Process Control

Administration Guide | PUBLIC
2021-02-08
SAP Process Control

© 2021 SAP SE or an SAP affiliate company. All rights reserved.
THE BEST RUN

Content
1 Introduction to SAP Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 What's New in SAP Process Control 12.0 SP10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 What's New History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.1 What's New in SAP Process Control 12.0 SP09. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.5 What's New in SAP Process Control 12.0 SP05. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
3.11 What's New in SAP Process Control for SAP S/4HANA 10.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4 Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.1 Integration of Shared Data (Data Model). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 Integration with Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.3 Integration with Risk Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Risk Harmonization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.4 Integration of Continuous Controls Monitoring with SAP S/4HANA Cloud. . . . . . . . . . . . . . . . . . . . 27
5 Key Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.1 Master Data Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Master Data Change Workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
5.2 Navigating Compliance Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
5.3 Standard Roles and Authorization Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
5.4 Top-Down, Risk-Based Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.5 Workflows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Performing Automated Testing and Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Performing Evaluations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Performing Manual Tests of Effectiveness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Remediating Evaluation Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Remediating CAPA Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Using Flexible Workflows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Using SAP Interactive Forms by Adobe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
SAP Process Control

2 PUBLIC Content
Complete Sign-off. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
5.6 Multiple-Compliance Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.7 Continuous Monitoring Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
5.8 Operational Data Provisioning in PC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
CDF Support in ODP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Search and Analytic Models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6 Work Centers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

6.1 My Home. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Work Inbox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Ad Hoc Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
My Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Embedded Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
My Delegation Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Additional User Experience Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
6.2 Master Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Organizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Regulations and Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Activities and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Risks and Responses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Reports (Master Data). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
6.3 Rule Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Continuous Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Scheduling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Legacy Automated Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Reports (Rule Setup). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
6.4 Assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Surveys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Manual Test Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Assessment Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Planner Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Sign-Off Monitor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Reports (Assessments). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
6.5 Access Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
GRC Role Assignments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
6.6 Reports and Analytics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
7 Enterprise Services in SAP Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
SAP Process Control

Content PUBLIC 3
7.1 Policy Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
7.2 Issue Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Ad Hoc Issue. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
8 Archiving in SAP Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
SAP Process Control

4 PUBLIC Content
1 Introduction to SAP Process Control
SAP Process Control is an enterprise software solution for compliance and policy management. The
compliance management capabilities enable organizations to manage and monitor their internal control
environments. This provides the ability to proactively remediate any identified issues, and then certify and
report on the overall state of the corresponding compliance activities.
The policy management capabilities support the management of the overall policy lifecycle, including the
distribution and attestation of policies by target groups.
These combined capabilities help reduce the cost of compliance and improve management transparency and
confidence in overall compliance management processes.
Key Capabilities
Unified repository for compliance, control, and policy information
● Ensure cross-function standardization and drive consistency across your organization

● Manage multiple regulatory policies and compliance procedures with a single solution
● Optimize the planning of control assessment and testing activities
Embedded controls to strengthen business processes
● Align internal controls and policies with business objectives and risks
● Monitor key business processes like reconcile-to-report, order-to-cash, procure-to-pay, IT, and more
● Leverage the power and speed of SAP HANA to monitor high volume of transactions in key S/4 HANA
business processes in real time
Improved compliance and control processes at optimal cost
● Perform comprehensive online and offline control evaluations with flexible workflows and configurable
forms
● Manage the complete policy lifecycle with collaborative tools and surveys
● Streamline issue management and certifications with best practice workflows (ex. CAPA integrated with
audit management)
SAP Process Control

Introduction to SAP Process Control PUBLIC 5
2 What's New in SAP Process Control 12.0
SP10
Technical Data
Product Version 12.0 Support Package 10
Area SAP Process Control
Country Relevance Valid for all countries
New and Enhanced Features
Planner
● Checks and warnings are implemented to make sure that there are always objects selected in plan
activities and every object has recipients. For more information, please refer to the SAP note 2930229
● An occurrence of a recurring manual control performance plan is named in the pattern "Plan name_Control
Name_Frequency_ Occurrence Timeframe" so that the occurrences of the same plan can be easily
differentiated.
More Information
For more information, see the application help for SAP Process Control at http://help.sap.com/pc .
SAP Process Control

6 PUBLIC What's New in SAP Process Control 12.0 SP10
3 What's New History
Related Information
What's New in SAP Process Control 12.0 SP09 [page 7]

What's New in SAP Process Control for SAP S/4HANA 10.1 [page 17]
3.1 What's New in SAP Process Control 12.0 SP09
Technical Data
Continuous Control Monitoring

You can adjust the schedule of the CCM jobs to make sure they will not fail due to the downtime of the target
systems. For more information, please refer to the SAP note 2889719 .
SAP Process Control

What's New History PUBLIC 7
Configurable Notification Templates
You can configure the fields available for notification templates depending on the plan activities. For more
information, please refer to the SAP note 2899780 .
More Information
Technical Data
● New Fiori app Complete Sign-off is available that provides better use experience in performing sign-off
tasks.
Compared to the old UI where you have to complete one step before you can go on to the next, the Fiori
App is an one-click-through design, where all the steps are displayed on one screen and you can scroll up
and down to whichever step you like.
For more information, please see Complete Sign-off [page 70]
● In downloaded reporting worksheets, the selection and filter criteria for the report is hidden so as to
provide a clear view for you to read.
More Information
SAP Process Control

8 PUBLIC What's New History
Technical Data
● With the newly-added standard reporting Central Business Process Use List, you are able to see a complete
list of the local objects that reference a central object, for example, the organizations that reference a
particular central control.
● More variables such as ISSUE_NAME, OBJECT_TYPE, OBJECT_NAME and DUE_DATE are now available for
Ad Hoc Issue initial notification template, making the notifications more informative.
More Information
Technical Data
SAP Process Control

● When checking Monitor Issue Status reports, you can know which organization, if any, an issue concerns,
according to the issue list or issue details, which now present the organization names.
● Now you can decide whether to limit the number of query entries shown in the Query Center Ad Hoc
Query Result to 500. If you want to remove the limitation, set the indicator LIMIT_QUERY_CNT_ROWS in
the view V_GRPCCUST1 to false.
More Information
Technical Data
● A new option Display technical name of column is available for reporting, which enables the Field ID of each
column, as are defined in the Customizing activity Maintain Report Configuration Report Column ,
to be displayed in your report.
● Configurable Notification is available for Automated Monitoring and Disclosure Survey, with which, you can
○ Enable configurable notifications for each Automated Monitoring job, and define the notification rules
and templates in Notification Template Maintenance. When there are tasks generated by Automated
Monitoring jobs, notifications will be sent out based on the rules.
○ Check sent notifications Notification History.
● When there are changes made to a business rule, it is possible to enable the scheduled Automated
Monitoring jobs that are based on this business rule and that are yet to be run to be run on the changed
rule. And when checking Job step results, you’ll see a message telling this step is based on the changed
business rule. For instructions, refer to 2723158
SAP Process Control

● It is now possible to add new attachments to closed issue, closed control effectiveness test and closed
manual control performance tasks in Edit Closed Issues.
More Information
Technical Data
You are now able to add a Manual Control Performance link to an email notification template in Notification
Template Maintenance via Rule Details Details Task Link .
It is now possible to disable mandatory review for Manual Control Performance for a specific sub-process via
Master Data Organizations Subprocess Review Settings .
Locked or expired users have been added to the data source for SOD integration and can now be included in
the scope of SOD integration analysis.
You can now select multiple users to remove some or all roles assigned to them, or replace them with new
assignees, or copy their role assignment to other users with Mass Role Reassignment [page 514].
SAP Process Control

More Information
Technical Data
Search work items
A new feature Search Work Items can be found under Assessments Assessment Planning , which allows
user to search for work items matching specific criteria.
Please note this feature doesn't support search for Policy Acknowledgement, Quiz and Survey work items
because these activities have no items generated in Work Inbox.
Mass termination of ongoing delegation

You are now able to terminate all the ongoing delegation of a particular delegate at one time. For guidance, see
Central Delegation [page 513].
English notifications sent in the absence of notifications in default language

When user's default language is not English and no notification templates in the default language exist,
notifications in English will be sent instead.
One deficiency spreadsheet per email notification

Now, following a CCM job, a PDF file reporting an issue detected by a business rule, along with the one Excel
spreadsheet that presents the deficiencies, or exceptions, relevant to this exact issue, is sent via each email.
You can still allow all the deficiency spreadsheets to be sent together in one email, regardless of which specific
issue this email regards.
Ability to upload multi-language test plans via MDUG

It's now possible to upload test plans in multiple languages using the tool MDUG.
SAP Process Control

Enhanced "Save Variants" functionality for reporting
SAP Process Control provides powerful reporting capability. Now you can save not only your frequently-used
field selections but also personalization settings to reuse for your reports, instead of manually repeating the
configuration each time you create a report.
● Save as Selection variants

Selections in the fields under the Selection section, such as Year and Organization, can be saved as a
Selection variant.
● Save as Layout personalization variants
Report settings configured via the Personalize button can be saved as a Layout personalization variant.
● Save as selection and layout personalization variants
If you want to save your field selections and personalization settings as a whole, save them as a Selection
and Layout personalization variant.
● Global variants
If you save a variant as a global variant, it can be used across all report types.
More Information
For more information on the CCM ABAP Report Monitor Value Analysis subscenario, see the guide, CCM ABAP
Report Monitor Value Analysis, which you can find under Continuous Control Monitoring on the SAP Process
Control product page at http://help.sap.com/pc .
Technical Data
● Email notifications on plans in status "Error"

Now you can enable automatic email notifications about plans in status "Error". See Planner Monitor [page
499].
SAP Process Control

● Quick link My Processes-Hierarchy View
With the quick link My Processes-Hierarchy View in My Objects, you are able to directly access the
hierarchical presentation of My Processes.
● Visibility of Role in My Processes
Now in My Processes you can see the roles assigned to you for a process or a control.
● Displaying risks assigned to sub-processes in standard reports
It's now possible to show the central risks assigned to a central sub-process in a standard report.
● More detailed CCM deficiency email notifications
In standard CCM deficiency email notifications, more information about the objects with issues are
provided.
More Information
Technical Data
New Features
● New continuous monitoring app, Queries Center, for ad hoc queries

The Queries Center app allows you to execute ad hoc queries for business rules, data sources, and tables,
without impacting on existing business rule or data source definitions.
● Monitor value analysis in CCM ABAP Report scenario
The ABAP Report scenario in continuous controls monitoring now allows monitoring of values. For more
information on how to configure this, see the separate guide, CCM ABAP Report Monitor Value Analysis, on
the SAP Process Control page of the Help Portal.
SAP Process Control

● Delegation harmonization between SAP Process Control, SAP Risk Management, and SAP Access Control
Customers who have licensed SAP Access Control 12.0 SP01 along with SAP Process Control 12.0 SP01
and/or SAP Risk Management 12.0 SP01 now have greater flexibility when delegating tasks.
● Ability to reschedule all failed job steps
You can now reschedule all failed job steps at once rather than having to reschedule each one individually.
● Regulation assignment included in audit log
The audit log report now shows the assignment of regulation or regulation requirements to a control.
● Ability to change default assignment option for subprocesses
The default assignment method for subprocesses is to not allow local changes, but you can now change
this default assignment method in Customizing.
More Information
Technical Data
Product Version 12.0
New Features
● Continuous Control Monitor: Standalone Job

The Standalone Job function enables you to directly check the results of a Business Rule, but without
needing to assign it to a Control. So, for example, you could use this to make an ad hoc check on the result
of a Business Rule across your whole enterprise scope, without needing to define it as a recurring job.
Standalone jobs are created using the Continuous Monitoring Scheduler in a similar manner to other job
types.
● Manually Maintain Compliance Test Results for (Semi-) Automated Tests
Adding a test plan to a control will generate workflow even if no deficiencies are found, regardless of
whether the test automation is Automated, Semi-Automated, or Manual. You can then review results and
add issues to automated and semi-automated jobs in the same way that you can for manual jobs.
SAP Process Control

To enable this feature, assign a manual test plan to a Control with test automation set to Automated or
Semi-Automated in Governance, Risk and Compliance Process Control Evaluation Setup Enable
Test Plan Assignment for Auto and Semi-Auto Controls .
Then assign a business rule to the Control in Continuous Monitoring Business Rule Assignment , and
create a Test Control Effectiveness using the Planner.
● Continuous Control Monitoring Integration with SAP S/4 HANA Cloud
You can now integrate your OnPremise Process Control system with the SAP S/4 Hana Cloud, enabling
Continuous Monitoring of your SAP S/4 HANA Cloud instance. After the integration is implemented, S/4
Cloud is available as an option for the Connection Type parameter when creating a Configurable data
source, and in all other respects you work with the system as you would normally.
For details of how to implement this feature, see Setting Up Continuous Control Monitoring Integration
(2OH)
● Configurable Fiori Launchpad
The Fiori Launchpad offers users fast access to the apps linked to their role, along with options to
personalize and organize the launchpad depending on their requirements and the system set up.
What the user sees on the launchpad depends on their role. Default user roles are delivered, and you can
also configure new roles as required to enable users to open whichever apps and functions they need
directly from the launchpad.
For information on launchpad configuration and user roles, see Security Guide: SAP Process Control 12.0
Business Catalog Roles for the SAP Fiori Launchpad at https://help.sap.com/pc
For genaral information on the SAP Fiori Launchpad, see SAP Fiori Launchpad
● New Fiori apps available with SAP Fiori 1.0 for SAP Process Control and SAP Risk Management
The following new apps are available for users of SAP Fiori 1.0 for SAP Process Control and SAP Risk
Management:
○ Test Control Effectiveness - enables you to perform, review, and process Control Effectiveness Tests.
The app displays all the Control tests the user is currently assigned to, with details of the required test
steps, the relevant Control, and other test-related information. You are also able to upload relevant
documentation, and record your results.
○ My Compliance Tasks - gives you a clear overall picture of the status of your current work items. You
can review key metrics, and filter the results to focus on your priorities. Having identified the area you
wish to work on, you can use the links built into the charts in the app to open the selected items
directly in Test Control Effectiveness.
○ Monitor Issue Status - with this app you can review and track issues resulting from control testing.
● Fresh UI look and feel
Updated UI theme provides an enhanced user experience.
More Information
SAP Process Control

3.11 What's New in SAP Process Control for SAP S/4HANA
10.1
Technical Data
Product Version 10.1
Key features:
● Ability to run exclusively on SAP S/4HANA – SAP Access Control, Process Control and Risk
Management 10.1 on S/4HANA run on SAP S/4HANA.
● Ability to run on SAP HANA or non-HANA database – SAP Access Control, Process Control, and Risk
Management 10.1 run on SAP NetWeaver 740 SP02 on non-HANA or on SAP HANA databases.
● Enhanced User Experience with Entry Page and Side Panel – The entry page enhancement provides a
role-based home page for a couple of delivered business sample roles. The entry pages can be easily
configured and personalized according to specific user behaviors. In the meantime, in order to provide
additional, context-sensitive information to existing WebDynpro-based screens, now you can use side
panel in selected areas.
● Embedded Search for Business Entities and Documents – Designed to provide the end user with a
simple and fast access to PC related documents and objects with a search engine UI, by leveraging the
capability of SAP NetWeaver Enterprise Search, PC 10.1 now has a unified, comprehensive and real-time
search function to search data and information.
● Operational Data Provisioning Enablement – This new feature allows real-time analytics and reporting in
a reusable way. You can now use ODP (Operational Data Provider) data models to construct your own
reports, dashboards, and other analytic applications.
● HANA-Based CCM – HANA Based CCM provides the power to perform high volume cross-system
monitoring. The monitoring feature of HANA system brings more value to the customers’ HANA
investments. Many customers have multiple SAP and non-SAP systems to monitor. Previously, a single
data source/business rule is only able to monitor one system at a time. With data stored in HANA and
made available to the GRC automated rule engine, they can now monitor processes across systems and
with great performance despite potentially large data volumes. The customers can also reuse their HANA
analytics investments.
● Import/Export of Data Source and Business Rule – The importing and exporting of CCM content enables
the CCM content delivery from SAP or SAP partners to the customer. Compared with the previous
transport approach via change requests, the improved importing and exporting function of CCM data
source and business rules allows you to do it in a much simpler and faster way.
● Disclosure Survey – This is a new type of survey that allows you to collect and confirm the performance of
controls and processes from a variety of users. The documented information can be used as part of
disclosed financial, operational, or regulatory reporting according to SOX 302 requirements.
● Context Sensitive Help – You can directly access the help topics for the process that you are executing
through the Help Center by clicking on the application screen or pressing F1.
SAP Process Control

More Information
For more information, see the application help for SAP Process Control at http://help.sap.com/pc.
SAP Process Control

4 Integration
Important Integration Information
The processes and user interfaces of the following products are closely linked, as they have interconnected
features:
● SAP Access Control

● SAP Process Control
● SAP Risk Management
You can access the features and documentation of one or several of these products only after licensing and
installing the relevant products.
The integration topics describe the integration scenarios that leverage 12.0 features across multiple
applications.
For more information, see the relevant integration topics.
4.1 Integration of Shared Data (Data Model)
Use
● Organizations can optionally be shared between Process Control, Risk Management, and Access Control.
Some organization data may be shared, and other data may be specific to a single application. The access
to this data is controlled by the user’s authorizations.
● Controls may be shared between Process Control and Access Control. There is application-specific
information for Process Control and Access Control applications. The access to this data is controlled by
the user’s authorizations.
● The Shared Risk Catalog is used by Process Control and Risk Management. There is application-specific
information for Process Control and Access Control applications. The access to this data is controlled by
user’s authorizations.
● You can configure UI properties of attributes (fields) to be application-specific.
More Information
See: Security Guide for SAP Process Control 12.0
SAP Process Control

Integration PUBLIC 19
4.2 Integration with Access Control
Use
In Governance, Risk, and Compliance (GRC) 12.0 solutions, technical platforms are united on SAP NetWeaver
(ABAP), enabling increased harmonization of key master data. Organization, process and control structures
can now be shared across components of Access Control, Process Control and Risk Management, which
support a more integrated approach to governance, risk, and compliance.
Prerequisites
● You have configured the GRC 12.0 application through the Customizing activities.
● You have started the GRC 12.0 application.
Features
● Process Control is integrated with the Access Risk Analysis component in Access Control to monitor
Segregation of Duties (SoD) violations
● Process Control and Access Control share a compliance structure in the following ways:
○ Process Control and Access Control share organizations.
○ Controls in Process Control are used as mitigation controls in Access Control.
○ Processes in Process Control are used as business processes in Access Control.
4.3 Integration with Risk Management
Use
The Process Control and Risk Management applications share certain capabilities. The menu areas common to
both applications are:
● GRC Role Assignments [page 507]

● Central Delegation [page 513]
● Embedded Search [page 390]
● Process Control Planner [page 497] and also see the Risk Management User Guide topic Risk Management
Planner.
SAP Process Control

20 PUBLIC Integration
Process Control and Risk Management Entity Hierarchies
Both applications share the corporate and organization objects. For Risk Management, activity is optional.
Prerequisites
● You have configured both the Process Control (PC) and Risk Management (RM) applications through the
Customizing activities.
● You have started both applications.
● You have set up the roles and business events in both applications.
Features
Process Control and Risk Management have the following integration points:
● Risk Management can use existing Process Control controls as risk responses in Risk Management. For
more information, see the topic Using PC Controls in the application help for SAP Risk Management .
SAP Process Control

● Risk Management can propose new controls to Process Control. For more information about the integrated
workflow, see the topic Sample Workflow: Control Proposal Notification in the application help for SAP Risk
Management.
● Process Control must evaluate the request after a control is proposed from Risk Management. If it is
acceptable, Process Control approves the control proposal workflow and assigns a control to meet the
request.
● Risk Management can use Process Control evaluation results. For more information, see the topic
Monitoring Control Effectiveness and Assessment Results in the application help for SAP Risk Management.
More Information
For more information about Risk Management, see the topic Integration with Process Control in the
documentation for SAP Risk Management.
4.3.1 Risk Harmonization
Use
 Note
Risk harmonization is only relevant if you have licensed both SAP Risk Management and SAP Process
Control.
Risk harmonization allows both SAP Risk Management and SAP Process Control users to share a more unified
source of risk repository. The interchange of risk and control information between the two applications
facilitates a top-down, risk-based internal control approach with which risks in processes can now be
automatically identified and responses can be automatically provided.
If risk harmonization is not enabled, SAP Process Control (PC) and SAP Risk Management (RM) use separate
risk information objects and they are not fully integrated with each other. PC and RM share the same risk
catalogs and risk templates, but without risk harmonization the risks and risk assessment results from RM
cannot be used by PC users, nor can they be used to display harmonized risk and control information. In such a
case you can only link an RM risk to a PC subprocess through an RM activity.
The risk harmonization feature allows direct relationships to be established between RM risks and PC
subprocesses and controls. It also allows PC users to use RM risk assessment results and to display the
harmonized data in the frequently used reports.
With the risk harmonization feature activated, SAP Process Control users can add SAP Risk Management risks
to local SAP Process Control subprocesses. Subsequently, any controls added to these risks are automatically
recognized on the SAP Risk Management side as responses to the risks.
SAP Process Control

Related Information
Activating and Customizing Risk Harmonization [page 23]

Assigning RM Risks to Local PC Subprocesses [page 24]
Assigning PC Controls to RM Risks as Responses [page 25]
Assigning RM Risks to PC Controls [page 26]
Risk-Based Scoping [page 26]
Reporting [page 27]
4.3.1.1 Activating and Customizing Risk Harmonization
 Note
Control.
Activating Risk Harmonization
You can activate risk harmonization in Customizing for Governance, Risk and Compliance under Shared
Master Data Settings Activate the Risk Harmonization Feature .
Customizing Risk Harmonization
You maintain the mapping relationships between risk levels and risk scores in Customizing for Governance, Risk
and Compliance under Process Control Scoping Maintain Risk Score and Risk Level Mapping .
You choose which SAP Risk Management risk analysis type you want to use in SAP Process Control in
Customizing for Governance, Risk and Compliance under Process Control Scoping Maintain Risk Analysis
Type .
Email Notifications
You can define the recipient of email notifications for different business events in Customizing for Governance,
Risk and Compliance under General Settings Workflow Maintain Custom Agent Determination Rules .
SAP Process Control

You use the following agent slots to define which roles receive e-mail notifications:
Agent Slot Description
0RM_NOTIF_RESP_OWNER_CONTROL Notify control owner on assigning and removing control from

risk.
0RM_NOTIF_RESP_OWNER_RISK Notify risk owner on assigning and removing control from

risk.
Additional Authorization Settings
To allow the SAP Process Control internal control manager to be able to create and remove a PC control as an
activity or response under an RM risk, the following authorization settings need to be added to the relevant
roles:
Authorization Object Field Value
GRFN_API ACTVT 01 Create or generate
02 Change
03 Display
06 Delete
GRC_DATAPT *
GRC_ENTITY ACTIVITY
RESPONSE
GRC_SUBTYP *
4.3.1.2 Assigning RM Risks to Local PC Subprocesses
Context
 Note
Control.
SAP Process Control

With the risk harmonization feature activated, SAP Process Control users can add SAP Risk Management risks
to local SAP Process Control subprocesses. Subsequently, any controls added to these risks are automatically
recognized on the SAP Risk Management side as responses to the risks.
Procedure
1. To allow risks to be assigned to a local subprocess in PC, you need to select the Allow Local Change option
when you assign a central subprocess to the organization.
2. In SAP Risk Management, create a risk, and in the Organization Unit field, choose the same organization
under whose subprocess you want to assign this risk.
3. In SAP Process Control, assign the risk to a local subprocess. Note that all risks from SAP Risk
Management have the source Inherent to Organization.
4.3.1.3 Assigning PC Controls to RM Risks as Responses
Context
 Note
Control.
With risk harmonization, SAP Risk Management is able to automatically identify SAP Process Control controls
as responses to SAP Risk Management risks. The control-risk relationship works as follows:
● When a PC control is assigned to an RM risk as a response, the risk is automatically added to the control on
PC side.
● When an RM risk is assigned to a PC control, the control is automatically added to the risk as a response.
 Note
You must first assign these risks to the local subprocess under which the local controls are located, then
you are able to add the risks to the controls.
Procedure
1. In SAP Risk Management, open a risk, assign an SAP Process Control control to the risk as a response. You
can also remove an existing SAP Process Control control from the risk. Note: If you have enabled the email
notification feature for this activity, the system sends out a notification email to the relevant user when the
control is assigned to or removed from the risk as response.
SAP Process Control

2. In SAP Process Control, open the local control. The SAP Risk Management risk is automatically added to or
removed from the control.
4.3.1.4 Assigning RM Risks to PC Controls
Context
 Note
Control.
With risk harmonization activated, you can assign SAP Risk Management Risks to SAP Process Control
controls.
Procedure
1. In SAP Process Control, open a local control and assign an SAP Risk Management risk to the control. You
can also remove an existing SAP Risk Management risk from the control. Note: If you have enabled the
email notification feature for this activity, the system sends out a notification email to the relevant user
when the risk is assigned to or removed from the local control.
2. In SAP Risk Management, open the risk. The SAP Process Control control has been automatically added to
or removed from the risk as a response.
4.3.1.5 Risk-Based Scoping
 Note
Control.
As a result of shared risk and control information between SAP Process Control and SAP Risk Management,
the risk harmonization feature allows the use of SAP Risk Management risk assessment results in SAP Process
Control, so that the SAP Process Control user is able to perform risk-based scoping for control evaluation.
SAP Process Control

When you add an SAP Risk Management risk to an SAP Process Control local subprocess, and assign a control
to the risk, you are able to use the SAP Risk Management risk assessment result together with the control risk
assessment result to determine the test strategy for the control. To do so, proceed as follows:
1. In SAP Risk Management, create a risk.

2. Create a risk analysis for the risk.
3. In SAP Process Control, assign the risk to a local subprocess.
4. In SAP Process Control, assign a local control to the risk.
5. In the Planner, create a control risk assessment plan for the control and complete the assessment task.
6. Open the local control and, in the Level of Evidence field and the Control Risk field, select the Use System
Suggested option. The Level of Evidence value is automatically determined based on the risk analysis result
and the control risk assessment result.
4.3.1.6 Reporting
 Note
Control.
With the risk harmonization feature activated, you are able to monitor the risk coverage with the following
reports:
Report Location
Risk Control Matrix Master Data Reports
Risk Coverage Master Data Reports
Risk Coverage with Evaluations Assessments Reports
Risk Coverage with Ratings by Organization Assessments Reports
For example, you can use the Risk Coverage with Ratings by Organization report to monitor which risks have
been covered by controls with risk level information. You can also navigate to the SAP Risk Management risk
(with risk source Inherent to Organization) through the link, to see the details of the risk.
4.4 Integration of Continuous Controls Monitoring with

SAP S/4HANA Cloud
To set up the integration of continuous controls monitoring in your on-premise SAP Process Control system
with SAP S/4HANA Cloud, you must perform the following configuration steps.
SAP Process Control

Prerequisites
Scope item Continuous Control Monitoring Integration (2OH) must be active. You can check this in the Manage
Your Solution app under View Solution Scope.
A user must exist for creating a communication system in SAP S/4HANA Cloud to access the on-premise SAP
Process Control system. This user must have the following privileges:
● SAP_GRC_FN_BASE: Base role to run GRC applications

● SAP_GRC_FN_ALL: GRC Power User
You must have a user with sufficient authorization in Customizing for SAP Process Control, for example, GRC
System Administrator.
Activities
Set Up Cloud Connector

To enable communication via remote call between the on-premise and cloud systems, you need to enable SAP
Cloud Platform Cloud Connector (Cloud Connector) in your SAP S/4HANA Cloud environment and create a
communication arrangement for the scenario SAP_COM_0200
 Note
When configuring the access control list for the cloud to on-premise scenario, you need to specify function
modules (resources) which can be invoked on the on-premise host. The SAP Cloud Platform Cloud
Connector uses very strict whitelists for its access control.
Use GRFN as the function module name for the communication scenario SAP_COM_0230 (Process Control
& Risk Management Integration).
For more information, go to the SAP Help Portal and search for the SAP S/4HANA Cloud product page. In the
Product Assistance, navigate to the following chapter: SAP S/4HANA Cloud Generic Information General
Functions for the Key User Integration Scenarios How to Set Up SAP Cloud Platform Cloud Connector .
SAP S/4HANA Cloud Configuration

On the SAP S/4HANA Cloud side, you must perform the following tasks:
1. Create a communication user. You can do this using the Maintain Communication Users app.
 Note
To perform this step, you must have a role that contains the business catalog SAP_CORE_BC_COM
(Communication Management).
2. Create a communication system which defines the host name of the SAP Process Control system and
handles users for both inbound and outbound communications. You can do this using the Communication
Systems app.
When creating the system, you must add the virtual host name for the SAP Process Control system and
choose Use Cloud Connector.
SAP Process Control

In the Cloud Connector technical settings, you must enter the Instance Number and Client, which are
system connection parameters for the SAP Process Control system.
Add the new inbound communication user that you created in step 1, and add a new outbound
communication user for communication back to the SAP Process Control system. The outbound user is
used to log onto the SAP Process Control system, so ensure it has sufficient authorization.
3. Creat a communication arrangement, which defines all the relevant information for communication with
the SAP Process Control system. You can do this in the Communication Arrangements app.
Create the new communication arrangement with communication scenario SAP_COM_0230, and add the
communication system you created in step 2. Define the inbound communication user as the one created
in step 1.
SAP Process Control Configuration

On the SAP Process Control side, you must perform the following tasks:
1. Create an RFC connector to communicate with the SAP S/4HANA Cloud system.
You can do this in Customizing for Governance, Risk and Compliance under Common Component
Settings Integration Framework Create Connectors .
The RFC destination of the created connector must be the system ID of the SAP S/4HANA Cloud system
and the connection type must be 3 (ABAP Connection).
You must also add the target SCC host name and instance number, and for the logon details you include
the user name you created on the SAP S/4HANA side above.
2. Define the connection types that are used when connecting to the SAP S/4HANA Cloud system.
Settings Integration Framework Maintain Connectors and Connection Types .
For the new connector, define the following:
○ Target connector: Provide the RFC destination created in step 1.
○ Connection type: S4HANA
○ Source connector: Provide the RFC destination of the current client of the SAP Process Control
system.
○ Logical port: Again, provide the RFC destination of the current client of the SAP Process Control
system.
3. Assign the connectors to an integration scenario.
Settings Integration Framework Maintain Connection Settings .
Enter AM as the integration scenario. Configure the subscenario by adding the connector link to the RFC
destination created in step 1.
4. Maintain the whitelist to indicate the tables that the SAP S/4HANA system is allowed to read.
Settings Continuous Monitoring Maintain Whitelist for S/4HANA Integration .
Create new entries with the tables that you want to whitelist in SAP S/4HANA.
SAP Process Control

5 Key Concepts
This section explains the following key concepts:
● Master Data Flow [page 30]

● Navigating Compliance Tasks [page 33]
● Standard Roles and Authorization Objects [page 37]
● Top-Down, Risk-Based Compliance [page 39]
● Workflows [page 40]
● Multiple-Compliance Framework [page 72]
● Continuous Monitoring Overview [page 73]
● Operational Data Provisioning in PC [page 75]
● Additional User Experience Features [page 393]
5.1 Master Data Flow
Use
We recommend that master data objects be created in the following order:
● Regulations – Regulation Group, Regulation, and Regulation Requirement

● Organizations
● Risk Catalog – Risk Category and Risk Template
● Control Objectives
● Account Groups
● Business Processes – Processes, Subprocesses, and Controls
 Recommendation
For more information on creating these master data objects, see the Master Data [page 397] section of this
help.
Perform the master data assignments after all related objects are created, including:
● Assign corporate and organization roles

● Assign regulations to subprocesses and controls
● Assign subprocesses to organizations
● Assign local subprocess and local control roles
Indirect entity-level controls may be created at any time and assigned to existing organizations.
SAP Process Control

30 PUBLIC Key Concepts
Example
The following is a graphical representation of the suggested order of creation of the master data.
5.1.1 Master Data Change Workflow
Use
You can require all master data changes (such as account group, control objective, process) go through an
approval workflow.
Prerequisites
● You have set up the Activate Workflows for Master Data Changes Customizing activity under Governance,
Risk, and Compliance Shared Master Data Settings .
You must activate the BC Set GRFN-MDC.
SAP Process Control

Key Concepts PUBLIC 31
● You have configured roles to approve the change requests and to receive the change notifications.
For more information, see Configuring Master Data Change Workflow [page 32].
Process
1. A user submits a change master data request.

1. Open the entity you want to change, such as subprocess.
2. Select Request Change. The Change Request screen appears.
3. Enter the information for the change request and select OK to submit the request. The request
appears in the approver's Work Inbox as a task.
2. The approver processes the request.
1. The approver opens their Work Inbox, and opens the change request task.
2. Enter a Comment. This is required.
3. Choose Approve or Reject to process the request. The request appears in the requestor's Work inbox
as a task.
3. The requestor opens their Work Inbox and processes the request.
○ Approved
Open the task and implement the changes.
○ Rejected
If rejected, no action is required, the workflow ends.
4. Process Control sends notification of the change to the approver and stakeholders.
5.1.1.1 Configuring Master Data Change Workflow
Use
Prerequisites
You set up the Activate Workflow for Master Data Changes Customizing activity located under Governance,
Risk, and Compliance Shared Master Data Settings .
You must also activate the BC Set GRFN-MDC.
Process
1. Activate the master data change workflow.

1. Open the Activate Workflow for Master Data Changes Customizing activity. The master data entity
table appears.
2. Select the entities to require for Approval and Notify.
SAP Process Control

3. Select Save.
2. Configure business events through the Customizing activity Maintain Custom Agent Determination Rules,
located under Governance, Risk, and Compliance General Settings Workflow .
In this activity you choose the roles to perform master data change approvals, and the roles to receive
notification when a master data change occurs.
1. Open the Maintain Custom Agent Determination Rules activity. The Customized Business Events table
appears.
2. Choose roles and entities for the following business events:
○ 0FN_MDCHG_APPR
Approve master data change.
○ 0FN_MDCHG_NTFY
Notify users of changes to master data entities.
○ 0FN_MDCHG_NTFY_L
Notify local owners for changes to master data central entities.
More Information
SAP Access Control 12.0 / Process Control 12.0 and Risk Management 12.0 Security Guide
5.2 Navigating Compliance Tasks
This table lists the following:
● Main compliance tasks.

● Roles that perform the tasks.
● Where you perform the tasks in the user interface.
Compliance Task Activity Role Work Center Navigation Path
Documenting com Creating and editing or Cross Regulation Or Master Data Master Data
pliance initiatives ganizations ganization Administra
Organizations
tor, Cross Regulation
Organization Owner Organizations
Assigning users to Cross Regulation Or Access Management Access Management

global roles ganization Administra
GRC Role
tor, Global Regulation
Administrator, Cross Assignments
Regulation Internal Organizations
Control Manager
SAP Process Control

Creating and editing Global Regulation or Master Data Master Data

regulations and policies Policy Administrator Regulations and
Policies Regulations,
Master Data
Regulations and
Policies Policies
Creating and editing in Cross Regulation Proc Master Data Master Data
direct entity-level con ess and Control Admin Activities and
trols istrator
Processes Indirect
Entity-Level Controls
Creating and editing Cross Regulation Proc Master Data Master Data Risk
risk catalog ess and Control Admin
and Responses Risk
istrator
Catalog
Creating and editing Cross Regulation Proc Master Data Master Data
account groups ess and Control Admin
Accounts
istrator
Accounts
control objectives ess and Control Admin
Objectives Control
istrator
Objectives
global process and con ess and Control Admin Activities and
trol catalog istrator
Processes Business
Processes
Creating and assigning Cross Regulation Test Assessment Assessment

test plans Plan Administrator,
Manual Test Plans
Global Process Admin
istrator, Cross Regula Manual Test Plans
tion Internal Auditor
Assigning subpro Cross Regulation Inter Master Data Master Data

cesses to organizations nal Controls Manager
Organizations
Organizations Open
Subprocess tab
SAP Process Control

Assigning persons to Internal Controls Man Access Management Access Management

compliance-initiative ager
GRC Roles
specific roles
Assignments
Organizations
Access Management
GRC Role
Assignments
Business Processes
Assigning indirect en Internal Controls Man Master Data Master Data
tity-level controls to or ager
Organizations
ganizations
Organizations Open
Indirect Entity-Level
Controls
Creating and editing Cross Regulation Ques Assessment Assessment

the question library tion/Survey Adminis
Surveys Questions
trator
Library
Creating and editing Cross Regulation Ques Assessment Assessment

the assessment sur tion/Survey Adminis
Surveys Survey
veys trator
Library
Planning Creating and editing Internal Controls Man Master Data Master Data
the consolidated ac ager, Global Organiza
Accounts
count group balances tion Owner
Consolidated Account
(Financial Compliance
only) Group Balances
Creating and editing Internal Controls Man Master Data Master Data
the organization level ager, Global Organiza
Accounts
balances (Financial tion Owner
Organization-Level
Compliance only)
Account Group
Balances
Determining organiza Internal Controls Man Compliance Specific In Compliance

tions and processes are ager, Global Organiza itiative
Structure Accounts
in scope of assess tion Owner
ments Organization-Level
Account Group
Balances
SAP Process Control

Creating and editing Internal Controls Man Assessment Assessment

the risk assessment ager
Assessment Planning
Planner Risk
Assessment type
Creating and editing Internal Controls Man Assessment Assessment

the controls risk as ager
Assessment Planning
sessment
Planner Control-Risk
Assessment type
Planning assessments Internal Controls Man Compliance Specific In Assessment

and tests ager itiative
Assessment Planning
Planner
Creating and editing Cross Regulation Con Rule Setup Rule Setup
the business rules tinuous Monitoring Continuous Monitoring
Business Rule Special
Business Rule
ist
the data sources. tinuous Monitoring Continuous Monitoring
Business Rule Special
Data Sources
ist
the automated control tinuous Monitoring Job
Scheduling
monitoring Specialist
Automated Control
Monitoring
Scheduling event moni Cross Regulation Con Rule Setup Rule Setup
toring jobs tinuous Monitoring Job
Scheduling Event
Specialist
Queue
Creating Ad Hoc Issues Business User, Cross My Home My Home Ad Hoc

Regulation Issue Ad
Tasks Issues
ministrator
Performing assess Assessing and testing Process Tester, Organi My Home My Home Work
ments and tests zation Owner, Organi
Inbox
zation Tester, Internal
Auditor, Process
Owner, Subprocess
Owner, Control Owner
SAP Process Control

Remediating issues Remediating issues Flexible assignment My Home My Home Work
Inbox
Viewing reports All All Report Center
Certifying results Planning sign-off Internal Controls Man Assessment Assessment

ager
Assessment Planning
Planner Sign-Off
type
Monitoring sign-off Internal Controls Man Assessment Certification Sign-

ager
off Monitor Sign-off
Monitor
Policy Management Adapt policy as needed Policy Administrator, Master Data Master Data
Policy Manager and Regulations and
Policy Owner
Policies Policies
5.3 Standard Roles and Authorization Objects
Use
The authorization concept of SAP NetWeaver assigns authorizations to users on the basis of roles. Some
general SAP standard roles are delivered with Process Control as described below.
You can copy and adjust these default roles in the Customizing activities under SAP NetWeaver Application
Server System Administration Users and Authorizations Maintain Authorizations and Profiles using Profile
Generator Maintain Roles (transaction PFCG).
In the Process Control application, the power user can assign these roles to the corresponding entities.
Features
The standard roles that are delivered are:
● Basic Role (SAP_GRC_FN_BASE): The basic technical role for a user who wants to use Risk Management or
Process Control. This role contains all necessary authorizations to make the necessary Customizing
settings for this application. This role does not contain any authorizations for the portal interface.
SAP Process Control

● Business User (SAP_GRC_FN_BUSINESS_USER): A user with this role is only authorized to perform
operations on assigned entities. We recommend that a user with this role also be assigned a portal role for
in order to use the web interface of the application.
● Power User (SAP_GRC_FN_ALL): In addition to the authorizations of the business user, a power user also
has authorization for administrative functions through the Customizing activities, such as the definition of
organizations.
 Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to
business users. If the power user needs to delegate his authorization to others, he must ask the IT
department to assign the PFCG role SAP_GRC_FN_ALL to that user. This delegation is not entity
dependent. For more information, see My Delegation Overview. [page 391]
● Display User (SAP_GRC_FN_DISPLAY): A user with this role can display all data in the portal. This role is
useful for external auditors, for example. We recommend using this role in addition to the business user
role.
 Note
For more information, see the documentation on the individual roles in transaction PFCG.
Activities
To work with user roles, the following steps are necessary:
1. The system administrator assigns the basic role SAP_GRC_FN_BASE to all users working with the
application. This role contains the technical authorizations required to run the application. Without this
role, assigned users cannot run the application.
2. The system administrator copies the delivered power user role SAP_GRC_FN_ALL, makes any necessary
adjustments, and assigns the modified copy of the standard role to a user who then becomes a power user
for the application. Alternatively, the delivered standard role can be used directly.
3. The system administrator copies the delivered display user role SAP_GRC_FN_DISPLAY, makes any
necessary adjustments, and assigns the modified copy of the standard role to other users who become
display users for the application. Alternatively, the delivered standard role can be used directly.
4. The system administrator copies the delivered business user role SAP_GRC_FN_BUSINESS_USER, makes
any necessary adjustments, and assigns the modified copy of the standard role to other users who become
business users for the application. Alternatively, the delivered standard role can be used directly. The
business users' authorizations within the application can be defined further by the application roles.
5. The portal administrator copies the delivered roles, makes any necessary adjustments, and assigns the
modified copy of the enterprise portal roles to the end users to grant them the required access to the Risk
Management application. Alternatively, the delivered standard role can be used directly.
SAP Process Control

5.4 Top-Down, Risk-Based Compliance
The Process Control risk model allows you to identify the subprocesses and account groups or assertions to be
audited, based on risks assigned to the account groups or assertions, and to the controls. Relationships can be
associated between account groups or assertions, as well as between subprocesses and control objectives.
Compliance efforts are directed to areas that present the highest risk, such as the financial statement close
process, and controls that are designed to prevent fraud.
The top-down, risk-based approach of the application comprises materiality analysis, risk assessment,
control risk assessment, and level of evidence determination.
The following table summarizes the approach:
Aspect Description
Identify significant accounts and assertions Consider materiality, likelihood of errors or fraud, accounting
and reporting complexities, and subjectivity.
Identify risks of financial misstatements To determine the sources and likelihood of misstatements,
ask: “What could go wrong?”
Identify significant locations and processes Consider significant accounts and assertions plus other
risks of financial misstatements
Assess the financial reporting risks Rate the risks, considering the impact and likelihood of ma
terial misstatements in financial reports.
Identify controls to address financial reporting risks Consider entity-level, transaction, IT, and monitoring con
trols.
Evaluate control operating effectiveness Consider control risk factors to determine the nature, extent,
and timing of evaluations.
Process Control uses the following mechanisms to develop a testing strategy and level of evidence:
● Materiality analysis: Organizations and subprocesses in scope of assessments

For more information, see:
○ Consolidated Balances [page 421]
○ Accounts [page 418]
● Control risk assessment and level of evidence
○ The Customizing activity Set Level of Evidence Value under Governance, Risk and Compliance
Process Control Scoping
○ Business Processes [page 412]
○ Reports and Analytics [page 515]
SAP Process Control

5.5 Workflows
A workflow is a sequence of steps processed either by people or by the SAP system. The chronological and
logical sequence of steps is linked to the evaluation of conditions. The evaluations are monitored by persons
assigned to the role tasked with this obligation (this can vary depending on your business' needs).
5.5.1 Performing Automated Testing and Monitoring
Use
You can automate the testing of control effectiveness and monitoring of controls in the ERP system. All
automated tests of effectiveness and monitoring of controls use automated test rules to determine the
exception data to extract from the ERP system. The following graphic illustrates that an automated test rule is
assigned to a control within Process Control to run a program within the ERP system to test or monitor data in
the ERP system:
You can use automated test rules to do the following:
● Transaction data — Identify transactions based on thresholds or identify transactions outside of the
tolerance settings
SAP Process Control

● Configuration data — Monitor all or specific changes to configuration settings, identify values within
configuration settings, or perform blank checks.
● Master data — Monitor all or specific changes to master data, identify values of critical fields, or perform
blank checks.
 Note
Adding a test plan to a control will generate workflow even if no deficiencies are found, regardless of
whether the test automation is Automated, Semi-Automated, or Manual. You can then review results and
add issues to automated and semi-automated jobs in the same way that you can for manual jobs.
Process Control records historical information in a change log to monitor changes to configuration settings and
master data over the entire timeframe of the control. For more information, see the SAP Process Control 12.0
Operations Guide.
You can use automated test rules to fully or partially automate the testing of a control when no manual test
plan is assigned, as follows:
● Fully automated testing — The system determines the control rating and creates issues for remediation
processing, based on test results.
● Semi-automated testing — You manually review the test results and determine the control rating and the
issues for remediation.
When a manual test plan is assigned, you can input a manual test result for the control.
Process
1. Create a business rule

You must create a rule and define your testing or monitoring parameters. You create and maintain the rules
by choosing: Rule Setup Continuous Monitoring Business Rules .
2. Assign business rules to controls
You assign one or more automated test rules to the control that you want to test or monitor. You can also
specify one or more testing or monitoring frequencies for each control-rule assignment. You assign the
rules to the controls by choosing: Rule Setup Continuous Monitoring Business Rule Assignment .
For more information, see Assigning a Business Rule to a Control [page 435].
3. Schedule the monitoring or the test of control effectiveness
○ You use the Scheduler to schedule a control monitoring job. See the relevant sections under
Continuous Monitoring Scheduler Overview [page 436].
○ You use the Process Control Planner [page 497] to schedule control effectiveness testing. This
executes the rules based upon the business rule assignments. The monitoring schedule and control
effectiveness testing can recur regularly or execute on a one-time basis.
SAP Process Control

The system executes the testing and monitoring activities as follows:
1. On the start date, Process Control executes the test or monitoring activities and passes the rule
information to the program (plug-in) in the ERP system.
2. The program executes based upon the business rule assignment.
1. The business rules identify exceptions in configuration data and transaction data based on the rule for
a given period.
2. When the rule execution is complete, the program on the ERP system sends an exception report to
Process Control.
5.5.1.1 Monitoring of Automated and Semi-automated

Controls
Use
Process Control facilitates the monitoring of data to ensure controls in your ERP system are operating
effectively, and to identify weaknesses or potential deficiencies on a timely basis. You can create the following
monitoring controls within Process Control to identify exceptions in your ERP system based on your deficiency
parameters:
● Configuration Controls – to identify potential unauthorized configuration settings or parameters in the ERP
system.
● Master Data Controls – to identify suspect master data in the ERP system.
● Transaction Data Controls – to identify unusual business transactions in the ERP system
You can customize your automated monitoring controls to review data based on your filter parameters and test
period. You then schedule the automated monitoring controls at any frequency you choose based upon your
configuration.
 Note
If issues are identified for automated control monitoring, redoing the monitoring control for the same
period returns the same results. For this reason and to ensure that issues are identified on a timely basis,
some companies perform control monitoring more frequently than either manual testing or automated
testing of control effectiveness.
Automated test rules can automate your monitoring procedures. The rule filters and the deficiencies set within
them identify exceptions in the data within the ERP system. For more information, see Performing Automated
and Semi-automated Tests of Effectiveness [page 44], Creating a Business Rule [page 431], and Creating and
Changing Data Sources [page 425].
● If exceptions are found, the system automatically creates an issue when exceptions are identified.
● If no exceptions are found, no results are returned. The activity is logged with an Adequate deficiency rating
in the Job Monitor. If you discover an issue that should be addressed, you can create an ad hoc issue,
regardless of the deficiency rating. For more information, see Identifying, Creating and Assigning Ad Hoc
Issues [page 385].
● If a test plan is assigned, and no exceptions are found, the results of the test will still be visible in the
workflow and can be edited manually. Issues that are added manually are processed in the same way as
issues that are generated by the system.
SAP Process Control

The following figure illustrates the steps in performing automated controls monitoring:
A monitoring control may be semi-automated based on its control design. However, if issues are found, the
workflow tasks between automated and semi-automated control monitoring are the same. Shown below is the
test failure routing for automated and semi-automated control monitoring based upon delivered business
content.
 Note
The applications determine the agent (or recipient) of a workflow task based on the mapping of business
events and roles. You can override the default configuration and maintain your own agent determination
rule in the Customizing activities (using the SPRO transaction). Carry out the activity Maintain Custom
Agent Determination Rules under Governance, Risk, and Compliance General Settings Workflow
In the Customized Business Events table, you configure rules for determining the recipient of a workflow
task by customizing the business events, sort, roles, entities, and subentities.
SAP Process Control

Test Failure Routing for Automated and semi-automated Control Monitoring
Rule with Issue Deficiency Rating Automated: Issues Go to Semiautomated: Issues Go to
Rule with Deficiency (H/M/L) Control Owner Control Owner
Rule with Review Required Control Owner Control Owner
Rule with No Deficiency N/A N/A
Process
System Execution of Automated Control Monitoring
1. Process Control performs automated control monitoring based on the schedule you create in the
Monitoring Scheduler. The schedule triggers the monitoring in the ERP system based upon the rules to
determine if the data represents an exception. For more information, see Creating a Business Rule [page
431] and Assigning a Business Rule to a Control [page 435].
2. The ERP system returns any exceptions to Process Control. The issues have a deficiency rating of High,
Medium, Low, or Review Required, depending on the rule settings. You define your tolerance settings for
deficiencies in the rule.
3. If a test plan is assigned to the control, then workflow is generated even if no deficiencies are found. The
test results can then be edited manually, and issues added.
If no exceptions are identified, and there is no test plan assigned, the monitoring job schedule is completed
and no workflow is required. The job monitor shows that the job has completed its execution with Adequate
deficiency rating.
If you discover an issue that should be addressed, you can create an ad hoc issue, regardless of the
deficiency rating. For more information, see Identifying, Creating and Assigning Ad Hoc Issues [page 385].
If exceptions are identified, this automatically creates an issue. The system routes the issue to the person
assigned the task to receive the issues. In the delivered Business Configuration (BC) set, this person has
the Control Owner role.
4.  Note
You have the option of assigning the task to another role, depending on your business requirements
and organization.
5.5.1.2 Performing Automated and Semi-Automated Tests

of Effectiveness
Use
Process Control can facilitate automation of the effectiveness testing of controls that exist in your ERP system.
This increases testing efficiency and standardizes testing if several organizations have similar controls. You can
customize your automated tests based on filter parameters. You can also run the automated tests at any
SAP Process Control

frequency based upon your configuration. Automated test rules automate the test procedures. Automated test
rules can fully or partially automate your tests of effectiveness.
Test of Effectiveness
In a fully automated test of effectiveness, the system creates an issue when the system identifies exceptions
based upon your rule criteria. The following figure displays the process flow for an automated test of
effectiveness scenario (note: this example assumes that Review is not required, but Remediation Plans are):
1. The system performs the test of control effectiveness. If the test passes, the work flow is complete, unless
a test plan has been assigned. If a test plan has been assigned, the owner can edit the result and create
issues manually.
2. If the test fails, the system creates issues and routes them to the issue owner.
3. The issue owner reviews the issues for validity. If it is not a valid issue, the work flow is complete.
4. If it is a valid issue, the issue owner assigns a remediation plan owner and submits it.
The plan owner creates, executes, and completes the plan.
5. The issue owner reviews the remediation activities and closes the issue. The work flow is complete.
Semi-automated Test of Effectiveness
In a semi-automated test of effectiveness, the tester receives the test results, with any identified issues. The
tester must review and validate the exceptions. The tester can then void the issue or assign the issue to an
owner for processing.
Automated and semi-automated tests of effectiveness have differences in certain workflow tasks. Shown below
is the routing of tasks for automated and semi-automated tests of effectiveness.
SAP Process Control

 Note
The receiver of issues and tasks in the table below represent the predelivered configuration by SAP. You can
define your own settings in the Customizing activity found at Governance, Risk and Compliance
General Settings Workflow Maintain Custom Agent Determination Rules . For more information, see
the SAP Process Control 12.0 Security Guide.
Routing of Tasks for Automated and Semi-automated Tests of Effectiveness
Deficiency Rating of Issue Automated Issues Go to: Semi-automated: Tasks Go to:
Rule with Deficiency (High/Medium/ Subprocess Owner Tester

Low)
Rule with Review Required
Procedure
System Execution of Automated or Semi-automated Test of Effectiveness
1. Process Control performs automated tests based on the plan you created in the Planner. The plan includes
information such as start and due date of testing, organization name, and control selection. When the plan
start date occurs, the test executes in the ERP system based on business rule assignments.
Automatic retesting is not applicable to automated and semi-automated tests of effectiveness. This is
because if the test is rerun for the same period, it would return the same results based upon the ERP data.
For this reason, some companies perform automated testing on a more frequent basis than manual
testing.
For more information, see Planner [page 497] and Assigning a Business Rule to a Control [page 435]
2. The ERP system returns any test exceptions to Process Control. The exceptions have a deficiency rating of
High, Medium, Low, or Review Required depending on the rule settings and the data in your ERP system.
You define your tolerance settings for High, Medium, Low deficiencies within the rule parameters for
specific rule criteria.
3. If no exceptions are identified, the system performs the following depending on whether the test is fully or
partially automated:
○ Automated Test of Effectiveness — Testing of the plan is complete. The system assigns the test a
deficiency rating of Adequate.
○ Semi-automated Test of Effectiveness — The system assigns the test a deficiency rating of
Adequate.
 Note
For monitoring, no task is generated if no exceptions are found. For testing purposes, a task is
generated, even if no exceptions are found.
SAP Process Control

4. If exceptions are identified, the system performs the following depending on whether the test is fully or
○ Automated Test of Effectiveness — The system automatically creates an issue. The system routes
the issue to the person assigned the task Receive Issues from Automated Test of Control Effectiveness.
In the delivered business content (BC Set), this person has the role Subprocess Owner.
○ Semi-automated Test of Effectiveness — The system automatically creates an issue. The system
routes the test results to the person assigned the task Perform semi-automated Test of Effectiveness.
In the BC set, this person has the Process Tester role. The tester can void the issue or assign the issue
to an owner for processing.
 Note
You can assign this task to another role, depending on your business requirements.
Accessing Tasks Related to Automated or Semi-automated Test of Effectiveness
To access your tasks and reports for compliance tests or control monitoring, choose My Home Work Inbox
Work Inbox
Performing Tasks Related to Issues from Automated/Semi-automated Test of Effectiveness
1. To perform the task, select, and open the task.

