Auditing and GRC Automation in SAP


Maxim Chuprunov

Auditing and GRC Automation in SAP

Maxim Chuprunov, Riscomp GmbH, Rothenthurm, Switzerland

ISBN 978-3-642-35301-7
ISBN 978-3-642-35302-4 (eBook)
DOI 10.1007/978-3-642-35302-4

Library of Congress Control Number: 2013932469

© 2011 by Galileo Press, Bonn, Germany.
Title of the German original: Handbuch SAP-Revision
ISBN: 978-3-8362-1603-6

ACM Computing Classification (1998): J.1, K.4, K.5, K.6

© Springer-Verlag Berlin Heidelberg 2013
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Printed on acid-free paper.

Springer is part of Springer Science+Business Media
www.springer.com


Foreword

Over the last few years, financial statement scandals, cases of fraud and corruption, data protection violations, and other legal violations have led to numerous liability cases, damages claims, and loss of reputations. As a reaction to these developments, numerous regulations have been issued: Corporate Governance, Sarbanes-Oxley Act, IFRS, Basel II and III, Solvency II, BilMoG, to name just a few. The requirements behind these regulations are complex and no longer affect only internationally active listed companies – the topic of “compliance” has also found its way into management levels and monitoring bodies (such as supervisory boards, internal audit teams, auditing).

Under the term compliance, we generally understand the observance of legislation, guidelines, and voluntary codes within an organization. There are generally recognized framework concepts for setting up a compliance management system (for example, COSO, OECD principles of corporate governance), along with framework concepts that emphasize the specific details of individual industries or compliance-relevant areas (for example, FDA compliance).

The first step has been taken in many ways: organizations have reacted to the flood of national and international compliance laws and directives and have taken measures to ensure compliance. The task now is to integrate the individual activities, such as the internal control system, the risk management system, contract management, internal audit, etc. in a compliance management system and – as far as possible – to automate it in order to achieve a balance between compliance and performance. The observance of compliance alone represents an additional cost factor for organizations; it is only with the balance between compliance and performance that the opportunities offered by the implementation of the regulatory requirements can be used. Therefore, the improvements in the processes, combined with efficiency increases, can and should be implemented within the scope of observance of the regulatory requirements. In general, an improvement in and standardization of the processes, under consideration of regulatory requirements, requires the inclusion of the IT systems; here, the SAP solutions for GRC are an option.

The literature currently available restricts itself primarily to mapping controls in SAP ERP and auditing SAP systems. This book also provides help in this respect, but goes far beyond this content. Starting with the requirements for compliance (Part I), it not only addresses and answers compliance-relevant questions in the form of an audit guide for an SAP ERP system (Part II), but also shows how to map an (automated) compliance management system in an SAP ERP system (Part III). This book thus addresses the current need for solutions for implementing compliance management systems in an organization. Furthermore, the book shows which risks and controls internal and external audit should focus on when auditing an internal control system mapped in SAP or a compliance management system.

The implementation of a compliance management system in SAP ERP requires knowledge of both the underlying legislation and legal standards and the technical options for implementation. In this book, Maxim Chuprunov has applied his extensive experience from both areas. This experience comes from his professional career to date, during which he has been involved on one hand with auditing IT systems in general, and SAP systems in particular, and on the other hand with the implementation of SAP ERP systems and the SAP solutions for GRC.

I am convinced that it is precisely this combination of theoretical and practical knowledge that makes this book so special. Both those who decide on and those who implement compliance and compliance management systems in an organization, as well as internal and external auditors and monitoring bodies, will benefit from this book in their respective fields of activities.

Annett Nowatzki, member of the board of directors at DSJ Revision und Treuhand AG, Berlin.


Trust Is Good, Control Is Cheaper: Introduction

The necessity of overcoming risks and establishing an internal control system (ICS) is at the very top of the agenda for top management in organizations and has brought audit and consultancy companies good business for many years.

Why compliance?

Can the implementation of legal requirements have a deeper meaning and benefit beyond simply complying with legislation? Of course it can – if you do it correctly. Experience from practice shows the following:

- One aspect that is often neglected is the fact that due to its traditional orientation on compliance, an ICS can also include the monitoring of business processes with regard to efficiency, profitability, and performance. Therefore, an ICS is not just about legislation.
- Even if the compliance is only in the sense of legislative compliance, this is generally more cost-effective as non-compliance can be expensive (as shown, for example, by the bribery scandal at SIEMENS in 2006, which was covered extensively in the press).
- As a set of rules issued by the state in the exercise of its regulatory role, compliance protects the general public from many evils. You may remember the spectacular bankruptcies of ENRON, FLOWTEX, etc. Amongst other things, they were caused by manipulation of external financial reporting.
- Various compliance initiatives require that complex processes in an organization are described cleanly (often for the first time). It is easier to control transparent processes, and the controls identified also benefit business operation.
- An inefficient compliance management process uses up a lot of resources. Automating this process can ease the workload for the organization’s management considerably.
- And last but not least: compliance can have direct financial advantages, such as lower capital lockup as a result of more precise or risk-specific equity definition, or cheaper credit due to an improved rating by rating agencies.

Why is compliance a challenge?

Thus, there are numerous reasons for considering compliance requirements as something other than just a necessary evil. However, efficient implementation of these requirements and setting up an effective ICS were, and still are, not easy:

- The complex ERP environment requires specific know-how, and in the case of IT-supported business processes, it is not always clear what risks they bear and what control mechanisms are in place.
- Neglecting compliance requirements during the implementation of an SAP system can have serious consequences. Hindsight is always a great thing – but not considering compliance requirements when implementing SAP generally makes you poorer. Implementing SAP is a costly undertaking and a subsequent redesign is time-consuming and expensive.
- Controls must be lived: it is not the controls that are correctly documented and tested that are effective, but those that are actually executed. However, without a check, compliance is unimaginable – but the automation that is often missing in practice causes a great deal of administrative effort. Microsoft Excel sheets, e-mails, and manual system evaluations often dominate the audit and ICS world, and real-time reporting is frequently not possible.
- The automation of an ICS could provide answers to many of the questions that currently occupy the world of compliance:
  - How can you bring operative and audit-specific views of control mechanisms together?
  - Is real-time reporting of the status of compliance available at the push of a button?
  - How can you map the ICS so that the different requirements of risk management, internal audit, external financial statement audit, and industry-specific control are fulfilled efficiently?

