What does an external auditor look for in SAP R/3 during SOX 404 Audits?

Ram Bapu, CISSP, CISM
Sandra Keigwin, CISSP


Corporations run most of their business processes by implementing modules of an ERP such as SAP. Operations become smoother, but at the cost of complexity. The modular design of SAP R/3 leads to complex user access, conflicts of duties and so on; consequently, auditing SAP R/3 is equally complex. Several existing implementations have been found not to have taken care of issues such as undocumented access security, missing authoritative ownership of the whole big picture, or excessive privileges allocated to personnel. Walking into any SAP implementation done years ago, an external auditor can find several issues to report as deficiencies (see Appendix A for the definitions of SOX 404 deficiencies: control deficiency, significant deficiency and material weakness), with the dire consequence of potential misstatements in the 10-Q. Even with recent 'go-live' implementations, dynamic changes in the corporate world will create deficiencies if due care is not taken. Consequently, several corporations with huge SAP implementations have scheduled SAP audits as frequently as semi-annually. It is therefore important to understand the mindset of external auditors. The following are the issues that the external auditor will look for:

1. Segregation of duties – In SAP R/3, segregation of incompatible functions is a major control point, so fixing incompatible functions before the external auditor sees them is key. Assessing whether incompatible functions are assigned to SAP users can be a tedious task. So how does one go about addressing such incompatibility issues? Let me explain using the example of the accounts payable process in SAP. Ideally, in A/P, segregation of duties should exist between the purchasing, goods receiving, invoice processing and cash disbursement functions. The steps are as follows:

Step 1 - Document the entire payables process. This would include raising a purchase requisition, releasing the purchase requisition, raising a purchase order (PO), releasing the purchase order, goods receipt, invoice entry and finally processing payments.

Step 2 - For each sub-process identified above, identify the relevant transaction code in SAP. This can be done using the standard menus in SAP.

Step 3 - Identify the key control points within the process. In our example, the key control points would be raising a PO, goods receipt, entering an invoice, and creating and changing vendor master records.

Step 4 - Identify whether there are any other incompatible duties. One such incompatible combination would be payment processing and vendor master maintenance.

Step 5 - Identify the transaction codes in SAP which allow access to these incompatible functions. In SAP the relevant transaction codes would be: XK01 / XK02 - Create Vendor / Change Vendor details, ME21 - Create PO, ME28 - Release PO, MB01 - Goods Receipt, MIRA / MIRO - Invoice Entry. The incompatible combinations relevant for segregation of duties would be:

XK01 / XK02 and ME28
ME21 and ME28
ME28 and MB01
XK01 / XK02 and MIRA / MIRO


Step 6 - Identify employees within the organization who have access to such incompatible functions. This can be done using SUIM or data analysis tools. If required, the analysis can even be done at the authorization profile level.

Step 7 - Once users with access to incompatible functions are identified, access to such functions should be restricted. The BASIS person who is responsible and knowledgeable enough to carry out such a task should do this. The external auditor's steps would be very similar to the steps above.
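As an added example (not part of the original paper), the following script performs Step 6 over a user-to-transaction export such as SUIM would produce, using the incompatible pairs from Step 5; the user assignments are constructed sample data.

```python
"""Segregation-of-duties check for the A/P example above.

Added example, not part of the original paper. The user-to-transaction
assignments are constructed sample data standing in for a SUIM export
(e.g. "Users by transaction" run for each tcode); the incompatible pairs
are the ones listed in Step 5.
"""

# Incompatible combinations from Step 5. Each side is a set so that
# XK01 / XK02 and MIRA / MIRO each count as one business function.
INCOMPATIBLE_PAIRS = [
    ({"XK01", "XK02"}, {"ME28"}),          # vendor master vs. release PO
    ({"ME21"}, {"ME28"}),                  # create PO vs. release PO
    ({"ME28"}, {"MB01"}),                  # release PO vs. goods receipt
    ({"XK01", "XK02"}, {"MIRA", "MIRO"}),  # vendor master vs. invoice entry
]

# Constructed sample export: user -> transaction codes the user may start.
SAMPLE_ASSIGNMENTS = {
    "APCLERK1": {"MIRO", "MIRA", "FB60"},
    "BUYER1":   {"ME21", "ME28", "ME23"},            # creates and releases POs
    "VENDADM1": {"XK01", "XK02", "MIRO"},            # vendor master + invoices
    "WAREHS1":  {"MB01", "MIGO"},
    "SUPERUSR": {"XK01", "ME21", "ME28", "MB01", "MIRO"},
}

def find_sod_conflicts(assignments):
    """Return {user: [(tcodes_side_a, tcodes_side_b), ...]} for every user
    holding both sides of an incompatible pair. Users with no conflict are
    omitted, so the result is directly the remediation list for Step 7."""
    conflicts = {}
    for user, tcodes in assignments.items():
        hits = []
        for side_a, side_b in INCOMPATIBLE_PAIRS:
            got_a = sorted(tcodes & side_a)
            got_b = sorted(tcodes & side_b)
            if got_a and got_b:
                hits.append(("/".join(got_a), "/".join(got_b)))
        if hits:
            conflicts[user] = hits
    return conflicts

if __name__ == "__main__":
    for user, hits in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for side_a, side_b in hits:
            print(f"{user}: {side_a} conflicts with {side_b}")
```

A real review would feed the same function with every user's effective transaction set, including codes reachable through composite roles and profiles, which is why the paper mentions going down to the authorization profile level.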

2. Inconsistent business process procedures – This is very commonly seen in today's corporate environment, where M&A is part of the game. The first question asked is how the data was moved and what process procedures are in place for each entity. It is crucial that process procedures be consistent across all entities and business processes, as inconsistent procedures make the business prone to financial misstatements. For example, in one SAP audit of a corporation, all master material lists had tolerance limits except one belonging to an entity that was bought a few years ago. This can be found out by running a filter on all master material lists for materials that allow exceeding tolerance limits. The design risk here was that users were allowed to specify delivery tolerances that would permit acceptance of a significantly larger quantity of goods than was ordered (via the requirements planning document and PO) and approved. Also, overriding delivery tolerances was allowed rather than prevented. Had an invoice been processed and paid on this basis, there would have been a misstatement. Business process procedures are categorized as manual and automated; the above is an example of an automated procedure. An example of a manual business process procedure is a central payment procedure, or the procedure followed when a new application server is released to production, requiring that OS patches be brought up to date, an anti-virus scanner with the latest signatures be installed, the database be hardened, the server be taken through penetration tests and so on. Inconsistencies in manual business process procedures are easy to find and remediate compared to automated business process procedures. Consequently, the external auditor will have automated scripts in place that discover inconsistencies in automated process procedures.

We recommend that the SAP R/3 procedures be reviewed semi-annually for any inconsistent procedures due to changes that may have crept in, that a tight SDLC process be in place, and finally that STP (straight-through processing) be enabled and Transaction Manager used. The advantage of using Transaction Manager is that it manages the execution of each step of the transaction's process, performs the accounting, ensures that separation of duties is enforced and captures the audit trail associated with that transaction. Not only does this increased automation save the time spent executing these steps, it eliminates the errors (and the resulting investigation and reprocessing) that are a normal consequence of a manual approach.

3. Unsecured customized programs - Almost all SAP implementations have many customized 'Z' transactions or 'Y' transactions built to suit the business process. There is nothing wrong with that; the problem is that these customized transactions are often not secured, making them vulnerable. The external auditor will look at how secure they are. Make sure they are secured, either via S_TCODE or by assigning an authorization object to the transaction via transaction code SE93. SAP auditors can find a listing of all customized Y and Z transactions through the menu path (System >> Services >> Reporting) or through transaction SA38. The selection screen that appears is shown in the screenshot below.

[Screenshot of the SA38 program selection screen]


On that screen, to find all customized programs, i.e. those beginning with "Y" and "Z", enter "YA" in the 'from' field and "ZZ" in the 'to' field of the 'Program' selection. The listing of all customized programs within SAP appears. On this listing, external auditors look for the following three issues.

a. Customized transaction title - As an SAP auditor, the first thing you should check is that all custom programs have sufficiently descriptive titles stating the purpose of the program. Any missing title descriptions should be reported.

b. Test transactions - Next, click on the binoculars button and search for terms like "TST" or "TEST". Ideally, there should not be any customized Y or Z test transactions in the production environment. Y and Z test programs lying in the production environment should be removed.

c. Critical customized transactions - Customized SAP transactions which execute critical functions like deleting code, other programs, etc. pose another security risk. SAP auditors can find such programs using terms like "DEL", "DELETE" or "REMOVE". Such programs are normally ones which should have been removed from SAP before go-live but were overlooked. Apart from these, other programs that look conspicuous or attract attention, like ones with exclamation marks (!) or question marks (?), should also be investigated by R/3 auditors.
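The three checks in a, b and c can be run over the program listing offline once it is exported; the following is an added example (not from the original paper) over a constructed sample of program names and titles, mirroring the substring searches the auditor performs with the binoculars button.

```python
"""Triage of a custom (Y*/Z*) program listing for the three issues above.

Added example, not from the original paper. The records below are
constructed sample data standing in for the program names and titles
listed by SA38 / System >> Services >> Reporting for the range YA..ZZ.
"""
import re

# Constructed sample listing: (program name, short title). An empty title is
# what the auditor sees when no description was maintained.
SAMPLE_LISTING = [
    ("ZFI_VENDOR_AGEING", "Vendor open item ageing report"),
    ("ZMM_PO_TEST", "TEST copy of PO upload"),
    ("YHR_PAYROLL_EXTRACT", ""),
    ("ZBC_DEL_SPOOL", "Delete spool requests older than n days"),
    ("ZSD_FIX!!", "Fix pricing ?? do not run"),
    ("ZMM_GR_TOLERANCE", "Report GR over-tolerance postings"),
    ("RSUSR002", "Users by complex selection criteria"),  # standard SAP report
]

# Plain substring searches, like the binoculars search in the listing; hits
# are review candidates, not confirmed findings (e.g. "LATEST" matches TEST).
TEST_MARKERS = re.compile(r"TST|TEST", re.IGNORECASE)
CRITICAL_MARKERS = re.compile(r"DEL|DELETE|REMOVE", re.IGNORECASE)
CONSPICUOUS = re.compile(r"[!?]")

def triage_custom_programs(listing):
    """Return a list of (program, finding) tuples. A program appears more
    than once when it triggers several of the checks."""
    findings = []
    for name, title in listing:
        if not name.upper().startswith(("Y", "Z")):
            continue  # standard SAP program, outside the custom YA..ZZ range
        text = f"{name} {title}"
        if not title.strip():
            findings.append((name, "missing title"))
        if TEST_MARKERS.search(text):
            findings.append((name, "test program in production"))
        if CRITICAL_MARKERS.search(text):
            findings.append((name, "critical function (DEL/DELETE/REMOVE)"))
        if CONSPICUOUS.search(text):
            findings.append((name, "conspicuous name or title (! or ?)"))
    return findings

if __name__ == "__main__":
    for program, finding in triage_custom_programs(SAMPLE_LISTING):
        print(f"{program}: {finding}")
```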

4. Excessive or unauthorized access to master tables and SAP BASIS - Many companies make the mistake of giving access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54, etc. to users in production. Conversely, BASIS or development staff are given access to run transactions in the SAP production environment. Such unrestricted access can lead to a potential control deficiency under Sarbanes-Oxley. We recommend that during the semi-annual audit, business owners check these areas for any creep of violations.

5. Unrestricted posting periods – Corporations strictly close the books on a specified timeline, but some corporations allow posting because closing of the books is not done in a timely manner. If that is happening, SAP R/3 has no control to avoid a misstatement. Make sure that business owners close the books on the specified timeline; otherwise, unauthorized entries in previously open periods can result in a severe deficiency under SOX.

6. SAP access for terminated employees or presence of redundant 'testing' user accounts – 80% of the time, we have observed that corporations have not revoked the access of terminated employees. Another popular observation is the presence of redundant user accounts that were created for testing, with names very close to those of current employees and the same roles, functions and authorizations. The lack of tight change management, with a proper test environment and release-to-production process in place, is the main reason for this. During the semi-annual audit, business owners need to review for any such violations.

7. Database and OS hardening – We recommend that the SAP R/3 servers have the database hardened and OS patches and anti-virus signatures kept current. We also recommend that unnecessary ports be closed and vulnerability checks be performed, with remediation accordingly, before moving a server to production.

8. Interfaces and error handling – A typical SAP system may have many interfaces from existing legacy systems as well as interfaces to other external systems. Inbound interfaces to SAP from legacy systems usually consist of a file which is sent from the legacy system to SAP and processed in the background via a standard SAP transaction. Outbound interfaces from SAP to external systems usually consist of a file which is sent from SAP to the external system and processed at periodic intervals by the external system. Alternatively, users can download data from SAP to their PC and then process it as they wish, for example in a spreadsheet.

Appropriate procedures need to be implemented to ensure that the use of interfaces is well controlled and to protect the integrity of system data. The following are the critical issues that external auditors look for:

a. Data interfaced from legacy systems into SAP or from SAP to external systems may not be completely transferred, or the files loaded may be corrupted.

b. Unauthorized changes may be made during batch input error correction.

c. Unauthorized changes may be made to batch input (interfaced files) without detection.

The key is to have documented error codes for every failure in transfers between legacy systems and SAP, and to ensure that these errors are detected and corrected in a timely manner with sufficient audit trails and approvals.

9. Inherent and configurable controls - Inherent controls are predefined controls in SAP R/3. Such controls do not need to be configured separately in SAP. Inherent controls help prevent major errors, since SAP itself prevents them through these controls.

Below are some of the inherent controls that can be utilized to prevent errors leading to SOX 404 deficiencies:

Duplicate checks through message control

Sequential documents through number ranges

Automatic integration and postings

Online data analysis

All transactions through unique documents

History of transactions executed by users retained including date, time and user.

Logging and history of program changes

Configurable controls are those customized to the business process needs. They are added during the first implementation, before going live, or can be added at any point in time. SAP AIS (Audit Information System) consists of tools which can be used to monitor both inherent controls and configurable controls within SAP.


Appendix A

A paper in Compliance Week (Oct 2004) noted that 51% of disclosures in recent months were due to problematic financial systems. Other big issues showing up as significant deficiencies / material weaknesses were: personnel issues (segregation of duties, inadequate staffing/training, supervision issues); tone at the top (following instances of restatement); and poorly documented accounting practices. So, what are these significant deficiencies and material weaknesses? The following is an excerpt taken directly from aicpa.org.

Control Deficiency: The design or operation of a control that does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Example: A member of the accounting department has been assigned responsibility to perform reconciliations on all bank accounts on a monthly basis. This person also has responsibility for opening the mail and preparing the daily deposit to the bank. The person’s manager is required to review each reconciliation when completed, but the manager does not consistently sign off on the reconciliation indicating review. Two internal control deficiencies exist here: (1) the lack of segregation of duties because one individual is preparing the cash deposit and reconciling the cash accounts and (2) the lack of documentation of a control because the manager does not evidence review so it is not clear that the review has been performed.

Significant Deficiency: A control deficiency that adversely affects the company’s ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles (GAAP). Alone or with other deficiencies, this type of control deficiency results in more than a remote likelihood that a misstatement of the financials, that is more than inconsequential in amount, will not be prevented or detected.

Example: The company uses a standard sales contract making it necessary for the accounting department to review completed sales contracts for changes to standard shipping terms to assure the proper timing for recognizing revenue from sales. Because the terms are not always reviewed, revenue has been overstated on occasion. It is unlikely that any single sales contract could result in a material overstatement of revenue, and there are controls in place to ensure that material misstatements do not occur. However, a misstatement that is more than inconsequential yet less than material could result, creating a significant deficiency in internal control.

Material Weakness: A significant deficiency that, alone or with others, results in more than a remote likelihood that a material misstatement of the financials will not be prevented or detected.

Examples of weaknesses that would likely be considered material depending on the circumstances include:

• Ineffective oversight by the audit committee over the external financial reporting process, and the internal controls over financial reporting

• Material misstatements in the financial statements not initially identified by the company’s internal controls


• Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time

• Restatement of previously issued financial statements to correct a material misstatement

• For larger, more complex entities, ineffective internal audit functions

• For complex entities in highly regulated industries, ineffective regulatory compliance function

• Fraud of any magnitude on the part of senior management

• An ineffective control environment