SAP GRC- Governance, Risk and Compliance and Secrets of an External Auditor.
Have you ever imagined learning what an external auditor does in his daily life? If the external auditors had to mention the secrets of their trade the company would not be spending a lot of money on them working day and night trying to evaluate your ICOFR- Internal Control over financial reporting and start marking you down with deficiencies, significant deficiencies and good lord !! those Material weaknesses ….Needless to say these are the secrets of auditing which can make our life easy with those auditors!! Hence, I decided to share my knowledge about these controls for SOX -Sarbanes Oxley evaluation. Before we get into the controls here are some of the terminologies used in the secret world of Auditing. TOD- Test of design, TOE- Test of Operative effectiveness, PCAOB- Public Company Accounting Oversight Board.
Here goes the story…SEC (Securities exchange Commission) set up a board called PCAOB sometime in 2004 to oversee the auditors of public companies in order to protect their interests of investors. The external auditors follow the rules or auditing standards set by this board. Here are the auditing standards defined by PCAOB. http://www.pcaob.com/Standards/index.aspx. The general documentation every external auditor on this planet uses something called ITGC – IT general controls. The ITGC has four sections where the controls are defined and evaluated. This is a template used by these auditors to evaluate the company’s processes after mapping them from the ICOFR-Internal Control over Financial Reporting. The four sections are Access to programs and Data, Program Changes, Program Development and Computer Operations. TOD or test of design is used to document the control objectives, Control numbers and their description. Ever since SAP bought VIRSA the world has changed in terms of those auditors having to spend less time with their clients and unfortunately suck little blood and money from their clients J. SAP Solutions for Governance, Risk, and Compliance: GRC Access Control (comprising applications formerly known as Virsa Compliance Calibrator, Virsa Firefighter, Virsa Access Enforcer and Virsa Risk Terminator) Virsa Compliance Callibrator is a fantastic tool to solve the SOD conflicts and streamline a steady definition of the roles and authorization. This tool will satisfy the section I.E section of the ITGC and there is no chance they can mark you down with any kind of deficiencies. The Virsa Access Enforcer is another tool which will satisfy the I.C controls. The I.B controls can be satisfied by using another tool called Virsa Firefighter which handles exceptional access requests. The Virsa Role Expert is another web based tool. Auditors love to snap your monitors with their highly traditional early Stone Age practice tool called (Alt+Prt Sc) and of course cut all the trees on this planet by printing reams of paper. So get ready to snap your own monitors and make your printer auditor friendly. The I.A controls involve the following solutions: maintain a policy document that provides security related guidance for your SAP system landscape. Make sure every user has his own unique ID and no system accounts exist. Make sure the user access to the SAP system is done with the use of profiles defined. Auditors use a system generated report (No excel sheets involved) to assess the periodic review of user access which will satisfy the I.D controls. So generating reports to satisfy their strict controls can only help you from seeing a deficiency in their Test of Operative Effectiveness.
(More to come in SAP GRC- Governance, Risk and Compliance and Secrets of an External Auditor Part –II)
Posts
