1ISACA JOURNAL VOLUME 6, 2009
custom-developed objects that may require testing. Although the
IT auditing section contains information necessary to perform the
SAP production system IT audit, auditing the technical client used
to implement system patches, updates and upgrades is not
addressed.
The last two chapters (13 and 14) describe ERP system control
concerns; SAP tools that address governance, risk and compliance;
future ERP and SAP directions; and other discussions relevant to
auditing SAP. Though audit guidance in these chapters applies
specifically to the SAP tool set, the audit considerations could
easily be applied to any of the provisioning tools.
Finally, Security, Audit and Control Features SAP ERP, 3rd
Edition, concludes with appendices including: Audit programs with
detailed audit task
work steps and a CobiT cross-reference Internal control
questionnaires for the three
business cycles and Basis Recommended SAP transactions to be
locked and tables to be logged and reviewed In conclusion, the
third edition is required
reading for any SAP audit, control, risk or security
professional. For many, this book will become a well-worn
reference, guiding them through their daily SAP ERP tasks. For
others, it will remain a one-time or occasional read to enhance
their basic understanding of SAP ERP. The third edition surpasses
earlier versions in the presentation of SAP ERP control
fundamentals and audit best practices. This text is a necessity for
the bookshelf of any SAP ERP audit or control department.
Editors NotESecurity, Audit and Control Features SAP ERP, 3rd
Edition, is available from the ISACA Bookstore. For information,
see the ISACA Bookstore Supplement in this Journal, visit
www.isaca.org/bookstore, e-mail [email protected] or telephone
+1.847.660.5650.
Security, Audit and Control Features SAP ERP, 3rd Edition, is a
must have for any finance, operational or IT auditor or risk
management, IT security or compliance professional, especially
those beginning their work in an SAP environment. It is also an
excellent reference for experienced SAP auditors and other experts
and those IT and business managers responsible for SAP control
processes. Through study and application of the how-to control and
audit activities found in the third edition, even the new SAP
auditor will have the potential to quickly rise to SAP best
practice audit and control standards.
There are five broad topic areas within Security, Audit and
Control Features SAP ERP, 3rd Edition: The preparatory section
(chapters 1 to 4)
includes an introduction to enterprise resource planning (ERP)
system fundamentals and SAPs ERP system basics, followed by
recommended risk management and audit methods. These chapters
provide a necessary foundation for any SAP audit professional.
The business cycle section (chapters 5 to 10) consists of a
general overview of the SAP revenue, expenditure and inventory
business cycle processes, including activity flows and controls.
This section also includes audit considerations: risk, controls and
detailed testing steps. The business cycle chapters provide the
necessary knowledge base for both finance and IT auditors in
understanding SAP ERP. The auditing chapters provide substantial
information outlining risk, key controls and detailed testing
guidance.
The IT auditing section (chapters 11 and 12) lays the foundation
for system administration (SAP Basis administration), describes in
detail the risks and controls central to SAP system administration,
and details techniques any auditor could follow when testing
control effectiveness. This chapter shows the IT auditor not only
how to effectively test Basis controls but also how to identify
additional
Published by ISACA
reviewed by Pam
Kammermeier, CisA, is
IT manager at Altran Control
Solutions, USA. She has
more than 12 years audit
experience and 20-plus years
IT experience.
Security, Audit and Control Features SAP ERP, 3rd Edition
Book Review
