Auditing in SAP Environment CA Shirish PadeyCA Heta ShahCA Mitesh VoraCA Kajal ShahCA Rakesh LakhaniICAI-Mumbai Branch8th June,2019

n to Controls based AuditIntroduction to SAPAccessing and Navigating SAPSAP OrganizationReview of IT General Controls (Other than BASIS)Review of SAP BASISValidation of Automated ControlsAuthorization ConceptSegregation of DutiesData Migration to SAPSAP UpgradeReport ValidationJE Extraction and AnalysisRobotic Process Automation (RPA) in SAP

SESSION 1Introduction to Controls based Audit

1.1 Standards on Auditing SA315 – Identifying and Assessing the Risk of MaterialMisstatement Through Understanding of the Entityand its Environment– The auditor shall Obtain understanding of Internal Controls Obtain understanding of Information Systems,including related business processes Obtain understanding of how the entity has respondedto risks arising from IT Obtain an understanding of the entity’s controls overrisk of inaccurate or incomplete recording oftransactions in highly automated processingenvironment SA330 – The Auditor’s Responses to Assessed Risk– The auditor shall Consider effectiveness of General IT Controls

1.2 Accounting in ERPs All entries are Journal Entries There are NO Primary or Secondary Booksof Account – only data stored in Tables

1.3 Difficulty in Substantive Auditfor ERPs Absence of PrintoutsVoluminous dataDifficulty in Ledger ScrutinyDifficulty in audit of “manual” journalentries

1.4 Alternative? Reliance on IT General Controls– Relying on Automated Controls andAutomated Accounting Procedures– Reliance on Reports and System-DependentManual Controls– Reliance on Underlying Data


SESSION 2Introduction to SAP

2.1 SAP — What is it? SAP is a German multinational software corporationthat makes ERP with regional offices in almost 140 countries and has over approx. 437,000 customers in180 countries. In German: Systeme, Anwendungen und Produkte in derDatenverarbeitung In English: Systems, Applications and Products in Data Processing Founded in Walldorf, Deutschland (Germany), 1972 Not "Sap" — It is "S - A - P"

2.1 SAP — What is it? . [Contd.]

2.2 SAP - The Product R/3 and ERP Three tier architecture — Front end (GUI), Application Server,Database Server

2.2 SAP — The Product . [Contd.] Client — Server Architecture

2.3 R/3 and ERP: Three-Tier Computer Central Database(Storage of all data) Access to Dataase:(Read /Write data) Database Processing of datausing application logic Application Presentation Presentation of theprocessed data tothe user

2.4 Transport System SAP System SAP System SAP System Change Request DevelopmentQuality AssuranceProduction Moving changes from one system to another

2.5 SAP S/4 HANA Journey

2.6 Modules in SAP

2.6 SAP Modules [. contd .] SAP-FI (FInancial Accounting) SAP FI - General Ledger (GL)SAP FI - Accounts Payable (AP)SAP FI - Account Receivable (AR)SAP FI - Bank Accounting SAP-CO (COntrolling) SAP CO - Cost Element AccountingSAP CO - Cost Center AccountingSAP CO - Activity-Based CostingSAP CO - Product Cost ControllingSAP CO - Material Ledger SAP-SD (Sales & Distribution) SAP SD - Master DataSAP SD - SalesSAP SD - ShippingSAP SD - TransportationSAP SD - BillingSAP SD - Electronic DataInterchange (EDI) SAP-MM (MaterialManagement) SAP MM - PurchasingSAP MM - Inventory ManagementSAP MM - Warehouse ManagementSAP ML - Material Ledger

