Authorization to Represent the Company
Company (Name):
Fiscal Year End (Date):
Tested on (Date)/ tested by (Name):
Tested in (System):

A total of 73 tests have been designed to evaluate ALL KEY risks based on best practices and the
Contains detailed testing instructions, rather than generic descriptions of the tests to be
Links to the pre-populated test sheets with fill-in fields for company-specific information.
In addition to the written step-by-step instructions, screen-prints from SAP will be provided to visually assist those new to the system.
Covers ALL principal expenditure subprocesses:
• Purchasing
• Processing Accounts Payable
• Processing Disbursements
• Master File maintenance

Expenditure - Audit Program for SAP R/3 - SAMPLE

Columns of the audit program:
- Control Activity
- Control Activity Type: Preventive / Detective
- Control Nature: Manual / Automated
- IT Nature: IT Dependent / Non IT-Dependent
- Control Rating: High / Medium / Low
- Query/Testing Procedure No
- Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
- Testing Reference: Reference to supporting evidence considered pertinent
- Conclusion: Effective / Ineffective

Purchasing
Control Objective EXP1: Purchase orders are only placed for approved purchase requisitions.
(Control Objective Assertion: [Balance Sheet] Accrued Expenses: Validity; Payables: Validity; Prepaid Expenses: Validity & [Income Statement] Operating Expenses: Validity)
Control Objective Background: Purchase requisitions are normally used only if an independent purchasing function that procures goods and services to fulfill the organization's requirements has been established. The purchasing function should not acquire goods or services for which purchase requisitions have not been approved by management.

EXP1.01: Only authorized personnel have the ability to create, change, or cancel:
• Purchase orders,
• Outline agreements (standing purchase orders).
Control Activity Type: Preventive; Control Nature: Automated; IT Nature: IT Dependent; Control Rating: High; Query/Testing Procedure: 1; Testing Reference: Tab 1

Testing Procedures:
Generate listings of users who have access to create and/or change purchase orders and/or outline agreements. Assess whether it is appropriate for such users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance.

Perform the following procedures to verify which users have the ability to Create Purchase Order (Vendor Known) in SAP via ME21 or ME21N:
Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"
AUTHORIZATION OBJECT 1:
• S_TCODE: ME21 or ME21N (Create Purchase Order, Vendor Known)
AUTHORIZATION OBJECT 2:
• M_BEST_EKO:
Activity (ACTVT): 01 (Create)
Purchasing Org. (EKORG): * (means SOME purch. orgs.) or specify based on the scope of the audit
AUTHORIZATION OBJECT 3:
• M_BEST_WRK:
Activity (ACTVT): 01 (Create)
Plant (WERKS): * (means SOME plants) or specify based on the scope of the audit

Note: Additional authorization objects to consider for this assessment include:
• M_BEST_EKG (can be used to limit your query to specific purchasing group(s) for which purchase orders can be created, e.g., Activity (ACTVT): 01 (Create); Purchasing Group (EKGRP): specify your selected value here)
• M_BEST_BSA (can be used to limit your query to specific purchasing document type(s) for which purchase orders can be created, e.g., Activity (ACTVT): 01 (Create); Purchasing document type (BSART): specify your selected value here)

Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
Control Objective EXP2: Purchase orders are entered accurately.
(Control Objective Assertion: [Balance Sheet] Accrued Expenses: Recording; Payables: Recording; Prepaid Expenses: Recording & [Income Statement] Operating Expenses: Recording)
Control Objective Background: Inaccurate input of purchase orders could lead to financial losses due to incorrect goods or services being purchased.
EXP2.01: System edits / validations have been configured in the SAP R/3 system for the following documents:
• Purchase Requisitions
• Purchase orders
• Contracts
• Outline agreements
• Payment Transactions.
In addition, the following configurations have been implemented according to management's intentions:
• Matching parameters designed to flag "potential" duplicate invoices
• Tolerances and posting rules for 2 and 3 way matching.
Control Activity Type: Preventive; Control Nature: Automated; IT Nature: IT Dependent; Control Rating: High; Query/Testing Procedure: 24; Testing Reference: N/A (if needed, include reference to supporting evidence considered pertinent)

Testing Procedures:
Tolerance limits may be set for two aspects, namely price variance (the net price compared to the valuation price) and maximum cash discount deduction. It is also possible to specify in the system whether the message that the system issues when a limit is exceeded is a warning or an error message.

Perform the following procedures to check if the tolerance limits for price variance (PO versus Receipt) are set up correctly:
• Variance settings:
Execute transaction code OMEU (Set tolerance limits for price variance)
The system will show an overview of the defined tolerance limits
Double-click on the entries that relate to the company being audited
Two entries must be checked: Tolerance key PE (price) & Tolerance key SE (discount)
Note the values shown:
- Both a lower and upper limit may be specified
- Both in an absolute (PE only) & a percentage value
Ascertain whether the values noted comply with management's intentions.
• Message settings:
Execute transaction code OME0 (Define system messages for price variance)
Click on the "Position" button
Enter values 00, 06 and 207 (message for price variance) and press "Enter"
Note the value in the field "Categories"
If tolerance limits are exceeded, possible messages are a W for warning and an E for an error
Ascertain whether the values noted comply with management's intentions.
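As an added illustration (not part of the audit program), the following script models the EXP2.01 check: tolerance key PE limits as noted in OMEU, the W/E category as noted in OME0, and the final comparison against management's intentions. The rule that a variance breaching either the absolute or the percentage limit raises the message, the limit key names, and all values are assumptions made for this example.

```python
"""Added example, not part of the audit program. It models the EXP2.01 price
variance control: tolerance key PE limits noted in OMEU and the W/E message
category noted in OME0 (message 00 06 207). The rule that breaching either the
absolute or the percentage limit triggers the message is an assumption for
illustration, not a statement of the SAP R/3 algorithm."""

def price_variance_check(net_price, valuation_price, limits, category):
    """Return 'OK', 'W' (warning) or 'E' (error) for one PO item.
    limits: abs_lower, abs_upper, pct_lower, pct_upper; a missing/None limit is not checked."""
    if category not in ("W", "E"):
        raise ValueError("OME0 category must be W or E, got %r" % (category,))
    diff = net_price - valuation_price            # positive = net price above valuation price
    pct = diff / valuation_price * 100.0 if valuation_price else 0.0
    checks = (("abs_upper", diff), ("abs_lower", -diff), ("pct_upper", pct), ("pct_lower", -pct))
    for key, deviation in checks:
        limit = limits.get(key)
        if limit is not None and deviation > limit:
            return category
    return "OK"

def compare_to_intent(configured, intended):
    """Audit step: fields whose noted value differs from management's intention."""
    return {k: (configured.get(k), v) for k, v in intended.items() if configured.get(k) != v}

# Constructed values "noted" during the walkthrough (illustrative, not real customer data).
CONFIGURED = {"abs_lower": 100.0, "abs_upper": 100.0, "pct_lower": 10.0, "pct_upper": 10.0, "msg_207": "W"}
INTENDED = {"abs_lower": 100.0, "abs_upper": 100.0, "pct_lower": 5.0, "pct_upper": 5.0, "msg_207": "E"}

if __name__ == "__main__":
    for net in (105.0, 115.0, 80.0):
        print(net, price_variance_check(net, 100.0, CONFIGURED, CONFIGURED["msg_207"]))
    print(compare_to_intent(CONFIGURED, INTENDED))
```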
Processing Disbursements
Control Objective EXP8: Disbursements are only made for goods and/or services received.
(Control Objective Assertion: [Balance Sheet] Accrued Expenses: Completeness; Payables: Completeness; Prepaid Expenses: Validity & [Income Statement] Operating Expenses: Validity)
Control Objective Background: Unauthorized payments could be made to fictitious parties, and such errors might not be detected.
EXP8.02: Only authorized personnel have the ability to:
• Release invoices that have been blocked for payment, either for an individual invoice or for a specified vendor.
Control Activity Type: Preventive; Control Nature: Automated; IT Nature: IT Dependent; Control Rating: High; Query/Testing Procedure: 65; Testing Reference: Tab 36

Testing Procedures:
When a vendor invoice is entered in the system, it can be blocked. To do this, management can enter a blocking key in the item, which represents the reason for blocking. If management wants to block the account of a business partner from payment, they enter the blocking key in the business partner's master record. A posting block can be set for a specific vendor account for certain company codes or for all company codes. When a vendor account is blocked centrally, both posting and order processing (where Materials Management is implemented) are prevented. A vendor account can also be blocked for posting to this account only.

Perform the following procedures to produce a list of users with access to process blocked invoices in SAP:
Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"
AUTHORIZATION OBJECT 1:
• S_TCODE: MR02 (Process blocked invoices)
AUTHORIZATION OBJECT 2:
• M_RECH_SPG:
Activity (ACTVT): 02
Blocking reason (SPEGR): * (means SOME blocking reason(s)) or restrict to selected values below:
- G (Order price quantity) OR
- M (Quantity) OR
- P (Price) OR
- Q (Manually) OR
- T (Date)

Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
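As an added example (not part of the audit program), the script below models both SUIM queries, EXP1.01 (create purchase orders via ME21/ME21N) and EXP8.02 (process blocked invoices via MR02), over a constructed user export and then applies the Tab 1 / Tab 36 exclusion rules (locked IDs, expired IDs, user types D and C). The field name TCD for S_TCODE, the simplified wildcard matching, and every user record are assumptions for illustration.

```python
"""Added example, not part of the audit program. It models the EXP1.01 and
EXP8.02 SUIM queries over a constructed user export, then applies the Tab 1 /
Tab 36 exclusion rules. Authorization matching is deliberately simplified: a
user value of '*' or an exact value counts, and a query value of '*' (the
audit program's "SOME") accepts any value the user holds."""
from datetime import date

TODAY = date(2025, 1, 1)   # constructed test date used for the validity check

# Required authorization values taken from the audit program (field name TCD assumed).
CREATE_PO = {"S_TCODE": {"TCD": {"ME21", "ME21N"}},
             "M_BEST_EKO": {"ACTVT": {"01"}, "EKORG": {"*"}},
             "M_BEST_WRK": {"ACTVT": {"01"}, "WERKS": {"*"}}}
PROCESS_BLOCKED = {"S_TCODE": {"TCD": {"MR02"}},
                   "M_RECH_SPG": {"ACTVT": {"02"}, "SPEGR": {"*"}}}

def _field_ok(user_vals, wanted):
    """True if the user's values for one field satisfy any wanted value."""
    if not user_vals:
        return False
    if "*" in user_vals or "*" in wanted:
        return True
    return bool(user_vals & wanted)

def has_access(user, required):
    """A user passes only if every object and every field of it matches."""
    return all(_field_ok(user["auths"].get(obj, {}).get(field, set()), vals)
               for obj, fields in required.items() for field, vals in fields.items())

def keep_for_analysis(user, today):
    """Tab 1 / Tab 36 rules: drop locked, expired, and D (System) / C (Communication) IDs."""
    return (user["locked"] in ("0", "") and user["valid_to"] >= today
            and user["type"] in ("A", "S"))

def users_to_review(users, required, today):
    return sorted(u["id"] for u in users if has_access(u, required) and keep_for_analysis(u, today))

# Constructed sample export (values are illustrative only).
SAMPLE = [
    {"id": "BUYER01", "locked": "0", "valid_to": date(2030, 12, 31), "type": "A",
     "auths": {"S_TCODE": {"TCD": {"ME21N"}}, "M_BEST_EKO": {"ACTVT": {"01", "02"}, "EKORG": {"1000"}},
               "M_BEST_WRK": {"ACTVT": {"01"}, "WERKS": {"*"}}}},
    {"id": "BUYER02", "locked": "64", "valid_to": date(2030, 12, 31), "type": "A",   # locked
     "auths": {"S_TCODE": {"TCD": {"ME21"}}, "M_BEST_EKO": {"ACTVT": {"01"}, "EKORG": {"*"}},
               "M_BEST_WRK": {"ACTVT": {"01"}, "WERKS": {"1000"}}}},
    {"id": "RFC_PO", "locked": "0", "valid_to": date(2030, 12, 31), "type": "C",     # communication ID
     "auths": {"S_TCODE": {"TCD": {"*"}}, "M_BEST_EKO": {"ACTVT": {"*"}, "EKORG": {"*"}},
               "M_BEST_WRK": {"ACTVT": {"*"}, "WERKS": {"*"}}}},
    {"id": "APCLERK", "locked": "0", "valid_to": date(2030, 12, 31), "type": "A",
     "auths": {"S_TCODE": {"TCD": {"MR02"}}, "M_RECH_SPG": {"ACTVT": {"02"}, "SPEGR": {"P", "Q"}}}},
    {"id": "OLDUSER", "locked": "0", "valid_to": date(2020, 1, 1), "type": "S",      # expired
     "auths": {"S_TCODE": {"TCD": {"MR02"}}, "M_RECH_SPG": {"ACTVT": {"02"}, "SPEGR": {"*"}}}},
]

if __name__ == "__main__":
    print("Tab 1 :", users_to_review(SAMPLE, CREATE_PO, TODAY))
    print("Tab 36:", users_to_review(SAMPLE, PROCESS_BLOCKED, TODAY))
```

Narrowing the audit scope is done by replacing the "*" entries, e.g. EKORG {"1000"}, in which case a user holding only EKORG 2000 no longer matches.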
*** THIS IS A SAMPLE, NOT A COMPLETE AUDIT PROGRAM ***
The complete audit program is available at http://soxmadeeasy.com/SAP_Expenditure.html and contains 73 tests designed to help audit, risk and security professionals attain reasonable assurance that controls over the Expenditure business cycle in SAP R/3 operate effectively and in accordance with management's intentions, including:
• Purchasing - controls to ensure that purchase orders are entered accurately & (if purchasing function has been established) only placed for approved purchase requisitions, etc.:
- Access to create, maintain, & release purchase orders, purchase requisitions and outline agreements
- Release procedure for purchase orders and purchase requisitions; source list maintenance
- System edits for purchase requisitions, purchase orders, outline agreements, & payment transactions
- Tolerances and posting rules for price variance (PO versus Receipt)
- Tolerances and posting rules for PO/Invoice Price variance and quantity variance (Invoice versus PO)
- Goods received invoice verification and GR-based invoice verification
- System edits for purchasing documents (document type, posting keys, tolerance groups) and more.
• Processing Accounts Payable - controls to ensure that the amounts posted to the A/P represent goods/services received, accurately calculated and recorded; credit notes and other adjustments
related to the A/P are accurately calculated, recorded and processed, etc.:
- Access to enter/maintain/release credit notes, invoices, credit memos, and recurring payments
- Access to maintain the exchange rate table, rounding units, and foreign currency ratios
- Access to maintain the Goods receipt/ Invoice receipt (GR/IR) account
- Access to create, change, or delete vendor pricing information and much more.
• Processing Disbursements - controls to ensure that disbursements are only made for goods/services received, accurately calculated and recorded, and distributed to the appropriate suppliers, etc.:
- Access to modify payment run parameters, edit payment run proposal, execute payment run
- Access to block/unblock vendors, release invoices blocked for payment
- Alternative payee and one time vendor functionalities
- Edits/validations of the payment and order entry transactions and much more.
• Maintaining Supplier and/or Vendor Master Files - controls to ensure validity, accuracy, and timeliness of changes to the vendor master files, etc.:
- Access to create, change, or delete vendor master records
- Segregation/separation of duties within SAP R/3 expenditures functions
- Monitoring changes to vendor master data and more.
Remediation columns (blank in the sample):
- Exception Details (for ineffective controls)
- Mitigating Controls (for ineffective controls)
- Planned Remediation Procedures (for ineffective controls)
- Planned Remediation Date (for ineffective controls)
- Remediation Status: Completed / In Progress
- Ref. to Post-Remediation Testing Details (if applicable)
Tab 1
Users with access to create purchase orders via ME21 or ME21N:
Columns:
- Count (*Insert additional rows as needed)
- User ID
- User Name
- Locked? (Yes/No) (*Exclude locked user IDs; "0" or "Blank" in this field means that the user ID is NOT locked)
- Valid From
- Valid Through (*Exclude IDs that are past their validity date (no access))
- User Type (*Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis)
- Access Appropriate as per the Job Responsibilities? (Yes/No)
- Exceptions Noted? (Yes/No)
- Comments/ Exception Detail
1
2
3
4
5
Total 0 0 0
Tab 36
Users with access to process blocked invoices via MR02:
Columns:
- Count (*Insert additional rows as needed)
- User ID
- User Name
- Locked? (Yes/No) (*Exclude locked user IDs; "0" or "Blank" in this field means that the user ID is NOT locked)
- Valid From
- Valid Through (*Exclude IDs that are past their validity date (no access))
- User Type (*Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis)
- Access Appropriate as per the Job Responsibilities? (Yes/No)
- Exceptions Noted? (Yes/No)
- Comments/ Exception Detail
1
2
3
4
5
Total 0 0 0