Cover
Contents
Preface
Why This Book Is Important
The Structure of This Book
How to Use This Book
Audit and Compliance Professionals
SAP Project Managers
SAP Security Administrators or Consultants
Basis or Other Technical SAP Administrators
SAP Developers
Business Analyst
SAP User
Functional Business Manager
Senior Management
SAP Consultants
Disclaimer
International Issues
Acknowledgments
Parting Note to the Readers of This Book
1: Introduction for Auditors
1.1 How SAP S/4HANA Differs from Other ERP Systems
1.2 Terminology
1.2.1 SAP S/4HANA Architecture-Related Terms
1.2.2 Code-Related Terms
1.3 Planning the Audit and System Assessment
1.4 Recent Updates to SAP Control-Related Functionality
1.4.1 IT General Controls-Related Changes
1.4.2 IT Application Controls-Related Changes
1.5 Major Differences Between SAP S/4HANA and SAP ERP
1.5.1 Reduction in Tables
1.5.2 Universal Journal
1.5.3 Material Ledger
1.5.4 Business Partners
1.5.5 Foreign Trade
1.5.6 Financial Supply Chain Management
1.5.7 Additional Optional Functionality
1.5.8 Other Notable Changes
1.6 Collecting and Documenting Evidence for Audit Workpapers
1.6.1 Date Stamp
1.6.2 Environment Data
1.6.3 Testing in Production
1.6.4 Complete and Accurate Evidence
1.7 Useful Resources
1.8 Summary
2: Understanding Audits as a Non-Auditor
2.1 Audit Overview
2.2 Types of Auditors
2.2.1 Internal Auditors
2.2.2 External Auditors
2.2.3 Specialty Auditors
2.3 Categories of Audit Objectives
2.4 Auditing Principles and Considerations
2.4.1 Independence
2.4.2 Objectivity
2.4.3 Professional Skepticism
2.4.4 Evidence
2.5 Understanding the Audit
2.5.1 Risk-Based Auditing
2.5.2 Internal Controls
2.5.3 Thinking Like an Auditor
2.5.4 Applying Audit Investigative Techniques
2.6 Audit Reporting
2.6.1 Reporting Process
2.6.2 Responding to Preliminary Audit Issues
2.6.3 Negotiating Issues
2.6.4 Report Distribution
2.6.5 Management Response and Follow-Up
2.7 Rules of Engagement
2.7.1 Understanding the Audit Objective
2.7.2 Working with the Auditor
2.7.3 Establishing the Audit Environment
2.7.4 Dos and Donβts
2.8 Common Problems and Solutions
2.8.1 Risk Assessment and Internal Control Design
2.8.2 Process Inconsistency
2.8.3 Documentation
2.8.4 Periodic SAP User Reviews
2.8.5 Non-Standard Process Monitoring
2.8.6 User Education and Understanding
2.8.7 Master Data Control
2.9 Emerging Audit Technologies
2.9.1 Largely Automated Control Testing
2.9.2 Full Population Testing Using Data Analytics
2.9.3 Use of Robotic Process Automation
2.9.4 Integration with GRC Platforms
2.10 Summary
3: The Typical SAP Audit
3.1 Timing for the Audit
3.1.1 Pre-Implementation Review
3.1.2 Post-Implementation Review
3.1.3 Ongoing Operations Review
3.2 The Building Blocks of an SAP S/4HANA Audit
3.2.1 Project Governance (Implementations and Upgrades)
3.2.2 IT General Controls
3.2.3 Basis and Security Settings
3.2.4 SAP Process-Specific Technical Settings
3.2.5 Business Processes Enabled by SAP S/4HANA
3.3 SAP S/4HANA Internal Control Maturity Model
3.4 The Start of the Audit
3.4.1 Planning
3.4.2 Fieldwork
3.4.3 Reporting
3.4.4 Follow-Up
3.5 Summary
4: SAP S/4HANA Implementations and Upgrades
4.1 What Is a Control-Conscious Implementation?
4.2 Reasons for Designing Internal Controls During an Implementation
4.2.1 Regulatory Requirements
4.2.2 Business Partner Relationships
4.2.3 Process Completeness
4.2.4 Control Redesign and Optimization
4.2.5 Reduce Costly Rework and Manual Effort
4.2.6 Upgrade-Specific Reasons to Design Controls
4.3 Creating a Control-Conscious Integrated Implementation Team
4.3.1 Audit Involvement and Rules of Engagement
4.3.2 Implementation Team Skills and Knowledge
4.3.3 Setting the Stage for Effective Control Design
4.3.4 Reporting of the Controls Workstream Status
4.3.5 Controls KPI Reporting
4.4 Designing Effective Controls
4.4.1 Defining Relevant Processes and Subprocesses
