By Annie Kennedy, Contributing Writer, SAPinsider
With more than 34,000 employees worldwide, clinical research conducted in more than 55 countries, and products marketed in 120 countries, pharmaceutical company Eli Lilly and Company (Lilly) needed an efficient way to monitor financial and operational activity in core ERP systems. To achieve this efficiency, Lilly leveraged SAP Process Control to automate the performance of business controls through continuous control monitoring (CCM). The company uses CCM to monitor configurations, master data, and transactions across several areas such as Finance, Supply Chain, HR, Security and IT while keeping all controls and related information in a single repository.
Emily Damson, SAP Security and Controls Architect at Lilly, shares how SAP Process Control continues to help Lilly standardize controls across global locations, automate control performance, and streamline issue resolution.
The Role of SAP Process Control in Lilly’s SAP Landscape
All of Lilly’s locations around the world – spanning 72 countries and three shared service centers – run on a single global instance of SAP. Lilly runs SAP ECC 6.0, and its additional SAP components use SAP Single Sign-On. From a governance, risk, and compliance (GRC) perspective, in addition to SAP Process Control, Lilly uses SAP Access Control integrated with SAP Identity Management for security end-user provisioning, firefighting, and segregation of duties (SoD) analysis.
Prior to using SAP Process Control, Lilly was using a primarily manual approach to track the company’s financial and operational activities and related controls, including control owners and business entities. To increase transparency and efficiency, Lilly now relies on the CCM, manual control performance, and financial control operation surveying functionalities provided by SAP Process Control.
Utilizing the CCM functionality within SAP Process Control in particular has saved Lilly’s process owners significant time. By creating a schedule of control performance to monitor for specific exceptions or deficiencies on a regular interval, the scheduled executions of these controls can be documented within SAP Process Control without necessitating user intervention. This documentation essentially becomes evidence of control performance for events such as audits or other control inquiries, with user interaction, evaluation, and correction only required when exceptions are identified.
Lilly realized that creating such a schedule of control performance to monitor processes within a target system would help the organization run more efficiently. According to Damson, applying CCM according to a specific process flow (Figure 1) enables the company to monitor activities in its core SAP ECC environment and 18 other SAP systems, as well as activity in its production and non-production systems – which include 200+ connectors from Lilly’s production GRC environment. Lilly can also monitor activity around Sarbanes–Oxley Act (SOX) regulations and compliance, SoD, and operational controls, as well as business process, master data, and configuration controls in its finance, supply chain, HR, security, and IT departments.
Figure 1 – Eli Lilly utilized this process flow to apply to its CCM
Increased Transparency for Global Process Owners
Perhaps most importantly, Lilly has used the foundational data provided by SAP Process Control to create geographic and functional area dashboards that give business owners global visibility into control performance, a necessary capability considering not all of the company’s sites contain the same businesses. These all-encompassing views into control status provide a single source of truth and eliminate the chance for different global interpretations, which ultimately helps streamline Lilly’s compliance process.
Control history dashboards are providing global process owners with a better understanding of how some of the controls are being executed over time or in different regions. In the past, no one really knew if projects were on time when reports were printed and filed, and not many people reviewed the results unless they were audited. Now, says Damson, SAP Process Control records those results and tracking deadlines, increasing visibility to help global process owners better understand and measure how the business is running as it relates to some of those controls. For greater company-wide assurance, Lilly also designed its process controls so that business rules are updated and tested in the development system before being moved into production to provide additional security for changes.
Automating Control Performance for Efficiency through Continuous Monitoring
Lilly uses CCM to monitor for issues in both SAP ECC and SAP Process Control, such as continuously monitoring for jobs in “error” status. To answer the question of whether SAP Process Control is still operating as expected, a daily “ping” is sent from the system, providing feedback such as whether emails are still being sent by the system properly, whether job steps are still processing, and identifying job steps in “error” status. These pings identify when a job step is released but not executed. In this case, the business rule would look for instances in which the job step status equaled “released” or “in process.”
In general, CCM should only monitor for deficiencies or exceptions, says Damson. Lilly has been able to take its reporting capabilities to the next level by using CCM reports, such as batch job failures, to create a control dashboard via generating the control monitoring history with a ratings report. The control dashboard can provide a view of the health of a control, Damson notes. If a CCM is run for 100 days, for example, and it identifies an issue one day out of the 100, Lilly considers the health of that control to be 99%, and the system takes a snapshot of that health marker. The scheduled monitoring creates an issue in process control when it finds a deficiency, which prompts workflows for the process control and control owners that is documented during the identified issue’s analysis and resolution stages.
As a helpful business rule, Lilly defines control expectations and control deficiencies to pare down the data collected in the source. Once you go through testing and are happy with the results from your business rule, says Damson, you can then link your business rule to your control and process control and create a schedule for your job to run on that control in defined frequency, at any interval of time you define. Under CCM, any value changes, master data errors, or other anomalies would be flagged and Lilly alerted. Processes such as order to cash, bill-to/ship-to, and free of charge orders were prime candidates for CCM at Lilly, says Damson, as were monitoring changes on authorization limits for purchase order approvals or changes in employees’ HR information.
With the reports Lilly is able to generate, says Damson, troubleshooting has become much more streamlined, saving time spent by improving processes. For example, Lilly created a work item status query which helps re-trigger workflows if needed based on information such as the user working on the item, as well as information on open and in-process items. The report is generated by a work item status query set in SAP Process Control, with results made available in SAP Business Client. Lilly’s reports allow control owners to obtain information much more easily than parsing through data in the risk and control matrix.
Overall, with automation and CCM, Lilly has better monitoring of core business processes with increased visibility into control performance and the ability to act quickly on exceptions. The organization has also benefitted from visibility into control data by creating dashboards and has reduced time spent resolving errors thanks to key troubleshooting reports.
Watch the full on-demand session presented by Eli Lilly’s SAP Security and Controls Architect Emily Damson during SAPinsider’s 2020 virtual event and learn how the company is using SAP Process CCM to monitor compliance, automate control performance and check for system issues.
MEET THE EXPERTS
Emily Damson is the SAP Security and Controls Architect at Eli Lilly and Company. She is responsible for the SAP GRC Process Control solution at Eli Lilly and Company, and works with a wide range of business partners to automate the performance of SOX, SOD or operational controls across our organizations, reduce manual effort and better identify potential issues within our SAP systems. She also has shared responsibility for the global governance and oversight of the SAP security as it relates to financial functions within Eli Lilly.