SAP Audit Management Module - Excel by odj14894


Company (Name):
Fiscal Year End (Date):
Tested on (Date)/ tested by (Name):
Tested in (System):

[Callout] A total of 48 tests have been designed to evaluate ALL KEY risks based on best practices and the
[Callout] Contains detailed testing instructions, rather than generic descriptions of the tests to be
[Callout] Links to the pre-populated test sheets with fill-in fields for company-specific information.

Payroll and HR (Personnel) - Audit Program for SAP R/3 - SAMPLE
Columns:
Control Activity
Control Activity Type: Preventive/Detective
Control Nature: Manual/Automated
IT Nature: IT Dependent/Non IT-Dependent
Control Rating: High/Medium/Low
Query No
Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control
Testing Reference: Reference to supporting evidence considered pertinent
Conclusion: Effective/Ineffective

Hiring Personnel

Control Objective HR1: Additions to the payroll master files represent valid employees. All new employees are added to the payroll master files.
Control Objective Assertion: [Balance Sheet] Payroll related accruals / provisions & [Income Statement] Salaries, Wages & Related Expenses: Validity, Completeness
HR1.03: The personnel and the organizational reporting structure are current.

Access to modify personnel and organizational reporting structure in SAP R/3 is limited to appropriate

Control Activity Type: Preventive
Control Nature: Automated
IT Nature: IT Dependent
Control Rating: High
Query No: 2
Testing Reference: Tab 2

Testing Procedures:
A job is a general classification of task areas (e.g. head of department). A job is a standard description of an activity that can be performed by a person. Perform the following procedures to generate a listing of users with access to maintain or edit existing jobs in SAP R/3:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"
AUTHORIZATION OBJECT 1:
• S_TCODE:
  PO03 (Maintain Jobs)
AUTHORIZATION OBJECT 2:
• PLOG:
  Plan Version (PLVAR): * (means users authorized to maintain jobs in ANY/SOME plan version(s))
  Subtype (SUBTYP): * (means access to maintain ANY/SOME subtypes of given infotypes)
  Planning Status (ISTAT): * (means ANY planning status in which the user is authorized for access)
  Function Code (PPFCODE): INSE (Insert) OR AEND (Change) OR DEL (Delete) OR "*" (All/Any)
  Infotype (INFOTYP): * (means users authorized to maintain jobs for ANY/SOME infotypes)
  Object Type (OTYPE): C (means "Jobs") OR P (means "Persons/Employees") OR "*" (All/Any)

Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate for such users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your

[Callout] In addition to the written step-by-step instructions, screen-prints from SAP will be provided to visually assist those new to the system.
[Callout] Covers ALL principal hr/payroll
• Hiring Personnel
• Terminating Personnel
• Recording Time
• Calculating Payroll
• Disbursing Payroll
• Maintaining Master Files

f0874d57-315d-4814-973e-b6b813e1f160.xls                                                                                                                                                                                                                                    Page 1 of 4
Columns (continued):
Exception Details: For ineffective controls
Mitigating Controls: For ineffective controls
Planned Remediation Procedures: For ineffective controls
Planned Remediation Date: For ineffective
Remediation Status: Completed/In Progress
Ref. to Post-Remediation Testing Details: If applicable

Tab 2

Users with access to maintain or edit existing jobs in SAP R/3:

Columns:
Count: *Insert additional rows as needed
User ID
User Name
Locked? (Yes/No): *Exclude locked user IDs ("0" or "Blank" in this field means that user ID is NOT locked)
Valid From
Valid Through: *Exclude IDs that are past their validity date (no access)
User Type: *Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis
Access Appropriate as per the Job Responsibilities? (Yes/No)
Exceptions Noted? (Yes/No)
Comments/ Exception Detail

Total: 0    Access Appropriate: 0    Exceptions Noted: 0
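
The Tab 2 exclusion rules applied to an exported SUIM user listing, as an added example that is not part of the original audit program. The CSV column names, the ISO date format and the sample rows are constructed for illustration; the user type codes follow the Tab 2 header.

```python
import csv
import io
from datetime import date

# Constructed sample of a SUIM export; column names and rows are assumptions.
SAMPLE_EXPORT = """User ID,User Name,Locked,Valid From,Valid Through,User Type
JSMITH,Jane Smith,0,2020-01-01,,A
BATCH01,Interface user,0,2019-01-01,,C
RLOCKED,Rob Locked,64,2020-01-01,,A
EXPIRED1,Former Contractor,,2021-01-01,2022-06-30,A
SVCHR,HR service account,,2020-01-01,9999-12-31,S
SYSJOB,Background jobs,0,2020-01-01,,D
"""

EXCLUDED_TYPES = {"D": "System", "C": "Communication"}  # per the Tab 2 header


def exclusion_reason(row, test_date):
    """Return why a user ID drops out of the review, or None if it stays in scope."""
    locked = row["Locked"].strip()
    if locked not in ("", "0"):  # "0" or blank means the ID is NOT locked
        return "locked"
    valid_through = row["Valid Through"].strip()
    # Assumption: a blank Valid Through means no end date was set.
    if valid_through and date.fromisoformat(valid_through) < test_date:
        return "past validity date"
    user_type = row["User Type"].strip().upper()
    if user_type in EXCLUDED_TYPES:
        return f"{EXCLUDED_TYPES[user_type]} ID, no end user access"
    return None  # A (Dialog), S (Service) and anything else stays for analysis


def review_population(export_text, test_date):
    """Split the export into (in_scope, excluded) so exclusions stay documented."""
    in_scope, excluded = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        reason = exclusion_reason(row, test_date)
        if reason is None:
            in_scope.append(row["User ID"])
        else:
            excluded.append((row["User ID"], reason))
    return in_scope, excluded


if __name__ == "__main__":
    users, dropped = review_population(SAMPLE_EXPORT, date(2023, 3, 31))
    print("For analysis:", users)
    for user_id, reason in dropped:
        print(f"Excluded {user_id}: {reason}")
```

Keeping the excluded IDs with their reasons lets the reviewer show why each row was left out of the access assessment.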

Tab 8

Columns:
Count: *Insert additional rows as needed
Employee ID
Employee Name
Start Date: * Do not list employees hired before or after the period of intended
Selected For Testing? (Yes/No)
Employee is a Valid New Hire? (Yes/No)
Approved By (Name, Title)
Approved On (Date)
Exceptions Noted? (Yes/No)
Comments/ Exception Detail

Complete for new employees selected for testing in Column "E". N/A for remaining new hires.

Total: 0    Selected For Testing: 0    Valid New Hire: 0    Exceptions Noted: 0
