A Compliance Tool environment is where rules, each containing one or more conditions used to identify risks in a business process, are combined with the data extracted from ERP tables to produce exception reports. In a Compliance Tool framework these exceptions allow for further corrective action.
For the Compliance Tool framework to work as designed, and for management to be able to rely upon the exceptions produced from the analyses embedded in a Compliance Tool environment, the following controls need to be in place and need to be working effectively.
1. CCM Roles & Responsibilities
1.1 Control Owner (CO)
- Is there a document that clearly states who owns the control objectives?
- Is there an indication of which controls are automated and which controls are manual?
- Is there a cross-link between the control objective and the rules in the Compliance Tool?
1.2 Business Process Owner (BPO)
- Is there a document that states who owns the Business Process for each Business Unit where the Compliance Tool is implemented?
1.3 Rule Book Owner (BPO)
- Is there a document that states who owns each priority class of the Compliance tool rules?
- Is the rule ownership in the system configured to match the documentation for Rule Book Owners?
1.4 CCM Service Delivery
- Is it clear and reflected in all the E2E process documentation who is responsible for the day-to-day operation of the Compliance Tool environment?
- Is the documentation complete?
1.5 Risk Management / Compensating Controls
- Is there a formal body of qualified professionals charged with the determination of risk coverage?
- Is there a clear document that identifies the roles and responsibilities for the management (approval) of the compensating controls?
2. Rule development lifecycle
2.1 Rulebook Hierarchy
- Is there a clearly documented Compliance Tool framework which describes the rulebook hierarchy?
- Is the rule structure logically organised to match the organisation?
2.2 Environment Landscape
- Is there a separate development and test system from production?
- Is there a logical segregation of access for developers and system operations?
- Is there a documented process to migrate objects from development to production?
- Can a rule in production be back-tracked to an approval to transport it into production?
- Is there an audit report which indicates who has moved what into production?
2.3 Naming Conventions for CCM Objects
- Is it clear what the naming convention is for each of the Compliance Tool objects (Rule, Rule Book, Parameter, Parameter List, Compensating Control…)?
- Does the naming convention used in the Compliance Tool environment match the Corporate Controls definition documentation?
2.4 Rule Development Specifications
- Is there a development specification document for each rule?
- Do the development specifications have space for corresponding approvals?
- Do the development specifications contain a testing script?
- Take 10 random rules and match the development specification to the production rule.
3. Rule Change management (production updates)
3.1 E2E Process
- Is there a well defined E2E process for rule change management (production updates)?
- Does the Compliance Tool E2E change management (production updates) process include links to the Corporate IT change management system?
- Can the last 10 changes be audited by following the change management documentation?
4. Exclusion management
4.1 Compensating Controls Management
- Is there a risk assessment process to define and approve a compensating control before it is assigned?
- Is there approval documentation for each of the existing compensating controls?
- Are the compensating controls effective?
4.2 Exclusion Management Process
- Is there a clearly defined E2E process for exclusion management?
- Have all the exclusions been properly justified?
- Are all the existing exclusions associated with a compensating control?
5. Delivery services
5.1 Extraction and Analysis Schedules
- Is there a predefined schedule for data extraction from the SAP environments and for data analysis of the Compliance Tool rules, maintained in an Excel spreadsheet for each Compliance Tool environment?
- Is the schedule file kept and maintained with the technical support group to ensure that:
  - The technical support group is responsible for properly scheduling all SAP extractions
  - The technical support group is responsible for the initial creation of all the analysis jobs as per the schedule
  - The technical support group distributes the schedule to all players every time a change is complete
- Is there a process to manage permanent changes to the schedule?
- Does the schedule ensure that:
  - No more than one job is running at any given time
  - No jobs are running during the business hours of the constituents for each of the installations
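The two scheduling constraints above can be checked mechanically against the schedule file. The following is an added example, not part of the original checklist; the installation names, business-hour windows and schedule rows are constructed sample data standing in for the Excel schedule.

```python
# Added example (not part of the checklist): check a Compliance Tool schedule
# against section 5.1: no overlapping jobs, no job inside an installation's
# business hours. Installations, hours and schedule rows are constructed data.
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Job:
    name: str          # e.g. "EXTRACT_P01"
    installation: str  # SAP system the job extracts from or analyses
    start: datetime
    minutes: int       # expected run time taken from the schedule

    @property
    def end(self) -> datetime:
        return self.start + timedelta(minutes=self.minutes)

# Constructed business-hour windows per installation (local 24h clock).
BUSINESS_HOURS = {"P01": (8, 18), "P02": (9, 17)}

def overlapping(jobs):
    """Pairs of jobs whose run windows intersect (rule: one job at a time)."""
    ordered = sorted(jobs, key=lambda j: j.start)
    hits = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:
                break  # later jobs start even later, so none overlap a
            hits.append((a.name, b.name))
    return hits

def in_business_hours(job):
    """True if any minute of the run is inside the installation's business hours."""
    open_h, close_h = BUSINESS_HOURS[job.installation]
    t = job.start
    while t < job.end:
        if t.weekday() < 5 and open_h <= t.hour < close_h:
            return True
        t += timedelta(minutes=1)
    return False

def audit(jobs):
    return {"overlaps": overlapping(jobs),
            "business_hours": [j.name for j in jobs if in_business_hours(j)]}

SCHEDULE = [  # constructed: one overlap and one business-hours conflict
    Job("EXTRACT_P01", "P01", datetime(2024, 3, 4, 22, 0), 90),
    Job("ANALYSIS_P01", "P01", datetime(2024, 3, 4, 23, 0), 60),   # overlaps
    Job("EXTRACT_P02", "P02", datetime(2024, 3, 5, 1, 0), 60),
    Job("ANALYSIS_P02", "P02", datetime(2024, 3, 5, 16, 30), 45),  # in 09-17
]
```

Running `audit(SCHEDULE)` reports the extract/analysis overlap on P01 and the P02 analysis scheduled inside business hours; an empty result on the real schedule is the evidence the quarterly review in 5.4 asks for.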
5.2 Other Interfacing Systems
If the Compliance Tool is connected to an IDM environment…
- Is there a data flow document explaining the data triggers for each interface to the IDM system/s?
- Is there an E2E process document outlining roles and process flow?
- Will the provisioning process stop if Compliance Tool is not available (Synchronous)?
- What SoD rules are in use for the IDM interface? What parameter lists?
- Is it possible for the IDM provisioning process to bypass the SoD checks? Is it by design?
If the Compliance Tool is connected to a Document Management System or Controls Documentation environment…
- Is there a data flow document explaining the data triggers for each interface into the Document Management System?
- Is there an E2E process document outlining roles and process flow?
- What concrete links exist to connect the rules to the controls documentation?
- How are the documents named? Why?
- Where are the creation and modification dates of each document recorded?
5.3 System and Job Monitoring
- Is it clear from the operational documentation who is responsible for monitoring system performance indicators like disk space, memory utilisation and network connectivity?
- Is it clear from the operational documentation who will communicate and troubleshoot any issues concerning system performance?
- Does the support team have an official list of managers and end users to notify of issues concerning system availability or any other issues related to system performance?
- Is there a clear operational procedure to follow in case of extraction or analysis failure? Do the operators have the right privileges to execute it?
5.4 Quarterly Maintenance
Is there a quarterly service maintenance procedure to:
- Verify that the jobs pending in the A1 system match the names and execution times specified in the master schedule?
- Validate and update the documentation with reference to run time?
- Execute the SQL and system maintenance procedures provided by the vendor?
- Verify that all the operating system parameters and database settings are correct?
- Validate system access?
- Update and publish the KPI service reports?
- Run, evaluate and store the Quarterly Audit?