2.6 SAP Modules [. contd .] SAP-PP (Production Planning) SAP PP - Material RequirementsPlanningSAP PP - Capacity RequirementPlanningSAP PP - Sales and OperationsPlanningSAP PP - Production ordersSAP DS - Detailed Scheduling SAP-PS (Project System) SAP PS - PaymentsSAP PS - ConfirmationSAP PS - CostsSAP PS - ResourcesSAP PS - DatesSAP PS - Documents SAP-HR (Human Resource) SAP PA - Employee ManagementSAP PA - Personnel AdministrationSAP PA - BenefitsSAP PA - PayrollSAP PA - Time Management SAP-QM (Quality Management) SAP QM - Quality PlanningSAP QM - Quality InspectionprocessingSAP QM - Quality controlSAP QM - Test equipmentmanagement

2.6 SAP Product – features SAP Supports· Multiple Languages· Multiple Currencies Proprietary (High-level) Programming Language — ABAP(Advanced Business Application Programming) Can execute on any Operating System — UNIX,Windows etc. Can use any Database — Oracle, MS SQL, MS Access , SAPHana Currently, no Support for versions other than SAP R/3ECC (ERP Central Component ) 6.0 and SAP HANA

2.7 SAP – Points to Ponder Highly integrated On-line, Real-time Complex Data Structures Causes business process changes Causes organizational changes Very sophisticated testing of functionality and standard reports In-Built Controls Debit Credit tallyTrail of all transactions entered

2.8 SAP Business one SAP Business one — for Small / Medium Enterprises Not much complex as well as Not expensive ascompared to SAP R/3 Menu driven and NOT T-code (Transaction Code)driven as SAP R/3 Not much customization is possible No modules needs to buy entire package andRestrictions can be done on the basis of Licensepurchased Generally unable to rely on automated controls


SESSION 3Accessing and Navigating SAP


3.2 Logging On -SAP GUI To log on to an R/3 system with the SAP GUI, one need theproprietary SAP GUI (Graphical User Interface) softwareloaded on your system and an internet /network/VPNconnection Account on SAP R/3 System at Data Centre or hosting site Internet / Network, VPN Connection PC with SAP GUI

3.3 SAP GUI Configuration First, you need to tell the SAP GUI which system you want to log into:

3.4 System Definition Text description (free) Address of system (e.g. System Number System ID Logical name of systemRouter (usually notrequired ) SAP

3.5 Configured SAP GUI SelectSystem: double-click or Logon button

3.6 Logging On Enter Client Enter User Enter Password Don't worry about language— English will default in

The default screen is called the SAP Easy Access Screen. You can switch from one menu to the other by selecting theappropriate icon When you log on, you will see either your user menu (specific toyour role), or the SAP standard menu (lists all transactions) 3.7 SAP MenusSAP User MenuSAPStandardMenu

3.8 SAP Navigation: Using the System Two ways to choosea task: Clicking on themenu option Enter atransaction codein the commandfield

3.9 SAP Screen Components Title Bar SAP Menu Standard Toolbar Buttons Navigation icons Command Field Favorites Caution: on your DependingGUI version, the screen may look different even if the SAP version is the same! Application Toolbar Message Bar Status Bar


SESSION 4SAP Organization

4.1 SAP R/3 Organization Structure

4.2 SAP Organization Instance — One installation Client — At least one Client per Instance Company Code At least one Company Code per Client Generally a legal entity Trial Balance can be drawn at this level Cross Instance settings are not possible Cross Client settings are possible Cross Client consolidations are possible Some data can be defined at Client level, will applyto all Company Codes of that Client

4.1 SAP Organization Contd. Business Area — across Company Codes Plant — assigned to a single Company Code Purchasing Organization Sales Organization Very difficult to change SAP Organization afterimplementation Definition is extremely important forfunctionalities and security

4.2 SAP Organization Impact on Audit Appropriate scoping New GL for Multiple Reporting(s) — IFRS, ForeignReporting, Statutory and Tax Reporting Consolidations


SESSION 5Review of IT General Controls(Other than BASIS)

5.0 IT General ControlsITGCs may also be referred to as GeneralComputer Controls which are defined as"Controls, other than application controlswhich, relate to the environment withinwhich computer-based application systemsare developed, maintained and operatedand which are therefore applicable to allapplications”

5.0 IT General Controls ITGCs cover 5 domains –––––IT GovernanceAccess to Programs and DataChange ManagementProgram DevelopmentComputer Operations The objectives of general controls are to ensure the properdevelopment and implementation of applications, theintegrity of program and data files and of computeroperations. Like application controls, general controls may be eithermanual or programmed.