How to do it correctly

In order to implement an ICS correctly, you have to bring together many parts of the puzzle:

- Internal ICS and compliance objectives with regard to efficiency, profitability, and performance
- Legal requirements and their effect on today’s world of ERP-supported processes
- “Translation” of the compliance requirements into the language of a respective ERP system – for example, SAP ERP
- Design and structure of an ICS model in the IT environment
- Automation of an ICS compliance process
- Automation of test and monitoring scenarios through integration
- Handling of internal and external audit as well as risk management integration.

The highly topical and exciting overview and the vision of the automated ICS and compliance processes in the SAP ERP environment of a well-managed organization, in which the individual pieces of the puzzle come together, motivated me to write this book.

Subject, Structure, and Content of the Book

Ever-increasing requirements

The big wave of legislation-driven ICS projects was triggered by the Sarbanes-Oxley Act in 2002. It also affected all European companies listed on the US stock exchange. Gradually, the requirements and risks etc. to be made transparent and minimized by the ICS encroached on other organizations in Europe through EU directives and other local legal initiatives. Overall, the worldwide trend, regardless of whether we consider the impending introduction of China SOX or developments in other emerging markets, shows that a functioning ICS, as a compliance requirement demanded by the state, is establishing itself quickly.

Compliance as part of GRC

The topic of governance, risk, and compliance as a single concept (referred to as an integrated GRC approach) appeared on the market only recently, and the merging of GRC with the topics of strategy and performance is a very new trend. It is reflected in relevant software solutions as well as recognized reference models. Thus, it is no longer appropriate to consider compliance in isolation.


ICS in the IT environment

In this book, compliance is understood as the process, mapped in an ICS, that is intended to guarantee conformity with legal requirements and internal policies and objectives (in particular, efficiency and profitability). An ICS was already known before the age of the computer, but new special features have arisen with the progress of information technology: the transaction audit as an audit approach, and in particular, the consideration of the ICS and the software-specific application controls within the framework of external audit have become established as mandatory. The answer to the question of what that all means for organizations whose processes run with ERP support must be clearly structured and described.

Compliance at the push of a button

The last few years have seen an increase in the number of software products on the market that allow you to design the ICS process efficiently – where applicable, in interaction with risk management. However, the basic understanding of the processes in an IT-supported compliance management process is not delivered with the software.

Concept of this book

As you have seen, there are numerous puzzle pieces around the highly topical issues of ICS and compliance. You have to bring them together to get a good overview. This book considers the connection of compliance with the other parts of GRC (corporate governance and risk management), insofar as this is required by the integration view, in order to indicate the possible synergies and to explain the integrated GRC approach. This book, however, focuses on ICS compliance itself. It looks at this topic from the view of an SAP ERP-dominated IT environment, and develops it, from a design perspective, in three stages:

1. From legislation to concept
2. From concept to content
3. From concept and content to automation

Figure 1 summarizes the idea and structure of this book.

PART I – From Legislation to Concept: ICS and Compliance in the ERP Environment

ICS compliance in the SAP ERP environment – these words trigger many questions, even for experts: Which view of compliance is meant? Which legal and internal requirements are in focus? What does an integrated GRC approach based on SAP software look like? The first part of the book provides answers to these fundamental questions.

In Chap. 1, “Legal Requirements in ICS Compliance,” you will learn what is understood under the term ICS, and what the relevant legal compliance requirements are in an international and cross-industry comparison.

Chapter 2, “The Auditor Is Coming: When, Why, and How to Cope,” explains the special conditions that the audit in the IT environment is subject to and summarizes the most important facts and recommendations from audit practice.

In Chap. 3, “ICS Requirements and ERP Systems: Basic Principles, Frameworks, Structure,” we show you the basic principles for defining the content of an ICS in the SAP ERP environment and the internationally recognized studies and reference models that can help you to do this. The chapter highlights the importance of the continuous monitoring approach. A new feature in this edition is the description of how to set up an efficiency-oriented and profitability-oriented ICS framework.

[Figure 1 Concept of this book. Stage 1, From legislation to ICS concept: the ICS: criteria and requirements; frameworks for ICS implementation; SAP AG & compliance: overview. Stage 2, From ICS concept to SAP content (ICS compliance): DIY approach: understand SAP; controls and auditing them in the SAP environment, structured according to ICS principles; special topics: fraud and FDA. Stage 3, From ICS concept and SAP content to automation (ICS automation): process modeling and implementation with SAP GRC PC; automated monitoring and audit through integration with SAP ERP; implementation experience.]

Chapter 4, “How Does SAP Deal with Risk- and Compliance-Related Topics?” summarizes the most important facts for making your compliance-relevant processes more efficient. These facts range from certification of SAP software solutions to sources of documentation for control mechanisms in SAP and an itemization of the software products. This chapter also describes the integrated GRC approach that is based on the components of the SAP solutions for GRC Release 10.0.

PART II – From Concept to Content: Audit Guide for SAP ERP

How do you translate the ICS compliance requirements into the language of SAP? What risks and controls are there in SAP ERP-supported processes? And how can you implement and monitor the efficiency of the SAP ERP-supported processes? You will find the answers to these questions in the second part of the book.


In Chap. 5, “Audit-Relevant SAP Basics,” we explain the basic connections in the SAP system and provide you with a tool for an independent search for control- and audit-relevant information in SAP ERP.

Chapter 6, “IT General Controls in SAP ERP,” looks at both general organizational controls and topics around change management, critical authorizations, and the basic system security.

