Professional Documents
Culture Documents
IS Audit of ERP Software: Project Report of DISA 2.0 Course
IS Audit of ERP Software: Project Report of DISA 2.0 Course
of
DISA 2.0 Course
1. Introduction
A. The IS Audit Team audited project management controls over the implementation of the
SAP ECC 6.00 Version (ERP) Business Solution. Our purpose was to evaluate Security Controls,
User authentication and authorization, Audit Trails, Assess and Evaluate Management System
relating to change, System monitoring and business process configuration of the SAP ECC 6.00
Version (ERP) Business Solution.
SPM Group has been using Information Technology as a key enabler for facilitating
business process Owners and enhancing services to its customers. The senior management of
SPM has been very proactive in directing the management and deployment of Information
Technology. Most of the mission critical applications in the company have been computerized
and networked. SPM selected SAP Business Suite to bring a more integrated and seamless
approach to internal processes. SAP deployment in SPM posed unique challenges arising out of
the need to integrate multiple units across different locations, involving extensive procedures
and large volumes of data. The family of business applications provides better insight into
enterprise-wide analysis based on real time data and key performance indicators, improved
quality and on-time delivery, reduction in inventory cost and enhanced customer service. This
implementation has empowered SPM to seamlessly connect all its vendors, customers and
partners to achieve improved business efficiency. SAP-R3 ECC 6.00 Version is deployed
across all of SPM’s financial, payroll and human capital functions. The Modules implemented
are PP, MM, FICO, Quality, PM and HR including Pay Roll. SPM has more than 500 sap users
across the company. By implementing SAP solutions SPM has achieved superior operational
excellence and business agility.
2. Auditee Environment
The primary objective of the assignment is to conduct Information Systems Audit of SAP
implementation and develop related IS Audit checklists for future use, through external
consultants by using the globally recognized IS Audit standards and best practices. The IS audit
of SAP would be with the objective of providing comfort on the adequacy and appropriateness
of controls and mitigate any operational risks thus ensuring that the information systems
implemented through SAP provide a safe and secure computing environment. Further, specific
areas of improvement would be identified by benchmarking with the globally recognized best IT
practices of COBIT framework. The initial assignment could primarily focus on the identified
areas of SAP Implementation.
3. Background
SPM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in
the Company. While the Information Systems Audit to be done covers both audit of ERP
System and review of its implementation, the IS Audit is expected to be in compliance with the
IS Auditing Standards, Guidelines and Procedures. The proposed IS Audit is further subjected
to applicable Auditing Standards of ICAI. The objective is to identify areas for improvement of
controls by benchmarking against global best practices. Further, any specific risks identified are
expected be mitigated by implementing controls as deemed relevant to ensure that SAP
implementation is secure and safe and provide assurance to the senior management of SPM.
Further, IS Auditors are expected to develop an IS Audit checklist for future use.
4. Situation
Business Model is:
SPM LIMITED
Following logistics arrangements have been made and confirmation about the
same should be obtained before travelling.
• Travel Arrangements – Bus/Train/ Flight bookings
• Accommodation Arrangements – Hotel / Guest House
• Pick-up and Drop arrangements to / from accommodation facility to / fromoffice
and/or station / airport
8. Documents reviewed
Following things are Reviewed:
a. Policies – Are the management guidelines which should be approved by the
Top Management and should be reviewed atleast once in each year?
b. Procedure – Are the detailed documents based on the policies set by the top
management? Procedures contain the detailed information about theprocess.
All the procedure should be approved by the management andshould be
reviewed atleast once in each year.
c. Flowcharts – Pictures are worth thousand words when it comes
tounderstanding the interaction of various processes and how the
transactionflow has the dependencies and branches that run in various
directions.
d. Audit logs and Screenshots – Every organisation implements the monitoring
control over the processes and the preserves the evidences ofthe same, in
the form of system screenshots and system logs. This gives anadded
confidence to the Information System Auditor about the monitoringcontrol
established by the management..
9. Deliverables
* *rsau/max_diskspace/per_day* or *rsau/max_diskspace/per_file* –
The logs which get generated can be seen using tcode *SM20*. SM20 giveslogs
based on the filter which has been set ( like what transaction orreport was executed by
what user at what time etc.) It also gives a veryimportant information – i.e. from what
terminal the transactions wereexecuted.
The old logs can be deleted using tcode *SM18*. This access should berestricted to
Basis team only.
