Webinar Auditing SAP

CLICK TO EDIT MASTER TITLE STYLE
Click to edit Master text styles

Click to edit Master text styles. Lots of paragraph
copy goes here, and here and here.
Second level
Third level
Fourth level
Fifth level
AUDITING AND THE SAP ENVIRONMENT

Presented by:
Phil Lim, Product Manager, ACL
Steve Biskie, Managing Director, High Water Advisors
CLICK the
About
TO Speakers
EDIT MASTER TITLE STYLE
Phil Lim has over seven years of experience working with compliance and audit groups
Click to edit Master text

styles
of Fortune
500 companies, helping them build technology enabled assurance programs
assess, test, and monitor risk.
Click to edit Master texttostyles.
Lots of paragraph
As aand
Product
Manager for ACL Services Ltd., he is currently responsible for the
copy goes here, and here
here.
integrated content portfolio.
Second level
Third level Phil has significant international experience; he was a key ACL consultant in Siemens
extensive continuous controls monitoring project -- combining and analyzing purchase
Fourth level
to payment data from over 1000 globally decentralized corporate entities daily, aimed at
detecting potential FCPA violations.
Fifth
level
Steve Biskie, co-founder and Managing Director of High Water Advisors, has over two
decades of experience optimizing GRC and audit performance through the use of
technology.
In addition to being a leader in the data analysis space, he is also an expert in audit and
compliance issues related to the SAP ERP system. He has authored dozens of articles,
was an expert reviewer for the book Security, Audit, and Control Features: SAP ERP
(3rd Edition), and in 2011 authored his own book through SAP Press titled Surviving an
SAP Audit.
He is a CPA, CITP, CISA, CGMA, and a two-time IIA All-Star Speaker.

Agenda

Second level
Third level
Fourth level
Approaches to
Dealing with
Fifth
level
Data Access
SAP IT (Basis)
Discussion of tools
and methodologies
pros and cons
Concerns
Security,
Performance, and
Data Volumes
Common Risk
Areas
Finding Your
Data
Example Tests
Best practices on
executing testing

Second level
Third level
Fourth level
Fifth level
Discussion of tools and methodologies pros and cons
Approaches to Data Access
Approaches
to Data
Access
Dealing with
SAP IT (Basis)
Concerns
Discussion of tools
and methodologies
pros and cons
Security,
Performance, and
Data Volumes
Common Risk
Areas
Finding Your
Data
Example Tests
Best practices on
executing testing
CLICK
Data
Access
TO EDIT
Approaches
MASTER TITLE
for SAP
STYLE

Standard
copy goes
here,SAP
and hereSAP
and Data
here.Browser
Reports
(SE16/SE16N)
Second level
Third level
Fourth level
SAP Query Fifth level
(SQ01/SQVI) or
SAP BI
Custom ABAP
SAP GRC (Access

Control/Process
Control/Fraud
Management)
Self-serve
IT Supported
ACL Direct Link
CLICK TOSAP
Standard
EDITReports
MASTER TITLE STYLE
What is it?

Click to edit
Master
textreports
styles. Lots
of paragraph
Using
system
that business
uses
Second level
Third level
Fourth level
Independence
from IT (self-serve)
Fifth
levelto set up
No additional
effort
Pros
Most are fairly easy to understand

Cons
Not designed for auditors (difficulty to find suspicious items only)

Downloads (even to Excel) require significant re-formatting to use
Many are client-specific (limited view across enterprise)
Not all relevant data might be housed in SAP
CLICK
SAP
Data
TO Browser
What is it?

Using
built-intext
SAP
transaction
to query records at the table level
Click to edit
Master
styles.
Lots ofcodes
paragraph
Examples:
SE16N
copy goes
here, andSE17,
here SE16,
and here.
Second level
Pros
Third level
Fourth level
Independence from IT (self-serve)
Fifth
Access nearly
anylevel
data in the system
Cons
Only able to perform single-table analysis with basic filters

No ability to join (large detail tables cannot be reduced by header data)
Limited ability to query large data sets (may time out)
Inherent limitations on extracting data from certain important tables
Difficult to repeat analysis, schedule extracts, and create audit trail
CLICK
SAP
Query
TO EDIT
/ Custom
MASTER
ABAP
TITLE STYLE
What is it?