In Chap. 7, “General Application Controls in SAP ERP,” you will learn how to ensure the general observance of the principles of traceability and completeness during processing in SAP ERP.

The titles of Chap. 8, “Controls in Financial Accounting,” Chap. 9, “Control Mechanisms in the SAP ERP-Supported Procure to Pay Process,” and Chap. 10, “Control Mechanisms in the SAP ERP-Supported Order to Cash Process” speak for themselves: these SAP-supported processes bear risks that directly endanger observance of compliance. The related control mechanisms are vital for survival and are described in the respective chapters.

In Chap. 11, “Data Protection Compliance in SAP ERP Human Capital Management,” you will learn which legal requirements regulate the treatment of personal data and how to implement these requirements in SAP ERP.

Chapter 12, “Fraud in an SAP System,” is dedicated to the topic of fraud. There is always a risk of fraudulent activities wherever material values and money are dealt with using SAP. In this chapter we use examples to show how you can handle this risk.

Chapter 13, “Excursion: FDA Compliance and Controls in SAP,” affects every reader of this book either directly or indirectly: the control mechanisms required by law in the pharmaceuticals and food industries, which focus primarily on the quality of the products manufactured, must be mapped in the SAP processes. We address the most important of these controls here.

Chapter 14, “Examples of Efficiency-Oriented and Profitability-Oriented Analysis Scenarios in SAP ERP,” gives detailed examples for each of the four elements of an efficiency-oriented ICS framework: process-oriented analyses, quality of master data, master data changes and user input, and supplementing reports. The aim of the high level of detail presented is to provide you with “do-it-yourself” instructions for setting up various analysis scenarios. It is also intended to give you an impression of the work involved in implementing continuous monitoring scenarios.

PART III – From Concept and Content to Implementation: Automation of an Internal Control System

Compliance at the push of a button is a realistic scenario. Software products that help you to automate an ICS are now available on the market. What is not widely available on the market, however, is a range of ICS processes and ICS content, together with their software-based implementation, from one source. On one hand, the Big Four auditing companies, as well as various compliance consultancy agencies, offer ICS content and concepts often based on Microsoft Excel; on the other hand, the conceptual compliance view is missing in both existing literature about ICS and GRC software and from consultants from software companies. The aim of this part of the book is to give you both conceptual and technical instructions for implementing ICS and compliance management processes (based on the SAP solutions for GRC Release 10.0).


In Chap. 15, “ICS Automation: How to Set the COSO Cube in Motion,” we address the conceptual importance of ICS automation and explain the individual building blocks that you can use to model the automation of ICS processes. You do this in the form of an ICS implementation matrix.

In Chap. 16, “ICS Automation Using SAP Process Control,” we show you how to implement the compliance and ICS management process using SAP GRC Process Control. You will also learn why, and using which integration scenarios, Process Control can be seen as part of an integrated GRC concept and strategy and performance management concept.

In Chap. 17, “Implementation of Automated Test and Monitoring Scenarios in the SAP ERP Environment,” we explain which options – including the integration of SAP Process Control with your SAP ERP systems – make the great vision of a “test at the push of a button” possible. We will take you step-by-step through the setup of the continuous monitoring approach in SAP GRC Process Control 10.0.

Chapter 18, “Experiences from Practice and Projects,” presents numerous project experiences that show how organizations from various industries have automated their compliance processes. The chapter summarizes the most important facts about project setup for implementing SAP GRC Process Control and gives some examples of implementation projects at SAP customers.

Target Audience for this Book

As a reader, what existing knowledge do you have? Although only healthy common sense and some basic business knowledge is required for Part I of this book, overall, and particularly for the remaining parts, SAP ERP experience would be an advantage. A compliance and ICS consultancy background is ideal for this book.

Who is the target audience for this book?

- ICS owners, internal audit employees, external auditors, IT auditors, compliance experts
  This is the book for you – from the first to the last chapter!
- Managers of SAP competence centers, project managers, data governance experts, business analysts, and consultants for SAP ERP implementations
  It is not easy to consider the compliance requirements when implementing SAP ERP. Therefore, Part I and Part II in particular provide you with important information for designing your implementation projects so that they are audit-compliant and ICS-compliant, and for daily operation of the SAP ERP applications.
- SAP consultants for SAP GRC Products
  Part III should be mandatory reading for you. In your implementation projects, where the focus is on the process view of the ICS, you should never lose the reference to the ICS content: therefore, Part II is also important for you. And last but not least: it is essential that you understand the complex connections between legal requirements and the implementation of these requirements in the IT environment in order to find a common compliance language with customers. Therefore, Part I would also be relevant for you.
- MBA, business, and information management students
  Part I and Part II of this book are particularly interesting for you: Part I looks in detail at the legal requirements in an international comparison, as well as the business design of the ICS in the IT environment. The overview of internationally recognized GRC reference models could also be interesting for you. Part III explains what the automation of an ICS means from a concept perspective.
- Senior management
  Regardless of whether you are the CFO, CEO, or CIO in your organization, or are fulfilling your duties in the executive board or audit committee, you will not have been able to escape compliance issues. Even if you do not use SAP for processes in your organization, and a correct definition of the SAP-specific content of your ICS is irrelevant for you, you will certainly have thought about designing the ICS efficiently: the experiences of other organizations in handling ICS and compliance topics as described in Part II will provide you with good points of reference. Furthermore, the legal and other compliance requirements, recommendations for dealing with the external audit, and the overview of the GRC framework concepts from Part I of this book will be of interest to you. You should also not miss out on the visionary and conceptual explanations on the topic of “compliance at the push of a button” in Part III.

Notes for Reading this Book

This book contains various orientation aids that will help you to read it.

Information boxes

Gray information boxes provide information that is helpful and good to know, but that stands apart somewhat from the actual explanation text. To enable you to categorize the information in the boxes immediately, we have assigned symbols to the boxes:

- Tips and Notes: The Tips and Notes identified by this symbol provide recommendations that will make your work easier. These boxes also contain information on further topics or important content that you should note.
- Caution: The Caution symbol draws your attention to topics or areas where you should exercise particular caution.
- Examples: Examples, indicated by this symbol, indicate scenarios from practice and illustrate the functions presented.

