Many companies use SAP software to assist them plan their assets and actions. Its flexibility and vary makes it a problem to audit.
SAP is extremely configurable and implementations usually fluctuate, even inside numerous business items of a company – each monetary and non-financial. On the similar time, the efficient operation of controls inside the system’s atmosphere is vital to a strong monetary and operational management atmosphere. Due to this fact, it is very important achieve understanding of how SAP is being utilised within the business whereas planning the audit scope and method. Auditing an SAP atmosphere introduces a number of distinctive complexities that may influence the audit scope and method.
Business processes
SAP covers most business processes and a minor change within the business course of can have a direct impact on the audit procedures as a result of complexity of the system. Adjustments within the setup and configuration of the system, the discharge technique or creating new processes might end in new modules and/or performance in SAP and as such, further dangers have to be thought of.
For instance, a consumer might think about retiring one among its legacy buying methods and moving this performance onto SAP. Prior to now, key controls over buy order approval might have been carried out manually. However with the SAP implementation the consumer has thought of automating the approval course of in SAP. The setup of the automated workflow course of and consumer entry safety is subsequently necessary to make sure that enough controls are maintained to mitigate the dangers. This might contain testing automated controls as an alternative of the handbook controls over buy order.
Segregation and sensitivity
For an efficient audit, the auditor wants to realize understanding of the design of SAP’s authorisation idea (safety design). In some situations, poor safety design leads to customers being inadvertently granted entry to pointless or unauthorised transactions. Due to this fact the evaluation of the design and implementation of SAP safety and entry controls is necessary to make sure correct segregation of duties is maintained and entry to delicate transactions is well-controlled.
Segregation of obligation conflicts can come up when a consumer is given entry to 2 or extra conflicting transactions – for instance, creating a purchase order order and amending vendor grasp particulars. A transparent mapping of the business processes and identification of roles and tasks concerned within the processes is essential within the design of entry controls to successfully audit safety.
As well as, there could also be transactions or entry ranges which might be thought of delicate to the business, corresponding to amending G/L codes and constructions, amending recurring entries or amending and deleting audit logs. In an SAP audit such delicate transactions would have to be thought of through the planning part.
Management choice
Organisations can tailor the SAP system to suit their business wants together with a number of configurable and inherent controls. Understanding the choice course of behind these controls is vital to the audit method. Permitting buy orders, for instance, to be authorized mechanically by the system is taken into account a configurable automated management.
Nevertheless, the consumer may select to not implement this performance and tackle this danger by a handbook management. Auditors want to know the controls the consumer has chosen to implement and the matrix of controls that they place reliance on to mitigate a number of dangers.
Varieties of Controls
In SAP there are 4 varieties of controls that an audit consumer can utilise with the intention to create a safe atmosphere: inherent controls, configurable controls, software safety, and handbook opinions of SAP stories.
Sometimes entry or configurable controls are executed by the SAP system and are preventive in nature. On the opposite hand, handbook controls together with handbook opinions of stories are executed by an worker and are primarily detective in nature. For instance, within the procure-to-pay (P2P) strategy of SAP, there are customary automated controls corresponding to three-way matching (matching of buy orders, items receipt and invoices). The consumer might select to undertake four-way matching, or two-way matching of invoices, subsequently requiring customisation to go well with their particular processes.
Every consumer will use a special mixture of controls with the intention to obtain their particular management goals, and due to the complexity of SAP software, auditing across the system to realize management assurance is just not an possibility. Due to this fact the audit method must be tailor-made for every scenario appropriately. It is usually necessary to focus on that SAP delivers a number of controls which might be inherent inside the SAP atmosphere. An instance of an inherent management is that journal entries should steadiness previous to posting in SAP.
Configurable controls
In SAP it is very important perceive the hyperlink between configurable controls and entry controls. With a purpose to obtain the management goal there could also be a mixture of configurable and entry controls that create a management answer. For instance, “Buy orders over £1m get blocked mechanically and can’t be processed.” This appears like a configurable management, however is definitely each a configurable management and an entry management, because it offers with the configuration of the Buying Launch Technique inside SAP and offers with who has entry to create and approve a PO.
One other instance is “Buy Orders over US$1m should be authorized by the supervisor.” This appears like an entry management, however it’s a configurable management as nicely as a result of configuration wanted for the discharge technique. In actual fact, these are complimentary controls, two controls masking the identical danger collectively. With out one management, the opposite can’t cowl the danger to the identical precision. The auditor ought to take a look at each the configuration and entry features of those controls, so it is necessary that they’re recognized by the auditor and categorized appropriately.
Course of dangers
SAP is a course of primarily based ERP system and every SAP occasion might have completely different dangers related to it. The power to customize and tailor the system, and its inherent complexity, considerably will increase the general complexity of safety configurations and results in potential safety vulnerabilities. Segregation of obligation conflicts, errors and flaws subsequently change into extra possible.
Every consumer has completely different business processes, products and services, and methods that go well with their atmosphere. Designing the method successfully in SAP is necessary to mitigate the dangers related to insufficient or failed business processes. An efficient audit method ought to subsequently embrace an analysis of dangers and an understanding of the business course of mapping for every SAP occasion.
Rotation plan
On condition that the system is extremely customisable, course of pushed and allows a variety of management alternatives, every SAP occasion would doubtlessly have a special danger profile. Additional inside SAP, the danger profile of various modules and sub-modules corresponding to financials (FI), supplies management (MM), gross sales and distribution (SD), payroll, human capital (HC), business info warehouse (BW), buyer relationship management (CRM) and so forth shall be completely different.
The huge areas of the business operations that SAP software cowl would make it impractical to cowl them multi functional single audit. To finish a complete audit of SAP, it’s applicable to contemplate a rotation plan. This will contain planning opinions of every SAP business course of, module, sub-module; system configuration and alter management; and system safety, together with the design of segregation of duties and entry ranges. This ensures that the audits are carried out utilizing appropriately expert assets and canopy every danger space together with business course of, safety and related controls. These areas can subsequently be assessed successfully to establish gaps in management weaknesses and advocate applicable steps to resolve points.
Danger-based Strategy
Along with the above challenges, SAP methods are additionally upgraded and enhanced periodically to satisfy ever-changing business necessities. Within the present financial local weather, corporations are confronted with altering dangers within the atmosphere that have an effect on their business processes 審計 服務.
The intention of a risk-based method is to permit auditors to tailor the evaluation to the areas of business danger, giving method to higher concentrate on audit areas with a high-risk potential. The complexity of the SAP system and associated business processes, as indicated above, might lend itself to larger inherent danger and management danger which needs to be taken into consideration in planning the audit.
The chance-based method ought to embrace common danger evaluation, analytical audit procedures, methods and course of primarily based fieldwork, and substantive testing. On this means, an auditor can conduct the audit effectively with a level of reliability, in addition to optimising the effort and time it includes. It’s subsequently essential top-down danger primarily based audit method is adopted to successfully evaluation SAP.