Using
built intext
SAP
transaction
to query records at the table level
Click to edit
Master
styles.
Lots ofcodes
paragraph
Alternatively,
SAPhere.
AIS
copy goes
here, and using
here and
Examples
Second
level: SQ1, SE16, SECR
Third level
Pros Fourth level
Fifth level
Independence from IT (self-serve)

Access nearly any data in the system
Cons
Only performs basic analysis

Limited ability to query large data sets or join multiple tables
Difficult to repeat analysis and schedule extracts
Lacks audit trail
CLICK
SAP
Query
TO EDIT
/ Custom
MASTER
ABAP
TITLE STYLE
What is it?
UseMaster
of built-in
Query
(SQ01, SQVI)
Click to edit
textSAP
styles.
Lotstools
of paragraph
SAP
IT teams
(both
infrastructure
and functional teams), help
copy goes
here,
and here
and
here.
implement custom ABAP queries for audit purposes
Second level
Third level
Pros Fourth level
Fifth level
Access the data you want the way you want it

Ability to join tables and perform more complex analysis
Cons
IT reluctant to grant query transactions due to performance concerns

Cost ABAP developers are not cheap
Turnaround time for query development
Difficult to maintain over time as the business changes (processes
and controls change, so do tolerances & thresholds)
9
CLICK
SAP
BITO EDIT MASTER TITLE STYLE
What is it?
Using
SAP BIs
toolset Lots
(e.g. of
SAP
BusinessObjects) to query
Click to edit
Master
text styles.
paragraph
Pros
Second level
Third level
Integrated solution
Fourth level
Intended for end-user access
Fifth level
Ability to access non-SAP data (if in BI warehouse)
Cons
Not designed for Audit
BI/BW data often cleansed as part of ETL process
Typically Aggregated / summarized data audit and compliance
processes often require analysis of detailed transactions
Reconciliation to source system can be challenging
10
CLICK
SAP
GRC
TO (Access
EDIT MASTER
Control/Process
TITLE STYLE
Control) - consider FM
What is it?

Using SAP Access Control for security analysis
Click to edit
Master text styles. Lots of paragraph
Using SAP Process Control for continuous monitoring
copy goes
here,
and
hereManagement
and here. for fraud analytics
Using
SAP
Fraud
Second level
Third level
Pros
Fourth level
Integrated solution
Fifth level
May be already owned in-house

Ability to drill from findings/issues into live SAP data
Analysis speed (for customers on the SAP HANA platform)
Cons
Intended for business management, not audit
Designed for productionized testing, not ad-hoc analysis
Subject to internal IT change control processes (which take time)
HANA platform out of reach for many audit/compliance departments
11
CLICK
ACL
Direct
TO EDIT
Link MASTER
for SAP TITLE STYLE
What is it?

SAPMaster
Certified
Add-on
forLots
ACLof
Analytics
technologies to provide direct
Click to edit
text
styles.
paragraph
access to SAP data
Second level
Third level
Fourth level
Independence
from IT (self-serve)
Audit trail Fifth level
Pros
Repeatable; can schedule extract and analysis

Performs complex analysis off of the SAP system, limiting impact to
performance
Handles large, transactional data volumes
Cons
Some SAP IT teams resistant to idea (perceived impact on
performance/security)
Not a magic bullet; you still need to do your auditor due diligence
12

Second level
Third level
Fourth level
Fifth level
Dealing with SAP IT (BASIS) Concerns

security, performance, data volumes
Approaches
to Data
Access
Dealing with
SAP IT (Basis)
Concerns
Discussion of tools
and methodologies
pros and cons
Security,
Performance, and
Data Volumes
Common Risk
Areas
Finding Your
Data
Example Tests
Best practices on
executing testing
CLICK
SAP
IT TO
Teams

Second level
Third level
Fourth level
Fifth level
SAP IT Team
Infrastructure
Functional
Commonly referred to as BASIS
Commonly referred to as
Business Analysts / ABAP
developers
Responsible for security,

hardware, installations, code
promotions, etc.
Create new SAP queries, new

SAP functionality, integration
14
CLICK TO EDITConcerns
Infrastructure
MASTER TITLE STYLE
Whatever tool/methodology you use to access your SAP Data
Second level
Third level
Fourth level
Fifth level
Security
Who will have access, and
how?
How will we prevent
unauthorized access?
What user permissions do
you need?
How do you protect data that
has been extracted?
Production
Impact
How will we prevent
untested queries from
running in Production?
What is the impact on
our system?
Data
Volumes
How much
space is going
to be used?
Network?
CPU?
15
CLICK TO EDIT
Addressing
Security
MASTER
Concerns
TITLE STYLE

