It is time to plan for audit report improvements for SAP Access Control and GRC. The Public Company Accounting Oversight Board (PCAOB), established by Congress as part of the Sarbanes-Oxley Act, is responsible for overseeing the audits of public companies. Since 2012 the PCAOB has been particularly active, and last year it announced significant changes to auditing standards.
In addition to adopted and proposed changes to auditing standards, the PCAOB has been actively releasing staff guidance in the form of practice alerts. These direct auditors to validate the assumptions behind source reports, to test that system-generated reports are complete and accurate, and to verify that top-down risk assessments have been conducted (one auditor acquaintance of mine recently termed the current PCAOB validation process “brutal”).
Practically speaking, SAP customers publicly traded in the U.S. have been seeing, and will continue to see, increased scrutiny from their external auditors. So what does this mean for SAP customers with U.S. Sarbanes-Oxley obligations? And in particular, what does this mean for SAP customers that have SAP Access Control and GRC in place to monitor segregation of duties (SOD) and to automate security design and role assignment?
With canned Access Control/GRC reports and rule sets, it is relatively easy to verify assumptions about completeness and accuracy. That said, the SAP-delivered rule set is not one size fits all: some high risks for certain industries will be medium risks for others, and vice versa. For those of you who like to spend this time of year planning strategy for the coming year, I recommend considering the following questions when planning your FY 2016 audit report improvements, so that you stay ahead of trends in SOX reporting requirements:
- Have we conducted a top-down risk assessment with high, medium and low SOD risks in our AC/GRC rule set(s) in scope, and have the results been verified and signed off on by senior management? And are we able to trace rule set changes to findings in this risk assessment?
- Mitigating controls are, by design, limited to being effective for one year. Still, many SAP customers re-apply them for another year without giving much thought to the underlying assumptions. Did our risk assessment confirm that the residual risk, with mitigating controls in effect, is acceptable? And can these management sign-offs be traced to our mitigating controls?
- Are the technical controls for our GRC landscape adequately defined and documented? Have we spent adequate time negative-testing GRC roles (for example, confirming that mitigating control owners cannot approve firefighter requests)?
- Have our risk owners been defined by senior management and adequately documented?
- Have our business process owners (BPOs) been adequately defined by senior management?
The PCAOB practice and standards changes have had, and will continue to have, an impact; the full extent of that impact has yet to be determined. That said, early compliance will have significantly less organizational impact than mid-year remediation. It never hurts to plan ahead for improvements in SAP Access Control and GRC!