The IT department is well aware of SOX IT controls. However, this department may also assist in providing information for business cycle testing to comply with SOX. It is important that IT and SAP process owners know what to expect from these audits. Some auditors do not have the access privileges or the knowledge to perform data extractions in SAP. In this case, they need IT assistance. In this post, I explain what a SOX auditor usually covers when reviewing processes based on SAP.
1- Incompatible SAP Accesses for a Business Process
A SOX auditor would ask for a list of users with access to critical transactions. The definition of critical transactions depends on each company and process. However, most critical accesses are related to posting, creating and approving key transactions. Customized transactions (Y and Z) are also reviewed when they involve high-risk approvals. Manual tasks (e.g. signing checks or approving reconciliations) are usually added to this analysis. Please refer to my article listing the most common Segregation of Duties Conflicts in SAP for further details.
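The analysis described above, as an added example that is not part of the original post: a user-to-transaction extract (constructed here, in practice the role/authorization extract IT provides) is combined with manual tasks and checked against a company-defined list of critical transactions and incompatible combinations. The transaction codes and conflict rules below are illustrative assumptions; the real rule set is specific to each company and process.

```python
"""Critical-access and segregation-of-duties check over a SAP user/transaction extract."""
from collections import defaultdict

# Constructed sample extract: one row per (user, transaction code) assignment.
USER_TCODES = [
    ("jdoe", "FK01"),     # create vendor master
    ("jdoe", "F110"),     # automatic payment run
    ("asmith", "ME21N"),  # create purchase order
    ("asmith", "MIGO"),   # post goods receipt
    ("asmith", "MIRO"),   # post incoming invoice
    ("bwong", "ME21N"),
    ("bwong", "FK01"),
    ("clee", "MIRO"),
]

# Manual tasks are added to the same analysis, tagged so they cannot collide with a tcode.
MANUAL_TASKS = [
    ("clee", "MANUAL:SIGN_CHECKS"),
]

# Illustrative critical transactions (company-specific in practice).
CRITICAL_TCODES = {"FK01", "F110"}

# Illustrative conflict rules: (description, set of accesses that must not be held together).
SOD_RULES = [
    ("Create vendor master and run payments", frozenset({"FK01", "F110"})),
    ("Create purchase order and post goods receipt", frozenset({"ME21N", "MIGO"})),
    ("Post invoice and sign checks (manual)", frozenset({"MIRO", "MANUAL:SIGN_CHECKS"})),
]


def build_access_map(user_tcodes, manual_tasks=()):
    """Collapse the row-based extract into {user: set_of_accesses}."""
    access = defaultdict(set)
    for user, item in list(user_tcodes) + list(manual_tasks):
        access[user].add(item)
    return access


def critical_access_report(user_tcodes, critical, manual_tasks=()):
    """Return {critical_access: sorted list of users holding it} for the auditor's user list."""
    access = build_access_map(user_tcodes, manual_tasks)
    report = defaultdict(list)
    for user in sorted(access):
        for item in sorted(access[user] & set(critical)):
            report[item].append(user)
    return dict(report)


def find_sod_conflicts(user_tcodes, rules, manual_tasks=()):
    """Return (user, rule description, conflicting accesses) for every rule a user fully satisfies."""
    access = build_access_map(user_tcodes, manual_tasks)
    conflicts = []
    for user in sorted(access):
        for description, combo in rules:
            if combo <= access[user]:
                conflicts.append((user, description, tuple(sorted(combo))))
    return conflicts


if __name__ == "__main__":
    for item, users in critical_access_report(USER_TCODES, CRITICAL_TCODES).items():
        print(f"critical access {item}: {', '.join(users)}")
    for user, description, combo in find_sod_conflicts(USER_TCODES, SOD_RULES, MANUAL_TASKS):
        print(f"SoD conflict for {user}: {description} {combo}")
```

Holding a single rule's accesses through several roles still counts, because the check works on the union of everything assigned to the user rather than role by role.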
2- Inconsistencies in SAP Master Files
A SOX auditor would ask for master files to check for inconsistencies. Most of this audit work consists of applying filters within one table or linking different tables. SOX auditors need to verify the standardization of business processes and flows. For instance, SOX auditors would review customer credit limits (RF02L), tolerance keys (T169G), customer/vendor masters (e.g. addresses, banks, duplications, payment terms, tax codes), and exchange rates (TCURR).
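The kind of master-file filtering described above, as an added example that is not part of the original post: constructed vendor master and customer credit-limit extracts are checked for duplicate vendors (same bank account or same normalized name under different vendor numbers), vendors with no payment terms, and credit limits above a ceiling. The record layout, field names and the credit ceiling are assumptions for the example, not the SAP table structures.

```python
"""Master-data consistency checks over constructed vendor and customer credit extracts."""
import re
from collections import defaultdict

# Constructed vendor master extract (field names are assumptions for this example).
VENDORS = [
    {"id": "100001", "name": "Acme Supplies Ltd",  "bank_acct": "DE89370400440532013000", "pay_terms": "Z030"},
    {"id": "100002", "name": "ACME SUPPLIES LTD.", "bank_acct": "DE89370400440532013000", "pay_terms": "Z030"},
    {"id": "100003", "name": "Globex Corp",        "bank_acct": "GB29NWBK60161331926819", "pay_terms": ""},
    {"id": "100004", "name": "Initech",            "bank_acct": "US000123456789",         "pay_terms": "Z060"},
]

# Constructed customer credit-limit extract.
CUSTOMER_CREDIT = [
    {"customer": "200001", "credit_limit": 50000.0},
    {"customer": "200002", "credit_limit": 2500000.0},
    {"customer": "200003", "credit_limit": 0.0},
]


def normalize_name(name):
    """Lower-case and strip punctuation/whitespace so 'Acme Supplies Ltd' and 'ACME SUPPLIES LTD.' match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _group_duplicates(records, key_fn):
    """Group vendor ids by key and keep only keys shared by more than one vendor."""
    groups = defaultdict(list)
    for rec in records:
        groups[key_fn(rec)].append(rec["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def duplicate_bank_accounts(vendors):
    """Different vendor numbers sharing one bank account: a classic duplicate-vendor indicator."""
    return _group_duplicates(vendors, lambda v: v["bank_acct"])


def duplicate_names(vendors):
    """Different vendor numbers whose names collapse to the same normalized form."""
    return _group_duplicates(vendors, lambda v: normalize_name(v["name"]))


def missing_payment_terms(vendors):
    """Vendors created without payment terms, i.e. outside the standard flow."""
    return [v["id"] for v in vendors if not v["pay_terms"]]


def credit_limits_over(customers, ceiling):
    """Customers whose credit limit exceeds the company's ceiling (ceiling is an assumed parameter)."""
    return [c["customer"] for c in customers if c["credit_limit"] > ceiling]


if __name__ == "__main__":
    print("duplicate bank accounts:", duplicate_bank_accounts(VENDORS))
    print("duplicate names:", duplicate_names(VENDORS))
    print("missing payment terms:", missing_payment_terms(VENDORS))
    print("credit limits over 1,000,000:", credit_limits_over(CUSTOMER_CREDIT, 1_000_000))
```

Each check is a single filter or self-join on one extract; linking two tables (for instance vendor master to bank details) follows the same pattern with a second grouping key.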
3- Inconsistencies in SAP Parameters
SOX auditors would ask for certain parameters in SAP. Typically, they would need to ensure that the 3-way match is set, that the posting periods are limited in time, that the approval flows are reasonable (parking and approving FI documents), and that the approver delegations (FMWF_MDRUL) follow internal guidelines.
4- Inconsistencies in custom interfaces to SAP
SOX auditors would walk through and test SAP interfaces with external applications (generally related to eBanking and eBusiness). They would be concerned with data integrity and security.
From Governance, Risk Management and Compliance Blog