Table of Contents

Preface  15
1 Introduction  25
1.1 Audit Overview  25
1.2 Types of Auditors  26
1.2.1 Internal Auditors  27
1.2.2 External Auditors  27
1.2.3 Specialty Auditors  30
1.3 Categories of Audit Objectives  31
1.4 Auditing Principles and Considerations  33
1.4.1 Independence  33
1.4.2 Objectivity  34
1.4.3 Professional Skepticism  35
1.4.4 Evidence  37
1.5 Understanding the Audit  38
1.5.1 Risk-Based Auditing  38
1.5.2 Internal Controls  39
1.5.3 Thinking Like an Auditor  43
1.5.4 Applying Audit Investigative Techniques  45
1.6 Audit Reporting  47
1.6.1 Reporting Process  47
1.6.2 Responding to Preliminary Audit Issues  48
1.6.3 Negotiating Issues  48
1.6.4 Report Distribution  49
1.6.5 Management Response and Follow-Up  50
1.7 Rules of Engagement  50
1.7.1 Understanding the Audit Objective  50
1.7.2 Working with the Auditor  50
1.7.3 Establishing the Audit Environment  51
1.7.4 Do’s and Don’ts  51
1.8 Summary  51
2 Overview of the Typical SAP Audit  53
2.1 Timing for the SAP Audit  53
2.1.1 Pre-Implementation Review  54
2.1.2 Post-Implementation Review  55
2.1.3 Ongoing SAP Operations Review  55
2.2 The Building Blocks of an SAP Audit  56
2.2.1 Project Management (Implementations and Upgrades)  59
2.2.2 General Computer Controls  61
2.2.3 SAP Basis Settings and Security  63
2.2.4 SAP Component-specific Technical Settings  66
2.2.5 Business Processes Enabled by SAP  68
2.3 Common Problems and Solutions  70
2.3.1 Risk Assessment and Internal Control Design  71
2.3.2 Process Inconsistency  72
2.3.3 Documentation  73
2.3.4 Periodic SAP User Reviews  75
2.3.5 Non-Standard Process Monitoring  76
2.3.6 User Education and Understanding  76
2.3.7 Master Data Control  77
2.4 The Start of the Audit  78
2.4.1 Planning  79
2.4.2 Fieldwork  81
2.4.3 Reporting  82
2.4.4 Follow-up  85
2.5 Summary  86
3 SAP Implementations and Upgrades  87
3.1 Reasons for Considering Internal Controls During an Implementation  89
3.1.1 Regulatory Requirements  90
3.1.2 Business Partner Relationships  92
3.1.3 Cost to the Business  93
3.1.4 Process Verification  94
3.1.5 Control Redesign and Optimization  94
3.1.6 Upgrade-Specific Benefits  95
3.2 Creating a Control-Conscious Implementation  96
3.2.1 Implementation Team Skills and Knowledge  98
3.2.2 Setting the Stage for Effective Control Design  101
3.2.3 Reporting Issues and Progress  102
3.2.4 Working with Auditors  104
3.3 Designing Effective Controls  107
3.3.1 Defining Relevant Processes and Sub-processes  108
3.3.2 Creating the Risk Inventory  108
3.3.3 Linking Controls to Risks  110
3.3.4 Tracking Control Design Progress  113
3.3.5 Additional Risks Resulting from Control Decisions  114
3.3.6 Other Areas of Consideration  115
3.4 Control Considerations by Implementation Phase  116
3.4.1 Planning  116
3.4.2 Design  118
3.4.3 Configuration  119
3.4.4 Data Conversion  120
3.4.5 Testing  121
3.4.6 Training  122
3.4.7 Go-Live  123
3.4.8 Summary of Control Considerations by Phase  123
3.5 Summary  125
4 The Foundation for an SAP Audit: General Computer Controls, SAP Basis Settings and Security  127
4.1 General Computer Controls  127
4.1.1 Overview  128
4.1.2 Standards  130
4.1.3 GCC Highlights for an SAP Audit  133
4.1.4 GCCs Summary  141
4.2 SAP Basis Settings and Security  141
4.2.1 SAP Basis System Audit Highlights  142
4.2.2 SAP Security Highlights  144
4.3 Summary  148
5 Financial Reporting Cycle  149
5.1 Risks  149
5.2 Security and Master Data  151
5.2.1 Preventing Segregation of Duties Conflicts  152
5.2.2 Restricting Postings to Functional Areas  153
5.2.3 Limiting Access to Powerful Transactions  154
5.2.4 Establishing Controls and Security over Master Data  154
5.3 SAP Configurable Control Considerations  158
5.3.1 Configure SAP Data Quality Checks  159
5.3.2 Enhance Controls over SAP General Ledger Postings  163
5.3.3 Reduce Asset Management Errors  165
5.3.4 Other Configuration Tips  166
5.4 Additional Procedures and Considerations  167
5.4.1 Maintain and Follow a Closing Checklist  167
5.4.2 Implement Procedures to Resolve All Parked and Held Documents Prior to Closing  168
5.4.3 Confirm Receivables and Payables Account Balances  168
5.4.4 Establish Procedures for Verifying Asset Management Activities  170
5.5 Management Monitoring: SAP Report Highlights  170
5.5.1 Reports Identifying Changed Data  170
5.5.2 Incomplete Information  172
5.5.3 Potential Issues  173
5.6 Summary  173
6 Order-to-Cash Cycle  175
6.1 Risks  175
6.2 Security and Master Data  178
6.2.1 Preventing Segregation of Duties Conflicts  178
