April 26, 2024

Challenges in SAP auditing

Many companies use the SAP application to help them plan their resources and activities. Its flexibility and scope make auditing challenging.

SAP is highly configurable and implementations often vary, even within various business units of a company, both financial and non-financial. At the same time, the effective operation of controls within the system environment is critical to a sound financial and operational control environment. Therefore, it is important to have a good understanding of how SAP is used in business while planning the scope and focus of the audit. Auditing a SAP environment presents several unique complexities that can affect the scope and focus of the audit.

Business processes

SAP covers most business processes, and because of the system's complexity even a minor change in a business process can have a direct effect on audit procedures. Changes to the installation and configuration of the system, to the release strategy, or the creation of new processes may result in new modules and/or functionality in SAP and, as such, additional risks should be considered.

For example, a customer might consider retiring one of their legacy purchasing systems and moving this functionality to SAP. In the past, key controls over PO approval may have been done manually. But with the implementation of SAP, the customer has considered automating the approval process in SAP. Therefore, the configuration of the automated workflow process and the security of user access is important to ensure that adequate controls are maintained to mitigate risks. This would involve testing automated controls rather than manual controls on the purchase order.

Segregation and sensitivity

For an effective audit, the auditor must have a good understanding of the design of the SAP authorization concept (security design). In some cases, poor security design results in users inadvertently accessing unnecessary or unauthorized transactions. Therefore, reviewing the design and implementation of SAP security and access controls is important to ensure that proper separation of duties is maintained and that access to sensitive transactions is well controlled.

Segregation of duties conflicts can arise when a user has access to two or more conflicting transactions, for example creating a purchase order and modifying the supplier master details. A clear mapping of business processes and identification of roles and responsibilities involved in the processes is crucial in designing access controls to effectively audit security.

In addition, there may be transactions or access levels that are considered business sensitive, such as modifying G/L codes and structures, modifying recurring entries, or modifying and deleting audit records. In a SAP audit, these sensitive transactions should be considered during the planning phase.
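The two checks described above (conflicting transaction pairs such as creating a purchase order and changing the supplier master, and access to sensitive transactions) can be evaluated over a user's effective access. The following is an added example, not code from the original article: the role and user data are constructed, the transaction codes are standard SAP t-codes, and the role-to-t-code mapping is an assumption. It evaluates the union of a user's roles, since a conflict usually arises from a role combination rather than a single role.

```python
from itertools import chain

# Constructed sample authorization data (assumed mapping, not from a real system).
ROLE_TCODES = {
    "Z_PURCHASER":     {"ME21N", "ME22N"},  # create / change purchase order
    "Z_VENDOR_MAINT":  {"XK01", "XK02"},    # create / change vendor master
    "Z_GL_ACCOUNTANT": {"FB50", "FBD2"},    # post G/L document, change recurring entry
    "Z_BASIS_ADMIN":   {"SM18", "SM19"},    # delete / configure security audit log
}

USER_ROLES = {
    "alice": ["Z_PURCHASER"],
    "bob":   ["Z_PURCHASER", "Z_VENDOR_MAINT"],  # conflict only visible across roles
    "carol": ["Z_GL_ACCOUNTANT"],
    "dave":  ["Z_BASIS_ADMIN"],
}

# Business activities expressed as t-code sets, and the pairs that must not be
# held by one person (the page's example: create PO vs. modify supplier master).
ACTIVITIES = {
    "create_po":     {"ME21N"},
    "change_vendor": {"XK01", "XK02"},
    "post_gl":       {"FB50"},
}
SOD_CONFLICTS = [("create_po", "change_vendor")]

# Sensitive transactions the page calls out for planning-phase attention.
SENSITIVE = {
    "FS00": "modify G/L account master",
    "FBD2": "modify recurring entry",
    "SM18": "delete security audit log",
}

def effective_tcodes(user):
    """Union of all t-codes granted through the user's roles."""
    return set(chain.from_iterable(ROLE_TCODES[r] for r in USER_ROLES[user]))

def sod_findings(user):
    """Conflict pairs where the user holds at least one t-code of both activities."""
    tcodes = effective_tcodes(user)
    held = {name for name, codes in ACTIVITIES.items() if tcodes & codes}
    return [(a, b) for a, b in SOD_CONFLICTS if a in held and b in held]

def sensitive_findings(user):
    """Sensitive t-codes the user can execute, sorted for stable reporting."""
    return sorted(t for t in effective_tcodes(user) if t in SENSITIVE)

def audit_all():
    """Per-user findings, the shape an auditor would feed into a workpaper."""
    return {u: {"sod": sod_findings(u), "sensitive": sensitive_findings(u)}
            for u in USER_ROLES}
```

In a real engagement the role and user tables would be extracted from the system under audit rather than typed in; the evaluation logic stays the same.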

Control selection

Organizations can tailor the SAP system to suit their business needs, including a selection of inherent and configurable controls. Understanding the selection process behind these controls is critical to the audit approach. Allowing purchase orders, for example, to be automatically approved through the system is considered a configurable automated control.

However, the customer can also choose not to implement this functionality and address this risk through manual control. Auditors must understand the controls the client has chosen to implement and the matrix of controls they rely on to mitigate one or more risks.

Types of controls

In SAP there are four types of controls that an audit client can use to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.

Access or configurable controls are typically enforced by the SAP system and are preventive in nature. On the other hand, manual checks, including manual reviews of reports, are performed by an employee and are primarily detective in nature. For example, in SAP’s purchase-to-pay (P2P) process, there are standard automated controls such as three-way matching (of purchase order, goods receipt, and invoice). The customer can choose to adopt a four-way match or a two-way match of invoices instead, requiring customization to suit their specific processes.

Each customer will use a different combination of controls to achieve their specific control objectives, and due to the complexity of the SAP application, auditing around the system for assurance of control is not an option. Therefore, the audit approach must be appropriately adapted to each situation. It is also important to note that SAP offers several controls that are inherent to the SAP environment. An example of an inherent control is that journal entries must be balanced before being posted to SAP.

Configurable controls

In SAP, it is important to understand the link between configurable controls and access controls. To achieve the control objective, there may be a combination of configurable and access controls that together form a control solution. For example, “Purchase orders over £1 million are automatically blocked and cannot be processed.” This sounds like a configurable control, but in reality it is both a configurable control and an access control, as it depends on the configuration of the purchase release strategy within SAP and on who has access to create and approve a purchase order.

Another example is “Purchase orders over $1 million must be approved by the manager.” This sounds like an access control, but it is also a configurable control due to the configuration required for the release strategy. In fact, these are complementary controls: two controls that together cover the same risk. Without one control, the other cannot cover the risk with the same precision. The auditor must test both the configuration and the access aspects of these controls, so it is important that they are identified by the auditor and classified appropriately.

Process risks

SAP is a process-based ERP system and each SAP instance can have different associated risks. The ability to customize and adapt the system, together with its inherent complexity, significantly increases the overall complexity of security configurations and leads to potential security vulnerabilities. As a result, segregation-of-duties conflicts, errors, and failures are more likely.

Each customer has different business processes, products and services, and systems that reflect their environment. Designing the process effectively in SAP is important to mitigate the risks associated with unsuitable or failed business processes. Therefore, an effective audit approach must include an assessment of risks and an understanding of business process mapping for each SAP instance.

Rotation plan

Since the system is highly customizable, process-driven, and allows for a variety of control selections, each SAP instance could have a different risk profile. Also, within SAP, the risk profile of different modules and sub-modules such as Finance (FI), Materials Management (MM), Sales and Distribution (SD), Payroll, Human Capital (HC), Business Information Warehouse (BW), Customer Relationship Management (CRM), etc. will differ.

The vast areas of business operations that SAP applications cover make it impractical to cover them all in a single audit. To complete a comprehensive SAP audit, it is appropriate to consider a rotation plan. This may involve planning reviews for each SAP business process, module, or sub-module; system configuration and change management; and system security, including the design of segregation of duties and access levels. This ensures that audits are performed using properly trained resources and cover every area of risk, including business processes, security, and associated controls. These areas can then be effectively assessed to identify control deficiencies and recommend appropriate steps to resolve them.

Risk-based approach

In addition to the above challenges, SAP systems are also regularly updated and improved to meet ever-changing business requirements. In today’s economic climate, companies face changing risks in the environment that affect their business processes.

The goal of a risk-based approach is to allow auditors to tailor the review to areas of business risk, giving way to a greater focus on audit areas with high risk potential. The complexity of the SAP system and related business processes, as noted above, may lend itself to increased inherent risk and control risk that must be considered when planning the audit.

The risk-based approach should include general risk analysis, analytical audit procedures, systems and process-based fieldwork, and substantive testing. In this way, an auditor can perform the audit efficiently with a certain degree of reliability, in addition to optimizing the time and effort involved. Therefore, it is crucial that a top-down risk-based audit approach is adopted to review SAP effectively.
