
Posted by: Omar Sharif 23 Jun 10 - 5:09PM | Omar Sharif

I am still surprised by the methods by which audits of SAP systems take place.
The likes of the ACE report: hundreds of pages of transactions, objects and field values dumped into the laps of
Internal Audit and the SAP Security Team. OK, now what?
Key Control Values (KCV): searching for specific settings and values within SAP.
The point of this is?
Critical transaction lists: nobody should have this access?
Segregation of Duties: violations must be removed?
Various tools, from both SAP and other parties, have been developed to reduce the level of risk in the business. Sometimes we
need to step back and understand what we are trying to achieve. Most clients raise the same questions about all of the
above.
What is the basis of the above?
Is this actually resolving anything?
I have witnessed at first hand where the implementation of tools designed to reduce risk has done quite
the opposite. This situation occurs when Internal Audit are pushing through an external remit without having the
power to make changes to business processes.
The SAP Security team are not the decision makers; they are often just following instructions from the business to
grant access to individuals so that they can perform their daily activities.
A new approach is required that can demonstrate the risk levels for each component of the business
process. Against each risk level, a pre-determined set of options should be agreed, as actions and
responsibilities for process owners.
SAP audits must move away from technical inspection and towards business process inspection.

Sarbanes-Oxley Practices for Good Corporate Governance

Part of the Sarbanes-Oxley For Dummies Cheat Sheet
Sarbanes-Oxley (SOX) was passed to combat corruption at big public companies like Enron, WorldCom,
Tyco, Adelphia, Global TelLink, HealthSouth, and Arthur Andersen. But small and not-for-profit companies are finding
they have no choice but to adopt many of the same standards if they want to get insurance, attract investors and
donors, and repel lawsuits. SOX compliance is becoming a portfolio building block that no company can ignore.
Here's what to do:

Form an audit committee. Your company's audit committee should consist of independent directors who sit
on the board and ensure the integrity of your company's audit process. After SOX, it's tough to explain to
investors and regulatory authorities why your company never got around to convening an audit committee.

Combat Section 404 audit-chondria and policy paranoia. Auditors and governance officers want to shine
by conscientiously complying with SOX Section 404. However, they have to do their jobs within the bounds of
budget and reason. Not every audit issue deserves full-throttle testing, and not every trivial process needs
accompanying policies and controls.

Prevent whistle-blower complaints from becoming lawsuits. Every company has its share of
complainers and malcontents. However, when employee or vendor complaints regard matters that can affect
the company's financial statements, the issues need to be fully documented and vetted.

Keep a lid on insurance premiums. Increasingly, insurance companies are looking at SOX compliance as
an unofficial underwriting criterion in quoting officers' and directors' liability policies and other coverage relative
to companies' exposure. Put simply, SOX compliance can save premium dollars.

Be credible in raising capital. No investor or donor wants to assume unnecessary risk. Documenting your
company's compliance with the relevant aspects of SOX shows creditors and donors that your company
operates in an ethical, controlled environment and that its future growth is a good bet.

Deal with real data in making decisions. No company can make good decisions if its financial data is
speculative and its procedures are hazy. The good news about SOX is that it has created spinoff software tools
and checklists to help your CEOs, CFOs, and other management team members get a handle on what's
happening with your company.

Figure out if SAS 70 applies to you (even if the rest of SOX doesn't). If your company provides services
to publicly traded companies, your clients may be asking you for an SAS 70 report. Even if you don't have to
comply with SOX, your customers may have to document that they only outsource to service providers with
good internal controls in place and may be looking for you to provide the appropriate SAS 70 documentation.

Communicate about control. When a company experiences a breach of ethics or internal control, it's
important to be able to trace the company communications to see where the breakdown occurred. Clear
communications about controls, procedures, and ethics can protect conscientious management and employees
at all levels while laying the blame on those attempting to circumvent SOX standards. The SOX spinoff market
has produced tools and checklists to test communication as well as other types of control.

Prepare management for new levels of liability. SOX places more responsibility (and potential liability) on
management than ever before. Management needs to understand what it can no longer delegate under SOX
and develop a strategy for maintaining control over what can be handed off to others.

Adopt a code of ethics, and mean it. Every company should adopt a simple code of ethics and
communicate it to everyone in the organization. In any company, new situations that aren't covered by specific
policies will arise. However, in the post-Enron era of SOX, the company's code of ethics should cover everything

SAS 70

SAS 70 (the Statement on Auditing Standards No. 70) defines the
standards an auditor must employ in order to assess the contracted
internal controls of a service organization. Service organizations, such
as hosted data centers, insurance claims processors and credit
processing companies, provide outsourcing services that affect the
operation of the contracting enterprise. The SAS 70 was developed by
the American Institute of Certified Public Accountants (AICPA) as a
simplification of a set of criteria for auditing standards originally
defined in 1988.

Under SAS 70, auditor reports are classified as either Type I or Type II.
In a Type I report, the auditor evaluates the efforts of a service
organization at the time of audit to prevent accounting inconsistencies,
errors and misrepresentation. The auditor also evaluates the likelihood
that those efforts will produce the desired future results. A Type II
report includes the same information as that contained in a Type I
report; in addition, the auditor attempts to determine the effectiveness
of agreed-on controls since their implementation. Type II reports also
incorporate data compiled during a specific time period, usually a
minimum of six months.

SAS 70 reports are commissioned at the request of either a service
organization (the company) or the user organization (customers). It is
in the service organization's best interests to provide consistent
service auditor's reports. Positive independent reports build a
customer's trust and confidence in the service organization and satisfy
any concerns. Furthermore, Type II reports identify any operational
areas that need improvement. A lack of current reports, on the other
hand, may generate multiple audit requests from the user organization
and these audits can be costly for the service organization.
