SAP and Sarbanes Oxley
Transcript of SAP and Sarbanes Oxley
-
7/29/2019 SAP and Sarbanes Oxley
1/39
Sarbanes Oxley:
Documentation Best Practices in a SAP R/3 Environment
Jim Chergey, Deloitte
Johanna Jones, Deloitte
-
7/29/2019 SAP and Sarbanes Oxley
2/39
What We'll Cover
Introduction to best practices related to SOX documentation in a SAP R/3 environment
Control objectives, risks, and control activities
Documentation of business processes and general computer controls
Testing of controls
Wrap-up
-
SOX Documentation Requirements
Documentation requirements represent a significant
element of the Sarbanes-Oxley Act
Primary types of documentation include:
Documentation of business processes and computer
controls
Evidence of control activities
Documentation of test results
-
SOX Documentation Requirements
Final PCAOB standards require the external auditor to express an opinion regarding whether management's assessment is fairly stated and whether management maintained effective ICFR
Management must create and maintain documentation to support their Section 302 assertion (control design and control operating effectiveness)
Requires a tremendous level of effort to compile and maintain
Many organizations plan to utilize a document repository tool to manage/organize the documentation
Inappropriate documentation could result in a significant deficiency or material weakness, or a qualified/adverse opinion
-
Standard SAP Documentation
Documentation available in SAP
Logs (audit, transport, table, system, security)
Change documents
Reports
Not all features are configured by default (e.g., the Security Audit Log and table change logging must be switched on explicitly before they produce any evidence)
In addition, not all information will be relevant for SOX
-
Skill Level Required to Audit SAP
It takes several years to become a skilled SAP auditor, covering:
Basis
Infrastructure
Business Processes
Resources with appropriate knowledge may be scarce for SOX readiness assistance
SAP Knowledge + Controls Expertise + Business Process Expertise + General Computer Controls Expertise
-
COSO Documentation Flow
Entity -> Process -> Control Objective -> Risk -> Control Activity
-
Control Objectives
Control objectives describe management goals/directives
Objectives typically relate to:
Financial goals (completeness, existence/occurrence, rights/obligations, valuation/allocation, presentation/disclosure)
Operational goals (efficiency, accuracy, public image)
Regulatory/legal goals (regulatory compliance, legal compliance)
Financial goals are most relevant for SOX compliance
-
Risks
Need to be addressed at several layers:
Organization risks
Entity risks
Process/IT risks
Absolute (inherent) risk - the risk before consideration of current controls (e.g., Accounts Payable is inherently risky)
Residual risk - the risk remaining when all controls are considered (should be at an acceptable/appropriate level)
The risk assessment component of COSO is different from the risks associated with control objectives and activities
-
Control Activities
Control activities are unique to an organization's industry, technologies, size, business processes, etc.
Control activities are mapped to control objectives
Control activities should include a balance of preventive and detective controls
-
Generic Control Objectives
Generic control objectives may not be applicable or material to an organization
Not all business processes will be relevant/material
Enabling technologies and support activities differ among organizations
Typically, generic control objectives are not customized
-
Generic Control Activities
Generic control activities should be customized based upon the organization's business processes, technologies and actual practices
SAP controls will not fit neatly into the CobiT generic control objectives
It is critical that these controls be included, however
-
SAP-Specific Controls
The SAP application has specific control needs unique to the application that need to be identified, documented and tested
Example: Change control activities
System change option (SE06)
Client maintenance settings (SCC4)
(In a production system the expected settings are SE06 "Not modifiable" and an SCC4 client change option of "No changes allowed"; anything looser must be justified and documented)
Utilize SAP resources to assist in identifying these key controls:
SAP Security Guide (http://service.sap.com/securityguide)
Authorizations Made Easy
System Administration Made Easy
SAP Security Website (http://service.sap.com/security)
-
CobiT Control Objective
Let's look at a generic CobiT objective and fit SAP-specific control activities to that objective
Manage operations: Management has established and documented standard procedures for IT operations, including managing, monitoring and responding to security, availability and processing integrity events.
-
Customized SAP Control Activities
SAP Activity: Access to background processing transactions (SM36 and SM37) is restricted.
SAP Activity: Administrative personnel utilize CCMS tools to proactively monitor job processing activities to identify processing errors and/or issues.
SAP Activity: Specific SAP background user IDs have been created to run regularly scheduled jobs. These IDs are controlled appropriately (e.g., defined with a non-dialog user type so they cannot be used for interactive logon, and with passwords known only to the administrators).
-
Controls in Legacy Environments vs. the SAP Environment
If a similar control exists in multiple environments, be sure to customize the control activities and specify the environment in which the control applies
Example: Password history controls
Users may not utilize their last 10 passwords (AS/400)
Users may not utilize their last 5 passwords (SAP)
-
Integrating IT Controls
IT-enabled business process controls should be embedded in the business process documentation
For example, do not create a separate document for Accounts Payable IT controls
Control objectives can be achieved through a combination of manual and systematic controls
-
Integrating IT Controls
Types of IT controls include:
Configured (IMG settings)
System-enabled (change records)
Security (design and administration of security)
Reports (open sales order report)
IT Procedures/Policies (user administration procedures)
Need to work with business process owners and IT business analysts to understand and document the complete controls structure
-
Manual Journal Entry Controls
MANUAL:
Manual journal entries are reviewed and approved before entry.
Journal entries entered into the SAP system are reviewed regularly to ensure they were properly approved and accurately entered.
IT (SYSTEMATIC):
Access to manually enter journal entries is restricted to appropriate personnel.
SAP automatically prevents entries where the total debits/credits are out of balance.
Posting period controls are configured to ensure journal entries are posted to appropriate periods.
-
General Computer Controls Documentation
Documentation structure may differ from business processes
Process flows are not relevant for many areas, such as system monitoring
Process flows may be useful for some IT processes, such as change control and user administration
Narratives can be utilized to explain current practices
-
Testing Basics
Testing is primarily performed to evaluate the operating effectiveness of control activities
Testing documentation should consist of:
Testing procedures performed to ensure that control activities are functioning properly
Documentation of exceptions
Testing is different than Understanding
Conversations with control owners do not qualify as testing
Key Controls
Only key controls need to be tested, even if all controls were documented
-
Sample Sizes
Appropriate testing sample sizes should be determined based upon:
Frequency of the control (annually, quarterly, monthly, weekly, daily, multiple times per day, programmed)
Type of testing (corroborative inquiry vs. attribute sampling)
Frequency of testing of the control activity (quarterly vs. annually)
Additional samples may be necessary if exceptions are found
Sample size guidance should be provided by the external auditor
-
Types of Testing
Corroborative inquiry: consists of interviews with control owner(s) to verify that the control is working as documented, corroborated via:
Observation: independent viewing of a control process or physical control
Examination/inspection of evidential matter: hardcopy or online
Reperformance: independent performance of a control
-
Types of Testing
Attribute sampling: utilized when a sample of documentation will be the primary test of the control; measures a characteristic of a control (present or not present)
Additional reliance is placed on testing if it is performed in a manner consistent with the sample sizes/approach of the external auditors
Other reliance factors:
Type of controls (control environment vs. routine transactions)
Competence of tester
Objectivity (independence) of tester
-
Documentation of Testing
Indicate who was interviewed
Include names and titles
Document content of interview
Describe testing procedures performed
Examined, inspected, observed, reperformed
Note exceptions
Refer to supporting workpapers and effectiveness gap documentation
Provide signoff and date
-
Testing Documentation Example
Interviewed Joe Smith, Business Systems Analyst, and Jane Clark, Staff Accountant. Both stated that Company ABC uses transaction code AS01 to create an asset master record.
Ran report RSUSR002 with the following query settings:
S_TCODE = AS01
A_S_GSBER, Company code = * (any)
A_B_ANLKL, Activity = 01 (create)
A_A_VIEW, Asset view = * (any)
A_S_KOSTL, Cost center = * (any)
Refer to workpaper. Examined the report with Joe and Jane and noted that there were 40 active and 2 inactive users with this access. Identified 6 active users that should not have this access.
Exceptions Noted: Access to this transaction appears excessive. See control effectiveness gap at workpaper - Issue 20.
Work Performed by Mike Auditor on 6/30/2004.
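The RSUSR002 query above asks "which users hold transaction AS01 together with create (01) activity on the asset class object?" The script below re-performs that check offline over an exported user/authorization list, applying the SAP value-matching rules that make such queries non-trivial: a field value of * grants everything, a trailing * is a prefix wildcard, and a from/to pair is an inclusive range; all fields inside one authorization must match, while separate authorizations for the same object are alternatives. It also separates active from locked/expired users and diffs the active set against the control owner's approved list to produce the exception list. This is an added example, not the deck's code or output: the extract layout, the field names (S_TCODE field TCD; A_B_ANLKL fields ACTVT, ANLKL, BUKRS), the seven users and the approved list are all constructed for illustration, and the objects the slide queries with * (any) are omitted because they do not narrow the result.

```python
"""Re-perform an RSUSR002-style 'who can create asset master records' query
over an exported user/authorization list.  Added example; the extract format
and the SAP field names TCD/ACTVT/ANLKL/BUKRS are assumptions, and the users
below are constructed test data, not the deck's 42 users."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Authorization:
    # obj: authorization object name; fields: field name -> permitted values.
    # A value is '*' (all), a literal, a prefix ending in '*', or a (low, high)
    # tuple for an inclusive range, mirroring how SAP keeps authorization values.
    obj: str
    fields: dict


@dataclass
class User:
    uid: str
    locked: bool = False
    valid_to: date = date(9999, 12, 31)
    auths: list = field(default_factory=list)

    def is_active(self, today):
        """A user counts as active unless locked or past the validity date."""
        return not self.locked and self.valid_to >= today


def value_matches(allowed, needed):
    """One permitted value against one required value, SAP wildcard rules."""
    if isinstance(allowed, tuple):            # range low..high, inclusive
        low, high = allowed
        return low <= needed <= high
    if allowed == "*":
        return True
    if allowed.endswith("*"):                 # prefix wildcard, e.g. 'AS*'
        return needed.startswith(allowed[:-1])
    return allowed == needed


def auth_grants(auth, required_fields):
    """Within one authorization instance every required field must match (AND);
    a single field matches if any of its permitted values does (OR)."""
    return all(
        any(value_matches(v, needed) for v in auth.fields.get(name, []))
        for name, needed in required_fields.items()
    )


def user_has_access(user, required):
    """required: {object: {field: value}}.  Each object must be granted by at
    least one of the user's authorizations for that object."""
    return all(
        any(auth_grants(a, flds) for a in user.auths if a.obj == obj)
        for obj, flds in required.items()
    )


def access_test(users, required, approved, today):
    """Return (active_with_access, inactive_with_access, exceptions); an
    exception is an active user holding the access who is not on the approved
    list confirmed with the control owner."""
    active, inactive = set(), set()
    for u in users:
        if user_has_access(u, required):
            (active if u.is_active(today) else inactive).add(u.uid)
    return active, inactive, active - approved


# The slide's query: AS01 plus create (01) activity on the asset class object.
REQUIRED = {"S_TCODE": {"TCD": "AS01"}, "A_B_ANLKL": {"ACTVT": "01"}}


def tcode(*codes):
    return Authorization("S_TCODE", {"TCD": list(codes)})


def anlkl(*actvt):
    return Authorization("A_B_ANLKL", {"ACTVT": list(actvt), "ANLKL": ["*"], "BUKRS": ["*"]})


# Constructed extract (hypothetical users, not the deck's results).
SAMPLE_USERS = [
    User("ACCT01", auths=[tcode("AS*"), anlkl("01", "02", "03")]),        # create via prefix wildcard
    User("ACCT02", auths=[tcode("*"), anlkl(("01", "03"))]),              # create via activity range
    User("ACCT03", auths=[tcode("AS01"), anlkl("03")]),                   # display only: no create
    User("DEV01", auths=[tcode("*"), anlkl("*")]),                        # wide-open developer ID
    User("SALES01", auths=[tcode("VA01", "VA02")]),                       # no asset objects at all
    User("OLDUSER", locked=True, auths=[tcode("AS01"), anlkl("01")]),     # locked: inactive
    User("TEMP01", valid_to=date(2004, 5, 31), auths=[tcode("AS01"), anlkl("01")]),  # expired
]
APPROVED = {"ACCT01", "ACCT02"}       # hypothetical list confirmed with the control owner
AS_OF = date(2004, 6, 30)


def run_test():
    return access_test(SAMPLE_USERS, REQUIRED, APPROVED, AS_OF)


if __name__ == "__main__":
    active, inactive, exceptions = run_test()
    print("active with access:  ", sorted(active))
    print("inactive with access:", sorted(inactive))
    print("exceptions:          ", sorted(exceptions))
```

The exception set is what goes into the workpaper; the inactive set is still worth listing, because a locked or expired ID that keeps its authorizations becomes an exception the day it is unlocked or extended.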
-
Documentation Repositories
Documentation repositories will likely need to be created/installed to track the documentation needed by management to support their Section 302 assertion
Solutions vary from complex network directory structures to robust tools
Document-related consideration items when evaluating solutions:
Are documents loaded or hyperlinked?
What documentation can be stored?
Where is the documentation stored (application database or external server)?
How is data archived?
How is version control maintained?
-
Management of Internal Controls (MIC)
SAP's tool for helping customers manage the SOX documentation requirement
General release planned for 3rd quarter 2004
-
Auditability of Controls
Documentation proving that controls are performed over time needs to be retained for audit purposes (i.e., the control must be auditable)
The amount of documentation should be reasonable, but the control owner must be able to provide evidence of the control
May require additional signoff and filing procedures
May require additional network storage
Auditors will request samples of documentation over a period of time, not just a walkthrough of the control procedure
Retention of controls documentation is similar to financial audit documentation retention requirements
-
Example: Monitoring
Control: A daily checklist is used when monitoring the SAP system. The checklist is completed twice each day (morning and afternoon).
Test: Auditor will select 10 days to examine evidence of the control.
Documentation Requirements: Expectation that, at a minimum, completed checklists for each date will be available. The checklists should be initialed and dated by the control owner.
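The monitoring test above, together with the "Sample Sizes" and "Attribute sampling" slides earlier, describes one procedure: draw a sample of days from the period, then check each sampled day for the attributes the control should leave behind (two checklists, each initialed and dated). The script below carries that out as an added example that is not part of the deck. The evidence layout (one record per checklist with day, shift, initials and a dated flag) is an assumption, and the June 2004 log is constructed with three planted defects so the exception reporting has something to find; the sample size of 10 is the slide's, not a general rule, and the seed used to draw the sample is recorded so a reviewer can re-draw the same days.

```python
"""Attribute-sampling test of a twice-daily monitoring checklist.  Added
example, not from the deck: the evidence record layout is an assumption and
the June 2004 log below is constructed with three planted defects."""
import random
from collections import namedtuple
from datetime import date, timedelta

Checklist = namedtuple("Checklist", "day shift initials dated")
SHIFTS = ("AM", "PM")          # the control operates twice each day


def business_days(start, end):
    """Sampling population: Monday to Friday between start and end, inclusive."""
    days, d = [], start
    while d <= end:
        if d.weekday() < 5:
            days.append(d)
        d += timedelta(days=1)
    return days


def select_sample(population, size, seed):
    """Random but reproducible selection; record the seed in the workpaper so a
    reviewer can re-draw exactly the same days."""
    return sorted(random.Random(seed).sample(population, size))


def evaluate(evidence, sample):
    """Attribute test: for every sampled day and shift the checklist must be
    present, initialed and dated.  Returns (day, shift, problem) tuples; an
    empty list means no exceptions in the sample."""
    by_key = {(c.day, c.shift): c for c in evidence}
    exceptions = []
    for day in sample:
        for shift in SHIFTS:
            c = by_key.get((day, shift))
            if c is None:
                exceptions.append((day, shift, "no checklist"))
            elif not c.initials.strip():
                exceptions.append((day, shift, "not initialed"))
            elif not c.dated:
                exceptions.append((day, shift, "not dated"))
    return exceptions


def exception_rate(exceptions, sample):
    """Exceptions per attribute tested (two checklists per sampled day)."""
    return len(exceptions) / (len(sample) * len(SHIFTS))


POPULATION = business_days(date(2004, 6, 1), date(2004, 6, 30))   # 22 business days


def build_evidence():
    """Constructed checklist log: complete except for three planted defects."""
    log = {(d, s): Checklist(d, s, "JS", True) for d in POPULATION for s in SHIFTS}
    del log[(date(2004, 6, 8), "PM")]                                                # afternoon checklist missing
    log[(date(2004, 6, 15), "AM")] = Checklist(date(2004, 6, 15), "AM", "", True)    # not initialed
    log[(date(2004, 6, 22), "PM")] = Checklist(date(2004, 6, 22), "PM", "JS", False)  # not dated
    return list(log.values())


EVIDENCE = build_evidence()


def run_test(sample):
    """Evaluate the constructed log against a given sample of days."""
    exceptions = evaluate(EVIDENCE, sample)
    return exceptions, exception_rate(exceptions, sample)


if __name__ == "__main__":
    sample = select_sample(POPULATION, 10, seed=20040630)
    exceptions, rate = run_test(sample)
    for day, shift, problem in exceptions:
        print(day, shift, problem)
    print(f"{len(exceptions)} exception(s) in {len(sample)} sampled days, rate {rate:.0%}")
```

A non-zero exception rate is the trigger for the "additional samples may be necessary" step on the Sample Sizes slide; the script reports the rate per attribute tested rather than per day, because a missing afternoon checklist and a missing morning one are separate failures of the same control.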
-
Review
Documentation requirements represent a significant element of SOX
Appropriate skills are necessary to audit
Develop customized control activities and map them to generic control objectives
Include SAP-specific controls
IT-enabled business process controls should be embedded in the business process documentation
General computer control documentation structure may differ from business processes
Document tests of controls
Testing is different than Understanding
Retain documentation
-
Resources: Many are Available
The R/3 Security Guide, Volumes I-III: free at the SAP Service Marketplace (SAPnet)
Available at: http://service.sap.com/securityguide
Authorizations Made Easy Guide
Available at: http://www.tech.saplabs.com/guidebooks/default.asp
System Administration Made Easy Guide
Available at: http://www.tech.saplabs.com/guidebooks/default.asp
Security, Audit and Control Features: SAP R/3
Available at: http://www.isaca.org
SAP Security Website
http://service.sap.com/security
Deloitte
Available at: www.deloitte.com
Navigate to Services > Risk Consulting
-
Questions???
How to Contact Us:
-
Session Code: 908