Table of Contents

Open all
Close all
Preface
17
Why This Book Is Important
17
The Structure of This Book
20
How to Use This Book
21
Audit and Compliance Professionals
22
SAP Project Managers
22
SAP Security Administrators or Consultants
23
Basis or Other Technical SAP Administrators
23
SAP Developers
24
Business Analyst
24
SAP User
24
Functional Business Manager
25
Senior Management
25
SAP Consultants
25
Disclaimer
25
International Issues
26
Acknowledgments
27
Parting Note to the Readers of This Book
28
1 Introduction for Auditors
29
1.1 How SAP S/4HANA Differs from Other ERP Systems
30
1.2 Terminology
35
1.2.1 SAP S/4HANA Architecture-Related Terms
36
1.2.2 Code-Related Terms
40
1.3 Planning the Audit and System Assessment
42
1.4 Recent Updates to SAP Control-Related Functionality
46
1.4.1 IT General Controls-Related Changes
46
1.4.2 IT Application Controls-Related Changes
47
1.5 Major Differences Between SAP S/4HANA and SAP ERP
48
1.5.1 Reduction in Tables
48
1.5.2 Universal Journal
49
1.5.3 Material Ledger
50
1.5.4 Business Partners
50
1.5.5 Foreign Trade
51
1.5.6 Financial Supply Chain Management
51
1.5.7 Additional Optional Functionality
51
1.5.8 Other Notable Changes
52
1.6 Collecting and Documenting Evidence for Audit Workpapers
52
1.6.1 Date Stamp
52
1.6.2 Environment Data
53
1.6.3 Testing in Production
53
1.6.4 Complete and Accurate Evidence
54
1.7 Useful Resources
55
1.8 Summary
56
2 Understanding Audits as a Non-Auditor
57
2.1 Audit Overview
58
2.2 Types of Auditors
60
2.2.1 Internal Auditors
60
2.2.2 External Auditors
61
2.2.3 Specialty Auditors
63
2.3 Categories of Audit Objectives
65
2.4 Auditing Principles and Considerations
67
2.4.1 Independence
67
2.4.2 Objectivity
68
2.4.3 Professional Skepticism
69
2.4.4 Evidence
71
2.5 Understanding the Audit
72
2.5.1 Risk-Based Auditing
72
2.5.2 Internal Controls
73
2.5.3 Thinking Like an Auditor
79
2.5.4 Applying Audit Investigative Techniques
81
2.6 Audit Reporting
83
2.6.1 Reporting Process
84
2.6.2 Responding to Preliminary Audit Issues
84
2.6.3 Negotiating Issues
84
2.6.4 Report Distribution
85
2.6.5 Management Response and Follow-Up
86
2.7 Rules of Engagement
86
2.7.1 Understanding the Audit Objective
87
2.7.2 Working with the Auditor
87
2.7.3 Establishing the Audit Environment
87
2.7.4 Dos and Don’ts
87
2.8 Common Problems and Solutions
88
2.8.1 Risk Assessment and Internal Control Design
88
2.8.2 Process Inconsistency
89
2.8.3 Documentation
90
2.8.4 Periodic SAP User Reviews
92
2.8.5 Non-Standard Process Monitoring
93
2.8.6 User Education and Understanding
94
2.8.7 Master Data Control
94
2.9 Emerging Audit Technologies
95
2.9.1 Largely Automated Control Testing
95
2.9.2 Full Population Testing Using Data Analytics
96
2.9.3 Use of Robotic Process Automation
97
2.9.4 Integration with GRC Platforms
98
2.10 Summary
98
3 The Typical SAP Audit
99
3.1 Timing for the Audit
99
3.1.1 Pre-Implementation Review
100
3.1.2 Post-Implementation Review
101
3.1.3 Ongoing Operations Review
102
3.2 The Building Blocks of an SAP S/4HANA Audit
102
3.2.1 Project Governance (Implementations and Upgrades)
105
3.2.2 IT General Controls
108
3.2.3 Basis and Security Settings
110
3.2.4 SAP Process-Specific Technical Settings
