About the Speakers
Phil Lim has over seven years of experience working with compliance and audit groups. Phil has significant international experience; he was a key ACL consultant in Siemens' extensive continuous controls monitoring project, combining and analyzing purchase-to-payment data from over 1000 globally decentralized corporate entities daily, aimed at detecting potential FCPA violations.
Steve Biskie, co-founder and Managing Director of High Water Advisors, has over two
decades of experience optimizing GRC and audit performance through the use of
technology.
In addition to being a leader in the data analysis space, he is also an expert in audit and
compliance issues related to the SAP ERP system. He has authored dozens of articles,
was an expert reviewer for the book Security, Audit, and Control Features: SAP ERP
(3rd Edition), and in 2011 authored his own book through SAP Press titled Surviving an
SAP Audit.
He is a CPA, CITP, CISA, CGMA, and a two-time IIA All-Star Speaker.
Agenda
- Approaches to Data Access: discussion of tools and methodologies, pros and cons
- Dealing with SAP IT (Basis) Concerns: security, performance, and data volumes
- Common Risk Areas: finding your data, example tests, best practices on executing testing
Approaches to Data Access (discussion of tools and methodologies, pros and cons)
Data Access Approaches for SAP
- Self-serve
- IT supported
SAP Standard Reports
What is it?
Pros:
- Independence from IT (self-serve)
- No additional effort to set up
SAP Data Browser
What is it?
Pros:
- Independence from IT (self-serve)
- Access nearly any data in the system
Cons:
SAP Query / Custom ABAP
What is it?
- Use of built-in SAP Query tools (SQ01, SQVI)
- SAP IT teams (both infrastructure and functional teams) help implement custom ABAP queries for audit purposes
Pros:
SAP BI
What is it?
- Using SAP BI's toolset (e.g. SAP BusinessObjects) to query
Pros:
- Integrated solution
- Intended for end-user access
- Ability to access non-SAP data (if in BI warehouse)
Cons:
- Not designed for audit
- BI/BW data often cleansed as part of ETL process
- Typically aggregated / summarized data; audit and compliance processes often require analysis of detailed transactions
- Reconciliation to source system can be challenging
SAP GRC (Access Control / Process Control) - consider FM
What is it?
Pros:
- Integrated solution
ACL Direct Link for SAP
What is it?
Pros:
- Independence from IT (self-serve)
- Audit trail
Dealing with SAP IT (Basis) Concerns (security, performance, and data volumes)
SAP IT Teams
- Infrastructure
- Functional: commonly referred to as Business Analysts / ABAP developers
Infrastructure Concerns
Whatever tool/methodology you use to access your SAP data:
Security
- Who will have access, and how?
- How will we prevent unauthorized access?
- What user permissions do you need?
- How do you protect data that has been extracted?
Production Impact
- How will we prevent untested queries from running in Production?
- What is the impact on our system?
Data Volumes
- How much space is going to be used?
- Network?
- CPU?
Addressing Security Concerns
- ACL Direct Link is SAP Certified
- Existing IT policies regarding use of extract tools can also be applied to ACL Direct Link
Addressing Production Impact Concerns
- Can set up your query development process to prevent untested code from running in Production
- ACL Direct Link translates to native ABAP code (mostly straight table reads), comparable to equivalent SAP tools (e.g. SE16)
- Runs in background mode
- Can test performance in a QA environment prior to deploying to production
Addressing Data Volume Concerns
- limit)
- An auditor can schedule Direct Link queries to run in background and at off-peak times to minimize production impact
- ACL Direct Link is used by large US Federal Government entities with billions of records
- You will need space to store queries
Common Risk Areas (finding your data, example tests, best practices on executing testing)
Target Areas in SAP ERP
- P2P: Purchase to Payment (MM Module)
- GL/R2R: General Ledger, Record to Report (FI Module)
- O2C: Order to Cash (SD Module)
Target Areas in SAP ERP: P2P
Risk: Vendors without previous relationships with the organization present a higher risk for exposure to compliance violations.
Test Description: Identify invoices to vendors created in the investigation period greater than X cumulative spend.
Tables used: LFA1, BSAK
Target Areas in SAP ERP: P2P
Risk: Circumvention of purchasing controls can result in unauthorized transactions and/or fraud.
Test Description: In the investigation period, identify invoices with an invoice document date before the Purchase Order creation date.
Tables used: EKBE, EKPO
Target Areas in SAP ERP: P2P
Risk: Payments to one-time vendors are typically subject to fewer purchasing controls.
Test Description:
- In the investigation period, identify One Time Vendors with more than X spend or more than Y transactions.
- In the investigation period, identify a sample of one-time vendor transactions for review.
Tables used: BSEC, LFA1
Target Areas in SAP ERP: P2P
Risk: Payments made outside of the purchasing workflow may have fewer controls.
Test Description:
- In the investigation period, identify vendors with a total non-PO spend greater than a threshold X. Exclude vendors by type such as taxes.
- In the investigation period, identify any non-PO invoices that were created by unauthorized individuals.
- In the investigation period, identify a sample of non-PO invoices for further review.
Tables used: EKBE, BSIK, BSAK
Target Areas in SAP ERP: P2P
Risk: Segregation of duties is somehow not maintained between the receiver of goods/services and the person who created or modified the invoice.
Test Description: In the investigation period, identify transactions where the receiver was the same person that created or modified the invoice.
Tables used: EKBE, BSIK, BSAK
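Two of the P2P tests above (the invoice document date before the Purchase Order creation date, and the receiver of goods being the same person who entered the invoice) as an added worked example. This is not code from the deck, from ACL or from SAP: it runs each test as a SQL query over an in-memory SQLite database. The EKPO and EKBE tables here are constructed, simplified stand-ins for the real SAP layouts (column names such as po_created, event_type and entered_by are illustrative, not SAP field names), the rows are constructed sample data, and the investigation period is passed in as two assumed ISO-8601 date parameters.

```python
import sqlite3

# Constructed, simplified stand-ins for the SAP tables the tests name:
# EKPO (purchase order items) and EKBE (purchase order history).
# Column names are illustrative, not the real SAP field names.
EKPO_ROWS = [
    # (po_number, po_item, po_created)
    ("4500000001", "00010", "2023-03-01"),
    ("4500000002", "00010", "2023-03-10"),
    ("4500000003", "00010", "2023-04-02"),
]
EKBE_ROWS = [
    # (po_number, po_item, event_type, doc_number, doc_date, entered_by)
    # event_type: "GR" = goods receipt, "IR" = invoice receipt
    ("4500000001", "00010", "GR", "5000000001", "2023-03-05", "jsmith"),
    ("4500000001", "00010", "IR", "5100000001", "2023-03-08", "apatel"),  # clean
    ("4500000002", "00010", "GR", "5000000002", "2023-03-12", "jsmith"),
    ("4500000002", "00010", "IR", "5100000002", "2023-03-04", "apatel"),  # invoice dated before PO
    ("4500000003", "00010", "GR", "5000000003", "2023-04-05", "mlee"),
    ("4500000003", "00010", "IR", "5100000003", "2023-04-06", "mlee"),    # receiver also entered invoice
]


def build_db() -> sqlite3.Connection:
    """Load the constructed sample rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EKPO (po_number TEXT, po_item TEXT, po_created TEXT)")
    conn.execute(
        "CREATE TABLE EKBE (po_number TEXT, po_item TEXT, event_type TEXT, "
        "doc_number TEXT, doc_date TEXT, entered_by TEXT)"
    )
    conn.executemany("INSERT INTO EKPO VALUES (?, ?, ?)", EKPO_ROWS)
    conn.executemany("INSERT INTO EKBE VALUES (?, ?, ?, ?, ?, ?)", EKBE_ROWS)
    return conn


def invoices_before_po(conn, period_start, period_end):
    """Invoice receipts in the investigation period whose document date precedes
    the creation date of the purchase order they reference."""
    # ISO-8601 date strings sort correctly as text, so BETWEEN and < need no casts.
    sql = """
        SELECT ir.doc_number, ir.po_number, ir.doc_date, po.po_created
        FROM EKBE ir
        JOIN EKPO po ON po.po_number = ir.po_number AND po.po_item = ir.po_item
        WHERE ir.event_type = 'IR'
          AND ir.doc_date BETWEEN ? AND ?
          AND ir.doc_date < po.po_created
        ORDER BY ir.doc_number
    """
    return conn.execute(sql, (period_start, period_end)).fetchall()


def receiver_entered_invoice(conn, period_start, period_end):
    """Segregation-of-duties test: invoice receipts entered by the same user who
    recorded the goods receipt for the same PO item."""
    sql = """
        SELECT DISTINCT ir.doc_number, ir.po_number, ir.entered_by
        FROM EKBE ir
        JOIN EKBE gr ON gr.po_number = ir.po_number AND gr.po_item = ir.po_item
                    AND gr.event_type = 'GR'
        WHERE ir.event_type = 'IR'
          AND ir.doc_date BETWEEN ? AND ?
          AND ir.entered_by = gr.entered_by
        ORDER BY ir.doc_number
    """
    return conn.execute(sql, (period_start, period_end)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in invoices_before_po(db, "2023-01-01", "2023-12-31"):
        print("invoice dated before PO:", row)
    for row in receiver_entered_invoice(db, "2023-01-01", "2023-12-31"):
        print("SoD conflict (receiver entered invoice):", row)
```

Both queries take the investigation period as parameters rather than hard-coding it, and the self-join in the SoD test uses DISTINCT so that a PO item with several goods receipts by the same user is reported once per invoice.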
Target Areas in SAP ERP: P2P
Risk: Segregation of duties is somehow not maintained between the creator/modifier of vendor information and the person who invoices the vendor.
Test Description: In the investigation period, identify invoices created or modified by the same individual as the vendor creator/modifier.
Target Areas in SAP ERP: P2P
Risk: Payments made that do not follow standard payment terms may represent a significant opportunity cost of capital.
Test Description: In the investigation period, identify invoices with an opportunity cost of early payment greater than X, based off of a cost of capital and standard payment terms days.
Tables used: BSIK, BSAK, REGUH, PAYR
Target Areas in SAP ERP: GL/R2R
Risk: Unusual manual postings to accounts may be an indication of fraud or financial misstatement.
Test Description: In the investigation period, identify manual journal entries posted to accounts with infrequent activity. Accounts with infrequent activity are defined by an externally provided list.
Tables used: BSIS, BSAS, SKA1, SKAT
Target Areas in SAP ERP: GL/R2R
Risk: Inadequate documentation of manual journal entries may represent a compliance risk.
Test Description: In the investigation period, identify manual journal entries with descriptions shorter than X characters.
Tables used: BSIS, BSAS, SKA1, SKAT
Target Areas in SAP ERP: GL/R2R
Risk: Infrequently used transaction codes may represent a circumvention of controls.
Test Description: In the investigation period, identify journal entries with an SAP transaction code that is infrequently used.
Tables used: BSIS, BSAS, SKA1, SKAT
Target Areas in SAP ERP: GL/R2R
Risk: Transactions containing suspicious keywords may represent a compliance-related risk (e.g. FCPA, Sunshine Act, Dodd Frank Conflict Minerals, etc.).
Test Description: In the investigation period, identify journal entry or account descriptions containing a suspicious keyword.
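The three GL/R2R tests above that work on the journal lines themselves (descriptions shorter than X characters, infrequently used transaction codes, and suspicious keywords in journal entry or account descriptions) as one added worked example. This is not code from the deck, from ACL or from SAP: it runs each test as SQL over an in-memory SQLite database. The BSIS and SKAT tables are constructed, simplified stand-ins for the real SAP layouts (column names such as tcode, description and account_text are illustrative), the rows and the keyword list are constructed sample data, and the thresholds X (minimum description length) and the "infrequent" cut-off (maximum number of uses in the period) are assumed parameters.

```python
import sqlite3

# Constructed, simplified stand-ins for the G/L tables the tests name:
# BSIS (G/L line items) and SKAT (G/L account texts). Column names are
# illustrative, not the real SAP field names.
BSIS_ROWS = [
    # (doc_number, account, tcode, description, posting_date)
    ("100000001", "400000", "FB01", "Office supplies March", "2023-03-02"),
    ("100000002", "400000", "FB01", "rent", "2023-03-03"),                        # short description
    ("100000003", "660000", "FB50", "Facilitation payment customs", "2023-03-04"),  # keyword in description
    ("100000004", "400000", "FB01", "Travel reimbursement", "2023-03-05"),
    ("100000005", "400000", "FBV0", "Utilities Q1 true-up", "2023-03-06"),        # tcode used only once
    ("100000006", "650000", "FB50", "Consulting fee", "2023-03-07"),              # keyword in account text
]
SKAT_ROWS = [
    # (account, account_text)
    ("400000", "Supplies expense"),
    ("650000", "Gifts and entertainment"),
    ("660000", "Miscellaneous expense"),
]


def build_gl_db() -> sqlite3.Connection:
    """Load the constructed sample rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BSIS (doc_number TEXT, account TEXT, tcode TEXT, "
                 "description TEXT, posting_date TEXT)")
    conn.execute("CREATE TABLE SKAT (account TEXT, account_text TEXT)")
    conn.executemany("INSERT INTO BSIS VALUES (?, ?, ?, ?, ?)", BSIS_ROWS)
    conn.executemany("INSERT INTO SKAT VALUES (?, ?)", SKAT_ROWS)
    return conn


def short_descriptions(conn, min_length, period_start, period_end):
    """Document numbers of entries in the period whose description is shorter than X characters."""
    sql = """
        SELECT doc_number FROM BSIS
        WHERE posting_date BETWEEN ? AND ?
          AND LENGTH(TRIM(description)) < ?
        ORDER BY doc_number
    """
    return [row[0] for row in conn.execute(sql, (period_start, period_end, min_length))]


def infrequent_tcodes(conn, max_uses, period_start, period_end):
    """Entries posted with a transaction code used at most max_uses times in the period.
    Returns (doc_number, tcode, uses) so the reviewer sees how rare the code was."""
    sql = """
        WITH tcode_usage AS (
            SELECT tcode, COUNT(*) AS uses FROM BSIS
            WHERE posting_date BETWEEN ? AND ?
            GROUP BY tcode
        )
        SELECT b.doc_number, b.tcode, u.uses
        FROM BSIS b JOIN tcode_usage u ON u.tcode = b.tcode
        WHERE b.posting_date BETWEEN ? AND ? AND u.uses <= ?
        ORDER BY b.doc_number
    """
    params = (period_start, period_end, period_start, period_end, max_uses)
    return conn.execute(sql, params).fetchall()


def keyword_hits(conn, keywords, period_start, period_end):
    """Entries whose own description, or whose account's text, contains a keyword
    (case-insensitive). Returns sorted (doc_number, source, keyword) tuples."""
    sql = """
        SELECT b.doc_number, 'description' AS source
        FROM BSIS b
        WHERE b.posting_date BETWEEN ? AND ?
          AND LOWER(b.description) LIKE '%' || ? || '%'
        UNION
        SELECT b.doc_number, 'account'
        FROM BSIS b JOIN SKAT s ON s.account = b.account
        WHERE b.posting_date BETWEEN ? AND ?
          AND LOWER(s.account_text) LIKE '%' || ? || '%'
    """
    hits = set()
    for keyword in keywords:
        kw = keyword.lower()
        for doc_number, source in conn.execute(sql, (period_start, period_end, kw,
                                                     period_start, period_end, kw)):
            hits.add((doc_number, source, kw))
    return sorted(hits)


if __name__ == "__main__":
    db = build_gl_db()
    print("short descriptions:", short_descriptions(db, 10, "2023-01-01", "2023-12-31"))
    print("infrequent tcodes:", infrequent_tcodes(db, 1, "2023-01-01", "2023-12-31"))
    print("keyword hits:", keyword_hits(db, ["gift", "facilitation"], "2023-01-01", "2023-12-31"))
```

The keyword test deliberately checks the account text as well as the line description, because a bland line description posted to an account such as "Gifts and entertainment" is still a hit under the test as the deck describes it; the rarity threshold for transaction codes is computed over the same investigation period as the entries it is applied to, so a code that is common outside the period but rare within it is still flagged.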
Target Areas in SAP ERP: O2C
Target Areas in SAP ERP: O2C
Risk:
- Data entry errors could result in sales prices below desired prices.
- Excessive discounts could be a sign of bribery, and require investigation.
Target Areas in SAP ERP: O2C
Risk: Inadequate review of customer credit limits can expose an organization to collection risk.
Test Description: In the investigation period, identify customers with credit limits that have not been reviewed in the past X days and/or with an unusually high credit limit.
Tables used: VBAK, VBAP, KNA1, KNKK
Finding Your Data
Tips for Finding your Data
(e.g. clearly vendor number and invoice number would be required for a duplicate invoice test)
Step #2: Use Entity Relational Diagrams
- ERDs help you visualize which tables you might need as well as other, related tables that might also be helpful
SAP P2P Entity Relational Diagram (figure; labels: MM, FI, Vendor Master, Invoice Postings/Payments)
Asking For Help (and other Resources)
- http://tinyurl.com/lk97byt
- SAP Functional (Business Analyst) Teams: assistance with identifying tables you might need, understanding related tables that might also be helpful, and providing insight into non-standard customizations that might impact analysis
Q&A
Phil Lim: phil_lim@acl.com
Steve Biskie: steve.biskie@highwateradvisors.com