ITS follows a risk based audit approach to review the applications (SAP
and non SAP environment) and covers:
- Make necessary arrangements with the management.
- Identify business cycles / processes and general control domains that we
- Agree on the objectives of the assignment with the management.
- Tailor the standard approach suggested, to the extent required and
We will contact the client's management and discuss the above topics.
2. SAP environment documentation and gap analysis:
- To gather information in respect of the computer environment and the SAP
implementation, we will understand:
- the specifics of the entity's business
- the entity's accounting system
- the SAP company structure as implemented at the client
- the computer environment (hardware, interfaces with other applications,
- To identify the risks induced by the SAP implementation.
- Arrange meeting with project /process owners to understand the process.
- Gather documentation.
- Carry out gap analysis.
- Adjust the scope / or approach to reflect the results of gap analysis.
- Assess the key SAP related business risks using a risk assessment
3. General / IT controls
- Review the security settings of the operating system to ensure that the
SAP files and directories are appropriately protected.
- Review security at the Database level to ensure that direct access to the
database is restricted. Appropriate security measures at the database level
are keys to ensure the integrity, confidentiality and availability of the
- Gain an understanding of the computer control structure around system. In
addition to more generic matters, the focus lies on:
- Change management of SAP tables and ABAP's
- Implementation controls over the different SAP modules
- The authorization concept
- Computer operations
- Gather background information during an interview of the system
- Gather the relevant information by means of one or several interviews.
- Use of Audit checklist.
- Consider using a security toolkit to carry out a more detailed assessment
of the logical security controls.
- Ascertain whether relevant computer controls procedures are operating
effectively requires assessing how and the consistency with which they have
been applied throughout.
- Carry out detailed tests to assess the effectiveness of the general
controls/ IT controls procedures.
4. Application controls
We will determine which of the following checklists to be completed:
- Purchase cycle
- Sales cycle
- Financial accounting cycle
- Payroll cycle
The audit questionnaire addressing the different business cycles are
designed to gain an understanding of the application control structure. They
focus on control procedures that are performed to address specific control
objectives relating to transaction level and cycle level controls over SAP
derived account balances and classes of transactions.
The specific control objectives at the transaction level are:
The control objectives at the cycle level are:
- Integrity of the standing data
- Completeness and accuracy of updating
- Completeness and accuracy of accumulated data
- Restricted access to assets and records.
- We will interview personnel in the various departments using SAP to
complete the audit questionnaire.
- In all cases, we will try to establish that the relevant control
procedures have been placed in operation. We will also perform appropriate
tests to assess the effectiveness of the application control procedures.
- Apart from the system controls, we will also consider manual procedures,
monitoring and reconciliation.
5. Consolidate findings and validate
To consolidate all weaknesses found and to consider the implications of any
unmet control objectives.
- Obtain the records of control weaknesses and review the potential
implications of these weaknesses for the entity under review.
- Rank all weaknesses according to the ECHO classification:
- Okay issues
- Classify all weaknesses:
- Weaknesses to be formally reported
- Weaknesses to be reported orally
- Weaknesses not to be reported
At this stage, we will
- summarise all the control weaknesses with their possible implications in
the form of a draft report;
- rank and classify the weaknesses
- recommendations / Suggestions to mitigate / reduce the risks
6. Discuss findings with management
We will brief the management, the key users with regard to the internal
control concerns with their possible implications noted by us.
- We will summarise all findings and recommendations and will hand it over
to the management.
- Obtain management responses.
Present findings at an exit meeting.
We use custom developed audit interrogation software to:
- identify duplicate master records
- check authorisation profile and identify conflict of segregation of
duties, if any.
We follow a Lotus Notes based audit program / checklist which we customise
for each assignment. The audit program includes programs for reviewing non
We have the relevant understanding and experience of SOX.
Application Development Standards Review (Software Quality Assurance Review)
Software quality assurance is a discipline which provides a review and
control mechanism over software quality. It is achieved through formal
reviews and audits of the development process and of development
The review ensures that there are appropriate application development
standards (project initiation and feasibility study, analysis and design,
construction and implementation) in place for development and documentation
of application systems and that quality process are being adhered to on
systems delivery projects. It ensures that all systems are developed in a
consistent manner and documentation is adequate for their long term support
and maintenance. The benefit from such a review is assurance that the system
under development fully meets user requirements, has adequate controls built
in and is being developed in a manner that will lead to a high quality and
maintainable product being delivered within time and cost budgets. A
structured methodology for carrying out a review of a systems development
project is used.
The review helps in ensuring that quality processes are being adhered to on
systems delivery projects. It also ensures that the users get the right
system at the right time and that the project deadlines are met. The review
involves Initial project planning, Checklist mapping, detailed risk
assessment and planning, Task preparation, Task completion and Project