SOD MIC

7/28/2019 SOD MIC

1/10

SAP AG 2006, mySAP ERP 2005, 1

SAP MIC: Management of Internal Controls

Continuous Improvement

Continuous Improvement

Scoping and

Set-Up

Document

Processes &

Controls

Sign-Off,

Prepare

Certifi cation /

Internal Control

Report

Assess

Control

Design &

Remediate

Issues

Test

Operating

Effective-

ness

Attest

and

Report

Management Auditor

7/28/2019 SOD MIC

2/10


Disclaimer

These materials are subject to change without notice. These

materials are provided by SAP AG and its affiliated companies

("SAP Group" ) for informational purposes only, without

representation or warranty of any kind, and SAP Group shall not

be liable for errors or omissions with respect to the materials. The

only warranties for SAP Group products and services are those

that are set forth in the express warranty statements

accompanying such products and services, if any. Nothing herein

should be construed as constituting an additional warranty.

7/28/2019 SOD MIC

3/10


SAP MIC: Import of Automated Control Testing Results

Many companies use dedicated control testing applications to test contro l effectiveness. These

results are automaticall y pushed into MIC via an XI interface.

2) Results pushed to MIC

User Violation DetailedReport Time: Feb 1, 2005 12:59 PM

User Rule Priority Exception

John B lack Create Mas ter Data + Tr igger payment High 1 Violat ion

1) Dedicated tool performs analysis of control effectiveness in ERP system

Example: Test of a Segregation of Duties (SOD) control

XI

Test logs created

Remediation

workflows triggered

Lowered TCO

Business Benefits

Lower cost of compliance

7/28/2019 SOD MIC

4/10


SAP Automation of MIC Controls - 2005

ReportPDF

ExternalSOD

Toolset mySAP ERP

ControlExecution

mySAP CRM

.

XI

ScheduleJob

ExecuteReport

Post toMIC

DatabaseReport

Generated

MIC

7/28/2019 SOD MIC

5/10


SAP Automation of MIC Controls - 2005

ReportPDF

External

TestingApplication

XI

ScheduleJob

ExecuteReport

Post toMIC

DatabaseSend

Report

MIC

ReportPDF

1. Trigger

Testing

2. SendResult

3. Send Result

7/28/2019 SOD MIC

6/10


SAP MIC: Audit Information System (AIS) Link

AIS can be used to perform control effect iveness test ing within the SAP t ransactional

system. A direct link from MIC to AIS will streamline testing activities.

MIC Test Log

Test procedure:

Perform G/L Account

Analysis i n AIS

Enter AIS

Findings:

Reconcil iation delays

exist: see document

100003716/2003 fo r more

info

Tester

enters AIS

via link in

MIC

Tester

documents

results in

MIC

Tester executes repor t

Lowered TCO

Business Benefits

Lower cost of compliance

7/28/2019 SOD MIC

7/10


Central Process Catalog

SAP MIC: XI Upload of Master Data/Central Catalogs

Process Group 1: Sales and Distribution

Process Group 2:

Process Group 1.2:

Process 5: ..

Process 6: ..

Process Group 1.1: Sales

Process 1: Contract Negot.

Process 2: Order Process.

Process 3: CRM

Process 4: Sales Support

PC4You North America

PC4You USA - East

PC4You USA - West

PC4You Canada

PC4You Mexico

PC4You Corporate

PC4You EMEA

..

Org Unit Hierarchy

Legacy SOX

System / MS Excel

XI Interface

populates

SAP MIC

withexisting

data

SAP MIC

Many companies have initial SOX/contro l documentation in PC-based tools or MS

Excel. Via an XI interface, this data can be uploaded into MIC.

Reduced implementation t ime

Reduced migration costs / TCO

Business Benefits

Reduced cost of compliance

7/28/2019 SOD MIC

8/10


SAP Analytics Supporting Corporate Governance

Overview Project Progress Control Design Assessment

Process Design Assessment Issue Analysis

7/28/2019 SOD MIC

9/10


Application Pre-Requisites

These systems are used for data sources: mySAP ERP 2005 (FINBASIS 600) SP02

or mySAP ERP 2004 (FINBASIS 300) SP11

These modules are used as data sources: a back-end application SAP Management of Internal Controls (MIC) as part of mySAP

ERP (must be implemented before this particular analytic app can be deployed)

This particu lar analytic application is fully Remote Function Call (RFC)-based (no BW installation necessary), reading data directly from therespect ive back-end application (SAP MIC). The following advantagesresult from this approach:

Direct MIC data access (no BI-extraction necessary). The use of MICs built-in buffering capability is recommended to optimize performance

Long texts available long texts relating to controls, issues or other objectsare critical in the corporate governance context. It is now possible to displaythese texts in an analytic app as the BW limitation (max. 60 characters)does not apply here

Authorization / Personalization maintained in the back-end application (SAPMIC) applies in the analytic app as well (no double authorizationmaintenance or personalization necessary)

7/28/2019 SOD MIC

10/10


SAP MIC: Other enhancements

Customer-defined fields

Each customer can choose to add additional documentation fields tomaster data objects such as controls or processes

Mass tester assignment

Testers can be assigned to cover all controls within a particular

organizational unit or process group

Segregation of duties analysis of MIC authorizations

Reports covering which authorizations can be combined within the MIC

application itself (e.g. should a control owner be allowed to test their own

control?)

Versioning for all documents attached to MIC objects

SOD MIC

Documents

Transcript of SOD MIC