Many companies use the SAP application to help them plan their resources and activities. Its flexibility and range make it a challenge to audit.
SAP is highly configurable and implementations often vary, even within different business units of a company – both financial and non-financial. At the same time, the effective operation of controls within the system's environment is essential to a strong financial and operational control environment. Therefore, it is important to gain a good understanding of how SAP is being utilised in the business while planning the audit scope and approach. Auditing an SAP environment introduces a number of unique complexities that can impact the audit scope and approach.
Business processes
SAP covers most business processes, and a minor change in a business process can have a direct effect on the audit procedures because of the complexity of the system. Changes in the setup and configuration of the system, the release strategy or the creation of new processes may result in new modules and/or functionality in SAP and, as such, additional risks must be considered.
For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over purchase order approval may have been performed manually. But with the SAP implementation the client has considered automating the approval process in SAP. The setup of the automated workflow process and user access security is therefore critical to ensure that adequate controls are maintained to mitigate the risks. This would involve testing automated controls instead of the manual controls over purchase orders.
Segregation and sensitivity
For an effective audit, the auditor needs to gain a good understanding of the design of SAP's authorisation concept (security design). In some instances, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. Therefore the review of the design and implementation of SAP security and access controls is important to ensure that proper segregation of duties is maintained and access to sensitive transactions is well controlled.
Segregation of duties conflicts can arise when a user is given access to two or more conflicting transactions – for example, creating a purchase order and amending vendor master details. A clear mapping of the business processes and identification of the roles and responsibilities involved in the processes is important in the design of access controls to effectively audit security.
In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries or amending and deleting audit logs. In an SAP audit such sensitive transactions would need to be considered during the planning phase.
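The conflict and sensitive-access checks described above can be run over an extract of role assignments. The following is an added example, not part of the original article: the users, roles and rule set are constructed, the analysis is simplified to transaction-code level, and the transaction codes are common SAP ones chosen for illustration.

```python
# Constructed sample data: role -> transaction codes, and user -> roles.
ROLE_TCODES = {
    "Z_BUYER": {"ME21N", "ME23N"},         # create / display purchase order
    "Z_VENDOR_MAINT": {"XK02", "XK03"},    # change / display vendor master
    "Z_GL_ADMIN": {"FS00"},                # G/L account master maintenance
    "Z_BASIS_AUDIT": {"SM18", "SM20"},     # audit log reorganisation / analysis
}
USER_ROLES = {
    "ASMITH": ["Z_BUYER"],
    "BJONES": ["Z_BUYER", "Z_VENDOR_MAINT"],
    "CLEE": ["Z_GL_ADMIN", "Z_BASIS_AUDIT"],
}
# Assumed rule set: a conflict exists when one user holds a code from each side.
SOD_RULES = [
    ("Create PO / amend vendor master", {"ME21N"}, {"XK02", "FK02", "MK02"}),
]
# Assumed list of transactions the business treats as sensitive.
SENSITIVE = {
    "FS00": "Amend G/L accounts",
    "FBD2": "Amend recurring entries",
    "SM18": "Delete audit logs",
}

def effective_tcodes(user):
    """Union of codes over all of a user's roles; conflicts often span roles."""
    codes = set()
    for role in USER_ROLES.get(user, []):
        codes |= ROLE_TCODES.get(role, set())
    return codes

def sod_conflicts(user):
    """Return (rule name, side A codes held, side B codes held) per violation."""
    codes = effective_tcodes(user)
    found = []
    for name, side_a, side_b in SOD_RULES:
        held_a, held_b = codes & side_a, codes & side_b
        if held_a and held_b:
            found.append((name, sorted(held_a), sorted(held_b)))
    return found

def sensitive_access(user):
    """Map each sensitive transaction the user can reach to its description."""
    held = effective_tcodes(user) & set(SENSITIVE)
    return {code: SENSITIVE[code] for code in sorted(held)}

def audit_report():
    """Per-user findings, suitable for review during audit planning."""
    return {u: {"sod": sod_conflicts(u), "sensitive": sensitive_access(u)}
            for u in sorted(USER_ROLES)}
```

Neither role held by BJONES is a problem on its own; the conflict only appears once the roles are combined per user, which is why the check works on effective access rather than on individual roles.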
Control selection
Organisations can tailor the SAP system to fit their business needs, including a selection of configurable and inherent controls. Understanding the selection process behind these controls is important to the audit approach. Allowing purchase orders, for example, to be approved automatically through the system is considered a configurable automated control.
However, the client may also choose not to implement this functionality and manage this risk through a manual control. Auditors need to understand the controls the client has chosen to implement and the matrix of controls that they place reliance on to mitigate a number of risks.
Types of controls
In SAP there are four types of controls that an audit client can utilise in order to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.
Typically access or configurable controls are executed by the SAP system and are preventive in nature. On the other hand, manual controls, including manual reviews of reports, are executed by an employee and are mainly detective in nature. For example, in the procure-to-pay (P2P) process of SAP, there are standard automated controls such as three-way matching (matching of purchase orders, goods receipts and invoices). The client may choose to adopt four-way matching, or two-way matching of invoices, therefore requiring customisation to suit their specific processes.
Each client will use a different combination of controls in order to achieve their specific control objectives, and because of the complexity of the SAP application, auditing around the system to gain control assurance is not an option. Therefore the audit approach needs to be tailored appropriately for each situation. It is also important to highlight that SAP delivers a number of controls that are inherent within the SAP environment. An example of an inherent control is that journal entries must balance prior to posting in SAP.
Configurable controls
In SAP it is important to understand the link between configurable controls and access controls. In order to achieve the control objective there may be a combination of configurable and access controls that create a control solution. For example, “Purchase orders over £1m get blocked automatically and cannot be processed.” This looks like a configurable control, but is actually both a configurable control and an access control, as it deals with the configuration of the Purchasing Release Strategy within SAP and with who has access to create and approve a PO.
Another example is “Purchase orders over US$1m must be approved by the manager.” This looks like an access control, but it is a configurable control as well because of the configuration needed for the release strategy. In fact, these are complementary controls: two controls covering the same risk together. Without one control, the other cannot cover the risk to the same precision. The auditor should test both the configuration and access aspects of these controls, so it is important that they are identified by the auditor and classified appropriately.
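Testing both aspects of the purchase order approval control on extracted data could look like the sketch below. It is an added example, not taken from SAP or the original article: the record layout, user names, authorised releaser list and single-currency threshold are all constructed assumptions.

```python
from decimal import Decimal

# Assumed to mirror the value configured in the release strategy.
RELEASE_THRESHOLD = Decimal("1000000")
# Hypothetical users who hold access to release (approve) purchase orders.
AUTHORISED_RELEASERS = {"MGR_PATEL", "MGR_OKAFOR"}

# Constructed extract: (po_number, value, created_by, released_by, processed)
PURCHASE_ORDERS = [
    ("4500000001", Decimal("250000"), "ASMITH", None, True),
    ("4500000002", Decimal("1500000"), "ASMITH", "MGR_PATEL", True),
    ("4500000003", Decimal("2300000"), "BJONES", None, True),
    ("4500000004", Decimal("1200000"), "MGR_OKAFOR", "MGR_OKAFOR", True),
    ("4500000005", Decimal("1800000"), "ASMITH", "BJONES", True),
    ("4500000006", Decimal("3000000"), "BJONES", None, False),
]

def release_exceptions(orders, threshold=RELEASE_THRESHOLD,
                       releasers=AUTHORISED_RELEASERS):
    """Flag processed POs over the threshold where either aspect failed."""
    findings = []
    for po, value, creator, releaser, processed in orders:
        if value <= threshold or not processed:
            # Below the threshold, or still blocked: nothing to report.
            continue
        if releaser is None:
            # The configured block did not stop the PO being processed.
            findings.append((po, "configuration: processed without release"))
        elif releaser not in releasers:
            # Someone outside the approved group held release access.
            findings.append((po, "access: released by unauthorised user"))
        elif releaser == creator:
            # One user both created and approved the same PO.
            findings.append((po, "access: creator released own PO"))
    return findings

def summarise(findings):
    """Count findings by control aspect (configuration vs access)."""
    counts = {"configuration": 0, "access": 0}
    for _po, reason in findings:
        counts[reason.split(":")[0]] += 1
    return counts
```

A PO that is still blocked (the last constructed record) is evidence the configuration works, so it is deliberately excluded from the findings.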
Process risks
SAP is a process-based ERP system and each SAP instance may have different risks associated with it. The ability to customise and tailor the system, and its inherent complexity, significantly increases the overall complexity of security configurations and leads to potential security vulnerabilities. Segregation of duties conflicts, errors and flaws therefore become more likely.
Each client has different business processes, products and services, and systems that suit their environment. Designing the process effectively in SAP is important to mitigate the risks associated with inadequate or failed business processes. An effective audit approach should therefore include an evaluation of risks and an understanding of the business process mapping for each SAP instance.
Rotation plan
Given that the system is highly customisable, process driven and enables a range of control selections, each SAP instance would likely have a different risk profile. Further, within SAP, the risk profile of different modules and sub-modules such as financials (FI), materials management (MM), sales and distribution (SD), payroll, human capital (HC), business information warehouse (BW), customer relationship management (CRM) and so on will be different.
The vast areas of business operations that the SAP application covers would make it impractical to cover them all in one single audit. To complete a comprehensive audit of SAP, it is appropriate to consider a rotation plan. This may involve planning reviews of each SAP business process, module and sub-module; system configuration and change control; and system security, including the design of segregation of duties and access levels. This ensures that the audits are performed using appropriately skilled resources and cover each risk area, including business process, security and related controls. These areas can therefore be assessed effectively to identify control gaps and weaknesses and recommend appropriate steps to resolve issues.
Risk-based approach
In addition to the above challenges, SAP systems are also upgraded and enhanced periodically to meet ever-changing business requirements. In the current economic climate, companies are faced with changing risks in the environment that affect their business processes.
The aim of a risk-based approach is to allow auditors to tailor the review to the areas of business risk, giving way to a better focus on audit areas with high-risk potential. The complexity of the SAP system and related business processes, as indicated above, may lend itself to higher inherent risk and control risk, which needs to be taken into account in planning the audit.
The risk-based approach should include general risk assessment, analytical audit procedures, systems and process-based fieldwork, and substantive testing. In this way, an auditor can conduct the audit efficiently with a degree of reliability, as well as optimising the time and effort it involves. It is therefore important that a top-down, risk-based audit approach is adopted to effectively review SAP.