In the last post, we presented 5 critical conflicts of segregation of duties (SoD). When reading that post, some of you may have wondered how many such potential conflicts exist and if there might not be a more efficient way of auditing for such conflicts in SAP. It is the latter question that many of you will be most concerned with, especially those of you who have ever experienced the pain of performing such audits manually.
However, before we come to the number of conflicts, I would first like to explain our approach so that we can arrive at a common understanding of how actual conflicts of SoD are analyzed.
Process Mining: Everyone's talking about it
If you have taken part in one of the many conferences in our field, you will know that Process Mining has become quite a hot topic for auditing. SAP itself has even entered the fray, introducing Celonis onto the market, something which recently caused quite a bit of a furore. Celonis have also confirmed their expansion into the American market and announced that they are planning an IPO over the next few years. In addition to Celonis, however, there are a large number of other competitors on the market: MyInvenio, ProcessGold, Signavio, Fluxicon and many more, which offer pure Process Mining Tools. However, the solutions mentioned are limited to the hypothesis-free visualization of processes. Defining a questionnaire takes a long time and is usually something that you have to do by yourself. For this reason, we have pre-defined 125 audit questions relating to SAP processes from the point of view of auditing / accounting. The detection of conflicts of SoD is just one of these audit questions.
What is Process Mining really all about?
Process Mining describes a method in which processes are reconstructed and visualized using event logs. In abstract terms, an event log consists of a variety of events that are related to one another. The Star Trek fans among you will probably remember the logbook of the USS Enterprise and that’s quite a good way of thinking about it. A file with chronological events that are related to each other and can be uploaded to a Process Mining Tool. What could be easier, you might think. Unfortunately, it’s quite that straightforward. Neither the chronological order of the events nor their interconnectedness can simply be taken for granted. As a rule, the information is scattered over various database tables, as in the case of SAP, and must first be aggregated, something which can be a very complex process. It is at this point that the advantages of zapliance start to be clear to see. It is the very high degree of automation we offer that set us apart from other process mining tools. Thanks to the three-year research project “Virtual Accounting Worlds”, we know which tables are necessary to perform a given analysis and can completely and fully reconstruct all processes that have led to a posting in finance. There is no pre-defined project to determine the necessary tables and table structures. They already exist. Of course, there are also very clear restrictions. Only what is available in the SAP standard can be automated. Your special locks – as we like to call your Z-tables and Z-columns – cannot yet be audited automatically because of the poor generalizability of data structures. As with any other supplier, the auditing of your special locks is an individual project, one which we will be happy to implement together with you.
If the visualization of processes also gives rise to questions that require further professional audit or accounting expertise that goes beyond the pure optimization of processes, then such a project can quickly become a huge undertaking, which may swallow up huge sums of money and will hopefully in the end at least show processes that are transparent and provide initial results from further analyses. So, wouldn’t it be great if all your financial processes could be reconstructed automatically, at the push of a button, and without having to perform any installations in ABAP, and if professional questions relating to auditing / accounting were included in the package, all at a fixed price?
This is what we call: Financial Process Mining.
Why Financial Process Mining?
The focus is on the reconstruction of all processes that led to a posting in SAP's finance system. The underlying Financial Process Mining algorithm finds all the processes in your SAP system fully automatically by successively processing all related documents in the accounting process until the process is complete.
Documents are related when a document line item is cleared by another document. For example, the goods receipt in SAP is often cleared by the invoice, and the invoice is cleared by the corresponding initial payment. In such a case, the Financial Process Mining Algorithm jumps from the receipt of the goods received to the corresponding invoice and then to the corresponding payment. These three documents are then said to be related together in a ‘sequence’. All the sequences found will then required in what follows for analysis with indicators. For the Financial Process Mining Algorithm, the open line item accounts in SAP are thus the place where related documents really "meet". These types of accounts act as the "hubs" of a process-oriented view of your accounting processes. The original function of the Financial Process Mining Algorithm can be found in the scientific essay by Prof. Dr. Gehrke: "Basic Principles of Financial Process Mining - A Journey through Financial Data in Accounting Information Systems". It is not just all the documents in your accounting processes that are taken into account in the sequence, but the following non-accounting transactions are also included as well: purchase requisitions, purchase orders, orders, deliveries, sales documents, change documents, and master data changes. All processes are reconstructed "end-to-end".
How does Financial Process Mining help to identify conflicts of SoD?
By enriching the sequences with non-accounting business transactions, you have all data that may be relevant to an analysis of conflicts of SoD at your disposal. The transaction codes used are also found in the sequence, as they are related to the documents. Want to know which person has posted both the goods receipt (SAP transaction "MB01") and the incoming invoice (SAP transaction "MR01")? Answering these kind of questions now couldn’t be easier. An algorithm simply goes through all the sequences and checks if there are people who have executed the mentioned transaction codes within a sequence / process flow. Of course, not all false positives can be eliminated in this way, since downstream systems of control are not included in the analysis, but it is still a very powerful way of narrowing things down.
How many conflicts are automatically analyzed using the procedure?
Four out of five conflicts of SoD from the last blog post were from purchase-to-pay and only one was from the area of order-to-cash. All those who have gone through the manual procedure themselves know just how time-consuming and inefficient it is to execute the query and subsequently evaluate the results for the 5 conflicts mentioned. With the use of the Financial Process Mining Algorithm and the automation of data analysis, a much higher number of conflicts can be analyzed in a much shorter time.
Our extensive rule set for the analysis of the conflicts includes more than 50,000 transactions being potentially in conflict with another transaction. A conflict is constituted when there is a combination of at least two transaction codes that cannot be executed by a single user within a sequence. Assuming the mining algorithm has already reconstructed the process sequences, a complete analysis of conflicts for approximately 6,000,000 documents in the BKPF (accounting document header) table and 15,000,000 accounting lines in the BSEG (accounting document segment) table, will take between 3 and 5 minutes, depending on IT hardware at your disposal. The two tables are the focal point of SAP Financial Accounting and are therefore a good benchmark for analysis in SAP FI. Of course, the rules do not just analyze the two tables BKPF and BSEG, but they provide a very good illustration of what the analysis can do.
Today, business processes are mostly reflected in ERP systems. This makes data analyses more relevant to the auditor than ever before. Sample analyses and interviews are history; digitization is now what everyone is talking about for the future.
But how is it done, you may ask? Especially for those having little or no experience in data analysis? We have made it our mission to address precisely these kind of concerns and have developed zap Audit as an out-of-the-box solution, which can be used independent of your level of experience in data analysis. So do not hesitate to get in touch with us below.