Audit Support in SAP

Milford Sprecher SAP Public Services, Inc.

Auditing Overview mySAP Audit Information System (AIS) Overview Administration of AIS Tools and Data Export Summary and Q&A

Concurrent Session #7

Reasons/Methodology for Financial Audits

Financial audits
Generally begin with an assessment of internal controls under the assumption that good internal controls reduces the risk of improprieties in the system Are performed after adequate planning and with proper supervision Are performed by obtaining competent evidential matter through inspection, observation, inquiries and confirmations to afford a reasonable basis for an opinion3
3 Taylor,

Donald H. and Glezen, G. William. Auditing: Integrated Concepts and Procedures, Second Edition, New York: John Wiley & Sons, 1982

SAP AG 2003 / Audit Information System, 3

Legal Environment (Today)

Sarbanes-Oxley Act 2002:
New regulations for auditing firms including more independence requirements Reinforces older case law and acts Places more attention, requirements and responsibilities on management Elevates internal accounting controls to assertion level requiring an opinion from auditor

SAP AG 2003 / Audit Information System, 4

Concurrent Session #7

How Can Technology Help?

System tools to facilitate documentation, assessment and testing of internal control environment Ability to implement continuous automated control techniques to ensure continued compliance with Sarbanes-Oxley requirements (e.g., monitoring of key disclosure controls, electronic sign-offs of control procedure completion, etc.) Ability to provide consistent business process and control practices Automated auditing techniques Control gap analysis and resolution performance management and tracking

SAP AG 2003 / Audit Information System, 5

SAP Principles Supporting Audit Requirements

Inherent controls
are delivered with SAP and do not need to be designed into the system

Configurable controls
automated controls to be defined at the time of system configuration

Security controls
user access and segregation of duties controls

Reporting controls
controls that rely on standard or ad-hoc reports from SAP

SAP AG 2003 / Audit Information System, 6

Concurrent Session #7

Internal Controls
SAP Security Guide Contains examples of best practices for separation of duties System Audit Function in System Audit to make sure there are separation of duties (after the fact) MIC (Management of Internal Controls) Documents processes, risk and internal controls in place Third Party Products SAP Compliance Calculator by Versa
Contains segregation of duties testing Sarbanes-Oxley driven

SAP AG 2003 / Audit Information System, 7

SAP MIC Phases and Roles

Continuous Improvement
Management Assess Control Design and Remediate Issues Test Operating Effectiveness Sign-Off, Prepare Certification / Internal Control Report Auditor Attest and Report

Scoping and Set-Up

Document Processes and Controls

CEO / CFO Internal Control Manager Org.Unit Manager Process Group Owner Control Owner Evaluator Tester

Issue and Remediation Plan Owner Internal and External Auditor

SAP AG 2003 / Audit Information System, 8

Concurrent Session #7

Auditing Overview mySAP Audit Information System (AIS) Overview Administration of AIS Tools and Data Export Summary and Q&A

SAP Audit Information System (AIS)

AIS is the auditors toolbox within the SAP environment
Structured collection and pre-setting of standard reports Suitable for auditors with limited SAP experience Role-based organization

Comprehensive functionality for system and business audits

Provides monitoring of system inherent and configurable controls Implements numerous reporting controls

Business audit structured according to

Financial statements Business Processes

AIS reporting tree links to multiple types of documentation

AIS documentation, SAP Library, IMG documentation, web addresses

Data export to external analysis and audit tools

online real time or batch processed queries document data, account balances, and financial statement data
SAP AG 2003 / Audit Information System, 10

Concurrent Session #7

Audit Information System (AIS)

Non-SAP Environment
Audit planning Work program - System audit - Business audit

mySAP ERP Environment

... Online controls on the SAP database

System information Reconciliation B/S, P&L Account balances Documents

Accounts Customers
Vendors

Analysis software ( ACL / IDEA / )

Line items

Export interface

Assets Material Orders Invoices

Reporting software

Balances

Data export
Account balances Line items

Work paper prep.

Report

SAP AG 2003 / Audit Information System, 11

AIS Motivation and Availability

Why should one be interested in this?
In an environment of mass transactions, system support for audit is a must. Corporate governance requirements

Why use the SAP Audit Information System?

