
1 ISACA JOURNAL VOLUME 6, 2009

Book Review

Security, Audit and Control Features SAP ERP, 3rd Edition

Published by ISACA

Reviewed by Pam Kammermeier, CISA, who is IT manager at Altran Control Solutions, USA. She has more than 12 years' audit experience and 20-plus years' IT experience.

Security, Audit and Control Features SAP ERP, 3rd Edition, is a must-have for any finance, operational or IT auditor or risk management, IT security or compliance professional, especially those beginning their work in an SAP environment. It is also an excellent reference for experienced SAP auditors and other experts and those IT and business managers responsible for SAP control processes. Through study and application of the how-to control and audit activities found in the third edition, even the new SAP auditor will have the potential to quickly rise to SAP best practice audit and control standards.

There are five broad topic areas within Security, Audit and Control Features SAP ERP, 3rd Edition:

• The preparatory section (chapters 1 to 4) includes an introduction to enterprise resource planning (ERP) system fundamentals and SAP's ERP system basics, followed by recommended risk management and audit methods. These chapters provide a necessary foundation for any SAP audit professional.

• The business cycle section (chapters 5 to 10) consists of a general overview of the SAP revenue, expenditure and inventory business cycle processes, including activity flows and controls. This section also includes audit considerations: risk, controls and detailed testing steps. The business cycle chapters provide the necessary knowledge base for both finance and IT auditors in understanding SAP ERP. The auditing chapters provide substantial information outlining risk, key controls and detailed testing guidance.

• The IT auditing section (chapters 11 and 12) lays the foundation for system administration (SAP Basis administration), describes in detail the risks and controls central to SAP system administration, and details techniques any auditor could follow when testing control effectiveness. This chapter shows the IT auditor not only how to effectively test Basis controls but also how to identify additional custom-developed objects that may require testing. Although the IT auditing section contains information necessary to perform the SAP production system IT audit, auditing the technical client used to implement system patches, updates and upgrades is not addressed.

• The last two chapters (13 and 14) describe ERP system control concerns; SAP tools that address governance, risk and compliance; future ERP and SAP directions; and other discussions relevant to auditing SAP. Though audit guidance in these chapters applies specifically to the SAP tool set, the audit considerations could easily be applied to any of the provisioning tools.

Finally, Security, Audit and Control Features SAP ERP, 3rd Edition, concludes with appendices including:

• Audit programs with detailed audit task work steps and a COBIT cross-reference
• Internal control questionnaires for the three business cycles and Basis
• Recommended SAP transactions to be locked and tables to be logged and reviewed

In conclusion, the third edition is required reading for any SAP audit, control, risk or security professional. For many, this book will become a well-worn reference, guiding them through their daily SAP ERP tasks. For others, it will remain a one-time or occasional read to enhance their basic understanding of SAP ERP. The third edition surpasses earlier versions in the presentation of SAP ERP control fundamentals and audit best practices. This text is a necessity for the bookshelf of any SAP ERP audit or control department.

EDITOR'S NOTE

Security, Audit and Control Features SAP ERP, 3rd Edition, is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail bookstore@isaca.org or telephone +1.847.660.5650.
