Top 10 Q/A: Internal Control
As our newest tool in the CN Suite, Internal Control is an SAP-integrated framework supporting the documentation and execution of your company’s controls. We are continuously developing it, and the feedback we have received from our many customers has been invaluable in building the most efficient tool and helping our customers move from today’s manually handled control environment to an automated one. We have collected 10 of the most common and relevant questions regarding Internal Control and crafted this blog post so you can learn about the more technical functions of IC.
1. How does the workflow work?
The workflow is predefined between the following roles in CN Internal Control: Executer, Approver and Compliance Manager. The individual control persons are allocated by specifying their email addresses. The notification email can be configured to support your needs. You can also add additional persons for each role and define a substitute who will cover in case of absence. Along with the notification email, the tasks are allocated to each person’s workspace in SAP. The workspaces for the Executer, Approver and Compliance Manager will also be available as a Fiori in the Launchpad.
2. Are there any predefined controls?
Yes, IC is delivered with a control library of around 150 predefined controls supporting Finance, Procure to Pay, Order to Cash, HR & Payroll, Basis & Security and more. The Control Library is extended on an ongoing basis, and we encourage customers of CN Internal Control to share controls in the hope of building a control-sharing community among CN Internal Control customers.
3. What does it take to install Internal Control?
Basically, it is very easy to install CN Internal Control. The ComplianceNow add-on needs to be installed on your SAP system, and the application server (webserver) needs to be set up. You can choose to have the webserver hosted by ComplianceNow. This way the CN team will take care of everything related to the webserver. If you choose to self-host, you will need some knowledge of Apache, PHP and MySQL. We will naturally support you in the process as a standard part of our fixed-price installation package. Expect the installation to take 2-3 days.
If you want to learn more about our installation process, please book us for a 30-minute “Pre-installation” meeting. Here we will cover the ComplianceNow architecture and go over the steps of installation.
4. Can I upload my external auditor’s control library?
Of course! You can easily upload new controls, maintain existing ones or extend the control library by defining your own controls. From the up- and download centre of CN Internal Control you can use the Excel template to document all controls and upload them in one simple action.
5. Can I assign the control to multiple departments, areas, countries etc.?
The controls can be configured to support the exact needs of your organisation. Around 30 fields can be modified on the individual control, with some of the key fields being Control Executer, Frequency, Due Date, Compliance Manager and Approver. If you choose to derive a control to, e.g., France, Germany and the UK, a specific field will apply to the individual derived controls to specify unique characteristics, actions or other information for, in this case, the country.
6. Can IC deliver email reminders?
If a task is overdue, an e-mail reminder is generated and sent to the responsible person, the deputy and/or superior. E-mail reminders are an important function in a control process, but we must be careful not to overdo the information level. Therefore, you can specify the level of reminders for Executers, Approvers and Compliance Managers: whether and how often they should receive a notification email.
7. Can I get an overview of the open controls?
The easy-to-access information and overview from the Control Dashboard will support the team working with controls. Different Dashboard views support each step of the control process, delivering insights into overdue controls, findings, and other key control indicators. From all Dashboard views you can download more details into an Excel file.
8. Can the controls be linked to the overall company risks?
In the Enterprise Risk Management module (ERM) you can define your overall enterprise risks. The key logic of ERM is that you link the operational control specified in the Control Library to the overall risk defined in the ERM. Each enterprise risk is measured in levels of severity and likelihood, delivering important input to the Risk Map with a real-time update on whether the company has mitigated the defined risk.
The ERM and the Risk Map will keep you updated on the present status and to what extent severe risks with a high likelihood are not mitigated by the appointed controls. To react quickly to gaps in the control process you can drill down directly from the ERM to the individual control template, identifying the individuals responsible for executing and approving the controls.
9. Why is IC running in SAP and not as a SharePoint solution?
ComplianceNow is an SAP Certified Suite of multiple compliance add-on components supporting the company’s operation of Compliance. The control process is critical, and sensitive data and information need to be processed and stored. SAP is a solid and proven platform on which to run the process and one you can trust to store the data. Furthermore, by using SAP’s authorization and user management concept we can rely on a well-defined concept and set up control users and workflow with little effort.
10. Why should I implement an internal control system? What do I have to consider?
Companies with an immature control process, or none at all, often have a perception of no risks and/or no unmitigated risks. By investing in a control process/system the company will uncover and document the risks that could cause operational, financial, or reputational damage to the company. Implementing a system-based control process will support driving and maturing the entire control process. Furthermore, it will increase transparency and raise the level of reporting and information throughout the year leading up to the auditor’s arrival. Learn more about the basics of internal controls in our expert interview with PwC: Basics of internal control – Audience at the Auditor – ComplianceNow
Yes, we know that this was supposed to be a Top 10. However, we chose to add two bonus questions that we feel could also be relevant for you.
11. Does your tool support the Three Lines Model?
Yes, CN Internal Control supports the Three Lines Model. Governing Body – CN Internal Control (IC) will provide a framework and a process delivering accountability to stakeholders throughout the organisation. Management – IC has a defined process and roles for providing control operation reporting back to the Governing Body. Internal Audit – can independently follow the process, status and level of documentation, interacting and aligning with the Management.
12. How does the tool support audit logs and general documentation?
CN Internal Control logs all changes to the Control Library. This applies regardless of whether the controls are changed directly or indirectly through uploads. Furthermore, a control already circulated for control will not be changed despite an adjustment to the master template. For the control being circulated, IC has a log capturing all documentation, comments and uploaded files.
Interested in learning more?
We always look forward to presenting Internal Control to current customers, possible new customers, partners and our network. So, if you want to learn more, have questions or would like to see a live demo of CN Internal Control, please contact us.