Tax risk & Control with SAP GRC
The SAP GRC portfolio lets organizations effectively manage their TAX Risk and control frameworks, processes, reporting and documentation across the entire organization.
Deloitte’s TAX control for SAP GRC builds upon core elements such as risk visibility, TAX Policy dissemination and sign-off, centralization of documentation, automated workflows and automation of controls, all enabled by SAP GRC Technology.
The solution can handle the entire TAX risk management process, from risk identification to risk assessment, responding to risks with control activities to real-time monitoring of current risk picture and compliance status.
- Risk identification and Assessment – enables processes for recording, assessing and responding to TAX related risks (Also benefits uncertainties). Owners for risks are identified and mapped ensuring ownership and accountability across the organization
- Documentation of end to end processes – SAP GRC lets you document your end-to-end processes, assign ownership as well as attach relevant documentation on processes, sub-process or activity level.
- Control activities – Assign Automated, Semi-automated or manual controls to address risks. Schedule control activities, perform & document controls and report on compliance status
- Monitoring and reporting – Real-time monitoring of current risk picture and exposure, status of controls and level of compliance. Effectively manage tasks, issues etc. through issue management functionality to always have the complete overview of overdue and non-completed issues and tasks
The SAP GRC solution lets you automate your control efforts in order to drive sustainable and
Cost-effective compliance by implementing and documenting automated tax checks that supports driving operational and process improvements.
Implementing Automated controls
A key driver of implementing SAP GRC for TAX Risk and Control is utilizing the technology for automating controls, moving towards more preventive rather than detective controls, managing exceptions based on defined and implemented business rules.
- Configuration controls - Controls that verifies specific application controls in SAP ECC, such as system configuration of workflows, VAT codes & calculation setup. This type of control monitors the values in SAP ERP on a continuous basis. Only when exceptions occur, manual intervention is required
- Change management controls – Controls that monitors changes to SAP ERP configuration – e.g. changes VAT determination setup, mandatory fields on invoices or even adding new VAT codes.
- Transactional or exception based controls - Controls that monitors specific transactions in SAP ECC. Often thresholds are used to focus the efforts on the real risks. E.g. Transactions above 1 million EUR without VAT code, Incorrect combination of G/L account and applied VAT codes, manually overwritten VAT codes and VAT amount etc. Only when exceptions occur, manual intervention is required.
- Semi-automated controls – Controls that are based on e.g. standard reports and one of the activities are to review the output of these reports. The SAP GRC system connects to the ERP system and extracts the report and then submits it in a workflow to the control performer, together with control activities to be performed.
E.g. for organizations running SAP ERP software, many controls are already implemented, however these have been taken credit for when doing the overall risk assessment of the processes. This also means that there could be a business behind automating many of the current control activities, which are performed today. See our article on forming a business case for SAP GRC.
Want to see or know more, schedule a demo session with your local TAX / GRC contact.