SAP TECHNICAL AUDIT (FREQUENTLY ASKED QUESTIONS)

  • What is an audit?
  • An audit encompasses an independent review of a process, procedure or set of results to ensure their completeness, accuracy, integrity and security. Examples vary from the statutory audit of a company’s financial accounts to a compliance audit regarding the establishment of required health and safety procedures.

  • What is the difference between internal audit and external audit?
  • Internal audit is a function that, although operating independently from other departments and reporting directly to the audit committee, resides within the organisation (i.e. its members are company employees). It is responsible for performing audits (both financial and non-financial) across a wide range of areas within the business, as directed by the annual audit plan. Internal audit looks at the key risks facing the business and what is being done to manage those risks effectively, to help the organisation achieve its objectives. For example, it may look at risks to the company’s reputation, such as the use of cheap labour in foreign countries, or strategic risks, such as producing more products than the available resources can support.
  • External audit is an independent body which resides outside of the organisation which it is auditing. They are focused on the financial accounts or risks associated with finance and are appointed by the company shareholders. The main responsibility of external audit is to perform the annual statutory audit of the financial accounts, providing an opinion on whether they are a true and fair reflection of the company’s financial position. As part of this, external auditors often examine and evaluate internal controls put in place to manage the risks which could affect the financial accounts, to determine if they are working as intended.

  • What are the benefits of having your SAP system audited?
  • Time spent reviewing the effectiveness and efficiency of systems and processes is something that, although desirable, tends to be overlooked as management are too busy performing their day-to-day activities to become involved in initiating and performing such tasks.
  • A review by the internal audit function (internal or outsourced) is an opportunity for management to have their systems and processes reviewed without having to commit significant amounts of time or resources, whilst still retaining the level of contribution desired. The review, as well as highlighting existing strengths, can identify potential areas of weakness or inefficiency within a system or process based upon key risks. As a result, the internal control environment can be enhanced with the final audit report outlining areas for improvement and recommended remediation activities necessary, which can form the basis of a management action plan.

  • What is involved in an SAP audit?
  • SAP is a very large and complex ERP system, forming the platform for multiple inter-related business processes for those companies which utilise it. It is comprised of thousands of configurable tables making it highly flexible, and has a complex integrated security function. Therefore, SAP is a challenging environment to audit, particularly for those with minimal technical knowledge or appreciation of the business processes that operate within the system.
  • In order to gain maximum assurance over the system, the following 3 types of review would need to be performed (or they can be performed independently, depending on the risks over which you wish to gain comfort):
  • SAP Basis Review – covers access security (i.e. SAP authorisations) over sensitive system administration functions, configuration of security parameter settings and manual controls over system administration processes (e.g. user provisioning, change management etc)
  • SAP Business Process Review – covers both configurable (e.g. tolerance settings) and manual controls (e.g. reconciliations) within the business process under review such as revenue & receivables, procure to pay etc
  • SAP Segregation of Duties Review – covers both sensitive access and identification of incompatible duties within the business process under review.
  • What is Segregation of Duties?
  • The term Segregation of Duties (SoD) refers to a security principle which aims to prevent fraud and errors by distributing the tasks and associated privileges for a specific business process among multiple users. This ensures that a single user cannot control an end-to-end process without the intervention of another user.
  • In SAP it is possible to achieve segregation of duties by controlling and monitoring access rights of users, to ensure a single user cannot execute two or more conflicting transactions. To do this, firstly a set of rules will need to be created to identify those incompatible functions which pose a risk and need to be reviewed (e.g. Post Journal Entries AND Maintain GL Master Data). Secondly, the corresponding access in SAP needs to be mapped to the individual functions so that those users with access to incompatible functions (known as ‘SoD conflicts’) can be identified and remediated as required.
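The two steps above (define conflict rules, then map SAP access onto the functions in those rules) as an added worked example; this is not code from the FAQ or from SAP. The function-to-transaction mapping, the conflict rules and the role/user data are assumed, simplified sample data constructed for illustration: the role-to-transaction and user-to-role tables stand in for what a reviewer would read from AGR_TCODES and AGR_USERS via SE16N, and each function is mapped to every transaction that can perform it, since SAP usually offers several.

```python
"""Added example (not from the original FAQ): rule-based SoD and
sensitive-access check over a constructed extract of SAP role data."""

# Assumed rule set: each business function -> ALL transactions that can
# perform it (e.g. a journal entry can be posted via FB01 or FB50).
FUNCTION_TCODES = {
    "Post Journal Entries": {"FB01", "FB50"},
    "Maintain GL Master Data": {"FS00"},
    "Maintain Users": {"SU01", "SU10"},
    "Maintain Roles": {"PFCG"},
}

# Assumed conflict rules: pairs of functions one user should not hold.
CONFLICT_RULES = [
    ("Post Journal Entries", "Maintain GL Master Data"),
    ("Maintain Users", "Maintain Roles"),
]

# Assumed sensitive-access rules: functions that warrant review on their own.
SENSITIVE_FUNCTIONS = {"Maintain Users", "Maintain Roles"}

# Constructed sample data (illustrative, not real system extracts),
# shaped like role->transaction (AGR_TCODES) and user->role (AGR_USERS).
SAMPLE_ROLE_TCODES = {
    "Z_FI_POSTING": {"FB50", "FB03"},
    "Z_FI_GL_MASTER": {"FS00", "FS10N"},
    "Z_BASIS_USERADMIN": {"SU01", "SU10"},
    "Z_BASIS_ROLEADMIN": {"PFCG"},
    "Z_AUDIT_DISPLAY": {"SUIM", "SE16N"},
}
SAMPLE_USER_ROLES = {
    "GLADMIN": ["Z_FI_POSTING", "Z_FI_GL_MASTER"],
    "ACLERK": ["Z_FI_POSTING"],
    "BASIS1": ["Z_BASIS_USERADMIN", "Z_BASIS_ROLEADMIN"],
    "AUDITOR": ["Z_AUDIT_DISPLAY"],
}


def user_tcodes(user_roles, role_tcodes):
    """Resolve user -> roles -> transactions into {user: set(tcodes)}."""
    return {
        user: set().union(*(role_tcodes.get(r, set()) for r in roles))
        for user, roles in user_roles.items()
    }


def functions_for_user(tcodes, function_tcodes=FUNCTION_TCODES):
    """Map a user's transaction codes to the business functions they enable."""
    return {f for f, codes in function_tcodes.items() if tcodes & codes}


def find_sod_conflicts(access, rules=CONFLICT_RULES):
    """Return {user: [(func_a, func_b), ...]} for users holding both sides of a rule."""
    conflicts = {}
    for user, tcodes in access.items():
        funcs = functions_for_user(tcodes)
        hits = [r for r in rules if r[0] in funcs and r[1] in funcs]
        if hits:
            conflicts[user] = hits
    return conflicts


def find_sensitive_access(access, sensitive=SENSITIVE_FUNCTIONS):
    """Return {user: [sensitive functions]} for users holding any sensitive function."""
    result = {}
    for user, tcodes in access.items():
        held = functions_for_user(tcodes) & sensitive
        if held:
            result[user] = sorted(held)
    return result


if __name__ == "__main__":
    access = user_tcodes(SAMPLE_USER_ROLES, SAMPLE_ROLE_TCODES)
    for user, hits in find_sod_conflicts(access).items():
        print(f"SoD conflict  {user}: {hits}")
    for user, funcs in find_sensitive_access(access).items():
        print(f"Sensitive     {user}: {funcs}")
```

GLADMIN is flagged even though the role grants FB50 rather than FB01, which is the point of mapping every transaction to its function. Note that this models only the ability to start a transaction; in a real review the authorisation objects and activity values behind each transaction (not just S_TCODE) decide what the user can actually do, so a full SoD tool evaluates those as well.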
  • What are the different types of controls in SAP?
  • The following are the type of controls available in an SAP system:
  • Inherent Controls – those which have been hard coded into the system and cannot be changed via configuration
  • Configuration Controls – those which can be changed to support control objectives (e.g. tolerance groups and validations)
  • Restricted Access Controls – those which can be designed during the creation and maintenance of security profiles to ensure access to sensitive processing functions and segregation of duties is appropriate
  • Manual Controls – those which operate outside of the system (but may rely on system outputs such as reports) and support the system controls above (e.g. reconciliations, sign-offs, and policies and procedures)
  • What audit tools are required to perform an SAP audit?
  • The 3 main types of review (SAP Basis, SAP Business Process & SAP SoD Review) can be performed entirely using audit tools and techniques existing within the SAP system itself. The type of tools available includes:
  • System transactions – for example, transaction SUIM allows the reviewer to search for users holding sensitive access (by transaction code, authorisation object or profile). In addition, transaction SE16N (display only) allows the reviewer to view SAP tables to identify information such as the authorisation groups in use, the table protection levels assigned etc
  • SAP logs – these allow a reviewer to search for sensitive actions performed in the system (e.g. last logon date for privileged system-delivered user IDs, date production client was last opened for change etc)
  • SAP reports – these allow a reviewer to examine security configuration settings (e.g. report RSPARAM can be used to examine password parameter settings)
  • Therefore, external auditing tools are not essential. However, they can be extremely useful for reducing the amount of manual input required and making the review more efficient. This is most significant when analysing SoD conflicts in the system and/or reviewing assignment of sensitive access, particularly due to the fact there are normally several transactions which allow the same function to be performed in SAP and so each variable needs to be considered.
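The RSPARAM check mentioned above as an added worked example, not code from the FAQ or from SAP. RSPARAM lists each profile parameter with a user-defined value and a system default; the effective value is the user-defined one when set, otherwise the default, and a reviewer has to apply that rule before comparing against a baseline. The semicolon-separated listing below is a constructed sample in that shape (the parameter names are real SAP login parameters; the values are invented), and the baseline thresholds are assumed, illustrative expectations rather than SAP's own recommendations.

```python
"""Added example (not from the original FAQ): evaluating password-related
profile parameters from an RSPARAM-style listing against a baseline."""

# Constructed sample (not a real system extract): name;user value;default value.
# An empty user value means the system default is in effect.
SAMPLE_RSPARAM = """\
login/min_password_lng;;6
login/fails_to_user_lock;12;5
login/password_expiration_time;;0
login/min_password_digits;1;0
"""

# Assumed baseline: parameter -> (predicate on the integer value, expectation text).
BASELINE = {
    "login/min_password_lng": (lambda v: v >= 8, "at least 8 characters"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "between 1 and 5 failed attempts"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "between 1 and 90 days (0 = never expires)"),
    "login/min_password_digits": (lambda v: v >= 1, "at least 1 digit"),
}


def effective_values(listing):
    """Parse an RSPARAM-style listing into {parameter: effective value string}."""
    params = {}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, user_val, default_val = (field.strip() for field in line.split(";"))
        # User-defined value overrides the system default when present.
        params[name] = user_val if user_val else default_val
    return params


def check_password_parameters(listing, baseline=BASELINE):
    """Return [(parameter, effective value, problem)] for every baseline miss."""
    values = effective_values(listing)
    findings = []
    for name, (is_ok, expectation) in baseline.items():
        if name not in values:
            findings.append((name, None, "parameter missing from listing"))
            continue
        try:
            value = int(values[name])
        except ValueError:
            findings.append((name, values[name], "non-numeric value"))
            continue
        if not is_ok(value):
            findings.append((name, value, f"expected {expectation}"))
    return findings


if __name__ == "__main__":
    for name, value, problem in check_password_parameters(SAMPLE_RSPARAM):
        print(f"{name}: {value!r} -> {problem}")
```

The same pattern extends to any other parameter family the review covers; the important part is taking the effective value rather than reading only the user-defined column, which is blank for everything left at default.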
  • What will be the resource and time commitment for an SAP audit?
  • The precise resource and time commitment of an SAP audit will depend entirely on the scale of the audit proposed. As a guide each of the 3 main types of review (SAP Basis, SAP Business Process & SAP SoD Review) will take approx. 10–15 days for an auditor/consultant to perform.
  • Although the time commitment of resources from management will be minimal, there will be a requirement for their input in order to set up the auditor/consultant with the appropriate initial access to the system (and grant additional access where required during the audit). In addition, the auditor/consultant will need to discuss with management the procedural aspects of SAP administration (e.g. user administration, change management etc) and test the operating effectiveness of these processes which will require some evidence gathering by management.
  • Lastly, the findings will need to be discussed and validated before issuing a final report outlining strengths, weaknesses and recommendations. Therefore, input from client management (i.e. SAP Basis Manager, SAP Transport Manager, SAP Business Process Analyst etc) will be approx. a third of the total person-days required for the audit (e.g. if a review took an auditor/consultant 15 days to complete, then management would need to contribute approx. 5 days of resource time).
  • Will the auditor/consultant require full access to the SAP system?
  • Absolutely not! The auditor/consultant does not require, nor should they ever request, full access to the production system. In fact, they only require display access in order to perform the reviews involved in an SAP audit.
  • Some SAP default profiles (e.g. S_A.SHOW) can provide most of the display access necessary to use the SAP transactions required to perform their work. Where required, additional display access can be supplemented to the auditor/consultant user ID. A list of required access should be provided to the client prior to the audit start date to make the auditors/consultants time on site as efficient and productive as possible.
  • How often will we need to audit our SAP system?
  • If your company has to undergo an annual statutory financial audit then it is likely that at least some elements of the SAP system will be reviewed by the external auditors as part of this process. Therefore, it may be a good idea to perform an internal audit of your SAP system earlier in the year to ensure the system controls are working as expected and uncover any weaknesses, and perform subsequent remediation activities, prior to the external audit taking place.
  • In addition, the timing and frequency of internal audit reviews do not have to be governed by the external audit. An organisation may be highly motivated to demonstrate a strong internal control environment to their staff and shareholders and so perform smaller more frequent reviews throughout the year with each audit focusing on specific elements of the SAP system.
  • Alternatively, a system upgrade or significant development may be the catalyst for an ad hoc review to ensure that existing system controls have not been adversely affected, or that new controls have been implemented where required.
  • What level of access is required to audit SAP security?
  • In order to perform a comprehensive review of SAP security, display access to several SAP Basis transactions is required. This level of access can be permitted by assigning the SAP standard profile "S_A.SHOW". It is a profile, not a role, and so will need to be assigned to the auditor user ID within the profile tab using transaction SU01.
    Please note: this will not allow the auditor to download reporting results into Excel format. Therefore, this access (authorisation object S_GUI, activity 61) will need to be granted separately to the auditor's user ID.