Big4Guy

Welcome to Big4Guy.com. Big4Guy is an online resource where I will share with you the latest news, insights, knowledge and some experiences as a Big 4 consultant. We will discuss some of the important issues which organisations are facing today in the areas of information security, security and controls in SAP R/3, Oracle Applications, J.D.Edwards, Peoplesoft and various other ERPs. You will also find information on the latest compliance regulations such as Sarbanes Oxley, Basel II and so on. Big4guy will also attempt to provide valuable resources for individuals interested in examinations such as the CISA, CISM, CISSP, PMP and various other security certifications considered essential for entry into any of the Big 4 accounting, auditing and consulting firms. You are invited to post your comments and viewpoints on the posts here. I sincerely hope this online journal will be useful to everyone from a budding student to a professional in the accounting, auditing, management and consultancy professions.

01/15/06

Permalink 09:50:39 pm, Categories: Sarbanes Oxley, 401 words, English (US)

Sarbanes Oxley and SAP - Top 7 Control Deficiencies in SAP

Any organization trying to achieve its business goals is faced with many risks. Such risks can come from insiders, employees and outsiders, or from compliance, strategic and environmental factors. To address such risks, organizations employ controls. Such controls may be Entity Level Controls, IT General Controls and Application Controls. The Sarbanes Oxley Act further complicates matters with its own set of compliance conditions. My topic of discussion today is the major control deficiencies in an SAP environment. An ERP like SAP comes with its own share of solutions as well as problems for a business process. A recent brainstorming session with my fellow consultants distilled some major control focus areas in SAP. Controlling SAP can be a mammoth task. Below, I have listed some of the key Control Deficiencies in SAP.

1. Segregation of Duties - Out of the 8 consultants in the meeting, 100% voted segregation of duties as the most important point of control focus or deficiency.

2. Inconsistent Business Process Procedures - Business procedures not matching the actual process is another problem area in many SAP implementations.

3. Unsecured Customized Programs - Almost all SAP implementations I have seen have many customized 'Z' transactions or 'Y' transactions built in to suit the business process. Nothing wrong with that. But the problem is that these customized transactions are not secured, making them vulnerable.

4. Unauthorized Access to SAP BASIS - Many companies make the mistake of giving access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54 etc. to users in production. Conversely, BASIS or development staff are given access to run transactions in the SAP production environment. Such unrestricted access can lead to a potential control deficiency under Sarbanes Oxley.

5. Unrestricted Posting Periods - Allowing unrestricted access to open Posting periods in SAP can result in unauthorized entries in previously open periods. This can become a severe control deficiency under SOX.

6. SAP Access to Terminated Employees - One of our top SAP consultants pointed out that in 80% of the companies he visited, SAP access had not been revoked for employees who had been terminated. This can potentially lead to a control deficiency.

7. Database and OS Hardening - SAP data sits in a database such as Oracle, and SAP itself (including the SAP Portal) runs on an operating system. If the database and operating system are not hardened, the whole SAP environment is put at risk.
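Points 4 and 6 can be turned into a repeatable audit check. The script below is an added example, not code from this post or from SAP: it assumes a simplified, constructed export of production user-to-transaction assignments (the record format, field names and sample users are assumptions), takes the sensitive transaction list from the codes named in point 4, and flags users who hold those transactions in production or who are terminated but still unlocked.

```python
# Added example (not from the Big4Guy post or from SAP): audit checks for
# deficiencies 4 and 6. The input is a constructed, simplified export of
# user-to-transaction assignments; field names are assumptions, not an SAP table layout.

# Sensitive BASIS transaction codes as named in the post (illustrative, not complete).
SENSITIVE_BASIS_TCODES = {"SE13", "SE38", "SM49", "SU10", "SU12", "SM13", "SC38", "SM59", "KE54"}

# Constructed sample: one record per user in the production client.
PROD_USERS = [
    {"user": "JDOE",    "tcodes": {"FB01", "FB50", "MIRO"},         "locked": False},
    {"user": "BASIS01", "tcodes": {"SE38", "SM59", "SU10", "FB01"}, "locked": False},
    {"user": "ASMITH",  "tcodes": {"ME21N", "ME29N"},               "locked": False},
    {"user": "RLEFT",   "tcodes": {"FB01", "SE13"},                 "locked": False},
    {"user": "OLDACCT", "tcodes": {"VA01"},                         "locked": True},
]

# Constructed HR feed of terminated employees, keyed by SAP user ID.
TERMINATED = {"RLEFT", "OLDACCT"}


def sensitive_basis_access(users, sensitive=SENSITIVE_BASIS_TCODES):
    """Map each unlocked production user to the sorted sensitive tcodes they hold."""
    findings = {}
    for rec in users:
        if rec["locked"]:
            continue  # a locked account cannot run anything, so no finding
        hits = rec["tcodes"] & sensitive
        if hits:
            findings[rec["user"]] = sorted(hits)
    return findings


def terminated_with_access(users, terminated):
    """Sorted user IDs that HR reports as terminated but that are still unlocked in SAP."""
    return sorted(rec["user"] for rec in users
                  if rec["user"] in terminated and not rec["locked"])


def audit(users=PROD_USERS, terminated=TERMINATED):
    """Run both checks; an empty value means no finding for that check."""
    return {
        "sensitive_basis_access": sensitive_basis_access(users),
        "terminated_still_active": terminated_with_access(users, terminated),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'none'}")
```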

