Many enterprises use SAP software to help them plan their resources and activities. Its flexibility and scope make it a challenge to audit.
SAP is highly configurable and implementations usually differ, even between the business units of a single firm, both financial and non-financial. At the same time, the effective operation of controls within the system's environment is critical to a robust financial and operational control environment. It is therefore important to gain a good understanding of how SAP is used in the organisation when establishing the audit scope and approach. Auditing an SAP environment introduces several unique complexities that can affect the audit scope and approach.
SAP covers most business processes, and because of the complexity of the system a minor change in a business process can have a direct effect on the audit procedures. Changes to the setup and configuration of the system, to the release strategy, or the creation of new processes may result in new modules and/or functionality in SAP, and as such additional risks need to be considered.
For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over purchase order approval may have been performed manually. But with the SAP implementation the client has decided to automate the approval process in SAP. The setup of the automated workflow process and of user access security is therefore critical to ensure that appropriate controls are maintained to mitigate the risks. This would involve testing automated controls instead of the manual controls over purchase orders.
Segregation and sensitivity
For an effective audit, the auditor needs to gain a good understanding of the design of SAP's authorisation concept (security design). In some cases, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. Therefore the review of the design and implementation of SAP security and access controls is important to ensure that appropriate segregation of duties is maintained and that access to sensitive transactions is well controlled.
Segregation of duty conflicts can arise when a user is given access to two or more conflicting transactions, for example creating a purchase order and amending vendor master data. A clear mapping of the business processes and identification of the roles and responsibilities involved in those processes is essential in the design of access controls and in auditing security effectively.
In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries, or amending and deleting audit logs. In an SAP audit such sensitive transactions would need to be considered during the planning phase.
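As an added illustration, not code from the original article, the following Python script checks a constructed user-to-role-to-transaction mapping for the conflict described above (creating a purchase order while also amending vendor master data) and flags access to sensitive transactions such as G/L master and recurring entry maintenance. The transaction codes are standard SAP codes; the role names, user assignments and conflict rules are assumptions made for the example.

```python
# Added example (not the article's own code): a simple segregation-of-duties
# (SoD) and sensitive-access check over a constructed role/user mapping.
# The transaction codes are standard SAP tcodes; roles, users and rules are
# assumptions made for this illustration.

# Role -> set of transaction codes it grants (constructed).
ROLE_TCODES = {
    "Z_PURCHASER":    {"ME21N", "ME22N"},   # create / change purchase order
    "Z_VENDOR_ADMIN": {"XK01", "XK02"},     # create / change vendor master
    "Z_GL_ADMIN":     {"FS00", "FBD1"},     # G/L account master, recurring entries
    "Z_AP_CLERK":     {"FB60", "MIRO"},     # post vendor invoice / invoice verification
}

# User -> roles assigned (constructed).
USER_ROLES = {
    "alice": ["Z_PURCHASER", "Z_AP_CLERK"],
    "bob":   ["Z_PURCHASER", "Z_VENDOR_ADMIN"],
    "carol": ["Z_GL_ADMIN"],
}

# Conflict rules: a single user must not hold both transactions (constructed).
SOD_RULES = {
    frozenset({"ME21N", "XK02"}): "create PO and amend vendor master",
    frozenset({"FB60", "XK02"}):  "post vendor invoice and amend vendor master",
    frozenset({"ME21N", "MIRO"}): "create PO and verify invoice against it",
}

# Transactions the business treats as sensitive (the article's examples).
SENSITIVE_TCODES = {"FS00": "amend G/L master", "FBD1": "amend recurring entries"}

def user_tcodes(user):
    """Union of all transaction codes a user reaches through their roles."""
    tcodes = set()
    for role in USER_ROLES.get(user, []):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes

def sod_conflicts(user):
    """Return sorted descriptions of every SoD rule the user violates."""
    held = user_tcodes(user)
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= held)

def sensitive_access(user):
    """Return sorted descriptions of sensitive transactions the user can run."""
    return sorted(SENSITIVE_TCODES[t] for t in user_tcodes(user) if t in SENSITIVE_TCODES)

def audit_report():
    """One finding list per user, for the planning phase of the audit."""
    return {u: {"sod": sod_conflicts(u), "sensitive": sensitive_access(u)}
            for u in USER_ROLES}
```

In a real review the role and user tables would be extracted from the system's authorisation data rather than typed in, but the rule evaluation is the same.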
Organisations can tailor the SAP system to fit their business needs, which includes choosing from a range of configurable and inherent controls. Understanding the selection process behind these controls is important to the audit approach. Allowing purchase orders, for example, to be approved automatically by the system is considered a configurable automated control.
However, the client may also choose not to implement this functionality and to address the risk through a manual control instead. Auditors need to understand the controls the client has chosen to implement and the matrix of controls on which they place reliance to mitigate one or more risks.
Types of Controls
In SAP there are four types of controls that an audit client can use in order to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.
Typically, access and configurable controls are performed by the SAP system and are preventive in nature. On the other hand, manual controls such as manual reviews of reports are performed by an employee and are largely detective in nature. For example, in the procure-to-pay (P2P) process of SAP there are standard automated controls such as three-way matching (matching of purchase orders, goods receipts and invoices). The client may choose to adopt four-way matching, or two-way matching of invoices, thus requiring customisation to suit their particular processes.
Each client will use a different mix of controls in order to achieve their particular control objectives, and because of the complexity of SAP software, auditing around the system to gain control assurance is not an option. Therefore the audit approach needs to be tailored appropriately for each situation. It is also important to highlight that SAP provides several controls that are inherent within the SAP environment. An example of an inherent control is that journal entries must balance before posting in SAP.
In SAP it is important to understand the relationship between configurable controls and access controls. In order to achieve the control objective there may be a combination of configurable and access controls that together create a control solution. For example, "Purchase orders above £1m get blocked automatically and cannot be processed." This sounds like a configurable control, but is in fact both a configurable control and an access control, as it depends on the configuration of the Purchasing Release Strategy within SAP and on who has access to create and approve a PO.
Another example is "Purchase orders over US$1m must be approved by the manager." This seems like an access control, but it is a configurable control as well because of the configuration required for the release strategy. In fact, these are complementary controls: two controls covering the same risk together. Without one of them, the other cannot cover the risk to the same precision. The auditor must test both the configuration and the access aspects of these controls, so it is important that they are understood by the auditor and classified correctly.
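To make the complementary-controls point concrete, here is an added Python model (not from the original article) of the "POs above £1m are blocked unless released" control. The threshold value, user names and release authorisations are constructed assumptions; the point is that removing either the configured threshold or the access restriction leaves the risk uncovered.

```python
# Added example (not the article's own code): a model of the two complementary
# controls behind "POs above £1m are blocked unless released". The threshold,
# user names and release authorisations are constructed assumptions.
from decimal import Decimal

# Configurable control: the release strategy threshold (constructed value).
RELEASE_THRESHOLD = Decimal("1000000")

# Access control: which users hold the release authorisation (constructed).
RELEASE_AUTH = {"dana": True, "erik": False}


def process_po(user, po_value, threshold=RELEASE_THRESHOLD, release_auth=RELEASE_AUTH):
    """Return 'posted', 'released' or 'blocked' for a purchase order.

    threshold=None models a system where no release strategy is configured.
    """
    if threshold is None or po_value <= threshold:
        return "posted"      # configurable control not triggered (or absent)
    if release_auth.get(user, False):
        return "released"    # access control: user holds release authorisation
    return "blocked"         # both controls in place and the user lacks access


def control_findings(threshold=RELEASE_THRESHOLD, release_auth=RELEASE_AUTH):
    """Audit both halves of the control; a gap in either weakens the whole."""
    findings = []
    if threshold is None:
        findings.append("release strategy not configured: no PO is ever blocked")
    if release_auth and all(release_auth.values()):
        findings.append("release authorisation held by every user: the block is cosmetic")
    return findings
```

The two `control_findings` checks correspond to the two things the auditor must test: the release strategy configuration and the assignment of release authorisation.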
SAP is a process-based ERP system and each SAP instance may have different risks associated with it. The ability to customise and tailor the system, together with its inherent complexity, significantly increases the overall complexity of security configurations and leads to potential security vulnerabilities. Segregation of duty conflicts, errors and flaws therefore become more likely.
Every client has different business processes, products and services, and systems that suit their environment. Designing the process effectively in SAP is essential to mitigate the risks associated with inadequate or failed business processes. An effective audit approach should therefore include an assessment of risks and an understanding of the business process mapping for each SAP instance.
Given that the system is highly customisable, process driven and allows a variety of control options, each SAP instance is likely to have a different risk profile. Further, within SAP, the risk profile of different modules and sub-modules such as financials (FI), materials management (MM), sales and distribution (SD), payroll, human capital (HC), business information warehouse (BW), customer relationship management (CRM) and so on will differ.
The wide range of business operations that SAP software covers makes it impractical to address them all in a single audit. To complete a full audit of SAP, it is appropriate to consider a rotation approach. This may involve planning reviews of each SAP business process, module and sub-module, of system configuration and change management, and of system security, including the design of segregation of duties and access levels. This ensures that the audits are performed using appropriately skilled resources and cover every risk area, including business process, security and related controls. These areas can then be assessed properly to identify gaps and control weaknesses and to recommend appropriate steps to resolve issues.
In addition to the above issues, SAP systems are also upgraded and enhanced periodically to meet ever-changing business requirements. In the current economic climate, companies are faced with shifting threats in the environment that affect their business processes.
The purpose of a risk-based approach is to allow auditors to tailor the review to the areas of business risk, giving greater focus to audit areas with high-risk potential. The complexity of the SAP system and its related business processes, as indicated above, may lend itself to greater inherent risk and control risk, which need to be taken into account in planning the audit.
The risk-based approach should include general risk analysis, analytical audit procedures, systems and process based fieldwork, and substantive testing. In this way, an auditor can perform the audit efficiently with a degree of reliability, as well as optimising the time and effort it involves. It is therefore essential that a top-down, risk-based audit approach is adopted to review SAP effectively.