The Challenges in Auditing SAP
Many organisations use SAP software to help them manage their resources and activities. Its flexibility and breadth make it a challenge to audit.
SAP is highly configurable and implementations often differ, even between business units of the same company, financial and non-financial alike. At the same time, the effective operation of controls within the system's environment is crucial to a robust financial and operational control environment. It is therefore essential to gain a good understanding of how SAP is being used in the business when planning the audit scope and approach. Auditing an SAP environment introduces several unique complexities that can affect both.
Business enterprise procedures
SAP covers most business processes, and because of the system's complexity even a minor change in a business process can have a direct impact on the audit procedures. Changes to the setup and configuration of the system, to the release strategy, or the creation of new processes may result in new modules and/or functionality in SAP, and the additional risks that come with them will need to be considered.
For example, a client may decide to retire one of its legacy purchasing systems and move that functionality onto SAP. In the past, the key controls over purchase order approval may have been performed manually; with the SAP implementation the client has chosen to automate the approval process in SAP. The setup of the automated workflow and of user access security is therefore critical to ensuring that appropriate controls remain in place to mitigate the risks. For the auditor this means testing the automated controls over purchase orders rather than the manual controls they replaced.
Segregation and sensitivity
For an effective audit, the auditor needs a good understanding of the design of SAP's authorisation concept (the security design). In some cases, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. The review of the design and implementation of SAP security and access controls is therefore critical to ensuring that proper segregation of duties is maintained and that access to sensitive transactions is well managed.
Segregation of duties conflicts arise when a user is given access to two or more conflicting transactions, for example creating a purchase order and amending vendor master data. A clear mapping of the business processes, and identification of the roles and responsibilities involved in them, is essential both to the design of access controls and to auditing security effectively.
In addition, there may be transactions or access levels that the organisation considers sensitive, such as amending G/L codes and structures, amending recurring entries, or amending and deleting audit logs. In an SAP audit such sensitive transactions need to be identified during the planning stage.
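The two checks described above (conflicting transaction pairs, and a watch-list of sensitive transactions) are usually run as a rule set over an extract of user-to-role and role-to-transaction assignments. The following is an added example of such a check, written for this page rather than taken from the article or from any SAP tool. The roles, composite roles, users and rule set are constructed for illustration; the transaction codes are standard SAP codes chosen to stand in for the article's examples (create purchase order, change vendor master, change G/L account, change recurring entry, delete the security audit log), and the mapping of codes to rules is an assumption you should confirm against your own ruleset.

```python
"""Segregation-of-duties (SoD) and sensitive-access check over an
SAP-style user/role/transaction extract.

All data here is constructed for illustration (an assumption, not taken
from a real system or from the article). Transaction codes are standard
SAP codes used as stand-ins for the article's examples; verify the
code-to-function mapping against your own SoD ruleset.
"""

# Constructed single roles -> transaction codes they grant.
SINGLE_ROLES = {
    "Z_PURCHASER":     {"ME21N", "ME22N", "ME23N"},  # create/change/display PO
    "Z_VENDOR_MAINT":  {"XK01", "XK02", "XK03"},     # create/change/display vendor
    "Z_GL_ACCOUNTANT": {"FS00", "FB50"},             # G/L master, G/L posting
    "Z_RECURRING":     {"FBD1", "FBD2"},             # create/change recurring entries
    "Z_BASIS_AUDIT":   {"SM19", "SM20", "SM18"},     # configure/read/delete audit log
    "Z_DISPLAY_ONLY":  {"ME23N", "XK03", "SM20"},    # read-only access
}

# Constructed composite roles, which bundle other roles (as SAP allows).
# A conflict hidden inside a composite role is a classic finding.
COMPOSITE_ROLES = {
    "Z_P2P_ALL": {"Z_PURCHASER", "Z_VENDOR_MAINT"},
}

# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"Z_PURCHASER"},
    "bob":   {"Z_P2P_ALL"},                     # conflict arrives via composite role
    "carol": {"Z_GL_ACCOUNTANT", "Z_RECURRING"},
    "dave":  {"Z_DISPLAY_ONLY"},
    "erin":  {"Z_BASIS_AUDIT", "Z_PURCHASER"},
}

# SoD rules: (function A, its tcodes, function B, its tcodes). Display-only
# tcodes are deliberately left out so read access does not raise a finding.
SOD_RULES = [
    ("create purchase order", {"ME21N", "ME22N"},
     "maintain vendor master", {"XK01", "XK02"}),
    ("maintain G/L master", {"FS00"},
     "post to G/L", {"FB50"}),
]

# Sensitive tcodes flagged wherever they appear, regardless of SoD rules.
SENSITIVE = {
    "FS00": "amend G/L accounts/structures",
    "FBD2": "amend recurring entries",
    "SM18": "delete security audit log",
    "SM19": "change security audit log configuration",
}


def effective_tcodes(user):
    """Resolve a user's roles, expanding composite roles recursively,
    and return the set of transaction codes the user can execute."""
    singles, visited = set(), set()
    stack = list(USER_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role in visited:
            continue  # guards against cycles in composite definitions
        visited.add(role)
        if role in COMPOSITE_ROLES:
            stack.extend(COMPOSITE_ROLES[role])
        else:
            singles.add(role)
    tcodes = set()
    for role in singles:
        tcodes |= SINGLE_ROLES.get(role, set())
    return tcodes


def sod_conflicts(user):
    """Return a list of (function A, function B, offending tcodes) for every
    SoD rule where the user holds at least one tcode on each side."""
    tcodes = effective_tcodes(user)
    findings = []
    for name_a, set_a, name_b, set_b in SOD_RULES:
        hit_a, hit_b = tcodes & set_a, tcodes & set_b
        if hit_a and hit_b:
            findings.append((name_a, name_b, sorted(hit_a | hit_b)))
    return findings


def sensitive_access(user):
    """Return {tcode: description} for sensitive tcodes the user holds."""
    return {t: SENSITIVE[t] for t in effective_tcodes(user) if t in SENSITIVE}


def audit(users=None):
    """Run both checks for every user and return the findings keyed by user."""
    users = USER_ROLES if users is None else users
    return {u: {"sod": sod_conflicts(u), "sensitive": sensitive_access(u)}
            for u in users}


if __name__ == "__main__":
    for user, result in audit().items():
        print(user, result)
```

The point a practitioner should take from the output is that bob has no conflicting single role assigned directly; the conflict only appears once the composite role is expanded, which is why the check must resolve effective access rather than inspect role names. Real engagements replace the constructed dictionaries with extracts of the user, role and authorisation tables and a much larger rule set.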
Control selection
Organisations can tailor the SAP system to suit their business needs, selecting from a range of configurable and inherent controls. Understanding the selection process behind these controls is essential to the audit approach. Allowing purchase orders, for example, to be approved automatically by the system is a configurable automated control.
However, the client may instead choose not to implement this functionality and to address the risk through a manual control. Auditors need to understand which controls the client has chosen to implement and the matrix of controls on which the client places reliance to mitigate one or more risks.
Kinds of Controls
In SAP there are four types of control that an audit client can use to build a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.
Generally, access and configurable controls are executed by the SAP system and are preventive in nature. Manual controls, such as manual reviews of reports, are performed by an employee and are mainly detective in nature. For example, the procure-to-pay (P2P) process in SAP includes standard automated controls such as three-way matching (matching purchase orders, goods receipts and invoices). The client may choose to adopt four-way matching, or two-way matching of invoices, which requires customisation to suit their specific processes.
Each client uses a different mix of controls to achieve its specific control objectives, and because of the complexity of SAP software, auditing around the system to gain control assurance is not an option. The audit approach therefore needs to be tailored to each situation. It is also worth highlighting that SAP provides many controls that are inherent in the SAP environment; an example of an inherent control is that journal entries must balance before they can be posted in SAP.
Configurable controls
In SAP it is important to understand the link between configurable controls and access controls. Achieving a control objective may require a combination of configurable and access controls that together form the control solution. For example, "Purchase orders over £1m are blocked automatically and cannot be processed." This sounds like a configurable control, but it is actually both a configurable control and an access control: it depends on the configuration of the purchasing release strategy within SAP, and on who has access to create and release a PO.
Another example is "Purchase orders over US$1m must be approved by the manager." This sounds like an access control, but it is a configurable control as well, because of the configuration needed for the release strategy. In reality these are complementary controls: two controls that together cover the same risk. Without one of them, the other cannot cover the risk to the same precision. The auditor should test both the configuration and the access aspects of such controls, so it is essential that they are identified and classified correctly.
Process risks
SAP is a process-based ERP system and each SAP instance may carry different risks. The ability to customise and tailor the system, together with its inherent complexity, significantly increases the complexity of the security configuration and creates potential security vulnerabilities. Segregation of duties conflicts, errors and flaws therefore become more likely.
Every client has different business processes, products and services, and systems suited to its own environment. Designing the process effectively in SAP is key to mitigating the risks associated with inadequate or failed business processes. An effective audit approach should therefore include an assessment of risks and an understanding of the business process mapping for each SAP instance.
Rotation plan
Given that the system is highly customisable, process driven and offers a range of control options, each SAP instance is likely to have a different risk profile. Furthermore, within SAP the risk profiles of the different modules and sub-modules, such as financials (FI), materials management (MM), sales and distribution (SD), payroll, human capital (HC), business information warehouse (BW), customer relationship management (CRM) and so on, will differ.
The vast range of business operations that SAP software covers makes it impractical to cover them all in a single audit. To complete a comprehensive audit of SAP, it is appropriate to adopt a rotation plan. This may involve scheduling reviews of each SAP business process, module and sub-module, of system configuration and change management, and of system security, including the design of segregation of duties and access levels. This ensures that the audits are performed by appropriately skilled resources and cover each risk area, including business processes, security and the related controls, so that control weaknesses can be identified and appropriate remediation recommended.
Risk-based Approach
In addition to the issues above, SAP systems are upgraded and changed periodically to meet ever-changing business needs. In the current economic climate, organisations face changing risks in their environment that affect their business processes.
The purpose of a risk-based approach is to enable auditors to tailor the review to the areas of business risk, giving greater focus to audit areas with high-risk potential. The complexity of the SAP system and of the related business processes, as described above, may lend itself to higher inherent risk and control risk, which should be taken into account when planning the audit.
The risk-based approach should involve a general risk assessment, analytical audit procedures, systems- and process-based fieldwork, and substantive testing. In this way an auditor can perform the audit efficiently and with a degree of reliability, while optimising the time and effort it requires. It is therefore crucial that a top-down, risk-based audit approach is adopted to assess SAP effectively.