2. To review exceptions, select the Evaluation tab. Choose the Fail link under the Results column to display
details.
The following instructions apply to semi-automated test of effectiveness only:
○ To review and validate the exceptions, select the Issue tab. Enter issue owner and choose Submit. Issue
status changes to Ready.
○ To void the issue, select the Issue tab. Choose Void the Issue. Choose Submit. Issue status changes to
Canceled.
 Note
The overall rating of the test is based upon the issues.

○ Adequate (green icon)
– Test with no open issues
○ Deficient (yellow icon) – Test with open issues, none of which are high priority.
○ Significantly Deficient (red icon) – Test with open issues, at least one of which is high priority.
3. To perform tasks related to remediation, see Remediation of Open Issues [page 55].
5.5.2 Performing Evaluations
Procedure
1. Access your task list at My Home Work Inbox Work Inbox
SAP Process Control

2. Use the existing queries or define new ones to list all tasks and reports that have been delivered to your
Work Inbox.
3. Choose the Task Name to view the details. The task opens and displays the following tabs:
○ Evaluation
This tab outlines the steps you must take to complete the assessment.
○ Additional
This tab contains contextual information such as object details and attachments.
 Note
At any point in performing the assessment, you have the option to change it. Accessing the
assessment changes its status from Ready to Reserved. If needed, you can then complete it later.
4. On the Evaluation tab, complete the assessment by answering the survey questions:
 Note
Survey questions require an answer type.

○ Rating – The ratings can be configured to match your business needs through the Customizing
activity: Governance, Risk and Compliance Common Component Settings Surveys Define
Ratings for Survey Questions .
○ Yes, No, or Not Applicable
○ Text
 Caution
Depending on the question, the answer may require an explanation. If required, you must enter your
explanation in the comments field next to the question before you submit the assessment.
5. (Optional) On the Attachments and Links tab, attach or link documents as evidence or additional support.
 Note
The system automatically completes the Date Performed based upon the system date.
6. Assign one of the following overall ratings to the evaluation. The names of these ratings can vary based
upon your configuration.
○ Adequate (green icon)
○ Deficient (yellow icon)
○ Significantly Deficient (red icon)
 Caution
Ratings other than Adequate require an issue to be created before submitting the assessment.
7. If necessary, create an issue. Otherwise, select Submit. For more information about creating issues, see
Identifying, Creating, and Assigning Issues [page 53].
SAP Process Control

5.5.2.1 Re-evaluating Objects
Prerequisites
After the task owners have closed all remediation plans and issues related to an assessment, the system
creates a task to verify the completeness.
 Note
This is configurable through the Customizing activity Governance, Risk and Compliance Process
Control Evaluation Setup Specify Reevaluation Necessity and Timelag .
The system routes this task to the original assessor.
Procedure
1. The original assessor repeats the assessment. For more information about the steps involved, see
Performing Evaluations [page 47]. The only difference between performing an initial evaluation and
repeating one is there is an additional tab containing the history.
Control Design Self-Assessment Subprocess De Indirect Entity-

Assessment (Control) sign Assessment Level Control As
sessment
Perform Task Delivered Role Control Owner Control Owner Subprocess Owner Organization
Owner
Task Perform Control Perform Self-As Perform Subpro Perform Entity-

Design Assess sessment cess Design As Level Control As
ment sessment sessment
Review Task Delivered Role Subprocess Owner Subprocess Owner Process Owner Corporate Audit
Manager
Task Review Control De Review Self-As Review Subpro Review Entity-
sign Assessment sessment cess Design As Level Control As
sessment sessment
Available Tabs Control Subprocess Entity-Level Con

trol
Control Objectives and Risks Control Objectives
and Risks
Account Groups (with assertions)
Assertions (sub
process assertion
gap)
SAP Process Control

Control Design Self-Assessment Subprocess De Indirect Entity-
Assessment (Control) sign Assessment Level Control As
sessment
Evaluation
Attachments and Links
5.5.3 Performing Manual Tests of Effectiveness
Use
Prerequisites
● You have created and assigned test plans.

● You have triggered the workflow in the Planner.
● You have created the query to display manual testing-related tasks in your task list.
Process
1. Test performance - The test of effectiveness uses a test plan that may include both step and test
activities. Step refers to the preparation or gathering of information for the test. Test refers to the
validation of data to determine whether the control is effective.
1. During creation of the test plan, you designate each test as Required or Not Required and indicate
whether Fail Ends Test. These fields, with the test results of Pass/Done or Fail/Not Done, determine
whether the test fails and if the remaining activities must be completed. See Creating and Editing
Manual Test Plans [page 495].
2. To trigger a workflow for manual tests of effectiveness, you create a plan for a test period with a start
date and due date. For information about creating and activating a plan, see Planner [page 497].
3. Once the plan start date occurs, the system routes the tasks of performing manual tests to the testers.
2. Identification and creation of issues - If the overall test fails, the process tester creates one or more
issues and assigns an issue owner for each. The system defaults the issue owner as the person assigned to
the task Receive Issues from Manual Test of Control, but this can be changed. In the BC Set, this task is
assigned to the role Subprocess Owner. If the test passes, submission of issues is not permitted.
3. Remediation - Once the issue owner receives the issue and assigns a remediation plan with a start date
and due date, the remediation plan owner receives a task to create the remediation plan. The remediation
plan owner is defaulted to the person assigned the Receive Remediation Plans from Manual Test of Control
task. In the BC Set, this task is assigned to the role Control Owner. The plan owner creates the plan,
performs the remediation, and completes the remediation activity.
4. Close issue without plan - If the issue was resolved without a remediation plan, the issue owner can close
the issue without a plan. No remediation plan owner exists, and the issue owner closes the issue directly.
SAP Process Control

5. Re-evaluation - The issue owner verifies that the remediation activity has resolved the issue and closes the
issue. Then the system routes the task of redoing the manual test to the original tester. All issues and
remediation plans must be closed before the retest workflow is sent.
 Note
You can assign the tasks to a different role, depending on your organizational structure and business
requirements. You can also choose to enable or disable retesting through the Customizing activities.
Example
This is an example of creating and planning a manual test.
SAP Process Control

5.5.3.1 Performing Tests
Procedure
1. Navigate to Assessments Manual Test Plans .

2. Select the manual test. To perform the Manual Test of Effectiveness, the status must be Ready or
Reserved. The selected test opens and displays multiple tabs:
○ General tab – Outlines the steps to complete the test.
○ Additional tabs – Contain contextual information to assist you in completing the test such as control
details, control objectives and risks, account groups and assertions, and attachments and links.
 Note
At any point, you can make changes to the test. This changes the status from Ready to Reserved and
allows you to complete the test later, if needed.
3. On the General tab, perform the following activities:

1. (Optional) Enter a revised sample size. Do this if you need to change the sample from what was
originally suggested.
2. (Optional) Enter the number of failed items. This indicates how many items out of the revised sample
failed.
3. Enter a result of Pass or Fail/Done or Not Done for each test activity or step. Some activities may not
be required.
4. (Optional) Attach or link documents as test evidence or additional support.
5. Enter the date performed, which may differ from today's date.
6. Assign an overall test result of Pass or Fail.
Overall Test Result Required Test Activity Status
Fail N/A Create at least one issue. See Identi

fying, Creating, and Assigning Issues
[page 53].
Pass N/A All issues must be closed or voided.
Pass Fail Warning message about the discrep

ancy. Request confirmation of sub
mission.
7. Choose Submit.
8. To understand the interaction of the overall test result, the result of individual test and step activities,
and test plan attributes, see table Actions upon Submission of Test [page 53].
SAP Process Control

5.5.3.2 Identifying, Creating, and Assigning Issues
Context
There are two types of issues:
● Issues related to evaluation tests – If your overall rating for a test is Fail, you are required to create at least
one issue. This procedure details this creation process.
● Ad Hoc Issues – This issue can be a question, problem, action item, or planned task. Navigate to My
Home Ad Hoc Tasks Issues . See Identifying, Creating, and Assigning Ad Hoc Issues [page 385].
Procedure
1. Enter the following details:

○ Issue Name (required)
○ Priority (required) – High, medium, low
○ Owner (required) – Enter the owner name, or use search functionality to select the owner
○ Description – Provide any details about the issue
○ Compensating Controls
○ Potential Impact
2. Insert files or links on the Attachment and Links tab.
3. Choose Save Draft to save changes or Cancel to abort the session.
 Note
If the issue was raised in error, you can void the issue before submitting your test.
4. Choose Submit. To understand the interaction of the test result, the individual test and step activities, and
test plan attributes, see the table below.
Actions Upon Submission of Test
Options Individual Test Activ Overall Test Result

ities / Steps
Required Fail Ends Test Pass Fail
Yes Yes Pass or Done (all or All activities pass – At least one activity
most activities) Test is submitted suc fails – Test can be
Yes No cessfully. No open is submitted after creat
sues exist. ing at least one issue.
If all activities pass,
SAP Process Control

Options Individual Test Activ Overall Test Result
ities / Steps
No No If one or more activity the overall test result

fails, the system dis is set to Pass.
plays a warning that
you have set the over
all test result to Pass
but one or more tests
to Fail. You are asked
if you want to submit
the test as is.
No – returns you to
the test.
Yes – allows the test

to be submitted pro
vided that no open is
sues exist.
Yes Yes Fail or Not Done (at If any required test Test can be submitted
least one activity) steps fail, then the after creating at least
overall test result one issue.
must be set as Fail.
Remaining steps do
not need to be com
pleted, even if other
wise required.
Yes No A warning appears

that you have set the
No No overall test result to
Pass but one or more
tests to Fail. You are
asked if you want to
submit the test as is.
No – returns you to
the test.
Yes – allows the test

to be submitted pro
vided that no open is
sues exist.
No Yes This combination (Required - No and Fail Ends Test – Yes) is not al
lowed during the creation of a test plan.
SAP Process Control

 Note
If the result for any required step or test activity is blank, you cannot submit the test. However, if at
least one test activity with Fail Ends Test = Yes has already been set to Fail, all required steps and tests
are no longer needed to submit your test.
5. After you have submitted your test, the actions depend on the Review Required setting established in the
Customizing activity located at Governance, Risk and Compliance Process Control Specify Whether
Review is Necessary.
Issues Review Not Required Review Required Workflow Sent to Subprocess Owner*
Approve Reject
Enter Review Comments
Submitted without issues Done Done Test is returned to tester for

rework
Submitted with issues Workflow is sent to assigned Workflow is sent to assigned
issue owner issue owner
*Based upon delivered business content for roles.
6. If a review is required, the reviewer has visibility to the test including related issues, contextual information,
and attachments or links.
○ If the reviewer chooses Reject, comments are required.
○ If approved, comments are optional.
The workflow between the reviewer and tester continues until agreement is reached and the reviewer
approves the test. Each role can change only his or her own comments.
5.5.4 Remediating Evaluation Issues
Use
All of the evaluations, assessment surveys, manual test plans, automated and semi-automated control testing,
and control monitoring, follow these basic steps:
1. Evaluation
 Note
This process does not apply to ad hoc issues.
2. Identification and creation of issues

3. Remediation of open issues
4. Reevaluation (for manual evaluations only). This is dependent upon the configuration done through the
SAP Process Control

Prerequisites
You have created an evaluation with an issue and it has been approved, if review is required.
Process
1. The tester receives the task to perform the manual test of effectiveness.
2. The tester performs the test and submits it. If the test passes, the task is complete.
3. If the test fails, the tester creates an issue and assigns it to an issue owner.
4. The issue owner assigns the remediation task to an owner and submits it.
5. The remediation owner creates, executes, and completes the remediation plan.
6. The issue owner reviews the remediation and closes the issue.
7. The tester performs the test of effectiveness again and submits it. If the test passes, the task is complete.
8. If the test fails, the tester creates an issue and assigns it to an issue owner.
The process continues until issues are closed.
 Note
The process flow above is an example of manual tests of effectiveness and does not include Review
Required nor Forwarding functionality. See Performing Tasks Related to Remediation [page 58].
SAP Process Control

5.5.4.1 Remediating Ad Hoc Issues
Use
Ad hoc issue management allows the creation and management of issues identified outside the standard
testing and assessment process. It also provides the following functionality:
● Supports central categorization and management of issues

● Allows flexible determination of responses and remediation procedures
● Provides enterprise-wide visibility of issues and their remediation statuses
Process
The following chart shows an end-to-end scenario of ad hoc issue creation and remediation
● Report Issue: You can create ad hoc issues outside of evaluation process with a one-step or two-step
approach.
● Remediate Issue: You can configure whether to use a remediation plan or CAPA plan for issue remediation.
● Monitor Issue: You can monitor issue processing statuses
SAP Process Control

5.5.4.2 Performing Tasks Related to Remediation
Prerequisites
Complete the Customizing activities under Governance, Risk, and Compliance Process Control Evaluation
Setup .
Procedure
1. From the My Home work center, navigate to Work Inbox.

2. View the task. The system sends the Start Issue Remediation task to the issue owner.
3. Select the task.
A screen displays the issue details. The system presents the following options:
○ Assign Remediation Plan / Assign CAPA (if CAPA is enabled for the regulation of the issue)
If the issue requires a remediation plan, you must assign a remediation plan owner, start date, due
date, and description. To do so, select OK and Submit.
○ Close Without Plan
If permitted, you can close the issue without a remediation plan. For example, you can use this option
for a minor change. To do so, enter remediation comments and select OK to save and close the issue.
Then select Submit.
○ Reassign the Issue
You can reassign the issue to another user. To do so, select a user and choose OK. Then select Submit.
The issue is rerouted to the selected user.
○ Void
If the issue must be canceled, select Void and enter comments. The system changes the status to
Canceled. Select Submit.
4. The system sends the Enter Details for Remediation Plan task to the remediation plan owner. Depending on
whether you set Review Required during the configuration or maintenance of local objects, one of two
process flows occurs: With Plan Review or Without Plan Review.
With Plan Review has the following options:

○ Reassign the Plan
If you want to direct the remediation plan to another user, you can reassign the plan. Select a user and
choose OK. Then select Submit.
○ Review
This option allows you to document your remediation plan and submit it for review. Enter the details in
the description text box and attach or link any documents. Select Submit.
The system sends the Review Remediation Plan Details task to the reviewer who then has the following
options:
○ Reject
Selecting this option returns the plan to the plan owner for rework. Select Reject and enter review
comments. Select OK and Submit.
SAP Process Control

○ Approve
Selecting this option initiates the next remediation activity. Select Approve and enter review
comments, if desired. Select OK and Submit.
Without Plan Review has the following options:
○ Reassign the Plan

If you want to direct the plan to another user, you can reassign it. Choose a user, select OK, and
Submit.
5. To initiate the next remediation activity, select Next. The system sends the Update Remediation Plan
Progress task to the remediation plan owner who performs the following activities:
○ Selects the task
○ Enters the plan progress in the Description Text box (optional)
○ Updates the percentage of completion and chooses one of the following:
○ Submit to record the current status of the plan. The owner continues to update the task until it is
complete.
○ Complete and Submit.
6. The system sends the Review and Close Remediation Plan task to the issue owner who has the following
options:
○ Reopen – This restarts the remediation process and sends the workflow to the remediation plan owner.
○ Close – This closes the issue. The status of the Remediation Plan and the Issue changes to Closed. No
further activity can be performed on this task.
 Note
If the issue owner and the remediation owner are the same user, the workflow is streamlined.
5.5.5 Remediating CAPA Issues
Use
Corrective and Preventive Action (CAPA) is a regulatory concept within Good Manufacturing Practice (GMP). It
focuses on the systematic investigation of discrepancies (failures and/or deviations) in an attempt to prevent
their recurrence. Process Control enables you to use CAPA remediation processes in your compliance and
regulatory initiatives.
 Note
CAPA remediation is available for the following:
● Manual testing of controls

● Automated and semi-automated testing of controls
● Self-assessment of controls
SAP Process Control

Features
The CAPA remediation process has the following features:
● Root cause analysis

● Corrective actions
● Preventive action
● Audit trail
● E-signature
● CAPA plan approval
● CAPA plan execution approval
● Verification of appropriateness and effectiveness
5.5.5.1 Configuring CAPA
Use
To use CAPA remediation, you must enable the CAPA business process in the Customizing activities and assign
the CAPA relevant roles to users. You can also choose to enable e-signature, approval, and audit trail.
Prerequisites
Enabling CAPA Business Process
1. Open the Customizing activity. Select Governance, Risk, and Compliance Process Control Multiple-
Compliance Framework Configure Compliance Initiatives . The Define Regulation Configuration screen
appears.
2. Select Define Regulation Type and choose Operational.
3. Select Business Transaction.
4. Choose CAPA.
5. Select Enable.
6. Choose Save.
Procedure
Enabling E-signature, Approval, and Audit Trail
The CAPA e-signature, approval, and audit functions are optional.
1. Open the Customizing activity. Select Governance, Risk, and Compliance Process Control Multiple-
Compliance Framework Configure Compliance Initiatives . The Define Regulation Configuration screen
appears.
SAP Process Control

2. Select Define Regulation Type and choose Operational.
3. Select Business Transaction.
4. Choose CAPA.
5. Select Settings.
6. In the Settings table, select Activate for the following:
○ Audit Trail
○ CAPA Execution Approval
○ CAPA Plan Approval
○ E-signature
7. Choose Save.
Assigning CAPA Roles to Users
To authorize users to perform CAPA approval activities, you must assign them the following roles:
● CAPA Plan Approver

● CAPA Execution Approver
You assign the roles at the compliance initiative level. For more information, see Assigning Users to Roles for
Corporate and Organization Objects [page 508].
Using CAPA for Ad Hoc Issues
For ad hoc issue reporting, you have completed the Customizing activity Governance, Risk and Compliance
Common Component Settings Ad Hoc Issues Enable CAPA by Regulation Type .
For more information, see Identifying, Creating and Assigning Ad Hoc Issues [page 385].
More Information
Configuring CAPA Plan Values [page 63]
5.5.5.1.1 Using e-signatures
Use
You use e-signatures as a formal method of confirming actions and assigning accountability in the CAPA
remediation process. The e-signature in Process Control complies with the requirements of 21 CFR Part 11.
Prerequisites
You have enabled e-signatures in the Customizing activities.
For more information, see Configuring CAPA [page 60].
SAP Process Control

Features
For the CAPA remediation process, the following roles and activities require e-signatures:
Role Action Requiring E-signature
CAPA Issue Owner ● Submit CAPA plan for approval
CAPA Plan Approver ● Approve plan

● Send plan back to issue owner for rework
● Cancel plan
CAPA Plan Execution Approver ● Approve plan execution

● Send plan back to issue owner for re-execution
You commit the e-signature by entering your password in the e-signature screen and selecting Sign. You can
also enter a comment.
5.5.5.1.2 Using the CAPA Audit Trail
Use
The CAPA audit trail tracks the details of the activities performed by users associated with a specific CAPA
remediation. The audit trail is visible as a tab within the CAPA plan, and can also be exported to a write-
protected (PDF) format.
Prerequisites
● You have enabled CAPA business process and audit trail.

For more information, see Configuring CAPA [page 60].
● You have been assigned a CAPA plan and submitted it.
For more information, see Performing CAPA Remediation. [page 64]
Features
The audit trail tracks the following information:
● Issue owner
● Task performer
● Root cause
● Immediate cause
SAP Process Control

● Attachments
Time stamp of when attachments are added or deleted.
● E-signature
● Time stamp
The audit trail timestamps the following recorded activities
○ Issue submission
○ CAPA plan submission
○ CAPA plan approval
○ CAPA plan execution
○ CAPA plan execution approval
Activities
To view the audit trail for an issue:
1. On the Issue Evaluation screen, choose the CAPA Worklog/Audit Trail tab.
○ You can filter the audit trail by user or date range. Leave those fields empty to view all activities related
to the issue.
2. Select Go.
5.5.5.1.3 Configuring CAPA Plan Values
Procedure
Process Control provides a list of default values for fields on the CAPA remediation screens. However, you can
also customize the values through the Customizing activities.
Discrepancy Evaluation Results
On this screen, you can configure values for the fields:
● Potential Impact
● Seriousness
To configure the values:
1. Open the Customizing activity. Select Governance, Risk, and Compliance Process Control Multiple
Compliance Framework Edit Business Process Transactions . The Business Transactions Overview
screen appears.
2. Select Business Transactions.
3. Choose CAPA.
4. Select Attributes. The following attributes appear:
○ Immediate Causes – This attribute affects the values listed for the Immediate Causes field.
○ Potential Impacts
○ Seriousness
SAP Process Control

○ Techniques – This attribute affects the Root Cause Analysis screen.
5. Select an attribute and choose Values. The Work Area screen appears.
6. In the Regulation Type field, enter Operational and choose execute. The values table appears.
7. Update the values in the table.
8. Select Save.
More Information
Configuring CAPA [page 60]
5.5.5.2 Performing CAPA Remediation
Use
CAPA remediation is available for issues coming from manual test of controls, automated test of controls, and
self-assessment. It is also available for ad hoc issues.
If CAPA is configured for your compliance initiative through the Customizing activities, the following CAPA
functions are available:
● Assign CAPA Plan pushbutton

● CAPA tab
● CAPA Worklog/Audit Trail tab
Prerequisites
● You have configured the CAPA business process. See Configuring CAPA. [page 60]
● You have configured e-signature and approval. This is only required if you use e-signature and approval in
the CAPA remediation process. See Configuring CAPA Plan Values [page 63].
● An issue has been triggered by manual or automated tests, or by self-assessment. Or, an issue has been
created through the ad hoc process.
SAP Process Control

Process
This figure illustrates the CAPA remediation process:
1. The issue owner creates a plan and submits it for approval.

For more information, see Creating a CAPA Plan [page 66].
2. The plan approver approves the plan.
You receive the Approve CAPA Plan task in your Work Inbox. You have the following options:
○ Approve the CAPA plan
○ Cancel the CAPA plan
○ Send the plan back to the issue owner for rework
3. The remediators complete the corrective and preventative actions and submit the plan for approval.
A user may be assigned:
○ only corrective actions or
○ both corrective and preventive actions.
 Note
All corrective actions must be completed before the preventive actions. If you are assigned both
actions, you must complete and submit all corrective actions before the preventive action tasks are
available in your Work Inbox.
4. The CAPA plan execution approver reviews and approves the execution.
SAP Process Control

You receive the Approve CAPA Execution task in your Work Inbox. You have the following options:
○ Approve the CAPA plan.
You must answer all the Verification of Appropriateness and Effectiveness of the CAPA Plan questions.
○ Send the CAPA plan back to the issue owner for re-execution.
More Information
● Configuring CAPA. [page 60]

● Configuring CAPA Plan Values [page 63]
● Creating a CAPA Plan [page 66]
● Identifying, Creating and Assigning Ad Hoc Issues [page 385]
5.5.5.2.1 Creating a CAPA Plan
The issue owner opens the remediation task in their Work Inbox, selects the Issues tab, and performs the
following tasks:
1. Perform discrepancy evaluation.

Select the Discrepancy Evaluation Results tab, and complete the required information for Potential Impact
and Seriousness. You can optionally choose a Priority of Remedial Action.
2. Assign CAPA plan.
1. Select Assign CAPA Plan and enter the plan name, dates, and description.
2. Select OK.
A CAPA tab appears in the issue evaluation screen. Select the CAPA tab.
3. Perform root cause analysis.
1. Select the Root Cause Analysis tab.
2. Under the Immediate Causes section select Add, and choose an immediate cause from the dropdown
menu.
You can also attach or link to additional documentation by choosing Documents.
3. Select OK.
4. Enter information for the Root Causes field. You can also attach or link to additional documentation by
choosing Documents.
5. Select Techniques. The Techniques table appears. Select a technique and choose OK.
For more information, see Configuring CAPA Plan Values [page 63].
4. List corrective actions and assign actions to remediators.
1. Select the Corrective Actions tab and choose the Add button. The Add a Corrective Action screen
appears.
2. Enter information for the required fields.
3. Choose a remediator by selecting Remediator. The Select Owner screen appears. Choose a user and
select OK.
4. On the Add a Corrective Action screen, select OK.
The action appears in the Corrective Actions section, and displays the status as Draft.
You can add or remove as many actions as required.
SAP Process Control

5. List preventive actions and assign to remediators.
1. Select the Preventive Actions tab and choose the Add button. The Add a Preventive Action screen
appears.
2. Enter information for the required fields.
3. Choose a remediator by selecting Remediator. The Select Owner screen appears. Choose a user and
select OK.
4. On the Add a Preventive Action screen, select OK.
The action appears in the Preventive Actions section, and displays the status as Draft. You can add or
remove as many preventive actions as required.
6. List contingencies (optional).
On the General tab, enter information in the Contingency field.
7. Submit CAPA plan for approval.
1. Select Submit. The e-signature screen appears.
2. Enter required information for the e-signature [page 61] and choose OK.
A status message is displayed at the top of the screen confirming the submission.
If the CAPA plan approval step is enabled in the Customizing activity at Governance, Risk, and Compliance
Process Control Multiple-Compliance Framework Configure Compliance Initiatives , the plan is submitted
to the CAPA Plan Approver for approval.
5.5.6 Using Flexible Workflows
Use
You can assign one or more tester and remediator for each manual test plan and the associated issues and
remediations. Primary testers and remediators may choose to complete a portion of a task and assign the
remainder of the task to a different user.
Flexible retesting is also allowed for processes, subprocesses, and indirect entity-level controls.
Features
Flexible workflow includes the following capabilities:
● Multiple testers can perform a manual test plan – Each step can be associated with a specific user, or the
same test step can be forwarded to other tester(s). The process starts and ends with the test owner.
For more information, see Assigning Multiple Testers. [page 68]
● The remediation process supports multiple remediators. The process captures the comments and all
executed activities.
For more information, see Assigning Multiple Remediators. [page 68]
● Authorized users can configure what triggers a retest and reassessment task through the Customizing
activities located under Governance, Risk, and Compliance Process Control Evaluation Setup
For more information, see Reevaluations [page 69].
SAP Process Control

5.5.6.1 Assigning Multiple Testers
Use
For manual test plans, you can use multiple testers.
Process
1. The test owner opens the task from the Work Inbox.
2. The test owner then has the choice to Assign to Next Tester.
3. The assigned tester opens the task from the Work Inbox.
4. On the General tab, the assigned tester performs the first step.
5. The assigned tester then selects Submit to send the task back to the test owner.
6. The test owner receives the test plan in their Work Inbox and opens it.
7. The test owner performs the second step in the test plan.
8. The test owner finds an issue and reports it. The test owner assigns an issue owner who can remediate the
issue. When the test owner selects Submit, it is forwarded to this person, if a new review is required.
9. The assigned issue owner receives the plan and remediates the issue.
5.5.6.2 Assigning Multiple Remediators
Use
For remediation plans, you can use multiple remediators.
Process
1. The remediation owner starts the issue remediation. The remediation owner opens the task from their
Work Inbox.
2. On the Remediation Plan tab, the remediation owner selects Start the Plan.
3. The remediation owner then selects Assign to Next Processor and selects the correct user from the user
search result.
4. The assigned processor opens the task from their Work Inbox and selects Complete after the work is
finished.
5. The issue owner receives the completed remediation plan in their Work Inbox.
6. The issue owner selects the task. After evaluating it, they select Reopen due to deficiencies.
7. The issue owner reassigns it to another Owner on the Remediation Plan tab.
SAP Process Control

5.5.6.3 Reevaluations
Use
You can customize the reevaluation of assessments and tests. You can automatically extend the due date of the
reassessment. You can configure different retesting procedures for controls and subprocesses. You can decide
if an action requires a review.
Prerequisites
You have configured the following Customizing activities under Governance, Risk, and Compliance Process
Control Evaluation Setup :
● Extend Due Date for Repeat Assessment and Test

● Specify Reevaluation Necessity and Time Lag
Process
1. To enable the reassessment, retest or review for a process, subprocess or indirect entity-level control,
access the General tab.
2. Configure the Repeat Settings and Review Settings sections to fit your business needs.
5.5.7 Using SAP Interactive Forms by Adobe
Use
SAP Interactive Forms by Adobe enables a process by which auditors and reviewers can download and
complete the manual test plans offline. This might be useful when the tester has unreliable network access or
perhaps wants to complete test documentation when not connected. SAP Interactive Forms by Adobe test
plans can be configured to resemble the format of existing test plans. Auditors can download the test plan and
input results later.
Prerequisites
Some configuration is required to map the test plan. SAP solution experts can configure test plan input screens
to resemble existing processes. The SAP Interactive Forms by Adobe option is enabled by default. To disable it,
access the Customizing activity Governance, Risk, and Compliance Process Control Evaluation Setup
Enable SAP Interactive Forms by Adobe .
SAP Process Control

Activities
The following steps summarize utilizing SAP Interactive Forms by Adobe for test plans:
● Download test plans

● Perform offline test plans
● Perform offline issue reporting
● Upload test plan data
● Upload attachments
1. Access test plans from the My Home work center, Work Inbox.
2. Choose Download Forms to enter offline data.
3. Review the manual test offline. Store data for future upload.
4. Upload the test plan after you have collected the data.
5. Load attachments to support the test results
5.5.8 Complete Sign-off
We provide a Fiori app Complete Sign-off , in addition to the old NWBC UI, to help you perform sign-off tasks.
This chapter is intended for the introduction to the Fiori app.
Prerequisites
The Fiori app Complete Sign-off is available on your Fiori Launchpad. To be able to use the app, you have to
switch it on in the Customizing activity Process Control Sign-off Maintain settings for Sign-off Fiori App
by checking the option Enable Fiori app for sign-off. This Customizing activity is also where you do the
configurations for the app.
The Fiori Launchpad is the only access to the app. You'll still be redirected to the old NWBC UI upon clicking on
a sign-off task in your work inbox .
Use and Configuration
The app provides a work list of all your sign-off tasks.
To perform a sign-off task, select it and complete all the required steps on its detail page. The detail page shows
whether this is a sign-off at organizational unit or corporate level and includes all or some of the following
sections, depending on the configurations.
 Note
The configurations described below are all done in the Customizing activity Maintain settings for Sign-off
Fiori App.
SAP Process Control

Section Purpose Configuration
Instructions Instructions provides written guid The instructions can be customized. Follow the steps
ance on performing sign-off, such as described under Templates to create instructions.
the background information, how to do
a sign-off, what happens after a sign-
off and any thing that the person who
is doing sign-off may want to know.
Review state of Internal In the section, you review the internal ● The issue types that are shown for review can be
Controls
control work in your organizational unit configured via Choose the columns to be displayed
and the subordinate organizational on Fiori app. The available types are Self
units , if any. Assessment,Design Assessment and Testing
● It's possible to provide information about this step
Issues found during the tests, evalua
on UI to help the person who is performing sign
tions and assessments, etc, are listed
off, which will be shown in an info box under the
here. To see issues details, export
section title. To provide the information, enter it in
them to a worksheet.
Notes Internal Control Note .
At the end of the section there is a con
● The checkbox text is customizable. Type the de
sent checkbox. By ticking the check
sired text, such as "I hereby confirm that....", in
box, you confirm that you've reviewed
the internal control status. Confirmation Texts Internal Control .
Additional Documents Here you see the documents provided ● To enable Additional Documents, check the op
for the sign-off, if any.
tion Show Additional Documents; otherwise, the
At the end of the section there is a con section is not visible on UI.
sent checkbox. By ticking the check ● It's possible to provide information about this step
box, you agree that you've read the on UI to help the person who is performing sign
documents. off, which will be shown in an info box under the
section title. To create the information, enter it in
Notes Additional documents Note

● The checkbox text is customizable. Type the de
sired text in Confirmation Texts Additional
Documents .
Attachments In the section, you upload attachments

or add links as needed.
Respond to Survey The section is a survey. You answer the To enable this section, check the option Enable
questions and leave your comments
Response to Survey and then when creating a sign-off
for each question.
task in Planner, you can choose a survey from Survey
Library for the task. When the option is not checked,
the section is not visible on UI, and it's impossible to
choose a survey while creating sign-off tasks.
SAP Process Control

Section Purpose Configuration
Sign-off and Comment This is the last step. By ticking the con ● The checkbox text is customizable. Type the de
sent checkbox at the end, you agree to
sign off. You can also leave comments sired text in Confirmation Texts Sign off .
in the Comments box. ● It's possible to provide a placeholder text in the
Comments input box as an example. Follow the
steps described under Templates to create the pla
ceholder text .
After you've finished all the steps above, click the Sign-Off button at the bottom.
5.6 Multiple-Compliance Framework
Use
The Process Control multiple-compliance framework enables you to implement a variety of compliance
initiatives, such as financial compliance, operational compliance, or others as needed.
Prerequisites
Complete the following Customizing activities:
● Complete all activities under Governance, Risk and Compliance Process Control Multiple-
Compliance Framework
● Governance, Risk and Compliance General Settings Workflow Maintain Custom Agent
Determination Rules
● After compliance initiatives have been set up, complete the following activities:
○ Governance, Risk and Compliance Process Control Authorizations Maintain Regulation Role
Assignment
○ Governance, Risk and Compliance General Settings Authorizations Maintain Entity Role
Assignment
Features
● Compliance initiative agnostic framework: You can implement any compliance initiative.
● Multiple-compliance initiatives: You can implement one or more compliance initiatives and document their
requirements. You can also group compliance initiatives.
● Common compliance processes and reporting: You can implement shared testing and assessments across
compliance initiatives.
SAP Process Control

● In reporting, you can see the compliance information and test results from different regulations.
● Regulation-specific information of organization, subprocess, control, and indirect entity level control is now
moved to object detail UI to make it easier to share objects across multiple regulations.
● Organization, subprocess, control, and indirect entity-level control can have regulation-specific attribute
values.
● The regulation-specific attribute values of these objects can be maintained on the Regulation tab in the
object detail UI.
● For these objects, attributes can be configured as regulation-specific.
● You can configure the UI property for User Defined Fields depending on the different compliance initiatives.
● When you schedule a plan, you can indicate if you want to share the test results across multiple
regulations.
● A user with regulation-specific roles can edit the data for that regulation, but can see data from other
regulations and data on the General tab. Users with a cross regulation role can edit data for all regulations
and data on the General tab.
Example
A company may choose to implement both financial (SOX) and operational (FDA) compliance initiatives.
Sample SOX and FDA data is provided in the Business Configuration (BC) sets, downloaded from the
Customizing activity: Governance, Risk and Compliance General Settings Activate Business
Configuration (BC) Sets
More Information
SAP Access Control 12.0 /Process Control 12.0 and Risk Management 12.0 Security Guide
5.7 Continuous Monitoring Overview
Use
The figure illustrates the continuous monitoring process in the Process Control application.
SAP Process Control

Process
1. Define and set up controls monitoring.

1. Define your data sources, which can leverage SAP tables, queries and reports, BI queries, third-party
connectors, and custom programs.
2. Define the business rules that leverage these data sources and define filter and deficiency criteria to
identify exceptions.
2. Map the business rules to the applicable controls defined in your compliance structure.
3. Schedule the continuous monitoring. For example, controls are scheduled for continuous monitoring. As
these controls are executed across various business systems, the exceptions to rules are identified and
issues are raised for review.
The relevant business owner is notified of the exception, reviews the issue, and determines whether any
remedial action must be taken. Dashboards and reporting give management access to the results of the
continuous monitoring and issue remediation process.
SAP Process Control

More Information
● Continuous Monitoring [page 425]

● For S4HANA integration, see: Setting up Continuous Control Monitoring Integration
5.8 Operational Data Provisioning in PC
Use
The structure contains the documents that describe operational reporting for Governance, Risk, and
Compliance based on Operational Data Provisioning (ODP). ODP is a metadata concept in SAP NetWeaver that
provides a technical infrastructure that you can use to support application scenarios such as data replication
and operational analytics. With ODP, you can use operational reporting for real-time analysis of data, and you
can also access the data in your system directly without having to replicate it into a separate BW system.
In GRC, predefined search and analysis models are delivered for reporting and enterprise search. You can use
these models directly or create your own models in the modelling environment.
For more information about ODP and models, see the documentation at http://help.sap.com , under SAP
NetWeaver SAP NetWeaver Platform SAP NetWeaver 7.3 Including Enhancement Package 1 Application
Help SAP NetWeaver Library: Function-Oriented View Search and Operational Analytics Operational Data
Provisioning .
Related Information
Authorization [page 75]

CDF Support in ODP [page 77]
Search and Analytic Models [page 78]
5.8.1 Authorization
An authorization allows a user to perform a specific action on a specific object. You can define authorization
checks to be performed for the nodes in a business object by adding authorization objects to the node. In this
way, you can configure that only authorized users can access the data in search results or reporting.
SAP Process Control

To assign an authorization object to a PFCG role:
1. Go to transaction PFCG, enter the role name and choose Change.

