
Auditing in the ERP Environments

AGENDA

1. GENERAL OVERVIEW - ERP: Any Business, ERP solutions, SAP R/3 Architecture & Application components
2. MODULES IN ERP - Logistics, Accounting: Navigation of Screen, Core Business Cycle in a Manufacturing unit
3. RISK ASSESSMENT IN ERP - Methodology: Quantification Model, Impact = Severity x Detection, Exposure, Risk Statements (SD/MM/FI/Common examples), Registers and Heat Maps (module wise), Revenue, Expenditure & Inventory cycles, Summing up
4. TECHNICAL RISK IN ERP - Basis application infrastructure, Risks in Installation management, ABAP/4 Workbench & Transport (SE38/SA38), Computing Center Management System, Profile Generator (PFCG)
5. AUDIT IMPLEMENTATION IN ERP - Learnings for auditors, Excellence Model / Global best practices (COBIT/COSO) and New Directions in ERP Auditing
General Overview - Any Business

[Diagram: a Production/Service Enterprise at the centre, with Purchase (Qty, Value, Order; Vendor; Bills Payable) on one side and Sales (Customer; Receivable) on the other, and links to HR (Wages, Salaries), FA, Other Business Associates, Statutory Bodies and Share Holders.]
ERP solutions - What do they enable

1. Managing & supporting the resources of the organisation efficiently:
   - Employees
   - Customers
   - Vendors
   - Share Holders
   - Production Process
   - Material & Services
ERP solutions - What do they enable (contd.)

2. Increasing competitiveness
3. Reducing costs
4. Improving operational reporting
5. Improving quality of decision making
6. Enhancing customer service
7. Improving profitability
8. Providing integrity of data
9. Enhancing productivity of the value chain
10. Speed
ERP solutions - What do they enable (contd.)

- ERP solutions are integrated, configurable, real time and often available as cross-industry solutions.
- Today's presentation is primarily based on SAP, although many ERP solutions are in use (e.g. Oracle, J.D. Edwards, Baan, Mfg Pro etc.) with similar concepts.
- SAP = Systems, Applications, Products in Data Processing
- ERP cost per user (licence, approximate): Info users - Rs. 60K+; Operational users - Rs. 90K+; Developers - Rs. 350K+; AMC - 17 ~ 20%
- ERP at Eicher = SAP 4.7c (375 users)
SAP R/3 Architecture - 3 Layers

Presentation Layer - SAP R/3 software GUI (Enterprise 4.7c / ECC5) with which users interact.
Application Layer - Application servers with the SAP R/3 kernel that run ABAP/4 programs (Windows 2003 Server, Service Pack 1).
Database Layer - RDBMS (e.g. Oracle 9i with patch level 4) holding the ABAP/4 Dictionary, source & executable programs.
  - TCodes (SE16 / table TSTCT) = 120314 nos
  - Tables (DB02) = 35650 nos
SAP R/3 Enterprise - Application components

[Diagram: ERP at the centre surrounded by the components MM, SD, PP, CO, FI, AM, QM, PS, PM, WF, IS and HR.]
Modules in Logistics - Navigation of Screen

1. Logistics General (LO)
2. Product Life Cycle Management (PLM)
3. Sales & Distribution (SD)
4. Materials Management (MM)
5. Logistics Execution (LE)
6. Production Planning & Control (PP)
7. Plant Maintenance (PM)
8. Customer Service (CS)
9. Quality Management (QM)
10. Project System (PS)
11. Environment, Health & Safety (EH&S)
12. Retail
13. Agency Business (LO-AB)
14. Global Trade
15. Country Versions
Modules in Accounting - Navigation of Screen

1. Accounting General (AC)
2. Financial Accounting (FI)
3. mySAP Banking
4. Corporate Finance Management (CFM)
5. Treasury (TR)
6. Controlling (CO)
7. Investment Management (IM)
8. Project System (PS)
9. Incentive & Commission Management
10. Enterprise Controlling
11. Real Estate Management
12. Public Sector Management
13. Flexible Real Estate Management (RE-FX)
14. Production Sharing Accounting Systems
15. Country Versions
Core Business Cycle in Manufacturing

[Diagram, three parallel streams that all feed Reporting:
 - Create Customer Relationship: Sales Qty -> Sales Order -> Goods Issue -> Delivery Note -> Our Invoice -> A.R. Collection
 - Create Producing Inventory: MRP -> Production Order -> Production Scheduling -> Raw Material Handling -> FGS Inventory Management
 - Create Vendor Relationship: Purchase Requisition -> Purchase Order / Scheduling Agreement -> Goods Receipt -> Vendor Invoice Verification -> AP Payment]
RISK ASSESSMENT METHODOLOGY - BY A QUANTIFICATION MODEL

Key business processes in Sales and Distribution (SD), Materials Management (MM) and Financial Accounting (FI) need to be studied in detail to identify their vulnerability to threats from within and outside. Based on this and the experience of the internal audit team, risk statements relevant to the business are to be captured.

For each risk statement, risk impact and risk exposure are to be assessed as under.
Risk Registers and Heat Maps - Module wise

Using the risk impact and risk exposure scores as worked out above, all possible risk statements (like the 3 examples given for each of SD/MM/FI) need to be prepared in the form of a RISK REGISTER of many pages, and ultimately all risk statement Sr. nos. are to be plotted on a 1-page HEAT MAP.

  RISK IMPACT
      100 +
          |  HIGH     Y1       R2       R1
       40 +
          |  MEDIUM   G1       Y2       R3
       20 +
          |  LOW      G3       G2       Y3
        0 +---------+--------+--------+----
          0   LOW   2  MEDIUM 4  HIGH   10
                    RISK EXPOSURE ->
Risk impact = Severity x Detection

Risk impact (Severity x Detectability) is to be assessed on a scale of 1-100 (100 being the highest adverse impact).

A. Risk Severity (on a scale of 1-10) is determined based on the weighted average effect on 5 parameters, i.e. (i) PBT, (ii) Statutory / regulatory compliance, (iii) Strategic value, (iv) Financial statement accuracy, (v) Reliability / operational effectiveness.

B. Risk Detectability (on a scale of 1-10) is determined based on the stage at which the adverse event is detectable, i.e. within the company or from outside customers.
Risk exposure

Risk exposure (likelihood of occurrence) is to be assessed on a scale of 1-10 (10 being most likely). Risk exposure is determined based on the weighted average effect of 10 parameters responsible for the exposure, i.e.
(i) Incorrect source data / data entry, (ii) Incorrect / incomplete execution, (iii) Incorrect / non-verification of output, (iv) Skill / resource constraint, (v) Inadequate segregation of duties, (vi) Lack of system documentation, (vii) Authority norms not defined / followed, (viii) Inappropriate configuration / process logic, (ix) Weak internal / compensating controls, (x) Others (i.e. process complexity, frequency of changes, software limitation, unassignable causes etc.)
RISK STATEMENTS - SD Examples

S.No | Risk statement | Risk Severity | Detectability | Risk Impact | Risk exposure | Heat zone
1 | Invoice may be raised without effecting physical delivery of the goods from depot / plant (bill and hold) | 7 | 8 | 56 | 5 | R1
2 | Sales order may not be executed in time and in full | 4 | 6 | 24 | 3 | Y2
3 | Debit / credit notes sent to customers may not contain adequate supporting details | 2 | 4 | 8 | 4 | G2
RISK STATEMENTS - MM Examples

S.No | Risk statement | Risk Severity | Detectability | Risk Impact | Risk exposure | Heat zone
1 | Financial authority norms for release of PO may not be mapped into SAP | 4 | 8 | 32 | 6 | R3
2 | GR may be prepared for a quantity lower / higher than vendor delivery challan | 4 | 6 | 24 | 4 | Y2
3 | CENVAT credit availed may be lower than CENVATABLE excise duty credited to vendor through invoice verification | 3 | 6 | 18 | 4 | G2
RISK STATEMENTS - FI Examples

S.No | Risk statement | Risk Severity | Detectability | Risk Impact | Risk exposure | Heat zone
1 | Depreciation rates may have been incorrectly set up | 5 | 6 | 30 | 5 | R3
2 | Vendor accounts may not have been reconciled / confirmed as per laid down frequency | 5 | 6 | 30 | 4 | Y2
3 | Line items (individual entries) clearing may not have been carried out in vendor accounts | 3 | 6 | 18 | 4 | G2
RISK STATEMENTS - Common to all functions, Examples

S.No | Risk statement | Risk Severity | Detectability | Risk Impact | Risk exposure | Heat zone
1 | SAP transaction authorizations granted to users may not relate to their assigned role / responsibility | 8 | 8 | 64 | 8 | R1
2 | SAP transactions may be carried out using group IDs, resulting in non-traceability of transactions to any specific individual (employee) | 8 | 8 | 64 | 8 | R1
3 | Audit trails (chronological log of changes) may not be reviewed / analyzed by process owners | 5 | 8 | 40 | 7 | R3
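The quantification model (impact = severity x detectability, exposure 1-10) and the heat-map placement of the SD/MM/FI/common example statements above, worked through in code. This is an added example, not part of the slides: the band boundaries (impact 20/40, exposure 2/4) and zone labels are read off the slide's heat map, and the register rows are the slide's own examples, abbreviated.

```python
# Slide's quantification model: impact = severity x detectability (1-100),
# exposure 1-10, plotted on the 3x3 heat map. Bounds (impact 20/40,
# exposure 2/4) and zone labels G1..R1 are read off the slide's heat map.
HEAT_MAP = (  # indexed [impact_band][exposure_band]; 0 = LOW, 1 = MED, 2 = HIGH
    ("G3", "G2", "Y3"),  # LOW impact    (0-20)
    ("G1", "Y2", "R3"),  # MEDIUM impact (20-40)
    ("Y1", "R2", "R1"),  # HIGH impact   (40-100)
)
IMPACT_BOUNDS = (20, 40)  # upper limits of the LOW and MEDIUM impact bands
EXPOSURE_BOUNDS = (2, 4)  # upper limits of the LOW and MEDIUM exposure bands

def band(value, bounds):
    """0/1/2 = LOW/MEDIUM/HIGH; a boundary value stays in the lower band,
    as the slide's rows imply (impact 40 -> R3, exposure 4 -> Y2)."""
    return sum(value > b for b in bounds)

def risk_impact(severity, detectability):
    for score in (severity, detectability):
        if not 1 <= score <= 10:
            raise ValueError("severity and detectability are scored 1-10")
    return severity * detectability

def heat_zone(severity, detectability, exposure):
    if not 1 <= exposure <= 10:
        raise ValueError("exposure is scored 1-10")
    impact = risk_impact(severity, detectability)
    return HEAT_MAP[band(impact, IMPACT_BOUNDS)][band(exposure, EXPOSURE_BOUNDS)]

# Constructed register: the slide's examples, abbreviated, as
# (module, risk statement, severity, detectability, exposure)
REGISTER = [
    ("SD", "Invoice raised without physical delivery (bill and hold)", 7, 8, 5),
    ("SD", "Sales order not executed in time and in full", 4, 6, 3),
    ("SD", "Debit/credit notes lack supporting details", 2, 4, 4),
    ("MM", "PO release authority norms not mapped into SAP", 4, 8, 6),
    ("MM", "GR quantity differs from vendor delivery challan", 4, 6, 4),
    ("MM", "CENVAT credit availed lower than duty credited", 3, 6, 4),
    ("FI", "Depreciation rates incorrectly set up", 5, 6, 5),
    ("FI", "Vendor accounts not reconciled at laid-down frequency", 5, 6, 4),
    ("FI", "Line-item clearing not done in vendor accounts", 3, 6, 4),
    ("Common", "Transaction authorizations not matching role", 8, 8, 8),
    ("Common", "Group IDs make transactions untraceable", 8, 8, 8),
    ("Common", "Audit trails not reviewed by process owners", 5, 8, 7),
]

def risk_register():
    """Register rows as (module, statement, impact, zone), red zones first."""
    rows = [(m, s, risk_impact(sev, det), heat_zone(sev, det, exp))
            for m, s, sev, det, exp in REGISTER]
    return sorted(rows, key=lambda r: (r[3][0] != "R", -r[2]))
```

The sorted register puts the six red-zone statements (all three common ones plus SD1, MM1 and FI1) at the top, which is the audit priority order the heat map is meant to give.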
Important table mappings & concepts

• SD - Sales orders = vbak / vbap / vbpa, different types
• SD - Shipping = vblk / likp / lips, different types
• SD - Billing = konv / vbrk / vbrp / vbuk, different types, pricing procedures
• SD - Customer master used in AR = knvp / knvv / kna1 / knb1, sales organisation

• MM - Purchase requisition = eban / ebkn
• MM - PO / SA = ekko / ekpo
• MM - Delivery schedule = eket / ekkn
• MM - GR = mkpf / mseg / ekbe
• MM - Material master = marc / mlan / makt / mara / mbew
• MM - PO info record = konh / konp / eina / eine
• MM - BOM = STKO / STPO
• MM - Material types, material movements, material groups, purchase groups

• FI - Payments = payr; Accounting = bkpf / bseg; open / cleared items: Customer = bsid / bsad, Vendor = bsik / bsak, G/L = bsis / bsas
• FI - Masters: G/L = skb1 / ska1 / skat, Cost centre = csks / cskt, Profit centre = cepc / cskt
• FI - Vendor master used in AP: purchasing = lfm1 / lfm2, general = lfa1 / lfb1 / lfbk
• FI - Document types (30 types): AB - accounting, BR - bank receipt, KR - vendor invoice, RV - sales invoice
• FI - Account types (5): A - Assets, D - Customer, K - Vendor, M - Material, S - G/L
• FI - COA - Chart of accounts
Risks in Revenue, Expenditure, Inventory cycles - overview (400+)

Configuration :- SAP system landscape, R/3 customizing, organisational objects, currencies, tax procedures, charges in customer / vendor master, document types, depreciation keys, overhead cost allocation, PO release, payment terms, pricing procedures in SD, credit controls, outgoing invoice posting / free goods, automatic account determination.

Authorisation :- Authorization objects, user management, tolerance groups, workflows, conflicting combinations, own-developed transactions, super user, change management.

Masters :- GL masters, customer masters, vendor masters, material masters, selling price, tax codes, quota arrangement, BOM.

Procedure manuals :- Risk based queries (SD, MM, FI) using SAP + MS Access / AIS / critical tools / tables / LDB-SAP; e.g. at Eicher: SAP queries = 106 + 133 + 25, MS Access queries = 103 + 135 + 39.

Audit Trails :- Configuration control, Authorization (change management), Master & Application (PO / sales order credits / FI documents).
Technical - Basis application infrastructure in SAP R/3

4 Key Basis Tools + Utilities

A. Installation Management Guide (IMG) - SPRO
B. ABAP/4 Workbench & Transportation System (Development + Test + Production)
C. Computing Center Management System (CCMS) - utilities to monitor, control & configure R/3: start up, shut down, network monitoring, security, back ups, alerts, trouble shooting, system configuration & system profile management, DBA, profile security.
D. Profile Generator & Security Administration (PG&SA): SUIM - Authorisation Information System, SU03 - Maintenance of Authorisations.
Risks in Installation management

1. The organisation: SPRO & SCC4 control the production client settings. Risks are: incorrect consolidation / inadequate reporting / incorrect MIS / manual work-arounds.
2. Critical number assigned to an individual DB record - number ranges: internal numbers by SAP & external numbers by users (SNRO + SUIM + SPRO).
3. Modification of SAP tables other than X* / Y* critical tables - table fields (SE16 / SE11 / DD03M).
Risks in ABAP/4 Workbench & Transport (SE38 / SA38)

• Change control procedure (programs, queries)
• Development & testing servers
• Transport system testing
• Logs
• Emergency change procedures
Risks in Computing Center Management System

Batch processing control :- Batch input (SM35), Administration (SM64), Processing (SM36)
Application server parameters :- (a) Login / password expiration 180 days, (b) Min password length 6-8, (c) Login fails to session end (incorrect password 3 times)
Locking transaction codes :- SM01 (users who have access to lock / unlock T-codes)
Restricted passwords :- Default password, name
SAP Router :- Permission table authorization with valid IP address (port 3200)
On-line support systems :- Remote access to SAP vendor (SAP Marketplace, Web)
Remote function call :- Program interfaces (SM59), use of E-SCORE / EPIC / DMS / ITS etc.
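A baseline check for the application server login parameters listed above, added here as an example (not from the slides). It assumes the parameters have been exported as "name = value" lines (the constructed sample below); the parameter names login/password_expiration_time, login/min_password_lng and login/fails_to_session_end are SAP's, and the limits are the slide's (180 days, minimum length 6, 3 failed attempts).

```python
import re

# Slide's baseline for login parameters as (minimum, maximum); None = no limit.
# Parameter names are SAP profile parameters; limits are the slide's values.
BASELINE = {
    "login/password_expiration_time": (1, 180),  # days; 0 means never expires
    "login/min_password_lng": (6, None),         # slide: minimum length 6-8
    "login/fails_to_session_end": (1, 3),        # wrong passwords before logoff
}

# Constructed sample export, one "name = value" per line (not a real system)
SAMPLE_DUMP = """\
login/password_expiration_time = 0
login/min_password_lng = 8
login/fails_to_session_end = 5
rdisp/wp_no_dia = 10
"""

def parse_parameters(text):
    """Parse 'name = value' lines into a dict; values are kept as strings."""
    params = {}
    for line in text.splitlines():
        match = re.match(r"\s*([\w/]+)\s*=\s*(\S*)", line)
        if match:
            params[match.group(1)] = match.group(2)
    return params

def check_login_parameters(params):
    """Return (parameter, value, finding) for every deviation from BASELINE."""
    findings = []
    for name, (low, high) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, None, "not set, kernel default applies"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, "non-numeric value"))
            continue
        if low is not None and value < low:
            findings.append((name, value, f"below minimum {low}"))
        elif high is not None and value > high:
            findings.append((name, value, f"above maximum {high}"))
    return findings
```

On the sample, the check flags the expiry of 0 (passwords never expire) and the 5 permitted failed attempts, while the length of 8 passes.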
Risks in Profile Generator (PFCG) :-

• Security admin profile (create / change / display)
• Super user SAP*, SAP_ALL
• Authorisation documentation (biggest risk)
• Log + trace file
ERP implementation - Learnings for auditors

Managing Incharge :- • Higher number of IS auditors than traditional profile auditors
  • ERP trained auditors (functionally / query)
Audit Methodology :- • Risk assessment of audit universe (H/M/L)
  • Audit manuals (query): Excel, MS Access
  • Segregation of duties
  • User authorisation (object level security)
  • Customized to fit each organisation's unique needs
Role of Auditor :- • Integrated approach (involvement in project early stage for design + controls of systems)
  • Pre implementation review - before go live (business case, project risks, application security design)
  • Post implementation review (application)
  • Quality assurance - BPR programme
Audit involvement in project :- • During selection & implementation (contribute towards establishing the control environment)
Audit responsibilities :- • Environment evaluation from risk perspective
  • Subject specialists (SD, MM, Tax) & ERP competent team
  • Efficient audit
  • Audit universe (business application + Basis application infrastructure)
  • Use HELP
Audit Excellence Model / Global best practices (COSO)

Mapping in COSO (Committee of Sponsoring Organizations of the Treadway Commission)

A :- 3 Objectives identified: 1. Operations, 2. Financial Reporting, 3. Compliance.
B :- 5 Components of Internal Control :-
1. Control Environment :- Ethics, values, standards
2. Risk Assessment :- Technology, operation, finance, heat maps (risk impact vs exposure)
3. Control Activities :- KPI, policies, procedures, TQM, physical safeguards
4. Information & Communication :- Up & down, adequacy, Q, timeliness
5. Monitoring & controls :- Internal controls, physical verification, overheads, MIS, feedback, forums etc.
Audit Excellence Model / Global best practices (COBIT)

Mapping to COBIT (Control Objectives for Information and related Technology)

MAIN PROCESSES (No. of key processes):
• Planning and Organisation - 11
• Acquisition & Implementation - 6
• Delivery & Support - 13
• Monitoring - 4

LEVEL OF CONTROLS - ASSESSMENT
0. Non-existent
1. Initial / Ad hoc
2. Repeatable but person dependent
3. Defined - standardized & documented
4. Managed - monitoring OK & feedback system
5. Optimized control - industry best practices
New Directions in ERP Auditing :-

• Risk based auditing linked to COSO & COBIT
• Professional ethics & standards
• AIS (materiality) + queries development (table download + MS Access)
• Auditing tools - ACL / IDEA etc. and many more
• On-line continuous audit (remote desktop auditing)
• E-enabled applications (vendors / dealers, P2P, B2C)
• Outsourcing - competence / costs - benefit based
• 100% transaction audit / audit through computers
• Continuously enhancing ERP competencies
• Qualified auditors - CIA / CISA ...
References

www.theiia.org - Internal auditing: guidance for the profession
  :- Code of Ethics
  :- International Standards for the Professional Practice of Internal Auditing
  :- Practice Advisories
  :- Development & Practice Aids
www.isaca.org
  :- IS Auditing Standards
  :- IS Auditing Guidelines
  :- IS Auditing Procedures
  :- Standards for Professional Information System Control
http://www.sapgenie.com/ (google search based)
http://www.sap.com - services / education
http://www.sap.com - Community
help.sap.com
Thank you