risk and control data.
The GRC team monitors business processes such as the three-way match for the supply chain, access to sensitive data for the BACS payments process, financial period open and close, and HR's payroll and wage data.
The project took four months and was delivered "under budget", Vicky Howarth, SAP GRC manager for United Utilities, said during the SAP Insider conference in Nice.
Continuous control testing enables United Utilities to reduce effort and time, improve control testing, provide centralised visibility across the firm and spot inefficient existing controls. Crucially, it is hoped it will identify "potential gaps in the control framework, thus reducing the overall risk of compliance failures or fraud."
Continuous control monitoring won instant appreciation from business users who had never used GRC before, Howarth added.
She said: "Business process owners that would receive alerts [about potential risks, by email] would not have used GRC. Its selling point was that it could, once it had captured information on the majority of their controls, reduce the internal and external audits necessary in the future.
"It also became a test ground for external and internal audits. Now the data can be collected to create an audit trail, so that GRC can be relied upon as an audit tool.
"Business process owners are now coming and asking for more automation of their controls, and driving us to implement more rather than the other way round."
The GRC team monitors 7,000 users and 800 controls. It has deployed continuous control monitoring for its 14 business process owners and 85 key controls, which include granting certain employees access dependent on their risk or role, as well as anti-fraud measures on the IT systems' data. It plans to extend the solution to the wider business.
7 key lessons learned from United Utilities' SAP Process Control project
1. Ensure your master data is up to date before you start.
2. Involve business end users at every stage.
3. Make sure you have activated table logging.
4. Think about how long you schedule your jobs to run for, as once a job is running you can't change its business rule.
5. Create robust training documentation.
6. Be creative with your business rules: what you set up could help you do your job.
7. Understand what the business-as-usual (BAU) tasks will be post-implementation, and who will do what.