The Challenges in Auditing SAP
Many businesses use SAP software to help them plan their resources and activities. Its flexibility and breadth make it a challenge to audit.
SAP is highly configurable and implementations often vary, even within different business units of the same company, both financial and non-financial. At the same time, the effective operation of controls within the system's environment is fundamental to a strong financial and operational control environment. It is therefore important to gain a good understanding of how SAP is being used in the business when planning the audit scope and approach. Auditing an SAP environment introduces several unique complexities that can affect the audit scope and approach.
SAP covers most business processes, and because of the system's complexity a minor change in a business process can have a direct effect on the audit procedures. Changes to the setup and configuration of the system, to the release strategy, or the creation of new processes may result in new modules and/or functionality in SAP, and the additional risks these introduce need to be considered.
For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over purchase order approval may have been performed manually, but with the SAP implementation the client has considered automating the approval process in SAP. The setup of the automated workflow process and of user access security is therefore important to ensure that adequate controls are maintained to mitigate the risks. This would include testing the automated controls instead of the manual controls over purchase orders.
Segregation and sensitivity
For an effective audit, the auditor needs to gain a good understanding of the design of SAP's authorisation concept (security design). In some instances, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. A review of the design and implementation of SAP security and access controls is therefore important to ensure that proper segregation of duties is maintained and that access to sensitive transactions is well controlled.
Segregation of duties conflicts can arise when a user is given access to two or more conflicting transactions, for example creating a purchase order and amending vendor master details. A clear mapping of the business processes and identification of the roles and responsibilities involved in those processes is crucial both to the design of access controls and to auditing security effectively.
In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries, or amending and deleting audit logs. In an SAP audit such sensitive transactions need to be considered during the planning phase.
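As an added illustration, not part of the article, the following Python script models the check described above: it expands each user's roles into the transactions they grant, flags pairs that violate a segregation of duties rule, and lists access to transactions the business has declared sensitive. The roles, users and rules are constructed sample data; the transaction codes are standard SAP codes used only as labels.

```python
from typing import Dict, List, Set

# Constructed sample data, not from any real system. Transaction codes are
# standard SAP ones used as illustrations: ME21N create PO, ME29N release PO,
# XK02 change vendor master, F110 payment run, SM19 audit log settings,
# FS00 G/L account master, FBD2 change recurring entry.
ROLES: Dict[str, Set[str]] = {
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_PO_APPROVER": {"ME29N", "ME23N"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_PAYMENTS": {"F110", "FB60"},
    "Z_GL_ADMIN": {"FS00", "FBD2"},
    "Z_BASIS_AUDIT": {"SM19", "SM20"},
}
USERS: Dict[str, Set[str]] = {
    "alice": {"Z_PURCHASER"},
    "bob": {"Z_PURCHASER", "Z_VENDOR_MAINT"},
    "carol": {"Z_AP_PAYMENTS", "Z_BASIS_AUDIT"},
    "dave": {"Z_PURCHASER", "Z_PO_APPROVER", "Z_GL_ADMIN"},
}
# Conflict rules: one user holding both codes can complete a fraud chain alone.
SOD_RULES: Dict[frozenset, str] = {
    frozenset({"ME21N", "XK02"}): "create PO + amend vendor master",
    frozenset({"ME21N", "ME29N"}): "create PO + release PO",
    frozenset({"XK02", "F110"}): "amend vendor master + run payments",
}
# Transactions the business treats as sensitive in their own right.
SENSITIVE = {"SM19": "audit log settings", "FS00": "G/L master", "FBD2": "recurring entries"}

def effective_tcodes(user: str) -> Set[str]:
    """Union of transaction codes granted through all of a user's roles."""
    codes: Set[str] = set()
    for role in USERS.get(user, set()):
        codes |= ROLES.get(role, set())
    return codes

def sod_conflicts(user: str) -> List[str]:
    """Descriptions of every conflicting pair the user holds in full."""
    codes = effective_tcodes(user)
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= codes)

def sensitive_access(user: str) -> List[str]:
    """Sensitive transactions the user can execute, for auditor follow-up."""
    return sorted(t for t in effective_tcodes(user) if t in SENSITIVE)

def audit_report() -> Dict[str, Dict[str, List[str]]]:
    """Per-user findings; empty lists under both keys mean no exception."""
    return {u: {"sod": sod_conflicts(u), "sensitive": sensitive_access(u)}
            for u in USERS}
```

A real SoD analysis works at authorisation object and field-value level rather than on transaction codes alone, because the transaction a user can start is not the same as the activities it permits; this transaction-level pass is a first filter.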
Organisations can tailor the SAP system to fit their business needs, including selecting from its configurable and inherent controls. Understanding the selection process behind these controls is fundamental to the audit approach. Allowing purchase orders, for example, to be approved automatically by the system is considered a configurable automated control.
However, the client may also choose not to implement this functionality and instead address the risk with a manual control. Auditors need to understand which controls the client has chosen to implement and the matrix of controls on which they place reliance to mitigate one or more risks.
Types of Controls
In SAP there are four types of controls that an audit client can use to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.
Typically, access and configurable controls are executed by the SAP system and are preventive in nature. In contrast, manual controls, including manual reviews of reports, are executed by an employee and are mainly detective in nature. For example, in the procure-to-pay (P2P) process in SAP there are standard automated controls such as three-way matching (matching purchase orders, goods receipts and invoices). The client may instead choose to adopt four-way matching, or two-way matching of invoices, which requires customisation to suit their specific processes.
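To make the matching modes concrete, here is an added Python example (not from the article or from SAP itself) that applies two-, three- or four-way matching to constructed PO, goods receipt, inspection and invoice records and returns the reasons an invoice would be blocked from payment. The 2% price tolerance and the use of an inspection/acceptance record as the fourth document are assumptions, since the article does not define them.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed documents for one purchasing transaction (not real data).
@dataclass
class PurchaseOrder:
    number: str
    quantity: float
    unit_price: float

@dataclass
class GoodsReceipt:
    po_number: str
    quantity: float

@dataclass
class Inspection:  # fourth document, assumed for four-way matching
    po_number: str
    accepted_quantity: float

@dataclass
class Invoice:
    po_number: str
    quantity: float
    unit_price: float

def match_invoice(ways: int, inv: Invoice, po: PurchaseOrder,
                  gr: Optional[GoodsReceipt] = None,
                  insp: Optional[Inspection] = None,
                  price_tolerance: float = 0.02) -> List[str]:
    """Return blocking reasons; an empty list means the invoice may be paid.
    ways=2 checks invoice against PO only, 3 adds goods receipt, 4 adds inspection."""
    if inv.po_number != po.number:
        return ["invoice does not reference this PO"]
    reasons: List[str] = []
    if abs(inv.unit_price - po.unit_price) > po.unit_price * price_tolerance:
        reasons.append("price variance exceeds tolerance")
    if inv.quantity > po.quantity:
        reasons.append("invoiced quantity exceeds ordered quantity")
    if ways >= 3:  # three-way: the goods must actually have been received
        if gr is None or gr.po_number != po.number:
            reasons.append("no goods receipt for PO")
        elif inv.quantity > gr.quantity:
            reasons.append("invoiced quantity exceeds received quantity")
    if ways >= 4:  # four-way: and accepted after inspection
        if insp is None or insp.po_number != po.number:
            reasons.append("no inspection/acceptance for PO")
        elif inv.quantity > insp.accepted_quantity:
            reasons.append("invoiced quantity exceeds accepted quantity")
    return reasons
```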
Each client will use a different mix of controls to achieve its specific control objectives, and because of the complexity of SAP software, auditing around the system to gain control assurance is not an option. The audit approach therefore needs to be tailored appropriately for each situation. It is also important to highlight that SAP delivers several controls that are inherent within the SAP environment. An example of an inherent control is that journal entries must balance before they can be posted in SAP.
In SAP it is important to understand the link between configurable controls and access controls. To achieve a control objective there may be a mix of configurable and access controls that together form the control solution. For example, "purchase orders over £1m are blocked automatically and cannot be processed." This sounds like a configurable control, but it is actually both a configurable control and an access control, as it depends on the configuration of the purchasing release strategy within SAP and on who has access to create and approve a PO.
Another example is "purchase orders over US$1m must be approved by the manager." This sounds like an access control, but it is a configurable control as well, because of the configuration needed for the release strategy. In fact, these are complementary controls: two controls that together cover the same risk. Without one of them, the other cannot cover the risk to the same extent. The auditor should test both the configuration and the access aspects of such controls, so it is important that they are identified by the auditor and classified appropriately.
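The following is an added Python model, not code from the article or from SAP, of the two halves of the control discussed above: a simplified release strategy (the configurable side) and per-user release codes (the access side, which SAP governs through the M_EINK_FRG authorisation object). The thresholds, users and PO values are constructed; the scenario runs the same £1.5m purchase order against a sound configuration, a mis-set threshold, and an over-permissive buyer to show that weakening either half leaves the risk uncovered.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class PurchaseOrder:
    number: str
    value_gbp: float
    created_by: str
    releases: Dict[str, str] = field(default_factory=dict)  # release code -> user

# Configurable side, a simplified model of an SAP release strategy: every
# release code whose threshold the PO value exceeds must be applied before
# the PO can be processed. All values below are constructed.
Strategy = List[Tuple[float, str]]
GOOD_STRATEGY: Strategy = [(100_000.0, "01"), (1_000_000.0, "02")]
WEAK_STRATEGY: Strategy = [(10_000_000.0, "02")]  # threshold set far too high

# Access side: release codes each user may apply (in SAP this is governed by
# the M_EINK_FRG authorisation object). Constructed values.
GOOD_AUTH: Dict[str, Set[str]] = {"manager": {"01", "02"}, "buyer": set()}
WEAK_AUTH: Dict[str, Set[str]] = {"manager": {"01", "02"}, "buyer": {"02"}}

def required_codes(strategy: Strategy, value: float) -> Set[str]:
    """Release codes a PO of this value must carry before processing."""
    return {code for threshold, code in strategy if value > threshold}

def apply_release(po: PurchaseOrder, user: str, code: str,
                  strategy: Strategy, auth: Dict[str, Set[str]]) -> str:
    """Attempt a release and report the outcome for the audit trail."""
    if code not in required_codes(strategy, po.value_gbp):
        return "not required"
    if code not in auth.get(user, set()):
        return "rejected: no authorisation for release code " + code
    po.releases[code] = user
    return "released"

def can_process(po: PurchaseOrder, strategy: Strategy) -> bool:
    """Configurable control: blocked until every required code is applied."""
    return required_codes(strategy, po.value_gbp) <= set(po.releases)

def scenario(strategy: Strategy, auth: Dict[str, Set[str]]) -> Dict[str, bool]:
    """A GBP 1.5m PO raised by 'buyer': buyer tries to release it, then manager."""
    po = PurchaseOrder("4500000001", 1_500_000.0, "buyer")
    apply_release(po, "buyer", "02", strategy, auth)
    unapproved = can_process(po, strategy)
    for code in sorted(required_codes(strategy, po.value_gbp) - set(po.releases)):
        apply_release(po, "manager", code, strategy, auth)
    return {"released_by_creator": po.created_by in po.releases.values(),
            "processed_without_approval": unapproved,
            "processed_after_manager": can_process(po, strategy)}
```

An auditor testing this control would check both `GOOD_STRATEGY`-style configuration (the thresholds and codes actually in the release strategy) and the `GOOD_AUTH`-style assignments (who holds each release code), because either weak case on its own lets the £1.5m order through without an independent approval.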
Process risks
SAP is a process-based ERP system and each SAP instance may have different risks associated with it. The ability to customise and tailor the system, together with its inherent complexity, considerably increases the overall complexity of security configurations and leads to potential security vulnerabilities. Segregation of duties conflicts, errors and flaws therefore become more likely.
Each client has different business processes, products and services, and systems that suit its environment. Designing the processes effectively in SAP is important to mitigate the risks associated with inadequate or failed business processes. An effective audit approach should therefore include an evaluation of risks and an understanding of the business process mapping for each SAP instance.
Given that the system is highly customisable, process-driven and enables a range of control selections, each SAP instance will potentially have a different risk profile. Furthermore, within SAP, the risk profiles of the different modules and sub-modules, such as financials (FI), materials management (MM), sales and distribution (SD), payroll, human capital (HC), business information warehouse (BW), customer relationship management (CRM) and so on, will differ.
The vast range of business operations that SAP software covers makes it impractical to cover them all in a single audit. To complete a comprehensive audit of SAP, it is appropriate to consider a rotation plan. This may include planned reviews of each SAP business process, module and sub-module; of system configuration and change management; and of system security, including the design of segregation of duties and access levels. This ensures that the audits are performed by appropriately skilled resources and cover each risk area, including business processes, security and the associated controls. These areas can then be assessed effectively to identify control gaps and weaknesses and to recommend appropriate steps to resolve the issues.
In addition to the above challenges, SAP systems are upgraded and enhanced regularly to meet ever-changing business requirements. In the current economic climate, companies also face changing risks in their environment that affect their business processes.
The aim of a risk-based approach is to allow auditors to tailor the review to the areas of business risk, giving greater focus to audit areas with high risk potential. The complexity of the SAP system and the related business processes, as indicated above, may lend itself to higher inherent risk and control risk, which should be taken into account when planning the audit.
The risk-based approach should include a general risk assessment, analytical audit procedures, systems- and process-based fieldwork, and substantive testing. In this way an auditor can conduct the audit efficiently and with a degree of reliability, as well as optimising the time and effort involved. It is therefore crucial that a top-down, risk-based audit approach is adopted to review SAP effectively.