This book is designed to help SAP project managers, implementation teams, administrators, and users learn how to "think like an auditor" so they can be better prepared for an internal or external audit of their SAP system. It provides practical, proven advice for preparing an audit roadmap for the system as a whole, then drills down into specific domains (applications, components, and business processes) to give expert guidance on the most common audit objectives for those areas. No team facing an SAP system audit should be without it!
Highlights
"Think Like an Auditor"
Get practical advice from an experienced SAP auditor on how to train your team to look at the audit roadmap from the auditor's perspective, and address weaknesses and "gotchas" before they happen.
Bulletproof Your Implementation and Enhancement/Upgrade Process
Learn how to ensure that controls are effectively designed and implemented for new SAP implementations and for the SAP upgrade and enhancement process, one of the biggest sources of audit problems.
Get Hands-on with Specific Domains
Understand the audit objectives at the application and component level, including SAP Basis, ERP Financials, MM, SD, and more.
Audit Roadmap for General Controls in SAP
Master the nuances of the major general controls in SAP, and the source of many audit issues: change management, segregation of duties, and emergency changes.
Audit Tips and Tools
Find answers on special issues and situations, audit tools available for SAP systems, third-party programs and services, and more.
About the Author(s)
Steve Biskie is the founder of ERP Audit Solutions, a consultancy focused on helping companies manage the SAP audit process. He is also a Director at ACL Services Ltd, a worldwide provider of audit analytics software. He has been involved in the audit of SAP systems as an internal auditor, consultant, and project team member. He is a nationally recognized expert on SAP audit and control, and speaks frequently on the subject at conferences. Steve is a Certified Information Systems Auditor (CISA), Certified Information Technology Professional (CITP), and a non-practicing Certified Public Accountant (CPA).
Table of Contents
1.1 ... Audit Overview ... 25
1.2 ... Types of Auditors ... 26
1.2.1 ... Internal Auditors ... 27
1.2.2 ... External Auditors ... 27
1.2.3 ... Specialty Auditors ... 30
1.3 ... Categories of Audit Objectives ... 31
1.4 ... Auditing Principles and Considerations ... 33
1.4.1 ... Independence ... 33
1.4.2 ... Objectivity ... 34
1.4.3 ... Professional Skepticism ... 35
1.4.4 ... Evidence ... 37
1.5 ... Understanding the Audit ... 38
1.5.1 ... Risk-Based Auditing ... 38
1.5.2 ... Internal Controls ... 39
1.5.3 ... Thinking Like an Auditor ... 43
1.5.4 ... Applying Audit Investigative Techniques ... 45
1.6 ... Audit Reporting ... 47
1.6.1 ... Reporting Process ... 47
1.6.2 ... Responding to Preliminary Audit Issues ... 48
1.6.3 ... Negotiating Issues ... 48
1.6.4 ... Report Distribution ... 49
1.6.5 ... Management Response and Follow-Up ... 50
1.7 ... Rules of Engagement ... 50
1.7.1 ... Understanding the Audit Objective ... 50
1.7.2 ... Working with the Auditor ... 50
1.7.3 ... Establishing the Audit Environment ... 51
1.7.4 ... Do's and Don'ts ... 51
1.8 ... Summary ... 51
2.1 ... Timing for the SAP Audit ... 53
2.1.1 ... Pre-Implementation Review ... 54
2.1.2 ... Post-Implementation Review ... 55
2.1.3 ... Ongoing SAP Operations Review ... 55
2.2 ... The Building Blocks of an SAP Audit ... 56
2.2.1 ... Project Management (Implementations and Upgrades) ... 59
2.2.2 ... General Computer Controls ... 61
2.2.3 ... SAP Basis Settings and Security ... 63
2.2.4 ... SAP Component-specific Technical Settings ... 66
2.2.5 ... Business Processes Enabled by SAP ... 68
2.3 ... Common Problems and Solutions ... 70
2.3.1 ... Risk Assessment and Internal Control Design ... 71
2.3.2 ... Process Inconsistency ... 72
2.3.3 ... Documentation ... 73
2.3.4 ... Periodic SAP User Reviews ... 75
2.3.5 ... Non-Standard Process Monitoring ... 76
2.3.6 ... User Education and Understanding ... 76
2.3.7 ... Master Data Control ... 77
