Data analytics and continuous monitoring can help the business and also internal audit teams simplify and improve the internal control system and the audit process. Continuous monitoring increases operational efficiencies, reduces costs, and helps detecting potential fraud, errors, and abuse earlier —all while providing a higher quality internal control system.
Continuous monitoring is increasingly becoming a way for organizations to create value. The use of data analytics tools and techniques is also helping to fundamentally transform and improve audit approaches. Consider the traditional audit approach, which is based on a cyclical process that involves manually identifying control objectives, assessing, and testing controls, performing tests, and sampling only a small population to measure control effectiveness oroperational performance.
Fast forward to a continuous auditing approach using repeatable and sustainable data analytics and the approach becomes much more risk-based and comprehensive — audit at the speed of the business. With data analytics, organizations have the ability to review every transaction — not just a sampling — which enables a more efficient analysis on a greater scale.
remQ solutions offer a platform that enables business users (in finance, procurement, sales and other lines of business), and also compliance and audit teams, to automate and standardize the organization’s internal control system.
They can set up and run automated controls in SAP ERP and S/4HANA systems, work together on identified issues using the case management system, and review findings and provide prove of an effective internal control system to audit.
remQ facilitates the continuous, automated monitoring of data and processes to ensure controls in your SAP ERP or S/4HANA system are operating effectively, and to identify weaknesses or potential control deficiencies on a timely basis. In particular, you can identify suspect master data or transactions in your SAP system and prevent errors and fraud.
remQ provides monitoring controls for transactions, master data and configuration. Standard controls are delivered for the following processes/areas:
• Procure to Pay (P2P)
• Order to Cash (O2C)
• Inventory (INV)
• Asset Accounting (FIAA)
• Human Resources and Payroll (HR)
It is easy to see why automation greatly improves the internal control system while at the same time reduces the costs:
Problems implementing a continuous audit/monitoring approach are availability and quality of data, handling the data (export, transformation, load into analytics tool), effectively leverage data analytics and apply it, handling exceptions and false positives, implementing an efficient workflow to manage cases, and other. remQ is an add-on for your SAP system, it can access all data in the system, but no data leaves the system: all your SAP security mechanism are at work, and the data is protected against manipulation or data loss.
remQ is a continuous monitoring software for SAP ERP and S/4HANA, with a large library of built-in controls that helps check master data and business processes to avoid financial losses through errors and frauds. remQ can be set up in less than a day, works regardless of organization size and industry, requires no consulting project, and reduces cost of compliance through automation.
remQ - Follow the Money Compliance is an innovative solution that enables automated, continuous control of masterdata and business transactions in SAP ERP and S/4HANA. The software scans thedata and applies remQ-delivered or custom definedcontrols.
Here are a few examples of areas that are covered by the controls that are part of the remQ - Follow the Money Compliance module:
Suspicious transactions and data get flagged and an alert is created. Users (from lines of business, controlling, compliance and audit teams) can access the alerts in their remQ in box together with relevant background information. Based on the users’ authorizations they get an overview on open alerts as well as details for each alert. They can update the alert and add comments and information directly in the application. Finally, the alert is accepted or rejected, depending on the result of the investigation. All alert and case data is archived for reporting and review.
remQ also can be set up to immediately stop a transaction that looks suspicious: financial documents or business partners can be blocked, giving enough time to experts to look into the issue and resolve it.
One important application is setting up controls for Access Violation Management: the SAP authorization concept is an important piece in the SAP security concept. But access to critical functions (e.g. maintaining bank data ofvendors), or critical combinations of functions (e.g. maintaining vendor masterdata, and starting payment runs), are unavoidable, and mitigating the residual risks is crucial: thus, monitoring access with remQ reduces risks and audit findings by implementing a digital 4-eyes principal.
SAP authorization teams try to limit access to critical functions (single actions), or critical combinations of functions (Segragation-of-Duties, SoD) authorizations are preventive controls: they limit what users can do.