5.1 IT Governance Management controls over IT IT Organization structure, including definition ofroles and responsibilities within IT Policies and Procedures, e.g.––––IT Security PoliciesChange ManagementInfrastructure maintenanceHR Policies Regulatory compliance Audit issues management

5.2 Access to Programs and Data Provisioning and modification of end-useraccess (SAP, Operating Systems, Databases,Networks) Timely revocation of user access(resigned/absconded users) Privileged access to SAP, Operating Systems,Databases, Networks Physical Accesses (access to data center,computing facilities, environmental controls) Password parameters

5.2 IT Risks within Access to Programsand Data User access is provided withoutappropriate prior approvals User access for terminated employees isnot removed in a timely manner User access is appropriately updated toreflect changes to individuals roles andresponsibilities Access to the system is restricted throughcomplex password parameters

5.2 Auditing in SAP Verify that access to critical system (application,operating system and database) functions isappropriately restricted on an as-needed basis Super-user profiles, i.e. SAP ALL andSAP NEW are not assigned to any user id Default SAP Accounts are locked and theirdefault passwords are changed Privileged (super-user) user access at theapplication, OS, database and network level isapproved Complex passwords are required at all levels

5.2 Auditing in SAP Logging is enabled at the system level andcritical configuration tables are logged Remote access (VPN, Web, etc.) isappropriately restricted and monitored User accounts that support internalprocesses, interfaces, job schedules, etc.are defined as system accounts (user types‘B’ or ‘C’) to prevent individuals from usingthose accounts

5.2 Auditing in SAP

5.2 Auditing in SAP

5.2 Auditing in SAP

5.2 Auditing in SAP

5.2 Auditing in SAP

5.3 Change Management Changes to application configurations,reports, programs Changes to Operating Systems, databasesand network Segregation of environments(development, test and production) Developer Access to live data is restricted

5.3 IT Risks within Change Management Unauthorized changes are made to theapplication, operating system, database ornetwork Changes are not tested sufficiently prior toimplementation in the production system

5.3 Auditing in SAP SAP environment is segregated into the 3-box system,i.e. development, testing/QA and production (live) Changes are adequately and independently tested andapproved before being implemented in the production Developers should not have access to production eitherthrough developer keys or through transactions. Production is locked for direct changes and is openedbased on specific approvals When direct changes are required in production, theyare made only through transport requests Business impact analysis of changes implemented

5.3 Auditing in SAP

5.3 Auditing in SAP

5.3 Auditing in SAP

5.3 Auditing in SAP

5.3 Auditing in SAP

5.3 Auditing in SAP

5.4 Computer Operations Batch Processing and schedulingInterface testingBackupDisaster Recovery and BCPNetwork security

5.4 IT Risks within ComputerOperations Failed batch jobs are not monitored andrescheduled Interfaces are not monitored System back-ups are not taken on a regular basis Back-ups are not tested for successful restoration Back-ups are not stored at an offsite location External access to the system is not appropriatelyrestricted Data center is not designed to prevent damage dueto heating, accidental fires, etc.