Marginal notes

Marginal notes enable you to search the book for topics you are particularly interested in or to find parts that you have already read. The marginal notes are adjacent to the respective section that contains the corresponding information.


The audit procedures that are integrated in the presentation, for example, are indicated throughout the book with the marginal note “Check:” (followed in each case by key words reflecting the content).

Acknowledgments

Now it is time to thank everyone without whose support I would not have been able to complete this book project.

The English edition of the book, which you are currently holding, would not have been possible without the highly professional translation by Tracey Duffy (TSD Translations). In addition to, in my opinion, a very successful translation, Tracey Duffy also contributed to the quality of this book with her comments regarding content and with her great attention to detail. Many thanks also to Ralf Gerstner (Springer) for his expert advice and support in this project.

During the time in which I wrote this book, in addition to my main task as managing director and consultant at Riscomp GmbH, and parallel to many exciting projects, my friends and family often had to do without me. I would firstly like to thank them for their understanding and support.

Many people gave me comments, ideas, and information on various questions: many thanks to the SAP experts Jürgen Möller, Dominik Yow-Sin-Cheung, Daniel Welzbacher, Jan Gardiner, David Ramsay, and Atul Sudhalkar – for support in tricky questions surrounding the SAP GRC suite. Heartfelt thanks also to Dr. Karol Bliznak (SAP AG) for input regarding mapping the “risk-intelligent strategic execution” approach with SAP products. I would also like to thank Jürg Kasper (Canton Zürich) for his creative input regarding the automation of test and monitoring scenarios.

Esteemed colleagues have also written contributions to this book: with his highly competent and proven in practice description of the control mechanisms in the SAP ERP-supported Procure to Pay and Order to Cash processes, Gerhard Wasnick relieved me of a great deal of work. Günther Emmenegger (SAP Schweiz AG) wrote the chapter on mapping FDA-requirements in the SAP environment. Volker Lehnert wrote the majority of the chapter on data-protection relevant controls in SAP ERP HCM. Marc Michely (PricewaterhouseCoopers) contributed the section on fraud scenarios in SAP. The practical reports on mapping compliance requirements arose in close cooperation with Jan Laurisjen (Ericsson) and Michele Poffo (Tecan). Reto Bachmann provided input for the contribution on efficiency-oriented scenarios. Andreas Wiegenstein (Virtualforge) has contributed to the Sect. 6.4.2 describing key elements of the ABAP code security.

For various support, information, and help, I would also like to thank Dr. Michael Adam (SAP AG), Dr. Gero Mäder, Thomas Schmale (SAP AG), Evelyn Salie (SAP Schweiz AG), Arnold Babel (SAP Schweiz AG), Peter Heidkamp (KPMG), Florian Köller (SAP AG), Walter Harrer (SAP Schweiz AG), and Christian Brunner (SAP Schweiz AG).

Two, three, or four heads are better than one: Annett Nowatzki (DSJ Revision und Treuhand AG) and Patricia Sprenger at Galileo Press read first drafts, preliminary versions, and raw versions, as well as the finished text of the German edition of the book and improved it with their comments.


Despite the support that I have received from many quarters, I alone am responsible for any errors that remain.

I hope that this book will help you to solve your tasks concerning compliance, audit, and ICS automation with SAP, and wish you every success and enjoyment with your reading.

Maxim Chuprunov


Contents

List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix

I From Legislation to Concept:ICS and Compliance in the ERP Environment

1 Legal Requirements in ICS Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1 Definition of Terms and Differentiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1.1 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1.2 Internal Control System (ICS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.2 Legal ICS Requirements Around theWorld – theMany Faces of SOX . . . . . . . . . . 5

1.2.1 SOX in the USA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.2.2 SOX in Canada (NI 52-109) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.2.3 SOX in Japan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.2.4 SOX in China . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.3 ICS Requirements in Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.3.1 Eighth EU Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.3.2 Germany . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.3.3 Switzerland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

1.3.4 Austria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.3.5 United Kingdom of Great Britain and Northern Ireland . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.3.6 France . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.3.7 Denmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.3.8 Italy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.3.9 Spain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.4 ICS Requirements in the Financial Sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.4.1 Solvency II in the Insurance Industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.4.2 Basel II and III in Banking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.5 ICS as Contributing Factor to Business Success? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2 The Auditor Is Coming: When, Why, and How to Cope . . . . . . . . . . . . . . . . . . . 19

2.1 ICS in the IT Environment from the View of Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2.1.1 The Challenge Presented by Information Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

2.1.2 Transaction Audit as Audit Approach in the IT Environment . . . . . . . . . . . . . . . . . . . . . . . . 21

xviii Contents

2.1.3 Approaches for a Transaction Audit: Focus on ICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2.1.4 ICS and Mandatory Transaction Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.2 ICS Assurance in Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.2.1 The Auditor’s Focus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2.2.2 Selected Auditing Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2.2.3 Types of External Audit in the ERP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

2.2.4 Recommendations for Working with the Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

2.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3 ICS Requirements and ERP Systems: Basic Principles, Frameworks, Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.1 Defining ICS Content in the SAP ERP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

3.1.1 ICS Basic Principles in the ERP Environment: From GAAP to GAPCAS . . . . . . . . . . . . . . . 35

3.1.2 Who Defines the Rules in the SAP Environment? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.1.3 Control Identification Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3.1.4 Structure of a Classic ICS Framework in the ERP Environment . . . . . . . . . . . . . . . . . . . . . . 40

3.1.5 Structure of Efficiency-Oriented and Profitability-Oriented Controls in the ERP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

3.2 ICS-Relevant Reference Models and Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

3.2.1 COSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

3.2.2 CobiT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3.2.3 ITIL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3.2.4 GAIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