6.2.2 Restricting Transactions to Functional Sales Areas  179
6.2.3 Limiting Access to Powerful Transactions  180
6.2.4 Establishing Controls and Security over Master Data  181
6.3 SAP Configurable Control Considerations  185
6.3.1 Configure SAP Data Quality Checks  185
6.3.2 Configure Minimum Pricing Rules  188
6.3.3 Establish Dual Control over Sensitive Fields  189
6.3.4 Configure Credit Checking to Minimize Business Risk  190
6.3.5 Establish Document Flow Control  192
6.3.6 Enhance Controls over Returns and Credits  194
6.3.7 Define Appropriate Dunning Procedures  196
6.3.8 Other Configuration Tips  196
6.4 Additional Procedures and Considerations  196
6.4.1 Implement Order Entry Completeness and Timeliness Procedures  197
6.4.2 Provide Order Confirmations  197
6.4.3 Eliminate Duplicates from the Material Master and Customer Master  197
6.4.4 Establish Procedures for Verifying Pricing Conditions  198
6.4.5 Review One-Time Customer Usage  200
6.4.6 Monitor Customer Payments and Payment Application  200
6.5 Management Monitoring: SAP Report Highlights  201
6.5.1 Reports Identifying Changed Data  201
6.5.2 Incomplete Information or Processing  202
6.5.3 Customers Exceeding Credit Limits  206
6.5.4 Potential Issues  207
6.6 Summary  207
7 Purchase-to-Pay Cycle  209
7.1 Risks  210
7.2 Security and Master Data  213
7.2.1 Preventing Segregation of Duties Conflicts  213
7.2.2 Restricting Transactions to Functional Purchasing Organizations  214
7.2.3 Limiting Access to Powerful Transactions  214
7.2.4 Establishing Controls and Security over Master Data  215
7.3 SAP Configurable Control Considerations  219
7.3.1 Configure SAP Data Quality Checks  219
7.3.2 Establish Dual Control over Sensitive Fields  224
7.3.3 Ensure Robust Release Strategy Configuration  224
7.3.4 Require Purchase Requisition Reference  226
7.3.5 Strengthen Controls over Blanket POs  226
7.3.6 Use Source Determination When Possible  226
7.3.7 Prevent Reversal of Goods Receipt after Invoice Processing  226
7.3.8 Define Appropriate Payment Different Reason Codes  227
7.3.9 Configure Mandatory Goods Receipt for Relevant Items  227
7.3.10 Remove Unlimited Overdelivery Capabilities  228
7.3.11 Configure Stochastic Invoice Blocking  228
7.3.12 Other Configuration Tips  229
7.4 Additional Procedures and Considerations  230
7.4.1 Implement Invoice Payment Completeness and Timeliness Procedures  230
7.4.2 Eliminate Duplicates from the Vendor Master and Material Master  231
7.4.3 Confirm Vendor Payables Balances  232
7.4.4 Standardize Naming Conventions  233
7.4.5 Review One-Time Vendor Usage  233
7.4.6 Closely Monitor Evaluated Receipts Activity  234
7.4.7 Periodically Review Authorization Limits  234
7.4.8 Monitor Effectiveness of Receiving Procedures  235
7.4.9 Monitor Vendor Payments and Payment Application  235
7.4.10 Limit, if not Prohibit, Manual Payments  235
7.5 Management Monitoring: SAP Report Highlights  236
7.5.1 Reports Identifying Changed Data  236
7.5.2 Incomplete Information or Processing  237
7.5.3 Potential Issues  238
7.6 Summary  238
8 SAP Audit Tricks and Tools  239
8.1 The Audit Information System (AIS)  240
8.1.1 Accessing the AIS  240
8.1.2 Navigating the AIS  242
8.1.3 Using AIS to Prepare for your Audit  243
8.2 Computer Assisted Audit Techniques (CAATs)  244
8.2.1 Benefit of CAATs  246
8.2.2 Examples of CAATs in Common Business Cycles  247
8.2.3 Using CAATs in an SAP Environment  249
8.2.4 Specialized CAAT Tools  250
8.3 SAP BusinessObjects GRC Solutions  251
8.4 Continuous Auditing and Continuous Monitoring  252
8.5 Summary  253
9 Final Audit Preparations  255
9.1 Overview  255
9.2 Pre-Planning  256
9.3 Documentation: Preparing an Audit Binder  258
9.3.1 SAP System Information  259
9.3.2 SAP Support Team Organization Details  263
9.3.3 Policies and Procedures  265
9.3.4 Self-Assessment Procedures and Results  266
9.3.5 Known Weaknesses and Mitigation Procedures  268
9.4 Systems: Preparing for the Auditor  270
9.4.1 Creating and Testing Auditor IDs  270
9.4.2 Reconciling to a Non-Production Test Environment  271
9.4.3 Ensuring Resolution of Prior Audit Issues  271
9.5 Employees: Preparing Your Team  272
9.5.1 Explain the Audit Process  272
9.5.2 Establish Audit Ground Rules  272
9.5.3 Backfill Responsibilities  273
9.5.4 Perform a Readiness Review  273
9.6 Expert Advice  273
9.6.1 Having the Right Perspective  274
9.6.2 Having an Audit Mindset  276
9.6.3 Preparing in Advance  278
9.6.4 Being Organized  282
9.6.5 Participating in the Process, and Staying in Control  284
9.7 Summary  287
The Author  289
Index  291