The Challenges in Auditing SAP

Many businesses use SAP software to help them plan their resources and activities. Its flexibility and variety make it a challenge to audit.

SAP is highly configurable and implementations usually vary, even between different business units of a company, both financial and non-financial. At the same time, the effective operation of controls within the system's environment is essential to a strong financial and operational control environment. It is therefore important to gain a good understanding of how SAP is being used in the business when planning the audit scope and approach. Auditing an SAP environment introduces a number of unique complexities that can affect the audit scope and approach.

Business processes

SAP covers most business processes, and a minor change in a business process can have a direct impact on the audit procedures owing to the complexity of the system. Changes in the setup and configuration of the system, the release strategy or the development of new processes may result in new modules and/or functionality in SAP and, as such, additional risks will need to be considered.

For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over purchase order approval may have been performed manually. But with the SAP implementation the client has considered automating the approval process in SAP. The setup of the automated workflow process and user access security is therefore critical to ensure that appropriate controls are maintained to mitigate the risks. This would involve testing automated controls instead of the manual controls over purchase orders.

Segregation and sensitivity

For an effective audit, the auditor needs to gain a good understanding of the design of SAP's authorisation concept (security design). In some cases, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. The assessment of the design and implementation of SAP security and access controls is therefore necessary to ensure that proper segregation of duties is maintained and that access to sensitive transactions is well controlled.

Segregation of duties conflicts can arise when a user is given access to two or more conflicting transactions, for example creating a purchase order and amending vendor master details. A clear mapping of the business processes and identification of the roles and responsibilities involved in the processes is essential in the design of access controls to effectively audit security.

In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries or amending and deleting audit logs. In an SAP audit such sensitive transactions would need to be considered during the planning stage.
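An added example (not part of the original article) of a check an auditor can run over an extract of role and user assignments: it flags segregation of duties conflicts such as the purchase order and vendor master pair above, and access to sensitive transactions. The rule set, role names, user names and role contents are constructed; the SAP transaction codes are assumptions chosen to stand for the activities the article names.

```python
from itertools import combinations

# Assumed rule set: the two transactions in a pair must not sit with one user.
SOD_RULES = {
    frozenset({"ME21N", "XK02"}): "Create purchase order + change vendor master",
}
# Assumed list of sensitive transactions for this (constructed) client.
SENSITIVE = {
    "FS00": "Maintain G/L account master",
    "SM18": "Delete old security audit log files",
}

# Constructed sample extract: role -> transactions, user -> roles.
ROLE_TCODES = {
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_VENDOR_MAINT": {"XK02", "XK03"},
    "Z_GL_ADMIN": {"FS00"},
    "Z_BASIS": {"SM18"},
}
USER_ROLES = {
    "ASMITH": ["Z_BUYER"],
    "BJONES": ["Z_BUYER", "Z_VENDOR_MAINT"],
    "CLEE": ["Z_GL_ADMIN", "Z_BASIS"],
}

def effective_access(user_roles, role_tcodes):
    """Map each user to {tcode: set of roles that grant it}."""
    access = {}
    for user, roles in user_roles.items():
        grants = access.setdefault(user, {})
        for role in roles:
            for tcode in role_tcodes.get(role, ()):
                grants.setdefault(tcode, set()).add(role)
    return access

def sod_conflicts(access, rules=SOD_RULES):
    """Return (user, tcode_a, tcode_b, description, granting roles) per conflict."""
    findings = []
    for user, grants in sorted(access.items()):
        for a, b in combinations(sorted(grants), 2):
            desc = rules.get(frozenset({a, b}))
            if desc:
                findings.append((user, a, b, desc, sorted(grants[a] | grants[b])))
    return findings

def sensitive_access(access, sensitive=SENSITIVE):
    """Return (user, tcode, description) for every sensitive transaction held."""
    return [(u, t, sensitive[t]) for u, g in sorted(access.items())
            for t in sorted(g) if t in sensitive]
```

The BJONES conflict only appears once the two roles are combined, which is why the check runs on each user's effective access and not on individual roles. Transaction-level access is a simplification: a full review also looks at the authorisation objects and field values behind each transaction.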

Control selection

Organisations can tailor the SAP system to fit their business needs, including a range of configurable and inherent controls. Understanding the selection process behind these controls is essential to the audit approach. Allowing purchase orders, for example, to be approved automatically through the system is considered a configurable automated control.

However, the client may also choose not to implement this functionality and address this risk through a manual control. Auditors need to understand the controls the client has chosen to implement and the matrix of controls that they place reliance on to mitigate one or more risks.

Types of Controls

In SAP there are four types of controls that an audit client can utilise in order to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.

Generally, access or configurable controls are performed by the SAP system and are preventive in nature. Manual controls, on the other hand, including manual reviews of reports, are performed by an employee and are predominantly detective in nature. For example, in the procure-to-pay (P2P) process of SAP, there are standard automated controls such as three-way matching (matching of purchase orders, goods receipts and invoices). The client may choose to adopt four-way matching, or two-way matching of invoices, therefore requiring customisation to suit their specific processes.

Every client will use a different mix of controls in order to achieve their specific control objectives, and because of the complexity of SAP software, auditing around the system to gain control assurance is not an option. The audit approach therefore needs to be tailored to each situation. It is also important to highlight that SAP provides various controls that are inherent within the SAP environment. An example of an inherent control is that journal entries must balance before posting in SAP.

Configurable controls

In SAP it is important to understand the link between configurable controls and access controls. In order to achieve the control objective there may be a combination of configurable and access controls that together provide a control solution. For example, “Purchase orders above £1m get blocked automatically and can’t be processed.” This looks like a configurable control, but is in fact both a configurable control and an access control, as it deals with the configuration of the Purchasing Release Strategy within SAP and with who has access to create and approve a PO.

Another example is “Purchase orders over US$1m must be approved by the manager.” This looks like an access control, but it is a configurable control as well because of the configuration required for the release strategy. In fact, these are complementary controls: two controls covering the same risk together. Without one control, the other cannot cover the risk to the same precision. The auditor must test both the configuration and access aspects of these controls, so it is important that they are identified by the auditor and categorised correctly.
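An added example (not from the original article) of testing the US$1m approval control from both sides, and then checking that it operated on a sample of purchase orders. The configuration fields, user names, release group and purchase orders are all constructed, and the sample is assumed to contain only purchase orders that were processed (sent to the vendor).

```python
from decimal import Decimal

POLICY_LIMIT = Decimal("1000000")  # the US$1m threshold in the control statement

# Constructed extract of the release strategy configuration (assumed field names).
RELEASE_CONFIG = {"active": True, "threshold": Decimal("1000000"), "release_group": "MANAGER"}

# Constructed access extract: who can create POs, who belongs to each release group.
CAN_CREATE_PO = {"ASMITH", "BJONES", "DKHAN"}
RELEASE_GROUPS = {"MANAGER": {"DKHAN", "EROSSI"}}

# Constructed sample of processed POs: (po, value_usd, created_by, released_by).
PURCHASE_ORDERS = [
    ("PO-0001", Decimal("250000"), "ASMITH", None),
    ("PO-0002", Decimal("1500000"), "BJONES", "EROSSI"),
    ("PO-0003", Decimal("2000000"), "DKHAN", "DKHAN"),
    ("PO-0004", Decimal("1200000"), "ASMITH", None),
]

def check_configuration(config, limit=POLICY_LIMIT):
    """Configuration side: release strategy is active and triggers at the limit."""
    issues = []
    if not config.get("active"):
        issues.append("release strategy inactive")
    if config.get("threshold", Decimal("Infinity")) > limit:
        issues.append("release threshold above policy limit")
    return issues

def check_access(config, can_create, groups):
    """Access side: releasers exist and none of them can also create a PO."""
    releasers = groups.get(config.get("release_group"), set())
    issues = [] if releasers else ["no user can release"]
    issues += [f"{u} can both create and release" for u in sorted(releasers & can_create)]
    return issues

def check_operation(orders, config, groups, limit=POLICY_LIMIT):
    """Operation: each processed PO over the limit was released by another manager."""
    releasers = groups.get(config.get("release_group"), set())
    issues = []
    for po, value, creator, releaser in orders:
        if value <= limit:
            continue
        if releaser is None:
            issues.append((po, "over limit, not released"))
        elif releaser not in releasers:
            issues.append((po, "released by non-manager"))
        elif releaser == creator:
            issues.append((po, "self-approved"))
    return issues
```

In this sample the configuration check passes while the access check and the operating check both report exceptions, which is the situation the paragraph describes: neither side alone gives assurance over the risk.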

Process risks

SAP is a process-based ERP system and each SAP instance may have different risks associated with it. The ability to customise and tailor the system, and its inherent complexity, significantly increases the overall complexity of security configurations and leads to potential security vulnerabilities. Segregation of duties conflicts, errors and flaws therefore become more likely.

Every client has different business processes, products and services, and systems that suit their environment. Designing the process correctly in SAP is critical to mitigate the risks associated with inadequate or failed business processes. An effective audit approach should therefore include an assessment of risks and an understanding of the business process mapping for each SAP instance.

Rotation strategy

Given that the system is highly customisable, process driven and allows a variety of control selections, each SAP instance is likely to have a different risk profile. Further, within SAP the risk profile of different modules and sub-modules such as financials (FI), materials management (MM), sales and distribution (SD), payroll, human capital (HC), business information warehouse (BW), customer relationship management (CRM) and so on will be different.

The large areas of business operations that SAP software covers make it impractical to address them all in one single audit. To complete a full audit of SAP, it is appropriate to consider a rotation strategy. This may involve planning reviews of each SAP business process, module, sub-module, system configuration and change management, and system security, including the design of segregation of duties and access levels. This ensures that the audits are performed using appropriately skilled resources and cover each risk area, including business process, security and related controls. These areas can thus be assessed effectively to identify gaps and control weaknesses and to recommend appropriate actions to resolve issues.

Risk-based Approach

In addition to the above challenges, SAP systems are also upgraded and enhanced periodically to meet ever-changing business requirements. In the current economic climate, organisations are faced with changing risks in the environment that affect their business processes.

The aim of a risk-based approach is to allow auditors to tailor the review to the areas of business risk, giving way to greater focus on audit areas with a high-risk potential. The complexity of the SAP system and related business processes, as indicated above, may lend itself to higher inherent risk and control risk, which should be taken into account in planning the audit.

The risk-based approach should include general risk analysis, analytical audit procedures, systems- and process-based fieldwork, and substantive testing. In this way, an auditor can perform the audit efficiently with a degree of reliability, as well as optimising the time and effort it involves. It is therefore important that a top-down risk-based audit approach is adopted to effectively review SAP.