Evaluating SAP Controls for Sarbanes-Oxley Compliance

Internal auditors can play a vital role helping small and mid-size organizations achieve Sarbanes-Oxley compliance by optimizing the audit of IT general controls in SAP processes.

JAMISON TOMASEK, CPA
DIRECTOR OF INTERNAL AUDIT, COURIER CORP.

CHRISTO OVCHAROV
CONSULTANT, JEFFERSON WELLS

In today's global economy, small and mid-size enterprises (SMEs) must compete with organizations of all types to meet the growing needs of an increasingly technology-empowered customer base. Consequently, many SMEs are adopting sophisticated enterprise resource planning (ERP) software packages, such as SAP, that are more commonly used in large organizations to speed information flow and streamline business processes. In addition, compliance requirements with the U.S. Sarbanes-Oxley Act of 2002 are forcing publicly listed SMEs to grapple with issues that large companies with more technology resources have faced for some time. These issues, where SAP is concerned, often center on the adoption of best practices for application security, change and operations management, and the performance of external audits over IT processes and controls. To help SMEs optimize SAP security efforts while keeping audit costs down, internal auditors can conduct a more focused review of IT general controls (ITGCs) surrounding Sarbanes-Oxley compliance requirements.

COMMON SAP CONTROL ISSUES

It is not uncommon for IT departments in SMEs to be unaware of security best practices specific to SAP and to lack the business knowledge necessary to perform a segregation of duties analysis. As a result, potential SAP control issues easily go unnoticed. IT departments in SMEs, for example, may take days rather than hours to respond to new user account requests or to grant new rights to existing accounts, or may allow the same person to authorize, develop, and transport program and configuration changes into the production environment.

Security issues often start during SAP implementations in SMEs for three primary reasons:

  1. Administration processes are often overlooked by management during implementation.
    Software implementation activities of any kind typically are stressful for organizations lacking the resources to perform them. Where SAP is concerned, many SMEs experience pressure during the go-live phase, resulting in an ad hoc approach in which administration processes are pushed to a lower priority.
  2. There is a lack of institutional SAP knowledge and IT controls expertise.
    In many SAP projects, consultants are hired throughout the implementation phase but are not retained to support the application. Due to the high cost of hiring consultants (e.g., hiring a security consultant ranges from US $6,000 to US $11,000 for a week in the United States), IT staff and business process owners in many SMEs must prepare in advance to work with hired consultants to make up for their lack of expertise. They also must work effectively and efficiently to avoid exorbitant implementation costs.
  3. Weak IT administration processes create segregation of duty problems and reduce reliance on the completeness and accuracy of SAP reports and automated controls.
    IT personnel and key users often are given extensive rights in the production environment during the implementation phase. Although these rights need to be revoked once the application goes live, they are usually maintained until a security audit reveals them. Worse, IT staff may not realize critical transactions were incorporated into a role. Other problems are due to a lack of internal resources. For instance, many SMEs lack the segregation of duties that exists in large companies between the SAP administration team and the IT security group because of the company's limited staff resources. And, while tools are available that can monitor controls and segregation of duties, many SMEs are unable to take advantage of them due to their high purchase, implementation, and maintenance costs.

Unfortunately, these issues are often the beginning of additional problems. For example, control gaps may exist due to an over-reliance on traditional and manual controls, as well as the lack of expertise and infrastructure needed to support ITGCs in a post-SAP implementation environment. Traditional management controls can become inefficient and ineffective as the SME grows, acquires other companies, and increases its SAP transaction volume and reliance on automated controls. In addition, tests of existing controls could fail due to a lack of documentation and reliance on informal IT controls (i.e., nonstandardized operating procedures that cannot be verified) rather than formal IT controls (i.e., controls that follow established standards and frameworks, such as the IT Infrastructure Library). Finally, internal and external audit costs could increase. This is because the implementation of a new application always puts stress on existing internal audit functions, while external audit fees increase because the audit firm needs to use its own SAP team. Costs also will directly increase if the SAP implementation project is outsourced.

Domain: Change Management
Recommended key controls:

  • SAP modification requests for normal and emergency changes, test results, IT and business owners' approvals, and confirmations for installation in production are documented and retained for at least two years and available for internal and external audit testing.
  • SAP modifications are created in the development environment, tested in a quality assurance environment, and transported by an SAP administrator into the production environment. The SAP administrator obtains and files evidence of IT and the business owners' approvals before transporting changes into production.
  • Developers and business analysts do not have rights to import changes into the production environment.
  • The production client is kept locked for direct configuration changes and is unlocked and locked back via SCC4 when such changes are required (e.g., for number range updates and accounting period definitions).
  • Every quarter, an IT manager reviews the lists of imports and direct changes in production and confirms changes were documented and approved. The IT manager performing these reviews should not have rights to import and make SCC4 changes in production.

Domain: Access Management
Recommended key controls:

  • Access to modifications of the SAP security parameters is restricted to SAP administrators.
  • SAP security parameters and the administrative accounts for the SAP application, database, and servers are set as defined in the company security policies and in the IT narratives.
  • The SAP administrators grant, change, and revoke employees' and contractors' SAP access after authorization by their supervisors, the business owners for the respective modules, and the SAP team. The SAP administrators also disable SAP access for employees and contractors who no longer work for the company as soon as they receive requests to do so.
  • Business owners review the lists of SAP user accounts with update rights in their areas at least once a year and confirm the users need such access to perform their duties.

Domain: Operations
Recommended key controls:

  • Scheduled job creation and changes follow change management procedures.
  • Daily, SAP administrators monitor and send e-mails to IT management and operations teams with status reports and confirmations that exceptions in the following areas were addressed:
      • Scheduled job failures.
      • Interface failures.
      • Backup failures.
      • Locked accounts.
  • Backup and recovery policies exist and are documented. Backup schedules, rotation, and retention periods meet policy requirements. Backup media are secured onsite and off-site at all times. The restoration process is periodically tested (e.g., by refreshing the quality assurance environment from production backups to determine whether the production environment could be recreated in case of disaster).

Table 1. Key SAP controls for Sarbanes-Oxley Section 404 compliance
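The quarterly import review in the Change Management rows of Table 1 can be scripted once the production import list and the change tickets have been exported. The Python below is an added illustration, not code from the article or from SAP; the import records, tickets and rights are constructed sample data, and the rights model is a deliberate simplification (mapping it to real SAP authorization objects is assumed to be done separately).

```python
"""Quarterly review of production imports against Table 1's change-management controls."""

# Constructed sample data (not from any real SAP system).
# One record per transport imported into production: request, importing user, date.
IMPORTS = [
    {"request": "DEVK900101", "user": "BASIS01", "date": "2007-07-03"},
    {"request": "DEVK900115", "user": "BASIS01", "date": "2007-07-18"},
    {"request": "DEVK900120", "user": "DEV02", "date": "2007-08-02"},
    {"request": "DEVK900133", "user": "BASIS02", "date": "2007-09-14"},
]

# Change tickets keyed by transport request: the evidence Table 1 says must be on file.
TICKETS = {
    "DEVK900101": {"it_approved": True, "owner_approved": True, "tested": True},
    "DEVK900115": {"it_approved": True, "owner_approved": False, "tested": True},
    "DEVK900120": {"it_approved": True, "owner_approved": True, "tested": True},
    # DEVK900133 deliberately has no ticket at all.
}

# Simplified rights per user (assumed abstraction over real SAP authorizations):
# "import_prod" = may import into production, "scc4_prod" = may change client settings.
RIGHTS = {
    "BASIS01": {"import_prod", "scc4_prod"},
    "BASIS02": {"import_prod"},
    "DEV02": {"develop", "import_prod"},  # developer wrongly holds import right
    "ITMGR": set(),                        # reviewer with no production rights
    "ITMGR2": {"scc4_prod"},               # reviewer who should not be reviewing
}
DEVELOPERS = {"DEV02"}  # constructed; in practice from role or HR data
REQUIRED_EVIDENCE = ("it_approved", "owner_approved", "tested")


def review_imports(imports, tickets, rights, developers, reviewer):
    """Return a list of findings for the quarterly review; empty list means clean."""
    findings = []
    # The reviewer must not hold import or SCC4 rights in production.
    if rights.get(reviewer, set()) & {"import_prod", "scc4_prod"}:
        findings.append(f"reviewer {reviewer} holds import/SCC4 rights in production")
    for imp in imports:
        req, user = imp["request"], imp["user"]
        ticket = tickets.get(req)
        if ticket is None:
            findings.append(f"{req}: no change ticket")  # undocumented import
        else:
            missing = [k for k in REQUIRED_EVIDENCE if not ticket.get(k)]
            if missing:
                findings.append(f"{req}: missing {', '.join(missing)}")
        if user in developers:
            findings.append(f"{req}: imported by developer {user}")
    # Standing rights check: no developer may hold the import right at all.
    for user, user_rights in rights.items():
        if user in developers and "import_prod" in user_rights:
            findings.append(f"{user}: developer holds import right")
    return findings


if __name__ == "__main__":
    for line in review_imports(IMPORTS, TICKETS, RIGHTS, DEVELOPERS, "ITMGR"):
        print(line)
```

Each finding maps back to one control in Table 1, so the output doubles as the evidence list the IT manager files for the quarter.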

KEY SUCCESS FACTORS

The appearance of SAP control issues, even minor ones on a deficiency list, can result in increased work for internal auditors, IT staff, and senior managers as they strive to address reviews of deficiencies by the audit committee. However, while the list of problems many SMEs face around SAP security can be extensive, auditors can provide recommendations to enhance ITGC effectiveness. For optimal results aligning ITGCs with Section 404 compliance requirements, internal auditors can advise that SMEs using SAP should:

  • Consider managing and overseeing the SAP process internally to achieve efficiency and alignment with the top-down approach described in the U.S. Public Company Accounting Oversight Board's Auditing Standard No. 5. This standard brings a risk-based approach and reliance on higher-level controls. However, only internal staff members who have strong knowledge of the organization can assess accurately how SAP relates to the business control assessments.
  • Employ external consultants with SAP and Sarbanes-Oxley expertise to perform independent tests that external auditors can use. These consultants should be hired to work throughout the duration of the project rather than for a brief testing period.
  • Assign ownership of ITGCs and security controls to IT department managers. In many SMEs the IT department's SAP personnel have the greatest familiarity with ITGCs and security controls, in particular. Additionally, ITGCs are part of the organization's hardware and IT network, while database security is a component of the SAP application. Thus, IT managers in SMEs might be better positioned to oversee ITGC and security control functionality.
  • Reduce costs by starting the IT audit process early in the fiscal year, obtaining guidance and sharing intermediate results with external auditors. Many companies perform the bulk of their IT audit efforts during the fiscal year's last quarter. Conducting the IT audit earlier can help reduce SAP implementation and security costs as more time is allotted for their improvement.
  • Consider training internal audit personnel during the SAP implementation project's testing phase. Even if external consultants performed the testing, the ability of company personnel to perform SAP audits is useful in understanding and maintaining the security control environment on an ongoing basis.

Keeping these recommendations in mind will enable auditors to point to areas of improvement during the SAP implementation project. The case study in the next section illustrates how these recommendations can be incorporated as part of an SAP implementation project to enhance the Section 404 compliance initiative.

2007 SAP COMPLIANCE PROJECT TIMELINE

The case study involves the SAP implementation project of a division of a corporation that buys finished goods and sells products through various channels, including large and small retail stores, mid-level distributors, and print and online catalogs. The division has a total annual revenue of approximately US $100 million. The framework was developed by internal audit staff after a previous audit found a large number of SAP-related security control deficiencies, which took IT department staff and external and internal auditors a significant number of hours to address.

Q1: Define the implementation project's approach and secure external support.
The SAP implementation project began during the fiscal year's first quarter (Q1) with a review conducted by the internal audit director, who is also responsible for the company's IT audit function. During the audit, the director reviewed previous external audit reports on the division's SAP controls. While no material weaknesses or significant deficiencies were noted, the external auditors found minor deficiencies within the SAP ITGCs. Throughout the two prior fiscal years, the company relied on compensating controls to overcome serious issues in SAP access activities, resulting in additional high-level scrutiny of the SAP environment by the external auditors.

Based on the audit, the director decided to address the SAP access control gaps and reduce related external audit costs. Because the SAP Basis administrator had recently resigned, the company didn't have the in-house expertise to address these gaps. With the help of a consulting firm, external audit testing was planned for the fourth quarter. In addition, the audit director scheduled a risk assessment and documentation review of SAP controls to take place during the second quarter and management testing for the third quarter.

Q2: Review approach with external auditors and obtain updated guidance regarding SAP ITGCs.
During the second quarter, the internal audit director performed a companywide risk assessment that identified critical ITGCs in the SAP application's entity-level and automated business processes. As a result, the director updated the narrative documenting the IT control activities and together with the external consultant confirmed the format for documenting risk control matrixes, test plans, and test results.

Next, the director and consultant initiated the SAP compliance project. Their main goal was to limit the number of key ITGCs in the SAP application to between 10 and 15 controls. This number was determined using a standard benchmarking process that matched control objectives to specific controls. (Note: Many SMEs can only afford to cover each objective with one or two key controls. For example, objectives such as "logical security tools and techniques are implemented and configured to enable program access restriction" and "modifications to existing applications are implemented appropriately" are usually implemented with one or two controls.)

After the scope of work was set, the first phase of the project took place, which included:

    • Holding meetings and discussions on best practices and Sarbanes-Oxley requirements with internal audit, IT operations, and development teams.
    • Evaluating the current SAP control environment.
    • Identifying the evidence required to test key controls.
    • Further updating the IT policies and procedures that support ITGCs and the risk control matrix.
    • Developing test plans for key SAP ITGCs.
    • Performing walkthrough tests.
    • Identifying control gaps and failures and recommending remediation.

Two IT Governance Institute publications were used for guidance and as reference during this phase of the project: IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting (2nd edition) and Security, Audit, and Control Features SAP R/3: A Technical and Risk Management Reference Guide. Additionally, guidance documents from external audit companies were used to develop and test the SAP controls framework.

Q3: Perform testing and update all documentation.
After reviewing walkthrough test results, the consultant and internal audit director suggested initial recommendations and remediation efforts. In addition, the risk assessment was revised and the director reviewed and updated key controls and test plans with the external auditors. The initial number of key ITGCs and their testing sample sizes also were reduced, which enabled the division to save time and reduce testing costs. (Note: Most of the general guidance for SAP application testing puts significant effort into evaluating supporting systems such as databases. However, in many SMEs, testing costs and sample sizes of SAP controls can be reduced due to the limited size, purpose, and risk of the SAP database. As a result, testing of SAP controls can be performed as part of the SME's evaluation of general computer controls (GCCs). Likewise, testing of the SAP application's hardware and associated network can be combined with the GCCs' evaluation.)

After meeting with the external auditors, the consultant and internal audit, IT operations, and development teams collected test evidence and documented test results during the next four weeks. The internal audit director then evaluated the test results, found out if test failures were due to his lack of knowledge of the specific testing environment, and determined how remaining failures could be fixed. In the end, mitigating or compensating controls were not identified because testing was performed with sufficient time left to remedy and retest failures before the end of the fiscal year.

The final output of the project consisted of:

    • All test results. (Many SAP reports need particular filtering of selection criteria to yield expected results.)
    • Updated risk control matrixes, test plans, and test results for the SAP application's ITGCs.
    • A list of recommended changes to the SAP settings and processes. The list represented a super set of controls in addition to the external auditor's list.
    • A plan for quarterly review of SAP controls for the subsequent fiscal year.

Due to the close cooperation with the consultant during the project, the internal audit director and his team gained a deeper understanding of the SAP environment and were able to perform considerable testing and analysis without outside support.

Q4: Review results.
The external auditors tested the SAP application's ITGCs during the fourth quarter. Because the external consultant's work was relied on extensively, the internal audit team was well aware of any issues and responded promptly to information requests from the external auditors. The result: The audit team reduced the amount of time it took to complete the Sarbanes-Oxley compliance review by more than 30 percent in comparison to previous fiscal years. In addition, the external auditors found minor SAP issues related to segregation of duties within the IT department, but they did not concern the external auditors because of the isolated nature of these exceptions and the clean results of the other testing.

USING THE FRAMEWORK

Using this framework provided the division with many benefits, which were confirmed in subsequent SAP implementation projects, including:

    • Fewer external audit billable hours.
    • A more cost-effective approach to SAP security due to a proactive approach, in which security issues were avoided rather than discovered, aided by a strong partnership between the internal audit and IT departments.
    • A proven SAP ITGC testing approach and documentation process that can be leveraged in future years.
    • Cost savings in the use of external consultants, as a focused rather than open-ended Sarbanes-Oxley approach was used, in which clear project goals were set jointly by the internal audit and IT departments. This partnership also produced comparable time and cost savings for internal audit and IT staff.
    • A safer and more secure financial reporting control environment for the company as a whole.

By using this or a similar framework for SAP controls testing, internal auditors can add significant value to their role and improve their organization's Section 404 compliance efforts. Regardless of the framework used, auditors need to keep in mind that controls testing in an SAP application should not be a bewildering process that requires outsourcing the entire activity or leaving it in the hands of the IT department; nor does it have to be a costly process for SMEs with limited resources.

Jamison Tomasek, CPA, is head of internal audit at Courier Corp., a printing and publishing company headquartered in North Chelmsford, Mass.

Christo Ovcharov is a consultant with the Boston office of Jefferson Wells, a technology risk management, internal audit, tax, and finance and accounting professional services company.