SAP Audit Management: Improve and Protect Business


By Derek Guimond, Business Development Manager (Cyprus & Middle East), EMEA & Asia Pacific

The avant-garde, experimental poet E.E. Cummings famously wrote:

“Spring is like a perhaps hand
(which comes carefully
out of Nowhere)arranging
a window,into which people look…”

Internal Audits are a bit like E.E. Cummings’s metaphorical “perhaps hand”.

The purpose of internal audit activity is to obtain independent, objective assurances whilst evaluating evidence in the pursuit of improving the organisational effectiveness of governance, risk management, and control processes – all without negatively affecting business as usual.

An internal audit may identify many things, few things or nothing for change, all without breaking anything. The aim is to optimise existing processes, design new processes, and protect the business by identifying, remediating, and eliminating risks.

Let’s run through a mini-thought experiment to conceptualise SAP Audit Management in action.

A large, global, multinational corporation that produces and distributes consumer products has identified that their Eastern European production has increased; however, profitability in the same market segment has decreased. The board orders an internal audit to investigate.


  1. Audit Manager utilises SAP Audit Management application.
  2. Audit Manager downloads and reviews relevant audit documents.
  3. Audit Manager plans audit.
  4. Audit Manager selects team and scopes the audit program.
  5. Audit Manager schedules audit.
  6. Audit team searches for audit working papers using SAP HANA and their existing spreadsheets.
  7. Team member investigates production and reviews auditable items in the Audit Management application, which is possible because SAP Risk Management integrates with SAP Audit Management.
  8. Team member investigates operational facilities.
  9. Team member identifies that gauges in a warehouse are giving incorrect readings that are obfuscating production records.
  10. Team member reports findings and audit issue.
  11. In parallel, another team member audits SAP Access Control to investigate access provisioning for operational staff.
  12. Team member identifies an Access Control risk concerning unwarranted access provisioning privileges for a certain user group.
  13. Team member reports findings and audit issue.
  14. Audit Manager reviews reports, makes updates, provides recommendations and sends the report to the board.
  15. Board reviews report and approves recommended changes.

Although the initial plan was to investigate operations to determine the source of a supply chain problem, the audit team also correctly identified and remediated an access control risk, which improved company-wide IT security.

This thought experiment illustrates three key points:

  1. Internal audits add value by refining and augmenting operations,
  2. Internal audits add value by improving IT security, and
  3. IT security is an ongoing review-and-improve area of business.

SAP Audit Management is an essential item in a business’s digital toolset.

Audit Management utilises three lines of defence to avert cyber security risks. As outlined below, operational management is responsible for cyber security risk at the governance, policy, and audit levels.

By integrating with SAP Risk Management, SAP Business Integrity Screening, and SAP Process Control, businesses can layer levels of security to establish stronger IT security in an effort to improve collaboration with stakeholder management in the pursuit of value-based business outcomes.

Board members and management may want more internal audit involvement regarding macroeconomic trends such as new regulations, cybersecurity, technology advancements or company-specific considerations such as business strategy changes or financial challenges.

If you’re seeking a more technical explanation of how to create an audit utilising SAP Audit Management software, there’s a good technical blog post here and you can watch a 15-minute Audit Management demonstration by Winterhawk’s CTO Cavan Arrowsmith here.

There are several other key software solutions that integrate with SAP Audit Management such as SAP Risk Management, SAP Business Integrity Screening, and SAP Process Control; you can find more material regarding Winterhawk’s GRC solution portfolio here.

If you would like to learn more about how Winterhawk can support your business through SAP Audit Management, click here or contact us at info@winterhawk.com.