Audit-proofing SAP systems

One of an auditor's many tasks is to closely examine complex IT systems regularly. In an interview with Dagmar Brösztl-Reinsch, she explains how to check SAP systems reliably, detailing the benefits of automated SAP usage analyses with RBE Plus.

IBIS: Ms. Brösztl-Reinsch, auditors are beginning to require access to up-to-date SAP documentation to assist them in their work. How does the SAP usage analysis with RBE Plus help?

Brösztl-Reinsch: There's a lot to document in an SAP system. RBE Plus helps us gain a reliable and comprehensive information base for our audits. Automated re-documentation of business processes provides us a quick overview of which ones are critical and which ones we can disregard. This means RBE Plus analyses can be conducted very cost-effectively. And that's a great advantage over the conventional documentation method. Conventional documentation frequently contains a huge amount of information and requires time-consuming manual analysis of processes.

IBIS: Which business processes are of particular interest to you?

Brösztl-Reinsch: Our priority is mainly risk-laden sub-processes. We focus particularly on examining processes relevant for financial reporting. This includes cross-company accounting procedures, balance sheet checks, inventory and valuation procedures, and all transactions in Financial Accounting . Checks for consistency across organizational user departments also play a major role.

IBIS: What risks do you spot and check in terms of user activities and authorizations?

Brösztl-Reinsch: In addition to a formal review of authorizations and conspicuous combinations in the authorization concept, we generally pay close attention to which authorization combinations users have actually implemented.

IBIS: Are there other user activities - ones involving business processes, for instance - that you make a point to track and scrutinize?

Brösztl-Reinsch: We look for segregation of duties throughout the entire process chain.

IBIS: Are all companies required to observe specific segregation of duties?

Brösztl-Reinsch: Adherence to specific segregation of duties becomes absolutely vital for organizations beyond a certain size, or for companies with departments upwards of a specific size. Smaller businesses, on the other hand, do not require this segregation - it may not even be possible. In that case, we perform rigorous and strict spot checks. These range from targeted tests all the way to in-depth transaction audits. They can also be complemented by compensatory process checks.

IBIS: What's your view on process integration beyond system boundaries?

Brösztl-Reinsch: This development presents a new challenge for the user's internal monitoring system and for the auditor's external monitoring system. And that's why we think appropriate monitoring functions are an absolute must. They neatly list all processes that have been checked. It helps us identify which business processes are running as stipulated and which ones aren't. To be able to approve without reservations an SAP system in all compliance aspects, this type of monitoring is imperative.

IBIS: What other challenges do you foresee automated system and usage analyses helping out with in the future?

Brösztl-Reinsch: Expectations of the tools implemented become higher over time. There are three developments I\d like to see for RBE Plus. First, appropriate monitoring should be added for periodic checks. Second, tool-aided integration of internal and external monitoring systems would be helpful. And third, it would be nice if RBE Plus analyses were also available for non-SAP IT systems.