1913 Control Testing in SAP - IT, Financial, and Operational Auditing
Learning Points
- Understand how to assess and test the SAP technology infrastructure
- Understand how to assess and test the SAP General Ledger and other financial reporting modules
- Understand how to assess and test SAP production, planning and procurement modules
Return on Investment
Our basic assumption is that, if your organization is running SAP, then you are large enough, complex enough, or savvy enough to also have an internal audit function. Auditors need to know how to conduct a more effective application review of SAP, and should understand the infrastructure, key operations, and configuration. By ensuring that the auditors know how to properly focus on the key controls as they conduct audits in SAP, the business can be assured of minimizing the time needed to support the audit.
Real Experience. Real Advantage.
Best Practices
- Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP
- Learn a methodology for testing and specific test steps that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing
- Use and modify sample audit programs to enhance SAP testing
Have built over 40 percent of the U.S. Navy's current surface combatant fleet
Agenda
SAP from a business perspective
What SAP does for the user community
- Financial Accounting (FI)
- Controlling (CO)
- Asset Management (AM)
- Materials Management (MM)
- Sales and Distribution (SD)
- Quality Management (QM)
- Plant Maintenance (PM)
- Human Resources (HR)
- Supply Chain Management (SCM)
- Customer Relationship Management (CRM)
- Governance, Risk & Compliance (GRC)
- The tests should ensure that the controls are effective, that is, verify that they are designed to actually mitigate risks
- The tests should also ensure that controls are efficient, that is, verify that they are actually mitigating the risks
- In some cases, auditors can identify excessive or redundant controls that can be eliminated
Let's briefly go through how to test these controls.
And Don'ts
- Forget to document and retain test procedures
- Neglect tests of design and tests of effectiveness
- Fail to conclude on your findings
Financial Implications
Financial Statements
Significant Accounts
Process Implications
Significant Processes
Management's Assertions
Internal Controls
Select them based on:
- Errors of importance *
- Size and composition (Acct Balances: FS10, F.08)
- High transaction volume (Line Items: F.42, FB09D, FBL1N)
- Transaction complexity
- Subjectivity in determining account balance
- Nature of the account (Suspense accounts, reserve accounts)
* Errors that individually or collectively could have a material effect on the financial statements
Revenue Recognition (VF45, VF47), Goodwill Valuation (CX67)
What can go wrong?
- Errors of importance: Restatement, significant deficiencies
- Size and composition: Inability to effectively analyze data
- High transaction volume: Data noise, difficult to distinguish trends
- Transaction complexity: Hidden errors
- Subjectivity in determining account balance: Non-compliance with GAAP and/or IFRS
- Nature of the account: Fraud
Internal Controls:
- Errors of importance: Management review, executive approval
- Size and composition: SAP configuration
- High transaction volume: SAP configuration
- Transaction complexity: SAP configuration
- Subjectivity in determining account balance: SAP configuration
- Nature of the account: SAP configuration
Contract Specifications
Material Requirements
Scheduled Delivery
Inventory on Hand
Work in Progress
Budget
Internal Controls
Key objectives:
- Material identification (MB51)
- Material need date (Part of PO, see ME23N)
- Inventory on hand (MB03)
- Warehouse availability (LS03)
- Material requirements planning (MD04)
- Scrap / excess inventory (WAM03)
What can go wrong?
- Material identification: Wrong material, contract violation, liability
- Material need date: Schedule delay
- Inventory on hand: Excess material ordered
- Warehouse availability: Lost material, insufficient storage space
- Material requirements planning: Shelf life expires, material not available
- Scrap / excess inventory: Waste, unnecessary costs, fraud
And THAT's what SAP does for the planning, procurement and material user.
The COSO cube has been used as an auditing model since its initial release in 1993.
There is also a COSO model for use with organizations with an enterprise risk management framework.
- Errors of importance: Management review, executive approval
- Size and composition: SAP configuration
- High transaction vol.: SAP configuration
- Transaction complexity: SAP configuration
- Subjectivity in determining account balance: SAP configuration
- Nature of the account: SAP configuration
How can we test the effectiveness of management's reviews of material identification and/or material need dates?
Material is usually identified initially on a drawing before it is loaded into SAP or other production system to generate a Bill of Material. Drawings should all show the preparer and reviewer/approver. If there is a change management process in place, you can check the files to see if material changes are also approved and by whom. Material need dates are going to be based on several factors, such as economic ordering quantity, first assembly schedule date, labor resource availability, etc. Discuss with engineering and planning management how the first need date is established. Not very SAP dependent, but included for completeness.
Includes controls such as:
- Logical access over infrastructure, applications, and data
- System development life cycle
- Program change management
- Data center physical security
- System and data backup and recovery
- Computer operation
User access to create and maintain customer, material and pricing master data is appropriate
- Customer master data - tcodes FD01/FD02/FD05/FD06 (Finance), VD01/VD02/VD05/VD06 (Sales), XD01/XD02/XD05/XD06/XD07/XD99 (Central)
- Material master data - tcodes MM01 (Create), MM02 (Change), MM06 (Delete)
- Pricing master data - tcodes VK11 and VK12
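One way to run this access test over an extract of user-to-transaction assignments, shown as an added example that is not part of the original presentation. The column names (user, tcode), the sample rows and the approval list are constructed assumptions; only the transaction codes come from the slides.

```python
import csv
import io
from collections import defaultdict

# Transaction codes exactly as listed on the slide, grouped by master data domain.
MASTER_DATA_TCODES = {
    "customer": {"FD01", "FD02", "FD05", "FD06", "VD01", "VD02", "VD05", "VD06",
                 "XD01", "XD02", "XD05", "XD06", "XD07", "XD99"},
    "material": {"MM01", "MM02", "MM06"},
    "pricing": {"VK11", "VK12"},
}

# Constructed sample extract (assumed columns: user, tcode); not real data.
SAMPLE_EXTRACT = """user,tcode
ASMITH,XD01
ASMITH,XD02
BJONES,MM01
BJONES,VK11
CLEE,FBL1N
DKHAN,vk12
"""

# Assumed approval list: users the business owner has authorised per domain.
APPROVED = {"customer": {"ASMITH"}, "material": {"BJONES"}, "pricing": set()}

def review_master_data_access(extract_csv, approved):
    """Return (exceptions, multi_domain) for a user-to-tcode extract."""
    held = defaultdict(lambda: defaultdict(set))  # user -> domain -> tcodes
    for row in csv.DictReader(io.StringIO(extract_csv)):
        user, tcode = row["user"].strip().upper(), row["tcode"].strip().upper()
        for domain, tcodes in MASTER_DATA_TCODES.items():
            if tcode in tcodes:
                held[user][domain].add(tcode)
    # Exception: maintenance access in a domain without documented approval.
    exceptions = sorted(
        (user, domain, sorted(tcodes))
        for user, domains in held.items()
        for domain, tcodes in domains.items()
        if user not in approved.get(domain, set())
    )
    # Users who can maintain more than one domain warrant a closer look.
    multi_domain = sorted(u for u, d in held.items() if len(d) > 1)
    return exceptions, multi_domain

if __name__ == "__main__":
    exceptions, multi = review_master_data_access(SAMPLE_EXTRACT, APPROVED)
    for user, domain, tcodes in exceptions:
        print(f"EXCEPTION {user}: {domain} master data via {', '.join(tcodes)}")
    print("Multiple domains:", ", ".join(multi))
```

Holding a transaction code is only the first filter, since effective access also depends on the authorization objects behind it, so treat each hit as a candidate for follow-up rather than a confirmed finding.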
JV Workflow
Approval Matrix Set Up: used to determine whether appropriate approvers for JV documents are set up in SAP (the JV user is not the same as the JV approver)
Tolerance Limits
SE16, T169G (can choose 1 or many company codes to view)
Automatic Posting
Identifies the various procedures that generate automatic postings to the GL. Use tcode OBYC (need business management or SAP BASIS to execute).
Record checks
Records are checked for key fields as part of data validation process to minimize duplicate data entry, including using fuzzy logic for close matches.
Field Verification
Key fields are mandatory entries, and the record cannot be stored with certain items incomplete or pending.
System checks
Cross system checks are used to ensure records are input in sequence
Validation checks
Post-closing data entries are permitted, but require management approval to assure the impact is known.
Key Learnings
- Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP
- Learn a methodology for testing and specific test steps that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing
- Use and modify sample audit programs to enhance SAP testing