Many businesses use SAP application to help them plan their resources and activities. Its flexibility and range makes it a challenge to audit. Hari Iyer offers some advice:
SAP is highly configurable and implementations often vary, even within various business units of a company – both financial and non-financial. At the same time, the effective operation of controls within the system’s environment is critical to a robust financial and operational control environment. Therefore, it is important to gain a good understanding of how SAP is being utilised in the business while planning the audit scope and approach. Auditing an SAP environment introduces several unique complexities that can impact the audit scope and approach.
Business processes
SAP covers most business processes and a minor change in the business process can have a direct effect on the audit procedures due to the complexity of the system. Changes in the setup and configuration of the system, the release strategy or creating new processes may result in new modules and/or functionality in SAP and as such, additional risks need to be considered.
For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over purchase order approval may have been performed manually. But with the SAP implementation the client has considered automating the approval process in SAP. The setup of the automated workflow process and user access security is therefore important to ensure that adequate controls are maintained to mitigate the risks. This would involve testing automated controls instead of the manual controls over purchase order.
Segregation and sensitivity
For an effective audit, the auditor needs to gain a good understanding of the design of SAP’s authorisation concept (security design). In some instances, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. Therefore the review of the design and implementation of SAP security and access controls is important to ensure proper segregation of duties is maintained and access to sensitive transactions is well-controlled.
Segregation of duty conflicts can arise when a user is given access to two or more conflicting transactions – for example, creating a purchase order and amending vendor master details. A clear mapping of the business processes and identification of roles and responsibilities involved in the processes is crucial in the design of access controls to effectively audit security.
In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries or amending and deleting audit logs. In an SAP audit such sensitive transactions would need to be considered during the planning phase.
Control selection
Organisations can tailor the SAP system to fit their business needs including a selection of configurable and inherent controls. Understanding the selection process behind these controls is critical to the audit approach. Allowing purchase orders, for example, to be approved automatically through the system is considered a configurable automated control.
However, the client may also choose not to implement this functionality and address this risk through a manual control. Auditors need to understand the controls the client has chosen to implement and the matrix of controls that they place reliance on to mitigate one or more risks.
Types of Controls
In SAP there are four types of controls that an audit client can utilise in order to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.
Typically access or configurable controls are executed by the SAP system and are preventive in nature. On the other hand, manual controls including manual reviews of reports are executed by an employee and are mainly detective in nature. For example, in the procure-to-pay (P2P) process of SAP, there are standard automated controls such as three-way matching (matching of purchase orders, goods receipt and invoices). The client may choose to adopt four-way matching, or two-way matching of invoices, therefore requiring customisation to suit their specific processes.
Each client will use a different mix of controls in order to achieve their specific control objectives, and because of the complexity of SAP application, auditing around the system to gain control assurance is not an option. Therefore the audit approach needs to be tailored for each situation appropriately. It is also important to highlight that SAP delivers several controls that are inherent within the SAP environment. An example of an inherent control is that journal entries must balance prior to posting in SAP.
Configurable controls
In SAP it is important to understand the link between configurable controls and access controls. In order to achieve the control objective there may be a mix of configurable and access controls that create a control solution. For example, “Purchase orders over £1m get blocked automatically and cannot be processed.” This sounds like a configurable control, but is actually both a configurable control and an access control, as it deals with the configuration of the Purchasing Release Strategy within SAP and deals with who has access to create and approve a PO.
Another example is “Purchase Orders over US$1m must be approved by the manager.” This sounds like an access control, but it is a configurable control as well due to the configuration needed for the release strategy. In fact, these are complimentary controls, two controls covering the same risk together. Without one control, the other cannot cover the risk to the same precision. The auditor should test both the configuration and access aspects of these controls, so it is important that they are identified by the auditor and classified appropriately.
Process risks
SAP is a process based ERP system and each SAP instance may have different risks associated with it. The ability to customise and tailor the system, and its inherent complexity, significantly increases the overall complexity of security configurations and leads to potential security vulnerabilities. Segregation of duty conflicts, errors and flaws therefore become more likely.
Each client has different business processes, products and services, and systems that suit their environment. Designing the process effectively in SAP is important to mitigate the risks associated with inadequate or failed business processes. An effective audit approach should therefore include an evaluation of risks and an understanding of the business process mapping for each SAP instance.
Rotation plan
Given that the system is highly customisable, process driven and enables a range of control selections, each SAP instance would potentially have a different risk profile. Further within SAP, the risk profile of different modules and sub-modules such as financials (FI), materials management (MM), sales and distribution (SD), payroll, human capital (HC), business information warehouse (BW), customer relationship management (CRM) and so on will be different.
The vast areas of the business operations that SAP application cover would make it impractical to cover them all in one single audit. To complete a comprehensive audit of SAP, it is appropriate to consider a rotation plan. This may involve planning reviews of each SAP business process, module, sub-module; system configuration and change management; and system security, including the design of segregation of duties and access levels. This ensures that the audits are performed using appropriately skilled resources and cover each risk area including business process, security and associated controls. These areas can therefore be assessed effectively to identify gaps in control weaknesses and recommend appropriate steps to resolve issues.
Risk-based Approach
In addition to the above challenges, SAP systems are also upgraded and enhanced periodically to meet ever-changing business requirements. In the current economic climate, companies are faced with changing risks in the environment that affect their business processes.
The aim of a risk-based approach is to allow auditors to tailor the review to the areas of business risk, giving way to greater focus on audit areas with a high-risk potential. The complexity of the SAP system and related business processes, as indicated above, may lend itself to higher inherent risk and control risk which should be taken into account in planning the audit.
The risk-based approach should include general risk analysis, analytical audit procedures, systems and process based fieldwork, and substantive testing. In this way, an auditor can conduct the audit efficiently with a degree of reliability, as well as optimising the time and effort it involves. It is therefore crucial that a top-down risk based audit approach is adopted to effectively review SAP.
Author - Hari Iyer
MBA, FCPA (Australia), CISA, Chartered FCSI
Hari is the founding partner of Hadigy Limited, a management consultancy firm in London.
Hari has over 25 years of financial and IT auditing experience gained partly with the Big 4 professional accountancy firms (EY, Deloitte & PwC) in the UK. This includes audit assurance reviews, SAP project assurance, business process reviews, IT audits, financial audits, business continuity management, and SAP governance, risk and compliance (GRC) implementation & reviews.
Hari.iyer@Hadigy.com
www.Hadigy.com