
The Challenges in Auditing SAP

Many organizations use SAP applications to help them plan their tasks and resources. Their flexibility and variety make them a challenge to audit.

SAP is highly configurable and implementations typically vary, even within different business units of a company, both non-financial and financial. At the same time, the effective operation of controls within the system's environment is essential to a robust financial and operational control environment. Consequently, it is very important to gain a good understanding of how SAP is being used in the business while


Presentation Transcript


  1. Many organizations use SAP applications to help them plan their resources and tasks. Their flexibility and range make them difficult to audit. SAP is highly configurable and implementations commonly differ, even within different business units of a company, both non-financial and financial. At the same time, the effective operation of controls within the system's environment is important to a robust financial and operational control environment. As a result, it is essential to gain a good understanding of how SAP is being used in the business while planning the audit scope and approach. Auditing an SAP environment presents a number of distinct complexities that can affect the audit scope and approach.

     Business processes

     SAP covers most business processes, and because of the complexity of the system a small change in a business process can have a direct impact on the audit procedures. Changes in the configuration and setup of the system, the release strategy or the creation of new processes may introduce new modules and/or functionality in SAP, and therefore additional risks need to be considered. For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over order approval may have been performed manually. With the SAP implementation, however, the client has considered automating the approval process in SAP. The configuration of the automated workflow process and of user access security is therefore critical to ensure that adequate controls are maintained to mitigate the risks. This would involve testing automated controls rather than the manual controls over orders.

     Segregation and sensitivity

     For an effective audit, the auditor needs to gain a good understanding of the design of SAP's authorisation concept (security design). In some circumstances, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. The review of the design and implementation of SAP security and access controls is therefore necessary to ensure that proper segregation of duties is maintained and that access to sensitive transactions is well controlled. Segregation of duties conflicts can arise when a user is given access to two or more conflicting transactions, for example creating a purchase order and changing vendor master data. A clear mapping of business processes, and identification of the roles and responsibilities involved in those processes, is critical in the design of access controls and to auditing security properly. In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries, or modifying and deleting audit logs. In an SAP audit such sensitive transactions would need to be considered during the planning stage.

     Control selection

     Organisations can customise the SAP system to fit their business needs, including a choice of configurable and inherent controls. Understanding the selection process behind these controls is essential to the audit approach. Allowing orders, for example, to be approved automatically through the system is considered a configurable automated control. However, the client may also choose not to implement this functionality and to address the risk through a manual control. Auditors need to understand the controls the client has chosen to implement and the matrix of

  2. controls that they place reliance on to mitigate several risks.

     Types of controls

     In SAP there are four types of controls that an audit client can use to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports. Generally, access or configurable controls are performed by the SAP system and are preventive in nature. Manual controls, including manual reviews of reports, are performed by an employee and are mostly detective in nature. For example, in the procure-to-pay (P2P) process of SAP there are standard automated controls such as three-way matching (matching of purchase orders, goods receipts and invoices). The client may choose to adopt four-way matching, or two-way matching of invoices, which requires customisation to fit their specific processes. Each client will use a different mix of controls to achieve their specific control objectives, and because of the complexity of SAP applications, auditing around the system to gain control assurance is not an option. The audit approach therefore needs to be tailored appropriately to each situation. It is also important to highlight that SAP provides a number of controls that are inherent within the SAP environment. An example of an inherent control is that journal entries must balance before posting in SAP.

     Configurable controls

     In SAP it is important to understand the link between configurable controls and access controls. To achieve the control objective there may be a combination of configurable and access controls that together form a control solution. For example: "Orders over ₤1m are blocked automatically and cannot be processed." This sounds like a configurable control, but it is really both a configurable control and an access control, as it involves the configuration of the Purchasing Release Strategy within SAP and also deals with who has access to create and approve a PO. Another example is "Orders over US$1m must be approved by the manager." This sounds like an access control, but it is a configurable control as well because of the configuration required for the release strategy. In fact, these are complementary controls: two controls covering the same risk together. Without one control, the other cannot cover the risk with the same precision. The auditor must test both the configuration and the access aspects of these controls, so it is important that the auditor identifies them and classifies them correctly.
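The two-facet test described above, sketched as an added example that is not part of the original presentation. The `ReleaseRule` layout, document types, release code and user names are constructed assumptions standing in for whatever a client's release-strategy and access extracts contain.

```python
from dataclasses import dataclass

THRESHOLD = 1_000_000  # control objective: orders over 1m need approval

@dataclass(frozen=True)
class ReleaseRule:       # hypothetical export of one release-strategy row
    doc_type: str        # purchasing document type the rule applies to
    blocks_above: int    # orders above this value are blocked
    release_code: str    # approval step that unblocks the order

def config_findings(rules, doc_types_in_use):
    """Configuration facet: each document type in use is blocked above THRESHOLD."""
    findings = []
    for dt in sorted(doc_types_in_use):
        limits = [r.blocks_above for r in rules if r.doc_type == dt]
        if not limits:
            findings.append(f"config: no release rule for document type {dt}")
        elif min(limits) > THRESHOLD:
            findings.append(f"config: {dt} is only blocked above {min(limits)}")
    return findings

def access_findings(rules, release_holders, creators, managers):
    """Access facet: only managers release, and nobody releases their own orders."""
    findings = []
    for code in sorted({r.release_code for r in rules}):
        holders = release_holders.get(code, set())
        if not holders:
            findings.append(f"access: nobody holds release code {code}")
        for user in sorted(holders - managers):
            findings.append(f"access: {user} holds {code} but is not a manager")
        for user in sorted(holders & creators):
            findings.append(f"access: {user} can create and release orders")
    return findings

def assess_control(rules, doc_types_in_use, release_holders, creators, managers):
    # The control is effective only when both facets are free of findings.
    findings = (config_findings(rules, doc_types_in_use)
                + access_findings(rules, release_holders, creators, managers))
    return not findings, findings

# Constructed sample data (document types, codes and users are made up).
RULES = [ReleaseRule("STD", 1_000_000, "M1"), ReleaseRule("FRM", 5_000_000, "M1")]
DOC_TYPES = {"STD", "FRM", "SVC"}
HOLDERS = {"M1": {"mgr_lee", "buyer_tan"}}
CREATORS = {"buyer_tan", "buyer_ong"}
MANAGERS = {"mgr_lee"}

if __name__ == "__main__":
    ok, found = assess_control(RULES, DOC_TYPES, HOLDERS, CREATORS, MANAGERS)
    print(ok, *found, sep="\n")
```

With the sample data the configuration looks sound for one document type, yet the control still fails on both facets, which is why neither test can be dropped.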

  3. Process risks

     SAP is a process-based ERP system and each SAP instance may have different risks associated with it. The ability to customise and tailor the system, together with its inherent complexity, considerably increases the overall complexity of security configurations and leads to potential security vulnerabilities. Segregation of duties flaws, conflicts and errors consequently become more likely. Each client has different business processes, products and services, and systems that fit its environment. Designing the process effectively in SAP is necessary to reduce the risks associated with inadequate or failed business processes. An effective audit approach must therefore include an assessment of risks and an understanding of the business process mapping for each SAP instance.

     Rotation plan

     Given that the system is highly customisable, process driven and allows a range of control options, each SAP instance potentially has a different risk profile. Within SAP, the risk profiles of different modules and sub-modules, such as financials (FI), materials management (MM), sales and distribution (SD), payroll, human resources (HC), business information warehouse (BW), customer relationship management (CRM) and so on, will also differ. The large range of business processes that SAP applications cover makes it impractical to cover them all in a single audit. To complete a comprehensive audit of SAP, it is appropriate to consider a rotation plan. This might involve planning reviews of each SAP business process, module and sub-module; system configuration and change management; and system security, including the design of segregation of duties and access levels. This ensures that the audits are performed using appropriately skilled resources and cover each risk area, including business process, security and associated controls. These areas can therefore be reviewed effectively to identify control gaps and weaknesses and to recommend appropriate measures to resolve issues.

     Risk-based approach

     In addition to the above challenges, SAP systems are also upgraded and enhanced periodically to meet ever-changing business requirements. In the current economic climate, companies face changing risks in the environment that affect their business processes. The purpose of a risk-based approach is to allow auditors to tailor the review to the areas of business risk, so that they can focus on audit areas with a high risk potential. The complexity of the SAP system and

  4. related business processes, as indicated above, may lend itself to higher inherent risk and control risk, which need to be considered in planning the audit. The risk-based approach must include general risk assessment, analytical audit procedures, systems- and process-based fieldwork, and substantive testing. In this way, an auditor can perform the audit effectively and with a degree of reliability, while optimising the time and effort involved. It is therefore important that a top-down, risk-based audit approach is adopted to review SAP effectively.
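The segregation-of-duties and sensitive-transaction review from the "Segregation and sensitivity" section, worked through as an added example that is not part of the original presentation. The roles, users and rule set are constructed, and the SAP transaction codes are illustrative picks for the functions the text names.

```python
# Constructed data; transaction codes are illustrative picks for the
# functions named in the text, not a client's rule set.
FUNCTIONS = {                              # business function -> transactions
    "create purchase order": {"ME21N"},
    "change vendor master data": {"XK02"},
    "release purchase order": {"ME29N"},
}
SOD_RULES = [                              # functions one user must not combine
    ("create purchase order", "change vendor master data"),
    ("create purchase order", "release purchase order"),
]
SENSITIVE = {"FS00": "maintain G/L accounts", "SM18": "delete audit logs"}
ROLE_TCODES = {                            # hypothetical custom roles
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_VENDOR_MAINT": {"XK02", "XK03"},
    "Z_PO_RELEASE": {"ME29N"},
    "Z_BASIS_ADMIN": {"SM18", "SM19"},
}
USER_ROLES = {
    "atan": ["Z_BUYER"],
    "bong": ["Z_BUYER", "Z_VENDOR_MAINT"],
    "dlim": ["Z_BASIS_ADMIN", "Z_BUYER", "Z_PO_RELEASE"],
    "eadmin": ["Z_BASIS_ADMIN"],
}

def effective_tcodes(user):
    """Union of the transactions granted by every role the user holds."""
    return set().union(*(ROLE_TCODES[r] for r in USER_ROLES[user]))

def roles_granting(user, tcodes):
    """Roles of this user that contribute any of the given transactions."""
    return sorted(r for r in USER_ROLES[user] if ROLE_TCODES[r] & tcodes)

def sod_conflicts():
    """(user, function_a, function_b, contributing roles) per violated rule."""
    out = []
    for user in sorted(USER_ROLES):
        held = effective_tcodes(user)
        for a, b in SOD_RULES:
            if held & FUNCTIONS[a] and held & FUNCTIONS[b]:
                roles = roles_granting(user, FUNCTIONS[a] | FUNCTIONS[b])
                out.append((user, a, b, roles))
    return out

def unapproved_sensitive(approved):
    """(user, tcode) pairs where a sensitive transaction is held without approval."""
    return sorted((u, t) for u in USER_ROLES
                  for t in effective_tcodes(u) & set(SENSITIVE)
                  if u not in approved.get(t, set()))
```

Each sample role is free of conflicts on its own; the conflicts appear only when roles are combined on one user. A transaction-level pass like this is a first screen, since effective access in SAP also depends on the authorisation objects and field values behind each transaction.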
