Systems Applications Products audit

A Systems Applications Products audit is an audit of a computer system from SAP to check its security and data integrity. SAP is the acronym for Systems Applications Products. It is a system that provides users with a soft real-time business application. It contains a user interface and is considered very flexible. In an SAP audit, the two main areas of concern are security and data integrity.

Overview
Systems, Applications, Products in Data Processing, or SAP, was originally introduced in the 1980s as SAP R/2, which was a system that provided users with a soft real-time business application that could be used in multiple currencies and languages. As client–server systems began to be introduced, SAP brought out a server-based version of their software called SAP R/3, henceforth referred to as SAP, which was launched in 1992. SAP also developed a graphical user interface or GUI.

For the next 12 years, SAP dominated the large business applications market. It was successful primarily because it was flexible. Because SAP was a modular system (meaning that the various functions provided by it could be purchased piecemeal) it was a versatile system. A company could simply purchase modules that they wanted and customize the processes to match the company's business model. SAP's flexibility, while one of its greatest strengths is also one of its greatest weaknesses that leads to the SAP audit.

There are three main enterprise resource planning (ERP) systems used in today's larger businesses: SAP, Oracle, and PeopleSoft. ERPs are specifically designed to help with the accounting function and the control over various other aspects of the company's business such as sales, delivery, production, human resources, and inventory management. Despite the benefits of ERPs, there are many potential pitfalls that companies who turn to ERPs occasionally fall into.

Segregation of duties
Security is the first and foremost concern in any SAP audit. There should be proper segregation of duties and access controls, which is paramount to establishing the integrity of the controls for the system. When a company first receives SAP, it almost lacks all security measures. When implementing SAP a company must go through an extensive process of outlining their processes and then building their system security from the ground up to ensure proper segregation of duties and proper access. Proper profile design and avoidance of redundant user IDs and superuser access will be important in all phases of operation. Along with this comes the importance of ensuring restricted access to terminals, servers, and the data center to prevent tampering. Because each company will have different modules each company's security structure will be distinctly different.

A typical example from SAP will be Creating a Vendor and also being able to pay an invoice. The Create a Vendor Transaction is XK01 and the Pay invoice transaction is FB60. If the User or Role in SAP has those two transactions then it will create a SOD Risk.

With security, it all starts at the beginning with the proper design and implementation of security and access measures for employees. For new employees, it is important that their access is set up properly and that future access granted has proper approval. After the system has been implemented the control over system changes and the approval process required for it is vital to ensure the continued security and functionality of the system. Without proper security measures in place from start to finish there will be a material weakness in the controls of the system because of this there will likely be some level of fraud as well.

Through security, you can monitor who has access to what data and processes and ensure that there is sufficient segregation of duties to prevent someone from perpetrating fraud. One of the major advantages of SAP is that it can be programmed to perform various audit functions for you. One of the most important of those is for reviewing user access and using the system to cross-check based on an access matrix to ensure that proper segregation is in place so a person with payment request access does not also have access to create a vendor.

System changes
After ensuring that security is set up to ensure proper segregation of duties the next area of concern surrounding security is with regards to system changes. All companies should have three different systems: the development system, the test system, and the production system. All changes to production will need to be run through an approval process and be tested to ensure that they will function properly when introduced into the production system. The security around who can authorize a change and who can pull that change through into production is paramount to ensuring the security and integrity of the system. A review of this process and the people involved with it will be key to the audit of the system.

The goal of auditing the access, steps and procedures for system updates is to ensure proper controls over change management of the system and to ensure that proper testing and authorization procedures are being used.

Data integrity issues
Because SAP integrates data from legacy systems it is important to ensure that the mapping of the interaction between the legacy systems and SAP is thorough and complete. Without that, any data received from SAP would be suspect. It is also important that proper backups of the database be maintained along with an up-to-date and practiced disaster recovery plan to ensure continuity after a disaster. A thorough review of these plans along with the mapping of system interfaces will be important in this phase of the audit. However, because all SAP data are stored on inter-related tables users with certain security can change them. The output must be verified to ensure accuracy. SAP does provide some basic audit programs to assist with the review of data to ensure that it is processing properly. It is also customizable so that a user can create a program to audit a specific function.

The monitoring of change management, the moving of updates to the system from the development stage is one of the key elements of this particular concern. Because of this, review of the process of review and pull through to production needs to be a high priority.

Controls
Controls around the system need to be reviewed, especially around the accounts payable and accounts receivable sub ledgers. Auditors must perform or review reconciliations between SAP and external information such as bank reconciliation and A/P statement reconciliation. They must review cost center and responsibility accounting, management review and budgetary control and the route of authorization for non-routine transactions.

The audit review should include a review of validation of data that is input in certain transactions, the design of ABAP statements and their authority checks matching documents prior to closing. Also, with regard to the master file control there must be an independent review of master file changes and creation of transactional responsibilities to identify any redundant master files.

When it comes to data integrity the primary concerns are the integration of data from the legacy systems and then ensuring that data being input into the system for processing has been properly approved and is accompanied by the proper documentation. Through reviewing these aspects of the processing from implementation through to production you can gain reasonable confidence that the controls surrounding the data are sufficient and that the data are likely free of material error. The use of the built in audit functions will greatly assist with this process and the ability to create your own audit programs will allow you to customize the work to the company you are working with.

Control risks
The two major control risks that need to be monitored with SAP are security and data integrity. To ensure that both are sufficient it is important that both be properly outlined and developed during implementation. User profiles must be designed properly and access must be sufficiently segregated to minimize the chance of fraud. Use of the SAP audit functions to cross check the user access with the matrix of allowable accesses is the quickest and easiest way to ensure that duties and access are properly segregated. New and old users must be entered and removed promptly and avoidance and monitoring of any super user access is imperative. Review of the access to upload and pull through changes to production and review of the associated authorization process is important from both a security and data integrity point of view.

To further ensure data integrity it is important that proper documentation be reviewed along with confirmation of any external data available either through a legacy system or through a third party. This is important with regard to certain sensitive accounts, such as accounts payable. Review of controls around budgets and management review and also review of authorization for non-routine transactions and physical access will be imperative to ensuring the accuracy of the data input and output from the system. The use of and development of tools within SAP will help accelerate this process and help to ensure that it is accurate. These are the two most vital parts to any SAP audit and successful review of them should allow you to determine the adequacy of control around the SAP system and access to it to determine whether or not there are any material deficiencies with the systems control.