Better Manage Enterprise Risk and Streamline Audit Lifecycle Management with SAP Audit Management (Part 1)

by Kehinde Eseyin, Security Architect

August 15, 2016

See how SAP Audit Management can help improve the different facets of the internal audit lifecycle, including audit planning and preparation while enforcing process control and risk management.

The need to address audit challenges related to insufficient audit resources and the numerous areas that need to be addressed by audit activities are some of the drivers for the implementation of SAP Audit Management. Adopting a risk-based approach to audit planning helps internal audit departments focus on risks that are critical to an organization before the risks are realized. Organizations are increasingly seeking tools capable of standardizing audit operations, centrally managing working papers, and enforcing an audit reporting standard.

I discuss the following topics using a business example that captures a typical audit lifecycle based on SAP Audit Management 1.2:

  • Creation of an auditable item
  • Creation of an audit
  • Creation, maintenance, and release of an audit plan
  • Initiation of an audit
  • Preparation and submission of a work program
  • Review and approval of a work program

The Business Example

I will use fictitious data to portray a business example that shows how the system can be used to capture and streamline audit functions in an organization. I log on as a different protagonist at different points in the walkthrough. The story line for the business example in part 1 of this series is designed to address the following two phases of the five-cycle audit lifecycle:

  1. Audit planning
  2. Audit preparation

I cover the remaining three cycles, execution, reporting, and follow-up, in part 2 of this series.

Audit Planning: Audit planning involves establishing a comprehensive strategy for the audit engagement. This phase drives the discovery process as it relates to getting an acute understanding of dependencies including organizations, processes, the IT and functional environment, legal framework, regulatory requirements, and internal policies. Proper planning of an audit allows you to determine the type of field work to be done and the prerequisite skills and resources while managing audit expectations and the audit schedule.

In my business example, the audit manager will:

  • Create an auditable item and release it
  • Create an audit
  • Create an audit plan and release it
  • Initiate an audit

Audit preparation: The audit preparation phase allows you to concentrate the team’s effort and resources at meeting the audit objectives defined in the audit plan. This phase involves information gathering about important procedures and policies, organization structure, financial details, and the strategic plan aimed at providing the auditor with the knowledge base and understanding of the business environment and audit deliverables.

In my business example, the audit lead will:

  • Prepare a work program
  • Submit the work program

In my business example, the audit manager will:

  • Approve the work program

Accessing the SAP Audit Management User Interface Home Screen

The SAP Audit Management application can be accessed by following menu path Audit Management, powered by SAP HANA > Start Audit Management WebUI or via transaction code /UI2/FLP. That takes you to Figure 1, which displays the SAP Fiori Launchpad with the tiles relevant to SAP Audit Management.

(Note: You can access the SAP Fiori Launchpad via mobile devices.)


Figure 1
The home page of the SAP Audit Management application

To access an application, click a tile. The selection of tiles available to a user is driven by the corresponding authorization assigned to a user in the back end. For example, the tiles available to an audit manager most likely differ from those available to an auditor. In the remaining part of the article, I do not show this launchpad again. When I refer to accessing the SAP Audit Management user interface (UI) and choosing a tile, it is the tile in this launchpad to which I am referring.

Creation of an Auditable Item

An auditable item is any definition or element of a business that can be audited. It can be a process, activity, program, or risk depending on the business environment. When an auditable item is created, it is stored centrally in the audit universe. To create an auditable item, access the SAP Audit Management Launchpad as the audit manager and choose the Create Auditable Item tile. In the screen that displays, enter values in the fields as shown in Figure 2.


Figure 2
Value definition for the attributes of auditable items

Click the Save button. You get a message confirming the successful creation of the auditable item as shown in Figure 3.


Figure 3
A status message confirming the successful creation of auditable items

The audit universe houses all auditable items in an organization. In the audit universe, you can create, edit, and release auditable items. You can assign risks and dimensions to auditable items and upload attachments. The audit universe provides the environment to display other auditable item details such as assigned audit history, status, and administration data. Navigate back to the home page of the SAP Audit Management UI and choose the Audit Universe tile to access the library of auditable items in an organization as shown in Figure 4.


Figure 4
The auditable items library showing the audit universe

Choose the auditable item you just created (2016-00012 in my business example) and Figure 5 displays.


Figure 5
Audit universe master data

Following the creation of an auditable item, you might want to maintain additional attributes for the auditable item. To do this, click the Edit button and navigate to the Risks tab as shown in Figure 6.


Figure 6
Risk definition for an auditable item

Choose the add (+) button. In the screen that displays, select a risk you intend to assign to the auditable item as shown in Figure 7.


Figure 7
Risk library for assignment to auditable items

Click the OK button. You receive a confirmation message for the addition of the risk item to an auditable item (Figure 8).


Figure 8
Confirmation of the addition of a risk to an auditable item

Click the Dimensions tab to go to Figure 9.


Figure 9
The initial screen for the maintenance of a dimension against an auditable item

Click the add icon and in the screen that displays, choose the dimension you intend to add to the auditable item as shown in Figure 10.


Figure 10
Selection of dimensions to be assigned to the auditable item

Click the OK button and you receive a status message confirming the addition of the dimensions.

You can add an attachment to the auditable item via the Attachments tab. To review the status of the auditable item, choose the Administration Data tab and Figure 11 displays with the status of New Master.


Figure 11
Lifecycle status of the auditable item

Auditable items can assume any of the following statuses during their lifecycles:

  • New Master: No released version of the auditable item exists.
  • Released Master: Released versions of the auditable item exist, and the latest active version is the same as the master version.
  • Released & Updated Master: The auditable item has been updated after the last release.

For concise information about the details of an auditable item, choose the General Information tab and Figure 12 displays. The screen provides basic information about the auditable item based on the initial definition during creation and subsequent maintenance of the auditable item. For example, the risk comes from the initial definition during creation. The Highest Risk Score is based on the highest risk score among the dimensions (North with a risk score of 60 and South with a risk score of 74) that were subsequently assigned to the auditable item. Risk Score is the risk score assigned to the auditable item as an object; Highest Risk Score is the highest of the risk scores assigned to its dimensions, which are separate audit objects. The assignment of a risk score to a dimension (North or South) is therefore different from the assignment of a risk score to the auditable item itself.


Figure 12
Basic information about an auditable item

Before an auditable item can be assigned to an audit, it has to be released. To release the auditable item, click the Release button and you receive a status message confirming the release.

Creation of an Audit

To create an audit, log on to the SAP Audit Management system as the Audit Manager and choose the Create Audit tile. In the screen that displays, enter values as shown in Figure 13. You can also create an audit via the Auditable Items tab of a draft audit plan. When you create an audit, the following fields are mandatory: Title, Audit Scope, Time Period for the audit, Type of audit, audit Group, and Category.


Figure 13
The initial screen for the creation of an audit

You can add an auditable item to an audit. To do this, choose the add icon in the Auditable Items section and in the screen that displays, select the auditable item you want to add, as shown in Figure 14.


Figure 14
Assignment of an auditable item to the audit

Choose the OK button and Figure 15 displays with the assigned auditable item in the Auditable Items section.


Figure 15
The assigned auditable item displayed in the Auditable Items section

Click the Save button.

Creation/Maintenance and Release of an Audit Plan

An audit plan allows an organization to centrally schedule and structure all audit activities to be performed for a particular period of time. Audit plans typically reflect top management’s perception about enterprise risk. To create audit plans, access the SAP Audit Management home screen and choose the Create Audit Plan tile. In the screen that displays, enter values as shown in Figure 16.


Figure 16
The initial screen for the creation of the audit plan

The initial screen for audit plan definition allows you to specify a title for the audit plan, the time frame, estimated effort, and financial budget. Click the Save button.

Following the successful creation of the audit plan, you may need to maintain the definitions of the audit plan by assigning business objects such as risks, dimension, auditable items, and audits. To maintain an audit plan while still logged on as the Audit Manager, choose the Maintain Draft Audit Plan tile and Figure 17 displays.


Figure 17
The library of draft audit plans

Choose the audit plan entry you intend to maintain and Figure 18 displays. When an audit plan is first created, it assumes the status of Draft as seen in my business example.


Figure 18
The draft audit plan

You can choose the Risks and Auditable Items tabs to update the corresponding entries. You can also assign an audit to the audit plan and have the other associated business objects (such as risks and auditable items) updated in the audit plan. To do this, choose the Audits tab and in the screen that displays (not shown), choose the add icon to add an audit business object to the audit plan and click the Save button. The status message The audits have been added to the audit plan displays as seen in Figure 19. Note that the Risks tab and Auditable Items tab have been updated accordingly, based on the definition of the audit business object I created initially.


Figure 19
A status message confirming the addition of audits to the audit plan

(Note: You can only select the audits with a time period that overlaps with that of the audit plan. For example, you cannot include an audit with a time frame of 01.03.2016 to 30.03.2016 in an audit plan for 01.01.2017 to 30.12.2017.)

In the audit plan, you can view all assigned audits to the audit plan. Click the Overview tab and change the view to Month to display the schedule of the audit plan against the scheduled audit (Figure 20). This view provides a graphical representation of the planned audit vis-à-vis the audit plan.


Figure 20
A graphical representation of the audit in the audit plan

Navigate back to the list of draft audit plans (Draft Audit Plan tile) and select the audit plan. Figure 21 displays with the options to edit, delete, or release the audit plan.


Figure 21
Audit plan master data

For the purpose of this article, I release the audit plan by choosing the Release button and a screen (not shown) displays with a confirmation dialog box. Click the OK button and the message The audit plan has been released displays. To access all the released audit plans, choose the Display Released Audit Plans tile in the SAP Audit Management UI and Figure 22 displays.


Figure 22
A released audit plan

Choose the audit plan to review its status and you see it has changed to Released as seen in Figure 23.


Figure 23
View the status of the released audit plan

Furthermore, a released audit plan can be copied or archived by clicking the Copy and Archive buttons respectively. When you get to the end of the released plan period, you can release a draft plan to replace the corresponding released plan. The system allows you to manually archive an old released audit plan after a new plan has been released. If you have audits that are not yet completed in the released audit plan, the system allows you to copy these audits to the draft plan before releasing it.

(Note: When you copy a released audit plan, the released plan is archived automatically. It is not possible to change the details or audit list in a released audit plan.)
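The rules the article states for auditable items and audit plans (an item must be released before it can be assigned to an audit, the three lifecycle statuses, the Highest Risk Score taken from the assigned dimensions, and the time-period overlap constraint for adding audits to a plan) can be written down as a small validation model. The Python below is an added example, not code from SAP or from SAP Audit Management; the class names, the item's own risk score of 50, and the 2016 plan dates are constructed assumptions, while the dimension scores and the 2016/2017 date ranges are the ones quoted in the article.

```python
from dataclasses import dataclass, field
from datetime import date

# Lifecycle statuses of an auditable item as named in the article
NEW_MASTER = "New Master"
RELEASED_MASTER = "Released Master"
RELEASED_UPDATED = "Released & Updated Master"


@dataclass
class AuditableItem:
    """Model of an auditable item in the audit universe (constructed, not SAP's object model)."""
    item_id: str
    risk_score: int                                   # score assigned to the item as an object
    dimension_scores: dict = field(default_factory=dict)  # e.g. {"North": 60, "South": 74}
    status: str = NEW_MASTER
    version: int = 1
    released_version: int = 0                         # 0 means no released version exists

    def highest_risk_score(self):
        """Highest Risk Score: the maximum over assigned dimensions, None if none are assigned."""
        if not self.dimension_scores:
            return None
        return max(self.dimension_scores.values())

    def release(self):
        """Release the current master version: New Master / Released & Updated -> Released Master."""
        self.released_version = self.version
        self.status = RELEASED_MASTER

    def update(self):
        """Edit the master version; a previously released item becomes Released & Updated Master."""
        self.version += 1
        if self.released_version > 0:
            self.status = RELEASED_UPDATED


@dataclass
class Audit:
    title: str
    start: date
    end: date
    auditable_items: list = field(default_factory=list)

    def add_auditable_item(self, item):
        """Only released items (a released version exists) may be assigned to an audit."""
        if item.released_version == 0:
            raise ValueError(f"auditable item {item.item_id} must be released before assignment")
        self.auditable_items.append(item)


@dataclass
class AuditPlan:
    title: str
    start: date
    end: date
    audits: list = field(default_factory=list)

    def can_include(self, audit):
        """An audit can only be added if its time period overlaps the plan period."""
        return audit.start <= self.end and audit.end >= self.start

    def add_audit(self, audit):
        if not self.can_include(audit):
            raise ValueError(f"audit '{audit.title}' does not overlap plan '{self.title}'")
        self.audits.append(audit)


def run_example():
    """Walk the article's scenario through the model and return the observed outcomes."""
    item = AuditableItem("2016-00012", risk_score=50,          # 50 is a constructed value
                         dimension_scores={"North": 60, "South": 74})
    audit = Audit("Accounts Payable audit", date(2016, 3, 1), date(2016, 3, 30))
    outcome = {"highest_risk_score": item.highest_risk_score(),
               "initial_status": item.status}
    try:
        audit.add_auditable_item(item)               # rejected: item is still New Master
        outcome["assigned_before_release"] = True
    except ValueError:
        outcome["assigned_before_release"] = False
    item.release()
    audit.add_auditable_item(item)                   # accepted after release
    outcome["status_after_release"] = item.status
    item.update()
    outcome["status_after_update"] = item.status
    plan_2017 = AuditPlan("2017 plan", date(2017, 1, 1), date(2017, 12, 30))
    plan_2016 = AuditPlan("2016 plan", date(2016, 1, 1), date(2016, 12, 31))  # constructed dates
    outcome["fits_2017_plan"] = plan_2017.can_include(audit)
    outcome["fits_2016_plan"] = plan_2016.can_include(audit)
    return outcome


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The overlap test is inclusive on both ends, so an audit that ends on the first day of the plan period still qualifies; that is the reading of "overlaps" used here and is an assumption, not something the article specifies.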

Initiation of an Audit

After an audit has been successfully created, it exists in the draft status in the Initiate Audit tile. To display audits in draft status, access the SAP Audit Management home screen as the audit manager. Choose the Initiate Audits tile and Figure 24 appears.


Figure 24
The home screen for initiating an audit

Choose an audit and Figure 25 displays.


Figure 25
Draft audit in the initiate audit tile

The Initiate Audits screen gives you the capability to update the details of an audit, maintain the audit team, associate risks with the audit, and consequently initiate the audit. More importantly, you need to assign team members for mandatory protagonists before you can initiate an audit. To maintain a team member, navigate to the Team tab as shown in Figure 26.


Figure 26
The Team tab of an audit entry

Click the edit icon and in the screen that displays, search for team member names and then assign team members to the audit roles as shown in Figure 27.


Figure 27
Assignment of users to audit roles

Click the Save button and you see a status message confirming the update. In the screen that appears click the Initiate button and enter a comment in the dialog box (not shown) that displays. Click the OK button and Figure 28 displays.


Figure 28
A status message confirming the initiation of the audit

Preparation and Submission of the Work Program

After an audit has been initiated, it moves to the audit preparation phase. At this stage, the audit lead typically needs to prepare a work program for the audit. The work program defines the methodologies, detailed procedures, and test steps that will be adopted during the audit exercise. You can access the initiated audit item in the Prepare Audit tile. Alternatively, you can configure the system to send an email notification to the actor (the audit lead in this business example), as shown in Figure 29; in this case I opened the applicable message (not shown) via transaction code SOST.


Figure 29
Notification to prepare a work program

Choose the link in the body of the mail. In the log-on screen (not shown) that displays, enter the user name and password and the system takes you directly to the Work Program tab of the audit as shown in Figure 30. The key activities in the audit preparation phase are the development and documentation of the audit work program by the audit lead aimed at achieving the audit engagement objectives. The audit lead sets up the structure (key scope and scope) of the work program, defines the detailed procedures for the audit, and submits it for the approval of the audit manager before commencing the audit.

(Note: The Key Scope and Scope fields are placeholders. They can be anything you need to help you manage the organization of the work program and they are configurable in customization. They are similar to a table of contents with headings and sub-headings.)


Figure 30
The initial screen for the preparation of a work program

It is possible to copy a work program from another audit using the copy option. When you copy a work program, the associated risks, controls, and procedures are also copied. You can also add new key scopes and scopes manually. Click the edit icon and in the screen that displays, enter values for the Key Scope and Scope fields as shown in Figure 31. Use the add (+) option to add additional entries.


Figure 31
Definition of key scope and scope values in the work program

Click the Save button and a screen showing a confirmation message that the work program has been created appears. It is possible to assign controls and risks to work packages by choosing a particular key scope/scope entry—for example, Financial Control Checks/Account Payable Transactions—and Figure 32 displays. This can only be done before the work program is approved.


Figure 32
The initial screen for the assignment of risk, controls, and procedures to the work program

To assign a risk to the work program, choose the add (+) icon in the Risks section. Figure 33 displays with only the risks pre-assigned to the audit where you have to select the particular risk to add to the scope. For a risk to be assigned to an audit, it must have been assigned to an auditable item.


Figure 33
Selected risk from the risks added to the audit

Click the OK button and you see a screen with a status message confirming the addition of the risk (Figure 34).


Figure 34
A status message confirming the assignment of risk to the scope

To add a control to the scope, click the add (+) icon in the Controls section and Figure 35 displays with only the controls that have been assigned to one of the risks under the corresponding audit. You choose the controls that you want to assign to the scope for that audit.


Figure 35
Selection of controls to add to the scope

Click the OK button and you see a status message confirming the addition of controls to the scope.

Audit procedures are developed and carried out by auditors to gain assurance about the success (or failure) of an audit based on comprehensive evidence gathered during the audit. SAP Audit Management supports different audit procedures including test procedure, questionnaire, and automatic detection tasks. Detection tasks represent an integration capability with SAP Fraud Management because they can be assigned and scheduled to run automatically to pick out abnormalities in business data. The test procedure allows you to define the controls to be tested while creating comprehensive test steps to evaluate compliance (or otherwise) with defined controls. The questionnaire allows you to prepare a list of questions with predefined answers to select from, with the option to provide a comment. Choose the add (+) button in the Procedures section and Figure 36 displays with the possible audit procedures. (In the screenprint the procedure options appear under the Controls section only because of the browser size; they do not fit into the Procedures section.)


Figure 36
The supported types of audit procedures

In this article, I only explain the assignment of the test procedure to a scope. Choose the Test option and in the screen that displays, enter values for the title, description, planned start/end date, and responsible person fields as shown in Figure 37. Note that the test procedure has the name Check Payment Terms.


Figure 37
Attribute definition for a test procedure

Click the OK button and Figure 38 displays with the added procedure in the Procedures section of the scope.


Figure 38
A status message showing the addition of a procedure to a scope

To maintain the control and test steps for the scope, navigate to the details page by choosing the procedure and Figure 39 displays.


Figure 39
The details page of a procedure

Choose the add (+) button in the Controls section to assign the controls that you want to test to the procedure. Figure 40 displays with only the controls that are associated with the work package scope where you can select the controls to add to the procedure.


Figure 40
Selected controls to assign to the procedure

Click the OK button. Figure 41 displays.


Figure 41
Controls assigned to a procedure

You can add test steps to the procedure by choosing the add (+) icon in the steps section and then clicking the Add Step button.

Observe that there is an additional option to copy test steps to the procedure if a control that has a test plan is imported from SAP Process Control. Click the Add Step button and in the screen that displays, enter values for the title and description as shown in Figure 42.


Figure 42
Definition of title and description for test steps

Click the OK button and you see a screen confirming that the step was added to the procedure.

For the purposes of this article, I will add another test step to the procedure (screenprints not shown) and also add another procedure for the accounts receivable transactions scope. Click the back icon when finished. In the scope details screen (not shown) that displays, click the back icon again to get to the Work Package tab (Figure 43).

(Note: Procedures can only be maintained [added, edited, and deleted] before the work program is approved.)


Figure 43
The Work Program tab showing the assignment of procedures to the scope

Choose Submit and in the screen that displays, enter a comment in the optional notes dialog box (not shown) that displays. Click the OK button to confirm the submission and the window closes.

Review and Approval of Work Program

After the audit lead has submitted the work program, the audit manager receives the work program, reviews it, and decides whether to approve or reject it. As the audit manager, log on to the SAP Audit Management home screen and choose the Approve Audit Preparation tile. Figure 44 displays with the list of work programs submitted and waiting for your approval.


Figure 44
Submitted work program waiting for an approval decision

Choose a work program for which you want to make a decision and Figure 45 displays.


Figure 45
The approval decision screen for the work program

You can choose to approve or reject the work program. If you approve the work program, the audit status changes from Work Program Submitted to In Execution and the audit lead or auditors can start the audit work. If you reject the work program, the audit goes back to the audit lead who prepared the work program. The audit lead finds the rejected audit in the Prepare Audits tile, revises the work program, and resubmits it until an approval decision is made. For the purpose of this article, I click the Approve option and in the optional notes screen (not shown) that displays, enter a note. Click the OK button, and you see a screen confirming the approval.

Be sure to read the second article in this two-part series:

"Better Manage Enterprise Risk and Streamline Audit Lifecycle Management with SAP Audit Management (Part 2)"

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
