How to audit SAP S/4HANA Cloud (Part 1.1)
1.1. Legal and Regulatory Requirements – Local GAAP
The IT audit procedures described in these blog posts are intended as guidance for an IT auditor who is familiar with SAP ERP systems and has knowledge of the legal requirements for IT audits as part of the annual year-end audit. This is a prerequisite for understanding the blog posts.
The blog posts are neither legally binding nor a mandatory guideline or standard; they solely serve as orientation. Any responsibility for the type, scope, and results of external and internal audits remains with the auditor. It is also the auditor’s responsibility to define the selected key audit areas in accordance with the relevant regulations and standards.
Generally, when conducting IT-Audits as part of the annual year-end audit, certain provisions and guidelines apply. As an example, here are some applicable German guidelines:
- Statutory commercial and tax law provisions (§§ 238 et seq. German Commercial Code (Handelsgesetzbuch, “HGB”) and §§ 140 – 148 German Fiscal Code (Abgabenordnung, “AO”));
- Generally accepted accounting principles (Grundsätze ordnungsmäßiger Buchführung, “GoB”);
- The Letter of the Federal Minister of Finance dated 28 November 2019, “Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff” (GoBD), broadly translated as “Principles of proper electronic bookkeeping and storage of financial statements as well as commercial documents and of their retrieval”;
- Accounting publication by the Select Committee for Information Technology (Fachausschuss für Informationstechnologie, “FAIT”) of the German Institute of Auditors (Institut der Wirtschaftsprüfer in Deutschland e.V., “IDW”) entitled “Principles of proper accounting in connection with the use of information technology” (Grundsätze ordnungsmäßiger Buchführung bei Einsatz von Informationstechnologie, “IDW RS FAIT 1”);
- Principles of proper accounting in connection with the use of electronic archiving systems (Grundsätze ordnungsmäßiger Buchführung beim Einsatz von Archivierungssystemen, “IDW RS FAIT 3”);
- IDW auditing standard “Project-related audit using information technology” (Projektbegleitende Prüfung bei Einsatz von Informationstechnologie, “IDW PS 850”);
- “Processes and Functions, including Cloud Computing” (IDW RS FAIT 5).
Similar guidelines and standards are in place in most countries. In addition to the general audit guidelines, specific requirements apply to software operated in the cloud. Furthermore, several frameworks address cloud risks, for example the CSA Cloud Controls Matrix, ISO 27001, COBIT 5, the Consensus Assessments Initiative Questionnaire (CAIQ), the Payment Card Industry Data Security Standard (PCI-DSS), National Institute of Standards and Technology (NIST) SP 800-53 and, as mentioned above, IDW RS FAIT 5. The following figure illustrates how IDW RS FAIT 5 accounts for different complexity levels of IT outsourcing:
Besides the type of outsourcing, IDW RS FAIT 5 also classifies outsourcing projects by the underlying provider model:
- Public Cloud: All outsourcing companies have access to services.
- Private Cloud: Only one particular outsourcing company (group) has access to the services.
- Hybrid Cloud: A combination of the above-mentioned models.
Furthermore, IDW RS FAIT 5 defines four phases of an outsourcing project and the corresponding requirements for each phase. Lifecycle according to IDW RS FAIT 5:
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.
Or contact us on LinkedIn.
Feel free to share your feedback and thoughts in the comment section below.
Who we are
This blog is written by:
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA
With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts, responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy and Security Attestation & Certification.
Florian Eller (SAP) – Product Management SAP S/4HANA Security
Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.
Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA
Björn has been working in the field of SAP security for more than two decades, with additional experience in SAP implementation and IT auditing.
Patrick Boch (SAP) – Product Management SAP S/4HANA Security
Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.
Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance)
Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance)
Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.