1913 Control Testing in SAP - IT, Financial, and Operational Auditing
Huntington Ingalls
Northrop Grumman
[ Learning Points
Understand how to assess and test the SAP technology infrastructure
Understand how to assess and test the SAP General Ledger and other financial reporting modules
Understand how to assess and test SAP production, planning and procurement modules
[ Return on Investment
Our basic assumption is that, if your organization is running SAP, then you are large enough, complex enough, or savvy enough to also have an internal audit function.
Auditors need to know how to conduct a more effective application review of SAP, and should understand the infrastructure, key operations, and configuration.
By ensuring that the auditors know how to properly focus on the key controls as they conduct audits in SAP, the business can be assured of minimizing the time needed to support the audit.
Real Experience. Real Advantage.
[ Best Practices
Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP
Learn a methodology for testing and specific test steps that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing
Use and modify sample audit programs to enhance SAP testing
[ Agenda
SAP from a business perspective
What SAP does for the user community
And Don'ts
Forget to document and retain test procedures
Neglect tests of design and tests of effectiveness
Fail to conclude on your findings
Diagram (financial statement risk flow): 2011 Balance Sheets, Financial Implications, Financial Statements, Significant Accounts, Process Implications, Significant Processes, What can go WRONG?, Management's Assertions, Internal Controls
* Errors that individually or collectively could have a material effect on the financial statements: Revenue Recognition (VF45, VF47), Goodwill Valuation (CX67)
Internal Controls:
Errors of importance                          Management review, executive approval
Size and composition                          SAP configuration
High transaction volume                       SAP configuration
Transaction complexity                        SAP configuration
Subjectivity in determining account balance   SAP configuration
Nature of the account                         SAP configuration
Diagram (material requirements planning flow): Contract Specifications, Material Requirements, Inventory on Hand, Scheduled Delivery, Work in Progress, Material Requirements Planning, What can go WRONG?, Budget, Internal Controls
Key objectives:
Material identification (MB51)
Material need date (part of PO, see ME23N)
Inventory on hand (MB03)
Warehouse availability (LS03)
Matl req planning (MD04)
Scrap / excess inventory (WAM03)
Internal Controls:
Material identification     Engineering / management review
Material need date          Engineering / management review
Inventory on hand           SAP Configuration
Warehouse availability      SAP Configuration
Matl req planning           SAP Configuration
Scrap / excess inventory    SAP Configuration
Material identification
Material need date
Inventory on hand
Warehouse availability
Matl req planning
Scrap / excess inventory
Approva BizRights
ACL Direct Link
I-DEAS
Cognos
WinShuttle
Basis administration
Transport/import
Develop program change
Develop role change
User security administration
Change monitoring
User testing
Authorize change
Perform change
The Performance Assistant provides you with more detailed information about the control to help you understand how it works.
JV Workflow
Review the approval matrix setup to determine whether the appropriate approvers for the JV document are set up in SAP (the JV user must not be the same person as the JV approver)
Tolerance Limits
SE16, table T169G (one or many company codes can be selected for viewing)
Automatic Posting
Identifies the various procedures that generate automatic postings to the GL
Use Tcode OBYC (business management or SAP BASIS is needed to execute it)
The objectives of the activity being reviewed and the means by which the activity controls its performance;
The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model
Objective / Risks / Mitigating Controls / Control Statement
Edit checks
Edit checks eliminate common typographic errors. Where possible, the application includes processes to validate financial values for reasonableness and approval limits; looks for proper formats and required fields; uses standardized input screens; verifies sequences (e.g., missing items), range checks, and check digits; and performs cross checks (e.g., where certain policies are only valid with certain premium table codes).
Record checks
Records are checked for key fields as part of the data validation process to minimize duplicate data entry, including using fuzzy logic for close matches.
Field Verification
Key fields are mandatory entries, and the record cannot be stored with certain items incomplete or pending.
System checks
Cross-system checks are used to ensure records are input in sequence.
Validation checks
Post-closing data entries are permitted, but require management approval to assure the impact is known.
Field Verification
Test Plan
[ Key Learnings
Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP
Learn a methodology for testing and specific test steps that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing
Use and modify sample audit programs to enhance SAP testing
SESSION CODE:
1913
User Maintenance:
SU01   Maintain User (SU01D)
SU02   Maintain Authorization Profiles
SU03   Maintain Authorizations
SU10   Mass changes to User Master
SU12   Mass Changes to User Master Records
SU20   Maintain Authorization Fields
SU21   Maintain Authorization Objects
SU50   Maintain User Defaults
SU51   Maintain User Address
SU52   Maintain User Parameters
SU53   Display Check Values
SU54   Maintain User Menu
SU55   Start user menu
SU56   Analyze user buffer (Security Check)
SUIM   User Information System
Authorization Objects:
SU22   Auth. object usage in transactions
SU30   Total checks in the area of authorizations
Table Security:
SUCH   Translatability CHECKs
SUCU   Table authorizations: Customizing
Program    Short description
RSUSR000   Current Active Users
RSUSR002   Lists of Users According to Complex Selection Criteria
RSUSR003   Check the Passwords of Users SAP* and DDIC in all Clients
RSUSR004   Restrict User Values to the Following Simple Profiles and Auth. Objs.
RSUSR005   List of Users With Critical Authorizations
RSUSR006   List of User Master Records Locked Due to Incorrect Logon
RSUSR007   List Users Whose Address Data is Incomplete
RSUSR010   Transaction Lists According to Selection With User, Profile or Object
RSUSR020   List Profiles by Complex Selection Criteria
RSUSR030   List Authorizations According to Complex Selection Criteria
RSUSR040   List Authorization Objects by Complex Selection Criteria
RSUSR100   List Change Documents for Users
RSUSR101   List Change Documents for Profiles
RSUSR102   List Change Documents for Authorizations
RSUSR400   Test Environment Authorization Checks (SAP Systems Only)
RSPARAM    List system parameters (Tcode RZ11 or TU02)
RSCSAUTH   Maintain program/report authorization groups
RSABAUTH   Transfers authorization groups from TRDIR to TPGP
Table    Description
DD02V    List of Tables and Descriptions
TSTC     Transaction Listing
TSTCA    Values for Transaction Code Authorizations
TSTCT    Transactions with Description
TACT     Activities that can be Protected
TACTT    Activities that can be Protected with Descriptions
TACTZ    Authorization Objects and Valid Activities
TBRG     Authorization Objects and Authorization Groups
TBRGT    Auth Objects and Auth Groups with Descriptions
TDDAT    Table Authorization Groups
TOBJ     Authorization Objects
TOBJC    Authorization Object with Class assignment
TOBJT    Authorization Objects and Descriptions
TOBC     Authorization Object Classes
TOBCT    Authorization Object Classes and Descriptions
TPGP     ABAP/4 Authorization Groups
TPGPT    Long Texts for ABAP/4 Program Groups
TRDIR    System Table TRDIR, ABAP/4 Programs with Authorization
TRDIRE   System Tables with attributes
TACTZ    Valid Activities
USOBT    Transaction codes with Authorization Objects checked. Used with Profile Generator