3.2.5 ITAF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

3.2.6 Risk IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

3.2.7 Val IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

3.2.8 CMMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3.2.9 MOF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

3.2.10 ISO 27k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.2.11 PCI-DSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.2.12 Summary View of Reference Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

4 How Does SAP Deal with Risk- and Compliance-Related Topics? . . . . . . . 57

4.1 Software Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

4.1.1 SAP Note 671016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

4.1.2 Certification Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

4.2 Compliance-Relevant Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

4.2.1 SAP Online Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61


4.2.2 Security Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

4.2.3 DSAG Guides: Audit Guides, Data Protection Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

4.3 Integrated Approach in SAP GRC 10.0 and Further Compliance-Relevant Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

4.3.1 SAP Governance, Risk, and Compliance Suite 10.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

4.3.2 SAP Process Control 10.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

4.3.3 SAP Access Control 10.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

4.3.4 Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

4.3.5 SAP Risk Management 10.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

4.3.6 Summary Overview of Integration Scenarios in SAP GRC 10.0 . . . . . . . . . . . . . . . . . . . . . . 79

4.3.7 SAP Audit Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

4.3.8 SAP Audit Information System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

4.3.9 SAP Security Optimization Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

4.3.10 RSECNOTE Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

4.4 Compliance-Relevant Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

4.4.1 Direct ICS Content: What Controls Are Available in SAP? . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

4.4.2 Content with ICS Relevance: Standard Business Processes and Controls in SAP . . . . . 89

4.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

II From Concept to Content: Audit Guide for SAP ERP

5 Audit-Relevant SAP Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

5.1 In the Beginning Was the Table: SAP as Table-Controlled Application . . . . . . . . 96

5.1.1 Data in an SAP System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

5.1.2 Controls in the SAP System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

5.1.3 Table-Specific Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

5.1.4 Transaction-Specific Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

5.1.5 Program-Specific Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

5.1.6 The Relationship Between Programs and Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

5.1.7 The Relationship Between Programs and Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

5.1.8 Summary of the Search Options in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

5.1.9 Organizational Structures in the SAP System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

5.2 Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

5.2.1 Flow and Hierarchy of Authorization Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

5.2.2 Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

5.2.3 Determining Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

5.2.4 Roles in the SAP System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

5.2.5 Users in the SAP System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

5.2.6 User Types in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128


5.2.7 Example of an Authorization Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

5.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

6 IT General Controls in SAP ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

6.1 Organizational Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

6.1.1 IT Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

6.1.2 IT Outsourcing: Who Is Responsible for the Controls? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

6.1.3 Guidelines and Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

6.2 Controls in the Area of Change Management and Development . . . . . . . . . . . . . . 136

6.2.1 SAP System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

6.2.2 Change and Transport Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

6.2.3 Client Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

6.2.4 Maintenance and Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

6.2.5 SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

6.3 Security Controls for Access to the SAP System and for Authentication . . . . . . 145

6.3.1 Identity and Life Cycle of the User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

6.3.2 Password Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

6.3.3 Handling Standard Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

6.3.4 Emergency User Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

6.4 Security and Authorization Controls within SAP ERP . . . . . . . . . . . . . . . . . . . . . . . . . . 150

6.4.1 Protecting Programs and Transactions – Basic Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

6.4.2 Protecting Programs and Transactions – Advanced Level . . . . . . . . . . . . . . . . . . . . . . . . . . 154

6.4.3 Protecting Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

6.4.4 Controlling Authorization Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

6.4.5 Critical Administration Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

6.4.6 Consideration of the Principle of Segregation of Duties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

7 General Application Controls in SAP ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

7.1 The Principle of Unalterability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

7.1.1 Protecting Data in Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

7.1.2 Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

7.1.3 Modifiability of Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

7.2 Controls for Data-Related Traceability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

7.2.1 Change Documents in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

7.2.2 Table Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

7.2.3 Document Number Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

7.3 Traceability of User Activities in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

7.3.1 System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174


7.3.2 Security Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

7.3.3 History of Transaction Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

7.3.4 Traceability of System Changes in the Change and Transport Management System (CTS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

7.4 Cross-Process Processing Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

7.4.1 Monitoring Update Terminations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

7.4.2 Completeness of the ALE Interface Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

7.4.3 Remote Function Call Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

7.4.4 Completeness of Batch Input Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

7.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

8 Controls in Financial Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

8.1 Underlying Control Mechanisms in General Ledger Accounting (FI-GL) . . . . . . 189

8.1.1 Principle: Real-Time Postings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

8.1.2 Financial Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

8.1.3 G/L Account Master Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

8.1.4 Checking that Transaction Figures Are Consistent with the Accounting Reconciliation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

8.1.5 Selected Controls for Closing Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

8.1.6 Reconciliation Work in FI-GL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

8.2 Controls over the Accuracy and Quality of Data in General Ledger Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

8.2.1 Accurate Account Determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

8.2.2 Field Status Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

8.2.3 Calculating Taxes for Manual Postings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

8.2.4 Validations in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

8.2.5 Foreign Currencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

8.3 Completeness of Processing in General Ledger Accounting . . . . . . . . . . . . . . . . . . . 205

8.3.1 Document Parking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

8.3.2 Recurring Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

8.3.3 Reconciliation Ledger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

8.4 Data Security and Protection in General Ledger Accounting . . . . . . . . . . . . . . . . . . 209

8.4.1 Protecting Company Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

8.4.2 Tolerance Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

8.4.3 Protecting Master Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

8.4.4 Critical Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

8.4.5 Segregation of Duties in General Ledger Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

8.5 Controls in Asset Accounting (FI-AA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

8.5.1 Basics of Asset Accounting in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218


8.5.2 Default Values for Asset Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

8.5.3 Account Determination in Asset Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

8.5.4 Consistency Check for Account Determination and Configuration . . . . . . . . . . . . . . . . . 221

8.5.5 Depreciation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

8.5.6 Asset History Sheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

8.5.7 Low Value Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

8.5.8 Authorization Control in Asset Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

8.5.9 Critical Authorizations in Asset Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

8.6 Controls in Accounts Payable (FI-AP) and Accounts Receivable (FI-AR) . . . . . . . 229

8.6.1 Accuracy of the Reconciliation Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

8.6.2 Payment Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

8.6.3 One-Time Customers and Vendors – Caution! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

8.6.4 Ageing Structure and Value Adjustments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

8.6.5 Segregation of Duties for Master Data Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

8.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

9 Control Mechanisms in the SAP ERP-Supported Procure to Pay Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

9.1 Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

9.1.1 Maintenance of the Organizational Structures Consistent with Authorizations . . . . . 238

9.1.2 Segregation of Duties in Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

9.2 Goods Receipts and Invoice Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

9.2.1 Goods Receipts: Critical Movement Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

9.2.2 3-Way Match and Payment Blocks in Logistics Invoice Verification . . . . . . . . . . . . . . . . . . 243

