Auditing ERP Systems
AUDITING
What is an ERP
An Enterprise Resource Planning system is a packaged business software system that allows a company to:
Automate and integrate the majority of its business processes, producing efficient consistency across the organization
Share common data and practices across the entire enterprise, supported by one-time data entry
Produce and access information in a real-time environment
ERP Solutions
1. SAP
2. Oracle
3. PeopleSoft
4. Microsoft Navision
5. BAAN / Infor
6. JDE (JD Edwards)
7. SSA Global
8. Ramco Marshal
9. Tally
Agenda
Legacy environment before ERP
Multiple systems
Non integrated
In-house developed
Closed Systems
Source:
ISACA-Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide
Business processes
Work-flow enabled.
Information Technology
Relevance of Security
BCP or DRP
More reliable.
Visibility of data
Input Controls
Processing Controls
Output Controls
Inherent Controls
Configurable Controls
Security Controls
Reporting Controls
Yes/No
ERP Risks
Implementation Risk
Under utilization
Complexity, BCP/DRP
Understanding of IT in general.
Oracle ICM
JDE
Approva
CSI Auditor
ACL
Forward Looking
SAP perspective.
Overview
SAP: Systems, Applications, and Products in Data processing.
Founded in 1972
Is the world's largest ERP software company, and the world's third-largest independent software supplier overall
Has 10+ million users, 80,000+ installations, 1,500+ partners
Revenue $8 billion: software, consulting and maintenance roughly a third each
Employs over 29,600 people in more than 50 countries
Invests an average of 25% of revenue in R&D
Achieves high customer and employee satisfaction
SAP Solutions
Original product was SAP R/2 on the mainframe, introduced in 1974
SAP R/3 introduced for smaller platforms in October 1992
Developed using ABAP/4, a proprietary fourth-generation language developed by SAP
Major application versions:
2.2h
3.0d, 3.0e, 3.0f, 3.1g, 3.1h, 3.1i
4.0b
4.5b
4.6b, 4.6c
Enterprise 4.7
mySAP ERP 2004 (ECC 5.0)
mySAP ERP 2005 (ECC 6.0)
Current Solutions
mySAP Business Suite: Set of application solutions for automating business processes
Industry Solutions: Specific functionality tailored for industry-specific business requirements
SAP xApps: Cross-application components that span multiple solutions and business units
SAP NetWeaver: Technical platform for SAP and other solutions that provides a flexible infrastructure and seamless integration
mySAP ERP
Features
Highly integrated
Comprehensive functionality
Complex data structures
Availability of data
Single point of entry
On-line data capture and real-time update
Effects
Requires strong application knowledge
Causes personnel and organizational structure changes
Causes business process changes
Functional Category
Financials: FI, CO, AA, PS, ECCS
Operations
Human Capital: PA, PD
Corporate Services: T&E, EHS
Financials
FI: General Ledger, Accounts Receivable, Accounts Payable, Tax and Financial Reports, Special Purpose Ledger, Consolidations
Controlling (CO): Profitability Analysis, Activity Cost Management, Internal Orders
Asset Accounting (AA): Depreciation, Property Values, Insurance Policies, Capital Investment Grants
Project System (PS): Project Tracking, Work Breakdown Structure, Budget Management, Cost and Revenue Planning, Networks and Resources
SD: Quotations
Plant Maintenance (PM)
Quality Management (QM): Quality Certificates, Inspection Processing, Planning Tools, Quality Control, Quality Notifications
HR: Personnel Administration; Payroll, Benefits; Time Management; Planning and Development; Organization Management
Corporate Services (CS): Travel Management
SAP R/3: SAP Financials, SAP Logistics, SAP Human Resources
Industry solutions: SAP Insurance, SAP Utilities, SAP Service Provider, SAP Chemicals, SAP Pharmaceuticals, SAP Retail, SAP Media, SAP Aerospace & Defense, SAP Mill Products, SAP Banking
Sample: Procurement as a Business Process
Invoice Processing or Invoice Verification (Semi-Automated)
Impact on IT Controls
IS operations
IS security
Database administration
Networking
Change Management
Audit & Risk management
Audit Information System
The Audit Information System (AIS), transaction code SECR, is a centrally organized location for the audit features and functions developed in SAP ERP. It can be used in all versions since 3.0D. Not all functions are available in each version, as functionality is based on the release level. AIS does not provide any new SAP features; it merely consolidates and draws upon existing SAP information available within SAP standard transactions, tables and reports.
Source:
ISACA-Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide
AIS consists of an audit report tree structured around a range of auditing functions, including:
Auditing procedures and documentation
Auditing evaluations
Downloading audit data
AIS is specifically targeted toward:
External auditing
Internal auditing/data protection
Controlling
System auditing
Source:
ISACA-Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide
GRC- New Approach
Definition of Governance, Risk, and Compliance
Here's a simple way to think about GRC:
Governance manages the strategic directives a company wants to follow.
Risk management assesses the areas of exposure and potential impacts.
Compliance is the tactical action to mitigate risk.
Source: "SAP Snaps Up Virsa Systems to Enhance Compliance Story," AMR Research, April 3, 2006.
Final Word