CROSS-FUNCTION · RISK, COMPLIANCE & CONTROLS

Compliance Monitoring & Controls Hub

Sapnity implemented a governed Compliance Monitoring & Controls Hub on Power Platform that consolidates SAP/D365 logs, access changes, control tests and evidence into a single, audit-ready cockpit — moving the client away from spreadsheet-based control tracking and reactive remediation.

Core Platforms: Power Apps, Power Automate, Dataverse, Power BI, SAP / D365 Connectors, Azure AD Logs · Region: Global shared services · Complexity: High
SOX & Internal Controls · SAP / D365 Monitoring · Exception Management · Audit Readiness

1. Business Problem — Controls Buried in Spreadsheets

The client’s SAP and D365 systems already produced rich security and transaction logs — but day-to-day compliance work still lived in Excel, email and SharePoint folders.

  • SOX & internal control matrices maintained as static spreadsheets per region.
  • Access reviews triggered by email, with responses scattered across attachments.
  • Sensitive journals and configuration changes checked manually before audits.
  • Issues discovered late by Internal Audit instead of through continuous monitoring.

In steering committee language, the CFO summarized it as: “We are paying for enterprise systems but running compliance like a side-car.”

2. Sapnity’s Mandate

Design and stand up a Compliance Monitoring & Controls Hub that would:

  • Bring SAP/D365 logs, access changes and control tests into one place.
  • Shift from point-in-time testing to continuous, exception-based monitoring.
  • Give Finance, IT and Internal Audit a shared, trusted view of control health.
  • Produce audit-ready evidence with full lineage from event → control → remediation.
  • Be governed, not fragile — using Power Platform with clear environment strategy.

3. Before — Fragmented Compliance Landscape

Before Sapnity, the compliance story was not a single system — it was a patchwork of tools and habits. Each team had its own “truth” for controls:

  • Finance tracked key controls in regional Excel files.
  • IT relied on security logs and ad-hoc SQL extracts.
  • Internal Audit maintained its own issue tracker and evidence folders.
  • No one could see end-to-end: event → control test → remediation → re-test.

BEFORE — FRAGMENTED COMPLIANCE SYSTEMS

  • SAP Security Logs: Basis team exports ad-hoc lists of role & access changes.
  • D365 Finance Journals: Finance manually samples journals for review before quarter-close.
  • Azure AD & SSO: Joiner–Mover–Leaver events monitored via separate dashboards.
  • Control Tracker Excel: Key controls, owners and due dates maintained per region in files.
  • Email & Chat Approvals: Evidence of reviews buried in email threads and chat screenshots.
  • Internal Audit Folders: Issues and remediation tracked in network folders and PDFs.

Every quarter, teams manually stitched these islands together for SOX and internal audit — consuming weeks that should have gone into prevention and design.

4. After — Sapnity Compliance Monitoring Hub

Sapnity replaced the patchwork with a single Compliance Monitoring Hub. Instead of each team maintaining its own spreadsheet, everyone now works off the same architecture pattern:

COMPLIANCE MONITORING PATTERN

  • Business & IT Control Owners: Finance controllers, IT security, process owners and Internal Audit reviewers.
  • Controls & Issues App: Model-driven Power App to manage controls, tests, exceptions and remediation tasks.
  • Monitoring Rules Engine: Power Automate flows and rule tables watching logs, journals and access events.
  • Dataverse Controls Model: Unified model for controls, evidence, exceptions, owners and testing history.
  • SAP / D365 & Identity Connectors: Event streams for journals, config changes, role changes, and JML activities.
  • Power BI Compliance Cockpit: Real-time view of control health, overdue actions and high-risk exceptions by entity.

With this pattern, new controls are now modeled as configuration — not as new spreadsheets — and re-used across geographies and business units.

5. Implementation Story

Phase 1 — Risk & Controls Blueprint

  • Catalogued existing SOX and internal controls across 4 regions and 3 ERPs.
  • Grouped controls into patterns: access reviews, journals, configuration and reconciliations.
  • Defined which signals would come from SAP, D365, Azure AD, ticketing and manual attestations.

Phase 2 — Controls & Exceptions Model

  • Designed Dataverse tables for controls, tests, exceptions, remediation actions and evidence.
  • Introduced a global taxonomy: process area, assertion, risk rating, entity and owner.
  • Configured row-level security to keep legal entities and regions segregated as needed.

Phase 3 — Monitoring Rules & Flows

  • Built Power Automate flows that translate events into exceptions (e.g. conflicting roles, late journals).
  • Established risk-based SLAs and escalations to control owners and Internal Audit.
  • Ensured every exception must link to remediation and re-test before closure.

Phase 4 — Integration with SAP / D365 / Azure AD

  • Connected SAP and D365 to feed journals, configuration changes and high-risk transactions.
  • Ingested Azure AD JML events to track timely deprovisioning and role changes.
  • Aligned ticketing system (e.g. ServiceNow/JSM) incident types to exceptions for full traceability.

Phase 5 — Rollout, Governance and Scaling

  • Rolled out initially to two SOX entities, then scaled to additional countries.
  • Set up Dev / Test / Prod with managed solutions and automated deployments.
  • Trained a small “controls product owner” group to maintain rules without code changes.

6. Technical Architecture — Layered View

  • Experience Layer: Power Apps for control owners, testers and Internal Audit; Teams-based approvals for exceptions.
  • Workflow & Rules Layer: Power Automate flows orchestrating SLAs, escalations, and mapping raw events to exceptions.
  • Data & Evidence Layer: Dataverse controls model with full audit trail, comments, attachments and ownership history.
  • Integration Layer: SAP & D365 connectors, Azure AD logs, ticketing APIs and file-based feeds where needed.
  • Analytics & Reporting Layer: Power BI datasets with drill-down from entity → process → control → exception → remediation.
  • Security & Governance: Environment strategy, row-level security, DLP policies and ALM pipelines across Dev/Test/Prod.

7. Outcomes & KPIs

| KPI | Before | After Sapnity |
| --- | --- | --- |
| Quarter-end control evidence collation | 3–4 weeks of cross-team follow-ups | 3–5 days with central, live evidence |
| High-risk access exceptions detected pre-audit | Sporadic, mostly via manual review | >90% surfaced via continuous monitoring |
| Number of control trackers & local Excel files | > 40 regional files | One governed model with entity views |
| Internal Audit rework on recurring issues | Common across consecutive audits | ~50% reduction in repeat findings |
| Time to onboard a new SOX entity | Months of design and templates | 4–6 weeks using reusable patterns |

8. Sapnity Differentiators

  • Pattern-first compliance design: We delivered a reusable monitoring pattern, not just a one-off dashboard.
  • Deep SAP/D365 + identity integration: Controls are wired directly into where risk is created — systems and roles.
  • Audit-grade Dataverse model: Built for traceability, evidence and clear ownership across entities.
  • Exception-first mindset: Focus moves from blanket testing to targeted remediation of what actually went wrong.
  • Governed low-code foundation: Clear environment strategy, ALM and DLP so compliance can scale safely with Power Platform.

For this client, Sapnity turned compliance from a quarter-end scramble into a continuous, shared service that Finance, IT and Internal Audit all trust.