
Audit Approach

ITS follows a risk-based audit approach to reviewing applications (SAP and non-SAP environments). The approach covers:

1. Planning

  1. Make necessary arrangements with the management.
  2. Identify business cycles / processes and general control domains that we will review.
  3. Agree on the objectives of the assignment with the management.
  4. Tailor the standard approach suggested, to the extent required and applicable.

We will contact the client's management and discuss the above topics.

2. SAP environment documentation and gap analysis:

  1. To gather information about the computer environment and the SAP implementation, we will seek to understand:
    1. the specifics of the entity's business
    2. the entity's accounting system
    3. the SAP company structure as implemented at the client
    4. the computer environment (hardware, interfaces with other applications, if any).
  2. To identify the risks introduced by the SAP implementation.


  • Arrange meetings with project / process owners to understand the process.
  • Gather documentation.
  • Carry out a gap analysis.
  • Adjust the scope or approach to reflect the results of the gap analysis.
  • Assess the key SAP-related business risks using a risk assessment methodology.

3. General / IT controls

  • Review the security settings of the operating system to ensure that the SAP files and directories are appropriately protected.
  • Review security at the database level to ensure that direct access to the database is restricted. Direct database access bypasses the authorization checks that SAP enforces in the application layer, so appropriate security measures at the database level are key to ensuring the integrity, confidentiality and availability of the system.
  • Gain an understanding of the computer control structure around the system. In addition to more generic matters, the focus lies on:
    1. Change management of SAP tables and ABAP programs
    2. Implementation controls over the different SAP modules
    3. The authorization concept
    4. Computer operations


  • Gather background information in an interview with the system administrator.
  • Gather the remaining relevant information by means of one or several further interviews.
  • Use an audit checklist.
  • Consider using a security toolkit to carry out a more detailed assessment of the logical security controls.
  • Ascertain whether the relevant computer control procedures are operating effectively; this requires assessing how, and how consistently, they have been applied throughout the period under review.
  • Carry out detailed tests to assess the effectiveness of the general / IT control procedures.

4. Application controls
We will determine which of the following checklists are to be completed:

  • Purchase cycle
  • Sales cycle
  • Financial accounting cycle
  • Payroll cycle
  • Others

The audit questionnaires addressing the different business cycles are designed to gain an understanding of the application control structure. They focus on control procedures that are performed to address specific control objectives relating to transaction-level and cycle-level controls over SAP-derived account balances and classes of transactions.
The specific control objectives at the transaction level are:

  • Authorization
  • Completeness
  • Accuracy

The control objectives at the cycle level are:

  • Integrity of the standing data
  • Completeness and accuracy of updating
  • Completeness and accuracy of accumulated data
  • Restricted access to assets and records.


  • We will interview personnel in the various departments using SAP to complete the audit questionnaire.
  • In all cases, we will try to establish that the relevant control procedures have been placed in operation. We will also perform appropriate tests to assess the effectiveness of the application control procedures.
  • Apart from the system controls, we will also consider manual procedures, monitoring and reconciliation.

5. Consolidate findings and validate

We consolidate all weaknesses found and consider the implications of any unmet control objectives.


  • Obtain the records of control weaknesses and review the potential implications of these weaknesses for the entity under review.
  • Rank all weaknesses according to the ECHO classification:
    1. Exposures
    2. Concerns
    3. Housekeeping
    4. Okay issues
  • Classify all weaknesses:
    1. Weaknesses to be formally reported
    2. Weaknesses to be reported orally
    3. Weaknesses not to be reported

At this stage, we will:

  • summarise all the control weaknesses with their possible implications in the form of a draft report;
  • rank and classify the weaknesses;
  • recommend measures to mitigate or reduce the risks.

6. Discuss findings with management
We will brief management and the key users on the internal control concerns we have noted and their possible implications.

7. Reporting

  • We will summarise all findings and recommendations and hand them over to management.
  • Obtain management responses.
  • Present findings at an exit meeting.

We use custom-developed audit interrogation software to:

- identify duplicate master records
- check authorisation profiles and identify segregation of duties conflicts, if any.
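As an added illustration (not ITS's software, which the page does not show), the following Python sketch performs the two checks named above over constructed sample data: it groups vendor master records that share a normalised name, bank account or tax id, and it flags users whose effective transaction access combines business functions that a segregation-of-duties rule says should be held by different people. The SAP table names mentioned in the comments, the transaction-code-to-function mapping and the conflict rules are assumptions for illustration; a real engagement would use the client's own risk matrix.

```python
"""Added example: two checks an audit interrogation script can run over exported
SAP data, namely duplicate vendor master records and segregation-of-duties (SoD)
conflicts in user authorisations.  Illustration code written for this page, not
ITS's software.  Input is constructed inline; in practice it would be extracted
from tables such as LFA1/LFBK (vendor master, bank details) and
AGR_USERS/AGR_TCODES (role-to-user and role-to-transaction assignments)."""
import re
from collections import defaultdict

# --- Duplicate master records -------------------------------------------------

# Legal-form suffixes that do not distinguish two vendors (illustrative list).
_SUFFIXES = {"ltd", "limited", "inc", "incorporated", "gmbh", "plc", "llc", "co", "company"}

def normalise_name(name):
    """Lower-case, drop punctuation and legal-form suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)

def find_duplicate_vendors(vendors):
    """Group vendors that share a normalised name, a bank account, or a tax id.
    Returns a sorted list of (match_key, [vendor_ids]) groups with 2+ members."""
    groups = defaultdict(set)
    for v in vendors:
        groups[("name", normalise_name(v["name"]))].add(v["id"])
        if v.get("bank_account"):
            groups[("bank", re.sub(r"\D", "", v["bank_account"]))].add(v["id"])
        if v.get("tax_id"):
            groups[("tax", v["tax_id"].replace(" ", "").upper())].add(v["id"])
    return sorted((k, sorted(ids)) for k, ids in groups.items() if len(ids) > 1)

# --- Segregation of duties ----------------------------------------------------

# Business functions expressed as sets of SAP transaction codes (illustrative
# mapping, an assumption for this example).
FUNCTIONS = {
    "maintain_vendor": {"FK01", "FK02", "XK01", "XK02"},
    "enter_invoice":   {"MIRO", "FB60"},
    "post_payment":    {"F-53", "F110"},
    "create_po":       {"ME21N"},
    "goods_receipt":   {"MIGO"},
}
# Pairs of functions one person should not hold together (illustrative rules).
CONFLICT_RULES = [
    ("maintain_vendor", "post_payment"),   # set up a fictitious vendor and pay it
    ("maintain_vendor", "enter_invoice"),
    ("enter_invoice", "post_payment"),
    ("create_po", "goods_receipt"),
]

def effective_tcodes(user, user_roles, role_tcodes):
    """Union of transaction codes across all roles assigned to the user."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= role_tcodes.get(role, set())
    return codes

def find_sod_conflicts(user_roles, role_tcodes, rules=CONFLICT_RULES):
    """Return {user: [(func_a, func_b), ...]} for every violated rule.
    Conflicts are evaluated on effective access, so a conflict created by two
    individually clean roles assigned to the same user is still reported."""
    conflicts = {}
    for user in user_roles:
        codes = effective_tcodes(user, user_roles, role_tcodes)
        held = {f for f, tcodes in FUNCTIONS.items() if codes & tcodes}
        hits = [(a, b) for a, b in rules if a in held and b in held]
        if hits:
            conflicts[user] = hits
    return conflicts

# --- Constructed sample data --------------------------------------------------
VENDORS = [
    {"id": "100001", "name": "Acme Supplies Ltd.", "bank_account": "12-34-56 7890", "tax_id": "GB 123 4567 89"},
    {"id": "100002", "name": "ACME SUPPLIES LIMITED", "bank_account": "11111111", "tax_id": None},
    {"id": "100003", "name": "Bolt & Nut GmbH", "bank_account": "123456 7890", "tax_id": "DE999"},
    {"id": "100004", "name": "Clearwater Inc", "bank_account": "22222222", "tax_id": "GB1234567 89"},
]
USER_ROLES = {
    "jsmith": ["Z_AP_CLERK"],                       # clean
    "mjones": ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"],  # conflict arises across two roles
    "admin1": ["Z_PROC_ALL"],                       # conflict inside a single role
}
ROLE_TCODES = {
    "Z_AP_CLERK":     {"MIRO", "FB60"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_PAYMENTS":  {"F-53", "F110"},
    "Z_PROC_ALL":     {"ME21N", "MIGO", "MIRO"},
}

if __name__ == "__main__":
    for key, ids in find_duplicate_vendors(VENDORS):
        print("duplicate master records", key, ids)
    for user, hits in sorted(find_sod_conflicts(USER_ROLES, ROLE_TCODES).items()):
        print("SoD conflict", user, hits)
```

The duplicate check deliberately matches on more than the name, because two vendor records with different spellings but the same bank account are the classic pattern behind duplicate or fraudulent payments. The SoD check works on the union of a user's roles rather than on each role in isolation, which is where conflicts most often hide in practice.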

We follow a Lotus Notes-based audit program / checklist which we customise for each assignment. The audit program includes programs for reviewing non-SAP interfaces.

We have the relevant understanding and experience of SOX.

Application Development Standards Review (Software Quality Assurance Review)
Software quality assurance is a discipline which provides a review and control mechanism over software quality. It is achieved through formal reviews and audits of the development process and of development deliverables.

The review ensures that there are appropriate application development standards (project initiation and feasibility study, analysis and design, construction and implementation) in place for the development and documentation of application systems, and that quality processes are being adhered to on systems delivery projects. It ensures that all systems are developed in a consistent manner and that documentation is adequate for their long-term support and maintenance. The benefit of such a review is assurance that the system under development fully meets user requirements, has adequate controls built in, and is being developed in a manner that will lead to a high-quality, maintainable product being delivered within time and cost budgets. A structured methodology for carrying out a review of a systems development project is used.

The review helps to ensure that quality processes are being adhered to on systems delivery projects. It also helps to ensure that users get the right system at the right time and that project deadlines are met. The review involves initial project planning, checklist mapping, detailed risk assessment and planning, task preparation, task completion and project completion.