
SAP: Business Process Controls and AIS

Jennifer Hahn
Michael Juergens
Deloitte & Touche

ISACA Spring Conference


April 27, 1999

Presentation Outline

■ SAP Module Overview
■ SAP Business Process Overview
■ Audit Information System (AIS) Overview

© 1999 Deloitte & Touche LLP. All rights reserved. Bpcontrols.ppt 2

SAP Module Overview

SAP R/3 Modules


R/3 Client / Server ABAP/4

● SD - Sales & Distribution
● MM - Materials Mgmt.
● PP - Production Planning
● QM - Quality Management
● PM - Plant Maintenance
● HR - Human Resources
● FI - Financial Accounting
● CO - Controlling
● AM - Fixed Assets Mgmt.
● PS - Project System
● WF - Workflow
● IS - Industry Solutions

SAP Modules - Functional Category

■ Financial Applications
– FI, CO, EC, IM, TR, AM, PS
■ Logistics Applications
– SD, MM, PM, PP, QM, LO
■ Human Resources
– PA, PD
■ Cross Applications
– WF, OC, AL, CAD, DMS, ALE, EDI, I/Net, EC
■ Industry Solutions
– IS

Financial Accounting (FI)

● General Ledger
● Accounts Receivable
● Accounts Payable
● Tax and Financial Reports
● Special Purpose Ledger
● Legal Consolidations

Financial Applications

Controlling (CO)

● Cost Center Accounting
● Profit Center Accounting
● Product Cost Controlling
● Profitability Analysis
● Activity Cost Management
● Internal Orders

Financial Applications

Fixed Asset Management (AM)

● Depreciation
● Property Values
● Insurance Policies
● Capital Investment Grants

Financial Applications

Project System (PS)

● Project Tracking
● Work Breakdown Structure
● Budget Management
● Cost and Revenue Planning
● Networks and Resources

Financial Applications

Sales and Distribution (SD)

● Computer Aided Sales
● Quotations
● Sales Order Management
● Pricing
● Delivery
● Invoicing

Logistics Applications

Materials Management (MM)

● Procurement
● Inventory Management
● Vendor Evaluation
● Invoice Verification
● Warehouse Management

Logistics Applications

Production Planning (PP)

● Sales & Operations Planning
● Demand Management
● Material Requirements Planning
● Production Activity Control
● Capacity Planning

Logistics Applications

Quality Management (QM)

● Quality Certificates
● Inspection Processing
● Planning Tools
● Quality Control
● Quality Notifications

Logistics Applications

Plant Maintenance (PM)

● Plant Maintenance
● Equipment and Technical Objects
● Preventive Maintenance
● Service Management
● Maintenance Order Management

Logistics Applications

Human Resources (HR)

● Personnel Administration
● Payroll, Benefits
● Time Management
● Planning and Development
● Organization Management

Human Resources

Cross Applications (WF)

● SAP Business Workflow
● SAP Office
● SAP ArchiveLink
● EDI
● Communication
● Application Link Enabled (ALE)
● Others

Cross Applications

Industry Solutions (IS)

● Banks
● Hospitals
● Oil Companies
● Publishing Sector
● Telecommunications
● Retail
● Utilities
● Others

Industry Solutions

Basis Component Overview
Basis Component (BC)

● ABAP/4 Development Workbench
● Computer Center Management System
● Authorization Concept
● Transport System
● Database Administration

Basis Component

SAP Business Process Overview
SAP Business Processes

■ Over 1200 business processes defined by SAP
– Highly flexible
– Customized to fit each company
– Companies choose the business processes that they want to implement
■ Every SAP installation is different
– It is important to have a clear understanding of the business processes that are affected by the SAP implementation
– These business processes should be mapped to the corresponding SAP modules that are implemented

Example Business Process - Sales

[Process flow diagram; labels recoverable from the slide:]
● Planning, MPS, Product Costing, Profitability Analysis
● Sales Order, MRP run, Planned Order, Production Order, Delivery, Billing, Customer Payment
● Goods Issue, Goods Receipt, Goods Issue
● Purchase Requisition, Purchase Order, Goods Receipt, Invoice Receipt, Vendor Payment
● Raw, Finished
● Vendor, Customer, G/L Account, Material
● Modules: MM, PP, SD, FI/CO

Linking SAP Modules, Business Processes and Audit

Audit Challenges

■ SAP Modules
– Three Main Functional Categories
– Multitude of Modules
– Multitude of Sub-Modules
■ SAP Business Processes
– 1200+ Processes
■ Audit Processes
– Business Process Cycles

Linking Audit Cycles to SAP Modules

Audit Business Cycles
● Treasury
● Fixed Assets
● Expenditure
● Revenue
● Inventory Management
● Payroll and Personnel

SAP Module Functional Category
● Financial Applications
● Logistics Applications
● Human Resources
● Basis Component
● Cross Applications
● Industry Solutions

