auditing in SAP environment.ppt
-
Upload
tapas-bhattacharya -
Category
Documents
-
view
236 -
download
3
Transcript of auditing in SAP environment.ppt
-
8/13/2019 auditing in SAP environment.ppt
1/32
Auditing in the
ERP
Environments
10-June2006
-
8/13/2019 auditing in SAP environment.ppt
2/32
AGENDA
1. GENERAL OVERVIEW - ERP - Any Business,ERP solutions,SAP
R/3Architecture & Application components
2. MODULES IN ERP-Logistics,AccountingNavigation of
Screen,Core Business Cycle in Manufacturing unit
3. RISK ASSESMENT IN ERP-MethologyQuantification Model ,
Impact-Severity X Detection,exposure,StatementsSD/MM/FI/Common-Examples,Registers and Heat MapsModule wise,
Revenue, expenditure & Inventory cycles-Summing up
4. TECHANICAL RISK IN ERP- Basis application
infrastructure,Risks-in Installation management,ABAP/4 work
bench & transport (se38/sa38) computing center managementsystems,Profile Generator ( PGFC).
5. AUDIT IMPLEMENTATION IN ERP- Learning for auditors,
Excellence Model/ Global best practices (COBIT /COSO) and New
Directions in ERP Auditing
-
8/13/2019 auditing in SAP environment.ppt
3/32
General Overview -Any Business
Purchase
Qty. Value
Vendor
Payable
FA
SalesOrder
Bill
Customer
ReceivableHR
WagesSalary
Statut.Bodies
ShareHolders
Other
Business
Associates
Production/Service Enterprise
-
8/13/2019 auditing in SAP environment.ppt
4/32
ERP solutionsWhat do they enable
1-Managing & Supporting the resources of organisationefficiently
-Employees
-Customers
-Vendors
-Share Holders
-Production Process
-Material & Services
-
8/13/2019 auditing in SAP environment.ppt
5/32
2-.Increasing Competitiveness
3-.Reducing Costs
4.-Improving operational reporting
5.-Improving Quality decision making
6-.Enhancing customer service
7-. Improving profitability
8- Providing integrity of data
9-Enhancing productivity of value chain
10-Speed
ERP solutions-what do they enable
-
8/13/2019 auditing in SAP environment.ppt
6/32
-ERP solutions are integrated ,Configurable,Real time
and often available as Cross Industry solutions-Todays presentation is primarily based on SAPAlthough many ERP solutions are in use :e.g.- Oracle, J.D edward,Baan,Mfg Pro etc with similar concepts.
-SAP = Systems ,Applications,Products in Dataprocessing
ERP cost/user-Licence - Info-usersRs. 60K +
(Approximate) Operational-usersRs. 90K+
DevelopersRs. 350K+AMC - Rs. 17 ~ 20%
ERP at Eicher = SAP 4.7c (375 users)
ERP solutions-what do they enable
-
8/13/2019 auditing in SAP environment.ppt
7/32
SAP R/3Architecture -3 Layers
Presentation
Layer
Application
Layer
Data Base
Layer
- SAP R/3-S/W-GUI ( Enterprises
4.7c/ECC5) with which users interact
- Application Servers-with SAP R/3
Kernel that run ABAP/4programms(WIN 2003/Server Pack 1)
-RDBMS (eg Oracle 9i with (Patch
level 4)-ABAP/4 Dictionary,source
&executable program.
-TCodes-se16/tstct=120314 nos
- Tables(DB02) =35650 nos
-
8/13/2019 auditing in SAP environment.ppt
8/32
SAP -R/3 Enterprises - Application components
ERPAM
PS
CO
SD
QM
PM
HRIS
WF
FI
MMPP
-
8/13/2019 auditing in SAP environment.ppt
9/32
Modules in LogisticsNavigation of Screen
1. Logistic General (LO)
2. Product Life cycle Management (PLM)3. Sales & Distribution (SD)
4. Material Management (MM)
5. Logistics Execution (LE)
6. Production Planning & Control ( PP)
7. Plant Maintenance (PM)
8. Customer Service (CS)
9. Quality Management (QM)
10. Project System (PS)
11. Environment Health & Safety ( EH&S)12. Retail
13. Agency Business (LO-AB)
14. Global Trade
15. Country Versions
-
8/13/2019 auditing in SAP environment.ppt
10/32
Modules in Accounting - Navigation of Screen
1. Accounting General (AC)
2. Financial Accounting (FI)3. My SAP Banking
4. Corporate Finance Management(CFM)
5. Treasury (TR)
6. Controlling (CO)
7. Investment Management(IM)
8. Project System (PS)
9. Incentive & Commission Management
10. Enterprises Controlling
11. Rural Estate Management12. Public Sector Management
13. Flexible real Estate Management (RE-FX)
14. Production sharing accounting systems
15. Country version
-
8/13/2019 auditing in SAP environment.ppt
11/32
Core Business Cycle in Manufacturing
Create
CustomerRelationship
Sales Qty.