2. In the Authorization tab, assign the authorization object in Maintain Authorization Data and Generate
Profiles.
In GRC, the following types of authorization objects are available:
Authorization Object Description
GRFN_ODP Authorization check for HR objects based on entity and ob

ject ID
GRFN_ODP_C Authorization check for special HR objects with complex IDs
GRFN_ODP_E Entity level authorization check for non-HR objects
GRFN_ODP_R Authorization check for regulation specific entities
GRFN_ODPRC Authorization check for complex ID and regulation specific

entities
 Note
Ad-hoc Issue and Policy use role-user assignment authorization. The assignment information is stored in
table GRFNROLEASSNMT.
Special HR Objects with Complex ID
Some objects contain special entity IDs that cover two HR object types. In such cases, the object ID length of
these entities are extended to 9, allowing one extra character for identification. These objects use the special
complex ID authorization check GRFN_AUTH_C. The following is a list of special HR objects that uses complex
ID authorization check.
Object Type Object ID Format Example Description
8 digit number + S 50****01S Activities mapped from sub

process
Activity
8 digit number 50****01 Newly created activities
8 digit number + X 50****01X Activity categories mapped

from subprocess
Activity Category
8 digit number 50****01 Newly created activity cate
gories
SAP Process Control

Object Type Object ID Format Example Description
L + 8 digit number L50****01 Local change allowed con

trols
Control
8 digit number 50****01 Local change not allowed
controls
8 digit number + X 50****01X Risk template

Risk
8 digit number 50****01 Local risk
5.8.2 CDF Support in ODP
Use
This chapter discusses how to add customer defined fields (CDF) in ODP models which has BW data source.
Prerequisites
You have implemented CDF support to the master data used in the ODP model.
Procedure
To add a customer defined field in an ODP model:
1. Go to transaction RSA6, find your data source and choose Enhance Extraction Structure.
2. Enter the structure name and choose continue to create a new structure.
3. Enter the necessary fields according to the CDF definition. Make sure the field name completely matches
the CDF structure. Now the BI structure should have the newly created structure appended.
 Note
As the data source extractor always pass values according to the field name, normally this should work
and return the CDF value in the data source. If not, check if the datamart is filled with the CDF.
4. Go to the ODP modeler, open the corresponding model and update the node. The newly appended field
appears. Adjust the related settings and generate the ODP again.
For more information, see SAP NetWeaver help document at http://help.sap.com under SAP NetWeaver
SAP NetWeaver Platform SAP NetWeaver 7.3 Including Enhancement Package 1 Application Help SAP
SAP Process Control

NetWeaver Library: Function-Oriented View Search and Operational Analytics Creating Search and Analysis
Models Using the Search and Analytics Modeler Creating or Extending Search and Analysis Models
5.8.3 Search and Analytic Models
A search and analytic model reflects a business entity consisting of segments modeled via nodes. Nodes can
be connected to other nodes by means of composition or association relationships using foreign-key
dependencies.
The following structure contains both common models and product specific models.
Related Information
Search and Analytic Models (Common) [page 78]

Search and Analytic Models (PC) [page 201]
5.8.3.1 Search and Analytic Models (Common)
The following structure contains the common search and analytics models shared between Process Control
and Risk Management.
Related Information
Ad-Hoc Issue [page 79]

Business Rule [page 83]
Data Source [page 88]
Organization Unit [page 93]
Organization Hierarchy [page 117]
Policy [page 119]
Risk [page 122]
Timeframe [page 134]
Timeframe Frequency [page 157]
Timeframe Year [page 179]
SAP Process Control

5.8.3.1.1 Ad-Hoc Issue
Use
Search and Analytics Model: 0GFN_AI
This search and analytics model is used to get the ad-hoc issue data.
Technical Data
Model Usage Application Model
Software Component for Search and Analytics GRCFND_A
Root Node: GRC Ad-Hoc Issue Attributes
Technical Name 0GFN_AI_ATTR
DataSource 0GFN_AI_ATTR
Operational Data Provider: GRC Ad-Hoc Issue Attributes
Technical Name 0GFN_AI
ODP-Semantics Master Data Attributes
View Data Extraction
Direct Access Enabled Yes
Operational Data Provider: GRC Ad-Hoc Issue Text
Technical Name 0GFN_AI
ODP-Semantics Texts
SAP Process Control

Authorization Checks
Check ID ABAP Authorization Object Description
CN_IS GRFN_ODP_C GRC ODP authorization for complex ID
IELC_IS GRFN_ODP GRC ODP authorization
SP_IS GRFN_ODP GRC ODP authorization
Node Relationship: GRC Ad-Hoc Issue Text
Node 0GFN_AI_TEXT
Association
Cardinality Arbitrary
Reverse Cardinality Exactly One
Sub-query No
Foreign Key
Attribute of Parent Value Attribute of Child Value Join-Operator

Node Node
GUID GUID Equal
TF_FREQ TF_FREQ Equal
TF_YEAR TF_YEAR Equal
TIMEFRAME TIMEFRAME Equal
Node Relationship: GRC Ad-Hoc Issue Priority Text
Node 0GFN_AIPRIO.0GFN_AI_PRIORITY_TEX
Association 0GFN_AI_ATTR20GFN_AI_PRIORITY_TE
SAP Process Control

Sub-query No
Foreign Key

Node Node
AI_PRIORITY ATTR Equal
Node Relationship: GRC Ad-Hoc Issue Status Text
Node 0GFN_AI_STATUS.0GFN_AI_STATUS_TEXT
Association 0GFN_AI_ATTR20GFN_AI_STATUS_TEXT
Sub-query No
Foreign Key

Node Node
AI_STATUS ATTR Equal
Node Relationship: GRC Timeframe
Node 0GFN_TF.0GFN_TF_ATTR
Association 0GFN_AI_ATTR20GFN_TF_ATTR
Cardinality Exactly One
Reverse Cardinality Arbitrary
Sub-query No
Foreign Key
SAP Process Control

Node Node
Node Relationship: GRC Timeframe Year
Node 0GFN_TF_YEAR.0GFN_TF_YEAR
Association 0GFN_AI_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC Timeframe Year Frequency
Node 0GFN_TF_FREQ.0GFN_TF_FREQ
Association 0GFN_AI_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

5.8.3.1.2 Business Rule
Use
Search and Analytics Model: 0GFN_BR
This search and analytics model is used to get the business rule data.
Technical Data
Root Node: GRC Business Rule Attributes
Technical Name 0GFN_BR_ATTR
DataSource 0GFN_BR_ATTR
Operational Data Provider: GRC Business Rule Attribute
Technical Name 0GFN_BR
Operational Data Provider: GRC Business Rule Texts
Technical Name 0GFN_BR
ODP-Semantics Texts
SAP Process Control

EO GRFN_ODP GRC ODP authorization
Node Relationship: GRC Business Rule Texts
Node 0GFN_BR_TEXT
Association
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
Association 0GFN_BR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GFN_BR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GFN_BR_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Node Relationship: GRC Data Source Attribute
Node 0GFN_EO.0GFN_DS_ATTR
Association 0GFN_BR_ATTR20GFN_DS_ATTR
Sub-query No
Foreign Key

Node Node
EO_ID OBJID Equal
Node Relationship: GRC Business Rule Analysis Type Text
Node 0GFN_BRANTY.0GFN_BR_ANYSTYPE_TEX
Association 0GFN_BR_ANYSTYPE_TEX20GFN_BR_ATT
Sub-query No
Foreign Key

Node Node
BR_ANYSTYPE ATTR Equal
SAP Process Control

Node Relationship: GRC Business Rule Category Texts
Node 0GFN_BRCATE.0GFN_BR_CATEGORY_TEX
Association 0GFN_BR_CATEGORY_TEX20GFN_BR_ATT
Sub-query No
Foreign Key

Node Node
BR_CATEGORY ATTR Equal
Node Relationship: GRC Business Rule Status Text
Node 0GFN_BRSTAT.0GFN_BR_STATUS_TEXT
Association 0GFN_BR_STATUS_TEXT20GFN_BR_ATTR
Sub-query No
Foreign Key

Node Node
BR_STATUS ATTR Equal
Node Relationship: GRC Job Steps Attribute
Node 0GFN_JP.0GFN_JP_ATTR
SAP Process Control

Association 0GFN_JP_ATTR20GFN_BR_ATTR
Sub-query No
Foreign Key

Node Node
OBJID BR_ID Equal
5.8.3.1.3 Data Source
Use
Search and Analytics Model: 0GFN_EO
This search and analytics model is used to get the data source attributes.
Technical Data
Root Node: GRC Data Source Attribute
Technical Name 0GFN_DS_ATTR
SAP Process Control

DataSource 0GFN_DS_ATTR
Operational Data Provider: GRC Data Source Attribute
Technical Name 0GFN_EO
Operational Data Provider: GRC Data Source Texts
Technical Name 0GFN_EO
ODP-Semantics Texts
EO GRFN_ODP GRC ODP authorization
Node Relationship: GRC Data Source Texts
Node 0GFN_DS_TEXT
Association
Sub-query No
Foreign Key

Node Node
SAP Process Control

OBJID OBJID Equal
Association 0GFN_DS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GFN_DS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GFN_DS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC Data Source Sub-scenario Text
Node 0GFN_EOSUBS.0GFN_DS_SUBSCENARIO
Association 0GFN_DS_ATTR20GFN_DS_SUBSCENARIO
Sub-query No
Foreign Key

Node Node
DS_SUBSCENARIO ATTR Equal
Node Relationship: GRC Data Source Connection Type Text
Node 0GFN_EOCOTP.0GFN_DS_CONN_TYPE
SAP Process Control

Association 0GFN_DS_ATTR20GFN_DS_CONN_TYPE
Sub-query No
Foreign Key

Node Node
DS_CONNECTTYPE ATTR Equal
Node Relationship: GRC Data Source Connector Texts
Node 0GFN_EOCONN.0GFN_DS_CONNECTOR_TE
Association 0GFN_DS_ATTR20GFN_DS_CONNECTOR_T
Sub-query No
Foreign Key

Node Node
DS_CONNECTOR ATTR Equal
Node Relationship: GRC Business Rule Attribute
Node 0GFN_BR.0GFN_BR_ATTR
Association 0GFN_BR_ATTR20GFN_DS_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
OBJID EO_ID Equal
5.8.3.1.4 Organization Unit
Use
Search and Analytics Model: 0GFN_OU
This search and analytics model is used to get the organization unit attributes.
Technical Data
Root Node: GRC Organization Attributes
Technical Name 0GFN_OU_ATTR
DataSource 0GFN_OU_ATTR
Operational Data Provider: GRC Organization Attributes
SAP Process Control

Technical Name 0GFN_OU
Operational Data Provider: GRC Organization Texts
Technical Name 0GFN_OU
ODP-Semantics Texts
OU GRFN_ODP GRC ODP authorization
Node Relationship: GRC Organizations Texts
Node 0GFN_OU_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
OBJID OBJID Equal
SAP Process Control

Node Relationship: GRC Org. Unit Qualitative Appetite Texts
Node 0GFN_OUQAPP.0GFN_OU_QAPP_TEXT
Association 0GFN_OU_ATTR20GFN_OU_QAPP_TEXT
Sub-query No
Foreign Key

Node Node
OU_QUALITY_APP ATTR Equal
Node Relationship: Region (State, Province, County)
Node 0GFN_REGION.0REGION_TEXT
Association 0GFN_OU_ATTR20REGION_TEXT
Sub-query No
Foreign Key

Node Node
OU_REGION BLAND Equal
OU_REGION_CNTY LAND1 Equal
SAP Process Control

Node Relationship: Country
Node 0GFN_COUNTRY.0COUNTRY_TEXT
Association 0GFN_OU_ATTR20COUNTRY_TEXT
Sub-query No
Foreign Key

Node Node
OU_COUNTRY LAND1 Equal
Association 0GFN_OU_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GFN_OU_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GFN_OU_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC Entity Type Text
Node 0GFN_ENTTYP.0GFN_ENTTYP_TEXT
Association 0GFN_OU_ATTR20GFN_ENTTYP_TEXT
SAP Process Control

Sub-query No
Foreign Key

Node Node
ENTITY_ID ATTR Equal
Node Relationship: GRC Organization Attributes
Node 0GFN_OU.0GFN_OU_ATTR
Association 0GFN_OU_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OU_PARENT OBJID Equal
Node Relationship: Org. Unit In Scope
Node 0GPC_OUINSC.0GPC_OUINSC_TEXT
Association 0GFN_OU_ATTR20GPC_OUINSC
Sub-query No
SAP Process Control

Foreign Key

Node Node
OU_IN_SCOPE ATTR Equal
Node Relationship: Org. Unit Is Provider
Node 0GPC_OUISPR.0GPC_OUISPR_TEXT
Association 0GFN_OU_ATTR20GPC_OUISPR
Sub-query No
Foreign Key

Node Node
OU_SPROVIDER ATTR Equal
Node Relationship: GRC User Texts
Node 0GFN_USER_TEXT.0GFN_USER_TEXT
Association 0GFN_OU_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key

Node Node
SAP Process Control

OU_RESP_USER ATTR Equal
Node Relationship: Validate iELC Assessment
Node 0GFN_OUVAMC.0GFN_OUVAMC_TEXT
Association 0GFN_OU_ATTR20GFN_OUVAMC
Sub-query No
Foreign Key

Node Node
OU_VAL_EC_ASS ATTR Equal
Node Relationship: Validate iELC Effectiveness Test
Node 0GFN_OUVAMT.0GFN_OUVAMT_TEXT
Association 0GFN_OUVAMT.0GFN_OUVAMT_TEXT
Sub-query No
Foreign Key

Node Node
OU_VAL_EC_TEST ATTR Equal
SAP Process Control

Node Relationship: Retest iELC Assessment
Node 0GFN_OUREMC.0GFN_OUREMC_TEXT
Association 0GFN_OU_ATTR20GFN_OUREMC
Sub-query No
Foreign Key

Node Node
OU_RTS_EC_ASS ATTR Equal
Node Relationship: Retest iELC Effectiveness Test
Node 0GFN_OUREMT.0GFN_OUREMT_TEXT
Association 0GFN_OU_ATTR20GFN_OUREMT
Sub-query No
Foreign Key

Node Node
OU_RTS_EC_TEST ATTR Equal
Node Relationship: GRC PC Risk Coverage from all sources
Node 0GPC_RSCN.0GPC_SP_RS_CN_ALL
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC PC Subprocess Attributes
Node 0GPC_SPSRC.0GPC_SP_RS_SOURCE_AT
Association 0GPC_SP_RS_SOURCE_AT20GFN_OU_ATT
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC PC Process Attributes
Node 0GPC_PR.0GPC_PR_ATTR
Association 0GPC_PR_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC PC Control and Risk Matrix Attributes
Node 0GPC_CN_RS.0GPC_CN_RS_ATTR
Association 0GPC_CN_RS_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC PC Control Attributes
Node 0GPC_CN.0GPC_CN_ATTR
Association 0GPC_CN_ATTR20GFN_OU_ATTR_1
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC RM OU-Activity-Risk assignment
Node 0GRM_OU_AC_RS.0GRM_OU_AC_RS
Association 0GRM_OU_AC_RS20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC RM OU-Activity-Opportunity assignment
Node 0GRM_OU_AC_OR.0GRM_OU_AC_OR
Association 0GRM_OU_AC_OR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC RM OU-Activity-Opportunity-Enhancement Plan
Node 0GRM_OU_AC_OR_EP.0GRM_OU_AC_OR_RP
Association 0GRM_OU_AC_OR_RP20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC RM OU-Activity-Risk-Response assignment
Node 0GRM_OU_AC_RS_RP.0GRM_OU_AC_RS_RP
Association 0GRM_OU_AC_RS_RP20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC RM OU-Activity-Risk-Incident assignment
Node 0GRM_OU_AC_RS_IN.0GRM_OU_AC_RS_IN
Association 0GRM_OU_AC_RS_IN20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC PC Test Step Attributes
Node 0GPC_V0.0GPC_V0_ATTR
Association 0GPC_V0_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC PC Indirect Enitity-Level Control Group Attributes
Node 0GPC_EG.0GPC_EG_ATTR
Association 0GPC_EG_ATTR20GFN_OU_ATTR
Reverse Cardinality Up to One
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC PC Indirect Enitity-Level Control Attributes
Node 0GPC_EC.0GPC_EC_ATTR
Association 0GPC_EC_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Association 0GFN_JP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Sub-query No
Foreign Key

Node Node
OBJID CN_SS_OU Equal
Node Relationship: GRC RM Enhancement Plan Attributes
Node 0GRM_EP.0GRM_EP_ATTR
Association 0GRM_EP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC RM Opportunity Attributes
Node 0GRM_OR.0GRM_OR_ATTR
Association 0GRM_OR_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node 0GPC_SP.0GPC_SP_ATTR
Association 0GPC_SP_ATTR20GFN_OU_ATTR_O
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Association 0GPC_SP_ATTR20GFN_OU_ATTR_SS
Sub-query No
Foreign Key

Node Node
OBJID SP_SS_ORGUNIT Equal
Node Relationship: Hierarchy nodes
Node 0GFN_OU_HIER.HIERARCHY_ELEMENT
Association HIERARCHY_ELEMENT20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Node Relationship: GRC RM KRI (Key Risk Indicator) Values
Node 0GRM_KN_KRI_VALUES.0GRM_KN_KRI_VALUES
Association 0GRM_KN_KRI_VALUES20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC RM Activity Attributes
Node 0GRM_AC.0GRM_AC_ATTR
Association 0GRM_AC_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
SAP Process Control

Node Relationship: GRC RM Loss Attributes
Node 0GRM_IL.0GRM_IL_ATTR
Association 0GRM_IL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC RM Incident Attributes
Node 0GRM_IN.0GRM_IN_ATTR
Association 0GRM_IN_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC RM Incident-Loss-Impact Category assignment
Node 0GRM_IN_IL_IC.0GRM_IN_IL_IC
Association 0GRM_IN_IL_IC20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: GRC RM KRI Instance Attributes
Node 0GRM_KN.0GRM_KN_ATTR
Association 0GRM_KN_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

Node Relationship: GRC RM Response Attributes
Node 0GRM_RP.0GRM_RP_ATTR
Association 0GRM_RP_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node Relationship: Forecasting Horizon Analysis Attributes
Node 0GRM_W5_ATTR.0GRM_W5_ATTR
Association 0GRM_W5_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU Equal
SAP Process Control

Node Relationship: GRC RM Analysis Attributes
Node 0GRM_AL.0GRM_AL_ATTR
Association 0GRM_AL_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
Node 0GPC_M3.0GPC_CN_ATTR
Association M3 CTRL: ORGANIZATION
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
SAP Process Control

5.8.3.1.5 Organization Hierarchy
Use
Search and Analytics Model: 0GFN_OU_HIER
This search and analytics model is used to get the organization hierarchy attributes.
Technical Data
Root Node: Hierarchy header
Technical Name HIERARCHY_HEADER
DataSource 0GFN_OU_GFNH_HIER
Node Relationship: Hierarchy nodes
Node HIERARCHY_ELEMENT
Association
Sub-query Yes
Foreign Key
SAP Process Control

Node Node
HEADERID HEADERID Equal
Node Relationship: Node texts
Node HIERARCHY_FOLDERTEXT
Association
Sub-query No
Foreign Key

Node Node
FOLDERNAME FOLDERNAME Equal
Association HIERARCHY_ELEMENT20GFN_OU_ATTR
Cardinality Up to One
Sub-query No
Foreign Key
SAP Process Control

Node Node
OBJID OBJID Equal
Node Relationship: Header texts
Node HIERARCHY_HEADERTEXT
Association
Sub-query No
Foreign Key

Node Node
5.8.3.1.6 Policy
Use
Search and Analytics Model: 0GFN_PO
This search and analytics model is used to get the policy data.
SAP Process Control

Technical Data
Root Node: GRC Policy Attributes
Technical Name 0GFN_PO_ATTR
DataSource 0GFN_PO_ATTR
Operational Data Provider: GRC Policy Attributes
Technical Name 0GFN_PO
Operational Data Provider: GRC Policy Text
Technical Name 0GFN_PO
ODP-Semantics Texts
PO GRFN_ODP_E GRC ODP authorization for entity level
Node Relationship: GRC Policy Text
Node 0GFN_PO_TEXT
SAP Process Control

Association
Sub-query No
Foreign Key

Node Node
GUID GUID Equal
Node Relationship: GRC Policy Category Text
Node 0GFN_POCATEG.0GFN_PO_CATEG_TEXT
Association 0GFN_PO_ATTR20GFN_PO_CATEG_TEXT
Sub-query No
Foreign Key

Node Node
PO_POLICY_CATEG ATTR Equal
Node Relationship: GRC Policy Status Text
Node 0GFN_POSTATUS.0GFN_PO_STATUS_TEXT
SAP Process Control

Association 0GFN_PO_ATTR20GFN_PO_STATUS_TEXT
Sub-query No
Foreign Key

Node Node
PO_POLICY_STATUS ATTR Equal
Node Relationship: GRC Policy Type Text
Node 0GFN_POTYPE.0GFN_PO_TYPE_TEXT
Association 0GFN_PO_ATTR20GFN_PO_TYPE_TEXT
Sub-query No
Foreign Key

Node Node
PO_POLICY_TYPE ATTR Equal
5.8.3.1.7 Risk
Use
Search and Analytics Model: 0GFN_RS
This search and analytics model is used to get the risk data.
SAP Process Control

Technical Data
Root Node: GRC Risk Attributes
Technical Name 0GFN_RS_ATTR
DataSource 0GFN_RS_ATTR
Operational Data Provider: GRC Risk Attributes
Technical Name 0GFN_RS
Operational Data Provider: GRC Risk Texts
Technical Name 0GFN_RS
ODP-Semantics Texts
RS GRFN_ODP_C GRC ODP authorization for complex ID
Node Relationship: GRC Risk Texts
Node 0GFN_RS_TEXT
SAP Process Control

Association
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
Node Relationship: GRC RM Risk Level Texts
Node 0GRM_RSL.0GRM_RSL_TEXT
Association 0GFN_RS_ATTR20GRM_RSL_TEXT
Sub-query No
Foreign Key

Node Node
RS_RSA_RSL ATTR Equal
Node Relationship: GRC Risk Status Texts
Node 0GFN_RSSTAT.0GFN_RS_STATUS_TEXT
Association 0GFN_RS_ATTR20GFN_RS_STATUS_TEXT
SAP Process Control

Sub-query No
Foreign Key

Node Node
RS_STATUS ATTR Equal
Association 0GFN_RS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GFN_RS_ATTR20GFN_TF_YEAR
Sub-query No
SAP Process Control

Foreign Key

Node Node
Association 0GFN_RS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC RM Probability Level Texts
Node 0GRM_PBL.0GRM_PBL_TEXT
Association 0GFN_RS_ATTR20GRM_PBL_TEXT
Sub-query No
Foreign Key

Node Node
SAP Process Control

RS_RSA_PRL ATTR Equal
Association 0GFN_RS_ATTR20GPC_SP_RS_CN_ALL
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GPC_CN_RS_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_RP
Sub-query No
Foreign Key

Node Node
SAP Process Control

RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_OU_AC_RS_IN
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_KN_KRI_VALUES
Sub-query No
Foreign Key
SAP Process Control

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_IL_ATTR
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_IN_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_IN_IL_IC
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_KN_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
RS_ID RS_ID Equal
Association 0GFN_RS_ATTR20GRM_RP_ATTR
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
Node Relationship: Forecasting Horizon Analysis Attributes
Node 0GRM_W5_ATTR.0GRM_W5_ATTR
Association 0GFN_RS_ATTR20GRM_W5_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
RS_ID RS Equal
Association 0GFN_RS_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key

Node Node
RS_RESP_USER ATTR Equal
Association 0GRM_AL_ATTR20GFN_RS_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
RS_ID RS_ID Equal
5.8.3.1.8 Timeframe
Use
Search and Analytics Model: 0GFN_TF
This search and analytics model is used to get the timeframe attributes.
Technical Data
Root Node: GRC Timeframe
Technical Name 0GFN_TF_ATTR
DataSource 0GFN_TF_ATTR
Operational Data Provider: GRC Timeframe
Technical Name 0GFN_TF
SAP Process Control

Operational Data Provider: GRC Timeframe Texts
Technical Name 0GFN_TF
ODP-Semantics Texts
Node Relationship: GRC Timeframe Texts
Node 0GFN_TF_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
Node Relationship: Organization Attributes for Enterprise Search
Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH
Association 0GFN_OU_ATTR_ESH20GFN_TF_TEXT
Sub-query No
Foreign Key
SAP Process Control

Node Node
Node Relationship: PC Control Objective Attributes
Node 0GPC_COBJ.0GPC_COBJ_ATTR
Association 0GPC_COBJ_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC FS Account Group Attributes
Node 0GPC_AG.0GPC_AG_ATTR
Association 0GPC_AG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Node Relationship: GRC PC Indirect Entity-Level Control Attributes
Association 0GPC_EC_ATTR20GFN_TF_ATTR_1
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC Test Plan Attributes
Node 0GPC_TP.0GPC_TP_ATTR
Association 0GPC_TP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GFN_OU_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GFN_BR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Testing (Testlog) Attributes
Node 0GPC_TL.0GPC_TL_ATTR
Association 0GPC_TL_ATTR20GFN_TF_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GFN_DS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC RM Central Opportunity Texts
Node 0GRM_OC.0GRM_OC_TEXT
Association 0GRM_OC_TEXT20GFN_TF_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GRM_OR_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_OU_AC_OR_RP20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_RS_IN20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_OU_AC_RS_RP20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_KN_KRI_VALUES20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_IN_IL_IC20GFN_TF_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Regulation
Node 0GPC_RE.0GPC_RE
Association 0GPC_RE20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Indirect Entity-Level Control Attributes All Regs
Node 0GPC_EC_REG.0GPC_EC_ATTR_ALL_REG
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_ATT
Sub-query No
Foreign Key
SAP Process Control

Node Node
Node Relationship: GRC Organizations Attributes All Regulations
Node 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_ATT
Sub-query No
Foreign Key

Node Node
Association 0GPC_EG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Node Relationship: GRC RM Risk Category (Risk Group)
Node 0GRM_RG.0GRM_RG_ATTR
Association 0GRM_RG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_EP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Assessment Attributes
Node 0GPC_AS.0GPC_AS_ATTR
SAP Process Control

Association 0GPC_AS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_ATTR20GFN_TF_ATTR_1
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Control Attributes All Regulations
Node 0GPC_CN_REG.0GPC_CN_ATTR_ALL_REG
Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_ATT
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_RS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association M3 CTRL: TIMEFRAME
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GPC_V0_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC Ad-Hoc Issue Attributes
Node 0GFN_AI.0GFN_AI_ATTR
Association 0GFN_AI_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node 0GPC_H2E.0GPC_EC_ATTR
Association H2E IELC: TIMEFRAME
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_AC_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_IL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_IN_ATTR20GFN_TF_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Node Relationship: GRC RM Activity Category Attributes
Node 0GRM_CA.0GRM_CA_ATTR
Association 0GRM_CA_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GRM_KN_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GRM_RP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC RM KRI Template Attributes
Node 0GRM_KT.0GRM_KT_ATTR
Association 0GRM_KT_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_OU_AC_OR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC RM Opportunity Category Attributes
Node 0GRM_OG.0GRM_OG_ATTR
Association 0GRM_OG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Remediation Plan Attributes
Node 0GPC_PL.0GPC_PL_ATTR
SAP Process Control

Association 0GPC_PL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC RM Org. Unit Objective Attributes
Node 0GRM_OB.0GRM_OB_ATTR
Association 0GRM_OB_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC Risk Attributes
Node 0GFN_RS.0GFN_RS_ATTR
Association 0GFN_RS_ATTR20GFN_TF_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GRM_AL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node 0GPC_F5.0GPC_TL_ATTR
Association F5 TESTLOG: TIMEFRAME
Sub-query No
Foreign Key
SAP Process Control

Node Node
Node Relationship: GRC PC Issue Attributes
Node 0GPC_IS.0GPC_IS_ATTR
Association 0GPC_IS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Account Group Assertion Attributes
Node 0GPC_AG_ASSERTION.0GPC_V9_ATTR
Association 0GPC_V9_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

5.8.3.1.9 Timeframe Frequency
Use
Search and Analytics Model: 0GFN_TF_FREQ
This search and analytics model is used to get the timeframe frequency attributes.
Technical Data
Root Node: GRC Timeframe Year Frequency
Technical Name 0GFN_TF_FREQ
DataSource 0GFN_TF_FREQ
Operational Data Provider: GRC Timeframe Year Frequency
Operational Data Provider: GRC Timeframe Frequency Texts
ODP-Semantics Texts
SAP Process Control

Node Relationship: GRC Timeframe Frequency Texts
Node 0GFN_TFFRQ_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
Node Relationship: GRC PC Control Objective Attributes
Association 0GPC_COBJ_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_AG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_EC_ATTR20GFN_TF_FREQ_1
Sub-query No
Foreign Key

Node Node
Association 0GPC_TP_ATTR20GFN_TF_FREQ
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GFN_OU_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GFN_BR_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GPC_TL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GFN_DS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_OR_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_OR_RP20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_AC_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_RS20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_RS_IN20GFN_TF_FREQ
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_RS_RP20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_KN_KRI_VALUES20GFN_TF_FREQ
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GRM_KT_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_CA_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_IN_IL_IC20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_RE20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key

Node Node
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key

Node Node
Association 0GPC_EG_ATTR20GFN_TF_FREQ
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GRM_RG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_OC_TEXT20GFN_TF_FREQ
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GRM_EP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_AS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_CN_ATTR20GFN_TF_FREQ_1
Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_CN_RS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association M3 CTRL: TIMEFRAME FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_V0_ATTR20GFN_TF_FREQ
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GFN_AI_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_SP_RS_CN_ALL20GFN_TF_FREQ
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association H2E IELC: TIMEFRAME FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_IL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_IN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_KN_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_RP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_OR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_OG_ATTR20GFN_TF_FREQ
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GPC_PL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_OB_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GFN_RS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GRM_AL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association F5 TESTLOG: FREQUENCY
Sub-query No
Foreign Key

Node Node
Association 0GPC_IS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_V9_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
5.8.3.1.10 Timeframe Year
Use
Search and Analytics Model: 0GFN_TF_YEAR
This search and analytics model is used to get the timeframe year attributes.
Technical Data
Root Node: GRC Timeframe Year
Technical Name 0GFN_TF_YEAR
DataSource 0GFN_TF_YEAR
Operational Data Provider: GRC Timeframe Year
SAP Process Control

Technical Name 0GFN_TF_YEAR
Association 0GPC_COBJ_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_AG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_EC_ATTR20GFN_TF_YEAR_1
Sub-query No
Foreign Key

Node Node
Association 0GPC_TP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GFN_OU_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GFN_BR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_TL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GFN_DS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_OC_TEXT20GFN_TF_YEAR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GRM_OR_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_OR_RP20GFN_TF_YEAR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GRM_OU_AC_RS20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_RS_IN20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_OU_AC_RS_RP20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_KN_KRI_VALUES20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_IN_IL_IC20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_RE20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_YEA
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_YEA
Sub-query No
Foreign Key

Node Node
Association 0GPC_EG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GRM_RG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_EP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_AS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_ATTR20GFN_TF_YEAR_1
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_CN_ATTR_ALL_REG20GFN_TF_YEA
Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_RS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association M3 CTRL: TIMEFRAME YEAR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GPC_V0_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GFN_AI_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GPC_SP_RS_CN_ALL20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association H2E IELC: TIMEFRAME YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_AC_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Node Relationship: Organization Attributes for Enterprise Search
Node 0GFN_OU_ESH.0GFN_OU_ATTR_ESH
Association 0GFN_OU_ATTR_ESH20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_IL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_IN_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_CA_ATTR20GFN_TF_YEAR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GRM_KN_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_RP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GRM_KT_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_OU_AC_OR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_OG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_PL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GRM_OB_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GFN_RS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GRM_AL_ATTR20GFN_TF_YEAR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association F5 TESTLOG: YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_IS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GPC_V9_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
5.8.3.2 Search and Analytic Models (PC)
The following structure contains search and analytics models used in Process Control.
5.8.3.2.1 Account Group
Use
Search and Analytics Model: 0GPC_AG
This search and analytics model is used to get the account group data.
SAP Process Control

Technical Data
Root Node: GRC PC FS Account Group Attributes
Technical Name 0GPC_AG_ATTR
DataSource 0GPC_AG_ATTR
Operational Data Provider: GRC PC FS Account Group Attributes
Technical Name 0GPC_AG
Operational Data Provider: GRC PC FS Account Group Texts
Technical Name 0GPC_AG
ODP-Semantics Texts
AG2 GRFN_ODP GRC ODP authorization
Node Relationship: GRC PC FS Account Group Texts
Node 0GPC_AG_TEXT
SAP Process Control

Association
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
Association 0GPC_AG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GPC_AG_ATTR20GFN_TF_YEAR
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GPC_AG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_SP_RS_CN_ALL20GPC_AG_ATTR
Sub-query No
SAP Process Control

Foreign Key

Node Node
OBJID AG_ID Equal
5.8.3.2.2 Assessment
Use
Search and Analytics Model: 0GPC_AS
This search and analytics model is used to get the assessment data.
Technical Data
Root Node: GRC PC Assessment Attributes
Technical Name 0GPC_AS_ATTR
DataSource 0GPC_AS_ATTR
Operational Data Provider: GRC PC Assessment Attributes
Technical Name 0GPC_AS
SAP Process Control

Operational Data Provider: GRC PC Assessment Texts
Technical Name 0GPC_AS
ODP-Semantics Texts
CN_AS GRFN_ODP_C GRC ODP authorization for complex ID
IELC_AS GRFN_ODP GRC ODP authorization
SP_AS GRFN_ODP GRC ODP authorization
Node Relationship: GRC PC Assessment Texts
Node 0GPC_AS_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
GUID GUID Equal
SAP Process Control

Node Relationship: GRC Rating Texts
Node 0GFN_RATING_TEXT.0GFN_RATING_TEXT
Association 0GPC_AS_ATTR20GFN_RATING_TEXT
Sub-query Yes
Foreign Key

Node Node
AS_RATING ATTR Equal
Node Relationship: Remediation Plan Carry Forward Status Text
Node 0GPC_PL_CF_T.0GPC_PL_CF_T
Association 0GPC_AS_ATTR20GPC_PL_CF_T
Sub-query Yes
Foreign Key

Node Node
AS_CF_STATUS ATTR Equal
SAP Process Control

Association 0GPC_AS_ATTR20GPC_RE
Sub-query Yes
Foreign Key

Node Node
AS_RE OBJID Equal
Association 0GPC_AS_ATTR20GPC_EC_ATTR_ALL_RE
Sub-query Yes
Foreign Key

Node Node
AS_RE RE_ID Equal
EC_ID OBJID Equal
SAP Process Control

Association 0GPC_AS_ATTR20GPC_CN_ATTR_ALL_RE
Sub-query Yes
Foreign Key

Node Node
AS_RE RE_ID Equal
CN_ID OBJID Equal
Association 0GPC_AS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_AS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_AS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_AS_ATTR20GFN_PROCESSOR
Sub-query No
Foreign Key

Node Node
AS_PROCESSOR ATTR Equal
Association 0GPC_AS_ATTR20GFN_REPORTER
Sub-query No
Foreign Key

Node Node
AS_RESP_USER ATTR Equal
Node Relationship: GRC Status Texts
Node 0GFN_STATUS_TEXT.0GFN_STATUS_TEXT
Association 0GPC_AS_ATTR20GFN_STATUS_TEXT
SAP Process Control

Sub-query No
Foreign Key

Node Node
AS_STATUS ATTR Equal
Node Relationship: GRC PC Assessment Category Texts
Node 0GPC_AS_CAT.ASSESSMENT_CATEGORY
Association 0GPC_AS_ATTR2ASSESSMENT_CATEGORY
Sub-query No
Foreign Key

Node Node
AS_CATEGORY ATTR Equal
Node Relationship: GRC PC Evaluation Type Texts
Node 0GPC_EVLTYP.0GPC_EVLTYP_TEXT
Association 0GPC_AS_ATTR20GPC_EVLTYP_TEXT
Sub-query No
Foreign Key
SAP Process Control

Node Node
AS_EVALTYP ATTR Equal
Association 0GPC_PL_ATTR20GPC_AS_ATTR
Sub-query No
Foreign Key

Node Node
GUID AS_ID Equal
Node Relationship: GRC PC Cases
Node 0GPC_CASES.0GPC_CASES
Association 0GPC_CASES20GPC_AS_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
GUID AS_GUID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_AS_ATT
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
AS_RE RE_ID Equal
Node Relationship: GRC PC Subprocess Attributes All Regulations
Node 0GPC_SP_REG.0GPC_SP_ATTR_ALL_REG
Association 0GPC_SP_ATTR_ALL_REG20GPC_AS_ATT
SAP Process Control

Sub-query No
Foreign Key

Node Node
SP_ID OBJID Equal
AS_RE RE_ID Equal
Association 0GPC_IS_ATTR20GPC_AS_ATTR_1
Sub-query No
Foreign Key

Node Node
GUID AS_ID Equal
SAP Process Control

5.8.3.2.3 Control
Use
Search and Analytics Model: 0GPC_CN
This search and analytics model is used to get the control data.
Technical Data
Root Node: GRC PC Control Attributes
Technical Name 0GPC_CN_ATTR
DataSource 0GPC_CN_ATTR
Operational Data Provider: GRC PC Control Attributes
Technical Name 0GPC_CN
Operational Data Provider: GRC PC Control Texts
Technical Name 0GPC_CN
ODP-Semantics Texts
SAP Process Control

CN GRFN_ODP_C GRC ODP authorization for complex ID
Node Relationship: GRC PC Control Texts
Node 0GPC_CN_TEXT2
Association
Sub-query Yes
Foreign Key

Node Node
CN_ID CN_ID Equal
Node Relationship: GRC PC Control Category Texts
Node 0GPC_CNCATE.0GPC_CNCATE_TEXT
Association 0GPC_CN_ATTR20GPC_CNCATE_TEXT
Sub-query Yes
Foreign Key
SAP Process Control

Node Node
CN_CATEOGRY ATTR Equal
Node Relationship: GRC PC Test Plan Attributes
Association 0GPC_CN_ATTR20GPC_TP_ATTR
Sub-query Yes
Foreign Key

Node Node
CN_TEST_PLAN OBJID Equal
Node Relationship: GRC PC Control Automation Texts
Node 0GPC_CNAUTO.0GPC_CN_AUTOM_TEXT
Association 0GPC_CN_ATTR20GPC_CN_AUTOM_TEXT
Sub-query Yes
Foreign Key
SAP Process Control

Node Node
CN_AUTOM ATTR Equal
Node Relationship: GRC PC Control - Level of Evidence Texts
Node 0GPC_CNEVID.0GPC_CN_EVIDENCE_TEX
Association 0GPC_CN_ATTR20GPC_CN_EVIDENCE_TE
Sub-query Yes
Foreign Key

Node Node
CN_EVIDENCE ATTR Equal
Node Relationship: GRC PC Control Group Texts
Node 0GPC_CNGRP.0GPC_CN_CNGROUP_TEXT
Association 0GPC_CN_ATTR20GPC_CN_CNGROUP_TEX
Sub-query Yes
Foreign Key

Node Node
CN_CNGROUP ATTR Equal
SAP Process Control

Node Relationship: GRC PC Control Nature Texts
Node 0GPC_CNNATU.0GPC_CN_NATURE_TEXT
Association 0GPC_CN_ATTR20GPC_CN_NATURE_TEXT
Sub-query Yes
Foreign Key

Node Node
CN_NATURE ATTR Equal
Node Relationship: GRC PC Control Purpose Texts
Node 0GPC_CNPURP.0GPC_CN_PURP_TEXT
Association 0GPC_CN_ATTR20GPC_CN_PURP_TEXT1
Sub-query Yes
Foreign Key

Node Node
CN_PURP ATTR Equal
Node Relationship: GRC PC Control Testing Technique Texts
Node 0GPC_CNTTEC.0GPC_CN_TTECH_TEXT
SAP Process Control

Association 0GPC_CN_ATTR20GPC_CN_TTECH_TEXT1
Sub-query Yes
Foreign Key

Node Node
CN_TTECH ATTR Equal
Node Relationship: GRC PC Control Significance Texts
Node 0GPC_CN_SIG.0GPC_CN_SIG_TEXT
Association 0GPC_CN_ATTR20GPC_CN_SIG_TEXT1
Sub-query Yes
Foreign Key

Node Node
CN_SIG ATTR Equal
Node Relationship: GRC PC Control Test Automation Texts
Node 0GPC_CNTAUT.0GPC_CN_TSTAUT_TEXT
Association 0GPC_CN_ATTR20GPC_CN_TSTAUT_TEXT
SAP Process Control

Sub-query Yes
Foreign Key

Node Node
CN_TSTAUT ATTR Equal
Node Relationship: GRC PC Control Date/Event Driven Texts
Node 0GPC_CNDTEV.0GPC_CN_DTEVT_TEXT
Association 0GPC_CN_ATTR20GPC_CN_DTEVT_TEXT1
Sub-query Yes
Foreign Key

Node Node
CN_DTEVT ATTR Equal
Node Relationship: GRC PC Subprocess Texts
Association 0GPC_CN_ATTR20GPC_SP_ATTR1
Sub-query Yes
Foreign Key
SAP Process Control

Node Node
SP_ID OBJID Equal
Association CONTROL: OWNER NAME
Sub-query Yes
Foreign Key

Node Node
CN_RESP_USER ATTR Equal
Node Relationship: GRC PC Control Risk ID Texts
Node 0GPC_CNCNRS.0GPC_CN_CNTR_RISK_T
Association CONTROL: RISK TEXT
Sub-query Yes
Foreign Key
SAP Process Control

Node Node
CN_CNTR_RISK ATTR Equal
Node Relationship: GRC Organizations Attributes
Sub-query Yes
Foreign Key

Node Node
OU_ID OBJID Equal
Association 0GPC_CN_ATTR20GPC_CN_ATTR
Sub-query Yes
Foreign Key
SAP Process Control

Node Node
CN_SS_CN CN_ID Equal
Sub-query Yes
Foreign Key

Node Node
CN_SS_OU OBJID Equal
Node Relationship: GRC PC Control Maturity Target Texts
Node 0GPC_CNMATA.0GPC_CN_MATAR_TEXT
Association 0GPC_CN_ATTR20GPC_CN_MATAR_TEXT
Sub-query Yes
Foreign Key
SAP Process Control

Node Node
CN_MATAR ATTR Equal
Node Relationship: GRC Entity Type Texts
Association 0GPC_CN_ATTR20GFN_ENTTYP_TEXT
Sub-query Yes
Foreign Key

Node Node
Node Relationship: GRC PC Control Origin Texts
Node 0GPC_CNORIG.0GPC_CN_ORIGIN_TEXT
Association 0GPC_CN_ATTR20GPC_CN_ORIGIN_TEXT
Sub-query Yes
Foreign Key

Node Node
CN_ORIGIN ATTR Equal
SAP Process Control

Node Relationship: Control To Be Tested
Node 0GPC_CNTBTS.0GPC_CNTBTS_TEXT
Association 0GPC_CN_ATTR20GPC_CNTBTS_TEXT
Sub-query Yes
Foreign Key

Node Node
CN_TEST ATTR Equal
Node Relationship: GRC Flag Texts
Node 0GPC_CNALREF.0GFN_CNALREF_TEXT
Association 0GPC_CN_ATTR20GFN_CNALREF_TEXT
Sub-query Yes
Foreign Key

Node Node
CN_ALLOW_REFER ATTR Equal
Node 0GPC_CNISCN.0GPC_CNISCN_TEXT
SAP Process Control

Association 0GPC_CN_ATTR20GPC_CNISCN_TEXT
Sub-query Yes
Foreign Key

Node Node
CN_IS_CONTROL ATTR Equal
Association 0GPC_CN_ATTR20GFN_TF_YEAR_1
Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_ATTR20GFN_TF_ATTR_1
SAP Process Control

Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_ATTR20GFN_TF_FREQ_1
Sub-query No
Foreign Key

Node Node
Association 0GPC_SP_RS_CN_ALL20GPC_CN_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
CN_ID CN_ID Equal
Association 0GPC_CN_RS_ATTR20GPC_CN_ATTR
Sub-query No
Foreign Key

Node Node
CN_ID CN_ID Equal
Association 0GPC_CASES20GPC_CN_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
CN_ID CN_ID Equal
Association 0GPC_V0_ATTR20GPC_CN_ATTR
Sub-query No
Foreign Key

Node Node
CN_ID CN_ID Equal
Association 0GFN_JP_ATTR20GPC_CN_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
CN_ID CN_ID Equal
5.8.3.2.4 Control and Risk Matrix
Use
Search and Analytics Model: 0GPC_CN_RS
This search and analytics model is used to get the control and risk matrix data.
Technical Data
Root Node: GRC PC Control and Risk Matrix Attributes
Technical Name 0GPC_CN_RS_ATTR
DataSource 0GPC_CN_RS_ATTR
Operational Data Provider: GRC PC Control and Risk Matrix Attributes
Technical Name 0GPC_CN_RS
SAP Process Control

CN_CN_RS GRFN_ODP_C GRC ODP Autorization for complex ID
OU_CN_RS GRFN_ODP GRC ODP Autorization
PR_CN_RS GRFN_ODP GRC ODP Autorization
RS_CN_RS GRFN_ODP_C GRC ODP Autorization for complex ID
SP_CN_RS GRFN_ODP GRC ODP Autorization
Association 0GPC_CN_RS_ATTR20GPC_SP_ATTR
Sub-query Yes
Foreign Key

Node Node
SP_ID OBJID Equal
SAP Process Control

Association 0GPC_CN_RS_ATTR20GFN_OU_ATTR
Sub-query Yes
Foreign Key

Node Node
OU_ID OBJID Equal
Node Relationship: GRC Process Attributes
Association 0GPC_CN_RS_ATTR20GPC_PR_ATTR
Sub-query Yes
Foreign Key

Node Node
PR_ID OBJID Equal
SAP Process Control

Association 0GPC_CN_RS_ATTR20GPC_CN_ATTR
Sub-query Yes
Foreign Key

Node Node
CN_ID CN_ID Equal
Association 0GPC_CN_RS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_CN_RS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_RS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GFN_RS_ATTR20GPC_CN_RS_ATTR
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
5.8.3.2.5 Control Objective
Use
Search and Analytics Model: 0GPC_COBJ
This search and analytics model is used to get the control objective data.
Technical Data
Root Node: GRC PC Control Objective Attributes
Technical Name 0GPC_COBJ_ATTR
SAP Process Control

DataSource 0GPC_COBJ_ATTR
Operational Data Provider: GRC PC Control Objective Attributes
Technical Name 0GPC_COBJ
Operational Data Provider: GRC PC Control Objective Tests
Technical Name 0GPC_COBJ
ODP-Semantics Texts
COBJ GRFN_ODP GRC ODP Autorization
Node Relationship: GRC PC Control Objective Texts
Node 0GPC_COBJ_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
SAP Process Control

OBJID OBJID Equal
Association 0GPC_COBJ_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GPC_COBJ_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_COBJ_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Node Relationship: GRC PC Control Objective Category Texts
Node 0GPC_COBJCG.0GPC_COBJ_OBJCAT_TEX
Association 0GPC_COBJ_ATTR20GPC_COBJ_OBJCAT_
Sub-query No
Foreign Key

Node Node
CO_OBJCAT ATTR Equal
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GPC_COBJ_ATTR
Sub-query No
Foreign Key

Node Node
OBJID CO_ID Equal
5.8.3.2.6 Control Risk Coverage
Use
Search and Analytics Model: 0GPC_RSCN
This search and analytics model is used to get the PC control risk coverage data.
Technical Data
SAP Process Control

Root Node: GRC PC Risk Coverage from all sources
Technical Name 0GPC_SP_RS_CN_ALL
DataSource 0GPC_SP_RS_CN_ALL
Operational Data Provider: GRC PC Risk Coverage from all sources
Technical Name 0GPC_RSCN
Association 0GPC_SP_RS_CN_ALL20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GPC_SP_ATTR
Sub-query No
Foreign Key

Node Node
SP_ID OBJID Equal
Association 0GPC_SP_RS_CN_ALL20GPC_CN_ATTR
Sub-query No
Foreign Key

Node Node
CN_ID CN_ID Equal
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GPC_COBJ_ATTR
Sub-query No
Foreign Key

Node Node
CO_ID OBJID Equal
Node Relationship: GRC PC FS Assertion Texts
Node 0GPC_ASS.0GPC_ASS_TEXT
Association 0GPC_SP_RS_CN_ALL20GPC_ASS_TEXT
Sub-query No
Foreign Key

Node Node
ASS_ID ATTR Equal
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GPC_AG_ATTR
Sub-query No
Foreign Key

Node Node
AG_ID OBJID Equal
Association 0GPC_SP_RS_CN_ALL20GPC_SP_RS_SOU
Sub-query No
Foreign Key

Node Node
SOURCE_SP_ID OBJID Equal
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GFN_ENTTYP_TE
Sub-query No
Foreign Key

Node Node
SOURCE_TYPE ATTR Equal
Association 0GFN_RS_ATTR20GPC_SP_RS_CN_ALL
Sub-query No
Foreign Key

Node Node
RS_ID RS_ID Equal
SAP Process Control

5.8.3.2.7 IELC Control
Use
Search and Analytics Model: 0GPC_EC
This search and analytics model is used to get the GRC indirect entity-level control (IELC) data.
Technical Data
Root Node: GRC PC Indirect Entity-Level Control Attributes
Technical Name 0GPC_EC_ATTR
DataSource 0GPC_EC_ATTR
Operational Data Provider: GRC PC Indirect Entity-Level Control Attributes
Technical Name 0GPC_EC
Operational Data Provider: GRC PC Indirect Entity-Level Control Texts
Technical Name 0GPC_EC
ODP-Semantics Texts
SAP Process Control

EC GRFN_ODP GRC ODP Autorization
EG GRFN_ODP GRC ODP Autorization
Node Relationship: GRC PC Indirect Entity-Level Control Texts
Node 0GPC_EC_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
OBJID OBJID Equal
Association 0GPC_EC_ATTR20GFN_TF_ATTR_1
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GPC_EC_ATTR20GFN_TF_FREQ_1
Sub-query No
Foreign Key

Node Node
Association 0GPC_EC_ATTR20GFN_TF_YEAR_1
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_EC_ATTR20GPC_EG_ATTR
Sub-query No
Foreign Key

Node Node
EG_ID OBJID Equal
Association 0GPC_EC_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
SAP Process Control

Association 0GPC_EC_ATTR20GPC_TP_ATTR
Sub-query No
Foreign Key

Node Node
EC_TEST_PLAN OBJID Equal
Association IELC AS RATING: TEXT
Sub-query No
Foreign Key

Node Node
RATING_MC ATTR Equal
SAP Process Control

Association IELC TL RATING: TEXT
Sub-query No
Foreign Key

Node Node
RATING_MT ATTR Equal
Association IELC AS STATUS: TEXT
Sub-query No
Foreign Key

Node Node
STATUS_MC ATTR Equal
SAP Process Control

Association IELC TL STATUS: TEXT
Sub-query No
Foreign Key

Node Node
STATUS_MT ATTR Equal
Association IELC AS EVALUATION TYPE TEXT
Sub-query No
Foreign Key

Node Node
EVALTYP_MC ATTR Equal
Association IELC TL EVALUATION TYPE TEXT
SAP Process Control

Sub-query No
Foreign Key

Node Node
EVALTYP_MT ATTR Equal
Association 0GPC_EC_ATTR20GFN_ENTTYP_TEXT
Sub-query No
Foreign Key

Node Node
Node Relationship: Indirect Entity-Level Control To be Tested
Node 0GPC_ECTBTE.0GPC_ECTBTE_TEXT
Association 0GPC_EC_ATTR20GPC_ECTBTE
Sub-query No
Foreign Key
SAP Process Control

Node Node
EC_TB_TESTED ATTR Equal
Association 0GPC_V0_ATTR20GPC_EC_ATTR
Sub-query No
Foreign Key

Node Node
OBJID EC_ID Equal
5.8.3.2.8 Indirect ELC Group
Use
Search and Analytics Model: 0GPC_EG
This search and analytics model is used to get the indirect entity-level control (IELC) group data.
SAP Process Control

Technical Data
Root Node: GRC PC Indirect Enitity-Level Control Group Attributes
Technical Name 0GPC_EG_ATTR
DataSource 0GPC_EG_ATTR
Operational Data Provider: GRC PC Indirect Enitity-Level Control Group Attributes
Technical Name 0GPC_EG
Operational Data Provider: GRC PC Indirect Enitity-Level Control Group Texts
Technical Name 0GPC_EG
ODP-Semantics Texts
EC GRFN_ODP GRC ODP Autorization
EG GRFN_ODP GRC ODP Autorization
SAP Process Control

Node Relationship: GRC PC Indirect Enitity-Level Control Group Texts
Node 0GPC_EG_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
OBJID OBJID Equal
Association 0GPC_EG_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_EG_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_EG_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_EG_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
Association 0GPC_EC_ATTR20GPC_EG_ATTR
Sub-query No
Foreign Key

Node Node
OBJID EG_ID Equal
SAP Process Control

5.8.3.2.9 Issue
Use
Search and Analytics Model: 0GPC_IS
This search and analytics model is used to get the issue data.
Technical Data
Root Node: GRC PC Issue Attributes
Technical Name 0GPC_IS_ATTR
DataSource 0GPC_IS_ATTR
Operational Data Provider: GRC PC Issue Attributes
Technical Name 0GPC_IS
Operational Data Provider: GRC PC Issue Texts
Technical Name 0GPC_IS
ODP-Semantics Texts
SAP Process Control

CN_IS GRFN_ODP_C GRC ODP authorization for complex ID
IELC_IS GRFN_ODP GRC ODP authorization
SP_IS GRFN_ODP GRC ODP authorization
Node Relationship: GRC PC Issue Texts
Node 0GPC_IS_TEXT
Association
Sub-query No
Foreign Key

Node Node
GUID GUID Equal
Association ISSUE PROCESSOR
Sub-query No
SAP Process Control

