Automated Audit Testing for SAP Data—Benefit or Just Another Black Box?
Stefan Wenig is chief executive officer (CEO) of the dab:Group, a company that specializes in data extraction, analysis of SAP data with ACL and automated audit routines. He has participated in developing data extraction software and is a consultant and globally active trainer for data analysis techniques. Wenig has been supporting internal audit departments in the field of data analysis for years.
Kyung-Hee Anita Kim-Reinartz is branch manager of the Dusseldorf (Germany) office of the dab:Group. Prior to joining the dab:Group, she worked for PricewaterhouseCoopers for more than nine years. Kim-Reinartz’s specialties are forensic data analysis and, notably, continuous controls monitoring. She was a project manager of the worldwide continuous controls monitoring implementation of a large German technology company.
Automated audit testing has been discussed for
many years. Buzzwords such as “continuous
auditing” and “continuous monitoring” arose
and have been talked and theorized about. In
particular, internal auditors and public accountants
who have to cope with increasing requirements in
testing and compliance regulation are searching
for more intelligent and integrated methods of
automating testing. However, while evaluating IT
tools and ways of standardizing audit routines,
questions may arise regarding whether automation
is really the future or whether there is the risk of
creating a “black box”: a tool that makes auditors
lose certainty and trust in the results due to the
uncertainty about how the results were generated.
False positives—results that turn out not to be real
findings—may even support this reluctance.
This article discusses ways to standardize data
extraction and audit routines. It is based on SAP
data, which serves as an example for all complex
enterprise resource planning (ERP) systems.
Furthermore, the article discusses how to handle
increasing amounts of data and how to avoid
creating a black box.
OVERVIEW OF THE ISSUE
The methods of digital data analysis are getting
more and more important in the globalized world.
The reasons are obvious:
• External requirements such as legal or
compliance aspects require more transparency
(100 percent of transactions), preferably in real
time (immediately).
• Business processes are implemented on highly
integrated and complex ERP systems such
as SAP.
• Globalization and technological progress lead
to the generation of mass data in day-to-day
business. Having to deal with large data sets
and a growing variety of audit questions makes
time the most essential resource for auditors.
• Data extraction and data analysis tools are
getting more powerful.
Large companies or conglomerates usually
have ERP systems, such as SAP or Oracle
Financials, in place—at least for their most
important legal entities that cover the essential
part of the transaction volume. However, instead
of hosting a clutter of systems, most companies
tend to harmonize their IT landscape and move
toward a more standardized and integrated
system. It is important to note that the databases
of ERP systems are standardized up to a point.
This means that the core table and field names
of the data, which are necessary for standardized
automation, are the same worldwide. Hence,
audit routines can be predefined and are
then generally applicable—worldwide, cross
company and, at least within the core processes,
independently of the business areas of an
enterprise. For example, the vendor master data
within nearly any release version of the SAP
system can always be found in the vendor
master-general section table, independent of
any parameters such as company, system and
location, as long as it is a standard SAP system.
However, for other data that cannot be located
that easily, a profound understanding of the
data and the underlying business processes
is essential.
Furthermore, not only auditors but also various
departments are facing more and more internal
and external requirements arising from, for
example, compliance issues, legal aspects and tax
regulations. Abnormal transactions
have to be detected and reported immediately;
legal aspects and tax regulations require reports
to be published in faster cycles. This
shows that time and mature technology are
crucial factors in enabling enterprises to meet
these requirements.
In a globalized and computerized world,
particularly well-established business processes
such as purchase-to-payment (P2P) and order-to-cash (O2C) are creating more and more data
every day.