GFMIS
GFMIS system overview (components recoverable from the diagram)
- MIS layer: BW, SEM
- Operating system: SAP R/3 (GFMIS) with modules FM, PO, HR, FI, RP, AP, CM, FA, GL, CO
- Related systems: BIS, DPIS, AFMIS
- e-services: e-procurement (e-catalog, e-shopping list, e-auction), e-payroll, e-pension
Audit process
Audit Planning
1. Review of organization's policies, practices, and structure
2. Review general controls and application controls
3. Plan tests of controls and substantive testing procedures
Tests of Controls
4. Perform tests of controls
5. Evaluate test results
6. Determine degree of reliance on controls
Substantive Testing
7. Perform substantive tests
8. Evaluate results and issue auditor's report
9. Audit report
* Information Systems Auditing and Assurance by James A. Hall
1. Adequate controls
2. Control effectiveness
Control Matrix: Errors vs. Controls
Control Matrix
Computer-Assisted Auditing Tools and Techniques (CAATTs)
- Test Data
- Generalized Audit Software (GAS)
IT Audit references
- American Institute of Certified Public Accountants, Inc. (AICPA): http://www.aicpa.org
- Institute of Internal Auditors (IIA): http://www.theiia.org
Control framework for ERP environment
Program Interface / Data Conversion Integrity: design and implement controls for one-time conversions and ongoing interfaces.
1. Legacy system security
2. Interface
3. Conversion
Layers shown in the figure: Remote Access (certification (PKI), encryption, etc.), Firewall, IS Policies/Procedures, Hardware, Operating System, Database, ERP Application, Business Processes
Technology Integrity
1. System security
2. Monitoring
3. Change management
4. Scheduling
5. Backup recovery
6. Disaster recovery
Business Process Integrity
1. Business risk
2. Control objective
3. Control requirements
4. Control techniques
5. Type of control
Application Security
1. Security requirements
2. Security design
3. Security configuration (DEV & PRD)
4. Administration procedures development
Project Management: change management and project disciplines
SAP R/3 Audit Layers
- Single Module
- SAP R/3 Basis System
- IT Audit and (IT) Organization and Business Departments
- IT basic security
- Database systems
- Operating System
- Network and Communication Systems
- Physical and Organizational Situation in the IT Environment
* Introduction to the SAP R/3 System focusing on audit aspects, by Roger Odenthal
Types of controls in SAP
- Manual / procedural controls
- Inherent controls
- Configuration controls
- Logical access controls
- Segregation of duties
- Reporting controls
Inherent & Configurable Controls
Inherent Controls
- Duplicate checks through message control
- Sequential documents through number ranges
- Automatic integration and postings
- All transactions through unique documents
- History of transactions executed by users retained, including date, time and user
- Logging and history of program changes
Configuration Controls
- Edit Check
- Data Entry Validations
- Document Blocking
- Tolerance Levels
- Authorization Groups
- Payment Blocking
- Document Types
- User defined Error / Warning Messages
- Automatic Posting with predefined posting keys
- Reason Codes
- Predefined Master Data
- SAP Workflow
- Mandatory and/or System populated fields
Risk-based audit approach for SAP
- Identifying the significant risks: Business Process Controls, Application Security, Program Interface, Master Data Maintenance
- Gaining an understanding
- Determining key controls: Manual / Procedure Controls, Inherent Controls, Configuration Controls, Logical Access Controls, Reporting Controls
- Testing those controls to confirm their adequacy
SAP R/3 Business Cycles
SAP R/3 core business cycles (figure 4.4, page 60, Security, Audit and Control Features SAP R/3, 2nd Edition; processes recoverable from the figure)
- Revenue: Creating Customer Relationship, Sales Quotation, Sales Order, Delivery Note, Invoice, Account Receivable, Collection
- Production and inventory: Material Requirement Planning, Producing Inventory, Creating Production Order, Production, Handling Finished Goods, Raw Materials Management, Goods Issue
- Expenditure: Creating Vendor Relationship, Purchase Requisition, Purchase Order, Goods Receipt, Invoice Verification, Accounts Payable, Payment
- Reporting
Linking Audit Cycles to SAP Modules (figure 4.3, page 60, Security, Audit and Control Features SAP R/3, 2nd Edition)
Audit business cycles: Financial Accounting, Treasury, Fixed Assets, Expenditures, Revenues, Inventory management, Payroll and Personnel
SAP module functional categories: Financial Applications, Logistics Applications, Human Resources, Basis Component, Cross Applications, Industry Solutions
Expenditure Business Cycle (flowchart; only the labels are recoverable)
Stages: 1. Purchases 2. Goods Receipt 3. Invoice Processing 4. Payment
Roles: Purchase Officer, Purchaser / Receiving Department, AP Clerk, AP supervisor, Reconcile Officer, Vendor
Documents and steps: Requisition, Purchase Order (PO input, PO release), Receiving information, Vendor Invoice (matched / UNMATCHED), EFT approval file, EFT file, EFT payment, Bank reconciliation
SAP Expenditure Business Cycle: 4 sub-processes
1. Master data maintenance: vendor master data, material master data, vendor pricing information
2. Purchasing: purchase requisition, request for quotation (RFQ), purchase order, contract / scheduling agreement, release procedure (release strategy), goods receipts (GR)
3. Invoice Processing: invoice verification; three-way match process (purchase order, goods receipts and invoice)
4. Processing Disbursements
For each sub-process: Risks, Key Controls, Testing Techniques
SAP R/3 Expenditures Business Cycle
Expenditures Cycle: 1. Master data maintenance 2. Purchasing 3. Invoice Processing 4. Processing Disbursements
For each: Risks, Key Controls, Testing Techniques
Master Data Maintenance: Risks (Vendor Master)
1. Vendor Master: vendor, discount terms
2. Vendor Master: vendor
(page 122, Security, Audit and Control Features SAP R/3, 2nd Edition)
Master Data Maintenance: Key Controls (Vendor Master)
1. Key controls:
- Vendor Master
- Configuration (Configure) of Vendor Master
2. Vendor Master key controls:
- Vendor Master
(page 122-123, Security, Audit and Control Features SAP R/3, 2nd Edition)
Master Data Maintenance: Testing Techniques (Vendor Master)
1. Vendor Master (Program RFKABL00)
2. User access authorization: Vendor Master
3. Configurable Control settings for Vendor Master
4. Extract Vendor Master (Table LFA1)
5. Vendor Master (Program RFKKVZ00)
(page 123-124, Security, Audit and Control Features SAP R/3, 2nd Edition)
Purchasing: Risks
1. Purchasing (Release Strategy)
2. /
3. Supplier
(page 124, Security, Audit and Control Features SAP R/3, 2nd Edition)
Purchasing: Key Controls
1. Purchasing key controls:
- Source list of materials, vendor approval list
- SAP R/3 Release Strategy
2. Key controls
3. Supplier key controls
(page 125, Security, Audit and Control Features SAP R/3, 2nd Edition)
Purchasing: Testing Techniques
1. User access to PR/PO transactions
2. Approval source list of materials and approved vendor lists
3. Configurable Control settings for the Release Strategy
4. Vendor (Program RM06EM00)
5. Vendor (Transaction MB51; specify storage location & movement type)
(page 125-127, Security, Audit and Control Features SAP R/3, 2nd Edition)
Invoice Processing: Risks (three items; text not recoverable)
(page 127, Security, Audit and Control Features SAP R/3, 2nd Edition)
Invoice Processing: Key Controls
1. Key controls: input; (PO) / (GR)
2. Key controls:
- Configurable Control settings: three-way match process (Purchase Order, Goods Receipts and Invoice) and posting period control
- Tolerance limits, GR/IR
- Exchange rate
3. Key controls: input
(page 125, Security, Audit and Control Features SAP R/3, 2nd Edition)
Invoice Processing: Testing Techniques
1. User access authorization for Invoice Processing
2. GR/IR control indicator (globally required)
3. Configurable Control settings: Tolerance limits, Message control
4. GR/IR (Program RM06EM00)
5. Outstanding purchase orders (PO Outstanding), Program RM06EM00
6. Exchange rate
(page 127-129, Security, Audit and Control Features SAP R/3, 2nd Edition)
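The three-way match, tolerance limits and payment block that the Invoice Processing slides describe, as an added worked example (not code from the deck or from SAP). The purchase order, goods receipts, invoices, tolerance values and the blocking rule are constructed assumptions: an invoice whose quantity exceeds the goods received (GR-based verification) or the PO quantity, or whose price variance exceeds either the absolute or the percentage tolerance, is flagged with a payment block and must then go through the separate release step that the disbursement slides test.

```python
"""Three-way match (PO / goods receipt / invoice) with tolerance limits.

Added example: documents, tolerance values and the blocking rule are
constructed assumptions for illustration, not SAP configuration or code.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: Decimal
    unit_price: Decimal
    gr_based_iv: bool = True   # assumed: invoice is verified against goods received


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity: Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    vendor: str
    quantity: Decimal
    amount: Decimal


# Assumed tolerance limits (constructed; a real system takes them from configuration).
TOLERANCE = {
    "price_abs": Decimal("10.00"),   # absolute price variance allowed
    "price_pct": Decimal("2.0"),     # percentage price variance allowed
    "quantity": Decimal("0"),        # quantity variance allowed
}


def three_way_match(po, receipts, invoice, tolerance=TOLERANCE):
    """Compare one invoice with its purchase order and goods receipts.

    Returns the variances found and whether the invoice is blocked for payment.
    """
    issues = []

    if invoice.po_number != po.po_number or invoice.vendor != po.vendor:
        issues.append("invoice does not reference this PO/vendor")
        return {"invoice": invoice.invoice_number, "payment_block": True, "issues": issues}

    received = sum((r.quantity for r in receipts if r.po_number == po.po_number), Decimal("0"))

    # Quantity checks: against the PO and, with GR-based verification, against GR.
    if invoice.quantity > po.quantity + tolerance["quantity"]:
        issues.append(f"quantity {invoice.quantity} exceeds PO quantity {po.quantity}")
    if po.gr_based_iv and invoice.quantity > received + tolerance["quantity"]:
        issues.append(f"quantity {invoice.quantity} exceeds goods received {received}")

    # Price check: invoiced amount versus PO price for the invoiced quantity.
    expected = invoice.quantity * po.unit_price
    variance = invoice.amount - expected
    if variance > 0:
        pct = variance / expected * 100 if expected else Decimal("Infinity")
        # Assumed rule: block when the variance exceeds either limit.
        if variance > tolerance["price_abs"] or pct > tolerance["price_pct"]:
            issues.append(f"price variance {variance} ({pct:.2f}%) exceeds tolerance")

    return {"invoice": invoice.invoice_number, "payment_block": bool(issues), "issues": issues}


def audit_invoices(po, receipts, invoices, tolerance=TOLERANCE):
    """Run the match over a batch and return the invoices that must stay blocked."""
    results = [three_way_match(po, receipts, inv, tolerance) for inv in invoices]
    return [r for r in results if r["payment_block"]]


# Constructed sample documents.
PO = PurchaseOrder("4500000123", "V1001", Decimal("100"), Decimal("25.00"))
RECEIPTS = [GoodsReceipt("4500000123", Decimal("60")), GoodsReceipt("4500000123", Decimal("30"))]
INVOICES = [
    Invoice("INV-1", "4500000123", "V1001", Decimal("90"), Decimal("2255.00")),   # within tolerance
    Invoice("INV-2", "4500000123", "V1001", Decimal("100"), Decimal("2500.00")),  # more than received
    Invoice("INV-3", "4500000123", "V1001", Decimal("50"), Decimal("1300.00")),   # 4% price variance
    Invoice("INV-4", "4500000123", "V2002", Decimal("10"), Decimal("250.00")),    # wrong vendor
]

if __name__ == "__main__":
    for r in audit_invoices(PO, RECEIPTS, INVOICES):
        print(r["invoice"], "blocked:", "; ".join(r["issues"]))
```

Only invoices with no variance outside tolerance pass with `payment_block` false; everything else stays blocked until someone with the release authorization (a separate user, per the segregation-of-duties slides) clears it.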
Processing Disbursement: Risks (three items; text not recoverable)
(page 129, Security, Audit and Control Features SAP R/3, 2nd Edition)
Processing Disbursement: Key Controls
1. Payment run (payment run parameters)
2. Release blocked invoice: lock invoice / block for payment; lock invoice, vendor
(page 129, Security, Audit and Control Features SAP R/3, 2nd Edition)
Processing Disbursement: Testing Techniques
1. User access authorization: Invoice Processing, Automatic Payments Transactions, Parameters for Payment, Payment with printout
2. User access authorization: Release invoices, Change document, Change line items, Block/unblock vendor
(page 130, Security, Audit and Control Features SAP R/3, 2nd Edition)
ก ก ก ก ก ก ก ก ก กก ก ก ก ก ก ก Approval (RA) Custody (AA) Recording / Transaction processing (TP) Control (CO) ERP ก ก ก Access to master data maintenance (MD) 36
transaction code
Audit Information System (AIS) in SAP (Inherent Control & Configuration Control)
1. System Audit
- System configuration
- System logs and status displays
- Development / customizing
2. Business Audit
- Organization overview
- Financial statement oriented audit
- Process-oriented audit
GFMIS: General Controls
4.1 Need to know
4.2 System Analysis, Programming, Computer Operation, User, System Library, Data Control
4.7 User Views or Subschema, Database Authorization Table, Data Encryption, Inference Controls
4.8 Authentication (Password, Physical Possession Identification, Biometric Identification); Authorization; Audit Log
4.9 Labels (external and internal)
4.10 Encryption, Callback system, Parity bit
4.12 Preventive Maintenance, Uninterrupted Power Supply, Fault Tolerant
4.13 Backup files, facilities, and stationery
Questions & Answers