SAP Thought Leadership

Internal Audit Requirements and SAP Solutions

Support for the Internal Audit Business Process

Software has enabled internal audit functions to be more efficient and effective, and improving functionality and value will bring even greater benefits. SAP software solutions address the more significant technology needs of the internal audit function. The solutions enable the planning, management, and execution of internal audit projects; enterprise risk management; data mining and analytics; and automated testing.

CONTENT

- Executive Summary
- The Internal Audit Function’s Use of Software
  – Risk Assessment and Development of the Overall Audit Plan
  – Engagement Planning
  – Performance of the Engagement
  – Working Papers and Audit Documentation
  – Data Analytics and Automated Testing of Controls and Data
  – Continuous Control and Data Auditing
  – The Use and Value of Technology for Audit Projects
  – Communicating the Results of the Engagement
  – Department Administration
  – Managing Resources
  – Monitoring Actions
  – Reporting Progress Against Plan
  – Performing Quality Assurance
  – The Next Evolution of Internal Audit
  – The Value Provided by Software
- SAP Solutions for Internal Auditors
  – Audit Management Functionality in SAP NetWeaver
  – SAP BusinessObjects Risk Management
  – SAP BusinessObjects Access Control
  – SAP BusinessObjects Process Control
  – Additional Automated Controls
  – Automated Testing of Controls
  – Other Considerations
  – SAP BusinessObjects BI Solutions
  – Solution Combinations
- For More Information

About the Author

Norman Marks was the leader of internal audit functions at U.S. and global corporations for more than 15 years. In that capacity, he at times functioned as the chief ethics and compliance officer and as the chief risk officer. He is a recognized international leader in the theory and practice of internal auditing and was profiled by magazines of the American Institute of Certified Public Accountants and The Institute of Internal Auditors (IIA). Marks authored some of IIA’s most downloaded publications, including Sarbanes-Oxley §404: A Guide for Management by Internal Controls Practitioners and Guide to the Assessment of IT General Controls Scope based on Risk (known as the GAIT methodology).

Executive Summary

Making Internal Audit Functions More Efficient and Effective

The internal audit function has a key role in any organization’s governance, risk, and compliance (GRC) operations. The Institute of Internal Auditors’ (IIA) definition of internal auditing states the fundamental purpose, nature, and scope of internal auditing: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”1

Internal audit adds value by providing board and management stakeholders with assurance that GRC processes are effective, while identifying areas where there are opportunities for improvement. This assurance, or peace of mind, enables the stakeholders to “sleep during the storm,” knowing they can rely on management’s GRC processes.

Software has enabled internal audit functions to be more efficient and effective, and improving functionality and value will bring even greater benefits in the future. SAP software solutions address the more significant technology needs of the internal audit function. Specifically, the solutions enable:

- Planning, management, and execution of internal audit projects
- Enterprise risk management processes in which internal audit risk assessment is integrated
- Data mining and analytics
- Automated testing, including the documentation of results and the monitoring of related action items, with particular strength in the area of continuous monitoring and auditing of risks and controls

The SAP applications that are particularly relevant are:

- SAP BusinessObjects Risk Management
- SAP BusinessObjects Access Control
- SAP BusinessObjects Process Control
- SAP BusinessObjects business intelligence solutions
- Audit management functionality in the SAP NetWeaver technology platform

In this paper we discuss how internal audit functions use software, where software provides the most value, and the functionality included in SAP applications to meet internal auditors’ most pressing needs.

1. Source: Institute of Internal Auditors’ definition at f/definition-of-internal-auditing.

SAP Thought Leadership – Internal Audit Requirements and SAP Solutions

The Internal Audit Function’s Use of Software

Addressing the Technology Needs of the Audit Lifecycle

To understand internal audit’s use of technology, it is important to review how a typical internal audit department operates. While each department may have a different methodology (or audit lifecycle) that is a variation on this theme, a typical internal audit department performs the following activities:

- Risk assessment and development of the overall audit plan
  – Standard 2010 on planning in the Standards published by The Institute of Internal Auditors (IIA) states: “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”2
  – Standard 2010 also provides this interpretation: “The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consultation with senior management and the board.”
- Engagement planning
  Standard 2200 guides as follows: “Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations.”3
- Performance of the engagement
  Standard 2300 applies: “Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.”4
- Communicating the results of the engagement
  Standard 2410 explains the criteria for effective communications: “Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.”5
- Department administration, which includes:
  – Managing resources such as budget, headcount, and staff development
  – Monitoring the actions taken by management in response to issues identified in internal audit reports
  – Reporting progress against plan to the board and executive management, and the general effectiveness of the internal audit function
  – Performing quality assurance

A growing number of internal audit departments have implemented a form of continuous auditing. We believe there is significantly more value in a continuous risk and controls assurance approach than in testing of controls alone.6 Furthermore, the replacement over time of traditional audit projects with a more continuous form of assessment and testing changes the audit lifecycle. However, the great majority of internal audit departments are using a more traditional, project-based, internal audit plan. How SAP products meet both project-based and continuous auditing needs is discussed in this paper.