Sales Order
Goods issue
Delivery Note
Our Invoice
A.R.
Collection
MRP Producing
Inventory
Create
ProductionOrder
Create
VendorRelationship
Production
Inventory
Manage-
ment
Handling
FGS
Raw Material
Management
Purchase
requisition
Purchase Order/
SchedulingAgreement
Goods Receipt
Vendor Invoice
Verification
AP
PaymentReporting
-
8/13/2019 auditing in SAP environment.ppt
12/32
Key business processes in Sales and Distribution (SD),
Materials Management (MM) and Financial Accounting
(FI) need to be studied in detail to identify their
vulnerability to threats from within and outside. Based on
this and experience of internal audit team, risk statements
relevant to businesses are to be captured.
For each risk statement, risk impact and risk exposure is
to be assessed as under
RISK ASSESMENT METHODOLOGYBY A QUANTIFICATION MODEL
-
8/13/2019 auditing in SAP environment.ppt
13/32
R
I
S
K
I
M
P
A
C
T
HIGH100 Y1 R2 R1
MEDIUM
40
G1 Y2 R3
LOW20
G3 G2 Y3
0 2 4 10
LOW MEDIUM HIGH
RISK EXPOSURE
Risk Registers and Heat MapsModule wise
Using the risk impact and risk exposure scores as worked out above,all possible riskstatements ( like 3 examples given for each SD/MM/FI ) need to be prepared in the form of aRISK REGISTER of many pages and ultimately ,all risk statement Sr nos to be plotted on 1page HEAT MAP.
-
8/13/2019 auditing in SAP environment.ppt
14/32
Risk impact( Severityx Detectability) to be assessed
on a scale of 1100 (100 being the highest adverseimpact.
A-Risk Severity ( on a scale of 1- 10 ) is determinedbased on weighted average affect on 5 parameters ie
i- PBT, ii- Statutory / regulatory compliance iii-Strategic value iv- Financial statement accuracy ,v- Reliability/ operational effectiveness .
B- Risk Detectability ( on a scale of 110 ) isdetermined based on the stage of detectability of adverseevent ie with in the co.or from outside customers.
Risk impact-SeverityX Detection
-
8/13/2019 auditing in SAP environment.ppt
15/32
Risk exposure(likelihood of occurrence) to beassessed on a scale of 1-10 (10 being most likely).
Risk exposure is determind based on weightedaverage effect of 10 parameters,responsible for the exposureie
I-Incorrect source data/ data entry ii Incorrectincomplete execution iii-Incorrect/ non verification of outputiv-Skill/ resource constraint v-Inadequate segregation ofduties vi-Lack of system documentation vii-Authority normsnot defined/ followed viii- Inappropriate configuration/
process logic ix-Weak internal/ compensating controls x-Others (i.e.: process complexity, frequency of changes,software limitation, unassignable causes etc.)
Risk exposure
-
8/13/2019 auditing in SAP environment.ppt
16/32
S.
N
o
Risk statement
Risk
Risk
exposur
e
Heat
zone
Severit
y DetectabIlity
Impa
ct
1
Invoice may be raised withouteffecting physical delivery of the
goods from depot/ plant (bill and
hold)
7 8 56 5R1
2Sales order may not be executed in
time and in full
4 6 24 3Y2
3 Debit / credit notes sent to customers
may not contain adequate supporting
details
2 4 8 4G2
RISK STATEMENTSSD-Examples
-
8/13/2019 auditing in SAP environment.ppt
17/32
S.
N
o
Risk statement
Risk
Risk
exposur
e
Heat
zone
Severit
yDetectabIlity
Impa
ct
1
Financial authority norms for releaseof PO may not be mapped into SAP 4 8 32 6
R3
2 GR may be prepared for a quantity
lower/ higher than vendor delivery
challan
4 6 24 4Y2
3 CENVAT credit availed may be lower
than CENVATABLE excise duty
credited to vendor through invoice
verification
3 6 18 4G2
RISK STATEMENTSMM-Examples
-
8/13/2019 auditing in SAP environment.ppt
18/32
RISK STATEMENTSFI-Examples
S.
N
o
Risk statement
Risk
Risk
exposur
e
Heat
zoneSeverit
yDetectabIlity
Impa
ct
1
Depreciation rates may have beenincorrectly set up
5 6 30 5 R3
2Vendors account may not have been
reconciled/ confirmed as per laid
down frequency
5 6 30 4Y2
3Line items (individual entries)
clearing may not have been carried
out in vendor accounts
3 6 18 4G2
-
8/13/2019 auditing in SAP environment.ppt
19/32
RISK STATEMENTSCommon to all functionsExamples
S
.