113
3.2.5 Business Processes Enabled by SAP S/4HANA
115
3.3 SAP S/4HANA Internal Control Maturity Model
117
3.4 The Start of the Audit
120
3.4.1 Planning
121
3.4.2 Fieldwork
123
3.4.3 Reporting
123
3.4.4 Follow-Up
126
3.5 Summary
126
4 SAP S/4HANA Implementations and Upgrades
127
4.1 What Is a Control-Conscious Implementation?
127
4.2 Reasons for Designing Internal Controls During an Implementation
131
4.2.1 Regulatory Requirements
132
4.2.2 Business Partner Relationships
134
4.2.3 Process Completeness
134
4.2.4 Control Redesign and Optimization
135
4.2.5 Reduce Costly Rework and Manual Effort
136
4.2.6 Upgrade-Specific Reasons to Design Controls
137
4.3 Creating a Control-Conscious Integrated Implementation Team
139
4.3.1 Audit Involvement and Rules of Engagement
140
4.3.2 Implementation Team Skills and Knowledge
143
4.3.3 Setting the Stage for Effective Control Design
148
4.3.4 Reporting of the Controls Workstream Status
149
4.3.5 Controls KPI Reporting
150
4.4 Designing Effective Controls
150
4.4.1 Defining Relevant Processes and Subprocesses
151
4.4.2 Creating the Risk Inventory
151
4.4.3 Linking Controls to Risks
153
4.4.4 Tracking Control Design Progress
156
4.4.5 Additional Risks Resulting from Control Decisions
157
4.5 Common SAP S/4HANA Audit-Related Implementation Issues
158
4.5.1 Schedule and Resource Management
158
4.5.2 Requirements Traceability
159
4.5.3 Design and Configuration of Automated Controls
159
4.5.4 Data Migration Failures
160
4.5.5 Identification of Late-Stage Design Issues
161
4.5.6 Organizational Change Management
161
4.5.7 Operational Resilience Changes
161
4.6 Control Considerations by Implementation Phase
162
4.6.1 Prepare
163
4.6.2 Explore
163
4.6.3 Realize
164
4.6.4 Deploy
169
4.6.5 Run
169
4.6.6 Impact by Phase
170
4.7 Auditing the SAP S/4HANA Implementation or Upgrade
171
4.8 Summary
173
5 IT General Controls, Basis Settings, and Security
175
5.1 IT General Controls
175
5.1.1 Overview
176
5.1.2 Standards
178
5.1.3 Highlights for an SAP Audit
180
5.2 Basis Settings and Transport Considerations
186
5.2.1 Logging Options
186
5.2.2 System Development and Related Controls
195
5.2.3 Profile Parameters
203
5.3 SAP User Security
208
5.3.1 User Master Record
208
5.3.2 User Types
210
5.3.3 SAP’s Authorization Concept
211
5.3.4 Creating and Maintaining Roles and Related Authorizations
212
5.3.5 Auditing User Security
215
5.3.6 Common Audit Issues and Observations
220
5.4 SAP Fiori Security
220
5.4.1 SAP Fiori Security Basics
221
5.4.2 Auditing SAP Fiori Security
222
5.4.3 Common Audit Issues and Observations
224
5.5 SAP HANA Database and Platform Security
225
5.5.1 The SAP HANA Platform
226
5.5.2 Auditing the SAP HANA Database
228
5.5.3 Common Audit Issues and Observations
228
5.6 Special Considerations for SAP S/4HANA Cloud
229
5.6.1 What Does SAP Deliver in the Cloud?
229
5.6.2 Key Differences
230
5.6.3 SAP S/4HANA Cloud Security Framework
232
5.6.4 SAP S/4HANA Cloud in Practice
236
5.6.5 Auditing SAP S/4HANA Cloud
237
5.6.6 Audit Observations and Words of Caution
240
5.7 Cybersecurity
242
5.8 Summary
243
6 Record-to-Report Cycle
245
6.1 Record-to-Report Cycle in SAP S/4HANA
246
6.2 Risks
248
6.3 Understanding the Enterprise Structure
