Auditing SAP - A Proactive Approach…
TRANSCRIPT
© 2010 Protiviti Inc
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
February 19th, 2010
Protiviti Introductions
Steve Cabello, Managing Director
Over 20 years of Internal Audit and SAP project experience
Kevin Erlandson, Associate Director
Over 15 years of Industry, Implementation and SAP audit experience
Tonight's Agenda
Defining the SAP Risk Universe
Key SAP Risks and Internal Audit Focus Areas
SAP Security
SAP Business Processes and Configurable Controls
SAP Transaction Processing and Analytics
Audit Considerations
Questions
Who is Protiviti?
We bring a unique blend of knowledge and experience to the table which combines the focus, dedication and independence of a specialist firm with the methodologies & tools, global presence, and deep skill-sets of the Big 4 or larger consulting firms.
Who we are
• The leading provider of completely independent risk consulting and internal audit services
• 35% of the Fortune 100 are our clients
• Over 2,500 experienced professionals in over 63 offices worldwide
• Protiviti is a wholly owned subsidiary of RHI
What we do
Consulting: Finance Process Transformation; CIO Solutions; Business Operations; Governance Risk & Compliance; Financial Risk Strategy Management; Enterprise Application Solutions; Enterprise Information Management
Internal Audit: Internal Audit Start-Up; Co-Sourcing; Outsourcing; Internal Audit Transformation; Risk Assessment; Sarbanes-Oxley Compliance
What makes us different
Boutique: responsive client service; lack of SEC restrictions; independent from attest & tax services; better teaming with external auditors; focus on core offerings
Big Four: methodologies & tools; experienced professionals; depth of risk consulting services; financial & management stability; recognized global presence
Protiviti combines the strengths of the large consulting companies and independent alternatives…without compromise
Our Enterprise Application Solutions Group
(Figure: Pre-Implementation / Post-Implementation / Manage Risk)
Protiviti's Enterprise Application Solutions are relevant whether an organization is implementing SAP for the first time or trying to improve their current installation. Our team includes professionals with years of application implementation, assessment and improvement experience who utilize our powerful methodologies and tools to help clients effectively leverage their enterprise applications into holistic, integrated compliance and risk management solutions.
We help our clients with:
• Application Security and Segregation of Duties – evaluate and design effective user roles and segregation of duty (SoD) frameworks, security administration processes and global security parameters.
• Automated Application Controls Design and Enhancement – evaluate and optimize the operating effectiveness of key application configurations and features used to support internal control and other compliance efforts while reducing reliance on inefficient manual control techniques.
• Implementation Project Risk Management – align project delivery with internal control and compliance objectives for their application implementations or upgrades and provide an independent perspective through assessment, monitoring and reporting of project risks throughout the project lifecycle.
• ERP Audits – improve the quality and efficiency of application audits and assessments by utilizing specialized knowledge, experience and tools to manage the unique complexities of application control documentation and testing.
• ERP Selections – Protiviti's team combines management skills, knowledge of the ERP landscape, in-depth knowledge of business processes, experience with ERP systems implementations and a unique perspective on compliance and risk management. We help companies select the "best fit" solution and create a pragmatic implementation road map and process.
• GRC Software Implementation – select, plan and integrate powerful software tools and supporting processes that improve internal control and compliance capabilities.
Defining the SAP Risk Universe
SAP Risk Universe – the Big Picture
There are many risks in the context of ERP / SAP environments:
General IT Risks
• Application Interface Controls
• IT Infrastructure Controls
• Change Management
• Security Administration
• Backup and Recovery
Other Project / Implementation Risks
• Project Risks
• Transaction and Master Data Conversion
• Testing and Training Strategy
• Go/No Go Decision Criteria
• Post Go-Live Support Requirements
* SAP Security Risks
• Security Standards
• Segregation of Duties and Sensitive Access
• Powerful Users Access Management
• User and Role Provisioning Process
* SAP Business Process and Transactional Data Risks
• Configurable Application Controls
• Detective / Monitoring Controls / Reports
• Procedural Business Process Controls
• SOX Controls (compliance purposes)
* Continuous monitoring applications and processes
• Control Documentation Update, Compliance and Risk Management Optimization and GRC Software Configuration
(Figure: the risk universe sits within the GRC and ERM framework, overseen by the Steering Committee, the Board of Directors, Compliance (Regulatory Requirements) and External / Internal Audit.)
SAP Risks and Implementation / Lifecycle Stages
Each SAP implementation phase or project brings new challenges and risks to your control environment. Risks will vary according to the state of your SAP environment:
Where are you now?
Net New
• Implementing SAP for the first time
• Replacing legacy systems
• Developing new interfaces and implementing new processes
Rollout
• Applying SAP template/model to different locations or business processes or outsourcing entities
Upgrade (Technical / Functional)
• Re-engineering SAP processes and/or configuration
• Consolidating SAP instances
Maintenance
• Live with SAP for some time; focus is maintenance
• May upgrade in the future
Each of the above project stages will bring compliance risks around
Risk Area 1: SAP Security
Key Concepts: ECC Security
• SAP security restricts users from performing functions. Security must grant
authorizations to a user before he / she is able to execute transactions. This is
known as the authorization concept.
• SAP security is so complex because of the need to limit access to different
components like company codes, plants, particular customer or vendor accounts,
payroll information, pricing, rebates, etc.
• SAP security is client-specific.
• The architecture of the authorization system is built upon the use of several components:
– Roles
– Profiles
– Authorizations
– Objects
– Fields
(Diagram: Business View vs. SAP ECC View. Employee maps to User ID; Job Description maps to Roles / Profiles; Job Functions map to Authorizations, which are expressed through Objects, Transactions and Fields. The same diagram accompanies each of the ECC Security slides below.)
ECC Security: Roles / Profiles
Roles / Profiles:
• Roles are the commonly used security building blocks, and usually unique to each
organization.
• Roles typically resemble a job description of an organization, such as sales representative,
accountant, warehouse staff, etc.
• Roles may be structured as simple roles or composite roles.
– Simple roles are typically used for one business process, e.g., Manage Posting Periods.
– Composite roles are a combination of simple roles, e.g., G/L Supervisor.
ECC Security: Authorizations
Authorizations:
• Authorizations are specific permissions. Authorizations can be used to:
– Restrict access to a specific transaction code.
– Restrict access to create, change, display documents in a particular company code.
• SAP automatically queries all access assigned to a user and populates a system table with all of the provided authorizations.
• When a user attempts to execute a transaction, the system searches for an authorization in this table that satisfies the required criteria. If the system cannot find this authorization, then the user's access to this function is denied.
ECC Security: Objects and Fields
Objects:
• Authorizations in profiles are defined based on Authorization Objects.
• An authorization object groups together authorization fields in an AND relationship in order
to check whether a user is allowed to perform a certain action.
• To pass an authorization test for an object, the user must satisfy the authorization check for
each field in the object.
• Example: M_BANF_EKG is the Purchasing Group in Purchase Requisition object.
Fields:
• Fields determine the type of permissible activity such as Create, Change, Display, etc.
• They also define levels of access such as company code, plant, division, etc.
• Example: When the value for field ACTVT equals 01 (for the object M_BANF_EKG), authorization to Create or Generate the PR has been granted.
ECC Security: Transactions
• A transaction (transaction code, or t-code) is a command that directs the system to a
function. Every possible function is represented by a transaction code.
• A t-code may contain only letters, such as SPRO (IMG), or a combination of letters &
numbers, such as ME51N (Create Purchase Requisition).
• In SAP, you may use transaction codes as an alternative or shortcut to using the navigation
path to get to a system task.
• For example, instead of following the navigation path Logistics -> Materials Management -> Purchasing -> Requisitions -> Create a Requisition from the SAP Menu to create a new PR, the user can type ME51N into the Command field. In either case, the "Create: Purchase Requisition: Initial Screen" is displayed.
User Access Concepts – Detailed level
Scenario: User executes transaction FB50 (Post GL Entry)
Step 1. SAP checks for access rights to the authorization object for the transaction code:
S_TCODE = FB50 (T-CODE = FB50)
Step 2. SAP checks for access rights to authorization restrictions:
F_BKPF_BUK = 1000 (Company code)
+ F_BKPF_BUP = 01 (Posting period)
+ F_BKPF_KOA = 003 (Business area)
+ F_BKPF_GSB = K (Account type)
NOTE: there are thousands of authorization object combinations in SAP.
Result: If the user's roles have been set up to provide this access, the user will be able to successfully post an accounting document via transaction code FB50.
How SAP Access Exposures Arise
In the context of Information Systems, there are 2 types of common access exposures that arise:
1. From a role defined with excessive or conflicting privileges: conflicting privileges introduce risk when assigned to a user through a single role (User -> Auth. Object -> Privilege A and Privilege B).
2. From multiple roles assigned to a user such that the cumulative privileges are excessive or conflicting: conflicting privileges introduce risk when assigned to a user through multiple roles (User -> Auth. Object -> Privilege A, plus User -> Auth. Object -> Privilege B).
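The two exposure types above, worked as an added example (not from the Protiviti deck or any GRC product): a small SoD rule set, role contents and user assignments, all constructed, are analysed at role level and at user level, and each user finding is attributed to type 1 (both functions inside one role) or type 2 (functions accumulated across roles). The t-codes are standard SAP transactions, but the function groupings and role names are assumptions made for the illustration.

```python
"""Segregation-of-duties check that distinguishes the two exposure types:
type 1 = conflicting functions inside a single role,
type 2 = conflicting functions accumulated across a user's roles.

Constructed example (not Protiviti's or a GRC product's code): the rule set,
role contents and user assignments are made up; the t-codes are standard SAP
transactions, but the function groupings are an assumption for illustration.
"""

# Constructed SoD rule set: business function -> t-codes that perform it.
FUNCTIONS = {
    "VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},   # create / change vendor
    "INVOICE_ENTRY": {"MIRO", "FB60"},                   # enter supplier invoice
    "PAYMENT_RUN": {"F110", "F-53"},                     # pay the vendor
}
# Pairs of functions one person should not hold together.
CONFLICT_RULES = [
    ("VENDOR_MASTER", "INVOICE_ENTRY"),
    ("VENDOR_MASTER", "PAYMENT_RUN"),
    ("INVOICE_ENTRY", "PAYMENT_RUN"),
]
# Constructed roles (name -> t-codes) and user assignments.
ROLES = {
    "AP_CLERK": {"MIRO", "FB60", "FB03"},
    "AP_SUPER": {"XK01", "XK02", "MIRO", "F-53"},   # built with conflicting privileges
    "VENDOR_MAINT": {"XK01", "XK02"},
    "TREASURY": {"F110", "F-53"},
    "DISPLAY_ONLY": {"FB03", "XK03"},
}
USERS = {
    "alice": ["AP_CLERK", "DISPLAY_ONLY"],
    "bob": ["AP_SUPER"],
    "carol": ["VENDOR_MAINT", "TREASURY"],
    "dave": ["AP_CLERK", "VENDOR_MAINT"],
}


def role_functions(role):
    """Map each SoD function to the t-codes in the role that perform it."""
    tcodes = ROLES[role]
    return {f: sorted(tcodes & codes) for f, codes in FUNCTIONS.items() if tcodes & codes}


def role_conflicts(role):
    """Role-level analysis (exposure type 1): rules a role violates on its own."""
    have = role_functions(role)
    return [(a, b) for a, b in CONFLICT_RULES if a in have and b in have]


def user_conflicts(user):
    """User-level analysis: every rule the user violates, with the exposure
    type and the roles / t-codes that supply each side of the conflict."""
    per_role = {r: role_functions(r) for r in USERS[user]}
    findings = []
    for a, b in CONFLICT_RULES:
        via_a = {r: f[a] for r, f in per_role.items() if a in f}
        via_b = {r: f[b] for r, f in per_role.items() if b in f}
        if not via_a or not via_b:
            continue                                  # one side missing: no conflict
        single = sorted(set(via_a) & set(via_b))      # roles holding both sides
        findings.append({
            "rule": (a, b),
            "type": 1 if single else 2,
            "roles": single or sorted(set(via_a) | set(via_b)),
            "via": {a: via_a, b: via_b},
        })
    return findings


def report():
    """Plain-text lines in the spirit of a detail user SOD conflict report."""
    lines = []
    for user in USERS:
        for f in user_conflicts(user):
            lines.append(f"{user}: {f['rule'][0]} vs {f['rule'][1]} "
                         f"(type {f['type']}, roles {', '.join(f['roles'])})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```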
Security Exposures – common problem uncommonly found
By default, SAP grants the highest amount of authorizations assigned to a user.
For instance: A user has these two roles assigned:
• MANAGER_UK: allows users to post documents to UK companies
• CLERK_US: allows users to post outgoing payments in US companies.
This is not necessarily an SOD violation, but when the 'company code' authorization object is assigned to both roles, the user will get access to company codes in the UK and the US.
Role:         MANAGER_UK                     +  CLERK_US
T-code:       FB50 (Post GL)                    F-53 (Post payment)
Auth Obj:     F_BKPF_BUK (Comp. Code)           F_BKPF_BUK (Comp. Code)
Field/Value:  01 (Create), BUKRS (not set)      01 (Create), BUKRS (not set)
= Access to UK and US GL Posting and Payments
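The two-step FB50 check (Step 1 S_TCODE, Step 2 object fields in AND relationship) and the MANAGER_UK / CLERK_US accumulation above, as an added example written for this transcript and not Protiviti's or SAP's code. Company codes UK01 and US01 are constructed, the check list is reduced to S_TCODE and F_BKPF_BUK, and a field the slide calls "not set" is modelled as unrestricted, which is the behaviour the slide describes; the example also goes one step further and shows that the accumulation survives when each role restricts BUKRS to its own country, because S_TCODE and F_BKPF_BUK are checked independently against everything in the user's buffer.

```python
"""Model of the SAP authorization check (Step 1: S_TCODE, Step 2: object
fields ANDed) applied to the MANAGER_UK / CLERK_US accumulation example.

Constructed illustration, not SAP or Protiviti code: company codes UK01 and
US01 are made up, and a field the slide calls "not set" is modelled as
unrestricted, which is the behaviour the slide describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One authorization: an object plus a value set per field. A field that
    is missing from `fields` is 'not set'; {"*"} is explicit full access."""
    obj: str
    fields: dict


@dataclass(frozen=True)
class Role:
    name: str
    authorizations: tuple


def user_buffer(roles):
    """SAP loads the authorizations of every assigned role into one buffer,
    so the user holds the union of all roles' privileges."""
    return [a for r in roles for a in r.authorizations]


def authority_check(buffer, obj, required):
    """Passes if at least one authorization for `obj` satisfies EVERY required
    field (fields are ANDed inside one authorization; separate authorizations
    for the same object are ORed)."""
    for auth in buffer:
        if auth.obj != obj:
            continue
        satisfied = True
        for fld, value in required.items():
            allowed = auth.fields.get(fld)      # None -> not set -> unrestricted
            if allowed is not None and "*" not in allowed and value not in allowed:
                satisfied = False
                break
        if satisfied:
            return True
    return False


def can_execute(buffer, tcode, object_checks):
    """Step 1: the transaction start needs S_TCODE. Step 2: each business
    object check (here F_BKPF_BUK for company code) must pass as well."""
    if not authority_check(buffer, "S_TCODE", {"TCD": tcode}):
        return False
    return all(authority_check(buffer, obj, req) for obj, req in object_checks)


def posting_checks(company_code):
    """Reduced check list for FB50 / F-53: create (ACTVT 01) in the company code."""
    return [("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": company_code})]


def build_roles(restrict_bukrs):
    """The slide's two roles. restrict_bukrs=False leaves BUKRS 'not set' as on
    the slide; True restricts each role to its own country's company code."""
    uk = {"BUKRS": {"UK01"}} if restrict_bukrs else {}
    us = {"BUKRS": {"US01"}} if restrict_bukrs else {}
    manager_uk = Role("MANAGER_UK", (
        Authorization("S_TCODE", {"TCD": {"FB50"}}),
        Authorization("F_BKPF_BUK", {"ACTVT": {"01"}, **uk}),
    ))
    clerk_us = Role("CLERK_US", (
        Authorization("S_TCODE", {"TCD": {"F-53"}}),
        Authorization("F_BKPF_BUK", {"ACTVT": {"01"}, **us}),
    ))
    return manager_uk, clerk_us


def effective_access(roles, company_codes=("UK01", "US01")):
    """Which (t-code, company code) pairs the combined roles actually allow."""
    buf = user_buffer(roles)
    return {(tcode, cc): can_execute(buf, tcode, posting_checks(cc))
            for cc in company_codes for tcode in ("FB50", "F-53")}


if __name__ == "__main__":
    for restrict in (False, True):
        print(f"BUKRS restricted per role: {restrict}")
        for (tcode, cc), ok in sorted(effective_access(build_roles(restrict)).items()):
            print(f"  {tcode} in {cc}: {'ALLOWED' if ok else 'denied'}")
```

The second run shows why "company code in both roles" is the real problem: the FB50 start is satisfied by MANAGER_UK and the F_BKPF_BUK check for US01 by CLERK_US, so the user still posts G/L documents in the US.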
Complexity of SAP Security
(Diagram: many-to-many chain Transaction -> Object -> Single Role -> Derived Role -> Composite Role -> User. Transactions shown: FB05, MB1A, F-29, MB21, MB01. Authorization objects shown: F_BKPF_GSB, F_BKPF_BUP, M_MSEG_BWA, M_MSEG_LGO, S_TCODE, M_MSEG_BWE, F_BKPF_BUK, M_MRES_BWA, F_BKPF_KOA. Single roles S1 to S5 feed composite roles C1 to C3, which are assigned to users.)
Key Risks in Your SAP Security Environment
Security risks may vary depending on your company's implementation / lifecycle stage, organizational complexity, security design, the tools you use and the steps you take to assess security risks.
The most common SAP Security risks our clients face are (table columns: Key Risks | Net New | Rollout | Upgrade | Maint.):
1. Creating / assigning roles with excessive / too little access
2. Creating / assigning conflicting roles
3. Not testing security exposures prior to migrating roles to PRD or assigning roles to users
4. Deviating from security standards
5. Generating SOD conflicts across applications
6. Monitoring tool not capturing real violations or false positive reporting
7. Incomplete implementation of monitoring tool: configuration, integration with provisioning process
8. Inadequate mitigating controls
9. Lack of super user monitoring
10. Inadequate / inefficient user access provisioning process
What You Can Do to Proactively Mitigate Security Risks
Control Focus Areas by lifecycle stage:
Net New
• Provide input to security standards
• Review/signoff on role design
• Educate security and process teams around controls
• Test SOD conflicts prior to go-live and during integrated testing rounds (at role, position and user level) and provide remediation feedback
• Flag roles with sensitive access to minimize assignment
• Provide input on security monitoring tool implementation
Rollout
• Review/signoff on role design and assignment
• Test SOD and SA during rollout to confirm adherence with compliance standards
• Help identify and assign mitigating controls
• Help confirm end users are executing assigned mitigating controls
• Help confirm that security monitoring tools are used properly – procedures, roles and responsibilities are defined
Upgrade
• Review/signoff on role design and assignment
• Test SOD and SA during upgrade to confirm adherence with compliance standards
• Review/adjust security monitoring tool to reflect new transactions and functionality
Maintenance
• Review/signoff on role design updates
• Assess SOD / SA exposures
• Assist in remediation of security failures
• Review/adjust SOD rules to reflect new transactions and functionality
• Help confirm end users are executing assigned mitigating controls
All stages
• Update control documentation
• Keep External Auditors aware of security standard changes
• Monitor access to powerful roles and transactions
• Proper configuration of BASIS controls
What Tools are Available to Help You?
There are a number of tools in the market to help you assess SAP security and SOD risks.
Functionality and reporting capabilities should be carefully analyzed to make sure they fit the short and long term needs in your organization.
Some of these tools are used to help assess and monitor security exposures, and are not only used by Internal Audit departments but also by:
• SAP Security or IT teams
• Functional Users (responsible for user certification)
• External Auditors
Point in time assessment tools: ACL; Assure Security; Other
Continuous Monitoring tools: SAP's GRC Access Controls; Approva – Authorization Insight; Security Weaver
What Can You Get from Assessment Tools? (Assure Security Example)
• Sensitive Transaction Listing Reports
• User Access to Sensitive Transaction Summary Reports
• Summary SOD Conflict Reports
• User Access to Sensitive Transaction Detail Reports
• Detail User SOD Conflict Reports
• SAP Security Role SOD Analysis Reports
Risk Area 2: SAP Business Processes and Configurable Controls
Application / Configurable Controls: Definition
• Application Controls are defined by COSO as “…Programmed procedures in application software, and related manual procedures, designed to help ensure the completeness and accuracy of information processing…”.
• Control considerations arise around critical business process flow points at which the application:
– Makes calculations.
– Performs data validation and edit checks.
– Interfaces electronically with other systems.
– Sorts, summarizes and reports critical financial information that is relied upon as complete and accurate by Management.
– Limits access to transactions and data.
• As most transactions posted in SAP automatically generate accounting postings to the General Ledger, it is important to consider controls throughout a business process – e.g., Procure to Pay – and not just financial controls within the Finance organization.
Importance of Application Controls
• Robust system-based controls are typically more reliable and desirable than manual controls.
• Optimization of such controls better enables organizations and their external auditors to attest to the effectiveness of controls over critical financial statement elements, and the key financial reporting processes that drive them.
(Diagram: controls plotted as Automated vs. Manual and Preventive vs. Detective, with "Desirable" and "Reliable" increasing toward the system-based preventive corner. Quadrants: System-Based Preventive Controls, System-Based Detective Controls, People-Based Preventive Controls, People-Based Detective Controls. Examples placed on the diagram: Configuration Options, Application Security, Transaction Controls, Policies & Procedures, Monitoring Exception Reporting, Reconciliations.)
Global Controls vs. Local Controls
• Whether it be an automated configurable control or a manual detective control,
SAP controls can also be classified as either being Global or Local controls.
• In SAP terms, a global control would apply across all company codes, whereas a
local control would be company code specific.
– Some examples of global controls include:
• Document types that can post to customer accounts.
• Mandatory field settings for customer/vendor records.
– Some examples of local controls include:
• Customer / vendor posting tolerances.
• Invoice verification tolerances.
• Global and local controls have both advantages and disadvantages.
– The primary advantage of global controls is that they are easier to monitor and test.
– The primary advantage of local controls is that they are more specific to individual business operations.
Another Way to Look at Controls – Preventive vs. Detective
Approximately 70+ SAP process controls are analyzed during a process review of Purchase to Pay (Master Data; Purchase Orders / Requisitions; Invoice / Receipts; Payments).
Control Concern: Do potential duplicate vendors exist?
Process Controls:
• Preventive Control – Will duplicate warning messages be enabled?
• Detective Control – Review duplicate payment reports with different criteria
Security Controls:
• Preventive Control – Are key functions segregated within the organization (e.g. Master Data versus Invoice Entry)?
• Detective Control – Review access to sensitive functions and conflicting responsibilities
Key Risks in Your SAP Process Controls Environment
Depending on the type of SAP process change occurring in your organization, different types of risks may manifest. The most common SAP business process risks our clients face are (table columns: Risks | Net New | Rollout | Upgrade | Maint.):
1. SAP configuration is not set up to support your control environment
2. Control requirements not considered during implementation
3. Poor visibility to your SAP configuration settings
4. Inadequate definition of mitigating controls – excessive manual controls, spreadsheets or reconciliations
5. Deviation from global control template or standards
6. Inadequate change management process to control configuration changes with control implications
7. Inadequate business process ownership responsible for overseeing business process configuration
8. Policies, procedures and control frameworks not updated to reflect new control environment
9. SOX / Internal Control testing procedures are not documented to reflect SAP specific steps
What Can You do to Proactively Mitigate Process Risks?
Control Focus Areas by lifecycle stage:
Net New
• Provide input to process controls definitions (approvals, reconciliations, standard system settings)
• Help identify and document control requirements – manual, automated, business
• Educate business process teams around SAP functionality supporting controls
• Test controls throughout the implementation phases
• Provide input on control monitoring tool implementation
Rollout
• Help define Global and Local control parameters (80/20 rule)
• Define control monitoring processes, roles and responsibilities: configuration, manual and business controls
• Assess local control environment to confirm adherence with standards
• Test reports from a controls perspective
• Help identify and assign mitigating controls
• Review / adjust control monitoring standards and tools
Upgrade
• Review control enhancements and/or impact
• Understand / recommend new control enhancing features, if any
• Confirm that control changes were approved by proper monitoring processes
• Assess change control environment to confirm adherence with standards
• Review / adjust control monitoring standards and tools to reflect new functionality
Maintenance
• Review control changes
• Perform transactional data analysis to identify control gaps (e.g. duplicate invoices)
• Conduct periodic assessments to review adherence to process control standards, potential enhancements, or data integrity issues
All stages
• Update control documentation
• Keep external auditors aware of control changes
• Monitor process indicators, delays / breakdowns
How do You Build Proper SAP Controls?
Goal – Develop and push control recommendations based on SAP compliance best practices and making best use of available SAP control functionality, including: configurable (automated) controls, detective / manual controls (reports):
(Diagram steps)
1. Kick Off Meeting & Workshop Preparation – assess the configurable control environment.
2. Workshops to Disposition Control Recommendations – embed compliance requirements into system design; retrofit control enhancements.
3. Integration Testing – test control parameters throughout the implementation.
Go-Live – review compliance with expected controls.
Outputs: SAP Control Documentation & Testing Results (updated control framework; SAP specific control parameters; SAP specific test plans) and a Continuous Monitoring tool.
Typical processes in scope:
• Quote to Cash
• Requisition to Pay
• Record to Report
• Plan to Produce
• Hire to Retire
• Basis
What Resources are Available to Help You?
There are a limited number of tools to help you assess process controls in SAP. These tools should be carefully analyzed to make sure they fit the short and long term needs in your organization.
Some of these tools are not only used by Internal Audit departments, but also by SAP implementation teams to help in the enablement of process controls, monitoring of control operations and prevention of exposures:
Assessment tools: Assure Controls; Approva – Process Insights
Continuous Monitoring tools: SAP's GRC Process Controls
What Can You get from Assessment Tools? (Assure Controls Example)
• Process Overview Reports
• Control Overview Reports
• Control Weakness Reports
• Process Summary Reports
• Control Evaluation Reports
• Detail Control Reports
Assessment Tool Example: Summary Reports
(Figure: Purchase to Pay process map with the assessed controls drawn on it. Layers: Master Data, Interfaces, Transactions, Business Processes, Controlling, General Ledger integration. Areas: Vendor Maintenance, General Ledger, Purchase Requisitions, Purchase Orders, Invoice Entry / Invoice Verification, Credit Notes, Payment / Clearing. Legend: Exception; No exceptions identified; Area or control not reviewed in automatic testing.)
Controls shown on the map, by control number:
6 - Vendor evaluation
37 - Configuration of mandatory fields
38 - Duplicate vendor check
39 - Dual authorization for sensitive fields
220 - Reconciliation Accounts
232 - Functional Authorizations
238 - Purchase order release strategies
243 - Material tolerance key PE
244 - Ability to change approved orders
247 - Tolerance on purchase order and receipt
250 - Invoice amount tolerance - Key AP
252 / 599 - Duplicate invoice check
254 - Invoice amount tolerance
255 - Park and post approval
263 - Configure payment block reasons
466 - Invoice tolerance key AN
478 - Post small differences automatically - tolerance key BD
505 - Over and under delivery tolerances
532 - Release Strategies with classification
600 - Duplicate vendor check - Set message
602 - Ability to change approved requisitions
619 - Purchase order and Invoice amount tolerance - Key PP
620 - Park and post approval controls
624 - Item Amount Check
625 - Set goods receipt indicator
701 - Document Change Rules
706 - Duplicate invoice check system message
801 - Alternative payee in document field
805 - Change Vendor in Invoice compared to Purchase Order
815 - Currencies allowed in payment methods
Assessment Tool Example: Purchase to Pay Configuration
Configuration controls are assessed by reviewing the settings at the lowest level of detail. For example, an invoice duplicate check test should include the assessment of SAP settings by company code and duplicate setting.
Some advantages of using Assessment Tools:
• Gain increased visibility to the control environment – virtually 100% sample
• Reports are generated automatically and include ideal settings and actual configuration
• Can do exception-based reporting which outlines problem items
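An exception-based report of the kind described above, as an added example that is not Assure Controls or SAP code: the duplicate invoice check is compared against an ideal setting per company code and per flag, and the vendor master indicator that the check also depends on is measured for coverage. The three company-code flags (check company code, check reference, check invoice date) follow the SAP duplicate invoice check customizing as I understand it, no SAP table or field names are claimed, and every company code, vendor number and actual setting is constructed.

```python
"""Exception-based review of the duplicate invoice check configuration at the
lowest level of detail: per company code, per flag, plus the vendor master
indicator that must also be on for the check to fire.

Constructed example (not Assure Controls or SAP code): company codes, vendor
numbers and the 'actual' settings are made up. The three company-code flags
follow SAP's duplicate invoice check customizing as the author of this
example understands it; no SAP table or field names are claimed.
"""

# Ideal setting: every flag on for every company code.
IDEAL = {"check_company_code": True, "check_reference": True, "check_invoice_date": True}

# Constructed extract of the actual customizing, one row per company code.
ACTUAL_CONFIG = {
    "UK01": {"check_company_code": True, "check_reference": True, "check_invoice_date": True},
    "US01": {"check_company_code": True, "check_reference": False, "check_invoice_date": True},
    "DE01": {"check_company_code": False, "check_reference": False, "check_invoice_date": False},
}

# Constructed vendor master extract: (vendor, company code) -> 'check double invoice' flag.
VENDOR_FLAGS = {
    ("100200", "UK01"): True,
    ("100377", "UK01"): False,
    ("100200", "US01"): True,
    ("100455", "DE01"): True,
    ("100460", "DE01"): False,
}


def config_exceptions(actual=ACTUAL_CONFIG, ideal=IDEAL):
    """One exception per (company code, flag) that deviates from the ideal;
    a flag absent from the extract is reported as 'not maintained'."""
    exceptions = []
    for cc, settings in sorted(actual.items()):
        for flag, wanted in ideal.items():
            got = settings.get(flag)
            if got != wanted:
                exceptions.append({"company_code": cc, "flag": flag,
                                   "expected": wanted,
                                   "actual": "not maintained" if got is None else got})
    return exceptions


def vendor_coverage(vendor_flags=VENDOR_FLAGS):
    """Per company code: share of vendors with the indicator on, and the
    vendors where it is off (the check never runs for those vendors)."""
    out = {}
    for (vendor, cc), on in vendor_flags.items():
        row = out.setdefault(cc, {"total": 0, "on": 0, "off": []})
        row["total"] += 1
        if on:
            row["on"] += 1
        else:
            row["off"].append(vendor)
    for row in out.values():
        row["coverage"] = round(row["on"] / row["total"], 2)
        row["off"].sort()
    return out


def report():
    """Only problem items, as an exception-based report would list them."""
    lines = [f"{e['company_code']}: {e['flag']} expected {e['expected']}, actual {e['actual']}"
             for e in config_exceptions()]
    for cc, row in sorted(vendor_coverage().items()):
        if row["off"]:
            lines.append(f"{cc}: vendor indicator off for {', '.join(row['off'])} "
                         f"(coverage {row['coverage']:.0%})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```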
Risk Area 3: Transactional Processing and Analytics
Why Perform Transactional Analysis
Companies need to manage the risks associated with SAP transaction processing, master data maintenance and segregation of duty violations. When applied to the Procure to Pay process, key transactional assessment areas include:
• Financial Risks – Overpayments / duplicate payments, fraud
• Operational Risks – Duplicate data management for vendors, customers, assets and employees
In order to comprehensively assess Procure to Pay areas, you should include historical and current SAP data to enable future cost savings as depicted below.
(Diagram: Data Integrity Analysis; Cost Savings and Cost Recovery; Historical and Prospective; Payment Assessments; Security / SOD Violations; Remediation; Master Data Cleanup.)
Leveraging data can also help Internal Audit Directors and Finance Executives (CFOs, VPs, Controllers) identify internal control and risk issues, identify, recover and eliminate financial leakage, search for anomalies, benchmark their processing performance and compare to best practices.
Automated Transactional Analysis
Even in well-controlled environments, with well-defined security and built-in application controls,
it is important to understand the details of the transactions being processed, the way they
are being handled and the data that is or will be recorded in SAP.
It is important to remember that exceptions will happen and many controls can be
circumvented, especially by privileged or knowledgeable users.
Compliance Focus Areas across the lifecycle stages (Net New, Rollout, Upgrade, Maintenance):
• Pre-implementation analysis of legacy transactions to identify: potential opportunities; configurable control needs and design / blueprint considerations; required (master) data clean-up
• Analysis of SAP transactions to identify: potential opportunities; configurable control enhancements; master data considerations
• Understanding of potential impact to processes and/or controls
• Post implementation analysis and validation to ensure no adverse impact
• Periodic testing to ensure transactional data confirms high risk system based controls are still operating
• Data contained within the system allows the business to make informed, accurate decisions
• Identify further areas of operational improvement
Key Risks During Each Lifecycle Stage
Key Risks by stage (Net New / Rollout / Upgrade / Maint.):
• System based controls, both configuration and security, are not sufficient to prevent or detect errors and/or fraud
• Current business environment encourages individuals to either accept or take additional inappropriate risk
• Traditional sampling techniques may not provide sufficient coverage and review of the full transactional population is needed
• Configuration controls can be turned on, off or changed. Security can also be changed
SAP risks may vary depending on your company's implementation / lifecycle stage,
your organizational complexity, your security design and the tools you use to help
manage risk.
Transactional analytics may also provide effective tests of control and substantive procedures
where there are no input documents or a visible audit trail.
Analytics Example for Procure to Pay
With analytics, different SAP risks and opportunities can be identified and analyzed.
[Figure: Procure to Pay process flow – Vendor and Material master data → Purchase Requisition → Purchase Order → Goods Receipt → Invoice Receipt → Cash Disbursement, within the Purchasing Organization; steps labelled by module (MM Module; FI Module, A/P Sub-Module)]
Analytics Example for Procure to Pay: Vendor Master
Vendor Master Record:
• How many vendors does the company use?
• Are there duplicate vendors in the Vendor Master?
• Are inactive vendors, without any activity in over a year, categorized as active?
• How are vendors being utilized?
• Have changes to the vendor masters been approved?
• Are there potentially fictitious or unauthorized vendors in the vendor master?
• Are there any vendors with the same address as an employee?
• Have vendors been checked against regulatory requirements?
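The duplicate-vendor, employee-address and inactive-vendor questions above can be answered with normalization-based tests over a vendor master extract. This is an added Python example, not code from the presentation or from Protiviti's Assure Integrity tool; the vendor and employee records, the legal-suffix and abbreviation lists and the AS_OF cut-off date are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample extracts (not real SAP data): vendor master records and employee addresses.
VENDORS = [
    {"id": "100001", "name": "Acme Supplies, Inc.", "street": "12 Main Street", "city": "Denver", "bank": "DE89370400440532013000", "active": True, "last_activity": date(2009, 11, 3)},
    {"id": "100002", "name": "ACME SUPPLIES INC", "street": "12 Main St.", "city": "Denver", "bank": "DE89370400440532013000", "active": True, "last_activity": date(2009, 12, 1)},
    {"id": "100003", "name": "Northwind Traders LLC", "street": "7 Harbor Rd", "city": "Seattle", "bank": "GB29NWBK60161331926819", "active": True, "last_activity": date(2008, 6, 14)},
    {"id": "100004", "name": "J. Smith Consulting", "street": "44 Elm Avenue", "city": "Austin", "bank": "US12000000000123", "active": True, "last_activity": date(2010, 1, 20)},
    {"id": "100005", "name": "Old Parts Co", "street": "9 Mill Ln", "city": "Boston", "bank": "US55000000000999", "active": False, "last_activity": date(2007, 2, 2)},
]
EMPLOYEES = [
    {"pernr": "5001", "name": "John Smith", "street": "44 Elm Ave", "city": "Austin"},
    {"pernr": "5002", "name": "Mary Jones", "street": "3 Oak Street", "city": "Denver"},
]
LEGAL_SUFFIXES = {"INC", "LLC", "LTD", "CORP", "CO", "COMPANY", "CORPORATION"}
ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "LANE": "LN"}
AS_OF = date(2010, 2, 19)  # assumed audit cut-off date for the inactivity test

def norm_name(name):
    """Upper-case, drop punctuation and legal suffixes so spelling variants collide."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)

def norm_address(street, city):
    """Canonical street + city key; street-type words are reduced to one abbreviation."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", street.upper()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens) + "|" + city.upper().strip()

def duplicate_vendors(vendors):
    """Vendor IDs that share a normalized name or the same bank account."""
    groups = {}
    for v in vendors:
        for key in (("name", norm_name(v["name"])), ("bank", v["bank"])):
            groups.setdefault(key, []).append(v["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

def vendors_at_employee_address(vendors, employees):
    """(vendor ID, employee number) pairs whose addresses match after normalization."""
    emp_addr = {norm_address(e["street"], e["city"]): e["pernr"] for e in employees}
    hits = []
    for v in vendors:
        key = norm_address(v["street"], v["city"])
        if key in emp_addr:
            hits.append((v["id"], emp_addr[key]))
    return hits

def stale_active_vendors(vendors, as_of, days=365):
    """Vendors still flagged active with no activity in the last `days` days."""
    return [v["id"] for v in vendors if v["active"] and (as_of - v["last_activity"]).days > days]
```

Each function returns vendor IDs rather than printing, so the results can be joined back to the master records for the audit sample.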
Analytics Example for Procure to Pay: Vendor Master
What condition is your vendor master file in and what impact does it have on your
organization?
In this example, not all fields are complete. Possible solutions:
• Do not allow the system to accept blank addresses and define required fields.
• Possible use of drop down menus (e.g., state, country, etc.).
Analytics Example for Procure to Pay: Purchase Requisition
Purchase Requisition:
• What materials / services are being ordered?
• Who is ordering materials / services?
• Who is approving materials / services?
• What are the amounts and frequency of purchase requisitions?
• Do the materials / services appear reasonable for the department / employee initiating the purchase requisition?
• Are any segregation of duties (authoritative levels) being by-passed?
Analytics Example for Procure to Pay: Purchase Orders
Purchase Orders:
• Are there duplicate purchase orders?
• Is the use of one-time vendors appropriate?
• Do sole sourcing opportunities exist?
• Do we know what our product reordering volume is by item, warehouse, or vendor?
• Can we determine the percentage change in sales, price and / or cost levels by product / vendor?
• Should we compare rates for similar products from other vendors to ensure purchase rates are competitive?
• Can we eliminate stale POs by analyzing and reporting on partial receipts?
• Reconciliation of orders received without or prior to a purchase order.
Analytics Example for Procure to Pay: Cash Disbursements
Cash Disbursements:
• Are payments being split to avoid approval limits?
• Are non-PO based invoices excessive?
• Are invoices dated prior to POs?
• Are there large payments without a purchase order or to one-time vendors?
• Are there duplicate payments being processed?
• Does it appear discounts and rebates are being missed?
• Provide an audit trail for disbursements by purchase order, vendor, etc.
• Summarize cash disbursements by account, bank, group, vendor, etc.
• Generate vendor cash activity summary for support in rebate negotiations.
• Audit paid invoices for manual comparison with actual invoices.
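Four of the cash disbursement questions above (split payments, non-PO invoices, invoices dated before their PO, duplicate payments) as an added Python example over a constructed A/P extract; this is not code from the presentation, and the invoice records, the 5,000 approval limit and the 7-day window are assumptions.

```python
import re
from datetime import date

# Constructed sample of A/P invoice documents (not real SAP data): vendor, vendor
# reference, amount, invoice date and the matched purchase order with its date.
INVOICES = [
    {"doc": "5100000001", "vendor": "100001", "ref": "INV-7781", "amount": 4900.00, "inv_date": date(2010, 1, 4), "po": "4500001000", "po_date": date(2009, 12, 20)},
    {"doc": "5100000002", "vendor": "100001", "ref": "INV-7782", "amount": 4950.00, "inv_date": date(2010, 1, 5), "po": "4500001001", "po_date": date(2009, 12, 20)},
    {"doc": "5100000003", "vendor": "100001", "ref": "INV-7783", "amount": 4800.00, "inv_date": date(2010, 1, 6), "po": "4500001002", "po_date": date(2009, 12, 20)},
    {"doc": "5100000004", "vendor": "100003", "ref": "A-100", "amount": 1250.00, "inv_date": date(2010, 1, 10), "po": "4500001010", "po_date": date(2010, 1, 15)},
    {"doc": "5100000005", "vendor": "100004", "ref": "0042", "amount": 300.00, "inv_date": date(2010, 1, 12), "po": None, "po_date": None},
    {"doc": "5100000006", "vendor": "100004", "ref": "42", "amount": 300.00, "inv_date": date(2010, 1, 12), "po": None, "po_date": None},
    {"doc": "5100000007", "vendor": "100002", "ref": "INV-9000", "amount": 12000.00, "inv_date": date(2010, 2, 1), "po": "4500001020", "po_date": date(2010, 1, 25)},
]
APPROVAL_LIMIT = 5000.00  # assumed single-approver limit for this sample

def split_payments(invoices, limit=APPROVAL_LIMIT, window_days=7):
    """Runs of sub-limit invoices from one vendor, each within window_days of the previous, totalling at least the limit."""
    by_vendor = {}
    for inv in invoices:
        if inv["amount"] < limit:  # only invoices that individually stayed under the limit
            by_vendor.setdefault(inv["vendor"], []).append(inv)
    flagged = []
    for vendor, invs in by_vendor.items():
        invs.sort(key=lambda i: i["inv_date"])
        run = [invs[0]]
        for inv in invs[1:] + [None]:  # None sentinel flushes the final run
            if inv and (inv["inv_date"] - run[-1]["inv_date"]).days <= window_days:
                run.append(inv)
                continue
            if len(run) > 1 and sum(i["amount"] for i in run) >= limit:
                flagged.append((vendor, [i["doc"] for i in run]))
            run = [inv]
    return flagged

def duplicate_invoices(invoices):
    """Documents with the same vendor, amount and normalized reference (case, punctuation and leading zeros removed)."""
    groups = {}
    for inv in invoices:
        ref = re.sub(r"[^A-Z0-9]", "", inv["ref"].upper()).lstrip("0")
        groups.setdefault((inv["vendor"], ref, inv["amount"]), []).append(inv["doc"])
    return {k: docs for k, docs in groups.items() if len(docs) > 1}

def invoices_before_po(invoices):
    """Invoices dated earlier than the purchase order they were matched against."""
    return [i["doc"] for i in invoices if i["po_date"] and i["inv_date"] < i["po_date"]]

def non_po_invoices(invoices):
    """Invoices posted without a purchase order reference."""
    return [i["doc"] for i in invoices if i["po"] is None]
```

Normalizing the vendor reference groups variants such as "0042" and "42" that an exact-match comparison of the reference field would treat as different invoices.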
What Tools are Available to Help You?
There are a number of tools available to help you perform transactional analysis.
These tools should be carefully analyzed to make sure they fit the short and long
term needs in your organization.
Assessment tools:
• SAP GRC Process Controls
• Native SAP / ABAP (complexity)
• Business Intelligence solutions (complexity)
• ACL
• MS Access (size limitations)
• Excel (size limitations)
• Assure Integrity – Protiviti proprietary tool specific to SAP
Data formatting tools:
• Monarch – electronic report manipulation
Planning an Audit with Transactional Data
Developing and executing an organization's audit plan requires time, financial resources
and personnel. To keep costs down it is important to have a focused plan, identifying
those areas that are considered high priority and those that are considered low priority.
By analyzing transactional data, you can help identify an organization's potential for risk within:
– Individual Entities
– Business Processes, and
– Critical Functions
Summary results can be quantified to help prioritize your audit needs.
Detailed transactional results can provide critical information for testing during the audit.
Planning an Audit with Transactional Data: Prioritizing Using Summary Results
Each Integrity test contains at least one summary report which quantifies the results and/or
presents the information in graphical format for quick and efficient identification of
potential concerns.
Note: Company code data can help determine which entity of
your business may require more focus during the audit.
Planning an Audit with Transactional Data: Executing the Audit Using Detailed Results
Make sure to include all of the critical information needed to assist in the execution of your
audit.
Once samples have been determined, the detailed results can be referenced to identify the records that need to be obtained and validated.
Audit and Risk Management Considerations
• Consider where the company is having issues and/or where the greatest
opportunities exist to leverage monitoring / analytic capabilities.
• Consider where an analytics-based diagnostic review may be of value to the
company.
• Consider the enterprise perspective but start small and agree upfront as to how
items will be measured.
• Determine what monitoring / analytic capabilities and tools already exist within the
company.
• Obtain business buy-in and explore opportunities for the business, operations, IT,
and Internal Audit to collaborate.
• Consider whether an audit analytic initiative should be manual / ad-hoc or if an
automated approach and long-term monitoring mechanisms should be developed.
Summary / Wrap-Up
To Summarize
• Be as proactive as possible when your company is going through SAP projects affecting
security and controls
• Get involved in early stages of SAP projects by providing input from a compliance
perspective
• Bring the right skills – SAP Security, Business Process, and/or Controls – sometimes all
these skills are needed
• Use tools – it is extremely difficult to assess security and configurable controls manually
• Your goals when assessing and providing recommendations to security standards and SAP
process controls should include:
– Standardize security and business process design
– Help find the right balance between automated controls and manual controls (reports)
– Help address potential control gaps
– Confirm that the right people have authority to approve changes to the security structure and
SAP configuration impacting your control environment
– Assess your SAP environment periodically and with the right depth of analysis