Audit Information System (AIS)
AIS - History and Background

■ Requested by
– Internal Auditors,
– External Auditors, and
– Company Management
■ Designed by SAP in response to requirements for a tool to find, evaluate and download information from SAP easily
■ Includes:
– Audit Report Tree (transaction code: SECR)
– Report tree includes Systems and Financial audit tasks, reports and tests for additional modules are under development
– Evaluation and notes can be entered into the specific tasks to monitor progress of tasks

AIS - History and Background

■ To provide a mechanism and structure for collection and presentation of standard SAP reporting
■ The goal is improvement of audit quality through real-time auditing
■ To provide company specific, individual selection and preparation of data needs and requirements for reporting and review
■ To provide the ability to download data into flat files for analysis with external tools
– AuditAgent
– ACL
– IDEA
– Baetge

[Diagram labels: AIS, SAP - DB]

What is AIS?

■ A collection of SAP reports / queries based on a reporting tree
■ A tool for auditing an SAP system
■ Utilizes existing SAP functionality
■ Designed to rationalize and facilitate the audit process
■ Organizes all audit related activities under one umbrella
■ Aims to improve the quality of an audit

What does AIS do?

[Figures not reproduced. © 1998 SAP AG. All rights reserved.]

AIS Features and Functions

■ Tool for performing both System and Business Audits
■ Provides auditors with the ability to document and monitor the progress of an audit
■ Reports and queries can be customized for each user
■ Allows auditors to evaluate information or download data to be used by CAAT tools such as ACL
■ Different views allow external auditors (both financial and systems auditors) and internal auditors to use the system simultaneously

AIS - System Audits

■ Using the AIS System Audit tree users can:
– Review system configuration settings
– Review parameter settings
– Monitor operations
– Review various logs
– Review background processing
– Review security settings
– Perform user security audits
– Review transport related activities
– Review print and spool administration

AIS - Business Audits

■ Using the AIS Business Audit tree users can:
– Perform various audit related queries
– Produce various audit related reports
– Review organization structure
– Review document structure, ranges, posting keys etc.
– Review client setup (number of accounts, assets, customers, vendors, materials etc.)
– Review chart of accounts
– Produce financial reports (balance sheets, P&L, ratio analysis etc.)
– Review account balances

Audit Status Analysis

■ AIS uses Status Analysis functionality to:
– Summarize, maintain and monitor details of the audit progress of specific testing, and for audit management
– Easily and quickly identify problem areas
– Document results of tests offering drill-down functionality
– Notes exist in SAP R/3 version 3.1G+

Audit Status Analysis

■ Status Analysis functionality and capabilities improve the ability of Audit management to track tasks performed within SAP:
– Percentage of completed audit steps for an audit objective via traffic lights
– Creation of separate documentation for the node of each separate user view
– Ability to identify the number of views a node is assigned to, with the associated status of completion for each view
– Tracking of changes made to the notes to a responsible person


Audit Report Tree

■ The audit report tree contains two standard views:
– Financial Audit (AUDIT_FI)
– Systems Audit (AUDIT_SECR)
■ Each view contains:
– Auditing procedures and documentation tools
– Audit evaluations (including data and key controls within the configuration)
– Data download tools through links to Data Analysis Tools, such as ACL (automated) or IDEA (through Monarch)


AIS and SAP versions

■ Versions 3.1I and 4.5B+
– An integral part of the SAP Basis Component
■ Only works on certain releases of R/3
– 3.0D, 3.0E, 3.0F
– 3.1G, 3.1H, 3.1I
– 4.0A, 4.0B, 4.0C
– 4.5A, 4.5B, 4.6A
■ Not all functions are available in each version, as functionality is based on the release level

AIS - Relevant OSS Notes

■ Online System Support (OSS) Notes:
– 13719 - Transport Files to load AIS onto SAP for versions 3.0D on
– 41475 - Copying report variants between clients
– 77503 - AIS Overview, Auditor’s configuration of Views, Variants and Ratios
– 85344 - Performance concerns when AIS is installed
– 100609 - Basis Installation Steps
– 128256 - Missing English Texts
– 129170 - Download of Query Data
– 133914 - Conversion of drill-down reports

AIS Business Case
AIS Advantages

■ Centralized auditing
■ Continuous auditing
■ Teaming of internal and external audit efforts
■ More efficient use of time
■ One report tree
■ Simplify data extraction
■ Potential to have all SAP reports in AIS only
■ Custom views
■ AIS is free


AIS Disadvantages

■ Variant review after every SAP upgrade
■ Reports must be configured
■ SAP knowledge required to interpret results
■ Over auditing
■ Under auditing
■ Access to SAP
■ Auditability of the Financial (FI) module only
■ Reliance on the SAP system is assumed
■ AIS is not mature

Questions and Information

Presenter Information:
Jennifer Hahn
714-436-7171
Michael Juergens
714-436-7276