Some of the user groups can be as follows (name can be used as perconvenience):
(3) *Table logging* : There are certain tables where table loggingshould be enabled in
Production system. The technical setting of suchtables need to be adjusted to “/Log
data changes/”. Transaction code*SE13* can be used for verifying whether table
logging is enabled ornot. Table *DD09L* can also be used with the condition /Log = X/
to getan overview of the tables for which table logging is enabled. Changedocument for
such tables can be viewed using table *DBTABLOG*.
(4) *Maintaining proper values for Profile Parameters* :Proper profileparameters values
must be maintained as per the Best Practices so as tosatisfy Security Audit
Requirements. Below are examples of some suchprofile parameters.
Audit is a never ending topic. We can continue to talk about as manysecurity audit
concepts as possible. We will discuss about some othervery important points in our
/*next post*/ on SAP Security Audit Guidelines.
Controls & Check list
IS Auditor Review of Application Controls
Description
Ref
Segregation of Duties
Completeness
Authorisation
Accuracy
Validity
Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorized and qualified personnel following established
procedures, taking into account adequate segregation of duties regarding the origination and approval of
1
these documents. Check whether the source document is a well-designed input form. Detect errors and
irregularities so they can be reported and corrected.
b Whether the procedures for preparing source data entry, and ensure
that they are effectively and properly communicated to appropriate
and qualified personnel? [These procedures should establish and
communicate required authorization levels (input, editing,
authorizing, accepting and rejecting source documents).The
procedures should also identify the acceptable source media for
each type of transaction.]
2 Establish that data input is performed in a timely manner by authorized and qualified staff. Correction
and resubmission of data that ware erroneously input should be performed without compromising
original transaction authorization levels. Where appropriate for reconstruction, retain source documents
for appropriate amount of time.
c Whether definition for who can input, edit, authorize, accept and
reject transactions, and override errors is there?
Whether error logs are reviewed and acted upon within a specified
and reasonable period of time?
3 Accuracy, Completeness and Authenticity Checks Establish that data input is performed in a timely
manner by authorized and qualified staff. Correction and resubmission of data that were erroneously
input should be performed without compromising original transaction authorization levels. Where
appropriate for reconstruction, retain original source documents for the appropriate amount of time.
a Whether the transaction data are verified as close to the data entry
point as possible and interactively during online sessions?
4 Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous
transactions does not disrupt the processing of valid transactions.
Whether there are procedures with audit trails to account for all
exceptions and rejections of sensitive output documents?
Audit of the Project Management of the Steven F. Udvar-Hazy Center, July 31,2019. We
identified improvements needed in financial management and project controls for monitoring
budget-to-actual project revenues and expenses; planning system user requirements; and
procedures for monitoring contract modifications.
Audit of Project Management of the National Museum of the American Indian Mall Museum,
September 30,2018. We determined that the Office of facilities Engineering and Operations was
not completing reconciliations of its internal project financial tracking system records to the
Institution's financial system in a timely manner. Werecommended that financial and
management controls be strengthened by the ERP project team defining requirements and
reports needed for monitoring construction projects.
Audit of Trust Fund Budget Process, September 28, 2017. We determined that significant
management control weaknesses existed in the trust fund budget process. We recommended
improvements in two areas: (1) completeness of the trust fund budget process and (2) controls
to ensure that budgeted expenditures are not exceeded.
Audit of Financial Management of Traveling Exhibits, September 26, 2017. We determined that
controls were inadequate due to inaccurate managerial cost accounting information. We
recommended that policies and procedures be established for accumulating and reporting costs
regularly, consistently, and reliably. Such cost information is necessary for the Institution to
manage its operations and to carry out its fiduciary duties and responsibilities effectively.
Routine cost information is fundamentalto any well-managed, cost-effective organization.
Audit of Project Management Related to the Purchase of the Victor Building, February 21, 2017.
We determined that there was no dedicated project manager to ensure that prudent business
practices and generally accepted project management procedures were in place and operating
properly. As a result, there was a high risk of cost overruns on the projects, delays in their
completion, and added costs inevitably occasioned by such delays.
11. Summary/Conclusion
This report is quite reasonable as verified from various departments and managers and
workers, to the best of our knowledge & belief. This report is issued without any prejudice &
subject to terms & conditions of the policy issued. Thanking & assuring you best of my attention
at all points.