June 2008

Evaluating SAP Controls for Sarbanes-Oxley Compliance

Internal auditors can play a vital role helping small and mid-size organizations achieve Sarbanes-Oxley compliance by optimizing the audit of IT general controls in SAP processes.

Jamison Tomasek, CPA
Director of Internal Audit
Courier Corp.

Christo Ovcharov
Consultant
Jefferson Wells

I n today's global economy, small and mid-size enterprises (SMEs) must compete with organizations of all types to meet the growing needs of an increasingly technology-empowered customer base. Consequently, many SMEs are adopting sophisticated enterprise resource planning (ERP) software packages, such as SAP, that are more commonly used in large organizations to speed information flow and streamline business processes. In addition, compliance requirements with the U.S. Sarbanes-Oxley Act of 2002 are forcing publicly listed SMEs to grapple with issues that large companies with more technology resources have faced for some time. These issues, where SAP is concerned, often center on the adoption of best practices for application security, change and operations management, and the performance of external audits over IT processes and controls. To help SMEs optimize SAP security efforts while keeping audit costs down, internal auditors can conduct a more focused review of IT general controls (ITGCs) surrounding Sarbanes-Oxley compliance requirements.

COMMON SAP CONTROL ISSUES

It is not uncommon for IT departments in SMEs to be unaware of security best practices specific to SAP and to lack the business knowledge necessary to perform a segregation of duties analysis. As a result, potential SAP control issues easily go unnoticed. IT departments in SMEs, for example, may require days rather than hours to respond to new user account requests, grant new rights to existing accounts, or allow the same person to authorize, develop, and transport program and configuration changes into the production environment.

Generally, security issues often start during SAP implementations in SMEs for three primary reasons:

  1. Administration processes are often overlooked by management during implementation.
    Software implementation activities of any kind typically are stressful for organizations lacking the resources to perform them. Where SAP is concerned, many SMEs experience pressure during the go-live phase resulting in an ad hoc implementation approach that is pushed to a lower priority.
  2. There is a lack of institutional SAP knowledge and IT controls expertise.
    In many SAP projects, consultants are hired throughout the implementation phase but are not retained to support the application. Due to the high cost of hiring consultants (e.g., hiring a security consultant ranges from US $6,000 to US $11,000 for a week in the United States), IT staff and business process owners in many SMEs must prepare in advance to work with hired consultants to make up for their lack of expertise. They also must work effectively and efficiently to avoid exorbitant implementation costs.
  3. Weak IT administration processes create segregation of duty problems and reduce reliance on the completeness and accuracy of SAP reports and automated controls.
    IT personnel and key users often are given extensive rights in the production environment during the implementation phase. Although these rights need to be revoked once the application goes live, they are usually maintained until a security audit reveals them. Worse, IT staff may not realize critical transactions were incorporated into a role. Other problems are due to lack of internal resources. For instance, many SMEs lack the segregation of duties that exist in large companies between the SAP administration team and IT security group due to the company's limited staff resources. And, while tools are available that can monitor controls and segregation of duties, many SMEs are unable to take advantage of them due to their high purchase, implementation, and maintenance costs.

 

Unfortunately, these issues are often the beginning of additional problems. For example, control gaps may exist due to an over-reliance on traditional and manual controls, as well as the lack of expertise and infrastructure needed to support ITGCs in a post-SAP implementation environment. Traditional management controls can become inefficient and ineffective as the SME grows, acquires other companies, and increases its SAP transaction volume and reliance on automated controls. In addition, tests of existing controls could fail due to a lack of documentation and reliance on informal IT controls (i.e., nonstandardized operating procedures that cannot be verified) rather than formal IT controls (i.e., controls that follow established standards and frameworks, such as the IT Infrastructure Library). Finally, internal and external audit costs could increase. This is because the implementation of a new application always puts stress on existing internal audit functions, while external audit fees increase because the audit firm needs to use its own SAP team. Costs also will directly increase if the SAP implementation project is outsourced.

