Data analytics and continuous monitoring can help the business and internal audit teams simplify and improve the internal control system and audit process. Continuous monitoring increases operational efficiencies, reduces costs, and helps detect potential fraud, errors, and abuse earlier - all while providing a higher-quality internal control system.
Continuous monitoring is increasingly becoming a way for organizations to create value. The use of data analytics tools and techniques is also helping to fundamentally transform and improve audit approaches. Consider the traditional audit approach, which is based on a cyclical process that involves manually identifying control objectives, assessing and testing controls, performing tests, and sampling only a small population to measure control effectiveness or operational performance.
Fast forward to a continuous auditing approach using repeatable and sustainable data analytics, and the approach becomes much more risk-based and comprehensive; audit at the speed of the business. With data analytics, organizations have the ability to review every transaction - not just a sampling - which enables a more efficient analysis on a larger scale.
remQ solutions offer a platform that enables business users (in finance, procurement, sales, and other lines of business), as well as compliance and audit teams, to automate and standardize the organization’s internal control system.
They can set up and run automated controls in SAP ERP and S/4HANA systems, work together on identified issues using the case management system, review findings, and provide proof of an effective internal control system to auditors.
remQ facilitates the continuous, automated monitoring of data and processes to ensure controls in your SAP ERP or S/4HANA system are operating effectively and to identify weaknesses or potential control deficiencies on a timely basis. In particular, you can identify suspect master data or transactions in your SAP system and prevent errors and fraud.
remQ provides monitoring controls for transactions, master data and configuration. Standard controls are delivered for the following processes/areas:
It is easy to see why automation greatly improves the internal control system while at the same time reducing the costs:
Problems in implementing a continuous audit/monitoring approach include the availability and quality of data, handling the data (export, transformation, load into an analytics tool), effectively leveraging and applying data analytics, handling exceptions and false positives, and implementing an efficient workflow to manage cases. remQ is an add-on for your SAP system: it can access all data in the system, but no data leaves the system. All your SAP security mechanisms remain in effect, and the data is protected against manipulation or data loss.
remQ – Business Inspector for SAP Software offers Business Transaction Monitoring and auditing software with built-in expert know-how.
remQ - Follow the Money Compliance is an innovative solution that enables automated, continuous control of master data and business transactions in SAP ERP and S/4HANA. The software scans the data and applies remQ-delivered or custom defined controls.
Here are a few examples of areas that are covered by the controls that are part of the remQ - Follow the Money Compliance module:
Suspicious transactions and data get flagged and an alert is created. Users (from lines of business, controlling, compliance and audit teams) can access the alerts in their remQ inbox together with relevant background information. Based on the users’ authorizations they get an overview of open alerts as well as details for each alert. They can update the alert and add comments and information directly to the application. Finally, the alert is accepted or rejected, depending on the result of the investigation. All alert and case data is archived for reporting and review.
remQ also can be set up to immediately stop a transaction that looks suspicious: financial documents or business partners can be blocked, giving enough time to experts to look into the issue and resolve it.
One important application is setting up controls for Access Violation Management. The SAP authorization concept is an important piece of the SAP security concept, but access to critical functions (e.g. maintaining bank data of vendors) or critical combinations of functions (e.g. maintaining vendor master data and starting payment runs) is unavoidable, and mitigating the residual risks is crucial. Monitoring access with remQ reduces risks and audit findings by implementing a digital 4-eyes principle.
SAP authorization teams try to limit access to critical functions (single actions) or critical combinations of functions (segregation of duties, SoD). Authorizations are preventive controls: they limit what users can do.
But usually, residual risks remain: all organizations have single-action risks and cannot cover all SoD requirements through 4 eyes. remQ Access Violation Management introduces a digital 4-eyes principle to mitigate the risks through advanced DID DO monitoring.
Access violations and monitoring can be defined on different levels:
Level 1: Authorizations. CAN DO analysis is performed based on the SAP authorizations assigned to users. Typically many results.
Level 2: Transaction codes started. The lowest level for DID DO analysis, based on the transactions users started. This often does not take into account whether a user only displayed data or entered/changed data. Fewer results than level 1.
Level 3: Simple analysis of change logs/change documents. Getting a list of users who changed a certain document type and also changed another document type (e.g. combined analysis of changes to vendor master data and incoming invoices). Fewer results than level 2.
Level 4: Advanced DID DO analysis for connected documents. This analysis takes into account whether the documents changed by the same user are also connected in the same business process. For example, changes to vendor master data and incoming invoices must be for the same vendor, not just vendor A and an invoice from vendor B. Most specific results; only real-risk transactions are detected.
remQ Access Violation Management investigates SOD violations on level 4, giving you the most accurate assessment of risk and the lowest possible false positive rate.
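The difference between level 3 and level 4 can be shown on a small event list. This is an added example, not remQ code: the event records, field names and document ids are constructed, and a real analysis would read SAP change documents instead.

```python
from collections import defaultdict

# Constructed sample events (not real SAP change documents). Field names are
# hypothetical: user, kind (vendor master change or invoice entry), vendor, doc.
EVENTS = [
    {"user": "ALICE", "kind": "VENDOR_MASTER", "vendor": "V100", "doc": "CD-0001"},
    {"user": "ALICE", "kind": "INVOICE",       "vendor": "V200", "doc": "IV-0001"},
    {"user": "BOB",   "kind": "VENDOR_MASTER", "vendor": "V300", "doc": "CD-0002"},
    {"user": "BOB",   "kind": "INVOICE",       "vendor": "V300", "doc": "IV-0002"},
    {"user": "CAROL", "kind": "INVOICE",       "vendor": "V100", "doc": "IV-0003"},
]

def index_events(events):
    """Group document ids by user, then kind, then vendor."""
    idx = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for e in events:
        idx[e["user"]][e["kind"]][e["vendor"]].append(e["doc"])
    return idx

def level3_hits(events):
    """Level 3: users who touched both document types, vendor ignored."""
    idx = index_events(events)
    return sorted(user for user, kinds in idx.items()
                  if kinds.get("VENDOR_MASTER") and kinds.get("INVOICE"))

def level4_hits(events):
    """Level 4: same user changed vendor master data AND entered an
    invoice for the same vendor (connected documents)."""
    idx = index_events(events)
    hits = []
    for user, kinds in idx.items():
        masters = kinds.get("VENDOR_MASTER", {})
        invoices = kinds.get("INVOICE", {})
        # Only vendors present on both sides form a real SoD violation.
        for vendor in masters.keys() & invoices.keys():
            hits.append({"user": user, "vendor": vendor,
                         "master_changes": masters[vendor],
                         "invoices": invoices[vendor]})
    return sorted(hits, key=lambda h: (h["user"], h["vendor"]))

if __name__ == "__main__":
    print("Level 3 users:", level3_hits(EVENTS))
    for hit in level4_hits(EVENTS):
        print("Level 4 violation:", hit)
```

On the sample data, level 3 flags both ALICE and BOB, while level 4 keeps only BOB, whose vendor master change and invoice concern the same vendor.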
It also is a great mitigating control for residual access risks known in your access control tool such as SAP GRC Access Control or setQ.
The remQ - Payroll Compliance module is an add-on for the remQ - Follow the Money Compliance module: It adds controls to HR and payroll, focusing on employee master data and payroll.
Examples of use cases: master data, pay changes, hiring dates, unusual transactions, and detecting ghost employees.
remQ - Payroll Compliance seamlessly plugs into the platform and users can add new checks, and use all the case management and reporting features.
remQ - Payroll Compliance is an add-on module and needs to be licensed separately.
Access risks such as in the SAP GRC Access Control SOD matrix can be avoided in some cases by changing SAP authorization roles, or assigning different roles to users when re-organizing work and processes. But in many cases, organizations cannot avoid granting high-risk combinations of authorizations to users, simply because there are not enough users. In that case, you find residual risks in SAP GRC Access Control and you accept them.
remQ Access Violation Management allows you to set up controls for residual risks that you have in SAP GRC, and monitor all activities related to them. You can then review activities and have a compensating control for those risks.
Other business/transactional risks can also be mitigated by automated continuous monitoring, with the option to add auto-reaction methods (such as blocking a vendor or an invoice). In this way, remQ covers IT and business risks and delivers actionable alerts.
Organizations that use SAP GRC Process Controls can integrate remQ with a simple-to-set-up SAP QUERY and assign remQ transaction monitoring alerts to SAP GRC PC risks and risk owners via the risk-control matrix, making use of the type of remQ control, organizational unit/company code, etc.
Integration with SAP GRC tools and remQ Access Violation Management and transaction monitoring close the gap between SAP GRC Access Control and SAP GRC Process Control.
remQ - Follow the Money Compliance helps to prevent errors and fraud in critical business processes. It also helps to identify weak processes, such as data quality issues for important master data.
remQ’s license model is based on the size of the organization. We also offer a trial: the software is set up in your SAP ERP test system, and results are available within 1 day.
Beyond direct financial returns, remQ helps detect weaknesses in processes and improve business processes and the internal control system.