Audit Program for Investment
Document sample


Company (Name):
Fiscal Year End (Date):
Tested on (Date) / tested by (Name):
Tested in (System):

Notes on this sample:
• A total of 39 tests have been designed to evaluate ALL KEY risks based on best practices and the
• Contains detailed testing instructions, rather than generic descriptions of the tests to be
• Links to the pre-populated test sheets with fill-in fields for company-specific information.
• In addition to the written step-by-step instructions, screen-prints from SAP will be provided to visually assist those new to the system.
• Covers ALL principal treasury subprocesses: Borrowing; Managing Cash and Investments; Monitoring Derivative Transactions.

Treasury - Audit Program for SAP R/3 - SAMPLE

Columns of the audit program:
• Control Activity
• Control Activity Type: Preventive / Detective
• Control Nature: Manual / Automated
• IT Nature: IT Dependent / Non IT-Dependent
• Control Rating: High / Medium / Low
• Query No
• Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
• Testing Reference: Reference to supporting evidence considered pertinent
• Conclusion: Effective / Ineffective

Borrowing

Control Objective TR1: Recorded debt represents a valid liability of the organization. Borrowings are accurately recorded in the appropriate period. Loan repayments are valid, accurately calculated and recorded in the appropriate period.
(Control Objective Assertion: [Balance Sheet] Notes Payable / Long Term Debt: Accuracy, Validity, Completeness, Recording, Cut-Off)
Control Objective Background: If a disbursement is made and recorded but not forwarded to the lender, or if the disbursement is processed more than once, invalid loan repayments may occur. Invalid loan payments may result in understatement of recorded loans.

TR1.02: Only authorized personnel have the ability to open and close accounting periods.
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query No: 7 | Testing Reference: Tab 1
Testing Procedures:
Perform the following procedures to produce a list of users with access to open and close posting periods:
Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"
AUTHORIZATION OBJECT 1:
• S_TCODE: OB52 (Open and Close Posting Period) OR S_ALR_87003642 (Open and Close Posting Periods)
AUTHORIZATION OBJECT 2:
• S_TABU_DIS:
Activity (ACTVT): 02 (Change)
Authorization Group (DICBERCLS): FC31 (authorization group for posting periods)
Note: Certain settings might be set as "modifiable" in the production environment. If opening and closing posting periods is not one of them, restricted access to transactions SCC4 & SE06, which are used to prevent or allow direct changes to the production environment, serves as a strong mitigating control (see queries No 13 & 14 below for testing details).
Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
17b5af4f-1398-488b-8ac2-39dfaa159f9e.xls Page 1 of 8

Managing Cash and Investments

Control Objective TR2: Investments represent true assets of the organization. Investments are accurately recorded in the appropriate period.
(Control Objective Assertion: [Balance Sheet] Investments: Accuracy, Validity, Recording, Cut-Off)
Control Objective Background: Recorded investments may not represent assets of the organization if invalid investment transactions are used to hide unauthorized sales or misappropriation of funds. Alternatively, expense items may inappropriately be recorded as investments, resulting in overstatement of assets and net income.
TR2.05: Only authorized personnel have the ability to:
• Import and post-process bank statements.
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query No: 19 | Testing Reference: Tab 7
Testing Procedures:
SAP system controls include the authorization concept, which allows restricting access to receiving, importing, and processing electronic or manual bank statements to appropriate personnel.
For organizations that manually enter bank account statements they receive (the bank credits the automatic debit and the bank directs debit to the entity's account), perform the following procedures to produce a listing of users with access to process and/or modify bank statements manually in the system using transaction FF67:
Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"
AUTHORIZATION OBJECT 1:
• S_TCODE: FF67 (Manual Bank Statement)
AUTHORIZATION OBJECT 2:
• F_FEBB_BUK:
Activity (ACTVT): 01 (Create) OR 02 (Change)
Company Code (BUKRS): * (means SOME comp. codes) or specify based on the scope of the audit
Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
*** THIS IS A SAMPLE, NOT A COMPLETE AUDIT PROGRAM ***
The complete audit program is available at http://soxmadeeasy.com/SAP_Treasury.html and contains 39 Tests designed to help audit, risk and security professionals attain reasonable assurance that controls over Treasury
business cycle in SAP R/3 operate effectively and in accordance with management's intentions, including:
• Borrowing - controls to ensure that recorded debt represents a valid liability of the organization; loan repayments are valid, accurately calculated and recorded in the appropriate period:
- SAP edits/validations for financial documents (i.e., document type, document change rules, posting keys, tolerance groups, etc.)
- Testing to ensure open posting periods are limited to the current period (OBBP, OB52, etc.)
- Access to open and close accounting periods (OB52, S_ALR_87003642, etc.)
- Monitoring procedures of the loan register for accuracy and ongoing pertinence
• Managing Cash and Investments - controls to ensure that investments represent true assets of organization and that all investment transactions are accurately recorded in the appropriate period:
- Access to maintain (add, change, or delete) bank accounts in SAP R/3 (transactions FI03, FI13, FI04, Fi12, FI01, FI02, FI06, etc.)
- Access to receive, import, and process electronic or manual bank statements (transactions FF67, FF_5, FEBA, etc.)
- Access to the lockbox function to handle the receipt and processing of incoming payments (transactions FLB1, FLB2)
- Access to post incoming payments that do not come through the lockbox process (F-28, FB05, etc.)
- Access to set up repetitive wires, process payment proposals for non repetitive wires (FRFT, F110, etc.)
- Access to process incoming checks (post electronic check deposits & process incoming checks manually) (transactions FF/4, FFB4, FF/5, FFB5, FF68, FCHG, etc.)
- Access to process and maintain memo records
- SAP edits and validations specific to document number ranges
- Positive Pay process controls (set up, monitoring accuracy of the file transfer to the bank)
- Reconciliation of bank statements to SAP postings process control
- Access to prevent or allow direct changes to the production environment using transactions SCC4 and SE06
- Monitoring procedures of the recorded investment purchases, sales, and maturities of investments
• Managing Derivative Transactions - controls to ensure recorded derivative transactions represent assets or liabilities of the organization & accurately recorded in the financial statements:
- Approval of derivative transactions
- Monitoring counterparty confirmations to ensure completeness of derivative transaction records
The audit program covers all critical monitoring tools and techniques, configuration settings and access controls to ascertain the reliability of the SAP R/3 control environment over the Treasury business process.
Remediation tracking columns (right-hand part of the audit program):
• Exception Details (For ineffective controls)
• Mitigating Controls (For ineffective controls)
• Planned Remediation Procedures (For ineffective controls)
• Planned Remediation Date (For ineffective controls)
• Remediation Status (Completed / In Progress)
• Ref. to Post-Remediation Testing Details (If applicable)
Tab 1
Users with access to open and close posting periods in SAP R/3:
Columns:
• Count (*Insert additional rows as needed)
• User ID
• User Name
• Locked? (Yes/No) (*Exclude locked user IDs; "0" or "Blank" in this field means that the user ID is NOT locked)
• Valid From
• Valid Through (*Exclude IDs that are past their validity date (no access))
• User Type (*Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis)
• Access Appropriate as per the Job Responsibilities? (Yes/No)
• Exceptions Noted? (Yes/No)
• Comments/ Exception Detail
1
2
3
4
5
Total 0 0 0
Tab 7
Users with access to process and/or modify bank statements manually in the system using transaction FF67:
Columns:
• Count (*Insert additional rows as needed)
• User ID
• User Name
• Locked? (Yes/No) (*Exclude locked user IDs; "0" or "Blank" in this field means that the user ID is NOT locked)
• Valid From
• Valid Through (*Exclude IDs that are past their validity date (no access))
• User Type (*Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis)
• Access Appropriate as per the Job Responsibilities? (Yes/No)
• Exceptions Noted? (Yes/No)
• Comments/ Exception Detail
1
2
3
4
5
Total 0 0 0
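The exclusion rules that Tab 1 and Tab 7 apply to the exported SUIM user list (drop locked IDs, IDs past their validity date, and D/C user types; keep A and S for job-responsibility review) can be automated. The following Python script is an added example, not part of the original audit program; it assumes a simplified CSV layout for the SUIM export (a real export has different columns) and runs over constructed sample rows.

```python
import csv
import io
from datetime import date

# Constructed sample of a SUIM "Users by Authorization Values" export.
# The column layout is an assumption for this example; map a real export
# onto these field names before use.
SAMPLE_EXPORT = """user_id,user_name,lock,valid_from,valid_through,user_type
JSMITH,John Smith,,2019-01-01,,A
MJONES,Mary Jones,0,2020-03-15,2021-12-31,A
BATCH01,Batch job user,,2018-05-01,,D
RFC_FI,FI interface,0,2018-05-01,,C
SVC_PERIOD,Period close service,,2020-01-01,,S
TLEE,Tom Lee,64,2019-06-01,,A
"""

# Tab 1 / Tab 7 rule: leave A (Dialog) and S (Service) IDs for analysis.
REVIEW_TYPES = {"A", "S"}


def is_locked(lock_field):
    # Tab rule: "0" or blank in the lock field means the ID is NOT locked.
    return lock_field.strip() not in ("", "0")


def is_expired(valid_through, today):
    # Blank valid-through means the ID has no end date.
    if not valid_through.strip():
        return False
    return date.fromisoformat(valid_through) < today


def users_for_review(export_text, today_iso):
    """Apply the exclusions; return (ids to review, [(id, reason) excluded])."""
    today = date.fromisoformat(today_iso)
    kept, excluded = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if is_locked(row["lock"]):
            excluded.append((row["user_id"], "locked"))
        elif is_expired(row["valid_through"], today):
            excluded.append((row["user_id"], "validity expired"))
        elif row["user_type"] not in REVIEW_TYPES:
            excluded.append((row["user_id"], "user type " + row["user_type"]))
        else:
            kept.append(row["user_id"])
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = users_for_review(SAMPLE_EXPORT, "2024-01-01")
    print("Review against job responsibilities:", kept)
    for uid, reason in excluded:
        print("Excluded:", uid, "-", reason)
```

The IDs that remain still need the manual step the tab calls for: judging whether the access is appropriate for each user's job responsibilities and recording exceptions.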