
SAP Access Controls: An Audit Introduction

By Aidan Parisian

11/04/2022


In the first part of this series we introduced why access control in SAP is important and how to communicate that importance to stakeholders (or roadblocks) in your organization. The second key piece is being able to hold those important conversations with the right level of technical understanding of access controls.


LET’S DEFINE A CONTROL

The formal definition of a control is as follows: an internal control is a process, or set of processes, put in place to ensure the achievement of an organization’s goals or objectives. Controls are really just the parts of your business process that provide checks and roadblocks to stop inaccurate or fraudulent transactions from being processed, whether the cause is an honest mistake or deliberate fraud.

Let’s look at a simple business process to understand where the controls typically take place and how they are designed. We can start by considering the process of creating a manual journal entry. Management has decided that if you are going to record a financial transaction of this kind, you need certain qualifications, and having them is what leads to you being provisioned with access to request this journal entry. Further, if the journal entry is below $500, then because you had those qualifications there should be no need for a review process delaying the business from accomplishing an important task. However, if you are recording an entry for $1000 it needs to be reviewed by the finance manager, and if the transaction is for $100,000 it needs to be reviewed by the Controller of the company. Finally, those entries under $500 with no review should be accumulated into a report that is reviewed quarterly for impact on the financial records, to ensure they do not combine to a large sum.

Where is the internal control in that process? Yes, it’s a trick question. There are many internal controls in that process, including the back-end detective review, the workflows with their different thresholds, and even the provisioning process and the assessment of an individual’s skill. Finally, management deciding upon what those thresholds are in the first place is itself a control. But what I would like you to take away is that the entire process, with its at least 5 controls, would not be reliable if access had not been set up properly in the first place for the JE processor, their manager, and even the Controller. This is what we call an IT General Control.

ACCESS CONTROLS IN YOUR FINANCIAL SYSTEM

Let’s first discuss the basics of access controls in a financial system – this will prepare you for more technical discussion points later.

PREVENTATIVE V. DETECTIVE

In general, controls fall into one of two categories: preventative or detective. Preventative controls stop things from happening, whereas detective controls detect things that have already happened. The requirements of Sarbanes-Oxley and most audit regulations concern themselves only with the accuracy of the financial statements, not with the most effective and efficient way of managing a business. Clearly, preventing fraud or financial misstatement from happening is better than finding it after it has already occurred.

IT GENERAL CONTROLS

IT General Controls are foundational controls that do not directly impact transactions and financial statements, but indirectly make it possible to rely on all the automated processes and controls built into an SAP environment. General controls are typically made up of security and access controls, change management, and operational controls. Without properly set up general controls, it would not be possible to rely upon the preventative or detective direct internal controls over financial reporting. It is like building a mansion on top of a crumbling foundation: the walls and roof will not be standing for long.

TYPES OF ACCESS CONTROL

Let’s talk specifically about the different types of access controls you might see in the wild:

Preventative

  1. Configuration: system settings, code, or scripting that enforces a control
    1. Password settings – configuration of password requirements
    2. Workflow – scripting or configuration of approval paths within the system, such as routing of journal entries for approval
  2. Transactional: controls that operate on a transactional basis
    1. Access Grant Approval – approval of access requests
    2. Access Termination – timely removal of access when no longer required

Detective

  1. Periodic Reviews: manual review of access setups to identify errors
    1. User Access Review – review of users and their assigned role/responsibility/group
    2. Role/Responsibility/Group Review – review of a role or responsibility to see what it comprises
    3. Critical Access Review – review of users with elevated access, i.e. access that allows the user to change how the system operates
    4. Segregation-of-Duties Review – review of users for combinations of access prohibited by company policy, e.g. create a supplier, pay a supplier, approve a payment
    5. Security Configuration Review – review of the system configurations that support access, such as password policies, workflow, etc.
  2. Automated Monitoring: systematic monitoring of access to identify errors – this often mimics the manual reviews mentioned above but is more immediate and reduces the period of exposure due to access errors or breaches
    1. Firewall/Intrusion Monitoring
    2. Access and SOD Monitoring
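
The Segregation-of-Duties and Critical Access reviews above can be scripted against an extract of user-to-role assignments, which is also what automated access and SOD monitoring does on a continuous basis. The following Python is an added example, not code from the original article: the role names, the role-to-function mapping and the user assignments are all constructed, the SoD rules are the create supplier / pay supplier / approve payment combination from the list, and the critical-access check also flags an IT user who holds business functions.

```python
# Constructed sample data, not from a real SAP system. Function(s) each role
# grants; in practice derived from the role's transaction codes/auth objects.
ROLE_FUNCTIONS = {
    "Z_AP_VENDOR_MAINT": {"create_supplier"},
    "Z_AP_PAYMENT_RUN": {"pay_supplier"},
    "Z_AP_PAYMENT_APPROVER": {"approve_payment"},
    "Z_FI_DISPLAY": {"display_ledger"},
    "Z_BASIS_ADMIN": {"maintain_users", "change_system_config"},
}
# Company policy as data: function pairs one person must not hold together
# (SoD), and functions that count as critical access (IT, not business).
SOD_RULES = [
    ("create_supplier", "pay_supplier"),
    ("pay_supplier", "approve_payment"),
    ("create_supplier", "approve_payment"),
]
CRITICAL_FUNCTIONS = {"maintain_users", "change_system_config"}
# Constructed user-to-role extract, as a User Access Review would pull it.
USER_ROLES = {
    "jdoe": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"],
    "asmith": ["Z_AP_PAYMENT_APPROVER", "Z_FI_DISPLAY"],
    "itadmin": ["Z_BASIS_ADMIN", "Z_AP_PAYMENT_APPROVER"],
    "viewer": ["Z_FI_DISPLAY"],
}

def review_user(roles):
    """Findings for one user's roles: SoD rules whose both sides are held
    (with the roles granting each side), critical functions held, the
    IT-user-with-business-access policy breach, and roles not in the map."""
    granted = {}  # function -> roles that grant it
    unmapped = [r for r in roles if r not in ROLE_FUNCTIONS]
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, ()):
            granted.setdefault(fn, []).append(role)
    held = set(granted)
    sod = [{"rule": (a, b), "via": granted[a] + granted[b]}
           for a, b in SOD_RULES if a in held and b in held]
    critical = sorted(held & CRITICAL_FUNCTIONS)
    return {"sod": sod, "critical": critical,
            "it_with_business": bool(critical) and bool(held - CRITICAL_FUNCTIONS),
            "unmapped_roles": unmapped}

def run_review(user_roles=USER_ROLES):
    """Review every user; keep only those with at least one finding."""
    report = {}
    for user, roles in user_roles.items():
        f = review_user(roles)
        if f["sod"] or f["critical"] or f["unmapped_roles"]:
            report[user] = f
    return report
```

An unmapped role is reported as its own finding rather than silently ignored, since a role the ruleset cannot explain is exactly what a periodic review is meant to catch.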
       

LET’S GET STARTED!

All control environments begin with policies – guiding principles that define the rules of play. The tone at the top is critical: any management team must clearly communicate the importance of the internal controls. For example, a policy might be that IT users don’t have access to perform business transactions. The related procedure or control would be – when approving access, IT users should not be granted access to any business functions. It is that simple … in theory. My overarching recommendation would be to leverage your Internal Audit function, or if none exists, to talk to the auditors who come on-site. If you have neither internal nor external auditors, then reach out to a local public accounting firm to ask for some help!

The next article in this series will discuss the basics of SAP’s security model and how you can apply the concepts from this article to your environment. Get SAP Under Control!