Continuous Auditing, Monitoring & Data Analytics

]

SHERRYANNE MEYER[ASUG INSTALLATION MEMBER

MEMBER SINCE: 2000

ANUP MAHESHWARI[ASUG ASSOCIATE MEMBER

MEMBER SINCE: 2008

AJAY VONKAREY[ASUG ASSOCIATE MEMBER

MEMBER SINCE: 1996

CONTINUOUS AUDITING,

CONTINUOUS MONITORING, AND

DATA ANALYTICS FOR AUDITING SAP

R/3MICHAEL BERARDI, MS-CIS, CISA

ASUG INSTALLATION MEMBER

MEMBER SINCE 2001

Real Experience. Real Advantage.

[ Michael Berardi

2


[ SAP R/3 ENVIRONMENT AT ENERGIZER

HOLDINGS INC.

Eveready Battery Company

Energizer and Eveready Batteries

SWS Schick

Playtex Products

SAP R/3 v. 4.7

Five instances of SAP R/3

USA – two instances

Sales (HP & PC)

Manufacturing (HP)

Europe

Sales (HP & PC)

Manufacturing (PC)

Human Resources/Payroll

3


[ FRAUD

TRIANGLE

4

OPPORTUNITY

PRESSURE RATIONALIZATION


[

LIMITS OF DATA ANALYSIS,

CONTINUOUS AUDITING

AND MONITORING

The only limits on what can be accomplished are the limits of

your imagination, creativity and access to the data

5


[ TERMS DEFINED

DATA ANALYSIS

CAATSContinuous

AuditingContinuous Monitoring


[ TOOLS

SAP R/3 (SE16, SE17, SAP Queries)

IDEA

• Benford‟s Law toolkit

ACL - http://www.acl.com

• Desktop

• Network version has evolved to Audit Exchange

• Webinars – www.acl.com/findmoney

Microsoft Access and Excel

http://www.acl.com/findmoney


[ Data Analysis Tools Outside SAP R/3

ACL

Direct Link for SAP R/3

ACL for the desktop

Audit Exchange

User Forums

http://www.acl.com

Idea (http://www.audimation.com)

Pre-built analysis for fraud - http://www.audimation.com/datas.cfm

Manufacturing applications http://www.audimation.com/applications/Manufacturing_Applications.pdf

Microsoft (Ms) Access

Ms Office

Approva

http://www.acl.com/

http://www.audimation.com/


[Approva BizRights

Process Controls: Process Configuration, Transactions, Master Data, …

Payroll

Financial Close

Order-to-Cash

Procure-to-Pay

Security Controls: Segregation of Duties, Sensitive Access…

System Controls: Password Policies, Transport Policies…

Mu

ltip

le C

on

tro

ls

OraclePeople

Soft HyperionLegacy Apps

Other AppsSAP

Multiple Applications

Collaboration AcrossBusiness Users, IT and Audit

Finance Managers

BusinessManagers

IT ManagersInternal & External

Auditors

Incre

asin

g R

eg

ula

tory

Pre

ssu

re &

Au

dit C

osts


[

10

LEARNING POINTS

Why apply data analysis with SAP R/3?

Understanding the benefits of data analysis, monitoring and continuous auditing

A cookbook approach to data analytics

Energizer Holdings success with continuous monitoring

Pre-written continuous monitoring and auditing tools


[WHY APPLY DATA ANALYSIS


[ BENEFITS OF DATA ANALYSIS

R/3 is data rich, report opportunistic

Testing the entire populations versus samples

Data analysis increases effectiveness and efficiency

Effective for working remotely or on-site

Easier to share information electronically than via hardcopy reports


[ BENEFITS OF DATA ANALYSIS

Benford‟s law – who can tell me what this is?


[

14

RETURN ON INVESTMENT

Continuous Monitoring

• Payroll

• SSN tests (invalid, duplicate, dead people)

• Setting criteria for percent change from run to run

• Accounts Payable

• Duplicate Payments

• Unclaimed credits

Continuous Auditing

• Systems such as Approva or those you build yourself can identify unusual transactions that might avoid a fraudulent payment

• Look for a series of split transactions, avoiding the dollar cutoff for either no receipt or no approval required


[ PAYROLL

Ghost Employees

• Invalid SSN

• No benefits or unusual items

• Dup Dir Deposit Info

Expense reimbursement

• AP vendor bill and employee reimbursemnt through payroll check for expense

Reported overtime during slow period

• Authorized overtime?

• Rounding up hours?

Segregation of Duties (SOD)

15


[ ACCOUNTS PAYABLE

Duplicate payments & vendor pre-payments

Invoice to invoice

Procurement card to invoice

Site draft to off-invoice

Duplicate vendor


[ ACCOUNTS PAYABLE (CONT.)

LOOSE INVOICES (NO PO)

Fictitious vendors

Employee vendor accounts

Duplicate freight charges

Missed earned vendor discounts

17


[ Revenue Leakage

Evaluation Software

Short Paid invoices

Unauthorized discounts or credit notes?

Price overrides

• Unlimited No. copies per Co.

• No Expiration

• Outstanding copies not disabled upon purchase

• Trends –always same vendor(s)?