4.4.2 Creating the Risk Inventory
4.4.3 Linking Controls to Risks
4.4.4 Tracking Control Design Progress
4.4.5 Additional Risks Resulting from Control Decisions
4.5 Common SAP S/4HANA Audit-Related Implementation Issues
4.5.1 Schedule and Resource Management
4.5.2 Requirements Traceability
4.5.3 Design and Configuration of Automated Controls
4.5.4 Data Migration Failures
4.5.5 Identification of Late-Stage Design Issues
4.5.6 Organizational Change Management
4.5.7 Operational Resilience Changes
4.6 Control Considerations by Implementation Phase
4.6.1 Prepare
4.6.2 Explore
4.6.3 Realize
4.6.4 Deploy
4.6.5 Run
4.6.6 Impact by Phase
4.7 Auditing the SAP S/4HANA Implementation or Upgrade
4.8 Summary
5: IT General Controls, Basis Settings, and Security
5.1 IT General Controls
5.1.1 Overview
5.1.2 Standards
5.1.3 Highlights for an SAP Audit
5.2 Basis Settings and Transport Considerations
5.2.1 Logging Options
5.2.2 System Development and Related Controls
5.2.3 Profile Parameters
5.3 SAP User Security
5.3.1 User Master Record
5.3.2 User Types
5.3.3 SAPβs Authorization Concept
5.3.4 Creating and Maintaining Roles and Related Authorizations
5.3.5 Auditing User Security
5.3.6 Common Audit Issues and Observations
5.4 SAP Fiori Security
5.4.1 SAP Fiori Security Basics
5.4.2 Auditing SAP Fiori Security
5.4.3 Common Audit Issues and Observations
5.5 SAP HANA Database and Platform Security
5.5.1 The SAP HANA Platform
5.5.2 Auditing the SAP HANA Database
5.5.3 Common Audit Issues and Observations
5.6 Special Considerations for SAP S/4HANA Cloud
5.6.1 What Does SAP Deliver in the Cloud?
5.6.2 Key Differences
5.6.3 SAP S/4HANA Cloud Security Framework
5.6.4 SAP S/4HANA Cloud in Practice
5.6.5 Auditing SAP S/4HANA Cloud
5.6.6 Audit Observations and Words of Caution
5.7 Cybersecurity
5.8 Summary
6: Record-to-Report Cycle
6.1 Record-to-Report Cycle in SAP S/4HANA
6.2 Risks
6.3 Understanding the Enterprise Structure
6.4 Key Concepts
6.5 Master Data
6.5.1 General Ledger Account Master
6.5.2 Profit Center Master
6.5.3 Cost Center Master
6.5.4 Banking Master
6.6 Security Considerations
6.6.1 Restricting Postings to Functional Areas
6.6.2 Limiting Access to Powerful Transactions
6.6.3 Establishing Controls and Security over Master Data
6.7 Understanding and Testing Common Controls
6.7.1 Risk: Journal Entry Posting to the Wrong Financial Accounting Period
6.7.2 Risk: Journal Entries Contain Data Input Errors
6.7.3 Risk: Unauthorized or Unapproved Manual Journal Entries
6.7.4 Risk: Assets Are Not Properly Valued
6.7.5 Other Configurable Controls
6.8 Additional Procedures and Considerations
6.8.1 Optimizing the Closing Process
6.8.2 Implement Procedures to Resolve All Parked and Held Documents Prior to Closing
6.8.3 Confirm Receivables and Payables Account Balances
6.9 Useful Audit-Relevant Report Highlights
6.9.1 Reports Identifying Changed Data
6.9.2 Incomplete Information
6.9.3 Potential Issues
6.9.4 Other Useful Reports
6.10 Summary
7: Order-to-Cash Cycle
7.1 Order-to-Cash Cycle in SAP S/4HANA
7.2 Risks
7.3 Understanding the Enterprise Structure
7.4 Key Concepts
7.5 Master Data
7.5.1 Business Partners
7.5.2 Condition Records
7.5.3 Credit Master
7.6 Security Considerations
7.6.1 Restricting Transactions to Functional Sales Areas
7.6.2 Limiting Access to Powerful Transactions
7.6.3 Establishing Controls and Security over Master Data
7.7 Understanding and Testing Common Controls
7.7.1 Risk: Missing Data Entry in Critical Fields
7.7.2 Risk: Price and/or Quantity Errors Result in Erroneous Revenue Recognition
7.7.3 Risk: Customer Non-Payment Resulting in Lost Revenue and Misstated Accounts Receivable
7.7.4 Risk: Returns and/or Credits Provided for Items Not Ordered, or in Excess of Invoiced Values
7.8 Additional Procedures and Considerations
7.8.1 Implement Order Entry Completeness and Timeliness Procedures
7.8.2 Provide Order Confirmations