N
o
Risk statement
Risk
Riskexposu
re
Heat
zoneSeveri
ty
DetectabIlit
y
Impa
ct
1
SAP transaction authorizations
granted to users may not relate totheir assigned role/responsibility
8 8 64 8 R1
2
SAP transactions may be carried out
using group IDs resulting in non
traceability of transactions to any
specific individual (employee)
8 8 64 8 R1
3
Audit trails (chronological log of
changes) may not be reviewed/
analyzed by process owners
5 8 40 7 R3
-
8/13/2019 auditing in SAP environment.ppt
20/32
Imp-table mappings &Concepts SD-Sales orders=vbak/vbap/vbpa-different types SD-Shipping=vblk/likp/lips-different types SD-Billing=konv/vbrk/vbrp/vbukdifferent types,PRICING procedures SD-Cust mast used in AR=knvp/knvv/kna1/knb1,sales organisation
MM-Purc requisition=eban/ebkn MM-PO/SA=ekko/ekpo MM-Deliv sch=eket/ekkn MM-GR=mkpf/mseg/ekbe
MM-Mat Mast=marc/mlan/makt/mara/mbew MM-PO inf record=konh/konp/eina/eine MM-BOM-STKO/STOP MM-Mat-types ,Material Movements,Material groups,Material types,purchase groups
FI-Paym=payr, Acctg=bkpf/bseg,-open/closed items-Cust=bsid/bsad,Vend=bsik/bsas,G/L=bsik/bsas
FI-Mast-G/L=skb1/ska1/skat,CC=csks/cskt,profit c=cepc/cskt
FI-Vend mast-used in AP=pur-lfm1/lfm2/gen-lfa1/lfb1/lfbk FI-Document types-30 types- AB-acctg, BR-bank recp,KR-vend inv, RV-sale inv FI-Acct types-5-A-Assets,D-Cust, K-Vend,M-Material, S-G/L , FI-COA-Chart of accts
-
8/13/2019 auditing in SAP environment.ppt
21/32
Risks in Revenue, expend,inventory cycles-overview -400+
Configuration :-
Authorisation :-
Masters :-
Procedure
manuals:-
Audit Trails :-
SAP System land scope ,R/3 customizing ,organ objects,currencies,
Tax procedures,charges in customer /vendor master.Document types
,depreciation keys, overhead cost allocation,PO release,Payment
terms ,Pricing procedures in SD, credit controls,outgoing invoice
posting/Free goods ,Automatic account determination.
Authorization objects ,user management,Tolerance groups,Work
flows,Conflicting combinations,owned developed
transactions,super user ,change management.
GL Masters-,Customer Masters,Vendor Masters, Material masters,
Selling price,Tax codes,Quota arrangement,BOM.
Risk based queries (SD,MM,FI) Using SAP +MS access
/AIS/Critical tools/tables/LDB-SAPeg At Eicher
SAP-Querries=106+133+25, MSAcc-Querries=103+135+39
Configuration control,Authorization ( change management,Master &
Application ( PO/Sales order credits /FI documents)
-
8/13/2019 auditing in SAP environment.ppt
22/32
Technical - Basis application infrastructure in SAP R/3.
4 Key Basis Tools + UtilitiesA. Installation Management guide-IMG- SPRO
B. ABAP/4 Work Bench &Transportation System ( Development
+ Test + Production.)
C. Computing center management system (CCMS)
- Utililities to monitor ,Control & Config. R/3. Start up ,shut down,NW monitoring,security ,back ups,alerts
trouble shooting,system Config.& system profile
management,DBA, Profile security.)
D. Profile generator & security Adm.(PG&SA)( SUIM-Authorisation ,Information System,SU03-
.Maintainence& Authorisation.
-
8/13/2019 auditing in SAP environment.ppt
23/32
Risks-in Installation management
1-The organisationModels :-
2-Critical no
. Range:-
3-Modif of
critical tables
SPRO & SCC4control productionclient settings.---Risks are:
- Incorrect consolidation /Inadequate
reporting /Incorrect MIS/Manual work
around.
Assigned to individual DB record
Internal No by SAP & external no by
users (snro+suim+spro).
SAPTablesOther than X* Y*
-Tables fields (SE16/SE11/DD03M)
-
8/13/2019 auditing in SAP environment.ppt
24/32
Risks in ABAP/4 work bench & transport(se38/sa38).
Change Control Procedure(Programme,Queries).
Development & Testing Servers.
Transport system testing.
Logs.
