Solution Management Financials SAP AG The SAP Audit Information System

Upload: piyush-jain

Post on 20-Apr-2015


Page 1: AIS Customer

Solution Management Financials SAP AG

The SAP Audit Information System

Page 2: AIS Customer

SAP AG 2003 / Audit Information System, 2

Agenda

• Audit Information System – overview
• Administration of AIS
• System audit with AIS
• Business audit with AIS
• Tools and data export
• Summary and Q&A

Page 3: AIS Customer

SAP Audit Information System (AIS)

AIS is the auditors' toolbox within the SAP environment
• Structured collection and pre-setting of standard reports
• Suitable for auditors with limited SAP experience
• Role-based organization

Comprehensive functionality for system and business audits
• Provides monitoring of system-inherent and configurable controls
• Implements numerous reporting controls

Business audit structured according to
• Financial statements
• Business processes

AIS reporting tree links to multiple types of documentation
• AIS documentation, SAP Library, IMG documentation, web addresses

Data export to external analysis and audit tools
• Online real-time or batch-processed queries
• Document data, account balances, and financial statement data

Page 4: AIS Customer

Audit Information System (AIS)

[Diagram: the mySAP ERP environment and the non-SAP environment, linked by an export interface. Labels: audit planning; work program (system audit, business audit); online controls on the SAP database (system information, reconciliation, B/S, P&L, account balances, documents); data export (account balances, line items); work paper preparation; report; analysis software (ACL / IDEA / …); reporting software; data objects (line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …).]

Page 5: AIS Customer

AIS – Motivation and Availability

Why should one be interested in the topic?
• In an environment of mass transactions, system support for audit is a must.
• Corporate governance requirements

Why use the SAP Audit Information System?
• Acts as a bridge between auditors and the SAP system
• Helps to understand SAP terminology and structures
• Optimized for the SAP system, direct access to critical data

What is the effort involved in installing and using AIS?
• AIS provides data without requiring much system resource.
• Queries can be run in batch or online.

Availability of AIS
• First available with SAP R/3 Release 3.x
• Largely enhanced for use on top of SAP R/3 4.6C and R/3 Enterprise
• Enhancements available as part of mySAP solutions and as part of Sarbanes-Oxley Act (SOA) package

Page 6: AIS Customer

Corporate Governance

[Diagram labels: Continuous Audit; Rating, Basel II; GoB, GoBS; COSO II; Sarbanes-Oxley Act; Parallel Valuation; SEM (Risk Mgmt, Consolidation, Bal. Scorecard, Man. Cockpit); IAS; Software Certificate; US-GAAP; GDPdU; Audit Information System; MIC (Management of Internal Controls); DART (Data Retention Tool).]

Page 7: AIS Customer

SOA Section 302 – Requirements

Certification of disclosure in companies' quarterly and annual reports
• Management responsibility for effective disclosure controls and procedures over financial reporting, operations and compliance
• Disclosure of significant deficiencies in internal control to audit committee and external auditors
• Certification of contents of SEC reports* by CEO and CFO

(*) filed annually and/or quarterly, depending on size and location of company

Activity
• Identify scope of the company's disclosure controls and procedures.
• Document business processes and process controls over all major activities within an entity (beyond solely processes impacting financial reporting).
• Assess internal control effectiveness.
• Identify and track resulting issues and remediation plans.
• Cascade the accountability for control evaluation and roll up the results (e.g., resulting in a dashboard confirming ability to sign certification).

Page 8: AIS Customer

SOA Section 404 – Requirements

Management report on internal control over financial reporting
• Annual report should include a report by management on the effectiveness of internal control over financial reporting.

Documentation of control design of effectiveness testing

Disclosure of any material weaknesses

Attestation by external auditors

Note: Further periodic requirements are covered under Section 302.

Activity
• Identify areas of scope relevant for evaluating the effectiveness of internal control over financial reporting.
• Document the design of significant controls.
• Perform evaluation of control design and effectiveness.
• Identify resulting control issues and monitor remediation.
• Document changes in processes and controls; surface any associated issues.
• Prepare internal control report.
• Attestation by external auditors

Page 9: AIS Customer

SAP Principles and Applications Supporting SOA

SAP principles
• Inherent controls
• Configurable controls
• Reporting controls

SAP applications
• Management of Internal Controls
• Whistle Blower
• Audit Information System
• Business Consolidation
• Risk Management
• Management Cockpit
• Balanced Scorecard
• Business Planning and Simulation

[Diagram arrow labels: implements; checks]

Page 10: AIS Customer

Audit Environment

[Diagram labels: SAP standard roles; Audit Measure; Audit Result; Individual auditor menu; Documentation / Maintenance; Audit; Risk Assessment; Step 1 to Step n; Enterprise Process; G/L accounts; Customers; Vendors; Inventory; Receivables; Cash; Financial Instruments; Payables; Revenue; Personal expense; Data export.]

