Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
1
BACKGROUND OF SAP IMPLEMENTATION
July: Embarked on replacement of
antiquated information systems with SAP
enterprise software
Year-round: testing Human Resources and Payroll SAP modules.
October: Release 3, SAP Procurement and
Supply Chain began
January: Go Live for HR and Payroll
Mid-year: Release 3 postponed until SAP
system was stabilized
January: initiated Legacy Replacement Project (LRP) which
would complete the SAP implementation and
decommission the IFS system.
2
2005 2006 2007 2012
WHAT WERE OUR AUDIT OBJECTIVES?
We wanted to:
(1) Assess whether there were adequate controls
built in to the SAP configuration, and
(2) Recommend any value-added controls to
mitigate key risks to the Los Angeles Unified
School District.
3
Project Preparation
Blueprint
Realization
Final Preparation
Go Live Support
Run SAP
PHASE 2 – BUSINESS BLUEPRINT
4
LRP PROJECT PHASES
Project Preparation
•One month: January 2012
Blueprint
•From February through June 2012
•OIG started the audit in March
Realization •From June 2012 through May 2013
Final Preparation
•One month: June 2013
Go Live Support
•Starting in July 2013
•4 different rollouts through July 2014
Run SAP •IFS is fully decommissioned in December 2014
5
HOW DID WE DO THIS AUDIT?
List of all processes within scope of LRP implementation
Identified critical processes
Inform LRP Team
“To-Be” processes and design for the selected sub-processes
Assessment of Controls within To-Be documents
Key Risks Identified
Discussion with LRP Team
Review documents
Identified Additional Controls
Reviewed and validated risks and controls with LRP Team
6
NEXT STEP: WE IDENTIFIED CRITICAL
PROCESSES One business process by itself is a LARGE amount of analysis.
We selected the following business processes and sub-processes to focus on:
Procure to
Pay Acquire to
Retire
(aka Fixed
Assets)
Plan to
Report
Manage
Master
Data Process
Transactions Manage
Master
Data
Process
Transactions
Process
Transactions
7
NEXT STEP: SUMMARIZE RISKS
Identified 29 Risks for 5 sub-processes and 3 business processes
Examples of Risks
For the Procure to Pay business process
Manage Master Data
Duplicate vendor records may exist
Process Transactions
An incorrect purchase order amount could be paid resulting in potential
overpayments to vendors
For the Acquire to Retire business process
Process Transactions
Unapproved or incorrect changes are made to assets
8
WORKSHOPS WITH LRP TEAM
LRP
Team
Members
OIG Audit
Team
Project
Leads
Phoenix
Consultants
Chief ERP Director
9
NEXT STEP: PROVIDE SAP CONTROL
RECOMMENDATIONS 61 Recommendations
54 Agreed To
3 Recommendations May Be Implemented during Realization
For example:
Procure to Pay Recommendation
SAP automatically requires key vendor master data fields to
be populated with appropriate field characteristics in
accordance with LAUSD’s master data standards.
What does this really mean?
10
PROVIDE SAP CONTROL RECOMMENDATION
(CONTD.)
11
EXAMPLES OF OTHER RECOMMENDATIONS
SAP has been configured to check for duplicate
vendor records.
Configure a control that will check for duplicate
vendors based on Tax Identification Number.
SAP has been configured to require the duplicate
invoice check for all relevant vendor account
groups.
The duplicate invoice check vendor master field
will be set to required for all account groups.
12
EXAMPLE OF OTHER RECOMMENDATIONS
(CONTD.) SAP is configured to restrict changes to assets
after posting.
Users will not have the ability to change key
fields such as the asset acquisition date after
the posting of documents.
Funds Management is configured which prevents
the posting of transactions if funds are not
available.
13
NEXT STEPS
Follow-up audit
Objective
Timing
14