• Excessive rebates?

18


[

19

BEST PRACTICES

Follow the SDLC process in the selection and

implementation of a data analytics

tool

Include I.T. in the process

Allocate enough storage space on the SAP server for what the selected tool

produces

Follow the SDLC process in the

creation of new queries, so as not

to impact the production system(s)


[ LEARNING POINTS


[ A DATA ANALYSIS APPROACH – DATA

COOKBOOK

Don‟t re-create the wheel every time you develop a new report

Maintain a list of the tables and procedures followed

Cookbook a catalogue of Recipes

Recipes may reference existing R/3 reports or table sources and procedures to produce reports

Sources of information on tables and the location of data exists both within R/3 and through internet resources


[

SHAREPOINT TOOL

Using SharePoint to organize and store data analysis, continuous auditing

and continuous monitoring „recipes‟ or procedures

22


[ AUDIT SITE WITH LINK TO COOKBOOK

23


[

SHAREPOINT SITE USED FOR RECIPES

24


[


[


[


[


[


[


[


[


[


[


[


[


[ LEARNING POINTS


[ SAP R/3 Tables for testing

According to ACL there are over 20,000 tables in SAP

R/3

The following are the top 20 Tables:

BKPF - Financial Documents Header

BSEG - Financial Document Items

EKKO - Purchasing Document Header

EKPO - Purchasing Document Item

BSAD - Cleared Customer Invoices (paid)

BSAK - Cleared Vendor Invoices (paid)



BSIS - General Ledger Accounts

KNA1 - Customer Master (General Data)

KNKK - Customer Master (Credit Data)

KNVV - Customer Master (Sales Data)

LFA1, LFB1, LFM1 - Vendor Master

MARC - Material Master

VBAK - Customer Orders - Header

VBAP - Customer Orders - Items

VBRK - Customer Invoices - Header

VBRP - Customer Invoices - Items



DD02T - Table Titles

TSTCT - Transaction Titles

Create your own list of tables,

transactions and reports you find

useful

Join ASUG Internal Controls SIG

discussion groups to grow your

knowledge


[ Good Information Sources

Google – http://www.google.com

SAPGenie - http://www.sapgenie.com

SAPGenie Table Diagrams

http://www.sapgenie.com/abap/tables.htm#Finance%20Tables

SAP Help on the Web - http://help.sap.com/

SAP R/3 Application Help

http://help.sap.com/saphelp_470/helpdata/EN/e1/8e51341a06084

de10000009b38f83b/frameset.htm

http://www.google.com/

http://www.sapgenie.com/

http://www.sapgenie.com/abap/tables.htm

http://help.sap.com/

http://help.sap.com/saphelp_470/helpdata/EN/e1/8e51341a06084de10000009b38f83b/frameset.htm

http://help.sap.com/saphelp_470/helpdata/EN/e1/8e51341a06084de10000009b38f83b/frameset.htm


[ Good Information Sources

ISACA

http://www.isaca.org and select downloads for SAP ICQ & Audit

Programs

ISACA Bookstore for guides such as “Security, Audit and

Control Features SAP R/3 A Technical and Risk Management

Reference Guide”

http://www.isaca.org/


[ LEARNING POINTS


[ SAP R/3 transactions to facilitate data analysis

Transactional access required

Display only access

Data Dictionary (SE11)

Ability to view tables (SE16, SE17)

Demonstration of Transaction Code SE16

Using R/3 transactions to locate table data

Demonstration of using Help - Technical Settings


[

SE11 – DATA DICTIONARY

45


[

Transaction SE11 to

display data dictionary

information


[


[

SE16 – EXTRACTING FROM

TABLE FIELDS

48


[

Transaction Code SE16

TCODE: SE16


[



[



[



[



[

HOW DO I FIND THE TABLE

AND FIELD IN WHICH DATA

RESIDES?54


[

Click on the paper in the

bottom left corner gives

critical information such as

Tcode

When working with the users....


[

So how do I find the source of

information?


[ So how do I find the source of information?


[ So how do I find the source of information?


[To save to a file on

your local hard drive

follow this menu tree


[ LEARNING POINTS


[ SAP Queries – Tcode SQ01

61


[ Key Learning Points!

Grow your knowledge of SAP R/3

Discussion groups

ASUG chapter meetings

Locate training

Find good sources of SAP R/3 information related to

internal controls

Start a cheat sheet of transactions, tables, programs and

reports

Start your own library of data extraction and analysis

methods and reference them in the applicable internal

controls test plans


[

MICHAEL BERARDI

[email protected]

Questions or Comments?

THANKS,

63

mailto:[email protected]


[

64

[

] Thank you for participating.

SESSION CODE:

4506 – Data Analysis, Continuous Auditing and Monitoring

Please remember to complete and return your

evaluation form following this session.

For ongoing education on this area of focus, visit the Year-Round

Community page at www.asug.com/yrc


[ IDEA by AUDIMATION

65


[

66


[

67


[ http://www.slideshare.net/acc_shan/sap-hr-

presentation-08052002-presentation

68

Technology

Continuous Auditing, Monitoring & Data Analytics