Erpsapbusproc
description
Transcript of Erpsapbusproc
1
SAP: Business Process Controlsand AIS
Jennifer Hahn
Michael Juergens
Deloitte & Touche
ISACA Spring Conference
April 27, 1999
2© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Presentation Outline
■ SAP Module Overview■ SAP Business Process Overview■ Audit Information System (AIS) Overview
2
3© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
SAP Module Overview
4© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
R/3Client / Server
ABAP/4
FIFinancial
Accounting
COControlling
AMFixed Assets
Mgmt.
PSProjectSystem
WFWorkflow
ISIndustry
Solutions
MMMaterials
Mgmt.
HRHuman
Resources
SDSales &
Distribution
PPProductionPlanning
QMQuality
Manage-ment PM
Plant Main-tenance
SAP R/3 Modules
3
5© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
SAP Modules - Functional Category
■ Financial Applications� FI, CO, EC, IM, TR, AM, PS
■ Logistics Applications� SD, MM, PM, PP, QM, LO
■ Human Resources� PA, PD
■ Cross Applications� WF, OC, AL, CAD. DMS, ALE,
EDI, I/Net, EC
■ Industry Solutions� IS
Financial Applications
Logistics Applications
Human Resources
Industry Solutions
Functional Category
Cross Applications
6© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Financial Accounting
● General Ledger
● Accounts Receivable
● Accounts Payable
● Tax and FinancialReports
● Special Purpose Ledger
● Legal Consolidations
FI
Financial Applications. . . . . . . .
4
7© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Controlling
● Cost Center Accounting
● Profit Center Accounting
● Product CostControlling
● Profitability Analysis
● Activity CostManagement
● Internal Orders
CO
Financial Applications. . . . . . . .
8© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Fixed Asset Management
● Depreciation
● Property Values
● Insurance Policies
● Capital InvestmentGrants
AM
Financial Applications. . . . . . . .
5
9© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Project System
● Project Tracking
● Work BreakdownStructure
● Budget Management
● Cost and RevenuePlanning
● Networks and Resources
PS
Financial Applications. . . . . . . .
10© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Sales and Distribution
● Computer Aided Sales
● Quotations
● Sales Order Management
● Pricing
● Delivery
● Invoicing
SD
Logistics Applications . . . . . . . .
6
11© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Materials Management
● Procurement
● Inventory Management
● Vendor Evaluation
● Invoice Verification
● Warehouse Management
MM
Logistics Applications . . . . . . . .
12© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Production Planning
● Sales & OperationsPlanning
● Demand Management
● Material RequirementsPlanning
● Production ActivityControl
● Capacity Planning
PP
Logistics Applications . . . . . . . .
7
13© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Quality Management
● Quality Certificates
● Inspection Processing
● Planning Tools
● Quality Control
● Quality Notifications
QM
Logistics Applications . . . . . . . .
14© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Plant Maintenance
● Plant Maintenance
● Equipment and TechnicalObjects
● Preventive Maintenance
● Service Management
● Maintenance OrderManagement
PM
Logistics Applications . . . . . . . .
8
15© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Human Resources
● PersonnelAdministration
● Payroll, Benefits
● Time Management
● Planning andDevelopment
● OrganizationManagement
HR
Human Resources. . . . . . . .
16© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Cross Applications
● SAP Business Workflow● SAP Office● SAP ArchiveLink● EDI● Communication● Application Link Enabled
(ALE)● Others
WF
Cross Applications. . . . . . . .
9
17© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Industry Solutions
● Banks● Hospitals● Oil Companies● Publishing Sector● Telecommunications● Retail● Utilities● Others
IS
Industry Solutions. . . . . . . .
18© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Basis Component Overview
10
19© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Basis Component
BC
Basis Component. . . . . . . .
● ABAP/4 DevelopmentWorkbench
● Computer CenterManagement System
● Authorization Concept
● Transport System
● Database Administration
20© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
SAP Business Process Overview
11
21© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
SAP Business Processes
■ Over 1200 business processes defined by SAP– Highly flexible– Customized to fit each company– Companies choose the business processes that they
want to implement
■ Every SAP installation is different– It is important to have clear understanding of business
processes that are effected by the SAP implementation– These business processes should be mapped to the
corresponding SAP modules that are implemented
22© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Example Business Process - Sales
SalesOrder
MRPrun
PlanningMPS
PlannedOrder
PurchaseRequisition
ProductionOrder
Delivery BillingCustomerPayment
PurchaseOrder
InvoiceReceipt
VendorPayment
GoodsIssue
GoodsReceipt
GoodsReceipt
GoodsIssue
ProductCosting
ProfitabilityAnalysis
Raw Finished
Vendor
Customer
Material
G/L Account
Modules
■ MM
■ PP
■ SD
■ FI/CO
12
23© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Linking SAP Modules, Business Processes and Audit
24© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Audit Challenges
■ SAP Modules– Three Main Functional Categories– Multitude of Modules– Multitude of Sub-Modules
■ SAP Business Processes– 1200+ Processes
■ Audit Processes– Business Process Cycles
13
25© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Linking Audit Cycles to SAP Modules
Expenditure
Fixed Assets
Inventory Management
Payroll and Personnel
Revenue
TreasuryFinancial Applications
Logistics Applications
Human Resources
Cross Applications
Industry Solutions
Audit Business Cycles
Basis Component
SAP Module Functional Category
26© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Audit Information System (AIS)
14
27© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS - History and Background
■ Requested by– Internal Auditors,– External Auditors, and– Company Management
■ Designed by SAP in response to requirements fora tool to find, evaluate and download informationfrom SAP easily
■ Includes:– Audit Report Tree (transaction code: SECR)– Report tree includes Systems and Financial audit tasks, reports
and tests for additional modules are under development– Evaluation and notes can be entered into the specific tasks to
monitor progress of tasks
28© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS - History and Background
■ To provide a mechanism and structurefor collection, and presentation ofstandard SAP reporting
■ The goal is improvement of audit qualitythrough real-time auditing
■ To provide company specific, individualselection and preparation of data needsand requirements for reporting andreview
■ To provide the ability to download datainto flat files for analysis with externaltools
– AuditAgent– ACL– IDEA– Baetge
A I S
SAP - DB
15
29© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
What is AIS?
