Company (Name):

A
A total
total of
of 99
99 tests
tests have
have been
been
designed to evaluate ALL KEY
risks based on best practices and
the
the latest
latest auditing
auditing standards
standards

Fiscal Year End (Date):

Tested on (Date)/ tested by (Name):
Tested in (System):

Contains
Contains detailed
detailed testing
testing
instructions, rather than generic
descriptions of the tests to be
performed
performed

Links
Links to
to the
the pre-populated
pre-populated test
test
sheets with fill-in fields for
company-specific information.

Revenue - Audit Program for SAP - SAMPLE

Control Activity

Control
Activity Type
Preventive/
Detective

Control
Nature
Manual/
Automated

IT Nature
IT Dependent/
Non ITDependent

Control
Rating
High/
Medium/
Low

Query
No

Testing Procedures:
For each control activity selected for testing, auditor needs to perform adequate testing procedures to gain reasonable
assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The
following testing procedures will assist auditors in performing tests of control for each control activity.

Testing Reference
Conclusion
Reference to supporting Effective/
evidence considered
Ineffective
pertinent

Invoicing, Sales Returns, and Adjustments

Control Objective REV06: Invoices relate to valid shipments.
(Control Objective Assertion: [Balance Sheet] Receivables: Validity & [Income Statement] Sales: Validity)
Control Objective Background: If invoices are issued and processed that do not relate to valid shipments, revenue and accounts receivable will be overstated.
REV06.01: Only authorized
personnel have the ability to create
or process deliveries in SAP.

Preventive

Automated

IT Dependent

High

65

During the life cycle of a delivery, several stages can be recognized. First, the delivery is created, then picked, then
packed, and finally loaded. When the transportation provider picks up the goods from the warehouse, the goods issue
is posted in the system.

Tab 45

Perform the following procedures to generate a listing of users with access to create delivery documents in SAP:

In
In addition
addition to
to the
the written
written stepstepby-step instructions, screenprints from SAP will be
provided
provided to
to visually
visually assist
assist
those new to the system.
Covers ALL principal revenue
subprocesses:
subprocesses:
Managing and Processing Orders
Invoicing, Sales Returns, & Adjustments

Processing
Processing Cash
Cash Receipts
Receipts
Maintaining Customer Master Files

265730069.xls

Execute transaction code SUIM

Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By
Authorization Values"
AUTHORIZATION OBJECT 1:
S_TCODE:
VL01 (Create delivery) OR
VL01N (Create Outbound Delivery with Order Reference) OR
VL01NO (Create Outbound Delivery without Order Reference)
AUTHORIZATION OBJECT 2:
V_LIKP_VST:
Activity (ACTVT): 01 (Create)
Shipping/Receiving Point (VSTEL): * (means SOME/ANY shipping/ receiving points)

Page 1 of 5

Control Activity

Control
Activity Type
Preventive/
Detective

Control
Nature
Manual/
Automated

IT Nature
IT Dependent/
Non ITDependent

Control
Rating
High/
Medium/
Low

Query
No

Testing Procedures:
For each control activity selected for testing, auditor needs to perform adequate testing procedures to gain reasonable
assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The
following testing procedures will assist auditors in performing tests of control for each control activity.

Testing Reference
Conclusion
Reference to supporting Effective/
evidence considered
Ineffective
pertinent

AUTHORIZATION OBJECT 3:
M_MSEG_BWE:
Activity (ACTVT): 01 (Create)
Movement type (BWART): * (mean SOME/ANY movement types) or restrict as needed
Movement types that should typically be considered for this assessment:
- 601 and 651 (required to post goods issue for outgoing sales orders and incoming returns)
- 621 through 624 (required to handle deliveries for returnable packaging)
- 631 through 634 (required to handle deliveries for customer consignment)
- Other movement types should only be assigned to warehouse staff and not to the sales department

Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate
for such users to have such access, based on their job responsibilities and established policies, procedures,
standards, and guidance. Compare the results of the test with the information obtained from the interviews with the
individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.

265730069.xls

Page 2 of 5

Exception Details
For ineffective controls

265730069.xls

Mitigating Controls
For ineffective controls

Planned Remediation Procedures

For ineffective controls

Planned
Remediation
Date
For ineffective
controls

Remediation
Status
Completed/
In Progress

Ref. to PostRemediation
Testing Details
If applicable

Page 3 of 5

Exception Details
For ineffective controls

265730069.xls

Mitigating Controls
For ineffective controls

Planned Remediation Procedures

For ineffective controls

Planned
Remediation
Date
For ineffective
controls

Remediation
Status
Completed/
In Progress

Ref. to PostRemediation
Testing Details
If applicable

Page 4 of 5

265730069.xls

Count
*Insert
additional
rows as
needed

000099Tab 45

User ID

User Name

Locked?
Valid From
(Yes/No)
*Exclude locked user IDs
("0" or "Blank" in this field
means that user ID is NOT
locked)

Valid Through
*Exclude IDs that
are past their
validity date (no
access)

User Type
*Exclude D (System) and C
(Communication) IDs (no end
user access); leave A
(Dialog) and S (Service) IDs
for analysis

Access Appropriate Exceptions

as per the Job
Noted?
Responsibilities?
(Yes/No)
(Yes/No)

Comments/ Exception Detail

1
2
3
4
5
Total

Page 5 of 5