There are many businesses that utilize SAP applications so they can plan activities and resources. However, range and flexibility can make SAP very challenging to audit.
SAP (systems, applications, products) is very configurable, and the implementation of it varies, even within the different departments of one business. Non-financial and financial departments are both affected by SAP.
Occurring at the same time, the control of operations that are within the system is necessary to keep the financial environment robust. Therefore, it is imperative that SAP is fully understood, and the way it is used during the audit process. When auditing SAP in a business environment, several unique factors can impact the approach and scope of the audit.
Business Processes
Most business processes are covered by SAP, and when there is a change in this process, it can directly affect the audit process. The percentage of the audit that is affected is dependent on the challenges of the system in place. Thus, any changes in the configuration and setup of the system, or the creation of new processes, can result in new functionalities or new modules of SAP.
For example, a business owner may decide to retire a legacy purchasing system and relocate this function to SAP. Previously, manual approval would have been required to control the keys of purchase, but when the business owner decides to setup fiori launchpad, approval for the process is automatic.
This is why it is important to make sure that adequate controls are in place to minimize risks, maintain access security by users and automate the workflow process.
Sensitivity and Segregation
In order for an audit to be successful, the auditor must have a good understanding of the SAP’s authorization concept design. There are some instances when the security design (authorization concept) is so ineffective that users will gain inadvertent access to unauthorized or unnecessary transactions.
Therefore, the implementation and design of the SAP security and control of access is extremely important to make sure the duties are segregated, and this segregation is maintained so access to transactions that are sensitive is well-controlled.
Conflicts with segregation of duties can occur when one user is permitted access to conflicting transactions. For example, a conflict can arise if a user is assigned to amend the details of a vendor on the master list and is also granted access to create a purchase order. It is important there is a clear map of the processes of the business as well as the identification of responsibilities and roles so the audit can be effectively completed.
Selection Control
Businesses customize a SAP system so that it meets the needs of the organization. This includes selecting inherent and configurable controls, application security, manual reviews and configurable controls of SAP reports.
Every business will use a mixture of different controls so they can achieve certain control objectives. Because SAP applications are complex, it is not an option to audit around the system so control assurance is gained.
Adequately working SAP applications are necessary if a business wants to keep track of their resources. Overcoming the challenges with a SAP audit will help reduce security risks and give business owners more control over applications.
