A woman examining documents with a magnifying glass

Follow the Money

Follow the Money

1

‎‎‎‎Follow the Money INTRO

Data analytics and continuous monitoring can help the business, and internal audit teams simplify and improve the internal control system and audit process. Continuous monitoring increases operational efficiencies, reduces costs, and helps detect potential fraud, errors, and abuse earlier - all while providing a higher-quality internal control system.

Continuous monitoring is increasingly becoming a way for organizations to create value. The use of data analytics tools and techniques is also helping to fundamentally transform and improve audit approaches. Consider the traditional audit approach, which is based on a cyclical process that involves manually identifying control objectives, assessing and testing controls, performing tests, and sampling only a small population to measure control effectiveness or operational performance.

Fast forward to a continuous auditing approach using repeatable and sustainable data analytics, and the approach becomes much more risk-based and comprehensive; audit at the speed of the business. With data analytics, organizations have the ability to review every transaction - not just a sampling - which enables a more efficient analysis on a larger scale.

2

‎‎‎‎Introducing remQ Solutions

remQ solutions offer a platform that enables business users (in finance, procurement, sales, and other lines of business), as well as compliance and audit teams, to automate and standardize the organization’s internal control system.

They can set up and run automated controls in SAP ERP and S/4HANA systems, work together on identified issues using the case management system, review findings, and provide proof of an effective internal control system to auditors.

Internal controls reduced costs

remQ facilitates the continuous, automated monitoring of data and processes to ensure controls in your SAP ERP or S/4HANA system are operating effectively and to identify weaknesses or potential control deficiencies on a timely basis. In particular, you can identify suspect master data or transactions in your SAP system and prevent errors and fraud. 

remQ provides monitoring controls for transactions, master data and configuration. Standard controls are delivered for the following processes/areas:

  • Procure to Pay (P2P)
  • Order to Cash (O2C)
  • Inventory (INV)
  • Accounting/GL(GL)
  • Asset Accounting (FIAA)
  • Human Resources and Payroll (HR)

3

‎‎‎‎The business case for automation and standardization

It is easy to see why automation greatly improves the internal control system while at the same time reducing the costs:

  • Automated checks can be conducted in (near) real-time and for all transactions, unlike after-the-fact manual audits. This means organizations have a chance to stop fraud and errors while they happen, reducing losses and costs.
  • While automated controls can handle all business transactions and check all data available, manual work often is limited to subsets of data (both in scope and time); i.e. automation can increase the number of detected cases.
  • Automated checks are cheaper than manual audit work – they reduce the time staff has to spend on performing data analytics, and they can focus on solving real issues; furthermore, how to properly conduct analysis sometimes is not clear, we have seen internal controls that are described as for instance “check for irregularities”, but without a clear definition what that means, leaving the employee responsible a little bit in the dark about how to conduct the control. Also, an employee overlooking an issue (a false-negative event), could be held accountable, while the real problem is that the organization does not provide its staff with suitable tools and technology.
  • Automation takes away routine workload from auditors and experts so they can focus on new topics.

Clock, calendar and various adjusting screws

Problems implementing a continuous audit/monitoring approach are availability and quality of data, handling the data (export, transformation, load into analytics tool), effectively leveraging data analytics and applying it, handling exceptions and false positives, implementing an efficient workflow to manage cases, and others. remQ is an add-on for your SAP system, it can access all data in the system, but no data leaves the system: all your SAP security mechanism is at work, and the data is protected against manipulation or data loss.

BROCHURE – the benefits of our products!

remQ - Stop losing your money to fraud!

remQ is a continuous monitoring software for SAP ERP and S/4HANA, with a large library of built-in controls that help check master data and business processes to avoid financial losses through errors and fraud. remQ can be set up in less than a day, works regardless of organization size and industry, requires no consulting project, and reduces the cost of compliance through automation.

Tablet showing the cover page of the document

4

‎‎‎‎remQ - Follow the Money Compliance

remQ - Follow the Money Compliance is an innovative solution that enables automated, continuous control of master data and business transactions in SAP ERP and S/4HANA. The software scans the data and applies remQ-delivered or custom defined controls.

Here are a few examples of areas that are covered by the controls that are part of the remQ - Follow the Money Compliance module: 

  • Revenue: debtor master data, payment terms, credit limits and memo, discounts, optional: KYC checks/sanctions list screening
  • Accounting: analysis of GL postings, recurring postings, use of unusual transaction codes, use of debug/replace. 
  • Procurement: vendor master data, invoices and payments, CpD payments, payment terms, and process violations. 
  • Inventory/Assets: master data checks, movements, retirements/scrapping, and price changes. 

Suspicious transactions and data get flagged and an alert is created. Users (from lines of business, controlling, compliance and audit teams) can access the alerts in their remQ in a box together with relevant background information. Based on the users’ authorizations they get an overview of open alerts as well as details for each alert. They can update the alert and add comments and information directly to the application. Finally, the alert is accepted or rejected, depending on the result of the investigation. All alert and case data is archived for reporting and review.