Page 11: AIS Customer

AIS, Views/Target Groups

Audit-specific documentation and training

• Business audit
• Tax audit
• System audit

• Internal auditors
• External auditors
• Data security officers
• Tax auditors

Page 12: AIS Customer

Audit Information System

Page 13: AIS Customer

Additional Information within the AIS

• IMG Documentation: selected table areas
• AIS Documentation: information on audit steps
• SAP Library: selected chapters
• Internet Links: selected Web addresses

Page 14: AIS Customer

Agenda

• Audit Information System – overview
• Administration of AIS
• System audit with AIS
• Business audit with AIS
• Tools and data export
• Summary and Q&A

Page 15: AIS Customer

System Audit with AIS

General
• SAP R/3 Security Guide
• Top 10 security reports
• System configuration
• System logs
• Software status (transport, support packages)
• ...

Users and authorizations
• Central user administration
• Critical combinations of transactions
• ...

Tables/repository
• Table authorization
• Table recordings
• Access statistics
• Change documents
• ...

Page 16: AIS Customer

System Audit

Page 17: AIS Customer

System Audit - Authorization

Critical combination of transactions addresses the issue of segregation of duties (SOD)

Page 18: AIS Customer

Critical Combination of Transactions – SOD

Page 19: AIS Customer

Critical Combination of Transactions – SOD

Page 20: AIS Customer

System Audit - Repository/Tables

Page 21: AIS Customer

Repository/Tables - Information System

Page 22: AIS Customer

Repository/Tables - Data Browser

Page 23: AIS Customer

Agenda

• Audit Information System – overview
• Administration of AIS
• System audit with AIS
• Business audit with AIS
• Tools and data export
• Summary and Q&A

Page 24: AIS Customer

AIS – Standard Roles for Business Audit (1)

Account-oriented approach

Balance sheet
• Fixed assets
• Real estate (*)
• Inventory
• Receivables
• Financial instruments (*)
• Cash (*)
• Payables

Income statement
• Sales revenue (*)
• Raw material consumed (*)
• Personnel expenses

Segment reporting (*)

Internal activity allocation (*)

Consolidated financial statement (*)

* = new as of Q4 / 2003

Page 25: AIS Customer

AIS – Standard Roles for Business Audit (2)

Process-oriented approach

From purchase to pay (*)
• Vendors
• Purchasing
• Incoming invoices
• Payables
• Outgoing payments

From order to cash (*)
• Customers
• Revenues
• Receivables
• Incoming payments

* = new as of Q4 / 2003

Page 26: AIS Customer

AIS - Business Audit

Page 27: AIS Customer

AIS Organizational Overview

Page 28: AIS Customer

Organizational Overview - Client

Page 29: AIS Customer

Organizational Overview - Company Code

Page 30: AIS Customer

Organizational Overview - # of Customers

KNA1

KNC1

KNB1

Page 31: AIS Customer

AIS - Financial Statements - General

Page 32: AIS Customer

General Ledger (GLT0)

Page 33: AIS Customer

Account Analysis G/L Account

The analysis is also available for
- A/R accounts
- A/P accounts

Page 34: AIS Customer

Account Analysis – Data Selection

Page 35: AIS Customer

Account Analysis – Offsetting Accounts

Page 36: AIS Customer

Account Analysis – Daily Volume

Page 37: AIS Customer

Account Analysis – Timely Update ?

Page 38: AIS Customer

Account Analysis – Top Posting Volume

Page 39: AIS Customer

Account Analysis - Documents

Page 40: AIS Customer

AIS – Business Audit of Receivables (1)

AIS – Receivables

• Customer master data
• Top 10 reports
• Reconciliation
• Customers – balances
• Customers – documents
• Risks on receivables
• Cut-off check
• A/R Information System

• Overview about customers
• New customers
• Customers marked for deletion
• Changed customers
• Missing credit data
• …

Page 41: AIS Customer

AIS – Business Audit of Receivables (2)

AIS – Receivables

Customer master data

Top 10 reports

Reconciliation

Customers – balances

Customers – documents

Risks on receivables

Cut-off check

A/R Information System

Page 42: AIS Customer

Agenda

• Audit Information System – overview
• Administration of AIS
• System audit with AIS
• Business audit with AIS
• Tools and data export
• Summary and Q&A

Page 43: AIS Customer

Tools Used for Online and Offline Controls

• Query
• Drill-down reporting
• Information systems
• DART
• ABAP

Page 44: AIS Customer

Online Controls – ABAP

ABAP: Advanced Business Application Programming

ABAP is the programming language used in R/3.