5.4 Auditing in SAP Access to batch scheduling and monitoring tools isrestricted to the IT operations team Access to back-up tools is restricted to the IToperations team Failed batch jobs, interfaces and back-ups are trackedthrough a ticketing system and are resolved Back-ups are stored at an offsite location and areperiodically tested for successful restoration External access to the system is appropriatelyrestricted through firewalls, etc. and periodicallytested



6.0 SAP BASIS reviewITGC Domain – Computer Operations Access to maintain (create new or change/delete existing) jobschedules is appropriately restricted Access to executed critical job schedules is appropriately restricted Critical batch jobs, especially those that have a financial impact, areidentified and are monitored Failed batches are monitored and resolvedThe above procedures apply like-wise to any interfaces that have beenset-up with external applications

6.0 SAP NetWeaver / Basis What is SAP NetWeaver / BasisRole of SAP Basis team memberIT Risks within SAP BasisSAP Basis review

6.1 What is SAP NetWeaver /Basis?SAP ApplicationSAP NetWeaver / BasisDatabaseOperating SystemHardware

6.1 What is SAP NetWeaver /Basis? NetWeaver is a toolkit used to enhance businessfunctionalities delivered by SAP components. Often interchangeably referred to as SAP Basis(reference to the original toolkit that was thefoundation of SAP R/3). Act as a filter between the actual business logic in SAPR/3 and the specifics of the operating system anddatabase underneath. SAP business programmers could focus on writingbusiness logic and not have to worry whether or not itwould work on the various permutations of hardware,operating system and/or database.

6.2 Role of SAP Basis team member Activities that an SAP NetWeaver SystemAdministrator does day-to-day, include:– create users/assign roles (within SAP)– run backup– check db/os space utilization, add space ifnecessary– install SAP software, configure SAP parameters– monitor CPU/Memory/disk space/performance– configure connectivity between SAP componentsor SAP/non-SAP components– SAP software change management (i.e. TransportManagement).

6.3 IT Risks within SAP Basis Critical system administration access is not appropriatelyrestricted, e.g.– super-user access across the application– creating/modifying user access and roles– direct access to data through table maintenance– opening production (live) system for making direct changes– applying tested and approved changes to the productionsystem– access execute programs directly in production system– access to execute operating system and database commands– access to application activity logs– access to manage interfaces with other applications– access to modify system parameters (passwords, logging,etc.)

6.3 IT Risks within SAP Basis Conflicting accesses not appropriately segregated,e.g.– access develop/code a change AND implement it inthe production system– developers have access to production environment Activities performed by Basis team members arenot logged and reviewed periodically, e.g.– review of security audit logs for critical activities– where change transports are owned and implementedby Basis team, they are adequately and independentlytested prior to implementation


SESSION 7Validation of Automated Controls

7. Business Processes Period End Financial ReportingOrder to CashProcure to PayManufacture to InventoryAcquire to Retire

7.1 Period End Financial ReportingKey sub-processes Organization Structure :ClientChart of Accounts GL accounting master data :- At Chart of Accounts level- At Company code level Period Maintenance :– FI/MM Periods– 12 4 periods– Account type wise Foreign Exchange– Exchange Rates– Translation accounting– Revaluation accounting New GL functionality Parallel ledgers, Real-time document splittingCompany CodeKey T-CodesFS00 – GL MastersOB52 – Period MaintenanceOB08 – Exchange RatesFB01 – Journals processing

7.1 Period End Financial ReportingKey Automations GL marked for deletion and not blocked for postingAuto-posting enabled for key GL AccountsDocument change rules not active for key fieldsPark and Post workflow for JournalsAutomated GL determination for Translation and Revaluation Gain/LossAutomated entries classification possible in SAPInherent controls– Sub-ledger to GL reconciliation automated for Recon Accounts– No change possible to accounting relating fields once a document isposted– Debits Credits– Some fields are inherently required in a Journal EntryAccess to maintain periods is restrictedAccess to process / post Journals is restrictedSOD between Maintain period and process JournalsSOD between park and post journals in SAP

Reconciliation Account Type Auto Post Indicator

Document Change RuleForeign Exchange AccountingPosting BlockThis master record is blocked ONLY inthis Company CodeThis master record is marked for deletionONLY in this Company Code

