milford sprecher sap public services, inc. audit support in sap
TRANSCRIPT
Milford Sprecher
SAP Public Services, Inc.
Audit Support in SAP
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AIS
Tools and Data Export
Summary and Q&A
SAP AG 2003 / Audit Information System, 3
Reasons/Methodology for Financial Audits
Financial audits Generally begin with an assessment of internal controls under the
assumption that good internal controls reduces the risk of improprieties in the system
Are performed after adequate planning and with proper supervision
Are performed by obtaining “competent evidential matter through inspection, observation, inquiries and confirmations to afford a reasonable basis for an opinion”3
3 Taylor, Donald H. and Glezen, G. William. Auditing: Integrated Concepts and Procedures, Second Edition, New York: John Wiley & Sons, 1982
SAP AG 2003 / Audit Information System, 4
Legal Environment (Today)
Sarbanes-Oxley Act – 2002: New regulations for auditing firms including more independence
requirements Reinforces older case law and acts Places more attention, requirements and responsibilities on
management Elevates internal accounting controls to assertion level requiring
an opinion from auditor
SAP AG 2003 / Audit Information System, 5
How Can Technology Help?
System tools to facilitate documentation, assessment and testing of internal control environment
Ability to implement continuous automated control techniques to ensure continued compliance with Sarbanes-Oxley requirements (e.g., monitoring of key disclosure controls, electronic sign-offs of control procedure completion, etc.)
Ability to provide consistent business process and control practices Automated auditing techniques Control gap analysis and resolution performance management and
tracking
SAP AG 2003 / Audit Information System, 6
SAP Principles Supporting Audit Requirements
Inherent controls are delivered with SAP and do not need to be designed into the
system
Configurable controls automated controls to be defined at the time of system configuration
Security controls user access and segregation of duties controls
Reporting controls controls that rely on standard or ad-hoc reports from SAP
SAP AG 2003 / Audit Information System, 7
Internal Controls
SAP Security Guide
Contains examples of best practices for separation of duties
System Audit
Function in System Audit to make sure there are separation of duties (after the fact)
MIC (Management of Internal Controls)
Documents processes, risk and internal controls in place
Third Party Products
SAP Compliance Calculator by Versa Contains segregation of duties testing Sarbanes-Oxley driven
SAP AG 2003 / Audit Information System, 8
Continuous ImprovementContinuous Improvement
Scoping andSet-Up
Document Processes
and Controls
Sign-Off, Prepare
Certification / Internal Control
Report
Assess Control
Design and Remediate
Issues
TestOperatingEffective-
ness
Attest and
Report
Management Auditor
CEO / CFO
Internal Control Manager
Org.Unit Manager
Process Group Owner
Control Owner
Evaluator Tester
Issue and Remediation Plan Owner
Internal and External Auditor
SAP MIC – Phases and Roles
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AISTools and Data Export
Summary and Q&A
SAP AG 2003 / Audit Information System, 10
SAP Audit Information System (AIS)
AIS is the auditors‘ toolbox within the SAP environment Structured collection and pre-setting of standard reports Suitable for auditors with limited SAP experience Role-based organization
Comprehensive functionality for system and business audits Provides monitoring of system inherent and configurable controls Implements numerous reporting controls
Business audit structured according to Financial statements Business Processes
AIS reporting tree links to multiple types of documentation AIS documentation, SAP Library, IMG documentation, web addresses
Data export to external analysis and audit tools online real time or batch processed queries document data, account balances, and financial statement data
SAP AG 2003 / Audit Information System, 11
Audit Information System (AIS)
• Audit planning
• Work program
- System audit- Business audit
Exp
ort
in
terf
ace
Online controls onthe SAP database
• System information
• Reconciliation• B/S, P&L• Account balances• Documents
Data export
• Account balances• Line items
Non-SAP Environment mySAP ERP Environment
Work paperprep.
Report
Analysis software( ACL / IDEA / … )
Reporting software
Line items
Balances
...