9.2.3 Check for Duplicate Invoice Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

9.3 GR/IR Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

9.3.1 Clearing the GR/IR Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

9.3.2 Closing Operations and Reporting of the GR/IR Account in the Balance Sheet . . . . . . 247

9.4 Controls for Stocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

9.4.1 Maintenance of Material Master Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

9.4.2 Non-Valuated Stock Value and Split Valuation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

9.4.3 Account Determination for Material Movements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

9.4.4 Correction of Stock Values: Inventory and Material Devaluations . . . . . . . . . . . . . . . . . . . 253

9.4.5 Release of Scrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

9.4.6 Product Cost Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

9.4.7 Goods Issues from Non-Valuated Stock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

9.5 Corporate Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

9.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258


10 Control Mechanisms in the SAP ERP-Supported Order to Cash Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

10.1 Controls in the Preparatory Sales and Distribution Phase . . . . . . . . . . . . . . . . . . . . . 260

10.1.1 Controls during Order Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

10.1.2 Quality of Customer Master Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

10.1.3 Segregation of Duties for Master Data Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

10.1.4 Credit Limit Assignment and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

10.2 Controls in Order Fulfillment and Revenue Recognition . . . . . . . . . . . . . . . . . . . . . . 264

10.2.1 Controls for Delivery of Goods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

10.2.2 Pricing and Determination of Sales Tax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

10.2.3 Return Deliveries and Credit Memos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

10.2.4 Billing Due List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

10.2.5 Completeness of Accounting Entry of Billing Documents . . . . . . . . . . . . . . . . . . . . . . . . . . 270

10.2.6 Dunning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

10.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

11 Data Protection Compliance in SAP ERP Human Capital Management . . . . . . . . 275

11.1 Legal Data Protection Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

11.1.1 Data Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

11.1.2 Basic Principles: European Union Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

11.1.3 Co-Determination and Employee Data Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

11.1.4 Excursion: Protection of Patient Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

11.2 General Data Protection-Relevant Control Mechanisms in SAP . . . . . . . . . . . . . . . 286

11.2.1 Tracing Changes to Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

11.2.2 Logging Report Calls in SAP ERP HCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

11.2.3 Deleting Data and Making it Unrecognizable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

11.2.4 Personal Data Outside SAP ERP HCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

11.3 Special Requirements of SAP ERP HCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

11.4 Authorizations and Roles in SAP ERP HCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

11.4.1 Differentiating Attributes in SAP ERP HCM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

11.4.2 Personnel Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

11.4.3 Structural Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

11.4.4 Authorization Main Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

11.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

12 Fraud in an SAP System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

12.1 Introduction to “Fraud” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

12.1.1 Types of Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

12.1.2 Fraud and the SAP System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305


12.2 Fraud Scenarios in SAP Basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

12.2.1 “Write-Debugging” Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

12.2.2 Processing a Batch Input Session under a Different User ID . . . . . . . . . . . . . . . . . . . . . . . . 307

12.3 Fraud Scenarios in the General Ledger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

12.3.1 Fraudulent Manual Document Postings in the General Ledger . . . . . . . . . . . . . . . . . . . . . 308

12.3.2 Identification and Analysis of Manual Journal Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

12.4 Fraud Scenarios in the Sales Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

12.4.1 Issuing Fictitious Invoices to Fictitious Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

12.4.2 Granting Improper Credit Memos or Discounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

12.4.3 Excessive Use of Free Goods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

12.4.4 Improper Write-Off of Open Customer Receivables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

12.5 Fraud Scenarios in Personnel Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

12.5.1 Fictitious Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

12.5.2 Limited Access to Own HR Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

12.5.3 Segregation of Duties for Confidential Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

12.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

13 Excursion: FDA Compliance and Controls in SAP . . . . . . . . . . . . . . . . . . . . . . . . 319

13.1 Legal Requirements in the Manufacture of Food and Medicinal Products . . . . 319

13.1.1 FDA-Relevant Legal Requirements in an International Comparison . . . . . . . . . . . . . . . . . 320

13.1.2 GxP – The FDA Basic Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

13.1.3 IT from the View of FDA Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

13.2 Validation of IT Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

13.2.1 Validation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

13.2.2 Controls in Implementation Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

13.3 FDA Compliance in IT-Supported Business Processes . . . . . . . . . . . . . . . . . . . . . . . . . 325

13.3.1 Examples: Controls in Procurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

13.3.2 Examples: Controls in Production Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

13.3.3 Examples: Controls in Quality Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

13.3.4 Examples: Controls in Asset Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

13.3.5 Examples: Controls for Batch Traceability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

13.3.6 Examples: Controls in Warehouse Management Processes . . . . . . . . . . . . . . . . . . . . . . . . . 327

13.4 Observing FDA Compliance for System Maintenance, System Updates, and System Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

13.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

14 Examples of Efficiency-Oriented and Profitability-Oriented Analysis Scenarios in SAP ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

