IT

Slides: 50
Provided by: jurehu

1
IT & Auditing 13. ERP
Jur Huizenga, jhuizenga_at_nl-csi.com, www.nl-csi.com
2
Roadmap
  • 2. Business opportunities
  • 3. Information risk management
  • 4. Financial mgt and IT organisation
  • 5. System development
  • 6. IT management
  • 7. Security
  • 13. ERP
  • 14. E-business
  • 15. Forensic
  • 8. and 9. IT and the financial statement
  • 10. Due diligence
  • 11. Digital durability
  • 12. Knowledge management
3
Program
  • Business opportunities with ERP
  • The case of SAP
  • Controls in SAP
  • Auditing a SAP environment
  • The Internet revolution

4
Business opportunities with ERP
  • What is ERP all about
  • Common characteristics
  • Do ERP systems deliver?
  • A technical view

5
Business opportunities with ERP
  • What is ERP all about
  • Common characteristics
  • Do ERP systems deliver?
  • A technical view

6
Enterprise Resource Planning
  • Basic idea: store all business information in a
    huge central relational database and give access
    to information using standard functions
  • Automatic actions on predefined conditions
  • Used for inventory control, BOM management, human
    resources management, planning, shipping
  • ERP-systems interconnected by Electronic Data
    Interchange (EDI)
  • Examples: SAP, Baan, PeopleSoft, J.D. Edwards
  • ERP: a quick solution for Y2K and euro

7
Characteristics ERP systems
  • Covers the whole business range
  • Primary business process
  • purchase, production, sales, payment collection
  • Supporting processes
  • Finance & Control
  • HR
  • Office
  • modular approach

8
Basic ERP
Inbound logistics
Operations
Outbound logistics
Marketing & sales
Services
9
Implementation strategy
Business
Technology Impact
10
High level of traceability
  • easy-to-use trace capability on transaction level
  • What has happened with sales order 124003
  • who, what and when
  • extensive logging in log files
  • transaction level
  • parameter settings
  • access control

11
Do ERP systems deliver? On a scale of 1 (low) to 5 (high)
  • Market related
  • Reduce time-to-market: 2.75
  • Make to order: 3.20
  • Manage supply chain: 3.30
  • Internal organization
  • Reduce cost of ownership: 2.60
  • Improve cost control: 3.60
  • Technical aspects
  • Improve integrated information: 3.90
  • Migration of old systems: 3.80

12
A technical view (+)
  • Integrated file structure
  • one single database for the entire organization
  • Table driven
  • via table settings the standard package can be
    customized to the organization
  • Multiple hard- & software platforms
  • Open architectures
  • Client/Server technology
  • easy connectivity with other systems
  • Web enabled

13
A technical view (-)
  • All eggs in one basket
  • ERP system down --> the company down
  • unlimited access to the ERP system means
    unlimited access to the company
  • BOM info
  • financial info
  • customers info
  • In many cases complex to
  • design
  • implement
  • administer

14
Market share
15
SAP
  • Omnipotent
  • all major business processes
  • many industry solutions
  • Big
  • 12.000 tables
  • 20.000 transaction codes
  • 30.000 reports / batch programs
  • On-line Help 242 Mb
  • Complex
  • "Authorizations Made Easy" document of 320 pages

16
Some SAP fundamentals
  • Functional overview
  • Technical overview

17
Functional overview (1)
  • SAP systems are
  • built in modules, however very much integrated
  • real-time on-line systems
  • the user has a direct link to the computer and
    the SAP system will immediately process the
    information.
  • Open systems

18
Functional overview (2)
R/3 Integration Model
  • SD Sales & Distribution
  • FI Financial Accounting
  • CO Controlling
  • MM Materials Management
  • AA Asset Accounting
  • PP Production Planning
  • R/3 BASIC SYSTEM
  • PS Project System
  • QM Quality Management
  • PM Plant Maintenance
  • WF Workflow
  • IS Industry Solutions
  • HR Human Resources
19
Functional overview (3)
  • Overview of modules - Basis
  • Basic System (BC - obligatory)
  • Includes
  • The Data Dictionary
  • Help functions
  • Data communication
  • Table Management (customizing)
  • The programming language ABAP/4 (+ JAVA and .net)
  • Development Workbench

20
Functional overview (4)
  • Overview of modules - Accounting
  • Financial Accounting (FI)
  • Accounts Receivable (AR)
  • Accounts Payable (AP)
  • General Ledger (GL)
  • Asset Accounting (AA)
  • Legal Consolidation (LC)
  • Controlling (CO)
  • Enterprise controlling (EIS)
  • Project System (PS)

21
Functional overview (5)
  • Overview of modules - Logistics
  • Sales and Distribution (SD)
  • Materials Management (MM)
  • a/o Purchasing
  • Warehouse Management (WM)
  • Production Planning (PP)
  • Quality Assurance (QA)
  • Plant Maintenance (PM)
  • Project Management (PS)

22
Functional overview (6)
  • Overview of modules - other
  • Human Resources (HR)
  • Office Communication (OC)
  • Data Warehouse (WH)
  • Workflow management (WFM)
  • Industry Solutions (IS)
  • IS-H healthcare
  • IS-IS insurance, loans, securities, real estate
  • IS-OIL oil industry
  • IS-B banks
  • IS-PS public sector
  • IS-PI process industry