Foreign Key

Node Node
IS_PROCESSOR ATTR Equal
Node Relationship: GRC PC Priority Texts
Node 0GPC_PRIORITY_TEXT.0GPC_PRIORITY_TEXT
Association 0GPC_IS_ATTR20GPC_PRIORITY_TEXT
Sub-query No
Foreign Key

Node Node
IS_PRIORITY ATTR Equal
Node Relationship: GRC PC Issue Category Texts
Node 0GPC_IS_CATEGORY_TEX.0GPC_IS_CATEGORY_TEX
Association 0GPC_IS_ATTR20GPC_IS_CATEGORY_TE
Sub-query No
Foreign Key

Node Node
SAP Process Control

IS_CATEGORY ATTR Equal
Association 0GPC_IS_ATTR20GFN_STATUS_TEXT
Sub-query No
Foreign Key

Node Node
IS_STATUS ATTR Equal
Association 0GPC_IS_ATTR20GPC_PR_ATTR
Sub-query No
Foreign Key

Node Node
PR_ID OBJID Equal
SAP Process Control

Association ISSUE REPORT BY
Sub-query No
Foreign Key

Node Node
IS_RESP_USER ATTR Equal
Association 0GPC_IS_ATTR20GPC_TL_ATTR_1
Sub-query Yes
Foreign Key

Node Node
TL_ID GUID Equal
SAP Process Control

Association 0GPC_IS_ATTR20GPC_AS_ATTR_1
Sub-query Yes
Foreign Key

Node Node
AS_ID GUID Equal
Association 0GPC_IS_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_IS_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_IS_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_PL_ATTR20GPC_IS_ATTR
Sub-query No
Foreign Key

Node Node
GUID IS_ID Equal
Association 0GPC_CASES20GPC_IS_ATTR
Sub-query No
Foreign Key

Node Node
GUID IS_GUID Equal
SAP Process Control

Node Relationship: GRC Control Attributes All Regulations
Association 0GPC_CN_ATTR_ALL_REG20GPC_IS_ATT
Sub-query No
Foreign Key

Node Node
CN_ID CN_ID Equal
IS_RE RE_ID Equal
Association 0GPC_RE20GPC_IS_ATTR
Sub-query Yes
Foreign Key

Node Node
IS_RE OBJID Equal
SAP Process Control

Association 0GPC_EC_ATTR_ALL_REG20GPC_IS_ATT
Sub-query Yes
Foreign Key

Node Node
EC_ID OBJID Equal
IS_RE RE_ID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_IS_ATT
Sub-query Yes
Foreign Key

Node Node
SAP Process Control

OU_ID OBJID Equal
IS_RE RE_ID Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_IS_ATT
Sub-query No
Foreign Key

Node Node
SP_ID OBJID Equal
IS_RE RE_ID Equal
5.8.3.2.10 Process
Use
Search and Analytics Model: 0GPC_PR
This search and analytics model is used to get the process data.
SAP Process Control

Technical Data
Root Node: GRC PC Process
Technical Name 0GPC_PR_ATTR
DataSource 0GPC_PR_ATTR
Operational Data Provider: GRC PC Process Attributes
Technical Name 0GPC_PR
Operational Data Provider: GRC PC Regulation Texts
Technical Name 0GPC_PR
ODP-Semantics Texts
PR GRFN_ODP GRC ODP authorization
Node Relationship: GRC PC Process Texts
Node 0GPC_PR_TEXT
SAP Process Control

Association
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
Association 0GPC_PR_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
SAP Process Control

Association 0GPC_PR_ATTR20GFN_ENTTYP_TEXT
Sub-query No
Foreign Key

Node Node
Association 0GPC_PR_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key

Node Node
PR_RESP_USER ATTR Equal
Node Relationship: Validate Subprocess Design Assessment
Node 0GPC_PRVAPD.0GPC_PRVAPD_TEXT
SAP Process Control

Association 0GPC_PR_ATTR20GPC_PRVAPD
Sub-query No
Foreign Key

Node Node
PR_VAL_PD ATTR Equal
Node Relationship: Validate Subprocess Design Remediation Plan
Node 0GPC_PRVAPL.0GPC_PRVAPL_TEXT
Association 0GPC_PR_ATTR20GPC_PRVAPL
Sub-query No
Foreign Key

Node Node
PR_VAL_PLAN ATTR Equal
Node Relationship: Retest Subprcess Design Assessment
Node 0GPC_PRRTPD.0GPC_PRRTPD_TEXT
Association 0GPC_PR_ATTR20GPC_PRRTPD
SAP Process Control

Sub-query No
Foreign Key

Node Node
PR_RTST_PD ATTR Equal
Association 0GPC_IS_ATTR20GPC_PR_ATTR
Sub-query No
Foreign Key

Node Node
OBJID PR_ID Equal
Association 0GPC_SP_ATTR20GPC_PR_ATTR
Sub-query No
SAP Process Control

Foreign Key

Node Node
OBJID PR_ID Equal
Association 0GPC_CN_RS_ATTR20GPC_PR_ATTR
Sub-query No
Foreign Key

Node Node
OBJID PR_ID Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_PR_ATT
SAP Process Control

Sub-query No
Foreign Key

Node Node
OBJID PR_ID Equal
Association 0GPC_V0_ATTR20GPC_PR_ATTR
Sub-query No
Foreign Key

Node Node
OBJID PR_ID Equal
Association 0GFN_JP_ATTR20GPC_PR_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
OBJID PR_ID Equal
Association 0GFN_OU_REG.0GFN_OU_ATTR_ALL_REG
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
SAP Process Control

5.8.3.2.11 Regulation
Use
Search and Analytics Model: 0GPC_RE
This search and analytics model is used to get the regulation data.
Technical Data
Root Node: GRC PC Regulation
Technical Name 0GPC_RE
DataSource 0GPC_RE_TEXT
Operational Data Provider: GRC PC Regulation
Technical Name 0GPC_RE
Operational Data Provider: GRC PC Regulation Texts
Technical Name 0GPC_RE_TEXT
ODP-Semantics Texts
SAP Process Control

RE GRFN_ODP GRC ODP authorization
Node Relationship: GRC PC Regulation Texts
Node 0GPC_RE_TEXT
Association
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
Association 0GPC_RE20GFN_TF_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
Association 0GPC_RE20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_RE20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_RE20GPC_SP_RS_SOURCE_AT
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
Association 0GPC_RE20GPC_IS_ATTR
Sub-query No
Foreign Key

Node Node
OBJID IS_RE Equal
SAP Process Control

Association 0GPC_RE20GPC_PL_ATTR
Sub-query No
Foreign Key

Node Node
OBJID PL_RE Equal
Association 0GPC_RE20GPC_CASES
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
SAP Process Control

Association 0GPC_RE20GPC_CN_ATTR_ALL_REG
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
Association TESTLOG: REGULATION ATTRIBUTE
Sub-query No
Foreign Key

Node Node
OBJID TL_RE Equal
SAP Process Control

Association 0GPC_EC_ATTR_ALL_REG20GPC_RE
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
Association 0GPC_V0_ATTR20GPC_RE
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
SAP Process Control

Association 0GFN_JP_ATTR20GPC_RE
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_RE
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
SAP Process Control

Association 0GPC_SP_ATTR_ALL_REG20GPC_RE
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
Association 0GPC_AS_ATTR20GPC_RE
Sub-query No
Foreign Key

Node Node
OBJID AS_RE Equal
SAP Process Control

Association F5 TESTLOG: REGULATION
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
Association M3 CTRL: REG
Sub-query No
Foreign Key

Node Node
OBJID RE_ID Equal
SAP Process Control

5.8.3.2.12 Regulation-Specific Control Attributes
5.8.3.2.13 Regulation-Specific IELC Attributes
Use
Search and Analytics Model: 0GPC_ECRE
This search and analytics model is used to get the regulation-specific IELC attributes data.
Technical Data
Root Node: GRC PC Indirect Entity-Level Control Attributes All Regs
Technical Name 0GPC_EC_ATTR_ALL_REG
DataSource 0GPC_EC_ATTR_ALL_REGS
Operational Data Provider: GRC PC Indirect Entity-Level Control Attributes All Regs
Technical Name 0GPC_EC_REG
SAP Process Control

EC_REG GRFN_ODP_R GRC ODP Autorization for regulation-

specific entities
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_ATT
Sub-query No
Foreign Key

Node Node
Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_EC_ATTR_ALL_REG20GFN_TF_YEA
Sub-query No
Foreign Key

Node Node
Association 0GPC_EC_ATTR_ALL_REG20GPC_IS_ATT
Sub-query No
Foreign Key

Node Node
OBJID EC_ID Equal
RE_ID IS_RE Equal
SAP Process Control

Association 0GPC_EC_ATTR_ALL_REG20GPC_CASES
Sub-query No
Foreign Key

Node Node
OBJID EC_ID Equal
Association 0GPC_EC_ATTR_ALL_REG20GPC_RE
Sub-query No
Foreign Key

Node Node
RE_ID OBJID Equal
SAP Process Control

Association IELC REG AS RATING: TEXT
Sub-query No
Foreign Key

Node Node
RATING_MC ATTR Equal
Association IELC REG TL RATING: TEXT
Sub-query No
Foreign Key

Node Node
RATING_MT ATTR Equal
SAP Process Control

Association IELC REG AS STATUS: TEXT
Sub-query No
Foreign Key

Node Node
STATUS_MC ATTR Equal
Association IELC REG TL STATUS: TEXT
Sub-query No
Foreign Key

Node Node
STATUS_MT ATTR Equal
SAP Process Control

Association 0GPC_EC_ATTR_ALL_REG20GPC_V0_ATT
Sub-query No
Foreign Key

Node Node
OBJID EC_ID Equal
RE_ID RE_ID Equal
Association 0GPC_EC_ATTR_ALL_REG20GFN_ENTTYP
Sub-query No
Foreign Key

Node Node
Node Relationship: Indirect Entity-Level Control To be Tested
Node 0GPC_ECTBTE.0GPC_ECTBTE_TEXT
SAP Process Control

Association 0GPC_EC_ATTR_ALL_REG20GPC_ECTBTE
Sub-query No
Foreign Key

Node Node
EC_TB_TESTED ATTR Equal
Association IELC REG AS EVALTP: TEXT
Sub-query No
Foreign Key

Node Node
EVALTYP_MC ATTR Equal
Association IELC REG TL EVALTP: TEXT
SAP Process Control

Sub-query No
Foreign Key

Node Node
EVALTYP_MT ATTR Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_EC_ATT
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
RE_ID RE_ID Equal
Association 0GPC_AS_ATTR20GPC_EC_ATTR_ALL_RE
SAP Process Control

Sub-query No
Foreign Key

Node Node
RE_ID AS_RE Equal
OBJID EC_ID Equal
Association 0GPC_TL_ATTR20GPC_EC_ATTR_ALL_RE
Sub-query No
Foreign Key

Node Node
OBJID EC_ID Equal
RE_ID TL_RE Equal
SAP Process Control

5.8.3.2.14 Regulation-Specific Organization Unit Attributes
Use
Search and Analytics Model: 0GFN_OURE
This search and analytics model is used to get the regulation-specific attributes of an organization unit.
Technical Data
Root Node: GRC Organizations Attributes All Regulations
Technical Name 0GFN_OU_ATTR_ALL_REGS
DataSource 0GFN_OU_ATTR_ALL_REGS
Operational Data Provider: GRC Organizations Attributes All Regulations
Technical Name 0GFN_OU_REG
OU_REG GRFN_ODP_R GRC ODP authorization for regulation-

specific entities
SAP Process Control

Node Relationship: GRC Org. Unit Qualitative Appetite Texts
Node 0GFN_OUQAPP.0GFN_OU_QAPP_TEXT
Association 0GFN_OU_ATTR_ALL_REG20GFN_OU_QAP
Sub-query No
Foreign Key

Node Node
OU_QUALITY_APP ATTR Equal
Node Relationship: Region (State, Province, County)
Node 0GFN_REGION.0REGION_TEXT
Association 0GFN_OU_ATTR_ALL_REG20REGION_TEX
Sub-query No
Foreign Key

Node Node
OU_REGION BLAND Equal
OU_REGION_CNTY LAND1 Equal
SAP Process Control

Node Relationship: Country
Node 0GFN_COUNTRY.0COUNTRY_TEXT
Association 0GFN_OU_ATTR_ALL_REG20COUNTRY_TE
Sub-query No
Foreign Key

Node Node
OU_COUNTRY LAND1 Equal
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_ATT
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_FRE
Sub-query No
Foreign Key

Node Node
Association 0GFN_OU_ATTR_ALL_REG20GFN_TF_YEA
Sub-query No
Foreign Key

Node Node
Association 0GFN_OU_REG20GPC_SP_ATTR_SS
SAP Process Control

Sub-query No
Foreign Key

Node Node
RE_ID RE_ID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_RE
Sub-query No
Foreign Key

Node Node
RE_ID OBJID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_CN_ATT
SAP Process Control

Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID RE_ID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_PR_ATT
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
SAP Process Control

Association 0GFN_OU_ATTR_ALL_REG20GPC_PL_ATT
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID PL_RE Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_IS_ATT
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID IS_RE Equal
SAP Process Control

Association 0GFN_OU_ATTR_ALL_REG20GPC_V0_ATT
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID RE_ID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_AS_ATT
Sub-query No
Foreign Key
SAP Process Control

Node Node
OBJID OU_ID Equal
RE_ID AS_RE Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_EC_ATT
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID RE_ID Equal
Node Relationship: GRC Entity Type Text
Association 0GFN_OU_ATTR_ALL_REG20GFN_ENTTYP
SAP Process Control

Sub-query No
Foreign Key

Node Node
Node Relationship: Org. Unit In Scope
Node 0GPC_OUINSC.0GPC_OUINSC_TEXT
Association 0GFN_OU_ATTR_ALL_REG20GPC_OUINSC
Sub-query No
Foreign Key

Node Node
OU_IN_SCOPE ATTR Equal
Node Relationship: Org. Unit Is Provider
Node 0GPC_OUISPR.0GPC_OUISPR_TEXT
Association 0GFN_OU_ATTR_ALL_REG20GPC_OUISPR
Sub-query No
Foreign Key
SAP Process Control

Node Node
OU_SPROVIDER ATTR Equal
Association 0GFN_OU_ATTR_ALL_REG20GFN_USER_T
Sub-query No
Foreign Key

Node Node
OU_RESP_USER ATTR Equal
Node Relationship: Validate iELC Assessment
Node 0GFN_OUVAMC.0GFN_OUVAMC_TEXT
Association 0GFN_OU_ATTR_ALL_REG20GFN_OUVAMC
Sub-query No
Foreign Key

Node Node
OU_VAL_EC_ASS ATTR Equal
SAP Process Control

Node Relationship: Validate iELC Effectiveness Test
Node 0GFN_OUVAMT.0GFN_OUVAMT_TEXT
Association 0GFN_OU_ATTR_ALL_REG20GFN_OUVAMT
Sub-query No
Foreign Key

Node Node
OU_VAL_EC_TEST ATTR Equal
Node Relationship: Retest iELC Assessment
Node 0GFN_OUREMC.0GFN_OUREMC_TEXT
Association 0GFN_OU_ATTR_ALL_REG20GFN_OUREMC
Sub-query No
Foreign Key

Node Node
OU_RTS_EC_ASS ATTR Equal
Node Relationship: Retest iELC Effectiveness Test
Node 0GFN_OUREMT.0GFN_OUREMT_TEXT
SAP Process Control

Association 0GFN_OU_ATTR_ALL_REG20GFN_OUREMT
Sub-query No
Foreign Key

Node Node
OU_RTS_EC_TEST ATTR Equal
Association 0GPC_CN_ATTR_ALL_REG20GFN_OU_ATT
Sub-query No
Foreign Key

Node Node
OBJID CN_SS_OU Equal
RE_ID RE_ID Equal
SAP Process Control

Association 0GPC_TL_ATTR20GFN_OU_ATTR_ALL_RE
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID TL_RE Equal
Association 0GPC_SP_ATTR_ALL_REG20GFN_OU_ATT
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID RE_ID Equal
SAP Process Control

Association F5 TESTLOG: OU REG
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID RE_ID Equal
Association 0GPC_V9_ATTR20GFN_OU_ATTR_ALL_RE
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID RE_ID Equal
SAP Process Control

Association H2E IELC: REG OU
Sub-query No
Foreign Key

Node Node
OBJID OU_ID Equal
RE_ID RE_ID Equal
5.8.3.2.15 Regulation-Specific Subprocess Attributes
Use
Search and Analytics Model: 0GPC_SPRE
This search and analytics model is used to get the regulation-specific subprocess attributes data.
SAP Process Control

Technical Data
Root Node: GRC PC Subprocess Attributes All Regulations
Technical Name 0GPC_SP_ATTR_ALL_REG
DataSource 0GPC_SP_ATTR_ALL_REGS
Operational Data Provider: GRC PC Subprocess Attributes All Regulations
Technical Name 0GPC_SP_REG
SP_REG GRFN_ODP_R GRC ODP Authorization for regulation-

specific entities
Node Relationship: GRC PC Subprocess Industry Texts
Node 0GPC_SPINDU.0GPC_SPINDU_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPINDU
Sub-query No
Foreign Key
SAP Process Control

Node Node
SP_INDUSTRY ATTR Equal
Node Relationship: GRC PC Subprocess Shared Services Assign Method

Texts
Node 0GPC_SPSSAM.0GPC_SPSSAM_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPSSAM
Sub-query No
Foreign Key

Node Node
SP_SS_ASGN_METH ATTR Equal
Node Relationship: GRC PC Subprocess Transaction Type Texts
Node 0GPC_SPTRTY.0GPC_SPTRTY_TEXT
Association 0GPC_SP_REG20GPC_SPTRTY_L
Sub-query No
Foreign Key

Node Node
SAP Process Control

SP_TRTYPE_O ATTR Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_PR_ATT
Sub-query No
Foreign Key

Node Node
PR_ID PR_ID Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_RE
Sub-query No
Foreign Key

Node Node
RE_ID OBJID Equal
SAP Process Control

Association 0GPC_SP_ATTR_ALL_REG20GPC_CN_ATT
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
RE_ID RE_ID Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_PL_ATT
Sub-query No
Foreign Key
SAP Process Control

Node Node
OBJID SP_ID Equal
RE_ID PL_RE Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_IS_ATT
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
RE_ID IS_RE Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_CASES
SAP Process Control

Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
RE_ID RE_ID Equal
Association 0GPC_SP_ATTR_ALL_REG20GPC_V0_ATT
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
RE_ID RE_ID Equal
SAP Process Control

Association 0GPC_SP_ATTR_ALL_REG20GPC_AS_ATT
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
RE_ID AS_RE Equal
Association 0GPC_SP_ATTR_ALL_REG20GFN_JP_ATT
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
RE_ID RE_ID Equal
SAP Process Control

Node Relationship: Subprocess In Scope
Node 0GPC_SPINSC.0GPC_SPINSC_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPINSC
Sub-query No
Foreign Key

Node Node
SP_IN_SCOPE ATTR Equal
Node Relationship: Subprocess Is Provider
Node 0GPC_SPISPR.0GPC_SPISPR_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPISPR
Sub-query No
Foreign Key

Node Node
SP_IS_PROVIDER ATTR Equal
SAP Process Control

Association 0GPC_SP_ATTR_ALL_REG20GFN_ENTTYP
Sub-query No
Foreign Key

Node Node
Association 0GPC_SP_ATTR_ALL_REG20GFN_USER_T
Sub-query No
Foreign Key

Node Node
SP_RESP_USER ATTR Equal
SAP Process Control

Association 0GPC_SP_REG20GPC_SPTRTY_C
Sub-query No
Foreign Key

Node Node
SP_TRTYPE ATTR Equal
Node 0GPC_SPISCOM.0GPC_SPISCOM_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPISCO
Sub-query No
Foreign Key

Node Node
SP_IS_CONSUMER ATTR Equal
Association 0GPC_SP_ATTR_ALL_REG20GFN_OU_ATT
SAP Process Control

Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
RE_ID RE_ID Equal
Node Relationship: Control Design Assessment Validation
Node 0GPC_SPVACD.0GPC_SPVACD_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPVACD
Sub-query No
Foreign Key

Node Node
SP_VAL_ASS_CD ATTR Equal
Node Relationship: Control Self-Assessment Validation
Node 0GPC_SPVACE.0GPC_SPVACE_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPVACE
SAP Process Control

Sub-query No
Foreign Key

Node Node
SP_VAL_ASS_CE ATTR Equal
Node Relationship: Control Effectiveness Test Validation
Node 0GPC_SPVATE.0GPC_SPVATE_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPVATE
Sub-query No
Foreign Key

Node Node
SP_VAL_TEST ATTR Equal
Node Relationship: Control Remediation Plan Validation
Node 0GPC_SPVAPL.0GPC_SPVAPL_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPVAPL
Sub-query No
Foreign Key
SAP Process Control

Node Node
SP_VAL_RMPLAN ATTR Equal
Node Relationship: Repeat Setting Text for Process and Subprocess
Node 0GPC_SPRTCD.0GPC_SPRTCD_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPRTCD
Sub-query No
Foreign Key

Node Node
SP_RTST_CD ATTR Equal
Node 0GPC_SPRTCE.0GPC_SPRTCE_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPRTCE
Sub-query No
Foreign Key

Node Node
SP_RTST_CE ATTR Equal
SAP Process Control

Node 0GPC_SPRTTE.0GPC_SPRTTE_TEXT
Association 0GPC_SP_ATTR_ALL_REG20GPC_SPRTTE
Sub-query No
Foreign Key

Node Node
SP_RTST_TE ATTR Equal
Association 0GFN_OU_REG20GPC_SP_ATTR_SS
Sub-query No
Foreign Key

Node Node
SP_SS_ORGUNIT OBJID Equal
RE_ID RE_ID Equal
SAP Process Control

Association F5 TESTLOG: SUBP REG
Sub-query No
Foreign Key

Node Node
RE_ID RE_ID Equal
OBJID SP_ID Equal
5.8.3.2.16 Remediation Plan
Use
Search and Analytics Model: 0GPC_PL
This search and analytics model is used to get the remediation plan data.
Technical Data
SAP Process Control

Root Node: GRC PC Remediation Plan Attributes
Technical Name 0GPC_PL_ATTR
DataSource 0GPC_PL_ATTR
Operational Data Provider: GRC PC Issue Attributes
Technical Name 0GPC_PL
Operational Data Provider: GRC PC Remediation Plan Texts
Technical Name 0GPC_PL
ODP-Semantics Texts
CN_PL GRFN_ODP_C GRC ODP authorization for complex ID
IELC_PL GRFN_ODP GRC ODP authorization
SP_PL GRFN_ODP GRC ODP authorization
Node Relationship: GRC PC Issue Texts
Node 0GPC_PL_TEXT
Association
SAP Process Control

Sub-query No
Foreign Key

Node Node
GUID GUID Equal
Association 0GPC_PL_ATTR20GPC_IS_ATTR
Sub-query No
Foreign Key

Node Node
IS_ID GUID Equal
Association 0GPC_PL_ATTR20GFN_STATUS_TEXT
SAP Process Control

Sub-query No
Foreign Key

Node Node
PL_STATUS ATTR Equal
Association USER TEXT: REPORTED BY
Sub-query No
Foreign Key

Node Node
PL_RESP_USER ATTR Equal
Association USER TEXT: REMEDIATOR
Sub-query No
SAP Process Control

Foreign Key

Node Node
PL_PROCESSOR ATTR Equal
Association 0GPC_PL_ATTR20GPC_AS_ATTR_1
Sub-query Yes
Foreign Key

Node Node
AS_ID GUID Equal
Node Relationship: Remediation Plan Carry Forward Status Text
Node 0GPC_PL_CF_T.0GPC_PL_CF_T
Association 0GPC_PL_ATTR20GPC_PL_CF_T
Sub-query No
Foreign Key
SAP Process Control

Node Node
PL_CF_STATUS ATTR Equal
Node Relationship: GRC PC Remediation Plan Category Texts
Node 0GPC_PL_CG_T.0GPC_PL_CG_T
Association 0GPC_PL_ATTR20GPC_PL_CG_T
Sub-query No
Foreign Key

Node Node
PL_CATEGORY ATTR Equal
Association 0GPC_PL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_PL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_PL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_CASES20GPC_PL_ATTR
Sub-query No
Foreign Key

Node Node
GUID PL_GUID Equal
Node Relationship: GRC Control Attributes All Regulations
Association 0GPC_CN_ATTR_ALL_REG20GPC_PL_ATT
Sub-query No
Foreign Key

Node Node
CN_ID CN_ID Equal
PL_RE RE_ID Equal
SAP Process Control

Association 0GPC_RE20GPC_PL_ATTR
Sub-query Yes
Foreign Key

Node Node
PL_RE OBJID Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_PL_ATT
Sub-query Yes
Foreign Key

Node Node
OU_ID OBJID Equal
PL_RE RE_ID Equal
SAP Process Control

Association 0GPC_SP_ATTR_ALL_REG20GPC_PL_ATT
Sub-query No
Foreign Key

Node Node
SP_ID OBJID Equal
PL_RE RE_ID Equal
5.8.3.2.17 Subprocess
Use
Search and Analytics Model: 0GPC_SP
This search and analytics model is used to get the subprocess data.
SAP Process Control

Technical Data
Root Node: GRC PC Subprocess Attributes
Technical Name 0GPC_SP_ATTR
DataSource 0GPC_SP_ATTR
Operational Data Provider: GRC PC Subprocess Attributes
Technical Name 0GPC_SP
Operational Data Provider: GRC PC Subprocess Texts
Technical Name 0GPC_SP
ODP-Semantics Texts
SP GRFN_ODP GRC ODP Authorization
Node 0GPC_SP_TEXT
SAP Process Control

Association
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
Node Relationship: GRC PC Subprocess Industry Texts
Node 0GPC_SPINDU.0GPC_SPINDU_TEXT
Association 0GPC_SP_ATTR20GPC_SPINDU_TEXT
Sub-query No
Foreign Key

Node Node
SP_INDUSTRY ATTR Equal
Node Relationship: GRC PC Subprocess Shared Services Assign Method

Texts
Node 0GPC_SPSSAM.0GPC_SPSSAM_TEXT
SAP Process Control

Association 0GPC_SP_ATTR20GPC_SPSSAM_TEXT
Sub-query No
Foreign Key

Node Node
SP_SS_ASGN_METH ATTR Equal
Association 0GPC_SP_ATTR20GPC_SPTRTY_TEXT_L
Sub-query No
Foreign Key

Node Node
SP_TRTYPE_O ATTR Equal
Association 0GPC_SP_ATTR20GPC_PR_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
PR_ID OBJID Equal
Node Relationship: Subprocess In Scope
Node 0GPC_SPINSC.0GPC_SPINSC_TEXT
Association 0GPC_SP_ATTR20GPC_SPINSC
Sub-query No
Foreign Key

Node Node
SP_IN_SCOPE ATTR Equal
Node Relationship: Subprocess Is Provider
Node 0GPC_SPISPR.0GPC_SPISPR_TEXT
Association 0GPC_SP_ATTR20GPC_SPISPR
Sub-query No
SAP Process Control

Foreign Key

Node Node
SP_IS_PROVIDER ATTR Equal
Association 0GPC_SP_ATTR20GFN_OU_ATTR_O
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
Association 0GPC_SP_ATTR20GFN_OU_ATTR_SS
Sub-query No
Foreign Key
SAP Process Control

Node Node
SP_SS_ORGUNIT OBJID Equal
Association 0GPC_SP_ATTR20GFN_ENTTYP_TEXT
Sub-query No
Foreign Key

Node Node
Association 0GPC_SP_ATTR20GFN_USER_TEXT
Sub-query No
Foreign Key
SAP Process Control

Node Node
SP_RESP_USER ATTR Equal
Node 0GPC_SPISCOM.0GPC_SPISCOM_TEXT
Association 0GPC_SP_ATTR20GPC_SPISCOM
Sub-query No
Foreign Key

Node Node
SP_IS_CONSUMER ATTR Equal
Association 0GPC_SP_ATTR20GPC_SPTRTY_TEXT_C
Sub-query No
Foreign Key

Node Node
SP_TRTYPE ATTR Equal
SAP Process Control

Node Relationship: Control Design Assessment Validation
Node 0GPC_SPVACD.0GPC_SPVACD_TEXT
Association 0GPC_SP_ATTR20GPC_SPVACD
Sub-query No
Foreign Key

Node Node
SP_VAL_ASS_CD ATTR Equal
Node Relationship: Control Self-Assessment Validation
Node 0GPC_SPVACE.0GPC_SPVACE_TEXT
Association 0GPC_SP_ATTR20GPC_SPVACE
Sub-query No
Foreign Key

Node Node
SP_VAL_ASS_CE ATTR Equal
Node Relationship: Control Remediation Plan Validation
Node 0GPC_SPVAPL.0GPC_SPVAPL_TEXT
SAP Process Control

Association 0GPC_SP_ATTR20GPC_SPVAPL
Sub-query No
Foreign Key

Node Node
SP_VAL_RMPLAN ATTR Equal
Node Relationship: Control Effectiveness Test Validation
Node 0GPC_SPVATE.0GPC_SPVATE_TEXT
Association 0GPC_SP_ATTR20GPC_SPVATE
Sub-query No
Foreign Key

Node Node
SP_VAL_TEST ATTR Equal
Node 0GPC_SPRTCD.0GPC_SPRTCD_TEXT
Association 0GPC_SP_ATTR20GPC_SPRTCD
SAP Process Control

Sub-query No
Foreign Key

Node Node
SP_RTST_CD ATTR Equal
Node 0GPC_SPRTCE.0GPC_SPRTCE_TEXT
Association 0GPC_SP_ATTR20GPC_SPRTCE
Sub-query No
Foreign Key

Node Node
SP_RTST_CE ATTR Equal
Node 0GPC_SPRTTE.0GPC_SPRTTE_TEXT
Association 0GPC_SP_ATTR20GPC_SPRTTE
Sub-query No
Foreign Key
SAP Process Control

Node Node
SP_RTST_TE ATTR Equal
Association 0GPC_SP_RS_CN_ALL20GPC_SP_ATTR
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
Association 0GPC_CN_RS_ATTR20GPC_SP_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
OBJID SP_ID Equal
Association 0GPC_CN_ATTR20GPC_SP_ATTR1
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
Association 0GPC_CASES20GPC_SP_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
OBJID SP_ID Equal
Association 0GPC_V0_ATTR20GPC_SP_ATTR
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
Association 0GFN_JP_ATTR20GPC_SP_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
OBJID SP_ID Equal
Association M3 CTRL: SUBPROCESS
Sub-query No
Foreign Key

Node Node
OBJID SP_ID Equal
5.8.3.2.18 Subprocess as Risk Source
Use
Search and Analytics Model: 0GPC_SPSRC
This search and analytics model is used to get the data of subprocess as risk source.
SAP Process Control

Technical Data
Root Node: GRC PC Subprocess Attributes
Technical Name 0GPC_SP_RS_SOURCE_AT
DataSource 0GPC_SP_RS_SOURCE_ATTR
Operational Data Provider: GRC PC Subprocess Attributes
Technical Name 0GPC_SPSRC
Operational Data Provider: GRC PC Subprocess Texts
Technical Name 0GPC_SP_SRC
ODP-Semantics Texts
SP GRFN_ODP GRC ODP Authorization
Node 0GPC_SP_RS_SOURCE_TE
SAP Process Control

Association
Sub-query No
Foreign Key

Node Node
OBJID OBJID Equal
Association 0GPC_SP_RS_SOURCE_AT20GFN_OU_ATT
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
SAP Process Control

Association 0GPC_SP_RS_CN_ALL20GPC_SP_RS_SOU
Sub-query No
Foreign Key

Node Node
OBJID SOURCE_SP_ID Equal
Association 0GPC_RE20GPC_SP_RS_SOURCE_AT
Sub-query No
Foreign Key

Node Node
RE_ID OBJID Equal
SAP Process Control

Node Node
5.8.3.2.19 Testing
Use
Search and Analytics Model: 0GPC_TL
This search and analytics model is used to get the testing data.
Technical Data
Software Component for Search and Ana GRCFND_A

lytics
Root Node: GRC PC Testing (Testlog) Attributes
Technical Name 0GPC_TL_ATTR
DataSource 0GPC_TL_ATTR
Operational Data Provider: GRC PC Testing (Testlog) Attributes
Technical Name 0GPC_TL
Operational Data Provider: GRC PC Testing (Testlog) Texts
SAP Process Control

Technical Name 0GPC_TL
ODP-Semantics Texts
Node Relationship: GRC PC Testing (Testlog) Texts
Node 0GPC_TL_TEXT
Association
Sub-query Yes
Foreign Key

Node Node
GUID GUID Equal
Node Relationship: GRC PC Test Result Texts
Node 0GPC_TLEXCE.0GPC_TL_EXCEPTION_T
Association TESTLOG: TEST RESULT
Sub-query No
Foreign Key
SAP Process Control

Node Node
TL_EXCEPTION ATTR Equal
Association TESTLOG: EVA TYPE TEXT
Sub-query No
Foreign Key

Node Node
TL_EVALTYP ATTR Equal
Association TESTLOG: RATING
Sub-query No
Foreign Key

Node Node
TL_RATING ATTR Equal
SAP Process Control

Association TESTLOG: STATUS
Sub-query No
Foreign Key

Node Node
TL_STATUS ATTR Equal
Association 0GPC_TL_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_TL_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
Association 0GPC_TL_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association TESTLOG: REGULATION ATTRIBUTE
SAP Process Control

Sub-query No
Foreign Key

Node Node
TL_RE OBJID Equal
Association 0GPC_TL_ATTR20GFN_OU_ATTR_1
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
Association 0GPC_TL_ATTR20GPC_SP_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
SP_ID OBJID Equal
Association 0GPC_TL_ATTR20GPC_CN_ATTR_1
Sub-query No
Foreign Key

Node Node
CN_ID CN_ID Equal
Association 0GPC_TL_ATTR20GPC_EC_ATTR
SAP Process Control

Sub-query No
Foreign Key

Node Node
EC_ID OBJID Equal
Association TESTLOG: TESTER
Sub-query No
Foreign Key

Node Node
TL_TESTER ATTR Equal
Association TESTLOG: TEST OWNER
SAP Process Control

Sub-query No
Foreign Key

Node Node
TL_TEST_OWNER ATTR Equal
Association TESTLOG: TEST REVIEWER
Sub-query No
Foreign Key

Node Node
TL_VAL_USER ATTR Equal
Node Relationship: GRC PC Testing Category Texts
Node 0GPC_TLCATE.0GPC_TL_CATEGORY_T
Association TESTLOG: CATEGORY TEXT
Sub-query No
Foreign Key
SAP Process Control

Node Node
TL_CATEGORY ATTR Equal
Association TESTLOG: CLOSED BY
Sub-query No
Foreign Key

Node Node
TL_VAL_USER ATTR Equal
Node Relationship: GRC PC Testing (Testlog) Test Automation Texts
Node 0GPC_TLTSTA.0GPC_TL_TEST_AUTOM_T
Association TESTLOG: TEST AUTOMATION
Sub-query No
Foreign Key

Node Node
TL_TEST_AUTOM ATTR Equal
SAP Process Control

Node Relationship: GRC PC Testing (Testlog) Test Method Texts
Node 0GPC_TLTSTM.0GPC_TL_TEST_METH_T
Association TESTLOG: TEST METHOD
Sub-query No
Foreign Key

Node Node
TL_TEST_METH ATTR Equal
Node Relationship: GRC PC Testing (Testlog) Test Method Texts
Node 0GPC_TLTSTM.0GPC_TL_TEST_METH_T
Association TESTLOG: TEST METHOD
Sub-query No
Foreign Key

Node Node
TL_TEST_METH ATTR Equal
SAP Process Control

Association TESTLOG: TEST PLAN ATTRIBUTE
Sub-query No
Foreign Key

Node Node
TL_TEST_PLAN OBJID Equal
Node Relationship: GRC PC Control Testing Technique Texts
Node 0GPC_CNTTEC.0GPC_CN_TTECH_TEXT
Association TESTLOG: TEST TECHNIQUE
Sub-query No
Foreign Key

Node Node
TL_TTECH ATTR Equal
Association 0GPC_IS_ATTR20GPC_TL_ATTR_1
SAP Process Control

Sub-query No
Foreign Key

Node Node
GUID TL_ID Equal
5.8.3.2.20 Test Plan
Use
Search and Analytics Model: 0GPC_TP
This search and analytics model is used to get the PC test plan data.
Technical Data
Software Component for Search and Ana GRCFND_A

lytics
Root Node: GRC PC Test Plan Attributes
Technical Name 0GPC_TP_ATTR
SAP Process Control

DataSource 0GPC_TP_ATTR
Operational Data Provider: GRC PC Test Plan Attributes
Technical Name 0GPC_TP
Operational Data Provider: GRC PC Test Plan Texts
Technical Name 0GPC_TP
ODP-Semantics Texts
TP GRFN_ODP GRC ODP authorization
Node Relationship: GRC PC Test Plan Texts
Node 0GPC_TP_TEXT
Association
Sub-query No
Foreign Key

Node Node
SAP Process Control

OBJID OBJID Equal
Association 0GPC_TP_ATTR20GFN_TF_ATTR
Sub-query No
Foreign Key

Node Node
Association 0GPC_TP_ATTR20GFN_TF_FREQ
Sub-query No
Foreign Key

Node Node
SAP Process Control

Association 0GPC_TP_ATTR20GFN_TF_YEAR
Sub-query No
Foreign Key

Node Node
Association 0GPC_CN_ATTR20GPC_TP_ATTR
Sub-query No
Foreign Key

Node Node
OBJID CN_TEST_PLAN Equal
SAP Process Control

Association 0GPC_V0_ATTR20GPC_TP_ATTR
Sub-query No
Foreign Key

Node Node
OBJID V0_TEST_PLAN Equal
Association 0GPC_EC_ATTR20GPC_TP_ATTR
Sub-query No
Foreign Key

Node Node
OBJID EC_TEST_PLAN Equal
SAP Process Control

Association TESTLOG: TEST PLAN ATTRIBUTE
Sub-query No
Foreign Key

Node Node
OBJID TL_TEST_PLAN Equal
5.8.3.2.21 Test Steps
Use
Search and Analytics Model: 0GPC_V0
This search and analytics model is used to get the test step data.
Technical Data
SAP Process Control

Root Node: GRC PC Test Step Attributes
Technical Name 0GPC_V0_ATTR
DataSource 0GPC_V0_ATTR
Operational Data Provider: GRC PC Test Step Attributes
Technical Name 0GPC_V0
Operational Data Provider: GRC PC Test Step Texts
Technical Name 0GPC_V0
ODP-Semantics Texts
TP_V0 GRFN_ODP GRC ODP Authorization
Node Relationship: GRC PC Test Step Texts
Node 0GPC_V0_TEXT
Association
Sub-query No
Foreign Key
SAP Process Control

Node Node
V0_ID V0_ID Equal
Association 0GPC_V0_ATTR20GPC_CN_ATTR
Sub-query No
Foreign Key

Node Node
CN_ID CN_ID Equal
Association 0GPC_V0_ATTR20GPC_EC_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
EC_ID OBJID Equal
Association 0GPC_V0_ATTR20GFN_OU_ATTR
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
Association 0GPC_V0_ATTR20GPC_PR_ATTR
Sub-query No
Foreign Key
SAP Process Control

Node Node
PR_ID OBJID Equal
Association 0GPC_V0_ATTR20GPC_SP_ATTR
Sub-query No
Foreign Key

Node Node
SP_ID OBJID Equal
Association 0GPC_V0_ATTR20GPC_RE
Sub-query No
Foreign Key
SAP Process Control

Node Node
RE_ID OBJID Equal
Association 0GPC_V0_ATTR20GPC_TP_ATTR
Sub-query No
Foreign Key

Node Node
V0_TEST_PLAN OBJID Equal
Node Relationship: GRC PC Test Step Final Test Failed Texts
Node 0GPC_V0FAILEND.0GPC_V0FENDS
Association 0GPC_V0_ATTR20GPC_V0FENDS
Sub-query No
Foreign Key
SAP Process Control

Node Node
V-_FAIL_ENDS ATTR Equal
Node Relationship: GRC PC Test Step Result Texts
Node 0GPC_V0RESULT.0GPC_V0_TRESULT_TEXT
Association 0GPC_V0_ATTR20GPC_V0_TRESULT_TEX
Sub-query No
Foreign Key

Node Node
V-_TRESULT ATTR Equal
Node Relationship: GRC PC Test Step Sampling Method Texts
Node 0GPC_V0SAMP.0GPC_V0_SAMPL_MTD_TE
Association 0GPC_V0_ATTR20GPC_V0_SAMPL_MTD_T
Sub-query No
Foreign Key

Node Node
V0_SAMPL_MTD ATTR Equal
SAP Process Control

Node Relationship: GRC PC Test Step Type Texts
Node 0GPC_V0TYPE.0GPC_V0_IS_TEST_TEXT
Association 0GPC_V0_ATTR20GPC_V0_IS_TEST_TEX
Sub-query No
Foreign Key

Node Node
V0_IS_TEST V0_IS_TEST Equal
Association 0GFN_OU_ATTR_ALL_REG20GPC_V0_ATT
Sub-query No
Foreign Key

Node Node
OU_ID OBJID Equal
RE_ID RE_ID Equal
SAP Process Control

Association 0GPC_SP_ATTR_ALL_REG20GPC_V0_ATT
Sub-query No
Foreign Key

Node Node
SP_ID OBJID Equal
RE_ID RE_ID Equal
Association 0GPC_EC_ATTR_ALL_REG20GPC_V0_ATT
Sub-query No
Foreign Key

Node Node
EC_ID OBJID Equal
RE_ID RE_ID Equal
SAP Process Control

SAP Process Control

6 Work Centers
Work centers provide a central access point for the entire GRC functionality. They are organized to provide easy
access to application activities, and contain menu groups and links to further activities.
This documentation is structured according to the structures within the individual work centers, and contains
links to further documentation for the menu groups and links.
 Note
The application provides a standard set of work centers. However, your system administrator can
customize them according to your organization's internal structures. Depending on the product or
products that you have licensed, different areas of the GRC application are displayed (SAP Access Control,
SAP Process Control, SAP Risk Management).
Related Links:
● My Home
● Master Data
● Rule Setup
● Assessments
● Access Management
● Reports and Analytics
6.1 My Home
Use
The My Home work center is shared by the Access Control, Process Control, and Risk Management products in
the GRC Application. The menu groups and quick links available on the screen are determined by the
applications you have licensed. The content in this topic covers the functions specific to Process Control. If you
have licensed additional products, such as Access Control or Risk Management, refer to the relevant topics
below for the application-specific functions.
The Process Control My Home provides a central location where you can view and act on your assigned tasks,
and accessible objects: organizations, processes, subprocesses, controls. It contains the following sections:
● Work Inbox [page 384]

● Ad Hoc Tasks [page 384]
● My Objects [page 386]
● Embedded Search [page 390]
● My Delegation [page 392]
SAP Process Control

Work Centers PUBLIC 383
Activities
The My Home work center allows you to do the following:
● View, access, and address workflow tasks assigned to you, including completed reports that you
scheduled.
● Search for objects and documents throughout the system.
● Assign delegates to perform your tasks or activities.
● View and process your user data.
More Information
Please also see the My Home Work Center topic in the documentation for SAP Access Control.
Please also see the My Home topic in the documentation for SAP Risk Management.
6.1.1 Work Inbox
Use
The Work Inbox lists the tasks you need to process using GRC applications.
Activities
To process a task, choose a hyperlink in the table. The appropriate workflow window appears. Process the task
as required.
The STANDARDVIEW displays the columns.
To change the displayed columns, choose Settings, maintain the columns as required, and save the view.
The new view appears in the View dropdown list.
6.1.2 Ad Hoc Tasks
Use
From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents, and
issues, depending on the applications you have licensed.
SAP Process Control

384 PUBLIC Work Centers
Procedure
Select the following links to work with individual ad hoc tasks:
● Risk Proposals — Refer to the topic Proposing a Risk in the application help for SAP Risk Management.
● Ad Hoc Risk Escalation — Refer to the topic Ad-Hoc Risk Escalation in the application help for SAP Risk
Management.
● Response Proposals — Refer to the topic Creating Response Proposals in the application help for SAP Risk
Management.
● Incidents — Refer to the topic Reporting an Ad-Hoc Incident in the application help for SAP Risk
Management.
● Issues — Identifying, Creating, and Assigning Ad Hoc Issues [page 385]
6.1.2.1 Identifying, Creating, and Assigning Ad Hoc Issues
Use
Issues that did not arise from an evaluation-based test can be an issue, question, action item, or planned task.
Ad hoc issues can be prompted by compliance or business events or result from identifying a problem area. An
ad hoc issue can be created for any object, depending on the configuration done through the Customizing
activities.
If an Issue Owner or an object has not been identified, the issue is sent to the Issue Administrator. This person
can then assign an owner, an object or both. The Issue Administrator or the designee then processes the issue.
Prerequisites
Complete the Customizing activities at Governance, Risk and Compliance Common Component Settings
Ad Hoc Issues .
Procedure
1. Navigate to My Home Ad Hoc Tasks Issues

2. Select Create and enter the Issue Details:
○ Issue Name (required)
○ Description (required) – Provide any details about the issue.
○ Priority (required) – Options are high, medium, or low.
○ Object Type – Select the correct object type.
○ Object Name
○ Owner – Enter the object owner name, or use the search functionality to select the owner.
SAP Process Control

 Note
An object owner is not required. If this field is left blank, the issue is routed to the issue
administrator.
○ Source
○ Issue Date (required)
○ Due Date
○ Notes
3. If you need to gather information, save your issue as a draft and return to complete it later.
4. Choose Add to select a regulation from the dialog box on the Regulation tab.
5. Attach files or links on the Attachment and Links tab.
6. Choose Save Draft to save changes or Cancel to abort the session. If the issue was raised in error, you can
void the issue.
7. Choose Submit after you have completed all information.
Ad Hoc Issue Web Service
Web service GRFNAHISSUEIN is provided to create ad hoc issues and trigger workflows to the issue admin.
The following parameters are defined in the web service:
Type Parameter Description
Input Parameters IvIssueName Issue name
IvIssueDesc Issue description
IvIssueReporter Name of the issue reporter
Output Parameters RvCode Returns value “0” if the issue is generated

successfully, and value “4” if not
EtMessage Returns a message about the information of

issue generation
For more information about ad hoc issue web service, see Issue Management [page 525].
6.1.3 My Objects
Use
You can view and manage objects to which you have access using the My Objects section of the My Home work
center. Specifically, you can view and maintain the following objects:
● My Processes: View and maintain all local organizations, processes, subprocesses, and controls for which
you are responsible
● My Risks: View all risks for which you are the owner or for which you have change authorization
SAP Process Control

● My Responses: View and maintain all responses for which you are the author or processor, or for which you
have change authorization
● My Incidents: View and maintain all incidents for which you have change authorization
● My iELCs: View and maintain all local indirect entity-level control groups (iELC groups) and indirect entity-
level controls (iELCs) for which you are responsible
● My Policies: View all policies that pertain to your responsibilities, including policies that were either created
by you or require your review or approval
● Open Issues: View all open issues on objects for which you have reporting authorization, including
evaluation test issues and ad hoc issues
● Open Remediation Plans: View all open remediation plans and corrective and preventive action (CAPA)
plans for which you have reporting authorization
More Information
My Processes [page 387]
My Risks [page 389]
Please also see the My Responses topic in the documentation for SAP Risk Management.
Please also see the My Incidents topic in the documentation for SAP Risk Management.
My iELCs [page 387]
My Policies [page 389]
Open Issues [page 389]
Open Remediation Plans [page 390]
6.1.3.1 My Processes
Use
Access My Processes from the work center My Home My Objects My Processes . Here you can view,
access, and edit all the local organizations, processes, and subprocesses for which you are responsible.
 Note
If you are an organization owner but not an owner of lower-level objects within your organization (such as
controls or subprocesses), you still see those objects within My Processes. This is because you are
responsible for them although you are not the direct owner.
SAP Process Control

Prerequisites
You must be responsible for objects, either as an owner of a higher-level object or as the owner of the object
itself, to be able to see data within My Processes.
Features
The following views are available:
● Hierarchical view — The hierarchical view is most useful if you want to view objects in context or if you are
not sure of the name of an object and you want to explore the hierarchy.
● List view — The list view is useful if you have a few objects or if you want to use filtering to search for a
particular object.
Both views display general information about the object including whether or not you can change it. Once you
select an object, you can choose to open it to access more information or to edit the fields that allow changes.
6.1.3.2 My iELCs (Indirect Entity-Level Controls)
Use
Access My iELCs (Indirect Entity-Level Controls) from the work center My Home My Objects My iELCs .
Here you can view, access, and edit all iELCs for which you are responsible.
Prerequisites
You must be responsible for objects, either as an owner of a higher-level object or as the owner of the object
itself, to be able to see data within My iELCs.
Features
The following views are available:
● Hierarchical view — The hierarchical view is most useful if you want to view objects in context or if you are
not sure of the name of an object and you want to explore the hierarchy.
● List view — The list view is useful if you have a few objects or if you want to use filtering to search for a
particular object.
Both views display general information about the object including whether or not you can change it. Once you
select an object, you can choose to open it to access more information or to edit the fields that allow changes.
SAP Process Control

6.1.3.3 My Risks
Under the My Home work center, you can see all the risks for which you are the owner and for which you have
change authorization under My Objects My Risks .
For more information, see the topic Risk and Opportunities in the application help for SAP Risk Management.
6.1.3.4 My Policies
Use
The My Policies section contains the policies that pertain to your responsibilities (either created by you or
requiring your review or approval).
Under the My Home work center, you can see all the policies with your involvement under My Objects My
Policies .
More Information
● Policies [page 402]

● Regulations and Policies [page 401]
● Creating a Policy Group [page 403]
● Creating a Policy [page 404]
● Reviewing a Policy [page 406]
● Approving a Policy [page 408]
● Publishing a Policy [page 409]
● If you have licensed Risk Management, please also see the Using a Policy as a Risk Response topic in the
documentation for SAP Risk Management.
6.1.3.5 Open Issues
Use
An issue is an exception, actual problem, or incident that has been identified for review. In such cases, a
remediation plan may be implemented to resolve or deal with the issue identified.
Under the My Home work center, you can see all issues for which you have reporting authorization under My
Objects Open Issues . Here you can access both evaluation test issues and ad hoc issues.
SAP Process Control

 Note
● Reporting authorization is granted based on the objects to which the issue is linked to. If you have
reporting authorization for the objects, you also have authorization for the linked issues.
● Ad hoc issues are also located under My Home Ad Hoc Tasks Issues .
More Information
● Identifying, Creating and Assigning Issues [page 53]

● Identifying, Creating, and Assigning Ad Hoc Issues [page 385]
6.1.3.6 Open Remediation Plans
Under Open Remediation Plans, you can maintain all the remediation plans for which you have change
authorization. You assign a remediation plans to an issue when you create a control in Process Control.
For more information, see Remediation of Open Issues [page 55].
6.1.4 Embedded Search
Use
The Embedded Search function in SAP Process Control and SAP Risk Management allows you to search for
objects and documents in a browser-based user interface. The search results include basic information of
objects and documents with hyperlinks, through which you can directly access the related applications and
documents.
Features
In SAP Process Control and SAP Risk Management, the following objects are available for search:
● Account Group
● Activity
● Ad-hoc Issue
● Assessment
● Business Rule
● Control
● Documents
SAP Process Control

● Incident
● Indirect Entity-Level Control
● Issue
● Objective
● Organization
● Policy
● Process
● Response
● Risk
● Subprocess
● Test History
You can configure Embedded Search by activating and deactivating these objects in Customizing activity Open
Administration Cockpit under Governance, Risk and Compliance General Settings Search .
Activities
To use the Embedded Search:
1. Go to My Home Search Embedded Search .

