auditing in SAP environment.ppt

Transcript of auditing in SAP environment.ppt

  • 8/13/2019 auditing in SAP environment.ppt

    1/32

    Auditing in the ERP Environments

    10-June-2006

  • Slide 2/32

    AGENDA

    1. GENERAL OVERVIEW - ERP: Any Business, ERP solutions, SAP R/3 Architecture & Application components
    2. MODULES IN ERP - Logistics, Accounting, Navigation of Screen, Core Business Cycle in a Manufacturing unit
    3. RISK ASSESSMENT IN ERP - Methodology: Quantification Model, Impact = Severity x Detection, Exposure, Risk Statements (SD/MM/FI/Common) - Examples, Risk Registers and Heat Maps (Module wise), Revenue, expenditure & Inventory cycles - Summing up
    4. TECHNICAL RISK IN ERP - Basis application infrastructure, Risks in Installation management, ABAP/4 workbench & transport (SE38/SA38), Computing center management systems, Profile Generator (PGFC)
    5. AUDIT IMPLEMENTATION IN ERP - Learnings for auditors, Excellence Model / Global best practices (COBIT / COSO) and New Directions in ERP Auditing

  • Slide 3/32

    General Overview - Any Business

    [Diagram: a Production/Service Enterprise at the centre, surrounded by its business relationships - Purchase (Qty. Value) / Vendor / Payable; FA; Sales Order / Bill / Customer / Receivable; HR / Wages Salary; Statut. Bodies; Share Holders; Other Business Associates.]

  • Slide 4/32

    ERP solutions - What do they enable

    1. Managing & supporting the resources of the organisation efficiently:
       - Employees
       - Customers
       - Vendors
       - Share Holders
       - Production Process
       - Material & Services

  • Slide 5/32

    ERP solutions - what do they enable

    2. Increasing competitiveness
    3. Reducing costs
    4. Improving operational reporting
    5. Improving quality of decision making
    6. Enhancing customer service
    7. Improving profitability
    8. Providing integrity of data
    9. Enhancing productivity of the value chain
    10. Speed

  • Slide 6/32

    ERP solutions - what do they enable

    - ERP solutions are integrated, configurable, real time and often available as cross-industry solutions. Today's presentation is primarily based on SAP, although many ERP solutions are in use (e.g. Oracle, J.D. Edwards, Baan, Mfg Pro etc.) with similar concepts.
    - SAP = Systems, Applications, Products in Data Processing
    - ERP cost/user - Licence (approximate): Info-users Rs. 60K+, Operational-users Rs. 90K+, Developers Rs. 350K+; AMC - Rs. 17 ~ 20%
    - ERP at Eicher = SAP 4.7c (375 users)

  • Slide 7/32

    SAP R/3 Architecture - 3 Layers

    - Presentation Layer: SAP R/3 S/W GUI (Enterprise 4.7c / ECC5) with which users interact
    - Application Layer: Application servers with the SAP R/3 kernel that run ABAP/4 programs (Windows 2003 Server / Service Pack 1)
    - Data Base Layer: RDBMS (e.g. Oracle 9i with patch level 4) - ABAP/4 Dictionary, source & executable programs
    - TCodes (SE16 / table TSTCT) = 120314 nos
    - Tables (DB02) = 35650 nos

  • Slide 8/32

    SAP R/3 Enterprise - Application components

    [Diagram: ERP core surrounded by its application components - AM, PS, CO, SD, QM, PM, HR, IS, WF, FI, MM, PP.]

  • Slide 9/32

    Modules in Logistics - Navigation of Screen

    1. Logistics General (LO)
    2. Product Life Cycle Management (PLM)
    3. Sales & Distribution (SD)
    4. Materials Management (MM)
    5. Logistics Execution (LE)
    6. Production Planning & Control (PP)
    7. Plant Maintenance (PM)
    8. Customer Service (CS)
    9. Quality Management (QM)
    10. Project System (PS)
    11. Environment Health & Safety (EH&S)
    12. Retail
    13. Agency Business (LO-AB)
    14. Global Trade
    15. Country Versions

  • Slide 10/32

    Modules in Accounting - Navigation of Screen

    1. Accounting General (AC)
    2. Financial Accounting (FI)
    3. mySAP Banking
    4. Corporate Finance Management (CFM)
    5. Treasury (TR)
    6. Controlling (CO)
    7. Investment Management (IM)
    8. Project System (PS)
    9. Incentive & Commission Management
    10. Enterprise Controlling
    11. Real Estate Management
    12. Public Sector Management
    13. Flexible Real Estate Management (RE-FX)
    14. Production Sharing Accounting systems
    15. Country Version

  • Slide 11/32

    Core Business Cycle in Manufacturing

    [Diagram of the linked cycles of a manufacturing unit; node labels as on the slide, grouped by cycle:]
    - Revenue cycle: Create Customer Relationship -> Sales Qty. -> Sales Order -> Goods Issue -> Delivery Note -> Our Invoice -> A.R. -> Collection
    - Production cycle: MRP, Producing Inventory, Create Production Order, Production, Inventory Management, Handling FGS
    - Expenditure cycle: Create Vendor Relationship -> Raw Material Management -> Purchase Requisition -> Purchase Order / Scheduling Agreement -> Goods Receipt -> Vendor Invoice Verification -> AP -> Payment
    - Reporting

  • Slide 12/32

    RISK ASSESSMENT METHODOLOGY BY A QUANTIFICATION MODEL

    Key business processes in Sales and Distribution (SD), Materials Management (MM) and Financial Accounting (FI) need to be studied in detail to identify their vulnerability to threats from within and outside. Based on this and on the experience of the internal audit team, risk statements relevant to the business are to be captured.

    For each risk statement, risk impact and risk exposure are to be assessed as under.

  • Slide 13/32

    Risk Registers and Heat Maps - Module wise

    [Heat map: RISK IMPACT on the vertical axis (LOW 0-20, MEDIUM 20-40, HIGH 40-100) against RISK EXPOSURE on the horizontal axis (LOW 0-2, MEDIUM 2-4, HIGH 4-10); each cell is a heat zone.]

    | Risk impact \ Risk exposure | LOW (0-2) | MEDIUM (2-4) | HIGH (4-10) |
    |---|---|---|---|
    | HIGH (40-100) | Y1 | R2 | R1 |
    | MEDIUM (20-40) | G1 | Y2 | R3 |
    | LOW (0-20) | G3 | G2 | Y3 |

    Using the risk impact and risk exposure scores as worked out above, all possible risk statements (like the 3 examples given for each of SD/MM/FI) need to be prepared in the form of a RISK REGISTER of many pages, and ultimately all risk statement Sr. nos. are to be plotted on a 1-page HEAT MAP.

  • Slide 14/32

    Risk impact - Severity x Detection

    Risk impact (Severity x Detectability) is to be assessed on a scale of 1-100 (100 being the highest adverse impact).

    A - Risk Severity (on a scale of 1-10) is determined based on the weighted average effect on 5 parameters, i.e. i- PBT, ii- Statutory / regulatory compliance, iii- Strategic value, iv- Financial statement accuracy, v- Reliability / operational effectiveness.

    B - Risk Detectability (on a scale of 1-10) is determined based on the stage at which the adverse event is detectable, i.e. within the company or from outside (customers).

  • Slide 15/32

    Risk exposure

    Risk exposure (likelihood of occurrence) is to be assessed on a scale of 1-10 (10 being most likely).

    Risk exposure is determined based on the weighted average effect of 10 parameters responsible for the exposure, i.e. i- Incorrect source data / data entry, ii- Incorrect / incomplete execution, iii- Incorrect / non-verification of output, iv- Skill / resource constraint, v- Inadequate segregation of duties, vi- Lack of system documentation, vii- Authority norms not defined / followed, viii- Inappropriate configuration / process logic, ix- Weak internal / compensating controls, x- Others (i.e. process complexity, frequency of changes, software limitation, unassignable causes etc.)

  • Slide 16/32

    RISK STATEMENTS - SD - Examples

    | S.No | Risk statement | Risk Severity | Risk Detectability | Risk Impact | Risk exposure | Heat zone |
    |---|---|---|---|---|---|---|
    | 1 | Invoice may be raised without effecting physical delivery of the goods from depot / plant (bill and hold) | 7 | 8 | 56 | 5 | R1 |
    | 2 | Sales order may not be executed in time and in full | 4 | 6 | 24 | 3 | Y2 |
    | 3 | Debit / credit notes sent to customers may not contain adequate supporting details | 2 | 4 | 8 | 4 | G2 |

  • Slide 17/32

    RISK STATEMENTS - MM - Examples

    | S.No | Risk statement | Risk Severity | Risk Detectability | Risk Impact | Risk exposure | Heat zone |
    |---|---|---|---|---|---|---|
    | 1 | Financial authority norms for release of PO may not be mapped into SAP | 4 | 8 | 32 | 6 | R3 |
    | 2 | GR may be prepared for a quantity lower / higher than vendor delivery challan | 4 | 6 | 24 | 4 | Y2 |
    | 3 | CENVAT credit availed may be lower than CENVATABLE excise duty credited to vendor through invoice verification | 3 | 6 | 18 | 4 | G2 |

  • Slide 18/32

    RISK STATEMENTS - FI - Examples

    | S.No | Risk statement | Risk Severity | Risk Detectability | Risk Impact | Risk exposure | Heat zone |
    |---|---|---|---|---|---|---|
    | 1 | Depreciation rates may have been incorrectly set up | 5 | 6 | 30 | 5 | R3 |
    | 2 | Vendor accounts may not have been reconciled / confirmed as per laid down frequency | 5 | 6 | 30 | 4 | Y2 |
    | 3 | Line items (individual entries) clearing may not have been carried out in vendor accounts | 3 | 6 | 18 | 4 | G2 |

  • Slide 19/32

    RISK STATEMENTS - Common to all functions - Examples

    | S.No | Risk statement | Risk Severity | Risk Detectability | Risk Impact | Risk exposure | Heat zone |
    |---|---|---|---|---|---|---|
    | 1 | SAP transaction authorizations granted to users may not relate to their assigned role / responsibility | 8 | 8 | 64 | 8 | R1 |
    | 2 | SAP transactions may be carried out using group IDs, resulting in non-traceability of transactions to any specific individual (employee) | 8 | 8 | 64 | 8 | R1 |
    | 3 | Audit trails (chronological log of changes) may not be reviewed / analyzed by process owners | 5 | 8 | 40 | 7 | R3 |
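The quantification model of slides 12-19 (impact = severity x detectability, exposure as likelihood, heat zone from the 3x3 grid) carried through in code, as an added example that is not part of the deck. The twelve register rows are the deck's own SD/MM/FI/common examples; the equal weights in `weighted_score` and the reading of the band edges as upper-bound inclusive (impact 40 and exposure 4 fall in MEDIUM) are assumptions inferred from those rows, since the deck publishes neither its weights nor its boundary rule.

```python
"""Risk quantification model from the deck (added example, not the deck's code).
Impact = Severity x Detectability (each 1-10, impact 1-100); exposure 1-10;
heat zone from the slide's 3x3 grid. Band edges are treated as upper-bound
inclusive (impact 40 -> MEDIUM, exposure 4 -> MEDIUM): an assumption inferred
from the deck's own register rows, which use exactly those boundary values."""
from dataclasses import dataclass


def weighted_score(parameter_scores, weights=None):
    """Weighted average of 1-10 parameter scores, rounded half-up to 1-10.
    Used for severity (5 parameters) and exposure (10 parameters). The deck
    does not publish its weights, so equal weights are an assumption here."""
    if not parameter_scores:
        raise ValueError("at least one parameter score is required")
    if weights is None:
        weights = [1.0] * len(parameter_scores)
    if len(weights) != len(parameter_scores):
        raise ValueError("one weight per parameter score is required")
    for score in parameter_scores:
        if not 1 <= score <= 10:
            raise ValueError(f"parameter score {score} is outside 1-10")
    total = sum(s * w for s, w in zip(parameter_scores, weights))
    return max(1, min(10, int(total / sum(weights) + 0.5)))


def impact_band(impact):
    """Vertical axis of the heat map: LOW 0-20, MEDIUM 20-40, HIGH 40-100."""
    if impact <= 20:
        return "LOW"
    if impact <= 40:
        return "MEDIUM"
    return "HIGH"


def exposure_band(exposure):
    """Horizontal axis of the heat map: LOW 0-2, MEDIUM 2-4, HIGH 4-10."""
    if exposure <= 2:
        return "LOW"
    if exposure <= 4:
        return "MEDIUM"
    return "HIGH"


# Heat zones as laid out on the slide, keyed (impact band, exposure band).
HEAT_MAP = {
    ("HIGH", "LOW"): "Y1", ("HIGH", "MEDIUM"): "R2", ("HIGH", "HIGH"): "R1",
    ("MEDIUM", "LOW"): "G1", ("MEDIUM", "MEDIUM"): "Y2", ("MEDIUM", "HIGH"): "R3",
    ("LOW", "LOW"): "G3", ("LOW", "MEDIUM"): "G2", ("LOW", "HIGH"): "Y3",
}


@dataclass
class RiskEntry:
    """One row of a risk register; scores are the 1-10 values the auditor
    assigns (or derives with weighted_score) for a risk statement."""
    ref: str            # module and Sr. no., e.g. "SD-1"
    statement: str
    severity: int
    detectability: int
    exposure: int

    def __post_init__(self):
        for name in ("severity", "detectability", "exposure"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.ref}: {name}={value} is outside 1-10")

    @property
    def impact(self):
        return self.severity * self.detectability

    @property
    def heat_zone(self):
        return HEAT_MAP[(impact_band(self.impact), exposure_band(self.exposure))]


def heat_map(register):
    """Plot every register row onto the one-page heat map: zone -> [refs]."""
    plotted = {zone: [] for zone in HEAT_MAP.values()}
    for entry in register:
        plotted[entry.heat_zone].append(entry.ref)
    return plotted


# The twelve example rows from the deck's SD / MM / FI / common slides.
REGISTER = [
    RiskEntry("SD-1", "Invoice raised without physical delivery (bill and hold)", 7, 8, 5),
    RiskEntry("SD-2", "Sales order not executed in time and in full", 4, 6, 3),
    RiskEntry("SD-3", "Debit / credit notes lack adequate supporting details", 2, 4, 4),
    RiskEntry("MM-1", "PO release authority norms not mapped into SAP", 4, 8, 6),
    RiskEntry("MM-2", "GR quantity differs from vendor delivery challan", 4, 6, 4),
    RiskEntry("MM-3", "CENVAT credit availed lower than duty credited to vendor", 3, 6, 4),
    RiskEntry("FI-1", "Depreciation rates incorrectly set up", 5, 6, 5),
    RiskEntry("FI-2", "Vendor accounts not reconciled as per laid down frequency", 5, 6, 4),
    RiskEntry("FI-3", "Line item clearing not carried out in vendor accounts", 3, 6, 4),
    RiskEntry("C-1", "Transaction authorizations unrelated to assigned role", 8, 8, 8),
    RiskEntry("C-2", "Transactions carried out using group IDs (no traceability)", 8, 8, 8),
    RiskEntry("C-3", "Audit trails not reviewed / analyzed by process owners", 5, 8, 7),
]

if __name__ == "__main__":
    for e in REGISTER:
        print(f"{e.ref:5} impact={e.impact:3} exposure={e.exposure:2} zone={e.heat_zone}")
    print(heat_map(REGISTER))
```

Running the block reproduces the heat zones printed on the deck's four example slides; the rows C-3 (impact exactly 40) and the four rows with exposure exactly 4 are what pin down the inclusive boundary rule, so a register tool built on this model should keep that rule explicit rather than leave it to whoever fills in the sheet.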

  • Slide 20/32

    Important table mappings & concepts

    - SD - Sales orders = VBAK / VBAP / VBPA (different types)
    - SD - Shipping = VBLK / LIKP / LIPS (different types)
    - SD - Billing = KONV / VBRK / VBRP / VBUK (different types), PRICING procedures
    - SD - Customer master used in AR = KNVP / KNVV / KNA1 / KNB1, sales organisation
    - MM - Purchase requisition = EBAN / EBKN
    - MM - PO / SA = EKKO / EKPO
    - MM - Delivery schedule = EKET / EKKN
    - MM - GR = MKPF / MSEG / EKBE
    - MM - Material master = MARC / MLAN / MAKT / MARA / MBEW
    - MM - PO info record = KONH / KONP / EINA / EINE
    - MM - BOM = STKO / STPO
    - MM - Material types, Material movements, Material groups, Material types, Purchase groups
    - FI - Payment = PAYR; Accounting = BKPF / BSEG; open / closed items - Customer = BSID / BSAD, Vendor = BSIK / BSAK, G/L = BSIS / BSAS
    - FI - Master - G/L = SKB1 / SKA1 / SKAT, CC = CSKS / CSKT, Profit centre = CEPC / CSKT
    - FI - Vendor master used in AP = purchasing LFM1 / LFM2, general LFA1 / LFB1 / LFBK
    - FI - Document types - 30 types - AB accounting, BR bank receipt, KR vendor invoice, RV sales invoice
    - FI - Account types - 5 - A Assets, D Customers, K Vendors, M Material, S G/L
    - FI - COA - Chart of accounts

  • Slide 21/32

    Risks in Revenue, expenditure, inventory cycles - overview - 400+

    - Configuration: SAP system landscape, R/3 customizing, organisational objects, currencies, tax procedures, charges in customer / vendor master, document types, depreciation keys, overhead cost allocation, PO release, payment terms, pricing procedures in SD, credit controls, outgoing invoice posting / free goods, automatic account determination.
    - Authorisation: authorization objects, user management, tolerance groups, workflows, conflicting combinations, own-developed transactions, super user, change management.
    - Masters: GL masters, customer masters, vendor masters, material masters, selling price, tax codes, quota arrangement, BOM.
    - Procedure manuals: risk based queries (SD, MM, FI) using SAP + MS Access / AIS / critical tools / tables / LDB - SAP e.g. at Eicher: SAP queries = 106+133+25, MS Access queries = 103+135+39.
    - Audit trails: configuration control, authorization (change management), master & application (PO / sales order credits / FI documents).

  • Slide 22/32

    Technical - Basis application infrastructure in SAP R/3

    4 Key Basis Tools + Utilities

    A. Installation Management Guide - IMG - SPRO
    B. ABAP/4 Workbench & Transportation System (Development + Test + Production)
    C. Computing Center Management System (CCMS) - utilities to monitor, control & configure R/3: start up, shut down, network monitoring, security, back ups, alerts, trouble shooting, system configuration & system profile management, DBA, profile security
    D. Profile Generator & Security Administration (PG&SA) (SUIM - Authorisation Information System; SU03 - Maintenance & Authorisation)

  • Slide 23/32

    Risks in Installation management

    1. The organisation models: SPRO & SCC4 control production client settings. Risks are: incorrect consolidation / inadequate reporting / incorrect MIS / manual work-around.
    2. Critical number ranges: assigned to individual DB records; internal numbers by SAP & external numbers by users (SNRO + SUIM + SPRO).
    3. Modification of critical tables: SAP tables other than X* / Y*; table fields (SE16 / SE11 / DD03M).

  • Slide 24/32

    Risks in ABAP/4 workbench & transport (SE38 / SA38)

    - Change control procedure (programmes, queries)
    - Development & testing servers
    - Transport system testing
    - Logs
    - Emergency change procedures

  • Slide 25/32

    Risks in Computing Center Management Systems

    - Batch processing control: Batch input (SM35), Administration (SM64), Processing (SM36)
    - Application server parameters: a) Login / PW expiration 180 days, b) Min PW length 6-8, c) Login / fails to session end (incorrect PW 3 times)
    - Locking transaction codes: SM01 (users who have access to lock / unlock T.codes)
    - Restricted password: Default PW, Name
    - SAP Router: permission table authorization with valid IP address (port 3200)
    - On-line support systems (SAP Marketplace, Web): remote access to SAP vendor
    - Remote function call: programme interfaces (SM59); use of E-SCORE, /EPIC/DMS/ITS/ etc.
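The "application server parameters" item above is the kind of check an auditor can script rather than read off a screen. The block below is an added example, not part of the deck: it parses an instance-profile excerpt and compares it with the slide's baseline (PW expiry 180 days, minimum length 6-8, session ended after 3 wrong passwords). The three `login/*` names are SAP's real profile parameters for those settings; the profile text is constructed for this example and the mapping of the slide's three items onto exactly those parameters is the author's assumption here.

```python
"""Baseline check of SAP login profile parameters (added example, not the deck's
code). Baseline values come from the CCMS slide; the parameter names are SAP's
login/* profile parameters; the profile text is constructed, not from a system."""

# Constructed excerpt in the "name = value" form of an SAP instance profile.
SAMPLE_PROFILE = """\
# constructed sample profile - not from a real system
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
login/password_expiration_time = 365
login/min_password_lng = 4
# login/fails_to_session_end deliberately left unset
rdisp/gui_auto_logout = 1800
"""

# Baseline from the slide: ("max", n) accepts 1..n, ("min", n) accepts >= n.
BASELINE = {
    "login/password_expiration_time": ("max", 180, "days before a password expires"),
    "login/min_password_lng": ("min", 6, "minimum password length"),
    "login/fails_to_session_end": ("max", 3, "wrong passwords before the session ends"),
}


def parse_profile(text):
    """Parse 'name = value' lines; '#' lines are comments, blank lines skipped.
    A later assignment overrides an earlier one, as in a profile file."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_login_baseline(params, baseline=BASELINE):
    """Return (parameter, status, detail) findings; an empty list means compliant."""
    findings = []
    for name, (kind, limit, meaning) in baseline.items():
        raw = params.get(name)
        if raw is None:
            # The failure mode the checklist is really about: an unset parameter
            # silently takes the kernel default instead of the audited value.
            findings.append((name, "MISSING", f"not set; kernel default applies ({meaning})"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, "INVALID", f"non-numeric value {raw!r}"))
            continue
        # For login/password_expiration_time a value of 0 means passwords never
        # expire, so 0 is outside the accepted 1..limit range for "max" items.
        if kind == "max" and not 1 <= value <= limit:
            findings.append((name, "FAIL", f"{meaning}: {value}, outside 1..{limit}"))
        elif kind == "min" and value < limit:
            findings.append((name, "FAIL", f"{meaning}: {value}, baseline at least {limit}"))
    return findings


def audit_profile_text(text):
    """Convenience wrapper: profile text in, list of findings out."""
    return check_login_baseline(parse_profile(text))


if __name__ == "__main__":
    for name, status, detail in audit_profile_text(SAMPLE_PROFILE):
        print(f"{status:7} {name}: {detail}")
```

On the constructed profile the check reports the expiry (365 days) and length (4) as failures and the lockout parameter as missing; a parameter that is absent is reported separately from one that is set wrongly, because "the default applies" is the finding the slide's checklist exists to catch and it does not show up in a screen-by-screen review of values that were set.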

  • Slide 26/32

    Risks in Profile Generator (PGFC):

    - Security admin profile (create / change / display)
    - Super user SAP*, SAP_ALL
    - Authorisation documentation (biggest risk)
    - Log + trace file

  • Slide 27/32

    ERP implementation - Learnings for auditors

    - Managing in-charge: higher number of IS auditors than traditional-profile auditors; ERP trained auditors (functionally / query).
    - Audit methodology: risk assessment of the audit universe (H/M/L); audit manuals (query), Excel, MS Access; segregation of duties; user authorisation (object level security); customized to fit each organisation's unique needs.
    - Role of auditor: integrated approach (involvement at the early project stage for design + controls of systems); pre-implementation review before go-live (business case, project risks, application security design); post-implementation review (application); quality assurance; BPR programme.
    - Audit involvement in project: during selection & implementation (contribute towards establishing the control environment).
    - Audit responsibilities: environment evaluation from a risk perspective; subject specialists (SD, MM, Tax) & ERP competent team; efficient audit; audit universe (business application + Basis application infrastructure); use HELP.

  • Slide 28/32

    Audit Excellence Model / Global best practices (COSO)

    Mapping to COSO (Committee of Sponsoring Organizations of the Treadway Commission)

    A. 3 Objectives identified: 1. Operations, 2. Financial Reporting, 3. Compliance.

    B. 5 Components of Internal Control:
    1. Control Environment: ethics, values, standards
    2. Risk Assessment: technology, operation, finance, heat maps (risk impact vs exposure)
    3. Control Activities: KPIs, policies, procedures, TQM, physical safeguards
    4. Information & Communication: up & down, adequacy, Q, timeliness
    5. Monitoring & controls: internal controls, physical verification, overheads, MIS, feedbacks, forums etc.

  • Slide 29/32

    Audit Excellence Model / Global best practices (COBIT)

    Mapping to COBIT (Control Objectives for Information and related Technology).

    | MAIN PROCESSES | No. of key processes |
    |---|---|
    | Planning and organisation | 11 |
    | Acquisition & implementation | 6 |
    | Delivery & support | 13 |
    | Monitoring | 4 |

    LEVEL OF CONTROLS - ASSESSMENT
    0. Non-existent
    1. Initial / ad hoc
    2. Repeatable but person dependent
    3. Defined - standardized & documented
    4. Managed - monitoring OK & feedback system
    5. Optimized control - industry best practices

  • Slide 30/32

    New Directions in ERP Auditing:

    - Risk based auditing linked to COSO & COBIT
    - Professional ethics & standards
    - AIS (materiality) + queries development (table download + MS Access)
    - Auditing tools - ACL / IDEA etc. and many more
    - Online continuous audit (remote desktop auditing)
    - E-enabled applications (vendors / dealers, P2P, B2C)
    - Outsourcing - competence / cost-benefit based
    - 100% transaction audit / audit through computers
    - Continuously enhancing ERP competencies
    - Qualified auditors - CIA / CISA

  • Slide 31/32

    References

    www.theiia.org - Internal auditing: Guidance for the profession
    - Code of Ethics
    - International Standards for the Professional Practice of Internal Auditing
    - Practice Advisories
    - Development & Practice Aids

    www.isaca.org
    - IS Auditing Standards
    - IS Auditing Guidelines
    - IS Auditing Procedures
    - Standards for Professional Information Systems Control

    http://www.sapgenie.com/ (Google search based)
    http://www.sap.com - Services / Education
    http://www.sap.com - Community
    help.sap.com

  • Slide 32/32

    Arvind Dang
    98711 41333
    [email protected]

    Thank you