7.2 Order to cashKey sub-processes Organization Structure :ClientCompany CodeSales AreaPlantMaster data :- Customer Master Data at Client, Co Code and Sales Area level- Pricing master data at Sales Area level- Credit LimitsKey T-CodesSales Orders processingDelivery and Post Goods Issue processing XD01 – Customer MastersVK11 – Price MastersSales Invoice processingVA01 – Sales OrderCredit Block and releaseVL01 – DeliveryRelease of Sales Invoice for accountingVF01 – Sales InvoiceReceipt of MoneyAgeing of Receivables Review

7.2 Order to cashKey Automations All Customer Masters are assigned Recon GL AccountsPricing procedures appropriately configuredPrices not changeable in Sales Orders and defaults from Price MastersDelivery requires a preceding Sales OrderDeliveries cannot be processed in excess of Sales Order quantitySales Invoice cannot be processed in excess of DeliveriesAppropriate Revenue RecognitionPrices in Sales Invoice not changeable and defaults from Price master/salesorderAutomated GL determination for Deliveries and Sales invoicesAutomated Rebate processingAccess to maintain Price Masters is restrictedAccess to release blocked invoice is restrictedSOD between Sales Order and Delivery and InvoicingSOD between Price Masters and Sales orders processing

Sales Account Determination Ageing of Debtors – settings for “Payment Terms from Invoice” Price Masters changeability

Sales order – Delivery – Invoice linkingDelivery quantity minus Invoice QuantityQuantity is calculated positivelyCopy price elements unchanged andredetermine taxesOrder

7.3 Procure to PayKey sub-processes Organization Structure :ClientCompany CodePurchase OrgPlantMaster data :- Vendor Master Data at Client, Co Code and Purchase Org level- Purchase Info records for Vendor and Materials- Material mastersKey T-CodesPurchase Orders processingPurchase Order ReleaseXK01 – Vendor MastersGoods Receipts processingMM01 – Material MastersVendor Invoice processingME21N – Purchase OrderThree way matchMIGO – Goods ReceiptRelease of Blocked Vendor Invoices for payments MIRO – Vendor InvoiceF110 - PaymentsPayments

7.3 Procure to PayKey Automations All Vendor Masters are assigned Recon GL Accounts3 way match indicators are appropriately set in Purchase OrdersAll Purchase Orders subject to release in SAPGoods Receipt cannot be processed in excess of Purchase Order quantityVendor Invoice cannot be processed in excess of Goods receiptPrices in Vendor Invoice not changeable and defaults from Purchase OrderTabs in invoice for differential amount posting should be inactiveVendor not changeable in invoiceAutomated GL determination for Goods Receipts and Vendor invoicesDuplicate Invoice checkAutomated payments accountingPayments to Alternate PayeesAccess to release Purchase Orders is restrictedAccess to release blocked invoices is restrictedSOD between PO create and PO releaseSOD between Vendor Masters and Payments processing

Purchase Order Approval 3 way match configuration (PO – GR - IR) 3 way match indicators in PO Invoice tolerances for 3 way match

Duplicate invoice Check Account determination

7.4 Manufacture to InventoryKey sub-processes Organization Structure :ClientCompany CodePlantStorage LocationMaster data :- Material Master Data – Basic, Accounting, Costing, Plant, Sales Views- Bill of Material- RoutingKey T-CodesConsumption processingMM01 – Material MastersProduction order processingCS01 – BOMOther goods movementsCA01 – RoutingInventory valuationMB01 – Goods Movements

7.4 Manufacture to InventoryKey Automations Inventory valuation method appropriateAutomated Accounting of goods movementAll transactions result in value and quantity updateNegative stock not configuredNo direct changes to material costNo use of sensitive movement types like 501/309/561Split valuation activeSOD between Inventory count and posting Inventory count resultsAccess to direct changes to Material cost is restrictedAccess to sensitive movements is restricted

