
Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series)
Audit/Assurance Programs and ICQs

ISACA
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations. ISACA developed and continually updates the COBIT®, Val IT and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Disclaimer
ISACA has designed and created Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series), Excerpt of the Audit/Assurance Programs and ICQs (the "Work"), primarily as an educational resource for control professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. While all care has been taken in researching and documenting the techniques described in this text, persons employing these techniques must use their own knowledge and judgment. ISACA and Deloitte, its partners and employees, shall not be liable for any losses and/or damages (whether direct or indirect), costs, expenses or claims whatsoever arising out of the use of the techniques described or reliance on the information in this reference guide.

SAP, SAP R/3, mySAP, SAP R/3 Enterprise, SAP Strategic Enterprise Management (SAP SEM), SAP NetWeaver, ABAP, mySAP Business Suite, mySAP Customer Relationship Management, mySAP Supply Chain Management, mySAP Product Lifecycle Management, mySAP Supplier Relationship Management and other SAP products/services referenced herein are the trademarks or registered trademarks of SAP AG in Germany and in several other countries. The publisher gratefully acknowledges SAP's kind permission to use these trademarks and reproduce selected diagrams and screen shots in this publication. SAP AG is not the publisher of this book and is not responsible for it under any aspect of press law.

Reservation of Rights
© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 978-1-60420-115-4
Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series), Excerpt of the Audit/Assurance Programs and ICQs
Printed in the United States of America

CGEIT is a trademark/servicemark of ISACA. The mark has been applied for or registered in countries throughout the world.

© 2009 ISACA. All rights reserved. Page 2


Acknowledgments
ISACA wishes to recognize:
Researcher
Mark Sercombe, CISA, CA, CIA, Sponsoring Partner, Deloitte, Australia
Matthew Saines, CISA, CISSP, Deloitte, Australia
Maria Woodyatt, CISA, Deloitte, Australia
Bernadette Louat, CISA, Deloitte, Australia
Najeeba Hossain, Deloitte, Australia
Mark Hickabottom, Ph.D., CISA, Deloitte, UK
Neal J. Velayo, CISA, Deloitte, USA
Iain Muir, CISA, Deloitte, Australia

Project Leaders
Pippa G. Andrews, CISA, ACA, CIA, KPMG, Australia
Anthony P. Noble, CISA, CCP, Viacom Inc., USA

Expert Reviewers
Akin Akinbosoye, CISA, CISM, CGEIT, PMI-RMP, Healthcare Corporation of America (HCA), USA
Robin Basham, CISA, CGEIT, SOAProjects Inc., USA
Steve Biskie, CISA, CPA, CITP, ConnectINT Solutions, USA; ACL Services, Ltd., Canada
Michael Brinkloev, KPMG, Denmark
Adrienne C. Chung, CISA, CISM, CA, Chungs' Computer Assistance LLP, Canada
Chang Lu Miao, CISA, ACIB, CPA, MCSE, SAP TGC, Auditor-General's Office, Singapore
Mayank Garg, CISA, Atmel Corporation, USA
David T. Green, Ph.D., Governors State University, USA
Guhapriya Iyer, CISA, ACA, Grad CWA, Cerebrus Consulting, India
Babu Jayendran, CISA, FCA, Babu Jayendran Consulting, India
Emma Johari, CISA, KPMG, Australia
Pam Kammermeier, CISA, Altran Control Solutions, USA
Rajni Lalsinghani, CISA, CISM, TechnoSols Consulting Services, Australia
K. K. Mookhey, CISA, CISM, CISSP, Network Intelligence India (NII), India
Stane Moškon, CISA, CISM, VRIS d.o.o., Slovenia
Moonga Mumba, CISA, Zambia Revenue Authority, Zambia
Babu Shekhar Shetty, CISA, CISSP, Timken Pvt. Ltd., India
Surapong Surabotsopon, CISA, CISM, CGEIT, ITIL, Goodyear (Thailand) PCL, Thailand
William G. Teeter, CISA, CGEIT, PMP, USA
Jinu Varghese, CISA, OCA, PricewaterhouseCoopers LLP, Canada
Chakri Wicharn, CISA, CISM, Thailand
David Yeung, CISA, CIA, CFE, KPMG, China

ISACA Board of Directors 2008-2009
Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info. SA & CV, Mexico, Vice President
Robert E. Stroud, CGEIT, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, CGEIT, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, CSEPS, RSM Bird Cameron, Australia, Director

Assurance Committee 2008-2009
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Chair
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
Richard Brisebois, CISA, CGA, Office of the Auditor General of Canada, Canada
Sergio Fleginsky, CISA, ICI, Uruguay
Robert Johnson, CISA, CISM, CGEIT, CISSP, Executive Consultant, USA
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Robert G. Parker, CISA, CA, CMC, FCA, Deloitte & Touche LLP (retired), Canada
Erik Pols, CISA, CISM, Shell International - ITCI, Netherlands
Vatsaraman Venkatakrishnan, CISA, CISM, CGEIT, ACA, Emirates Airlines, UAE

Table of Contents

Appendix D. SAP ERP Revenue, Expenditure, Inventory, Basis Audit/Assurance Programs, page 5
Revenue Audit/Assurance Program, page 5
Expenditure Audit/Assurance Program, page 27
Inventory Audit/Assurance Program, page 50
Basis Audit/Assurance Program, page 70
Appendix E. SAP ERP Audit ICQs, page 109
Revenue ICQ, page 110
Expenditure ICQ, page 113
Inventory ICQ, page 116
Basis ICQ, page 121


Appendix D. SAP ERP Revenue, Expenditure, Inventory, Basis Audit/Assurance Programs

Revenue Business Cycle

I. Introduction

Overview
ISACA developed ITAF™: A Professional Practices Framework for IT Assurance as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates that give direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. This audit/assurance program is intended to be used by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200, General Standards. The audit/assurance programs are part of ITAF section 4000, IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the COBIT framework (specifically COBIT 4.1), using generally applicable and accepted good practices. They reflect ITAF sections 3400 (IT Management Processes), 3600 (IT Audit and Assurance Processes) and 3800 (IT Audit and Assurance Management). Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced by regulatory requirements of the US Securities and Exchange Commission (SEC), as directed by the US Sarbanes-Oxley Act of 2002, and by similar legislation in other countries. Enterprises seek to integrate the control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename columns in the audit program to align with the enterprise's control framework.

IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives, with steps to determine control design and effectiveness.


Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation or has the necessary subject matter expertise required to conduct the work, and is supervised by a professional with the CISA designation and the necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. IT audit and assurance professionals are encouraged to make modifications to this document to reflect the specific environment under review.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner that facilitates an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.


The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and its integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure AD1.
Figure AD1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the enterprise's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an enterprise's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise's mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an enterprise's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses (avoiding, accepting, reducing or sharing risk), developing a set of actions to align risks with the enterprise's risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the enterprise.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure AD1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to use the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure AD1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to investigate further or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so that it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development. The IT Assurance Guide: Using COBIT, appendix VII, Maturity Model for Internal Control, reproduced in figure AD2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure AD2: Maturity Model for Internal Control

Maturity level 0, Nonexistent
Status of the internal control environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of internal controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity level 1, Initial/ad hoc
Status of the internal control environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of internal controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity level 2, Repeatable but intuitive
Status of the internal control environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of internal controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity level 3, Defined
Status of the internal control environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of internal controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity level 4, Managed and measurable
Status of the internal control environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of internal controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity level 5, Optimized
Status of the internal control environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of internal controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs, and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners use decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards
ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit and Assurance Standard S15 IT Controls, and IT Audit and Assurance Guideline G38 Access Controls, are relevant to this audit/assurance program.

ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Using COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise. Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security
A review of the SAP environment helps management obtain assurance that it is securely configured. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries, and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing. Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time," and the digit denotes the number of architectural tiers: R/2 is the two-tier mainframe system, while R/3, introduced in 1992, uses a three-tier client/server architecture. Release levels are annotated separately from the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP NetWeaver® platform. The current core ERP solution offered by SAP is called SAP Enterprise Central Component (ECC 6.0), referred to here as SAP ERP.

Business Impact and Risk
SAP is widely used in many enterprises. Improper configuration of SAP could result in an inability of the enterprise to execute its critical processes.

© 2009 ISACA

All rights reserved.

Page 10

Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series) Audit/Assurance Programs and ICQs

Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:
• Disclosure of privileged information
• Single points of failure
• Low data quality
• Loss of physical assets
• Loss of intellectual property
• Loss of competitive advantage
• Loss of customer confidence
• Violation of regulatory requirements

Objective and Scope

Objective: The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.

Scope: The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills

This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.


*I. !e"en#e &#siness C%cle A#dit'Ass#rance Program


C,S,
CommunicationInformation and Control Environment Risk Assessment Control Activities

Audit/Assurance Program Ste!

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP
1. Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
1.1 Determine whether:
• Senior management has assigned responsibilities for information, its processing and its use
• User management is responsible for providing information that supports the entity's objectives and policies
• Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity
• Senior management approves plans for development and acquisition of information systems
• There are procedures to ensure that the information system being developed or acquired meets user requirements
• There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation
• All personnel involved in the system acquisition and configuration activities receive adequate training and supervision
• There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards
• User management participates in the conversion of data from the existing system to the new system
• Final approval is obtained from user management prior to going live with a new information/upgraded system
• There are procedures to document and schedule all changes to information systems (including key ABAP programs)
• There are procedures to ensure that only authorized changes are initiated
• There are procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client
• There are procedures to allow for and control emergency changes
• There are procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software
• There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated
• The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions
• The database, application and presentation servers are located in a physically separate and protected environment (i.e., a data center)
• Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational
• Backup and recovery plans allow users of information systems to resume operations in the event of an interruption
• Application controls are designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system
• Access to the Implementation Guide (IMG) during production has been restricted
• The production client settings have been flagged to not allow changes to programs and configuration
COBIT cross-reference (steps A.1 and A.1.1): ME1, ME1

B. PRELIMINARY AUDIT STEPS
1. Gain an understanding of the SAP ERP environment.
COBIT cross-reference (steps B.1 and B.1.1): PO2, PO3
1.1 The same background information obtained for the SAP ERP Basis Security audit plan is required for and relevant to the business cycles. In particular, the following information is important:
• Version and release of SAP ERP implemented
• Total number of named users (for comparison with logical access security testing results)
• Number of SAP instances and clients
• Accounting period, company codes and chart of accounts
• Identification of the components being used (Human Capital Management, Financials, Operations, Corporate Services)
• Whether the organization has created any locally developed ABAP programs or reports
• Details of the risk assessment approach taken in the organization to identify and prioritize risks
• Copies of the organization's key security policies and standards
1.2 Obtain details of the following:
• Organizational Management Model as it relates to sales/revenue activity, i.e., sales organization unit structure in SAP ERP and company sales organization chart (required when evaluating the results of access security control testing)
• An interview of the systems implementation team, if possible, and process design documentation for sales and distribution
2. Identify the significant risks and determine the key controls.
2.1 Develop a high-level process flow diagram and overall understanding of the Revenue processing cycle, including the following subprocesses:
• Maintain pricing/customer master data
• Sales order processing
• Invoice processing
• Payment receipt
2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the sample testing program below and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
• The controls culture of the organization (e.g., a just-enough control philosophy)
• The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)
COBIT cross-reference (steps B.1.2 through B.2.2): PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME1, ME2; AI1, DS5, DS6; PO9, AI1, DS13, PO9, DS5, DS9; ME2

C. DETAILED AUDIT STEPS
1. Maintain customer/pricing master data.
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Determine whether the following reports of changes to master data have been compared to authorized source documents and/or a manual log of requested changes to ensure they were input accurately and on a timely basis:
• For customer master data, use transaction code OV51 (also accessible using transaction code SA38 and program RFDABL00) to generate a list denoting the date and time of change, old and new values for fields, and details of the user who input the change.
• Use transaction code S_ALR_87009993 (also accessible using transaction code SA38 and program RFDKLIAB) to display changes to credit management and credit information change details for comparison to authorized source documents.
• Use transaction MM04 to display master data changes for individual materials.
• Generate a list of pricing changes using transaction VK12 and subsequently selecting the following path from menu options: Environment → Changes → Change Report. Check the accuracy of changes made to the pricing master records and also the time at which these changes have been applied (which is essential to the effective processing of pricing changes) against authorized source documentation.
COBIT cross-reference (step C.1.1.1): AI2, AI6, DS6, DS11
1.1.2 Review organization policy and process design specifications regarding access to maintain master data. Test user access to create and maintain customer, material and pricing master data as follows:
• Customer master data: Transaction codes FD01/FD02/FD05/FD06 (Finance), VD01/VD02/VD05/VD06 (Sales), XD01/XD02/XD05/XD06/XD07/XD99 (Central)
• Material master data: Transaction codes MM01 (Create), MM02 (Change), MM06 (Delete)
• Pricing master data: Transaction codes VK11 and VK12
COBIT cross-reference (step C.1.1.2): AI2, AI6, DS5, DS11
1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Customer Account Groups: Transaction SPRO. Menu path: Financial Accounting → Accounts Receivable and Accounts Payable → Customer Accounts → Master Data → Preparation for Creating Customer Master Data → Define Account Group With Screen Layout (Customers)
• Material Types: Transaction SPRO. Menu path: Logistics General → Material Master → Basic Settings → Material Types → Define Attributes of Material Types
• Industry Sector: Transaction SPRO. Path: Logistics General → Material Master → Field Selection → Define industry sectors and industry-sector specific field selection
• Understand the organization's pricing policy and its configuration in SAP ERP (e.g., hard-coded, manual override possible, user enters price). Pricing condition types and records can be reviewed against the organization's pricing policy using the following menu path and transaction codes. Transaction SPRO. Menu path: Sales and Distribution → Basic Functions → Pricing:
  • V-44 for material price condition record
  • V-48 for price list type condition records
  • V-52 for customer-specific condition type
COBIT cross-reference (step C.1.1.3): PO9, DS9, DS11, DS12
1.2 Master data remain current and pertinent.
1.2.1 Determine whether management runs the following reports, or equivalent, by master data type and confirm evidence of management's review of the data for currency and ongoing pertinence:
• Customer master data: Run transaction code F.20
• Material master data: Run transaction code MMS3
• Pricing master data: Run transaction code VK13
Transaction F.32 provides an overview of customers for which no credit limit has been entered. Check the output from transaction F.32 to confirm a credit limit has been set for customers in the range requiring a limit.
COBIT cross-reference (steps C.1.2 through C.2.1.1): PO8, DS3, DS11, ME1
2. Sales Order Purchasing
2.1. Sales orders are processed with valid prices and terms and processing is complete, accurate and timely.
2.1.1. Determine whether the ability to create, change or delete sales orders, contracts, and delivery schedules is restricted to authorized personnel by testing access to the following transactions:
• Create (VA01)/Change (VA02) Sales Order
• Create (VA31)/Change (VA32) Delivery Schedules
• Create (VA41)/Change (VA42) Contracts
2.1.2. Refer to master data integrity point 1.1.2.
2.1.3. Refer to master data integrity point 1.1.3.
2.1.4. Understand the policies and procedures regarding reconciliation of sales orders. Review operations activity at selected times and check for evidence that reconciliations are being performed.
2.2. Orders are processed within approved customer credit limits.
2.2.1. Determine whether the configurable control settings address the risks pertaining to the processing of orders outside customer credit limits and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Transaction SPRO. Menu path: Financial Accounting → Accounts Receivable and Accounts Payable → Credit Management → Credit Control Account
• Execute transaction OVAK to show the type of credit check performed for the corresponding transaction types in order processing.
• Execute transaction OVA7 to determine whether a credit check is performed for appropriate document types being used.
• Execute transaction OVAD to show the credit groups that have been assigned to the delivery types being used.
• Execute transaction OVA8 to show an overview of defined credit checks for credit control areas.
2.3. Order entry data are completely and accurately transferred to the shipping and invoicing activities.
2.3.1. Obtain a full list of incomplete sales documents from the system using transaction V.00 (also accessible using transaction code SA38 and program RVAUFERR). Review items on the list with the appropriate operational management, and ascertain if there are legitimate reasons for the sales documents that remain incomplete.
3. Invoice Processing
3.1. Controls are in place to prevent duplicate shipments or delay in the shipping of goods to customers.
3.1.1. Generate the list of current system configuration settings relating to copy control between sales and shipping documents using transaction VTLA (Display Copying Control: Sales Document to Delivery Document). Select each combination of delivery type and sales document type, and click the Item button. Double-click on each item category, and verify that the entry for the indicator qty/value pos./neg. has been set to + (automatic update occurs between documents as deliveries are made for line items specified in the sales document). Depending on the volume of shipping and sales input manually, it may also be necessary to verify a sample of shipping and sales input for accuracy.
3.1.2. Determine whether the following shipping reports are used to assist in controlling the shipping process:
• Backlog: V.15
• Process Delivery Due List: VL04
• Outbound Deliveries for Picking: VL06
• Outbound Deliveries for Confirmation: VL06C
• Outbound Deliveries to be Loaded: VL06L
3.2. Invoices are generated using authorized terms and prices and are accurately calculated and recorded.
3.2.1. Display current system settings relating to invoice preparation online using the IMG: Transaction SPRO. Menu path: Sales and Distribution → Billing → Billing Documents. Determine whether the connection between source and target documents supports the accurate flow of billing details through the sales process and supports the accurate calculation and posting of invoice data.
3.3. All goods shipped are invoiced, in a timely manner.
3.3.1. Execute transaction VF04 (Process Billing Due List). All goods/services that have not been invoiced, or that have been only partially invoiced, will appear on the list, sorted by invoice due date. Review the aging of items in the list. For items outstanding for more than one billing period, seek an explanation from management as to why the items have not been billed.
3.3.2. Assess user access to picking lists, delivery notes and goods issues by testing access to the following transactions:
• Create Single Delivery: VL01
• Process Delivery Due List: VL04
• Change Outbound Deliveries: VL02
3.3.3. Execute transaction VF03 (Display Invoice), click on the expansion button next to the billing document field and select Billing Documents Still to Be Passed Onto Accounting. Obtain explanation for any invoices that appear in this list. Test user access to transactions to enter invoices and confirm this is consistent with staff job roles and management's intentions:
• Sales Accounts Receivable Entry: VF01 and VF04
• Finance Entry: FB70
3.4. Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
3.4.1. Assess user access to sales order return and credit notes transactions as follows:
• Sales entry: Create Sales Document: VA01
• Sales entry: Change Sales Document: VA02
• Finance Entry: FB75
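Steps 1.1.2, 2.1.1, 3.3.2, 3.3.3 and 3.4.1 test which users can reach the listed transaction codes. The Python script below is an added example, not part of the ISACA program or of SAP: it groups those transaction codes by business function, reports each user's sensitive functions for comparison with job roles, and flags users who hold function pairs that an assumed example policy treats as incompatible. The two-column extract format, the sample rows and the conflict pairs are constructed for the example.

```python
"""Sensitive-access and segregation-of-duties screen over an SAP user/transaction
extract (added example for audit steps 1.1.2, 2.1.1, 3.3.2, 3.3.3 and 3.4.1; not
ISACA's or SAP's code). The input is an assumed two-column CSV of user and
transaction code, such as an auditor exports from SUIM or from AGR_USERS joined
to AGR_TCODES; the rows below are constructed.
"""
import csv
import io
from collections import defaultdict

# Transaction codes named in the audit program, grouped by the business
# function they give access to.
FUNCTIONS = {
    "customer_master": {"FD01", "FD02", "FD05", "FD06",
                        "VD01", "VD02", "VD05", "VD06",
                        "XD01", "XD02", "XD05", "XD06", "XD07", "XD99"},
    "material_master": {"MM01", "MM02", "MM06"},
    "pricing_master": {"VK11", "VK12"},
    "sales_order": {"VA01", "VA02", "VA31", "VA32", "VA41", "VA42"},
    "delivery": {"VL01", "VL02", "VL04"},
    "invoice": {"VF01", "VF04", "FB70"},
    "credit_note": {"FB75"},
}

# Assumed example policy, not taken from the audit program: pairs of functions
# that management treats as incompatible for a single user.
CONFLICTS = [
    ("customer_master", "sales_order"),
    ("pricing_master", "invoice"),
    ("sales_order", "invoice"),
    ("customer_master", "credit_note"),
]

# Constructed extract. SU01 is included to show that codes outside the
# reviewed functions are ignored rather than reported.
SAMPLE_EXTRACT = """user,tcode
JDOE,VA01
JDOE,VA02
JDOE,VF01
ASMITH,FD02
ASMITH,XD02
BLEE,VK12
BLEE,MM02
CNG,FB75
CNG,XD01
CNG,SU01
"""


def load_assignments(text):
    """Parse the extract into {user: set of transaction codes}."""
    by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        by_user[row["user"].strip().upper()].add(row["tcode"].strip().upper())
    return dict(by_user)


def functions_for(tcodes):
    """Return the set of reviewed functions reachable with these codes."""
    return {name for name, codes in FUNCTIONS.items() if tcodes & codes}


def sensitive_access(by_user):
    """Per user, the sorted list of sensitive functions held; users with none
    are omitted. This is the list to reconcile against job roles."""
    report = {}
    for user, tcodes in by_user.items():
        held = functions_for(tcodes)
        if held:
            report[user] = sorted(held)
    return report


def sod_conflicts(by_user):
    """List (user, function_a, function_b) for each conflicting pair a user
    holds, in user order. Only transaction-code assignments are examined:
    access granted through authorization objects, or through parameter
    transactions that wrap these codes, must be reviewed separately."""
    findings = []
    for user in sorted(by_user):
        held = functions_for(by_user[user])
        for a, b in CONFLICTS:
            if a in held and b in held:
                findings.append((user, a, b))
    return findings


if __name__ == "__main__":
    users = load_assignments(SAMPLE_EXTRACT)
    for user, funcs in sorted(sensitive_access(users).items()):
        print(f"{user}: {', '.join(funcs)}")
    for user, a, b in sod_conflicts(users):
        print(f"SoD conflict: {user} holds {a} and {b}")
```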

3.5. Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy and in a timely manner.
3.5.1. View the sales document types configured by using transaction VOV8. Look for all the sales document types that relate to sales order returns and credit requests. Double-click on one of these document types. In the General Control section of the screen, there is a reference mandatory field. Verify that the setting has been set to M. Repeat this for all of the other relevant document types. Discuss the reference field settings in place for the selected document types with management. Determine whether the configuration in place is set as management intended.
3.5.2. Review the configuration settings for delivery and billing blocks online using the IMG as follows:
• Shipping: Transaction SPRO. Menu path: Logistics Execution → Shipping → Deliveries → Define Reasons for Blocking in Shipping
• Billing: Transaction SPRO. Menu path: Sales and Distribution → Billing → Billing Documents → Define Blocking Reason for Billing
Determine whether the settings support the processing of credits in line with the organization's credit management policy and are consistent with management's intention.
4. Payment Receipt
4.1. Cash receipts are entered accurately, completely and in a timely manner.
4.1.1. Take a sample of bank reconciliations and test for adequate clearance of reconciling items and approval by finance management.
4.1.2. Determine whether the system has been configured to not allow processing of cash receipts outside of approved bank accounts. Execute transaction FI12 and ascertain to which bank accounts a cash receipt can be posted. Determine if this is consistent with management's intentions.
4.1.3. Use the transaction code F.21 (Customer Open Items; also accessible using transaction code SA38 and program RFDEPL00) to review customer open items. The report lists each item and the amount owed. At the end of the listing, the total amount still to be collected is calculated. Transaction code S_ALR_87009956 (Customer Open).
4.2. Cash receipts are valid and are not duplicated.
4.2.1. Review the accounts receivable reconciliation and determine whether there are any amounts unallocated or any reconciling items. Determine the aging of these items and make inquiry of management as to the reasons for these items remaining unallocated or unreconciled.
4.3. Cash discounts are calculated and recorded accurately.
4.3.1. Review the settings in place for tolerance levels for allowable cash discounts and cash payment differences by the following transactions:
• OBA4, to determine the tolerance groups that have been set up for users and the tolerance limits that have been set for those groups
• OB57, to determine the users who have been allocated to the groups identified earlier
Discuss with management the settings that are in place for tolerance levels for allowable cash discounts and cash payment differences. Determine whether the configuration in place agrees with management's intentions.
4.4. Timely collection of cash receipts is monitored.
4.4.1. As for 4.1.3, determine whether accounts receivable aging reports are reviewed regularly to ensure that the collection of payments is being performed in a timely manner.
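Step 4.3.1 compares the tolerance groups from OBA4 and the user assignments from OB57 against management's intentions. The Python script below is an added example, not part of the ISACA program or of SAP, that performs that comparison over two constructed extracts: it resolves each in-scope user to the group that actually applies (including the blank default group SAP uses for users with no OB57 entry), flags limits above the approved maximums, and reports assignments to groups that are not defined for the company code. The column names, sample rows and policy limits are assumptions for the example.

```python
"""Cash-discount tolerance review for audit step 4.3.1 (added example, not
ISACA's or SAP's code). It joins the tolerance groups defined in OBA4 with the
user-to-group assignments in OB57 and flags users whose effective limits
exceed the maximums management approved. Both extracts, their column names
and the policy limits are constructed for the example.
"""
import csv
import io

# Constructed OBA4-style extract: tolerance limits per group and company code.
# The group with a blank key is the default that applies to every user not
# listed in OB57, so the review resolves unassigned users to it instead of
# skipping them.
OBA4_EXTRACT = """company_code,group,cash_discount_pct,payment_diff_amount
1000,,2.0,5.00
1000,CLERK,3.0,20.00
1000,SUPER,5.0,500.00
"""

# Constructed OB57-style extract: user to tolerance group. GHOST is a group
# that no longer exists in OBA4, a dangling assignment worth reporting.
OB57_EXTRACT = """user,group
JDOE,CLERK
ASMITH,SUPER
MLONG,GHOST
"""

# Users in scope for the review (e.g. everyone with posting access). TNEW has
# no OB57 row and therefore inherits the blank default group.
USERS_IN_SCOPE = ["JDOE", "ASMITH", "TNEW", "MLONG"]

# Management's approved maximums, assumed for the example.
POLICY_MAX_PCT = 3.0
POLICY_MAX_AMOUNT = 50.00


def load_tolerance_groups(text, company_code):
    """{group_key: (cash_discount_pct, payment_diff_amount)} for one company code."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["company_code"].strip() == company_code:
            groups[row["group"].strip()] = (float(row["cash_discount_pct"]),
                                            float(row["payment_diff_amount"]))
    return groups


def load_user_groups(text):
    """{user: group_key} from the OB57 extract."""
    return {row["user"].strip().upper(): row["group"].strip()
            for row in csv.DictReader(io.StringIO(text))}


def effective_limits(user, groups, user_groups):
    """Return (group_key, limits) for a user; limits is None when the assigned
    group is not defined for the company code. Unassigned users map to ''."""
    group = user_groups.get(user, "")
    return group, groups.get(group)


def review_tolerances(users, groups, user_groups, max_pct, max_amount):
    """One finding per user that needs follow-up: (user, group label, code)."""
    findings = []
    for user in users:
        group, limits = effective_limits(user, groups, user_groups)
        label = group or "<default>"
        if limits is None:
            findings.append((user, label, "UNDEFINED_GROUP"))
            continue
        pct, amount = limits
        if pct > max_pct or amount > max_amount:
            findings.append((user, label, "EXCEEDS_POLICY"))
        elif not group:
            # Within limits, but only because the default group happens to be
            # tight; the assignment itself was never approved.
            findings.append((user, label, "DEFAULT_GROUP"))
    return findings


if __name__ == "__main__":
    groups = load_tolerance_groups(OBA4_EXTRACT, "1000")
    assignments = load_user_groups(OB57_EXTRACT)
    for finding in review_tolerances(USERS_IN_SCOPE, groups, assignments,
                                     POLICY_MAX_PCT, POLICY_MAX_AMOUNT):
        print(*finding)
```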


VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance review, and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.
Table columns: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments

AI6.1 Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the policies and processes, including:
• Roles and responsibilities
• Classification and prioritization of all changes based on business risk
• Assessment of impact
• Authorization and approval of all changes by the business process owners and IT
• Tracking and status of changes
• Impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organizational change management processes with change management processes of service providers. Consider the impact of the organizational change management process on contractual terms and SLAs.
AI6.2 Impact Assessment, Prioritization and Authorization
1. Develop a process to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
3. Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies amongst changes. Involve business process owners in the assessment process, as appropriate.
5. Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.
AI6.4 Change Status Tracking and Reporting
1. Ensure that a documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
2. Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
3. Ensure that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
4. Conduct a postimplementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorize access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into account:
• Sensitivity of information and applications involved (data classification)
• Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
• Roles and responsibilities as defined within the enterprise
• The need-to-have access rights associated with the function
• Standard but individual user access profiles for common job roles in the organization
• Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organization, or who have changed roles or jobs.

? @00+ ISACA)

All rights reser"ed)

Page @G

DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
• Using unique user IDs to enable users to be linked to and held accountable for their actions
• Awareness that the use of group IDs results in the loss of individual accountability and are permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented.
• Checking that the user has authorization from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
• A procedure to require users to understand and acknowledge their access rights and the conditions of such access
• Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
• Maintaining a formal record, including access levels, of all persons registered to use the service
• A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorizations for special privileged access rights should be reviewed independently at more frequent intervals.
DS9.1 Configuration Repository and Baseline
1. Implement a configuration repository to capture and maintain configuration management items. The repository should include hardware; application software; middleware; parameters; documentation; procedures; and tools for operating, accessing and using the systems, services, version numbers and licensing details.
2. Implement a tool to enable the effective logging of configuration management information within a repository.
3. Provide a unique identifier to a configuration item so the item can be easily tracked and related to physical asset tags and financial records.
4. Define and document configuration baselines for components across development, test and production environments, to enable identification of system configuration at specific points in time (past, present and planned).
5. Establish a process to revert to the baseline configuration in the event of problems, if determined appropriate after initial investigation.
6. Install mechanisms to monitor changes against the defined repository and baseline. Provide management reports for exceptions, reconciliation and decision making.
DS9.2 Identification and Maintenance of Configuration Items
1. Define and implement a policy requiring all configuration items and their attributes and versions to be identified and maintained.
2. Tag physical assets according to a defined policy. Consider using an automated mechanism, such as barcodes.
© 2009 ISACA. All rights reserved. Page 26

(Table columns for each control practice: Assessed Maturity | Target Maturity | Reference Hyperlink | Comments)

COBIT Control Practice (continued)

3. Define a policy that integrates incident, change and problem management procedures with the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative attributes and versions. Identify and maintain the relationships between configuration items in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions (component failure impact analysis).
7. Record all assets—including new hardware and software, procured or internally developed—within the configuration management data repository.
8. Define and implement a process to ensure that valid licenses are in place to prevent the inclusion of unauthorized software.

DS9.3 Configuration Integrity Review
1. To validate the integrity of configuration data, implement a process to ensure that configuration items are monitored. Compare recorded data against actual physical existence, and ensure that errors and deviations are reported and corrected.
2. Using automated discovery tools where appropriate, reconcile actual installed software and hardware periodically against the configuration database, license records and physical tags.
3. Periodically review against the policy for software usage the existence of any software in violation or in excess of current policies and license agreements. Report deviations for correction.


Expenditure Business Cycle


I. Introduction

Overview
ISACA developed ITAF™: A Professional Practices Framework for IT Assurance as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, and tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a roadmap for the completion of a specific assurance process. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the COBIT framework—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF, sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management. Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename columns in the audit program to align with the enterprise's control framework.

IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives with steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool


and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.

II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. IT audit and assurance professionals are encouraged to make modifications to this document to reflect the specific environment under review.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level. The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on


ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure A.1.
Figure A.1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework:

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the enterprise's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework:

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an enterprise's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise's mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an enterprise's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the enterprise's risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the enterprise.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure A.1 was obtained from the COSO web site www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure A.1.


Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development. The IT Assurance Guide: Using COBIT, appendix VII—Maturity Model for Internal Control, in figure A.2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure A.2—Maturity Model for Internal Control

Maturity Level 0 Nonexistent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1 Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2 Repeatable but intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Figure A.2—Maturity Model for Internal Control (continued)

Maturity Level 3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4 Managed and measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5 Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholders' concurrence before submitting the final report to management. At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards
ISACA has long recognized the specialized nature of IT assurance and strives to advance


globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit/Assurance Standard S15 IT Controls, and IT Audit/Assurance Guideline G38 Access Controls are relevant to this audit/assurance program.

ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise. Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security
The review of SAP helps management ensure that it is secure. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing. Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time." Release levels are annotated separately to the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release. R/3 was introduced in 1992 with a three-tier architecture paradigm. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP NetWeaver® platform. The current core ERP solution offered by SAP is called SAP Enterprise Central Component (ECC 6.0), referred here as SAP ERP.

Business Impact and Risk
SAP is widely used in many enterprises. Improper configuration of SAP could result in an inability for the enterprise to execute its critical processes. Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:
- Disclosure of privileged information

- Single points of failure
- Low data quality
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements

Objective and Scope
Objective—The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.
Scope—The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills
This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.


VI. Expenditure Business Cycle Audit/Assurance Program


(Program table columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring | Reference Hyperlink | Issue Cross-reference | Comments)

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP

1.1 Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies. (COBIT cross-reference: ME1)

1.2 Determine whether: (COBIT cross-reference: ME1)
- Senior management has assigned responsibilities for information, its processing and its use
- User management is responsible for providing information that supports the entity's objectives and policies
- Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity
- Senior management approves plans for development and acquisition of information systems
- There are procedures to ensure that the information system being developed or acquired meets user requirements
- There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation
- All personnel involved in the system acquisition and configuration activities receive adequate training and supervision
- There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards
- User management participates in the conversion of data from the existing system to the new system


Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series) Audit/Assurance Programs and ICQs

- Final approval is obtained from user management prior to going live with a new information/upgraded system
- There are procedures to document and schedule all changes to information systems (including key ABAP programs)
- There are procedures to ensure that only authorized changes are initiated
- There are procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client
- There are procedures to allow for and control emergency changes
- There are procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software
- There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated
- The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions
- The database, application and presentation servers are located in a physically separate and protected environment (i.e., a data center)
- Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational
- Backup and recovery plans allow users of information systems to resume operations in the event of an interruption
- Application controls are designed with regard to any


Security, Audit and Control Features SAP ERP, 3rd Edition (Technical and Risk Management Reference Series) Audit/Assurance Programs and ICQs

C,S,
Information and Communication Control Environment Risk Assessment Control Activities

Audit/Assurance Program Ste!

%ea$nesses in segregation, securit&, de"elo!ment and !rocessing controls that ma& a##ect the in#ormation s&stem Access to the Im!lementation /uide (I./) during !roduction has een restricted 'he !roduction client settings ha"e een #lagged to not allo% changes to !rograms and con#iguration #7 PRELI3I:AR; A8DI, S,EPS 1) /ain an understanding o# the SAP 04P en"ironment) 1)1 'he same ac$ground in#ormation o tained #or the SAP 04P 2asis Securit& audit !lan is re9uired #or and rele"ant to the usiness c&cles) In !articular, the #ollo%ing in#ormation is im!ortantD 3ersion and release o# SAP 04P im!lemented 'otal num er o# named users (#or com!arison %ith logical access securit& testing results) <um er o# SAP instances and clients Accounting !eriod, com!an& codes and chart o# accounts Identi#ication o# the com!onents eing used (Human Ca!ital .anagement, *inancials, 1!erations, Cor!orate Ser"ices) Whether the organiAation has created an& locall& de"elo!ed A2AP !rograms or re!orts :etails o# the ris$ assessment a!!roach ta$en in the organiAation to identi#& and !rioritiAe ris$s Co!ies o# the organiAation>s $e& securit& !olicies and standards 1)@ 1 tain details o# the #ollo%ingD 'he 1rganiAational .anagement .odel as it relates to e5!enditure acti"it&, i)e), !urchasing organiAation unit structure in SAP 04P and !urchasing/accounts !a&a le organiAation chart (re9uired %hen

COBIT cross-reference: PO2 PO3 PO4 PO6 PO9 DS2 DS5 AI2 AI6 ME2

COBIT cross-reference: AI1 DS5 DS6


e"aluating the results o# access securit& control testing) An inter"ie% o# the s&stems im!lementation team, i# !ossi le, and the !rocess design documentation #or materials management @) Identi#& the signi#icant ris$s and determine the $e& controls) @)1 :e"elo! a high(le"el !rocess #lo% diagram and o"erall understanding o# the 05!enditure !rocessing c&cle, including the #ollo%ing su !rocessesD .aster data maintenance Purchasing In"oice !rocessing Processing dis ursements @)@ Assess the $e& ris$s, determine $e& controls or control %ea$nesses, and test controls (re#er to sam!le testing !rogram elo% and cha!ter I3 #or techni9ues #or testing con#igura le controls and logical access securit&) regarding the #ollo%ing #actorsD 'he controls culture o# the organiAation (e)g), a 8ust(enough control !hiloso!h&) 'he need to e5ercise 8udgment to determine the $e& controls in the !rocess and %hether the controls structure is ade9uate (An& %ea$nesses in the control structure should e re!orted to e5ecuti"e management and resol"ed)) C7 DE,AILED A8DI, S,EPS 17 3aster Data 3aintenance 171 Changes made to master data are valid. com!lete. accurate and timel67 1)1)1 :etermine %hether the changes made to the master data are

COBIT cross-reference: PO9 AI1 DS11

COBIT cross-reference: PO9 DS5 DS9 ME2


complete, accurate and timely. Using the specified transaction code or SA38, determine whether the following report of changes to master data is compared to authorized source documents and/or a manual log of requested changes to ensure that they were input accurately and on a timely basis:
For vendor master data, use transaction code S_ALR_87010039 (also accessible through transaction code SA38 and program RFKABL00) to produce a list of master data changes.
1.1.2 Determine whether access to create and change vendor pricing master data is restricted to a dedicated area and to authorized individuals. Review organization policy and process design specifications regarding access to maintain master data. Test user access by using transaction code SUIM → Users → Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002; refer to chapter 4 on how to test user access) to create and maintain vendor master data as follows:
Finance entry: transaction codes FK01 (Create), FK02 (Change), FK05 (Block/Unblock), FK06 (Delete)
Purchasing entry: transaction codes MK01 (Create), MK02 (Change), MK05 (Block/Unblock), MK06 (Delete)
Centralized entry: transaction codes XK01 (Create), XK02 (Change), XK05 (Block/Unblock), XK06 (Delete)
Test user access to transactions to maintain vendor pricing information:
Create info record: ME11
Change info record: ME12
Delete info record: ME15

COBIT cross-reference: AI6 DS11


Create condition: MEK1
Change condition: MEK2
Create condition with reference: MEK4
1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using transaction code OBD3 and ascertain whether account groups have been set up covering one-time vendor or other vendor accounts. For high-risk account groups such as one-time vendors, check whether authorization has been marked as a required field.
1.1.4 Determine whether a naming convention should be used for vendor names (e.g., as per letterhead) to minimize the risk of establishing duplicated vendor master records. Extract a list of vendor account names from table LFA1 (fields: NAME1 = name, LIFNR = vendor number). Review a sample for compliance with the organization's naming convention. View or search the list (using scan search software tools, if available) for potential duplicates.
1.2 Inventory master data remain current and pertinent.
1.2.1 Determine whether management periodically reviews master data to check their currency and ongoing pertinence, and whether the appropriate management displays or produces a list of vendors using report RFKKVZ00 or equivalent. Confirm evidence of management's review of the data on a rotating basis for currency and ongoing pertinence.
2. Purchasing
2.1 Purchase order entry and changes are valid, complete, accurate and timely.

COBIT cross-reference: DS9 DS11 DS12

COBIT cross-reference: PO9 DS11

COBIT cross-reference: DS11 ME1
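Step 1.1.4 above asks the reviewer to extract NAME1 and LIFNR from table LFA1 and search the list for naming-convention breaches and potential duplicate vendors. The following script is an added example, not code from the ISACA program: it runs that search over a constructed LFA1 extract, using an assumed naming convention (capitalized words, single spaces, no trailing period) that should be replaced with the organization's own rule.

```python
"""Vendor master duplicate and naming-convention check (added example).

Illustrates audit step 1.1.4: normalize NAME1 values from an LFA1 extract so
that spelling, case, punctuation and legal-form variants of the same company
collide, then report the colliding LIFNRs and any names that break the
(assumed) naming convention. The extract below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample of an LFA1 extract: (LIFNR, NAME1).
LFA1_EXTRACT = [
    ("0000100001", "Acme Industrial Supplies Ltd"),
    ("0000100002", "ACME INDUSTRIAL SUPPLIES LTD."),
    ("0000100003", "Northwind Traders"),
    ("0000100004", "Acme Industrial Supplies Limited"),
    ("0000100005", "Northwind  Traders Inc"),
    ("0000100006", "Contoso Pharmaceuticals"),
    ("0000100007", "Zeta Logistics GmbH"),
]

# Legal-form words that often differ between records for the same company.
LEGAL_FORMS = {"ltd", "limited", "inc", "incorporated", "gmbh", "llc",
               "plc", "co", "corp", "corporation"}


def normalize_name(name: str) -> str:
    """Reduce a vendor name to a comparison key: lowercase, strip
    punctuation, collapse whitespace and drop legal-form words, so that
    'Acme, Ltd.' and 'ACME LIMITED' both map to 'acme'."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_FORMS)


def find_potential_duplicates(extract):
    """Group LIFNRs whose normalized NAME1 collides.

    Returns {normalized_key: [LIFNR, ...]} for groups of two or more vendors;
    each group is a candidate duplicate master record for manual review."""
    groups = defaultdict(list)
    for lifnr, name1 in extract:
        groups[normalize_name(name1)].append(lifnr)
    return {key: lifnrs for key, lifnrs in groups.items() if len(lifnrs) > 1}


# Assumed naming convention for the example: every word starts with a
# capital letter, words are separated by single spaces, no trailing period.
CONVENTION = re.compile(r"^[A-Z][A-Za-z0-9&'-]*( [A-Z][A-Za-z0-9&'-]*)*$")


def convention_exceptions(extract):
    """Return LIFNRs whose NAME1 does not match the naming convention."""
    return [lifnr for lifnr, name1 in extract if not CONVENTION.match(name1)]


if __name__ == "__main__":
    for key, lifnrs in find_potential_duplicates(LFA1_EXTRACT).items():
        print(f"potential duplicate '{key}': {', '.join(lifnrs)}")
    print("naming convention exceptions:", convention_exceptions(LFA1_EXTRACT))
```

On the sample data the script groups the three Acme records and the two Northwind records as potential duplicates and flags the two names with a trailing period or double space as convention exceptions.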


2.1.1 Determine whether purchase orders are handled with a valid process and terms and if processing is complete, accurate and timely. Determine whether the ability to create, change, or cancel purchase requisitions, purchase orders, and outline agreements (standing purchase orders) is restricted to authorized personnel by testing access to the following transactions:
Create Purchase Requisition: ME51/ME51N
Change Purchase Requisition: ME52/ME52N
Release Purchase Requisition: ME54/ME54N
Collective Release of Purchase Requisition: ME55
Create Purchase Order, Vendor Known: ME21/ME21N
Change Purchase Order: ME22/ME22N
2.1.2 Determine whether the SAP ERP source list functionality allows specified materials to be purchased only from vendors included in the source list for the specified material. Through discussions with management, determine (types of) materials for which source lists should be available in the system. Also, determine (types of) materials for which a source list should not be present. Examine a selection of materials and view the corresponding source list using the following reports to corroborate the performance of the control activity in the appropriate accounting period:
ME06 reports on all material items and whether they belong to a source list or not.
ME0M shows all material items and any associated vendors (including historic data). To run ME0M, specify a material or a range of materials. Use the match code, click on the Search Help option and choose option J (material by material group) to get a list of materials.

COBIT cross-reference: DS5 DS11

COBIT cross-reference: DS11


Select the !re"iousl& mentioned sam!le o# orders and chec$ against source list re!orts to determine i# s!eci#ic materials ha"e een !rocured %ith unlisted "endors) @)1); :etermine %hether the SAP 04P release strateg& is used to authoriAe !urchase orders, outline agreements (standing !urchase orders) and unusual !urchases (e)g), ca!ital outla&s)) 1 tain su##icient understanding o# the s&stem con#iguration to assess the ade9uac& o# the release strateg& as de#ined and im!lemented & the organiAation, as %ell as the #unction and e##ecti"eness o# esta lished !olicies, !rocedures, standards and guidance) 05ecute the #ollo%ing transactions to o tain an understanding o# the %a& the s&stem has een con#iguredD 4elease !rocedureD Purchase 1rdersP'ransaction SP41 menu !athD .aterials .anagement T Purchasing T Purchase 1rder T 4elease Procedure #or Purchase 1rders T :e#ine 4elease Procedure #or Purchase 1rders 4e9uisitions (%ith classi#ication)P'ransaction SP41 menu !athD .aterial .anagement T Purchasing T Purchase 4e9uisitions T 4elease Procedure T Procedure %ith Classi#ication T Set C! Procedure %ith Classi#ication $ Clic$ on 4elease Strateg&) Select the strategies one & one, & dou le(clic$ing on the strateg&) <ote the release codes that are sho%n and chec$ authoriAation (authoriAation o 8ects .S2A<*S*4/ and .S0I<IS*4/) #or these release codes) $ Clic$ on Classi#ication) 'his %ill sho% the conditions under %hich the !urchase document %ill e loc$ed) Ascertain i# these conditions com!l& %ith management>s intentions) 4elease !rocedure Purchase 4e9uisitions (%ithout classi#ication)P 'ransaction SP41 menu !athD .aterial .anagement T Purchasing

COBIT cross-reference: DS5 DS9 DS13 ME1


→ Purchase Requisitions → Release Procedure → Set Up Procedure without Classification
- Click on Release Prerequisites. Note the release codes that are shown and check authorization for these release codes.
- Re-execute the above SPRO menu path and click on Determination of Release Strategy. This will show the conditions under which the purchase document will be blocked. Ascertain if these conditions comply with management's intentions.
Test user access to transactions for release strategies:
- Release Purchase Order: ME28
- Release Outline Agreement: ME35
- Release Purchase Requisition: ME54
- Collective Release of Purchase Requisitions: ME55
2.2 Goods are received only for valid purchase orders and goods receipts are recorded completely, accurately and in a timely manner.
2.2.1 Determine whether goods (or materials or equipment) are received only when there are valid purchase orders, or if goods receipts are always recorded completely, accurately and in a timely manner. Determine whether an investigation takes place when receipts have no purchase order or exceed the purchase order quantity by more than an established amount. Does management review exception reports of goods not received on time for recorded purchases? Run transaction code VL10B (also accessible using transaction code SA38 and program RM06EM00) to produce a listing of purchase orders outstanding. Ascertain from management if there are any reasons for any long-

COBIT cross-reference: DS5 DS9


outstanding items on the report.
2.2.2 Determine whether order entry data are transferred completely and accurately to the shipping and invoicing activities, and if the ability to input, change or cancel goods received transactions is restricted to authorized inbound logistics/raw materials personnel. Test user access to transactions for goods receipt as follows:
Goods Receipt for Purchase Order: MB01
Goods Receipts, Purchase Order Unknown: MB0A
Goods Receipt for Production Order: MB31
Other Goods Receipts: MB1C
Cancel/Reverse Material Document: MBST

COBIT cross-reference: AI2 DS5 DS11

Test user access to high-risk movement types: transaction code MB1C, authorization object M_MSEG_BWA and fields ACTV and movement types BWART 561 through 566. These special movement types reflect the initial stock entry in the SAP ERP system at the time of conversion to the SAP ERP system.
2.3 Defective goods are returned to suppliers in a timely manner.
2.3.1 Determine whether defective goods (or materials or equipment) are returned in a timely manner to suppliers, are adequately segregated from other goods in a quality assurance bonding area, and are regularly monitored (assigned a specific movement type, e.g., 122) to ensure timely return to suppliers, and whether credit is received in a timely manner. Ascertain from management the movement type used to block processing and for returning rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with the appropriate movement type. Determine if there are any long-outstanding materials
COBIT cross-reference: DS2 DS11


pending return to suppliers or receipt of appropriate credits.
3. Invoice Processing
3.1 Amounts posted to accounts payable represent goods or services received.
3.1.1 Determine whether amounts posted to accounts payable represent goods or services received; the ability to input, change, cancel or release vendor invoices for payment is restricted to authorized personnel; and the ability to input vendor invoices that do not have a purchase order and/or goods receipt is restricted to authorized personnel. Test user access to transactions for invoice processing:
Enter Invoice: MRHR, MIRO, MR01
Change Invoice: FB02
Process Blocked Invoice: MR02
Cancel Invoice: MR08
Enter Credit Memo: MRHG
3.2 Accounts payable amounts are calculated completely and accurately and recorded in a timely manner.
3.2.1 Determine whether the SAP ERP software is configured to perform a three-way match. Transaction SPRO menu path: Materials Management → Purchasing → Purchase Order → Define Screen Layout at Document Level (Change View field selection at document level: Overview) by selecting ME21 (Create Purchase Order) and then selecting GR/IR Control. Determine whether GR/IR Control has been set globally to required entry. If the GR/IR Control indicator has not been set globally for all vendors, determine whether it has been set for particular vendors by displaying table LFM1, field name WEBRE, using transaction SE16. Where GR/IR Control has not been set,

COBIT cross-reference: AI6 DS6 DS9

COBIT cross-reference: DS5 DS9


ascertain from management if there are any reasons.
3.2.2 Determine whether the SAP ERP software is configured with quantity and price tolerance limits. Check tolerance limits for price variances and message settings for invoice verification (online matching) as follows:
Variance settings: Execute transaction OMR6. The system will show an overview of the defined tolerance limits. Double-click on the entries that relate to the organization being audited. Check two entries: one for tolerance key PE (price) and one for tolerance key SE (discount). Note the values shown. Both a lower and upper limit may be specified as a percentage value. (PE also allows setting of an absolute value.)
Message settings:
- Transaction SPRO menu path: Materials Management → Purchasing → Environment Data → Define Attributes of System Messages
- Click on the Position button. Enter values 00, 06 and 207 (message for price variance) and press Enter. Note the value in the cat field. Possible values are W for warning and E for error. Ascertain whether the values noted comply with management intentions.
3.2.3 Determine if GR/IR account balance reports (transaction code S_P6B_12000135, also accessible using transaction code SA38 and program RM07MSAL) are executed and reviewed periodically. Check that there are appropriate procedures in place to investigate unmatched purchase orders. In particular, long-outstanding items should be

COBIT cross-reference: DS9 DS10

COBIT cross-reference: AI6


followed up and cleared.
3.2.4 Determine whether reports of outstanding purchase orders are reviewed regularly. Run transaction code SA38 and program RM06EM00 to produce a listing of purchase orders outstanding and review long-outstanding items with management.
3.2.5 Determine whether the SAP ERP software restricts the ability to modify the exchange rate table to authorized personnel, management approves values in the centrally maintained exchange rate table and the SAP ERP software automatically calculates foreign currency translations based on values in the centrally maintained exchange rate table. Determine whether management reviews a sample of changes to exchange rates above a certain percentage with regard to the volume and value of foreign currency transactions for the organization. Test user access to the exchange rates and the related authorization objects:
Exchange rate via standard transaction: First, execute transaction SUCU. Click on Position. Enter value V_TCURR and press Enter. Note the value in the authorization group field. Then test user access to transaction code OB08, authorization object S_TABU_DIS (Class Basis: Administration), field activity: value 02 and field authorization group: value noted with transaction SUCU.
Exchange rate via view maintenance: First, execute transaction SUCU. Click on Position. Enter table name value V_T001R, click on Choose. Note the value in the authorization group field. Do the same for table V_TCURF. Then test user access to transaction codes as follows with authorization object S_TABU_DIS (Class

COBIT cross-reference: PO11

COBIT cross-reference: AI6 DS5


Basis: Administration), field activity: 02 and field authorization group: value noted with transaction SUCU:
Maintain Table Rounding Units: OB90
Maintain Table Foreign Currency Ratios: OBBS
Table View Maintenance: SM30
3.3 Credit notes and other adjustments are calculated completely and accurately and recorded in a timely manner.
3.3.1 Determine whether the ability to input, change, cancel or release credit notes is restricted to authorized personnel. Test user access to post invoices directly to vendor accounts:
Enter Credit Note: MRHG
Enter Invoice: MRHR, MIRO, MR01
4. Processing Disbursements
4.1 Disbursements are made only for goods and services received, and are calculated accurately, recorded and distributed to the appropriate suppliers in a timely manner.
4.1.1 Determine whether disbursements are made only for goods and services received, and are calculated accurately, recorded and distributed to the appropriate suppliers in a timely manner. Determine whether management approves the SAP ERP payment run parameter specification. Test user access to transactions to process disbursements:
Automatic Payment Transactions: F110S
Parameters for Payment: F110
Payment With Printout: F-58
4.1.2 Test user access to blocked invoices:
Change Document: FB02
Change Line Items: FB09

COBIT cross-reference: PO2 DS5

COBIT cross-reference: DS5 PO6


Block/Unblock Vendor (Centrally): XK05
Block/Unblock Vendor: FK05
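The detailed audit steps above repeatedly ask the reviewer to test which users can execute the listed transaction codes (SUIM → Users by Complex Selection Criteria, program RSUSR002), and the ICQ at the start of this section asks whether incompatible functions are segregated. The following script is an added example, not code from the ISACA program: it evaluates a constructed RSUSR002-style extract of (user, transaction code) pairs against an assumed list of authorized users per function and an assumed incompatible-function matrix, both of which must be taken from the organization's own process design and segregation-of-duties policy.

```python
"""User access and segregation-of-duties check over an RSUSR002-style
extract (added example).

The function groups reuse the transaction codes named in the audit steps.
The conflict matrix, the authorized-user lists and the extract itself are
constructed for the example.
"""
from itertools import combinations

# Transaction codes from the audit steps, grouped by business function.
FUNCTIONS = {
    "vendor_master": {"FK01", "FK02", "FK05", "FK06", "MK01", "MK02", "MK05",
                      "MK06", "XK01", "XK02", "XK05", "XK06"},
    "purchase_order": {"ME21", "ME21N", "ME22", "ME22N"},
    "goods_receipt": {"MB01", "MB0A", "MB31", "MB1C", "MBST"},
    "invoice_entry": {"MRHR", "MIRO", "MR01", "MRHG"},
    "payment_run": {"F110", "F110S", "F-58"},
}

# Assumed incompatible-function pairs (example only).
CONFLICTS = {
    frozenset({"vendor_master", "invoice_entry"}),
    frozenset({"vendor_master", "payment_run"}),
    frozenset({"invoice_entry", "payment_run"}),
    frozenset({"purchase_order", "goods_receipt"}),
}

# Assumed users authorized per function (from process design specifications).
AUTHORIZED = {
    "vendor_master": {"APCLERK1"},
    "purchase_order": {"BUYER1", "BUYER2"},
    "goods_receipt": {"WHOUSE1"},
    "invoice_entry": {"APCLERK1", "APCLERK2"},
    "payment_run": {"TREASURY1"},
}

# Constructed RSUSR002-style extract: (user ID, executable transaction code).
EXTRACT = [
    ("APCLERK1", "XK01"), ("APCLERK1", "MIRO"),
    ("APCLERK2", "MIRO"), ("APCLERK2", "F110"),
    ("BUYER1", "ME21N"), ("BUYER1", "MB01"),
    ("BUYER2", "ME22N"),
    ("WHOUSE1", "MB01"), ("WHOUSE1", "MBST"),
    ("TREASURY1", "F110"), ("TREASURY1", "F-58"),
    ("BASISADM", "SE16"),
]


def functions_per_user(extract):
    """Map each user to the set of business functions their transaction
    codes grant. Codes outside FUNCTIONS (e.g., SE16) are ignored here."""
    result = {}
    for user, tcode in extract:
        for func, tcodes in FUNCTIONS.items():
            if tcode in tcodes:
                result.setdefault(user, set()).add(func)
    return result


def unauthorized_access(extract):
    """Return sorted (user, function) pairs where the user holds a function
    without being on the authorized list for it."""
    findings = []
    for user, funcs in functions_per_user(extract).items():
        for func in funcs:
            if user not in AUTHORIZED.get(func, set()):
                findings.append((user, func))
    return sorted(findings)


def sod_conflicts(extract):
    """Return sorted (user, function_a, function_b) triples for users holding
    an incompatible pair of functions. A user can be on both authorized
    lists and still appear here, which is the point of checking both."""
    findings = []
    for user, funcs in functions_per_user(extract).items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in CONFLICTS:
                findings.append((user, a, b))
    return sorted(findings)


if __name__ == "__main__":
    for user, func in unauthorized_access(EXTRACT):
        print(f"{user}: not authorized for {func}")
    for user, a, b in sod_conflicts(EXTRACT):
        print(f"{user}: holds incompatible functions {a} and {b}")
```

On the sample extract APCLERK1 passes the authorization check for both vendor master and invoice entry yet is reported as a segregation conflict, while APCLERK2 and BUYER1 fail both checks.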


VII. Maturity Assessment


The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review, and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.

COBIT Control Practice


AI6.1 Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the policies and processes, including:
- Roles and responsibilities
- Classification and prioritization of all changes based on business risk
- Assessment of impact
- Authorization and approval of all changes by the business process owners and IT
- Tracking and status of changes
- Impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organizational change management processes with change management processes of service providers. Consider the impact of the organizational change management process on contractual terms and SLAs.
AI6.2 Impact Assessment, Prioritization and Authorization
1. Develop a process to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
3. Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies among changes. Involve business process owners in

Assessed Maturity
Target Maturity
Reference Hyperlink
Comments



the assessment process, as appropriate.
5. Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.
AI6.4 Change Status Tracking and Reporting
1. Ensure that a documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
2. Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
3. Ensure that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
4. Conduct a postimplementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorize access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into account:
- Sensitivity of information and applications involved (data classification)
- Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
- Roles and responsibilities as defined within the enterprise
- The need-to-have access rights associated with the function
- Standard but individual user access profiles for common job roles in the organization
- Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organization, or who have changed roles or jobs.



DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
- Using unique user IDs to enable users to be linked to and held accountable for their actions
- Awareness that the use of group IDs results in the loss of individual accountability and that they are permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented.
- Checking that the user has authorization from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
- A procedure to require users to understand and acknowledge their access rights and the conditions of such access
- Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
- Maintaining a formal record, including access levels, of all persons registered to use the service
- A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorizations for special privileged access rights should be reviewed independently at more frequent intervals.
DS9.1 Configuration Repository and Baseline
1. Implement a configuration repository to capture and maintain configuration management items. The repository should include hardware; application software; middleware; parameters; documentation; procedures; and tools for operating, accessing and using the systems, services, version numbers and licensing details.
2. Implement a tool to enable the effective logging of configuration management information within a repository.
3. Provide a unique identifier to a configuration item so the item can be easily tracked and related to physical asset tags and financial records.
4. Define and document configuration baselines for components across development, test and production environments, to enable identification of system configuration at specific points in time (past, present and planned).
5. Establish a process to revert to the baseline configuration in the event of problems, if determined appropriate after initial investigation.
6. Install mechanisms to monitor changes against the defined repository and baseline. Provide management reports for exceptions, reconciliation and decision making.
DS9.2 Identification and Maintenance of Configuration Items
1. Define and implement a policy requiring all configuration items and their attributes and versions to be identified and maintained.



2. Tag physical assets according to a defined policy. Consider using an automated mechanism, such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative attributes and versions. Identify and maintain the relationships between configuration items in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions (component failure impact analysis).
7. Record all assets, including new hardware and software, procured or internally developed, within the configuration management data repository.
8. Define and implement a process to ensure that valid licenses are in place to prevent the inclusion of unauthorized software.
DS9.3 Configuration Integrity Review
1. To validate the integrity of configuration data, implement a process to ensure that configuration items are monitored. Compare recorded data against actual physical existence, and ensure that errors and deviations are reported and corrected.
2. Using automated discovery tools where appropriate, reconcile actual installed software and hardware periodically against the configuration database, license records and physical tags.
3. Periodically review, against the policy for software usage, the existence of any software in violation or in excess of current policies and license agreements. Report deviations for correction.


Inventory Business Cycle


I. Introduction

Overview
ISACA developed ITAF™: A Professional Practices Framework for IT Assurance as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, and tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a roadmap for the completion of a specific assurance process. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200, General Standards. The audit/assurance programs are part of ITAF, section 4000, IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the COBIT framework, specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF, sections 3400 (IT Management Processes), 3600 (IT Audit and Assurance Processes), and 3800 (IT Audit and Assurance Management). Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename columns in the audit program to align with the enterprise's control framework.

IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives with steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool

and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. IT audit and assurance professionals are encouraged to make modifications to this document to reflect the specific environment under review.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level. The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on


ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure A.1.
Figure A.1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the enterprise's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an enterprise's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise's mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an enterprise's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the enterprise's risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the enterprise.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure A.1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure A.1.


Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development. The IT Assurance Guide: Using COBIT, appendix VII (Maturity Model for Internal Control), in figure A.2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure A.2: Maturity Model for Internal Control
(For each maturity level: Status of the Internal Control Environment, then Establishment of Internal Controls.)

Maturity Level 0, Nonexistent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1, Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2, Repeatable but intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3, Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4, Managed and measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5, Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to management. At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards
ISACA has long recognized the specialized nature of IT assurance and strives to advance


globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit and Assurance Standard S15 IT Controls, and IT Audit and Assurance Guideline G38 Access Controls are relevant to this audit/assurance program.

ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise. Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security
The review of SAP helps management ensure that it is secure. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing. Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time." Release levels are annotated separately to the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release. R/3 was introduced in 1992 with a three-tier architecture paradigm. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP NetWeaver® platform. The current core ERP solution offered by SAP is called SAP Enterprise Central Component (ECC 6.0), referred to here as SAP ERP.

Business Impact and Risk
SAP is widely used in many enterprises. Improper configuration of SAP could result in an inability for the enterprise to execute its critical processes. Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:
- Disclosure of privileged information

- Single points of failure
- Low data quality
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements

Objective and Scope
Objective: The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.
Scope: The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills
This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures, and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.


VI. Inventory Business Cycle Audit/Assurance Program


Program table columns: Audit/Assurance Program Step | COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | COBIT Cross-reference | Reference Hyperlink | Issue Cross-reference | Comments

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP
1. Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
1.1 Determine whether:
- Senior management has assigned responsibilities for information, its processing and its use
- User management is responsible for providing information that supports the entity's objectives and policies
- Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity
- Senior management approves plans for development and acquisition of information systems
- There are procedures to ensure that the information system being developed or acquired meets user requirements
- There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation
- All personnel involved in the system acquisition and configuration activities receive adequate training and supervision
- There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards
- User management participates in the conversion of data from the existing system to the new system

COBIT cross-reference: ME1; ME1


- Final approval is obtained from user management prior to going live with a new information/upgraded system
- There are procedures to document and schedule all changes to information systems (including key ABAP programs)
- There are procedures to ensure that only authorized changes are initiated
- There are procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client
- There are procedures to allow for and control emergency changes
- There are procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software
- There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated
- The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions
- The database, application and presentation servers are located in a physically separate and protected environment (i.e., a data center)
- Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational
- Backup and recovery plans allow users of information systems to resume operations in the event of an interruption
- Application controls are designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system


- Access to the Implementation Guide (IMG) during production has been restricted
- The production client settings have been flagged to not allow changes to programs and configuration

B. PRELIMINARY AUDIT STEPS
1. Gain an understanding of the SAP ERP environment.
1.1 The same background information obtained for the SAP ERP Basis Security audit plan is required for and relevant to the business cycles. In particular, the following information is important:
- Version and release of SAP ERP implemented
- Total number of named users (for comparison with logical access security testing results)
- Number of SAP instances and clients
- Accounting period, company codes and chart of accounts
- Identification of the components being used (Human Capital Management, Financials, Operations, Corporate Services)
- Whether the organization has created any locally developed ABAP programs or reports
- Details of the risk assessment approach taken in the organization to identify and prioritize risks
- Copies of the organization's key security policies and standards
1.2 Obtain the following relevant business cycle details:
- The Organizational Model as it relates to inventory activity, i.e., plant organization unit structure in SAP ERP and manufacturing organization chart (required when evaluating the results of access security control testing)
- An interview of the systems implementation team, if possible, and

COBIT cross-reference: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME2

COBIT cross-reference: PO4, AI4


process design documentation for materials and warehouse management
2. Identify the significant risks and determine the key controls.
2.1 Develop a high-level process flow diagram and overall understanding of the Inventory processing cycle, including the following subprocesses:
- Master data maintenance
- Raw materials management
- Producing and costing inventory
- Handling and shipping finished goods
2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the detailed sample testing program below and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
- The controls culture of the organization (e.g., a just-enough control philosophy)
- The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)

C. DETAILED AUDIT STEPS
1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Take a sample of inventory file updates using transaction MB59, which allows users to perform a search on multiple materials by a particular range of dates, and check back to authorized source documentation. Review the process for physical stock-takes to confirm the complete, accurate, valid and timely

COBIT cross-reference cells for the steps above (flattened from the table): DS6 DS11 DS12 DS13 / PO9 ME2 / DS11 DS13

recording of stock differences.

1.1.2 Review organization policy and process design specifications regarding access to maintain material master data. Test user access to the following transaction codes:
- Create Material (MM01)
- Change Material (MM02)
- Flag Material for Deletion (MM06)

1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
- Material Types: Transaction SPRO, menu path Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
- Industry Sector: Transaction SPRO, menu path Logistics General > Material Master > Field Selection > Define industry sectors and industry-sector-specific field selection
- Default Price Types: Execute transaction OMW1 and determine whether default settings have been set for the price type for material records.
- Tolerances for physical inventory differences: Execute transaction OMJ2 and compare defined tolerances to organizational policy and judge for reasonableness.

1.2 Inventory master data remain current and pertinent.

1.2.1 Determine whether the appropriate management runs the materials list transaction code MM60, or equivalent, by material type and confirm evidence of management's review of the data on a

COBIT cross-reference cells for the steps above (flattened from the table): DS11 DS13 / PO9 DS6 DS11 DS12 DS13 ME1 ME2 / DS11 ME1 ME4

rotating basis for currency and ongoing pertinence.

1.3 Settings or changes to the bill of materials or process order settlement rules are valid, complete, accurate and timely.

1.3.1 Review organization policy and process design specifications regarding access to maintain bill of materials and process order settlement rules. Test user access to the following transaction codes:
- Create Material BOM (CS01)
- Change Material BOM (CS02)
- Make Mass Changes (CS20)
- Change Single-layered BOM (CS72)
- Change Multi-layered BOM (CS75)
- Change settlement rules (CO02); nondisplayable transaction code I12I (refer to menu path: Logistics > Production Process > Process Order > Process Order > Display). Enter the process order number and press Enter, then go to Header > Settlement Rule.

1.3.2 Take a sample of BOM updates using transaction CS80 and check back to authorized source documentation.

2. Raw Materials Management

2.1 Inventory is salable, usable and safeguarded adequately.

2.1.1 Confirm that the distribution resource planning (DRP) process takes into account stock on hand, forecast requirements, economic order quantities and back orders. Execute transaction code MB5M and ascertain the reason for any old stock being held (shelf-life list). Use transaction MC46 to identify slow-moving items and MC50 for "dead" stock (i.e., stock that has not been used for a certain period of time). Test that managers are reviewing this

COBIT cross-reference cells for the steps above (flattened from the table): DS13 ME1 / DS13 / DS6 DS13 ME1

information on a regular basis.

2.2 Raw materials are received and accepted only with valid purchase orders and are recorded accurately and in a timely manner.

2.2.1 Test that management executes the report of outstanding purchase orders using transaction ME2L (refer to Expenditure cycle 2.2.1) and follows up on any long-outstanding items.

2.2.2 Review the reconciliation of the goods received/invoice received account (transaction code MB5S, refer to Expenditure cycle 3.2.3) and confirm that unmatched items have been investigated in a timely manner.

2.2.3 Test user access to transactions for goods receipt (refer to Expenditure cycle 2.2.2) as follows:
- Goods Receipt for Purchase Order (MB01)
- Goods Receipts Purchase Order Unknown (MB0A)
- Goods Receipt for Order (MB31)
- Enter Other Goods Receipts (MB1C)
- Cancel Material Document (MBST)
- Goods Movement (MIGO)

2.2.4 Test the controls over inventory stock takes (refer to 1.1.1).

2.3 Defective raw materials are returned to suppliers in a timely manner.

2.3.1 Ascertain from management the movement type used to block processing and for returning rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with the appropriate movement type (refer to Expenditure cycle 2.3.1). Determine if there are any long-outstanding materials pending return to suppliers or receipt of appropriate credits.

3. Producing and Costing Inventory

COBIT cross-reference cells for the steps above (flattened from the table): DS13 ME1 ME2 / DS12 DS13 ME1 / DS13

3.1 Transfers of materials to/from production, production costs and defective products/scrap are valid and recorded accurately, completely and in the appropriate period.

3.1.1 Review the policy and procedures concerning the transfer of materials and confirm that the above controls are in place and operating. Test that inventory-in-transit accounts are regularly reviewed to ensure the accounts are cleared and reconciled. Confirm that default price types have been established for all materials (refer to 1.1.3).

3.1.2 Test user access to BOMs (refer to 1.3.1).

3.1.3 Test user access to issue goods (transaction code MB1A), post transfers between plants (transaction code MB1B) and move goods (transaction code MIGO).

3.1.4 Test user access to create (transaction code CR01) or change (transaction code CR02) work centers.

4. Handling and Shipping Finished Goods

4.1 Finished goods received from production are recorded completely and accurately in the appropriate period.

4.1.1 Test inventory stock-take procedures (refer to 1.1.1).

4.1.2 Test user access to change settlement rules (refer to 1.3.1).

4.2 Goods returned by customers are accepted in accordance with the organization's policies.

4.2.1 Review the policies and procedures for receiving inventory back into the warehouse. Review some returns of inventory and ensure that they are supported with adequate documentation from the quality inspector. Ascertain from management the movement

COBIT cross-reference cells for the steps above (flattened from the table): DS6 ME2 / DS13 ME1 DS13 ME1 / DS13 ME1 DS13 ME1 AI4 ME1 AI4 ME1

type used for goods returned from customers. Execute transaction MB51 with the appropriate movement type. Determine if there are any long-outstanding materials pending return to inventory or provision of appropriate credits.

4.3 Shipments are recorded accurately, in a timely manner and in the appropriate period.

4.3.1 Test user access to Transfer Stock Between Plants (transaction code LT04) or Change Outbound Delivery (transaction code VL02N).

4.3.2 Take a sample of the delivery due list and the Owed to Customer report and test for evidence of management action. Review settings, using transaction code OMWB, and confirm that account assignments are set to valid COGS accounts.
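As an added example (not part of ISACA's program or the book), the following Python script performs the "test user access to the following transaction codes" checks of steps 1.1.2, 1.3.1, 2.2.3, 3.1.3, 3.1.4 and 4.3.1 over a user-to-transaction extract and reports every assignment not covered by the approved-access list from the process design specification. The extract, the role names and the approved list are constructed here; in practice the extract would come from an SAP authorization export (for example the roles in AGR_USERS joined to AGR_TCODES), and the cross-step report at the end is this example's own addition for the reviewer's segregation-of-duties assessment, not a test the program prescribes.

```python
"""Access review for the transaction codes tested in the inventory cycle program.

Input rows are user,role,tcode. Output: exceptions per audit step, plus users
whose tested access spans more than one step group (example's own report).
"""
import csv
import io
from collections import defaultdict

# Sensitive transaction codes grouped by the audit step that tests them.
STEP_TCODES = {
    "1.1.2": {"MM01", "MM02", "MM06"},                              # material master
    "1.3.1": {"CS01", "CS02", "CS20", "CS72", "CS75", "CO02"},      # BOM / settlement rules
    "2.2.3": {"MB01", "MB0A", "MB31", "MB1C", "MBST", "MIGO"},      # goods receipt
    "3.1.3": {"MB1A", "MB1B", "MIGO"},                              # goods issue / transfer
    "3.1.4": {"CR01", "CR02"},                                      # work centers
    "4.3.1": {"LT04", "VL02N"},                                     # shipments
}

# Constructed sample extract (user, role, tcode); users and roles are invented.
SAMPLE_ASSIGNMENTS = """user,role,tcode
MMCLERK1,Z_MM_MASTER,MM01
MMCLERK1,Z_MM_MASTER,MM02
MMCLERK1,Z_MM_MASTER,MM06
WHCLERK1,Z_WH_RECEIPT,MB01
WHCLERK1,Z_WH_RECEIPT,MIGO
WHCLERK1,Z_MM_MASTER,MM02
ENGINEER1,Z_PP_BOM,CS01
ENGINEER1,Z_PP_BOM,CS02
ENGINEER1,Z_PP_BOM,CS20
TEMP_ALL,Z_WIDE_ROLE,MM01
TEMP_ALL,Z_WIDE_ROLE,MBST
TEMP_ALL,Z_WIDE_ROLE,VL02N
REPORTUSER,Z_MM_DISPLAY,MM03
"""

# Constructed approved-access list, as a process design specification would give it.
APPROVED = {
    "MMCLERK1": {"MM01", "MM02", "MM06"},
    "WHCLERK1": {"MB01", "MIGO"},
    "ENGINEER1": {"CS01", "CS02", "CS20"},
}


def parse_assignments(text):
    """Parse user,role,tcode rows into {user: {tcode: {roles granting it}}}."""
    assignments = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip().upper()
        tcode = row["tcode"].strip().upper()
        assignments[user][tcode].add(row["role"].strip())
    return assignments


def sensitive_steps(tcode):
    """Audit steps whose tested transaction-code list includes this tcode."""
    return sorted(step for step, codes in STEP_TCODES.items() if tcode in codes)


def review_access(assignments, approved):
    """One exception per (user, tcode) that is in a tested list but not approved."""
    exceptions = []
    for user, tcodes in assignments.items():
        allowed = approved.get(user, set())
        for tcode, roles in tcodes.items():
            steps = sensitive_steps(tcode)
            if not steps or tcode in allowed:
                continue  # display-only codes and approved access are not findings
            exceptions.append({
                "user": user,
                "tcode": tcode,
                "steps": steps,
                "roles": sorted(roles),
                "reason": "no approved entry" if user not in approved
                          else "tcode not approved for user",
            })
    return sorted(exceptions, key=lambda e: (e["user"], e["tcode"]))


def summarize(exceptions):
    """Count exceptions per audit step for the work paper."""
    counts = defaultdict(int)
    for e in exceptions:
        for step in e["steps"]:
            counts[step] += 1
    return dict(counts)


def cross_step_access(assignments):
    """Users whose tested access spans more than one step group (reviewer input)."""
    result = {}
    for user, tcodes in assignments.items():
        steps = set()
        for tcode in tcodes:
            steps.update(sensitive_steps(tcode))
        if len(steps) > 1:
            result[user] = sorted(steps)
    return result


if __name__ == "__main__":
    parsed = parse_assignments(SAMPLE_ASSIGNMENTS)
    found = review_access(parsed, APPROVED)
    for e in found:
        print(f"{e['user']:<10} {e['tcode']:<6} {e['reason']:<26} "
              f"via {', '.join(e['roles'])} (steps {', '.join(e['steps'])})")
    print("exceptions per step:", summarize(found))
    print("users spanning step groups:", cross_step_access(parsed))
```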

COBIT cross-reference cells for the steps above (flattened from the table): DS13 ME1 DS13 ME1 ME4

VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review, and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.
Maturity assessment table columns: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments

AI6.1 Change Standards and Procedures

1. Develop, document and promulgate a change management framework that specifies the policies and processes, including:
- Roles and responsibilities
- Classification and prioritization of all changes based on business risk
- Assessment of impact
- Authorization and approval of all changes by the business process owners and IT
- Tracking and status of changes
- Impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organizational change management processes with change management processes of service providers. Consider the impact of the organizational change management process on contractual terms and SLAs.

AI6.2 Impact Assessment, Prioritization and Authorization

1. Develop a process to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
3. Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies amongst changes. Involve


business process owners in the assessment process, as appropriate.
5. Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.

AI6.4 Change Status Tracking and Reporting

1. Ensure that a documented process exists within the overall change management process to declare, assess, authorize and record an emergency change.
2. Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
3. Ensure that all emergency access arrangements for changes are appropriately authorized, documented and revoked after the change has been applied.
4. Conduct a postimplementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.

DS5.3 Identity Management

1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorize access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into account:
- Sensitivity of information and applications involved (data classification)
- Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
- Roles and responsibilities as defined within the enterprise
- The need-to-have access rights associated with the function
- Standard but individual user access profiles for common job roles in the organization
- Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organization, or who have changed roles or jobs.


DS5.4 User Account Management

1. Ensure that access control procedures include but are not limited to:
- Using unique user IDs to enable users to be linked to and held accountable for their actions
- Awareness that the use of group IDs results in the loss of individual accountability and is permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented.
- Checking that the user has authorization from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
- A procedure to require users to understand and acknowledge their access rights and the conditions of such access
- Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
- Maintaining a formal record, including access levels, of all persons registered to use the service
- A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorizations for special privileged access rights should be reviewed independently at more frequent intervals.

DS9.1 Configuration Repository and Baseline

1. Implement a configuration repository to capture and maintain configuration management items. The repository should include hardware; application software; middleware; parameters; documentation; procedures; and tools for operating, accessing and using the systems, services, version numbers and licensing details.
2. Implement a tool to enable the effective logging of configuration management information within a repository.
3. Provide a unique identifier to a configuration item so the item can be easily tracked and related to physical asset tags and financial records.
4. Define and document configuration baselines for components across development, test and production environments, to enable identification of system configuration at specific points in time (past, present and planned).
5. Establish a process to revert to the baseline configuration in the event of problems, if determined appropriate after initial investigation.
6. Install mechanisms to monitor changes against the defined repository and baseline. Provide management reports for exceptions, reconciliation and decision making.

DS9.2 Identification and Maintenance of Configuration Items

1. Define and implement a policy requiring all configuration items and their attributes and versions to be identified and maintained.


2. Tag physical assets according to a defined policy. Consider using an automated mechanism, such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative attributes and versions. Identify and maintain the relationships between configuration items in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions (component failure impact analysis).
7. Record all assets, including new hardware and software, procured or internally developed, within the configuration management data repository.
8. Define and implement a process to ensure that valid licenses are in place to prevent the inclusion of unauthorized software.

DS9.3 Configuration Integrity Review

1. To validate the integrity of configuration data, implement a process to ensure that configuration items are monitored. Compare recorded data against actual physical existence, and ensure that errors and deviations are reported and corrected.
2. Using automated discovery tools where appropriate, reconcile actual installed software and hardware periodically against the configuration database, license records and physical tags.
3. Periodically review against the policy for software usage the existence of any software in violation or in excess of current policies and license agreements. Report deviations for correction.


Basis Cycle
I. Introduction

Overview

ISACA developed ITAF™: A Professional Practices Framework for IT Assurance as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, and tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200, General Standards. The audit/assurance programs are part of ITAF, section 4000, IT Assurance Tools and Techniques.

Control Framework

The audit/assurance programs have been developed in alignment with the COBIT framework, specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF, sections 3400, IT Management Processes; 3600, IT Audit and Assurance Processes; and 3800, IT Audit and Assurance Management. Many enterprises have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename the columns in the audit program to align with the enterprise's control framework.

IT Governance, Risk and Control

IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives with steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment


in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps

The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. IT audit and assurance professionals are encouraged to make modifications to this document to reflect the specific environment under review.

COBIT Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components

As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level. The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight


components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure A.1.

Figure A.1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the enterprise's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an enterprise's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise's mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an enterprise's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the enterprise's risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the enterprise.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure A.1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure A.1.

Reference/Hyperlink

Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference

This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments

The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development. The IT Assurance Guide: Using COBIT, appendix VII, Maturity Model for Internal Control, in figure A.2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure AD2: Maturity Model for Internal Control
(Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls)

Maturity Level 0, Nonexistent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1, Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2, Repeatable but intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3, Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4, Managed and measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5, Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report, and used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to management. At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards


ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IT Audit/Assurance Standard S15 IT Controls, and IT Audit/Assurance Guideline G38 Access Controls are relevant to this audit/assurance program.

ISACA Controls Framework

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise. Refer to ISACA's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

SAP ERP Security

The review of SAP helps management ensure that it is secure. Since launching its first product offering almost 30 years ago, SAP has grown globally. It has approximately 12 million users and 96,400 installations in more than 120 countries and is the third-largest independent software company in the world. The company name, SAP, is a German acronym that loosely translates in English to Systems, Applications and Products in data processing. Before SAP ERP, SAP had two main products: the mainframe system SAP® R/2® and the client/server-based system SAP R/3. Both R/2 and R/3 are targeted to business application solutions and feature complexity, business and organizational experience, and integration. The R/2 and R/3 terminology is sometimes taken to mean release 2 and release 3 respectively; however, this is not the case. The R in R/2 and R/3 means "real time." Release levels are annotated separately to the R/2 or R/3 descriptors. For example, in SAP R/3 4.6B, the 4 is the major release number, the 6 is the minor release number following a major release, and the B is the version within a release. R/3 was introduced in 1992 with a three-tier architecture paradigm. In recent years, SAP has introduced Service Oriented Architecture (SOA) as part of SAP ERP. This combines ERP with an open technology platform that can integrate SAP and non-SAP systems on the SAP NetWeaver® platform. The current core ERP solution offered by SAP is called SAP Enterprise Central Component (ECC 6.0), referred to here as SAP ERP.

Business Impact and Risk

SAP is widely used in many enterprises. Improper configuration of SAP could result in an inability for the enterprise to execute its critical processes. Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:

- Disclosure of privileged information
- Single points of failure
- Low data quality
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements

Objective and Scope

Objective: The objective of the SAP ERP audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of the enterprise's SAP ERP architecture.

Scope: The review will focus on configuration of the relevant SAP ERP components and modules within the enterprise. The selection of the specific components and modules will be based upon the risks introduced to the enterprise by these components and modules.

Minimum Audit Skills

This review is considered highly technical. The IT audit and assurance professional must have an understanding of SAP best practice processes and requirements, and be highly conversant in SAP tools, exposures and functionality. It should not be assumed that an audit and assurance professional holding the CISA designation has the requisite skills to perform this review.


VI. Basis Cycle Audit/Assurance Program

Columns of the program table: Audit/Assurance Program Step | COSO component (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | COBIT Cross-reference | Reference Hyperlink | Issue Cross-reference | Comments

A. PRIOR AUDIT/EXAMINATION REPORT FOLLOW-UP

1. Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.

1.1 Determine whether:
- Senior management has assigned responsibilities for information, its processing and its use
- User management is responsible for providing information that supports the entity's objectives and policies
- Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity
- Senior management approves plans for development and acquisition of information systems
- There are procedures to ensure that the information system being developed or acquired meets user requirements
- There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation
- All personnel involved in the system acquisition and configuration activities receive adequate training and supervision
- There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards
- User management participates in the conversion of data from the existing system to the new system

COBIT cross-reference (steps on this page): ME1, ME1

- Final approval is obtained from user management prior to going live with a new information/upgraded system
- There are procedures to document and schedule all changes to information systems (including key ABAP programs)
- There are procedures to ensure that only authorized changes are initiated
- There are procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client
- There are procedures to allow for and control emergency changes
- There are procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software
- There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated
- The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions
- The database, application and presentation servers are located in a physically separate and protected environment (i.e., a data center)
- Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational
- Backup and recovery plans allow users of information systems to resume operations in the event of an interruption
- Application controls are designed with regard to any

  weaknesses in segregation, security, development and processing controls that may affect the information system
- Access to the Implementation Guide (IMG) during production has been restricted
- The production client settings have been flagged to not allow changes to programs and configuration

B. PRELIMINARY AUDIT STEPS

1. Gain an understanding of the SAP ERP environment.

1.1 Determine what version and release of the SAP ERP software has been implemented. If multiple versions, document the various versions.

1.2 Obtain details of the following:
- Operating system(s) and platforms
- Total number of named users (for comparison with limits specified in contract)
- Number of SAP ERP instances and clients
- Accounting period, company codes and chart of accounts
- Database management system used to store data for the SAP ERP system
- Location of the servers and the related LAN/WAN connections (need to verify security and controls, including environmental, surrounding the hardware and the network security controls surrounding the connectivity) and, if possible, copies of network topology diagrams
- List of business partners, related organizations and remote locations that are permitted to connect to the ERP environment
- Various means used to connect to the ERP environment (e.g., dial-up, remote access server, Internet transaction server) and the

COBIT cross-reference (steps on this page): PO4, PO2, PO3, DS2, DS12

  network diagram, if available

2. In a standard SAP ERP configuration, confirm that separate systems for development, test and production are implemented.

2.1 Determine whether:
- This approach was taken
- The instances are totally separate systems or are within the same system

2.2 Determine whether the SAP production environment is connected to other SAP or non-SAP systems. If yes, obtain details as to the nature of connectivity, frequency of information transfers, and security and control measures surrounding these transfers (i.e., to ensure accuracy and completeness).

3. Identify the components being used (Human Capital Management, Financials, Operations, Corporate Services).

3.1 Identify whether the organization has implemented any of the following:
- Internet transaction server
- Any of the New Dimension products (e.g., Supply Chain Management, Customer Relationship Management, Business Intelligence)
- Audit Information System. If implemented, determine how it is used (i.e., only for annual audits or on a regular basis to monitor and report on security issues).

3.2 Determine whether the organization makes use of any mySAP functionality. If yes, describe the functionality and purpose.

3.3 Determine whether the organization has created any locally developed ABAP/4 programs/reports or tables. If yes, determine how these programs/reports are used. Depending on the importance/extent

COBIT cross-reference (steps on this page): PO2; PO2, DS5; PO2, PO2, PO3, ME2; PO2, AI2, AI6

of use, review and document the development and change management process surrounding the creation/modification of these programs/reports or tables.

3.4 Obtain copies of the organization's key security policies and standards. Highlight key areas of concern, including:
- Information security policy
- Sensitivity classification
- Logical and physical access control requirements
- Network security requirements, including requirements for encryption, firewalls, etc.
- Platform security requirements (e.g., configuration requirements)

3.5 Obtain information regarding any awareness programs that have been delivered to staff on the key security policies and standards. Consider specifically the frequency of delivery and any statistics on the extent of coverage (i.e., what percentage of staff has received the awareness training).

3.6 Maintain authorizations and profiles, for example:
- Have job roles, including the related transactions, been defined and documented?
- Do procedures for maintaining (creating/changing/deleting) roles exist and are they followed?

3.7 Determine whether adequate access administration procedures exist in written form. Do any of the following procedures exist within the organization? If yes, document the process and comment on compliance with the policies and standards, and the adequacy of resulting documentation.
- Procedures to add/change/delete user master records
- Procedures to handle temporary access requests

COBIT cross-reference (steps on this page): PO6, DS5, DS12; PO6, DS7; PO7, AI4, DS5; PO7, AI4, DS5

- Procedures to handle emergency access requests
- Procedures to remove users who have never logged into the system
- Procedures to automatically notify the administration staff when employees holding sensitive or critical positions leave the organization or change positions

3.8 Obtain copies of the organization's change management policies, processes and procedures, and change documentation. Consider specifically:
- Transport processes and procedures, including allowed transport paths
- Emergency change processes and procedures
- Development standards, including naming conventions, testing requirements and move-to-production requirements

3.9 Determine whether the organization has a defined process for creating and maintaining clients. If yes, obtain copies and documentation related to the creation and maintenance of clients.

3.10 Determine the organization's approach to SAP Service Marketplace. Verify the extent of access permitted and processes used to request, approve, authenticate, grant, monitor and terminate SAP Service Marketplace access.

4. Review outstanding audit findings, if any, from previous years. Assess impact on current audit.

5. Identify the significant risks and determine the key controls.

5.1 Obtain details of the risk assessment approach taken in the organization to identify and prioritize risks.

5.2 Obtain copies of and review:
- Completed risk assessments impacting the SAP ERP environment

COBIT cross-reference (steps on this page): AI4, AI6; PO2, AI6, DS2, DS5, ME1, ME2, PO9, PO9, ME1

- Approved requests to deviate from security policies and standards

Assess the impact of the above documents on the planning of the SAP ERP audit.

5.3 In the case of a recent implementation/upgrade, obtain a copy of the security implementation plan. Assess whether the plan took into account the protection of critical objects within the organization and segregation of duties. Determine whether an appropriate naming convention (i.e., for profiles) has been developed to help security maintenance and to comply with required SAP ERP naming conventions.

C. DETAILED AUDIT STEPS

1. Application Installation (Implementation Guide and Organizational Model)

1.1 Configuration changes are made in the development environment and transported to production.

1.1.1 Test that access to the transaction code (SPRO) and the authorization object (S_IMG_ACTV) for the IMG have been restricted in the production environment.

1.1.2 Restrict access to transaction code SCC4, which controls the production client settings. Execute this transaction code, and double-click on each client being tested. Review each of the settings for appropriateness, including the last changed by and last changed date fields. It is important to note that the No Changes setting should be set for cross-client tables. Protection for the Client Copier and Comparison Tool should be set to No Overwriting. Also ensure that eCATT and CATT are set to Not Allowed.

COBIT cross-reference (steps on this page): PO3, PO7, DS5

Identify changes directly made into production by reviewing a log of changes to table T000. Validate that a business need existed for such direct change and an appropriate change management process was followed.

1.1.3 Obtain information from the system on the OMM by reviewing tables or by utilizing the SAP ERP Audit Information System, which depicts the OMM graphically (refer to figure 12.5). Compare it to the real organization structure and interview management in relation to differences or difficulties that may have emerged during or after the implementation.

1.1.4 Test access to the transaction code (SPRO) and the authorization object (S_IMG_ACTV) for the IMG in the production environment.

1.1.5 Test the following access to validate who can make changes directly to the production client:
a) T-code: SCC4. Authorization Object: S_TABU_DIS; Activity value: 02; Authorization group: SS. Authorization Object: S_TABU_CLI; Indicator for cross client: X
b) T-code: SCC4. Authorization Object: S_ADMI_FCD; Sys Admin function: T000. Authorization Object: S_CTS_ADMI; Admin Task: INIT

1.2 Changes to critical number ranges are controlled.

1.2.1 Via transaction SUIM, review authorization object S_NUMBER (*) for those users with the following authorization value sets: Maintain Number Range Intervals: 02; Change Number Range Status: 11; Initialize Number Levels: 13; Maintain Number Range Objects for all Number Range Objects: 17

1.2.2 By using transaction code SE16, browse table TDDAT. In the table name field enter Z* and then Y* to identify all of the custom tables. Determine those tables that have "&NC&" within the authorization group field. Assess whether these settings ("&NC&") are appropriate.

1.2.3 Test access to modify critical tables via the objects S_TABU_DIS (value 02) and transaction codes SM31 or SM30. If the table is cross-client, the user master record must contain a third object, S_TABU_CLI (value X). Use transaction code SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) to check for these restrictions. Test access to update tables with authorization group SS, as no one should have update access to this critical systems table.

2. Application Development (ABAP/4 Workbench and Transport System)

2.1 Application modifications are planned, tested and implemented in a phased manner.

2.1.1 Determine the system landscape and client strategy, and review the change control policies and procedures (including

COBIT cross-reference (steps on this page): AI6, DS5

documentation) to transport objects between environments. Work with the Basis/Transport Administrator to obtain a random sample of transports and trace back to documentation. Ensure that authorization for the transport was obtained and confirm that the specified transport path was followed. For emergency changes, ensure that the specified emergency process was followed. Confirm that appropriate authorizations were obtained and documentation was subsequently completed. Review the System Change option and confirm it has been set to No Changes Allowed (refer to 1.1.2 above). Review segregation of duties with respect to creating and releasing change requests. Test user access to authorization object S_TRANSPRT and ACTVT; expect 03 and any transport type (TTYPE). Assess the appropriateness of such access in comparison with the users' job functions.

2.2 Customized ABAP/4 programs are secured appropriately.

2.2.1 To identify customized programs that have not been assigned to an authorization group, enter transaction code SE16. Browse the table TRDIR and enter the values of Z* and then Y* in the program name field. This will produce a list of all customized programs, assuming that the organization has followed standard naming convention when customizing programs. Filter this list for programs that do not have a value in the authorization group field (SECU). Concentrate the investigation on users who have SE38, SA38, SE80 and SE37 transaction codes. These users automatically have access to run many of these programs.

2.2.2 From this list, select a representative sample of customized programs and check the source code to see whether an authority-

C)S)
Information and Communication Control Environment Risk Assessment Control Activities

Audit/Assurance Program Ste!

chec$ statement has een included) Cse transaction code SA;8 and run the A2AP/F !rogram 4SA2APSC %ith the a!!ro!riate !rogram name and authorit& chec$ in the A2AP/F language commands selection #ield to dis!la& the authorit&(chec$ statements #or each o# the sam!led !rograms) <ote that the results ma& include other !rograms called & the sam!led !rograms %ith the a!!ro!riate authorit&(chec$ statements) Con#irm the results o# the test %ith management) @)@); 4e"ie% and assess the "alue #or the !arameters elo% (use 4SPA4A. re!ort)D Auth/noSchec$SinSsomeScases (Can e either N or <) I# set to the recommended "alue o# N Z!ermit authoriAation chec$s[, monitor the content o# SC@F care#ull& to ma$e sure that these entries are set a!!ro!riatel&)) Auth/r#cSauthorit&Schec$ (recommend set to @ to !ermit #ull chec$ing) @)@)F Cse transaction SCI. T Csers T Csers & Com!le5 Selection Criteria (also accessi le using transaction code SA;8 and !rogram 4SCS400@) to test the num er o# users %ho ha"e access to e5ecute all !rograms inde!endent o# the authoriAation grou! assigned) 0nter the authoriAation o 8ect SSP41/4A. %ith the acti"it& "alue o# SC2.I' or 2'CSC2.I' and the authoriAation o 8ect SS'C1:0 %ith a transaction code o# SA;8, S0;B, S0;8 or S080) @)@)G 4e"ie% the !olic&, !rocedures and criteria #or esta lishing !rogram authoriAation grou!s, assigning the A2AP/F !rograms to grou!s and including authorit&(chec$ statements in !rograms) Com!are the results #rom testing to esta lished !olicies, !rocedures, standards and guidance (note that organiAations ma& use additional

COBIT cross-reference: DS5


transactions, tables, authorization objects, ABAP/4 programs, and reports to control their systems).

2.3 The creation or modification of programs is performed in the development system and migrated through the test system to production.

2.3.1 To produce a list of users who have access to develop programs in the production system, execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) with the authorization object S_DEVELOP, the activity values of 01, 02 or 06. ABAP/4 programs that are not assigned to an authorization group may be changed by any user with authorization for object S_DEVELOP, depending on whether the user has been assigned a developer's key and the correct object keys.

2.4 Access for making changes to the dictionary is restricted to authorized individuals.

2.4.1 Execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). Review users with the following authorization to determine whether they are appropriate: Data dictionary object: S_DEVELOP with any of the activity values 01, 02, 06, 07 and access to any of the transaction codes SE11, SE12, SE15, SE16, SE37, SE38, SE80.

2.5 Access to modify and develop queries is restricted.

2.5.1 Using transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002), enter the authorization object S_QUERY with activity value 02 and transaction code:
- SQ01 to identify all users who can create and maintain queries.


In addition, use the authorization object S_QUERY with activity value 23 and transaction codes:
- SQ02 or SQ03 to produce a report identifying all users who can maintain functional areas and user groups.
Review the lists with management for reasonableness.

2.6 Relevant company codes are set to Productive in the production environment.

2.6.1 Transaction code OBR3 contains a list of company codes and whether they have been set to Productive. This information is also available in table T001 and can be viewed using transaction code SE16. Perform a review of this list. In instances where company codes have not been set to Productive, investigate the reasons with management.

3. Application Operations (Computing Center Management System)

3.1 The Computing Center Management System (CCMS) is configured appropriately.

3.1.1 To ensure that the CCMS displays meaningful data, determine via inquiry whether transaction RZ04 was used to set up operations modes, instances and timetables.

3.1.2 Determine how the organization is monitoring its SAP ERP system. Understand the policies, procedures, standards and guidance regarding the execution of SAPSTART and STOPSAP programs or their equivalent in the organization's environment. Check that only authorized personnel may execute these programs.

3.1.3 Generate a list of users with the ability to access the Alert Monitor by performing online access authorization testing for these


authorization objects S_RZL_ADM, activity values 01 (administrator) and 03 (display) and transaction code, value AL01 (if a 3.x system) or RZ20 (if a 4.x system or SAP ECC system).

3.2 Batch processing operations are secured appropriately.

3.2.1 Obtain a list of batch users by executing transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) with the following authorizations:
- Batch input: transaction code=SM35, authorization object=S_BDC_MONI, field: BDCAKTI, value: DELE, FREE, LOCK, REOG and field: BDCGROUP, value: *
- Batch administration: transaction code=SM36/SM37, authorization object=S_BTCH_ADM, field: BTCADMIN, value: Y
- Batch scheduling: transaction code=SM36, authorization object=S_BTCH_JOB, field: JOBACTION, value: DELE, RELE, authorization object=S_BTCH_NAM, value: *
- Batch processing: transaction code=SM37, authorization object=S_BTCH_JOB, field: JOBACTION, value: DELE, RELE, PLAN, authorization object=S_BTCH_NAM, value: *
- Event triggering: transaction code=SM64, authorization object=S_BTCH_ADM, field: BTCADMIN, value: Y

3.2.2 Determine by corroborative inquiry that upload programs have been removed from the production environment as appropriate.

3.3 Default system parameter settings are reviewed and configured to suit the organization's environment.


3.3.1 Obtain a printout of the values of the following key parameters (run report RSPARAM via transaction code SA38 on each instance, as appropriate) and compare to the requirements as set out in the policies and standards in figure 12.9. Confirm that the system profile parameter files and default.pfl are protected from unauthorized access. Confirm that there is a mechanism/process to ensure that the profiles are regularly checked to ascertain that they have not been changed inappropriately. Obtain any related change documentation and ensure that:
- The documentation is authorized.
- Related log entries reflect the expected changes.
- A current printout of the RSUSR006 report is obtained and reviewed for unusual items or trends.
Determine whether management has a process for frequent monitoring of unsuccessful login attempts and/or locked users via a review of this report. If yes, obtain details on the following frequency of monitoring. Review a reasonable sample of previously followed-up reports and assess the appropriateness of the follow-up on unusual findings. Run transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). Review and follow up on:
- Users with original passwords
- Users who have not logged in during the last 60 days
- Users who have not changed their passwords in the last 60 days (or any duration that is appropriate for the


organization). Obtain a sample of user master records in the production environment and work with the authorization security administrator and the job descriptions to assess segregation of duties (refer to chapter 4 for more guidance) and the appropriateness of the access granted.

3.3.2 Execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) with the transaction code SM01 to provide a list of all users who have access to lock or unlock transaction codes in the system. Review and confirm this list with management to ensure that only authorized users have access.

3.3.3 Enter transaction code SM01 to display a list of transaction codes with a check box beside them. A cross in the check box indicates that the transaction code has been locked. Review sensitive transaction codes to ensure that they have been locked from user access. Such transaction codes include but are not limited to:
- SCC5=Client Delete
- SCC1=Client Copy (may overwrite the production client)
- SM49=Execute Logical Commands (may allow pass-through to operating system)
- SM69=Execute Logical Commands (may allow pass-through to operating system)

3.4 Users are prevented from logging in with trivial or easily guessable passwords.

3.4.1 Based on the review of the key security policies, determine whether there are any character combinations (apart from the SAP

COBIT cross-reference: PO6, DS5


ERP standards) that the policy has prohibited from use. If yes, obtain a printout of the contents of table USR40 and confirm that the list of "illegal" words is contained therein.

3.5 SAP Router is configured to act as a gateway to secure communications into and out of the SAP ERP environment.

3.5.1 Discuss with the operating system administrators the procedures surrounding changes to SAP Router and the procedures surrounding restarting SAP Router when it goes down.

3.5.2 Obtain a list of individuals with view and/or change access to the SAP Router binary. Review the list with key management and assess the appropriateness of the segregation of duties.

3.5.3 Request an extract of the SAP Router permissions table (for example, execute the UNIX command saprouter -L <path>) from the operating system administrator. Review the permissions table with the operating systems administrator. Compare with the network diagram to assess the appropriateness of the IP addresses and with change control documentation to confirm that management has appropriately authorized changes.

3.5.4 If logging is active, ascertain the frequency with which the logs are reviewed and followed up.

3.5.5 Obtain a reasonable sample of the logs and review them with the operating systems administrator.

3.6 Remote access by software vendors is controlled adequately.

3.6.1 Determine the organization's approach to SAP Service Marketplace. Verify the extent of access permitted and the processes used to request, approve, authenticate, grant, monitor and terminate SAP Service Marketplace access. Check that

COBIT cross-reference: AI4, DS5, ME1, ME2; DS2, DS5


changes are subject to normal testing and migration controls.

3.6.2 Obtain a list of SAP Service Marketplace users on the production client. Enter transaction code OSS1 using the client's administrator ID. Click on the SAPNET icon followed by the Administration icon. Perform an authorization analysis by authorization object view. This will provide a list of all users assigned to the SAP Service Marketplace by authorization object. In particular, review for reasonableness with management the users who have been assigned to administration authorization and open service connections.

3.7 SAP ERP Remote Function Call (RFC) and Common Programming Interface/Communications (CPI-C) are secured.

3.7.1 Ascertain whether the login information (dialog and/or nondialog users) is stored and reviewed. Obtain a representative sample and review to ensure that dialog users are appropriate (i.e., valid employees with authorization) and that nondialog user IDs are appropriate. To do this, execute transaction code SM59. This will display the table RFCDES, which controls the communication between systems. The table lists the RFC destinations, which will include all SAP ERP connections that are on the system. Expand each of the SAP ERP connections and double-click on each connection to verify that no dialog user ID is listed with its password.

3.7.2 Determine whether these systems are protected with the appropriate network measures (e.g., SAP Router/firewall/routers).

3.7.3 Assess the strength/adequacy (i.e., robustness) of password measures to authenticate RFC connections.
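Step 3.5.3 above asks the reviewer to compare the SAP Router permission table with the network diagram. The following is an added example (not part of the ISACA audit program) that parses a saprouttab extract in its standard line format (`P|D|S <source> <destination> <service> [password]`) and flags the entries an auditor would question: permit-all rules, sources outside the networks the diagram authorizes, host-name sources that need manual resolution, and deny rules shadowed by an earlier permit-all. The extract and the allowed networks are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed saprouttab extract, not taken from any real system.
# Line numbers matter: saprouter uses the first matching entry.
SAPROUTTAB_EXTRACT = """\
# permit the SAP GUI LAN to the ERP dispatcher
P 10.10.20.0/24 erp-prd.example.internal 3200
# vendor support connection, password protected
P 192.0.2.10 erp-prd.example.internal 3299 s3cret
# catch-all left over from go-live
P * * *
# explicit denial of the guest network
D 10.99.0.0/16 * *
# test LAN that is not on the network diagram
P 172.16.5.0/24 erp-prd.example.internal 3200
"""

# Source networks the (assumed) network diagram authorizes.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.0.2.10/32"),
]


class RouteEntry:
    """One saprouttab line: P (permit), D (deny), S (permit SAP protocol only)."""

    def __init__(self, line: int, action: str, source: str, dest: str,
                 service: str, password: Optional[str]):
        self.line, self.action, self.source = line, action, source
        self.dest, self.service, self.password = dest, service, password


def parse_saprouttab(text: str) -> List[RouteEntry]:
    """Parse permit/deny lines; comments and blank lines are skipped.
    Entries with an unknown action (e.g. the KP/KD/KS SNC forms) are kept
    as 'other', lines with too few fields as 'malformed'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            entries.append(RouteEntry(lineno, "malformed", line, "", "", None))
            continue
        action = parts[0] if parts[0] in ("P", "D", "S") else "other"
        entries.append(RouteEntry(lineno, action, parts[1], parts[2], parts[3],
                                  parts[4] if len(parts) > 4 else None))
    return entries


def source_is_allowed(source: str, allowed) -> Optional[bool]:
    """True/False for an IP or CIDR source; None for a host name, which the
    reviewer must resolve against the network diagram by hand."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def review_saprouttab(entries: List[RouteEntry], allowed) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for the reviewer to follow up."""
    findings = []
    permit_all_line = None  # first 'P * * *' seen; later D entries never match
    for e in entries:
        if e.action == "malformed":
            findings.append((e.line, "malformed entry, cannot be evaluated"))
            continue
        if e.action == "D":
            if permit_all_line is not None:
                findings.append((e.line, "deny entry never matches: shadowed by "
                                         f"permit-all on line {permit_all_line}"))
            continue
        if e.action not in ("P", "S"):
            continue
        if e.source == "*":
            findings.append((e.line, "permit from any source host"))
            if e.dest == "*" and e.service == "*" and permit_all_line is None:
                permit_all_line = e.line
        elif "*" in e.source:
            findings.append((e.line, "wildcard in source, confirm the range "
                                     "against the network diagram"))
        else:
            ok = source_is_allowed(e.source, allowed)
            if ok is False:
                findings.append((e.line, f"source {e.source} is not an authorized network"))
            elif ok is None:
                findings.append((e.line, f"source {e.source} is a host name, "
                                         "resolve and verify manually"))
        if e.dest == "*" or e.service == "*":
            findings.append((e.line, "permit to any destination or service"))
    return findings


if __name__ == "__main__":
    for line, msg in review_saprouttab(parse_saprouttab(SAPROUTTAB_EXTRACT), ALLOWED_SOURCES):
        print(f"line {line}: {msg}")
```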

COBIT cross-reference: PO2, AI4, DS5, ME1, ME2


3.7.4 Confirm with the SAP ERP security authorization manager that authority checks are included in functional modules called via RFC.

3.7.5 Via transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002), identify users who have access to transaction code SM59. Assess whether this access is appropriate (work with user access management).

3.7.6 If using release 4.0 or higher, ascertain whether SNC protection has been applied to RFC calls. If yes, cross-reference to SNC documentation and testing performed earlier.

3.8 The technology infrastructure is configured to secure communications and operations in the SAP ERP environment.

3.8.1 Firewall

3.8.1.1 Discuss with the firewall administrators the procedures surrounding changes to the firewall rules and recovery of firewalls in the event of an outage.

3.8.1.2 Obtain a list of individuals with view and/or change access to the firewall rules. Review the list with key management and assess the appropriateness of the segregation of duties.

3.8.1.3 Review the permissions table with the firewall administrator. Compare with network diagram to assess the appropriateness of the IP addresses.

3.8.1.4 If logging is set to Logging Active, ascertain the frequency with which the logs are reviewed and followed up.

3.8.1.5 Obtain a reasonable sample of the logs and review them with the firewalls administrator.

COBIT cross-reference: AI4, DS5, ME1, ME2; DS5; DS13



3.8.2 Secure Network Communications (SNC)

3.8.2.1 Identify the communication paths that have been protected by SNC/external security product. (COBIT cross-reference: AI4, DS5)

3.8.2.2 Assess whether the level of protection is appropriate for each of the various communication paths. Use the requirements set out in the information security policy and various risk assessments to assist in the assessment.

3.8.2.3 Review the configuration for each path with the network security administrator for appropriateness.

3.8.3 Secure Store and Forward (SSF) Mechanisms and Digital Signatures

3.8.3.1 Determine whether there are any regional laws or regulations with which the organization must comply that govern the use of digital signatures. If yes, confirm that the organization is in compliance.

3.8.3.2 Determine whether the organization uses an external product for SSF. If yes:
- Ascertain whether the organization uses hardware- or software-based keys.
- Describe the controls surrounding issuance and changing of the public and private keys.
- Ascertain whether the organization uses self-signed certificates or CA-signed certificates.

3.8.3.3 If using release 4.5 or higher, determine whether SAPSECULIB is used as the default SSF provider. If yes, determine whether the file SAPSECU.pse is protected

COBIT cross-reference: ME1, ME2; DS5, ME3; PO2, DS5, DS13; DS5


from unauthorized access.

3.8.4 Workstation Security

3.8.4.1 Via inspection, ensure that staff utilizes the available security measures surrounding workstations/PCs (e.g., screen savers, power-on passwords, third-party security products, physical controls). Consider specifically whether:
- Users are able to bypass screen saver/power-on passwords.
- Screen savers activate automatically or are (as a rule) activated by users when they leave their work areas.

3.8.4.2 Regarding virus protection, determine whether:
- Virus scanners are used on the network and/or workstations.
- Virus signatures are kept up to date.
- There is a procedure for disseminating virus education to users.

3.8.4.3 Assess adequacy of physical controls. Consider specifically:
- Are the workstations in secure/restricted areas?
- How is the area secured (e.g., security cards, keys, combination locks)?
- Do individuals circumvent these controls (i.e., piggyback at entrance, prop open the door)?

3.8.5 Operating System and Database Security

3.8.5.1 Work with the systems and database administrator to confirm that the default passwords on the standard

COBIT cross-reference: DS5; DS5, DS13; DS5, DS12


operating system and database user IDs have been changed, appropriate security parameters have been set and appropriate security procedures are in place and operating.

4. Application Security (Profile Generator and Security Administration)

4.1 Duties within the security administration environment are adequately segregated.

4.1.1 Determine whether the system administrator tasks are segregated into the following administrator functions by generating user lists for the following authorizations using transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002):

For the Profile Generator:
- Create and change roles=Used to define and update roles. Use authorization S_USER_AGR with authorization field values of 01 and 02. Test this in conjunction with transaction code PFCG.
- Transport roles=Used to transport or activate roles to/in production. Use authorization S_USER_AGR with authorization field value of 21. Test this in conjunction with transaction code PFCG.
- Assign roles/profiles to user master records=Used to assign or transfer roles/profiles into the user master records for the relevant users. Use authorization S_USER_AGR with authorization field value of 02 and authorization S_USER_GRP with authorization field value of 22. Test this in conjunction with transaction code PFCG. Also test the manual maintenance of roles/profiles (SU02/SU03) in

COBIT cross-reference: DS5


use prior to PFCG.
- Authorization Maintenance: Use authorization S_USER_AUT with authorization field value 01, 02, 07, 22. Test this in conjunction with transaction SU03.
- User Maintenance: Use authorization S_USER_PRO with authorization field value 01, 02, 07, 22. Test this in conjunction with transaction SU02.

For user master maintenance:
- Create/change/lock/delete changes: Use authorization object S_USER_GRP with authorization field values of 01, 02, 05, 06. Test this in conjunction with transaction code SU01.
- Assign roles/profiles to user master records: Use authorization S_USER_AGR with authorization field value of 02, and authorization S_USER_GRP with authorization field value 22 and 02.

If full segregation is not possible among the four functions listed above, management should at minimum consider segregating the creation of roles/profiles and assignment of roles/profiles. If the segregation of duties option is practical, assess SUIM > Change Documents > For Users/For Profiles/For Authorizations (also accessible through transaction code SA38 and programs RSUSR100/101/102) for evidence of review and action by management.

4.1.2 Test user access to effect mass changes to user master records: authorization objects S_USER_GRP and S_USER_PRO


with authorization field values of 01, 02, 05 and 06, and transaction codes SU10 (Delete/Add a Profile for All Users) and SU12 (Delete All Users).

4.2 Adequate security authorization documentation is maintained.

4.2.1 Select a random sample of authorized change documentation that pertains to changes to user master records. Run SUIM > Change Documents > For Users (also accessible through transaction code SA38 and program RSUSR100) and assess whether the changes made are as documented.

4.2.2 Select a random sample of authorized change documentation that pertains to changes to profiles. Run SUIM > Change Documents > For Profiles (also accessible through transaction code SA38 and program RSUSR101) and assess whether the changes made are as documented.

4.2.3 Select a random sample of authorized change documentation that pertains to changes to authorizations. Run SUIM > Change Documents > For Authorizations (also accessible through transaction code SA38 and program RSUSR102) and assess whether the changes made are as documented.

4.3 The superuser SAP* is properly secured.

4.3.1 To determine whether the SAP* user has been locked, execute transaction SA38 (reporting) with transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). Enter SAP* in the user field and press F8. Verify that the SAP* group field says SUPER. Click twice on the Other View button. The user status field for SAP* should say locked.

4.3.2 For SAP*, run transaction code SA38 and program

COBIT cross-reference: AI6, DS5, ME1; AI6, DS5, ME1; AI6, DS5, ME1; DS5


RSUSR003 to confirm that:
- The ID has been deactivated in all clients and a new superuser created.
- The password has been changed from the default (i.e., not trivial).

4.4 Default users are secured properly.

4.4.1 To test whether the default password has been changed for DDIC, SAPCPIC and EarlyWatch, execute the SAP ERP report RSUSR003 and determine if the default passwords have been changed. To determine whether the SAPCPIC and EarlyWatch users have been locked, execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). Enter the user name in the user field and press F8. Verify that the group field says SUPER. Click twice on the Other View button. The user status field should say locked.

4.5 Access to powerful profiles is restricted.

4.5.1 Review for appropriateness users assigned the privileged profiles of SAP_ALL and SAP_NEW. Users who have been assigned these superuser profiles/roles should be assigned to user group super or equivalent, which should be maintained by a limited number of Basis personnel only. To perform this test, execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). In the part noted as Selection Criteria for User enter SAP_ALL

COBIT cross-reference: DS5


into the profile field. Click on the button to the right of the text box. Enter SAP_NEW in the first empty text box. Click on Copy. This report will list all users who have superuser functionality. Check other powerful profiles for user access:
- S_A.SYSTEM (System administration authorizations)
- S_RZL_ADMIN (CCMS administration authorizations)
- S_USER_ALL (All user administration authorizations)
- S_A.USER and S_A.ADMIN (used to administer user master record authorizations)
Check the user list identified by this test to ascertain whether individuals who have access to the previously mentioned functionality require this access, based on their job responsibilities and established policies, procedures, standards and guidance.

4.6 The authorization group that contains powerful users is restricted.

4.6.1 Identify the system administrators within the enterprise and determine to which user groups their user IDs belong. Using transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002), review the system for users with the authorization object S_USER_AGR (Profile Generator environment) with the activity values 01, 02, 21 and 22, and transaction code PFCG or the authorization object S_USER_GRP (manual maintenance) with the activity values of 01, 02, 05 and 06 and the transaction code SU01. The authorization field user group in user master maintenance should be similar to one of the values identified


above. This would usually be the group SUPER or ITO-SYSTEM.

4.7 Changes to Central User Administration (CUA) are authorized and reviewed regularly by management.

4.7.1 Because all organizations are structured differently and have different requirements, initial discussions with the organization should be conducted to obtain an understanding of the organization's structure and configuration requirements for CUA. To test whether CUA has been configured appropriately, execute the transaction codes SALE, SCUA and SCUM and review the appropriateness of the configured settings for the organization.

4.8 Changes to critical SAP ERP tables are logged by the system and reviewed by management.

4.8.1 Review security procedures created by management that identify what tables are being logged and how often these logs are reviewed by management. For changes to be logged, the system profile parameter rec/client needs to be activated. Check this by reviewing the report RSPARAM and ensuring that the value for this parameter is set to ALL or to the client numbers that will have table logging enabled. Enter transaction code SE16 and enter table TPROT as the object name along with an X in the PROTFLAG field. This will identify tables that have their changes logged. Run report RSTBPROT (table log) or RSTBHIST (table change analysis), which lists all changes to tables that have log data changes activated in their technical settings for the period specified. Take a representative sample of changes to these tables and compare these to the original supporting information/documentation. Obtain explanations for any changes for which supporting information or documentation is not available.
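Steps 2.2.3, 3.3.1 and 4.8.1 all have the reviewer read RSPARAM output and compare profile parameters with expected values. The following is an added example (not part of the ISACA audit program) that does that comparison for the three parameters those steps name: it takes the effective value (the user-defined value, falling back to the system default RSPARAM also prints) and reports every parameter that misses the expectation. The extract is constructed; the assumed input layout is one parameter per line with name, user value (a dash when none is set) and default separated by two or more spaces.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed RSPARAM-style extract (not from a real system):
# parameter name, user-defined value ('-' when none is set), system default.
RSPARAM_EXTRACT = """\
auth/no_check_in_some_cases      -         Y
auth/rfc_authority_check         1         1
rec/client                       100,200   OFF
"""


def rec_client_ok(value: str) -> bool:
    """rec/client must be ALL or a comma-separated list of three-digit
    client numbers that are to have table logging enabled (step 4.8.1)."""
    if value.strip().upper() == "ALL":
        return True
    clients = [c.strip() for c in value.split(",")]
    return bool(clients) and all(re.fullmatch(r"\d{3}", c) for c in clients)


# Expected values as steps 2.2.3 and 4.8.1 describe them:
# parameter -> (check on the effective value, description of the expectation).
EXPECTATIONS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "auth/no_check_in_some_cases": (
        lambda v: v == "Y",
        "Y (permit authorization checks; then review the SU24 entries)"),
    "auth/rfc_authority_check": (
        lambda v: v == "2",
        "2 (full authority checking for RFC calls)"),
    "rec/client": (
        rec_client_ok,
        "ALL or the list of clients that must have table logging enabled"),
}


def parse_rsparam(text: str) -> Dict[str, Tuple[str, str]]:
    """Map parameter name -> (user-defined value, system default).
    Lines with fewer than three columns (headings, wrapped values) are skipped,
    so a reviewer should still eyeball the raw printout for those."""
    params: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s{2,}", line)
        if len(parts) < 3:
            continue
        params[parts[0]] = (parts[1], parts[2])
    return params


def effective_value(user_value: str, default: str) -> str:
    """RSPARAM shows '-' (or nothing) when no user value overrides the default."""
    return default if user_value.strip() in ("", "-") else user_value.strip()


def check_parameters(params: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (parameter, effective value, expectation) for every deviation;
    a parameter missing from the extract is reported as well."""
    findings = []
    for name, (check, expected) in EXPECTATIONS.items():
        if name not in params:
            findings.append((name, "<not in extract>", expected))
            continue
        value = effective_value(*params[name])
        if not check(value):
            findings.append((name, value, expected))
    return findings


if __name__ == "__main__":
    for name, value, expected in check_parameters(parse_rsparam(RSPARAM_EXTRACT)):
        print(f"{name}: effective value {value!r}, expected {expected}")
```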

COBIT cross-reference: DS5; DS5


4.9 Changes made to the data dictionary are authorized and reviewed regularly.

4.9.1 Understand management's policies and procedures regarding the review of data dictionary reports. Assess the adequacy of such policies, procedures, standards and guidance, taking into account the:
- Frequency with which the review is performed
- Level of detail in the reports
- Other independent data to which management compares the reports
- Likelihood that the person performing the review will be able to identify exception items
- Nature of exception items that they can be expected to identify

4.10 Access to Systems Administrations Functions is restricted.

4.10.1 S_ADMI_FCD is an extremely powerful security object that grants access to several critical Basis Administration functions, as well as some functional user functions (such as spool). It should be assigned with great care, and with only the discrete values needed by users.

The object defines one authorization field, system administration functions. Test for the following field values. These values should be restricted to Basis group only.
- NADM: Network administration (SM54, SM55, SM58, SM59). Only Basis group.
- PADM: Process administration (SM50, SM51, SM04);


intercept background job (debugging function in background job administration, transaction SM37). Only Basis group.
- SM02: Authorization to create, change and delete system messages
- UADM: Update administration (SM13)
- T000: Create new client (SCC4)
- TLCK: Lock/unlock transaction (SM01)
- MEMO: Set SAP memory management quota using report RSMEMORY.
- COLA: Administration of OLE automation servers and controls
- AUDA=Basis audit administration
- RSET=Reset/delete data without archiving
- SYNC=Reset buffers
- UBUF=Reset all user buffers
- TCTR=Table control settings throughout the system
- Wild card (*), i.e., all values

4.11 Log and trace files are appropriately configured and secured.

4.11.1 For Security Audit log, using release 4.0 or higher: Confirm that the Security Audit log has been activated by running the report RSPARAM and confirming the following parameter values:
- rsau/enable (activates logging on to application server; if the value is 0, it is not active)
- rsau/local/file (specifies the location of the log; confirms that it is appropriately located)
- rsau/max_diskspace/local (specifies the maximum size of the log; confirms that the size is adequate for the

organization). Note that rsau/enable = 1 only switches the log on; which events are actually recorded depends on the audit filter profile defined and activated in SM19, so an enabled log with no active filter records nothing. Obtain a listing of events that are logged (can be done via SM20). Review for appropriateness and link to required logging that may be specified in the security policies and standards. Determine the frequency and thoroughness of the review of the logs. If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process and review for unusual items.
COBIT cross-reference: DS5, ME1

4.11.2 Review the system log: Run the report RSPARAM and review the following parameter values to obtain the locations of the log files:
• rslg/local/file (specifies the location of the local log on the application server; default: /usr/sap/<SID>/D20/log/SLOG<SAP_instance_number>)
• rslg/collect_daemon/host (specifies the application server that maintains the central log; default: <hostname of main instance>)
• rslg/central/file (specifies the location of the active file for the central log on the application server; default: /usr/sap/<SID>/SYS/global/SLOGJ)
• rslg/central/old_file (specifies the location of the old file for the central log on the application server; default: /usr/sap/<SID>/SYS/global/SLOGJO)
• rslg/max_diskspace/local (specifies the maximum length of the local log; default: 0.5 MB)
• rslg/max_diskspace/central (specifies the maximum

length of the central log; default: 2 MB)
• rstr/file (the absolute pathname of the trace file; the trace filename is TRACE<SAP ERP system number>)
Obtain a listing of events that are logged (can be done via SM21). Review for appropriateness (including the size of each local and central log file) and link to required logging, which may be specified in the security policies and standards. Because both logs are written to fixed-size files that wrap when full, a size that is too small means evidence is overwritten before anyone reviews it; compare the configured size with the review frequency. Determine the frequency and thoroughness of the review of the logs. If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process and review for unusual items. Work with the operating system administrator to determine who has permissions to these files. Ensure that the access is appropriate: in practice the files should be writable only by the SAP administration account under which the work processes run (<sid>adm on UNIX), since anyone else with write access can alter or truncate the log before it is reviewed.
COBIT cross-reference: DS5, DS10, DS11, DS13, ME1
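Steps 4.10.1 and 4.11 above are usually applied by hand to screen output. The following is an added example, not code from the ISACA program or from SAP, of how an auditor can run the same two tests mechanically over extracts from the system: a four-column user/object/field/value extract of S_ADMI_FCD assignments (such as one exported from SUIM or the USR12 tables; the column layout is an assumption of this example) and an RSPARAM-style profile parameter listing. The S_ADMI_FCD values and the rsau/rslg/rstr parameters are those listed in the steps; every sample row, user name, host name and path below is constructed for the example, and the size thresholds are the SAP defaults quoted in step 4.11 rather than any organization's requirement.

```python
"""Added example for steps 4.10 and 4.11 of the Basis audit program (not code
from the ISACA publication). Extract layouts and sample rows are constructed."""
import re

# S_ADMI_FCD field values the program reserves for the Basis group (step 4.10.1).
CRITICAL_S_ADMI_FCD = {
    "NADM": "Network administration (SM54, SM55, SM58, SM59)",
    "PADM": "Process administration (SM50, SM51, SM04, SM37)",
    "SM02": "Create, change and delete system messages",
    "UADM": "Update administration (SM13)",
    "T000": "Create new client (SCC4)",
    "TLCK": "Lock/unlock transaction (SM01)",
    "MEMO": "Set SAP memory management quota (RSMEMORY)",
    "COLA": "Administration of OLE automation servers and controls",
    "AUDA": "Basis audit administration",
    "RSET": "Reset/delete data without archiving",
    "SYNC": "Reset buffers",
    "UBUF": "Reset all user buffers",
    "TCTR": "Table control settings throughout the system",
}

def _covers(granted, critical):
    """True if an authorization value grants the critical value. SAP values may
    end in '*'; this example assumes only a trailing wildcard is used."""
    if granted.endswith("*"):
        return critical.startswith(granted[:-1])
    return granted == critical

def find_s_admi_fcd_exposures(assignments, basis_users):
    """assignments: rows of (user, object, field, value). Returns
    (user, granted, exposed, reason) for every non-Basis user whose value covers
    a critical function; a bare '*' is reported once because it covers all."""
    findings = []
    for user, obj, field, value in assignments:
        if obj != "S_ADMI_FCD" or field != "S_ADMI_FCD" or user in basis_users:
            continue
        if value == "*":
            findings.append((user, "*", "*", "Wild card: all values"))
            continue
        for critical, reason in CRITICAL_S_ADMI_FCD.items():
            if _covers(value, critical):
                findings.append((user, value, critical, reason))
    return findings

_SIZE = re.compile(r"^(\d+)([KMG]?)$", re.IGNORECASE)
_MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def to_bytes(value):
    """Profile sizes are byte counts; a decimal K/M/G suffix is also accepted
    (an assumption of this example). Returns None if the value is not a size."""
    m = _SIZE.match(value.strip())
    return int(m.group(1)) * _MULT[m.group(2).upper()] if m else None

def parse_rsparam(text):
    """Parse 'parameter  user-defined-value  [default]' lines; the first value
    column is the effective one (layout assumed to mirror RSPARAM output)."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "/" in parts[0]:
            params[parts[0]] = parts[1]
    return params

def check_log_parameters(params, min_audit_bytes=1_000_000,
                         min_syslog_bytes=500_000, log_root="/usr/sap/"):
    """Apply the 4.11 tests. Thresholds are the SAP defaults quoted in the
    program (1 MB audit log, 0.5 MB local system log). Returns a list of issues."""
    issues = []
    if params.get("rsau/enable", "0") != "1":
        issues.append("rsau/enable is not 1: Security Audit Log is inactive")
    audit_file = params.get("rsau/local/file", "")
    if not audit_file.startswith(log_root):
        issues.append(f"rsau/local/file={audit_file!r} is outside {log_root}")
    for name, floor in (("rsau/max_diskspace/local", min_audit_bytes),
                        ("rslg/max_diskspace/local", min_syslog_bytes)):
        size = to_bytes(params.get(name, "0"))
        if size is None or size < floor:
            issues.append(f"{name}={params.get(name)!r} is below {floor} bytes")
    for name in ("rslg/local/file", "rslg/collect_daemon/host",
                 "rslg/central/file", "rslg/central/old_file",
                 "rslg/max_diskspace/central", "rstr/file"):
        if name not in params:
            issues.append(f"{name} missing from RSPARAM listing")
    return issues

# Constructed sample data (not taken from any real system).
SAMPLE_ASSIGNMENTS = [
    ("BASIS01",  "S_ADMI_FCD", "S_ADMI_FCD", "*"),     # Basis user: expected
    ("FI_CLERK", "S_ADMI_FCD", "S_ADMI_FCD", "SM02"),  # can post system messages
    ("SD_USER",  "S_ADMI_FCD", "S_ADMI_FCD", "S*"),    # wildcard covers SM02, SYNC
    ("HR_ADMIN", "S_ADMI_FCD", "S_ADMI_FCD", "*"),     # full wildcard
    ("SPOOL01",  "S_ADMI_FCD", "S_ADMI_FCD", "SPAD"),  # spool value, not critical
    ("FI_CLERK", "S_TCODE",    "TCD",        "SM02"),  # other object, ignored
]
BASIS_USERS = {"BASIS01"}
SAMPLE_RSPARAM = """\
rsau/enable                  0            0
rsau/local/file              /usr/sap/PRD/D20/log/audit_20
rsau/max_diskspace/local     500000       1000000
rslg/local/file              /usr/sap/PRD/D20/log/SLOG20
rslg/collect_daemon/host     sapprd01
rslg/central/file            /usr/sap/PRD/SYS/global/SLOGJ
rslg/central/old_file        /usr/sap/PRD/SYS/global/SLOGJO
rslg/max_diskspace/local     500000
rslg/max_diskspace/central   2000000
rstr/file                    /usr/sap/PRD/D20/log/TRACE
"""

if __name__ == "__main__":
    for f in find_s_admi_fcd_exposures(SAMPLE_ASSIGNMENTS, BASIS_USERS):
        print("S_ADMI_FCD exposure:", f)
    for issue in check_log_parameters(parse_rsparam(SAMPLE_RSPARAM)):
        print("Log parameter issue:", issue)
```

On the sample data the first check reports FI_CLERK (SM02), SD_USER twice (the trailing wildcard S* reaches SM02 and SYNC) and HR_ADMIN (full wild card), and the second reports that the audit log is switched off and undersized. The wildcard handling is the part worth keeping: a value such as S* looks harmless in a role display but grants several of the functions the program reserves for Basis.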

VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review, and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.
Maturity assessment columns: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments

COBIT Control Practice AI6.1 Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the policies and processes, including:
• Roles and responsibilities
• Classification and prioritization of all changes based on business risk
• Assessment of impact
• Authorization and approval of all changes by the business process owners and IT
• Tracking and status of changes
• Impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organizational change management processes with change management processes of service providers. Consider the impact of the organizational change management process on contractual terms and SLAs.

COBIT Control Practice AI6.2 Impact Assessment, Prioritization and Authorization
1. Develop a process to allow business process owners and IT to request changes to infrastructure, systems or applications. Develop controls to ensure that all such changes arise only through the change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application systems, purchased/packaged application software).
3. Prioritize all requested changes. Ensure that the change management process identifies both the business and technical needs for the change. Consider legal, regulatory and contractual reasons for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact analysis on infrastructure, systems and applications. Consider security, legal, contractual and compliance implications of the requested change. Consider also interdependencies among changes. Involve business process owners in the assessment process, as appropriate.
5. Ensure that each change is formally approved by business process owners and IT technical stakeholders, as appropriate.

COBIT Control Practice AI6.4 Change Status Tracking and Reporting
1. Establish a process to allow requestors and stakeholders to track the status of requests throughout the various stages of the change management process.
2. Categorize change requests in the tracking process (e.g., rejected, approved but not yet initiated, approved and in process, and closed).
3. Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of change requests). Ensure that status reports form an audit trail so changes can subsequently be tracked from inception to eventual disposition.
4. Monitor open changes to ensure that all approved changes are closed in a timely fashion, depending on priority.

COBIT Control Practice DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorize access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorization criteria for assigning user access rights take into account:
• Sensitivity of information and applications involved (data classification)
• Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
• Roles and responsibilities as defined within the enterprise
• The need-to-have access rights associated with the function
• Standard but individual user access profiles for common job roles in the organization

• Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorizing users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in coordination with human resources and user departments for users who are new, who have left the organization, or who have changed roles or jobs.

COBIT Control Practice DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
• Using unique user IDs to enable users to be linked to and held accountable for their actions
• Awareness that the use of group IDs results in the loss of individual accountability and is permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented.
• Checking that the user has authorization from the system owner for the use of the information system or service, and that the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
• A procedure to require users to understand and acknowledge their access rights and the conditions of such access
• Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
• Maintaining a formal record, including access levels, of all persons registered to use the service
• A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorizations for special privileged access rights should be reviewed independently at more frequent intervals.

COBIT Control Practice DS9.1 Configuration Repository and Baseline
1. Implement a configuration repository to capture and maintain configuration management items. The repository should include hardware; application software; middleware; parameters; documentation; procedures; and tools for operating, accessing and using the systems, services, version numbers and licensing details.
2. Implement a tool to enable the effective logging of configuration management information within a repository.
3. Provide a unique identifier to a configuration item so the item can be easily tracked and related to physical

asset tags and financial records.
4. Define and document configuration baselines for components across development, test and production environments, to enable identification of system configuration at specific points in time (past, present and planned).
5. Establish a process to revert to the baseline configuration in the event of problems, if determined appropriate after initial investigation.
6. Install mechanisms to monitor changes against the defined repository and baseline. Provide management reports for exceptions, reconciliation and decision making.

COBIT Control Practice DS9.2 Identification and Maintenance of Configuration Items
1. Define and implement a policy requiring all configuration items and their attributes and versions to be identified and maintained.
2. Tag physical assets according to a defined policy. Consider using an automated mechanism, such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative attributes and versions. Identify and maintain the relationships among configuration items in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions (component failure impact analysis).
7. Record all assets, including new hardware and software, procured or internally developed, within the configuration management data repository.
8. Define and implement a process to ensure that valid licenses are in place to prevent the inclusion of unauthorized software.

COBIT Control Practice DS9.3 Configuration Integrity Review
1. To validate the integrity of configuration data, implement a process to ensure that configuration items are monitored. Compare recorded data against actual physical existence, and ensure that errors and deviations are reported and corrected.
2. Using automated discovery tools where appropriate, reconcile actual installed software and hardware periodically against the configuration database, license records and physical tags.
3. Periodically review against the policy for software usage the existence of any software in violation or in excess of current policies and license agreements. Report deviations for correction.

Appendix: SAP ERP Audit ICQs

The following internal control questionnaires (ICQs) provide suggested control objectives/questions to cover for conducting an audit of the three business cycles covered in Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide, 3rd Edition (Revenue, Inventory and Expenditure), and the SAP Basis component. They also provide references to the relevant COBIT 4.1 control objectives. Because there may be more than one control per risk, a numbering sequence for risks, controls and testing techniques has been adopted throughout each of the chapters dealing with the auditing of core business cycles or the Basis Application Infrastructure, as shown in the following table.
Numbering Sequence for Risks, Controls and Testing Techniques

Revenue Business Cycle ICQ
Columns: Control Objectives/Questions | Response (Yes / No / N/A) | Comments | COBIT References. The COBIT references that accompany each control objective are shown in brackets after it.

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely. [COBIT: DS11, DS5, DS9]
1.1.1 Does relevant management, other than the initiators, check online reports of master data additions and changes back to source documentation on a sample basis?
1.1.2 Is access to create and change master data restricted to authorized individuals?
1.1.3 Have configurable controls been designed into the process to maintain the integrity of master data?
1.2 Master data remain current and pertinent. [COBIT: DS11, DS2]
1.2.1 Does management periodically review master data to check their accuracy?
1.2.2 Have appropriate credit limits been loaded for customers?

2. Sales Order Processing
2.1 Sales orders are processed with valid prices and terms, and processing is complete, accurate and timely. [COBIT: AI6, DS5]
2.1.1 Is the ability to create, change or delete sales orders, contracts and delivery schedules restricted to authorized personnel?
2.1.2 Has the ability to modify sales pricing information been restricted to authorized personnel (refer to master data integrity 1.1.2)?
2.1.2 Has the system been configured to limit the overwriting of prices compared to the price master data (SAP allows for no changes or a certain tolerance level)?
2.1.3 Has the system been configured such that a sales order is blocked for further processing when the customer either gets too low a price or the price the salesperson gives is not satisfactory (refer to master data integrity 1.1.3)?
2.1.4 Are fax orders reconciled periodically between the system and fax printouts to reduce the risk of duplicate orders?
2.2 Orders are processed within approved customer credit limits. [COBIT: DS9, DS5, PO8]
2.2.1 Has the SAP ERP software been configured to disallow the processing of sales orders that exceed customer credit limits?

2.3 Order entry data are completely and accurately transferred to the shipping and invoicing activities. [COBIT: DS11, ME1]
2.3.1 Are reports of open sales documents prepared and monitored to check for timely shipment?

3. Shipping, Invoicing, Returns and Adjustments
3.1 Controls are in place to prevent duplicate shipments or delay in the shipping of goods to customers. [COBIT: DS6]
3.1.1 Does the SAP ERP software match goods shipped to open line items on an open sales order and close each line item as the goods are shipped, thereby preventing further shipments for those line items?
3.2.1 Are available shipping reports used to assist in controlling the shipping process?
3.2 Invoices are generated using authorized terms and prices and are calculated and recorded accurately. [COBIT: AI5]
3.2.1 Does the SAP ERP software automatically calculate invoice amounts and post invoices based on configuration data?
3.3 All goods shipped are invoiced in a timely manner. [COBIT: DS5, PO11, AI7]
3.3.1 Are reports of goods shipped but not invoiced and uninvoiced debit and credit note requests prepared and investigated promptly?
3.3.2 Is the ability to create, change or delete picking slips, delivery notes and goods issues restricted to authorized personnel?
3.3.3 Are reports of invoices issued but not posted in FI prepared and investigated promptly?
3.4 Credit notes and adjustments to accounts receivable are accurately calculated and recorded. [COBIT: DS5]
3.4.1 Is the ability to create, change or delete sales order return and credit requests and subsequent credit note transactions restricted to authorized personnel?
3.5 Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy and in a timely manner.
3.5.1 Are sales order returns and credit request transactions matched to invoices?

3.5.2 Have processing controls, including a billing block or a delivery block, been configured to block credit memos or free-of-charge subsequent delivery documents that do not comply with the organization's policy on credits or returns? [COBIT: AI2, DS9]

4. Collecting and Processing Cash Receipts
4.1 Cash receipts are entered accurately, completely and in a timely manner. [COBIT: DS9, AI4]
4.1.1 Are bank statements reconciled to the general ledger regularly?
4.1.2 Has the system been configured to not allow processing of cash receipts outside of approved bank accounts?
4.1.3 Are customer open items and accounts receivable aging reports prepared and analyzed regularly?
4.2 Cash receipts are valid and are not duplicated. [COBIT: PO4]
4.2.1 Are receipts allocated to a customer's account supported by a remittance advice that cross-references to an invoice number?
4.2.1 Is any unallocated cash or amount received that is not cross-referenced to an invoice number immediately followed up with the customer?
4.3 Cash discounts are calculated and recorded accurately.
4.3.1 Have tolerance levels for allowable cash discounts and cash payment differences in the SAP ERP system been defined such that amounts in excess of such levels cannot be entered into the SAP ERP system?
4.4 Timely collection of cash receipts is monitored. [COBIT: PO8, PO9, DS11, PO4, AI4]
4.4.1 As for 4.1.3, are customer open items and accounts receivable aging reports prepared and analyzed regularly?

Expenditure Business Cycle ICQ
Columns: Control Objectives/Questions | Response (Yes / No / N/A) | Comments | COBIT References. The COBIT references that accompany each control objective are shown in brackets after it.

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely. [COBIT: PO4, DS11, DS5, DS9, DS2]
1.1.1 Does relevant management, other than the initiators, check online reports of master data additions and changes back to source documentation on a sample basis?
1.1.2 Is access to create and change master data restricted to authorized individuals?
1.1.2 Are user accounts validated against HR lists and is access in alignment with role requirements?
1.1.2 Are user accounts reviewed by management in line with organization policy?
1.1.3 Have configurable controls been designed into the process to maintain the integrity of master data?
1.1.4 Is a naming convention used for vendor names (e.g., as per letterhead) to minimize the risk of establishing duplicated vendor master records?
1.2 Inventory master data remain current and pertinent. [COBIT: DS11]
1.2.1 Does management periodically review master data to check their accuracy?

2. Purchasing
2.1 Purchase order entry and changes are valid, complete, accurate and timely. [COBIT: AI6, DS5, DS2]
2.1.1 Is the ability to create, change or cancel purchase requisitions, purchase orders and outline agreements (standing purchase orders) restricted to authorized personnel?
2.1.2 Does the SAP ERP source list functionality allow specified materials to be purchased only from vendors included in the source list for the specified material?
2.1.3 Is the SAP ERP release strategy used to authorize purchase requisitions, purchase orders, outline agreements (standing purchase orders) and unusual purchases (e.g., capital outlays)?
2.2 Goods are received only for valid purchase orders and goods receipts are recorded completely, accurately and in a timely manner. [COBIT: AI6]

2.2.1 When goods received are matched to open purchase orders, are receipts with no purchase order or those that exceed the purchase order quantity by more than an established amount investigated? [COBIT: DS6, DS5, PO4]
2.2.1 Does management review exception reports of goods not received on time for recorded purchases?
2.2.2 Is the ability to input, change or cancel goods received transactions restricted to authorized inbound logistics/raw materials personnel?
2.3 Defective goods are returned to suppliers in a timely manner. [COBIT: DS5]
2.3.1 Are rejected raw materials adequately segregated from other raw materials in a quality assurance bonding area and are they regularly monitored (assigned a movement type of 122) to ensure timely return to suppliers?

3. Invoice Processing
3.1 Amounts posted to accounts payable represent goods or services received. [COBIT: DS5]
3.1.1 Is the ability to input, change, cancel or release vendor invoices for payment restricted to authorized personnel?
3.1.1 Is the ability to input vendor invoices that do not have a purchase order and/or goods receipt as support further restricted to authorized personnel?
3.2 Accounts payable amounts are calculated completely and accurately and recorded in a timely manner. [COBIT: DS9, DS11, DS5, PO6]
3.2.1 Is the SAP ERP software configured to perform a three-way match?
3.2.2 Is the SAP ERP software configured with quantity and price tolerance limits?
3.2.3 Is the GR/IR account regularly reconciled?
3.2.4 Are reports of outstanding purchase orders regularly reviewed?
3.2.5 Does the SAP ERP software restrict the ability to modify the exchange rate table to authorized personnel?
3.2.5 Does management approve values in the centrally maintained exchange rate table?

3.2.5 Does the SAP ERP software automatically calculate foreign currency translation, based on values in the centrally maintained exchange rate table? [COBIT: DS11]
3.3 Credit notes and other adjustments are calculated completely and accurately and recorded in a timely manner. [COBIT: DS5]
3.3.1 Is the ability to input, change, cancel or release credit notes restricted to authorized personnel?

4. Processing Disbursements
4.1 Disbursements are made only for goods and services received and are calculated, recorded and distributed to the appropriate suppliers accurately in a timely manner. [COBIT: PO6, DS5]
4.1.1 Does management approve the SAP ERP payment run parameter specification?
4.1.2 Does the SAP ERP software restrict to authorized personnel the ability to release invoices that have been blocked for payment, either for an individual invoice or for a specified vendor?

Inventory Business Cycle ICQ
Columns: Control Objectives/Questions | Response (Yes / No / N/A) | Comments | COBIT References. The COBIT references that accompany each control objective are shown in brackets after it.

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely. [COBIT: AI6, DS5, PO4, DS11, ME2, DS13]
1.1.1 Does relevant management, other than the initiators, check online reports (using transaction code MM04) of master data additions and changes back to source documentation on a sample basis?
1.1.1 Do persons independent of day-to-day custody or recording of inventory count physical inventory on a continuous inventory basis?
1.1.1 Are monthly stock-takes performed?
1.1.1 Where inventory adjustment forms are used, are they sequentially prenumbered and is the sequence of such forms accounted for?
1.1.2 Have the creation and maintenance of master data been assigned and restricted to a dedicated area within the organization that understands how they may affect organizational processes and the importance of timely changes?
1.1.3 Have configurable controls been designed into the process to maintain the integrity of master data?
1.2 Inventory master data remain current and pertinent. [COBIT: DS11, DS9]
1.2.1 Does management periodically review master data to check their accuracy?
1.3 Settings or changes to the bill of materials or process order settlement rules are valid, complete, accurate and timely. [COBIT: DS11]
1.3.1 Is the ability to create, change or delete the bill of materials restricted to authorized personnel?
1.3.2 Does relevant management, other than the initiators, check online reports of bill of materials or settlement rule additions and changes back to source documentation on a sample basis?

2. Raw Materials Management
2.1 Inventory is salable, usable and adequately safeguarded.

2.1.1 Are raw material requirements planned based on forecast orders and production plans, and does the system functionality monitor and maintain inventory levels in accordance with organization policies? [COBIT: DS1, DS3, DS6, DS11, DS12]
2.1.1 Is the salability of finished goods and usability of raw materials (including shelf life dates) assessed regularly during continuous inventory counts, and are any scrapped goods or raw materials appropriately approved?
2.1.1 Does the quality department test a sample of raw materials, and are rejected raw materials adequately segregated from other raw materials into a separate quality assurance bonding area and regularly monitored by the quality department personnel to ensure timely return to suppliers?
2.1.1 Does management review reports of slow-turnover inventory to ensure that it is still salable or usable?
2.1.1 Do goods inwards/outwards personnel monitor all incoming and outgoing vehicles and ensure that all goods leaving the premises are accompanied by duly completed documentation (e.g., intercompany stock transfer order, delivery docket or goods returned note)?
2.1.1 Are goods delivered only to designated, physically secure loading bays within the warehouses, and are they accepted only by authorized inbound logistics/raw materials personnel?
2.1.1 Is inventory stored in properly secured (gates locked at night and premises alarmed), environmentally conditioned warehouse locations where access is restricted to authorized personnel?
2.2 Raw materials are received and accepted only with valid purchase orders, and are recorded accurately and in a timely manner. [COBIT: DS13]
2.2.1 Are goods received matched online with purchase order details and/or invoices?

2.2.1 Are long-outstanding goods receipt notes, purchase orders and/or invoices investigated on a timely basis and accrued as appropriate? [COBIT: ME2, PO8, ME1, DS5, PO4]
2.2.1 Are documents cancelled once matched or on payment of the invoice to prevent reuse?
2.2.1 Does management review exception reports of goods not received on time for recorded purchases?
2.2.2 When goods received are matched to open purchase orders, are receipts with no purchase order, or those that exceed the purchase order quantity by more than an established amount, investigated?
2.2.3 Is the ability to input, change or cancel goods received transactions restricted to authorized inbound logistics/raw materials personnel?
2.2.4 Do persons independent of day-to-day custody or recording of inventory count physical inventory on a continuous inventory basis?
2.2.4 Are inventory counts reconciled to inventory records, and inventory records reconciled to the general ledger?
2.3 Defective raw materials are returned to suppliers in a timely manner. [COBIT: ME2, DS2]
2.3.1 Are rejected raw materials adequately segregated from other raw materials in a quality assurance bonding area and are they regularly monitored (assigned a movement type of 122) to ensure timely return to suppliers?
2.3.1 Are defective raw materials received from suppliers logged and recorded in the quality management system, and is the log monitored to ensure that the defective goods are returned promptly and credit is received in a timely manner?

3. Producing and Costing Inventory
3.1 Transfers of materials to/from production, production costs and defective products/scrap are valid and recorded accurately, completely and in the appropriate period.



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

3.1.1 Are inventories received, including transfers, counted and compared to the pick list (that is used to record movements of inventory in the financial records) by personnel in the area assuming responsibility for the inventory (e.g., production, goods storage), and are they recorded in the appropriate period?
3.1.1 Does management reconcile the inventory-in-transit accounts regularly and do these accounts net off against other plants' outgoing inventory-in-transit accounts?
3.1.1 Is an appropriate costing method used for raw materials at purchase order price and is the raw materials costing rolled into finished goods on a monthly basis?
3.1.1 Does the quality department, based on its knowledge of day-to-day activities, review records of scrapped and reworked items and check whether such items have been correctly identified and properly recorded in the appropriate accounting period?
3.1.1 Is the ability to create or change bills of material restricted to authorized personnel?
3.1.1 Is access to the material transfers and adjustments transactions appropriately restricted to authorized personnel?

COBIT references for the questions above: DS13, PO8, DS3, DS13, DS3, AI6, DS5, AI6, DS5

3.1.1 Is the ability to create or change work centers restricted to authorized personnel? (COBIT: AI6, DS5)
3.1.2 Is the ability to create or change bills of material restricted to authorized personnel? (COBIT: AI6, DS5)
3.1.3 Is access to the material transfers and adjustments transactions appropriately restricted to authorized personnel? (COBIT: AI6, DS5)
3.1.4 Is the ability to create or change work centers restricted to authorized personnel? (COBIT: AI6, DS5)

4. Handling and Shipping Finished Goods

4.1 Finished goods received from production are recorded completely and accurately in the appropriate period.
4.1.1 Do persons independent of day-to-day custody or recording of inventory count physical inventory on a continuous inventory basis (refer to 1.1.1)? (COBIT: PO4)



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

4.1.2 Is the changing of the settlement rules restricted to authorized users (refer to 1.3.1)?

4.2 Goods returned by customers are accepted in accordance with the organization's policies.
4.2.1 Are quality control inspections performed for finished goods returned by customers and/or received from production to assess whether such goods should be returned to inventory, reworked or scrapped? (COBIT: PO11, ME1)
4.2.1 Does the quality assurance team inspect the goods before a credit note can be issued?

4.3 Shipments are recorded accurately, in a timely manner and in the appropriate period.
4.3.1 Is access restricted to transferring stock between plants or executing the Post Goods Issue that creates the intercompany stock transfer advice and/or generates an electronic (EDI) or manual invoice? (COBIT: DS12, ME1)
4.3.1 Do outbound logistics/finished goods personnel monitor all incoming and outgoing vehicles and ensure that all goods leaving the premises are accompanied by duly completed documentation (e.g., delivery docket or goods returned note)?
4.3.1 Before goods are shipped, are the details of the approved order compared to actual goods prepared for shipment by an individual independent of the order picking process?
4.3.2 Are the SAP ERP reports (delivery due list and owed-to-customer report) of open sales documents prepared and monitored to ensure timely shipment?
4.3.2 Does the SAP ERP account assignment configuration ensure that amounts for shipped goods are posted to the appropriate COGS account?

Further COBIT references for this block: PO4, DS11


Basis Security Cycle ICQ


Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

SAP ERP Control Environment

A. Establish control over information and information systems.
A1 Has senior management established policies and standards governing the information systems of the entity?
A2 Has senior management assigned responsibilities for information, its processing and its use?
A3 Is user management responsible for providing information that supports the entity's objectives and policies?
A4 Is user management responsible for the completeness, accuracy, authorization, security and timeliness of information?
A5 Is information systems management responsible for providing the information systems capabilities necessary for achievement of the defined information systems objectives and policies of the entity?
A6 Does senior management approve plans for development and acquisition of information systems?
A7 Does senior management monitor the extent to which development/configuration, operation and control of information systems complies with established policies and plans?
A8 Are there outstanding audit findings from previous years? (COBIT: ME1, ME2)

Further COBIT references for section A: PO6, PO2, PO4, PO8, DS11, PO3, DS1, DS3, PO5, ME1

B. Ensure that the information systems selected (whether new implementation or upgrade) meet the needs of the entity.
B1 Are there procedures to ensure that decisions to develop or acquire information systems are made in accordance with the objectives and policies of the entity? (COBIT: PO5, AI1)
B2 Are there procedures to determine costs, savings and benefits before a decision is made to develop or acquire an information system?
B3 Are there procedures to ensure that the information system being developed or acquired meets user requirements?
B4 Are there procedures to ensure that information systems, programs and configuration changes are adequately tested prior to implementation?

Further COBIT references for section B: AI1, AI1, AI2, AI3



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

C. Ensure that the acquisition and configuration of information systems (whether new implementation or upgrade) are carried out in an efficient and effective manner.
C1 Are standards established and enforced to ensure the efficiency and effectiveness of the systems acquisition and configuration process? (COBIT: PO10, AI1, AI2)
C2 Are there procedures to ensure that all systems are acquired and configured in accordance with the established standards?
C3 Is an approved acquisition plan (project plan) used to measure progress?
C4 Do all personnel involved in system acquisition and configuration activities receive adequate training and supervision?

Further COBIT references for section C: AI2, PO10, PO7

D. Ensure the efficient and effective implementation or upgrade of information systems.
D1 Has responsibility been assigned for implementation, configuration and upgrade of information systems? (COBIT: PO4)
D2 Are there procedures to ensure the efficiency and effectiveness of the implementation, configuration and upgrade of information systems?
D3 Are there procedures to ensure that information systems are implemented, configured and upgraded in accordance with the established standards?
D4 Is an approved implementation plan used to measure progress?
D5 Is effective control maintained over the conversion of information and the initial operation of the information system?
D6 Does user management participate in the conversion of data from the existing system to the new system?
D7 Is final approval obtained from user management prior to going live with a new implementation and/or upgraded system?

E. Ensure the efficient and effective maintenance of information systems.
E1 Are there procedures to document and schedule all planned changes to information systems (including key ABAP programs)?
E2 Are there procedures to ensure that only authorized changes are initiated?

Further COBIT references for sections D and E: AI4, AI3, PO10, AI7, AI7, AI7, AI6, AI6



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

E3 Are there procedures to ensure and verify that only authorized, tested and documented changes to information systems are accepted into the production client?
E4 Are there procedures to report planned information systems changes to information systems management and to the users affected?
E5 Are there procedures to allow for and control emergency changes?
E6 Are controls in place to prevent and identify unauthorized changes to information systems (including key ABAP programs)?

COBIT references for E3 to E6: AI6, AI7, AI6, DS8, AI6, AI6, DS5

F. Ensure that present and future requirements of users of information systems processing can be met.
F1 Are there written agreements between users and information systems processing, defining the nature and level of services to be provided? (COBIT: DS1)
F2 Is there appropriate management reporting within information systems processing?
F3 Does information systems processing management keep senior and user management informed about technical developments that could support the achievement of the objectives and policies of the entity?
F4 Are there procedures/capacity planning activities to examine the adequacy of information processing resources to meet entity objectives in the future?
F5 Are there periodic planning activities to examine the adequacy of the volume of skilled staff (i.e., operating system, hardware, network, SAP ERP) to support the systems now and in the future?
F6 Are there procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software?
F7 Is there a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated?
F8 If the SAP ERP implementation is not at the most current version, is there a planned upgrade approach?

Further COBIT references for section F: DS4, ME1, DS3, DS4, DS3, PO7, AI3, DS3, DS3, ME3, PO3, AI3, DS3



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

G. Ensure the efficient and effective use of resources within information systems processing.
G1 Are budgets for information systems processing activities prepared on a regular basis? (COBIT: PO5)
G2 Are standards established and enforced to ensure efficient and effective use of information systems processing? (COBIT: PO6)
G3 Is there an incident management process that ensures that information processing problems are detected and corrected on a timely basis? (COBIT: DS5, DS10)
G4 Are users of information systems processing facilities accountable for the resources used by them? (COBIT: DS6)

H. Ensure that there is an appropriate segregation of incompatible functions within the entity.
H1 Does the organization structure established by senior management provide for an appropriate segregation of incompatible functions:
a. Basis administration
b. Transport/import
c. Develop program change
d. Develop role change
e. User security administration
f. Change monitoring
g. User testing
h. Authorize change
i. Perform change

I. Ensure that all access to information and information systems is authorized.
I1 Are there procedures to ensure and verify that information and information systems are accessed in accordance with established policies and procedures? (COBIT: PO4, DS5)

J. Ensure that information systems processing is protected physically from unauthorized access and from accidental or deliberate loss or damage.
J1 Are the database, application and presentation servers located in a physically separate and protected environment (i.e., a data center)? (COBIT: DS12)
J2 Are there procedures to ensure that environmental conditions (such as temperature and humidity) for hardware facilities are adequately controlled? (COBIT: DS12)

K. Ensure that information processing can be recovered and resumed after operations have been interrupted.
K1 Are there procedures to allow information processing to resume operations in the event of an interruption? (COBIT: DS4)



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

K2 Are emergency, backup and recovery plans documented and tested on a regular basis to ensure that they remain current and operational?
K3 Do personnel receive adequate training and supervision in emergency backup and recovery procedures?

COBIT references for K2 and K3: DS4, DS4, DS7

L. Ensure that critical user activities can be maintained and recovered following interruption.
L1 Are there backup and recovery plans to allow users of information systems to resume operations in the event of an interruption? (COBIT: DS4)
L2 Are all information and resources required by users to resume processing backed up regularly?
L3 Do user personnel receive adequate training and supervision in the conduct of the recovery procedures?
L4 Are application controls designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system?
L5 Are there procedures to ensure that output is reviewed by users/management for completeness, accuracy and consistency?
L6 Is there some method of ensuring that control procedures relating to completeness, accuracy and authorization are ensured?
L7 Are there established policies and procedures for record retention?

Further COBIT references for section L: DS4, DS11, DS4, DS7, DS4, DS5, DS4, ME1, DS4, ME2, PO6, DS4

1. Application Installation (Implementation Guide and Organizational Model)

1.1 Configuration changes are made in the development environment and transported to production.
1.1.1 Has access to the Implementation Guide (IMG) in production been restricted?
1.1.2 Have the production client settings been established to not allow changes to programs and configuration?

1.2 The Organizational Model has been configured correctly to meet the needs of the organization.

COBIT references for section 1.1: DS5, DS9



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

1.2.1 Was the Organizational Model well thought-out and agreed upon early in the implementation and did the relevant organization groups assist with key design decisions?
1.2.2 Has access to the organization configuration functionality been restricted?

1.3 Changes to critical number ranges are controlled.
1.3.1 Has the SAP ERP software security been appropriately configured to restrict the ability to change critical number ranges (i.e., company codes, chart of accounts and accounting period data)?
1.3.1 Has the production environment been set so modifications are not possible?

1.4 Access to system and customizing tables is narrowly restricted.
1.4.1 Have all of the customized SAP ERP tables been assigned to the appropriate authorization group?
1.4.2 Has the ability to modify critical tables been appropriately restricted in the production system?

2. Application Development (ABAP/4 Workbench and Transport System)

2.1 Application modifications are planned, tested and implemented in a phased manner.
2.1.1 Are appropriate change control procedures followed for all transports?
2.1.1 Has the production system change option been set to No Changes Allowed?
2.1.1 Has the ability to create vs. release change requests been segregated?

2.2 Customized ABAP/4 programs are secured appropriately.
2.2.1 Have customized ABAP/4 programs been assigned to authorization groups?
2.2.2 Has an authority-check statement been included within customized ABAP/4 programs so the user's authority to access objects is checked at run time? (COBIT: AI6)

Further COBIT references for sections 1.2 to 2.2: AI6, AI6, PO4, PO4, DS5, DS5, AI6, PO4, DS5, AI6, DS5, PO4, DS5

2.3 The creation or modification of programs is performed in the development system and migrated through the test system to production.



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

2.3.1 Has access to directly change production source code within the production environment been restricted and monitoring established? (COBIT: AI6)

2.4 Access for making changes to the dictionary is restricted to authorized individuals.
2.4.1 Has the ability to make changes to the SAP ERP data dictionary been restricted and access privileges appropriately assigned based on job responsibilities?

2.5 Access to modify and develop queries is restricted.
2.5.1 Have authorization groups for creating and running the ABAP/4 queries been appropriately established in the SAP ERP software so that some end users can maintain and execute queries, while others can only execute existing queries?

2.6 Relevant company codes are set to Productive in the production environment.
2.6.1 Have company codes that are working productively been set to Productive to reduce the risk that deletion programs may reset the company code data by mistake?

3. Application Operations (Computing Center Management System)

3.1 The Computing Center Management System is configured appropriately.
3.1.1 Have operation modes, instances and the CCMS timetable been correctly defined, such that the CCMS display is meaningful?
3.1.1 Is access to the system and start-up profiles tightly controlled?
3.1.1 Are change procedures followed strictly and changes to the profiles well documented?
3.1.1 Has access to the CCMS Alert Monitor been properly secured?

3.2 Batch processing operations are secured appropriately.
3.2.1 Have batch input, batch administration and batch processing capabilities been restricted appropriately?

Further COBIT references for sections 2.4 to 3.2: PO4, AI6, PO4, DS5, PO4, AI2, AI6, AI6, DS11, AI6, DS10, DS5, DS11



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

3.2.1 Have batch upload programs created to load initial master data and take on balances been deleted from the production environment following go-live? (COBIT: AI7)

3.3 Default system parameter settings are reviewed and configured to suit the organization's environment.
3.3.1 During implementation, did the organization set the SAP ERP system profile parameters to appropriate values? (COBIT: AI4)

3.4 Critical and sensitive transaction codes are locked in production.
3.4.1 Have sensitive transaction codes been locked in the production environment and does the organization have procedures for locking and unlocking these transaction codes? (COBIT: DS5, DS11)

3.5 Users are prevented from logging on with trivial or easily guessable passwords.
3.5.1 Has management set up a list of "illegal" passwords that users are not allowed to use? (COBIT: DS5, DS13)

3.6 SAP Router is configured to act as a gateway to secure communications into and out of the SAP ERP environment.
3.6.1 Is the network protected by SAP Router and a firewall? (COBIT: DS5)
3.6.1 Are appropriate change management procedures for any modifications to the SAP Router permission table in place and operating? (COBIT: AI6)
3.6.1 Is the SAP Router log file used to monitor remote communications activity? (COBIT: DS5)
3.6.1 Are Secure Network Communications (SNC) and an external security product used to protect the communication among the components of the SAP ERP system?

3.7 Remote access by software vendors is controlled adequately.
3.7.1 Is SAP's or the support provider's access restricted to a test/development environment, ideally on a separate file server from the production environment, activated only on request, and all activity logged and reviewed by an individual with the ability to understand the actions that have been taken? (COBIT: AI6, DS5)



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

3.7.2 Are changes subject to normal testing and migration controls before being implemented on the production system? (COBIT: AI6)

3.8 SAP ERP Remote Function Call (RFC) and Common Programming Interface-Communications (CPI-C) are secured.
3.8.1 Have the SAP ERP RFC and CPI-C communications been secured so that any user who makes use of a connection will be prompted to enter a username and password? (COBIT: DS5)

3.9 The technology infrastructure is configured to secure communications and operations in the SAP ERP environment.
3.9.1 Has the technology infrastructure been configured to secure communications and operations in the SAP ERP environment? Consider the following areas: firewall; Secure Network Communications (SNC); Secure Store and Forward (SSF) mechanisms and digital signatures; workstation security; operating system and database security. (COBIT: PO2, DS5)

4. Application Security (Profile Generator and Security Administration)

4.1 Duties within the security administration environment are adequately segregated.
4.1.1 Has the organization allocated the security administration function among different individuals? (COBIT: PO4)

4.2 Adequate security authorization documentation is maintained.
4.2.1 Was original documentation of the SAP ERP authorizations and their use developed and signed off by management during the implementation and has it been maintained adequately?

4.3 The superuser SAP* is properly secured.
4.3.1 Has SAP* been assigned to the security administrators authorization group to prevent inadvertent deletion, the password changed from the default, all profiles and authorizations deleted and the user locked?
4.3.2 Has the system parameter (login/no_automatic_user_sapstar) been set?

4.4 Default users are secured properly.

Further COBIT references for sections 4.2 to 4.4: DS5, AI7, DS4, AI6



Control Objectives/Questions (Response: Yes / No / N/A; Comments; COBIT References)

4.4.1 Have the passwords for the default users DDIC, SAPCPIC and EarlyWatch been changed from the default?

4.5 Access to powerful profiles is restricted.
4.5.1 Has a new superuser account with the SAP_ALL and SAP_NEW profiles been created with a confidential ID and secret password for emergency use and has access to powerful profiles been restricted appropriately?
4.5.2 Are procedures in place to ensure that use of the SAP_ALL authority is authorized, approved, logged, monitored and reviewed?

4.6 The authorization group that contains powerful users is restricted.
4.6.1 Has the authorization group that contains powerful users been restricted to the new superuser and a backup?

COBIT references for this block: AI3, DS5, AI1, DS5, DS5
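Added example (not from the ISACA ICQ and not SAP's own tooling): a small Python checker that turns items 4.3.1, 4.3.2, 4.4.1 and 4.5.1 above into automated findings, run against a constructed profile-parameter dump and a constructed user listing. The two input formats, the expected value 1 for login/no_automatic_user_sapstar and the emergency superuser name FF_ADMIN are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample input (not a real SAP export): profile parameters as
# "name = value" lines in the style of an instance profile.
PROFILE_DUMP = """\
# constructed sample
login/no_automatic_user_sapstar = 0
"""

# Constructed sample input (not a real SAP export), one user per line:
# user;locked(yes/no);initial_password(yes/no);profiles(comma separated)
USER_LISTING = """\
# constructed sample
SAP*;no;yes;SAP_ALL
DDIC;no;yes;SAP_ALL,SAP_NEW
SAPCPIC;yes;no;
EarlyWatch;no;yes;
FF_ADMIN;yes;no;SAP_ALL,SAP_NEW
JSMITH;no;no;
"""

DEFAULT_USERS = ("SAP*", "DDIC", "SAPCPIC", "EARLYWATCH")  # ICQ 4.3.1 / 4.4.1
POWERFUL_PROFILES = ("SAP_ALL", "SAP_NEW")                 # ICQ 4.5.1
EMERGENCY_SUPERUSER = "FF_ADMIN"  # assumed name of the emergency superuser (4.5.1)


@dataclass
class User:
    name: str
    locked: bool
    initial_password: bool
    profiles: tuple


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_users(text):
    """Return User records from the semicolon-separated listing; comments are skipped."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, locked, initial, profiles = line.split(";")
        users.append(User(name, locked == "yes", initial == "yes",
                          tuple(p for p in profiles.split(",") if p)))
    return users


def run_icq_checks(profile_text, user_text):
    """Return (ICQ item, subject, finding) triples; an empty list means no exceptions."""
    findings = []
    params = parse_profile(profile_text)

    # 4.3.2: value 1 disables the automatic SAP* user that exists when the
    # SAP* master record has been deleted.
    if params.get("login/no_automatic_user_sapstar") != "1":
        findings.append(("4.3.2", "login/no_automatic_user_sapstar",
                         "parameter is not set to 1"))

    for u in parse_users(user_text):
        if u.name.upper() == "SAP*":
            # 4.3.1: default password changed, all profiles removed, user locked.
            if u.initial_password or u.profiles or not u.locked:
                findings.append(("4.3.1", u.name,
                                 "initial password kept, profiles present or user not locked"))
        elif u.name.upper() in DEFAULT_USERS and u.initial_password:
            # 4.4.1: DDIC, SAPCPIC and EarlyWatch must not keep the default password.
            findings.append(("4.4.1", u.name, "default user still has its initial password"))
        # 4.5.1: SAP_ALL / SAP_NEW belong only to the designated emergency superuser.
        powerful = [p for p in u.profiles if p in POWERFUL_PROFILES]
        if powerful and u.name != EMERGENCY_SUPERUSER:
            findings.append(("4.5.1", u.name, "holds " + ",".join(powerful)))
    return findings


if __name__ == "__main__":
    for item, subject, text in run_icq_checks(PROFILE_DUMP, USER_LISTING):
        print(item, subject, text)
```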

4.7 Changes to critical SAP ERP tables are logged by the system and reviewed by management.
4.7.1 Are all changes to the critical SAP ERP tables logged by the system and does the periodic review of these logs form part of the security procedures for the organization? (Include the list of tables with logging implemented.)

4.8 Changes made to the data dictionary are authorized and reviewed regularly.
4.8.1 Are details of modifications to the data dictionary maintained and change control procedures followed?
4.8.2 Are the SAP ERP Data Dictionary Information System reports (DD reports) regularly generated and reviewed by management?

4.9 Log and trace files are appropriately configured and secured.
4.9.1 Is logging appropriately configured and are log and trace files secured at the operating system level at the location specified within the system profile?

COBIT references for this block: DS9, AI6, DS11, DS11, ME1, AI6, DS11