14.1 Process-Related Data Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331


14.1.1 Comparison of the Purchase Order Date with the Goods Receipt Date . . . . . . . . . . . . . 332

14.1.2 Timely Release or Creation of Purchase Requisitions and Purchase Orders . . . . . . . . . . 336

14.1.3 Time between Incoming Purchase Order and Confirmation of the Customer Order . 343

14.1.4 Ten Further Examples of Possible Data-Based Process Analyses . . . . . . . . . . . . . . . . . . . . 344

14.2 Analysis of Master Data Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

14.2.1 Quality of Customer Master Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

14.2.2 Produced Materials with No Bill of Materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

14.2.3 Reconciliation of Material Costs within a Company Code . . . . . . . . . . . . . . . . . . . . . . . . . . 347

14.2.4 Ten Further Examples of Possible Master Data Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

14.3 Manual Data Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

14.3.1 Changes to Purchase Requisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

14.3.2 Changes to Purchasing Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

14.3.3 Changes to Sales Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

14.3.4 Manual Data Changes – Ten Further Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

14.4 Supplementing SAP ERP Standard Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

14.4.1 Planning Parameters Added to Stock Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

14.4.2 Customer Master Data Added to Credit Management Analysis . . . . . . . . . . . . . . . . . . . . . 359

14.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

III From Concept and Content to Implementation: Automation of an Internal Control System

15 ICS Automation: How to Set the COSO Cube in Motion . . . . . . . . . . . . . . . . . . 363

15.1 Basic Concept of ICS Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

15.1.1 COSO Cube in Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

15.1.2 Concept of ICS Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

15.2 ICS-Relevant Objects and Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

15.2.1 Organizational Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

15.2.2 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368

15.2.3 Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

15.2.4 Control Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

15.2.5 Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

15.2.6 Account Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

15.2.7 Example of an ICS Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

15.3 Basic Scenarios of ICS Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

15.3.1 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

15.3.2 Selection and Prioritization of Control Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

15.3.3 Control Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

15.3.4 Design Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376


15.3.5 Effectiveness Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

15.3.6 Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

15.3.7 Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

15.3.8 Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

15.3.9 Sign-Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

15.3.10 Report Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

15.3.11 Persons as Links Between ICS Objects and Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

15.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

16 ICS Automation Using SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

16.1 Introduction: ICS Implementation with SAP Process Control . . . . . . . . . . . . . . . . . . 381

16.2 Technical Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

16.2.1 Technical Architecture and Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

16.2.2 Initial Configuration of the Standard Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

16.2.3 Information Sources on Implementing, Operating, and Upgrading SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

16.3 Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

16.3.1 ICS Master Data in SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

16.3.2 ICS Data Model in SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

16.3.3 Central vs. Local ICS Master Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

16.3.4 Time Dependency of ICS Master Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

16.3.5 Traceability of Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

16.3.6 Concept of Object-Related Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

16.3.7 Customer-Specific Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

16.3.8 Multiple Compliance Framework Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

16.4 Implementation of the ICS Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

16.4.1 ICS Documentation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

16.4.2 Scoping Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

16.4.3 Planning Process, Tests, and Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

16.4.4 Issue Remediation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

16.4.5 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

16.5 ICS and Compliance Implementation: Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

16.5.1 Authorization Model in SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

16.5.2 Object-Related Security in Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

16.5.3 First Level vs. Second Level Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429

16.5.4 Predefined Best Practice Role Concept in SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

16.5.5 Adjusting the Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

16.6 SAP Process Control as GRC Component – New Features and Developments . 433

16.6.1 Policy Management and Other New Features in Release 10.0 . . . . . . . . . . . . . . . . . . . . . . . 433


16.6.2 Integration with SAP Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

16.6.3 Integration with SAP Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

16.6.4 Merging GRC, Strategy, and Performance Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

16.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

17 Implementation of Automated Test and Monitoring Scenarios in the SAP ERP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

17.1 Automated Test and Monitoring Scenarios in the SAP Environment . . . . . . . . . . 441

17.1.1 Offline CAAT Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

17.1.2 Online CAAT Reports and Evaluations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

17.1.3 Compliance Management Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

17.2 Automated Tests and Monitoring in SAP Solutions for GRC Release 10.0 – Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

17.2.1 Continuous Monitoring Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

17.2.2 Continuous Monitoring Framework – Potential and Expectations . . . . . . . . . . . . . . . . . . 450

17.3 Setting up CMF Scenarios in SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

17.3.1 Connecting SAP Solutions for GRC with Business Applications . . . . . . . . . . . . . . . . . . . . . 453

17.3.2 Data Sources in SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456

17.3.3 Creating Business Rules in CMF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460

17.3.4 Monitoring Data Changes in CMF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

17.3.5 Automation Using Predefined Best Practice Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

17.3.6 Connecting Controls with Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

17.3.7 And off You Go! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

17.4 Potential of CMF Scenarios in SAP Process Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

17.4.1 Use of SAP NetWeaver Business Warehouse for Continuous Monitoring . . . . . . . . . . . . 470

17.4.2 Thoughts About SAP BusinessObjects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

17.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

18 Experiences from Practice and Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

18.1 Practical Experiences: Projects for ICS and Compliance Automation . . . . . . . . . 473

18.1.1 Tools for Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

18.1.2 Best Practice Project Structure for ICS Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

18.1.3 Business Blueprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

18.1.4 ICS Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

18.1.5 Factors that Influence the Project Expense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479

18.1.6 Success Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

18.2 Project Examples for ICS and Compliance Automation . . . . . . . . . . . . . . . . . . . . . . . . 482

18.2.1 Coverage of Swiss Compliance Requirements at KUONI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

18.2.2 Integrated GRC Approach at Tecan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485


18.3 SOX at Ericsson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

18.3.1 ICS Framework at Ericsson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

18.3.2 SOX Compliance Process at Ericsson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

18.3.3 Experiences from Previous Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

18.3.4 Optimization Potential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

18.3.5 Steps Towards Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

18.4 Review of the Stages of Evolution of the ICS and Conclusion . . . . . . . . . . . . . . . . . 496

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

The Author of this Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Contributors to this Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509


