Systems, Applications, Products in data processing, or SAP, was originally introduced in the 1980s as SAP R/2, which was a system that provided users with a soft real-time business application that could be used with multiple currencies and languages. As client–server systems began to be introduced, SAP brought out a server based version of their software called SAP R/3, henceforth referred to as SAP, which was launched in 1992. SAP also developed a graphical user interface, or GUI, to make the system more user friendly and to move away from the mainframe style user interface. For the next 10 years SAP dominated the large business applications market. It was successful primarily because it was extremely flexible. Because SAP was a modular system (meaning that the various functions provided by it could be purchased piecemeal) it was an extremely versatile system. A company could simply purchase modules that they wanted and customize the processes to match the company’s business model. SAP’s flexibility, while one of its greatest strengths is also one of its greatest weaknesses that lead to the SAP audit. There are three main enterprise resource planning (ERP) systems used in today’s larger businesses: SAP, Oracle, and PeopleSoft. ERP's are specifically designed to help with the accounting function and the control over various other aspects of the companies business such as sales, delivery, production, human resources, and inventory management. Despite the benefits of ERP’s, there are also many potential pitfalls that companies who turn to ERP’s occasionally fall into. Security
Segregation of duties
Security is the first and foremost concern in any SAP audit. There should be proper segregation of duties and access controls, which is paramount to establishing the integrity of the controls for the system. When a company first receives SAP it is almost devoid of all security measures. When implementing SAP a company must go through an extensive process of outlining their processes and then building their system security from the ground up to ensure proper segregation of duties and proper access. Proper profile design and avoidance of redundant user ID’s and superuser access will be important in all phases of operation. Along with this comes the importance of ensuring restricted access to terminals, servers, and the data center to prevent tampering. Because each company will have different modules each company’s security structure will be distinctly different. A typical Example from SAP will be Creating a Vendor and also able to pay an invoice. The Create a Vendor Transaction is XK01 and pay invoice transaction FB60. If the User or Role in SAP has those two transactions then it will create a SOD Risk. With security it all starts at the beginning with the proper design and implementation of security and access measures for employees. For new employees it is important that their access is set up properly and that future access granted has proper approval. After the system has been implemented the control over system changes and the approval process required for it is vital to ensure the continued security and functionality of the system. Without proper security measures in place from start to finish there will be a material weakness in the controls of the system because of this there will likely be some level of fraud as well. Through security you are able to monitor who has access to what data and processes and ensure that there is sufficient segregation of duties so as to prevent someone from perpetrating fraud. One of the major advantages of SAP is that it can be programmed to perform various audit functions for you. One of the most important of those is for reviewing user access and using the system to cross check based on an access matrix to ensure that proper segregation is in place so a person with payment request access does not also have access to create a vendor. System changes
After ensuring that security is set up...
Please join StudyMode to read the full document