■ A collection of SAP reports / queries based on areporting tree
■ A tool for auditing an SAP system
■ Utilizes existing SAP functionality
■ Designed to rationalize and facilitate the auditprocess
■ Organizes all audit related activities under oneumbrella
■ Aims to improve the quality of an audit
30© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
What does AIS do?
© 1998 SAP AG. All rights reserved.
16
31© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
What does AIS do?
© 1998 SAP AG. All rights reserved.
32© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS Features and Functions
■ Tool for performing both System and BusinessAudits
■ Provides auditors with the ability to document andmonitor the progress of an audit
■ Reports and queries can be customized for eachuser
■ Allows auditors to evaluate information ordownload data to be used by CAAT tools such asACL
■ Different views allow external auditors (bothfinancial and systems auditors) and internalauditors to use the system simultaneously
17
33© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS - System Audits
■ Using the AIS System Audit tree users can:– Review system configuration settings– Review parameters settings– Monitor operations– Review various logs– Review background processing– Review security settings– Perform user security audits– Review transport related activities– Review print and spool administration
34© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS - Business Audits
■ Using the AIS Business Audit tree users can:– Perform various audit related queries– Produce various audit related reports– Review organization structure– Review document structure, ranges, posting keys etc.– Review client setup (number of accounts, assets,
customers, vendors, materials etc.)– Review chart of accounts– Produce financial reports (balance sheets, P&L, ratio
analysis etc.)– Review account balances
18
35© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Audit Status Analysis
■ AIS uses Status Analysis functionality to:– Summarize, maintain and monitor details of the audit
progress of specific testing, and for audit management– Easily and quickly identify problem areas– Document results of tests offering drill-down
functionality– Notes exist in SAP R/3 version 3.1G+
36© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Audit Status Analysis
■ Status Analysis functionality and capabilitiesimproves the ability of Audit management to tracktasks performed within SAP:– Percentage of completed audit steps for an audit
objective via traffic lights:– Creation of separate documentation for the node of
each separate user view– Ability to identify the number of views a node is
assigned to, with the associated status of completionfor each view
– Tracking of changes made to the notes to aresponsible person
19
37© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Audit Status Analysis
38© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Audit Report Tree
■ The audit report tree contains two standard views:– Financial Audit (AUDIT_FI)– Systems Audit (AUDIT_SECR)
■ Each view contains:– Auditing procedures and documentation tools– Audit evaluations (including data and key controls
within the configuration)– Data download tools through links to Data Analysis
Tools, such as ACL (automated) or IDEA (throughMonarch)
20
39© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Audit Report Tree
40© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS and SAP versions
■ Versions 3.1I and 4.5B+– An integral part of the SAP Basis Component
■ Only works on certain releases of R/3– 3.0D, 3.0E, 3.0F– 3.1G, 3.1H, 3.1I– 4.0A, 4.0B, 4.0C– 4.5A, 4.5B, 4.6A
■ Not all functions are available in each version, asfunctionality is based on the release level
21
41© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS - Relevant OSS Notes
■ Online System Support (OSS) Notes:– 13719 - Transport Files to load AIS onto SAP for
versions 3.0D on– 41475 - Copying report variants between clients– 77503 - AIS Overview, Auditor’s configuration of Views,
Variants and Ratios– 85344 - Performance concerns when AIS is installed– 100609 - Basis Installation Steps– 128256 - Missing English Texts– 129170 - Download of Query Data– 133914 - Conversion of drill-down reports
42© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS Business Case
22
43© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS Advantages
■ Centralized auditing
■ Continuous auditing
■ Teaming of internal and external audit efforts
■ More efficient use of time
■ One report tree
■ Simplify data extraction
■ Potential to have all SAP reports in AIS only
■ Custom views
■ AIS is free
44© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
AIS Disadvantages
■ Variant review after every SAP upgrade
■ Reports must be configured
■ SAP knowledge required to interpret results
■ Over auditing
■ Under auditing
■ Access to SAP
■ Auditability of the Financial (FI) module Only
■ Reliance on the SAP system is assumed
■ AIS is not mature
23
45© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt
SAP: Business Process Controls and AIS
Questions and Information
Presenter Information:Jennifer Hahn714-436-7171Michael Juergens714-436-7276