What does an external auditor look for in SAP R/3 during SOX 404 Audits? Ram Bapu, CISSP, CISM Sandra Keigwin, CISSP

What does an external auditor look for in SAP during SOX 404 Audits?

Corporations run most of their business processes by implementing modules of an ERP such as SAP. Operations become smoother, but at the cost of complexity. The modular design of SAP R/3 leads to complex user access, conflicts of duties and so on, and auditing SAP R/3 is equally complex. Several existing implementations have been found not to have taken care of issues such as undocumented access security, the missing authoritative ownership of the whole big picture, or excessive privileges allocated to personnel. Walking into any SAP implementation done years ago, an external auditor can find several issues to report as deficiencies (see Appendix A for the definitions of SOX 404 deficiencies: control deficiency, significant deficiency and material weakness), with the dire consequence of potential misstatements in the 10-Q. Even with recent go-live implementations, dynamic changes in the corporate world end up creating deficiencies if due care is not taken. Consequently, several corporations with large SAP implementations have scheduled SAP audits as frequently as semi-annually. It is therefore important to understand the mindset of external auditors. The following are the issues that the external auditor will look for.

1. Segregation of duties

In SAP R/3, segregation of incompatible functions is a major control point, so fixing incompatible functions before the external auditor gets to see them is key. Assessing whether incompatible functions are assigned to SAP users can be a tedious task. So how does one go about addressing such incompatibility issues? Let me explain using the example of the accounts payable process in SAP. Ideally, in A/P, segregation of duties should exist between purchasing, goods receipt, invoice processing and cash disbursement.
Step 1 - Document the entire payables process. This includes raising a purchase requisition, releasing the purchase requisition, raising a purchase order (PO), releasing the purchase order, goods receipt, invoice entry and finally processing payments.

Step 2 - For each of the sub-processes identified above, identify the relevant transaction code in SAP. This can be done using the standard menus in SAP.

Step 3 - Identify the key control points within the process. In our example, the key control points are raising the PO, goods receipt, entering the invoice, and creating and changing vendor master records.

Step 4 - Identify any other incompatible duties. One such incompatible pair is payment processing and vendor master maintenance.

Step 5 - Identify the transaction codes in SAP that allow access to these incompatible functions. In SAP the relevant transaction codes are:

XK01 / XK02 - Create Vendor / Change Vendor details
ME21 - Create PO
ME28 - Release PO
MB01 - Goods Receipt
MIRA / MIRO - Invoice Entry

The incompatible function pairs relevant for segregation of duties are:

XK01 / XK02 and ME28
ME21 and ME28
ME28 and MB01
XK01 / XK02 and MIRA / MIRO
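The conflict matrix from step 5 applied to a user-to-transaction assignment list such as an SUIM export (step 6), as an added example that is not from the original paper; the user IDs and their assignments below are constructed for the demonstration.

```python
"""Segregation-of-duties conflict check for the A/P transaction codes.

Added example (not from the original paper): applies the incompatible
transaction pairs from step 5 to a user -> transaction assignment such as
an SUIM "users by transaction" export. The sample users are constructed.
"""

# Transaction codes from the paper's A/P example.
CREATE_CHANGE_VENDOR = {"XK01", "XK02"}
CREATE_PO = {"ME21"}
RELEASE_PO = {"ME28"}
GOODS_RECEIPT = {"MB01"}
INVOICE_ENTRY = {"MIRA", "MIRO"}

# Incompatible function pairs (step 5). Holding any code on the left side
# together with any code on the right side is a conflict.
CONFLICT_MATRIX = [
    ("Vendor master vs. release PO", CREATE_CHANGE_VENDOR, RELEASE_PO),
    ("Create PO vs. release PO", CREATE_PO, RELEASE_PO),
    ("Release PO vs. goods receipt", RELEASE_PO, GOODS_RECEIPT),
    ("Vendor master vs. invoice entry", CREATE_CHANGE_VENDOR, INVOICE_ENTRY),
]

# Constructed sample: one "USER,TCODE" row per assignment, the shape an
# SUIM export takes after it is saved as a flat file.
SAMPLE_ASSIGNMENTS = """\
JSMITH,XK01
JSMITH,ME28
ADOE,ME21
ADOE,MB01
PKUMAR,XK02
PKUMAR,MIRO
PKUMAR,ME28
RLEE,ME21
RLEE,ME28
"""


def parse_assignments(text):
    """Turn 'USER,TCODE' lines into {user: set(tcodes)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, tcode = (part.strip().upper() for part in line.split(",", 1))
        users.setdefault(user, set()).add(tcode)
    return users


def find_conflicts(users):
    """Return {user: [(rule, left_codes_held, right_codes_held), ...]} for
    every user who holds both sides of a rule in CONFLICT_MATRIX."""
    findings = {}
    for user, tcodes in sorted(users.items()):
        for rule, left, right in CONFLICT_MATRIX:
            held_left = sorted(tcodes & left)
            held_right = sorted(tcodes & right)
            if held_left and held_right:
                findings.setdefault(user, []).append((rule, held_left, held_right))
    return findings


if __name__ == "__main__":
    for user, hits in find_conflicts(parse_assignments(SAMPLE_ASSIGNMENTS)).items():
        for rule, left, right in hits:
            print(f"{user}: {rule} ({'/'.join(left)} with {'/'.join(right)})")
```

A real review also needs the authorization-profile level mentioned in step 6, since a transaction code a user can start is not the same as the authorization objects it checks.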

Step 6 - Identify employees within the organization who have access to such incompatible functions. This can be done using SUIM or data analysis tools. If required, the analysis can even be done at the authorization profile level.

Step 7 - Once users with access to incompatible functions are identified, access to such functions should be restricted. The BASIS person who is responsible and knowledgeable enough to carry out such a task should do this.

The external auditor's steps will be very similar to the steps above.

2. Inconsistent business process procedures

This is very commonly seen in today's corporate environment, where M&A is part of the game. The first question asked is how the data was moved and what process procedures are in place for each entity. Process procedures must be consistent across all entities and business processes, as inconsistent procedures make the business prone to financial misstatements. For example, in one SAP audit of a corporation, all material master lists had tolerance limits except the material master list belonging to an entity that had been bought a few years earlier. This can be found by running a filter on all material master lists for materials that allow deliveries over the tolerance limits. The design risk was that users were allowed to specify delivery tolerances that permitted acceptance of a significantly larger quantity of goods than was ordered (via the requirements planning document and PO) and approved. Also, overriding delivery tolerances was allowed rather than prevented. If an invoice was processed and paid on this basis, there would be a misstatement. Business process procedures are categorized as manual and automated; the above is an example of an automated procedure.
An example of a manual business process procedure is the central payment procedure, or the procedure followed when a new application server is released to production: OS patches brought up to date, an anti-virus scanner with the latest signatures installed, the database hardened, the server taken through penetration tests, and so on. Inconsistencies in manual business process procedures are easy to find and remediate compared to automated business process procedures. Consequently, the external auditor will have automated scripts in place that discover inconsistencies in automated process procedures. We recommend that the SAP R/3 procedures be reviewed semi-annually for any inconsistent procedures that have crept in through change, that a tight SDLC process be in place, and finally that STP (straight-through processing) be enabled using a transaction manager. The advantage of using a transaction manager is that it manages the execution of each step of the transaction's process, performs the accounting, ensures that separation of duties is enforced and captures the audit trail associated with that transaction. Not only does this increased automation save the time spent executing these steps, it eliminates the errors (and the resulting investigation and reprocessing) that are a normal consequence of a manual approach.

3. Unsecured customized programs

Almost all SAP implementations have many customized 'Z' or 'Y' transactions built to suit the business process. There is nothing wrong with that; the problem is that these customized transactions are often not secured, making them vulnerable. The external auditor will look at how secure they are. Make sure that they are secured, either via S_TCODE or by assigning an authorization object to the transaction via transaction code SE93. SAP auditors can find a listing of all customized Y and Z transactions through the menu path (System >> Services >> Reporting) or through transaction SA38.
Below is a screen shot that appears.

To find all customized programs, i.e. those beginning with "Y" and "Z", enter "YA" in the From field and "ZZ" in the To field of the Program selection. The listing of all customized programs within SAP appears. On this listing, external auditors will look for the following three issues.

a. Customized transaction title - As an SAP auditor, the first thing you should check is that all custom programs have sufficiently descriptive titles stating the purpose of the program. Any missing title descriptions should be reported.

b. Test transactions - Next, click on the binocular button and search for terms like "TST" or "TEST". Ideally, there should not be any test Y or Z transactions in the production environment. Test programs (Y and Z) lying in the production environment should be removed.

c. Critical customized transactions - Customized transactions that execute critical functions like deleting codes, other programs, etc. pose another security risk. SAP auditors can find such programs using terms like "DEL", "DELETE" or "REMOVE". Such programs are normally the ones that needed to be removed from SAP before go-live but were overlooked. Apart from these, other programs that look conspicuous or attract attention, such as ones with exclamation marks (!) or question marks (?), should also be investigated by R/3 auditors.

4. Excessive or unauthorized access to master tables and SAP BASIS

Many companies make the mistake of giving access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54, etc. to users in production. Likewise, BASIS or development staff are given access to run transactions in the SAP production environment. Such unrestricted access can lead to a potential control deficiency under Sarbanes-Oxley. We recommend that during the semi-annual audit, business owners check these areas for any creep of violations.

5. Unrestricted posting periods

Corporations are supposed to close the books strictly at a specified time, but some corporations allow postings to continue because the closing of the books is not done in a timely manner. If that is happening, SAP R/3 has no control that avoids a misstatement. Make sure that business owners close the books at the specified time; otherwise, unauthorized entries in previously open periods can result in a severe deficiency under SOX.

6. SAP access for terminated employees or presence of redundant test user accounts

80% of the time, we have observed that corporations have not revoked access for terminated employees. Another common observation is the presence of redundant user accounts created for testing, with names very close to those of current employees and with the same roles, functions and authorizations. The main reason for this is the lack of tight change management with a proper test environment and release-to-production process. During the semi-annual audit, business owners need to review for any such violations.

7. Database and OS hardening

We recommend that the SAP R/3 servers have the database hardened and the OS patches and anti-virus signatures kept current. We also recommend that unnecessary ports be closed, that vulnerability checks be performed and that findings be remediated accordingly before moving the server to production.

8. Interfaces and error handling

A typical SAP system may have many interfaces from existing legacy systems as well as interfaces to other external systems. Inbound interfaces to SAP from legacy systems usually consist of a file that is sent from the legacy system to SAP and processed in the background via a standard SAP transaction. Outbound interfaces from SAP to external systems usually consist of a file that is sent from SAP to the external system and processed at periodic intervals by the external system. Alternatively, users can download data from SAP to their PC and then process it as they wish, for example in a spreadsheet. Appropriate procedures need to be implemented to ensure that the use of interfaces is well controlled and to protect the integrity of system data. The following are the critical issues that external auditors will look for:

a. Data interfaced from legacy systems into SAP, or from SAP to external systems, may not be completely transferred, or the files loaded may be corrupted.
b. Unauthorized changes may be made during batch input error correction.
c. Unauthorized changes may be made to batch input (interfaced files) without detection.

The key is that error codes are documented for every failure in transfers between the legacy systems and SAP, and that these errors are detected and corrected in a timely manner with sufficient audit trails and approvals.

9. Inherent and configurable controls

Inherent controls are predefined controls built into SAP R/3. Such controls do not need to be configured separately in SAP. They are helpful in preventing major errors, since SAP itself prevents them through these inherent controls. Below are some of the inherent controls that can be utilized to prevent errors leading to SOX 404 deficiencies:

Duplicate checks through message control
Sequential documents through number ranges
Automatic integration and postings
Online data analysis
All transactions through unique documents
History of transactions executed by users retained, including date, time and user
Logging and history of program changes

Configurable controls are those customized to the business process needs. These are added during the first implementation before go-live, or can be added at any point in time. SAP AIS (Audit Information System) consists of tools that can be used to monitor both inherent controls and configurable controls within SAP.
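The three checks from section 3 above (missing or thin titles, test programs, critical or conspicuous names) applied to a custom-program listing, as an added example that is not part of the original paper; the listing rows and the two-word threshold for a "descriptive" title are constructed assumptions.

```python
"""Triage of a custom program listing (names in the range YA..ZZ).

Added example (not from the original paper): applies the checks the paper
lists for custom programs: descriptive titles, test programs left in
production, critical functions, and conspicuous characters. Matching is
plain substring search, like the binocular search in the listing, so every
hit is a lead for manual review rather than a confirmed finding.
"""
import re

# Constructed sample of (program name, title) rows as copied from SA38.
SAMPLE_LISTING = [
    ("ZFI_VENDOR_AGING", "Vendor aging report for A/P month end"),
    ("ZMM_TST_PRICE", "Test price upload"),
    ("ZSD_DEL_ORDERS", "Delete sales orders without documents"),
    ("YHR_PAYROLL_EXTRACT", ""),
    ("ZBC_REMOVE_LOCKS", "Remove user locks"),
    ("ZTEST01", "temp"),
    ("ZFI_POST!", "Posting helper"),
    ("ZCO_COSTCENTER_RPT", "Cost center report"),
]

# Search terms from the paper; substring matches, case-insensitive.
TEST_TERMS = re.compile(r"TST|TEST", re.IGNORECASE)
CRITICAL_TERMS = re.compile(r"DEL|DELETE|REMOVE", re.IGNORECASE)
CONSPICUOUS = re.compile(r"[!?]")

# Assumption for this example: a title under two words is not descriptive.
MIN_TITLE_WORDS = 2


def triage(listing):
    """Return {program: [finding, ...]} for every program needing follow-up.
    Programs with no hits are left out of the result."""
    findings = {}
    for name, title in listing:
        hits = []
        haystack = f"{name} {title}"
        if not title.strip():
            hits.append("missing title")
        elif len(title.split()) < MIN_TITLE_WORDS:
            hits.append("title not descriptive")
        if TEST_TERMS.search(haystack):
            hits.append("test program in production")
        if CRITICAL_TERMS.search(haystack):
            hits.append("critical function (delete/remove)")
        if CONSPICUOUS.search(name):
            hits.append("conspicuous characters in name")
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for program, hits in triage(SAMPLE_LISTING).items():
        print(f"{program}: {', '.join(hits)}")
```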

Appendix A

A paper in Compliance Week (Oct 2004) noted that 51% of disclosures in recent months were due to problematic financial systems. Other big issues showing up as significant deficiencies / material weaknesses:
- Personnel issues: segregation of duties, inadequate staffing/training, supervision issues
- Tone at the top (following instances of restatement)
- Poorly documented accounting practices

So, what are these significant deficiencies / material weaknesses? The following is an excerpt taken directly from aicpa.org.

Control Deficiency: The design or operation of a control that does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Example: A member of the accounting department has been assigned responsibility to perform reconciliations on all bank accounts on a monthly basis. This person also has responsibility for opening the mail and preparing the daily deposit to the bank. The person's manager is required to review each reconciliation when completed, but the manager does not consistently sign off on the reconciliation indicating review. Two internal control deficiencies exist here: (1) the lack of segregation of duties because one individual is preparing the cash deposit and reconciling the cash accounts and (2) the lack of documentation of a control because the manager does not evidence review so it is not clear that the review has been performed.

Significant Deficiency: A control deficiency that adversely affects the company's ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles (GAAP). Alone or with other deficiencies, this type of control deficiency results in more than a remote likelihood that a misstatement of the financials, that is more than inconsequential in amount, will not be prevented or detected.

Example: The company uses a standard sales contract making it necessary for the accounting department to review completed sales contracts for changes to standard shipping terms to assure the proper timing for recognizing revenue from sales. Because the terms are not always reviewed, revenue has been overstated on occasion. It is unlikely that any single sales contract could result in a material overstatement of revenue, and there are controls in place to ensure that material misstatements do not occur. However, a misstatement that is more than inconsequential yet less than material could result, creating a significant deficiency in internal control.

Material Weakness: A significant deficiency that, alone or with others, results in more than a remote likelihood that a material misstatement of the financials will not be prevented or detected.

Examples of weaknesses that would likely be considered material depending on the circumstances include:
- Ineffective oversight by the audit committee over the external financial reporting process, and the internal controls over financial reporting
- Material misstatements in the financial statements not initially identified by the company's internal controls
- Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time
- Restatement of previously issued financial statements to correct a material misstatement
- For larger, more complex entities, ineffective internal audit functions
- For complex entities in highly regulated industries, ineffective regulatory compliance function
- Fraud of any magnitude on the part of senior management
- An ineffective control environment