2.4 ... The Start of the Audit ... 78
2.4.1 ... Planning ... 79
2.4.2 ... Fieldwork ... 81
2.4.3 ... Reporting ... 82
2.4.4 ... Follow-up ... 85
2.5 ... Summary ... 86
3.1 ... Reasons for Considering Internal Controls During an Implementation ... 89
3.1.1 ... Regulatory Requirements ... 90
3.1.2 ... Business Partner Relationships ... 92
3.1.3 ... Cost to the Business ... 93
3.1.4 ... Process Verification ... 94
3.1.5 ... Control Redesign and Optimization ... 94
3.1.6 ... Upgrade-Specific Benefits ... 95
3.2 ... Creating a Control-Conscious Implementation ... 96
3.2.1 ... Implementation Team Skills and Knowledge ... 98
3.2.2 ... Setting the Stage for Effective Control Design ... 101
3.2.3 ... Reporting Issues and Progress ... 102
3.2.4 ... Working with Auditors ... 104
3.3 ... Designing Effective Controls ... 107
3.3.1 ... Defining Relevant Processes and Sub-processes ... 108
3.3.2 ... Creating the Risk Inventory ... 108
3.3.3 ... Linking Controls to Risks ... 110
3.3.4 ... Tracking Control Design Progress ... 113
3.3.5 ... Additional Risks Resulting from Control Decisions ... 114
3.3.6 ... Other Areas of Consideration ... 115
3.4 ... Control Considerations by Implementation Phase ... 116
3.4.1 ... Planning ... 116
3.4.2 ... Design ... 118
3.4.3 ... Configuration ... 119
3.4.4 ... Data Conversion ... 120
3.4.5 ... Testing ... 121
3.4.6 ... Training ... 122
3.4.7 ... Go-Live ... 123
3.4.8 ... Summary of Control Considerations by Phase ... 123
3.5 ... Summary ... 125
4.1 ... General Computer Controls ... 127
4.1.1 ... Overview ... 128
4.1.2 ... Standards ... 130
4.1.3 ... GCC Highlights for an SAP Audit ... 133
4.1.4 ... GCCs Summary ... 141
4.2 ... SAP Basis Settings and Security ... 141
4.2.1 ... SAP Basis System Audit Highlights ... 142
4.2.2 ... SAP Security Highlights ... 144
4.3 ... Summary ... 148
5.1 ... Risks ... 149
5.2 ... Security and Master Data ... 151
5.2.1 ... Preventing Segregation of Duties Conflicts ... 152
5.2.2 ... Restricting Postings to Functional Areas ... 153
5.2.3 ... Limiting Access to Powerful Transactions ... 154
5.2.4 ... Establishing Controls and Security over Master Data ... 154
5.3 ... SAP Configurable Control Considerations ... 158
5.3.1 ... Configure SAP Data Quality Checks ... 159
5.3.2 ... Enhance Controls over SAP General Ledger Postings ... 163
5.3.3 ... Reduce Asset Management Errors ... 165
5.3.4 ... Other Configuration Tips ... 166
5.4 ... Additional Procedures and Considerations ... 167
5.4.1 ... Maintain and Follow a Closing Checklist ... 167
5.4.2 ... Implement Procedures to Resolve All Parked and Held Documents Prior to Closing ... 168
5.4.3 ... Confirm Receivables and Payables Account Balances ... 168
5.4.4 ... Establish Procedures for Verifying Asset Management Activities ... 170
5.5 ... Management Monitoring: SAP Report Highlights ... 170
5.5.1 ... Reports Identifying Changed Data ... 170
5.5.2 ... Incomplete Information ... 172
5.5.3 ... Potential Issues ... 173
5.6 ... Summary ... 173
6.1 ... Risks ... 175
6.2 ... Security and Master Data ... 178
6.2.1 ... Preventing Segregation of Duties Conflicts ... 178
6.2.2 ... Restricting Transactions to Functional Sales Areas ... 179
6.2.3 ... Limiting Access to Powerful Transactions ... 180
6.2.4 ... Establishing Controls and Security over Master Data ... 181
6.3 ... SAP Configurable Control Considerations ... 185
6.3.1 ... Configure SAP Data Quality Checks ... 185
6.3.2 ... Configure Minimum Pricing Rules ... 188
6.3.3 ... Establish Dual Control over Sensitive Fields ... 189
6.3.4 ... Configure Credit Checking to Minimize Business Risk ... 190
6.3.5 ... Establish Document Flow Control ... 192
6.3.6 ... Enhance Controls over Returns and Credits ... 194
6.3.7 ... Define Appropriate Dunning Procedures ... 196
6.3.8 ... Other Configuration Tips ... 196
6.4 ... Additional Procedures and Considerations ... 196
6.4.1 ... Implement Order Entry Completeness and Timeliness Procedures ... 197
6.4.2 ... Provide Order Confirmations ... 197
6.4.3 ... Eliminate Duplicates from the Material Master and Customer Master ... 197
6.4.4 ... Establish Procedures for Verifying Pricing Conditions ... 198