Accounts
Customers
Vendors
Assets
Material
Orders
Invoices
…
SAP AG 2003 / Audit Information System, 12
AIS – Motivation and Availability
Why should one be interested in this? In an environment of mass transactions, system support for audit is
a must. Corporate governance requirements
Why use the SAP Audit Information System? Acts as a bridge between auditors and the SAP system Helps to understand SAP terminology and structures Optimized for the SAP system, direct access to critical data
What is the effort involved in installing and using AIS? AIS provides data without requiring much system resource. Queries can be run in batch or online. AIS is simple to implement – five to 10 consulting days including
training.
SAP AG 2003 / Audit Information System, 13
Audit Information System
SAP AG 2003 / Audit Information System, 14
The Audit Information System facilitates smoother and better quality audits.
It consists of a number of single roles and is a - Collection,- Structure, and- Default setup
of SAP standard programs.
The AIS is the Toolbox of the auditor in SAP environment.
The Audit Information System
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AIS
Summary and Q&ATools and Data Export
SAP AG 2003 / Audit Information System, 16
QueryQuery
Drill-downDrill-downreportingreporting
InformationInformation
systemssystemsD A R TD A R T
A B A PA B A P
Tools Used for Online and Offline Controls
SAP AG 2003 / Audit Information System, 17
SAP - DBSAP - DB
QueryQuery
SAP Query
The application SAP Query is used to create lists not already contained in the SAP standard.
List
Dialog
Drill-down
Extract(flat file)
Online Controls – Query
SAP AG 2003 / Audit Information System, 18
Document analysis • Documents in general• A/P A/R G/L line items
Flexible selection for the data retrieval Flexible analysis of the data deemed critical
using ALV functions
Dubious Documents• Document journal
(with holiday calendar)
Posted on Sunday or holidays? Posted at unusual times? . . .
Account Analysis• A/R• A/P• G/L accounts
Offsetting account analysis Even distribution of postings? (in Days/Months/Year) Unusual document origin? (manual, SD, MM, HR, ...) Posted in timely manner? (BUDAT – CPUDAT) Documents with the greatest volume (+/-)
Critical Clearing Processes • A/R
Clearing only payment-relevant process? Clearing via reversal?
Variance Analysis• A/R (Payments received)• A/P (Payments sent)
Payments out of the norm- Standard condition per master data (days / %)- Condition taken as found in document- Variance (shows payment tendency)
Comparison of Terms• A/R• A/P
Terms and conditions, base date, days 1, %, days 2, %, Net values in document - Values in master data = Variance (shows manual changes)
Selected Queries Delivered by SAP
SAP AG 2003 / Audit Information System, 19
SAP - DBSAP - DB
Drill-downDrill-downReportingReporting
SAP drill-down reporting
With drill-down reporting, SAP provides you with an interactive information system to let you evaluate the data collected in your application.
List
Dialog
Drill-down
Extract(flat file)
Online Controls – Drilldown Reporting
SAP AG 2003 / Audit Information System, 20
SAP - DBSAP - DB
InformationInformation
systemssystems
Component-specific information tools:
General ledger Information System Accounts receivable Information System Accounts payable Information System Logistics Information System Repository Information System . . .
List
Dialog
Drill-down
Extract(flat file)
Online Controls – Information Systems
SAP AG 2003 / Audit Information System, 21
SAP - DBSAP - DB
D A R TD A R T
Data Retention Tool ( D A R T ):
Data retention and evaluation oftax-relevant data.
Data extraction and storage View query Export function (SAP-Audit-Format)
List
Dialog
Drill-down
Extract(flat file)
Offline Controls – DART
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AIS
Tools and Data Export
Summary and Q&A
SAP AG 2003 / Audit Information System, 23
7 Key Points to Take Home
1. SAP Audit Information System (AIS) is the auditor‘s toolboxin the SAP environment.
2. It provides a structured, easy-to-learn access to audit-relevant data in the SAP system.
3. AIS is being used by external auditors, internal auditors/financial analysts, tax auditors and data security officers.
4. There are comprehensive online controls for system audit, business audit, and tax audit.
5. AIS supports data export of master data, account balances, and documents to 3rd party audit and analysis tools.
6. AIS can be implemented quickly and with low effort, and easily adjusted to the requirements of the customer.
7. AIS requires few system resources.
SAP AG 2003 / Audit Information System, 24
AIS – Benefits
AIS is the auditor‘s toolbox within SAP.
Online Controls and Data Export
Easy to use functionality
Comprehensive offering for
System audit
Business audit
Tax audit