Security Audit and Control Features SAP ERP 3rd Edition Icq Eng 1109


Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series)

Audit/Assurance Programs and ICQs

ISACA

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations. ISACA developed and continually updates the COBIT®, Val IT and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Disclaimer

ISACA has designed and created Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series) Excerpt of the Audit/Assurance Programs and ICQs (the "Work"), primarily as an educational resource for control professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. While all care has been taken in researching and documenting the techniques described in this text, persons employing these techniques must use their own knowledge and judgment. ISACA and Deloitte, its partners and employees, shall not be liable for any losses and/or damages (whether direct or indirect), costs, expenses or claims whatsoever arising out of the use of the techniques described or reliance on the information in this reference guide.

SAP, SAP R/3, mySAP, SAP R/3 Enterprise, SAP Strategic Enterprise Management (SAP SEM), SAP


Acknowledgments

ISACA wishes to recognize:

Researcher

Mark Sercombe, CISA, CA, CIA, Sponsoring Partner, Deloitte, Australia
Matthew Saines, CISA, CISSP, Deloitte, Australia
Maria Woodyatt, CISA, Deloitte, Australia
Bernadette Louat, CISA, Deloitte, Australia

Computer Assistance LLP, Canada
Chang Lu Miao, CISA, ACIB, CPA, MCSE, SAP T/C, Auditor-General's Office, Singapore
Mayank Garg, CISA, Atmel Corporation, USA
David T. Green, PhD, Governors State University, USA
Guhapriya Iyer, CISA, ACA, Grad CWA, Cerberus Consulting, India
Babu Jayendran, CISA, FCA, Babu Jayendran Consulting, India
Emma Johari, CISA, PM, Australia
Pam Kammermeier, CISA, Altran Control Solutions, USA
Rani Lalsinghani, CISA, CISM, TechnoSols Consulting Services, Australia
Mookhey, CISA, CISM, CISSP,


Tony Hayes, CGEIT, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, CSEPS, RSM Bird Cameron, Australia, Director

Assurance Committee 2008-2009

Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Chair
Pippa Andrews, CISA, ACA, CIA, Amcor, Australia
Richard Brisebois, CISA, CA, Office of the Auditor General of Canada, Canada
Sergio Fleginsky, CISA, ICI, Uruguay
Robert Johnson, CISA, CISM, CGEIT, CISSP, Executive Consultant, USA
Anthony P


Appendix D. SAP ERP Revenue, Expenditure, Inventory, Basis Audit/Assurance Programs

Revenue Business Cycle

I. Introduction

Overview

ISACA developed ITAF™: A Professional Practices Framework for IT Assurance as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, and tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200, General Standards. The audit/assurance programs are part of ITAF, section 4000, IT Assurance Tools and Techniques.

Control Framework

The audit/assurance programs have been developed in alignment with the COBIT framework, specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF, sections 3400, IT Management Processes; 3600, IT Audit and Assurance Processes; and 3800, IT Audit and Assurance Management.

Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename columns in the audit program to align with the enterprise's control framework.

IT Governance, Risk and Control

IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives with steps to determine control design and effectiveness.

© 2009 ISACA. All rights reserved. Page 5


The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure AD.1.

Figure AD.1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Columns: Internal Control Framework | ERM Integrated Framework

Internal Control Framework, Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

ERM Integrated Framework, Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an enterprise's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

ERM Integrated Framework, Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise's mission and are consistent with its risk appetite.

ERM Integrated Framework, Event Identification: Internal and external events affecting achievement of an enterprise's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Internal Control Framework, Risk Assessment: Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

ERM Integrated Framework, Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

ERM Integrated Framework, Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the enterprise's risk tolerances and risk appetite.

Internal Control Framework, Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the enterprise's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

ERM Integrated Framework, Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control Framework, Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

ERM Integrated Framework, Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the enterprise.

Internal Control Framework, Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework, Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure AD.1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure AD.1.

Reference/Hyperlink

Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference

This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments

The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

The IT Assurance Guide: Using COBIT, appendix VII, Maturity Model for Internal Control, in figure AD.2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure AD.2: Maturity Model for Internal Control

Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls

(The rows for levels 0 and 1 and the beginning of the level 2 row are lost at a page break in this extract.)

Level 2 (label partially lost: "... intuitive")
Status of the internal control environment: ... is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of internal controls: ... selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Level 3, Defined
Status of the internal control environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of internal controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Level 4, Managed and measurable
Status of the internal control environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of internal controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Level 5, Optimized
Status of the internal control environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of internal controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework


ISACA IT Assurance Framework and Standards

ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit and Assurance Standard S15 IT Controls, and IT Audit and Assurance Guideline G38 Access Controls are relevant to this audit/assurance program.

ISACA Controls Framework

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.

Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security

The review of SAP helps management ensure that it is secure. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing.

Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time." Release levels are annotated separately to the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release.

R/3 was introduced in 1992 with a three-tier architecture paradigm. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP


Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:
- Disclosure of privileged information
- Single points of failure
- Low data quality
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements

Objective and Scope

Objective: The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.

Scope: The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills

This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.


VI. Revenue Business Cycle Audit/Assurance Program

The program table has the following columns: Audit/Assurance Program Step; COBIT Cross-reference; COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring); Reference/Hyperlink; Issue Cross-reference; Comment. In this rendering the COBIT cross-reference is shown in square brackets after each step.

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP

1. Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies. [COBIT: ME1]

1.1 Determine whether: [COBIT: ME1]
- Senior management has assigned responsibilities for information, its processing and its use.
- User management is responsible for providing information that supports the entity's objectives and policies.
- Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity.
- Senior management approves plans for development and acquisition of information systems.
- There are procedures to ensure that the information system being developed or acquired meets user requirements.
- There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation.
- All personnel involved in the system acquisition and configuration activities receive adequate training and supervision.
- There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards.
- User management participates in the conversion of data from the existing system to the new system.
- Final approval is obtained from user management prior to going live with a new information/upgraded system.
- There are procedures to document and schedule all changes to information systems (including key ABAP programs).
- There are procedures to ensure that only authorized changes are initiated.
- There are procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client.
- There are procedures to allow for and control emergency changes.
- There are procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software.
- There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated.
- The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions.
- The database, application and presentation servers are located in a physically separate and protected environment (i.e., a data center).
- Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational.
- Backup and recovery plans allow users of information systems to resume operations in the event of an interruption.
- Application controls are designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system.
- Access to the Implementation Guide (IMG) during production has been restricted.
- The production client settings have been flagged to not allow changes to programs and configuration.
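An added check for the last item above, written here as example code and not part of the ISACA program: it evaluates an export of table T000 (the client settings maintained in transaction SCC4) and reports every production-role client whose change settings still permit changes to client-specific Customizing or to Repository and cross-client objects. The field names and value codes are my understanding of SCC4 and should be verified against your release; the sample export is constructed.

```python
"""Flag SAP production clients whose client settings still allow changes.

Added example (not code from the ISACA audit program). It supports the
step "the production client settings have been flagged to not allow
changes to programs and configuration" by evaluating an export of table
T000, the client settings maintained in transaction SCC4. Field names and
value codes are assumptions about SCC4; verify them against your release.
"""
import csv
import io

# Constructed tab-separated export of T000 (e.g. an SE16 download).
SAMPLE_T000 = (
    "MANDT\tMTEXT\tCCCATEGORY\tCCCORACTIV\tCCNOCLIIND\n"
    "000\tSAP reference\tS\t2\t3\n"
    "100\tDevelopment\tC\t1\t \n"
    "200\tQuality assurance\tT\t2\t3\n"
    "300\tProduction\tP\t1\t \n"
    "400\tProduction, secondary\tP\t2\t3\n"
)

# CCCATEGORY is the client role; "P" = production (assumed code).
PRODUCTION_ROLE = "P"

# Settings a production client is expected to carry (assumed codes):
#   CCCORACTIV (client-specific objects): "2" = no changes allowed
#   CCNOCLIIND (cross-client objects):    "3" = no changes to Repository
#                                          and cross-client Customizing
EXPECTED_PRODUCTION = {
    "CCCORACTIV": ("2", "client-specific Customizing changes are allowed"),
    "CCNOCLIIND": ("3", "Repository/cross-client Customizing changes are allowed"),
}

# Meaning of each code (assumed), used to make the finding readable.
CODE_TEXT = {
    "CCCORACTIV": {
        "": "changes without automatic recording",
        "1": "automatic recording of changes",
        "2": "no changes allowed",
        "3": "changes without automatic recording, no transports",
    },
    "CCNOCLIIND": {
        "": "changes to Repository and cross-client Customizing allowed",
        "1": "no changes to cross-client Customizing objects",
        "2": "no changes to Repository objects",
        "3": "no changes to Repository and cross-client Customizing",
    },
}


def parse_t000(text):
    """Parse a tab-separated T000 export into dicts with stripped values."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def production_clients(rows):
    """Clients whose role is production; the audit step covers only these."""
    return [r for r in rows if r.get("CCCATEGORY") == PRODUCTION_ROLE]


def check_production_clients(rows):
    """Return findings as (client, field, actual_code, meaning, risk) tuples.

    A production client with no findings is "flagged to not allow changes"
    in the sense of the audit step; each finding is a control weakness to
    record in the work paper and raise with Basis and change management.
    """
    findings = []
    for row in production_clients(rows):
        for field, (expected, risk) in EXPECTED_PRODUCTION.items():
            actual = row.get(field, "")
            if actual != expected:
                meaning = CODE_TEXT[field].get(actual, "unknown code")
                findings.append((row["MANDT"], field, actual, meaning, risk))
    return findings


def report(findings):
    """Format findings as one line each for the audit work paper."""
    if not findings:
        return ["All production clients have change settings at the expected level."]
    return [
        f"Client {mandt}: {field}='{code}' ({meaning}); {risk}"
        for mandt, field, code, meaning, risk in findings
    ]


if __name__ == "__main__":
    for line in report(check_production_clients(parse_t000(SAMPLE_T000))):
        print(line)
```

On the constructed export, client 300 is reported twice (both settings open) and client 400 passes; the non-production clients are ignored even though 100 allows changes, because the step is about production clients only.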

B. PRELIMINARY AUDIT STEPS

1. Gain an understanding of the SAP ERP environment.

1.1 The same background information obtained for the SAP ERP Basis Security audit plan is required for and relevant to the business cycles. In particular, the following information is important: [COBIT: PO2, PO3]


Version and release of SAP ERP implemented
Total number of named users (for comparison with logical access security testing results)
Key security policies and standards
COBIT: PO4, PO6, PO9, DS2, DS12, ME2

1.2 Obtain details of the following:
Organizational Management Model as it relates to sales/revenue activity, i.e., the sales organization unit structure in SAP ERP and the company sales organization chart (required when evaluating the results of access security control testing)
An interview of the systems implementation team, if possible, and process design documentation for sales and distribution
COBIT: AI1, DS5, DS6

2. Identify the significant risks and determine the key controls.

2.1 Develop a high-level process flow diagram and overall understanding of the revenue processing cycle, including the following subprocesses:
Maintain pricing/customer master data
Sales order processing
Invoice processing
Payment receipt
COBIT: PO9, AI1, DS13

2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the sample testing program below and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
COBIT: PO9, DS5, DS9


The controls culture of the organization (e.g., a "just enough" control philosophy)
The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (any weaknesses in the control structure should be reported to executive management and resolved)
COBIT: ME2

C. DETAILED AUDIT STEPS

1. Maintain customer/pricing master data.

1.1 Changes made to master data are valid, complete, accurate and timely.

1.1.1 Determine whether the following reports of changes to master data have been compared to authorized source documents and/or a manual log of requested changes to ensure they were input accurately and on a timely basis:
For customer master data, use transaction code OV51 (also accessible using transaction code SA38 and program RFDABL00) to generate a list denoting the date and time of change, old and new values for fields, and details of the user who input the change.
Use transaction code S_ALR_87009993 (also accessible using transaction code SA38 and program RFDKLIAB) to display changes to credit management and credit information change details for comparison to authorized source documents.
Use transaction MM04 to display master data changes for individual materials.
Generate a list of pricing changes using transaction VK12 and then selecting the following path from the menu options: Environment > Changes > Change Report. Check the accuracy of changes made to the pricing master records, and also the time at which these changes were applied (which is essential to the effective processing of pricing changes), against authorized source documentation.
COBIT: AI2, AI6, DS6, DS11
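Step 1.1.1 is a comparison of a system change report with an independent record of what was approved. The following is an added example of that comparison, written for this page and not part of the ISACA program or of SAP; it assumes the auditor has exported the change report (for instance the OV51/RFDABL00 output for customers, or the VK12 change report for pricing) into rows of object key, field, old value, new value, user and timestamp, and holds the manual log of approved requests in a similar shape. Every row below is constructed for illustration, and the field names only imitate the KNA1/KNB1 naming style. It reports four things an auditor needs: changes with no approved request, approved changes applied late, changes made by users outside the permitted list, and approved requests that were never implemented.

```python
"""Reconcile an exported SAP master-data change report against the
manual log of approved change requests (added audit example).

Assumptions: report rows are (object, field, old, new, user, timestamp)
and approved-log rows are (object, field, new, requested_on, approver).
All data below is constructed, not an extract from a real system.
"""
from datetime import datetime, timedelta

# Constructed change-report rows: one row per changed field.
CHANGE_REPORT = [
    ("100021", "ZTERM", "NT30", "NT60", "JSMITH", "2009-03-02 09:14"),
    ("100021", "ZWELS", "", "T", "JSMITH", "2009-03-02 09:15"),
    ("100087", "STRAS", "1 Main St", "2 Side St", "MLEE", "2009-03-05 16:40"),
    ("100150", "SPERR", "", "X", "BATCH01", "2009-03-07 02:00"),
]

# Constructed manual log of approved change requests.
APPROVED_LOG = [
    ("100021", "ZTERM", "NT60", "2009-02-20", "AR_MANAGER"),
    ("100087", "STRAS", "2 Side St", "2009-03-05", "AR_MANAGER"),
    ("100150", "ZTERM", "NT30", "2009-03-06", "AR_MANAGER"),
]

# Users permitted by policy to maintain customer master data (assumed).
AUTHORIZED_MAINTAINERS = {"JSMITH", "MLEE"}


def reconcile(report, approved_log, authorized_users, max_lag_days=3):
    """Compare each reported change with the approved log.

    Returns a dict of findings:
      unapproved        - changes with no matching approved request
      late              - approved changes applied more than max_lag_days
                          after the request date
      unauthorized_user - changes made by a user outside authorized_users
      not_implemented   - approved requests with no corresponding change
    """
    approved = {
        (obj, field, new): datetime.strptime(requested, "%Y-%m-%d")
        for obj, field, new, requested, _approver in approved_log
    }
    findings = {"unapproved": [], "late": [],
                "unauthorized_user": [], "not_implemented": []}
    matched = set()

    for obj, field, old, new, user, changed_at in report:
        key = (obj, field, new)
        when = datetime.strptime(changed_at, "%Y-%m-%d %H:%M")
        if key in approved:
            matched.add(key)
            lag = when - approved[key]
            if lag > timedelta(days=max_lag_days):
                findings["late"].append((obj, field, new, lag.days))
        else:
            findings["unapproved"].append((obj, field, old, new, user))
        if user not in authorized_users:
            findings["unauthorized_user"].append((obj, field, user))

    # Approved requests that never showed up in the change report.
    for key in approved:
        if key not in matched:
            findings["not_implemented"].append(key)
    return findings


if __name__ == "__main__":
    result = reconcile(CHANGE_REPORT, APPROVED_LOG, AUTHORIZED_MAINTAINERS)
    for category, rows in result.items():
        print(category, rows)
```

The match key is (object, field, new value), so a change to the same field with a different value than the one approved is reported as unapproved rather than silently accepted; the batch user appears twice on purpose, once as an unapproved change and once as a user outside the permitted list, because each is a separate finding.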

1.1.2 Review organization policy and process design specifications regarding access to maintain master data. Test user access to create and maintain customer, material and pricing master data as follows:
Customer master data: transaction codes FD01/FD02/FD05/FD06 (Finance), VD01/VD02/VD05/VD06 (Sales), XD01/XD02/XD05/XD06/XD07/XD99 (Central)
Material master data: transaction codes MM01 (Create), MM02 (Change), MM06 (Delete)
Pricing master data: transaction codes VK11 and VK12
Testing access to the transaction codes (authorization object S_TCODE) shows who can start these transactions; the authorization objects checked inside them (for example F_KNA1_APP for customer master data) determine what a user can actually do once there and should be tested alongside.
COBIT: AI2, AI6, DS5, DS11

1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
Customer account groups: transaction SPRO, menu path Financial Accounting > Accounts Receivable and Accounts Payable > Customer Accounts > Master Data > Preparation for Creating Customer Master Data > Define Account Group With Screen Layout (Customers)
Material types: transaction SPRO, menu path Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
Industry sector: transaction SPRO, menu path Logistics General > Material Master > Field Selection > Define Industry Sectors and Industry-Sector-Specific Field Selection
Understand the organization's pricing policy and its configuration in SAP ERP (e.g., hard-coded, manual override possible, user enters price). Pricing condition types and records can be reviewed against the organization's pricing policy using the following menu path and transaction codes: transaction SPRO, menu path Sales and Distribution > Basic Functions > Pricing; V-44 for material price condition records; V-48 for price list type condition records; V-52 for customer-specific condition types.
COBIT: PO9, DS9, DS11, DS12

1.2 Master data remain current and pertinent.

1.2.1 Determine whether management runs the following reports, or equivalent, by master data type, and confirm evidence of management's review of the data for currency and ongoing pertinence:
Customer master data: run transaction code F.20
Material master data: run transaction code MMS3
Pricing master data: run transaction code VK13
Transaction F.32 provides an overview of customers for which no credit limit has been entered. Check the output from transaction F.32 to confirm that a credit limit has been set for customers in the range requiring a limit.
COBIT: PO8, DS3, DS11, ME1

2. Sales Order Processing

2.1. Sales orders are processed with valid prices and terms, and processing is complete, accurate and timely.

2.1.1 Determine whether the ability to create, change or delete sales orders, contracts and delivery schedules is restricted to authorized personnel by testing access to the following transactions:
Create (VA01)/Change (VA02) Sales Order
Create (VA31)/Change (VA32) Delivery Schedules (scheduling agreements)
Create (VA41)/Change (VA42) Contracts

2.1.2 Refer to master data integrity point 1.1.2.

2.1.3 Refer to master data integrity point 1.1.3.

2.1.4 Understand the policies and procedures regarding reconciliation of sales orders. Review operations activity at selected times and check for evidence that reconciliations are being performed.
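Steps 1.1.2 and 2.1.1 both come down to the same test: from an export of what each user may execute, list who can maintain master data or sales orders, and check that no one person holds functions the organization keeps apart. The following added example performs that test; it is not part of the ISACA program and not SAP code. It assumes the auditor has extracted, per user, the transaction-code values granted through authorization object S_TCODE (for example from SUIM or the AGR_USERS/AGR_TCODES tables), and that those values may be wildcards such as VA0* exactly as they appear in roles, which is why matching uses fnmatch rather than set membership. The user list, the permitted-maintainer list and the conflict pairs are constructed.

```python
"""Test user access to master-data and sales-order transactions and flag
segregation-of-duties conflicts (added audit example).

Assumptions: USER_TCODES is a per-user set of S_TCODE values (exact codes
or wildcard patterns) exported by the auditor; all data is constructed.
"""
from fnmatch import fnmatchcase

# Transaction codes named in steps 1.1.2 and 2.1.1, grouped by function.
FUNCTIONS = {
    "maintain customer master": {"FD01", "FD02", "FD05", "FD06",
                                 "VD01", "VD02", "VD05", "VD06",
                                 "XD01", "XD02", "XD05", "XD06", "XD07", "XD99"},
    "maintain material master": {"MM01", "MM02", "MM06"},
    "maintain pricing": {"VK11", "VK12"},
    "create/change sales orders": {"VA01", "VA02", "VA31", "VA32", "VA41", "VA42"},
}

# Function pairs one person should not hold (constructed policy).
SOD_CONFLICTS = [
    ("maintain customer master", "create/change sales orders"),
    ("maintain pricing", "create/change sales orders"),
]

# Constructed S_TCODE export: user -> granted transaction values.
USER_TCODES = {
    "AR_CLERK1": {"FD01", "FD02", "FB03"},
    "SALES_REP1": {"VA01", "VA02", "VD03"},
    "SD_ADMIN": {"XD0*", "VA0*", "VK1*"},
    "AUDITOR": {"FD03", "VD03", "VA03"},   # display-only codes
}


def can_execute(granted, tcode):
    """True if any granted value (exact or wildcard) matches the tcode."""
    return any(fnmatchcase(tcode, pattern) for pattern in granted)


def users_with_function(user_tcodes, function):
    """Users able to run at least one transaction of the function."""
    tcodes = FUNCTIONS[function]
    return sorted(user for user, granted in user_tcodes.items()
                  if any(can_execute(granted, t) for t in tcodes))


def sod_conflicts(user_tcodes, conflicts=SOD_CONFLICTS):
    """Users holding both sides of a conflicting function pair."""
    found = []
    for left, right in conflicts:
        both = (set(users_with_function(user_tcodes, left))
                & set(users_with_function(user_tcodes, right)))
        found.extend((user, left, right) for user in sorted(both))
    return found


def unexpected_users(user_tcodes, function, permitted):
    """Users with the function who are not on the policy's permitted list."""
    return [u for u in users_with_function(user_tcodes, function)
            if u not in permitted]


if __name__ == "__main__":
    for function in FUNCTIONS:
        print(function, users_with_function(USER_TCODES, function))
    print("SoD conflicts:", sod_conflicts(USER_TCODES))
    print("Unexpected customer maintainers:",
          unexpected_users(USER_TCODES, "maintain customer master", {"AR_CLERK1"}))
```

Display transactions (FD03, VD03, VA03) are deliberately absent from the function sets, so the auditor's own read-only account is not reported. A wildcard such as XD0* grants XD01 through XD07 but not XD99, which is the kind of detail that is easy to miss when reading role definitions by eye and is the reason the pattern match is done in code.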

2.2. Orders are processed within approved customer credit limits.

2.2.1 Determine whether the configurable control settings address the risks pertaining to the processing of orders outside customer credit limits and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
Transaction SPRO, menu path Financial Accounting > Accounts Receivable and Accounts Payable > Credit Management > Credit Control Account
Execute transaction OVAK to show the type of credit check performed for the corresponding transaction types in order processing.
Execute transaction OVA7 to determine whether a credit check is performed (credit-active flag) for the item categories used by the document types in question.
Execute transaction OVAD to show the credit groups that have been assigned to the delivery types being used.
Execute transaction OVA8 to show an overview of the defined credit checks for credit control areas.
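Reading the configuration in OVAK, OVA7, OVAD and OVA8 (step 2.2.1) tells the auditor what check is supposed to run; recomputing the check from extracted data tells whether it actually held the orders it should have. The following added example does that recomputation and also lists customers with no credit limit maintained, the condition step 1.2.1 checks with F.32. It is not part of the ISACA program and not SAP code. It models the static credit check as credit exposure (open receivables plus open orders plus open deliveries) compared with the limit, holds an order when exposure plus the order's value exceeds the limit, and, as a simplification stated here, adds only orders it has just released to the running exposure. Customers, amounts and order numbers are constructed, in the shape an auditor would extract from credit master data (FD32) and open-item and open-order lists.

```python
"""Recompute customer credit exposure, hold orders that exceed the limit
and list customers with no credit limit maintained (added audit example).

Assumptions: one credit control area, a static check against the sum of
open receivables, open orders and open deliveries, and released orders
added to exposure in sequence. All data is constructed.
"""

# Constructed credit master: customer -> credit limit (None = no limit entered).
CREDIT_LIMITS = {"100021": 250000.0, "100087": 50000.0, "100150": None}

# Constructed open receivables, open orders and open deliveries per customer.
OPEN_ITEMS = {"100021": 180000.0, "100087": 20000.0, "100150": 5000.0}
OPEN_ORDERS = {"100021": 15000.0, "100087": 0.0, "100150": 0.0}
OPEN_DELIVERIES = {"100021": 0.0, "100087": 12000.0, "100150": 0.0}

# Constructed new orders: (order number, customer, net value).
NEW_ORDERS = [
    ("5000123", "100021", 90000.0),
    ("5000124", "100087", 10000.0),
    ("5000125", "100087", 25000.0),
    ("5000126", "100150", 1000.0),
]


def exposure(customer):
    """Static credit exposure before any new order is considered."""
    return (OPEN_ITEMS.get(customer, 0.0)
            + OPEN_ORDERS.get(customer, 0.0)
            + OPEN_DELIVERIES.get(customer, 0.0))


def customers_without_limit(limits):
    """Customers for which no credit limit has been maintained (cf. F.32)."""
    return sorted(c for c, limit in limits.items() if limit is None)


def check_order(order_no, customer, value, limits=CREDIT_LIMITS, already_released=0.0):
    """Return (order_no, decision, amount over limit).

    decision is HOLD, RELEASE or NO_LIMIT; already_released is the value
    of orders released earlier in the same run for this customer.
    """
    limit = limits.get(customer)
    if limit is None:
        return (order_no, "NO_LIMIT", 0.0)
    over = exposure(customer) + already_released + value - limit
    if over > 0:
        return (order_no, "HOLD", over)
    return (order_no, "RELEASE", 0.0)


def review_orders(orders, limits=CREDIT_LIMITS):
    """Apply the check to each order in sequence.

    The auditor compares the decisions with the credit status actually
    recorded on the sales documents; any order the system released that
    this recomputation holds needs an explanation.
    """
    released = {}
    results = []
    for order_no, customer, value in orders:
        result = check_order(order_no, customer, value, limits,
                             released.get(customer, 0.0))
        if result[1] == "RELEASE":
            released[customer] = released.get(customer, 0.0) + value
        results.append(result)
    return results


if __name__ == "__main__":
    print("No credit limit:", customers_without_limit(CREDIT_LIMITS))
    for row in review_orders(NEW_ORDERS):
        print(row)
```

A customer with no limit is reported separately rather than treated as unlimited, because in the program's terms that is a master-data finding (step 1.2.1), not a credit-check result. The second order for customer 100087 is held only because the first one was released moments earlier, which is why the sequence of orders matters when recomputing.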

2.
legitimate reasons for the sales documents that remain incomplete

invoice data


3.5.1 View the sales document types configured by using transaction VOV8. Look for all the sales document types that relate to sales order returns and credit requests. Double-click on one of these document types. In the General Control section of the screen there is a Reference Mandatory field. Verify that the setting is M (reference to a billing document is mandatory). Repeat this for all of the other relevant document types. Discuss the reference field settings in place for the selected document types with management. Determine whether the configuration in place is set as management intended.

3.5.2 Review the configuration settings for delivery and billing blocks online using the IMG as follows:
Shipping: transaction SPRO, menu path Logistics Execution > Shipping > Deliveries > Define Reasons for Blocking in Shipping
Billing: transaction SPRO, menu path Sales and Distribution > Billing > Billing Documents > Define Blocking Reason for Billing
Determine whether the settings support the processing of credits in line with the organization's credit management policy and are consistent with management's intention.

4. Payment Receipt

4.1. Cash receipts are entered accurately, completely and in a timely manner.

4.1.1 Take a sample of bank reconciliations and test for adequate clearance of reconciling items and approval by finance management.

4.1.2 Determine whether the system has been configured to not allow processing of cash receipts outside of approved bank accounts. Execute transaction FI12 and ascertain to which bank accounts a cash receipt can be posted. Determine whether this is consistent with management's intentions.

4.1.3 Use transaction code F.21, Customer Open Items (also accessible using transaction code SA38 and program RFDEPL00), to review customer open items. The report lists each item and the amount owed. At the end of the listing, the total amount still to be collected is calculated. Transaction code S_ALR_87009956, Customer Open

4.2. Cash receipts are valid and are not duplicated.

4.2.1 Review the accounts receivable reconciliation and determine whether there are any amounts unallocated or any reconciling items. Determine the aging of these items and make inquiry of management as to the reasons for these items remaining unallocated or unreconciled.

4.
's intentions

4.3. Timely collection of cash receipts is monitored.

4.3.1 As for 4.1.3, determine whether accounts receivable aging reports are reviewed regularly to ensure that the collection of payments is being performed in a timely manner.

VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.

Maturity assessment columns: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments

AI6.1 Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the policies and processes, including:
Roles and responsibilities
Classification and prioritization of all changes based on business risk
Assessment of impact
Authorization and approval of all changes by the business process owners and IT
Tracking and status of changes
Impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted service providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organizational change management processes with the change management processes of service providers. Consider the impact of the organizational change management process on contractual terms and SLAs.

AI6.2 Impact Assessment, Prioritization and Authorization
1. Develop a process to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
3. Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies amongst changes. Involve business process owners in the assessment process, as appropriate.
5. Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.

AI6.3 Emergency Changes
1. Ensure that a documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
2. Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
3. Ensure that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
4. Conduct a post-implementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.

DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorize access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state the accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into account:
Sensitivity of information and applications involved (data classification)
Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
Roles and responsibilities as defined within the enterprise
The need-to-have access rights associated with the function
Standard but individual user access profiles for common job roles in the organization
Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and enforce access rights in line with the sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in coordination with human resources and user departments for users who are new, who have left the organization, or who have changed roles or jobs.

DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
Using unique user IDs to enable users to be linked to and held accountable for their actions
Awareness that the use of group IDs results in the loss of individual accountability; group IDs are permitted only when justified for business or operational reasons and compensated by mitigating controls, and must be approved and documented
Checking that the user has authorization from the system owner for the use of the information system or service, and that the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
A procedure to require users to understand and acknowledge their access rights and the conditions of such access
Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
Maintaining a formal record, including access levels, of all persons registered to use the service
A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorizations for special privileged access rights should be reviewed independently at more frequent intervals.

DS9.1 Configuration Repository and Baseline
1. Implement a configuration repository to capture and maintain configuration management items. The repository should include hardware; application software; middleware; parameters; documentation; procedures; and tools for operating, accessing and using the systems, services, version numbers and licensing details.
2. Implement a tool to enable the effective logging of configuration management information within a repository.
3. Provide a unique identifier to a configuration item so the item can be easily tracked and related to physical asset tags and financial records.
4. Define and document configuration baselines for components across development, test and production environments, to enable identification of system configuration at specific points in time (past, present and planned).
5. Establish a process to revert to the baseline configuration in the event of problems, if determined appropriate after initial investigation.
6. Install mechanisms to monitor changes against the defined repository and baseline. Provide management reports for exceptions, reconciliation and decision making.

DS9.2 Identification and Maintenance of Configuration Items
1. Define and implement a policy requiring all configuration items and their attributes and versions to be identified and maintained.
2. Tag physical assets according to a defined policy. Consider using an automated mechanism, such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative attributes and versions. Identify and maintain the relationships between configuration items in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions (component failure impact analysis).
7. Record all assets, including new hardware and software, procured or internally developed, within the configuration management data repository.
8. Define and implement a process to ensure that valid licenses are in place to prevent the inclusion of unauthorized software.

DS9.3 Configuration Integrity Review
1. To validate the integrity of configuration data, implement a process to ensure that configuration items are monitored. Compare recorded data against actual physical existence, and ensure that errors and deviations are reported and corrected.
2. Using automated discovery tools where appropriate, reconcile actual installed software and hardware periodically against the configuration database, license records and physical tags.
3. Periodically review, against the policy for software usage, the existence of any software in violation or in excess of current policies and license agreements. Report deviations for correction.

    xpendit#re siness C%cle

    I. Introd#ction

    Overview

    ISACA de"elo!ed"TAFTM

    % A Professional Practices Frameork for "T Assurance as acom!rehensi"e and good!racticesetting model I'A* !ro"ides standards that are designed to emandator&, and are the guiding !rinci!les under %hich the I' audit and assurance !ro#ession

    o!erates 'he guidelines !ro"ide in#ormation and direction #or the !ractice o# I' audit and

    assurance 'he tools and techni9ues !ro"ide methodologies, and tools and tem!lates to !ro"idedirection in the a!!lication o# I' audit and assurance !rocesses

    Purpose'he audit/assurance !rogram is a tool and tem!late to e used as a roadma! #or the com!letion o#

    a s!eci#ic assurance !rocess 'his audit/assurance !rogram is intended to e utilied & I' audit

    and assurance !ro#essionals %ith the re9uisite $no%ledge o# the suect matter under re"ie%, as

    descried in I'A*, section @@00eneral Standards 'he audit/assurance !rograms are !art o#I'A*, section F000I' Assurance 'ools and 'echni9ues

    Control Framework'he audit/assurance !rograms ha"e een de"elo!ed in alignment %ith the C2I' #rame%or$

    s!eci#icall& C2I' F1using generall& a!!licale and acce!ted good !ractices 'he& re#lect

    I'A*, sections ;F00I' .anagement Processes, ;600I' Audit and Assurance Processes, and

    ;800I' Audit and Assurance .anagement

    .an& enter!rises ha"e emraced se"eral #rame%or$s at an enter!rise le"el, including the

    Committee o# S!onsoring rganiations o# the 'read%a& Commission (CS) Internal Control*rame%or$ 'he im!ortance o# the control #rame%or$ has een enhanced due to regulator&

    re9uirements & the S Securities and 5change Commission (SC) as directed & the S

    Saranes5le& Act o# @00@ and similar legislation in other countries 'he& see$ to integratecontrol #rame%or$ elements used & the general audit/assurance team into the I' audit and

    assurance #rame%or$ Since CS is %idel& used, it has een selected #or inclusion in this

    audit/assurance !rogram 'he re"ie%er ma& delete or rename columns in the audit !rogram toalign %ith the enter!rise>s control #rame%or$

    IT Governance, Risk an ControlI' go"ernance, ris$ and control are critical in the !er#ormance o# an& assurance management

    !rocess o"ernance o# the !rocess under re"ie% %ill e e"aluated as !art o# the !olicies andmanagement o"ersight controls 4is$ !la&s an im!ortant role in e"aluating %hat to audit and ho%

    management a!!roaches and manages ris$ 2oth issues %ill e e"aluated as ste!s in the

    audit/assurance !rogram Controls are the !rimar& e"aluation !oint in the !rocess 'he

    audit/assurance !rogram %ill identi#& the control oecti"es %ith ste!s to determine controldesign and e##ecti"eness

    Responsi!ilities o" IT Auit an Assurance Pro"essionalsI' audit and assurance !ro#essionals are e5!ected to customie this document to the en"ironment

    ISACA @00+ All rights reser"ed Page @B

  • 8/9/2019 Security Audit and Control Features SAP ERP 3rd Edition Icq Eng 1109

    28/134

    Security, Audit and Control Features SAPERP, 3rdEdition (Technical and Risk Management Reference Series)

    Audit/Assurance Programs and ICQs

    in %hich the& are !er#orming an assurance !rocess 'his document is to e used as a re"ie% tool

    and starting !oint It ma& e modi#ied & the I' audit and assurance !ro#essionalK it is not

    intended to e a chec$list or 9uestionnaire It is assumed that the I' audit and assurance!ro#essional holds the Certi#ied In#ormation S&stems Auditor (CISA) designation, or has the

    necessar& suect matter e5!ertise re9uired to conduct the %or$ and is su!er"ised & a

    !ro#essional %ith the CISA designation and necessar& suect matter e5!ertise to ade9uatel&re"ie% the %or$ !er#ormed

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. IT audit and assurance professionals are encouraged to make modifications to this document to reflect the specific environment under review.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure A.1.

Figure A.1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Columns: Internal Control Framework | ERM Integrated Framework

Control Environment (Internal Control): The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Internal Environment (ERM): The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an enterprise's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting (ERM): Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise's mission and are consistent with its risk appetite.

Event Identification (ERM): Internal and external events affecting achievement of an enterprise's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment (Internal Control): Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Risk Assessment (ERM): Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response (ERM): Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the enterprise's risk tolerances and risk appetite.

Control Activities (Internal Control): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the enterprise's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control Activities (ERM): Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication (Internal Control): Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Information and Communication (ERM): Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the enterprise.

Monitoring (Internal Control): Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Monitoring (ERM): The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure A.1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure A.1.


    Re"erence()yperlinkood !ractices re9uire the audit and assurance !ro#essional to create a %or$ !a!er #or each line

    item, %hich descries the %or$ !er#ormed, issues identi#ied and conclusions 'here#erence/h&!erlin$ is to e used to crossre#erence the audit/assurance ste! to the %or$ !a!er

    that su!!orts it 'he numering s&stem o# this document !ro"ides a read& numering scheme #orthe %or$ !a!ers I# desired, a lin$ to the %or$ !a!er can e !asted into this column

    Issue Cross're"erence'his column can e used to #lag a #inding/issue that the I' audit and assurance !ro#essional

    %ants to #urther in"estigate or estalish as a !otential #inding 'he !otential #indings should e

    documented in a %or$ !a!er that indicates the dis!osition o# the #indings (#ormall& re!orted,re!orted as a memo or "eral #inding, or %ai"ed)

    Comments'he comments column can e used to indicate the %ai"ing o# a ste! or other notations It is not to

    e used in !lace o# a %or$ !a!er descriing the %or$ !er#ormed

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

The IT Assurance Guide: Using COBIT, appendix VII Maturity Model for Internal Control, in figure A.2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure A.2: Maturity Model for Internal Control

Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls

0

be aware of their responsibilities motivate an agreed-upon action plan

3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

4 Managed and measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

5 Optimized
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholders' concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards
ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit/Assurance Standard S15 IT Controls, and IT Audit/Assurance Guideline G38 Access Controls are relevant to this audit/assurance program.

ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.

Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security
The review of SAP helps management ensure that it is secure. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing.

Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time". Release levels are annotated separately to the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release.

R/3 was introduced in 1992 with a three-tier architecture paradigm. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP


the following:
- Disclosure of privileged information
- Single points of failure
- Low data quality
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements

Objective and Scope
Objective: The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.

Scope: The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills
This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.


VI. Expenditure Business Cycle Audit/Assurance Program

Columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Hyperlink | Issue Cross-reference | Comments

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP

1.1 Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT cross-reference: ME1

1.2 Determine whether:
- Senior management has assigned responsibilities for information, its processing and its use.
- User management is responsible for providing information that supports the entity's objectives and policies.
- Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity.
- Senior management approves plans for development and acquisition of information systems.
- There are procedures to ensure that the information system being developed or acquired meets user requirements.
- There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation.
- All personnel involved in the system acquisition and configuration activities receive adequate training and supervision.
- There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards.
- User management participates in the conversion of data from the existing system to the new system.
COBIT cross-reference: ME1
