Systems Applications Products audit

A Systems Applications Products audit is an audit of a computer system from SAP AG that checks the system's security and data integrity. SAP is the acronym for Systems, Applications, Products. It is a system that provides users with a soft real-time business application. It contains a user interface and is considered extremely flexible. In an SAP audit the two main areas of concern are security and data integrity.

What is SAP?

Systems, Applications, Products in data processing, or SAP, was originally introduced in the 1980s as SAP R/2, which was a system that provided users with a soft-real-time business application that could be used with multiple currencies and languages. As client–server systems began to be introduced, SAP brought out a server-based version of their software called SAP R/3, henceforth referred to as SAP, which was launched in 1992. SAP also developed a graphical user interface, or GUI, to make the system more user friendly and to move away from the mainframe-style user interface.

For the next 10 years SAP dominated the large business applications market. It was successful primarily because it was extremely flexible. Because SAP was a modular system (meaning that the various functions provided by it could be purchased piecemeal) it was an extremely versatile system. A company could simply purchase the modules that it wanted and customize the processes to match the company's business model. SAP's flexibility, while one of its greatest strengths, is also one of its greatest weaknesses, and it is what leads to the need for an SAP audit.

There are three main enterprise resource planning (ERP) systems used in today's larger businesses: SAP, Oracle, and PeopleSoft. ERPs are specifically designed to help with the accounting function and with the control over various other aspects of the company's business such as sales, delivery, production, human resources, and inventory management. Despite the benefits of ERPs, there are also many potential pitfalls that companies who turn to ERPs occasionally fall into.

Segregation of duties

Security is the first and foremost concern in any SAP audit. There should be proper segregation of duties and access controls, which is paramount to establishing the integrity of the controls for the system. When a company first receives SAP it is almost devoid of all security measures. When implementing SAP a company must go through an extensive process of outlining its processes and then building its system security from the ground up to ensure proper segregation of duties and proper access. Proper profile design and avoidance of redundant user IDs and superuser access will be important in all phases of operation. Along with this comes the importance of ensuring restricted access to terminals, servers, and the data center to prevent tampering. Because each company will have different modules, each company's security structure will be distinctly different.

A typical example from SAP is a user who can create a vendor and is also able to pay an invoice. The create-vendor transaction is XK01 and the pay-invoice transaction is FB60. If a user or role in SAP has both of those transactions, it creates an SoD risk.

With security it all starts at the beginning with the proper design and implementation of security and access measures for employees. For new employees it is important that their access is set up properly and that any future access granted has proper approval. After the system has been implemented, the control over system changes and the approval process required for them is vital to ensure the continued security and functionality of the system. Without proper security measures in place from start to finish there will be a material weakness in the controls of the system, and because of this there will likely be some level of fraud as well.

Through security you are able to monitor who has access to what data and processes and ensure that there is sufficient segregation of duties so as to prevent someone from perpetrating fraud. One of the major advantages of SAP is that it can be programmed to perform various audit functions for you. One of the most important of those is reviewing user access and using the system to cross-check it against an access matrix to ensure that proper segregation is in place, so that a person with payment request access does not also have access to create a vendor.

System changes

After ensuring that security is set up to ensure proper segregation of duties the next area of concern surrounding security is with regards to system changes. All companies should have three different systems: the development system, the test system, and the production system. All changes to production will need to be run through an approval process and be tested to ensure that they will function properly when introduced into the production system. The security around who can authorize a change and who can pull that change through into production is paramount to ensuring the security and integrity of the system. Review of this process and the people involved with it will be a key to the audit of the system.

The goal of auditing the access, steps and procedures for system updates is to ensure proper controls over change management of the system and to ensure that proper testing and authorization procedures are being used. All of these measures also affect our second major area of concern, data integrity.
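The three-system landscape and approval process described in this section can be tested mechanically against a log of transport requests. The following is an added example, not SAP's own transport-management output or tooling; the transport records are constructed sample data (the `DEVK9…` naming follows the usual SAP transport-request format, and the `owner`, `approved_by`, `qas_import` and `prd_import` fields are assumed names for this illustration). It flags every change that reached production without an approval, with a self-approval, without first being imported into the test system, or with the production import timestamped before the test import.

```python
"""Change-management audit check over a transport log (added example; constructed data)."""
from datetime import datetime

# Constructed sample transport log. Field names are assumptions for this example:
# owner = developer who released the transport, approved_by = approver of record,
# qas_import / prd_import = import timestamps into the test (QAS) and production (PRD) systems.
TRANSPORTS = [
    {"id": "DEVK900001", "owner": "dev1", "approved_by": "mgr1",
     "qas_import": "2024-03-01T10:00", "prd_import": "2024-03-03T18:00"},  # clean
    {"id": "DEVK900002", "owner": "dev2", "approved_by": None,
     "qas_import": "2024-03-02T09:00", "prd_import": "2024-03-02T17:00"},  # no approval
    {"id": "DEVK900003", "owner": "dev1", "approved_by": "dev1",
     "qas_import": "2024-03-04T08:00", "prd_import": "2024-03-05T12:00"},  # self-approved
    {"id": "DEVK900004", "owner": "dev3", "approved_by": "mgr1",
     "qas_import": None, "prd_import": "2024-03-06T11:00"},                # skipped test system
    {"id": "DEVK900005", "owner": "dev3", "approved_by": "mgr2",
     "qas_import": "2024-03-07T15:00", "prd_import": "2024-03-07T14:00"},  # prod before test
    {"id": "DEVK900006", "owner": "dev2", "approved_by": "mgr2",
     "qas_import": "2024-03-08T09:00", "prd_import": None},                # still in test: nothing to flag
]


def _ts(value):
    """Parse an ISO timestamp, or return None for a missing import."""
    return datetime.fromisoformat(value) if value else None


def audit_transport(transport):
    """Return the list of control failures for one transport (empty list if it is clean).

    Only transports that actually reached production are assessed; a change still
    sitting in the test system has not yet passed the control point.
    """
    issues = []
    prd = _ts(transport["prd_import"])
    if prd is None:
        return issues
    # Approval must exist and must come from someone other than the developer
    # (segregation of duties between building and releasing a change).
    if not transport["approved_by"]:
        issues.append("no approval")
    elif transport["approved_by"] == transport["owner"]:
        issues.append("self-approved")
    # The change must have been imported into the test system, and before production.
    qas = _ts(transport["qas_import"])
    if qas is None:
        issues.append("not imported to test system")
    elif qas >= prd:
        issues.append("production import precedes test import")
    return issues


def audit_transports(transports=TRANSPORTS):
    """Map transport id -> issues, for transports with at least one issue."""
    findings = {}
    for transport in transports:
        issues = audit_transport(transport)
        if issues:
            findings[transport["id"]] = issues
    return findings


if __name__ == "__main__":
    for transport_id, issues in audit_transports().items():
        print(f"{transport_id}: {', '.join(issues)}")
```

In a real review the input would be the transport history exported from the production system joined to the change-approval records, and the same four checks would be the minimum an auditor would expect the approval process to enforce.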

Data integrity issues

Because SAP integrates data from legacy systems, it is extremely important to ensure that the mapping of the interaction between the legacy systems and SAP is thorough and complete. Without that, any data received from SAP would be suspect. It is also important that proper backups of the database be maintained along with an up-to-date and practiced disaster recovery plan to ensure continuity after a disaster. A thorough review of these plans along with the mapping of system interfaces will be important in this phase of the audit. Because all SAP data are stored in inter-related tables, it is possible for users with certain security to change them. It is extremely important that the output be verified to ensure accuracy. SAP does provide some basic audit programs to assist with the review of data to ensure that it is processing properly. It is also customizable, so that a user can create a program to audit a specific function.

The monitoring of change management, that is, the moving of updates to the system from the development stage through to production, is one of the key elements of this particular concern. The review and testing procedures for the programs that are pulled through to production need to be painstakingly reviewed to ensure that they will function properly and not adversely affect another area of the system. If anything goes undetected, the potential for a processing error or system crash could cause some major concern. Because of this, review of the process of review and pull-through to production needs to be a high priority.

Controls

Controls around the system need to be reviewed, especially around the accounts payable and accounts receivable sub-ledgers. Auditors must perform or review reconciliations between SAP and external information, such as bank reconciliations and A/P statement reconciliations. They must review cost center and responsibility accounting, management review and budgetary control, and the route of authorization for non-routine transactions.

The audit review should include a review of the validation of data that is input in certain transactions, the design of ABAP statements and their authority checks, and the matching of documents prior to closing. Also, with regard to master file control, there must be an independent review of master file changes and of the creation of transactional responsibilities to identify any redundant master files.

When it comes to data integrity the primary concerns are the integration of data from the legacy systems and then ensuring that data being input into the system for processing has been properly approved and is accompanied by the proper documentation. Through reviewing these aspects of the processing from implementation through to production you can gain reasonable confidence that the controls surrounding the data are sufficient and that the data are likely free of material error. The use of the built in audit functions will greatly assist with this process and the ability to create your own audit programs will allow you to customize the work to the company you are working with.

Control risks

The two major control risks that need to be monitored with SAP are security and data integrity. To ensure that both are sufficient it is important that both be properly outlined and developed during implementation. User profiles must be designed properly and access must be sufficiently segregated to minimize the chance of fraud. Use of the SAP audit functions to cross check the user access with the matrix of allowable accesses is the quickest and easiest way to ensure that duties and access are properly segregated. New and old users must be entered and removed promptly and avoidance and monitoring of any super user access is imperative. Review of the access to upload and pull through changes to production and review of the associated authorization process is important from both a security and data integrity point of view.
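The cross-check of user access against a matrix of allowable accesses, described here and in the segregation-of-duties section above (with its XK01/FB60 example), is straightforward to express in code. The following is an added example, not one of SAP's built-in audit programs; the roles, users and role-to-transaction assignments are constructed sample data, the XK01/FB60 conflict is the pair named in the article, and the second matrix entry (FB60 with F110, the payment run) is an assumption added to show a matrix with more than one rule. It goes one step beyond the article's description by also checking each role on its own, since a role that bundles both halves of a conflict is a design defect whether or not anyone currently holds it.

```python
"""Segregation-of-duties cross-check of SAP user access against a conflict matrix
(added example; constructed roles and users)."""
from itertools import combinations

# Conflict matrix: pairs of transaction codes one person should not hold together.
SOD_CONFLICTS = {
    frozenset({"XK01", "FB60"}),  # create vendor + enter vendor invoice (pair from the article)
    frozenset({"FB60", "F110"}),  # enter vendor invoice + run payment program (assumed pair)
}

# Constructed sample: which transaction codes each role grants ...
ROLE_TCODES = {
    "Z_AP_CLERK":     {"FB60", "FB03"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_PAYMENT_RUN":  {"F110"},
    "Z_DISPLAY_ONLY": {"FB03", "XK03"},
    "Z_AP_ALL":       {"XK01", "FB60", "F110"},  # badly designed role: conflicts on its own
}
# ... and which roles each user holds.
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},  # conflict only appears across two roles
    "bob":   {"Z_AP_CLERK"},
    "carol": {"Z_PAYMENT_RUN", "Z_DISPLAY_ONLY"},
    "dave":  {"Z_AP_CLERK", "Z_PAYMENT_RUN"},
}


def conflicting_pairs(tcodes, conflicts=SOD_CONFLICTS):
    """All conflict-matrix pairs fully contained in a set of transaction codes."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(tcodes), 2)
        if frozenset(pair) in conflicts
    )


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of transaction codes a user is granted through all of their roles."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= role_tcodes.get(role, set())
    return codes


def sod_violations(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, conflicts=SOD_CONFLICTS):
    """Users whose combined access contains a conflicting pair, with the offending pairs."""
    findings = {}
    for user in sorted(user_roles):
        hits = conflicting_pairs(effective_tcodes(user, user_roles, role_tcodes), conflicts)
        if hits:
            findings[user] = hits
    return findings


def role_conflicts(role_tcodes=ROLE_TCODES, conflicts=SOD_CONFLICTS):
    """Roles that contain a conflicting pair by themselves, regardless of who holds them."""
    findings = {}
    for role, tcodes in sorted(role_tcodes.items()):
        hits = conflicting_pairs(tcodes, conflicts)
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"user {user}: {pairs}")
    for role, pairs in role_conflicts().items():
        print(f"role {role} is self-conflicting: {pairs}")
```

Checking users on their combined access rather than role by role matters: in the sample, neither of alice's roles conflicts on its own, yet together they give her both XK01 and FB60, which is exactly the vendor-creation-plus-payment combination the article warns about.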

To further ensure data integrity it is important that proper documentation be reviewed along with confirmation of any external data available either through a legacy system or through a third party. This is extremely important with regard to certain sensitive accounts, such as accounts payable. Review of controls around budgets and management review and also review of authorization for non-routine transactions and physical access will be imperative to ensuring the accuracy of the data input and output from the system. The use of and development of tools within SAP will help accelerate this process and help to ensure that it is accurate. These are the two most vital parts to any SAP audit and successful review of them should allow you to determine the adequacy of control around the SAP system and access to it to determine whether or not there are any material deficiencies with the systems control.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 