
What does an external auditor look for in SAP R/3 during SOX 404 Audits?

Ram Bapu, CISSP, CISM
Sandra Keigwin, CISSP

Corporations run most of their business processes by implementing modules of an ERP such as SAP.
Operations become smoother, but at the cost of complexity: the modular design of SAP R/3 leads to
complex user access, conflicts of duties and so on. Consequently, auditing SAP R/3 is equally complex.

Many existing implementations have been found not to have taken care of issues such as undocumented
access security, missing authoritative ownership of the whole picture, or excessive privileges allocated
to personnel. Walking into almost any SAP implementation done years ago, an external auditor can find
several issues that qualify as deficiencies (see Appendix A for the definitions of the SOX 404 deficiency
levels: control deficiency, significant deficiency and material weakness), with the dire consequence of
potential misstatements in the 10-Q. Even with recent go-live implementations, the dynamic changes of the
corporate world will create deficiencies if due care is not taken. Consequently, several corporations with
large SAP implementations have been observed to schedule SAP audits as frequently as semi-annually. Thus
it is important to understand the mindset of external auditors.

Following are the issues that the external auditor will look for:

1. Segregation of duties – In SAP R/3, segregation of incompatible functions is a major control
point, so fixing the incompatible functions before the external auditor gets to see them is key.
Assessing whether incompatible functions are assigned to SAP users can be a tedious task. So how
does one go about addressing such incompatibility issues? Let me explain using the example of the
accounts payable process in SAP. Ideally, in A/P, segregation of duties should exist between the
purchasing, goods receiving, invoice processing and cash disbursement functions. The steps are as
follows:

Step 1 - Document the entire payables process. This includes raising a purchase requisition,
releasing the purchase requisition, raising a purchase order (PO), releasing the purchase order,
goods receipt, invoice entry, and finally processing payments.

Step 2 - For each sub-process identified above, identify the relevant transaction code in SAP.
This can be done using the standard SAP menus.

Step 3 - Identify the key control points within the process. In our example, the key control
points would be raise PO, goods receipt, enter invoice, and create/change vendor master records.

Step 4 - Identify whether there are any other incompatible duties. One such incompatible pair is
payment processing and vendor master maintenance.

Step 5 - Identify the transaction codes in SAP which give access to these incompatible functions.
For our example the relevant transaction codes are: XK01 / XK02 - Create Vendor / Change Vendor,
ME21 - Create PO, ME28 - Release PO, MB01 - Goods Receipt, MIRA / MIRO - Invoice Entry. Equivalent
transactions grant the same functions and must be included in the analysis, for example ME21N
(create PO), ME29N (release PO), MIGO (goods movement) and the FK01/FK02 and MK01/MK02 vendor
maintenance transactions. The incompatible combinations relevant for segregation of duties would be:

XK01 / XK02 and ME28
ME21 and ME28
ME28 and MB01
XK01 / XK02 and MIRA / MIRO
Step 6 - Identify the employees within the organization who have access to such incompatible
functions. This can be done with transaction SUIM (User Information System), or by exporting the
user-to-role and role-to-transaction assignments (tables AGR_USERS and AGR_TCODES) into a data
analysis tool. If required, the analysis can be taken down to the authorization profile level (the
values of authorization object S_TCODE), which also catches access that is not visible in role menus.

Step 7 - Once users with access to incompatible functions are identified, restrict their access. This
should be done by the BASIS or security administrator who is responsible for, and knowledgeable
about, the authorization concept. Where the business insists that one person keep both functions,
document a compensating control (for example an independent review of the postings made by that user).

The external auditor's steps will be very similar to the above.
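As an added example (not code from the article and not SAP code), the following Python script automates Steps 5 and 6 once the user-to-role and role-to-transaction assignments have been exported. AGR_USERS and AGR_TCODES are the standard SAP tables for those assignments; the rows below are constructed sample data, and grouping the newer transactions (ME21N, ME29N, MIGO, FB60, FK01/FK02, MK01/MK02) into the same business functions as the article's classic codes is an assumption to verify against your own system. It goes beyond the article's walkthrough by resolving access through roles and mapping transaction codes to business functions, so that a conflict is reported whichever variant of a transaction the user holds.

```python
"""Segregation-of-duties check over an SAP role/user extract.

Added example, not part of the original article and not SAP code.
Assumes two exports with the layout of the SAP tables AGR_USERS
(user -> role) and AGR_TCODES (role -> transaction code). All rows
below are constructed sample data.
"""
from collections import defaultdict

# Business functions from Steps 3-5, each mapped to the transaction codes
# that grant it. The classic codes are the article's; grouping the newer
# "Enjoy" and FI/MM vendor transactions with them is an assumption to
# verify against your system, because a user holding ME21N instead of
# ME21 must not slip through.
FUNCTIONS = {
    "vendor_master": {"XK01", "XK02", "FK01", "FK02", "MK01", "MK02"},
    "create_po":     {"ME21", "ME21N"},
    "release_po":    {"ME28", "ME29N"},
    "goods_receipt": {"MB01", "MIGO"},
    "invoice_entry": {"MIRA", "MIRO", "FB60"},
    "payment_run":   {"F110"},
}

# Incompatible pairs from Step 5, plus the payment/vendor pair from Step 4.
CONFLICTS = [
    ("vendor_master", "release_po"),
    ("create_po", "release_po"),
    ("release_po", "goods_receipt"),
    ("vendor_master", "invoice_entry"),
    ("vendor_master", "payment_run"),
]

# Constructed sample extracts: (user, role) and (role, tcode).
AGR_USERS = [
    ("JSMITH", "Z_AP_CLERK"), ("JSMITH", "Z_PURCHASER"),
    ("AKUMAR", "Z_PURCHASER"), ("AKUMAR", "Z_PO_APPROVER"),
    ("MLEE", "Z_WAREHOUSE"),
    ("TBROWN", "Z_AP_CLERK"), ("TBROWN", "Z_VENDOR_MAINT"),
]
AGR_TCODES = [
    ("Z_AP_CLERK", "MIRO"), ("Z_AP_CLERK", "FB60"),
    ("Z_PURCHASER", "ME21N"), ("Z_PURCHASER", "ME23N"),
    ("Z_PO_APPROVER", "ME28"),
    ("Z_WAREHOUSE", "MIGO"), ("Z_WAREHOUSE", "MB01"),
    ("Z_VENDOR_MAINT", "XK02"),
]


def tcodes_by_user(agr_users, agr_tcodes):
    """Resolve user -> roles -> transaction codes into one set per user."""
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    user_tcodes = defaultdict(set)
    for user, role in agr_users:
        user_tcodes[user] |= role_tcodes.get(role, set())
    return dict(user_tcodes)


def functions_held(tcodes):
    """Which business functions does this set of transaction codes grant?"""
    return {name for name, codes in FUNCTIONS.items() if tcodes & codes}


def find_conflicts(user_tcodes):
    """Return {user: [(function_a, function_b, granting tcodes), ...]}.

    Only users holding both sides of a CONFLICTS pair appear; the granting
    tcodes are the evidence to hand to the BASIS/security team (Step 7).
    """
    findings = {}
    for user, tcodes in sorted(user_tcodes.items()):
        held = functions_held(tcodes)
        hits = []
        for a, b in CONFLICTS:
            if a in held and b in held:
                evidence = sorted(tcodes & (FUNCTIONS[a] | FUNCTIONS[b]))
                hits.append((a, b, evidence))
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    # Caveat: this is transaction-level only. Programs run via SA38/SE38 and
    # access granted through profiles rather than roles need the
    # authorization-object-level (S_TCODE) analysis mentioned in Step 6.
    for user, hits in find_conflicts(tcodes_by_user(AGR_USERS, AGR_TCODES)).items():
        for a, b, evidence in hits:
            print(f"{user}: {a} + {b} via {', '.join(evidence)}")
```

Note that JSMITH holds two roles yet is clean, while AKUMAR and TBROWN each hold only what looks like a normal pair of roles and are not: the number of roles says nothing, the functions they resolve to do. In a real review the extract should also include composite roles and directly assigned profiles, which this sample does not model.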

2. Inconsistent business process procedures – This is very commonly seen in today's corporate
environment, where M&A is part of the game. The first questions asked are how the data was moved
and what process procedures are in place for each entity. Process procedures must be consistent
across all entities and business processes, as inconsistent procedures make the business prone to
financial misstatements. For example, in one SAP audit of a corporation, all material master records
had delivery tolerance limits except those belonging to one entity that had been bought a few years
earlier. This can be found by running a filter over all material master records for materials that
allow delivery beyond the tolerance limits. The design risk here was that users were allowed to
specify delivery tolerances that would permit acceptance of a significantly larger quantity of goods
than had been ordered (via the requirements planning document and PO) and approved. Also, overriding
the delivery tolerances was allowed (a warning message) rather than prevented (an error message).
Potentially, if an invoice was processed and paid on that basis, there would be a misstatement.
Business process procedures fall into two categories, automated and manual. The above is an
example of an automated procedure. An example of a manual business process procedure is a central
payment procedure, or the procedure followed when a new application server is released to
production and certain checks are passed: OS patches brought up to date, anti-virus scanner
installed with the latest signatures, database hardened, server taken through penetration tests
and so on.
Inconsistencies in manual business process procedures are easy to find and remediate compared to
those in automated business process procedures. Consequently, the external auditor will have
automated scripts that discover inconsistencies in automated process procedures. We recommend that
the SAP R/3 procedures be reviewed semi-annually for inconsistent procedures that have crept in
through changes, that a tight SDLC process be in place, and finally that straight-through
processing (STP) be enabled using a transaction manager. The advantage of using a transaction
manager is that it manages the execution of each step of the transaction's process, performs the
accounting, ensures that separation of duties is enforced and captures the audit trail associated
with that transaction. Not only does this increased automation save the time spent on executing
these steps, it also eliminates the errors (and the resulting investigation and reprocessing) that
are a normal consequence of a manual approach.
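The tolerance filter described above, as an added example that is not part of the original article and not SAP code. It assumes a material master extract shaped like the plant-level table MARC, using the fields MATNR (material), WERKS (plant), UEBTK ('X' = unlimited overdelivery allowed) and UEETO (overdelivery tolerance in percent); the field semantics should be confirmed against your release, the corporate policy threshold of 10 % is assumed, and the rows are constructed sample data in which plants 1000 and 1100 belong to the original company and plant 2000 to the acquired entity. The point of grouping by plant is that the inconsistency shows up as one entity standing out, not as scattered materials.

```python
"""Find entities whose material master tolerance settings are out of line.

Added example, not from the article and not SAP code. Assumes a material
master extract with the layout of the SAP table MARC (fields MATNR, WERKS,
UEBTK, UEETO); confirm the field semantics against your release. The rows
below are constructed sample data.
"""
import sqlite3

MARC_EXTRACT = [
    # (MATNR, WERKS, UEBTK, UEETO)
    ("MAT-001", "1000", "", 5.0), ("MAT-002", "1000", "", 5.0),
    ("MAT-003", "1000", "", 10.0),
    ("MAT-001", "1100", "", 5.0), ("MAT-004", "1100", "", 0.0),
    ("MAT-005", "2000", "X", 0.0), ("MAT-006", "2000", "X", 0.0),
    ("MAT-007", "2000", "", 50.0), ("MAT-008", "2000", "", 5.0),
]

POLICY_MAX_OVERDELIVERY_PCT = 10.0   # assumed corporate standard


def load(rows):
    """Load the extract into an in-memory table so the filter is a plain query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE marc (matnr TEXT, werks TEXT, uebtk TEXT, ueeto REAL)")
    con.executemany("INSERT INTO marc VALUES (?, ?, ?, ?)", rows)
    return con


def tolerance_exceptions(rows, max_pct=POLICY_MAX_OVERDELIVERY_PCT):
    """Per plant, count materials that allow delivery beyond the policy.

    Returns {werks: {"materials": n, "unlimited": n, "over_policy": n,
                     "exceptions": [matnr, ...]}} for plants with at least
    one exception; compliant plants are omitted.
    """
    con = load(rows)
    summary = {}
    for werks, materials, unlimited, over in con.execute(
        """
        SELECT werks,
               COUNT(*)                                                   AS materials,
               SUM(CASE WHEN uebtk = 'X' THEN 1 ELSE 0 END)               AS unlimited,
               SUM(CASE WHEN uebtk <> 'X' AND ueeto > ? THEN 1 ELSE 0 END) AS over_policy
        FROM marc
        GROUP BY werks
        ORDER BY werks
        """,
        (max_pct,),
    ):
        if unlimited or over:
            summary[werks] = {"materials": materials, "unlimited": unlimited,
                              "over_policy": over, "exceptions": []}
    if summary:
        # Second pass: the individual materials to hand to the business owner.
        for matnr, werks in con.execute(
            "SELECT matnr, werks FROM marc WHERE uebtk = 'X' OR ueeto > ? "
            "ORDER BY werks, matnr",
            (max_pct,),
        ):
            if werks in summary:
                summary[werks]["exceptions"].append(matnr)
    con.close()
    return summary


if __name__ == "__main__":
    for werks, info in tolerance_exceptions(MARC_EXTRACT).items():
        print(f"plant {werks}: {info['unlimited']} unlimited, "
              f"{info['over_policy']} over policy out of {info['materials']}: "
              f"{', '.join(info['exceptions'])}")
```

The material master only supplies the default. The same filter should be run over purchasing info records and over open purchase order items, which carry their own copy of the tolerance fields, and the overdelivery message should be configured as an error rather than a warning so that the tolerance cannot be overridden at goods receipt.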

3. Unsecured customized programs - Almost all SAP implementations have many customized 'Z' or 'Y'
transactions built to suit the business process. There is nothing wrong with that in itself; the
problem is that these customized transactions are often not secured, which makes them vulnerable.
The external auditor will look at how secure they are. Make sure they are secured: S_TCODE is checked
automatically when a transaction is started from a role, but that only controls who may start it, so
the custom program must also carry its own authority check (an AUTHORITY-CHECK in the ABAP code),
or an authorization object and value must be assigned to the transaction via transaction code SE93.
Note also that the underlying program can be started directly via SA38/SE38 by anyone holding those
transactions, which bypasses the S_TCODE check on the custom transaction code; that is one more
reason to keep SA38/SE38 out of production roles (see item 4).

SAP auditors can find a listing of all customized Y and Z programs through the menu path
(System >> Services >> Reporting) or through transaction SA38. (The original article reproduces a
screenshot of the selection screen at this point; it is not included here.)
To find all programs, i.e. customized transactions, beginning with "Y" and "Z", enter "YA" in the
'from' field and "ZZ" in the 'to' field of the 'Program' selection. The listing of all customized
programs within SAP appears. On this listing, external auditors will look for the following three
issues.
a. Customized Transaction Title - As an SAP auditor, the first thing to check is that all custom
programs have sufficiently descriptive titles stating the purpose of the program. Any missing
title descriptions should be reported.
b. Test Transactions - Next, click on the binoculars (find) button and search for terms like
"TST" or "TEST". Ideally there should not be any customized Y or Z test transactions in the
production environment; Y and Z test programs lying in production should be removed. A plain
substring search also hits names such as ZLATEST, so review the hits rather than reporting them
blindly.
c. Critical Customized Transactions - Customized transactions which execute critical functions
like deleting data, code or other programs pose another security risk. SAP auditors can find such
programs using terms like "DEL", "DELETE" or "REMOVE" (again minding substring hits such as
DELIVERY). Such programs are normally ones which should have been removed from SAP before go-live
but were overlooked. Apart from these, other programs which look conspicuous, such as ones with
exclamation marks (!) or question marks (?) in their name or title, should also be investigated by
R/3 auditors.
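The three checks above encoded as a script, added here as an example; it is not part of the original article and not SAP code. The input is assumed to be an export of program name and title, as produced by the SA38/SE38 listing the article describes or taken from the program title table TRDIRT, and the rows below are constructed sample data. Unlike the binoculars search, it matches the keywords as whole tokens, so ZDELIVERY_LIST and YLATEST_PRICES are not reported; the trade-off, stated in the comments, is that a keyword glued to other letters without a separator is missed, which is why the listing should still be eyeballed.

```python
"""Screen a listing of custom (Y*/Z*) programs for the three audit issues.

Added example, not from the article and not SAP code. Input is assumed to
be an export of (program name, title) pairs, e.g. from the SA38 listing or
the TRDIRT table; the rows below are constructed sample data.
"""
import re

# Whole-token matching: 'DEL' must hit ZDEL_OLD_DOCS but not ZDELIVERY, and
# 'TEST' must hit ZTEST_BAPI but not YLATEST_PRICES. A plain substring search
# (the binoculars button) reports all four. Limitation: a keyword glued to
# other letters with no separator (e.g. ZTESTRFC) is not matched, so a
# manual review of the listing is still required.
_TOKEN = r"(?<![A-Z])({})(?![A-Z])"
TEST_RE = re.compile(_TOKEN.format("TEST|TST"))
CRITICAL_RE = re.compile(_TOKEN.format("DEL|DELETE|REMOVE"))
CONSPICUOUS_RE = re.compile(r"[!?]")
_NAMESPACE_PREFIX = re.compile(r"^[YZ]+")

PROGRAMS = [
    # (program name, title)
    ("ZFI_PAYMENT_REPORT", "Vendor payment report for AP"),
    ("ZMM_PO_UPLOAD", ""),
    ("ZTEST_BAPI", "Test program for BAPI call"),
    ("ZDELIVERY_LIST", "Outbound delivery list"),
    ("ZDEL_OLD_DOCS", "Delete old billing docs !!!"),
    ("YLATEST_PRICES", "Latest price extract"),
    ("ZTMP1", "???"),
    ("SAPMV45A", "Sales order processing"),   # SAP standard, out of scope
]


def is_custom(name):
    """Customer programs live in the Y and Z namespaces."""
    return name[:1].upper() in ("Y", "Z")


def screen_program(name, title):
    """Return the list of audit issues for one program (empty list = clean)."""
    issues = []
    # Strip the Y/Z namespace letter(s) so a keyword right after the prefix
    # (ZTEST_BAPI) still starts at a token boundary.
    stem = _NAMESPACE_PREFIX.sub("", name.upper())
    text = f"{stem} {title}".upper()
    if not title.strip():
        issues.append("missing title")
    if TEST_RE.search(text):
        issues.append("test program in production")
    if CRITICAL_RE.search(text):
        issues.append("critical function (delete/remove)")
    if CONSPICUOUS_RE.search(text):
        issues.append("conspicuous characters in name or title")
    return issues


def screen_listing(programs):
    """{program: [issues]} for every custom program with at least one issue."""
    findings = {}
    for name, title in programs:
        if not is_custom(name):
            continue
        issues = screen_program(name, title)
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in screen_listing(PROGRAMS).items():
        print(f"{name}: {'; '.join(issues)}")
```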

4. Excessive or unauthorized access to master tables and SAP BASIS - Many companies make the
mistake of giving end users in production access to sensitive BASIS transactions like SE13, SE38
(ABAP editor), SM49 (execute external OS commands), SU10 (mass user maintenance), SU12, SM13, SC38,
SM59 (RFC destinations), KE54 etc. The same applies to direct table maintenance (SE16, SM30) on
master data tables. At the other extreme, BASIS or development staff are given access to run
business transactions in the SAP production environment. Such unrestricted access can lead to a
potential control deficiency under Sarbanes-Oxley. We recommend that during the semi-annual audit
business owners check these areas for any creep of violations.

5. Unrestricted posting periods – Corporations are expected to close the books strictly at a
specified time, but some leave prior periods open because closing is not done in a timely manner.
If that is happening, SAP R/3 offers no control against a misstatement: the only control is the
posting period variant (transaction OB52, table T001B), and it is only as good as the periods
entered there. Make sure that business owners close the periods at the specified time. Otherwise,
unauthorized entries into previously open periods can result in a severe deficiency under SOX.
6. SAP access for terminated employees, or the presence of redundant 'testing' user accounts – 80%
of the time, we have observed that corporations have not revoked the access of terminated employees.
Another common observation is the presence of redundant user accounts that were created for testing,
with names very close to those of current employees and with the same roles, functions and
authorizations. The main reason is the lack of tight change management with a proper test
environment and release-to-production process. During the semi-annual audit, business owners need
to review for any such violations, reconciling the SAP user list (via SUIM or table USR02) against
the HR list of active employees.

7. Database and OS hardening – We recommend that the SAP R/3 servers have the database hardened
and the OS patches and anti-virus signatures kept current. We also recommend that unnecessary ports
be closed and vulnerability checks performed, with remediation done before the server is moved to
production.

8. Interfaces and error handling – A typical SAP system may have many interfaces from existing
legacy systems as well as interfaces to other external systems. Inbound interfaces to SAP from
legacy systems usually consist of a file, which is sent from the legacy system to SAP, and
processed in the background via a standard SAP transaction. Outbound interfaces from SAP to
external systems usually consist of a file, which is sent from SAP to the external system and
processed at periodic intervals by the external system. Alternatively, users can download data
from SAP to their PC and then process it as they wish, for example, in a spreadsheet.

Appropriate procedures need to be implemented to ensure the use of interfaces is well controlled
and to protect the integrity of system data.

Following are the critical issues that external auditors would look for:

a. Data interfaced from legacy systems into SAP or from SAP to external systems may not
be completely transferred or the files loaded may be corrupted.
b. Unauthorized changes may be made during batch input error correction.
c. Unauthorized changes may be made to batch input (interfaced files) without detection.

The key is that every failure in a transfer between a legacy system and SAP has a documented error
code, that these errors are detected and corrected in a timely manner, and that sufficient audit
trails and approvals exist for the corrections. Control totals (record counts and hash totals
carried in a trailer record) reconciled on both sides are the usual way to evidence completeness.
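To make issues (a) and (c) above concrete, here is an added example of the batch-control-total check on the receiving side; it is not from the article and not SAP code. The file layout (a header, 'D' data records with a sequence number, and a trailer carrying the record count, the hash total of the amounts and a SHA-256 over the data lines) is an assumed, constructed format, and the three payment records are constructed sample data. The sending side computes the trailer; the receiving side recomputes it before the background posting job is allowed to run.

```python
"""Completeness and integrity check for a flat-file interface batch.

Added example, not from the article and not SAP code. The file layout
(header, 'D' data records, trailer with record count, hash total and a
SHA-256 of the data lines) is an assumed, constructed format illustrating
the batch-control-total technique; adapt it to the real interface spec.
"""
import hashlib
from decimal import Decimal, InvalidOperation

SEP = "|"

# Constructed sample payment records: (vendor, amount, invoice reference)
RECORDS = [
    ("VEND1001", "1500.00", "INV-778"),
    ("VEND1002", "250.75", "INV-779"),
    ("VEND1003", "9800.00", "INV-780"),
]


def _digest(data_lines):
    """SHA-256 over the data lines exactly as written, one per line."""
    h = hashlib.sha256()
    for line in data_lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


def build_batch(batch_id, records):
    """Write a batch the way the sending (legacy) side should: the trailer
    is computed from the data records, never typed by hand."""
    data = [SEP.join(["D", f"{n:04d}", vendor, amount, ref])
            for n, (vendor, amount, ref) in enumerate(records, 1)]
    total = sum((Decimal(a) for _, a, _ in records), Decimal("0"))
    header = SEP.join(["H", "AP_PAYMENTS", batch_id])
    trailer = SEP.join(["T", str(len(data)), f"{total:.2f}", _digest(data)])
    return "\n".join([header, *data, trailer]) + "\n"


def validate_batch(text):
    """Return a list of control failures; an empty list means the batch
    may be released to the background posting job."""
    errors = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("H" + SEP):
        return ["missing or malformed header"]
    if len(lines) < 2 or not lines[-1].startswith("T" + SEP):
        return ["missing or malformed trailer"]
    trailer = lines[-1].split(SEP)
    if len(trailer) != 4 or not trailer[1].isdigit():
        return ["malformed trailer"]
    _, count, hash_total, digest = trailer
    data = lines[1:-1]

    # Decimal, not float: the hash total must reconcile to the cent.
    amounts = []
    for n, line in enumerate(data, 1):
        fields = line.split(SEP)
        if len(fields) != 5 or fields[0] != "D":
            errors.append(f"malformed data record at line {n + 1}")
            continue
        if fields[1] != f"{n:04d}":
            errors.append(f"sequence break: expected {n:04d}, found {fields[1]}")
        try:
            amounts.append(Decimal(fields[3]))
        except InvalidOperation:
            errors.append(f"bad amount in record {fields[1]}: {fields[3]!r}")

    if len(data) != int(count):
        errors.append(f"record count mismatch: trailer {count}, file {len(data)}")
    total = sum(amounts, Decimal("0"))
    try:
        if total != Decimal(hash_total):
            errors.append(f"hash total mismatch: trailer {hash_total}, records {total:.2f}")
    except InvalidOperation:
        errors.append(f"bad hash total in trailer: {hash_total!r}")
    if _digest(data) != digest:
        errors.append("digest mismatch: data lines altered after the trailer was written")
    return errors


if __name__ == "__main__":
    good = build_batch("BATCH0042", RECORDS)
    print("clean batch:", validate_batch(good) or "OK")
    # One amount edited after the file left the legacy system.
    print("tampered:", validate_batch(good.replace("1500.00", "5100.00")))
    # A truncated transfer that lost the last data record.
    lines = good.splitlines()
    print("truncated:", validate_batch("\n".join(lines[:-2] + lines[-1:])))
```

The digest only proves that the data lines match the trailer. Someone who can edit the file at rest can recompute the trailer too, so the record count and hash total must be reconciled against the sending system's own log (or the trailer protected with a keyed MAC) for item (c), undetected changes to batch input, to be genuinely covered; and every mismatch should raise a documented error code that stops the posting job rather than a warning in a log nobody reads.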

9. Inherent and configurable controls - Inherent controls are predefined controls built into SAP
R/3. Such controls do not need to be configured separately in SAP. They are helpful in preventing
major errors, since SAP itself prevents them through these controls.

Below are some of the inherent controls that can be utilized to prevent errors leading to SOX
404 deficiencies:

• Duplicate checks through message control
• Sequential documents through number ranges
• Automatic integration and postings
• Online data analysis
• All transactions through unique documents
• History of transactions executed by users retained, including date, time and user
• Logging and history of program changes

Configurable controls are those customized to the needs of the business process. These are added
during the first implementation before go-live, or can be added at any later point. The SAP AIS
(Audit Information System) consists of tools which can be used to monitor both inherent and
configurable controls within SAP.
Appendix A
A paper in Compliance Week (Oct 2004) noted that 51% of disclosures in recent months were due to
problematic financial systems. Other big issues showing up as significant deficiencies / material
weaknesses were: personnel issues (segregation of duties, inadequate staffing/training, supervision
issues), tone at the top (following instances of restatement), and poorly documented accounting
practices. So, what are these significant deficiencies / material weaknesses?

The following is an excerpt taken directly from aicpa.org.

Control Deficiency: The design or operation of a control that does not allow management or employees, in
the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis.

Example: A member of the accounting department has been assigned responsibility to
perform reconciliations on all bank accounts on a monthly basis. This person also has
responsibility for opening the mail and preparing the daily deposit to the bank. The
person’s manager is required to review each reconciliation when completed, but the
manager does not consistently sign off on the reconciliation indicating review. Two
internal control deficiencies exist here: (1) the lack of segregation of duties because one
individual is preparing the cash deposit and reconciling the cash accounts and (2) the lack
of documentation of a control because the manager does not evidence review so it is not
clear that the review has been performed.

Significant Deficiency: A control deficiency that adversely affects the company’s ability to initiate, record,
process, or report external financial data reliably in accordance with generally accepted accounting
principles (GAAP).
Alone or with other deficiencies, this type of control deficiency results in more than a remote likelihood
that a misstatement of the financials, that is more than inconsequential in amount, will not be prevented or
detected.

Example: The company uses a standard sales contract making it necessary for the
accounting department to review completed sales contracts for changes to standard
shipping terms to assure the proper timing for recognizing revenue from sales. Because
the terms are not always reviewed, revenue has been overstated on occasion. It is unlikely
that any single sales contract could result in a material overstatement of revenue, and
there are controls in place to ensure that materials misstatements do not occur. However,
a misstatement that is more than inconsequential yet less than material could result,
creating a significant deficiency in internal control.

Material Weakness: A significant deficiency that, alone or with others, results in more than a remote
likelihood that a material misstatement of the financials will not be prevented or detected.

Examples of weaknesses that would likely be considered material depending on the
circumstances include:

• Ineffective oversight by the audit committee over the external financial reporting
process, and the internal controls over financial reporting
• Material misstatements in the financial statements not initially identified by the
company’s internal controls
• Significant deficiencies that have been communicated to management and the
audit committee but that remain uncorrected after a reasonable period of time
• Restatement of previously issued financial statements to correct a material
misstatement
• For larger, more complex entities, ineffective internal audit functions
• For complex entities in highly regulated industries, ineffective regulatory
compliance function
• Fraud of any magnitude on the part of senior management
• An ineffective control environment