23
Integrated functionality
Sales
Production
Purchasing
Raw materials
Accounting
Controlling
24
Functional overview (7)
  • PP: Sales and operations planning, Demand management / Master production scheduling, Material requirements planning, Capacity requirements planning, Production control, Costing, Information system
  • PS: Project networks
  • SD: Sales, Shipping, Invoicing
  • PM: Plant Maintenance - repairs - maintenance
  • MM: Purchasing, Warehousing, Invoice verification
  • QM: Inspection planning management
  • Customers
  • Vendors
  • Cost Accounting
  • Human Resources
  • Financial Accounting
25
Functional Overview (8)
  • client: logical SAP system
  • company: legal entity level
  • reporting levels: sales organizations, distribution channels, plants, projects, ...
26
Technical Overview (1)
R/3 System Client/Server Configurations
Presentation
Application
Database
Central System /Laptop
Distributed Presentation
Two-tier Client/Server
Three-tier Client/Server
Multi-Layer Cooperative Client/Server
27
Technical Overview (2)
Three Level Computer Hierarchy
Central DB
Database update
Batch-processing
Buffer for the central DB
Buffer for the central DB
Application logic
User Interaction
28
SAP Controls
  • Configuration
  • Workflow forces approval by boss
  • Customizing
  • Accept payment differences < 5
  • Organizational elements
  • Only maintain customer data for sales
    organization Benelux
  • Authorizations
  • Only view pricing data
  • ICP (Internal Control Procedure)
  • Perform check on undelivered orders weekly

29
Configuration
  • System configuration within standard SAP system:
    modifying SAP system tables
  • Add/modify functionality using SAP development
    tools (ABAP)
  • Add functionality using other tools
  • Interfacing with other systems

30
Customizing consequences
31
Change Management
  • SAP System Landscape
  • Sandbox
  • Development
  • QA
  • Shadow
  • Production
  • Transport mechanism
  • Client copy
  • Transport and copy authorizations

32
Example transport routes
Development 1
Development 1
QA
Production
Development 1
Transport
Shadow
Copy
Sandbox
33
Position of authorizations
Position of authorizations in internal control
Preventive controls
34
Authorizations: conceptual overview of the
Authorization Organizer ...
Departments
Modules
Users
Functions
Tasks
Authorizations
Standard SAP CSI addition
Auth. object fields
easy to manage
very complex but stable
35
Authorisations functional
36
Authorizations technical
37
SAP Authorization in practice
DATA
Program logic
Authorization checks act like road blocks (you
only need to identify payment has already been
done)
38
Authorizations example
  • Checks before transaction start (tables TSTC and TSTCA)
  • First: check authorization object S_TCODE
  • Second: execute transaction FK01
  • Start FK01: Tcode FK01, program SAPMF02K, dynpro 105
  • authority-check on object F_LFA1_APP
  • field ACTVT, value 01: check user master record
  • field APPKZ, value F: check user master record
  • Result of the check: authorization?
  • YES: program continues
  • NO: error message
39
ICP (Internal Control Procedure)
40
SAP Audit
  • General IT Controls
  • Security organization
  • System migration
  • Base system
  • Standard security settings
  • Not active users
  • Superuser SAP_ALL
  • Authorizations
  • Business process
  • Customizing
  • Interfaces with other systems
  • Reconciliations

41
SAP Audit tools
  • Audit Information system
  • Collection of standard SAP Reports
  • Own ABAPs (SAP Reports)
  • Download to ACL
  • For authorizations: CSI Authorization Auditor,
    90 queries on authorizations aimed at full
    assessment of separation of duties

42
Sample queries
43
The internet revolution
  • Globalization
  • Virtualization
  • Transparency

44
(No Transcript)
45
Porter revisited
46
SAP and the net (My.SAP.com)
  • Access through a browser
  • Electronic marketplace
  • Web portal
  • ASP (Application Server Provider)

47
mySAP.com overview
[Diagram labels: Web browser access; Workplace (Single Sign On; industry-specific, role-based, personalized; drag & relate); mySAP.com components: FI, LO, HR, SEM, CFM, BBP, APO, KM, BW, CRM; Non mySAP.com: R/2, 3.1H, R/3 4.6, legacy, 3rd party; Open Internet standards; Corporate boundary (Internal / External); mySAP.com Internet services; Other Internet services; Market-; Partner; SAP]
48
Architecture
[Diagram labels: non-mySAP.com components; SAP GUI for HTML (HTML 3.2); SAP GUI for Windows (32-bit); SAP GUI for Java (Java VM); ITS Internet platform (IAC, WebRFC, SAP GUI for HTML); HTTP server (CGI, ISAPI, NSAPI); transactions for Web transactions; function modules for WebRFC (WebRFC templates); service files, HTML Bus Templ, styles; MIME files (images, videos, sounds); Catalog; Direct BAPI Call; R/3 data; DB; BC; WPS; PortalBuilder; ECO; OCI; SAP_at_Web Studio; protocols and interfaces: HTTPS, SNC, TCP/IP, DIAG, RFC, BAPI, IDoc, ALE, HTML, XML; Intranet; Internet; mySAP.com and non-mySAP.com Internet services; Applications]
49
Audit considerations
  • Governance (who is responsible for what)
  • Access control
  • single sign-on
  • authentication
  • role management
  • Transaction security
  • Continuity (back-up/recovery)