Secrets of an External Auditor for SAP GRC Access Control (Part Two)

This is the second in a two-part itelligence blog series that examines a day in the life of an external auditor using SAP GRC Access Control. Part one reviewed the ITGC-IT general controls and system generated reports that external auditors use daily. In part two, we will review common terminology and Financial Statement Assertions. 

Below are some more key terms and definitions:

COSO: The Committee of Sponsoring Organizations of the Treadway Commission provides detailed internal control criteria and defines the components of internal control. This framework sets the standard that management follows with regard to internal controls.

PCAOB: Established by Sarbanes-Oxley, the Public Company Accounting Oversight Board has broad powers to oversee the audits and auditors of public companies. Through its oversight of public company auditors, the PCAOB influences how companies should prepare for their audits. In March 2004, the PCAOB issued Auditing Standard No. 2, which sets out the requirements for the audit of internal control over financial reporting.

Internal Control over Financial Reporting: A process designed by or under the supervision of the company’s principal executive and financial officers (or persons performing similar functions) and effected by the company’s board of directors, management and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP (Generally Accepted Accounting Principles).

Test of Design:

Design effectiveness refers to whether a control, if complied with, would be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements. It involves considering the financial reporting objectives the control is meant to achieve and whether it will achieve them.

Test of Operating Effectiveness:

Operating effectiveness refers to whether the control is operating as designed and whether the person performing the control has the necessary authority and qualifications to perform it effectively. During the testing of operating effectiveness, management gathers evidence about how the control was applied, how consistently it was applied and by whom it was applied.

SAP GRC Process Controls:

SAP GRC Process Controls is an application for end-to-end control management: it manages automated and manual controls, prioritizes remediation activities and gives management a complete overview of the control environment.

To understand the concepts of SAP GRC Process Controls, it is necessary to learn the different controls, or control categories, that apply to SAP. The controls described below are the basis on which external auditors test SAP systems.

Preventative Controls:

Preventative controls help to prevent errors or fraud that could result in a misstatement of the financial statements from occurring in the first place.

Examples of preventive controls are segregation of duties (which the SAP GRC Access Control application handles well), adequate documentation and physical control over assets.

By performing a simulation in GRC Compliance Calibrator, we implement a preventive control that stops SOD violations from being introduced before the risk ever reaches the production environment.

Detective Controls:

Detective controls help to detect errors or fraud that have already occurred and could result in a misstatement of the financial statements.

Examples of detective controls are periodic reviews of users and segregation of duties, analyses, variance analyses and reconciliations. SAP GRC provides management reports at five different levels, which can also be produced with transaction code SUIM. The five levels are: SOD at transaction code level reports, SOD at authorization object level reports, critical transaction risk analysis reports, critical role/profile reports and mitigation control reports.
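To make the preventive simulation and the detective SOD/mitigation reports above concrete, here is an added example (not code from the original post or from SAP) of a toy SOD risk analysis at the transaction code level; the rule set, risk IDs, users, tcode assignments and mitigating control IDs are all constructed for illustration.

```python
# Added example (not the post's or SAP's code): toy SOD risk analysis at the
# transaction-code level, used as a detective report over existing users and
# as a preventive simulation before new access is provisioned.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed rule set: a risk pairs two conflicting business functions; a
# function is the set of tcodes that grant it. Authorization objects (the
# post's second report level) are ignored, so display-only access still "hits".
FUNCTIONS = {
    "AP01_Maintain_Vendor": {"XK01", "XK02", "FK01", "FK02"},
    "AP02_Run_Payments": {"F110", "F-53"},
    "GL01_Post_Journal": {"FB01", "FB50"},
    "GL02_Close_Period": {"OB52"},
}
RISKS = {"P001": ("AP01_Maintain_Vendor", "AP02_Run_Payments"),
         "F001": ("GL01_Post_Journal", "GL02_Close_Period")}

@dataclass(frozen=True)
class Violation:
    user: str
    risk: str
    tcodes: Tuple[str, ...]    # tcodes that together cause the conflict
    mitigation: Optional[str]  # mitigating control id, if one is assigned

def analyze(user_tcodes: Dict[str, Set[str]],
            mitigations: Dict[Tuple[str, str], str]):
    """Detective report: each user/risk where the user holds a tcode from BOTH
    sides of the risk, annotated with any assigned mitigating control."""
    findings = []
    for user, tcodes in sorted(user_tcodes.items()):
        for risk, (f1, f2) in RISKS.items():
            hit1 = sorted(tcodes & FUNCTIONS[f1])
            hit2 = sorted(tcodes & FUNCTIONS[f2])
            if hit1 and hit2:
                findings.append(Violation(user, risk, tuple(hit1 + hit2),
                                          mitigations.get((user, risk))))
    return findings

def simulate(user_tcodes, mitigations, user: str, new_tcodes: Set[str]):
    """Preventive check: risks the user would NEWLY violate if new_tcodes were
    granted; an empty result means the request introduces no new SOD risk."""
    current = user_tcodes.get(user, set())
    before = {(v.user, v.risk) for v in analyze({user: current}, mitigations)}
    return [v for v in analyze({user: current | new_tcodes}, mitigations)
            if (v.user, v.risk) not in before]

# Constructed sample: JDOE's P001 conflict already carries a mitigating control.
SAMPLE_USERS = {"JDOE": {"XK01", "F110", "FB03"}, "ASMITH": {"FB50", "OB52"},
                "BLEE": {"XK01", "XK02"}}
SAMPLE_MITIGATIONS = {("JDOE", "P001"): "MC-0007"}
```

Running `analyze(SAMPLE_USERS, SAMPLE_MITIGATIONS)` gives the detective report (ASMITH's F001 conflict is unmitigated, JDOE's P001 is mitigated), while `simulate(SAMPLE_USERS, SAMPLE_MITIGATIONS, "BLEE", {"F110"})` shows the preventive check catching a request that would create a P001 conflict.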

Authorizations: Approval of transactions executed in accordance with management’s generally accepted accounting principles and procedures.

Examples of authorizations include a supervisor’s approval, recorded in SAP GRC Access Enforcer (Compliant User Provisioning), confirming that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.

Interface/Conversion Controls: Interface – data interfaces transfer specifically defined portions of data between two computer systems and should ensure the completeness and integrity of the data being transferred.

Conversion – the process of converting data from one system to a new system.

Key Performance Indicators: Financial and non-financial quantitative measurements that the company collects, either continuously or periodically, and that management uses to evaluate the extent of, and progress towards, meeting management’s defined objectives.

Reconciliation: A control designed to determine that two items, such as two computer systems, are consistent with each other.

Segregation of duties: SAP covers this so thoroughly that it is practically synonymous with SAP GRC Access Control, which describes SOD as the segregation of the duties and responsibilities of authorizing transactions, recording transactions and maintaining custody of assets, so that no individual is in a position to both perpetrate and conceal an error or irregularity.

Management Review: A person other than the preparer analyzing and performing oversight of the activities performed (this does not apply solely to management doing the review).

System Access: The ability that an individual or group has within a computer information system processing environment, as defined by the access rights configured in the system. The access rights configured in the system should agree with the access granted in practice.

System Configuration/Account Mapping: Configuration – ‘switches’ that can be set by turning them on or off to secure data against inappropriate processing, based on the organization’s business rules.

Account mapping – ‘switches’ that can be set related to how a transaction is posted to the GL and then to the financial statements.

Exception/Edit Report:

Exception – a report that shows violations of company standards.

Edit – a report that shows changes made to a master file.

SAP GRC Access Control - Identifying Relevant Financial Statement Assertions

Financial statement assertions are a very important concept used by auditors. Auditors use them as a framework to assess the financial statements and to establish that they are presented fairly. Based on the control activity and its business value, an assertion is used to make sure the business process runs as it should.

Below is a brief definition of each of these Assertions:

Consider the example below.

This control monitors changes to developer keys in order to detect unauthorized application changes. It belongs to the Presentation and Disclosure assertion, as shown in the above table.

Similarly, let’s take another example.

This control monitors changes to the configuration setting that allows or denies General Ledger postings by document type. It belongs to the Rights and Obligations and Valuation or Allocation assertions, as defined in the above table.

For completeness, consider this example.

As external auditors continue to conduct tests to verify existence, occurrence and completeness, SAP GRC Process Controls can help you maintain complete control over potential misstatements in your financial statements.

Read more GRC blogs by Rahul Urs.
