The Challenges in Auditing SAP


SAP is highly configurable and implementations often vary, even within various business units of a company — both financial and non-financial. At the same time, the effective operation of controls within the SAP environment is very important to a robust financial and business control environment. Therefore, it is important to gain a good understanding of how SAP is being implemented in the business while planning the audit scope and approach. Auditing an SAP environment involves several unique complexities that can impact the audit scope and approach.

Business processes

SAP covers most business processes, and a minor change in a business process can have an effect on the audit procedures due to the intricacy of the system. Changes in the configuration and setup of the system, the release strategy or the creation of new processes may result in new features and/or functionality in SAP and, as such, additional risks need to be considered.

For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over purchase order approval may have been performed manually. But with the SAP implementation the client has considered automating the approval process in SAP. The setup of the automated workflow process and user access security is therefore important to ensure that adequate controls are maintained to mitigate the risks. This would involve testing automated controls rather than the manual controls over purchase orders.

Segregation and awareness

For an effective audit, the auditor needs to gain a good understanding of the design of SAP’s authorisation concept (security design). Now and again, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. Therefore, the review of the design and implementation of SAP security and access controls is important to ensure proper segregation of duties is maintained and access to sensitive transactions is well-controlled.

Segregation of duties conflicts can arise when a user is given access to two or more conflicting transactions — for example, creating a purchase order and amending vendor master details. A clear mapping of the business processes and identification of the roles and responsibilities involved in those processes is essential in the design of access controls to effectively audit security.

In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries or amending and deleting audit logs. In an SAP audit such sensitive transactions would need to be considered during the planning phase.
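
The check described above can be run over a user-to-transaction extract. The following is an added example, not part of the original article: the rule set, role names and sample rows are constructed, and the transaction codes are standard SAP codes chosen here as an assumption to stand for the article's purchase order, vendor master, G/L, recurring entry and audit log examples.

```python
# Assumed rule set (not from the article): standard SAP transaction codes
# grouped by the business function they perform.
FUNCTIONS = {
    "create_purchase_order": {"ME21N", "ME21"},
    "amend_vendor_master": {"XK02", "MK02", "FK02"},
}
# Pairs of functions that a single user should not hold together.
SOD_RULES = [("create_purchase_order", "amend_vendor_master")]
# Sensitive transactions that are reported on their own.
SENSITIVE = {
    "FS00": "maintain G/L account master",
    "FBD2": "change recurring entry",
    "SM18": "delete security audit log files",
}

# Constructed sample extract: (user, role, transaction code).
SAMPLE_ACCESS = [
    ("ABUYER", "Z_PURCH_CLERK", "ME21N"),
    ("ABUYER", "Z_VENDOR_MAINT", "XK02"),
    ("BCLERK", "Z_PURCH_CLERK", "ME21N"),
    ("CADMIN", "Z_BASIS", "SM18"),
    ("CADMIN", "Z_FIN_MASTER", "FS00"),
]


def analyse(access):
    """Return (sod_conflicts, sensitive_hits) for a user/role/tcode extract."""
    by_user = {}
    for user, role, tcode in access:
        by_user.setdefault(user, {}).setdefault(tcode.upper(), set()).add(role)

    conflicts, sensitive = [], []
    for user, tcodes in sorted(by_user.items()):
        # Transactions the user holds, per business function.
        held = {name: sorted(t for t in tcodes if t in members)
                for name, members in FUNCTIONS.items()}
        for left, right in SOD_RULES:
            if held[left] and held[right]:
                # Report the roles that combine to create the conflict.
                roles = sorted({r for t in held[left] + held[right]
                                for r in tcodes[t]})
                conflicts.append((user, left, right, roles))
        for tcode in sorted(tcodes):
            if tcode in SENSITIVE:
                sensitive.append((user, tcode, SENSITIVE[tcode]))
    return conflicts, sensitive


if __name__ == "__main__":
    found_conflicts, found_sensitive = analyse(SAMPLE_ACCESS)
    for row in found_conflicts:
        print("SoD conflict:", row)
    for row in found_sensitive:
        print("Sensitive access:", row)
```

Transaction-code matching is a first pass only; effective access also depends on the authorisation objects and field values behind each role.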

Control selection

Organisations can tailor the SAP system to fit their business needs, including a selection of configurable and inherent controls. Understanding the selection process behind these controls is very important to the audit approach. Allowing purchase orders, for example, to be approved automatically through the system is considered a configurable automated control.

However, the client may also choose not to implement this functionality and address this risk via a manual control. Auditors need to understand the controls the client has chosen to implement and the matrix of controls that they place reliance on to mitigate more than one risk.
