Security, Audit and Control Features SAP ERP, 3rd Edition [Paperback]

Deloitte Touche Tohmatsu Research Team and Isaca (Author)

Book Description

Publication Date: August 19, 2009

Security, Audit and Control Features SAP® ERP, 3rd Edition, part of the Technical and Risk Management Reference Series, enables assurance, security and risk professionals to evaluate risks and controls in existing ERP implementations and facilitates the design and building of controls into system upgrades and enhancements.

The publication is based on SAP ERP [also known as SAP ERP Central Component (ECC)], the latest version of which is SAP ECC 6.0.

This in-demand new edition has been updated to reflect:

• New/modified SAP transaction codes and reports
• SAP ERP based on a service oriented architecture (SOA). SOA combines SAP ERP with an open technology platform that can integrate SAP and non-SAP systems using the SAP Netweaver platform.
• SAP GRC suite of tools, including Access Control and Process Control, which offers corporate governance and risk management solutions

Editorial Reviews

Review

Security, Audit and Control Features SAP ERP, 3rd Edition, is a "must have" for any finance, operational or IT auditor or risk management, IT security or compliance professional, especially those beginning their work in an SAP environment. It is also an excellent reference for experienced SAP auditors and other experts and those IT and business managers responsible for SAP control processes. Through study and application of the "how-to" control and audit activities found in the third edition, even the new SAP auditor will have the potential to quickly rise to SAP best practices audit and control standards.

There are five broad topic areas within Security, Audit and Control Features SAP ERP, 3rd Edition:

• The preparatory section (chapters 1 to 4) includes an introduction to enterprise resource planning (ERP) system fundamentals and SAP's ERP system basics, followed by recommended risk management and audit methods. These chapters provide a necessary foundation for any SAP audit professional.
• The business cycle section (chapters 5 to 10) consists of a general overview of the SAP revenue, expenditure and inventory business cycle processes, including activity flows and controls. This section also includes audit considerations: risk, controls and detailed testing steps. The business cycle chapters provide the necessary knowledge base for both finance and IT auditors in understanding SAP ERP. The auditing chapters provide substantial information outlining risk, key controls and detailed testing guidance.
• The IT auditing section (chapters 11 and 12) lays the foundation for system administration (SAP Basis administration), describes in detail the risks and controls central to SAP system administration, and details techniques any auditor could follow when testing control effectiveness. This chapter shows the IT auditor not only how to effectively test Basis controls but also how to identify additional custom-developed objects that may require testing. Although the IT auditing section contains information necessary to perform the SAP production system IT audit, auditing the technical client used to implement system patches, updates and upgrades is not addressed.
• The last two chapters (13 and 14) describe ERP system control concerns; SAP tools that address governance, risk and compliance; future ERP and SAP directions; and other discussions relevant to auditing SAP. Though audit guidance in these chapters applies specifically to the SAP tool set, the audit considerations could easily be applied to any of the provisioning tools.
• Finally, Security, Audit and Control Features SAP ERP, 3rd Edition, concludes with appendices including:
  Audit programs with detailed audit task work steps and a COBIT cross-reference
  Internal control questionnaires for the three business cycles and Basis
  Recommended SAP transactions to be locked and tables to be logged and reviewed

In conclusion, the third edition is required reading for any SAP audit, control, risk or security professional. For many, this book will become a well-worn reference, guiding them through their daily SAP ERP tasks. For others, it will remain a one-time or occasional read to enhance their basic understanding of SAP ERP. The third edition surpasses earlier versions in the presentation of SAP ERP control fundamentals and audit best practices. This text is a necessity for the bookshelf of any SAP ERP audit or control department.

--Pam Kammermeier, CISA - ISACA Journal Volume 6, 2009

Product Details

• Paperback: 470 pages
• Publisher: Isaca; 3rd Edition edition (August 19, 2009)
• Language: English
• ISBN-10: 1604201150
• ISBN-13: 978-1604201154
• Product Dimensions: 8.8 x 5.9 x 0.9 inches
• Shipping Weight: 1.4 pounds
• Average Customer Review: 5.0 out of 5 stars  See all reviews (1 customer review)
• Amazon Best Sellers Rank: #780,009 in Books (See Top 100 in Books)

Customer Reviews

Most Helpful Customer Reviews

5.0 out of 5 stars This book is a pearl for SAP auditors, February 28, 2010

By 

Hugo Assuncao - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: Security, Audit and Control Features SAP ERP, 3rd Edition (Paperback)

This book is a practical one, oriented for SAP version ECC 5 and 6, but with plenty of examples for R/3 version 4.6c and 4.7.

Outlines key risks and controls associated with the implementation of ERP systems and the audit impact arising from it. Refers the importance of adopting a control framework and compares an audit framework for SAP with Cobit 4.1.

Explains the SAP risk based audit, key concepts, authorizations, methods of testing configurable controls, key controls, security access configuration and segregation of duties.

Covers the auditing of the revenue (master data, sales order, shipping, invoicing, returns and adjustments, cash receipts), expenditure (master data, purchasing, invoicing, disbursements ), inventory (master data, raw materials, producing and costing, handling and shipping finished goods) business cycles, including financial statement assertions, with extensive testing techniques, referring transactions involved, tables, authorization objects.

Half of the book is filled with audit/assurance programs for all the business cycles.
Explains the BASIS technical infrastructure (Implementation Guide-IMG, Organization Management Model-OMM, ABAP/4 Workbench, Transport Management System-TMS, Computer Center Management System-CCMS, Profile Generator-PFCG, Security Administration-SA system landscape) and provides a sample tool for auditing the SAP BASIS Application infrastructure.

Provides an overall understanding of the SAP BusinessObjecs GRC Access control and Process control solutions and explains new trends about SAP and ERP audits.