SAP MIC: Management of Internal Controls
[Process diagram. Roles: Management, Auditor. Labels: Scoping and Set-Up; Document Processes & Controls; Assess; Test; Control Design & Operating Effectiveness; Remediate Issues; Sign-Off, Certification / Report; Prepare Internal Control Report; Attest and Report]
SAP AG 2006, mySAP ERP 2005, 1
Disclaimer
These materials are subject to change without notice. These
materials are provided by SAP AG and its affiliated companies
("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not
be liable for errors or omissions with respect to the materials. The
only warranties for SAP Group products and services are those
that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP MIC: Import of Automated Control Testing Results
Many companies use dedicated control testing applications to test control effectiveness. These
results are automatically pushed into MIC via an XI interface.
Example: Test of a Segregation of Duties (SOD) control
1) Dedicated tool performs analysis of control effectiveness in ERP system
User Violation Detailed Report (Time: Feb 1, 2005 12:59 PM)
User | Rule | Priority | Exception
John Black | Create Master Data + Trigger payment | High | 1 Violation
2) Results pushed to MIC via XI
Test logs created
Remediation workflows triggered
Business Benefits
Lowered TCO
Lower cost of compliance
SAP Automation of MIC Controls - 2005
[Diagram labels: source systems (mySAP CRM, mySAP ERP, External SOD Toolset, …); Report (PDF); XI; MIC; Control Execution; Schedule Job; Execute Report; Report Generated; Post to MIC; Database]
SAP Automation of MIC Controls - 2005
[Diagram labels: 1. Trigger External Testing; Testing Application; Report (PDF); 2. Send Result Report; XI; MIC; PDF; 3. Send Result; Schedule Job; Execute Report; Send Report; Post to MIC; Database]
SAP MIC: Audit Information System (AIS) Link
AIS can be used to perform control effectiveness testing within the SAP transactional
system. A direct link from MIC to AIS will streamline testing activities.
Tester enters AIS via link in MIC (Enter AIS)
Tester executes report
Tester documents results in MIC
MIC Test Log
Test procedure: Perform G/L Account Analysis in AIS
Findings: Reconciliation delays exist: see document 100003716/2003 for more info
Business Benefits
Lowered TCO
Lower cost of compliance
SAP MIC: XI Upload of Master Data/Central Catalogs
Many companies have initial SOX/control documentation in PC-based tools or MS
Excel. Via an XI interface, this data can be uploaded into MIC.
Legacy SOX System / MS Excel: XI Interface populates SAP MIC with existing data
SAP MIC
Org Unit Hierarchy
  PC4You Corporate
    PC4You North America
      PC4You USA - East
      PC4You USA - West
      PC4You Canada
      PC4You Mexico
    PC4You EMEA
Central Process Catalog
  Process Group 1: Sales and Distribution
    Process Group 1.1: Sales
      Process 1: Contract Negot.
      Process 2: Order Process.
      Process 3: CRM
      Process 4: Sales Support
    Process Group 1.2: …
      Process 5: …
  Process Group 2: …
      Process 6: …
Business Benefits
Reduced implementation time
Reduced migration costs / TCO
Reduced cost of compliance
SAP Analytics Supporting Corporate Governance
Overview – Project Progress
Control Design Assessment
Process Design Assessment
Issue Analysis
Application Pre-Requisites
These systems are used for data sources:
mySAP ERP 2005 (FINBASIS 600) SP02 or mySAP ERP 2004 (FINBASIS 300) SP11
These modules are used as data sources:
A back-end application, SAP Management of Internal Controls (MIC), as part of mySAP ERP (must be implemented before this particular analytic app can be deployed)
This particular analytic application is fully Remote Function Call (RFC)-based (no BW installation necessary), reading data directly from the respective back-end application (SAP MIC). The following advantages result from this approach:
Direct MIC data access (no BI extraction necessary). The use of MIC's built-in buffering capability is recommended to optimize performance.
Long texts available: long texts relating to controls, issues or other objects are critical in the corporate governance context. It is now possible to display these texts in an analytic app, as the BW limitation (max. 60 characters) does not apply here.
Authorization / Personalization maintained in the back-end application (SAP MIC) applies in the analytic app as well (no double authorization maintenance or personalization necessary).
SAP MIC: Other enhancements
Customer-defined fields
Each customer can choose to add additional documentation fields to
master data objects such as controls or processes
Mass tester assignment
Testers can be assigned to cover all controls within a particular
organizational unit or process group
Segregation of duties analysis of MIC authorizations
Reports covering which authorizations can be combined within the MIC
application itself (e.g. should a control owner be allowed to test their own
control?)
Versioning for all documents attached to MIC objects
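
The segregation-of-duties test from the "Import of Automated Control Testing Results" slide and the MIC authorization analysis above can be sketched as follows. This is an added example, not SAP code: the function identifiers, user "Jane Doe", control ids and data layout are constructed assumptions; only the rule name, priority and "John Black" come from the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    name: str
    conflicting: frozenset  # functions one user must not hold together
    priority: str

# Constructed sample data; function identifiers are hypothetical.
RULES = [
    SodRule("Create Master Data + Trigger payment",
            frozenset({"create_master_data", "trigger_payment"}), "High"),
]
USER_FUNCTIONS = {
    "John Black": {"create_master_data", "trigger_payment", "display_gl"},
    "Jane Doe": {"create_master_data"},
}
# Constructed MIC-side assignments: control id -> user.
CONTROL_OWNERS = {"C-001": "Jane Doe", "C-002": "John Black"}
CONTROL_TESTERS = {"C-001": "Jane Doe", "C-002": "Jane Doe"}

def sod_violations(user_functions, rules):
    """Return (user, rule name, priority) for each rule a user fully satisfies."""
    rows = []
    for user in sorted(user_functions):
        held = user_functions[user]
        for rule in rules:
            # A violation needs every conflicting function, not just one.
            if rule.conflicting <= held:
                rows.append((user, rule.name, rule.priority))
    return rows

def self_test_conflicts(owners, testers):
    """Return (control, user) pairs where the control owner also tests it."""
    return sorted((c, u) for c, u in owners.items() if testers.get(c) == u)

if __name__ == "__main__":
    for user, rule, priority in sod_violations(USER_FUNCTIONS, RULES):
        print(f"{user} | {rule} | {priority}")
    for control, user in self_test_conflicts(CONTROL_OWNERS, CONTROL_TESTERS):
        print(f"{control}: {user} owns and tests the same control")
```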