Solution Management Financials, SAP AG
The SAP Audit Information System
SAP AG 2003 / Audit Information System, 2
Agenda
• Audit Information System – overview
• Administration of AIS
• System audit with AIS
• Business audit with AIS
• Tools and data export
• Summary and Q&A
SAP Audit Information System (AIS)
AIS is the auditors' toolbox within the SAP environment
• Structured collection and pre-setting of standard reports
• Suitable for auditors with limited SAP experience
• Role-based organization
Comprehensive functionality for system and business audits
• Provides monitoring of system-inherent and configurable controls
• Implements numerous reporting controls
Business audit structured according to
• Financial statements
• Business processes
AIS reporting tree links to multiple types of documentation
• AIS documentation, SAP Library, IMG documentation, web addresses
Data export to external analysis and audit tools
• Online real-time or batch-processed queries
• Document data, account balances, and financial statement data
Audit Information System (AIS)
[Diagram: the mySAP ERP environment linked to a non-SAP environment through an export interface]
• Audit planning
• Work program
- System audit
- Business audit
• Online controls on the SAP database: system information, reconciliation, B/S, P&L, account balances, documents
• Data export: account balances, line items
• Non-SAP environment: analysis software (ACL / IDEA / …), reporting software, work paper prep., report
• Data shown: line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …
AIS – Motivation and Availability
Why should one be interested in the topic?
• In an environment of mass transactions, system support for audit is a must.
• Corporate governance requirements
Why use the SAP Audit Information System?
• Acts as a bridge between auditors and the SAP system
• Helps to understand SAP terminology and structures
• Optimized for the SAP system, direct access to critical data
What is the effort involved in installing and using AIS?
• AIS provides data without requiring much system resource.
• Queries can be run in batch or online.
Availability of AIS
• First available with SAP R/3 Release 3.x
• Largely enhanced for use on top of SAP R/3 4.6C and R/3 Enterprise
• Enhancements available as part of mySAP solutions and as part of Sarbanes-Oxley Act (SOA) package
Corporate Governance
[Diagram labels: Continuous Audit; Rating, Basel II; GoB, GoBS; COSO II; Sarbanes-Oxley Act; Parallel Valuation; SEM (Risk Mgmt, Consolidation, Bal. Scorecard, Man. Cockpit); IAS; Software Certificate; US-GAAP; GDPdU; Audit Information System; MIC (Management of Internal Controls); DART (Data Retention Tool)]
SOA Section 302 – Requirements
Certification of disclosure in companies' quarterly and annual reports
• Management responsibility for effective disclosure controls and procedures over financial reporting, operations and compliance
• Disclosure of significant deficiencies in internal control to audit committee and external auditors
• Certification of contents of SEC reports* by CEO and CFO
(*) filed annually and/or quarterly, depending on size and location of company
Activity
• Identify scope of the company's disclosure controls and procedures.
• Document business processes and process controls over all major activities within an entity (beyond solely processes impacting financial reporting).
• Assess internal control effectiveness.
• Identify and track resulting issues and remediation plans.
• Cascade the accountability for control evaluation and roll up the results (e.g., resulting in a dashboard confirming ability to sign certification).
SOA Section 404 – Requirements
Management report on internal control over financial reporting
• Annual report should include a report by management on the effectiveness of internal control over financial reporting.
• Documentation of control design of effectiveness testing
• Disclosure of any material weaknesses
• Attestation by external auditors
Note: Further periodic requirements are covered under Section 302.
Activity
• Identify areas of scope relevant for evaluating the effectiveness of internal control over financial reporting.
• Document the design of significant controls.
• Perform evaluation of control design and effectiveness.
• Identify resulting control issues and monitor remediation.
• Document changes in processes and controls; surface any associated issues.
• Prepare internal control report.
• Attestation by external auditors
SAP Principles and Applications Supporting SOA
SAP principles
• Inherent controls
• Configurable controls
• Reporting controls
SAP applications
• Management of Internal Controls
• Whistle Blower
• Audit Information System
• Business Consolidation
• Risk Management
• Management Cockpit
• Balanced Scorecard
• Business Planning and Simulation
[Diagram arrow labels between principles and applications: implements, checks]
Audit Environment
[Diagram: SAP standard roles and the individual auditor menu. Recoverable labels: Audit; Risk Assessment; Audit Measure; Audit Result; Documentation / Maintenance; Step 1 to Step n; Enterprise Process; G/L accounts; Customers; Vendors; Inventory; Receivables; Cash; Financial Instruments; Payables; Revenue; Personnel expense; Data export]
AIS, Views/Target Groups
Audit-specific documentation and training
Views
• Business audit
• Tax audit
• System audit
Target groups
• Internal auditors
• External auditors
• Data security officers
• Tax auditors
Audit Information System
Additional Information within the AIS
• IMG Documentation: selected table areas
• AIS Documentation: information on audit steps
• SAP Library: selected chapters
• Internet Links: selected Web addresses
System Audit with AIS
General
• SAP R/3 Security Guide
• Top 10 security reports
• System configuration
• System logs
• Software status (transport, support packages)
• . . .
Users and authorizations
• Central user administration
• Critical combinations of transactions
• . . .
Tables/repository
• Table authorization
• Table recordings
• Access statistics
• Change documents
• . . .