2. Enter your search query and choose Search.
You can use the advanced search function to specify the search scope, save your search terms, and hide/show
search criteria. You can filter the search results by choosing the categories on the left side.
6.1.5 My Delegation Overview
You can delegate the access rights and tasks of one user, the delegator, to another user, the delegate, for a
specific time period or indefinitely. From the My Home work center, choose My Delegation
● My Delegation [page 392]

You authorize users to perform your tasks and exercise your access rights. Business users are authorized
to perform own delegation.
 Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to
business users. If the power user needs to delegate his authorization to others, he must ask the IT
department to assign the PFCG role SAP_GRC_FN_ALL to that user. This delegation is not entity
dependent. For more information, see Central Delegation [page 513] and Standard Roles and
Authorization Objects [page 37].
Delegation does not remove access or tasks from the delegator. Instead, it allows the delegate to work with the
same access and tasks on behalf of the delegator. Both the delegator and the delegate can access the system
at the same time, as long as they do not access the same objects or activities.
SAP Process Control

6.1.5.1 My Delegation
Context
You can authorize another business user to perform your tasks, exercise your access rights, and specify the
duration of the delegation.
 Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business
users. If power users needs to delegate their authorization to others, they must ask the IT department to
assign the PFCG role SAP_GRC_FN_ALL to specified users. This delegation is not entity-dependent.
Procedure
To delegate your tasks and access rights to another user, proceed as follows:
1. From the My Home work center, choose Delegation My Delegation .
The Assign Own Delegate screen displays your existing delegations. You can create a new delegation, open
and edit an existing delegation, or delete a delegation.
2. To create a new delegation, choose Create.
The Own Delegation screen displays.

3. In the Delegate User field, select the value help pushbutton to display the User List dialog box. Enter or
search for a user name.
 Note
Wildcards (*) are supported in a search.
4. Select a user name and choose OK. The system completes the Delegator and User ID fields.
5. For the Delegation Period the following points apply:
○ The Start Date field defaults to the date the delegation is created. You can change this field.
○ The End Date field defaults to unlimited (December 31, 9999). You can change this field. If you accept
the default of an unlimited End Date, you can change the date later or delete the delegation when it is
no longer needed.
To edit an existing delegation, proceed as follows:
6. Choose the delegation assignment.
7. Choose Open.
The Own Delegation screen appears. You can only change the End Date.
8. Choose Save.
To delete an existing delegation, proceed as follows:
SAP Process Control

9. Choose the delegation assignment and choose Delete.
The system prompts you to confirm the deletion.

10. Choose Yes.
6.1.6 Additional User Experience Features
These features allow you to access the most commonly used applications, view user-specific entity data and
status, search for objects, and perform various other tasks.
SAP Process Control and SAP Risk Management provide the following features:
● Entry Page [page 393]

● Side Panel [page 394]
● Embedded Search
6.1.6.1 Entry Page
Use
Entry page is a role-based Web Dynpro home page that provides user-specific contents and easy access to the
most commonly accessed work center items. Entry page can be configured according to specific user
behaviors. Entry page consists of containers and Collaborative Human Interface Parts (CHIPs). You can
personalize the entry page by adding or removing containers and CHIPs.
Entry page is available for the following roles:
 Note
SAP Process Control roles are only valid if you have also installed and possess a license for the SAP Process
Control application).
● Internal Audit Manager (SAP Process Control)

● Internal Control Manager (SAP Process Control)
● Corporate Risk Manager (SAP Risk Management)
● Operational Risk Manager (SAP Risk Management)
More Information
For more information about available SAP Risk Management CHIPs, see GRC CHIP Catalog [page 394]
SAP Process Control

6.1.6.2 Side Panel
Use
 Note
The following information is only relevant if you have licensed SAP Process Control.
Side panel is a CHIP-based widget-type panel that can be accessed from an existing Web Dynpro application. It
provides additional information and easy access to work center items.
In SAP Process Control, side panel is user-specific. It is available for the following users:
● Internal Audit Manager

● Internal Control Manager
● Organization Unit Owner
In Process Control, you can configure the side panel for My Processes for a single role or a group of roles using
the Customizing activity Configure Side Panel for My Process under Governance, Risk and Compliance >
General Settings > UI Settings.
More Information
GRC CHIP Catalog [page 394]
6.1.6.3 GRC CHIP Catalog
Use
A CHIP (Collaborative Human Interface Part) is a small, widget-type, encapsulated, stateful piece of software
that can be combined in a layout with other CHIPs to form a page or a panel. Entry page and side panel are both
implemented using the CHIP technology.
The following CHIPs are available in SAP Risk Management (and in SAP Process Control, if you have installed
and possess a license for the SAP Process Control application):
CHIP Technical Name Description Use Suggestion
Ad Hoc Issues for Audit Ac GRFN_ACTION_ADIS Display a list of ad hoc issues Use in entry page
tions SUE_LIST_CHIP for audit actions
SAP Process Control

Audit Action and Ad Hoc Is GRFN_ACTION_ISSUE_CHIP Allows you to view ad hoc is Use in side panel
sue sues under specified audit
actions
Audit Dashboard GRFN_DAB_AUDITA Provides risks and audit pro Use in entry page
BLE_CHIP posal information in graphics
Audit Dashboard: Risks by GRFN_DAB_AUDITA Provides risk information by Use in entry page
Auditable Entities BLE_RISKS auditable entities in graphics
Audit Dashboard: Audit Pro GRFN_DAB_AUDITA Provides audit proposal infor Use in entry page
posals by Auditors BLE_APA mation by auditors in graph
ics
Audit Dashboard: Audit Pro GRFN_DAB_AUDITA Provides audit proposal infor Use in entry page
posals by Auditable Entities BLE_APAE mation by auditable entities
in graphics
Audit Plan Proposal GRFN_UIBB_AP_CHIP Displays the information of a Use in side panel
specific audit plan proposal
Audit Proposal GRFN_UIBB_AU_CHIP Displays the information of a Use in side panel

specific audit proposal
Criteria Data CRITERIA_CHIP_4_EN Used together with other Use in entry page
TRY_PAGE CHIPs to provide criteria data
for entry page
Evaluation Status (Pie View) GRPC_CHIP_EVAL_STAT Presents the status of evalu Use in side panel
ations in graphics
Evaluation Status (Column GRPC_CHIP_EVAL_STAT_CO Presents the status of evalu Use in entry page
View) LUMN ations in graphics
Issue Status (Pie View) GRPC_CHIP_ISSUE_STAT Presents the status of issues Use in side panel
in graphics
Issue Status (Column View) GRPC_CHIP_IS Presents the status of issues Use in entry page
SUE_STAT_COLUMN in graphics
Open Issues GRFN_OPEN_ISSUE_CHIP Displays open issues accord Use in side panel
ing to a specific object, such
as subprocess, control, etc.
POWL Wrapper GRFN_WD_POWL_CHIP Common POWL Wrapper Use in entry page
POWL List GRFN_POWL_LIST_CHIP POWL List CHIP Use in entry page
SAP Process Control

Risk Heatmap GRRM_CHIP_HEATMAP Displays risks by level and Use in entry page
impact in matrix
Subprocess/Control GRFN_SP_CONTROL_CHIP Displays information of a sin Use in side panel

gle subprocess or control
Timeframe Filter GRFN_TIMEFRAME_FIL A filter used together with Use in entry page
TER_CHIP other CHIPs
Passed/failed of Control GRRM_CHIP_PASS_FAIL_CN Displays the passed/failed Use in the side panel of risk
TL status of controls that are OIF
used in risks as response
Open Issues GRRM_CHIP_OPEN_ISSUE Displays the ad-hoc issues Use in entry page
New Entered Risks in the last GRRM_CHIP_NEW_RISKS Displays newly entered risks Use in entry page
14 days in the last 14 days
Risk heat map GRRM_CHIP_HEATMAP Displays risk heat map Use in entry page
Incomplete Response GRRM_CHIP_INCOMP_RE Displays incomplete re Use in entry page

SPONSE sponses
Planner GRRM_CHIP_PLANNER Displays the planner tasks Use in entry page

status
Scope Selection GRRM_CHIP_SCOPE Provides the selection of date Use in entry page
and organization, which will
be used as a scope for other
chips in the entry page
Top Risks GRRM_CHIP_TOP_RISKS User report CHIP Top Risks This chip is not used in the
(Variant of GRRM_R5) to get default delivery
the top risks
Workflow Monitor GRRM_CHIP_WI_MONITOR Monitors all the work inbox This chip is not used in the
tasks for all users in the sys default delivery
tem. Only the power user
who has the authorization is
allowed to do this activity.
Recent Loss Events GRRM_OB_CHIP_RE Displays the recent Loss Use in entry page
CENT_LOSSES Events from Banking created
during the last 14 days
Top Losses GRRM_OB_CHIP_TOP_LOSS Risk Banking Top Losses dis Use in entry page
ES plays the Top 5 loss events
comparing with Estimated
Loss
SAP Process Control

Loss Event Workflow Pipeline GRRM_OB_CHIP_WF_PIPE Displays the Loss Event Use in entry page
LINE Workflow in the form of Pipe
line and table list
More Information
For more information about standard SAP CHIPs, see CHIP Catalog.
For more information about creating CHIPs, see Creating Mashups with the Page Builder.
6.2 Master Data
Use
The Master Data work center is shared by the Access Control, Process Control, and Risk Management products
in the GRC Application. The menu groups and quick links available on the screen are determined by the
applications you have licensed. The content in this topic covers the functions specific to Process Control.
The Process Control Master Data work center contains the following sections:
● Organizations [page 398]

● Regulations and Policies [page 401]
● Objectives [page 410]
● Activities and Processes [page 412]
● Risks and Responses [page 417]
● Accounts [page 418]
● Reports [page 422]
More Information
● For information relating to Master Data functions in Risk Management, see https://help.sap.com/viewer/
51bbedc6646d4ff5b35b9d883be390a6/12.0.00/en-US/646bde178c07438187431e6c1746ea88.html
SAP Process Control

6.2.1 Organizations
Definition
Use
You can use the functions on the Organizations screen to create and maintain an organizational structure within
the application that mirrors the organizations in your company.
Integration
● If you have licensed Risk Management, Process Control and Access Control and want to use them for the
same organization, the application must share a common organizational view. Complete the Customizing
activity Maintain Organization Views, under Governance, Risk, and Compliance General Settings
Workflow
● To create the root organization and its first child organization in the specified organization view, complete
the Customizing activity Create Root Organization Hierarchy, under Governance, Risk, and Compliance
General Settings Workflow
More Information
Also see the Organizations topic in the documentation for SAP Access Control.
Process Control – Creating and Editing an Organization [page 398].
Also see the Working with Organizational Units topic in the documentation for SAP Risk Management.
6.2.1.1 Creating and Reviewing an Organization
Use
You create and edit organizations as a step in documenting your compliance initiative. The configurations you
choose affect authorizations and workflows.
SAP Process Control

Prerequisites
The following prerequisites must be fulfilled before you can work with organizations:
● To assign roles, complete the Customizing activity Maintain Entity Role Assignment, under Governance,
Risk, and Compliance General Settings Authorizations .
● For the Issues tab to display for organizations, complete the Customizing activity Enable Ad Hoc Issues by
Object Type, under Governance, Risk, and Compliance Common Component Settings Ad Hoc
Issues .
● If you are using SAP workflow functions, ensure that the corresponding roles are assigned to business
events in the Customizing activity Maintain Custom Agent Determination Rules, under Governance, Risk,
and Compliance General Settings Workflow .
Process
1. Create the organization.
 Note
Organizations are time-dependent. Ensure that you select the right time duration.
2. Assign subprocesses.
 Note
The default assignment method for subprocesses is to not allow local changes, but you can change this
default assignment method in Customizing for Governance, Risk and Compliance under Shared
Master Data Settings Define Default Subprocess Assignment Method .
3. Review and adjust regulations assignments.

4. Assign indirect entity-level controls.
5. Assign roles.
6. (Optional) Attach documents.
7. Choose Save.
The new organization appears as a subnode of the parent organization.
More Information
Working with Organizations [page 400]
SAP Process Control

6.2.1.2 Working with Organizations
Adding or Copying Organizations
To add or copy organizations:
1. Open the Organizations screen under Master Data Organizations .

2. On the Organizations screen, you can create a hierarchy with organizations and carry out various functions
for them.
 Note
The View field enables you to switch between different views of the organizational entities in a hierarchy
by making a selection in this dropdown field. You can also select by date, seeing organizational units
that were created on an earlier date.
3. To create an organization in the hierarchy, put the cursor on the parent organization or on the organization
for which you wish to create a suborganization. The screen of the organization opens.
4. Click Add. You are prompted to specify whether you want to create a new organization or reuse an existing
organization:
○ If you create a new organization, proceed as described in the section Working with the Organization
Tabs below.
○ If you want to reuse an existing organization, click Reuse existing organization. Then select the
organization that you want to reuse and click OK. After this, select the organization in the overview
screen and proceed as described below.
Working with the Organization Tabs
1. On the General tab, enter values for all required fields and other fields as needed.
2. On the Subprocess tab, you see the subprocess assigned to this organization. Select Assign Subprocess
and follow the guided activity to assign a new one.
 Note
The default assignment method for subprocesses is to not allow local changes, but you can change this
default assignment method in Customizing for Governance, Risk and Compliance under Shared
Master Data Settings Define Default Subprocess Assignment Method .
3. On the Indirect Entity-Level Controls tab, you can see and assign a new iELC to this organization.
4. On the Regulation tab, you can see the assigned regulations and the values of regulation-specific
attributes. Regulation in the organization is inherited from the assigned subprocesses and iELC. See
Regulations [page 401].
5. On the Policies tab, you can see the policies that have been created for this organization. See Policies [page
402].
6. On the Assignments tab, you can see which views pertain to the organization and the relevant application
components.
7. On the Issue tab, you can see the ad hoc issues which were raised for this organization. See Open Issues
[page 389].
SAP Process Control

8. On the Roles tab, you can assign users to individual roles, as well as replace or remove them. For more
information, see Standard Roles and Authorizations [page 37].
9. On the Attachments and Links tab, you can upload files or add links.
10. When you are finished, save the data for your organization. The new organization appears as a subnode of
the parent organization.
6.2.2 Regulations and Policies
Use
Regulations and Policies gives you visibility into your compliance landscape.
More Information
● Policies [page 402]

● Please also see the Regulations topic in the documentation for SAP Risk Management.
6.2.2.1 Regulations
Use
In the regulation hierarchy, you document which compliance initiatives your company supports. For each
compliance initiative, you can document the regulation and its requirements. After defining a new regulation,
you specify the subprocesses and controls that are relevant to that regulation.
The Regulations section allows you to:
● Document and review your compliance initiatives in one place

● Organize your compliance initiatives into groups
Prerequisites
Complete the following Customizing activities according to your business needs:
● Maintain Regulation Role Assignments under Governance, Risk, and Compliance Process Control
Authorizations
● Relate Regulation to Plan Usage under Governance, Risk and Compliance Process Control Multiple
Compliance Framework
SAP Process Control

● Define Subtypes for Regulation Specific Attributes under Governance, Risk and Compliance Process
Control Multiple Compliance Framework
● Enable CAPA by Regulation Type under Governance, Risk, and Compliance Common Component
Settings Ad Hoc Issues
Example
You have a group of financial compliance initiatives that could include SOX, J-SOX, and IDS or a group of
operational compliance initiatives that include FDA and Life Sciences regulations.
Maintain your regulation hierarchy to the individual requirement level, if desired. For example, you can maintain
SOX compliance down to the regulation requirement SOX 302. If you maintain regulation requirements, you
can assign them to controls and track the affected requirements at the control level.
More Information
Policies [page 402]
6.2.2.2 Policies
Use
A policy is a set of principles, rules, and guidelines that are formulated or adopted by an organization to reach
its long-term goals. Policies are designed to influence major decisions and actions, and all activities take place
within the boundaries set by them. They are used in Process Control and Risk Management.
A policy contains a written description of an organization's position on important subjects and its response to
specific situations. Policies support managerial decision-making, to help the company achieve its objectives.
Policies are an element of a complete governance process. This process involves an analysis of regulations,
best practices, and corporate business objectives, after which they are codified into policies affecting the
business actions of all employees.
Policies need to be created, reviewed, approved, and distributed; there is an ongoing process of policy
acknowledgment, self-assessment, and updates. Policies must be managed throughout their lifecycle.
Prerequisites
According to your business needs, complete the Customizing activities under Governance, Risk, and
Compliance Common Component Settings Policy Management .
SAP Process Control

More Information

Additional information: https://help.sap.com/viewer/51bbedc6646d4ff5b35b9d883be390a6/10.1.19/en-US/

9b1ba0c0c6c7436e9e68ed0d06930bda.html
6.2.2.2.1 Creating a Policy Group
Procedure
You must create a policy group before you can create a policy.
1. Choose Master Data Regulations and Policies Policies

2. Choose Create Policy Group .
The Policy Group screen displays.
3. Complete the following fields:
Policy Group fields
Field Name Description
Group Name (required) Create a distinctive Group Name.
Description (optional) Enter information to tell users the contents of the Policy
Group.
Approval Survey (required) Select the survey from the dropdown.
 Note
You must have previously created an Approval Survey
in the Survey Library.
Valid From (required) Enter the starting date.
Valid To (required) Enter the ending date.
4. Choose Save and Close.
SAP Process Control

More Information

6.2.2.2.2 Creating a Policy
Prerequisites
You must create a policy group before you can create a policy.
Context
Policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term
goals.
 Example
A Global Travel Policy is one example of a business policy. The goal might be to reduce costs and increase
efficiency by mandating that everyone in the company adhere to this policy.
Procedure
1. Choose Master Data Regulations and Policies Policies

2. Choose the Policy Group where you want to add the policy.
3. Choose Create Policy

4. Select a Policy Object Type and choose OK.
 Note
The Policy Object Types are configured during the Customizing activity Maintain Policy Types and
Distribution Methods under Governance, Risk, and Compliance Common Component Settings
Policy Management .
5. Complete the fields on the General tab.
SAP Process Control

Policy — General tab
Name (required) Create a distinctive policy name.
Description (optional) Enter information to tell users the contents of the policy.
Distribution Methods (required) Select Acknowledgement, Quiz or Survey. If you choose

Quiz or Survey, you must specify a template from the
Survey Library. An e-mail is sent to the recipients with a
PDF attachment, showing the required actions.
Purpose (required) State the reason for the policy.
Policy Category (optional) Select the categories this policy belongs to.
Date (optional) Enter the date.
Assignment Method (optional) Select Assign Directly, Inherited, Localized, or Superseded.
Responsible Organization (required) Enter the organization responsible for the policy.
Created by (optional) The default is the person who created the policy.
Created On (optional) The default is today's date.
Valid From (required) Enter the first date of effectiveness for the policy.
Valid To (required) Enter the last day of effectiveness for the policy.
Date for Next Revision (optional) Enter the date for the next revision. This date must be be
tween the Valid From and Valid To dates.
Note (optional) Enter any material that might be helpful to approvers or

reviewers.
6. Select the Policy Document tab. Attach the actual policy documents (word files, excel files, images) that
contain the written policy. The policy documents may reside in SAP Document Management Systems
(DMS) or you may include links to documents residing in external DMSl.
7. Select the Policy Scope tab.
You document who is in scope and subject to the policy. You may also explicitly specify who is excluded
from the scope of this policy. Define which Organizations, Processes (contained in the Organization),
Activities, People (can be roles, user groups, or specific users) or Exclusions you want to identify (text field).
This is who receives the policy when it is published.
8. Select the Risks tab.
This is the risk associated with the nonadherence to the policy. If the company is not compliant with the
policy, this is the risk that could occur.
9. Select the Controls tab.
Assign the controls or indirect entity-level controls that pertain to the policy.
10. Select the Policy Sources tab.
SAP Process Control

Specify the sources or the reasons and motivations behind the creation of the policy. There are defaults
choices provided. Add or remove sources as needed.
 Note
The Policy Sources are configured during the Customizing activity Maintain Policy Source Categories
under Governance, Risk, and Compliance Common Component Settings Policy Management .
11. Select the Issues tab.
If there are any ad hoc issues related to this policy that need to be addressed, they will be displayed in this
tab.
12. On the Roles tab you can assign users to individual roles (such as Policy Owner, Policy Approver and Policy
Reviewer), as well as replace or remove them. To assign a user, select the line of the role to which you want
to assign a user. Then choose Assign. In the dialog box then displayed, you can search for and select the
user to be assigned to this role. You can assign multiple approvers and reviewers.
13. Select the Review and Approval tab to view the status or the approvals. If you did not assign specific
reviewers or approvers, the Default Approvers (usually the Organization Owner — the owner of the
organization specified in the Policy Scope tab) are asked to approve the policy.
14. Choose Save.
15. Decide if you can immediately Submit for Approval or if you need to Send for Review.
Next Steps

● Please also see the Using a Policy as a Risk Response topic in the documentation for SAP Risk
Management.
6.2.2.2.3 Reviewing a Policy
Prerequisites
Policy reviewers were set up by the policy owner (author of the policy).
SAP Process Control

Context
After the policy owner submits the newly created policy for review, the policy review workflow is sent to the
reviewer. If the policy owner has set up more than one reviewer, then a parallel policy review workflow is sent to
all the reviewers at once.
Procedure
1. Choose My Home Work Inbox .

2. Select a policy to review. You see the same tabs that are used to create a policy. Read the material
contained in the tabs to understand the scope, history, and potential risks of the policy.
3. Submit comments as needed for specific tabs.
4. Review any comments on the Review and Approval tab. Add any general comments here. You have virtually
unlimited text.
 Note
If you accept the policy draft with no changes, then comments are optional. Before submitting the
comments, the reviewer can delete comments he or she has entered. The reviewer cannot delete
comments entered by other reviewers. Once a reviewer submits a comment, it cannot be modified or
deleted.
5. After the comments have been submitted, the policy owner can see all comments in a compiled format.
The policy owner revises the policy draft based on the review comments. As long as the policy owner does
not submit the policy for approval, reviewers can continue to enter comments by selecting the Review
Policy link in their Work Inbox.
Next Steps

Management.
SAP Process Control

6.2.2.2.4 Approving a Policy
Prerequisites
The policy approvers must be set up by the policy owner or the default approvers may be determined by the
workflow engine (based on the organizations and processes assigned to the policy).
 Note
● If the policy applies to an organization, then that organization owner becomes the default approver.
Since all the users in the organization are subject to this new policy, the organization owner must
approve it.
● If the policy applies to a certain process and/or subprocess, then the respective owner becomes the
default approver. Since all the users in the process and/or subprocess are subject to this new policy,
the process/subprocess owners must approve it.
● There may be other roles assigned to the policy approver role in the configuration, for a certain
organization, process or subprocess, who also receive the approval workflow.
Context
After the policy owner ensures that all the review comments have been incorporated, the owner submits the
final draft of the policy for approval. One or more approvers may be responsible for this policy, as determined
by the workflow engine and as specified by the policy owner. The defined approvers receive the approval
workflow in their GRC Inbox.
Procedure
1. Choose My Home Work Inbox .

2. Select a policy to approve. You see the same tabs used to create a policy. Read the material contained in
the tabs to understand the scope, history, and potential risks of the policy.
3. Review any comments on the Review and Approval tab. If an Approval Survey has been created, it is located
here and requires answers. Add any general comments here.
4. Decide if you need to Save Draft, Close, Send Back for Rework, Reject or Approve the policy.
5. You now have the following options:
○ Approve: The approver may (optionally) provide comments to the policy owner. The approver may also
attach supporting documents or links. The policy owner is notified that the policy has been approved.
If this policy receives approvals from all approvers, then the policy is ready to be published directly. Or,
this setting can be modified through the Customizing activities so that instead of all approvers, only
one approver is required for the policy to be approved and published to the policy library.
SAP Process Control

○ Reject: The approver has to provide comments to the policy owner. The approver may also attach
supporting documents or links. The policy owner is notified that the policy has been rejected. The only
choice for the policy owner is to create a new policy and start again.
○ Send Back for Rework: The approver has to provide comments to the policy owner. The approver must
provide suggestions (for example, a structured list) for improving the policy and any expected
changes. The approver may also attach supporting documents or links. The policy owner is notified
that the policy has been sent for rework. The policy owner has to amend the policy and resubmit it for
approval.
○ Save Draft: Save your comments or attachments and complete the approval process at a later time.
○ Close: Close the policy and complete actions at a later time. No Changes are saved.
6. Select Close.
Next Steps

Management.
6.2.2.2.5 Publishing a Policy
Prerequisites
The policy must have been reviewed by the policy reviewers and approved by the policy approvers. After
approval, the policy is published directly.
Context
A new policy is published to the Policy Library and is then available to all authorized users for viewing and is
available for distribution and policy attestation.
SAP Process Control

Procedure
1. Navigate to the Assessments work center.

2. Select the Planner to schedule the policy distribution.
 Note
The Distribution Method (Quiz, Survey, or Acknowledgement) is also defined when the policy is
created.
Next Steps

● See the topic Using a Policy as a Risk Response in the application help for SAP Risk Management.
6.2.3 Objectives
Depending on the products you have licensed, in the Objectives section of the Master Data work center, you can
maintain Control Objectives [page 410] and https://help.sap.com/viewer/
51bbedc6646d4ff5b35b9d883be390a6/10.1.19/en-US/8ddd8b4c9b4140c3a8e23baa6ab9ecc5.html .
6.2.3.1 Control Objectives
Use
Control objectives define statements of desired results or purposes. You assign these statements to the
relevant subprocesses. Control objectives document the objectives that are relevant for the specific
subprocess.
Activities
Creating Control Objectives
Perform the steps below to define your control objectives.
1. Choose Master Data Objectives Control Objectives
SAP Process Control

The Control Objective Catalog displays. The left pane shows a list of available control objectives. The right
pane shows the general information and related subprocesses of the control objective that is highlighted in
the left pane.
2. Choose Create.
The Create Control Objective dialog box displays.
3. On the General tab, enter the following information:
Control Objective - required Enter a name for the control objective. This is a 40-char
acter text field that the system uses in reports that are re
lated to control objectives.
Objective Category - required Select the objective category from the dropdown menu.
This value is used with the control type attribute within the
control. Your choices include the following categories:
○ Compliance and Regulations

○ Financial Reporting and Disclosures
○ Operations
To define your own values through the Customizing activ
ity, choose Governance, Risk, and Compliance
Process Control Edit Attribute Values . In the left pane,

select Attributes with Dependent Attributes. In the right
pane, select the row for CO-OBJCAT. Then select the val
ues under Attributes with Dependent Attributes and main
tain your entries.
Description – recommended Enter a description for the control objective.
This is a text field that is included in some reports that

present control objectives.
Valid To and Valid From - required Enter a date range for the control objective to be valid or
accept the default Valid To date of December 31, 9999
(preferred).
4. On the Subprocesses tab, choose Add to associate the desired subprocesses to your control objective.
5. On the Risks tab, select Add to associate the risks with your control objective.
6. On the Attachments and Links tab, choose Add to associate documents or links to your control objective.
7. Choose Save.
 Note
To change a control objective, follow the same procedure except, in step 2, you select an existing control
objective and then choose Open.
SAP Process Control

6.2.4 Activities and Processes
The Activities and Processes section in the Master Data work center is where you maintain your company's
activities, business processes, subprocesses, and controls. It contains the following links:
● Business Processes [page 412]

● Indirect Entity-Level Controls [page 416]
● Please also see the Activity Hierarchy topic in the documentation for SAP Risk Management.
6.2.4.1 Business Processes
Use
Business processes in the Activities and Processes section of the Master Data work center enable you to create
a business process structure containing all your central business processes, to which individual controls are
assigned.
A process refers to a set of activities that relate to a function in an organization’s operations. These activities,
when carried out, produce the desired output or process result.
The activities detail the flow of material and information between the process steps and the business decisions
that determine how a process step is accomplished. A process can contain subsets of activities called
subprocesses.
A process includes controls to ensure that the process, and corresponding subprocesses, can be performed
according to the company’s requirements. These controls are activities designed to address control objectives
and to mitigate risks in the company’s internal control environment.
 Example
An example of a process is the order-to-cash process, which starts with sales order creation and ends with
receipt of cash from customers for goods delivered or services rendered.
A subprocess for this activity can be sales order processing, which pertains to the receipt, processing, and
execution of a sales order.
A control activity within the subprocess can be the review of sales orders to ensure that only sales orders
within the customer’s authorized credit line are processed.
The process structure allows you to create processes, add subprocesses within a process, create controls
within a subprocess, and associate the relevant account groups and control objectives, or risks, to specific
subprocesses and controls.
● The process is the highest level node to which the subprocesses and controls are assigned.
● Each subprocess can have one or more controls assigned to it. Control objectives, account groups, risks,
and regulations are also assigned to subprocesses.
● Risks can be identified on subprocesses, control objectives, or account group assertions.
● Controls can be assigned to mitigate the risks identified.
SAP Process Control

The figure below shows the relationships between processes, subprocesses, controls, control objectives, risks,
and account groups:
Activities
Perform the following steps:
● Creating and Editing Processes and Controls [page 413]

● Creating or Editing a Subprocess [page 414]
● Control Objectives [page 410]
6.2.4.1.1 Creating and Editing Processes and Controls
Use
You use this procedure to create and edit processes and controls.
SAP Process Control

 Note
You can load values by activating the delivered business configuration sets (BC sets) during the
Customizing activity, Activate Business Configuration (BC) Sets under Governance, Risk, and Compliance
General Settings .
Procedure
1. Choose Master Data Activities and Processes Business Processes .

The Process Structure screen appears.
2. Select the desired year and period or date, and choose Apply if you have changed them. This ensures that
you see the processes and subprocesses that exist for the period or date you select.
3. Choose the row containing the highest level of process under which you want to add a new process. If you
have not yet created or uploaded any processes, you select the top line Process Structure.
4. To create a new process, select Create and choose Process.
5. To edit a process, select the process you want to edit and choose Open.
6. The Central Process screen displays.
7. In the General tab, enter the following information:
Name - required Enter a name for the process.
Description - recommended Enter a description of the process.
Valid To and Valid From - required Enter the validity date range. In most cases, the Valid To
date should be unlimited.
8. (Optional) On the Attachment and Links tab, choose Add to add a file or a link. You can attach a process
flow diagram or a process narrative.
9. Choose Save. The Process Structure screen displays your new, or edited, process in the hierarchy.
 Note
Processes may be nested under other processes to support hierarchical process definitions. For example,
to reflect the needs of the business, you might define the top-level process as a business cycle, and the
next level process as a major process.
6.2.4.1.2 Creating or Editing a Subprocess
Once you have created a process, you can create subprocesses or edit existing subprocesses.
1. Choose Master Data Activities and Processes Business Processes .

The Process Structure screen appears.
SAP Process Control

2. Select the desired year and period or date, and choose Apply if you have changed them. This ensures that
you see the processes and subprocesses that exist for the period or date you select.
 Recommendation
For more information, see Creating and Editing Processes and Controls [page 413]
3. Select the process under which you want to add a new subprocess.
○ To create a subprocess, choose Create Subprocess .
○ To edit a subprocess, choose the subprocess you want to edit and choose Open.
The Central Subprocess screen appears.
4. On the General tab, enter or edit the following information:
Field Description
Name - required Enter or edit the name of the subprocess.
Description - recommended Enter or edit the description of the subprocess.
Valid To and Valid From - required Enter or edit the validity date range for the subprocess. In
most cases the Valid To should be unlimited.
Industry Specific – optional This allows tracking of subprocesses related to specific in
dustries. Select Yes or No. If you select Yes, an Industry
field appears. Select the industry from the dropdown list.
Transaction Type - optional Estimation, nonroutine, or routine
5. On the Control Objectives tab, you can add or edit the control objectives associated with the subprocess.
This indicates which control objectives are supported by controls within this subprocess.
1. Choose Add to add a control objective.
The Add Control Objectives table appears a list of your control objectives.
2. Choose the desired Control Objective to highlight and select it.
3. Choose OK.
Based on your selection, the system fills the following fields on the Control Objectives tab:
Field name Description
Control Objectives The relevant controls objectives for the subprocess.
Description The description of the control objectives.
6. On the Accounts Groups tab, you can add account groups to the subprocess. This indicates which account
groups and assertions are supported by controls within this subprocess.
1. Choose Add.
A selection screen of account groups appears.
2. Choose the desired account groups to highlight and select them.
3. Choose OK.
SAP Process Control

Based on your selection, the system fills the following fields on the Account Groups tab:
Names The name of selected account group.
Description The description of the account group.
7. On the Risks tab, you can add, edit, or remove the risks that you want to associate with your subprocess.
1. Choose Add to assign a new risk, or, choose Open to modify a risk that is already assigned to the
subprocess.
2. Select the desired risks from the Add Risks table and choose OK.
3. If you want to change a risk that is already assigned to your subprocess, choose Open.
The Central List screen appears.
4. If you want to remove a risk from your subprocess, select the risk and choose Remove.
8. (Optional) On the Attachment and Links tab, choose Add to add a file or a link. For example, you can attach
a process documentation file for your subprocess.
9. On the Regulations tab, choose Add to assign a new regulation. Select the desired regulation and choose
OK.
○ If you want to remove a regulation from your Subprocess, select the regulation and choose Remove.
10. Select Save.
The Subprocess Structure screen appears your new or edited subprocess under the process hierarchy that
you selected.
6.2.4.2 Indirect Entity-Level Controls
Prerequisites
Indirect entity-level controls (iELC) must be created before they can be assigned to organizations.
Procedure
1. Choose Process Control Organizations .

2. Select the year and period depending on the desired start date and choose Go. The system displays the
organizations that are active in the chosen time frame.
3. Select the row of the organization to which you want to assign indirect entity-level controls.
4. Choose Open to edit the organization. Select the Indirect Entity-Level Controls tab.
5. Assign indirect entity-level controls to the organization.
SAP Process Control

○ Choose Add to display the indirect entity-level controls that have not been assigned to this
organization.
○ Choose the indirect entity-level controls that you want to assign to the organization by selecting one or
more rows. You can filter for an indirect entity-level control by entering filters in the name or
description columns.
 Recommendation
Holding down the CTRL key allows you to select multiple lines. Holding down the SHIFT key allows
you to select consecutive items. If you want to remove an indirect entity-level control from the
selection, hold the CTRL key and choose the control to deselect and remove it from the list.
○ Choose OK once all desired indirect entity-level controls are selected. The system displays a table
showing all selected indirect entity-level controls.
6. Choose Save.
 Note
The system creates indirect entity-level controls that are local to that organization. Users with access
to indirect entity-level controls within that organization can display or edit them in Process Control
My Home My Objects My iELCs. .
6.2.5 Risks and Responses
Definition
The Risks and Responses section of the Master Data work center enables you to maintain your organization's
risk, opportunity, and response catalogs. It contains the following Quick Links:
● Risk Catalog
● Opportunity Catalog
● Response Catalog
More Information
Please also see the following topics in the documentation for SAP Risk Management:
● Risk Catalog
● Opportunity Catalog
● Classifying Risks, Opportunities, and Responses
SAP Process Control

6.2.5.1 Risk Catalog
Definition
A Risk Catalog provides a structured view of all risks to your company. The catalog allows you to sort risks
hierarchically, as well as to classify risks according to the categories of risks that you wish to track. The catalog
also facilitates reporting, for example, to evaluate the risks per risk category defined for your company.
Structure
To access the Risk Catalog, go to the Risks and Responses section of the Master Data work center.
More Information
Please also see the Risk Catalog (Risk Management) topic in the documentation for SAP Risk Management.
6.2.6 Accounts
Use
You use the Accounts menu group to create account groups that are relevant to your compliance initiatives.
The account group hierarchy represents accounts that include external financial statements.
Each account group has its own attributes, such as the significance of the account group at the corporate level;
and, assertions regarding the account group relative to the financial statements. In the account group
hierarchy, you can see which accounts are significant and for what reasons.
For Sarbanes-Oxley purposes, an account is deemed to be significant if there is a reasonable possibility that a
misstatement in the account will result in a material effect on the financial statements. Other compliance
initiatives related to financial reporting may use similar concepts.
Financial assertions are declarations made by management about an entity’s significant accounts that are
reported on their financial statements. For Sarbanes-Oxley purposes, financial assertions cover completeness,
existence or occurrence, rights or obligations, valuation or allocation, presentation and disclosure. The Process
Control-delivered business content provides these values, which can be configured as needed.
SAP Process Control

Features
The Accounts work center allows you to:
● Define account groups specific to your organizations and compliance processes

● Designate account groups as significant to facilitate compliance tracking and reporting
● Document the basis for designating an account group as significant
● Assign relevant financial assertions and related risks to support your compliance process
Activities
● Creating Account Groups [page 419]

● Editing Account Groups [page 420]
6.2.6.1 Creating Account Groups
Procedure
1. Choose Master Data Accounts. The account group hierarchy displays based upon the selected
period and year.
2. In the hierarchy, choose an account group under which you want to create a lower level account group.
 Note
If you need to create the top node, select the Account Group Hierarchy (top) row.
3. Choose Create to configure the new account group.

4. The Account Group screen displays the following tabs:
○ General
○ GL Accounts
○ Risks
○ Attachments and Links
5. On the General tab, enter account group settings as follows:
Field Instructions
Name (required) This is name of the new account group.
Description This is the description of the account group.
SAP Process Control

Field Instructions
Valid From and Valid To (required) The Valid From date defaults based upon the date of the
parent object, your current timeframe, and sign-off status.
You may change the default if desired.
Significant You can see which accounts are designated significant and
for what reasons.
Assertions Assertions are declarations made by management about

the entity’s significant financial statement accounts, re
ported on their financial statements.
6. On the GL Accounts tab, you can manually define specific general ledger accounts that includes the
account group. This entire tab is optional, as many auditors focus more on the financial statement level
accounts than on individual general ledger accounts.
7. On the Risks tab, you can add or remove risks that are associated with the account group and account
assertions.
8. On the Attachments and Links tab, you can optionally attach or link supporting files to an account group.
9. Once the required and desired information for all tabs has been entered, select Save. The new account
group added displays beneath the node in the account group hierarchy that you originally selected.
10. Repeat this process to create additional nodes for your account group hierarchy, if needed. The account
group you are adding becomes a subnode (at the next lower level in the hierarchy) of the account group
that you initially selected.
6.2.6.2 Editing Account Groups
There are two activities concerning account groups:
● Change the structure of an account group hierarchy or search for an account group.
● Edit the attributes of an account group.
Change the structure of an existing account group hierarchy or search for an

account group
1. Choose Master Data Accounts. The account group hierarchy displays based upon the selected
period and year.
2. Choose the account group you want to move. You can rearrange the order of account groups within a node;
or, you can move account groups to a different node.
3. Choose Actions and select Cut, Paste, Up, or Down to move the accounts to the desired location.
 Note
You cannot move an account group under another account group with a different validity period unless
the child account group validity is within the parent account group validity. You cannot delete an
SAP Process Control

account group by using Cut; that is only used in a cut and paste operation. To retire an account group,
change its Valid To date.
○ Select Expand All or Collapse All to display or hide all subnodes in the account group hierarchy.
○ Select Find and Find Next to search for a specific account group.
Change the Attributes of an Existing Account Group
1. Choose the account group that you want to edit.

2. Choose Open to edit the attributes of the selected account group.
 Recommendation
The Creating Account Groups topic contains details on each tab where edits are possible. For more
information, see Creating Account Groups [page 419].
6.2.6.3 Consolidated Balances
Use
You use the Consolidated Balances function to do the following:
● Enter or upload balances for the account groups that you defined at the global level.
● Determine the significance threshold for consolidated account group balances.
● Apply a significance threshold to flag consolidated account groups as significant.
 Note
Users with appropriate access can adjust the significance as needed.
Activities
To update your account group balances, follow the directions below:
1. Choose Master Data Accounts Consolidated Balances .

2. Enter the Year, Currency, Significance Threshold, if desired, and the Version.
3. Manually enter your consolidated account group balances or use the Download Template and Upload
Template buttons to automate the process.
 Note
You can manually mark an account group balance as significant or you can let the system do it for you
based on Significance Threshold that you specified.
SAP Process Control

4. Choose Save.
6.2.6.4 Organization Balances
Use
You use the Organization-Level Balances and Significance function to do the following:
● Enter or upload balances for the account groups at the compliance-initiative specific level.
● Determine the significance threshold for compliance-initiative specific account group balances.
● Apply a significance threshold to mark account groups as significant, or not.
 Note
The system flags organizations and subprocesses as in scope if the account groups assigned to its
subprocesses are identified as significant. Organizations and subprocesses can be in scope for one
timeframe and not for another. This attribute can be adjusted by users with appropriate access privileges.
Activities
To update your account group balances do the following:
1. Choose Master Data Accounts Organization Balances .

2. Enter the Year, Regulation, Currency, and Significance Threshold.
3. Manually enter your consolidated account group balances or use the Download Template and Upload
Template buttons to automate the process.
You can manually mark an account group balance as significant or the system can select the accounts
based on parameters you defined in the Customizing activities.
4. Choose Save.
6.2.7 Reports (Master Data)
This topic lists the reports available under the Reports section of the Master Data work center.
 Note
The Reports section is shared by Risk Management and Process Control. Based on the applications you
have licensed, you may see only a subset of the reports.
SAP Process Control

Report Description
Risk and Control Matrix This report provides information on control and risk matrix.
You can find out what risks specific controls are covering,
under different risk models (Subprocess – Accounts Group
and Assertions – Risk – Control; Subprocess – Control Ob
jective – Risk – Control; Subprocess – Risk – Control).
Risk Coverage This report provides visibility into the coverage of risks by
controls by organization and process. For each risk associ
ated with a subprocess, it shows the list of controls as
signed. You can review this report and understand the risk
gaps to determine if new controls are needed.
Organization and Process Structure This report provides visibility into the organization - process
- subprocess - control hierarchy. You can review this report
and understand what controls and processes are assigned
under each of the business entities.
Indirect Entity-Level Control (iELC) Structure This report provides visibility into the organization - indirect
entity-level control structure. You can review this report and
understand what indirect entity-level controls are imple
mented under each business entity and determine if new
iELCs are needed.
Test Plan by Control This report provides visibility into the coverage of test plans
by controls by organization and process. For each control, it
shows the list of test plans assigned. You can review this re
port and determine if test plans have been assigned properly
to all controls to be tested.
Change Analysis This report provides visibility into all process control object
changes and details within a selected time period. You can
review this report and find out what changes (creation, mod
ification, removal, and role assignment) have been per
formed to each object.
Audit Log This report shows chronologically all changes to local and
central objects within a time period. You can review this re
port and find out what changes have been performed to
each central or local object.
Risk-Based Compliance Management This report provides visibility into the coverage of both Risk
Management and Process Control risks by organization and
process. For each risk, it shows the list of controls assigned
as well as the control design and testing status. You can re
view this report and understand the risk gaps to determine if
new controls are needed.
SAP Process Control

Report Description
Policies by Regulation This report provides a method to access all policies, proce
dures, work instructions, and so on, that the company has in
place to address a certain regulation and/or requirement.
Policies Versions This report provides the capability to look at the different
versions of a policy, procedure, work instruction, and so
forth, to provide an idea of how the policy has progressed
and evolved over time. This report also shows the docu
ments (with the version numbers) that were attached to the
policy object in its different versions. The ownership and cre
ation information for each of the versions is also available in
this report.
Risks Associated with Policies This report provides the ability to access the local Risk Man
agement risks associated with a certain policy, procedure,
work instruction, and so on. It also can retrieve a report that
lists all the policies, procedures, work instructions, and so
forth, that the company associated with a risk.
Processes and Controls with Policies This report details the processes that are impacted by a cer
tain policy. It also lists which controls are in place to ensure
compliance with the policy.
Regulation/Policy Requirement-Control Coverage This report provides visibility into the coverage of controls by
requirement by regulation or policy. For each regulation re
quirement, it shows the list of controls assigned. You can re
view this report and determine whether further controls are
needed.
Control-Regulation/Policy Requirement Coverage This report provides visibility into the coverage of require
ments by controls by organization and process. For each
control, it shows the list of requirements assigned. You can
review this report and determine whether further require
ments could be covered by a specific control.
6.3 Rule Setup
Use
The Rule Setup work center is shared by the Access Control, Process Control, and Risk Management products
in the GRC Application. The menu groups and quick links available on the screen are determined by the
applications you have licensed. The content in this topic covers the functions specific to Process Control. If you
have licensed additional products, such as Access Control or Risk Management, refer to the relevant topics
SAP Process Control

The Process Control Rule Setup work center provides links to the following areas:
● Continuous Monitoring [page 425]

● Scheduling [page 443]
● Legacy Automated Monitoring [page 447]
● Reports [page 484]
More Information
● Please also see the Rule Setup topic in the documentation for SAP Access Control.
● Please also see the Rule Setup topic in the documentation for SAP Risk Management.
6.3.1 Continuous Monitoring
Definition
Depending on the products you have licensed, the Continuous Monitoring section of the Rule Setup work center
gives you access to the following:
● Data Sources [page 425]

● Business Rules [page 431]
● Business Rule Assignment [page 435]
More Information
Continuous Monitoring Overview [page 73]
6.3.1.1 Creating and Changing Data Sources
Definition
A data source is a set of fields that provides the information for Continuous Monitoring. From a technical
viewpoint, the data source is a set of logically-related fields that retrieve a flat structure from a system, such as
an ERP system, that is monitored.
SAP Process Control

Use
Data sources supply the metadata description of source data. They extract the data description (including
name, type, and a source path from a source system). They are the foundation to create a Continuous
Monitoring business rule.
● Data source — records what is monitored, and where and how to load the information.
● Business rule — contains information about how to filter the data and detect deficiencies.
The subscenarios of the data source are the following:
● ABAP Report
● SoD Integration
● BW Query
● Configurable
● Event
● External Partner
● Process Integration
● Programmed
● SAP Query
● HANA
Integration
To perform this function, you must be assigned to the Data Source Specialist role. Different subscenarios
require different prerequisites.
Subscenario Create and Register Other Prerequisites

Connection
ABAP Report X Qualified and Register reports by transaction code /n/GRCPI/

OVERVIEW in ERP system
SoD Integration No connector required. SAP Access Control has been activated
BW Query X The BW query exists with the following rules:
● The BI characteristics must be arranged in rows area.