Screenshot of remQ Alert Monitor

remQ also can be set up to immediately stop a transaction that looks suspicious: financial documents or business partners can be blocked, giving enough time to experts to look into the issue and resolve it.

Screenshot of remQ Administration Console

5

‎‎‎‎Access Violations Management

One important application is setting up controls for Access Violation Management: the SAP authorization concept is an important piece in the SAP security concept. But access to critical functions (e.g. maintaining bank data of vendors), or critical combinations of functions (e.g. maintaining vendor master data, and starting payment runs), are unavoidable, and mitigating the residual risks is crucial: thus, monitoring access with remQ reduces risks and audit findings by implementing a digital 4-eyes principal.

Screenshot of remQ Access Violation Management Setup

SAP authorization teams try to limit access to critical functions (single actions), or critical combinations of functions (segragation-of-duties, SoD) authorizations are preventive controls: they limit what users can do.

But usually, residual risks remain: all organizations have single action risks, and cannot cover all SODs requirements through 4 eyes. remQ Access Violation management introduces a digital 4-eyes principle to mitigate the risks through advanced DID DO monitoring.

 

Access violations and monitoring can be defined on different levels:

Level 1: Authorizations. can do-analysis is performed based on the SAP authorizations assigned to users. Typically many results.

Level 2: Transaction codes started. The lowest level for DID DO-analysis, analysis on basis of transactions users started. This often does not take into account whether a user only displayed data or entered/changed data. Fewer results than level 1.

Level 3: Simple analysis of change logs/change documents. Getting a list of users who changed a certain document type and also changed another document type (e.g.combine analysis of changes to vendor master data and incoming invoices). Fewer results than level 2.

Level 4: Advanced DID DO-analysis for connected documents. This analysis takes into account whether the documents changed b the same user also are connected in the same business process. For example, changes to vendor master data and incoming invoices must be for the same vendor, not just vendor A and invoice from vendor B. Most specific results, only real-risk transaction are detected.

 

remQ Access Violation Management investigates SOD violations on level 4, giving you the most accurate assessment of risk and the lowest possible false positive rate.

It also is a great mitigating control for residual access risks known in your access control tool such as SAP GRC Access Control or setQ.

BROCHURE – the benefits of our products!

remQ - Turn compliance into a cost saver!

Organizations are increasingly exposed to compliance requirements. Adopting innovative ways to assess and manage risk and enhance performance is critical. That’s where data analytics and continuous monitoring are helping to simplify and improve the internal control system, increase operational efficiencies, reduce costs, and detect fraud and errors earlier. Internal controls become a way for organizations to create value.

Tablet showing the cover page of the document

6

‎‎‎‎remQ - Payroll Compliance add-on module

The remQ - Payroll Compliance module is an add-on for the remQ - Follow the Money Compliance module: It adds controls to HR and payroll, focusing on employee master data and payroll. 

Examples of use cases: master data, pay changes, hiring dates, unusual transactions, and detecting ghost employees. 

remQ - Payroll Compliance seamlessly plugs into the platform and users can add new checks, and use all the case management and reporting features. 

remQ - Payroll Compliance is an add-on module and needs to be licensed separately.

7

‎‎‎‎remQ and SAP GRC solutions

Access risks such as in the SAP GRC Access Control SOD matrix can be avoided in some cases by changing SAP authorization roles, or assigning different roles to users when re-organizing work and processes. But in many cases, organizations cannot avoid granting high-risk combinations of authorizations to users, simply because there are not enough users. In that case, you find residual risks in SAP GRC Access Control and you accept them.

remQ Access Violation Management allows you to set up controls for residual risks that you have in SAP GRC, and monitor all activities related to them. You then can review activities and have compensating control for those risks.

Other business/transactional risks can also be mitigated by automated continuous monitoring, with the option to add auto-reaction methods (such as blocking a vendor or an invoice, for instance). Like this remQ covers IT and business risks and delivers actionable alerts.

Organizations that use SAP GRC Process Controls can integrate remQ with a simple to set-up SAP QUERY and assign remQ transaction monitoring alerts to SAP GRC PC risks and risk owners via the risk-control-matrix, making use of a type of remQ control, organizational unit/company code, etc.

Integration with SAP GRC tools and remQ Access Violation Management and transaction monitoring close the gap between SAP GRC Access Control and SAP GRC Process Control.

8

‎‎‎‎Return on Investment, Total Cost of Ownership

remQ - Follow the Money Compliance helps to prevent errors and fraud in critical business processes. It also helps to identify weak processes, such as data quality issues for important master data.

remQ’s license model is based on the size of the organization. We also offer a trial: setting up the software in your SAP ERP test system and results are available within 1 day.

Beyond direct financial returns, remQ helps detect weaknesses in processes and improve business processes and the internal control system.

WE ARE HERE FOR YOU

Businessman with a floating clock, calendar, chart and gears

It's all about good communication.

Whether you are already a customer, would like to become one, have a technical question, would like to work with us, or are interested in an investment: we are here for you!

Technical support:

We’ll help you out. Get connected with our support team at supq(at)voquzlabs.com or call us directly at one of the numbers below.

- American Customers: +19176364290
- All other regions: +4989925191260