Many businesses use the SAP application to help them plan their resources and activities. Its flexibility and range make it a challenge to audit.
SAP is highly configurable and implementations often vary, even within various business units of a company – both financial and non-financial. At the same time, the effective operation of controls within the system’s environment is critical to a robust financial and operational control environment. Therefore, it is important to gain a good understanding of how SAP is being utilised in the business while planning the audit scope and approach. Auditing an SAP environment introduces several unique complexities that can impact the audit scope and approach.
SAP covers most business processes and a minor change in the business process can have a direct effect on the audit procedures due to the complexity of the system. Changes in the setup and configuration of the system, the release strategy or creating new processes may result in new modules and/or functionality in SAP and as such, additional risks need to be considered.
For example, a client may consider retiring one of its legacy purchasing systems and moving this functionality onto SAP. In the past, key controls over purchase order approval may have been performed manually. But with the SAP implementation the client has considered automating the approval process in SAP. The setup of the automated workflow process and user access security is therefore important to ensure that adequate controls are maintained to mitigate the risks. This would involve testing automated controls instead of the manual controls over purchase orders.
Segregation and sensitivity
For an effective audit, the auditor needs to gain a good understanding of the design of SAP’s authorisation concept (security design). In some instances, poor security design results in users being inadvertently granted access to unnecessary or unauthorised transactions. Therefore the review of the design and implementation of SAP security and access controls is important to ensure proper segregation of duties is maintained and access to sensitive transactions is well-controlled.
Segregation of duty conflicts can arise when a user is given access to two or more conflicting transactions – for example, creating a purchase order and amending vendor master details. A clear mapping of the business processes and identification of roles and responsibilities involved in the processes is crucial in the design of access controls to effectively audit security.
In addition, there may be transactions or access levels that are considered sensitive to the business, such as amending G/L codes and structures, amending recurring entries or amending and deleting audit logs. In an SAP audit such sensitive transactions would need to be considered during the planning phase.
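The segregation-of-duties and sensitive-transaction review described above, as an added example that is not part of the original article: user-to-role and role-to-transaction assignments are constructed sample data, the transaction codes are standard SAP codes named only for illustration, and the rule set is a hypothetical one the auditor would build from the client's process mapping.

```python
# Added example: flag SoD conflicts and sensitive-transaction access from
# a user -> role -> transaction mapping. All data below is constructed.
ROLE_TCODES = {
    "Z_PURCHASER":    {"ME21N", "ME22N"},   # create / change purchase order
    "Z_VENDOR_MAINT": {"XK02"},             # change vendor master
    "Z_GL_ADMIN":     {"FS00"},             # maintain G/L account master
    "Z_AUDIT_ADMIN":  {"SM18", "SM20"},     # reorganise / read security audit log
}
USER_ROLES = {
    "alice": {"Z_PURCHASER"},
    "bob":   {"Z_PURCHASER", "Z_VENDOR_MAINT"},
    "carol": {"Z_GL_ADMIN", "Z_AUDIT_ADMIN"},
}
# SoD rules: a user holding any tcode on side A *and* any on side B conflicts.
SOD_RULES = [
    ("Create PO vs. amend vendor master", {"ME21N", "ME22N"}, {"XK02"}),
]
# Transactions the business treats as sensitive (hypothetical list).
SENSITIVE = {"FS00": "amend G/L master", "SM18": "delete audit logs"}


def effective_tcodes(user):
    """Flatten a user's roles into the set of transactions they can run."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_TCODES.get(r, set()) for r in roles))


def sod_violations(user):
    """Return (rule name, side-A hits, side-B hits) for each rule the user breaks."""
    tcodes = effective_tcodes(user)
    found = []
    for name, side_a, side_b in SOD_RULES:
        hit_a, hit_b = tcodes & side_a, tcodes & side_b
        if hit_a and hit_b:
            found.append((name, sorted(hit_a), sorted(hit_b)))
    return found


def sensitive_access(user):
    """Map each sensitive tcode the user holds to its description."""
    return {t: SENSITIVE[t] for t in effective_tcodes(user) if t in SENSITIVE}


def report():
    """Per-user findings an auditor would walk through with the client."""
    return {u: {"sod": sod_violations(u), "sensitive": sensitive_access(u)}
            for u in USER_ROLES}


if __name__ == "__main__":
    for user, findings in report().items():
        print(user, findings)
```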
Organisations can tailor the SAP system to fit their business needs including a selection of configurable and inherent controls. Understanding the selection process behind these controls is critical to the audit approach. Allowing purchase orders, for example, to be approved automatically through the system is considered a configurable automated control.
However, the client may also choose not to implement this functionality and address this risk through a manual control. Auditors need to understand the controls the client has chosen to implement and the matrix of controls that they place reliance on to mitigate one or more risks.
Types of Controls
In SAP there are four types of controls that an audit client can utilise in order to create a secure environment: inherent controls, configurable controls, application security, and manual reviews of SAP reports.
Typically access or configurable controls are executed by the SAP system and are preventive in nature. On the other hand, manual controls including manual reviews of reports are executed by an employee and are mainly detective in nature. For example, in the procure-to-pay (P2P) process of SAP, there are standard automated controls such as three-way matching (matching of purchase orders, goods receipt and invoices). The client may choose to adopt four-way matching, or two-way matching of invoices, therefore requiring customisation to suit their specific processes.
Each client will use a different mix of controls in order to achieve their specific control objectives, and because of the complexity of the SAP application, auditing around the system to gain control assurance is not an option. Therefore the audit approach needs to be tailored for each situation appropriately. It is also important to highlight that SAP delivers several controls that are inherent within the SAP environment. An example of an inherent control is that journal entries must balance prior to posting in SAP.
In SAP it is important to understand the link between configurable controls and access controls. In order to achieve the control objective there may be a mix of configurable and access controls that create a control solution. For example, “Purchase orders over £1m get blocked automatically and cannot be processed.” This sounds like a configurable control, but is actually both a configurable control and an access control, as it deals with the configuration of the Purchasing Release Strategy within SAP and deals with who has access to create and approve a PO.
Another example is “Purchase Orders over US$1m must be approved by the manager.” This sounds like an access control, but it is a configurable control as well due to the configuration needed for the release strategy. In fact, these are complementary controls: two controls covering the same risk together. Without one control, the other cannot cover the risk to the same precision. The auditor should test both the configuration and access aspects of these controls, so it is important that they are identified by the auditor and classified appropriately.
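The release-strategy examples above, modelled as an added example that is not part of the original article: the value thresholds, release codes and user assignments are constructed, and the model is a simplification of SAP's release procedure used only to show that the configuration (which release codes a value requires, and the block above £1m) and the access control (who holds each release code) must both be tested.

```python
# Added example: a simplified purchase-order release strategy. The
# configurable part is RELEASE_STRATEGY; the access part is USER_RELEASE_CODES.
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    net_value: float  # constructed, in GBP


# Configurable control (constructed): a PO above each threshold needs the
# listed release code; None means the PO is blocked outright.
RELEASE_STRATEGY = [
    (0, "R1"),           # buyer release for every PO
    (100_000, "R2"),     # manager release above £100k
    (1_000_000, None),   # above £1m: blocked, nobody can release it
]
# Access control (constructed): release codes each user is authorised for.
USER_RELEASE_CODES = {"dave": {"R1"}, "erin": {"R1", "R2"}}


def required_release_codes(po):
    """Codes the configuration demands for this PO, or None if blocked."""
    codes = []
    for threshold, code in RELEASE_STRATEGY:
        if po.net_value > threshold:
            if code is None:
                return None
            codes.append(code)
    return codes


def release(po, user, approvals):
    """One release step by `user`. Returns (ok, updated approvals, reason)."""
    needed = required_release_codes(po)
    if needed is None:
        return False, set(approvals), "blocked by configuration (over £1m)"
    outstanding = [c for c in needed if c not in approvals]
    if not outstanding:
        return True, set(approvals), "already fully released"
    next_code = outstanding[0]
    if next_code not in USER_RELEASE_CODES.get(user, set()):
        return False, set(approvals), f"{user} lacks release code {next_code}"
    return True, set(approvals) | {next_code}, f"{user} released {next_code}"


def is_released(po, approvals):
    """True only when every configured release code has been granted."""
    needed = required_release_codes(po)
    return needed is not None and all(c in approvals for c in needed)
```

An audit test of the configuration alone would not catch "dave" holding R2 in a role he should not have, and a test of access alone would not catch the £1m block being set to £10m; the two checks cover the risk only together.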