2. Are there any predefined controls?

Yes, IC is delivered with a control library of around 150 predefined controls supporting Finance, Procure to Pay, Order to Cash, HR & Payroll, Basis & Security and more. The Control Library is extended on an ongoing basis, and we encourage customers of CN Internal Control to share controls in the hope of generating a sharing control community supporting among CN Internal Control customers.

3. What does it take to install Internal Control?

Basically, it is very easy to install CN Internal Control. The ComplianceNow add-on needs to be installed on your SAP system as well as the application server (webserver) need to be set up. You can choose to have the webserver hosted by ComplianceNow. This way the CN team will take care of all related to the webserver. If you choose to self-host, you will need some knowledge about Apache, php and MySQL. We will naturally support you in the process as standard of our fixed priced installation package. Expect that installation to have a duration of 2-3 days.  

If you want to learn more about our installation process, please book us for a 30 minutes “Pre-installation” meeting. Here we will cover the ComplianceNow architecture and go over the steps of installation.  

4. Can I upload my external auditors control library?

Of course! You can easily upload new controls, maintain existing or extend the control library by defining your own controls. From the up- and download centre of CN Internal Control you can use the Excel template to document all controls and upload these in one simple action.

5. Can I assign the control to multiple departments, areas, countries etc.?

The controls can be configured to support the exact needs of your organisation. Around 30 fields can be modified on the individual control, with some of the key fields being Control Executer, Frequency, Due Date, Compliance Manager and Approver. If you choose to derive a control to e.g. France, Germany and the UK a specific field will apply for the individual derived controls to specify unique characteristics, actions or other information for, in this case, the country.

6. Can IC deliver email reminders?

If a task is overdue, an e-mail-reminder is generated and sent to the responsible person, the deputy and/ or superior. E-mail reminders is an important function in a control process, but we must be careful not to overdo the information level. Therefore, you can specify the level of reminders for both Executers, Approvers and Compliance Managers if and how often they should receive a notification email.

7. Can I get an overview of the open controls?

The easy-to-access information and overview from the Control Dashboard will support the team working with controls. Different Dashboard views support each step of the control process, delivering insights into overdue controls, findings, and other key control indicators. From all Dashboard views you can download more details into an Excel file.

8. Can the controls be linked to the overall company risks?

In the Enterprise Risk Management module (ERM) you can define your overall enterprise risks. The key logic of ERM is that you link the operational control specified in the Control Library to the overall risk defined in the ERM. Each enterprise risk is measured in levels of severity and likelihood delivering important input to the Risk Map with a real-time update if the company has mitigated the defined risk.  

The ERM and the Risk Map will keep you updated of the present status and to what extent severe risks with a high likeliness are not mitigated by the appointed controls. To quickly react to gaps in the control process you can drill down directly from the ERM to the individual control template, identifying individuals responsible for executing and approving the controls. 

9. Why is IC running in SAP and not as a SharePoint solution?

ComplianceNow is an SAP Certified Suite of multiple compliance add-on components supporting the company’s operation of Compliance. The control process is critical and sensitive data and information needs to be processed and stored. SAP is a solid and proven platform to run the process and trust storing the data. Furthermore, by using SAP’s authorization and user management concept we can rely on a well-defined concept and with little effort setting up control users and workflow.

10. Why should I implement an internal control system? What do I have to consider?

Companies with unmatured or no controls process often have a perception of no risks and/or no unmitigated risks. By investing in a control process/system the company will unlock and get documented the risks having potential operational, financial, or reputational damage to the company. Implementing a system-based control process will support driving and maturing the entire control process. Furthermore, it will increase the transparency and drive a reporting and information level throughout the year moving toward the auditor’s arrival. Learn more about the basics of internal controls in our expert interview with PwC:  Basics of internal control – Audience at the Auditor – ComplianceNow

Yes, we know that this was supposed to be a Top 10. Though, we chose to add two more bonus questions we also feel could be relevant information for you.

11. Does your tool support Three Lines Model?

Yes, CN Internal Control support the Three Lines Model. Governing Body – CN Internal Control (IC) will provide a framework and a process delivering accountability to stakeholders throughout the organisation. Management – IC has defined process and roles for provision of control operation reporting back to the Governing Body. Internal Audit – can independently follow the process, status and level of documentation interacting and aligning with the Management.

12. How does the tool support audit logs and general documentation?

CN Internal Control logs all changes to the Control Library. This regardless of if the controls are changed directly or indirectly through uploads. Furthermore, a control already circled for control will not be changed despite an adjustment to the master template. As goes for the control being circulated IC has a log capturing all documentation, comments and uploaded files.

.