Second level
Third level
Fourth level
Fifth level
Security
Who will have access, and
how?
How will we prevent
unauthorized access?
What user permissions do
you need?
How do you protect data that
has been extracted?
ACL Direct Link follows user permissions to tables

and is Read Only
Server environment can be used to secure both
sensitive data and control scripts run on
production
Data
Volumes
ACL Direct Link is SAP Certified
How much
Existing IT policies regarding use
of extract
space
is going
to be
used?
tools can also be applied to ACL
Direct
Link
Network?
CPU?
16
CLICK TO EDIT
Addressing
Production
MASTERImpact
TITLEConcerns
STYLE
Can set up your query development
process to prevent untested code from
torunning
edit inMaster
Productiontext styles
Click
Click to ACL
editDirect
Master
text styles. Lots of paragraph
Link translates to native
ABAPhere,
code (mostly
table here.
copy goes
and straight
here and
dumps, seldom complex joins)
Second
level to equivalent SAP
Comparable
tools (e.g.
Third
levelSE16)
Fourth mode
level
Runs in background
Fifth level
Can test performance in a QA
environment prior to deploying
to production
Production
Impact
How will we prevent
untested queries from
running in Production?
What is the impact on
our system?
Differing passwords can be used

to ensure that only authorized
individuals can query from
production
17
CLICK TO EDIT
Addressing
DataMASTER
Volume Concerns
TITLE STYLE

Massive queries are possible (there is no longer a 4GB
limit)
Second level
Third level
An auditor can schedule Direct Link queries to run in
Fourth level
background and at off-peak times to minimize production
Fifth level
impact
ACL Direct Link is used by large US Federal Government
entities with billions of records
You will need space to store queries
Data
Volumes
How much
space is going
to be used?
Network?
CPU?
18

Second level
Third level
Fourth level
Fifth level
Common Risk Areas

example tests in P2P, O2C, GL/R2R
Approaches
to Data
Access
Dealing with
SAP IT (Basis)
Concerns
Discussion of tools
and methodologies
pros and cons
Security,
Performance, and
Data Volumes
Common Risk
Areas
Finding Your
Data
Example Tests
Best practices on
executing testing
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE STYLE

Second level
Third level
Fourth level
Fifth level
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
20
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

Top styles.
Spend Lots of paragraph
Click toNew
edit Vendor
Master text
Second level
Risk
Third level
Fourth level
Vendors without previous relationships with the organization present
Fifth
level
a higher risk
for exposure
to compliance violations.
Test Description
Identify invoices to vendors created in the investigation period
greater than X cumulative spend.
Tables used: LFA1, BSAK
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
21
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

Orders
Click toRetroactive
edit MasterPurchase
text styles.
Lots of paragraph
Second level
Risk
Third level
Fourth level
Circumvention of purchasing controls can result in authorized
Fifth
levelfraud
transactions
and/or
Test Description
In the investigation period, identify invoices with an invoice document
date before the Purchase Order creation date.
Tables used: EKBE, EKPO
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
22
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

Click toOne
editTime
Master
Vendors
Second level
Third level
Payments
to one-time-vendors
are typically subject to fewer purchasing controls.
Fourth
level
Fifth level
Risk
Test Description
In the investigation period, identify One Time Vendors with more than X spend or
more than Y transactions.
In the investigation period, identify a sample of one time vendor transactions for
review.
Tables used: BSEC, LFA1
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
23
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

Click toNon-PO
edit Master
Invoices
Second level
Third level
Payments
made outside
Fourth
level of the purchasing workflow may have fewer controls.
Fifth level
Risk
Test Description
In the investigation period, identify vendors with a total non-PO spend greater than
a threshold X. Exclude vendors by type such as taxes.
In the investigation period, identify any non-PO invoices that were created by
unauthorized individuals.
In the investigation period, identify a sample of non-PO invoices for further review.
Tables used: EKBE, BSIK, BSAK
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
24
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

Click toReceiving
edit Master
styles.
Lots of paragraph
vs. text
Invoice
SOD
Second level
Risk
Third level
Fourth level
Segregation of duties is somehow not maintained between the receiver
Fifth level
of goods/services
and the person who created or modified the invoice.
Test Description
In the investigation period, identify transactions where the receiver was
the same person that created or modified the invoice.
Tables used: EKBE, BSIK, BSAK
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
25
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

vs. Vendor
MasterLots
SODof paragraph
Click toInvoice
edit Master
text styles.
Second level
Risk
Third level
Fourthoflevel
Segregation
duties is somehow not maintained between the
creator/modifier
vendor information and the person who invoices the
Fifthoflevel
vendor
Test Description
In the investigation period, identify invoices created or modified by the
same individual as the vendor creator/modifier.
Tables used: EKBE, BSIK, BSAK, LFA1

P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
26
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

