
SAP GRC- Governance, Risk and Compliance and Secrets of an External Auditor Part II

Need more secrets? All right, this time I will make it as descriptive as possible. But before we go ahead, note that SAP has renamed the SAP GRC Access Controls tools. We now have:

  • Risk Analysis and Remediation – RAR (formerly Compliance Calibrator)
  • Compliant User Provisioning – CUP (formerly Access Enforcer)
  • Enterprise Role Management – ERM (formerly Role Expert)
  • Super User Privilege Management – SPM (formerly Firefighter)

In my previous blog, SAP GRC- Governance, Risk and Compliance and Secrets of an External Auditor, I mentioned a couple of terms without a detailed explanation. Below are some of the key terms and their definitions.

COSO:  The Committee of Sponsoring Organizations of the Treadway Commission provides detailed internal control criteria and defines the components of internal control. Its framework sets the standard that management follows with regard to internal controls.

PCAOB:  Established by Sarbanes-Oxley, the Public Company Accounting Oversight Board has broad powers to oversee the audits and auditors of public companies. Through its oversight of public company auditors, the PCAOB influences how companies should prepare for their audits. In March 2004 the PCAOB issued Auditing Standard No. 2, which set the requirements for the audit of internal control over financial reporting (it has since been superseded by Auditing Standard No. 5, which covers the same ground).

Internal Control over Financial Reporting:  A process designed by, or under the supervision of, the company’s principal executive and financial officers (or persons performing similar functions) and effected by the company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP (generally accepted accounting principles).

Test of Design:

Design effectiveness refers to whether the controls, if complied with, would be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements. It involves considering the financial reporting objectives the control is meant to achieve and whether it will achieve them.

Test of Operating Effectiveness:

Operating effectiveness refers to whether the control is operating as designed and whether the person performing the control has the necessary authority and qualifications to perform it effectively. During testing of operating effectiveness, management gathers evidence about how the control was applied, how consistently it was applied, and by whom.

SAP GRC Process Controls

SAP GRC Process Controls is an application for end-to-end control management: it manages both automated and manual controls, prioritizes remediation activities and gives management a complete overview of the control environment.

To understand the concepts of SAP GRC Process Controls, it is necessary to learn the different control categories for SAP. The control categories described below are the basis on which external auditors test SAP systems.

Preventative Controls:

Preventive controls help to stop errors or fraud from occurring in the first place, before they can result in a misstatement of the financial statements.

Examples of preventive controls are segregation of duties (handled well by the GRC Access Controls application), adequate documentation, and physical control over assets.

By running a simulation in GRC Compliance Calibrator (now Risk Analysis and Remediation) before a user or role change is provisioned, we implement a preventive control: the SOD violation is caught before the risk is introduced into the production environment.

Detective Controls:

Detective controls help to detect errors or fraud that have already occurred and could result in a misstatement of the financial statements.

Examples of detective controls are periodic review of users and of segregation of duties, analyses, variance analyses and reconciliations. SAP GRC provides management reports at five different levels; the underlying user, role and authorization data can also be queried with the standard SAP User Information System (transaction code SUIM). The five levels are: SOD at transaction code level, SOD at authorization object level, critical transaction risk analysis, critical role/profile, and mitigation control reports.
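Both of the Access Controls uses described above, the preventive simulation before provisioning (Compliance Calibrator / RAR) and the detective SOD report at transaction code level, come down to the same evaluation: a ruleset of conflicting functions is checked against the set of transaction codes each user can reach through their roles, and any hit is either open or covered by a mitigating control. The Python below is an added example written for this page, not SAP's code and not the SAP-delivered ruleset; the risk IDs, role names, user IDs and mitigating control ID are constructed sample data, and the FI/MM transaction codes are standard SAP codes used only to make the conflict readable.

```python
"""Toy SOD risk analysis at transaction code level (added example, not SAP code).

A risk fires when a user can execute at least one transaction code from EVERY
conflicting function of that risk, e.g. "maintain vendor master" AND "pay vendor".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple  # tuple of frozensets of transaction codes, one per conflicting function


# Constructed ruleset; IDs and groupings are made up for this example.
RULESET = (
    Risk("P001", "Maintain vendor master AND process outgoing payments",
         (frozenset({"FK01", "FK02", "XK01", "XK02"}), frozenset({"F110", "F-53"}))),
    Risk("P002", "Create purchase order AND post goods receipt",
         (frozenset({"ME21N", "ME22N"}), frozenset({"MIGO", "MB01"}))),
)

# Constructed role -> transaction code map (stand-in for an extract of the
# SAP role/authorization tables).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02", "FK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53", "FBL1N"},
    "Z_AP_DISPLAY": {"FK03", "FBL1N"},
    "Z_MM_PURCHASER": {"ME21N", "ME23N"},
}

# Constructed user -> role assignments.
USERS = {
    "JDOE": {"Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"},
    "ASMITH": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},
    "BLEE": {"Z_MM_PURCHASER"},
}

# Constructed mitigating controls: (user, risk) -> control ID.
MITIGATIONS = {("ASMITH", "P001"): "MC-AP-01"}


def tcodes_for(role_names, roles=ROLES):
    """Flatten a user's roles into the set of transaction codes they can execute."""
    codes = set()
    for name in role_names:
        codes |= roles.get(name, set())
    return codes


def risks_for(tcodes, ruleset=RULESET):
    """IDs of every risk whose conflicting functions are ALL reachable from tcodes."""
    return [r.risk_id for r in ruleset if all(tcodes & fn for fn in r.functions)]


def analyze(users=USERS, roles=ROLES, ruleset=RULESET, mitigations=MITIGATIONS):
    """Detective report: user -> [(risk_id, 'open' | mitigating control ID)]."""
    report = {}
    for user, role_names in users.items():
        hits = []
        for risk_id in risks_for(tcodes_for(role_names, roles), ruleset):
            hits.append((risk_id, mitigations.get((user, risk_id), "open")))
        report[user] = hits
    return report


def simulate(user, new_role, users=USERS, roles=ROLES, ruleset=RULESET):
    """Preventive check: risks that assigning new_role to user would newly introduce."""
    current = users.get(user, set())
    before = set(risks_for(tcodes_for(current, roles), ruleset))
    after = set(risks_for(tcodes_for(current | {new_role}, roles), ruleset))
    return sorted(after - before)


if __name__ == "__main__":
    for user, hits in analyze().items():
        print(user, hits or "no SOD risks")
    print("JDOE + Z_AP_PAYMENTS would introduce:", simulate("JDOE", "Z_AP_PAYMENTS"))
```

`analyze()` is the detective side: every user for whom all functions of a risk are reachable is listed, either as open or with the mitigating control that covers the conflict. `simulate()` is the preventive side: it returns only the risks a requested role would add, so a request that introduces no new conflict passes. Both stay at transaction code level, the first of the five report levels; a custom or parameter transaction that reaches the same function under another code would be missed here, which is why the authorization object level report exists as well.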

Authorizations: Approval of transactions so that they are executed in accordance with generally accepted accounting principles and management’s procedures.

An example of an authorization control is a supervisor’s approval in SAP GRC Access Enforcer (Compliant User Provisioning), confirming that he or she has verified that the requested access or transaction conforms to established policies and procedures.

Interface/Conversion Controls: Interface – Data interfaces transfer specifically defined portions of data between two computer systems and should ensure the completeness and integrity of the data being transferred.

Conversion:  The process of converting data from one system to a new system.

Key Performance Indicators: Financial and non-financial quantitative measurements collected by the company, either continuously or periodically, and used by management to evaluate the extent of, and progress toward, meeting management’s defined objectives.

Reconciliation: A control designed to determine that two items, such as the records held in two computer systems, are consistent.

Segregation of Duties: The control SAP GRC Access Controls is built around. SOD separates the responsibilities of authorizing transactions, recording transactions and maintaining custody of assets, so that no individual is in a position both to perpetrate and to conceal an error or irregularity.

Management Review: A person other than the preparer analyzes and provides oversight of the activities performed (this does not apply solely to management doing the review).

System Access: The ability that an individual or group has within a computer information system processing environment, as defined by the access rights configured in the system. The access rights configured in the system should agree with the access that is actually required and approved in practice.

System Configuration/Account Mapping: Configuration – ‘switches’ that can be turned on or off to secure data against inappropriate processing, based on the organization’s business rules.

Account mapping – ‘switches’ that determine how a transaction is posted to the general ledger (GL) and from there to the financial statements.

Exception/ Edit Report: 

Exception – A report that shows violations of company standards.

Edit – A report that shows changes made to a master file.

A very important concept used by auditors is the financial statement assertions. Auditors use them as a framework to assess whether the financial statements are presented fairly. Based on the control activity and its business value, each control is mapped to the assertion(s) it supports, so that the business process can be shown to run fairly.

The assertions referred to on this page are existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure. Below is a brief definition of each of these assertions:

Consider the following example.

The control monitors changes to developer keys in order to detect unauthorized application changes. This control belongs to the Presentation and Disclosure assertion, as mapped in the assertions table above.

Similarly, take another example.

This control monitors changes to the configuration setting that allows or denies General Ledger postings by document type. This control belongs to the Rights and Obligations and Valuation or Allocation assertions, as defined in the assertions table above.

For completeness, consider this example

As external auditors continue to test for existence, occurrence and completeness, SAP GRC Process Controls can help you keep control over any potential misstatement in your financial statements.

A lot of folks asked me to write more on ITGC, as I had only briefly mentioned access to programs and data in my first blog.
