SAP and Sarbanes Oxley


Transcript of SAP and Sarbanes Oxley

  • 7/29/2019 SAP and Sarbanes Oxley

    1/39

    Sarbanes Oxley: Documentation Best Practices in a SAP R/3 Environment

    Jim Chergey, Deloitte

    Johanna Jones, Deloitte

  • What We'll Cover

    Introduction to best practices related to SOX documentation in a SAP R/3 environment

    Control objectives, risks, and control activities

    Documentation of business processes and general computer controls

    Testing of controls

    Wrap-up


  • SOX Documentation Requirements

    Documentation requirements represent a significant element of the Sarbanes-Oxley Act

    Primary types of documentation include:

    Documentation of business processes and computer controls

    Evidence of control activities

    Documentation of test results

  • SOX Documentation Requirements

    Final PCAOB standards require the external auditor to express an opinion regarding whether management's assessment is fairly stated and whether management maintained effective ICFR

    Management must create and maintain documentation to support their Section 302 assertion (control design and control

    Requires a tremendous level of effort to compile and maintain

    Many organizations plan to utilize a document repository tool to manage/organize the documentation

    Inappropriate documentation could result in a significant or material deficiency, or a qualified/negative opinion

  • Standard SAP Documentation

    Documentation available in SAP:

    Logs (audit, transport, table, system, security)

    Change documents

    Reports

    Not all features are configured by default

    In addition, not all information will be relevant for SOX

  • Skill Level Required to Audit SAP

    Takes several years to become a skilled SAP auditor:

    Basis

    Infrastructure

    Business Processes

    Resources with appropriate knowledge may be scarce for SOX readiness assistance

    SAP Knowledge + Controls Expertise + Business Process Expertise + General Computer Controls Expertise


  • COSO Documentation Flow

    Entity → Process → Control Objective → Risk → Control Activity

  • Control Objectives

    Control objectives describe management goals/directives

    Objectives typically relate to:

    Financial goals (completeness, existence/occurrence, rights/obligations, valuation/allocation, presentation/disclosure)

    Operational goals (efficiency, accuracy, public image)

    Regulatory/legal goals (regulatory compliance, legal compliance)

    Financial goals are most relevant for SOX compliance

  • Risks

    Need to be addressed at several layers:

    Organization risks

    Entity risks

    Process/IT risks

    Absolute risk - before consideration of current controls (e.g., Accounts Payable is inherently risky)

    Residual risk - remaining risk when all controls are considered (should be at an acceptable/appropriate level)

    Risk assessment component of COSO is different than risks associated with control objectives and activities

  • Control Activities

    Control activities are unique to an organization's industry, technologies, size, business processes, etc.

    Control activities are mapped to control objectives

    Control activities should include a balance of preventative and detective controls

  • Generic Control Objectives

    Generic control objectives may not be applicable or material to an organization

    Not all business processes will be relevant/material

    Enabling technologies and support activities differ among organizations

    Typically generic control objectives are not customized

  • Generic Control Activities

    Generic control activities should be customized based upon the organization's business processes, technologies and actual practices

    SAP controls will not fit neatly into the CobiT generic control objectives

    It is critical that these controls be included, however

  • SAP-Specific Controls

    The SAP application has specific control needs unique to the application that need to be identified, documented and tested

    Example: Change control activities

    System change option (SE06)

    Client maintenance settings (SCC4)

    Utilize SAP resources to assist in identifying these key controls:

    SAP Security Guide (http://service.sap.com/securityguide)

    Authorizations Made Easy

    System Administration Made Easy

    SAP Security Website (http://service.sap.com/security)

  • CobiT Control Objective

    Let's look at a generic CobiT objective and fit SAP-specific control activities to that objective

    Manage operations: Management has established and documented standard procedures for IT operations, including managing, monitoring and responding to security, availability and processing integrity events.

  • Customized SAP Control Activities

    SAP Activity: Access to background processing transactions (SM36 and SM37) is restricted.

    SAP Activity: Administrative personnel utilize CCMS tools to proactively monitor job processing activities to identify processing errors and/or issues.

    SAP Activity: Specific SAP background user IDs have been created to run regularly scheduled jobs. These IDs are controlled appropriately.

  • Controls in Legacy Environments vs. the SAP Environment

    If a similar control exists in multiple environments, be sure to customize the control activities and specify the environment in which the control applies

    Example: Password history controls

    Users may not utilize their last 10 passwords (AS/400)

    Users may not utilize their last 5 passwords (SAP)


  • Integrating IT Controls

    IT-enabled business process controls should be embedded in the business process documentation

    For example, do not create a separate document for Accounts Payable IT controls

    Control objectives can be achieved through a combination of manual and systematic controls

  • Integrating IT Controls

    Types of IT controls include:

    Configured (IMG settings)

    System-enabled (change records)

    Security (design and administration of security)

    Reports (open sales order report)

    IT Procedures/Policies (user administration procedures)

    Need to work with business process owners and IT business analysts to understand and document the complete controls structure

  • Manual Journal Entry Controls

    MANUAL

    Manual journal entries are reviewed and approved before entry.

    Journal entries entered into the SAP system are reviewed regularly to ensure they were properly approved and accurately entered.

    IT (SYSTEMATIC)

    Access to manually enter journal entries is restricted to appropriate personnel.

