Better Manage Enterprise Risk and Streamline Audit Lifecycle Management with SAP Audit Management (Part 2)

by Kehinde Eseyin, Security Architect

October 27, 2016

See how SAP Audit Management can help improve the audit execution and follow-up activities while enforcing process control and risk management.


Using fictitious data, I portray a business example to show how you can use the SAP Audit Management system to capture and streamline audit functions in an organization. The example captures a typical audit lifecycle based on SAP Audit Management 1.2:

  • Execution of the audit
  • Preparation and submission of a draft audit report
  • Review and approval of a draft audit report
  • Preparation and submission of a final audit report
  • Review and approval of the final audit report
  • Issuance of the audit report
  • Tracking of action and findings
  • Closing the audit

In part 1, I discussed how SAP Audit Management can be used for the following activities:

  • Creation of an auditable item
  • Creation of an audit
  • Creation/maintenance and release of an audit plan
  • Initiation of an audit
  • Preparation and submission of a work program
  • Review and approval of work program

The Business Example

I log on as a different actor at each stage of the walk-through of my business example. (By actor I mean a role such as auditor, audit lead, or chief audit executive.) The story line for the business example in this article is designed to address the following phases of the audit lifecycle:

  1. Audit execution
  2. Audit reporting
  3. Audit follow-up

Audit execution: The audit execution phase is where the audit proper takes place. It is aimed at gaining assurance that the controls in the business environment are operating effectively while gathering and documenting empirical evidence to substantiate audit findings. This can involve making recommendations and setting out an action plan for identified audit concerns.

In my business example, the auditor will:

  • Create a working paper
  • Create findings
  • Create an action

Audit reporting: In this phase, audit reports are created, reviewed, and communicated with the stakeholders, especially management.

In my business example, the audit lead will:

  • Submit the draft audit report
  • Submit the final audit report

In my business example, the audit manager will:

  • Approve the draft audit report
  • Approve the final audit report
  • Close the audit

In my business example, the chief audit executive will:

  • Issue an audit report

Audit follow-up: The follow-up phase allows auditors to establish management’s intent as it relates to identified findings and actions, while paying close attention to timelines defined for the deadline to address audit findings and implement an action plan.

In my business example, the audit lead will:

  • Track open actions
  • Track open findings

Execution of the Audit

The execution phase is when the auditor gets started with the proper auditing duties, which involve information gathering, interviewing auditees, documenting evidence and gathering findings, drawing conclusions, and offering recommendations. Log on to the SAP Audit Management system as the auditor and choose the My Ongoing Audits tile (Figure 1).


Figure 1
Approved work program ready for an audit

Choose an audit and Figure 2 displays with the status In Execution and additional tabs (such as Finding and Report) to capture findings and audit reports submission.


Figure 2
Basic information page about an audit with additional tabs

Choose the Work Program tab to carry out the activities detailed in the procedures under each scope (Figure 3). The procedure reads 0/1, which means that none of the one possible procedure has been completed for each of the scopes C-01-01 Account Payable Transactions and C-01-02 Account Receivable Transactions in my business example. When a work program is approved, the system generates a code for each structure node in this work program. This code, which is used for identification purposes, is appended to the corresponding node name. Reference codes for work program structure nodes are generated by appending a two-digit sequential number (C-01-01 and C-01-02 in my business example) to the code of the parent object (C-01 in my business example).


Figure 3
Work Program tab showing the procedures to be completed

In the Work Program tab, carry out the activities detailed in the procedure by choosing a particular procedure entry (C-01-01 Account Payable Transactions in my business example) and Figure 4 displays.


Figure 4
Scope details for a work program element

For the test procedures added to this scope, you can set the control effectiveness after testing and enter comments as desired. To do this, choose the procedure you want to work on and Figure 5 displays with the associated controls and steps.


Figure 5
Details of a procedure with associated steps

Choose the Set Control Effectiveness button and in the screen that displays, use the drop-down option to set a value for the Effectiveness field as shown in Figure 6. You can also add working papers and create findings directly here or assign a finding related to the procedure if it exists. For now, I will not add a working paper to the procedure. Choose the add (+) button to add a finding.


Figure 6
Set a value for control effectiveness

Findings represent the output from the auditing exercise that evaluates the audit evidence and compares it against the criteria used for the audit. Findings allow the auditor to capture any errors, irregularities, non-compliance, or adverse conditions identified during the audit process. As part of the finding definition, the auditor provides a recommendation for counteractive measures and an action plan to fix identified issues. To add findings to the procedure, click the Add button and in the screen that displays, enter values as shown in Figure 7.


Figure 7
Creation of a finding against a procedure

Click the Save button and you see a message confirming the creation of the finding. In the confirmation screen, click the Complete button, and in the dialog box screen that displays (not shown), click the OK button to confirm you want to complete the procedure. Figure 8 displays with the status changed to Completed.


Figure 8
Completed procedure in an audit scope

Follow the same instructions for the second procedure and click the back button afterwards. You should have a screen that looks like Figure 9 with the procedure completeness showing 1/1.


Figure 9
Completed procedure in the Work Program tab

Working papers are grouped and stored in different folders on the Working Paper tab of an audit. Click the Working Paper tab and navigate to the desired folder by clicking the appropriate folder name in the folder directory of the Work Program tab. That takes you to Figure 10.


Figure 10
Navigate through the folder structure in the Working Paper tab

Choose the add (+) icon and a dialog box (not shown) displays that allows you to select the working paper you want to attach to the audit. Click the OK button and you should have a screen similar to Figure 11. When you create a working paper under a node, the system generates a reference code (C-01-01-01 in my business example) for the working paper by appending a two-digit number (01 in my business example) after the work program code (C-01-01; Account Payable Transaction in my business example).


Figure 11
Status message confirming the creation of working paper

Click the Finding tab and Figure 12 displays with the finding created against the procedure previously. Board Relevant is the finding category and Review of Payment Terms is the finding.


Figure 12
Finding assigned to the procedure

You can choose the add (+) button to create a new finding. To associate an action plan against the finding, choose the finding to display the details page as shown in Figure 13.


Figure 13
Details page of a finding

Choose the add (+) icon under the Action Plan section and in the screen that displays, enter values as shown in Figure 14.


Figure 14
Creation of an action plan for a finding

Click the Save button and you see a confirmation message that the action was created.

Preparation and Submission of Draft Audit Report

When the auditor completes the audit exercise, the audit lead can review the activities and proceed to generate a draft audit report to be sent to the audit manager. The audit manager reviews the report and makes an approval decision (approve or reject). To submit the draft audit report, log on as the audit lead and choose the My Ongoing Audits tile (Figure 15).


Figure 15
Ongoing audits with status definition

Choose the audit entry for which you want to submit the draft report and in the screen that displays (not shown), navigate to the Report tab shown in Figure 16.


Figure 16
Report tab for an audit in the In Execution phase

An audit report can be assigned by uploading a local file or by generating it online using report templates. You can create audit reports for audits in any of the following statuses: In Execution, Draft Report Approved, Rework Draft Report, or Rework Final Report. The system allows you to upload the audit report as a local file by dragging and dropping the file or by choosing the add (+) icon to browse the audit report. Alternatively, you can automatically generate the audit report based on a template by choosing the Generate button. In the screen that displays, select a report category and a report rating, enter the executive summary, and select a report template as shown in Figure 17.

(Note: The drag-and-drop functionality does not work in the Internet Explorer browser.)


Figure 17
Generation of an audit report

Click the OK button and Figure 18 displays with the generated report in the Report tab.


Figure 18
Automatically generated report assigned to the audit

Click the Submit Draft Report button to go to Figure 19. Select the category, rating, and report and enter an optional comment.


Figure 19
Confirmation for the submission of draft audit report

Click the OK button and you receive a confirmation message that the draft report has been submitted.

Review and Approval of the Draft Audit Report

Once the audit lead submits the draft report, the audit manager can progress to making an approval decision (approve or reject) about the draft audit plan. If the draft report is approved, the audit lead can go ahead to prepare the final audit report and submit it for review and approval. If the draft report is rejected, the system sends back the audit report to the audit lead for further review and resubmission. To approve an audit report, navigate to the SAP Audit Management user interface as the audit manager and choose the Approve Audit Report tile. Figure 20 displays with the applicable audit entries.


Figure 20
Audits with status - draft report submitted waiting for approval decision

Choose the audit entry you want to work on and Figure 21 displays.


Figure 21
Report tab of the audit entry

Review the audit exercise documentation. You can download the audit report and then choose Approve or Reject. I choose Approve in this business example. In the dialog-box screen (not shown) that displays, enter an optional note. Click the OK button and you see a status message confirming the submission of the draft audit report.

Preparation and Submission of Final Audit Report

The audit lead can only submit a final audit report after the draft audit report has been approved. As the audit lead, log on to the SAP Audit Management user interface and choose the My Ongoing Audits tile and Figure 22 displays.


Figure 22
Audit entries relevant to the audit lead

Choose the audit entry you want to work on and in the screen that displays (not shown), navigate to the Report tab. Figure 23 displays.


Figure 23
Reports tab of an audit entry

An audit report can be associated with an audit by uploading a local file or by generating it online using report templates. The system allows you to upload an audit report as a local file by dragging and dropping the file or choosing the add (+) icon to browse the audit report. Alternatively, you can automatically generate the audit report based on a template by clicking the Generate button. In the screen that displays, select a report category and a report rating, enter the executive summary, and select a report template as shown in Figure 24.


Figure 24
Generation of final audit report

Click the OK button and Figure 25 displays with the generated audit report.


Figure 25
Generated final audit report

Click the Submit Final Report button and then select the category, rating, report, and optional comments as shown in Figure 26.


Figure 26
Confirmation screen for the submission of final audit report

Click the OK button and you see a status message confirming the submission of the final audit report.

Review and Approval of Final Audit Report

Once the audit lead submits the final audit report, the audit manager can make an approval decision (approve or reject). If the final report is approved, the chief audit executive can go ahead to issue the final audit report. If the final report is rejected, the system sends back the audit report to the audit lead for further review and resubmission. As the audit manager, log on to the SAP Audit Management user interface and navigate to the Approve Audit Reports tile. Figure 27 displays.


Figure 27
Audit entries waiting for approval

Choose the audit entry you want to work on and Figure 28 displays.


Figure 28
Audit entry showing the draft report approval and final report approval information

Click the Approve button and in the screen that displays (not shown), enter optional notes. Click the OK button and you see a status message confirming the approval of the final report.

Issuance of the Audit Report

Following the approval of the final audit report, the chief audit executive issues the final report to the appropriate stakeholders to keep them abreast of the outcome of the audit exercise as it relates to the audit objectives and scope, including conclusions, recommendations, and action plans. To issue the audit report as the chief audit executive, log on to the SAP Audit Management user interface (UI) and navigate to the Issue Audit Reports tile. Figure 29 displays.


Figure 29
Audit entries ready for issue

Choose the audit entry you want to work on, navigate to the Reports tab, and Figure 30 displays.


Figure 30
Reports tab of audit entry with status – Final Report Approved

Click the Issue Audit Report button and in the screen that displays (not shown), enter an optional note, and click the OK button. A status message confirms that the audit report is issued.

Issuing the audit report changes the status of the audit to Audit Report Issued and the audit can now be closed. For the purposes of this article, I do not close the audit at this point.

Tracking of Action and Findings

During and after the audit, the auditor needs to review the action plan at intervals. Actions and findings are closely integrated in the SAP Audit Management system and consequently have dependencies. For example, to close a finding, you must first complete all open actions under the finding. Furthermore, if you make a finding obsolete, actions under the finding with the status In Process are also set to obsolete. To perform follow-up activities on actions, access the SAP Audit Management UI and navigate to the tile Track Open Actions. Figure 31 displays. When the final audit report is approved, the status of all action plans automatically changes from Draft to Open, as you can see for the action plan associated with the action in my business example.


Figure 31
Actions associated with an audit

Choose the action you want to process. Figure 32 displays showing the details of the action including the log of the change in status by the audit manager who approved the final audit report.


Figure 32
Details of an action showing the log of the status change

Actions that have the Open status can be set to In Process by auditors or by the responsible persons by choosing the Set In Process button. In the screen that displays (not shown), enter optional notes. Click the OK button and a status message confirms the change in status of the action to In Process.

For actions that are in process, the responsible person typically communicates with the auditor via email about updates to the action. Based on the feedback, the auditor can set the action to any of the following statuses: Reasonably Controlled, Follow-Up Required, or Complete. For the purpose of this article, I set the action to Complete by clicking the Complete button in Figure 33, which is accessible by selecting an audit entry in the Track Open Actions tile.


Figure 33
Set the status of an action to Complete

In the dialog-box screen that displays (not shown), enter optional notes. Click the OK button and you receive a confirmation message that the status is set to Complete.

As part of the follow-up activities, you need to monitor open findings by evaluating management’s response to recommendations, countermeasures, and action plans relevant to the audit. You can open a finding by logging on to the SAP Audit Management user interface and choosing the Track Open Findings tile to go to Figure 34.


Figure 34
Library of open findings

Click the finding you want to work on and Figure 35 displays.


Figure 35
Details of the finding relevant to an audit item

Open findings can be set to obsolete or closed depending on the feedback from the management response. You choose to close the finding when the actions in the finding have been taken, or when management decides to accept the risks of not performing the recommended actions. Furthermore, you can set the status of a finding to obsolete in the event that the finding and the actions are no longer relevant. For the purposes of this article, I close this finding by clicking the Close button. In the dialog-box screen that displays, enter an optional note and click the OK button. A status message confirms the closed status of the audit.
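
The finding and action dependencies described in this section can be written down as a small state model, which is useful when checking an exported follow-up list for findings that were closed too early. This is an added example, not SAP code: the status names come from the article, while the classes, methods, sample data, and the choice of which action statuses block closure are assumptions. It models only the action-dependency rule, not closure by management risk acceptance.

```python
from dataclasses import dataclass, field

# Assumption: an action in any of these statuses blocks closing its finding.
UNRESOLVED = {"Open", "In Process", "Follow-Up Required"}

class WorkflowError(Exception):
    """Raised when a status change breaks a rule described in the article."""

@dataclass
class Action:
    name: str
    status: str = "Draft"
    log: list = field(default_factory=list)

    def set_status(self, new, actor, allowed_from):
        if self.status not in allowed_from:
            raise WorkflowError(f"{self.name}: {self.status} -> {new} not allowed")
        self.log.append((actor, self.status, new))  # status-change log entry
        self.status = new

@dataclass
class Finding:
    title: str
    status: str = "Open"
    actions: list = field(default_factory=list)

    def on_final_report_approved(self, actor):
        # Approval of the final report moves Draft actions to Open.
        for a in self.actions:
            if a.status == "Draft":
                a.set_status("Open", actor, {"Draft"})

    def close(self):
        # A finding cannot be closed while actions under it are unresolved.
        blocking = [a.name for a in self.actions if a.status in UNRESOLVED]
        if blocking:
            raise WorkflowError(f"cannot close, unresolved actions: {blocking}")
        self.status = "Closed"

    def make_obsolete(self, actor):
        # Making a finding obsolete also sets its In Process actions to obsolete.
        for a in self.actions:
            if a.status == "In Process":
                a.set_status("Obsolete", actor, {"In Process"})
        self.status = "Obsolete"

def demo():
    # Constructed sample data: one finding with one action.
    f = Finding("Constructed finding", actions=[Action("A-1")])
    f.on_final_report_approved("audit manager")
    a = f.actions[0]
    a.set_status("In Process", "auditor", {"Open"})
    try:
        f.close()
        blocked = False
    except WorkflowError:
        blocked = True  # early close is rejected
    a.set_status("Complete", "auditor", {"In Process"})
    f.close()
    return blocked, f.status, a.log
```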

Closing the Audit

Following the issue of the final audit report, the chief audit executive or audit manager can close the audit. When you close the audit, findings and actions associated with the audit can still be tracked and managed. To close an audit, log on to the SAP Audit Management system as the audit manager and click the Track Ongoing Audits tile. Figure 36 displays.


Figure 36
Audit entries with different statuses

Choose an audit entry with the status Final Report Issued and Figure 37 displays.


Figure 37
Details of an audit with status – Final Report Issued

Click the Close button and in the dialog-box screen (not shown) that displays, enter an optional note. Click the OK button and a status message confirms the closure of the audit.

Be sure to read the first article in this two-part series:

"Better Manage Enterprise Risk and Streamline Audit Lifecycle Management with SAP Audit Management (Part 1)"

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.


