PART II: TERMS OF REFERENCE

A- General Terms of Reference (TORs)

i.
ii.
iii.
iv.
v.
vi.
vii.
viii.
ix.
x.
xi.
xii.
xiii.
xiv.
xv.
xvi.

xvii.
xviii.

To point out and remove the deficiencies in the basic settings and in the business
control environment;
To evaluate the relevant project, business controls and data risks to provide
management with comfort to accomplish the desired outcomes;
To help to integrate financial and business controls to drive opportunities for
improvement and costs savings;
To review the system implementation from the compliance standpoint (accounting,
tax and legal requirements);
To check the parameters relating to security and segregation of duties;
To review the configuration of key automated procedures and controls within the
business processes;
To review the data migration for its completeness and accuracy.
To review, optimize and ensure adequacy of the control environment to be supported
by the systems built-in controls
To review SAP Governance, Risk and Compliance (GRC) and how it can be used to
enhance the internal control environment
To assist in establishing effective and efficient processes and controls within the ERP
system at the right cost, reflecting the business risks and objectives balanced against
the risk appetite of management;
To help in identifying areas where manual procedures and controls can be automated
for the benefit of business performance and controls;
To assist in optimizing management information reporting in the ERP system;
To perform data quality reviews including fraud detection techniques, verification of
interfaces, data quality assessment and cleaning, complex algorithms and verification
of reports
To evaluate the potential risks of undetected errors, fraud, or material misstatement to
the financial and operating data when business functions and users have incompatible,
elevated or powerful access to the system;
To review critical system parameters settings, verify key user accounts and profiles,
and assess the authorization list for sensitive transactions;
To evaluate the performance of SAP ERP implementation partner in the light of
XXXXXs strategic, business and operational needs according to the scope covered in
the contract document signed between XXXXX and M/S AbacusConsulting Pvt. Ltd,
Lahore.
To suggest XXXXX regarding HR and business process re-engineering (To-Be)
requirements for successful SAP ERP implementation and integration as well as for
adoptive and sustainable post implementation SAP solution utilization.
Timeline for achieving the deliverables mentioned in this TOR should be in
accordance with the timeline of the main SAP ERP implementation Project.

B- Quality Audit: SAP system Audit from a functional and process perspective.
i. Check whether there is any gap between the requirements (BBP defined
processes) and actual implementation in SAP.
ii. Review list of customizations and confirm whether there are no unreported
customizations.
iii. Analyze how effectively the SAP non-standard processes, if any have been
implemented.
iv. Analyze whether, there are avoidable duplication, complexity and redundancy in
the system.
v. Prepare detailed action plan to bridge the above gap, if any and prioritization of
the same through appropriate tools & techniques.
vi. Check whether all BBP processes that have been mapped to SAP processes are in
line with SAP best practices.

C- Security & Control Audit: SAP System Audit from the internal controls, security, and
i.

interface perspective.
Reporting on the implementation of Internal Controls.

ii.

Checking the security and authorization design for the SAP system.

iii.

Reporting on the design practices and methodologies adopted in architecting the

interfaces.

iv.

Reporting on System Administration Audit, Business process Audit & Data Protection
Audit.

D- Technical Audit
i. System Performance: System performance check based on hardware, network
and applications parameters (using suitable software tools if necessary) and
recommend improvements.
ii. Obsolescence: Check whether the OS and database in use are capable of meeting
upgrades of SAP and recommend future road map for these products.
iii. Evaluation of Back-up Management: Evaluate the Back-up Management and
recommend improvements.

E- SAP modules to be covered:

The following SAP modules would be covered under the SAP Audit & optimization as described
in previous sections of the RFP. The composition of Consulting Firms team for the engagement
shall be based on the experience and expertise required for the relevant modules in each workstream
1. Accounting & Financial Information System (FI-CO)
2. Material Management System (MM)
3. Project Management & Project Costing System (PS)
Module wise reports with recommendations of objective course correction in specific areas
should be provided. Effort should be made to associate with the implementer so that consensus
solutions may be proposed where feasible.

4.1

Technical and Quality Audits

In this phase we will perform:

System Administration Audit

o Review and evaluate system administrator procedures for monitoring the state
o
o

of security on the system.

Review of user access management procedures
Review the process used by the system administrator for setting initial

o
o

passwords for new users and communicating those passwords

Review of SAP default settings
Review of SAP super user profiles and privileged user access rights

o
o

management.
Review of power access and direct access to data tables and programs.
Ensure that the server has auditing enabled according to organizations

policies
Review of changes introduced to the Production environment are authorized,

tested, and approved.

Review of segregation of access between development and production

environments.
Business process Audit
o The review will center on control efficiency; systems/ business processes can
be over-controlled as well as under-controlled. Therefore, the review will focus
on validating that an efficient level of control exists, and relevant control
o

objectives are supported to achieve desired management objectives.

In order to assess the business process controls in SAP, we will use PwC own
risk and control matrices, which we will use to validate the key business

process controls of all in scope modules.

Data Protection Audit
o Review the information processing is carried out in secured and controlled

manner to maintain Confidentiality, Integrity and Availability of information.

System Performance Audit
o Ensure that the production systems are processed completely and accurately in
accordance with managements control objectives; and that processing
problems are identified and resolved completely and accurately to maintain

the integrity of financial and non-financial data.

Operating System and Database Capability Audit
o Review whether the operating system and database in use are capable enough
to meet the future business requirements. Our review will consider the
o

technology, people and process aspects.

Forecast of workload and capacity is performed to identify resource
bottlenecks.

Evaluation of Back-Up Management

o Review data replication settings for data backup from production system to
o

Data Recovery (DR) system.

Review that the timing and frequency of the data replication process should be
aligned with business need for short-term recovery of data in problem