Domain

Recommended Key Controls

Change Management

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

SAP modification requests for normal and emergency changes, test results, IT and business owners’ approvals, and confirmations for installation in production are documented and retained for at least two years and available for internal and external audit testing.

SAP modifications are created in the development environment, tested in a quality assurance environment, and transported by an SAP administrator into the production environment. The SAP administrator obtains and files evidence of IT and the business owners’ approvals before transporting changes into production.

Developers and business analysts do not have rights to import changes into the production environment.

The production client is kept locked for direct configuration changes and is unlocked and locked back via SCC4 when such changes are required (e.g. for number range updates and accounting period definitions).

Every quarter, an IT manager reviews the lists of imports and direct changes in production and confirms changes were documented and approved. The IT manager performing these reviews should not have rights to import and make SCC4 changes in production.

Access Management

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Access to modifications of the SAP security parameters is restricted to SAP administrators.

SAP security parameters and the administrative accounts for the SAP application, database, and servers are set as defined in the company security policies and in the IT narratives.

The SAP administrators grant, change, and revoke employees' and contractors' SAP access after authorization by their supervisors, the business owners for the respective modules, and the SAP team. The SAP administrators also disable SAP access for employees and contractors who no longer work for the company as soon as they receive requests to do so.

Business owners review the lists of SAP user accounts with update rights in their areas at least once a year and confirm the users need such access to perform their duties.

Operations

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Scheduled job creation and changes follow change management procedures.

Daily, SAP administrators monitor and send e-mails to IT management and operations teams with status reports and confirmations that exceptions in the following areas were addressed:

  • Scheduled jobs failures.
  • Interface failures.
  • Backup failures.
  • Locked accounts.

Backup and recovery backup policies exist and are documented. Backup schedules, rotation, and retention periods meet policy requirements. Backup media are secured onsite and off-site at all times. Restoration process is periodically tested (e.g., via the quality assurance environment, refresh production backups determine if it's possible to recreate the production environment in case of disaster).

Table 1. Key SAP controls for Sarbanes-Oxley Section 404 compliance

KEY SUCCESS FACTORS

The appearance of SAP control issues, even minor ones on a deficiency list, can result in increased work for internal auditors, IT staff, and senior managers as they strive to address reviews of deficiencies by the audit committee. However, while the list of problems many SMEs face around SAP security can be extensive, auditors can provide recommendations to enhance ITGC effectiveness. For optimal results aligning ITGCs with Section 404 compliance requirements, internal auditors can advise that SMEs using SAP should:

  • Consider managing and overseeing the SAP process internally to achieve efficiency and alignment with the top-down approach described in the U.S. Public Company Accounting Oversight Board's Auditing Standard No. 5. This standard brings a risk-based approach and reliance on higher-level controls. However, only internal staff members who have strong knowledge of the organization can assess accurately how SAP relates to the business control assessments.
  • Employ external consultants with SAP and Sarbanes-Oxley expertise to perform independent tests that external auditors can use. These consultants should be hired to work throughout the duration of the project rather than for a brief testing period.
  • Assign ownership of ITGCs and security controls to IT department managers. In many SMEs the IT department's SAP personnel have the greatest familiarity with ITGCs and security controls, in particular. Additionally, ITGCs are part of the organization's hardware and IT network, while database security is a component of the SAP application. Thus, IT managers in SMEs might be better positioned to oversee ITGC and security control functionality.
  • Reduce costs by starting the IT audit process early in the fiscal year, obtaining guidance and sharing intermediate results with external auditors. Many companies perform the bulk of their IT audit efforts during the fiscal year's last quarter. Conducting the IT audit earlier can help reduce SAP implementation and security costs as more time is allotted for their improvement.
  • Consider training internal audit personnel during the SAP implementation project's testing phase. Even if external consultants performed the testing, the ability of company personnel to perform SAP audits is useful in understanding and maintaining the security control environment on an ongoing basis.

