sap erp audit assurance programs and icqs 18nov09

Upload: eduardo-ed

Post on 03-Jun-2018


Audit/Assurance Programs and ICQs

Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series)

    Audit/Assurance Programs and ICQs

    ISACA

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations. ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

    Disclaimer

ISACA has designed and created Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series), Excerpt of the Audit/Assurance Programs and ICQs (the "Work"), primarily as an educational resource for control professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. While all care has been taken in researching and documenting the techniques described in this text, persons employing these techniques must use their own knowledge and judgment. ISACA and Deloitte, its partners and employees, shall not be liable for any losses and/or damages (whether direct or indirect), costs, expenses or claims whatsoever arising out of the use of the techniques described or reliance on the information in this reference guide.

SAP, SAP R/3, mySAP, SAP R/3 Enterprise, SAP Strategic Enterprise Management (SAP SEM), SAP s source


    Acknowledgments

    ISACA wishes to recognize:

    Researcher

Mark Sercombe, CISA, CA, CIA, Sponsoring Partner, Deloitte, Australia
Matthew Saines, CISA, CISSP, Deloitte, Australia
Maria Woodyatt, CISA, Deloitte, Australia
Bernadette Louat, CISA, Deloitte, Australia
Computer Assistance LLP, Canada
Chang Lu Miao, CISA, ACIB, CPA, MCSE, SAP T/C, Auditor-General's Office, Singapore
Mayank Garg, CISA, Atmel Corporation, USA
David T. Green, PhD, Governors State University, USA
Guhapriya Iyer, CISA, ACA, Grad CWA, Cerberus Consulting, India
Babu Jayendran, CISA, FCA, Babu Jayendran Consulting, India
Emma Johari, CISA, PM, Australia
Pam Kammermeier, CISA, Altran Control Solutions, USA
Rani Lalsinghani, CISA, CISM, TechnoSols Consulting Services, Australia
Mookhey, CISA, CISM, CISSP,


Tony Hayes, CGEIT, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, CSEPS, RSM Bird Cameron, Australia, Director

Assurance Committee 2008-2009

Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Chair
Pippa Andrews, CISA, ACA, CIA, Amcor, Australia
Richard Brisebois, CISA, CA, Office of the Auditor General of Canada, Canada
Sergio Fleginsky, CISA, ICI, Uruguay
Robert Johnson, CISA, CISM, CGEIT, CISSP, Executive Consultant, USA
Anthony P.


Appendix D. SAP ERP Revenue, Expenditure, Inventory, Basis Audit/Assurance Programs

Revenue Business Cycle

I. Introduction

Overview

ISACA developed ITAF™: A Professional Practices Framework for IT Assurance as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, and tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200, General Standards. The audit/assurance programs are part of ITAF, section 4000, IT Assurance Tools and Techniques.

Control Framework

The audit/assurance programs have been developed in alignment with the COBIT framework, specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF, sections 3400 (IT Management Processes), 3600 (IT Audit and Assurance Processes), and 3800 (IT Audit and Assurance Management).

Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename columns in the audit program to align with the enterprise's control framework.

IT Governance, Risk and Control

IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives with steps to determine control design and effectiveness.

© 2009 ISACA. All rights reserved.


Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work, and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps

The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. IT audit and assurance professionals are encouraged to make modifications to this document to reflect the specific environment under review.

COBIT Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good practice control guidance.

COSO Components

As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.


The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure AD.1.

Figure AD.1, Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework: Control Environment. The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
ERM Integrated Framework: Internal Environment. The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an enterprise's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Objective Setting. Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise's mission and are consistent with its risk appetite.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Event Identification. Internal and external events affecting achievement of an enterprise's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Internal Control Framework: Risk Assessment. Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
ERM Integrated Framework: Risk Assessment. Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework: Risk Response. Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the enterprise's risk tolerances and risk appetite.

Internal Control Framework: Control Activities. Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the enterprise's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
ERM Integrated Framework: Control Activities. Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control Framework: Information and Communication. Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
ERM Integrated Framework: Information and Communication. Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the enterprise.

Internal Control Framework: Monitoring. Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ERM Integrated Framework: Monitoring. The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure AD.1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component

model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure AD.1.

Reference/Hyperlink

Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference

This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments

The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

The IT Assurance Guide: Using COBIT, appendix VII, Maturity Model for Internal Control, reproduced in figure AD.2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.


Figure AD.2, Maturity Model for Internal Control

Columns: Maturity Level; Status of the Internal Control Environment; Establishment of Internal Controls.

Level 0
  (row not reproduced in this extract)

Level 2, Repeatable but intuitive (partial)
  Status of the internal control environment: ...intuitive; is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
  Establishment of internal controls: ...selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Level 3, Defined
  Status of the internal control environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
  Establishment of internal controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Level 4, Managed and measurable
  Status of the internal control environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
  Establishment of internal controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Level 5, Optimized
  Status of the internal control environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
  Establishment of internal controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs, and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework


ISACA IT Assurance Framework and Standards

ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit and Assurance Standard S15 IT Controls, and IT Audit and Assurance Guideline G38 Access Controls are relevant to this audit/assurance program.

ISACA Controls Framework

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.

Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security

The review of SAP helps management ensure that it is secure. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing.

Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time". Release levels are annotated separately to the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release.

R/3 was introduced in 1992 with a three-tier architecture paradigm. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP


Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:
- Disclosure of privileged information
- Single points of failure
- Low data quality
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements

Objective and Scope

Objective: The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.

Scope: The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills

This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.
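One of the steps in the work program that follows is to determine whether the organization structure provides for an appropriate segregation of incompatible functions. The Python below is an added example, not part of the ISACA program and not an SAP-delivered tool, of how an auditor can script that test for the revenue cycle over two extracts of the kind pulled from an SAP system: role-to-transaction assignments (table AGR_TCODES) and user-to-role assignments (table AGR_USERS), both also reachable through report SUIM. The role names, user IDs, the mapping of business functions to transaction codes and the conflict pairs are all constructed assumptions for illustration; in a real review they come from the enterprise's own SoD rule set. The check records which roles grant each side of a conflict, because a conflict contained in one role is a role-design defect while one produced by stacking two clean roles on a user is an assignment defect, and the remediation differs.

```python
"""Segregation-of-duties (SoD) conflict check for the SAP revenue cycle.

Added example for this audit program; data and rule set are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed role -> transaction code extract (shape of AGR_TCODES). Not real data.
# "*" stands for an S_TCODE wildcard, which authorizes every transaction.
ROLE_TCODES = {
    "Z_SD_ORDER_ENTRY": {"VA01", "VA02", "VA03"},
    "Z_SD_BILLING": {"VF01", "VF02"},
    "Z_FI_AR_CASH": {"F-28", "FBL5N"},
    "Z_SD_CUSTOMER_MASTER": {"XD01", "XD02", "FD32"},
    "Z_BASIS_SUPPORT": {"*"},
}

# Constructed user -> role extract (shape of AGR_USERS). Not real data.
USER_ROLES = {
    "jsmith": {"Z_SD_ORDER_ENTRY"},
    "akumar": {"Z_SD_ORDER_ENTRY", "Z_SD_CUSTOMER_MASTER"},
    "mlee": {"Z_SD_BILLING", "Z_FI_AR_CASH"},
    "basis01": {"Z_BASIS_SUPPORT"},
}

# Revenue-cycle business functions and the transactions that exercise them.
# Assumption for this example; an auditor takes these from the enterprise's rule set.
FUNCTIONS = {
    "maintain_customer_master": {"XD01", "XD02"},
    "maintain_credit_limit": {"FD32"},
    "create_sales_order": {"VA01", "VA02"},
    "create_billing_document": {"VF01", "VF02"},
    "post_incoming_payment": {"F-28"},
}

# Incompatible function pairs (also an assumption for illustration).
CONFLICTS = {
    frozenset({"maintain_customer_master", "create_sales_order"}),
    frozenset({"maintain_credit_limit", "create_sales_order"}),
    frozenset({"create_billing_document", "post_incoming_payment"}),
    frozenset({"maintain_customer_master", "post_incoming_payment"}),
}


def functions_by_role(role_tcodes, functions):
    """Map each role to the business functions its transaction codes enable.
    A wildcard entry enables every function, so it is flagged on every pair."""
    out = {}
    for role, tcodes in role_tcodes.items():
        if "*" in tcodes:
            out[role] = set(functions)
        else:
            out[role] = {f for f, codes in functions.items() if codes & tcodes}
    return out


def find_sod_conflicts(user_roles, role_tcodes, functions, conflicts):
    """Return one record per (user, conflicting function pair).

    Each record names the roles granting each side. If one role grants both
    sides the cause is 'role design'; otherwise it is 'role assignment'.
    """
    role_funcs = functions_by_role(role_tcodes, functions)
    findings = []
    for user, roles in sorted(user_roles.items()):
        granted = defaultdict(set)  # function -> roles that grant it
        for role in roles:
            for func in role_funcs.get(role, ()):
                granted[func].add(role)
        for a, b in combinations(sorted(granted), 2):
            if frozenset({a, b}) in conflicts:
                shared = granted[a] & granted[b]
                findings.append({
                    "user": user,
                    "functions": (a, b),
                    "roles": {a: sorted(granted[a]), b: sorted(granted[b])},
                    "cause": "role design" if shared else "role assignment",
                })
    return findings


if __name__ == "__main__":
    for f in find_sod_conflicts(USER_ROLES, ROLE_TCODES, FUNCTIONS, CONFLICTS):
        a, b = f["functions"]
        print(f"{f['user']}: {a} via {f['roles'][a]} + {b} via {f['roles'][b]} "
              f"[{f['cause']}]")
```

Transaction-code analysis is only the first pass: a user who holds VA01 but lacks the sales-organization authorizations checked behind it cannot actually create the order, so a complete assessment has to evaluate the authorization objects as well, and any role carrying an S_TCODE wildcard should be treated as a finding in its own right regardless of who holds it.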


    *I. !e"en#e siness C%cle A#dit'Ass#rance Program

    Audit/Assurance Program Ste!

    C)#I,

    Cross'

    reference

    C,S,

    Reference

    56!er'

    lin+

    Issue

    Cross'

    reference

    Comment

    ControlEnvironment

    RiskAssessment

    ControlActivities

    Informationand

    Com

    munication

    Monitoring

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP

1. Review the prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT cross-reference: ME1

1.1 Determine whether:
Senior management has assigned responsibilities for information, its processing and its use.
User management is responsible for providing information that supports the entity's objectives and policies.
Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity.
Senior management approves plans for development and acquisition of information systems.
There are procedures to ensure that the information system being developed or acquired meets user requirements.
There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation.
All personnel involved in the system acquisition and configuration activities receive adequate training and supervision.
There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards.
User management participates in the conversion of data from the existing system to the new system.
Final approval is obtained from user management prior to going live with a new or upgraded information system.
There are procedures to document and schedule all changes to information systems (including key ABAP programs).
There are procedures to ensure that only authorized changes are initiated.
There are procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client.
There are procedures to allow for and control emergency changes.
There are procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software.
There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated.
The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions.
The database, application and presentation servers are located in a physically separate and protected environment (i.e., a data center).
Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational. Backup and recovery plans allow users of information systems to resume operations in the event of an interruption.
Application controls are designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system.
Access to the Implementation Guide (IMG) during production has been restricted.
The production client settings have been flagged to not allow changes to programs and configuration (the client change option is maintained in transaction SCC4 and the system-wide change option in SE06; both should be set to "not modifiable" in production).
COBIT cross-reference: ME1

© 2009 ISACA. All rights reserved.

B. PRELIMINARY AUDIT STEPS

1. Gain an understanding of the SAP ERP environment.

1.1 The same background information obtained for the SAP ERP Basis Security audit plan is required for and relevant to the business cycles. In particular, the following information is important:
Version and release of SAP ERP implemented
Total number of named users (for comparison with logical access security testing results)
Key security policies and standards
COBIT cross-reference: PO2, PO3, PO4, PO6, PO9, DS2, ME2

1.2 Obtain details of the following:
Organizational Management Model as it relates to sales/revenue activity, i.e., the sales organization unit structure in SAP ERP and the company sales organization chart (required when evaluating the results of access security control testing).
An interview of the systems implementation team, if possible, and process design documentation for sales and distribution.
COBIT cross-reference: AI1, DS5, DS6

2. Identify the significant risks and determine the key controls.

2.1 Develop a high-level process flow diagram and overall understanding of the revenue processing cycle, including the following subprocesses:
Maintain pricing/customer master data
Sales order processing
Invoice processing
Payment receipt
COBIT cross-reference: PO9, AI1, DS13

2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the sample testing program below and to chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
COBIT cross-reference: PO9, DS5, DS9


… changes) against authorized source documentation.

1.1.2 Review organization policy and process design specifications regarding access to maintain master data. Test user access to create and maintain customer, material and pricing master data as follows:
Customer master data: transaction codes FD01/FD02/FD05/FD06 (Finance view: create, change, block, flag for deletion), VD01/VD02/VD05/VD06 (Sales view), XD01/XD02/XD05/XD06/XD07/XD99 (Central: create, change, block, flag for deletion, change account group, mass maintenance)
Material master data: transaction codes MM01 (Create), MM02 (Change), MM06 (Flag for deletion)
Pricing master data: transaction codes VK11 (Create condition) and VK12 (Change condition)
COBIT cross-reference: AI2, AI6, DS5, DS11

    X

1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
Customer Account Groups: transaction SPRO, menu path Financial Accounting > Accounts Receivable and Accounts Payable > Customer Accounts > Master Data > Preparation for Creating Customer Master Data > Define Account Groups With Screen Layout (Customers)
Material Types: transaction SPRO, menu path Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
Industry Sector: transaction SPRO, menu path Logistics General > Material Master > Field Selection > Define Industry Sectors and Industry-Sector-Specific Field Selection
Understand the organization's pricing policy and its configuration in SAP ERP (e.g., hard-coded, manual override possible, user enters price). Pricing condition types and records can be reviewed against the organization's pricing policy using the following menu path and transaction codes: transaction SPRO, menu path Sales and Distribution > Basic Functions > Pricing; V-44 for material price condition records; V-48 for price list type condition records; V-52 for customer-specific condition records.
COBIT cross-reference: PO9, DS9, DS11, DS12
X

1.2 Master data remain current and pertinent.

1.2.1 Determine whether management runs the following reports, or equivalent, by master data type and confirm evidence of management's review of the data for currency and ongoing pertinence:
Customer master data: run transaction code F.20
Material master data: run transaction code MMS3
Pricing master data: run transaction code VK13
Transaction F.32 provides an overview of customers for which no credit limit has been entered. Check the output from transaction F.32 to confirm that a credit limit has been set for customers in the range requiring a limit.
COBIT cross-reference: PO8, DS3, DS11, ME1

    X

2. Sales Order Processing

2.1 Sales orders are processed with valid prices and terms, and processing is complete, accurate and timely.

2.1.1 Determine whether the ability to create, change or delete sales orders, contracts and delivery schedules is restricted to authorized personnel by testing access to the following transactions:
Create (VA01)/Change (VA02) Sales Order
Create (VA31)/Change (VA32) Scheduling Agreements (delivery schedules)
Create (VA41)/Change (VA42) Contracts
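The access tests in steps 1.1.2 and 2.1.1 ask which users can run the master-data and sales-document transactions, and the control-environment question on segregation of incompatible functions asks whether one user holds both. The following Python script is an added example, not part of the ISACA program, that performs both tests over a role-assignment extract. It assumes two extracts in the shape of the SAP tables AGR_USERS (user, role, validity end date) and AGR_TCODES (role, transaction in the role menu); the role names, user IDs, review date and the two SoD rule pairs are constructed for the example and are not from the page. Because AGR_TCODES only reflects the role menu, a production review should corroborate the result with the S_TCODE values actually contained in the roles (transaction SUIM, Users by Transaction) and the application-level authorization objects behind each transaction; the script is the aggregation and exception logic, not a substitute for those checks.

```python
"""Sensitive-transaction and segregation-of-duties check over role assignments.

Added example: evaluates who can run the transactions named in audit steps
1.1.2 and 2.1.1, and flags users holding conflicting functions. All extracts
below are constructed for the example, not real system data.
"""
from collections import defaultdict
from datetime import date

# Transaction groups as listed in steps 1.1.2 and 2.1.1 of the program.
FUNCTIONS = {
    "customer_master": {
        "FD01", "FD02", "FD05", "FD06",                   # Finance view
        "VD01", "VD02", "VD05", "VD06",                   # Sales view
        "XD01", "XD02", "XD05", "XD06", "XD07", "XD99",   # Central
    },
    "material_master": {"MM01", "MM02", "MM06"},
    "pricing_master": {"VK11", "VK12"},
    "sales_order": {"VA01", "VA02", "VA31", "VA32", "VA41", "VA42"},
}

# Assumed conflict pairs (not defined by the program): maintaining the master
# data that drives price and credit while also creating the documents that
# consume it. Replace with the organization's own SoD rule set.
SOD_RULES = [
    ("customer_master", "sales_order"),
    ("pricing_master", "sales_order"),
]

# Constructed extract in the shape of AGR_TCODES: (AGR_NAME, TCODE).
AGR_TCODES = [
    ("Z_SD_ORDER_ENTRY", "VA01"), ("Z_SD_ORDER_ENTRY", "VA02"), ("Z_SD_ORDER_ENTRY", "VA03"),
    ("Z_FI_CUST_MASTER", "FD01"), ("Z_FI_CUST_MASTER", "FD02"),
    ("Z_SD_PRICING", "VK11"), ("Z_SD_PRICING", "VK12"),
    ("Z_SD_DISPLAY", "VA03"), ("Z_SD_DISPLAY", "VK13"), ("Z_SD_DISPLAY", "XD03"),
]

# Constructed extract in the shape of AGR_USERS: (UNAME, AGR_NAME, TO_DAT).
# SAP stores an open-ended assignment with the end date 9999-12-31.
AGR_USERS = [
    ("JSMITH", "Z_SD_ORDER_ENTRY", date(9999, 12, 31)),
    ("JSMITH", "Z_FI_CUST_MASTER", date(9999, 12, 31)),   # creates customers and orders
    ("MJONES", "Z_SD_ORDER_ENTRY", date(9999, 12, 31)),
    ("MJONES", "Z_SD_PRICING", date(2008, 12, 31)),       # pricing role has lapsed
    ("AKUMAR", "Z_SD_DISPLAY", date(9999, 12, 31)),       # display-only transactions
]

AS_OF = date(2009, 11, 18)   # assumed review date; lapsed assignments are ignored


def effective_tcodes(agr_users, agr_tcodes, as_of):
    """Map each user to the transactions reachable through roles valid on as_of."""
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    user_tcodes = defaultdict(set)
    for user, role, to_dat in agr_users:
        if to_dat >= as_of:                  # skip assignments that have expired
            user_tcodes[user] |= role_tcodes[role]
    return dict(user_tcodes)


def functions_of(tcodes):
    """Return the sensitive function groups that a set of transactions grants."""
    return {name for name, group in FUNCTIONS.items() if tcodes & group}


def sensitive_access_report(agr_users, agr_tcodes, as_of):
    """Function group -> sorted users who can maintain it (the 1.1.2 / 2.1.1 test)."""
    report = {name: [] for name in FUNCTIONS}
    for user, tcodes in sorted(effective_tcodes(agr_users, agr_tcodes, as_of).items()):
        for name in functions_of(tcodes):
            report[name].append(user)
    return report


def sod_conflicts(agr_users, agr_tcodes, as_of):
    """User -> list of (function, function) pairs from SOD_RULES the user holds."""
    conflicts = {}
    for user, tcodes in sorted(effective_tcodes(agr_users, agr_tcodes, as_of).items()):
        held = functions_of(tcodes)
        hits = [rule for rule in SOD_RULES if rule[0] in held and rule[1] in held]
        if hits:
            conflicts[user] = hits
    return conflicts


if __name__ == "__main__":
    for name, users in sensitive_access_report(AGR_USERS, AGR_TCODES, AS_OF).items():
        print(f"{name:16s} {', '.join(users) or '-'}")
    for user, hits in sod_conflicts(AGR_USERS, AGR_TCODES, AS_OF).items():
        print(f"SoD conflict: {user} holds " + " + ".join(a + "/" + b for a, b in hits))
```

With the constructed data, JSMITH is reported under both customer_master and sales_order and is the only SoD exception; MJONES's pricing role is excluded because its validity ended before the review date, and AKUMAR's display-only transactions (VA03, VK13, XD03) match no sensitive group. Moving the review date back before the pricing role expired makes MJONES a second exception, which is why the validity end date is part of the test rather than an afterthought.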

2.1.2 Refer to master data integrity point 1.1.2.
2.1.3 Refer to master data integrity point 1.1.3.
2.1.4 Understand the policies and procedures regarding reconciliation of sales orders. Review operations activity at selected times and check for evidence that reconciliations are being performed.

2.2 Orders are processed within approved customer credit limits.

2.2.1 Determine whether the configurable control settings address the risks pertaining to the processing of orders outside customer credit limits and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
Transaction SPRO, menu path Financial Accounting > Accounts Receivable and Accounts Payable > Credit Management > Credit Control Account
Execute transaction OVAK to show the type of credit check performed for the corresponding sales document types in order processing.
Execute transaction OVA7 to determine whether the credit check is active for the item categories of the document types being used.
Execute transaction OVAD to show the credit groups that have been assigned to the delivery types being used.
Execute transaction OVA8 to show an overview of the defined automatic credit checks for the credit control areas.

2. …

… SA38 and program RVAUFERR; the same incompleteness list is reached through transaction V.02). Review items on the list with the appropriate operational management, and ascertain whether there are legitimate reasons for the sales documents that remain incomplete.

… documents supports the accurate flow of billing details through the sales process and supports the accurate calculation and posting of invoice data.

… 's credit management policy and are consistent with management's intention.

4. Payment Receipt

4.1 Cash receipts are entered accurately, completely and in a timely manner.

4.1.1 Take a sample of bank reconciliations and test for adequate clearance of reconciling items and approval by finance management.
4.1.2 Determine whether the system has been configured to not allow processing of cash receipts outside of approved bank accounts. Execute transaction FI12 (house banks and bank accounts) and ascertain to which bank accounts a cash receipt can be posted. Determine whether this is consistent with management's intentions.

4.1.3 Use transaction code F.21, Customer Open Items (also accessible using transaction code SA38 and program RFDEPL00), to review customer open items. The report lists each item and the amount owed. At the end of the listing, the total amount still to be collected is calculated. Transaction code S_ALR_87009956, Customer Open …

4.2 Cash receipts are valid and are not duplicated.

4.2.1 Review the accounts receivable reconciliation and determine whether there are any unallocated amounts or any reconciling items. Determine the aging of these items and make inquiry of management as to the reasons for these items remaining unallocated or unreconciled.
4. … 's intentions.

4.3 Timely collection of cash receipts is monitored.

4.3.1 As for 4.1.3, determine whether accounts receivable aging reports are reviewed regularly to ensure that the collection of payments is being performed in a timely manner.

VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.

Columns of the maturity table: COBIT Control Practice; Assessed Maturity; Target Maturity; Reference Hyperlink; Comments.

AI6.1 Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the policies and processes, including:
Roles and responsibilities
Classification and prioritization of all changes based on business risk
Assessment of impact
Authorization and approval of all changes by the business process owners and IT
Tracking and status of changes
Impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted service providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organizational change management processes with the change management processes of service providers. Consider the impact of the organizational change management process on contractual terms and SLAs.

AI6.2 Impact Assessment, Prioritization and Authorization
1. Develop a process to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
3. Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies amongst changes. Involve business process owners in the assessment process, as appropriate.
5. Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.


AI6.3 Emergency Changes
1. Ensure that a documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
2. Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
3. Ensure that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
4. Conduct a post-implementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.

DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorize access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state the accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into account:
Sensitivity of information and applications involved (data classification)
Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
Roles and responsibilities as defined within the enterprise
The need-to-have access rights associated with the function
Standard but individual user access profiles for common job roles in the organization
Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and enforce access rights in line with the sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in coordination with human resources and user departments for users who are new, who have left the organization, or who have changed roles or jobs.


3. Define a policy that integrates incident, change and problem management procedures with the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative attributes and versions. Identify and maintain the relationships between configuration items in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions (component failure impact analysis).
7. Record all assets, including new hardware and software, procured or internally developed, within the configuration management data repository.
8. Define and implement a process to ensure that valid licenses are in place to prevent the inclusion of unauthorized software.

DS9.3 Configuration Integrity Review
1. To validate the integrity of configuration data, implement a process to ensure that configuration items are monitored. Compare recorded data against actual physical existence, and ensure that errors and deviations are reported and corrected.
2. Using automated discovery tools where appropriate, reconcile actual installed software and hardware periodically against the configuration database, license records and physical tags.
3. Periodically review, against the policy for software usage, the existence of any software in violation of or in excess of current policies and license agreements. Report deviations for correction.


Expenditure Business Cycle

I. Introduction

Overview

ISACA developed ITAF: A Professional Practices Framework for IT Assurance as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, and tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose

The audit/assurance program is a tool and template to be used as a roadmap for the completion of a specific assurance process. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200, General Standards. The audit/assurance programs are part of ITAF, section 4000, IT Assurance Tools and Techniques.

Control Framework

The audit/assurance programs have been developed in alignment with the COBIT framework, specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF, sections 3400, IT Management Processes; 3600, IT Audit and Assurance Processes; and 3800, IT Audit and Assurance Management.

Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename columns in the audit program to align with the enterprise's control framework.

IT Governance, Risk and Control

IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives with steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool


    4. and integration into the usiness decision model 4. is in the !rocess o# eing ado!ted

    & large enter!rises 'he t%o #rame%or$s are com!ared in figure AD1

    *igure AD12Com!arison of C)S) Internal Control and ER3 Integrated *rame"or+s

    Internal Control *rame"or+ ER3 Integrated *rame"or+

    Control Environment4 'he control en"ironment sets the tone o# an

    organiation, in#luencing the control consciousness o# its !eo!le It isthe #oundation #or all other com!onents o# internal control, !ro"iding

    disci!line and structure Control en"ironment #actors include the

    integrit&, ethical "alues, management>s o!erating st&le, delegation o#authorit& s&stems, as %ell as the !rocesses #or managing and

    de"elo!ing !eo!le in the organiation

    Internal EnvironmentD 'he internal en"ironment encom!asses the

    tone o# an organiation, and sets the asis #or ho% ris$ is "ie%ed andaddressed & an enter!rise>s !eo!le, including ris$ management

    !hiloso!h& and ris$ a!!etite, integrit& and ethical "alues, and the

    en"ironment in %hich the& o!erate

    )jective SettingD ecti"es must e5ist e#ore management can

    identi#& !otential e"ents a##ecting their achie"ement nter!rise ris$

    management ensures that management has in !lace a !rocess to setoecti"es and that the chosen oecti"es su!!ort and align %ith the

    enter!rise>s mission and are consistent %ith its ris$ a!!etite

    Event IdentificationD Internal and e5ternal e"ents a##ectingachie"ement o# an enter!rise>s oecti"es must e identi#ied,

    distinguishing et%een ris$s and o!!ortunities !!ortunities are

    channeled ac$ to management>s strateg& or oecti"esetting

    !rocesses

    Ris+ AssessmentD "er& enter!rise #aces a "ariet& o# ris$s #rome5ternal and internal sources that must e assessed A !recondition to

    ris$ assessment is estalishment o# oecti"es, and thus ris$

    assessment is the identi#ication and anal&sis o# rele"ant ris$s to

    achie"ement o# assigned oecti"es 4is$ assessment is a !rere9uisite#or determining ho% the ris$s should e managed

    Ris+ AssessmentD 4is$s are anal&ed, considering the li$elihood andim!act, as a asis #or determining ho% the& could e managed 4is$

    areas are assessed on an inherent and residual asis

    Ris+ Res!onse4 .anagement selects ris$ res!onses a"oiding,

    acce!ting, reducing, or sharing ris$ de"elo!ing a set o# actions toalign ris$s %ith the enter!rise>s ris$ tolerances and ris$ a!!etite

    Control ActivitiesD Control acti"ities are the !olicies and !rocedures

    that hel! ensure management directi"es are carried out 'he& hel!ensure that necessar& actions are ta$en to address ris$s to achie"ement

    o# the enter!riseRs oecti"es Control acti"ities occur throughout the

    organiation, at all le"els and in all #unctions 'he& include a range o#

    acti"ities as di"erse as a!!ro"als, authoriations, "eri#ications,

    reconciliations, re"ie%s o# o!erating !er#ormance, securit& o# assets

    and segregation o# duties

    Control Activities4Policies and !rocedures are estalished and

    im!lemented to hel! ensure the ris$ res!onses are e##ecti"el& carriedout

    Information and CommunicationD In#ormation s&stems !la& a $e&

    role in internal control s&stems as the& !roduce re!orts, including

    o!erational, #inancial and com!liancerelated in#ormation that ma$e it!ossile to run and control the usiness In a roader sense, e##ecti"e

    communication must ensure in#ormation #lo%s do%n, across and u!

    the organiation ##ecti"e communication should also e ensured %ith

    e5ternal !arties, such as customers, su!!liers, regulators and

    shareholders

    Information and Communication4 4ele"ant in#ormation is

    identi#ied, ca!tured, and communicated in a #orm and time#rame that

    enale !eo!le to carr& out their res!onsiilities ##ecti"ecommunication also occurs in a roader sense, #lo%ing do%n, across,

    and u! the enter!rise

    3onitoringD Internal control s&stems need to e monitoreda

    !rocess that assesses the 9ualit& o# the s&stem>s !er#ormance o"er

    time 'his is accom!lished through ongoing monitoring acti"ities orse!arate e"aluations Internal control de#iciencies detected through

    these monitoring acti"ities should e re!orted u!stream and correcti"e

    actions should e ta$en to ensure continuous im!ro"ement o# the

    s&stem

    3onitoring4 'he entiret& o# enter!rise ris$ management is monitored

    and modi#ications made as necessar& .onitoring is accom!lished

    through ongoing management acti"ities, se!arate e"aluations, or oth

Information for figure A.1 was obtained from the COSO web site, http://www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure A.1.

© 2009 ISACA. All rights reserved. Page 30

Reference/Hyperlink

Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference

This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments

The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

The IT Assurance Guide: Using COBIT, appendix VII Maturity Model for Internal Control, in figure A.2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure A.2—Maturity Model for Internal Control

Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls

0


3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

4 Managed and measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

5 Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholders' concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards

ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit/Assurance Standard S15 IT Controls, and IT Audit/Assurance Guideline G38 Access Controls are relevant to this audit/assurance program.

ISACA Controls Framework

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.

Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security

The review of SAP helps management ensure that it is secure. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing.

Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time". Release levels are annotated separately to the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release.

R/3 was introduced in 1992 with a three-tier architecture paradigm. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP


Single points of failure
Low data quality
Loss of physical assets
Loss of intellectual property
Loss of competitive advantage
Loss of customer confidence
Violation of regulatory requirements

Objective and Scope

Objective—The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.

Scope—The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills

This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.


VI. Expenditure Business Cycle Audit/Assurance Program

Columns of the program table: Audit/Assurance Program Step | COBIT Cross-reference | COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Reference Hyperlink | Issue Cross-reference | Comments

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP

1.1 Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT cross-reference: ME1

1.2 Determine whether: (COBIT cross-reference: ME1)
Senior management has assigned responsibilities for information, its processing and its use.
User management is responsible for providing information that supports the entity's objectives and policies.
Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity.
Senior management approves plans for development and acquisition of information systems.
There are procedures to ensure that the information system being developed or acquired meets user requirements.
There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation.
All personnel involved in the system acquisition and configuration activities receive adequate training and supervision.
There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards.
User management participates in the conversion of data from the existing system to the new system.


    *inal a!!ro"al is otained #rom user management !rior to

    going li"e %ith a ne% in#ormation/u!graded s&stem

    'here are !rocedures to document and schedule all changes to

    in#ormation s&stems (including $e& A2AP !rograms)

    'here are !rocedures to ensure that onl& authoried changes

    are initiated

    'here are !rocedures to ensure that onl& authoried, tested and

    documented changes to in#ormation s&stems are acce!ted into the

    !roduction client

    'here are !rocedures to allo% #or and control emergenc&

    changes

    'here are !rocedures #or the a!!ro"al, monitoring and control

    o# the ac9uisition and u!grade o# hard%are and s&stems so#t%are

    'here is a !rocess #or monitoring the "olume o# named and

    concurrent SAP 4P users to ensure that the license agreement is not

    eing "iolated

    'he organiation structure, estalished & senior management,

    !ro"ides #or an a!!ro!riate segregation o# incom!atile #unctions

    'he dataase, a!!lication and !resentation ser"ers are located

    in a !h&sicall& se!arate and !rotected en"ironment (ie, a data center)

    mergenc&, ac$u! and reco"er& !lans are documented and

    tested on a regular asis to ensure that the& remain current and

    o!erational

    2ac$u! and reco"er& !lans allo% users o# in#ormation s&stems

    to resume o!erations in the e"ent o# an interru!tion

Application controls are designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system.

Access to the Implementation Guide (IMG) during production has been restricted.
The production client settings have been flagged to not allow changes to programs and configuration.

B. PRELIMINARY AUDIT STEPS

1. Gain an understanding of the SAP ERP environment.

1.1 The same background information obtained for the SAP ERP Basis Security audit plan is required for and relevant to the business cycles. In particular, the following information is important:
Version and release of SAP ERP implemented
Total number of named users (for comparison with logical access security testing results)
Key security policies and standards
COBIT cross-reference: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME2

1.2 Obtain details of the following:
The Organizational Management Model as it relates to expenditure activity, i.e., purchasing organization unit structure in SAP ERP and purchasing/accounts payable organization chart (required when evaluating the results of access security control testing)
An interview of the systems implementation team, if possible, and the process design documentation for materials management
COBIT cross-reference: AI1, DS5, DS6

2. Identify the significant risks and determine the key controls.

2.1 Develop a high-level process flow diagram and overall understanding of the Expenditure processing cycle, including the following subprocesses:
Master data maintenance
Purchasing
Invoice processing
Processing disbursements
COBIT cross-reference: PO9, AI1, DS11

2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to sample testing program below and chapter IV for techniques for testing configurable controls and logical access security) regarding the following factors:
The controls culture of the organization (e.g., a just-enough control philosophy)
The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate. (Any weaknesses in the control structure should be reported to executive management and resolved.)
COBIT cross-reference: PO9, DS5, DS9, ME2

C. DETAILED AUDIT STEPS

1. Master Data Maintenance

1.1 Changes made to master data are valid, complete, accurate and timely.

1.1.1 Determine whether the changes made to the master data are complete, accurate and timely. Using the specified transaction code or SA38, determine whether the following report of changes to master data is compared to authorized source documents and/or a manual log of requested changes to ensure that they were input accurately and on a timely basis:
For vendor master data, use transaction code S_ALR_87010039 (also accessible through transaction code SA38 and program RFKABL00) to produce a list of master data changes.
COBIT cross-reference: AI6, DS11
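Step 1.1.1 asks the auditor to compare the system's list of master data changes with the approved source documents or manual request log. The script below is an added example of that comparison, not part of the ISACA program or of SAP: it reconciles a constructed change list (laid out like an export of the vendor change report produced by RFKABL00) against a constructed log of approved change requests and reports one exception list per control attribute in objective 1.1: changes with no approved request (not valid), changes whose entered value differs from the approved value (not accurate), changes entered long after the request (not timely) and approved requests never entered (not complete). The column names, the sample values and the 10-day timeliness limit are all assumptions.

```python
"""Reconciliation of a vendor master change list against a manual log of
approved change requests (audit step 1.1.1).

Added example, not part of the ISACA program: the two CSV data sets below are
constructed to resemble an RFKABL00-style export and a business-side request
log, and the 10-day timeliness limit is an assumed service level.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export of vendor master changes (RFKABL00-style columns).
CHANGE_LOG_CSV = """\
change_date,changed_by,vendor,field,old_value,new_value
2009-10-05,JSMITH,100234,BANKN,12345678,87654321
2009-10-06,MJONES,100512,STRAS,Old Road 1,New Street 7
2009-10-12,JSMITH,100650,STCD1,,DE123456798
2009-10-20,JSMITH,100777,BANKN,11112222,99998888
2009-10-21,ADMIN01,100234,ZTERM,N030,N000
"""

# Constructed manual log of approved change requests.
REQUEST_LOG_CSV = """\
request_id,request_date,vendor,field,new_value,approved_by
CR-41,2009-10-02,100234,BANKN,87654321,PCONTROL
CR-42,2009-10-05,100512,STRAS,New Street 7,PCONTROL
CR-43,2009-10-01,100777,BANKN,99998888,PCONTROL
CR-44,2009-10-15,100900,NAME1,Acme Supplies Ltd,PCONTROL
CR-45,2009-10-10,100650,STCD1,DE123456789,PCONTROL
"""

TIMELINESS_LIMIT_DAYS = 10  # assumed: approved changes must be entered within 10 days


@dataclass(frozen=True)
class Change:
    change_date: date
    changed_by: str
    vendor: str
    field: str
    new_value: str


@dataclass(frozen=True)
class Request:
    request_id: str
    request_date: date
    vendor: str
    field: str
    new_value: str


def parse_changes(text: str) -> list[Change]:
    rows = csv.DictReader(io.StringIO(text))
    return [Change(date.fromisoformat(r["change_date"]), r["changed_by"],
                   r["vendor"], r["field"], r["new_value"]) for r in rows]


def parse_requests(text: str) -> list[Request]:
    rows = csv.DictReader(io.StringIO(text))
    return [Request(r["request_id"], date.fromisoformat(r["request_date"]),
                    r["vendor"], r["field"], r["new_value"]) for r in rows]


def reconcile(changes, requests, limit_days=TIMELINESS_LIMIT_DAYS):
    """Match each system change to the request that authorized it and return
    exceptions for the four attributes of objective 1.1: valid (an approved
    request exists), accurate (entered value equals approved value), timely
    (entered within limit_days of the request) and complete (every approved
    request has been entered). Assumes at most one open request per vendor/field."""
    by_key = {(r.vendor, r.field): r for r in requests}
    findings = {"unauthorized": [], "inaccurate": [], "late": [], "not_applied": []}
    applied = set()
    for c in changes:
        req = by_key.get((c.vendor, c.field))
        if req is None:
            findings["unauthorized"].append(c)   # no approved request: not valid
            continue
        applied.add(req.request_id)
        if c.new_value != req.new_value:
            findings["inaccurate"].append((c, req))
        if (c.change_date - req.request_date).days > limit_days:
            findings["late"].append((c, req))
    for r in requests:
        if r.request_id not in applied:
            findings["not_applied"].append(r)    # approved but never entered
    return findings


def run_example():
    return reconcile(parse_changes(CHANGE_LOG_CSV), parse_requests(REQUEST_LOG_CSV))


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Each exception list is a work-paper candidate: an unauthorized change identifies the user and field to follow up, an inaccurate one shows the approved and entered values side by side, and a late or unapplied one quantifies the timeliness and completeness gap against the assumed service level.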

1.1.2 Determin