But usually residual risks remain: all organizations have single action risks, and cannot cover all SODs requirements through 4 eyes. remQ Access Violation management introduces a digital 4-eyes principle to mitigate the risks through advanced DID DO monitoring.
Access violations and monitoring can be defined on different levels:
Level 1: Authorizations. cando-analysis is performed based on the SAP authorizations assigned to users. Typically many results.
Level 2: Transaction codes started. Lowest level for DID DO-analysis, analysis on basis of transactions users started. This often does not take into account whether a user only displayed data or entered/changed data. Fewer results than level 1.
Level 3: Simple analysis of change logs/change documents. Getting a list of users who changed a certain document type and also changed another document type (e.g.combine analysis of changes to vendor master data and incoming invoices). Fewer results than level 2.
Level 4: Advanced DID DO-analysis for connected documents. This analysis takes into account whether the documents changed b the same user also are connected in the same business process. For example, changes to vendor master data and incoming invoices must be for the same vendor, not just vendor A and invoice from vendorB. Most specific results, only real risk transaction are detected.
remQ Access Violation Management investigates SOD violations on level 4, giving you the most accurate assessment of risk and the lowest possible false positive rate.
It also is a great mitigating control for residual access risks known in your access control tool such as SAP GRC Access Control or setQ.
Organizations are increasingly exposed to compliance requirements. Efforts to adopt innovative ways to assessand manage risk and enhance performance are critical.That’s where data analytics and continuous monitoring arehelping to simplify and improve the internal control system,increase operational efficiencies, reduce costs, and detect fraud and errors earlier. Internal controls become a way for organizations to create value.
The remQ - Payroll Compliance module is an add-on for the remQ - Follow the Money Compliance module: It adds controls to HR and payroll, focusing on employee master data and payroll.
Examples of use cases: master data, pay changes, hiring dates, unusual transactions, detecting ghost employees.
remQ - Payroll Compliance seamlessly plugs into the platform and users can add new checks, and use all the case management and reporting features.
remQ - Payroll Compliance is an add-on module and needs to be licensed separately.
Access risks such as in the SAP GRC Access Control SOD matrix can be avoided in some cases by changing SAP authorization roles, or assigning different roles to users when re-organizing work and processes. But in many cases, organizations cannot avoid to grant high risk combinations of authorizations to users, simply because there are not enough users. In that case, you find residual risks in SAP GRC Access Control and you accept them.
remQ Access Violation Management allows you to set up controls for residual risks that you have in SAP GRC, and monitor all activities related to them. You then can review activities and have a compensating control for those risks.
Otherbusiness/transactional risks can also be mitigated by automated continuous monitoring, with the option to add auto-reaction methods (such as blocking avendor or a invoice, for instance). Like this remQ covers IT and business risks and delivers actionable alerts.
Organizations that use SAP GRC Process Controls can integrate remQ with a simple to set up SAP QUERY and assign remQ transaction monitoring alerts to SAP GRC PC risks and risk owners via therisk-control-matrix, making use of type of remQ control, organizational unit/company code, etc.
Integration with SAP GRC tools and remQ Access Violation Management and transaction monitoring close the gap between SAP GRC Access Control and SAP GRC Process Control.
remQ - Follow the Money Compliance helps to prevent errors and fraud in critical business processes. It also helps to identify weak processes, such as data quality issues for important master data.
remQ’s license model is based on the size of the organization. We also offer a trial: setting up the software in your SAP ERP test system and results are available within 1 day.
Beyond direct financial returns, remQ helps detecting weaknesses in processes and improving business processes and the internal control system.
We live from satisfied customers. That’s why we are always available for our actual customers and those who think about it. Regardless whether you seek technical support or answers on complex licensing and user management issues.
Just contact us, often a quick hint is all you need. And we always enjoy to give that hint!
Wir helfen Dir gerne weiter. Kontaktiere unser Support-Team unter supq(at)voquzlabs.com oder ruf uns direkt unter einer der folgenden Nummern an.
Amerikanische Kunden: +19176364290
Alle anderen Regionen: +4989925191260