Invoicestext styles. Lots of paragraph
Click toDuplicate
edit Master
Risk
Second level
Third level
Amiskeying
of the invoice number may result in the duplicate payment of an invoice
A miskeying
of which
vendor to associate to an invoice may result in a duplicate payment of an
Fourth
level
invoice
Fifth
Duplicate vendors
couldlevel
result in invoices being paid multiple times
Test Description
In the investigation period, identify invoices to the same vendor but with different invoice
reference document number patterns.
In the investigation period, identify invoices with the same amount to different vendors with the
same tax identification number.
Tables used: BSIK, BSAK, LFA1
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
27
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
P2P STYLE

Payments
Click toEarly
edit Master
Second level
Third level
Fourth
level
Payments
made
that do not follow standard payment terms may
represent a significant
Fifth level opportunity cost of capital
Risk
Test Description
In the investigation period, identify invoices with an opportunity cost of
early payment greater than X, based off of a cost of capital and standard
payment terms days
Tables used: BSIK, BSAK, REGUH, PAYR
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
28
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
GL/R2R
STYLE

in Static
Click toActivity
edit Master
textAccounts
styles. Lots of paragraph
Second level
Third level
Fourth
level
Unusual
manual
postings to accounts may be an indication of fraud or
financial misstatement
Fifth level
Risk
Test Description
In the investigation period, identify manual journal entries posted to
accounts with infrequent activity. Accounts with infrequent activity are
defined by an externally provided list.
Tables used: BSIS, BSAS, SKA1, SKAT
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
29
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
GL/R2R
STYLE

Journal
Descriptions
Click toManual
edit Master
textEntry
styles.
Lots of paragraph
Second level
Risk
Third level
Fourth level
Inadequate documentation of manual journal entries may represent a
Fifth
compliance
risk level
Test Description
In the investigation period, identify manual journal entries with
descriptions shorter than X characters.
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
30
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
GL/R2R
STYLE

or Infrequent
Transaction
Code
Click toInvalid
edit Master
text styles.
Lots of paragraph
Second level
Risk
Third level
Fourth level
Infrequently used transaction codes may represent a circumvention
of controls Fifth level
Test Description
In the investigation period, identify journal entries with an SAP
transaction code that is infrequently used.
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
31
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
GL/R2R
STYLE

Search
Click toKeyword
edit Master
Second level
Risk
Third level
Fourthcontaining
level
Transactions
suspicious keywords may represent a
compliance
risk (e.g. FCPA, Sunshine Act, Dodd Frank Conflict
related
Fifth level
Minerals, etc.)
Test Description
In the investigation period, identify journal entry or account descriptions
containing a suspicious keyword.

P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
32
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
O2C STYLE

Write-offs
Click toAdjustments,
edit MasterCredit
text Notes,
styles.and
Lots
of paragraph
Risk
Second level
Third level
Adjustments, credit notes, and write-offs can be abused or used to cover up
Fourth
fraudulent
activity.level
Fifth level
Test Description
In the investigation period, identify customers where there are adjustments, credit
notes, and write-offs greater than X in total and Y% of their total activity.
In the investigation period, identify sales adjustments created or modified by an
unauthorized individual.
Tables used: BSAD, KNA1
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
33
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
O2C STYLE

Order Line
Product
Click toSales
edit Master
text vs.
styles.
LotsPrice
of paragraph
Second level
Third level
Fourth
level
Data entry
errors
could result in sales prices below desired prices
Excessivediscounts
Fifth levelcould be a sign of bribery, and require investigation
Risk
for anti-bribery/FCPA purposes

Test Description
In the investigation period, identify sales order line items where the price
varies more than X% or Y amount from the product price.
Tables used: VBAK, VBAP, KONV, KONP, KNA1
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
34
CLICK Areas
Target
TO EDIT
in SAP
MASTER
ERP TITLE
O2C STYLE

Credit
Click toCustomer
edit Master
textLimits
styles. Lots of paragraph
Second level
Third level
Fourth
level of customer credit limits can expose an organization
Inadequate
review
to collection
risk level
Fifth
Risk
Test Description
In the investigation period, identify customers with credit limits that have
not been reviewed in the past X days and/or with unusually high credit
limit.
Tables used: VBAK, VBAP, KNA1, KNKK
P2P
Purchase to
Payment (MM
Module)
GL/R2R
General
Ledger, Record
to Report
(FI Module)
O2C
Order to Cash
(SD Module)
35

Second level
Third level
Fourth level
Fifth level
Finding your Data
Best practices on executing testing
Approaches
to Data
Access
Dealing with
SAP IT (Basis)
Concerns
Discussion of tools
and methodologies
pros and cons
Security,
Performance, and
Data Volumes
Common Risk
Areas
Finding Your
Data
Example Tests
Best practices on
executing testing
CLICKforTOFinding
TIPS
EDIT MASTER
your DataTITLE STYLE

