AUDITING IN SAP
ICAI WIRC
6-FEB-2021
INTRODUCTION TO ITGC
REPORTING ON INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING (ICFR)
Section 143(3) of the Companies Act 2013:
The auditor's report shall also state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls.
WHY ARE ITGCS IMPORTANT?
Information Technology General Controls (ITGCs) can be defined as internal controls that assure the secure, stable, and reliable performance of computer hardware, software and IT personnel connected to financial systems.
ITGCs affect the ability to rely on application controls and IT dependent manual controls.
Without effective ITGCs, reliance cannot be placed on any application controls or IT dependent manual controls unless additional procedures are performed (e.g., benchmarking). Even these additional procedures limit the ability to rely upon more than one application control at a time.
ITGCs link indirectly to the achievement of the financial statement assertions through application controls.
ITGCs are an integral part of many different operational and regulatory (federal and state) audits, including:
• IT operational reviews
• HIPAA assessments
• SSAE16 assessments
• PCI reviews/audits
• SOX assessments
The use of IT has the potential to be the major driver of economic wealth in the 21st century. In some industries, IT is a necessary competitive resource to differentiate and provide a competitive advantage, while in many others it determines survival, not just prosperity.
ITGC TESTING
ITGC APPROACH AND METHODOLOGY
As part of our current year audit of the financial statements of the XXX, we have reviewed the system of internal accounting controls to the extent we considered necessary to determine the nature, timing, and extent of our audit procedures. From our perspective, IT General Controls are an integral part of the overall system of internal accounting controls. Accordingly, we performed a review of the IT processes and supporting control environment in line with the documented policies and procedures.
During the year we have scoped in XX IT applications. Below is the list of significant applications covered by us.
Approach steps: Planning; Walkthrough; Assess and Analyse; Final Report; Remediation (if any); Conclusion.
ITGC APPLICATION SCOPE
• Application Name: SAP. Description: ERP for Financials, HR and Procurement
• Application Name: XYZ Application. Description: Timesheet management and approval
AREAS COVERED
ITGC
• User Management
• Change Management
• Computer Operations
• Entity Level Controls
ITAC
• Automated Controls
• Interface Controls
Other
• Report Testing
• IPE/Journal Entry Analysis
Conclusion
• No significant exceptions were noted that would impact the overall financials.
• Some observations noted were categorized as recommendations and/or non-significant ones.
WHY TEST ITGCS?
ITGCs are relevant when we require assurance on automated procedures such as:
• Calculations performed by an IT system
• Reports generated by an IT system
• Automated controls (e.g. 3 way match)
• Security (including segregation of duties)
• Interfaces between IT systems
In case of inadequate ITGCs, the auditor will not be able to rely on automated controls and the underlying data, and would need to perform manual controls and substantive audit procedures instead.
INTRODUCTION TO SAP
WHAT IS SAP
SAP SE is a German multinational software corporation based in Walldorf, Baden-Württemberg, that develops enterprise software to manage business operations and customer relations. The company is especially known for its ERP software.
SAP software products provide powerful instruments for helping companies to manage their financials, logistics, human resources, and other business areas. The backbone of the SAP software offering is the SAP ERP system, which is the most advanced Enterprise Resource Planning (ERP) system among those currently available.
SAP ARCHITECTURE
MODULES IN SAP
Technical
• ABAP
• Basis
Functional
• FICO
• SD
• MM
• HR
• PP
• BI
• HCM
SAP HIERARCHY
Instance
• One installation
Client
• At least one client per instance
• Multiple companies
Company Code
• A legally and organizationally independent entity with its own financial statements
• Balanced set of books; balance sheet and P&L statement
• Financial statements for multiple companies can be consolidated
AUDITING IN SAP
On a broader level, the areas below are covered when we perform an SAP audit:
• Change Management
• User Management
• System Administration
• Configuration controls
• Business Controls & Reports
CHANGE MANAGEMENT
What to Test (Relevant SAP Table/TCodes)
• Normal Changes in SAP: E070
• Segregated environments: STMS
• SoD: DEVACCESS
• Direct Changes to SAP: SCC4 Log/SE06 Log/SE16 Log
Risk Associated or WCGW
• Unauthorized/untested changes might be implemented into the SAP production environment.
Controls Associated
• Normal/emergency changes in SAP are implemented as per process defined by management.
• Segregated environments are defined.
• There exists SoD between developer and implementor of a change.
• Direct changes to production are restricted.
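As an added illustration that is not part of the presentation, the script below runs the change-management tests described above on constructed extracts: it pairs each transport's owner from E070 with the user who imported it into production to test the developer/implementor SoD, lists production imports with no approved change record behind them, and cross-checks DEVACCESS holders against importers. The E070 field names (TRKORR, TRFUNCTION, AS4USER, AS4DATE) are real; the import-log columns, the approved-change list and all values are assumptions made for the example.

```python
# Added example, not from the presentation: change-management tests over
# constructed extracts. E070 field names (TRKORR, TRFUNCTION, AS4USER,
# AS4DATE) are real; the import-log columns are assumptions of this example.

# Constructed E070 extract (transport request headers). TRFUNCTION K is a
# workbench request, W a customizing request; AS4USER is the request owner.
E070_EXTRACT = """\
TRKORR\tTRFUNCTION\tAS4USER\tAS4DATE
DEVK900101\tK\tDEV_ANITA\t20200914
DEVK900115\tK\tDEV_RAJ\t20201002
DEVK900120\tW\tFUNC_MEERA\t20201020
"""

# Constructed STMS import history for the production system (PRD). These
# column names are assumed for the example, not real SAP table fields.
IMPORT_LOG = """\
TRKORR\tTARGET\tIMPORTED_BY\tIMPORT_DATE
DEVK900101\tPRD\tBASIS_SAM\t20200916
DEVK900115\tPRD\tDEV_RAJ\t20201003
DEVK900120\tPRD\tBASIS_SAM\t20201021
DEVK900131\tPRD\tBASIS_SAM\t20201105
"""

# Constructed DEVACCESS extract: users holding a developer key.
DEVACCESS_USERS = {"DEV_ANITA", "DEV_RAJ"}

# Constructed list of transports covered by an approved change record.
APPROVED_TRANSPORTS = {"DEVK900101", "DEVK900120"}


def parse_extract(text):
    """Parse a tab-separated extract with a header row into a list of dicts."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    header = rows[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in rows[1:]]


def sod_exceptions(e070_rows, import_rows, target="PRD"):
    """Transports whose owner (developer) also imported them into the target:
    a breach of the developer/implementor segregation of duties."""
    owner = {r["TRKORR"]: r["AS4USER"] for r in e070_rows}
    return sorted(
        r["TRKORR"] for r in import_rows
        if r["TARGET"] == target and owner.get(r["TRKORR"]) == r["IMPORTED_BY"]
    )


def unapproved_imports(import_rows, approved, target="PRD"):
    """Production imports that no approved change record accounts for."""
    return sorted(
        r["TRKORR"] for r in import_rows
        if r["TARGET"] == target and r["TRKORR"] not in approved
    )


def developers_who_import(import_rows, devaccess, target="PRD"):
    """Developer-key holders who have also imported into production: a
    role-level conflict, inferred here from the import history rather than
    from authorization data."""
    importers = {r["IMPORTED_BY"] for r in import_rows if r["TARGET"] == target}
    return sorted(importers & devaccess)


def run_change_management_tests():
    e070 = parse_extract(E070_EXTRACT)
    imports = parse_extract(IMPORT_LOG)
    return {
        "sod": sod_exceptions(e070, imports),
        "unapproved": unapproved_imports(imports, APPROVED_TRANSPORTS),
        "dev_importers": developers_who_import(imports, DEVACCESS_USERS),
    }


if __name__ == "__main__":
    for test, hits in run_change_management_tests().items():
        print(f"{test}: {', '.join(hits) if hits else 'no exceptions'}")
```

On the constructed data the script flags DEVK900115 (owned and imported by the same developer), DEVK900115 and DEVK900131 as imports without an approved change record, and DEV_RAJ as a developer-key holder who has performed production imports. On a real engagement the same three checks are run on full-period extracts and each exception is traced to the change record and import log entry.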
USER MANAGEMENT
What to Test (Relevant SAP Table/TCodes)
• User Creation: RSUSR100N - User Created
• User Access Modification: RSUSR100N - Profile Added/Role Added
• User Termination: RSUSR100N - User Deleted/Lock Changed
• Generic IDs: USER_ADDR, USR02
Risk Associated or WCGW
• Unauthorized access might be granted to a user, leading to unauthorized transactions.
• User IDs of employees who have left could be used to perform unauthorized transactions, and accountability for those transactions could not be ascertained.
Controls Associated
• User Management in SAP is as per process defined by management.
• Terminated user's access is revoked in a timely manner.
• Generic ID usage is kept to a minimum.
SYSTEM ADMINISTRATION
What to Test (Relevant SAP Table/TCodes)
• Sensitive accesses/critical SAP access: SUIM
• SAP_ALL/SAP_NEW
• Privileged users
Risk Associated or WCGW
• Unauthorized access might be granted to a user, leading to unauthorized transactions.
Controls Associated
• Sensitive access in SAP is restricted to authorized users.
• Privileged access is restricted to authorized users.
• Access review of all SAP users is performed.
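As an added illustration that is not part of the presentation, the script below serves both the User Management and the System Administration tests above: it compares an HR leaver list against USR02 and the RSUSR100N lock history to check that terminated users' access was revoked within an agreed period and not used after the last working day, and it lists SAP_ALL/SAP_NEW assignments from UST04 that are outside an approved list. The USR02 fields (BNAME, USTYP, UFLAG, GLTGB, TRDAT) and UST04 fields (BNAME, PROFILE) are real; the lock-history column names, the five-day threshold, the approved list and all values are assumptions made for the example.

```python
# Added example, not from the presentation: user-termination and privileged
# profile tests over constructed user master extracts. USR02 fields (BNAME,
# USTYP, UFLAG, GLTGB, TRDAT) and UST04 fields (BNAME, PROFILE) are real;
# the lock-history columns and the policy values are assumptions.
from datetime import date

SAP_NEVER = "99991231"   # GLTGB value of a user with no validity end
ADMIN_LOCK = 64          # UFLAG bit set by an administrator lock (128 = failed logons)
PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed USR02 extract: user type, lock flag, valid-to date, last logon.
USR02_EXTRACT = """\
BNAME\tUSTYP\tUFLAG\tGLTGB\tTRDAT
ANITA\tA\t0\t99991231\t20210115
RAJ\tA\t64\t99991231\t20201030
PRIYA\tA\t0\t99991231\t20201203
VIKRAM\tA\t0\t20201130\t20201127
BATCHADM\tB\t0\t99991231\t20210116
"""

# Constructed lock history, modelled on RSUSR100N "Lock Changed" output.
LOCK_CHANGES = """\
BNAME\tCHANGE\tCHANGE_DATE\tCHANGED_BY
RAJ\tLOCK\t20201102\tBASIS_SAM
"""

# Constructed UST04 extract: profile assignments.
UST04_EXTRACT = """\
BNAME\tPROFILE
BATCHADM\tSAP_ALL
ANITA\tSAP_NEW
BASIS_SAM\tSAP_ALL
"""

# Constructed HR leaver list (user ID -> last working day) and policy.
LEAVERS = {"RAJ": "20201031", "PRIYA": "20201115", "VIKRAM": "20201130"}
REVOCATION_SLA_DAYS = 5                 # assumed "timely" threshold
APPROVED_PRIVILEGED = {"BASIS_SAM"}     # assumed approved SAP_ALL holder


def parse_extract(text):
    """Parse a tab-separated extract with a header row into a list of dicts."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    header = rows[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in rows[1:]]


def sap_date(yyyymmdd):
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:]))


def revocation_date(user, usr02_row, lock_rows):
    """Earliest date access was revoked: administrator lock or validity end.
    A failed-logon lock (UFLAG 128) does not count as a revocation."""
    candidates = []
    if int(usr02_row["UFLAG"]) & ADMIN_LOCK:
        candidates += [sap_date(r["CHANGE_DATE"]) for r in lock_rows
                       if r["BNAME"] == user and r["CHANGE"] == "LOCK"]
    if usr02_row["GLTGB"] != SAP_NEVER:
        candidates.append(sap_date(usr02_row["GLTGB"]))
    return min(candidates) if candidates else None


def termination_findings(usr02_rows, lock_rows, leavers, sla_days):
    """Leavers whose access was not revoked, revoked late, or used after leaving."""
    users = {r["BNAME"]: r for r in usr02_rows}
    findings = {}
    for user, lwd in leavers.items():
        row = users.get(user)
        if row is None:
            continue  # ID already deleted; nothing left to test in USR02
        last_day = sap_date(lwd)
        revoked = revocation_date(user, row, lock_rows)
        issues = []
        if revoked is None:
            issues.append("access not revoked")
        elif (revoked - last_day).days > sla_days:
            issues.append(f"revoked {(revoked - last_day).days} days after leaving")
        if sap_date(row["TRDAT"]) > last_day:
            issues.append(f"logged on {row['TRDAT']}, after last working day")
        if issues:
            findings[user] = issues
    return findings


def privileged_findings(ust04_rows, approved):
    """SAP_ALL/SAP_NEW assignments outside the approved list."""
    return sorted(
        (r["BNAME"], r["PROFILE"]) for r in ust04_rows
        if r["PROFILE"] in PRIVILEGED_PROFILES and r["BNAME"] not in approved
    )


def run_user_tests():
    usr02 = parse_extract(USR02_EXTRACT)
    locks = parse_extract(LOCK_CHANGES)
    ust04 = parse_extract(UST04_EXTRACT)
    return {
        "terminations": termination_findings(usr02, locks, LEAVERS, REVOCATION_SLA_DAYS),
        "privileged": privileged_findings(ust04, APPROVED_PRIVILEGED),
    }


if __name__ == "__main__":
    print(run_user_tests())
```

On the constructed data RAJ (locked two days after leaving) and VIKRAM (validity ended on the last working day) pass, PRIYA is reported as not revoked and logged on after leaving, and BATCHADM and ANITA are reported for holding SAP_ALL/SAP_NEW without approval. Note that the check treats only an administrator lock or a validity end as revocation; a lock caused by failed logons is not evidence that the control operated.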
CONFIGURATION CONTROLS
What to Test (Relevant SAP Table/TCodes)
• Client and system settings: SCC4, SE06
• Table logging: RSPARAM - rec/client
• Password settings: RSPARAM - login parameters
• Default passwords: RSUSR003
Risk Associated or WCGW
• Unauthorized changes might be implemented into the SAP production environment.
• In absence of table logging, direct changes to the production client would not be traceable.
• If password settings are not set appropriately, the security at application level may be compromised.
Controls Associated
• Production client is locked from direct changes.
• Table logging is enabled.
• Password settings are in line with policy defined by the management.
• Default password of system delivered IDs is changed.
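As an added illustration that is not part of the presentation, the script below runs the configuration tests above on constructed extracts: it reads RSPARAM output, takes the user-defined value where one is set and the system default otherwise, compares the login parameters with a password policy, checks that rec/client activates table logging for the production client, and checks the SCC4 (table T000) change settings of the production client. The parameter names and the T000 field names CCCORACTIV and CCNOCLIIND are real; the values, the policy thresholds and the meaning assigned to the T000 codes are assumptions made for the example and should be confirmed in SCC4 itself.

```python
# Added example, not from the presentation: password-parameter, table-logging
# and production-client-lock tests over constructed RSPARAM and T000 (SCC4)
# extracts. Parameter names and T000 field names are real; the values, the
# policy thresholds and the meaning assigned to the T000 codes are assumptions.

# Constructed RSPARAM output; a blank user-defined value means the default applies.
RSPARAM_EXTRACT = """\
Parameter Name\tUser-Defined Value\tSystem Default Value
login/min_password_lng\t6\t6
login/password_expiration_time\t0\t0
login/fails_to_user_lock\t\t5
login/fails_to_session_end\t3\t3
login/no_automatic_user_sapstar\t1\t0
rec/client\tOFF\tOFF
"""

# Constructed client settings modelled on SCC4 (table T000). The codes
# assumed here: CCCORACTIV 2 = no changes allowed; CCNOCLIIND 3 = no changes
# to repository or cross-client customizing. Confirm against SCC4 itself.
T000_EXTRACT = """\
MANDT\tMTEXT\tCCCORACTIV\tCCNOCLIIND
100\tProduction\t1\t
200\tQuality\t2\t3
"""
PRODUCTION_CLIENT = "100"

# Constructed policy: (rule, bound(s)) per parameter.
PASSWORD_POLICY = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("range", 1, 90),   # 0 = never expires
    "login/fails_to_user_lock": ("max", 5),
    "login/fails_to_session_end": ("max", 3),
    "login/no_automatic_user_sapstar": ("equals", 1),
}


def parse_extract(text):
    """Parse a tab-separated extract with a header row into a list of dicts."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    header = rows[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in rows[1:]]


def effective_values(rsparam_rows):
    """RSPARAM lists both values; the user-defined one applies when it is set."""
    return {
        r["Parameter Name"]: (r["User-Defined Value"].strip()
                              or r["System Default Value"].strip())
        for r in rsparam_rows
    }


def rule_holds(rule, value):
    kind, *bounds = rule
    if kind == "min":
        return value >= bounds[0]
    if kind == "max":
        return value <= bounds[0]
    if kind == "equals":
        return value == bounds[0]
    return bounds[0] <= value <= bounds[1]      # "range"


def parameter_findings(values, policy):
    findings = []
    for name, rule in policy.items():
        if name not in values:
            findings.append(f"{name}: not present in RSPARAM output")
        elif not rule_holds(rule, int(values[name])):
            findings.append(f"{name}={values[name]} violates {rule}")
    return findings


def table_logging_finding(values, prod_client):
    """rec/client must be ALL or list the production client for table logging."""
    setting = values.get("rec/client", "OFF")
    clients = {c.strip() for c in setting.split(",")}
    if setting == "ALL" or prod_client in clients:
        return None
    return f"rec/client={setting}: table logging not active for client {prod_client}"


def client_lock_findings(t000_rows, prod_client):
    """Production client must not allow client-specific or cross-client changes."""
    findings = []
    for r in t000_rows:
        if r["MANDT"] != prod_client:
            continue
        if r["CCCORACTIV"] != "2":
            findings.append(f"client {prod_client} allows client-specific changes (CCCORACTIV={r['CCCORACTIV']})")
        if r["CCNOCLIIND"] != "3":
            findings.append(f"client {prod_client} allows cross-client/repository changes (CCNOCLIIND={r['CCNOCLIIND']!r})")
    return findings


def run_configuration_tests():
    values = effective_values(parse_extract(RSPARAM_EXTRACT))
    return {
        "parameters": parameter_findings(values, PASSWORD_POLICY),
        "table_logging": table_logging_finding(values, PRODUCTION_CLIENT),
        "client_lock": client_lock_findings(parse_extract(T000_EXTRACT), PRODUCTION_CLIENT),
    }


if __name__ == "__main__":
    for test, result in run_configuration_tests().items():
        print(f"{test}: {result if result else 'no exceptions'}")
```

On the constructed data the minimum password length (6) and the expiry setting (0, never expires) fail the policy, rec/client=OFF means table logging is not active, and the production client is open to both client-specific and cross-client changes. The RSUSR003 default-password check from the slide is not scripted here, since that report already produces the finding directly.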
GENERIC SAP RCM
The RCM below consists of the generic controls (ITGCs) that are to be tested while auditing an SAP environment. The detailed test procedures are included in this document.
BUSINESS CONTROLS & REPORT
Business Process Controls
• Activity v/s control
• Manual v/s automated
Report Testing
• Standard v/s Customized
• Impacting financials
THANK YOU !