Call SAP standard or customer-specific programs.

[Diagram labels: SAP DB; ABAP; List; Dialog; Drill-down; Extract (flat file)]

Page 45: AIS Customer

ABAP Reporting – Calling Up Reports

G/L account balances provided by program RFSSLD00

[Diagram: two ways of calling up the report.
• Calling up reports using the application menu. Menu labels shown: Report selection w/ GL; Legal requirements; Account; G/L account balances
• Calling up reports directly using the system menu. Menu labels shown: System; Services; Reporting; Program: RFSSLD00]

Page 46: AIS Customer

ABAP Reporting – Using Variants

G/L account balances provided by program RFSSLD00

Table of variables
• T-BILANZ: INT
• T-BUK: 0001
• T-GJAHR: 2002
• T-from/to: 0100 - 0999

Variants for RFSSLD00
• VAR1: Chart of accounts INT, G/L Account 1-999, Company code T-BUK, Fiscal year T-GJAHR
• VAR2: Chart of accounts INT, Company code T-BUK
• VARn:

Call report G/L Account balances/RFSSLD00 with variant (1)

G/L Account balances
• Chart of Accts.: INT
• G/L Account: 1-999
• Company code: 0001
• Fiscal year: 2002

Page 47: AIS Customer

Online Controls – Query

SAP Query

The application SAP Query is used to create lists not already contained in the SAP standard.

It has been designed for users with little or no knowledge of the SAP programming language ABAP.

[Diagram labels: SAP DB; Query; List; Dialog; Drill-down; Extract (flat file)]

Page 48: AIS Customer

Online Controls – Drilldown Reporting

SAP drill-down reporting

With drill-down reporting, SAP provides you with an interactive information system to let you evaluate the data collected in your application.

[Diagram labels: SAP DB; Drill-down reporting; List; Dialog; Drill-down; Extract (flat file)]

Page 49: AIS Customer

Online Controls – Information Systems

Component-specific information tools:
• General ledger Information System
• Accounts receivable Information System
• Accounts payable Information System
• Logistics Information System
• Repository Information System
• ...

[Diagram labels: SAP DB; Information systems; List; Dialog; Drill-down; Extract (flat file)]

Page 50: AIS Customer

Offline Controls – DART

Data Retention Tool (DART):

Data retention and evaluation of tax-relevant data.
• Data extraction and storage
• View query
• Export function (SAP-Audit-Format)

[Diagram labels: SAP DB; DART; List; Dialog; Drill-down; Extract (flat file)]

Page 51: AIS Customer

Scenario for the Export of Data

[Diagram labels: SAP DB; Download; ACL, IDEA, ...; Probability-based auditing (statistical sampling algorithms); Single audit]

Page 52: AIS Customer

Data Export

Page 53: AIS Customer

Data Export - G/L Account, Document Items

Page 54: AIS Customer

Data Export - G/L Account, Document Items

Data Collection (Phase 1, Batch)

Download (Phase 2, Dialogue)

Page 55: AIS Customer

Data Export - G/L Account, Document Items

3rd party audit software

Page 56: AIS Customer

Agenda

• Audit Information System – overview
• Administration of AIS
• System audit with AIS
• Business audit with AIS
• Tools and data export
• Summary and Q&A

Page 57: AIS Customer

7 Key Points about SAP Audit Information System

1. SAP Audit Information System (AIS) is the auditor's toolbox in the SAP environment.

2. It provides structured, easy-to-learn access to audit-relevant data in the SAP system.

3. AIS is used by external auditors, internal auditors, tax auditors and data security officers.

4. There are comprehensive online controls for system audit, business audit, and tax audit.

5. AIS supports data export of master data, account balances, and documents to 3rd party audit and analysis tools.

6. AIS requires only few system resources.

Page 58: AIS Customer

AIS – Benefits

AIS is the auditor's toolbox within SAP.

Online Controls and Data Export

Easy to use functionality

Comprehensive offering for

System audit

Business audit

Tax audit

Page 59: AIS Customer


Copyright 2003 SAP AG. All Rights Reserved