#1:
QUICK WINS
Click to edit Master text styles.STEP
Lots of
paragraph
specific, narrow risk where there are likely findings. Identify likely data elements required
copyChoose
goes ahere,
and here and here.
(e.g. clearly vendor number and invoice number would be required for a duplicate invoice test)
Second level
Third level
STEP
Fourth
level #2: Use Entity Relational Diagrams
Entity ERDs help you visualize which tables you might need as well as other, related tables that might also
Fifth level
be helpful
STEP #3: Determine actual fields required

Use ABAP Dictionary (SAP SE11 Transaction) can be very helpful
37
CLICK
SAP
P2P
TOEntity
EDIT MASTER
RelationalTITLE
Diagram
STYLE

Second level
Third level
Fourth level
Fifth level
CLICK
SAP
P2P
TOEntity
EDIT MASTER
RelationalTITLE
Diagram
STYLE

Second level
Third level
Fourth level
Fifth level
MM
FI
CLICK
SAP
P2P
TOEntity
EDIT MASTER
RelationalTITLE
Diagram
STYLE

Vendors
Click to edit Master text styles. LotsOne
of Time
paragraph
Purchase
Purchase Orders
Second level
Requisitions
Goods/Services Receipts/
Third level
Invoice Receipts
Fourth level
Fifth level
Vendor Master
Invoice Postings/Payments
CLICK TO
Asking
ForEDIT
HelpMASTER
(and other
TITLE
Resources)
STYLE

ACL Consulting Services & Highwater Advisors
Second level ACL Audit and Financial Control Solution

level waste, abuse, and financial misstatement risks with pre-defined data analytics
AddressupThird
to 30 fraud,
Fourth level
Navigating
Fifth level
Webinar on
the SAP Data Dictionary (and ER Diagram)
: http://tinyurl.com/lk97byt
SAP Functional (Business Analyst) Teams
Assistance with identifying tables you might need, understanding related tables that might also be helpful,
and providing insight into non-standard customizations that might impact analysis
41

Second level
Third level
Fourth level
Fifth level
Q&A
Approaches
to Data
Access
Dealing with
SAP IT (Basis)
Concerns
Discussion of tools
and methodologies
pros and cons
Security,
Performance, and
Data Volumes
Common Risk
Areas
Finding Your
Data
Example Tests
Best practices on
executing testing

Second level
Third level
Fourth level
Fifth level
For more information please contact us:
Phil Lim
Steve Biskie
phil_lim@acl.com
steve.biskie@
highwateradvisors.com

Webinar Auditing SAP

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Webinar Auditing SAP

Hochgeladen von

Copyright:

Verfügbare Formate

CLICK TO EDIT MASTER TITLE STYLE

Click to edit Master text styles

AUDITING AND THE SAP ENVIRONMENT

Click to edit Master text

integrated content portfolio.

CLICK TO EDIT MASTER TITLE STYLE

Click to edit Master text styles

CLICK TO EDIT MASTER TITLE STYLE

Click to edit Master text styles

Approaches to Data Access

Click to edit Master text styles

SAP GRC (Access

ACL Direct Link

Click to edit Master text styles

Most are fairly easy to understand

Not designed for auditors (difficulty to find suspicious items only)

Click to edit Master text styles

Only able to perform single-table analysis with basic filters

Click to edit Master text styles

Independence from IT (self-serve)

Only performs basic analysis

Access the data you want the way you want it

IT reluctant to grant query transactions due to performance concerns

Click to edit Master text styles

May be already owned in-house

Click to edit Master text styles

Repeatable; can schedule extract and analysis

CLICK TO EDIT MASTER TITLE STYLE

Click to edit Master text styles

Dealing with SAP IT (BASIS) Concerns

Click to edit Master text styles

Commonly referred to as BASIS

Responsible for security,

Create new SAP queries, new

Click to edit Master text styles

ACL Direct Link follows user permissions to tables

dumps, seldom complex joins)

Differing passwords can be used

Click to edit Master text styles

CLICK TO EDIT MASTER TITLE STYLE

Click to edit Master text styles

Common Risk Areas

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Tables used: EKBE, BSIK, BSAK, LFA1

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Click to edit Master text styles

Tables used: BSIS, BSAS, SKA1, SKAT

Click to edit Master text styles

Click to edit Master text styles

for anti-bribery/FCPA purposes

Click to edit Master text styles

CLICK TO EDIT MASTER TITLE STYLE

Click to edit Master text styles

Finding your Data