Emergency change procedures.
-
8/13/2019 auditing in SAP environment.ppt
25/32
Risks in - computing center management systems
Batch processing control :-
Application server parameters:-
Locking transaction codes :-
Restricted Password. :-
SAP Router :-
On Line Support systems :-(SAP Market place ,Web)
Remote function call :-
Batch input (SM35) ,Administration SM(64)
Processing (SM36)
a) Login IPW expiration 180 day b) Min pw length
6-8 (C) Login /fails to session end (incorrect pw-3
times)
SM 01 (Users who have access to lock /unlock
T.code)
Default PW , Name
Permission table authorization with valid IP address
(port 3200)
Remote Access to SAP vendor
Programme inter faces (SM59) Use of E-SCORE ,
/EPIC /DMS/ITS/ etc
-
8/13/2019 auditing in SAP environment.ppt
26/32
Risks in -Profile Generator ( PGFC) :-
Security Admin probel ( Create /change/display)
Super user SAP* ,SAP all
Authorisation documentation (Biggest risks )
Log + Trace file
-
8/13/2019 auditing in SAP environment.ppt
27/32
ERP implementation- Learnings for auditors
Managing Incharge:- Higher no of IS auditors than traditional profile auditors.
ERP trainedAuditors ( Functionally /Query)Audit Methodology:- Risk assessment of audit universe (H/M/L)
Audit Manuals ( Query ) Excel ,M.S.Access
Segregation of duties.
User authorisation ( object level security)
Customized to fit each organisations unique needs.
Role of Auditor :- Integrated approach ( involvement in project early stage for design +Controls of systems )
Pre implementation reviewBefore go live ( Business case , projectrisks,Application security design).
Post implement review(Application)
Quality assuranceBPR Programme.
Audit involvementin project :-
During selection & implementation ( Contribute towardsestablishing control environment ).
Audit respons :- Environment evaluation from risk prospective,
Subject specials ( SD,MM,Tax) & ERP competent team
Efficient audit
Audit universe ( Business application + Basis appl.infrastructure)
Use HELP
-
8/13/2019 auditing in SAP environment.ppt
28/32
Audit Excellence Model/Global best practices (COSO)
Mapping in COSO (Committee of sponsoring Organisation of tread way commission)
A :- 3 Objectives Identifications : 1 Operation
2 Financial Reporting
3 Compliances.
B :- 5 Components of Internal Controls :-
1. Control Environments :- Ethics,Values,Standards,
2. Risk Assessment :- Technology,Operation,Finance,Heat Maps( Risk Impact vs
Exposure).
3. Control Activities :- KPI, Polices,Procedures,TQM,Physical,Safe guards.
4. Information & Communication :- Up & down , Adequacy ,Q,Timeliness
5. Monitoring & controls :- Internal controls, Physical verification, Overheads, MIS, . ,
Feed backs,Forums etc
-
8/13/2019 auditing in SAP environment.ppt
29/32
Audit Excellence Model/Global best practics (COBIT)
Mapping to COBIT (Control Objective for Information and related Technology ).
MAIN PROCESSESS No of Key Processes
Planning and orgainsation 11
Acquisition & Implementation 6
Delivery & Support 13
Monitoring 4
LEVEL OF CONTROLS -ASSESMENT
0. Non Existance
1.Initial /Adhoc
2.Repeatable but person dependent
3.DefinedStandardized & documented.
4. ManagedMonitoring OK & Feed back system.
5. Optimized Control- Industry Best Practices
-
8/13/2019 auditing in SAP environment.ppt
30/32
New Directions in ERP Auditing :-
Risk Based Auditing linked to COSO& Cobit
Professional ethics& standards
AIS (Materiality )+ Queries development(Tabledown load+MS access)
Auditing tools- ACL/IDEA etc and many more
Online continuous audit(Remote-desk topauditing)
E enabled applications (vendors/Dlrs, P2P, B2C)
OutsourcingCompetence/costsbenefit based
100 % transaction Audit/AUDIT thr computers
Continuous enhancing ERP competencies
Qualified Auditiors-CIA/CISA.
-
8/13/2019 auditing in SAP environment.ppt
31/32
References
www.theiia.org
Internal auditing :- Guidance for the profession
:- Code of Ethics
:- International Standards for the professional practices of internal auditing
:- Practice Advisories
:- Development & Practice Aids.
www.isaca.orgIS Auditing standards
IS Auditing guidelines
IS Auditing Procedures
Standards for Professional information system control
http://www.sapgenie.com/ (google search based)
http:/www.sap.com services / education
http://www.sap.com/ Community
Help ..sap.com
-
8/13/2019 auditing in SAP environment.ppt
32/32
Arvind Dang
98711 41333
Thank you