Date: 29 September 2009 Speaker: Rick Fowler
Webcast on SOX & SAP
§ Introduction
§ SAP automated controls
§ Testing automated controls
§ Conclusion
§ Questions & Comments
Real Experience. Real Advantage.
§ Rick Fowler, CISA, CFE
§ 10+ years of internal audit experience
  § Currently with Northrop Grumman
  § Previous experience with the Virginia Information Technologies Agency (VITA), Virginia Department of Social Services (DSS), Circuit City Stores, SunTrust Bank, and Crestar Bank.
§ 15+ years of engineering, quality control, IT, and program management experience
  § Newport News Shipbuilding and US Navy.
§ Program Chair of the ASUG Internal Controls Special Interest Group (SIG)

§ Objectives for today’s webcast
  § Start off with some basics on internal controls and SOX
  § Address some of the major internal controls in SAP
    § I will be focusing on SAP business processes and their controls, not general computer controls.
    § GCC may be an option for a future webcast – let the Internal Controls SIG Program Chair know
  § Ways to test SAP automated controls
§ There should be time for Q&A at the end.
§ Caveat – I’m good at this, but not an expert. If I can’t answer your questions, though, I will get back to you.
Introduction – ASUG & Internal Controls SIG
§ Internal Controls SIG
  § Part of ASUG Financials Community
  § Has a large membership across many industries
  § SIG members represent all ASUG communities and most SIGs
  § Discussions and forums cover a variety of internal control topics
  § We have a volunteer position available…
§ Participation in the Internal Controls SIG is voluntary, and any member of ASUG can take advantage of our group knowledge
§ Did I mention we have an opening for a volunteer? Expertise is nice but not required – all you need is a desire to participate.
§ What exactly do we mean by “internal controls”?

Introduction – Internal controls in general
§ A control is very much just like it sounds
  § A process, procedure, or parameter that controls or limits your actions
  § “Hard” control – you need a key to start the car
  § “Hard” control – you need a password and user ID to log on a network
  § “Soft” control – speed limit signs (not very effective)
  § “Soft” control – signature authority
§ Also includes those activities that control or limit others
  § Log reviews – looking for inappropriate system access
  § Bank statement reconciliation – looking for bank errors
§ Internal controls are the controls we impose on ourselves, both personally and organizationally

Introduction – Internal controls in SAP
§ SAP has numerous hard and soft controls included in its configuration
  § User ID and password
  § Assigned roles and profiles
  § IMG settings
  § Customizable configurations
§ A key feature of SAP controls – Authorization Objects
  § A key building block of SAP security
  § Associated with transactions
  § Provides for specific access via activity codes

Introduction – Internal controls in SAP (screenshot slide)

Introduction – Sarbanes-Oxley Act
§ The Sarbanes-Oxley Act of 2002
  § Also known as the Public Company Accounting Reform and Investor Protection Act of 2002
  § Commonly called Sarbanes-Oxley, Sarbox or SOX.
§ SOX is a United States federal law enacted as a reaction to a number of major corporate and accounting scandals including Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.

Introduction – Sarbanes-Oxley Act
§ Section 302: Internal controls
  § Mandates a set of internal procedures designed to ensure accurate financial disclosure.
  § The signing officers must certify that they are “responsible for establishing and maintaining internal controls.”
  § Officers must “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report.”

Introduction – Sarbanes-Oxley Act
§ Section 404: Assessment of internal control
  § Requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting (ICFR). Among other requirements:
    § Assess design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions
    § Understand the flow of transactions, including IT aspects, sufficiently to identify points at which a misstatement could arise

Introduction – Sarbanes-Oxley Act
There are a vast number of processes involved in any business. Most of these processes have internal controls associated with them to ensure the process works. Many of these are manual controls that are not associated with SAP:
§ Signatures indicating reviews
§ Checklists indicating process steps performed
§ Management meetings to discuss risks
§ Etc.
But we’re here to discuss SAP and automated controls.

Automated Controls – Segregation of Duties
§ Also referred to as “separation of duties” or “SOD,” this is the most common control across all industries and processes.
§ This is a basic internal control that prevents or detects errors and irregularities by assigning responsibility for initiating and recording transactions and for custody of assets to separate individuals. (from ISACA)
§ From a business perspective, SOD is used to ensure that no single person is in a position to introduce fraudulent financial transactions without detection.
§ From an IT perspective, SOD is used to ensure that no single person is in a position to introduce fraudulent or malicious code without detection.

Automated Controls – Segregation of Duties
§ There is no prohibition against any combination of roles, profiles, or transactions in SAP!!
§ SAP, as an ERP, will permit all users to have SAP_ALL.
§ Needless to say, that’s not recommended…
§ Roles and Profiles are assigned to each user.
§ Roles can include many authorizations.
§ The question is, which ones are appropriate?

Automated Controls – Segregation of Duties
§ Identifying who can do what is management’s responsibility, not the auditor’s.
§ Auditors review assigned roles and permissions.
  § Determine if the access represents an SOD violation. Note that mitigating controls may exist.
§ A brief aside on mitigating controls –
  § Not all controls are possible or practical in all organizations, including SOD controls.
  § Is there another way to obtain a similar level of control over an activity?
  § Consider periodic monitoring, reports, etc.

Automated Controls – Limited Access
§ Access to SAP should be based upon the user’s current assigned duties
  § Jobs can change over time, or people can transfer
  § Last year’s roles may no longer be part of the job
§ Management should be reviewing access periodically
§ Auditors will verify access to production systems
  § Some auditors also test access to DEV & TST
§ Limited access differs from SOD –
  § if I have just 1 transaction, there is no SOD issue
  § if that transaction is not part of my job, there is an access issue

Automated Controls – 3-Way Match
§ A 3-way match is another powerful control offered in SAP.
§ Ensures that, before a payment can be made, a valid PO, a valid invoice, and a proper goods receipt exist.
§ Referring back to SOD, it’s a good idea to try and keep these 3 responsibilities out of one person’s access.
§ A 3-way match is not always applicable:
  § Services often do not have a GR component
  § Some vendors may be set up for autopay w/o GR
  § A 2-way match can be configured
§ Tolerance limits on received quantity or invoiced cost may prevent a payment.

Automated Controls – Transaction Limits
§ Transactions may also be limited in SAP based on established tolerances (cost, quantity ordered, quantity received, dates, etc.)
  § This allows orders to be placed up to the approver’s dollar authority limit
  § This allows for partial shipments to be received and invoiced
  § This allows for modest price fluctuations in received goods
§ Business management should establish these limits
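The two slides above describe the 3-way match and the tolerance limits that govern it. The following is an added example, not from the webcast or from SAP, that shows the logic of such a control in plain Python: a 3-way match when the PO carries the Goods Receipt indicator, a 2-way match (PO and invoice only) when it does not, and tolerance checks on price and quantity that block payment when exceeded. The data classes, the tolerance keys and every sample value are constructed for illustration; SAP's own tolerance categories are not modelled.

```python
"""Added example (not from the ASUG slides): a 3-way / 2-way invoice match
with tolerance limits. The data model, tolerance keys and sample values are
constructed here for illustration; SAP's tolerance categories are not modelled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PurchaseOrder:
    po_number: str
    quantity: float      # quantity ordered
    unit_price: float    # agreed price per unit
    gr_required: bool    # Goods Receipt indicator: True -> 3-way match


@dataclass
class GoodsReceipt:
    po_number: str
    quantity: float      # quantity actually received


@dataclass
class Invoice:
    po_number: str
    quantity: float      # quantity billed
    unit_price: float    # price billed per unit


# Tolerances are set by business management; these values are constructed.
TOLERANCES = {
    "qty_over_pct": 5.0,      # invoiced/received qty may exceed PO qty by 5 %
    "price_var_pct": 2.0,     # unit price may vary from PO price by 2 %
    "price_var_abs": 25.00,   # ... but never by more than 25.00 per unit
}


def _pct_over(actual: float, expected: float) -> float:
    """Percentage by which actual exceeds expected (negative if under)."""
    return (actual - expected) / expected * 100.0


def match_invoice(po: PurchaseOrder, inv: Invoice,
                  gr: Optional[GoodsReceipt],
                  tol: dict = TOLERANCES) -> tuple[bool, list[str]]:
    """Return (payment_released, blocking_reasons).

    3-way match: PO, invoice and goods receipt must agree within tolerance.
    2-way match: when the PO carries no GR indicator (services, autopay
    vendors), only PO and invoice are compared.
    """
    reasons = []

    if inv.po_number != po.po_number:
        return False, ["invoice references a different PO"]

    # PO vs invoice: price tolerance (percentage and absolute ceiling)
    price_pct = abs(_pct_over(inv.unit_price, po.unit_price))
    price_abs = abs(inv.unit_price - po.unit_price)
    if price_pct > tol["price_var_pct"] or price_abs > tol["price_var_abs"]:
        reasons.append(f"price variance {price_pct:.1f}% exceeds tolerance")

    # PO vs invoice: quantity billed may not exceed PO quantity + tolerance
    if _pct_over(inv.quantity, po.quantity) > tol["qty_over_pct"]:
        reasons.append("invoiced quantity exceeds PO quantity tolerance")

    if po.gr_required:
        # 3-way: a goods receipt must exist and must cover what is invoiced
        if gr is None or gr.po_number != po.po_number:
            reasons.append("no goods receipt for this PO (GR indicator set)")
        else:
            if _pct_over(gr.quantity, po.quantity) > tol["qty_over_pct"]:
                reasons.append("received quantity exceeds PO quantity tolerance")
            if inv.quantity > gr.quantity:
                # Partial shipments are fine; billing more than received is not.
                reasons.append("invoiced quantity exceeds quantity received")

    return (not reasons), reasons


def demo() -> dict:
    """Constructed sample cases; returns the outcome of each for inspection."""
    po = PurchaseOrder("4500001234", quantity=100, unit_price=10.00, gr_required=True)
    partial_gr = GoodsReceipt("4500001234", quantity=60)
    return {
        # partial shipment, invoice matches receipt, 1.5 % price drift -> pay
        "partial_ok": match_invoice(po, Invoice("4500001234", 60, 10.15), partial_gr),
        # invoice bills the full PO although only 60 were received -> block
        "over_billed": match_invoice(po, Invoice("4500001234", 100, 10.00), partial_gr),
        # GR indicator set but no receipt posted -> block
        "missing_gr": match_invoice(po, Invoice("4500001234", 60, 10.00), None),
        # service PO without GR indicator: 2-way match only -> pay
        "service_2way": match_invoice(
            PurchaseOrder("4500009999", 1, 5000.00, gr_required=False),
            Invoice("4500009999", 1, 5000.00), None),
    }
```

Reviewing the configuration (later slides: OMR6 for tolerance categories, the Goods Receipt indicator in the account assignment) amounts to confirming that the live system applies the equivalent of `gr_required` and `TOLERANCES`; a tolerance left wide open, or a GR indicator that is not set for a vendor that ships goods, turns the control into a 2-way match without anyone having decided that.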
Automated Controls – Other
§ Work flow
  § Who can initiate a key transaction?
  § Who must approve a key transaction?
  § Who can kick off a batch program (and when)?
§ Master data
  § Who has access to modify master data tables?
  § Who has access to master data transactions?
§ Other system access limits
  § Who can do remote function calls (RFC)?
  § Who on the Basis team has production access?

Testing Automated Controls – Access
1. What are the key transactions?
  § Obtain from business management
  § May be part of documented business process narratives
  § Are there display-only transactions listed? FS03, MB03
  § Are parallel transactions included? FK01, MK01, XK01
  § Are the critical “Z” transactions included? Are there any?
2. Check the information – does it make sense?
  § Check with business management if there are questions
3. Checking access using SAP directly
  § Method 1: by role
  § Method 2: by transaction code
  § Method 3: by authorization object
4. Verify that the users who have access should have access
  § Is there a need for anyone in IT to have production access?

Testing Automated Controls – Access
Method 1: by role
§ SUIM → Roles → By Transaction Assignment
§ Enter key transaction
§ Identify the roles with access to the key transaction
§ Are these roles appropriate?
§ Repeat for other key transactions
Method 2: by transaction code
§ SUIM → User → Users by Complex Selection Criteria → Users by Complex Selection Criteria
§ Enter key transaction
§ Identify the users with access to the key transaction
§ Are these users appropriate?
§ Repeat for other transactions

Testing Automated Controls – Access
Method 3: by authorization object
§ SU22 → Enter key transaction(s)
  § Identify the check objects for each transaction
  § SAP can save these in Word or Excel format for reference
§ SUIM → User → Users by Complex Selection Criteria → Users by Complex Selection Criteria
  § Enter the authorization objects and values for the check objects of the key transaction
  § May require multiple iterations if there are more than three check objects for the transaction
  § Identify the users with access to these authorization objects
  § Are these users appropriate?
  § Repeat for other transactions

Testing Automated Controls – Access (screenshot slides)
§ Method 1 example – finding roles for transaction ME21N
§ Method 1 example – many roles may include a key transaction
§ Method 2 example – finding users with access to transaction F-22
§ Method 2 example – many users may have access to a particular key transaction
§ Method 3 example – SU22 for a key transaction
§ Method 3 example – Authorization objects
§ Method 3 example – Check objects
§ Method 3 example – SUIM: enter the check objects (field values from SU22). If more than 3 check objects exist, then you will need to repeat this process (only users common to all iterations will have access to the transaction).

Testing Automated Controls – Access
§ There are automated tools to help with this process, such as SAP’s GRC Access Control: (screenshot)
§ Based on established rules, this tool will help maintain the appropriate access assignments: (screenshot)

Testing Automated Controls – Access
§ Other tools are also available:
  § Approva
    § Similar to SAP’s GRC Access Control in functionality
  § ACL with SAP Direct Link
    § Scripts need to be developed to access the correct tables for data collection and then to analyze the results
  § IDEAS, SAS, etc. can also be scripted to analyze SAP data
    § Need to obtain RFC links and login parameters
  § Tools will save you many, many hours of data collection

Testing Automated Controls – SOD
§ Testing for SOD follows from the access testing previously described.
§ Work with the business management to identify the duties (the SAP access) that need to be segregated.
§ Not every organization will have the same structure, so SOD matrices are not generally sharable.
§ Testing SOD conflicts can be done with a spreadsheet.
§ As noted before, some SOD violations may be unavoidable due to limited personnel resources – consider how to identify and test the mitigating controls in such cases.

Testing Automated Controls – SOD
§ One method I’ve used is to group the job functions in columns and list the users in rows.
§ For each user, list the transactions in the appropriate column (these are from the access review previously discussed).
§ Where more than one column has an entry, determine whether this is appropriate or not.
§ Many combinations are acceptable – see if you can identify an intentional or accidental combination of transactions that could be fraudulent or produce errors in the financial statements.
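The Method 3 note above (intersect the users returned by each SUIM pass when a transaction has more than three check objects) and the spreadsheet SOD matrix just described are two steps of one review, so here is one added example covering both. It is not from the webcast or from SAP: the user names, the SUIM result sets, the column definitions and the conflict pairs are constructed sample data; ME21N, F-22, FK01, MK01 and XK01 are the transaction codes named on the slides, while MIGO and F110 are standard SAP codes added only to fill out the example, and the check-object names are placeholders (the real list comes from SU22).

```python
"""Added example, not from the ASUG slides: Method 3 intersection of SUIM
passes, then the SOD matrix described by the speaker (job functions in
columns, users in rows, transactions in the cells). All user names, SUIM
result sets, column definitions and conflict pairs are constructed."""
from collections import defaultdict
from itertools import combinations

SUIM_BATCH_SIZE = 3   # slide: SUIM takes at most three check objects per pass


def users_with_transaction(hits_by_object):
    """Method 3: a user can execute the transaction only if they hold every
    check object SU22 lists for it. With more than three objects the SUIM
    query is repeated per batch; only users common to all passes count."""
    objects = sorted(hits_by_object)
    if not objects:
        return set()
    common = None
    for i in range(0, len(objects), SUIM_BATCH_SIZE):
        batch = objects[i:i + SUIM_BATCH_SIZE]
        # One SUIM pass: users holding all objects of this batch
        pass_users = set.intersection(*(hits_by_object[o] for o in batch))
        common = pass_users if common is None else common & pass_users
    return common


# Columns of the matrix: job functions and the key transactions in each.
# Constructed mapping; the real one comes from business management.
JOB_FUNCTIONS = {
    "vendor_master": {"FK01", "MK01", "XK01"},   # parallel create-vendor tcodes
    "purchasing": {"ME21N"},                      # create purchase order
    "goods_receipt": {"MIGO"},                    # post goods receipt
    "fi_document_entry": {"F-22"},                # FI document posting
    "payment_run": {"F110"},                      # execute payment run
}

# Column pairs that must be segregated (constructed ruleset).
CONFLICTS = {
    frozenset({"vendor_master", "fi_document_entry"}),
    frozenset({"vendor_master", "payment_run"}),
    frozenset({"purchasing", "goods_receipt"}),
    frozenset({"purchasing", "fi_document_entry"}),
    frozenset({"fi_document_entry", "payment_run"}),
}


def build_sod_matrix(access):
    """access: {user: set of tcodes}. Returns {user: {column: tcodes in it}};
    transactions outside every column are not part of the review and drop out."""
    matrix = defaultdict(dict)
    for user, tcodes in access.items():
        for column, column_tcodes in JOB_FUNCTIONS.items():
            hit = tcodes & column_tcodes
            if hit:
                matrix[user][column] = hit
    return dict(matrix)


def find_sod_conflicts(matrix):
    """Flag users whose row has entries in two columns that form a known
    conflict pair. Other multi-column rows still need the reviewer's
    judgement ("Many combinations are acceptable") and are not flagged."""
    findings = {}
    for user, columns in matrix.items():
        pairs = sorted(tuple(sorted(p)) for p in combinations(columns, 2)
                       if frozenset(p) in CONFLICTS)
        if pairs:
            findings[user] = pairs
    return findings


def demo():
    """Constructed review data; returns the conflicts found."""
    # Method 3 for ME21N with four placeholder check objects -> two SUIM
    # passes (3 + 1) whose user lists are intersected.
    me21n_hits = {
        "OBJ_A": {"ASMITH", "BJONES", "CLEE", "DKIM"},
        "OBJ_B": {"ASMITH", "BJONES", "CLEE"},
        "OBJ_C": {"ASMITH", "BJONES", "DKIM"},
        "OBJ_D": {"ASMITH", "BJONES", "CLEE", "DKIM"},
    }
    access = defaultdict(set)
    for user in users_with_transaction(me21n_hits):
        access[user].add("ME21N")
    # Method 2 results (users by transaction code) for the other key tcodes
    for tcode, users in {"F-22": {"ASMITH", "CLEE"}, "XK01": {"DKIM"},
                         "MIGO": {"BJONES", "DKIM"}, "F110": {"DKIM"}}.items():
        for user in users:
            access[user].add(tcode)
    return find_sod_conflicts(build_sod_matrix(access))
```

In the constructed data CLEE and DKIM each lack one of the four check objects, so the intersection correctly excludes them from ME21N even though every single SUIM pass lists them; a reviewer who stopped after the first pass would over-count access. The conflict list is deliberately explicit rather than "any two columns", matching the slide's point that many combinations are acceptable and that the matrix belongs to the organization, not to a shared template.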
Testing Automated Controls – SOD
§ Again, automated controls can make the process easier: (screenshot)

Testing Automated Controls – Configuration
§ Used to control many other SAP functions
  § Tolerance limits for 3-way (and 2-way) matching
  § GR Indicator flag
  § Automatic posting to GL
  § Depreciation
  § etc.
§ Testing the configuration settings may require assistance from the Basis Team

Testing Automated Controls – Configuration
§ Goods Receipt Indicator – this setting requires the goods to be received before a payment can be made
  § Transaction SPRO → Display IMG → Materials Management → Purchasing → Account Assignment → Maintain Account Assignment
  § Select the account category, click on “Details”
  § Verify that the “Goods Receipt” block is checked
§ Tolerance Limits – defines how “exact” a match must be for automatic payment processing of an invoice
  § Transaction OMR6 – display tolerance limit categories
  § For each category, select and view the tolerance (may be set at 0)
§ Automatic Postings – identifies the various procedures that generate automatic postings to the General Ledger
  § Transaction OBYC – display automatic posting procedures
  § For critical transactions, select procedure and verify account settings

Testing Automated Controls – Configuration
§ Payroll processing
  § Differs from company to company
  § My company uses a legacy timekeeping system and a 3rd-party payroll processor
  § My tests will differ from yours, but may be useful
    § 1. Code review – I review the program code used in time collection, approval, and reporting to verify inputs (time clock pairs, no auto-approvals, no mystery files)
    § 2. Processing review – I look at the batch processing for daily time collection to verify it kicks off routinely and will notify operations if there is a problem or abend
    § 3. Demographic file – I review the process that provides the weekly demographic file to the processor to verify that the data comes from our HR records only
  § Similar testing can be done with your local process

Conclusion
§ For public companies, SOX is required
§ For all companies, SAP offers features to monitor and improve internal controls
§ ASUG and the Internal Controls SIG are here to help
§ By the way, we have an opening for a SIG volunteer…

Questions, Comments, Suggestions

§ Thank you.