 

Keeping these recommendations in mind will enable auditors to point to areas of improvement during the SAP implementation project. The case study in the next section illustrates how these recommendations can be incorporated as part of an SAP implementation project to enhance the Section 404 compliance initiative.

2007 SAP COMPLIANCE PROJECT TIMELINE

The case study involves the SAP implementation project of a division of a corporation that buys finished goods and sells products through various channels, including large and small retail stores, mid-level distributors, and print and online catalogs. The division has a total annual revenue of approximately US $100 million. The framework was developed by internal audit staff after a previous audit found a large number of SAP-related security control deficiencies, which took IT department staff and external and internal auditors a significant number of hours to complete.

Q1: Define the implementation project's approach and secured external support.
The SAP implementation project began during the fiscal year's first quarter (Q1) with a review conducted by the internal audit director, who is also responsible for the company's IT audit function. During the audit, the director reviewed previous external audit reports on the division's SAP controls. While no material weaknesses or significant deficiencies were noted, the external auditors found minor deficiencies within the SAP ITGCs. Throughout the two prior fiscal years, the company relied on compensating controls to overcome serious issues in SAP access activities, resulting in additional high-level scrutiny of the SAP environment by the external auditors.

Based on the audit, the director decided to address the SAP access control gaps and reduce related external audit costs. Because the SAP Basis administrator had recently resigned, the company didn't have the in-house expertise to address these gaps. With the help of a consulting firm, external audit testing was planned for the fourth quarter. In addition, the audit director scheduled a risk assessment and documentation review of SAP controls to take place during the second quarter and management testing for the third quarter.

Q2: Review approach with external auditors and obtain updated guidance regarding SAP ITGCs.
During the second quarter, the internal audit director performed a companywide risk assessment that identified critical ITGCs in the SAP application's entity-level and automated business processes. As a result, the director updated the narrative documenting the IT control activities and together with the external consultant confirmed the format for documenting risk control matrixes, test plans, and test results.

Next, the director and consultant initiated the SAP compliance project. Their main goal was to limit the number of key ITGCs in the SAP application between 10 and 15 controls. This number was determined using a standard benchmarking process that matched control objectives to specific controls. (Note: Many SMEs can only afford to cover each objective with only one or two key controls. For example, objectives such as "logical security tools and techniques are implemented and configured to enable program access restriction" and "modifications to existing applications are implemented appropriately" are usually implemented with one or two controls.)

After the scope of work was set, the first phase of the project took place, which included:

  • Holding meetings and discussions on best practices and Sarbanes-Oxley requirements with internal audit, IT operations, and development teams.
  • Evaluating the current SAP control environment.
  • Identifying the evidence required to test key controls.
  • Further updating the IT polices and procedures that support ITGCs and the risk control matrix.
  • Developing test plans for key SAP ITGCs.
  • Performing walkthrough tests.
  • Identifying control gaps and failures and recommending remediation.

Two IT Governance Institute publications were used for guidance and as reference during this phase of the project: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting (2nd edition) and Security, Audit, and Control Features SAP R/3: A Technical and Risk Management Reference Guide. Additionally, guidance documents from external audit companies were used to develop and test the SAP controls framework.

Q3: Perform testing and update all documentation.
After reviewing walkthrough test results, the consultant and internal audit director suggested initial recommendations and remediation efforts. In addition, the risk assessment was revised and the director reviewed and updated key controls and test plans with the external auditors. The initial number of key ITGCs and their testing sample sizes also were reduced, which enabled the division to save time and reduce testing costs. (Note: Most of the general guidance for SAP application testing puts significant effort into evaluating supporting systems such as databases. However in many SMEs, testing costs and sample sizes of SAP controls can be reduced due to the limited size, purpose, and risk of the SAP database. As a result, testing of SAP controls can be per

 


COMMENT ON THIS ARTICLE

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2013 Cover Subscribe Now

Mitigate Career Risk CRMA

Save on IIA Seminars  

Write for FSA Times

 

 Twitter

facebook IAO 

IA APP