6.4.5 ... Review One-Time Customer Usage ... 200
6.4.6 ... Monitor Customer Payments and Payment Application ... 200
6.5 ... Management Monitoring: SAP Report Highlights ... 201
6.5.1 ... Reports Identifying Changed Data ... 201
6.5.2 ... Incomplete Information or Processing ... 202
6.5.3 ... Customers Exceeding Credit Limits ... 206
6.5.4 ... Potential Issues ... 207
6.6 ... Summary ... 207
7.1 ... Risks ... 210
7.2 ... Security and Master Data ... 213
7.2.1 ... Preventing Segregation of Duties Conflicts ... 213
7.2.2 ... Restricting Transactions to Functional Purchasing Organizations ... 214
7.2.3 ... Limiting Access to Powerful Transactions ... 214
7.2.4 ... Establishing Controls and Security over Master Data ... 215
7.3 ... SAP Configurable Control Considerations ... 219
7.3.1 ... Configure SAP Data Quality Checks ... 219
7.3.2 ... Establish Dual Control over Sensitive Fields ... 224
7.3.3 ... Ensure Robust Release Strategy Configuration ... 224
7.3.4 ... Require Purchase Requisition Reference ... 226
7.3.5 ... Strengthen Controls over Blanket POs ... 226
7.3.6 ... Use Source Determination When Possible ... 226
7.3.7 ... Prevent Reversal of Goods Receipt after Invoice Processing ... 226
7.3.8 ... Define Appropriate Payment Difference Reason Codes ... 227
7.3.9 ... Configure Mandatory Goods Receipt for Relevant Items ... 227
7.3.10 ... Remove Unlimited Overdelivery Capabilities ... 228
7.3.11 ... Configure Stochastic Invoice Blocking ... 228
7.3.12 ... Other Configuration Tips ... 229
7.4 ... Additional Procedures and Considerations ... 230
7.4.1 ... Implement Invoice Payment Completeness and Timeliness Procedures ... 230
7.4.2 ... Eliminate Duplicates from the Vendor Master and Material Master ... 231
7.4.3 ... Confirm Vendor Payables Balances ... 232
7.4.4 ... Standardize Naming Conventions ... 233
7.4.5 ... Review One-Time Vendor Usage ... 233
7.4.6 ... Closely Monitor Evaluated Receipts Activity ... 234
7.4.7 ... Periodically Review Authorization Limits ... 234
7.4.8 ... Monitor Effectiveness of Receiving Procedures ... 235
7.4.9 ... Monitor Vendor Payments and Payment Application ... 235
7.4.10 ... Limit, if not Prohibit, Manual Payments ... 235
7.5 ... Management Monitoring: SAP Report Highlights ... 236
7.5.1 ... Reports Identifying Changed Data ... 236
7.5.2 ... Incomplete Information or Processing ... 237
7.5.3 ... Potential Issues ... 238
7.6 ... Summary ... 238
8.1 ... The Audit Information System (AIS) ... 240
8.1.1 ... Accessing the AIS ... 240
8.1.2 ... Navigating the AIS ... 242
8.1.3 ... Using AIS to Prepare for your Audit ... 243
8.2 ... Computer Assisted Audit Techniques (CAATs) ... 244
8.2.1 ... Benefit of CAATs ... 246
8.2.2 ... Examples of CAATs in Common Business Cycles ... 247
8.2.3 ... Using CAATs in an SAP Environment ... 249
8.2.4 ... Specialized CAAT Tools ... 250
8.3 ... SAP BusinessObjects GRC Solutions ... 251
8.4 ... Continuous Auditing and Continuous Monitoring ... 252
8.5 ... Summary ... 253
9.1 ... Overview ... 255
9.2 ... Pre-Planning ... 256
9.3 ... Documentation: Preparing an Audit Binder ... 258
9.3.1 ... SAP System Information ... 259
9.3.2 ... SAP Support Team Organization Details ... 263
9.3.3 ... Policies and Procedures ... 265
9.3.4 ... Self-Assessment Procedures and Results ... 266
9.3.5 ... Known Weaknesses and Mitigation Procedures ... 268
9.4 ... Systems: Preparing for the Auditor ... 270
9.4.1 ... Creating and Testing Auditor IDs ... 270
9.4.2 ... Reconciling to a Non-Production Test Environment ... 271
9.4.3 ... Ensuring Resolution of Prior Audit Issues ... 271
9.5 ... Employees: Preparing Your Team ... 272
9.5.1 ... Explain the Audit Process ... 272
9.5.2 ... Establish Audit Ground Rules ... 272
9.5.3 ... Backfill Responsibilities ... 273
9.5.4 ... Perform a Readiness Review ... 273
9.6 ... Expert Advice ... 273
9.6.1 ... Having the Right Perspective ... 274
9.6.2 ... Having an Audit Mindset ... 276
9.6.3 ... Preparing in Advance ... 278
9.6.4 ... Being Organized ... 282
9.6.5 ... Participating in the Process, and Staying in Control ... 284
9.7 ... Summary ... 287