Audit Program for Investment by oaw17266


Audit Program for Investment document sample

Company (Name):
Fiscal Year End (Date):
Tested on (Date)/ tested by (Name):
Tested in (System):

Cover sheet callouts:
• A total of 39 tests have been designed to evaluate ALL KEY risks based on best practices and the
• Contains detailed testing instructions, rather than generic descriptions of the tests to be
• Links to the pre-populated test sheets with fill-in fields for company-specific information.


Treasury - Audit Program for SAP R/3 - SAMPLE
Columns of the audit program:
• Control Activity
• Control Activity Type: Preventive / Detective
• Control Nature: Manual / Automated
• IT Nature: IT Dependent / Non IT-Dependent
• Control Rating: High / Medium / Low
• Query No
• Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
• Testing Reference: Reference to supporting evidence considered pertinent
• Conclusion: Effective / Ineffective

Borrowing

Control Objective TR1: Recorded debt represents a valid liability of the organization. Borrowings are accurately recorded in the appropriate period. Loan repayments are valid, accurately calculated and recorded in the appropriate period.
(Control Objective Assertion: [Balance Sheet] Notes Payable / Long Term Debt: Accuracy, Validity, Completeness, Recording, Cut-Off)

Control Objective Background: If a disbursement is made and recorded but not forwarded to the lender, or if the disbursement is processed more than once, invalid loan repayments may occur. Invalid loan payments may result in understatement of recorded loans.
TR1.02: Only authorized personnel have the ability to open and close accounting periods.
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query No: 7 | Testing Reference: Tab 1

Testing Procedures:
Perform the following procedures to produce a list of users with access to open and close posting periods:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
  OB52 (Open and Close Posting Period) OR
  S_ALR_87003642 (Open and Close Posting Periods)

AUTHORIZATION OBJECT 2:
• S_TABU_DIS:
  Activity (ACTVT): 02 (Change)
  Authorization Group (DICBERCLS): FC31 (authorization group for posting periods)

Note: Certain settings might be set as "modifiable" in the production environment. If opening and closing posting periods is not one of them, restricted access to transactions SCC4 & SE06, which are used to prevent or allow direct changes to the production environment, serves as a strong mitigating control (see queries No 13 & 14 below for testing details).

Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.

Sample callouts:
• In addition to the written step-by-step instructions, screen-prints from SAP will be provided to visually assist those new to the system.
• Covers ALL principal treasury subprocesses:
  - Borrowing
  - Managing Cash and Investments
  - Monitoring Derivative Transactions


• • •

Managing Cash and Investments




17b5af4f-1398-488b-8ac2-39dfaa159f9e.xls                                                                                                                                                                                                                                       Page 1 of 8

Control Objective TR2: Investments represent true assets of the organization. Investments are accurately recorded in the appropriate period.
(Control Objective Assertion: [Balance Sheet] Investments: Accuracy, Validity, Recording, Cut-Off)

Control Objective Background: Recorded investments may not represent assets of the organization if invalid investment transactions are used to hide unauthorized sales or misappropriation of funds. Alternatively, expense items may inappropriately be recorded as investments, resulting in overstatement of assets and net income.
• • •
TR2.05: Only authorized personnel have the ability to:
• Import and post-process bank statements.
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query No: 19 | Testing Reference: Tab 7

Testing Procedures:
SAP system controls include the authorization concept, which allows access to receiving, importing, and processing electronic or manual bank statements to be restricted to appropriate personnel.

For organizations that manually enter the bank account statements they receive (the bank credits the automatic debit and the bank directs debit to the entity's account), perform the following procedures to produce a listing of users with access to process and/or modify bank statements manually in the system using transaction FF67:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
  FF67 (Manual Bank Statement)

AUTHORIZATION OBJECT 2:
• F_FEBB_BUK:
  Activity (ACTVT): 01 (Create) OR 02 (Change)
  Company Code (BUKRS): * (means SOME comp. codes) or specify based on the scope of the audit

Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.


• • •

*** THIS IS A SAMPLE, NOT A COMPLETE AUDIT PROGRAM ***

The complete audit program is available at http://soxmadeeasy.com/SAP_Treasury.html and contains 39 Tests designed to help audit, risk and security professionals attain reasonable assurance that controls over the Treasury business cycle in SAP R/3 operate effectively and in accordance with management's intentions, including:

• Borrowing - controls to ensure that recorded debt represents a valid liability of the organization; loan repayments are valid, accurately calculated and recorded in the appropriate period:
  - SAP edits/validations for financial documents (i.e., document type, document change rules, posting keys, tolerance groups, etc.)
  - Testing to ensure open posting periods are limited to the current period (OBBP, OB52, etc.)
  - Access to open and close accounting periods (OB52, S_ALR_87003642, etc.)
  - Monitoring procedures of the loan register for accuracy and ongoing pertinence

• Managing Cash and Investments - controls to ensure that investments represent true assets of the organization and that all investment transactions are accurately recorded in the appropriate period:
  - Access to maintain (add, change, or delete) bank accounts in SAP R/3 (transactions FI03, FI13, FI04, FI12, FI01, FI02, FI06, etc.)
  - Access to receive, import, and process electronic or manual bank statements (transactions FF67, FF_5, FEBA, etc.)
  - Access to the lockbox function to handle the receipt and processing of incoming payments (transactions FLB1, FLB2)
  - Access to post incoming payments that do not come through the lockbox process (F-28, FB05, etc.)
  - Access to set up repetitive wires, process payment proposals for non-repetitive wires (FRFT, F110, etc.)
  - Access to process incoming checks (post electronic check deposits & process incoming checks manually) (transactions FF/4, FFB4, FF/5, FFB5, FF68, FCHG, etc.)
  - Access to process and maintain memo records
  - SAP edits and validations specific to document number ranges
  - Positive Pay process controls (set up, monitoring accuracy of the file transfer to the bank)
  - Reconciliation of bank statements to SAP postings process control
  - Access to prevent or allow direct changes to the production environment using transactions SCC4 and SE06
  - Monitoring procedures of the recorded investment purchases, sales, and maturities of investments



• Managing Derivative Transactions - controls to ensure that recorded derivative transactions represent assets or liabilities of the organization and are accurately recorded in the financial statements:
  - Approval of derivative transactions
  - Monitoring counterparty confirmations to ensure completeness of derivative transaction records


The audit program covers all critical monitoring tools and techniques, configuration settings and access controls to ascertain the reliability of the SAP R/3 control environment over the Treasury business process.




Remediation tracking columns (for ineffective controls):
• Exception Details
• Mitigating Controls
• Planned Remediation Procedures
• Planned Remediation Date
• Remediation Status: Completed / In Progress
• Ref. to Post-Remediation Testing Details (if applicable)




Tab 1




Users with access to open and close posting periods in SAP R/3:

Columns:
• Count (*Insert additional rows as needed)
• User ID
• User Name
• Locked? (Yes/No) (*Exclude locked user IDs; "0" or "Blank" in this field means that the user ID is NOT locked)
• Valid From
• Valid Through (*Exclude IDs that are past their validity date (no access))
• User Type (*Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis)
• Access Appropriate as per the Job Responsibilities? (Yes/No)
• Exceptions Noted? (Yes/No)
• Comments/ Exception Detail

Rows 1 to 5 (empty in the sample)

Total: 0 (Count) | 0 (Access Appropriate) | 0 (Exceptions Noted)




Tab 7




Users with access to process and/or modify bank statements manually in the system using transaction FF67:

Columns:
• Count (*Insert additional rows as needed)
• User ID
• User Name
• Locked? (Yes/No) (*Exclude locked user IDs; "0" or "Blank" in this field means that the user ID is NOT locked)
• Valid From
• Valid Through (*Exclude IDs that are past their validity date (no access))
• User Type (*Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis)
• Access Appropriate as per the Job Responsibilities? (Yes/No)
• Exceptions Noted? (Yes/No)
• Comments/ Exception Detail

Rows 1 to 5 (empty in the sample)

Total: 0 (Count) | 0 (Access Appropriate) | 0 (Exceptions Noted)
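Tab 1 and Tab 7 apply the same screening rules to a SUIM export (drop locked IDs, IDs past their validity date, and D/C user types; keep A and S IDs for analysis) and then record, per remaining user, whether the access matches the job responsibilities confirmed in interviews. The script below is an added example that is not part of the soxmadeeasy.com audit program or of SAP; it assumes the SUIM "Users by Authorization Values" result was saved as CSV with the hypothetical column names USER_ID, USER_NAME, LOCKED, VALID_FROM, VALID_THROUGH and USER_TYPE, and uses a constructed export and a constructed approved-user list in place of the real interview results.

```python
"""
Added example (not from the audit program or SAP): screen a SUIM export the
way Tab 1 / Tab 7 describe and fill the Access Appropriate, Exceptions Noted
and Total columns.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample export, not real SAP data. Column names are hypothetical.
# LOCKED mirrors the field the tab describes: "0" or blank means not locked.
SUIM_EXPORT = """\
USER_ID,USER_NAME,LOCKED,VALID_FROM,VALID_THROUGH,USER_TYPE
JSMITH,John Smith,0,2019-01-01,9999-12-31,A
MDOE,Mary Doe,,2020-03-15,9999-12-31,A
TEMP01,Temporary Consultant,0,2021-01-01,2021-06-30,A
OLDADM,Former Administrator,64,2017-05-01,9999-12-31,A
BATCHSYS,Background Jobs,0,2018-01-01,9999-12-31,D
RFCCOMM,RFC Interface,0,2018-01-01,9999-12-31,C
SVCUSER,Shared Service Login,0,2018-01-01,9999-12-31,S
"""

# Constructed stand-in for the IDs the control owner confirmed during the
# interviews as needing the access (e.g. the period-close team for Tab 1).
APPROVED = {"JSMITH"}

# Fixed "as of" date so the validity check is reproducible.
AS_OF = date(2022, 1, 31)


@dataclass(frozen=True)
class SuimRow:
    user_id: str
    user_name: str
    locked: str
    valid_from: date
    valid_through: date
    user_type: str


def parse_export(text: str) -> List[SuimRow]:
    """Read the CSV export into rows; dates are parsed so they can be compared."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append(SuimRow(
            user_id=rec["USER_ID"].strip(),
            user_name=rec["USER_NAME"].strip(),
            locked=rec["LOCKED"].strip(),
            valid_from=date.fromisoformat(rec["VALID_FROM"].strip()),
            valid_through=date.fromisoformat(rec["VALID_THROUGH"].strip()),
            user_type=rec["USER_TYPE"].strip().upper(),
        ))
    return rows


def exclusion_reason(row: SuimRow, as_of: date) -> Optional[str]:
    """Why a row drops out of the analysis, or None if it must be reviewed."""
    if row.locked not in ("", "0"):
        return "locked user ID"
    if row.valid_through < as_of:
        return "past validity date (no access)"
    if row.user_type in ("D", "C"):
        return "system/communication ID (no end user access)"
    return None  # A (Dialog) and S (Service) IDs stay in for analysis


def build_test_sheet(rows, approved, as_of):
    """One sheet entry per ID that can actually exercise the access."""
    sheet = []
    for row in rows:
        if exclusion_reason(row, as_of) is not None:
            continue
        appropriate = row.user_id in approved
        sheet.append({
            "Count": len(sheet) + 1,
            "User ID": row.user_id,
            "User Name": row.user_name,
            "User Type": row.user_type,
            "Access Appropriate": "Yes" if appropriate else "No",
            "Exceptions Noted": "No" if appropriate else "Yes",
            "Comments": "" if appropriate
                        else "not on the control owner's approved list; investigate",
        })
    return sheet


def totals(sheet):
    """The tab's Total row: IDs reviewed, access confirmed appropriate, exceptions."""
    return {
        "reviewed": len(sheet),
        "access appropriate": sum(r["Access Appropriate"] == "Yes" for r in sheet),
        "exceptions": sum(r["Exceptions Noted"] == "Yes" for r in sheet),
    }


if __name__ == "__main__":
    result = build_test_sheet(parse_export(SUIM_EXPORT), APPROVED, AS_OF)
    for entry in result:
        print(entry)
    print(totals(result))
```

With the constructed data, the expired consultant, the locked administrator and the two D/C IDs drop out, leaving three IDs to review; the service ID is kept deliberately, because a Service user can still log on interactively and exercise the transaction, which is why the tabs say to leave S IDs in for analysis.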