7.8.3 Eliminate Duplicates from the Material Master and Customer Master
7.8.4 Establish Procedures for Verifying Pricing Conditions
7.8.5 Review One-Time Customer Usage
7.8.6 Monitor Customer Payments and Payment Application
7.9 Useful Audit-Relevant Report Highlights
7.9.1 Reports Identifying Changed Data
7.9.2 Incomplete Information or Processing
7.9.3 Customer Receivables-Related Reports
7.9.4 Other Useful Reports
7.10 Summary
8: Purchase-to-Pay Cycle
8.1 Purchase-to-Pay Cycle in SAP S/4HANA
8.2 Risks
8.3 Understanding the Enterprise Structure
8.4 Key Concepts
8.5 Master Data
8.5.1 Business Partner
8.5.2 Material Master Record
8.5.3 Purchasing Info Record
8.5.4 Source List
8.6 Security Considerations
8.6.1 Restricting Transactions to Functional Purchasing Organizations
8.6.2 Limiting Access to Powerful Transactions
8.6.3 Establishing Controls and Security over Master Data
8.7 Understanding and Testing Common Controls
8.7.1 Risk: Missing Data Entry in Critical Fields
8.7.2 Risk: Master and Transactional Data Contain Data Input Errors
8.7.3 Risk: Payments for Goods Not Received or in Amounts Not Consistent with the Purchase Order
8.7.4 Risk: Unauthorized Purchase Order
8.7.5 Other Configurable Controls
8.8 Additional Procedures and Considerations
8.8.1 Eliminate Duplicates from the Vendor Master and Material Master
8.8.2 Review One-Time Vendor Usage
8.8.3 Closely Monitor Evaluated Receipts Activity
8.8.4 Monitor Vendor Payments and Payment Application
8.8.5 Limit, if Not Prohibit, Manual Payments
8.9 Useful Audit-Relevant Report Highlights
8.9.1 Reports Identifying Changed Data
8.9.2 Incomplete Information or Processing
8.9.3 Potential Issues
8.9.4 Other Useful Reports
8.10 Summary
9: Forecast-to-Stock Cycle
9.1 Forecast-to-Stock Cycle in SAP S/4HANA
9.2 Risks
9.3 Understanding the Enterprise Structure
9.4 Key Concepts
9.5 Master Data
9.6 Security Considerations
9.6.1 Limiting Access to Powerful Authorizations
9.6.2 Restricting Authorizations to Adjust Inventory
9.7 Understanding and Testing Common Controls
9.7.1 Risk: Erroneous or Fraudulent Inventory Adjustments
9.7.2 Other Configurable Controls
9.8 Useful Audit-Relevant Report Highlights
9.8.1 Reports Identifying Changed Data
9.8.2 Reports for Viewing Stock Values and Making Inventory Selections
9.8.3 Viewing Material Documents
9.8.4 Reports for Identifying Potential Processing Problems
9.8.5 Other Useful Reports
9.9 Summary
10: Audit Tips, Tricks, and Tools
10.1 The Audit Information System
10.1.1 Accessing the Audit Information System
10.1.2 Navigating the Audit Information System
10.1.3 Using the Audit Information System for Your Audit
10.2 Data Analysis Techniques for Uncovering Audit and Compliance Issues
10.2.1 Benefit of Using Data Analysis
10.2.2 Examples of Audit Analysis in Common Business Cycles
10.2.3 Using Data Analysis Techniques
10.2.4 Understanding the Data Dictionary
10.2.5 Specialized Data Analysis Tools
10.3 SAP Governance, Risk, and Compliance Solutions
10.4 Continuous Auditing, Monitoring, and Risk Assessment
10.5 Robotic Process Automation
10.5.1 Examples of Robotic Process Automation
10.5.2 Security and Control Considerations
10.6 Summary
11: Final Audit Preparations
11.1 Overview
11.2 Pre-Planning
11.3 Documentation: Preparing an Audit Information Repository
11.3.1 SAP System Information
11.3.2 SAP Support Team Organization Details
11.3.3 Policies and Procedures
11.3.4 Self-Assessment Procedures and Results
11.3.5 Known Weaknesses and Mitigation Procedures
11.4 Systems: Preparing for the Auditor
11.4.1 Creating and Testing Auditor Access
11.4.2 Reconciling to a Nonproduction Test Environment
11.4.3 Ensuring Resolution of Prior Audit Issues
11.5 Employees: Preparing Your Team
11.5.1 Explain the Audit Process
11.5.2 Establish Audit Ground Rules
11.5.3 Backfill Responsibilities
11.5.4 Perform a Readiness Review
11.6 Summary
The Author
Index