Assuring SAP: Australia

Assuring SAP





Enterprise resource planning and related applications software from SAP has been implemented by many Australian Government bodies as the basis of their financial and human resources management systems. Amy Fox and Lesa Craswell from the Australian National Audit Office (ANAO) chart the development of ANAO's audit of SAP and in particular its use of specialised audit software, SAP Assure. There have been a variety of significant benefits from the use of SAP Assure and the ANAO has achieved a much greater level of assurance about the controls in client systems.

Organisation Background

In Australia the Office of the Auditor-General was established in 1901 under the authority of the Audit Act 1901, the fourth act to be passed by the first assembly of the Commonwealth of Australia Parliament.

In 1997 the Auditor-General Act 1997 replaced the Audit Act, and was enacted on 1 January 1998. Under this Act the independence and mandate of the Australian National Audit Office (ANAO) was further strengthened, as the Auditor-General had become an Officer of the Parliament.

Information Technology Audit (IT Audit) exists to provide an integrated audit support service to all business units within the ANAO. While administratively part of the Assurance Audit group, they have primary responsibility for the management and delivery of IT audit activities to both the Assurance (Financial) and Performance Audit service groups. The primary objective for IT Audit is provision of independent assurance through the detection and evaluation of risks faced by Australian Government entities in their adoption and use of existing and emerging technologies.

There are currently 23 permanent members of IT Audit supplemented by contract staff, each with a range of educational and technical skills and experiences. The variety of technology, accounting, auditing, and graduate backgrounds provides a diverse team capable of successfully undertaking most of the audit activities with which it is charged.

One of the services offered by IT Audit is the provision of IT application control assessment of the various SAP environments within audit clients. SAP is a key area of review for the ANAO as it has been implemented by multiple Australian Government entities for use as their financial management and/or human resource management systems. The purpose of our review is to undertake risk identification, risk assessment, control identification and control assessment of entities' SAP implementations. This contributes a significant level of assurance for the financial statement audits undertaken by the ANAO.

Development of SAP Audit

The ANAO developed and published a SAP Better Practice Guide [1] in 1998. This guide was prepared to provide assistance to Australian Government entities to ensure that security and internal control considerations (in the form of better practice procedures) within their SAP systems were configured and implemented correctly. The guide was updated and expanded on in 2004.

Until 2005 the ANAO's approach to auditing SAP was through the use of manual work programmes. These programmes were developed internally over a long period of time but were resource intensive to complete. Our approach also imposed significantly on the staff at the audit client, and did not appropriately consider differences in SAP versions, audit client business processes, and/or SAP customisations. In addition, our audit scope and coverage was primarily limited to the BASIS module in SAP, specifically related to security role allocation and administration. To support our audit process, the ANAO relied heavily on consultants and contractors to provide specialist SAP knowledge and training.

[1] Better Practice Guides can be downloaded from the Publications section of the ANAO's website:

In the later part of 2004 the ANAO became aware of a consulting firm who had developed a software tool, called SAP Assure [2]. This tool, in part, automated the audit of SAP. The capabilities of this software went significantly beyond the audit coverage and the capability of the ANAO's manual programmes, and extended audit analysis into areas such as SAP configuration controls, audit client manual and business process controls, and control risk assessments. Importantly, the software was able to undertake this analysis via read-only access to the audit client's SAP environment, and was capable of customisation and configuration to cater for the different environments we were required to audit.

A decision was made to pilot SAP Assure after a desktop review of several comparable products. The review panel consisted of both IT and Assurance Audit specialists, and considered factors such as usability, access requirements, cost, functionality, and ongoing training needs. In late 2004 the ANAO undertook a live pilot assessment of the tool at the then Department of Transport and Regional Services [3]. The pilot was a combined effort with the product vendor and included involvement from a range of ANAO staff including IT and Assurance Audit personnel.

The outcomes of the pilot were successful and positive. The pilot team realised immediate audit benefits in terms of improved audit coverage, efficiency, automation of reporting, and focussed recommendations for configuration and security improvements. But they also identified considerable ongoing benefits that could be gained by the ANAO in using the tool as part of our audit coverage. Consequently, a business case was developed and subsequently approved to implement the tool progressively across our SAP audit clients.

The rollout of SAP Assure was internally phased across a number of key audit clients. Our implementation used an integrated approach between the IT and Assurance auditors, supported by both the IT and Assurance Audit executives as well as audit client management. A programme of technical training was provided to IT Audit staff, with additional process training being provided to Assurance Audit staff. Staff champions were designated for the tool and provided a direct feedback loop from audit staff to the vendor regarding implementation or operational issues, and recommendations for possible improvements. These activities contributed greatly to the overall success of the implementation.

Analysis Undertaken

There are three modules to the SAP Assure tool:
• Security;
• Configuration; and
• Data integrity and analysis.

Using SAP Assure as part of our audit approach presents considerable opportunity for audit clients to be active participants in the audit process. The clients provide background information for module configuration as well as information on their business processes supported by SAP. In addition to system controls and processes, SAP Assure allows manual processes to be considered as part of the overall audit risk and control assessment. This ensures a holistic view of all processes and configurations can be taken into account by the audit team.

Module: Key Functions

Controls:
• Provides a comprehensive assessment of controls within an SAP R/3 environment.
• Inbuilt knowledgebase of controls which your environment is assessed against.
• Automatically identifies and reports internal control weaknesses.
• Facilitates an integrated audit.
• Assists with the ongoing monitoring of key SAP controls.

Security:
• Inbuilt knowledgebase of SAP transactions and segregation of duties
• Provides proactive review of segregation of duties.
• Assesses security within all SAP processes.
• Assists with the ongoing monitoring of SAP access.

Integrity:
• Identifies integrity risks.
• Enables assessment against preset tolerances.
• Automatically identifies duplicate and potential fraudulent transactions, and financial statement disclosure concerns.
• Assist with assessing the integrity of master data.

[2] The supplier of the software is now Protiviti Independent Risk Consulting. More details at:
[3] Now Department of Infrastructure, Transport, Regional Development and Local Government
Benchmarking and continuous monitoring ensure that subsequent reviews are more efficient. Benchmarking allows for the comparison of prior year results against the current settings and allows any changes and issue remediation to be identified very quickly. This feature enables prior year results to be fed into the risk assessment process for the current year's audit.

The Challenges

As with any software tool, in addition to licensing fees, there are ongoing costs associated with training and maintaining the knowledge of staff. There were also initial costs and challenges involved in the ANAO's implementation of SAP Assure. These included:
• Purchase of the product;
• Initial training;
• Greater understanding required of audit areas not previously reviewed;
• Risks identified impacting the overall audit approach; and
• Ensuring support from audit managers and audit clients.

The complexity of the SAP environment and the ability of the tool to reflect this also presented some additional challenges, including:
• Interpretation of results (determining whether a particular setting was appropriate or not based on audit risk and control assessments);
• Variances of configuration between audit clients (as each client has different business requirements and processes);
• Audit clients unaware of particular settings (they had been set during the original implementation of SAP using the standard Australian Government template and never subsequently reviewed/updated);
• Differences between the initial configuration of the tool (which had a standard setup for industry and private sector use) and the configuration of the SAP environments under review by the ANAO (requiring additional software setup and customisation for government use);
• Maintaining and assuring security of audit client data; and
• Turnover of key ANAO staff members initially involved in the pilot and introductory training (this has subsequently been addressed and now the majority of ANAO IT Audit staff are trained in the use of the tool).

The Benefits

A number of the ANAO's audit clients viewed the introduction of SAP Assure software as a business improvement opportunity. They were keen to obtain access to the audit results in order to assess internally how they could better configure SAP to meet their entity's needs. Some have subsequently purchased the tool for their own use. In contrast, a small number of audit clients were not enthusiastic about the additional level of scrutiny and identification of risks provided by the tool.

There have been a variety of significant initial and ongoing benefits achieved by the ANAO as a result of the rollout of SAP Assure. These include:
• Greater coverage for audit risk and control assurance across the SAP environments (we are now capable of reviewing configuration and security across all SAP modules, not just BASIS);
• Increased efficiency in the second year of implementation (review of SAP was more efficient in the second year across all audit clients);
• Identification of business improvement opportunities for audit clients;
• A standardised approach to reviewing SAP across a diverse audit client base (individual configurations differ widely, however the overall audit approach is now consistent); and
• A much greater level of assurance achieved where audit clients now have strong controls (and those with weaker controls are able to identify and remediate to improve their controls).

Key Improvement Opportunities

With the assistance of SAP Assure the ANAO has been able to identify and recommend a significant number of improvements to both the configuration and security management of SAP across a large number of Australian Government entities. These recommendations are centred on the general themes of:
• Incompatible duties and ensuring an appropriate level of system enforcement of segregation of duties between key financial transactions (for example, transaction creation and transaction approval);
• Rationalisation of the number of users with access to functions and transactions considered by the ANAO as sensitive;
• Rationalisation of the number of users with high level administration access (for example, SAP*);
• A lack of setting and enforcement within configuration items of organisational and/or accounting policy (for example, asset useful life settings in SAP differing to that required by accounting policy); and
• Key system messages not being set, or being set as warnings instead of fatal error messages.

The Future of SAP Assurance within the ANAO

Many Australian Government entities have moved, or are preparing to move, to SAP ECC6 during the 2007-09 financial years. Within the ANAO there are internal processes underway to ensure that SAP Assure is able to continue to meet our ongoing needs in this changing environment. As part of this the ANAO has successfully undertaken a second pilot implementation of SAP Assure on a new audit client implementation of SAP ECC6. The aim of this pilot was to observe the SAP ECC6 implementation process, identify issues the tool needed to address to continue performing, to provide important staff development and learning opportunities, and provide the audit client with an opportunity for business process improvement.

The ANAO is currently in the process of updating its SAP Better Practice Guide to reflect changes to the SAP System environment and new functionality since the original guides were released. The new guide is expected to be completed by March 2009.
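
The segregation of duties theme (transaction creation versus approval) and the benchmarking of prior year results against the current year, both described in this article, can be illustrated as follows. This is an added example, not ANAO's or the SAP Assure vendor's code; all role, user and function names are constructed for illustration and are not real SAP objects.

```python
# Constructed sample data: role, user and function names are hypothetical,
# not real SAP roles or transaction codes.
ROLES = {
    "AP_CLERK":    {"invoice_create", "vendor_display"},
    "AP_MANAGER":  {"invoice_approve", "vendor_display"},
    "AP_SUPER":    {"invoice_create", "invoice_approve"},
    "GL_CLERK":    {"journal_create"},
    "GL_APPROVER": {"journal_approve"},
}
# Incompatible duties: creation and approval of the same transaction type.
SOD_RULES = {
    "invoice create/approve": ("invoice_create", "invoice_approve"),
    "journal create/approve": ("journal_create", "journal_approve"),
}
PRIOR_YEAR = {"alice": ["AP_CLERK", "AP_MANAGER"], "bob": ["AP_SUPER"],
              "carol": ["GL_CLERK"]}
CURRENT_YEAR = {"alice": ["AP_CLERK"], "bob": ["AP_SUPER"],
                "carol": ["GL_CLERK", "GL_APPROVER"]}


def sod_conflicts(assignments):
    """Return {(user, rule)} where a user's combined roles grant both duties."""
    findings = set()
    for user, roles in assignments.items():
        # Conflicts often arise across roles, so resolve roles to functions first.
        functions = set().union(*(ROLES[r] for r in roles))
        for rule, (create, approve) in SOD_RULES.items():
            if create in functions and approve in functions:
                findings.add((user, rule))
    return findings


def benchmark(prior, current):
    """Classify findings by comparing the prior year with the current year."""
    before, now = sod_conflicts(prior), sod_conflicts(current)
    return {
        "remediated": sorted(before - now),
        "outstanding": sorted(before & now),
        "new": sorted(now - before),
    }


if __name__ == "__main__":
    for status, items in benchmark(PRIOR_YEAR, CURRENT_YEAR).items():
        print(status, items)
```

Only read access to the assignment data is needed, and the "outstanding" list is what feeds the current year's risk assessment.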

Lesa Craswell

Director at the Australian National Audit Office (ANAO) in Canberra Australia. Lesa has previously been a member of the local board of the Canberra Information Systems Audit & Control Association Chapter and has over ten years' IT experience in Australian Government.

Amy Fox

Senior Director at the Australian National Audit Office (ANAO) in Canberra Australia. Amy has previously been a member of the local board of the Canberra Information Systems Audit & Control Association Chapter, is a Certified Information Systems Auditor and a Chartered Accountant.

My Olympic torch relay

International Olympic Day is celebrated on 23 June. On that day in 2008, 162 torch bearers took part in the torch relay of the Beijing Olympics beside the beautiful Qinghai Lake in Qinghai Province, in the northwest of China. Ms. Yang Li, who is Deputy Director of IT Audit Center with the National Audit Office of the People's Republic of China, was the 121st leg among them.

After the torch relay, Yang was interviewed by the interpreter from The Official Website of the Beijing 2008 Olympic Games by telephone.

"I had never thought that I could connect with the Olympic Games so near. Before last National Day, I thought the Olympic Games were only related with the athletes and the champions. After I was selected as the Torch Bearer organized by Lenovo last October, I was extremely pleased. My family and my colleagues felt proud for me. It is not only my glory but also the 80,000 Chinese auditors. Today I really hope they could also share the happiness," Yang Li said.

