Steve Biskie is the Best Practices Director for ACL Services Ltd, a worldwide provider of audit analytics software. He is also the founder of SAP Audit Solutions, a consultancy focused on helping companies manage the SAP audit process. He has been involved in the audit of SAP systems and implementation of GRC in SAP environments since 1993as an external auditor (with Deloitte), internal auditor, consultant, and project team member. He is a nationally-recognized expert on SAP audit and control, and speaks frequently on the subject at various conferences (GRC2008 and SAPPHIRE).

Learn to think like an auditor when implementing and maintaining SAP S/4HANA

... Preface ... 17

... Why This Book Is Important ... 17

... The Structure of This Book ... 20

... How to Use This Book ... 21

... Disclaimer ... 25

... International Issues ... 26

... Acknowledgments ... 27

... Parting Note to the Readers of This Book ... 28

1 ... Introduction for Auditors ... 29

1.1 ... How SAP S/4HANA Differs from Other ERP Systems ... 30

1.2 ... Terminology ... 35

1.3 ... Planning the Audit and System Assessment ... 42

1.4 ... Recent Updates to SAP Control-Related Functionality ... 46

1.5 ... Major Differences Between SAP S/4HANA and SAP ERP ... 48

1.6 ... Collecting and Documenting Evidence for Audit Workpapers ... 52

1.7 ... Useful Resources ... 55

1.8 ... Summary ... 56

2 ... Understanding Audits as a Non-Auditor ... 57

2.1 ... Audit Overview ... 58

2.2 ... Types of Auditors ... 60

2.3 ... Categories of Audit Objectives ... 65

2.4 ... Auditing Principles and Considerations ... 67

2.5 ... Understanding the Audit ... 72

2.6 ... Audit Reporting ... 83

2.7 ... Rules of Engagement ... 86

2.8 ... Common Problems and Solutions ... 88

2.9 ... Emerging Audit Technologies ... 95

2.10 ... Summary ... 98

3 ... The Typical SAP Audit ... 99

3.1 ... Timing for the Audit ... 99

3.2 ... The Building Blocks of an SAP S/4HANA Audit ... 102

3.3 ... SAP S/4HANA Internal Control Maturity Model ... 117

3.4 ... The Start of the Audit ... 120

3.5 ... Summary ... 126

4 ... SAP S/4HANA Implementations and Upgrades ... 127

4.1 ... What Is a Control-Conscious Implementation? ... 127

4.2 ... Reasons for Designing Internal Controls During an Implementation ... 131

4.3 ... Creating a Control-Conscious Integrated Implementation Team ... 139

4.4 ... Designing Effective Controls ... 150

4.5 ... Common SAP S/4HANA Audit-Related Implementation Issues ... 158

4.6 ... Control Considerations by Implementation Phase ... 162

4.7 ... Auditing the SAP S/4HANA Implementation or Upgrade ... 171

4.8 ... Summary ... 173

5 ... IT General Controls, Basis Settings, and Security ... 175

5.1 ... IT General Controls ... 175

5.2 ... Basis Settings and Transport Considerations ... 186

5.3 ... SAP User Security ... 208

5.4 ... SAP Fiori Security ... 220

5.5 ... SAP HANA Database and Platform Security ... 225

5.6 ... Special Considerations for SAP S/4HANA Cloud ... 229

5.7 ... Cybersecurity ... 242

5.8 ... Summary ... 243

6 ... Record-to-Report Cycle ... 245

6.1 ... Record-to-Report Cycle in SAP S/4HANA ... 246

6.2 ... Risks ... 248

6.3 ... Understanding the Enterprise Structure ... 250

6.4 ... Key Concepts ... 253

6.5 ... Master Data ... 255

6.6 ... Security Considerations ... 258

6.7 ... Understanding and Testing Common Controls ... 263

6.8 ... Additional Procedures and Considerations ... 291

6.9 ... Useful Audit-Relevant Report Highlights ... 292

6.10 ... Summary ... 296

7 ... Order-to-Cash Cycle ... 299

7.1 ... Order-to-Cash Cycle in SAP S/4HANA ... 300

7.2 ... Risks ... 302

7.3 ... Understanding the Enterprise Structure ... 304

7.4 ... Key Concepts ... 307

7.5 ... Master Data ... 307

7.6 ... Security Considerations ... 316

7.7 ... Understanding and Testing Common Controls ... 322

7.8 ... Additional Procedures and Considerations ... 344

7.9 ... Useful Audit-Relevant Report Highlights ... 348

7.10 ... Summary ... 353

8 ... Purchase-to-Pay Cycle ... 355

8.1 ... Purchase-to-Pay Cycle in SAP S/4HANA ... 356

8.2 ... Risks ... 357

8.3 ... Understanding the Enterprise Structure ... 360

8.4 ... Key Concepts ... 362

8.5 ... Master Data ... 363

8.6 ... Security Considerations ... 374

8.7 ... Understanding and Testing Common Controls ... 380

8.8 ... Additional Procedures and Considerations ... 401

8.9 ... Useful Audit-Relevant Report Highlights ... 404

8.10 ... Summary ... 409

9 ... Forecast-to-Stock Cycle ... 411

9.1 ... Forecast-to-Stock Cycle in SAP S/4HANA ... 412

9.2 ... Risks ... 413

9.3 ... Understanding the Enterprise Structure ... 416

9.4 ... Key Concepts ... 417

9.5 ... Master Data ... 421

9.6 ... Security Considerations ... 425

9.7 ... Understanding and Testing Common Controls ... 427

9.8 ... Useful Audit-Relevant Report Highlights ... 433

9.9 ... Summary ... 441

10 ... Audit Tips, Tricks, and Tools ... 443

10.1 ... The Audit Information System ... 443

10.2 ... Data Analysis Techniques for Uncovering Audit and Compliance Issues ... 448

10.3 ... SAP Governance, Risk, and Compliance Solutions ... 459

10.4 ... Continuous Auditing, Monitoring, and Risk Assessment ... 460

10.5 ... Robotic Process Automation ... 461

10.6 ... Summary ... 466

11 ... Final Audit Preparations ... 467

11.1 ... Overview ... 468

11.2 ... Pre-Planning ... 469

11.3 ... Documentation: Preparing an Audit Information Repository ... 471

11.4 ... Systems: Preparing for the Auditor ... 487

11.5 ... Employees: Preparing Your Team ... 490

11.6 ... Summary ... 492

... The Author ... 493

... Index ... 495