● The BI key figure must be arranged in columns area.
● Only Single Value and Selection Option Filters are supported.
● Filter has to be set to optional.
● There are no aggregation rows in the query output.
SAP Process Control

Subscenario Create and Register Other Prerequisites
Connection
Configurable X ● For Connection Type: SAP System, the GRC plug-in (RTA) must
be installed on the ERP system.
 Note
SAP ERP 4.6 C and below are not supported. These con
nectors are not shown in the list.
● For Connection Type: S/4 Cloud, Continuous Control Moni

toring Integration (2OH) must be implemented.
See: Setting Up Continuous Control Monitoring (2OH)
Event No connector required. Define the event definition in the Customizing activities.
You are receiving the
event from another sys
tem.
External Partner X For external partners who implement Web service based on Web
Service Definition Language (WDSL) provided by SAP. Create a log
ical port.
Process Integration No connector required Process Integration development is done. The proxy must contain
both import and export parameter.
Programmed X GRC10.0 plug-in is installed in ERP
SAP Query X SAP query (not implemented by logical database). Use transaction
code SQ01 to choose a valid query.
HANA X HANA DB is ready. The connection between GRC system to HANA

DB need to be established. See SAP Note 1597627 for details.
This subscenario can only consume Calculation View stored in
HANA DB. These views should be prepared already.
1. Choose Rule Setup Continuous Monitoring Data Sources . The Data Source List screen displays.
2. Choose one of the following options:
○ Create — Use this option to create a data source.
○ Open — Use this option to view or edit an existing data source. You cannot change a data source that a
business rule is using.
○ Delete — Use this option to delimit a data source. You cannot delete a data source a business rule is
using.
○ Copy — Use this option to copy an existing data source and change it.
SAP Process Control

3. On the General tab, enter or edit the parameters as shown in the following table:
Parameter Instructions
Data Source (required) Name the data source.
Description Enter the description or purpose of the data source.
Valid From (required) Enter the start date for the validity period of the data source.
Valid To (required) Enter the end date for the validity period of the data source.
 Note
The Valid To date must be later than the Valid From date.
Status Select the data source status from the dropdown menu. You can select one
of the following options:
○ New – The data source is a draft. From this status, you can only change
it to In Review.
○ In Review – The data source is in review. From this status, you can only
change it to Active.
○ Active - Once a data source is Active, you can assign it to a business
rule. You can set the status to In Review to make any changes. From this
status, you can change it to Inactive or In Review.
○ Inactive - The data source is no longer in use. From this status, you can
only change it to In Review.
 Note
A data source must be Active before you can assign a business rule to it.
Search Term Enter a term to search for a data source.
 Example
You can search for data sources that are classified with search terms,
such as SOX or FDA.
4. On the Object fields tab, enter or edit the parameters as shown below:
Subscenario Name the subscenario and connection type of the data source. The connec
tion type is automatically entered if there is only one connection type.
Parameters Different subscenarios contain different parameters. The parameters search

for the specific query, tables, or proxy.
SAP Process Control

Fields List the fields of the data source, such as their type, amount or quantity, de
scription, and so on. You can change the field descriptions to make them
more useful for your business needs.
5. On the Connector tab, maintain additional connectors. By default, the main connector retrieves the
backend metadata such as query fields and field descriptions.
 Note
On the Ad Hoc Query tab (only applicable to the Configurable subscenario), you ensure the tables and
joins used retrieve the expected data.
6. On the Attachments and Links tab, attach a file or link to the rule.
7. Select Save. The system displays a message to confirm that all data was saved.
6.3.1.2 Business Rule Parameters (BRPs)
Use
Business Rule Parameters (BRPs) are system parameters on the organization level that can be assigned to
business rules. Like OLSPs, BRPs can also make it easier to assign rule criteria when common systems or
system parameters must be assigned to several rules. The mechanism of BRPs is similar to that of OLSPs.
However, unlike OLSPs which limit the use of parameters within four fields, BRPs allow you to create any
named parameter and use them in business rules, provided that these supported data types are used:
ABAP Data Type ABAP Dictionary Type Description Notes
C CHAR Character string Maximum length is 45 char

acters. Example: AB00
D DATE (DATS) Date
P DEC Decimal Only 2-digit decimal numbers

are allowed. Example:
123,45 (European format)
I INT Integer Maximum length is 16 char

acters. Example: 32.453
(European format)
N NUMC Numeric character Maximum length is 16 char

acters. Example: 32.453
(European format)
SAP Process Control

 Note
Both ABAP data type and ABAP dictionary type are supported by BRP. You might see mixed data types in
the Field Type column of the source data. For more information about data types, see http://help.sap.com
Technology Platform SAP NetWeaver SAP NetWeaver 7.0 Application Help Function-Oriented
View English Application Platform by Key Capability ABAP Technology ABAP Workbench (BC-DWB)
BC - ABAP Dictionary Data Types in the ABAP Dictionary Mapping of the ABAP Data Types .
BRPs can be used in the following subscenarios:
● Configurable
● Programmed
● SAP Query
● BW Query
● ABAP Report
● HANA
With BRP, you can use a more complicated value determination to include both single values and value ranges
to filter data and define deficiency criteria.
More Information
The BRP feature is an improved alternative to the OSLP feature in Legacy Automated Monitoring. You can use
both BRPs and OLSPs in the same environment. For more information about OLSPs, see Organizational Level
System Parameters (OLSPs) [page 463].
6.3.1.2.1 Creating, Editing, and Deleting Business Rule

Parameters
Use
Follow the procedure below to create, edit, and delete Business Rule Parameters (BRPs).
Procedure
1. Choose Rule Setup Continuous Monitoring Business Rule Parameters . The Business Rule
Parameters screen appears.
2. Choose one of the following actions:
○ Create: Use this action to create a new BRP.
○ Open: Use this action to open and edit a BRP.
SAP Process Control

○ Delete: Use this action to delete a BRP from the system.
 Note
You cannot delete a BRP once it is assigned to a business rule.
3. To create a BRP, enter the following information in the General section:
Field Required/Optional Instruction
Name Required Enter the name of the BRP.
Type Required Select the type of BRP.
Data Type Required Select one of the following supported

data types:
○ Char
○ Decimal
○ Date
○ Integer
○ Number
Default Values Required Depending on the data type, give a de

fault value to the BRP. If no values are
maintained in the Maintain Rule
Parameter Value section, the default
value will be used.
Description Required Description of the BRP.
 Note
Name, Type, and Data Type cannot be modified once the BRP is saved.
4. On the Maintain Rule Parameter Value screen, maintain or modify the BRP values for the organizations that
you want to apply the BRP to.
You can use the Value set option to define multiple values and value ranges for an organization in a single
field. Use a semicolon (;) to separate values and a tilde (~) to indicate a value range.
5. Confirm the details of the BRP and finish.
6.3.1.3 Creating a Business Rule
Prerequisites
To perform this function, you must be assigned to the Business Rule Specialist role. You must have already
created a data source. For more information, see Creating and Changing Data Sources [page 425].
SAP Process Control

Procedure
A business rule provides a scalable user interface, which can support various data sources such as
configurable rules, programmed rules, SAP Query and BI Query.
1. Select Rule Step Business Rule (in the Continuous Monitoring section) . The Business Rule Overview
screen appears.
2. Choose Create.
3. Choose a Data Source. Only data sources with a status of Active are valid. If you do not know the name of
the data source, search by name, subscenario, connection type, search term, or validity date. Choose
Search Data Source. After you have selected the data source, choose OK.
4. Choose Start to create a Business Rule.
Based on the subscenario defined in the data source, the guided activity has different steps. Provide the
input required for the subscenario of your data source.
Subscenario/ Basic In Data Input Filter Defi- Conditions Output Techni Ad- Attach
Step forma for Parame Crite ciency and Calcu Format cal Set hoc ments
tion Analy ters ria Criteria lations tings Query and Links
sis
Configurable X X X X X X X X X
Programmed X X X X X X X
ABAP Report X X X X
SAP Query X X X X X X X X
Event X X X X X X
SoD Integra X X X X
tion
BW Query X X X X X X X X
External Part X X X X X X
ner
Process Inte X X X X X X X X
gration
HANA X X X X X X X X X X
○ Basic Information
— Enter the required fields (Name, Description, Category, Analysis Type, Valid From, Valid to, and
Status) and any optional fields that apply to your business rule.
 Note
The values of Category and Analysis depend on the subscenario defined in the Data Source. The
only two statuses that are eligible at this stage are: New and In Review.
SAP Process Control

To determine which connectors are applied to this business rule, select Applied in the Connectors
table. The default is the main connector designated by the data source.
○ Data for Analysis (only applicable to the Configurable subscenario)
— Choose a subset of fields in the data source to be analyzed in the business rule.
○ Input Parameters
— Enter the input parameters as defined in the HANA view to query ERP data for the business rule.
Input parameters can be defined as optional or required when a HANA view is created.
○ Filter Criteria
— Select fields as filters and enter the values in each filter field. For example, you might look at records
over a certain currency amount (for example, purchase orders over 1,000 euros). If the criteria must be
determined at runtime and the field type is date, you can select Runtime Value Determination and
choose the runtime method.
 Note
In some subscenarios (such as Programmed), the filter fields are predefined and cannot be
changed.
○ Deficiency Criteria
— Select fields as deficiencies. Enter the deficiency thresholds or indicator to each deficiency field. If
the Field Analysis type is Changes or Blank Check, the deficiency value is Indicator (High, Medium, or
Low). If the Field Analysis type is another type, the deficiency value is Threshold.
 Note
In some subscenarios (such as Programmed), the deficiency fields are predefined and cannot be
changed.
In some subscenarios, the Calculated Field is visible. You can create a calculated field as an
additional deficiency field; if so, the calculations function is defined in the Conditions and
Calculations step.
○ Conditions and Calculations

— There are several SAP pre-delivered conditions and calculation functions that can be applied to each
deficiency field.
○ For deficiency fields (not additional calculated fields), only conditions can be applied.
○ For calculated deficiency fields, both conditions and calculation functions can be applied.
 Note
The Currency Conversion calculation function is available only for the data type Amount.
For the Event subscenario, you can choose Send Notification and/or Trigger a Monitoring Job.
○ Output Format
— Each deficiency field with an exception is generated as a job result. The output columns of the job
result can be adjusted here. You can choose which columns to hide or display. You can also change the
sequence number to set the order of the columns displayed. For example, a sequence number of 001
would appear to the left of 002.
○ Technical Settings
— These settings are for users with a technical background. They are settings for runtime usage and
vary based on each subscenario. Default values are defined for each parameter, but you can override
the value to adjust the behavior or outcome of the job result during runtime.
SAP Process Control

○ Ad Hoc Query
— You can query the data from the system that is defined in the target connector. This can be useful to
test your query without scheduling a job. To view the results list, use one of the following:
○ Data Collection: Raw data is presented, based on the filter criteria.
○ Apply Rule: Deficiency Criteria and Conditions and Calculations defined in previous steps are
applied to the result.
○ Attachments and Links
— You can attach documents and links related to the business rule in this step.
5. Choose Save. A confirmation message appears. If more changes are needed, choose the Change the
Business Rule link to navigate to the same business rule in change mode.
6.3.1.4 Changing a Business Rule
Use
If your business environment has changed, you can change a business rule. You can change:
● Basic Information
● Data for analysis
● Filter criteria
● Deficiency criteria
● Conditions and calculations
● Output format
● Technical settings
● Ad hoc query
● Controls
● Attachment and links
Prerequisites
A business rule must already be created. For more information, see Creating a Business Rule [page 431].
Procedure
The business rule is presented on a screen with several tabs. The tabs vary, based on the subscenarios
selected in the data source. Each tab corresponds to a step to create a business rule (for example, Filter
Criteria and Output Format). The Control tab shows additional information when changing the business rule. It
also displays the controls assigned to the business rule.
SAP Process Control

6.3.1.5 Assigning a Business Rule to a Control
Definition
You can use business rules for compliance initiatives. You assign rules to controls for automated testing and
monitoring. You can also specify the testing frequency of a rule assigned to a control.
Use
Prerequisites
● A business rule has been created, rule status is active, and is in a valid period.
● A control has been created.
● (Optional) The Customizing activity Set Number of Business Rules Assigned to Each Control has been
completed. The activity is located at Governance, Risk, and Compliance Common Component Settings
Continuous Monitoring Set Number of Business Rules Assigned to Each Control . If the activity is not
completed, the default limit of the number of business rules assigned to each control is 10.
Procedure
1. In the Entity field, select Control.

2. Enter the date when the business rule assignment is valid. The default value is the first calendar day of the
current year. Select Apply.
 Caution
This value impacts all subsequent operations and business rule assignments. Business Rule
Assignment uses the valid period concept (like HR master data). For every business rule assigned to a
control, the assignment relationship period is the intersection of the valid period of the control, the
business rule, and this date value (taken as a Valid From value).
3. Search for the control to assign to the business rule. You can search by Organization, Process, Subprocess,
Control, or Business Rule.
In the Control Search Result table, controls are displayed with Control, Description, Organization, Process,
Subprocess, Test Automation, and Trigger. The system only lists sem-iautomated and automated controls
(manual controls cannot be used). One row is selected by default. Highlight a row to select a control. If
business rules are already assigned to this control, the rules will display in the Common Business Rules or
Regulation-Specific Business Rules tabs.
 Note
The Control's Trigger field is required. The value of this attribute field determines which business rules
can be assigned to the control:
○ If the Trigger value is Date, only nonevent based business rules can be assigned to it.
○ If the Trigger value is Event, only business rules with a subscenario of Event can be assigned to it.
4. Add (or remove) a business rule's assignment to a control.
SAP Process Control

 Note
If the control has no regulation assigned, only common business rules can be added. The regulation-
specific business rule cannot be added to a cross-regulation control.
1. Assign a specific business rule to a the control.

○ For a control that has no regulation assigned, only the Common Business Rules tab displays.
Choose Add to select a business rule.
○ For a control that has been assigned to a regulation, two tabs display: Common Business Rules and
the Regulation-specific Business Rule tab. You can use the common business rule data or assign
regulation-specific business rules to the control. To assign a regulation-specific business rule,
choose the Regulation-specific Business Rule tab. Select the Maintain Regulation-specific Business
Rules button. The command buttons appear. Choose Add.
2. The window Select Business Rule displays. You can search by Business Rule name and/or by a search
term associated to the business rule. Highlight the desired business rule and select OK.
3. Choose Save to save all your changes to this control’s business rule assignment.
5. Maintain the frequency of the assigned business rule for date-based controls. This step does not apply to
event-based controls.
1. Select Modify.
2. On the Common Business Rules or Regulation-specific Business Rules tab, highlight to select a
business rule under a date-based control.
 Note
You can maintain separate schedules for monitoring and compliance purposes.
6. Choose Professional View to view the business rule assignment information. The Professional View provides
detailed business rule assignment information such as the assignment valid period for monitoring or
compliance separately.
6.3.1.6 Continuous Monitoring Scheduler Overview
Use
In Process Control, all continuous monitoring is set up through the scheduler. Job schedules can be established
for monitoring rules assigned to local controls, and can be immediate, for a fixed date and time, or recurring.
This page would be used by administrators creating continuous monitoring jobs, monitoring job status, tracing
any job execution problems, maintaining continuous monitoring job schedules, and so forth.
The Continuous Monitoring Scheduler tasks include these main steps.
1. Create query to find existing jobs using certain search criteria

2. Customize the Personal Object Worklist (POWL) result table
3. Create, cancel or open job functions.
 Example
You have assigned business rules to a control and want to create a job in the Continuous Monitoring
scheduler. Or, you have created some jobs in the Continuous Monitoring Scheduler and want to find them.
SAP Process Control

Prerequisites
You have the proper role assigned to the continuous monitoring job and job step.
Process
1. Create a query to find existing jobs using the following search criteria:
○ Timeframe/year: Every job has timeframe/year attributes. Indicate the correct timeframe/year to
search.
○ Max Rows: The maximum number of search results. The default value is 50.
2. Customize the result table. You can customize the results table by revealing the hidden columns through
the settings filter result table.
3. Create or open an existing job.
4. Cancel a job if you have the authorization and the following conditions apply:
○ If the job type is an Automated Monitoring Job, the following is true:
○ If the job Execution Type is Immediate or Date/Time: This job cannot be canceled unless its status
is New.
○ If the job Execution Type is Event Trigger, this job can be canceled regardless of its status.
○ If the job type is an Incoming Event Handling Job, the following is true:
○ If the job Execution Type is Single Mode, this job can be canceled regardless of its status.
○ If the job Execution Type is Batch Mode, the job can be canceled regardless of its status.
6.3.1.6.1 Scheduling Automated Monitoring and Incoming

Event Handling Jobs
Prerequisites
● A business rule has been created and assigned to a control. See Creating a Business Rule [page 431].
● A business rule has been assigned to a control. See Assigning a Business Rule to a Control [page 435].
Context
From the Rule Setup work center, select Automated Monitoring under the Scheduling section. You can schedule
the following types of monitoring jobs:
● Automated Monitoring Job

● Incoming Event Handling Job
SAP Process Control

● Standalone Job
For simplicity, scheduling Standalone Jobs is described separately in Scheduling Standalone Jobs [page 439]
Procedure
1. Enter the required information on the Create a Job initial screen.

2. Choose Create. The screen displays the Timeframe and Year values obtained from the Continuous
Monitoring Job screen.
3. Select the Job Type. Different job types have different subsequent steps. Choose a job type depending on
the scenario, as shown below:
○ Automated Monitoring Job — Used in non-event based scenarios.
○ Incoming Event Handling Job — Used in event-based scenarios. This is a business rule with the
subscenario of Event.
After you choose Continue, you cannot return to the Create a Job initial screen from the other steps.
 Note
One job consists of multiple job steps.
4. Enter the following header data.

○ Job Name: The maximum length of a job name is 32 characters. Special characters are not allowed.
○ Execution Type: Based on different job types, different job execution type values are allowed.
○ Automated Monitoring jobs allow the following execution types:
— Immediate: The job step is executed immediately when scheduled time is upcoming.
— Date/Time: The job step is executed according to the date or time chosen. This can occur before
or after the scheduled time
— Event Trigger: The job step is executed when an event that meets the conditions defined in the
business rule occur.
○ Incoming Event Handling jobs allow the following execution types:
— Single mode: The job step is executed whenever an event is received by the GRC system.
— Batch mode: The job step is executed with a certain frequency, such as every hour. All the
events during this interval are processed as a batch
○ Frequency: System configuration frequencies are described below:
— If Hourly is selected, the Hour Recurring From and Hour Recurring To fields indicate the interval of
one day. For example, if you want to run a job from 20:00 to 23:00 every day, you could set Hour
Recurring From as 20:00 and Hour Recurring To as 23:00
— There is no frequency for Event Trigger and Single Mode execution type jobs.
○ Test Period From and Test Period To: The execution period of the job.
— Default values come from the time interval defined by the timeframe/year values.
— Values cannot be changed when job execution type is Event Trigger or Single Mode.
— If a change is allowed, you can only narrow the timeframe (not extend it).
— The test period cannot exceed one week for the Hourly frequency.
— The test period cannot exceed a half-year for the Daily frequency
○ (Optional) Target Connector: Indicate specific target connector, on which every job step runs. Use this
option if you want to restrict the monitoring to the target connector.
— There is no target connector if the job type is Incoming Event Handling Job.
SAP Process Control

— There is no target connector for SOD and PI subscenarios.
5. On the Share Regulation screen, choose one regulation as the main regulation of this job. You can also
share the results with other regulations by setting the Monitoring Results Sharing option.
 Example
You can share your SOX data with your JSOX regulations.
6. On the Select controls screen, search for and select controls that have business rules assigned. You can
enter combinations of organization, process, subprocess, control, business rule to search controls and
reduce search time. If the control cannot be found, check the following points:
○ The regulation indicated in the Share Regulation step is applied as a default search criteria in this step.
○ Only automated or semi-automated controls are presented. Manual controls cannot be used with the
Continuous Monitoring Scheduler.
— For automated monitoring jobs, the system only displays controls whose trigger is Date.
— For automated monitoring jobs except SoD Integration and Process Integration subscenarios, you
must have authorization to the applied connectors defined in the business rule.
— For automated monitoring jobs with Configurable and Programmed subscenarios, if the control’s
corresponding organization has OLSPs maintained, the system only displays the connectors
maintained in these OLSPs.
— For Incoming Event Handling Jobs, the system displays only controls with an Event trigger.
○ If a target connector is selected in the previous header step, only this particular target connector is
shown.
○ You must assign business rules to the control under the regulation indicated in the previous Share
Regulation step. You must also set the Monitoring/Compliance indicator if applicable.
 Note
Pay attention to the Business Rule Assignment Valid Period, which can be seen by selecting the
Professional View in the Business Rule Assignment screen. The date of the Test Period selected in
the previous header step must be covered by the corresponding Business Rule Assignment Valid
Period.
7. Control Details — Review all the matched business rules and target connectors of every selected control. If
there is no problem, choose Save. For optimal performance, do not exceed 1500 generated job steps.
8. Confirmation — Choose Close to close the screen. On the Scheduler screen, the job you just created is
shown.
6.3.1.6.2 Scheduling Standalone Jobs
Prerequisites
● A business rule has been created. See Creating a Business Rule [page 431].
SAP Process Control

Context
From the Rule Setup work center, select Automated Monitoring under the Scheduling section. This opens
Continuous Monitoring Scheduler - All, and from here you can Create Job.
On the following screen, select Standalone Job as the Job Type and then Continue. This will take you to the
Continuous Monitoring Scheduler: Step 1 (Header) screen.
Be aware that after you click Continue, you cannot return to the initial screen from the later steps without
discarding the new job and beginning the process again.
Procedure
1. Enter the required information on the Step 1 (Header) screen, then click Next.
○ Job Name: The maximum length of a job name is 32 characters. Special characters are not allowed.
○ Execution Type:
○ Immediate: The job step is executed immediately at the scheduled time.
○ Date/Time The job step is executed according to the date or time chosen. This can occur before or
after the scheduled time.
○ Event Trigger: The job step is executed when an event that meets the conditions defined in the
business rule occur.
○ Frequency:
○ There is no Frequency for Event Trigger jobs.
○ Hourly has a maximum Test Period of one week. The Hour Recurring From and Hour Recurring To
fields define the period during which the job will be repeated every day. For example, if you want to
run a job from 20:00 to 23:00 every day, you set Hour Recurring From as 20:00 and Hour
Recurring To as 23:00
○ Test Period From and Test Period To:
○ Default values come from the time interval defined by the timeframe and year values.
○ Values cannot be changed when the job execution type is Event Trigger
○ If a change is allowed, you can only narrow the timeframe (not extend it).
○ The test period cannot exceed one week for the Hourly frequency.
○ The test period cannot exceed half a year for the Daily frequency
○ A Weekly test period must always begin on the first day of a week, and finish on the last day of a
week.
○ A Monthly test period must always begin on the first day of a month, and finish on the last day of a
month.
○ A Quarterly test period must always begin on the first day of a quarter, and finish on the last day of
a quarter.
○ (Optional) Target Connector:
○ Indicate specific target connector, on which every job step runs. Use this option if you want to
restrict the monitoring to the target connector.
○ There is no target connector for SOD and PI subscenarios.
2. Enter the required information on the Step 2 (Select Business Rules) screen.
SAP Process Control

○ Enter a parameter in the Name field and then Search. Select the appropriate business rule from the list
in the table, and click Next.
3. On the Step 3 (Confirm) screen, you can review the business rule and its parameters using the Check
Parameter Value function, and then Save the job.
○ The Deficiency Value tab in the Check Parameter Value function shows you any previously defined
parameters and the resulting deficiency values.
○ The Filter Value tab enables you to edit the value of any previously defined parameters.
If the job was Immediate, then after you Save the job and refresh the Continuous Monitoring Scheduler
screen, you will be able to view the results in the Job Monitor as you would with other job types.
6.3.1.6.3 Changing a Scheduled Continuous Monitoring

Job
Context
Procedure
1. Create a query to find existing jobs. Use the search criteria:

○ Timeframe/year: Every job has a timeframe and year attributes.
○ Maximum Rows: Search result number limitation, whose default is 50 rows.
 Note
You can customize the POWL results table by unhiding the hidden columns through Settings screen,
filter result table, and so on.
2. Jobs can be canceled if you have authorization and the following conditions are met:
○ If the Job type is an Automated Monitoring Job, then:
— If the Job Execution Type is Immediate or Date/Time, the job cannot be canceled unless its status is
New
— If the Job Execution Type is Event Trigger, this job can be canceled regardless of its status.
○ If the Job Type is an Incoming Event Handling Job, then:
— If the Job Execution Type is Single Mode, this job can be canceled regardless of its status
If the Job Execution Type is Batch Mode, this job can be canceled regardless of its status.
3. You can perform the following functions if you have the proper authorizations
○ Cancel Job Step — If the Job Execution Type is immediate or Date/Time and its status is New
○ Cancel All Job Steps — Call all the remaining New job steps for the job whose execution type is
Immediate or Date/Time
SAP Process Control

○ Reschedule Job Step — Only allowed if the status is Error. After rescheduling, a new job step is created
and the original job step status is set to Replaced.
○ Reschedule All Job Steps — All erroneous job steps can be rescheduled at once, rather than having to
reschedule each one individually.
○ Obsolete Job Step — Only allowed if the status is Error.
6.3.1.6.4 Viewing a Continuous Monitoring Job
Use
Viewing a Continuous Monitoring job involves these processes:
● View Job Header

● View Job Share Regulation
● View Job Step
Process
1. View Job Header — In the Scheduler main window, select one job and choose Open Job. The header tab is
displayed as the default.
2. View Job Share Regulation — In the job window, choose the Share Regulation tab to see if the results are
shared with more than one regulation.
3. View Job Step — in the job window, view the generated job step list for this job. You can select any job step
and choose the Job Step Log button to view its application log. You can conduct the following functions if
you have proper authorization:
○ Cancel Job Step — Job step can be canceled only when its job execution type is Immediate or Date/
Time and the status is New.
○ Cancel All Job Steps — Cancel all remaining New job steps for the job whose execution type is
Immediate or Date/Time.
○ Reschedule Job Step — The job step can be rescheduled only when its status is Error. After
rescheduling, a new job step is created and the original job step status is set to Replaced.
○ Reschedule All Job Steps — All erroneous job steps can be rescheduled at once, rather than having to
reschedule each one individually.
○ Obsolete Job Step — Job step can be set to obsolete only when the status is Error.
6.3.1.7 Queries Center
The Queries Center app allows you to execute ad hoc queries for the following, with specified filters or
deficiency criteria, without impacting on existing business rule or data source definitions:
● Business rules
SAP Process Control

● Data sources
● Tables
Activities
In the Business Rule or Table/View tabs, enter the required data to execute ad hoc queries.
When querying a business rule, in the Business Rule tab, the following apply:
● The Field Analysis section allows you to define what fields will display in the results, and what fields can be
added in the deficiency criteria.
● The Filter Criteria section allows you to select the fields whose values you want to filter from the business
rule and define the filter conditions.
 Note
The fields selected in Filter Criteria cannot be used in Deficiency Criteria.
● The Deficiency Criteria controls the criteria that determines if matching data is considered deficient.
● In the Ad Hoc Query Result section, enter a timeframe and a year.
● To select data from the data source with the defined filter criteria, choose the Data Collection button.
● To display results that meet the filter and deficiency criteria defined in the previous steps, choose the Apply
Rule button.
● To export the results to an Excel file, choose Export. You can also export the business rule itself by choosing
Export Business Rule.
When querying a data source, in the Table/View tab, the following apply:
● To change related tables, you can use the Related Table Lookup button after entering a base table.
6.3.2 Scheduling
The Scheduling section of the Rule Setup work center enables you to maintain schedules for continuous control
monitoring, and track job progress in the areas of monitoring and automated testing. This functionality
pertains to Process Control and Risk Management. It contains the following links:
● Automated Monitoring [page 443] — provides an overview of all scheduled jobs.

● Job Monitor [page 444]— allows you to view the execution status of automated testing jobs that were
scheduled using the Continuous Monitoring or the Legacy Automated Monitoring. It also displays whether
a scheduled job performed successfully and shows results of executed tests.
● Event Queue [page 447] — Events from external systems are placed in the event queue. The event queue is
used to monitor the status of events, and which job has processed which events.
6.3.2.1 Automated Monitoring

You use Automated Monitoring to maintain schedules for continuous control monitoring and to track
automated testing jobs. You create a recurring event (job) at a frequency to automatically test and monitor
SAP Process Control

controls for deficiencies. You then schedule a background job to execute the control with the associated rule
for the frequencies.
You can also choose to create a Standalone Job, and execute it immediately.
Related Information
Scheduling Automated Monitoring and Incoming Event Handling Jobs [page 437]
Scheduling Standalone Jobs [page 439]
6.3.2.2 Job Monitor
Use
The Job Monitor allows you to view the execution status of scheduled automated testing jobs. It displays
whether a scheduled job performed successfully and shows results of executed tests. Jobs could have been
scheduled using the following functionality:
● For Process Control or Risk Management Continuous Monitoring jobs, choose Rule Setup Scheduling
Automated Monitoring. .
● For Process Control or Risk Management Legacy Automated Monitoring jobs, choose Rule Setup
Legacy Automated Monitoring Monitoring Scheduler .
Prerequisites
Jobs must have been scheduled using the Scheduling Automated Monitoring and Incoming Event Handling
Jobs [page 437] or Legacy: Using the Monitoring Scheduler [page 473].
Features
● View execution status of scheduled automated testing jobs

● Search for jobs based on specified criteria (for example, time frame, job name, frequency)
● Filter results based on various fields (for example, deficiency type, organization, connector type)
● Drilldown on Review Results of executed jobs to view detailed results
SAP Process Control

Activities
● To search for executed jobs, perform the steps in Searching for Executed Jobs [page 445].
● To view results of executed jobs, perform the steps in Viewing Job Results [page 446].
6.3.2.2.1 Searching for Executed Jobs
Context
Jobs can be created and scheduled through the Continuous Monitoring functionality or the Legacy Automated
Monitoring.
● For Continuous Monitoring jobs, choose Rule Setup Scheduling Job Monitor. .
● For Legacy Automated Monitoring jobs, choose Rule Setup Legacy Automated Monitoring Job
Monitor. .
Procedure
1. The Job Monitor screen displays the criteria that you can use to search for executed jobs.
2. Select the desired year and period in the time frame fields, and choose Go. This limits your search to those
jobs that were executed during the specified time frame.
3. (Legacy only) Select the type of Regulation.
4. Enter the search criteria: job name, frequency, target connector, execution date from, execution date to (or
any combination) to narrow your search results.
5. Choose Search.
The Job Monitor screen displays all executed jobs that match your search criteria.
6. To export search results to a file, select Export. To convert results to a printable format, select Print Version.
7. To further customize the view of your search results, use the Filter and Settings located at the upper right
hand of the screen.
SAP Process Control

6.3.2.2.2 Viewing Job Results
Prerequisites
Perform the steps in Searching for Executed Jobs [page 445].
Context
Based on search results returned from Searching for Executed Jobs, you can view information about the results
of jobs. Jobs can be created and scheduled through the Continuous Monitoring functionality or the Legacy
Automated Monitoring.
Monitor. .
Procedure
1. Select View Result link to view the job result details. The Job Result screen displays the following
information:
○ Result: Header data specific to the job (for example: rule, number of exceptions, organization)
○ Details: Test result line item data showing exceptions
○ Attachment (if any): Report of actual test results.
2. Special displays:
○ Legacy Automated Monitoring
○ If the job is executed for rules other than ABAP reports or SAP standard or custom program from
Process Control, the results display in the grid below the job header information. There is one row
for each exception.
○ If the job is executed for a control which uses an SAP standard or custom program, the results are
linked. Select the report link to view the report.
○ Continuous Monitoring
○ If the job is executed for a control which uses ABAP reports, the results are linked. Select either
Open in HTML or Open in TEXT.
3. If there are no exceptions, the lower grid does not display. Only the header information with a deficiency
rating of Adequate displays. To export the exception list to a file, select Export. To convert results to a
printable format, select Print Version.
SAP Process Control

6.3.2.3 Event Queue
Events from external system are first placed in the event queue. The event queue is used to monitor the status
of events, and which job has processed which events.
6.3.3 Legacy Automated Monitoring

The Legacy Automated Monitoring section of the Rule Setup work center allows you to continue to use
monitoring that you set-up in Process Control 3.0. If you are performing the initial set up of Monitoring in
Process Control 12.0, access the Continuous Monitoring [page 425] functionality for more robust functionality.
You can then skip this section.
You can transform queries and SAP reports into Process Control scripts for rule definition and testing. You can
also set up automated tests for controls that have been assigned to organizations, including configuration of
rules, definition of criteria for application systems, and assignment of rules to controls.
 Caution
You need to activate the Business Configuration (BC) Set GRPC-AMF-MENUITEM-UPGRADE twice using
the Customizing activity Maintain Authorizations for Application Links under Governance, Risk and
Compliance General Settings Maintain Customer Specific Menus . This BC set enables you to continue
to use Automated Rules Framework (ARF) in Process Control 10.0.
The Legacy Automated Monitoring section contains the following links:
● Legacy: Creating Rule Criteria [page 455]

● Legacy: Rule Script [page 457]
● Legacy: Organizational Level System Parameters [page 463]
● Legacy: Selecting a Query to Execute [page 466]
● Legacy: Automated Test Rules [page 467]
● Legacy: Control Rule Assignment [page 473]
● Monitoring Scheduler [page 473]
● Job Monitor [page 444]
● Legacy: Event Monitoring Activation [page 483]
● Legacy: Event-based Control Monitor [page 483]
6.3.3.1 Legacy: Performing Automated Testing and

Monitoring
Use
You can automate the testing of control effectiveness and monitoring of controls in the ERP system.
All automated tests of effectiveness and monitoring of controls use automated test rules to determine the
exception data to extract from the ERP system. The following graphic illustrates that an automated test rule is
SAP Process Control

assigned to a control within Process Control to run a specific program within the target ERP system to test or
monitor data in the ERP system:
You can use automated test rules to do the following:
● Transaction data — Identify transactions based on specified thresholds or identify transactions that are
outside of the tolerance settings
● Configuration data — Monitor all or specific changes to configuration settings, identify specific values
within configuration settings, or perform blank checks.
● Master data — Monitor all or specific changes to master data, identify specific values of critical fields, or
perform blank checks.
Process Control records historical information in a change log to monitor changes to configuration settings and
master data over the entire timeframe of the control.
You can use automated test rules to fully or partially automate the testing of a control, as follows:
● Fully automated testing — The system determines the control rating and creates issues for remediation
processing, based on test results.
● Semi-automated testing — You manually review the test results and determine the control rating and the
issues for remediation.
SAP Process Control

Process
1. Create a rule
You must create a rule and select the rule script and criteria to define your testing or monitoring
parameters. You create and maintain the rules at the global compliance level: Rule Setup Legacy
Automated Monitoring Rule .
2. Assign rules to controls
You assign one or more automated test rules to the control that you want to test or monitor. You can also
specify one or more testing or monitoring frequencies for each control-rule assignment. You assign the
rules to the controls at the compliance initiative level: Rule Setup Legacy Automated Monitoring
Control Rule Assignment .
○ For more information, see Control Rule Assignment [page 473].
3. Schedule the monitor
○ You use the Monitoring Scheduler [page 473] to schedule a control monitoring job. This executes the
rules based upon the control-rule assignments. The monitoring schedule can be set to recur regularly
or to execute on a one-time basis.
The system executes the testing and monitoring activities as follows:
1. At the start date, the process control system automatically executes the test or monitoring activities and
passes the rule information to the program (RTA) in the ERP system.
2. The program executes based upon the control-rule assignment.
1. The rules identify exceptions in configuration data and transaction data based on the rule criteria for a
given period.
2. When the rule execution is complete, the program on the ERP system sends an exception report to the
process control application.
6.3.3.1.1 Legacy: Monitoring of Automated and Semi-

automated Controls
Use
Process Control facilitates the monitoring of data to ensure controls in your ERP system are operating
effectively, and to identify weaknesses or potential deficiencies on a timely basis. You can create the following
monitoring controls within Process Control to identify exceptions in your ERP system based on your deficiency
parameters:
● Configuration Controls – to identify potential unauthorized configuration settings or parameters in the ERP
system.
● Master Data Controls – to identify suspect master data in the ERP system.
● Transaction Data Controls – to identify unusual business transactions in the ERP system.
You can customize your automated monitoring controls to review data based on your filter parameters and test
period. You then schedule the automated monitoring controls at any frequency you choose based upon your
configuration.
SAP Process Control

Automated test rules can automate your monitoring procedures. These rules use a script and rule criteria to
identify control exceptions on data in the ERP system. For more information, see Legacy: Automated Test Rules
[page 467], and Legacy: Performing Automated and Semi-automated Tests of Effectiveness [page 452].
● If exceptions are found, the system automatically creates an issue when exceptions are Identified.
● If no exceptions are found, no results are returned but the activity is logged with Adequate deficiency rating
in the Job Monitor.
The following figure illustrates the steps in performing automated controls monitoring:
A monitoring control may be semi-automated based on its control design. However, if issues are found, there is
no difference in the workflow tasks between automated and semi-automated control monitoring. Shown below
is the test failure routing for automated and semi-automated control monitoring based upon delivered
business content.
Test Failure Routing for Automated and semi-automated Control Monitoring
Rule with Issue Deficiency Rating Automated: Issues Go to Semiautomated: Issues Go to
Rule with Deficiency (H/M/L) Control Owner Control Owner
Rule with Review Required Control Owner Control Owner
SAP Process Control

Prerequisites
For more information about the prerequisites to performing control monitoring, see Legacy: Performing
Automated and semi-automated Tests of Effectiveness [page 452].
Activities
● System execution of automated control monitoring

● Access tasks related to issues from automated control monitoring
● Perform tasks related to issues from automated control monitoring
● Create and perform remediation plans
 Note
If issues are identified for automated control monitoring, redoing the monitoring control for the same
period returns the same results. For this reason and to ensure that issues are identified on a timely basis,
some companies perform control monitoring on a more frequent basis than either manual testing or
automated testing of control effectiveness.
Procedure
System Execution of Automated Control Monitoring
1. Process Control performs automated control monitoring based on the job schedule you create in the
Monitoring Scheduler. The job schedule triggers execution of monitoring activities in the ERP system
based upon rules and parameters to determine which ERP data represents a monitoring exception. For
more information, see Legacy: Performing Automated and semi-automated Tests of Effectiveness [page
452]. For more information about rules and control-rule assignments, see Legacy: Automated Test Rules
[page 467], and Legacy: Control Rule Assignment [page 473]
2. The ERP system returns any monitoring exceptions to Process Control. The issues have a deficiency rating
of High, Medium, Low, or Review Required, depending on the rule settings. You define your tolerance
settings for deficiencies in the rule parameters associated with the rule.
3. If no exceptions are identified, the monitoring job schedule is completed and no workflow is required. The
job monitor reflects that the job has completed its execution with Adequate deficiency rating.
4. If exceptions are identified, this automatically creates an issue. The system routes the issue to the person
assigned the task to receive the issues. In the delivered business content (BC Set), this person has the role
Control Owner.
 Note
You have the option of assigning the task to another role, depending on your business requirements
and organizational structure.
Perform Tasks Related to Issues from Automated Control Monitoring
Perform steps in Legacy: Performing Automated and Semi-automated Test of Effectiveness [page 452]
SAP Process Control

6.3.3.1.2 Legacy: Performing Automated and Semi-
automated Tests of Effectiveness
Use
Process Control can facilitate automation of the effectiveness testing of controls that exist in your ERP system.
This increases testing efficiency and standardizes testing if several organizations have similar controls. You can
customize your automated tests based on filter parameters. You can also run the automated tests at any
frequency based upon your configuration. Automated test rules automate the test procedures. These rules use
a script and rule criteria to identify control exceptions on data in the ERP system. Automated test rules can
fully or partially automate your tests of effectiveness.
Test of Effectiveness
In a fully automated test of effectiveness, the system creates an issue when the system identifies exceptions
based upon your rule criteria. The following figure displays the process flow for an automated test of
effectiveness scenario:
1. The system performs the test of control effectiveness. If the test passes, the work flow is complete.
2. If the test fails, the system creates issues and routes them to the issue owner.
3. The issue owner reviews the issues for validity. If it is not a valid issue, the work flow is complete.
4. If it is a valid issue, the issue owner assigns a remediation plan owner and submits it.
The plan owner creates, executes, and completes the plan.
SAP Process Control

5. The issue owner reviews the remediation activities and closes the issue. The work flow is complete.
Semi-automated Test of Effectiveness
In a semi-automated test of effectiveness, the tester receives the test results, with any issues if the system has
identified exceptions. The tester must review and validate the exceptions. The tester can then void the issue or
assign the issue to an owner for processing.
Automated and semi-automated tests of effectiveness have differences in certain workflow tasks. Shown below
is the routing of tasks for automated and semi-automated tests of effectiveness.
Routing of Tasks for Automated and Semi-automated Tests of Effectiveness
Deficiency Rating of Issue Automated Issues Go to semi-automated: Tasks Go to
Rule with Deficiency (High/Medium/ Subprocess Owner Tester

Low)
Rule with Review Required
Role with No Deficiency N/A N/A
Prerequisites
Activities
● System execution of automated or semi-automated test of effectiveness

● Access tasks related to automated or semi-automated test of effectiveness
● Perform tasks related to automated or semi-automated test of effectiveness
● Create and perform remediation plans
 Note
Automatic retesting is not applicable to automated and semi-automated tests of effectiveness. This is
because if the test is rerun for the same period, it would return the same results based upon the ERP data.
For this reason, some companies perform automated testing on a more frequent basis than manual testing.
Procedure
System Execution of Automated or Semi-automated Test of Effectiveness
1. Process Control performs automated tests based on the plan you created in the Planner. The plan includes
information such as start and due date of testing, organization name, and control selection. When the plan
start date occurs, the test executes in the ERP system based on control-rule assignments. For more
information, see Planner [page 497] and Legacy: Control Rule Assignments [page 473].
2. The ERP system returns any test exceptions to Process Control. The exceptions have a deficiency rating of
High, Medium, Low, or Review Required depending on the rule settings and the data in your ERP system.
You define your tolerance settings for High, Medium, Low deficiencies within the rule parameters for
specific rule criteria.
SAP Process Control

3. If no exceptions are identified, the system performs the following depending on whether the test is fully or
○ Automated Test of Effectiveness — Testing of the plan is complete. The system assigns the test a
deficiency rating of Adequate.
○ Semi-automated Test of Effectiveness — The system assigns the test a deficiency rating of
Adequate.
 Note
For monitoring, no task is generated if no exceptions are found. For testing purposes, a task is
generated, even if no exceptions are found.
4. If exceptions are identified, the system performs the following depending on whether the test is fully or
○ Automated Test of Effectiveness — The system automatically creates an issue. The system routes
the issue to the person assigned the task Receive Issues from Automated Test of Control Effectiveness.
In the delivered business content (BC Set), this person has the role Subprocess Owner.
○ Semi-automated Test of Effectiveness — The system automatically creates an issue. The system
routes the test results to the person assigned the task Perform semi-automated Test of Effectiveness.
In the BC set, this person has the Process Tester role. The tester can void the issue or assign the issue
to an owner for processing.
 Note
You can assign this task to another role, depending on your business requirements.
Accessing Tasks Related to Automated or Semi-automated Test of Effectiveness
To access your tasks for compliance tests or control monitoring, choose a path from the following:
● My Home Work Inbox Work Inbox – lists all tasks and reports delivered to your Work Inbox.
● Evaluation Results My Tasks My Tasks – lists all your tasks.
● Evaluation Results Compliance My Tasks – lists just your compliance tasks.
Performing Tasks Related to Issues from Automated/Semi-automated Test of Effectiveness
1. To perform the task, select, and open the task.

