The ones which fall through the net: plausibility and SAP security

Some audit questions in the areas of process standardization, compliance and correctness, or access restrictions are quite difficult, if not impossible, to assign to one of the classic processes of purchasing, sales or fixed assets. That does not make audit questions such as superuser activities, separation-of-duty conflicts or weekend postings any less critical.

It is precisely for such audit questions that we have implemented a special process for cross-process issues in zap Audit. This covers all audit questions that cannot be assigned to a specific process. You can find out more about why and how we have done this in this blog post.

Why do cross-process analyses exist?

“Cross Process Analytics” – sounds a bit vague, you may say? After all, why should it not be possible to classify every data indicator into a purchase-to-pay or order-to-cash process? The answer is simple: there are audit questions that focus on finding “superficial” weaknesses. Whether you have entered your postings on time, so that your accounts are in order, is a question of a general nature. It is completely irrelevant whether the document comes from purchase-to-pay, order-to-cash or fixed assets and inventory. The timely entering of documents is without a doubt always a relevant “secondary virtue”. And there are plenty of other audit questions of this type…

What is the role of the GoBD?

The recording of postings falls within the scope of Germany’s “Generally Accepted Accounting Principles”, or GAAP (German: “Grundsätze ordnungsmäßiger Buchführung – GoB“). More details can be found in the “Principles for properly maintaining and storing books, records and documents in electronic form and for data access” (German: “Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff – GoBD“), published by the German tax authorities, most recently in the version issued by the German Federal Ministry of Finance (BMF) on November 14, 2014. The timely recording of postings is covered in section 46:

“Every cashless business transaction should be recorded as directly as possible after it occurs. According to the GoB, every business transaction should be posted on a continuous, ongoing basis over time (journal). It is contrary to the nature of commercial accounting to restrict itself to the collection of documents and, after a long period has elapsed, to enter the business transactions into basic records or basic books based on these documents.” (Section 46 of the GoBD)

The official text of the GoBD can be found on the website of the Federal Ministry of Finance:

BMF - GoBD (external link)

Some other examples of cross-process indicators in zap Audit are:

FI documents with a long interval between posting and processing date

The purpose of this indicator is to identify compliance and correctness.

There is the risk of fraudulent or erroneous postings in (re)opened periods.

The criterion for this indicator is:

The FI document has been marked because the posting date differs by more than 40 days from the processing date. The period of 40 days corresponds to one accounting period plus 10 days to close the period.

If you want to read more on the topic, please take a look at our blog series about “Postings in a timely manner”.

FI documents posted during weekend

The purpose of this indicator is to identify compliance and correctness.

There is the risk that fraudulent activities might have been performed outside regular business hours.

The criterion for this indicator is:

The document has been marked because it was updated at the weekend. Postings by system users are not listed (user type B: System User (internal RFC and background processing) and user type C: Communication User (external RFC)).

More information about postings made during the weekend can be found here.

Missing reversed document

The purpose of this indicator is to identify compliance and correctness.

There is the potential risk of business transactions not being recorded correctly in a period.

The criterion for this indicator is:

The document has been marked because it is a reversal and the reversed document could not be found in the data.
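The three criteria above, implemented as detection logic over a constructed set of FI document headers. This is an added example, not zap Audit's own code; the field names and their mapping to the SAP tables BKPF and USR02 are assumptions.

```python
from datetime import date

# Constructed FI document headers. In an SAP system these fields would be read
# from BKPF (BUDAT posting date, CPUDT entry date, USNAM user, STBLG reversed
# document) joined with USR02-USTYP for the user type; that mapping is assumed.
def doc(doc_id, posted, entered, user, user_type="A", reverses=None):
    return {"id": doc_id, "posting_date": posted, "entry_date": entered,
            "user": user, "user_type": user_type, "reverses": reverses}

DOCS = [
    doc("5000", date(2023, 1, 5), date(2023, 1, 6), "MILLER"),
    doc("5001", date(2023, 1, 5), date(2023, 3, 1), "MILLER"),           # entered 55 days after posting date
    doc("5002", date(2023, 1, 14), date(2023, 1, 14), "SMITH"),          # Saturday, dialog user
    doc("5003", date(2023, 1, 15), date(2023, 1, 15), "BATCHJOB", "B"),  # Sunday, but system user (type B)
    doc("5004", date(2023, 1, 20), date(2023, 1, 20), "SMITH", reverses="5000"),  # reversal, original present
    doc("5005", date(2023, 1, 20), date(2023, 1, 20), "SMITH", reverses="4711"),  # reversal, original missing
]

def long_posting_interval(docs, max_days=40):
    """Posting date and entry date differ by more than max_days
    (one accounting period plus 10 days to close it)."""
    return {d["id"] for d in docs
            if abs((d["entry_date"] - d["posting_date"]).days) > max_days}

def weekend_posting(docs, excluded_user_types=("B", "C")):
    """Entered on a Saturday or Sunday by a user that is not a system (B)
    or communication (C) user."""
    return {d["id"] for d in docs
            if d["entry_date"].weekday() >= 5
            and d["user_type"] not in excluded_user_types}

def missing_reversed_document(docs):
    """Reversal document whose reversed document is not in the data set."""
    known = {d["id"] for d in docs}
    return {d["id"] for d in docs
            if d["reverses"] is not None and d["reverses"] not in known}

if __name__ == "__main__":
    print("long interval:", long_posting_interval(DOCS))         # {'5001'}
    print("weekend:", weekend_posting(DOCS))                      # {'5002'}
    print("missing reversed:", missing_reversed_document(DOCS))  # {'5005'}
```

Note that the weekend check deliberately uses the entry date, not the posting date, since a posting date at the weekend is routine when a document is back-dated to the period it belongs to.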

How is this related to SAP Security?

Permissions that are assigned too generously usually come back to haunt you further down the line. One of the most famous phenomena of this type is the “apprentice trap”: as trainees rotate through a large number of departments, more and more authorizations are added over time and no one takes care to revoke the authorizations that are no longer required. In some cases, trainees may even have acquired more rights in the SAP system over the years than, for example, a managing director. A small number of IT departments go down an even easier route and simply assign administration rights to selected users. The SAP_ALL or SAP_NEW profile typically used in such cases is, however, not permitted according to the recommendations of the DSAG working group. The following indicators relating to access restrictions are integrated into zap Audit:

Operations done by superusers

The purpose of this indicator is to identify access restrictions.

There is the risk of fraudulent activities, because one user could perform two critical transactions due to having comprehensive access rights.

The criterion for this indicator is:

The document was marked because it was performed by a user possessing standard SAP privileged access rights.

You can find out how to perform an even more in-depth analysis of users with extensive SAP authorizations here.

A single user did the complete business process

The purpose of this indicator is to identify access restrictions.

There is a high risk of fraud if the entire sequence is performed by one individual.

The criterion for this indicator is:

All documents in a sequence that have been performed entirely by the same user are marked.

Documents without users

The purpose of this indicator is to identify compliance and correctness.

There is the risk that a transaction cannot be traced back to a user.

The criterion for this indicator is:

The document was marked because the user field is empty.

Plausibility

In some cases, however, there are extraordinary occurrences. It then becomes a matter of process plausibility. Some examples of this include:

Documents posted by users with high reversal rates

The purpose of this indicator is to identify process standardization.

The resulting risk is:

High reversal rates for a user are an indicator that transactions may be prone to error.

The criterion for this indicator is:

The document will be marked when the posting user has a reversal rate of >= 20% or is among the top 20% of users with reversals. Only reversal documents are listed.

Cyclic change of a field

The purpose of this indicator is to identify process standardization.

The resulting risk is:

There is the risk that critical fields were changed multiple times to circumvent internal controls.

The criterion for this indicator is:

The document will be marked when the same data field was changed more than one time within a sequence. The change was cyclic, meaning it was changed and then changed back to the initial value.
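The reversal-rate and cyclic-change criteria above, as detection logic over constructed sample data. This is an added example, not zap Audit's code; the data layout, the field names and the reading of "top 20% of users with reversals" as the top fifth of reversing users ranked by reversal count are assumptions.

```python
from collections import Counter, defaultdict
from math import ceil

# Constructed document population: per user (total documents, reversal documents).
USER_STATS = {"MILLER": (3, 1), "SMITH": (12, 2), "JONES": (8, 1), "BROWN": (2, 0)}

def make_docs(stats):
    """Expand the constructed stats into (document id, user, is_reversal) tuples."""
    docs, n = [], 0
    for user, (total, reversals) in stats.items():
        for i in range(total):
            docs.append((f"{1000 + n}", user, i < reversals))
            n += 1
    return docs

DOCS = make_docs(USER_STATS)

def high_reversal_rate(docs, rate_threshold=0.20, top_share=0.20):
    """Mark reversal documents whose posting user has a reversal rate >= 20%
    or ranks in the top 20% of reversing users by reversal count (ties at the
    cut-off fall back to sort order, so review them explicitly in practice)."""
    total = Counter(user for _, user, _ in docs)
    reversals = Counter(user for _, user, is_rev in docs if is_rev)
    ranked = sorted(reversals, key=reversals.get, reverse=True)
    top_users = set(ranked[:ceil(top_share * len(ranked))])
    return {doc_id for doc_id, user, is_rev in docs
            if is_rev and (reversals[user] / total[user] >= rate_threshold
                           or user in top_users)}

# Constructed change-log entries in chronological order: (document, field, old, new).
CHANGES = [
    ("2000", "PAYEE_BANK", "DE11", "DE99"),
    ("2000", "PAYEE_BANK", "DE99", "DE11"),  # back to the initial value: cyclic
    ("2001", "PAYEE_BANK", "DE11", "DE99"),
    ("2001", "PAYEE_BANK", "DE99", "DE55"),  # changed twice, never restored
    ("2002", "AMOUNT", "100.00", "250.00"),  # single change
]

def cyclic_field_change(changes):
    """Mark documents where one field was changed more than once and the last
    change restores the value the first change started from."""
    steps = defaultdict(list)
    for doc_id, field, old, new in changes:
        steps[(doc_id, field)].append((old, new))
    return {doc_id for (doc_id, _), s in steps.items()
            if len(s) > 1 and s[-1][1] == s[0][0]}
```

In the sample, MILLER is marked by the rate rule (1 of 3 documents reversed) and SMITH by the top-20% rule (most reversals, but only 2 of 12), while JONES is marked by neither.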

(One-time account) CPD documents

The purpose of this indicator is to identify compliance and correctness.

The resulting risk is:

High potential for fraud because standard vendor controls have been circumvented.

The criterion for this indicator is:

The document will be marked when it is flagged with CPD (Conto pro Diverse / one-time account).

For more information on the analysis of one-time account (CPD) documents in SAP, please refer here.

Perhaps you want to find out even more about “multidisciplinary” audit questions in zap Audit? If so, then you can download the details of all 20 cross-process indicators for free here:

Download pdf
