Systems Applications Products audit

A Systems Applications Products audit is an audit of a computer system from SAP to check its security and data integrity. SAP is the acronym for Systems Applications Products. It is a system that provides users with a soft real-time business application. It contains a user interface and is considered very flexible. In an SAP audit, the two main areas of concern are security and data integrity.

Overview

Systems, Applications, Products in Data Processing, or SAP, was originally introduced in the 1980s as SAP R/2, which was a system that provided users with a soft real-time business application that could be used in multiple currencies and languages. As client–server systems began to be introduced, SAP brought out a server-based version of their software called SAP R/3, henceforth referred to as SAP, which was launched in 1992. SAP also developed a graphical user interface or GUI.

For the next 12 years, SAP dominated the large business applications market. It was successful primarily because it was flexible. Because SAP was a modular system (meaning that the various functions it provided could be purchased piecemeal), it was a versatile system: a company could simply purchase the modules it wanted and customize the processes to match its own business model. SAP's flexibility, while one of its greatest strengths, is also one of its greatest weaknesses, and it is what creates the need for an SAP audit.

There are three main enterprise resource planning (ERP) systems used in today's larger businesses: SAP, Oracle, and PeopleSoft. ERPs are specifically designed to help with the accounting function and the control over various other aspects of the company's business such as sales, delivery, production, human resources, and inventory management. Despite the benefits of ERPs, there are many potential pitfalls that companies who turn to ERPs occasionally fall into.

Security

Segregation of duties

Security is the first and foremost concern in any SAP audit. There should be proper segregation of duties and access controls, which is paramount to establishing the integrity of the controls for the system. When a company first receives SAP, it lacks almost all security measures. When implementing SAP, a company must go through an extensive process of outlining its processes and then building its system security from the ground up to ensure proper segregation of duties and proper access. Proper profile design and avoidance of redundant user IDs and superuser access will be important in all phases of operation. Along with this comes the importance of ensuring restricted access to terminals, servers, and the data center to prevent tampering. Because each company will have different modules, each company's security structure will be distinctly different.

A typical example from SAP is being able to create a vendor and also being able to pay an invoice. The create-vendor transaction is XK01 and the pay-invoice transaction is FB60. If a user or role in SAP holds both of those transactions, it creates an SoD risk.

With security, it all starts at the beginning with the proper design and implementation of security and access measures for employees. For new employees, it is important that their access is set up properly and that any future access granted has proper approval. After the system has been implemented, the control over system changes and the approval process required for them is vital to ensure the continued security and functionality of the system. Without proper security measures in place from start to finish there will be a material weakness in the controls of the system, and because of this there will likely be some level of fraud as well.

Through security, you can monitor who has access to what data and processes and ensure that there is sufficient segregation of duties to prevent someone from perpetrating fraud. One of the major advantages of SAP is that it can be programmed to perform various audit functions for you. One of the most important of those is for reviewing user access and using the system to cross-check based on an access matrix to ensure that proper segregation is in place so a person with payment request access does not also have access to create a vendor.
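The XK01/FB60 conflict described above, and the cross-check of every user against an access matrix that this section calls for, can be run over extracts of the role and user assignment tables. The following is an added example, not code from the article or from SAP; the table names AGR_USERS and AGR_TCODES, the role and user names, and the second matrix entry are assumptions.

```python
# Added example, not from the article: a segregation-of-duties (SoD) check over
# SAP role/user assignments. Rows are constructed to resemble extracts of the SAP
# tables AGR_USERS (user->role) and AGR_TCODES (role->tcode); names are assumed.
from collections import defaultdict
from itertools import combinations

# Constructed AGR_USERS-style extract: (user id, role)
AGR_USERS = [
    ("JSMITH", "Z_AP_CLERK"),      # AP clerk who was also given vendor maintenance
    ("JSMITH", "Z_VENDOR_MAINT"),
    ("MJONES", "Z_AP_CLERK"),      # clean: single role, no conflicting pair
    ("ADMIN01", "Z_SUPERUSER"),    # conflict already inside one role
]

# Constructed AGR_TCODES-style extract: (role, transaction code)
AGR_TCODES = [
    ("Z_AP_CLERK", "FB60"),
    ("Z_VENDOR_MAINT", "XK01"),
    ("Z_SUPERUSER", "XK01"),
    ("Z_SUPERUSER", "FB60"),
    ("Z_SUPERUSER", "SU01"),
]

# Access matrix of conflicting pairs; XK01/FB60 is the article's, SU01/FB60 assumed.
CONFLICT_MATRIX = {
    frozenset({"XK01", "FB60"}): "create vendor + pay invoice",
    frozenset({"SU01", "FB60"}): "maintain users + pay invoice",
}

def role_tcodes(agr_tcodes):
    """Map each role to the set of transaction codes it grants."""
    roles = defaultdict(set)
    for role, tcode in agr_tcodes:
        roles[role].add(tcode)
    return roles

def user_tcodes(agr_users, roles):
    """Map each user to the union of tcodes over all assigned roles, so a
    conflict split across two individually clean roles is still caught."""
    users = defaultdict(set)
    for user, role in agr_users:
        users[user] |= roles.get(role, set())
    return users

def find_conflicts(granted, matrix):
    """Return sorted (subject, tcode_a, tcode_b, reason) tuples for every
    conflicting pair present in a subject's transaction set."""
    hits = []
    for subject, tcodes in granted.items():
        for a, b in combinations(sorted(tcodes), 2):
            reason = matrix.get(frozenset({a, b}))
            if reason:
                hits.append((subject, a, b, reason))
    return sorted(hits)

def sod_report(agr_users=AGR_USERS, agr_tcodes=AGR_TCODES, matrix=CONFLICT_MATRIX):
    """Check at role level and at user level (all of a user's roles combined)."""
    roles = role_tcodes(agr_tcodes)
    return {"roles": find_conflicts(roles, matrix),
            "users": find_conflicts(user_tcodes(agr_users, roles), matrix)}

if __name__ == "__main__":
    for level, hits in sod_report().items():
        for subject, a, b, reason in hits:
            print(f"{level}: {subject} holds {a} and {b} ({reason})")
```

The user-level pass is the one that matters for an audit: JSMITH's two roles each pass the role-level check on their own, and the XK01/FB60 conflict only appears once the roles are combined.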

System changes

After ensuring that security is set up to provide proper segregation of duties, the next area of concern surrounding security is system changes. All companies should have three different systems: the development system, the test system, and the production system. All changes to production will need to be run through an approval process and be tested to ensure that they will function properly when introduced into the production system. The security around who can authorize a change and who can pull that change through into production is paramount to ensuring the security and integrity of the system. A review of this process and the people involved with it will be key to the audit of the system.

The goal of auditing the access, steps and procedures for system updates is to ensure proper controls over change management of the system and to ensure that proper testing and authorization procedures are being used. [1]

Data integrity

Data integrity issues

Because SAP integrates data from legacy systems, it is important to ensure that the mapping of the interaction between the legacy systems and SAP is thorough and complete. Without that, any data received from SAP would be suspect. It is also important that proper backups of the database be maintained, along with an up-to-date and practiced disaster recovery plan to ensure continuity after a disaster. A thorough review of these plans, along with the mapping of system interfaces, will be important in this phase of the audit. However, because all SAP data are stored in inter-related tables, users with certain security privileges can change them. The output must be verified to ensure accuracy. SAP does provide some basic audit programs to assist with the review of data to ensure that it is processing properly. It is also customizable, so that a user can create a program to audit a specific function.

The monitoring of change management, that is, the moving of updates to the system from the development stage through to production, is one of the key elements of this particular concern. Because of this, review of the process by which changes are reviewed and pulled through to production needs to be a high priority.

Controls

Controls around the system need to be reviewed, especially around the accounts payable and accounts receivable subledgers. Auditors must perform or review reconciliations between SAP and external information, such as bank reconciliations and A/P statement reconciliations. They must review cost center and responsibility accounting, management review and budgetary control, and the route of authorization for non-routine transactions.

The audit review should include a review of the validation of data input in certain transactions, the design of ABAP statements and their authority checks, and the matching of documents prior to closing. Also, with regard to master file control, there must be an independent review of master file changes and of the creation of transactional responsibilities, to identify any redundant master files.

When it comes to data integrity, the primary concerns are the integration of data from the legacy systems and then ensuring that data being input into the system for processing has been properly approved and is accompanied by the proper documentation. Through reviewing these aspects of the processing, from implementation through to production, you can gain reasonable confidence that the controls surrounding the data are sufficient and that the data are likely free of material error. The use of the built-in audit functions will greatly assist with this process, and the ability to create your own audit programs will allow you to customize the work to the company you are working with.

Control risks

The two major control risks that need to be monitored with SAP are security and data integrity. To ensure that both are sufficient, it is important that both be properly outlined and developed during implementation. User profiles must be designed properly and access must be sufficiently segregated to minimize the chance of fraud. Use of the SAP audit functions to cross-check user access against the matrix of allowable accesses is the quickest and easiest way to ensure that duties and access are properly segregated. New users must be entered and departing users removed promptly, and avoidance and monitoring of any superuser access is imperative. Review of the access to upload and pull through changes to production, and review of the associated authorization process, is important from both a security and a data integrity point of view.

To further ensure data integrity, it is important that proper documentation be reviewed, along with confirmation of any external data available either through a legacy system or through a third party. This is important with regard to certain sensitive accounts, such as accounts payable. Review of controls around budgets and management review, and also review of authorization for non-routine transactions and of physical access, will be imperative to ensuring the accuracy of the data input to and output from the system. The use and development of tools within SAP will help accelerate this process and help to ensure that it is accurate. These are the two most vital parts of any SAP audit, and successful review of them should allow you to determine the adequacy of control around the SAP system and access to it, and whether or not there are any material deficiencies in the system's controls.

References

1. Biskie, Steve. Surviving an SAP Audit (PDF). GalileoPress.