Moving Average Inventory ValuationStandard Cost Inventory Valuation

7.5 Acquire to RetireKey sub-processes Organization Structure :– ClientChart of DepreciationCompany CodeMaster data :- Asset Master Data – General, Depreciation ViewsDepreciation Calculation and accountingCapitalization , retirement and scrapping accountingKey Automations Key T-CodesAS01 – Asset MastersAppropriate Depreciation configurationAFAB – DepreciationAutomated GL account determinationAIBU – CapitalizationFields in Asset Master dataABAVN – ScrappingNegative Books values not permittedABAON - RetirementReal-time posting and calculationABUMN – TransferRestricted access to Asset Masters and transactions

Asset Master Data and Depreciation

Account determination1 0000 Depreciation Posting to GL


SESSION 8Authorization Concept

8.1 Users and Authorization Concept Users must be setupand roles assigned touser master recordsbefore you can use theSAP System. A user can only log onto the system if he orshe has a user masterrecord. Usermenuauthorizations areassigned to themaster record viaor more roles.andalsouserone

8.2 User Master RecordInformation

8.3 Roles and Profiles Roles contain Profiles. The system will automatically add the appropriate Profile(s) foreach Role assigned Profiles contain Authorization Objects. Single profile consists of single or multiple Authorisations. Composite profile consist of multiple profiles. Profiles that come delivered with the system or were created from scratch can beassigned directly to users. Profiles that were created for a Role are attached to that Role cannot be assigneddirectly. You must assign the Role and the system will then assign the user thecorrect Profile. In SAP systems, users are typically assigned the appropriate roles / profiles by thesecurity team

8.4 Authorization Objects Authorization Objects are the keys to SAP security When you attempt actions in SAP the system checks to see whether youhave the appropriate Authorizations. (AUTH CHECK Statement) The same Authorization Objects can be used by different Transactions Example —in order to create, change or display an accounting document, a usermust have the Authorization Object F BKPF BUK with the appropriatevalues

8.5 Examples of AuthorisationPurposeAuthorizationExample 1Example 2Create postingfor Apple Co.Change postingfor Orange C0AuthorizationABCDescriptionF BKPF BUKAuthorizationObjectACTVTField 1Company Code BUKRSField 2AuthorizationXYZActivityValue 1Value 201(Create)1000(Apple Co.)TechnicalName02(Change)2000(Orange Co)

8.6 Profiles and authorisation object in SAP

8.7 SAP Structural SecurityComponentsSAP ProfileGeneratorSAPAuthorizationStructureSAP AccessRestrictionElementsUserUSOBT CUSOBX C(SU24)RolesProfileMenu dataAuthorizationfield valuesAuthorizationobject fields

8.8 Mechanism of Access Control User logs onto SAP. User authorisations loaded into the user buffer. User requests transaction directly or through the menu tree. SAP checks if the transaction is blocked. SAP verifies access to the transaction code in the user buffer. Authorisations required read from ABAP program. SAPverifies that authorisations are available in the user buffer. SAP allows user to perform called transaction. If any of the above verifications fail – Access isdenied.

8.9 SAP Security: Transactions2 SUo1: Creates and maintains usersSUo2: Creates and maintains profilesPFCG: Profile GeneratorSU53: Displays LAST authorization failureSTo1: Traces keystrokesSUo3: Lists objects and classesSMo4: Monitors user activitySE16: can be used to download SAP security tables.SU1o: Adds or deletes a profile to all users


SESSION 9Segregation of Duties

9.1 SOD - Impact on AuditSOD Conflict Risks Evaluation of SOD is primarily for fraud risk. Impact of SODs on automated controls. For e.g. end to end access in Purchase & Payable process. Multiple Tcode can perform the same function. I dentification of SOD per transaction requires SAP expertise.