System Audit
System Audit - Authorization
Critical combination of transactions addresses the issue of segregation of duties (SOD)
Critical Combination of Transactions – SOD
System Audit - Repository/Tables
Repository/Tables - Information System
Repository/Tables - Data Browser
AIS – Standard Roles for Business Audit (1)
Account-oriented approach
Balance sheet
• Fixed assets
• Real estate (*)
• Inventory
• Receivables
• Financial instruments (*)
• Cash (*)
• Payables
Income statement
• Sales revenue (*)
• Raw material consumed (*)
• Personnel expenses
Segment reporting (*)
Internal activity allocation (*)
Consolidated financial statement (*)
* = new as of Q4 / 2003
AIS – Standard Roles for Business Audit (2)
Process-oriented approach
From purchase to pay (*)
• Vendors
• Purchasing
• Incoming invoices
• Payables
• Outgoing payments
From order to cash (*)
• Customers
• Revenues
• Receivables
• Incoming payments
* = new as of Q4 / 2003
AIS - Business Audit
AIS Organizational Overview
Organizational Overview - Client
Organizational Overview - Company Code
Organizational Overview - # of Customers
Tables: KNA1, KNC1, KNB1
AIS - Financial Statements - General
General Ledger (GLT0)
Account Analysis G/L Account
The analysis is also available for
- A/R accounts
- A/P accounts
Account Analysis – Data Selection
Account Analysis – Offsetting Accounts
Account Analysis – Daily Volume
Account Analysis – Timely Update?
Account Analysis – Top Posting Volume
Account Analysis - Documents
AIS – Business Audit of Receivables (1)
AIS – Receivables
• Customer master data
• Top 10 reports
• Reconciliation
• Customers – balances
• Customers – documents
• Risks on receivables
• Cut-off check
• A/R Information System
Reports shown:
• Overview about customers
• New customers
• Customers marked for deletion
• Changed customers
• Missing credit data
• …
AIS – Business Audit of Receivables (2)
Tools Used for Online and Offline Controls
• Query
• Drill-down reporting
• Information systems
• DART
• ABAP
Online Controls – ABAP
[Diagram: SAP DB accessed through ABAP; outputs: List, Dialog, Drill-down, Extract (flat file)]
ABAP: Advanced Business Application Programming
• ABAP is the programming language used in R/3.
• Call SAP standard or customer-specific programs.
ABAP Reporting – Calling Up Reports
• Calling up reports using the application menu. Menu entries shown: Report selection w/ GL; Legal requirements; Account; G/L account balances
• Calling up reports directly using the system menu. Menu entries shown: System; Services; Reporting; Program: RFSSLD00
G/L account balances provided by program RFSSLD00
ABAP Reporting – Using Variants
G/L account balances provided by program RFSSLD00
Table of variables
• T-BILANZ: INT
• T-BUK: 0001
• T-GJAHR: 2002
• T-from/to: 0100 - 0999
Variants for RFSSLD00
• VAR1: Chart of accounts INT; G/L Account 1-999; Company code T-BUK; Fiscal year T-GJAHR
• VAR2: Chart of accounts INT; Company code T-BUK
• VARn:
Call report: G/L Account balances/RFSSLD00 with variant (1)
• G/L Account balances: Chart of Accts. INT; G/L Account 1-999; Company code 0001; Fiscal year 2002
Online Controls – Query
[Diagram: SAP DB accessed through Query; outputs: List, Dialog, Drill-down, Extract (flat file)]
SAP Query
• The application SAP Query is used to create lists not already contained in the SAP standard.
• It has been designed for users with little or no knowledge of the SAP programming language ABAP.
Online Controls – Drilldown Reporting
[Diagram: SAP DB accessed through drill-down reporting; outputs: List, Dialog, Drill-down, Extract (flat file)]
SAP drill-down reporting
• With drill-down reporting, SAP provides you with an interactive information system to let you evaluate the data collected in your application.
Online Controls – Information Systems
[Diagram: SAP DB accessed through information systems; outputs: List, Dialog, Drill-down, Extract (flat file)]
Component-specific information tools:
• General ledger Information System
• Accounts receivable Information System
• Accounts payable Information System
• Logistics Information System
• Repository Information System
• . . .
Offline Controls – DART
[Diagram: SAP DB accessed through DART; outputs: List, Dialog, Drill-down, Extract (flat file)]
Data Retention Tool (DART): data retention and evaluation of tax-relevant data.
• Data extraction and storage
• View query
• Export function (SAP-Audit-Format)
Scenario for the Export of Data
[Diagram: download from the SAP DB to ACL, IDEA, . . .]
• Probability-based auditing (statistical sampling algorithms)
• Single audit
Data Export
Data Export - G/L Account, Document Items
• Data Collection (Phase 1, Batch)
• Download (Phase 2, Dialogue)
• 3rd party audit software
7 Key Points about SAP Audit Information System
1. SAP Audit Information System (AIS) is the auditor's toolbox in the SAP environment.
2. It provides structured, easy-to-learn access to audit-relevant data in the SAP system.
3. AIS is being used by external auditors, internal auditors, tax auditors and data security officers.
4. There are comprehensive online controls for system audit, business audit, and tax audit.
5. AIS supports data export of master data, account balances, and documents to 3rd party audit and analysis tools.
6. AIS requires only few system resources.
AIS – Benefits
AIS is the auditor's toolbox within SAP.
• Online controls and data export
• Easy-to-use functionality
• Comprehensive offering for system audit, business audit, and tax audit
Copyright 2003 SAP AG. All Rights Reserved