250
6.4 Key Concepts
253
6.5 Master Data
255
6.5.1 General Ledger Account Master
255
6.5.2 Profit Center Master
257
6.5.3 Cost Center Master
257
6.5.4 Banking Master
258
6.6 Security Considerations
258
6.6.1 Restricting Postings to Functional Areas
258
6.6.2 Limiting Access to Powerful Transactions
259
6.6.3 Establishing Controls and Security over Master Data
260
6.7 Understanding and Testing Common Controls
263
6.7.1 Risk: Journal Entry Posting to the Wrong Financial Accounting Period
264
6.7.2 Risk: Journal Entries Contain Data Input Errors
269
6.7.3 Risk: Unauthorized or Unapproved Manual Journal Entries
281
6.7.4 Risk: Assets Are Not Properly Valued
283
6.7.5 Other Configurable Controls
287
6.8 Additional Procedures and Considerations
291
6.8.1 Optimizing the Closing Process
291
6.8.2 Implement Procedures to Resolve All Parked and Held Documents Prior to Closing
292
6.8.3 Confirm Receivables and Payables Account Balances
292
6.9 Useful Audit-Relevant Report Highlights
292
6.9.1 Reports Identifying Changed Data
293
6.9.2 Incomplete Information
294
6.9.3 Potential Issues
296
6.9.4 Other Useful Reports
296
6.10 Summary
296
7 Order-to-Cash Cycle
299
7.1 Order-to-Cash Cycle in SAP S/4HANA
300
7.2 Risks
302
7.3 Understanding the Enterprise Structure
304
7.4 Key Concepts
307
7.5 Master Data
307
7.5.1 Business Partners
308
7.5.2 Condition Records
313
7.5.3 Credit Master
314
7.6 Security Considerations
316
7.6.1 Restricting Transactions to Functional Sales Areas
316
7.6.2 Limiting Access to Powerful Transactions
317
7.6.3 Establishing Controls and Security over Master Data
318
7.7 Understanding and Testing Common Controls
322
7.7.1 Risk: Missing Data Entry in Critical Fields
322
7.7.2 Risk: Price and/or Quantity Errors Result in Erroneous Revenue Recognition
326
7.7.3 Risk: Customer Non-Payment Resulting in Lost Revenue and Misstated Accounts Receivable
338
7.7.4 Risk: Returns and/or Credits Provided for Items Not Ordered, or in Excess of Invoiced Values
341
7.8 Additional Procedures and Considerations
344
7.8.1 Implement Order Entry Completeness and Timeliness Procedures
344
7.8.2 Provide Order Confirmations
345
7.8.3 Eliminate Duplicates from the Material Master and Customer Master
345
7.8.4 Establish Procedures for Verifying Pricing Conditions
345
7.8.5 Review One-Time Customer Usage
347
7.8.6 Monitor Customer Payments and Payment Application
347
7.9 Useful Audit-Relevant Report Highlights
348
7.9.1 Reports Identifying Changed Data
348
7.9.2 Incomplete Information or Processing
350
7.9.3 Customer Receivables-Related Reports
352
7.9.4 Other Useful Reports
352
7.10 Summary
353
8 Purchase-to-Pay Cycle
355
8.1 Purchase-to-Pay Cycle in SAP S/4HANA
356
8.2 Risks
357
8.3 Understanding the Enterprise Structure
360
8.4 Key Concepts
362
8.5 Master Data
363
8.5.1 Business Partner
363
8.5.2 Material Master Record
369
8.5.3 Purchasing Info Record
372
8.5.4 Source List
373
8.6 Security Considerations
374
8.6.1 Restricting Transactions to Functional Purchasing Organizations
374
8.6.2 Limiting Access to Powerful Transactions
375
8.6.3 Establishing Controls and Security over Master Data
376
8.7 Understanding and Testing Common Controls
380
8.7.1 Risk: Missing Data Entry in Critical Fields
