Milford Sprecher

1
Audit Support in SAP

• Milford Sprecher
• SAP Public Services, Inc.

2
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AIS
Tools and Data Export
Summary and QA
3
Reasons/Methodology for Financial Audits

• Financial audits
• Generally begin with an assessment of internal
  controls under the assumption that good internal
  controls reduces the risk of improprieties in the
  system
• Are performed after adequate planning and with
  proper supervision
• Are performed by obtaining competent evidential
  matter through inspection, observation, inquiries
  and confirmations to afford a reasonable basis
  for an opinion3
• 3 Taylor, Donald H. and Glezen, G. William.
  Auditing Integrated Concepts and Procedures,
  Second Edition, New York John Wiley Sons, 1982

4
Legal Environment (Today)

• Sarbanes-Oxley Act 2002
• New regulations for auditing firms including more
  independence requirements
• Reinforces older case law and acts
• Places more attention, requirements and
  responsibilities on management
• Elevates internal accounting controls to
  assertion level requiring an opinion from auditor

5
How Can Technology Help?

• System tools to facilitate documentation,
  assessment and testing of internal control
  environment
• Ability to implement continuous automated control
  techniques to ensure continued compliance with
  Sarbanes-Oxley requirements (e.g., monitoring of
  key disclosure controls, electronic sign-offs of
  control procedure completion, etc.)
• Ability to provide consistent business process
  and control practices
• Automated auditing techniques
• Control gap analysis and resolution performance
  management and tracking

6
SAP Principles Supporting Audit Requirements

• Inherent controls
• are delivered with SAP and do not need to be
  designed into the system
• Configurable controls
• automated controls to be defined at the time of
  system configuration
• Security controls
• user access and segregation of duties controls
• Reporting controls
• controls that rely on standard or ad-hoc reports
  from SAP

7
Internal Controls

• SAP Security Guide
• Contains examples of best practices for
  separation of duties
• System Audit
• Function in System Audit to make sure there are
  separation of duties (after the fact)
• MIC (Management of Internal Controls)
• Documents processes, risk and internal controls
  in place
• Third Party Products
• SAP Compliance Calculator by Versa
• Contains segregation of duties testing
• Sarbanes-Oxley driven

8
SAP MIC Phases and Roles
Continuous Improvement
Management
Auditor
Scoping and Set-Up
Document Processes and Controls
Sign-Off, Prepare Certification / Internal
Control Report
Assess Control Design and Remediate Issues
Test Operating Effective- ness
Attest and Report
CEO / CFO
Internal Control Manager
Org.Unit Manager
Process Group Owner
Control Owner
Evaluator
Tester
Issue and Remediation Plan Owner
Internal and External Auditor
9
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AIS
Tools and Data Export
Summary and QA
10
SAP Audit Information System (AIS)

• AIS is the auditors toolbox within the SAP
  environment
• Structured collection and pre-setting of standard
  reports
• Suitable for auditors with limited SAP experience
• Role-based organization
• Comprehensive functionality for system and
  business audits
• Provides monitoring of system inherent and
  configurable controls
• Implements numerous reporting controls
• Business audit structured according to
• Financial statements
• Business Processes
• AIS reporting tree links to multiple types of
  documentation
• AIS documentation, SAP Library, IMG
  documentation, web addresses
• Data export to external analysis and audit tools
• online real time or batch processed queries
• document data, account balances, and financial
  statement data

11
Audit Information System (AIS)
Non-SAP Environment
mySAP ERP Environment

• Audit planning
• Work program- System audit- Business audit

A I S
... AccountsCustomers Vendors AssetsMaterialOr
ders Invoices

• Online controls onthe SAP database
• System information
• Reconciliation
• B/S, PL
• Account balances
• Documents
• Data export
• Account balances
• Line items

Analysis software ( ACL / IDEA / )
Line items
Export interface
Reporting software
Balances
Work paper prep.
Report
12
AIS Motivation and Availability

• Why should one be interested in this?
• In an environment of mass transactions, system
  support for audit is a must.
• Corporate governance requirements
• Why use the SAP Audit Information System?
• Acts as a bridge between auditors and the SAP
  system
• Helps to understand SAP terminology and
  structures
• Optimized for the SAP system, direct access to
  critical data
• What is the effort involved in installing and
  using AIS?
• AIS provides data without requiring much system
  resource.
• Queries can be run in batch or online.
• AIS is simple to implement five to 10
  consulting days including training.

13
Audit Information System
14
The Audit Information System
The Audit Information System facilitates smoother
and better quality audits. It consists of a
number of single roles and is a - Collection, -
Structure, and - Default setup of SAP standard
programs. The AIS is the Toolbox of the auditor
in SAP environment.
15
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AIS
Tools and Data Export
Summary and QA
16
Tools Used for Online and Offline Controls
A I S
17
Online Controls Query
List
SAP - DB
Dialog
Query
Drill- down
SAP Query The application SAP Query is used to
create lists not already contained in the SAP
standard.
Extract (flat file)
18
Selected Queries Delivered by SAP
19
Online Controls Drilldown Reporting
List
SAP - DB
Dialog
Drill-downReporting
Drill- down
SAP drill-down reporting With drill-down
reporting, SAP provides you with an interactive
information system to let you evaluate the data
collected in your application.
Extract (flat file)
20
Online Controls Information Systems
List
SAP - DB
Dialog
Information systems
Drill- down

• Component-specific information tools
• General ledger Information System
• Accounts receivable Information System
• Accounts payable Information System
• Logistics Information System
• Repository Information System
• . . .

Extract (flat file)
21
Offline Controls DART
List
SAP - DB
Dialog
D A R T
Drill- down

• Data Retention Tool ( D A R T )
• Data retention and evaluation of
• tax-relevant data.
• Data extraction and storage
• View query
• Export function (SAP-Audit-Format)

Extract (flat file)
22
Auditing Overview
mySAP Audit Information System (AIS) Overview
Administration of AIS
Tools and Data Export
Summary and QA
23
7 Key Points to Take Home

• SAP Audit Information System (AIS) is the
  auditors toolboxin the SAP environment.
• It provides a structured, easy-to-learn access to
  audit-relevant data in the SAP system.
• AIS is being used by external auditors, internal
  auditors/financial analysts, tax auditors and
  data security officers.
• There are comprehensive online controls for
  system audit, business audit, and tax audit.
• AIS supports data export of master data, account
  balances, and documents to 3rd party audit and
  analysis tools.
• AIS can be implemented quickly and with low
  effort, and easily adjusted to the requirements
  of the customer.
• AIS requires few system resources.

24
AIS Benefits

• AIS is the auditors toolbox within SAP.
• Online Controls and Data Export
• Easy to use functionality
• Comprehensive offering for
• System audit
• Business audit
• Tax audit