Acts as a bridge between auditors and the SAP system Helps to understand SAP terminology and structures Optimized for the SAP system, direct access to critical data

What is the effort involved in installing and using AIS?

AIS provides data without requiring much system resource. Queries can be run in batch or online. AIS is simple to implement five to 10 consulting days including training.

SAP AG 2003 / Audit Information System, 12

Concurrent Session #7

Audit Information System

SAP AG 2003 / Audit Information System, 13

The Audit Information System

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a - Collection, - Structure, and - Default setup of SAP standard programs. The AIS is the Toolbox of the auditor in SAP environment.

SAP AG 2003 / Audit Information System, 14

Concurrent Session #7

Auditing Overview mySAP Audit Information System (AIS) Overview Administration of AIS Tools and Data Export Summary and Q&A

Tools Used for Online and Offline Controls

Query

ABAP

Drill-down reporting

Information systems
SAP AG 2003 / Audit Information System, 16

DART

Concurrent Session #7

Online Controls Query

List

SAP - DB
Dialog

Query
Drilldown
SAP Query The application SAP Query is used to create lists not already contained in the SAP standard.

Extract
(flat file)

SAP AG 2003 / Audit Information System, 17

Selected Queries Delivered by SAP

Document analysis
Documents in general A/P A/R G/L line items Flexible selection for the data retrieval Flexible analysis of the data deemed critical using ALV functions Posted on Sunday or holidays? Posted at unusual times? ... Offsetting account analysis Even distribution of postings? (in Days/Months/Year) Unusual document origin? (manual, SD, MM, HR, ...) Posted in timely manner? (BUDAT CPUDAT) Documents with the greatest volume (+/-) Terms and conditions, base date, days 1, %, days 2, %, Net values in document - Values in master data = Variance (shows manual changes) Payments out of the norm - Standard condition per master data (days / %) - Condition taken as found in document - Variance (shows payment tendency) Clearing only payment-relevant process? Clearing via reversal?

Dubious Documents
Document journal (with holiday calendar)

Account Analysis
A/R A/P G/L accounts

Comparison of Terms
A/R A/P

Variance Analysis
A/R (Payments received) A/P (Payments sent)

Critical Clearing Processes

A/R
SAP AG 2003 / Audit Information System, 18

Concurrent Session #7

Online Controls Drilldown Reporting

List

SAP - DB
Dialog

Drill-down Reporting
SAP drill-down reporting With drill-down reporting, SAP provides you with an interactive information system to let you evaluate the data collected in your application.

Drilldown

Extract
(flat file)

SAP AG 2003 / Audit Information System, 19

Online Controls Information Systems

List

SAP - DB
Dialog

Information systems
Component-specific information tools: General ledger Accounts receivable Accounts payable Logistics Repository ...
SAP AG 2003 / Audit Information System, 20

Drilldown

Information System Information System Information System Information System Information System

Extract
(flat file)

Concurrent Session #7

10

Offline Controls DART

List

SAP - DB
Dialog

DART
Drilldown
Data Retention Tool ( D A R T ): Data retention and evaluation of tax-relevant data. Data extraction and storage View query Export function (SAP-Audit-Format)
SAP AG 2003 / Audit Information System, 21

Extract
(flat file)

Auditing Overview mySAP Audit Information System (AIS) Overview Administration of AIS Tools and Data Export Summary and Q&A

Concurrent Session #7

11

7 Key Points to Take Home

1. 2. 3. 4. 5. 6. 7. SAP Audit Information System (AIS) is the auditors toolbox in the SAP environment. It provides a structured, easy-to-learn access to audit-relevant data in the SAP system. AIS is being used by external auditors, internal auditors/financial analysts, tax auditors and data security officers. There are comprehensive online controls for system audit, business audit, and tax audit. AIS supports data export of master data, account balances, and documents to 3rd party audit and analysis tools. AIS can be implemented quickly and with low effort, and easily adjusted to the requirements of the customer. AIS requires few system resources.

SAP AG 2003 / Audit Information System, 23

AIS Benefits

AIS is the auditors toolbox within SAP. Online Controls and Data Export Easy to use functionality Comprehensive offering for System audit Business audit Tax audit

SAP AG 2003 / Audit Information System, 24

Concurrent Session #7

12