2. To review exceptions identified by the system, select the Evaluation tab. Choose the Fail link under the
Results column to display details.
The following instructions apply to semi-automated test of effectiveness only:
○ To review and validate the exceptions, select the Issue tab. Enter issue owner and choose Submit. Issue
status changes to Ready.
○ To void the issue, select the Issue tab. Choose Void the Issue. Choose Submit. Issue status changes to
Canceled.
 Note
The overall rating of the test is based upon the issues. A test with no open issues has passed and
displays a green icon. A test with open issues (not voided) has failed and displays a red or yellow icon,
depending upon the priority of the issues. If at least one issue with high priority exists, the rating is red.
If no issues with high priority exist, the rating is yellow.
3. To perform tasks related to remediation, see Remediation of Open Issues [page 55].
SAP Process Control

6.3.3.2 Legacy: Creating Rule Criteria
Use
Automated test rules consist of rule scripts and rule criteria that filter and monitor exception data extracted
from the ERP systems.
Use Rule Criteria to specify the data type to be extracted for a given system type.
 Note
Rule criteria for Process Control 3.0 rules are maintained by the system. For more information, see Legacy:
Creating Automated Test Rules [page 468].
Process
1. Choose Rule Setup Legacy Automated Monitoring Rule Criteria

The Rule Criteria screen displays the following commands:
○ Create
Use this command to create new rule criteria.
○ Open
Use this command to open and edit existing rule criteria that are associated with a rule script.
○ Delete
Use this command to delete rule criteria that are associated with a rule script.
2. Select Create to define a new rule criterion.
3. On the General tab, enter the following information:
Rule Criteria Parameters
Attribute Explanation
Name (required) Name the rule criterion.
 Recommendation
It is useful to have a consistent naming convention.
Description (required) Enter the description or purpose of the rule criterion.
SAP Process Control

Attribute Explanation
Criteria Type (required) Choose from the following dropdown menu options:
○ Table Based
Use this type to refer to table-specific data. Enter the
table and field names on the Connector tab.
○ Data-type Based
Use this type to refer to specific values such as a nu
meric or string. You enter the specific value on the
Connector tab.
OLSP Select Yes if you plan to use the criterion as an OLSP.
 Note
The delivered scripts for SAP ERP systems work with
the following criteria as OLSPs:
○ Company Code
○ Plant Code
○ Purchase Organization
○ Sales Organization
4. On the Connector tab, enter the target connector based on the system type that you are using.
 Note
A connector refers to the interface between the backend system and the process control application.
The connector that you specify in the rule criteria and the rule script must match exactly to obtain the
desired results.
You can assign values in the target connector field for any of the following available systems:
○ SAP Access Control
○ Local System
○ Multiple Applications Query
○ Oracle
○ PeopleSoft
○ SAP System
 Note
If you want to extract data from all installed instances of your SAP systems, you must leave the target
connector blank.
If you only want to retrieve data from one SAP system, you must specify the target connector for
particular system that you want.
SAP Process Control

5. For each target connector that you select, depending on whether you chose Table Based or Data-based for
criteria type, assign values for the attributes as indicated in the table below:
Attribute Description
Table Name Enter the exact name of the table within the SAP backend
system from which you want to extract data.
Field Name Enter the exact name of the field within the SAP backend
system from which you want to extract data.
Field Description The system enters the description as default, based on

the description of the chosen field.
Data Type Select the data type, such as date or, numeric, that you
want to extract from the SAP backend system.
6. Choose Save.
6.3.3.3 Legacy: Rule Script
Use
The rule script is the key link between a rule, the ERP system, and the associated rule criteria. The rule script
maps to the program that executes in the ERP system when you run a rule to test or monitor a control. The rule
script uses the rule criteria to determine the data to be extracted from the ERP system.
SAP Process Control

The following figure illustrates this relationship:
Features
The rule script features enable you to do the following:
● Create new rules, called configurable rules, by browsing for a table, or a view in the backend system. Then
specify your deficiencies based on the fields in the backend tables or views.
● Specify the following analysis types for the configurable rules:
○ Change Check
This type of analysis monitors changes to configuration and master data by automatically
reconstructing change history from the change logs.
○ Value Check
This type of analysis monitors the value of specified objects.
● For the output report, choose the:
○ Fields
○ Sequence of the fields
● Create a new rule by browsing for an SAP Query and importing its definition. Use the definition to specify a
deficiency condition
● Create a new rule by browsing an SAP report.
SAP Process Control

● Create ABAP plug-ins in the SAP backend system by using a structured framework code.
The framework allows you to create input and output structures that define filter, deficiency, and output
report columns based on the business requirement. Once you develop the structures, you can create a new
control by browsing for this program from the backend system. These controls are called programmed
controls and they can be further divided based on the type of analysis that the program performs.
● Restrict the output report to authorized users.
● Create and edit rule scripts and rules in a uniform and structured way within the process control
application.
● Integrate with external programs such as SAP Business Warehouse (BW) solutions, SAP Access Control, or
plug-ins.
A rule script can employ one of the following data extraction vehicles:
● A table or a database view

● An ABAP program
● SAP standard reports
● Custom scripts
● An SAP query
● An SAP Access Control report
The rule scripts for the Process Control 3.0 delivered rules are maintained by the system. You only create rule
scripts if you choose to create custom rules.
More Information
Creating rule scripts [page 459]
Rule script types [page 460]
SAP Note 1329589 — Automated Rules Framework
6.3.3.3.1 Legacy: Creating Rule Scripts
Context
The rule scripts for the Process Control 3.0 delivered rules are maintained by the system. You only create rule
scripts if you create custom Process Control 3.0 rules.
SAP Process Control

Procedure
1. Select Rule Setup Legacy Automated Monitoring Rule Script . The Rule Script screen appears.
2. Do the following to create or copy a rule script:
○ To create a rule script, select Create.
○ To copy an existing rule script, choose a rule script and select Copy.
3. On the General tab, complete all required fields.
 Note
Process Control enables you to create rule scripts to work with different target ERP systems. When you
choose a Script Type, the user interface dynamically displays the appropriate fields and tabs for each.
For example, the GRC Configurable script type displays the Table Lookup button, whereas the Query
script type displays the Query Lookup button.
For more information, see Rule Script Types [page 460].
4. Configure the script criteria:

1. Select the Script Criteria tab.
2. Choose the data fields and select the data type, filter or deficiency, output indicator, and output
sequence.
3. Choose Save.
 Note
The Script Criteria tab is not available for SAP Standard Report and Custom (report) script types.
For more information, see Rule Script Types [page 460].
5. Configure the target connector:

1. Select the Target Connector tab.
2. Select Add and choose from the available connectors.
3. Select OK and Save.
Next Steps
● Creating rule criteria [page 455]

● Rule script types [page 460]
6.3.3.3.2 Legacy: Rule Script Types
You can use the following script types with automated test rules:
● GRC Configurable
SAP Process Control

This script type is a template–based query that can be run against backend tables or database views. You
choose a system, a target connector, and browse a view or a table in the ERP backend system and design a
rule using the available fields.
● GRC Programmed
This script type allows you to incorporate ABAP programs into the automated test rules. This can be an
ABAP script that SAP delivers with Process Control or scripts for other backend systems provided by a
partner organization.
● GRC 2.5
This script type runs programmed control rules implemented for SAP GRC Process Control 2.5. You cannot
create new Process Control 2.5 scripts. However, you can use Process Control 2.5 scripts that are already
in use due to an upgrade.
● SAP Standard Report
This script type works with a rule that calls a standard SAP report.
● Custom (report)
This script type works with a rule that uses a custom-developed report such as for third party applications.
● Query
This script type works with a rule that calls a query in the SAP backend system. The rule can query multiple
tables to retrieve exception information.
● Segregation of Duties (SoD)
This script type works with a rule that pulls the SoD analysis results from the SAP Access Control
application (if available).
● Event-based
This script type works with a rule that receives violations based on the occurrence of events such as
network alerts.
● Financial Performance Management
SAP Process Control provides out-of-the-box integration with the BusinessObjects Financial Performance
Management application. The monitoring tests available from this integration have a specific script type.
● Business Warehouse
SAP Process Control integrates with SAP BusinessObjects Business Warehouse (BW). This script type
allows you to bind a script from a BW query and define a rule to leverage the results of any analysis done in
BW.
For more information about script types and configuring rules, see SAP Note 1329589 - Automated Rules
Framework.
Available Fields and Tabs
When you choose a Script Type, The user interface dynamically displays the available fields and tabs for each.
Available Attributes and Functions
The following table lists the available attributes and functions for each script type:
Script Type System Type Script Category Analysis Look up
GRC Configurable SAP Change Log Check Changes, Monitor, Table, view (database
Number of changes or projection)
SAP Process Control

Script Type System Type Script Category Analysis Look up
Value Check Monitor value
GRC Programmed SAP Configuration control Changes, Monitor, ABAP program

Number of changes
Oracle Master data control Changes, Monitor,

Number of changes
PeopleSoft Transaction reporting Absolute, Percentage,

Absolute & Percentage
GRC 2.5 SAP (Read-only – can Configuration control Changes, Monitor, ABAP program
not create a new Rule Number of changes,
Greenlight RTA pro
Script with SAP Sys Existence
gram
tem Type)
Oracle Master data control Changes, Monitor,

Number of changes,
Existence
PeopleSoft Transaction reporting Absolute, Percentage,

Absolute & Percentage
SAP Standard Report SAP Others n/a SAP Standard Reports

Scripts with Variants
Custom (report) SAP, Oracle, People Others n/a Customer or partner

Soft developed scripts
Query SAP Others Filter, Monitor Value SAP Query
Multiple Application Others Filter Multiple Application

Query Query
Segregation of Duties Compliance Calibrator Others Compliance Calibrator

n/a
Report
Event Based Local System Others Event based applica

n/a
tions
Financial Performance Business Financial Others BFC system

n/a
Management Consolidation
Business Warehouse BW Analytical Queries Others n/a n/a
For more information about script types and configuring rules, see SAP Note 1329589 - Automated Rules
Framework.
Available Tabs
SAP Process Control

The following table lists the available tabs for each script type:
Script Type Script Criteria Target Connector
GRC Configurable x x
GRC Programmed x x
GRC 2.5 x n/a
SAP Standard Report n/a n/a
Custom (report) n/a n/a
Query x x
Segregation of Duties x n/a
Event Based x n/a
Financial Performance Man

x n/a
agement
Business Warehouse x x
6.3.3.4 Organizational Level System Parameters (OLSPs)
Use
You use OLSPs to assign systems and system-specific organization parameters at the global level, rather than
at the rule level. This facilitates the assignment of rule criteria when common systems or system parameters
must be assigned to several rules.
Features
OLSPs enable individual organizations to run tests using a common set of rules but with their own organization-
specific systems and values.
Example
If you want to extract test data from the SAP backend system for company code US01:
● You define an organization USA in Process Control. The USA organization is responsible for company code
US01 in the SAP backend system PRD.
SAP Process Control

● You have 12 rules that extract data for company US01.
Instead of defining the system value as PRD and the company code value as US01 in the rule criteria for all 12
rules, you can assign the system and criteria value at the OLSP level. Then you assign the OLSP to the
organization USA. When you execute the rule, it captures the OLSP value for the company code in the rule
criteria.
 Note
OLSPs can only be used for rules of type GRC Configurable, GRC Programmed, and GRC 2.5 (only
applicable to Legacy Automated Monitoring rules).
For SAP Business Suite, the following rule criteria are valid OLSPs:
Rule Criteria SAP Table SAP Field
PURCHASE_ORG T024E EKORG
SALES_ORGANIZATION VBAK VKORG
PLANT T001W WERKS
COMPANY CODE T001 BUKRS
6.3.3.4.1 Creating and Editing Organizational Level System

Parameters
Context
Use the procedure below to create, edit, and delete Organizational Level System Parameters (OLSPs).
Procedure
1. Choose Rule Setup Legacy Automated Monitoring Organizational Level System Parameters .
The Organizational Level System Parameters screen displays.

2. Choose one of the following actions:
○ Create
Use this action to create a new OLSP.
○ Open
Use this action to view or edit an existing OLSP.
SAP Process Control

○ Delete
Use this action to delete an OLSP.
 Caution
You cannot delete an OLSP that is assigned to an organization.
3. To create or edit an OLSP, select the General tab. Enter or edit the following information:
OLSP Parameters
Parameters Instructions
Name (required) Give a name to the OLSP if you are creating a new one. If
you are in edit mode, you cannot change this field.
Description (required) Enter or edit the description or purpose of the OLSP.
4. Select the System Parameters tab. Choose Add to specify the connector or system parameter that you
want to assign. Select one of the following commands:
Command Instruction
Add Connectors If you select this option, the system displays a list of available
connectors, the related system type, and description.
Highlight one or more connectors, then choose OK when your selection

is complete.
Add System Parameters If you select this option, you can add system parameters under a se
lected connector.
○ Highlight the connector to which you want to add system parame

ters. Add rule criteria by selecting from any of the OLSP values
such as company code or purchasing organization.
○ Use the following operators in connection with setting low/high val
ues to filter the data to be extracted:
○ Between
Use this operator to define a range of values.
○ Exclude
Use this operator to exclude a value or a range of values.
○ Include
Use this operator to include one value or all values.
 Note
To ensure a rule criterion is available for OLSP, the rule criterion
must be marked with Yes for OLSP indicator. Each OLSP system pa
rameter can have multiple connectors with multiple rule criteria val
ues.
5. Select Save.
SAP Process Control

A message confirms that changes were saved.
6.3.3.5 Legacy: Selecting a Query to Execute
Use
You use Query to execute query programs that reside in target ERP systems. You can use the queries to
perform unplanned tests of non-SAP and SAP Query scripts.
Before setting up and running queries with Process Control, the query must already exist in the target ERP
system. For more information about creating a query in the target system, see your system administrator.
 Note
In the target SAP systems, we recommend that you create your queries using the user group type Standard
Area. You may also create a rule using a rule script with type Query to automate query execution. For more
information, see Rule Script Types [page 460].
Procedure
To execute or search for queries in target applications, perform the steps below.
1. Choose Rule Setup Legacy Automated Monitoring Query

The Find Queries screen displays.
2. Choose one or more of the fields in the table below to filter your data. The system supports wildcards (*).
Query Filters
Filter Description
Target Connector (required) Enter the target system where you want to search for a
query program. To search for the available connectors, se
lect the value help. Choose the desired connector and se
lect OK.
Query Name (optional) If you know the query name, enter it here.
User Group (optional) If you know the name of the user group in the target sys
tem, enter it here.
3. Select Go.
The Query screen displays all queries based on your search criteria and authorization.
 Note
The system only displays those queries on the target system that you are authorized to run.
SAP Process Control

4. Select the row of the query that you want to execute.
5. Choose Select Query to Execute.
The Query screen displays the query criteria.
6. Enter your query criteria, keeping in mind the rules below:
○ You can specify the maximum rows you want the system to return in the Max Rows parameter. This can
be useful to check the logic of your query and criteria.
○ Filter criteria can be optional or mandatory. This is defined in the query program.
○ The diamonds on the left of the criteria fields allow you to display Selection Options (operators to
refine your query).
○ The arrows on the right of the criteria field enable you to make multiple selections.
7. Choose Execute Query.
The Query screen displays your query results.
8. Choose Print Version to print the query results to a PDF file. To export the results to an Excel file, choose
Export.
6.3.3.6 Legacy: Automated Test Rules
Use
You use automated test rules to automate the testing and monitoring of controls in your backend system.
Using automated test rules, you can monitor your backend controls and data and identify transactions or
changes that are outside of prescribed tolerance settings. You can track changes to configuration settings and
monitor changes to master data. All tests of effectiveness and automated controls use automated test rules to
determine what exception data to extract from the backend system.
Activities
● Rule
Maintain and configure rules and rule criteria.
● Organizational Level System Parameters (OLSPs)
Maintain and configure OLSPs.
More Information
Creating Automated Test Rules [page 468]
Creating and Editing Rules [page 469]
Creating and Editing Organizational Level System Parameters [page 464]
SAP Process Control

6.3.3.6.1 Legacy: Creating Automated Test Rules
Use
An automated test rule is composed of a rule script and rule criteria. A user creates an automated test rule by
creating a rule script first and identifying the associated rule criteria. You create a rule by associating an
existing rule script to the rule.
Process Control 3.0 provides the following options for creating automated test rules:
● Use the delivered Process Control 3.0 rules.

● Create custom Process Control 3.0 rules.
Prerequisites
The prerequisites are dependent on the script type you choose. Some script types are defined within the
Process Control application and do not have prerequisites. Some script types, such as SAP Queries, SAP
Reports, and GRC Programmed, require you have installed the programs or Real Time Agents (RTA) on the
target ERP systems.
For more information, see SAP Note 1329589 - Automated Rules Framework .
Process
You create automated test rules in Rule Setup Legacy Automated Monitoring Rule . Depending on the
rule creation option you choose, different activities are required in the user interface. The following table
summarizes the rule creation options and the required activities in the user interface:
User Interface Element PC 3.0 Delivered Rules Custom PC 3.0 Rules PC 2.5 Rules
Rule Setup Legacy
Automated Monitoring X X X
Rule
Rule Setup Legacy
Automated Monitoring n/a X X
Rule Script
Rule Setup Legacy
Automated Monitoring n/a n/a X
Rule Criteria
PC 3.0 Delivered Rules
SAP Process Control

For the PC 3.0 delivered rules, the system provides the rule, rule script, and rule criteria. You can modify the
following:
● Rule name
● Validity dates
● Rule description
● Connector
● Values and tolerance limits for the rule criteria
For more information, see Creating and Editing Rules [page 469].
Custom PC 3.0 Rules
For the PC 3.0 custom rules, you must create the rule scripts and the rules. The rule criteria are provided by
the system. For more information, see:
● Rule Script [page 457]

● Creating Rule Scripts [page 459]
● Creating and Editing Rules [page 469]
PC 2.5 Rules
The functions to use existing PC 2.5 rules are provided for backward compatibility. Only users upgrading from
PC 2.5 and with existing PC 2.5 formatted rules can use this function. Users can create new PC 2.5 formatted
rules only for non-SAP systems. The activities required for creating a PC 2.5 formatted rules are unchanged
from the PC 2.5 release:
1. You create rule criteria in Rule Setup Legacy Automated Monitoring Rule Criteria . For more
information, see Creating Rule Criteria. [page 455]
2. You create a rule script and associate it with the rule criteria in Rule Setup Legacy Automated
Monitoring Rule Script . For more information, see Rule Script [page 457].
3. You create a rule and associate it with the rule script and rule criteria in Rule Setup Legacy Automated
Monitoring Rule . For more information, see Creating and Editing Rules [page 469].
6.3.3.6.2 Legacy: Creating and Editing Rules
Context
Process Control 3.0 provides the following options for creating automated test rules:
● Use the delivered Process Control 3.0 rules.

● Create custom Process Control 3.0 rules.
● Create Process Control 2.5 rules for non-SAP systems. (This is only available for environments upgraded
from Process Control 2.5 to Process Control 3.0).
Depending on the rule creation option you choose, different activities are required in the user interface.
SAP Process Control

Follow the steps below to:
● Create or edit a rule.

● Assign a script to a rule.
● Define appropriate rule criteria and associate it to the script.
Procedure
1. Choose Rule Setup Legacy Automated Monitoring Rule
The Rule screen displays.

2. Choose one of the following options:
○ Create
Use this option to create a new rule.
○ Open
Use this option to view or edit an existing rule. You cannot change the rule if it is assigned to a control.
○ Delete
Use this option to delete a rule. You cannot delete the rule if it is assigned to a control.
○ Copy
Use this option to copy an existing rule and change it.
 Note
For the PC 3.0 delivered rules, the system provides the rule, rule script, and rule criteria. You change
the following as needed:
○ Rule name
○ Validity dates
○ Rule description
○ Connector
○ Values and tolerance limits for the rule criteria
3. On the General tab, enter or edit the parameters as shown in the table below:
General tab
Name (required) Name the rule.
Description (required) Enter the description or purpose of the rule.
SAP Process Control

Script (required) Select the script that you want to assign to the rule. You
can directly enter the script name or search for the script.
1. To view the list of available scripts, select the icon on

the right. A script search screen opens.
2. If you want to see a complete list of all scripts choose
Search.
3. If you prefer to filter your search, enter parameters
for one or more of the following: script name, system
type, script category, target connector, and script type
4. Choose Start Search.
5. Highlight the desired script and select OK.
Script Description, Script Type, Script Category The system automatically populates these fields based on
the script that you select.
Connector Choice, Single Connector Value(optional) You can choose to have the rule use all the associated con
nectors or a specific connector.
Valid From (required) Enter the start date for the validity period of the rule.
Valid To (required) Enter the end date for the validity period of the rule.
 Note
The Valid To date must be later than the Valid From
date.
Rule Group (optional) You can choose a rule group for filtering and reporting.
Select a rule group and choose OK.
 Note
You create rule groups in the Process Control Custom
izing activities.
Rule Status (required) Select the rule status from the dropdown menu. You can
select one of the following options:
○ Released - The rule may be assigned to a control.

○ Work in Progress - The rule is unfinished.
○ Inactive - The rule is no longer in use.
 Note
A rule must be Released before you can assign it to a
control.
SAP Process Control

4. On the Rule Criteria tab, select the desired criteria after choosing one of the following actions:
Rule Criteria Actions
Action Instructions
Add Add new criteria to the rule.
Remove Delete the rule criterion from an existing rule.
Set Deficiency Select Low, Medium, High, or Review Required as the defi-
ciency indicator of exceptions identified based on the rule
criteria.
 Note
You cannot assign rule criteria to a rule that has a script type of SAP Standard Report or Custom.
5. The Operator table is below the Rule Criteria table. You can use this table to filter extracted data based on
the rule script and rule criteria. Choose from the any of the filter commands listed in the table below:
Operator Values Definitions
Include Use this operator if you want the test results to include
only values specified in the Value From /Value To range.
Exclude Use this operator if you want the test results to exclude
values specified in the Value From /Value To range.
In Between Use this operator if you want the test results to include
only data between the range specified in the Value From
and Value To fields.
Less Than Use this operator if you want the test results to include
only data less than the range specified in the Value From
and Value To fields.
Less Than or Equal To Use this operator if you want the test results to include
only data less than or equal to the range specified in the
Value From and Value To fields.
Greater Than Use this operator if you want the test results to include
only data greater than the range specified in the Value
From and Value To fields.
Greater Than or Equal To Use this operator if you want the test results to include
only data greater than or equal to the range specified in
the Value From and Value To fields.
6. In the Attachments and Links tab, you can attach a file or a link to the rule.
7. Select Save to save the rule settings.
SAP Process Control

The system displays a message to confirm that all data is successfully saved.
6.3.3.7 Legacy: Control Rule Assignment
Definition
Control Rule Assignment is done for specific initiatives. You assign rules to controls for automated testing and
monitoring. Rules can be assigned to controls that have a test automation of either Automated or Semi-
automated.
You can specify the testing frequency of a rule that has been assigned to a control. Set up the time intervals
initially through the Customizing activities. You can assign multiple testing frequencies to a rule. You can
choose any combination of annually, semiannually, quarterly, monthly, weekly or any.
Rule frequency can be specified for the two types of control testing:
● Compliance – to test effectiveness of control for the purpose of reporting to your internal or external
auditors.
● Monitoring – to monitor continuous operating effectiveness of control. A control can be assigned multiple
rules that may have different testing frequencies.
 Example
A rule can have quarterly and monthly frequencies for compliance tests, and a weekly frequency for
monitoring activities.
Use
Prerequisites
Rules must be created and defined before performing the control rule assignment. For more information, see
Creating Automated Test Rules [page 468].
6.3.3.8 Legacy: Using the Monitoring Scheduler
Use
The Monitoring Scheduler allows you to schedule jobs to monitor your controls. You schedule a job to execute
based upon the control-rule assignments that are defined to monitor business transactions and configuration
settings in target back end systems. These scheduled jobs run automatically based on the frequency, test
period, and timeframe that you specify.
SAP Process Control

Prerequisites
Rules must be assigned to controls. For more information, see Control Rule Assignment. [page 473]
Features
You can use the monitoring scheduler to do the following:
● Schedule jobs to monitor and test controls with assigned rules

● Create job schedules for multiple frequencies for one control-rule assignment
● Monitor job logs, details, and status
Activities
● To create a new job schedule to monitor controls, see Creating a Monitoring Schedule. [page 476]
● To view details about a scheduled job or to cancel scheduled jobs, see Viewing and Canceling Schedules or
Jobs. [page 478]
 Example
You have a control in your financial process that prohibits journal entries in excess of $100,000 for prior
periods for company code 0475 for a target back end system.
You can create a monitoring schedule containing a job (control and the assigned rule) that checks journal
entries each month for the entire year (January to December) for company code 0475. The Monitoring
Scheduler runs the job 12 times (once a month) and reports any exceptions (journal entries in excess of
$100,000 in a prior period).
Alternatively, you may set the frequency to daily during the quarter-end months (for example, March, June,
September, December). For those four months, you can create another job within the same schedule to run
the monitoring test on a daily basis.
More Information
Using the Scheduler with Connectors [page 475]
SAP Process Control

6.3.3.8.1 Legacy: Using the Scheduler with Connectors
Use
After performing the Control Rule Assignment of the created Configurable Rule, you can schedule it to do the
monitoring. In the Scheduler, you can use the Target Connector to filter the control-rule assignments by
system. The connectors are specified in the following places.
● In the Rule Script – This is the list of all the possible connectors that this control can run.
● In the Rule – The assigned user chooses either all the connectors defined in the underlying Rule Script or
one of the Rule Script’s connectors. If you choose only one of the connectors, this restricts the control to
that connector.
● In the OLSP – This has a list of connectors together with the parameters for each connector.
Activities
Determining the Connector Used
The following list explains the process the system uses to determine the connector to use:
● The scheduler requires pairing the Control Rule Assignment with the OLSP sets of the associated
organization.
● Process Control must bring together the connectors allowed by the underlying rule and the connectors
specified for the OLSP.
● The scheduler allows the scheduling of jobs only for those connectors allowed by both the rule and the
associated OLSP.
● If the OLSP does not have any connectors, the scheduler allows the scheduling of a job for any connector
that the rule allows.
● If both the OLSP and the rule specify a connector, the system uses any connector valid for both.
● If there is no connector in the OLSP, the system uses the connector defined by the rule or rule script.
● If a rule does not have any connector, the system uses any connector that is valid for both the rule script
and the OLSP.
 Example
The following table lists examples of the various combinations:
Rule Script Connectors Rule Connectors OLSP Connectors Scheduler Uses This Con
nector:
A, B, C, D A B, C, D None
A, B, C, D D None D
A, B, C, D D D D
A, B, C, D Any B, C B, C
SAP Process Control

Rule Script Connectors Rule Connectors OLSP Connectors Scheduler Uses This Con
nector:
A, B, C, D Any E, F, G None
A, B, C, D Any None A, B, C, D
A A A, B, C, D A
6.3.3.8.2 Legacy: Creating a Monitoring Schedule
Follow the steps to create a monitoring schedule:
1. Choose Rule Setup Legacy Automated Monitoring Monitoring Scheduler. . The Monitoring
Scheduler screen displays current job schedules based on the displayed timeframe.
2. Select the year and period in the timeframe fields and choose Go if you have changed them. This provides
the default Test Period From and Test Period To dates for the job schedule you create.
3. Select the correct Regulation that this job pertains to.
4. Choose Create Schedule to design a new schedule. The Create Schedule screen displays the fields where
you enter the following information:
Create Schedule details
Field Description
Job Name - required Give a name to your schedule. Use a naming convention
so you can select and filter your job schedules easily using
wildcards.
Regulation - required Choose the correct regulation.
Frequency - required Specify the intervals you want the schedule to run within
the test period. Your frequency choices were set up during
initial configuration.
Test Period From - required Enter the beginning of the period of the transaction data
that you want to monitor.
The Test Period From date must be within the timeframe

displayed in bold in the upper left corner of the screen. If
you want a date within a different timeframe, you must
exit Create Schedule, reset the timeframe as needed, and
begin Create Schedule again.
SAP Process Control

Field Description
Test Period To - required Enter the last date of the monitoring period of the transac
tion data.
The Test Period To date must be within the timeframe dis

played in bold in the upper left hand corner of the screen.
If you want a date within a different timeframe, you must
exit Create Schedule, reset the timeframe as needed, and
begin Create Schedule again.
Start Job - required This refers to when the schedule starts executing.
Select from the options in the dropdown menu:
○ Immediate – Schedule starts as soon as you finish

creating the job schedule.
○ Date/Time – Schedule starts on a specific date and
time. If you select this option, the Start Time and
Execution Date fields display:
○ Start Time – Enter hour, minute, and second of
day to execute (00:00:00).
○ Execution Date – Enter the number of days be
fore the last day of the test period and select
Before or After. This will schedule to start the job
(no. of days) (before or after) the last day of the
test period.
For example, if you want a job to start 3 days be
fore the end of the quarter, enter 3 in the
Execution Date field and select the Before radio
button. For a quarter ending on March 31, this re
sults in the job executing on March 28th. If you
selected After, the job executes on April 3rd.
 Note
If you enter a combination that produces a
date in the past, the execution start date de
faults to Immediate.
○ Event based – This applies only to the controls that

are event-based.
Target Connector This filters control-rule assignments by system.
Choose the value help and select the desired connector

based on a specific system. If you leave the target connec
tor blank, the application determines the systems to test
the control and rule based on the setup of the OLSP, rule,
and control-rule assignment.
Comment This space is a free-form field.
SAP Process Control

5. After entering the information, choose Add to select the control-rule assignments to add to the schedule.
The Control Search screen displays filter options to facilitate your search of controls. You can filter by
organization, process, subprocess, control and rule, or a combination of these parameters.
To enter additional search criteria, choose the Expand Tray icon across from Advanced Search. If desired,
enter additional search parameters for System Type, Script Type, Script Category, and/or Rule Group. This
refines your search results and results in faster searches.
 Note
Use the asterisk symbol (*) as a wildcard for your searches.
6. Choose Search. All the control-rule assignments matching your search parameters display on the upper
grid.
If you do not specify any search criteria, all control-rule assignments for all valid organizations (based on
your specified timeframe) display.
7. Highlight and select the control-rule assignments you want to add.
 Note
Hold down the CTRL key to select multiple control-rule assignments. Hold down the SHIFT key to
select consecutive rows.
8. To add the selected controls to the selected grid (lower grid on the screen), use the single or double down
arrows (located in the middle of the screen between the upper and lower grid). Four arrows are presented,
each with a different functionality – add, add all, remove, remove all (rolling over the arrows with your
cursor displays the functionality of each). Conversely, to remove control-rule assignments from the job,
select the single or double up arrows. This shifts the control-rule assignments from the lower grid to the
upper grid.
9. Once you have moved the control-rule assignments into the lower grid, select Add in the lower right hand
corner of the screen (scroll down if you cannot see it). This brings you back to the Create Schedule screen.
If the automated test rules are related to SAP Reports or Custom Reports from SAP, you can select a
variant to use when executing the report. The variants are defined in the SAP ERP system.
10. Select Schedule to complete the Job Schedule creation.
6.3.3.8.3 Legacy: Viewing and Canceling Schedules or Jobs
Context
The Monitoring Scheduler allows you to view and cancel scheduled jobs. It allows you to search for a scheduled
job based on a timeframe and/or based on filter criteria. You can use the filter and settings options to
customize your view of the results of your search.
 Note
Automated tests that are scheduled by the Planner for compliance are also listed in the Monitoring
Scheduler list.
SAP Process Control

You can cancel a schedule or job only if the status is Scheduled. You cannot cancel schedules or jobs that
have already started (status In Progress) or have already executed (status Complete)
Procedure
1. Choose Rule Setup Legacy Automated Monitoring Monitoring Scheduler.
The Monitoring Scheduler screen displays schedules based on the timeframe displayed. It also presents
information about the schedules including the status.
2. To export the list of schedules for the selected timeframe to a file, choose Export.
3. To cancel a schedule, select a schedule and choose Cancel Job.
 Note
Schedules and jobs can only be canceled when they are in scheduled status. A schedule may have any
of the following statuses:
Schedule status
Status Description
Scheduled This has been scheduled. It executes in the target sys

tems as defined in the start job parameter.
Scheduling Conflict A duplicate schedule exists for event-based jobs (for the
same frequency and period). The most recent schedule
(that is similar to an existing schedule) has a status of
Scheduling Conflict and cannot execute.
Invalid Control The schedule has failed a validation test (for example,
an invalid control-rule assignment) in Process Control
and was not sent to the target system.
In Progress The schedule is in process of executing on the target

system.
Completed The schedule has executed successfully.
Canceled The schedule was canceled before it was sent to the tar
get system.
4. To view the log for a specific schedule, select a schedule to highlight and select it. Choose Show Log. The
screen displays the job header information and a job log list that shows all the control-rule assignments
that were executed in the schedule.
5. To print the job log list to a file, choose Print Version. To export the log to a file, choose Excel.
6. To cancel or reschedule jobs, select the job and choose one of the options:
○ Cancel - You can only cancel jobs if they are in a scheduled status.
SAP Process Control

○ Reschedule job - You can reschedule jobs that are in an invalid control status. After you have
determined the cause of the failure and corrected the problem, select the row containing the job and
select Reschedule Job. This places the job back on its original schedule.
7. To view a job status, choose any of the following commands:
○ Job Status – Select the job. Choose Job Status. The Job Status screen displays the routines
(programs) that the system executed to send the job request to the target system.
 Note
If a job has a status of Invalid control on the Monitoring Scheduler screen, you can use Job
Status to determine the reason the job did not execute.
○ Job Detail – Select the job. Choose Job Detail. The screen displays the job header information, the
number of deficiencies, and their ratings.
 Note
Job details are only available if your target is an SAP system.
6.3.3.9 Job Monitor
Use
The Job Monitor allows you to view the execution status of scheduled automated testing jobs. It displays
whether a scheduled job performed successfully and shows results of executed tests. Jobs could have been
scheduled using the following functionality:
● For Process Control or Risk Management Continuous Monitoring jobs, choose Rule Setup Scheduling
Automated Monitoring. .
● For Process Control or Risk Management Legacy Automated Monitoring jobs, choose Rule Setup
Legacy Automated Monitoring Monitoring Scheduler .
Prerequisites
Jobs must have been scheduled using the Scheduling Automated Monitoring and Incoming Event Handling
Jobs [page 437] or Legacy: Using the Monitoring Scheduler [page 473].
Features
● View execution status of scheduled automated testing jobs

● Search for jobs based on specified criteria (for example, time frame, job name, frequency)
SAP Process Control

● Filter results based on various fields (for example, deficiency type, organization, connector type)
● Drilldown on Review Results of executed jobs to view detailed results
Activities
● To search for executed jobs, perform the steps in Searching for Executed Jobs [page 445].
● To view results of executed jobs, perform the steps in Viewing Job Results [page 446].
6.3.3.9.1 Searching for Executed Jobs
Context
Jobs can be created and scheduled through the Continuous Monitoring functionality or the Legacy Automated
Monitoring.
Monitor. .
Procedure
1. The Job Monitor screen displays the criteria that you can use to search for executed jobs.
2. Select the desired year and period in the time frame fields, and choose Go. This limits your search to those
jobs that were executed during the specified time frame.
3. (Legacy only) Select the type of Regulation.
4. Enter the search criteria: job name, frequency, target connector, execution date from, execution date to (or
any combination) to narrow your search results.
5. Choose Search.
The Job Monitor screen displays all executed jobs that match your search criteria.
6. To export search results to a file, select Export. To convert results to a printable format, select Print Version.
7. To further customize the view of your search results, use the Filter and Settings located at the upper right
hand of the screen.
SAP Process Control

6.3.3.9.2 Viewing Job Results
Prerequisites
Perform the steps in Searching for Executed Jobs [page 445].
Context
Based on search results returned from Searching for Executed Jobs, you can view information about the results
of jobs. Jobs can be created and scheduled through the Continuous Monitoring functionality or the Legacy
Automated Monitoring.
Monitor. .
Procedure
1. Select View Result link to view the job result details. The Job Result screen displays the following
information:
○ Result: Header data specific to the job (for example: rule, number of exceptions, organization)
○ Details: Test result line item data showing exceptions
○ Attachment (if any): Report of actual test results.
2. Special displays:
○ Legacy Automated Monitoring
○ If the job is executed for rules other than ABAP reports or SAP standard or custom program from
Process Control, the results display in the grid below the job header information. There is one row
for each exception.
○ If the job is executed for a control which uses an SAP standard or custom program, the results are
linked. Select the report link to view the report.
○ Continuous Monitoring
○ If the job is executed for a control which uses ABAP reports, the results are linked. Select either
Open in HTML or Open in TEXT.
3. If there are no exceptions, the lower grid does not display. Only the header information with a deficiency
rating of Adequate displays. To export the exception list to a file, select Export. To convert results to a
printable format, select Print Version.
SAP Process Control

6.3.3.10 Legacy: Event-Based Control Monitoring
You use the following functions to activate, track, and review your event-driven controls:
● Event Monitoring Activation

You use this function to activate event-based controls. You must have authorization to access the Event
Monitoring Action. If you are using the delivered roles, assign the user the Automated Control Specialist
role.
● Event Monitor
The Event Monitor and the Job Monitor function in the same manner. You choose a time period and search
criteria to retrieve the list of event-driven controls. In the Issues column, you can retrieve the details of
issues that are identified for that control.
● Event Queue Log
You use the Event Queue Log to view the status and details for all event-based controls. You choose a time
period and search criteria to retrieve the list of event-driven controls. In the Issues column, you can retrieve
the details of issues that are identified for that control.
6.3.3.10.1 Legacy: Event-Driven Controls
Use
Controls or monitoring rules that respond to messages that external systems send to Process Control are
called event-driven controls. Such controls are scheduled and run in Process Control. They execute a query
against a back end system to gather data. The external system decides when an event is significant enough to
send to the application.
 Example
The external system could be a network management tool that monitors network traffic, watching for
intrusions, system failures, and so on. The process uses a Web service interface that you enable in SAP
NetWeaver, to communicate from the external system to Process Control.
Integration
1. You configure the schema for the event in the Customizing activities for Process Control.
2. You define a rule to work with that event. These are event-driven rules. The name of the rule must be
exactly the same as the name of the event.
3. Based on the number of events, you specify the criteria that the rules use to create issues.
4. Associate your event-driven rule with a control. This combination is an event listener. It is ready to receive
and process events as defined.
5. Decide if the event listener is active or inactive. You set this parameter on the Event Monitoring Activation
screen.
When Process Control judges a received event to be significant, the system creates an issue, and a workflow
message to notify the appropriate user that an issue has been created.
SAP Process Control

 Note
● The external system notifies Process Control when the defined event occurs. Job scheduler does not
schedule event-driven controls.
● Process Control uses the Event Monitor to track and monitor events. For more information, see Event-
Based Control Monitoring [page 483]
6.3.4 Reports (Rule Setup)
The Reports section of the Rule Setup work center contains the following reports:
Report Description
Data Source Business Rule Assignment This report lists all data sources that can be used for busi
ness rules and indicates the business rules that use a partic
ular data source. You can use this report to understand the
data being analyzed by a particular rule, by drilling-down into
the data source details for table and field information.
Control Monitoring History with Ratings This report provides visibility into the automated control and
transaction monitoring results by regulation, by organiza
tion, by process and by control. You can use this report to fa
cilitate root-cause identification of the automated monitor
ing issues by drilling-down into the specific details of the is
sues.
Monitoring Issue Status This report provides visibility into the status of automated
monitoring issues by regulation, by organization, by process
and by control. You can review this report to determine
which critical monitoring issues remain open and do not
have any assigned remediation plans. You can drilldown into
the automated monitoring issue details.
Monitoring Remediation Status This report provides visibility into the status of remediation
plans for automated monitoring issues. You can use this re
port to determine which critical monitoring issues do not
have any remediation plans or have remediation plans that
are still open. You can drilldown into the remediation plan de
tails.
Automated Control Rule Assignment This report shows the assignment between the control and
the rule from the Legacy Automated Monitoring work center.
Automated Control Rule and Rule Criteria This report shows the assignment between rule criteria and
rule from the Legacy Automated Monitoring work center.
SAP Process Control

Report Description
Automated Control Business Rule Assignment This report shows the assignment between control and busi
ness rule from the Continuous Monitoring work center.
6.4 Assessments
Use
The Assessments work center is shared by the Access Control, Process Control, and Risk Management
products in the GRC Application. The menu groups and quick links available on the screen are determined by
the applications you have licensed. The content in this topic covers the functions specific to Process Control.
The Process Control Assessments work center contains the following sections:
● Surveys [page 485]

● Manual Test Plans [page 494]
● Assessment Planning [page 495]
● Reports (Assessments) [page 501]
6.4.1 Surveys
Use
A survey is a structured list of questions. Within GRC, surveys are used to obtain information about the
existence and evaluation of risks (RM) or the design or operational adequacy of controls (PC). Surveys are
used to carry out assessments of objects such as risks, activities, or policies, for example. These assessments
are defined via plans in the Planner [page 496].
Surveys are created and maintained in the Survey Library [page 487] and sent via the workflow (which can be
routed to an inbox and/or e-mail).
● Process Control Planner [page 497]
Prerequisites
● To send e-mails with interactive PDF survey data, complete the Customizing activity Maintain Inbound E-
Mail Settings for Survey under Governance, Risk, and Compliance General Settings Workflow .
● Users who receive survey PDFs by e-mail must have stored their e-mail address in the GRC back-end
system (SU01) under System User Profile Own Data (Address Tab) .
SAP Process Control

● If you are creating a survey for a collaborative assessment, the role Contributor to Collaborative
Assessment must be maintained for the user in the Roles tab of the risk or risks involved.
● For risk assessment surveys, complete the Customizing activity Implement New Survey Valuation under
Governance, Risk, and Compliance Common Component Settings Surveys .
● The e-mail addresses of all users to whom the system sends a survey must be maintained.
● The role assignments must be maintained:
○ Business users who receive survey responses and post responses in the system need the roles
SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.
○ The SAPCONNECT user configures the e-mail notification settings in the back-end system, so the roles
SAP_GRC_FN_BASE and SAP_GRC_FN_ALL are required.
For more information, see the SAP Process Control 12.0 on the product page for SAP Process Control at
https://help.sap.com/viewer/p/SAP_PROCESS_CONTROL .
● For workflow functions, maintain the Customizing activities under Governance, Risk, and Compliance
General Settings Workflow .
● If you want to be able to change the subject or body of the survey e-mail, then you must also make entries
in the Workflow Customizing activity Maintain Custom Notification Messages.
More Information
● Creating Surveys [page 488]

● Creating Questions for Surveys [page 489]
● Survey Library [page 487]
● Question Library [page 486]
6.4.1.1 Question Library
Definition
The Question Library lists the user-defined questions that you can use within your surveys. Each question
comprises the following information:
● Category: The category of the question.

● Question: The text of the question.
● Active: Specifies whether the question is active or inactive. Only active questions are available for use in
surveys.
● Answer Type: The type of answer (yes/no/NA, rating, and so on) expected from the person taking the
survey.
● Created By
● Created On
SAP Process Control

Use
Using the Question Library, you can do the following:
● Create new questions. You can create a new question, or copy and change an existing question.
● Open questions for editing. You can only edit questions that are not being used in a survey.
● Delete questions. You can only delete questions that have not been assigned to any survey.
● Upload questions from a file stored on your local machine.
You can use the questions defined in the Question Library with the surveys listed in the Survey Library.
More Information
Creating Questions for Surveys [page 489]
Surveys [page 485]
Survey Library [page 487]
Creating Surveys [page 488]
6.4.1.2 Survey Library
Definition
The Survey Library lists the user-defined surveys that you can use to obtain information on the existence and
evaluation of risks (RM) or the adequacy of controls (PC). Each survey comprises the following information:
● Category: The category of the survey.

● Title: The title of the survey.
● Description: An optional description of the survey and its purpose.
● Active: Specifies whether the survey is active or inactive. Only active surveys are available for use.
● Questions: The questions that comprise the survey.
● Created By
● Created On
Use
Using the Survey Library, you can do the following:
● Create new surveys. You can create a new survey, or copy and change an existing survey.
● Open surveys for editing. You can only edit surveys that have not been scheduled.
● Delete surveys. You can only delete surveys that have not been scheduled.
SAP Process Control

You can use the questions defined in the Question Library with the surveys listed in the Survey Library.
More Information
Surveys [page 485]
Question Library [page 486]
6.4.1.2.1 Creating Surveys
Prerequisites
See Surveys [page 485].
Procedure
To create a survey:
1. Choose Assessments Surveys Survey Library .

2. Choose Create. The Create Survey dialog box appears.
3. On the General tab, select a survey category, a title for the survey, and a description (optional).
4. If necessary, specify the valuation type. The entries defined here are used for surveys, question categories,
and answer types.
 Note
Using valuation for risk analyses requires additional settings through the Customizing activities.
Complete the activities listed under Governance, Risk, and Compliance Common Component
Settings Surveys .
5. Specify whether the survey is to be activated or not.
 Note
You cannot activate a survey without first creating one or more questions for it.
6. In the lower screen section, you can add questions as follows:

○ Choose Add to add questions that were previously defined.
○ Under the Actions menu, you can navigate within the questions (if there are many) or create a new
question.
SAP Process Control

7. Set the valuation or scoring, if used, for the survey questions. For more information, see Valuation and
Scoring for Surveys and Questions [page 492].
○ Answer types Yes/No/NA, Rating and Choice support reconfiguring user-defined scores. If you select
score based valuation for Valuation, you can view and change the predefined scores for each question.
Select the Set Score link in the Set Score column.
○ The total score of one survey is the sum of scores for each question.
 Example
Survey A has two questions (Q1 and Q2). The answers and scores are defined as following:
○ Question 1: Answers: 1.1 = 50; Answer 1.2 = 0

○ Question 2: Answers: 2.1 = 0; Answer 2.2 = 0; Answer 2.3 = 50
The total score of the survey is the sum of all the answers. In the example, a submission with
answers Q1 – Answer 1.1 + Q2 – Answer 2.1 = 50 as a total score. The highest possible score for
this survey would be 100.
8. Save the survey. Your survey can now be included in a plan when you call up the Planner [page 496].
 Note
○ Your survey becomes visible on the Survey tab of the Risk or Activity screen after you create a plan
in the Planner and have sent out the survey.
○ You can display the results of the survey by running the Survey Results report under Reports and
Analytics Compliance .
More Information
6.4.1.2.2 Creating Questions for Surveys
Use
For each type of survey, you can create user-defined questions to be attached. You can create questions in the
Question Library [page 486], or you can open a specific survey in the Survey Library [page 487] and create
questions for it. Furthermore, you can define your own answer types, which you can attach to question or
survey categories if necessary.
 Note
If a question is already being used in a survey, you cannot change any data for it, but you can deactivate it.
SAP Process Control

Prerequisites
Complete the Customizing activity Define Ratings for Survey Questions, found under Governance, Risk, and
Compliance Common Component Settings Surveys .
Procedure
To create a question:
1. Go to Assessments Surveys Question Library .

2. A list of all existing questions is displayed. When you choose Create, a dialog box opens in which you can
create your own question.
3. Select the category of the question from the dropdown options and enter text describing the question.
4. Specify whether the question is active or not. Active means that it can be used in a survey.
 Note
If you are not finished formulating the question, or if you want to make a question obsolete, deactivate
the question. You cannot delete questions that are already used in surveys.
5. Enter one of the following answer types (answer types vary based upon the survey category):
Answer Type Meaning & Type of Entry Required
Rating Requires the entry of a rating type. If you select this an
swer type, you are asked if the answer requires a com
ment.
Yes / No / NA Requires a Yes, No, or Not Applicable (NA) answer. If you

select this answer type, you are asked if the answer re
quires a comment.
Text Requires a text entry by user.
Percentage Requires the entry of a percentage.
Amount Requires the entry of an amount.
Choice A user-defined question in which you can define the an

swer options and the scores. If you select this answer
type, you are asked if the answer requires a comment.
Probability Level Requires the entry of a probability level. If you select this
answer type, you are asked if the answer requires a com
ment.
SAP Process Control

Answer Type Meaning & Type of Entry Required
Impact Level Requires the entry of an impact level. If you select this an
swer type, you are asked if the answer requires a com
ment.
Speed of Onset Requires the entry of a speed of onset value. If you select
this answer type, you are asked if the answer requires a
comment.
 Note
The answer types Yes/No/NA, Rating and Choice support user-defined scoring for each answer option.
A number score is assigned to each answer option at the design time. At runtime, users receive the
scores according to their selections. A final score is based on aggregating the scores from each
question.
○ For the answer type Rating, scores are defined during the Customizing activity, Define Ratings for
Survey Questions, located under Governance, Risk and Compliance Common Component
Settings Surveys .
○ For the answer type Choice, scores can be defined in the frontend, or they can be defined in the
corresponding column of the survey upload Excel file.
○ For the answer type Yes/No/NA, question scores are defined when the survey is defined.
 Recommendation
For more information, see Score-Based Valuation for Surveys and Questions [page 492].
6. If you are creating a question directly from a survey, choose Actions Create Question . On the Create
Question screen, you can specify if the question is local (only used for this survey). If you choose No, the
question can be used in other surveys.
7. Save your data.
Result
You have created a question for use in the survey.
 Note
If you want to upload new questions from your hard disk, you can do so by choosing Actions Upload .
The format of the file must be .csv, which can be created from a Microsoft Excel spreadsheet. For Choice
type questions, this spreadsheet can define the scores given to each choice, using the CHOICE_SCORE
column.
SAP Process Control

6.4.1.2.3 Score-Based Valuation for Surveys and Questions
Use
You can use the valuation and scoring function built into survey and question creation to assist in risk analysis
and process control evaluation.
● Surveys can be created with the type No Valuation or Score-Based Valuation. If you choose Score-Based
Valuation, a Set Score link appears on the right side of each line for all score-based questions that you have
created or that you have added from the Question Library [page 486].
 Note
Certain question types, such as those requiring a text entry, cannot be scored. The Set Score link will
not appear next to these kinds of questions. For more information about the different question types,
see Creating Questions for Surveys [page 489].
● When you choose the Set Score link, an Override Question Score window appears. You can choose to use
any maintained values that were preset through the Customizing activities, or you can override those
values with those of your own choosing.
 Note
If you override the preset values, the values you enter are valid only for this instance of the question. If
you use the same question type for another question in a survey, the default values are assigned to it
unless you override them again.
● If you wish to revert to the values set in the Customizing activities, click the Reset button in the Override
Question Score window.
● You can indicate whether a question is to be local (one-time only for a survey) or if it is to be global (stored
in the Question Library after creation). The default setting is global.
More Information
Surveys [page 485]
Survey Library [page 487]
6.4.1.3 Survey Category
SAP Process Control currently provides the following categories of surveys in the Survey Library for evaluations
of different purposes:
● Self-assessment
● Control Design
SAP Process Control

● Disclosure Survey [page 493]
● Indirect Entity-level Control
● Policy
● Subprocess Design
● Sign-off
6.4.1.3.1 Disclosure Survey
Use
Disclosure surveys evaluate the disclosure status of a company. With the SAP Process Control Disclosure
Survey, you can perform evaluations on three different entity levels: organization level, subprocess level, and
control level. Accordingly, the following three types of surveys are available in the Survey Library:
● Organization disclosure survey

● Subprocess disclosure survey
● Control disclosure survey
In the Planner [page 496], you can plan a survey based on one of the entities. During planning, you can define
the following attributes for the survey:
● Survey period
● Start date and due date
● Object survey template and disclosure survey template
You can choose a survey based on the specific object, or based on the disclosure status as a whole; you
can also choose both.
● Regulation
● Organization
● Subprocess or control
Depending on the entity level, you can choose the relevant subprocesses or controls. In organization
disclosure survey, this option is not available.
Disclosure surveys can be performed in Online Mode or Offline Mode. In Online Mode, the recipient receives the
survey in the work inbox. In Offline Mode, a PDF version of the survey is sent via e-mail to the recipient, who
answers the questions in the PDF file and sends back the result.
 Note
In Offline Mode, a valid e-mail address must be assigned to the relevant roles first in order to receive the
survey.
More Information
To read more about the Planner, see Planner [page 496].
To create surveys in Process Control, see Creating Surveys [page 488].
SAP Process Control

To create a plan in Process Control, see Creating a Plan [page 497].
6.4.2 Manual Test Plans
Use
A manual test plan consists of a sequence of test steps that are performed during testing to determine that a
control is operating effectively. A manual test plan may test either a manual or an automated control. If you
define the test method as manual, a manual test plan applies.
When you create a manual test plan, you assign the following attributes to it:
● Test steps comprising the test plan and the required steps
● Sampling methodology and initial sample size
● Indicator that says whether or not a test step failure results in a failed control and requires further action
All required test steps must be completed, in sequence, before the final validation of a manual control.
Prerequisites
A control must be in place before a test plan can be assigned, and the control must have Test Automation set to
Manual. For more information, see Business Processes [page 412].
Features
This function allows you to:
● Create, view, and edit manual test plans

● Assign manual test plans to controls at the global or at the compliance-specific level
● Set validity dates for test plans
● Assign manual test plans to one or more central controls
 Note
You can assign manual test plans directly to controls while creating or editing a control.
Activities
● To create and assign attributes to a manual test plan, or to edit an existing plan, perform the steps in
Creating and Editing Manual Test Plans. [page 495]
SAP Process Control

6.4.2.1 Creating and Editing Manual Test Plans
Follow the steps below to create or edit a manual test plan:
1. Choose Assessments Manual Test Plans. .