380
8.7.2 Risk: Master and Transactional Data Contain Data Input Errors
381
8.7.3 Risk: Payments for Goods Not Received or in Amounts Not Consistent with the Purchase Order
387
8.7.4 Risk: Unauthorized Purchase Order
391
8.7.5 Other Configurable Controls
397
8.8 Additional Procedures and Considerations
401
8.8.1 Eliminate Duplicates from the Vendor Master and Material Master
401
8.8.2 Review One-Time Vendor Usage
402
8.8.3 Closely Monitor Evaluated Receipts Activity
403
8.8.4 Monitor Vendor Payments and Payment Application
403
8.8.5 Limit, if Not Prohibit, Manual Payments
404
8.9 Useful Audit-Relevant Report Highlights
404
8.9.1 Reports Identifying Changed Data
404
8.9.2 Incomplete Information or Processing
406
8.9.3 Potential Issues
408
8.9.4 Other Useful Reports
408
8.10 Summary
409
9 Forecast-to-Stock Cycle
411
9.1 Forecast-to-Stock Cycle in SAP S/4HANA
412
9.2 Risks
413
9.3 Understanding the Enterprise Structure
416
9.4 Key Concepts
417
9.5 Master Data
421
9.6 Security Considerations
425
9.6.1 Limiting Access to Powerful Authorizations
426
9.6.2 Restricting Authorizations to Adjust Inventory
426
9.7 Understanding and Testing Common Controls
427
9.7.1 Risk: Erroneous or Fraudulent Inventory Adjustments
428
9.7.2 Other Configurable Controls
431
9.8 Useful Audit-Relevant Report Highlights
433
9.8.1 Reports Identifying Changed Data
433
9.8.2 Reports for Viewing Stock Values and Making Inventory Selections
435
9.8.3 Viewing Material Documents
437
9.8.4 Reports for Identifying Potential Processing Problems
440
9.8.5 Other Useful Reports
441
9.9 Summary
441
10 Audit Tips, Tricks, and Tools
443
10.1 The Audit Information System
443
10.1.1 Accessing the Audit Information System
444
10.1.2 Navigating the Audit Information System
446
10.1.3 Using the Audit Information System for Your Audit
447
10.2 Data Analysis Techniques for Uncovering Audit and Compliance Issues
448
10.2.1 Benefit of Using Data Analysis
450
10.2.2 Examples of Audit Analysis in Common Business Cycles
452
10.2.3 Using Data Analysis Techniques
454
10.2.4 Understanding the Data Dictionary
456
10.2.5 Specialized Data Analysis Tools
458
10.3 SAP Governance, Risk, and Compliance Solutions
459
10.4 Continuous Auditing, Monitoring, and Risk Assessment
460
10.5 Robotic Process Automation
461
10.5.1 Examples of Robotic Process Automation
461
10.5.2 Security and Control Considerations
463
10.6 Summary
466
11 Final Audit Preparations
467
11.1 Overview
468
11.2 Pre-Planning
469
11.3 Documentation: Preparing an Audit Information Repository
471
11.3.1 SAP System Information
472
11.3.2 SAP Support Team Organization Details
477
11.3.3 Policies and Procedures
480
11.3.4 Self-Assessment Procedures and Results
481
11.3.5 Known Weaknesses and Mitigation Procedures
484
11.4 Systems: Preparing for the Auditor
487
11.4.1 Creating and Testing Auditor Access
488
11.4.2 Reconciling to a Nonproduction Test Environment
489
11.4.3 Ensuring Resolution of Prior Audit Issues
489
11.5 Employees: Preparing Your Team
490
11.5.1 Explain the Audit Process
490
11.5.2 Establish Audit Ground Rules
490
11.5.3 Backfill Responsibilities
491
11.5.4 Perform a Readiness Review
491
11.6 Summary
492
The Author
493
Index
495