2. International Standards for the Professional Practice of Internal Auditing [Standards], The Institute of Internal Auditors, October 2008.
3. Ibid.
4. Ibid.
5. Ibid.
6. In fact, we believe it is the way of the future for internal audit. For more information, see A Look into the Future: The Next Evolution of Internal Audit, SAP AG, April 2004. It is available at ernance-risk-compliance/brochures.

Risk Assessment and Development of the Overall Audit Plan

Most internal audit departments develop at least an annual plan following an assessment of the risks facing the organization. Leading companies have more frequent updates to their plans, to ensure their activities remain focused on the organization’s more significant risks.7

The interpretation of Standard 2010 states, “The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization.”8

The value for the practitioner is greatest when the internal audit risk assessment is derived from the enterprise risk management process. There is no need for internal audit to perform a redundant risk assessment when it can use the enterprise assessment. The argument that management’s risk assessment process is not acceptable is overcome when internal audit works with management to bring it up to acceptable levels – as required by IIA Standard 2120: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”9

The SAP BusinessObjects Risk Management application enables an organization to develop and maintain an enterprise-wide risk management program. The enterprise assessment of risks can then be used by the internal audit function to select which risks will be addressed in the audit plan. Audit management functionality in the SAP NetWeaver technology platform can be used to manage the internal audit plan.

For example, the internal audit department at company ABZ has a risk-based audit approach. The internal audit department identifies the more significant risks facing the company from management’s risk assessment program and builds the audit plan to address these risks. Internal audit selects the risks from SAP BusinessObjects Risk Management and builds the audit plan using audit management functionality in SAP NetWeaver.

There are a number of ways that individual audit projects can be linked back to organizational risks. One option is to structure the hierarchy of the audit plan so that the projects are organized by risk area. Another is to take advantage of the customization features in audit management functionality in SAP NetWeaver. Each audit can be assigned an audit type, such as IT, operational, or compliance, which identifies the enterprise risk areas the audit addresses. Perhaps the simplest is the approach taken by ABZ: the first step in the audit program is to identify the scope and objectives of the audit. This includes defining the enterprise risks to be addressed.

7. Escalating the role of internal audit, Ernst & Young’s 2008 Global Internal Audit Survey, reports, “Leading companies periodically refresh their risk assessments and update the internal audit plan throughout the year to address the impact an ever-changing business environment has on the risk profile of the organization.”
8. Op cit, International Standards for the Professional Practice of Internal Auditing.
9. Ibid.

A large number of internal audit departments use surveys of management and others to assess risks when management does not have a risk management program, using the terms control self-assessment (CSA) or, more accurately, risk self-assessment (RSA). Risk management and monitoring in general are enabled by SAP BusinessObjects Risk Management, while the SAP BusinessObjects Process Control application has preconfigured workflow specifically for surveys.

Some audit functions use data analytics and data mining to obtain information as part of their risk assessment process. This is fully supported by our business intelligence products. For example, the internal audit department at ABZ uses SAP BusinessObjects business intelligence (BI) solutions to analyze inventory trends. Audits are scheduled at locations where inventory is expected to grow and where audits have not been performed within the last year.

If the internal audit department uses the continuous auditing techniques supported by SAP BusinessObjects Process Control, then it can take advantage of the integration between SAP BusinessObjects Risk Management and SAP BusinessObjects Process Control. Risks are identified first in SAP BusinessObjects Risk Management, together with the related controls. Those same risks and controls are then shared with SAP BusinessObjects Process Control, where the testing is performed.

In summary, the risk assessment and development of the audit plan are supported by the following SAP products:

- SAP BusinessObjects Risk Management provides the required risk assessment functionality, including support for CSA and RSA surveys.
- SAP BusinessObjects BI solutions enable highly effective data mining and data analytics to support the internal audit risk assessment process.
- Audit management functionality in SAP NetWeaver enables internal audit departments to plan, manage, staff, and perform internal audit projects.

Engagement Planning

Engagement planning is not typically a technology-intensive activity. As Standard 2200 states,10 it includes determination of the “objectives, scope, timing, and resource allocations” for the project.

When a project is included in the audit plan, an initial determination of objectives, scope, and resource requirements is made based on the current assessment of risk. This is updated when it is time to prepare for the actual engagement, perhaps a month before the work starts.

Clearly, using the enterprise risk management process to update the initial risk assessment or to develop more detail is of value. However, this may not be as current or as detailed as required for planning the scope of individual audit projects.

As a result, engagement planning is typically completed through a combination of interviews with management, reviews of management reports (such as financial and operational results), data analytics (or data mining), surveys, and discussions within the internal audit department. Data analytics and surveys are the only areas likely to be e
