Auditing SAP - A Proactive Approach

February 19th, 2010

© 2010 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

Source: isacala.org/doc/10Nov09_Auditing_SAP_A_Proactive_Approach.pdf


Protiviti Introductions

• Steve Cabello, Managing Director: over 20 years of Internal Audit and SAP project experience
• Kevin Erlandson, Associate Director: over 15 years of Industry, Implementation and SAP audit experience


Tonight's Agenda

• Defining the SAP Risk Universe
• Key SAP Risks and Internal Audit Focus Areas
  – SAP Security
  – SAP Business Processes and Configurable Controls
  – SAP Transaction Processing and Analytics
• Audit Considerations
• Questions


Who is Protiviti?

We bring a unique blend of knowledge and experience to the table which combines the focus, dedication and independence of a specialist firm with the methodologies & tools, global presence, and deep skill-sets of the Big 4 or larger consulting firm.

Who we are
• The leading provider of completely independent risk consulting and internal audit services
• 35% of the Fortune 100 are our clients
• Over 2,500 experienced professionals in over 63 offices worldwide
• Protiviti is a wholly owned subsidiary of RHI

What we do
• Consulting: Finance Process Transformation, CIO Solutions, Business Operations, Governance Risk & Compliance, Financial Risk Strategy Management, Enterprise Application Solutions, Enterprise Information Management
• Internal Audit: Internal Audit Start-Up, Co-Sourcing, Outsourcing, Internal Audit Transformation, Risk Assessment, Sarbanes-Oxley Compliance

What makes us different
• Boutique: responsive client service; lack of SEC restrictions; independent from attest & tax services; better teaming with external auditors; focus on core offerings
• Big Four: methodologies & tools; experienced professionals; depth of risk consulting services; financial & management stability; recognized global presence
• Protiviti combines the strengths of the large consulting companies and independent alternatives…without compromise


Our Enterprise Application Solutions Group

Protiviti's Enterprise Application Solutions are relevant whether an organization is implementing SAP for the first time or trying to improve their current installation. Our team includes professionals with years of application implementation, assessment and improvement experience who utilize our powerful methodologies and tools to help clients effectively leverage their enterprise applications into holistic, integrated compliance and risk management solutions.

We help our clients with (pre-implementation, post-implementation, and managing risk):

• Application Security and Segregation of Duties – evaluate and design effective user roles and segregation of duty (SoD) frameworks, security administration processes and global security parameters.
• Automated Application Controls Design and Enhancement – evaluate and optimize the operating effectiveness of key application configurations and features used to support internal control and other compliance efforts while reducing reliance on inefficient manual control techniques.
• Implementation Project Risk Management – align project delivery with internal control and compliance objectives for application implementations or upgrades and provide an independent perspective through assessment, monitoring and reporting of project risks throughout the project lifecycle.
• ERP Audits – improve the quality and efficiency of application audits and assessments by utilizing specialized knowledge, experience and tools to manage the unique complexities of application control documentation and testing.
• ERP Selections – Protiviti's team combines management skills, knowledge of the ERP landscape, in-depth knowledge of business processes, experience with ERP systems implementations and a unique perspective on compliance and risk management. We help companies select the "best fit" solution and create a pragmatic implementation road map and process.
• GRC Software Implementation – select, plan and integrate powerful software tools and supporting processes that improve internal control and compliance capabilities.


Defining the SAP Risk Universe


SAP Risk Universe – the Big Picture

There are many risks in the context of ERP / SAP environments:

General IT Risks
• Application Interface Controls
• IT Infrastructure Controls
• Change Management
• Security Administration
• Backup and Recovery

Other Project / Implementation Risks
• Project Risks
• Transaction and Master Data Conversion
• Testing and Training Strategy
• Go/No Go Decision Criteria
• Post Go-Live Support Requirements

* SAP Security Risks
• Security Standards
• Segregation of Duties and Sensitive Access
• Powerful Users Access Management
• User and Role Provisioning Process

* SAP Business Process and Transactional Data Risks
• Configurable Application Controls
• Detective / Monitoring Controls / Reports
• Procedural Business Process Controls
• SOX Controls (compliance purposes)

* Continuous monitoring applications and processes
• Control Documentation Update, Compliance and Risk Management Optimization and GRC Software Configuration

Governance context shown on the slide: Steering Committee, Board of Directors, Compliance (Regulatory Requirements), External / Internal Audit, GRC and ERM framework.


SAP Risks and Implementation / Lifecycle Stages

Each SAP implementation phase or project brings new challenges and risks to your control environment. Risks will vary according to the state of your SAP environment. Where are you now?

Net New
• Implementing SAP for the first time
• Replacing legacy systems
• Developing new interfaces and implementing new processes

Rollout
• Applying SAP template/model to different locations or business processes or outsourcing entities

Upgrade (Technical / Functional)
• Re-engineering SAP processes and/or configuration
• Consolidating SAP instances

Maintenance
• Live with SAP for some time; focus is maintenance
• May upgrade in the future

Each of the above project stages will bring compliance risks around


Risk Area 1: SAP Security


Key Concepts: ECC Security

• SAP security restricts users from performing functions. Security must grant authorizations to a user before he / she is able to execute transactions. This is known as the authorization concept.
• SAP security is so complex because of the need to limit access to different components like company codes, plants, particular customer or vendor accounts, payroll information, pricing, rebates, etc.
• SAP security is client-specific.
• The architecture of the authorization system is built upon the use of several components:
  – Roles
  – Profiles
  – Authorizations
  – Objects
  – Fields

Diagram (Business View → SAP ECC View): Employee maps to User ID; Job Description maps to Roles / Profiles; Job Functions map to Authorizations, which are made up of Objects, Transactions and Fields.


ECC Security: Roles / Profiles

• Roles are the commonly used security building blocks, and usually unique to each organization.
• Roles typically resemble a job description of an organization, such as sales representative, accountant, warehouse staff, etc.
• Roles may be structured as simple roles or composite roles.
  – Simple roles are typically used for one business process – e.g., Manage Posting Periods.
  – Composite roles are a combination of simple roles – e.g., G/L Supervisor.


ECC Security: Authorizations

• Authorizations are specific permissions. Authorizations can be used to:
  – Restrict access to a specific transaction code.
  – Restrict access to create, change, display documents in a particular company code.
• SAP automatically queries all access assigned to a user and populates a system table with all of the provided authorizations.
• When a user attempts to execute a transaction, the system searches for an authorization in this table that satisfies required criteria. If the system cannot find this authorization, then the user's access to this function is denied.


ECC Security: Objects and Fields

Objects:
• Authorizations in profiles are defined based on Authorization Objects.
• An authorization object groups together authorization fields in an AND relationship in order to check whether a user is allowed to perform a certain action.
• To pass an authorization test for an object, the user must satisfy the authorization check for each field in the object.
• Example: M_BANF_EKG is the Purchasing Group in Purchase Requisition object.

Fields:
• Fields determine the type of permissible activity such as Create, Change, Display, etc.
• They also define levels of access such as company code, plant, division, etc.
• Example: When the value for field ACTVT equals 01 (for the object M_BANF_EKG), authorization to Create or Generate the PR has been granted.


ECC Security: Transactions

• A transaction (transaction code, or t-code) is a command that directs the system to a function. Every possible function is represented by a transaction code.
• A t-code may contain only letters, such as SPRO (IMG), or a combination of letters & numbers, such as ME51N (Create Purchase Requisition).
• In SAP, you may use transaction codes as an alternative or shortcut to using the navigation path to get to a system task.
• For example, instead of following the navigation path Logistics -> Materials Management -> Purchasing -> Requisitions -> Create a Requisition from the SAP Menu to create a new PR, the user can type ME51N into the Command field. In either case, the "Create: Purchase Requisition: Initial Screen" is displayed.


User Access Concepts – Detailed level

Scenario: User executes transaction FB50 (Post GL Entry)

Step 1. SAP checks for access rights to authorization object S_TCODE:
  S_TCODE: T-CODE = FB50

Step 2. SAP checks for access rights to authorization restrictions:
  F_BKPF_BUK (Company code) = 1000
  + F_BKPF_BUP (Posting period) = 01
  + F_BKPF_GSB (Business area) = 003
  + F_BKPF_KOA (Account type) = K

NOTE: there are thousands of authorization object combinations in SAP.

Result: If the user's roles have been set up to provide access, the user will be able to successfully post an accounting document via transaction code FB50.


How SAP Access Exposures Arise

In the context of Information Systems, there are 2 types of common access exposures that arise:

1. From a role defined with excessive or conflicting privileges: conflicting privileges introduce risk when assigned to a user through a single role (User → Auth. Object → Privilege A + Privilege B).

2. From multiple roles assigned to a user such that the cumulative privileges are excessive or conflicting: conflicting privileges introduce risk when assigned to a user through multiple roles (User → Auth. Object → Privilege A, and User → Auth. Object → Privilege B).


Security Exposures – common problem uncommonly found

By default, SAP grants the highest amount of authorizations assigned to a user.

For instance: A user has these two roles assigned:
• MANAGER_UK: allows users to post documents to UK companies
• CLERK_US: allows user to post outgoing payments in US companies.

This is not necessarily an SOD violation, but when the 'company code' authorization object is assigned to both roles, the user will get access to company codes in the UK and the US.

Role:          MANAGER_UK                     + CLERK_US
T-code:        FB50 (Post GL)                   F-53 (Post payment)
Auth Obj:      F_BKPF_BUK (Comp. Code)          F_BKPF_BUK (Comp. Code)
Field/Value:   01 (Create), BUKRS (not set)     01 (Create), BUKRS (not set)
= Access to UK and US GL Posting and Payments
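A toy model of the two-step check walked through on the FB50 slide (S_TCODE first, then the F_BKPF_* restriction objects, AND across the fields of one object, OR across every authorization in the user's buffer) and of the cross-role accumulation shown above. This is an added example, not Protiviti's or SAP's code; the role names GL_POST_1000, MANAGER_UK and CLERK_US, the company codes GB01 and US01, the SOD rule, and the standard field names TCD, BUKRS, BRGRU, GSBER and KOART are assumptions (the slides show only the values).

```python
"""Toy model of the ECC authorization check and of cross-role accumulation.
Added example, not Protiviti's or SAP's code; roles, company codes and the
SOD rule are constructed for illustration."""

# Field names are those of the standard SAP objects (assumed; the slides show
# only the values).  "*" in a field means any value is allowed.
WIDE_OPEN = [  # posting period / business area / account type unrestricted
    {"object": "F_BKPF_BUP", "fields": {"ACTVT": {"*"}, "BRGRU": {"*"}}},
    {"object": "F_BKPF_GSB", "fields": {"ACTVT": {"*"}, "GSBER": {"*"}}},
    {"object": "F_BKPF_KOA", "fields": {"ACTVT": {"*"}, "KOART": {"*"}}},
]
ROLES = {
    # Constructed role for the slide's FB50 scenario (company code 1000).
    "GL_POST_1000": [
        {"object": "S_TCODE", "fields": {"TCD": {"FB50"}}},
        {"object": "F_BKPF_BUK", "fields": {"ACTVT": {"01"}, "BUKRS": {"1000"}}},
        {"object": "F_BKPF_BUP", "fields": {"ACTVT": {"01"}, "BRGRU": {"01"}}},
        {"object": "F_BKPF_GSB", "fields": {"ACTVT": {"01"}, "GSBER": {"003"}}},
        {"object": "F_BKPF_KOA", "fields": {"ACTVT": {"01"}, "KOART": {"K"}}},
    ],
    # The slide's two-role example, each restricted to its own company code.
    "MANAGER_UK": [
        {"object": "S_TCODE", "fields": {"TCD": {"FB50"}}},
        {"object": "F_BKPF_BUK", "fields": {"ACTVT": {"01"}, "BUKRS": {"GB01"}}},
    ] + WIDE_OPEN,
    "CLERK_US": [
        {"object": "S_TCODE", "fields": {"TCD": {"F-53"}}},
        {"object": "F_BKPF_BUK", "fields": {"ACTVT": {"01"}, "BUKRS": {"US01"}}},
    ] + WIDE_OPEN,
}

def posting_checks(bukrs):
    """Objects a posting transaction checks after S_TCODE (Step 2).  Simplified
    to the four objects the slide lists; F-53 is modelled like FB50 here."""
    return [
        ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": bukrs}),
        ("F_BKPF_BUP", {"ACTVT": "01", "BRGRU": "01"}),
        ("F_BKPF_GSB", {"ACTVT": "01", "GSBER": "003"}),
        ("F_BKPF_KOA", {"ACTVT": "01", "KOART": "K"}),
    ]

def field_ok(allowed, value):
    return "*" in allowed or value in allowed

def auth_satisfies(auth, obj, required):
    """AND within an object: every required field must be covered."""
    return auth["object"] == obj and all(
        field_ok(auth["fields"].get(field, set()), value)
        for field, value in required.items())

def user_buffer(role_names):
    """SAP flattens all of a user's roles into one table of authorizations."""
    return [auth for name in role_names for auth in ROLES[name]]

def has_authorization(buffer, obj, required):
    """OR across the buffer: one satisfying authorization is enough,
    whichever role it came from."""
    return any(auth_satisfies(auth, obj, required) for auth in buffer)

def can_post(role_names, tcode, bukrs):
    """Step 1: S_TCODE must allow the t-code.  Step 2: every restriction
    object must pass.  Any failure means the function is denied."""
    buffer = user_buffer(role_names)
    if not has_authorization(buffer, "S_TCODE", {"TCD": tcode}):
        return False
    return all(has_authorization(buffer, obj, req) for obj, req in posting_checks(bukrs))

SOD_RULE = ("FB50", "F-53")  # constructed rule: post GL entry + post payment

def sod_conflicts(role_names, company_codes):
    """Company codes in which this set of roles can do both sides of SOD_RULE.
    One role = role-level test; all of a user's roles = user-level test."""
    return sorted(cc for cc in company_codes
                  if all(can_post(role_names, t, cc) for t in SOD_RULE))

if __name__ == "__main__":
    print(can_post(["GL_POST_1000"], "FB50", "1000"))            # True
    print(can_post(["GL_POST_1000"], "FB50", "2000"))            # False: BUKRS fails
    print(can_post(["MANAGER_UK"], "FB50", "US01"))              # False on its own
    print(can_post(["MANAGER_UK", "CLERK_US"], "FB50", "US01"))  # True: BUKRS from CLERK_US
    print(sod_conflicts(["MANAGER_UK"], ["GB01", "US01"]))       # [] at role level
    print(sod_conflicts(["MANAGER_UK", "CLERK_US"], ["GB01", "US01"]))  # ['GB01', 'US01']
```

The last two calls are the point of the slide: each role passes a role-level SOD test on its own, and only the user-level test over the combined buffer shows both company codes exposed.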


Complexity of SAP Security

Diagram of the chain Transaction → Object → Single Role → Derived Role → Composite Role → User:
• Transactions: FB05, MB1A, F-29, MB21, MB01
• Objects: F_BKPF_GSB, F_BKPF_BUP, M_MSEG_BWA, M_MSEG_LGO, S_TCODE, M_MSEG_BWE, F_BKPF_BUK, M_MRES_BWA, F_BKPF_KOA
• Single roles: S1, S2, S3, S4, S5
• Composite roles: C1, C2, C3


Key Risks in Your SAP Security Environment

Security risks may vary depending on your company's implementation / lifecycle stage, organizational complexity, security design, the tools you use and the steps you take to assess security risks. The most common SAP Security risks our clients face are (the slide maps each risk against the Net New, Rollout, Upgrade and Maintenance stages):

1. Creating / Assigning roles with excessive/too little access
2. Creating / Assigning conflicting roles
3. Not testing security exposures prior to migrating roles to PRD or assigning roles to users
4. Deviating from security standards
5. Generating SOD conflicts across applications
6. Monitoring tool not capturing real violations or false positive reporting
7. Incomplete implementation of monitoring tool: configuration, integration with provisioning process
8. Inadequate mitigating controls
9. Lack of super user monitoring
10. Inadequate/inefficient user access provisioning process


What You Can Do to Proactively Mitigate Security Risks

Control focus areas by lifecycle stage:

Net New
• Provide input to security standards
• Review/signoff on role design
• Educate security and process teams around controls
• Test SOD conflicts prior to go-live and during integrated testing rounds (at role, position and user level) and provide remediation feedback
• Flag roles with sensitive access to minimize assignment
• Provide input on security monitoring tool implementation

Rollout
• Review/signoff on role design and assignment
• Test SOD and SA during rollout to confirm adherence with compliance standards
• Help identify and assign mitigating controls
• Help confirm end users are executing assigned mitigating controls
• Help confirm that security monitoring tools are used properly – procedures, roles and responsibilities are defined

Upgrade
• Review/signoff on role design and assignment
• Test SOD and SA during upgrade to confirm adherence with compliance standards
• Review/adjust security monitoring tool, to reflect new transactions and functionality

Maintenance
• Review/signoff on role design updates
• Assess SOD / SA exposures
• Assist in remediation of security failures
• Review/adjust SOD rules, to reflect new transactions and functionality
• Help confirm end users are executing assigned mitigating controls
• Update control documentation

All stages
• Keep External Auditors aware of security standard changes
• Monitor access to powerful roles and transactions
• Proper configuration of BASIS controls


What Tools are Available to Help You?

There are a number of tools in the market to help you assess SAP security and SOD risks. Functionality and reporting capabilities should be carefully analyzed to make sure they fit the short and long term needs in your organization.

Some of these tools are used to help assess and monitor security exposures, and are not only used by Internal Audit departments but also by:
• SAP Security or IT teams
• Functional Users (responsible for user certification)
• External Auditors

Point in time assessment tools: ACL, Assure Security, Other
Continuous Monitoring tools: SAP's GRC Access Controls, Approva – Authorization Insight, Security Weaver


What Can You Get from Assessment Tools? (Assure Security Example)

Sample report types:
• Sensitive Transaction Listing Reports
• User Access to Sensitive Transaction Summary Reports
• Summary SOD Conflict Reports
• User Access to Sensitive Transaction Detail Reports
• Detail User SOD Conflict Reports
• SAP Security Role SOD Analysis Reports


Risk Area 2: SAP Business Processes and Configurable Controls


Application / Configurable Controls: Definition

• Application Controls are defined by COSO as “…Programmed procedures in application software, and related manual procedures, designed to help ensure the completeness and accuracy of information processing…”.

• Control considerations arise around critical business process flow points at which the application:

– Makes calculations.

– Performs data validation and edit checks.

– Interfaces electronically with other systems.

– Sorts, summarizes and reports critical financial information that is relied upon as complete and accurate by Management.

– Limits access to transactions and data.

• As most transactions posted in SAP automatically generate accounting postings to the General Ledger, it is important to consider controls throughout a business process – e.g., Procure to Pay – and not just financial controls within the Finance organization.


Importance of Application Controls

• Robust system-based controls are typically more reliable and desirable than manual controls.
• Optimization of such controls better enables organizations and their external auditors to attest to the effectiveness of controls over critical financial statement elements, and the key financial reporting processes that drive them.

Diagram: controls are plotted on two axes, Detective → Preventive and Manual → Automated, with reliability and desirability increasing toward the automated, preventive corner. The four quadrants are System-Based Preventive Controls, System-Based Detective Controls, People-Based Preventive Controls and People-Based Detective Controls; the control types placed on the diagram are Configuration Options, Application Security, Transaction Controls, Policies & Procedures, Monitoring Exception Reporting and Reconciliations.


Global Controls vs. Local Controls

• Whether it be an automated configurable control or a manual detective control, SAP controls can also be classified as either being Global or Local controls.
• In SAP terms, a global control would apply across all company codes, whereas a local control would be company code specific.
  – Some examples of global controls include:
    • Document types that can post to customer accounts.
    • Mandatory field settings for customer/vendor records.
  – Some examples of local controls include:
    • Customer / vendor posting tolerances.
    • Invoice verification tolerances.
• Global and local controls have both advantages and disadvantages.
  – The primary advantage of global controls is that they are easier to monitor and test.
  – The primary advantage of local controls is that they are more specific to individual business operations.


Another Way to Look at Controls – Preventive vs. Detective

Approximately 70+ SAP process controls are analyzed during a process review of Purchase to Pay (Master Data, Purchase Orders / Requisitions, Invoice / Receipts, Payments).

Control Concern: Do potential duplicate vendors exist?

Process Controls
• Preventive Control – Will duplicate warning messages be enabled?
• Detective Control – Review duplicate payment reports with different criteria

Security Controls
• Preventive Control – Are key functions segregated within the organization (e.g. Master Data versus Invoice Entry)?
• Detective Control – Review access to sensitive functions and conflicting responsibilities


Key Risks in Your SAP Process Controls Environment

Depending on the type of SAP process change occurring in your organization, different types of risks may manifest. The most common SAP business process risks our clients face are (the slide maps each risk against the Net New, Rollout, Upgrade and Maintenance stages):

1. SAP configuration is not set up to support your control environment
2. Control requirements not considered during implementation
3. Poor visibility to your SAP configuration settings
4. Inadequate definition of mitigating controls - excessive manual controls, spreadsheets or reconciliations
5. Deviation from global control template or standards
6. Inadequate change management process to control configuration changes with control implications
7. Inadequate business process ownership responsible for overseeing business process configuration
8. Policies, procedures and control frameworks not updated to reflect new control environment
9. SOX / Internal Control testing procedures are not documented to reflect SAP specific steps


What Can You Do to Proactively Mitigate Process Risks?

Control focus areas by lifecycle stage:

Net New
• Provide input to process controls definitions (approvals, reconciliations, standard system settings)
• Help identify and document control requirements – manual, automated, business
• Educate business process teams around SAP functionality supporting controls
• Test controls throughout the implementation phases
• Provide input on control monitoring tool implementation

Rollout
• Help define Global and Local control parameters (80/20 rule)
• Define control monitoring processes, roles and responsibilities: configuration, manual and business controls
• Assess local control environment to confirm adherence with standards
• Test reports from a controls perspective
• Help identify and assign mitigating controls
• Review/adjust control monitoring standards and tools

Upgrade
• Review control enhancements and/or impact
• Understand / recommend new control enhancing features, if any
• Confirm that control changes were approved by proper monitoring processes
• Assess change control environment to confirm adherence with standards
• Review / adjust control monitoring standards and tools to reflect new functionality

Maintenance
• Review control changes
• Perform transactional data analysis to identify control gaps (e.g. duplicate invoices)
• Conduct periodic assessments to review adherence to process control standards, potential enhancements, or data integrity issues
• Update control documentation

All stages
• Keep external auditors aware of control changes
• Monitor process indicators, delays / breakdowns


How do You Build Proper SAP Controls?

Goal – Develop and push control recommendations based on SAP compliance best practices and making best use of available SAP control functionality, including: configurable (automated) controls, detective / manual controls (reports):

1. Kick Off Meeting & Workshop Preparation
2. Assess Configurable Control Environment
3. Workshops to Disposition Control Recommendations
   • Embed compliance requirements into system design
   • Retrofit control enhancements

Integration Testing: test control parameters throughout the implementation.
Go-Live: review compliance with expected controls.

Deliverables: SAP Control Documentation & Testing Results (updated control framework; SAP specific control parameters; SAP specific test plans) and a Continuous Monitoring tool.

Typical processes in scope:
• Quote to Cash
• Requisition to Pay
• Record to Report
• Plan to Produce
• Hire to Retire
• Basis


What Resources are Available to Help You?

There are a limited number of tools to help you assess process controls in SAP. These tools should be carefully analyzed to make sure they fit the short and long term needs in your organization.

Some of these tools are not only used by Internal Audit departments, but also by SAP implementation teams to help in the enablement of process controls, monitoring of control operations and prevention of exposures:

Assessment tools: Assure Controls
Continuous Monitoring tools: SAP's GRC Process Controls, Approva – Process Insights


What Can You Get from Assessment Tools? (Assure Controls Example)

Sample report types:
• Process Overview Reports
• Control Overview Reports
• Control Weakness Reports
• Process Summary Reports
• Control Evaluation Reports
• Detail Control Reports

Assessment Tool Example: Summary Reports

Process map with Key, Master Data and Business Processes switched on; each control on the map is marked as Exception, No exceptions identified, or Area or control not reviewed in automatic testing.

Areas on the map: Master Data (Vendor Maintenance, General Ledger), Interfaces, Transactions, Controlling, Purchase Requisitions, Purchase Orders, Invoice Entry / Invoice Verification, Payment / Clearing, Credit Notes, General Ledger integration.

Controls shown:
• 6 - Vendor evaluation
• 37 - Configuration of mandatory fields
• 38 - Duplicate vendor check
• 39 - Dual authorization for sensitive fields
• 220 - Reconciliation Accounts
• 232 - Functional Authorizations
• 238 - Purchase order release strategies
• 243 - Material tolerance key PE
• 244 - Ability to change approved orders
• 247 - Tolerance on purchase order and receipt
• 250 - Invoice amount tolerance - Key AP
• 252 / 599 - Duplicate invoice check
• 254 - Invoice amount tolerance
• 255 - Park and post approval
• 263 - Configure payment block reasons
• 466 - Invoice tolerance key AN
• 478 - Post small differences automatically - tolerance key BD
• 505 - Over and under delivery tolerances
• 532 - Release Strategies with classification
• 600 - Duplicate vendor check - Set message
• 602 - Ability to change approved requisitions
• 619 - Purchase order and Invoice amount tolerance - Key PP
• 620 - Park and post approval controls
• 624 - Item Amount Check
• 625 - Set goods receipt indicator
• 701 - Document Change Rules
• 706 - Duplicate invoice check system message
• 801 - Alternative payee in document field
• 805 - Change Vendor in Invoice compared to Purchase Order
• 815 - Currencies allowed in payment methods


Assessment Tool Example: Purchase to Pay Configuration

Configuration controls are assessed by reviewing the settings at the lowest level of detail. For example, a duplicate invoice check test should include the assessment of the SAP settings by company code and by duplicate-check criterion:

Some advantages of using Assessment Tools:

• Gain increased visibility to the control environment – virtually a 100% sample
• Reports are generated automatically and include ideal settings and actual configuration
• Can do exception-based reporting, which outlines the problem items
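The assessment pattern described above (ideal setting next to actual configuration, reported by company code, exceptions only), as an added example written for this page; it is not code from Protiviti or the Assure Controls tool. The record layout, column names and sample rows are constructed to mirror the three criteria on the duplicate invoice check customizing screen (check company code, check reference, check invoice date); they are not real SAP table fields.

```python
"""Exception-based assessment of the SAP duplicate invoice check, by company code.

Added example for this deck, not code from Protiviti or the Assure Controls
tool. The record layout, column names and sample rows are constructed
(assumptions), not real SAP table fields.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DupInvoiceSetting:
    company_code: str
    check_company_code: bool   # duplicate search restricted to the same company code
    check_reference: bool      # compare the vendor's invoice reference number
    check_invoice_date: bool   # compare the invoice date


# Ideal settings the audit programme expects: all three criteria switched on.
IDEAL = {"check_company_code": True, "check_reference": True, "check_invoice_date": True}

# Constructed sample extract, one row per company code (not real data).
SAMPLE_EXTRACT = [
    DupInvoiceSetting("1000", True, True, True),
    DupInvoiceSetting("2000", True, False, True),    # reference check switched off
    DupInvoiceSetting("3000", False, False, False),  # no duplicate check at all
]


def assess(settings, ideal=IDEAL):
    """Compare every company code with the ideal; return only the deviations
    (exception-based reporting), as actual vs. ideal per criterion."""
    exceptions = []
    for s in settings:
        deviations = {
            crit: {"actual": getattr(s, crit), "ideal": want}
            for crit, want in ideal.items()
            if getattr(s, crit) != want
        }
        if deviations:
            exceptions.append({"company_code": s.company_code, "deviations": deviations})
    return exceptions


def report(settings, expected_company_codes, ideal=IDEAL):
    """Full assessment: deviations plus company codes with no entry at all.
    A missing entry is a weaker control than a misconfigured one, and it is
    easy to miss when only the configured rows are reviewed."""
    configured = {s.company_code for s in settings}
    missing = sorted(set(expected_company_codes) - configured)
    return {"exceptions": assess(settings, ideal), "not_configured": missing}


if __name__ == "__main__":
    from pprint import pprint
    pprint(report(SAMPLE_EXTRACT, ["1000", "2000", "3000", "4000"]))
```

The list of expected company codes is passed in separately on purpose: the configuration extract only contains company codes that were ever configured, so a company code that was never set up would otherwise be invisible. When applying this to a real system, remember that the per-company-code criteria only take effect for vendors whose company code data has the "check double invoice" flag (LFB1-REPRF) set, so a complete test pairs this configuration check with a vendor master check on that flag.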


Risk Area 3: Transactional Processing and Analytics


Why Perform Transactional Analysis

Companies need to manage the risks associated with SAP transaction processing, master data maintenance and segregation of duty violations. When applied to the Procure to Pay process, key transactional assessment areas include:

• Financial Risks – Overpayments / duplicate payments, fraud
• Operational Risks – Duplicate data management for vendors, customers, assets and employees

In order to comprehensively assess Procure to Pay areas, you should include historical and current SAP data to enable future cost savings, as depicted below.

Leveraging data can also help Internal Audit Directors and Finance Executives (CFOs, VPs, Controllers) identify internal control and risk issues; identify, recover and eliminate financial leakage; search for anomalies; and benchmark their processing performance against best practices.

[Figure: Data Integrity Analysis spanning Historical and Prospective data, labelled Cost Recovery and Cost Savings, with the areas Payment Assessments, Security / SOD Violations, Remediation and Master Data Cleanup.]


Automated Transactional Analysis

Even in well controlled environments, with well defined security and built-in application controls, it is important to understand the details of the transactions being processed, the way they are being handled and the data that is or will be recorded in SAP.

It is important to remember that exceptions will happen and many controls can be circumvented, especially by privileged or knowledgeable users.

Compliance Focus Areas, by lifecycle stage (Net New, Rollout, Upgrade, Maintenance):

Net New
• Pre-implementation analysis of legacy transactions to identify:
  – Potential opportunities
  – Configurable control needs and design / blueprint considerations
  – Required (master) data clean-up

Rollout
• Analysis of SAP transactions to identify:
  – Potential opportunities
  – Configurable control enhancements
  – Master data considerations

Upgrade
• Understanding of potential impact to processes and/or controls.
• Post implementation analysis and validation to ensure no adverse impact

Maintenance
• Periodic testing to ensure transactional data confirms high risk system based controls are still operating.
• Data contained within the system allows the business to make informed, accurate decisions
• Identify further areas of operational improvement


Key Risks During Each Lifecycle Stage

[Table: each key risk below is marked against the lifecycle stages Net New, Rollout, Upgrade and Maint. in which it applies; the marks did not survive extraction.]

• System based controls, both configuration and security, are not sufficient to prevent or detect errors and/or fraud
• Current business environment encourages individuals to either accept or take additional inappropriate risk
• Traditional sampling techniques may not provide sufficient coverage, and review of the full transactional population is needed
• Configuration controls can be turned on, off or changed. Security can also be changed

SAP risks may vary depending on your company's implementation / lifecycle stage, your organizational complexity, your security design and the tools you use to help manage risk.

These tools may also provide effective tests of control and substantive procedures where there are no input documents or a visible audit trail.


Analytics Example for Procure to Pay

With analytics, different SAP risks and opportunities can be identified and analyzed.

[Figure: Procure to Pay flow. Master data (Vendor, Material) and the Purchasing Organization feed Purchase Requisition -> Purchase Order -> Goods Receipt -> Invoice Receipt -> Cash Disbursement. Requisition, order, goods receipt and invoice receipt sit in the MM Module; cash disbursement sits in the FI Module (A/P Sub-Module).]


Analytics Example for Procure to Pay: Vendor Master

Vendor Master Record:

• How many vendors does the company use?
• Are there duplicate vendors in the Vendor Master?
• Are inactive vendors, without any activity in over a year, categorized as active?
• How are vendors being utilized?
• Have changes to the vendor masters been approved?
• Are there potentially fictitious or unauthorized vendors in the vendor master?
• Are there any vendors with the same address as an employee?
• Have vendors been checked against regulatory requirements?
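Several of the vendor master questions above can be answered directly from a vendor master extract. The following is an added example written for this page, not code from the deck or the Assure Integrity tool: it finds duplicate vendors (by normalized name and by bank account), vendors sharing an address with an employee, unblocked vendors with no activity in over a year, and vendors with blank required fields. The record fields, vendor rows and employee rows are constructed sample data.

```python
"""Vendor master analytics for the questions above.

Added example, not code from the deck or the Assure Integrity tool. Record
fields, vendor rows and employee rows are constructed (assumptions); in a real
engagement they would come from an extract of the vendor master (general data,
company code data, bank details) and an HR address extract.
"""
import re
from collections import defaultdict
from datetime import date

AS_OF = date(2010, 2, 19)   # review date, constructed
LEGAL_SUFFIXES = r"\b(inc|corp|corporation|co|company|ltd|limited|llc|gmbh)\b"


def normalize(text):
    """Lower-case, drop punctuation and legal-form words, collapse whitespace,
    so that 'ACME Corp.' and 'Acme Corporation' compare equal."""
    t = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    t = re.sub(LEGAL_SUFFIXES, " ", t)
    return " ".join(t.split())


# Constructed sample vendor master rows (not real data).
VENDORS = [
    {"id": "V001", "name": "Acme Corp.", "address": "12 Main St, Springfield",
     "bank_account": "DE001", "last_activity": date(2009, 12, 1), "blocked": False},
    {"id": "V002", "name": "ACME Corporation", "address": "12 Main Street, Springfield",
     "bank_account": "DE001", "last_activity": date(2009, 11, 15), "blocked": False},
    {"id": "V003", "name": "Blue Widgets Ltd", "address": "7 Elm Road, Shelbyville",
     "bank_account": "DE002", "last_activity": date(2008, 6, 30), "blocked": False},
    {"id": "V004", "name": "Quick Print", "address": "",
     "bank_account": "", "last_activity": None, "blocked": False},
    {"id": "V005", "name": "J. Doe Consulting", "address": "45 Oak Ave, Springfield",
     "bank_account": "DE005", "last_activity": date(2010, 1, 5), "blocked": False},
]

# Constructed HR extract (not real data); only the address is needed here.
EMPLOYEES = [
    {"id": "E100", "address": "45 Oak Ave, Springfield"},
    {"id": "E101", "address": "9 Pine Ct, Shelbyville"},
]


def duplicate_vendors(vendors):
    """Group vendors by normalized name and by bank account; keep groups > 1.
    Two keys are used because a deliberate duplicate often changes the name
    slightly but keeps the bank account, or vice versa."""
    groups = defaultdict(list)
    for v in vendors:
        groups[("name", normalize(v["name"]))].append(v["id"])
        if v["bank_account"]:
            groups[("bank", v["bank_account"])].append(v["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def vendors_at_employee_address(vendors, employees):
    """Vendors whose normalized address equals an employee's address."""
    by_addr = {normalize(e["address"]): e["id"] for e in employees if e["address"]}
    hits = []
    for v in vendors:
        key = normalize(v["address"])
        if key and key in by_addr:
            hits.append((v["id"], by_addr[key]))
    return hits


def stale_active_vendors(vendors, as_of, max_idle_days=365):
    """Unblocked vendors with no activity in the last year (or no activity ever)."""
    return [v["id"] for v in vendors
            if not v["blocked"]
            and (v["last_activity"] is None
                 or (as_of - v["last_activity"]).days > max_idle_days)]


def incomplete_vendors(vendors, required=("name", "address", "bank_account")):
    """Vendors with blank required fields, keyed by vendor id."""
    result = {}
    for v in vendors:
        blanks = [f for f in required if not v[f]]
        if blanks:
            result[v["id"]] = blanks
    return result


def vendor_master_review(vendors, employees, as_of):
    return {
        "duplicates": duplicate_vendors(vendors),
        "employee_address_match": vendors_at_employee_address(vendors, employees),
        "stale_but_active": stale_active_vendors(vendors, as_of),
        "incomplete": incomplete_vendors(vendors),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(vendor_master_review(VENDORS, EMPLOYEES, AS_OF))
```

Exact string matching on names and addresses finds almost nothing in a real vendor master, which is why the normalization step is the part worth investing in; the bank account match is the stronger indicator, since two vendor numbers paying into one account rarely has an innocent explanation. Every hit is a lead for follow-up, not a finding in itself.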



Analytics Example for Procure to Pay: Vendor Master

What condition is your vendor master file in, and what impact does it have on your organization?

In this example, not all fields are complete. Possible solutions:

• Do not allow the system to accept blank addresses, and define required fields.
• Possible use of drop down menus (e.g., state, country, etc.).


Analytics Example for Procure to Pay: Purchase Requisition

Purchase Requisition:

• What materials / services are being ordered?
• Who is ordering materials / services?
• Who is approving materials / services?
• What are the amounts and frequency of purchase requisitions?
• Do the materials / services appear reasonable for the department / employee initiating the purchase requisition?
• Are any segregation of duties (authorization levels) being bypassed?



Analytics Example for Procure to Pay: Purchase Orders

Purchase Orders:

• Are there duplicate purchase orders?
• Is the use of one-time vendors appropriate?
• Do sole sourcing opportunities exist?
• Do we know what our product reordering volume is by item, warehouse, or vendor?
• Can we determine the percentage change in sales, price and / or cost levels by product / vendor?
• Should we compare rates for similar products from other vendors to ensure purchase rates are competitive?
• Can we eliminate stale POs by analyzing and reporting on partial receipts?
• Reconciliation of orders received without or prior to a purchase order.



Analytics Example for Procure to Pay: Cash Disbursements

Cash Disbursements:

• Are payments being split to avoid approval limits?
• Are non-PO based invoices excessive?
• Are invoices dated prior to POs?
• Are there large payments without a purchase order or to one-time vendors?
• Are there duplicate payments being processed?
• Does it appear discounts and rebates are being missed?
• Provide an audit trail for disbursements by purchase order, vendor, etc.
• Summarize cash disbursements by account, bank, group, vendor, etc.
• Generate vendor cash activity summary for support in rebate negotiations.
• Audit paid invoices for manual comparison with actual invoices.
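Four of the cash disbursement questions above (split payments, invoices dated before the PO, large payments without a PO, duplicate payments) as detection logic over a payment extract. This is an added example written for this page, not code from the deck or the Assure Integrity tool; the payment records and their field names are constructed, and in practice the input would be a join of payment documents with the invoice and purchase order they clear.

```python
"""Cash disbursement analytics for the questions above.

Added example, not code from the deck or the Assure Integrity tool. Payment
records and field names are constructed (assumptions); a real run would use a
join of payment documents with the invoices and purchase orders they clear.
"""
from collections import defaultdict
from datetime import date

# Constructed sample payments (not real data).
PAYMENTS = [
    {"doc": "P1", "cc": "1000", "vendor": "V001", "amount": 9500.0, "invoice_ref": "INV-100",
     "invoice_date": date(2010, 1, 10), "po": "PO-1", "po_date": date(2010, 1, 5), "paid_on": date(2010, 1, 20)},
    {"doc": "P2", "cc": "1000", "vendor": "V001", "amount": 9500.0, "invoice_ref": "inv 100",
     "invoice_date": date(2010, 1, 10), "po": "PO-1", "po_date": date(2010, 1, 5), "paid_on": date(2010, 2, 1)},
    {"doc": "P3", "cc": "2000", "vendor": "V002", "amount": 6000.0, "invoice_ref": "INV-200",
     "invoice_date": date(2010, 1, 9), "po": None, "po_date": None, "paid_on": date(2010, 1, 11)},
    {"doc": "P4", "cc": "2000", "vendor": "V002", "amount": 6000.0, "invoice_ref": "INV-201",
     "invoice_date": date(2010, 1, 9), "po": None, "po_date": None, "paid_on": date(2010, 1, 12)},
    {"doc": "P5", "cc": "1000", "vendor": "V003", "amount": 3000.0, "invoice_ref": "INV-300",
     "invoice_date": date(2010, 1, 1), "po": "PO-3", "po_date": date(2010, 1, 8), "paid_on": date(2010, 1, 25)},
    {"doc": "P6", "cc": "3000", "vendor": "V004", "amount": 25000.0, "invoice_ref": "INV-400",
     "invoice_date": date(2010, 1, 15), "po": None, "po_date": None, "paid_on": date(2010, 1, 30)},
]


def ref_key(ref):
    """Keep only letters and digits so 'INV-100', 'inv 100' and 'INV100' collapse
    to one key; a second entry of the same invoice usually differs only like this."""
    return "".join(ch for ch in ref.lower() if ch.isalnum())


def duplicate_payments(payments):
    """Same vendor, same amount, same normalized invoice reference."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["amount"], ref_key(p["invoice_ref"]))].append(p["doc"])
    return [docs for docs in groups.values() if len(docs) > 1]


def split_payments(payments, approval_limit, window_days=7):
    """Runs of sub-limit payments to one vendor within a short window whose
    total reaches the limit: the footprint of one invoice split into several
    to stay under an approver's threshold."""
    by_vendor = defaultdict(list)
    for p in payments:
        if p["amount"] < approval_limit:
            by_vendor[p["vendor"]].append(p)
    flagged = set()
    for vendor, items in by_vendor.items():
        items.sort(key=lambda p: p["paid_on"])
        for i, first in enumerate(items):
            run = [q for q in items[i:] if (q["paid_on"] - first["paid_on"]).days <= window_days]
            if len(run) >= 2 and sum(q["amount"] for q in run) >= approval_limit:
                flagged.add((vendor, tuple(q["doc"] for q in run)))
    return sorted(flagged)


def invoices_dated_before_po(payments):
    """Invoice date earlier than the PO it references: the PO was raised after the fact."""
    return [p["doc"] for p in payments
            if p["po"] is not None and p["invoice_date"] < p["po_date"]]


def large_without_po(payments, threshold):
    return [p["doc"] for p in payments if p["po"] is None and p["amount"] >= threshold]


def disbursement_review(payments, approval_limit=10000.0, large_threshold=10000.0):
    return {
        "duplicates": duplicate_payments(payments),
        "splits": split_payments(payments, approval_limit),
        "invoice_before_po": invoices_dated_before_po(payments),
        "large_no_po": large_without_po(payments, large_threshold),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(disbursement_review(PAYMENTS))
```

The approval limit and window are parameters because they are company-specific: take the limit from the release strategy actually configured, and widen the window if the business pays on a weekly run. The duplicate test deliberately matches on amount and reference rather than on the SAP document number, since the system's own duplicate check (when switched on) already blocks exact repeats; what remains are the near-duplicates that differ in reference formatting or were entered in a different company code.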



What Tools are Available to Help You?

There are a number of tools available to help you perform transactional analysis. These tools should be carefully analyzed to make sure they fit the short and long term needs of your organization.

Assessment tools:

• SAP GRC Process Controls
• Native SAP / ABAP (complexity)
• Business Intelligence solutions (complexity)
• ACL
• MS Access (size limitations)
• Excel (size limitations)
• Assure Integrity – Protiviti proprietary tool specific to SAP

Data formatting tools:

• Monarch – electronic report manipulation


Planning an Audit with Transactional Data

Developing and executing an organization's audit plan requires time, financial resources and personnel. To keep costs down it is important to have a focused plan, identifying those areas that are considered high priority and those that are considered low priority.

By analyzing transactional data, you can help identify an organization's potential for risk within:

– Individual Entities
– Business Processes, and
– Critical Functions

Summary results can be quantified to help prioritize your audit needs.

Detailed transactional results can provide critical information for testing during the audit.


Planning an Audit with Transactional Data: Prioritizing Using Summary Results

Each Assure Integrity test contains at least one summary report, which quantifies the results and/or presents the information in graphical format for quick and efficient identification of potential concerns.

Note: Company code data can help determine which entity of your business may require more focus during the audit.


Planning an Audit with Transactional Data: Executing the Audit Using Detailed Results

Make sure to include all of the critical information needed to assist in the execution of your audit.

Once samples have been determined, the detailed results can be referenced to identify the records that need to be obtained and validated.
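The two steps on the preceding slides, quantifying summary results by company code to prioritize, then drawing the test sample from the detailed results, as an added example written for this page; it is not code from the deck or the Assure Integrity tool. The exception records, document volumes and test weights are constructed; in practice the exceptions would be the detail output of the transactional tests and the volumes a count of posted documents per company code. The example goes one step beyond the slide by normalizing for volume, which changes the ranking.

```python
"""Turning detailed exception results into an audit priority by company code,
then selecting the sample for testing.

Added example, not code from the deck or the Assure Integrity tool. The
exception records, document volumes and test weights are constructed
(assumptions).
"""
# Constructed detail results: one record per flagged document (not real data).
EXCEPTIONS = [
    {"cc": "1000", "test": "duplicate_payment", "doc": "D1", "amount": 9500.0},
    {"cc": "1000", "test": "duplicate_payment", "doc": "D2", "amount": 9500.0},
    {"cc": "1000", "test": "split_payment", "doc": "D3", "amount": 6000.0},
    {"cc": "2000", "test": "invoice_before_po", "doc": "D4", "amount": 3000.0},
    {"cc": "2000", "test": "split_payment", "doc": "D5", "amount": 6000.0},
    {"cc": "3000", "test": "large_no_po", "doc": "D6", "amount": 25000.0},
]

# Posted invoice/payment documents per company code in the period (constructed).
VOLUMES = {"1000": 20000, "2000": 500, "3000": 800}

# Relative severity of each test as agreed with the audit team (constructed).
WEIGHTS = {"duplicate_payment": 3, "split_payment": 3, "invoice_before_po": 1, "large_no_po": 2}


def summarize(exceptions, volumes, weights):
    """Per company code: exception count, amount exposed, severity-weighted
    count, and weighted exceptions per 1,000 posted documents."""
    summary = {cc: {"count": 0, "amount": 0.0, "weighted": 0, "tests": set()} for cc in volumes}
    for e in exceptions:
        s = summary[e["cc"]]
        s["count"] += 1
        s["amount"] += e["amount"]
        s["weighted"] += weights[e["test"]]
        s["tests"].add(e["test"])
    for cc, s in summary.items():
        s["per_1000_docs"] = round(s["weighted"] / volumes[cc] * 1000, 2)
    return summary


def rank_company_codes(summary, key="per_1000_docs"):
    """Company codes in descending order of the chosen measure (ties by code)."""
    return sorted(summary, key=lambda cc: (-summary[cc][key], cc))


def select_sample(exceptions, cc, size):
    """Documents to obtain and validate for one company code: the largest item
    of every test first, so each control is covered, then fill by amount."""
    items = sorted((e for e in exceptions if e["cc"] == cc),
                   key=lambda e: (-e["amount"], e["doc"]))
    chosen, covered = [], set()
    for e in items:
        if e["test"] not in covered:
            chosen.append(e["doc"])
            covered.add(e["test"])
    for e in items:
        if e["doc"] not in chosen:
            chosen.append(e["doc"])
    return chosen[:size]


if __name__ == "__main__":
    s = summarize(EXCEPTIONS, VOLUMES, WEIGHTS)
    print(rank_company_codes(s, "count"), rank_company_codes(s))
    print(select_sample(EXCEPTIONS, rank_company_codes(s)[0], 2))
```

Ranked by raw exception count, company code 1000 comes first; ranked by weighted exceptions per thousand documents, it comes last, because it posts forty times as many documents as company code 2000. Which view drives the plan is a judgement for the audit team, but the summary should show both so that a large, busy entity is not prioritized merely for being large.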


Audit and Risk Management Considerations

• Consider where the company is having issues and/or where the greatest opportunities exist to leverage monitoring / analytic capabilities.
• Consider where an analytics-based diagnostic review may be of value to the company.
• Consider the enterprise perspective but start small and agree upfront as to how items will be measured.
• Determine what monitoring / analytic capabilities and tools already exist within the company.
• Obtain business buy-in and explore opportunities for the business, operations, IT, and Internal Audit to collaborate.
• Consider whether an audit analytic initiative should be manual / ad-hoc or if an automated approach and long-term monitoring mechanisms should be developed.


Summary / Wrap-Up


To Summarize

• Be as proactive as possible when your company is going through SAP projects affecting security and controls
• Get involved in early stages of SAP projects by providing input from a compliance perspective
• Bring the right skills – SAP Security, Business Process, and/or Controls – sometimes all these skills are needed
• Use tools – it is extremely difficult to assess security and configurable controls manually
• Your goals when assessing and providing recommendations to security standards and SAP process controls should include:
  – Standardize security and business process design
  – Help find the right balance between automated controls and manual controls (reports)
  – Help address potential control gaps
  – Confirm that the right people have authority to approve changes to the security structure and SAP configuration impacting your control environment
  – Assess your SAP environment periodically and with the right depth of analysis


Questions