9.1 SOD - Impact on AuditKey considerations Identification of "critical" SODs. Identification of compensating controls. Business Process Review controls may not address the risk of SOD conflicts. Extracting data for such transactions can be done using SAP standard tables SOD Analysis is "Point-in-time” Profiles also may have changed Risk of multiple user id being used by the same person. E.g. Generic user ids,Sharing of passwords. Assessment of SODs through·Tcode —SUIM·Tools such as Bizrights, SAP GRC·Auditors proprietary tools


SESSION 10Data Migration - SAP

IT MigrationIT Migration A process of movement of any one or group of ITAssets from one state of existence to another.IT Assets Hardware, Software, Data, related infrastructureData Migration A process of moving data from one data structureto another. It is required when any organisationreplaces Application or Database system

Objectives of Migration Audit Data Integrity Control Adequacy Business Continuity Effectiveness

SAP Migration- Phases Vendor Selection Process Re-engineering Change Management Data Migration

Data Migration to SAP - Process Determining Source and Target Data Formats Data Mapping (Mapping A/c Balances etc.) Data Conversion/cleansing Business Sign-off Data Conversion program Test plan and Test Data Data Validation and Reconciliation Integration Testing Promote to Production Data conversion Execution Data Validation Final Signoff by all stakeholders

Data Migration to SAP – Key Points Addressing Open PO’s Open, SO’s etc. Uploads through T-Code “LSMW” or“LTMC” if migrating to S4 HANA Scrutinize the “Data Migration Account” Sign-Offs Archival of Legacy


SAP Upgrade SAP does not support earlier versions. Support for ECC 6.0 will end in 2025. Existing ECC6.0 installations need to Move to SAPS4/HANA. In a Technical Upgrade, existing functionality is notchanged.– There is no Data Migration In a Functional Upgrade, all business processes andcontrols will have to be re-assessed for changes.– There will be Data Migration.

SESSION 12Report Validation

12.1 Report Validation Reports may be Standard or Customized Customized Reports begin with Y or Z “System-dependent Manual Controls” alsorely on Reports from SAP. Identify source of the Report – SAP or BWReport?

12.2 Reports – Impact on Audit In case ITGC are reliable – Standard Reports may be relied upon in caseof no change in the design/logic of thestandard report. Need to establish there is nochange.– Logic of Customized Reports (beginning withY or Z) should be validated, either throughwhite-box or black box testing– Ensure appropriateness of Input Parameters

12.2 Reports – Impact on Audit -contd. In case of inadequate ITGCs, additionalprocedures will be required to determinecompleteness and accuracy of the data Generally detailed substantive testing ofreports is done to ensure completenessand accuracy of reports We may be able to leverage on testingperformed by the client

SESSION 13JE Extraction and Analysis

13.1 Manual JE’s – Impact on Audit Fraud Risk and Risk of ManagementOverride of Controls JE’s are either manual or automated Non-reliance on ITGCs – all entries on parwith Manual entries Substantive audit of manual JE’s notpractical

13.1 Manual JE’s – Impact on Audit– contd. All entries posted in BSEG and BKPFTables. Roll-forward to ensure completeness ofpopulation Cut-off to be defined for analysis Opening and Closing Trial Balances perSAP need to match up with audited figures

13.2 Manual JE’s – Impact on Audit– contd. JE Roll-forward and Analysis through useof CAATs Identification of “Doc-Types” used forManual Journal Entries may be incorrect Identification of T-Codes used for passingmanual entries extremely critical

13.2 Manual JE’s – Impact on Audit– contd. Criteria for analysis very critical– Back-dated entries– Transactions passed by IT users– Materiality overall and for specific accounts– Unusual Account Combination/Passed atunreasonable times


Session 14Robotic Process Automation (RPA) in SAP

AutomationWhat is Automation?Automation, the applica

SAP SD - Electronic Data Interchange (EDI) ¾ SAP-MM ( M aterial M anagement) SAP MM - Purchasing SAP MM - Inventory Management SAP MM - Warehouse Management SAP ML - Material Ledger . 2.6 SAP Modules [. contd .] ¾ SAP-PP (