List of Abbreviations

AAF – Audit and Assurance Faculty Standard
AASB – Auditing and Assurance Standards Board
ACF – Automated Controls Framework
ACP – Acquisition and production costs
ADA – Asset database
AICPA – American Institute of Certified Public Accountants
AIS – Audit Information System
AktG – Aktiengesetz [Stock Corporation Act] (Germany)
AM – SAP Audit Management
AMF – Autorité des marchés financiers (France)
AMF – Automated Monitoring Framework
AMS – Application Management Services
ARF – Automated Rules Framework
ARM – Access Risk Management
AS – SAP NetWeaver Application Server
ASAP – Accelerated SAP
BaFin – Bundesanstalt für Finanzdienstleistungsaufsicht [Federal Financial Supervisory Authority] (Germany)
BC Set – Business Configuration Set
BDSG – Bundesdatenschutzgesetz [Data Protection Act] (Germany)
BetrVG – Betriebsverfassungsgesetz [Works Council Constitution Act] (Germany)
BMGS – Bundesministerium für Gesundheit und soziale Sicherung [Federal Ministry for Health and Social Affairs] (Germany)
BPP – Business Process Procedure
BRF – Business Rules Framework
BRG – Business Role Governance
BS – British Standard
BSI – Bundesamt für Sicherheit in der Informationstechnik [Federal Office for Information Security] (Germany)
CAAT – Computer Assisted Auditing Techniques
CAPA – Corrective And Preventive Actions
CATT – Computer Aided Test Tool
CCM – Continuous Control Monitoring
CCMS – Computer Center Management System
CEA – Centralized Emergency Access
CFR – Code of Federal Regulations (USA)
CHMP – Committee for Medicinal Products for Human Use
CICA – Canadian Institute of Chartered Accountants
CMF – Continuous Monitoring Framework
CMS – Compliance management software
CobiT – Control Objectives for Information and Related Technologies
COE – Council of Europe
COSO – Committee of Sponsoring Organizations of the Treadway Commission
CTS – Change and Transport Management System
CUP – Compliant User Provisioning
DART Tool – Data Retention Tool
DCGK – Deutscher Corporate Governance Kodex [Corporate Governance Code] (Germany)
DI – SAP NetWeaver Development Infrastructure
DMS – Documentation management system
eCATT – Extended CATT
ECN – Ericsson Corporate Network
ELC – Entity level controls
EMA – European Medicines Agency
EMEA – Economic zone Europe, Middle East, and Africa
ERM – Enterprise Role Management
FDA – Food and Drug Administration (USA)
FEFO – First expired, first out
FIFO – First in, first out
FM – SAP Fraud Management
FOEN – Federal Office of the Environment (Switzerland)
FOPH – Federal Office of Public Health (Switzerland)
FPM – Financial Performance Management
FSA – Financial Services Agency
GAAP – Generally Accepted Accounting Principles
GAIT – Guide to the Assessment of IT Risk
GAMP – Good Automated Manufacturing Practice
GDPdU – Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen [Principles for data access and verifiability of digital documents] (Germany)
GLP – Good Laboratory Practice
GMP – Good Manufacturing Practice
GRC – Governance, risk, and compliance
GS – Guidance Statement
HCM – SAP ERP Human Capital Management
HIPAA – Health Insurance Portability and Accountability Act (USA)
HPFB – Health Products and Food Branch (Canada)
ICH – International Conference on Harmonization
IdM – SAP NetWeaver Identity Management
IDoc – Intermediate document
IDW – Institut der Wirtschaftsprüfer [Institute of Public Auditors] (Germany)
IFAC – International Federation of Accountants
IFRS – International Financial Reporting Standards
IIA – Institute of Internal Auditors
IMG – Implementation Guide
ISA – International Standards on Auditing
ISAE – International Standard on Assurance Engagements
ISPE – International Society for Pharmaceutical Engineering
ISS – Issue
ITAF – Information Technology Assurance Framework
ITIL – Information Technology Infrastructure Library
ITSEC – Information Technology Security Evaluation Criteria
ITSEM – IT Security Evaluation Manual
J-SOX – Japanese SOX
KDF – Vendor database
KonTraG – Gesetz zur Kontrolle und Transparenz im Unternehmensbereich [Control and Transparency in Business Act] (Germany)
KRI – Key Risk Indicator
LIFO – Last in, first out
LVA – Low value assets
MaRisk (VA) – Minimum Requirements for Risk Management (Germany, binding guideline)
MCF – Multiple Compliance Framework
MDEC – Medical Device Evaluation Committee (Australia)
MHLW – Ministry for Health, Labour and Welfare (Japan)
MOF – Microsoft Operations Framework
MQT – Multi Application Query Tool
MRC – Management Risk Controlling
NI – National Instrument
NPCB – National Pharmaceutical Control Bureau (Malaysia)
NWBC – SAP NetWeaver Business Client
OR – Correct reporting
P&L – Profit and loss statement
PC – SAP Process Control
PCI-DSS – Payment Card Industry Data Security Standard
PIC/S – Pharmaceutical Inspection Cooperation Scheme
PKI – Public Key Infrastructure
PMSB – Pharmaceutical and Medical Safety Bureau (Japan)
PublG – Publizitätsgesetz [Public Disclosure Act] (Germany)
RAR – Risk Analysis & Remediation
RBE – Reversed Business Engineering
REV – Review
RFC – Remote function call
RM – SAP Risk Management
RPL – Remediation plan
RTA – Real Time Agents
SAL – Security Audit Log
SAS – Self-assessment
SDF – G/L account database
SDM – Software Deployment Manager
SEC – Securities and Exchange Commission (USA)
SGB – Sozialgesetzbücher [Social Welfare Code] (Germany)
SHI – Swiss Agency for Therapeutic Products
SLA – Service Level Agreement
SoD – Segregation of duties
SOP – Standard Operation Procedure
SOS – Security Optimization Service
SOX – Sarbanes-Oxley Act
SPM – Superuser Privilege Management
SSO – Single sign-on
TGA – Therapeutic Goods Administration (Australia)
TMS – Transport Management System
UAM – User Access Management
UAR – User Access Review
UME – User Management Engine
VMP – Validation Master Plan
VRV – Invoice verification database: invoices
WIP – Work in progress