The Manual Test Plans screen appears and shows a list of test plans and their associated controls.
2. Set the timeframe for the test plan and select Go.
3. Select Create to define a new test plan or Open to change an existing plan.
The Test Plan screen appears.
4. On the General tab, enter or change the following information:
Test Name Enter the name of the manual test plan.
Description Enter a description for the manual test plan.
Valid From / Valid To Enter the date range for which the test plan is valid.
5. On the Test Steps pane, select Add to add new steps or, to delete an existing step, select the step and then
select Remove..
6. In the Step Name field, enter the name of the step for the manual test.
7. In the Step Description field, enter a short description for this step.
8. In the Step or Test dropdown menu, select either Step or Test to indicate if this step is for manual controls
or is a test for automated controls.
9. In the Required dropdown menu, select Yes or No to indicate whether or not this step is required.
10. In the Fail Ends Test dropdown menu, select Yes or No to indicate whether or not to end the test if this step
fails.
11. In the Initial Sample field, enter a description for the initial sample.
12. In the Sampling Method dropdown menu, select the desired sampling method.
13. Optionally, select the Attachments and Links tab to attach files or links to your test plan.
14. Select Save when you have completed your plan definition or when you have finished your edits.
6.4.3 Assessment Planning
In the Assessment Planning section of the Assessments work center, you have the following options:
● Planner
● Planner Monitor
● Sign-Off Monitor
SAP Process Control

6.4.3.1 Planner
Use
You can access the Planner under Assessment Planning in the Assessments work center. The window that
opens displays all Process Control and Risk Management plans and associated activities.
Using the Planner, you can do the following:
● Display existing plans, create a new plan, or copy and change an existing plan.
● Display the organizations for which plans are to be used.
● Display planning dates, including the start date, due date, and actual end date.
● Display the status of a plan.
● Split a plan, which has not executed, involving more than one organization.
 Caution
Splitting a plan over several organizations cannot be reversed.
Prerequisites
You need to ensure the following when using the Planner:
● User roles are properly assigned to organizations.

● According to your business needs, complete the Customizing activity Define Plan Usage under
Governance, Risk and Compliance Common Component Settings Planning and Scheduling .
Process
You can use the Planner for Process Control and Risk Management, triggering workflow procedures for
assessment, testing, and sign-off, among other purposes. You can use it to trigger e-mail surveys as well for
policy distribution.
More Information
Process Control Planner [page 497]
Please also see the Risk Management Planner topic in the documentation for SAP Risk Management.
SAP Process Control

6.4.3.1.1 Process Control Planner
Use
Using the Planner, you can define workflow procedures for validation and sign-off, schedule ad hoc issues, and
plan surveys to be carried out for Risk Management.
During planning, you can select the time period to be evaluated, the type of evaluation, the survey to be used (if
any), the items to be evaluated, and the start date and due date. This triggers a workflow to be sent to relevant
users beginning on the start date.
Prerequisites
User roles are assigned to organizations and to the local process hierarchy objects. This is done through the
More Information
To read more about the Planner, see Planner [page 496].
To create a plan in Process Control, see Creating a Plan [page 497].
6.4.3.1.2 Creating a Plan
Use
During planning, you enter the plan information following the guided activity steps. The plan executes the
specific logic beginning on the start date.
Prerequisites
● User roles are properly assigned to organizations

● Complete the Customizing activity Define Plan Usage under Governance, Risk, and Compliance
Common Component Settings Planning and Scheduling .
SAP Process Control

Procedure
1. Navigate to Assessments Assessment Planning Planner . The Planner table displays existing
plans. The period and year selected determine the default period and year for the next step.
2. Choose Create. The guided activity screen for creating a plan displays.
3. Enter the name of the plan and select a Plan Activity. Depending on the selection you make here, the fields
below it vary.
4. To use a survey for the plan, select it from the dropdown list.
5. For some plans that involve the sending of PDF questionnaires, you must set the Delivery: Via E-Mail
Indicator. This means that you receive a survey in Offline Mode. Otherwise, you receive a work item in your
work inbox, which is considered as the Online Mode.
6. Enter the start and due dates, and for assessments, the analysis date.
 Note
The due date cannot be the same as the start date, it must be at least one day later. However, for risk
analyses, the analysis date can be the same as the start date. If workflow is not completed by the
planned due date, the workflow remains open until it is completed. The Due Date can be configured
with reminders and escalations to notify users of tasks approaching or past their due dates.
7. Select Yes if it is a Recurring Plan. Enter the recurring information.

8. (Optional, depending on configuration) Click Next to display Select Regulations. Select the Regulation step
and the Evaluation Results Sharing.
9. (Optional, depending on configuration) Click Next and proceed to the Select Organizations step. Expand
this window to see all the fields.
10. Choose the line of the organization for which you want to carry out the plan activity and then choose Next.
 Note
All organizations loaded in the list are included in the plan.

○ For planning Perform Signoff, review the list to ensure that all organizations are correctly flagged
for sign-off. If any sign-off flags are incorrect, exit the Planner. Make the changes to the
organization’s Subject to Sign-off field and restart the planning activity.
○ For planning Perform Aggregation of Deficiencies (AoD), review the list to ensure that all
organizations are correctly flagged for AoD. If any AoD flags are incorrect, exit the Planner. Make
the changes to the organization’s Subject to AoD field and restart the planning activity.
11. In the next step, Select Objects, you can further narrow the selection criteria (depending on the
configuration), if applicable.
(Risk Management only) For an activity validation, you have the following options:
○ If you select all activities, all existing activities in the organization are used in the plan.
○ If you select by activity attributes, for example, you can specify the activity category and type, and the
number of risks to be included. In particular, you can specify the inherent and residual risk levels, as
well as enter a validity period for the plan.
○ If you select specific activities, you must specify which ones are to be included in the plan.
12. Select the Recipients for the plan (depending on configuration). Only Policy Survey, Policy Quiz and Policy
Acknowledgement use this choice.
13. After choosing Next, you access the Review section of the Guided Procedure, where you can check whether
the plan details and the selections you made are correct. If you choose the View Objects, the system
outputs a list of the selected objects and the corresponding e-mail recipient or recipients.
SAP Process Control

14. Choose Activate Plan to save the plan.
15. The last step, Confirmation, is triggered automatically, and the system confirms that your plan was saved.
16. To conclude the procedure, click the Finish pushbutton. Alternatively, you can create a new plan from the
corresponding link in this section.
17. The plan you created is now listed in the overview screen. If you call up the plan again from the list, you can
see the scheduling events for this plan in the Events tab.
18. In the overview screen, the statuses set by the system are:
○ Planning — The plan has been created but has not been executed.
○ In process — The plan is being processed but is not completed.
○ Completed — The plan has been executed successfully.
○ Error — The plan has been executed but an error occurred.
 Note
If you receive the status Error for your plan, you can see the reason in the Events tab of the plan. In
this case, you must check the application log using transaction SLG1.
Copying a Plan
1. From the Planner overview list, put your cursor on the plan to be copied and choose Copy.
2. A Guided Procedure for copying the plan displays.
3. You can change the plan details by entering other data. The start date cannot be in the past.
4. The steps to be followed for copying are the same as for creation — see Steps above.
Deleting or Splitting a Plan
A plan can be deleted or split over several organizations. In the latter case, you can use one plan for all
organizations or have the plan replicated for each organization.
1. From the Planner overview list, put your cursor on the plan to be deleted or split and choose the correct
action.
 Note
You can only delete or split a plan that has not been executed yet. Only a plan whose status is Planning
and whose start date is tomorrow or later can be deleted or split. To split a plan, you must previously
have selected at least two different organizations.
2. The plan is either split or deleted. If it is split, two lines are displayed in the list. If deleted, the line for this
plan no longer displays.
6.4.4 Planner Monitor
You can use the Planner Monitor to track and monitor the execution status of workflow, e-mail survey, and
user-defined objects created by the planner within the application.
Planner Monitor displays the following information for each plan:
● Plan Name — The name of the plan.

● Plan Activity — The activity or usage of the plan item.
SAP Process Control

● Organization — The organization of the plan item. For cross-organization activities, such as policy
distribution, this column shows No Selected Organization.
● Object — The object name included in a plan item.
● Frequency — The planning frequency for recurring planning. If the plan item represents one-time planning,
this column displays One Time Plan.
● Start Date — The plan item start date.
● Due Date — The plan item due date.
● Recipients — The e-mail addresses of the plan item recipients.
● Status — The plan item planning and execution status.
The Status can be one of the following:
● Error — The case has executed, but has failed.

● In Process — The case is in process, but has not finished.
● Completed — The case has executed successfully.
● Overdue — The case has not been processed, and the due date has passed.
● With exceptions — The case has completed, but with exceptions.
You can filter plan items, as required, by plan name, plan activity, organization, as well as by a date range, and
manually send notifications to recipients, as appropriate.
Auto Notifications
You can enable automatic notifications about plans in status "Error". To do this, in transaction SE36 set the
report GRFN_PLANNER_SEND_ERROR_NOTIF as a background job. The job will check plans on a regular basis
and upon plans in status "Error" are found, automatic email notifications will be sent to persons responsible.
6.4.5 Sign-Off Monitor
Use
This functionality monitors the sign-off process. The sign-off monitor shows the full organization hierarchy.
For organizations marked as subject to sign-off, the sign-off begins with the lower organizations and proceeds
to the higher organizations in the hierarchy. You can see if an organization has been signed off or not, the sign-
off date, and any attachments.
Activities
The following selection criteria are available for the sign-off monitor:
● Timeframe, Timeframe Year — You can choose which timeframe you want to see.
● Regulation — The sign-off is regulation specific. You can choose which regulation data you want to see.
The sign-off monitor displays the organization hierarchy, and the following information for each organization:
● If the organization is subject to sign off. The values are Yes or No.
SAP Process Control

● The sign-off user name, and the sign-off date (if the sign-off has been done).
● Any attached or linked files (attached during sign-off).
6.4.6 Reports (Assessments)
Assessment reports pertain to all design assessments and tests of effectiveness. Which reports are available
varies by person, based upon the role assigned.
 Note
The Case Selection field is used in several Assessment Reports. Use this field to see evaluation cases of:
● All in reporting timeframe: The report shows all evaluation cases per evaluation type that occurred in
the reporting timeframe.
● One per evaluation timeframe: The report only shows one evaluation case per evaluation type for each
evaluation timeframe, according to the setting in Include Assessment.
● One per reporting timeframe: The report only shows one evaluation case per evaluation type for the
reporting timeframe, according to the setting in Include Assessment.
 Example
If there are three control effectiveness tests:
Case 1: planned for timeframe January 2012, performed on 2012.1.10
Case 2: planned for timeframe January 2012, performed on 2012.1.20
Case 3: planned for timeframe Year 2012, performed on 2012.1.30 and Include Assessments is set to Most
Recent Assessments/Tests in Timeframe. Run report in timeframe Year 2012, regarding to different
selections in Case selection:
● If All in reporting timeframe, all three cases are shown.

● If One per evaluation timeframe, case 2 and case 3 are shown, because they are planned for different
evaluation timeframes.
● If One per reporting timeframe, case 1 is shown, because it is the most recent in the reporting
timeframe.
The following are assessment reports:
Assessment Report Description
Evaluation Results by Organization This report provides a hierarchical view into the evaluation results of
different types of organizations. You can review this report to under
stand the evaluation status of controls and subprocesses for each
evaluation type. You can focus on failed controls and processes and
drilldown to see if further remediation actions must be taken.
SAP Process Control

Evaluation Management This report provides a list of organizations that have not yet per
formed certain evaluations in a specific timeframe. You can review
this report to understand the evaluation coverage gaps to see if fur
ther assessments or tests must be planned.
Indirect Entity-Level Control (iELC) Evaluations This report provides indirect entity-level control evaluation results
by iELCs by organization. You can review this report to understand
the evaluation status of iELCs for each evaluation type. You can fo
cus on failed iELCs and drilldown to see if further remediation ac
tions must be taken.
Indirect Entity-Level Control (iELC) Evaluations by This report provides a hierarchical view of indirect entity-level con
Organization trol evaluation results by organization. You can review this report to
understand the evaluation status of iELCs for each evaluation type.
You can focus on failed iELCs and drilldown to see if further reme
diation actions must be taken.
Subprocess Design Assessment This report provides visibility into subprocess design assessment by
organization and process. For each subprocess, it shows the results
of the performed subprocess design assessment. You can review
this report and focus on failed subprocesses and drilldown to see if
further remediation actions must be taken.
Control Ratings This report provides visibility into the control evaluation results of
different evaluation types by organization and process. You can re
view this report to understand the evaluation status of controls for
each control evaluation type. You can focus on failed controls and
drilldown to see if further remediation actions must be taken.
Control Test History with Ratings This report provides visibility into control testing results by controls
by organization and process for multiple periods (if available). You
can review this report to understand the testing status of controls.
You can focus on controls that failed the effectiveness test and drill
down to see if further remediation actions must be taken.
Test Step Status This report provides visibility into the test step details of control
testing results for each organization and process. For each effective-
ness test, it shows results for each test step. You can review this re
port to understand what step failures contribute to the overall test
deficiency.
Risk Coverage with Evaluations This report focuses on evaluation results with risk coverage by con
trols by organization and process. You can review this report to un
derstand, for each risk, whether or not the control assigned for miti
gation is designed and executed correctly. This could help see if an
other control is needed or further remediation actions must be
taken.
SAP Process Control

Risk Coverage with Ratings by Organization This report shows evaluation results risk coverage in a hierarchical
layout. You can review this report to understand, for each risk,
whether or not the control assigned for mitigation is designed and
executed correctly. This could help determine if another control is
needed or further remediation actions must be taken.
Assessment Survey Results This report provides visibility into assessment results of each evalu
ation type by control for each organization and process. For each
control or subprocess, it shows the evaluation results of the per
formed subprocess design, control design, and self-assessment.
You can review this report and focus on failed subprocesses and
controls. You can drilldown to see if further remediation actions
must be taken.
Issue Status This report provides visibility into issue statuses of each evaluation
type. You can review this report to find out whether there are open
issues under specific organizations, processes, subprocesses, or
controls and drilldown to open the issue details.
CAPA Status This report provides visibility into CAPA plan statuses of each evalu
ation type, if applicable. You can review this report to check whether
all addressed CAPA plans are processed in a timely fashion. You can
also drilldown to see the CAPA plan details.
 Recommendation
For more information, see Key Assessment Report: CAPA Sta
tus Report.
Remediation Status This report shows the status of the remediation plan for each evalu
ation type. You can review this report to see whether all addressed
remediation plans are processed in a timely fashion and drilldown to
see remediation plan details.
Test Status by Organization This report provides a hierarchical view into high level statistics on
evaluation status by organization. For each organization, it shows
the total number of key controls as well as the evaluation pass rate
of each evaluation type. You can review this report to compare inter
nal control compliance status among different organizations.
Test Status by Process This report provides a hierarchical view into high-level statistics on
evaluation status by process. For each organization and process, it
shows the total number of key controls as well as the evaluation
pass rate on each evaluation type. You can review this report to
compare the internal control compliance status among different
processes.
SAP Process Control

Scoping Coverage This report provides a hierarchical view into the result of consoli
dated materiality analysis by accounts group. For each central ac
counts group, it shows the consolidated accounts group signifi-
cance decisions together with account groups balance and material
ity threshold. Additionally, this report shows the overall scoping cov
erage status, in terms of scope control numbers and risk coverage.
You can review this report to see if more account groups must be
added to the scope.
Organization-Level Materiality Analysis Results This report provides a hierarchical view into the result of organiza
tion-level materiality analysis by organization and accounts group.
For each local accounts group, it shows the organization-level ac
counts group significance decisions together with the accounts
group balance and materiality threshold. You can review this report
to see if further accounts group, process, and controls must be
added to the scope.
Testing Strategy by Control This report provides visibility into the results of control risk assess
ment results by control by organization and process. For each con
trol, it shows the value of control risk rating from assessment as well
as the level of evidence calculation result. A use could review this re
port and understand the decisions of testing strategy suggestion to
each control following the risk-based compliance approach.
Risk Assessment Results This report provides visibility into the results of risk assessment re
sults by risk by organization and process. For each risk, it shows the
assessed value of probability, impact level, and overall risk level. You
can review this report and use its output as evidence for risk-based
compliance.
Organizational Sign-off Status This report provides visibility into the status of sign-off by organiza
tion. You can review this report to find out whether business owners
have performed the sign-off for their areas of responsibility. You can
drilldown for the detailed sign-off results.
Aggregation of Deficiency (AOD) Status This report provides visibility into the status of aggregation of defi-
ciency by organization. You can review this report to find out
whether business owners have performed aggregation of deficiency
for their areas of responsibility and drilldown to check the detailed
AOD results.
Policy Profile This report provides an overall summary of the policy, its current
status and where it is currently in the workflow.
Policy Distribution Survey Results This report provides visibility into the results of policy distribution on
question and answer level. You can review this report for audit trail
purpose or you can perform analytics on the feedback from specific
survey questions.
SAP Process Control

Policy and Issue Status This report provides an overall summary of all issues (both evalua
tion and ad hoc) related to a specific policy. You can review this re
port to help evaluate the effectiveness of a policy based on the eval
uation issues of controls in the policy scope or on the ad hoc issues
of the policy.
Ad Hoc Issue Report This report provides an overall summary of the ad hoc issues.
survey questions.
of the policy.
survey questions.
of the policy.
survey questions.
of the policy.
survey questions.
SAP Process Control

of the policy.
6.4.6.1 Key Assessment Report: CAPA Status Report
The Corrective Action and Preventive Action (CAPA) status report provides the condition of all the CAPA
initiatives that have been taken in your company to remediate issues rising out of operations. You can also drill
down into each of the CAPA plans and view the details of the plan. The report can help determine the number
of CAPA plans that have been initiated in the company:
● within a certain organization

● for a particular business process or subprocess
● by a certain individual
● within a certain timeframe
The CAPA status report can be used for different reasons by various users. An organization owner may use this
report to check how many CAPA plans have been initiated in the organization. A process owner could use the
report to see the number of CAPA plans that have been planned in the owner's process, as well as how many of
them are overdue, and the status of completion of these plans.
 Example
Within an organization, you can compile a list of plans that:
● started on May 2, 2010

● are due on December 22
● are overdue in the Warehouse Management process.
○ If there are any overdue CAPA plans, you can drill down to see which remediator is the person who
is stopping the plan from being completed. Then, you may contact the individual to expedite the
CAPA completion.
6.5 Access Management
Use
The Access Management work center is shared by the Access Control, Process Control, and Risk Management
the applications you have licensed. The content in this topic covers the functions specific to Process Control. If
SAP Process Control

you have licensed additional products, such as Access Control or Risk Management, refer to the relevant topics
The Process Control Access Management work center has the GRC Role Assignments [page 507] section.
More Information
Please also see the following topics in the documentation for SAP Access Control and SAP Risk Management:
Access Management Work Center – Access Control-specific topics
Access Management – Risk Management-specific topics
6.5.1 GRC Role Assignments
Use
The GRC Role Assignments menu group is shared by the Access Control, Process Control, and Risk
Management products in the GRC Application. The quick links that appear on the screen are determined by the
applications you have licensed. The content in this topic covers the functions specific to Process Control.
In the GRC Role Assignments section of the Access Management work center you can specify owners for the
delivered roles and the conditions that require approval from role owners.
● Organizations [page 507] – To maintain the organization structure within the application for you
company.
● Business Processes [page 510]
● Replacements [page 511]
● Central Delegation [page 513]
6.5.1.1 Organizations
Use
You use the Organizations link under the Access Management work center to assign corporate and organization
roles.
 Note
There is also an Organizations link under the Master Data work center. You use its functions to create and
maintain the organizational structure in the application. For more information, see Organizations [page
398] (in the Master Data work center).
SAP Process Control

Activities
For the Organizations link under the Access Management work center you can do the following activities are
available for assigning corporate and organization roles:
● Select timeframes
● Select organizations
● Choose and assign corporate and organization-level roles to organizations
● Choose users and assign them to roles
More Information
Assigning Corporate and Organization Roles [page 508]
6.5.1.1.1 Assigning Corporate and Organization Roles
Context
You can use this function to assign users to roles for corporate and organization objects. You typically perform
this task during initial setup, when organizations or roles (corporate or organization) are added, or when
multiple users are assigned to roles.
To assign users to roles at the corporate and organization levels, perform the steps in the following categories:
1. Select a timeframe
2. Select organizations
Choose the corporate and organization-level roles that you want to assign.
3. Assign roles
Choose the users that you want to assign to the roles.
4. Review selection
Review the users assigned to selected roles.
5. Confirm selection
Confirm the role assignments.
Procedure
1. Navigate to Access Management Organizations . The Assign Corporate and Organization Roles screen
appears.
SAP Process Control

2. The guided activity screen appears. Perform the following steps:
○ Step 1 – Select a timeframe
○ Step 2 – Select Organizations
1. Enter search criteria in the Find field to filter valid organizations based on your parameters. Otherwise,
leave the field blank to show all valid organizations based on the timeframe displayed, and choose Go.
2. Select the organizations and use the arrow buttons to move them from the Available to the Selected
pane. If no organizations are selected, all organizations are considered.
 Recommendation
To select multiple fields, press the CTRL key. To select consecutive fields, press the SHIFT key.
3. Select Next. The Assignments table displays the selected organizations and the respective corporate
and organization-level roles.
○ Step 3 – Assign Roles

1. Select a cell beneath a role to assign a user to the role. You can either enter the user’s name in the cell
or select the value help button to search for user names. Disabled cells indicate that an assignment
exists. For information about changing existing assignments, see Replacements [page 511].
 Note
Some roles allow multiple users to be assigned. If a role allows multiple assignments, it always
presents an editable cell for additional assignments, whether or not an assignment already exists.
2. To copy the same users to multiple roles, select the entire row you want to copy.
3. Select Copy Action and choose either:
○ Copy to ALL – to copy the user to all editable fields (whether empty or not), or
○ Copy to Empty – to copy the user to only empty editable fields.
4. The Copy Assignment screen appears. Select All roles or Only selected roles for roles to which you want
the users copied. Select OK. The Assignments table populates based on your selection.
 Example
The copy action is based upon assignments made in the selected row. For example, a row might
contain the process-level role assignments for Process Owner as Denise Smith and Tester as Oleg
Kopp. Choosing Copy to Empty and then All Roles copies Denise Smith to all empty Process Owner
cells and Oleg Kopp to all empty Tester cells. However, choosing Only selected roles and choosing
Tester copies just Oleg Kopp to all empty Tester cells.
5. Select Next. The Proposed Changes screen displays the assignments to be made.
3. Step 4 - Review
Review your selections in the Proposed Changes results table. Select Previous to go back and make any
changes, if desired. Otherwise, choose Next (the Confirmation screen appears) or select Finish.
4. Step 5 - Confirm
Confirm your selection and select Finish. Your assignments have been made, and any changes require a
replacement or removal.
SAP Process Control

Next Steps
● Business Process: Assign Process, Subprocess, and Control Roles [page 510]
● SAP Process Control 12.0 Security Guide at https://help.sap.com/pc
6.5.1.2 Business Process: Assign Process, Subprocess, and

Control Roles
Prerequisites
Complete the Customizing activity located either at Governance, Risk, and Compliance General Settings
Authorizations Maintain Entity Role Assignment or Governance, Risk, and Compliance Process Control
Authorizations Maintain Regulation Role Assignment
 Recommendation
For more information, see the SAP Process Control 12.0 at .https://help.sap.com/pc
Context
You can use this function during initial setup to assign users to roles for local process objects. For example,
when new process objects are added, when roles are added for process hierarchy levels, or when additional
users are assigned to roles that can be assigned to multiple users. To assign users to roles in the process,
subprocess and control levels, you perform steps in the following four categories:
1. Select Role and Filter – to select the roles you want to assign.
2. Assign Roles – to select the user(s) you want to assign to the role(s).
3. Review selection – to review users assigned to selected roles.
4. Confirm selection – to confirm user-role assignments.
 Note
You can also perform mass role assignment to cross-regulation roles or specific regulations.
Procedure
1. Navigate to Access Management GRC Role Assignments Business Processes . The Assign Process,
Subprocess, and Control Roles screen appears. Perform the following guided activity steps:
SAP Process Control

2. Select a Timeframe
3. Select Role and Filter
1. Select the role levels (for example, process, subprocess, control) of the roles to which you want to
assign a user.
2. (Optional, but suggested) Use Filters to obtain a search of specific organizations, processes, or roles. If
filters are used, the number of resulting organizations, processes or roles chose are reduced.
 Note
If you do not choose to filter the selection, the Assignments table displays all organizations,
processes, and roles available for the selected role level (process, subprocess, control). To work
with manageable amounts of data, limit the number of role levels and use filters to refine your
selections.
3. Choose Next. The Assigned Roles screen appears

Select a cell beneath a role to assign a user to the role. You can either enter the user’s name or select
the value help to search user names. Ensure that you are assigning the user to the correct role level.
Disabled cells indicate that an assignment exists.
4. Assign roles
1. Select a cell beneath a role to assign a user the role. You can either enter the user's name in the cell or
select the value help button to search user names. Ensure that you are assigning the user to the
appropriate role level. Disabled cells indicate that an assignment exists. To change existing
assignments, see Replacements [page 511].
 Note
Some roles allow multiple users to be assigned. If a role allows multiple assignments, it displays an
editable cell for additional assignments (whether or not an assignment already exists).
2. To copy the same users to multiple roles, choose Copy Action.

3. Select Next. The Proposed Changes displays the changes to be made.
5. Review your selections in the Proposed Changes results table. Choose Previous to go back and make
changes. Choose Next (the Confirmation screen displays) or choose Finish.
6. Confirm your selection and choose Finish. Your assignments have been made, and any changes require a
replacement or removal.
6.5.1.3 Replacements
Use
The Replacement function allows you to remove a user from a role or to replace a user in a role. You use this
function when employee status changes due to job transfers, new hires, or terminations. This changes the role
assignments and transfers the open workflow from the user being replaced to his or her replacement.
SAP Process Control

Features
1. Navigate to Access Management GRC Role Assignments Replacements . The Replacements and
Removals screen appears.
2. Since you select a user in the upper pane, the lower pane shows role replacements or removals for the
highlighted user. This listing is display-only.
 Note
In the lower pane, Level represents the authorization level of the role and Object pertains to the object
(such as process, subprocess, control) to which the role has access.
3. Select the desired year and period in the timeframe fields, and choose Go. The earliest possible date for a
replacement is tomorrow (that is, system date plus one day).
4. To replace or remove a user from a role, select Replace or Remove. The Role Replacement and Removal
screen displays a guided activity.
5. Select user
○ In the Find field, enter the name or user ID of the user you want to replace or remove. Choose Go. Wild
cards (*) are not supported on this screen.
○ Select the row of the user to be replaced or removed and select Next. The Assignments table displays
the current role assignments for the user selected.
6. Define Replacement
○ To replace a user in a role, select the Replacement field of the role for which you want to enter a
replacement.
○ Enter the user name or select the value help to search by user or user ID. Provide a partial user name
or user, using wild cards (*) as needed. Select the row containing the desired replacement and choose
OK.
○ In the Effective Date field, enter the date that you want the replacement to take effect. Optionally, leave
the field blank to default to the earliest possible date, usually the following day.
○ Continue selecting roles and making replacements until all desired roles have replacements.
○ To copy a user name and effective date to multiple roles (rows), select the source row for the copy and
choose Copy Action. If you have not selected a row, Copy Action is disabled.
○ Choose any of the following options from the Copy Action dropdown:
○ Copy to ALL – to copy to all Replacement and Effective Date fields (whether target cells are empty
or not). If the fields are not empty, the fields are overwritten with the new user and effective date.
○ Copy to Empty – to copy to only empty Replacement and Effective Date fields. If these fields are
populated with a different user/date, the fields retain the user/date content and are not replaced.
○ To remove a user from a role without replacing him or her, select the user name and select Remove.
This is useful when a role allows multiple users to be assigned.
 Note
If your removal causes a role assignment to become empty, the system displays a warning.
○ Select Next. The Proposed Changes screen displays the changes to be made.
7. Review your selections in the Proposed Changes results table. Select Previous to go back and make
changes. Otherwise, choose Next or select Finish. The Confirmation screen appears.
8. Confirm your selection and choose Finish. Your replacements and removals are effective on the date you
provided. For replacements, the system reroutes open workflow tasks to the replacements on that date.
SAP Process Control

6.5.1.4 Central Delegation
Use
You authorize users to perform tasks and exercise access rights on behalf of other users. The system
administrator must grant you authorization to perform central delegation.
● You can authorize a user (the delegate) to perform the tasks and to exercise the access rights of another
user (the delegator).
● You delegate access rights by creating a new delegation in which you designate one user as the delegator
and another as the delegate. The delegator’s access rights and tasks become accessible to the delegate for
the validity period that you specify.
 Recommendation
Companies limit access to Central Delegation because it authorizes users to access all delegations and to
delegate on another user’s behalf.
 Caution
Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business
users. If a power user needs to delegate his or her authorization to others, he or she must ask the IT
department to assign the PFCG role SAP_GRC_FN_ALL to that user. This delegation is not entity-
dependent. For more information, see Standard Roles and Auzthorization Objects.
Prerequisites
You have authorization for central delegation. For more information, see the SAP Process Control 12.0 Security
Guide at https://help.sap.com/pc.
Procedure
To delegate the access rights of one user to another, follow the steps below.
To create a new delegation
1. Select Access Management work center, choose GRC Role Assignments Central Delegation
The Central Delegation screen displays all existing delegations. From here, you can create a new delegation,
open and edit an existing delegation, or delete a delegation.
2. To create a new delegation, choose Create.
The Central Delegation screen displays.
3. Enter the information as follows:
1. In the Delegator User field, select the value help to display the User List dialog box.
2. Enter, or search for, the user name. Select a user name and choose OK.
The Delegator and User ID fields are automatically filled when you select a user.
SAP Process Control

 Note
You can use wildcards (*) in a search.
3. In the Delegate User field, select the delegate in the same manner as you selected a delegator.
The system fills in the Full Name field when you select a user.
4. In the Delegation Period field, adjust the defaults as needed.
○ The Start Date defaults to the date the delegation is created.
Enter the date you want the delegation to begin.
○ The End Date defaults to unlimited (December 31, 9999).
Enter the date you want the delegation to end. If you accept the default of an unlimited End Date,
you can change the date later, or delete the delegation when it is no longer needed.
To edit an existing delegation
1. To edit an existing delegation, choose a delegation assignment and then Open.

The Central Delegation screen appears. You can change only the End Date.
2. Choose Save to save your changes.
To delete an existing delegation
1. Choose the delegation assignment and then Delete.

You are prompted to confirm the deletion. Please note you can only delete a delegation that hasn't started
yet.
2. Choose Yes.
To terminate an ongoing delegation
To terminate an ongoing delegation,
1. Execute the transaction SE38 and launch GRPC_USER_DELEGATION_DEL.

2. Find the delegation you want to terminate by the delegate's user ID and enter the date of termination.
3. By checking the Mass Delimit, you can terminate all the delegations of the delegate at a time.
6.5.1.5 Mass Role Reassignment
With Mass Role Assignment, you don't need to remove roles, replace role assignees or replicate role
assignment one by one. You can select multiple users to remove some or all roles assigned to them, or replace
them with new assignees, or copy their role assignment to other users .
Remove Role Assignment
To remove roles from users,
1. Select the Remove action

2. Search for the source users from whom you want to remove their roles
3. Select the roles you want to remove
SAP Process Control

Replace Assignees
To remove roles from users and re-assign the roles to new assignees,
1. Select the Replace action

2. Search for the source users whom you want to replace with new assignees
3. Select the roles you want to remove and re-assign
4. Select target users, namely the new assignees
 Note
Please note if you choose multiple target users, all the selected roles will be assigned to each target user.
Replicate Role Assignment
Different from replacing role assignees, to replicate role assignment is to assign the selected roles of source
users to target users while keeping the role assignment of source users.
6.6 Reports and Analytics
Use
The Reports and Analytics work center is shared by the Access Control, Process Control, and Risk Management
the applications you have licensed. The content in this topic covers the functions specific to Process Control. If
you have licensed additional products, such as Access Control or Risk Management, refer to the relevant topics
The Process Control Reports and Analytics work center contains the Compliance [page 515] section.
More Information
Also see the Reports and Analytics topic in the application help for SAP Access Control and SAP Risk
Management.
6.6.1 Compliance
The following reports are contained in the Reports and Analytics work center in the Compliance section.
SAP Process Control

Report Description
Evaluation Status Dashboard Shows a high-level picture of the overall status of corporate
compliance throughout different business entities and pro
vides analytics and drilldown capabilities to view data on dif
ferent levels and dimensions.
Overall Compliance Status Dashboard Shows a high-level picture of the overall status of corporate
compliance throughout different business entities and pro
vides analytics and drilldown capabilities to view data on dif
ferent levels and dimensions.
Survey Results Displays the results of surveys.
Datasheet Provides comprehensive information on master data, evalu

ation, and remediation activities for subprocesses and con
trols.
 Recommendation
For more information, see Datasheets.
6.6.1.1 Datasheets
Datasheets provide access to detailed information related to a control or subprocess. They offer the following
functionality:
● Ability to have a single point view for the information related to a control or subprocess, including the
attributes, long texts, and all the related entities such as control objectives, risks, account groups.
● Ability to export the reports in standard formats that you can share and print.
Roles that use the datasheet functionality:
● Internal Auditors
These reports can document a picture of the controls and subprocesses in an organization.
● Process owners and control owners
These roles may request datasheets to obtain an overview of their subprocesses. Information includes the
definition of the subprocess, any assessments done on the subprocess, the controls encompassed by the
subprocess, and the assessments and testing done on these controls. Control owners may request
datasheets to find out about the design of their controls. They may also want to know about the testing and
assessment of these controls to understand the effectiveness of the controls.
 Note
Process and control owners may not have access to printing datasheet reports, depending on company
policy.
● External Auditors
Auditors may request information to research controls or subprocesses.
SAP Process Control

 Note
Some companies allow external auditors to access their systems and data, and some do not. If external
auditors are not granted access, then the internal auditors may retrieve the reports and e-mail them to
the external auditors.
Output Sections
The data in the control datasheet is divided into the following sections:
● Master data related to control attributes

● Control objectives and risks
● Account groups
● Related attachments and links
● Parent hierarchy of the control
● Assessment surveys
● Manual test plans
● Evaluation results
● Test of effectiveness results
● Control design assessment results
● Remediation plans
Activities
Follow the guidelines to generate datasheet reports:
1. Enter the following data for your datasheet:

○ Period
○ Year
○ Organization
○ Process
○ Subprocess
○ Level
○ Evaluation results
○ Issues and remediations
○ Attachments
○ Display report immediately/Request report and await work item
2. Choose Print Preview to have the system generate a printable file.
SAP Process Control

7 Enterprise Services in SAP Process
Control
Related Information
Policy Management [page 518]

Issue Management [page 525]
7.1 Policy Management
Manages policies including creating, maintaining, reviewing, approving, and publishing of policies.
Technical Data
Entity Type Process Component
Software Component Version GRCFND_A V1000
Technical Name POLICY_MANAGEMENT
Namespace Not applicable
7.1.1 Policy
A set of principles, rules, and guidelines that are formulated or adopted by an organization to reach its long-
term goals.
SAP Process Control

518 PUBLIC Enterprise Services in SAP Process Control
Technical Data
Entity Type Business Object
Technical Name GRCFND_A V1000
Business Context and Use
The Policy business object is used to maintain policy metadata and its related documents. It allows external
applications to search, create, update, and generate new versions of policies in the SAP GRC system.
7.1.1.1 Search In
An interface to search policies and policy groups.
Technical Data
Entity Type Service Interface
Category SAP A2X
Direction Inbound
The Search In synchronous inbound service interface groups operations that search policies and policy groups
in the SAP GRC system.
7.1.1.1.1 Search Policy
To find policies according to the search criteria.
SAP Process Control

Enterprise Services in SAP Process Control PUBLIC 519
Technical Data
Entity Type Service Operation
Release States Released
Technical Name GRFN_POLICY_SEARCH
Namespace N/A
Application Component GRC-SPC
Web Service Definition GRFN_POLICY_SEARCH
Direction Inbound
Mode Synchronous
Idempotency Not applicable
Change/Update Behavior Not applicable
P2P Communication Enabled <Yes/No>
Business Context
The Search Policy operation searches the policies in the SAP GRC system according to the search criteria, and
returns the result of relevant policies.
More Information
For more information about searching a policy using the web service, see SAP Note 1726512 - Policy
Management SOA enablement (Custom Development Guide).
7.1.1.1.2 Search Policy Group
To search policy groups according to the search criteria.
SAP Process Control

Technical Data
Technical Name GRFN_POLICY_GROUP_SEARCH
Namespace N/A
Web Service Definition GRFN_POLICY_GROUP_SEARCH
Direction Inbound
Mode Synchronous
Business Context
The Search Policy Group operation searches the policy groups in the SAP GRC system according to the search
criteria, and returns the result of relevant policy groups.
More Information
7.1.1.2 Update In
An interface to create, update, and generate new versions of policies.
SAP Process Control

Technical Data
Category SAP A2X
Direction Inbound
The Update In synchronous inbound service interface groups the operations that create policies, update policy
documents, and generate new policy versions in the SAP GRC system.
7.1.1.2.1 Create Policy
To create a policy.
Technical Data
Technical Name GRFN_POLICY_CREATE
Web Service Definition GRFN_POLICY_CREATE
Direction Inbound
Mode Synchronous
P2P Communication Enabled Yes
SAP Process Control

Business Context
When a policy document is created in the external DMS, the Create Policy operation allows the external
application to create a policy in the SAP GRC system using the input document created in the external DMS as
an attachment.
Features
The Create Policy operation creates a policy in the SAP GRC system with the input policy document as an
attachment.
More Information
7.1.1.2.2 Generate Policy Version
To generate a new policy version.
Technical Data
Technical Name GRFN_POLICY_NEW_VERSION
Web Service Definition GRFN_POLICY_NEW_VERSION
Direction Inbound
Mode Synchronous
SAP Process Control

Business Context
When a policy is published in the SAP GRC system, the Generate Policy Version operation allows the external
application to generate a new policy version in the SAP GRC system.
Features
The Generate New Policy Version operation adds the input document in the SAP GRC system as a new version
of the original document and generates a new policy version.
More Information
7.1.1.2.3 Update Policy Document
To update a policy document.
Technical Data
Technical Name GRFN_POLICY_DOCUMENT_UPDATE
SAP Process Control

Web Service Definition GRFN_POLICY_DOCUMENT_UPDATE
Direction Inbound
Mode Synchronous
Change/Update Behavior Type 2
Business Context
When a policy is created in the SAP GRC system from web service and the policy document has just been
updated in the external DMS, the Update Policy Document operation allows the external application to update
the policy document in the SAP GRC system so that both policy documents are up-to-date.
Features
The Update Policy Document operation updates the policy document in the SAP GRC system when the policy
document in the external DMS is updated.
More Information
7.2 Issue Management
Definition
Manages issues identified outside the standard testing and assessment process.
SAP Process Control

Technical Data
Entity Type Process Component
Software Component Version GRFND_A V1000
Technical Name ISSUE_MANAGEMENT
Compliance and operational issues arise outside the control evaluation. These issues need to be documented
and tracked for the improvement of organizational compliance status.
7.2.1 Ad Hoc Issue
Definition
Compliance and operational problems outside control evaluation.
Technical Data
Entity Type Business Object
Technical Name ADHOC_ISSUE
The Ad Hoc Issue business object is used to maintain issue data.
SAP Process Control

7.2.1.1 Update In
Definition
An interface to generate ad hoc issues.
Technical Data
Category SAP A2X
Direction Inbound
The Update In synchronous inbound service interface groups operations that create ad hoc issues in the SAP
GRC system.
7.2.1.1.1 Create Issue
Definition
To create an ad hoc issue.
Technical Data
Entity Type Operation
SAP Process Control

Release State Released
Technical Name GRFN_ISSUE_WS
Web Service Definition (Back End) GRFN_ISSUE_WS
Direction Inbound
Mode Synchronous
P2P Communication Enabled True
The Create Issue operation allows the external application to create ad hoc issues in the SAP GRC system.
Features
The Create Issue operation creates an ad hoc issue in the SAP GRC system with the input issue name,
description and reporter name.
More Information
Identifying, Creating, and Assigning Ad Hoc Issues [page 385]
SAP Process Control

8 Archiving in SAP Process Control
You can use transaction AOBJ to create archiving objects. You can specify archiving objects for preprocessing,
writing, and deleting activities. For more information, see Customizing for SAP NetWeaver under Application
Server System Administration Data Archiving Archiving Object-Specific Customizing . Archiving for SAP
Process Control is carried out with the help of archiving objects.
The following table shows the available GRC archiving objects for SAP Process Control:
GRC ILM-Enabled Archiving Objects
Archiving Objects Description ILM Object Condition field Reference field
GRFNPLAN Archiving for GRC GRFN_PLAN_DE TASK COMPLETION_DATE

Planner and Planner STRUCTION
Monitor
For further information, see the section Data Protection: Process Control and Risk Management in the Security
Guide for SAP Process Control at: https://help.sap.com/pc
You can also extend these standard archiving objects to suit your own business requirements. You can specify
the database tables from which the system archives the information for the archiving object.
You can use transaction SARA to schedule when the system executes the preprocessing, writing, and deleting
activities for an archiving object. For more information, see SAP Easy Access Tools Administration
SARA - Data Archiving . You can use the following features in transaction SARA:
● Preprocessing
We provide each business object with separate selection criteria to identify the instances of the business
object that are ready for archiving. We provide each query with the same logic. The query selects the
instances that are ready and calls the CHECK_ARCHIVABILITY action. The action checks the residence
period and sets the archiving status to Archiving in Process. The action only runs across the relevant
business object.
You can control the memory used during archive preprocessing by specifying the package size, and
describing the number of documents being processed together in one SAP Logical Unit of Work (SAP
LUW) . Before the next package is selected and processed, allocated memory is released to keep the
memory consumption for the preprocessing batch job constant.
● Writing
The system selects all instances of a business object that have the archiving status Archiving in Process. It
copies the instances into the archive. You can control the memory used during writing in the same way as
for preprocessing.
● Deleting
The system deletes all records that are archived from the registered database tables.
● Deleting from Archive
All SAP Process Control archiving objects are ILM-enabled. For more information about SAP Information
Lifecycle Management (SAP ILM), seehttp://help.sap.com/erpInformation published on SAP site SAP
SAP Process Control

Archiving in SAP Process Control PUBLIC 529
ERP Cross-Application Functions Cross-Application Components SAP Information Lifecycle
Management .
You can load archived documents into the standard SAP Process Control screens. The system uses only the
display mode for these archived documents. We provide each business object in SAP Process Control with the
following settings:
● Individual archiving object

● Archiving status: Statuses include Not Archived, Archiving in Process, and Archived.
● CHECK_ARCHIVABILITY action
● Programs for each of the preprocessing, write, and delete steps
● Individual query to select business objects for the preprocessing step
● POWL for archived documents
Features
Why Archive?
Archiving data from the production database makes the production database faster as it is carrying less
unproductive data. Searching archived documents is possible via the provided POWLs for archived documents.
From there it is possible to open archived documents in the standard SAP NFE UIs in display mode, as if they
were in the production database.
Archiving Dependent Objects
The system archives charge information, address information, or information from texts or attachments when
you archive a business object. It also archives other objects that are used in business objects for tendering. It
does not archive master data objects in general (with the exception of business partner master).
Index Criteria
You can specify database indexes to enable a query to search for data records efficiently. Ideally, you should
have no more than 8 indexes defined for a database table; otherwise the performance of the query decreases.
The database indexes in SAP NFE improve the performance of active business queries, and not archiving
queries. For example, you usually do not search the database table for a product ID in forwarding order items
for business reasons. For this reason, we do not provide database indexes for archiving. The system in general
performs a full table scan during preprocessing.
More Information
For more information about the Archive Information System, see SAP Library for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/nw . Under Application Help for Function-Oriented View, open SAP Library and
choose Solution Life Cycle Management Data Archiving Data Archiving in the ABAP Application System
Data Archiving with Archive Development Kit (ADK) Archive Information System .
For more information about tables and archiving objects, see SAP Library for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/nw . Under Application Help for Function-Oriented View, open SAP Library and
SAP Process Control

530 PUBLIC Archiving in SAP Process Control
choose Solution Life Cycle Management Data Archiving Data Archiving in the ABAP Application System
Data Archiving with Archive Development Kit (ADK) Archive Administration Tables and Archiving Objects .
SAP Process Control

Archiving in SAP Process Control PUBLIC 531
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.
Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.
SAP Process Control

532 PUBLIC Important Disclaimers and Legal Information
SAP Process Control
Important Disclaimers and Legal Information PUBLIC 533
www.sap.com/contactsap
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.
Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.
THE BEST RUN

Process Control

Uploaded by

Copyright:

Available Formats

Process Control

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Process Control

Uploaded by

Copyright:

Available Formats

Administration Guide | PUBLIC

SAP Process Control

THE BEST RUN

1 Introduction to SAP Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 What's New in SAP Process Control 12.0 SP10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 What's New History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

SAP Process Control

6 Work Centers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

7 Enterprise Services in SAP Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

SAP Process Control

8 Archiving in SAP Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

SAP Process Control

Unified repository for compliance, control, and policy information

● Ensure cross-function standardization and drive consistency across your organization

Embedded controls to strengthen business processes

Improved compliance and control processes at optimal cost

SAP Process Control

Product Version 12.0 Support Package 10

Area SAP Process Control

Country Relevance Valid for all countries

New and Enhanced Features

SAP Process Control

What's New in SAP Process Control 12.0 SP09 [page 7]

3.1 What's New in SAP Process Control 12.0 SP09

Product Version 12.0 Support Package 09

Area SAP Process Control

Country Relevance Valid for all countries

New and Enhanced Features

Continuous Control Monitoring

SAP Process Control

3.2 What's New in SAP Process Control 12.0 SP08

Product Version 12.0 Support Package 08

Area SAP Process Control

Country Relevance Valid for all countries

New and Enhanced Features

SAP Process Control

Product Version 12.0 Support Package 07

Area SAP Process Control

Country Relevance Valid for all countries

New and Enhanced Features

3.4 What's New in SAP Process Control 12.0 SP06

Product Version 12.0 Support Package 06

Area SAP Process Control

Country Relevance Valid for all countries

SAP Process Control

3.5 What's New in SAP Process Control 12.0 SP05

Product Version 12.0 Support Package 05

Area SAP Process Control

Country Relevance Valid for all countries

New and Enhanced Features

SAP Process Control

3.6 What's New in SAP Process Control 12.0 SP04

Product Version 12.0 Support Package 04

Area SAP Process Control

Country Relevance Valid for all countries

New and Enhanced Features

SAP Process Control

3.7 What's New in SAP Process Control 12.0 SP03

Product Version 12.0 Support Package 03

Area SAP Process Control