    SAP automatically prevents entries where the total debits/credits are out of balance.

    Posting period controls are configured to ensure journal entries are posted to appropriate periods.

  • General Computer Controls Documentation

    Documentation structure may differ from business processes

    Process flows not relevant for many areas, such as system monitoring

    Process flows may be useful for some IT processes, such as change control and user administration

    Narratives can be utilized to explain current practices


  • Testing Basics

    Testing is primarily performed to evaluate the operating effectiveness of control activities

    Testing documentation should consist of:

    Testing procedures performed to ensure that control activities are functioning properly

    Documentation of exceptions

    Testing is different than Understanding

    Conversations with control owners do not qualify as testing

    Key Controls

    Only key controls need to be tested, even if all controls were documented

  • Sample Sizes

    Appropriate testing sample sizes should be determined based upon:

    Frequency of the control (annually, quarterly, monthly, weekly, daily, multiple times per day, programmed)

    Type of testing (corroborative inquiry vs. attribute sampling)

    Frequency of testing of the control activity (quarterly vs. annually)

    Additional samples may be necessary if exceptions are found

    Sample size guidance should be provided by the external auditor

  • Types of Testing

    Corroborative inquiry: Consists of interviews with control owner(s) to verify that the control is working as documented and corroboration via:

    Observation: Independent viewing of a control process or physical control

    Examination/inspection of evidential matter: Hardcopy or online

    Reperformance: Independent performance of a control

  • Types of Testing

    Attribute sampling: Utilized when a sample of documentation will be the primary test of the control; measures a characteristic of a control (present or not present)

    Additional reliance placed on testing if it is performed in a manner consistent with sample sizes/approach of the external auditors

    Other reliance factors:

    Type of controls (control environment vs. routine transactions)

    Competence of tester

    Objectivity (independence) of tester

  • Documentation of Testing

    Indicate who was interviewed

    Include names and titles

    Document content of interview

    Describe testing procedures performed

    Examined, inspected, observed, reperformed

    Note exceptions

    Refer to supporting workpapers and effectiveness gap documentation

    Provide signoff and date

  • Testing Documentation Example

    Interviewed Joe Smith, Business Systems Analyst, and Jane Clark, Staff Accountant. Both stated that Company ABC uses transaction code AS01 to create an asset master record.

    Ran report RSUSR002 with the following query settings:

    S_TCODE = AS01

    A_S_GSBER, Company code = * (any)

    A_B_ANLKL, Activity = 01 (create)

    A_A_VIEW, Asset view = * (any)

    A_S_KOSTL, Cost center = * (any)

    Refer to workpaper. Examined the report with Joe and Jane and noted that there were 40 active and 2 inactive users with this access. Identified 6 active users that should not have this access.

    Exceptions Noted: Access to this transaction appears excessive. See control effectiveness gap at workpaper - Issue 20.

    Work Performed by Mike Auditor on 6/30/2004.

  • Documentation Repositories

    Documentation repositories will likely need to be created/installed to track the documentation needed by management to support their Section 302 assertion

    Solutions vary from complex network directory structures to robust tools

    Document-related consideration items when evaluating solutions:

    Are documents loaded or hyperlinked?

    What documentation can be stored?

    Where is the documentation stored (application database or external server)?

    How is data archived?

    How is version control maintained?

  • Management of Internal Controls (MIC)

    SAP's tool for helping customers manage the SOX documentation requirement

    General release planned for 3rd quarter 2004

  • Auditability of Controls

    Documentation proving that controls are performed over time needs to be retained for audit purposes (i.e., the control must be auditable)

    The amount of documentation should be reasonable but the control owner must be able to provide evidence of the control

    May require additional signoff and filing procedures

    May require additional network storage

    Auditors will request samples of documentation over a period of time, not just a walkthrough of the control procedure

    Retention of controls documentation is similar to financial audit documentation retention requirements

  • Example: Monitoring

    Control: A daily checklist is used when monitoring the SAP system. The checklist is completed twice each day (morning and afternoon).

    Test: Auditor will select 10 days to examine evidence of the control.

    Documentation Requirements: Expectation that, at a minimum, completed checklists for each date will be available. The checklists should be initialed and dated by the control owner.


  • Review

    Documentation requirements represent a significant element of SOX

    Appropriate skills are necessary to audit

    Develop customized control activities and map them to generic control objectives

    Include SAP-specific controls

    IT-enabled business process controls should be embedded in the business process documentation

    General computer control documentation structure may differ from business processes

    Document tests of controls

    Testing is different than Understanding

    Retain documentation

  • Resources: Many are Available

    The R/3 Security Guide, Volumes I-III: Free at the SAP Service Marketplace (SAPnet). Available at: http://service.sap.com/securityguide

    Authorizations Made Easy Guide. Available at: http://www.tech.saplabs.com/guidebooks/default.asp

    System Administration Made Easy Guide. Available at: http://www.tech.saplabs.com/guidebooks/default.asp

    Security, Audit and Control Features: SAP R/3. Available at: http://www.isaca.org

    SAP Security Website: http://service.sap.com/security

    Deloitte. Available at: www.deloitte.com (navigate to Services → Risk Consulting)

  • Questions???

    How to Contact Us:

    [email protected]

    [email protected]

  • Session Code: 908