Audit Reporting

• Audits are conducted to express a true and fair view of a company’s

financial statements.
• Therefore, the auditor’s opinion expressed in the ultimate report is
based on the information reviewed and analyzed during the
verification of financial statements.
• Upon completing the report, the auditor may express one of the
following four opinions:
• Unqualified Opinion
• Qualified Opinion
• Disclaimer of Opinion
• Adverse Opinion
Unqualified Opinion
• An unqualified opinion is expressed when the auditor concludes that
the financial statements give a true and fair view in accordance with
the financial reporting framework used for the preparation and
presentation of the financial statements. It indicates that:
Qualified Opinion
• A qualified opinion is expressed when the auditor concludes that an
unqualified opinion cannot be expressed, but that the effect of any
disagreement with management is not so material and pervasive as to
require an adverse opinion, or the limitation of scope is not so
material and pervasive as to require a disclaimer of opinion.
• A qualified opinion should be expressed as being “subject to’” or
“except for” the effects of the matter to which the qualification
relates.
• Disclaimer of Opinion
A disclaimer of opinion is expressed when the possible effect of a
limitation on scope is so material and pervasive that the auditor has
not been able to obtain sufficient appropriate audit evidence and is,
therefore, unable to express an opinion on the financial statements.

• Adverse Opinion
An adverse opinion is expressed when the effect of a disagreement is
so material and pervasive to the financial statements that the auditor
concludes that a qualification of the report is not adequate to disclose
the misleading or incomplete nature of the financial statements.
Information Systems (IS) Audit
• Audits of Information Systems look at the overall infrastructure and
network of the organization and the controls that relate to the
security of the network and the systems that are maintained in
support of the goals of the University.
• They also include technical operations, data center operations,
project management procedures, and application controls.
• There are three basic kinds of IS Audits that may be performed:
General Controls Review
Application Controls Review
System Development Review
General Control review
• A review of the controls which govern the development, operation,
maintenance, and security of application systems in a particular
environment. This type of audit might involve reviewing a data center,
an operating system, a security software tool, or processes and
procedures (such as the procedure for controlling production program
changes), etc.
Application Control Review
• A review of controls for a specific application system. This would
involve an examination of the controls over the input, processing, and
output of system data. Data communications issues, program and
data security, system change control, and data quality issues are also
considered.
System Development Review
• A review of the development of a new application system. This
involves an evaluation of the development process as well as the
product. Consideration is also given to the general controls over a
new application, particularly if a new operating environment or
technical platform will be used.
Sufficient Appropriate Audit
Evidence
• Appropriateness is the measure of the quality of audit
evidence, i.e., its relevance and reliability.
• To be appropriate, audit evidence must be both relevant and
reliable in providing support for the conclusions on which the
auditor's opinion is based
• Application Controls Optimizes Cost of Testing
What are Application Controls?
• Application controls are those controls that pertain to the scope of
• individual processes or application systems.
• They include data edits, separation of business functions, balancing of processing
totals, transaction logging, and error reporting.

• They can be Embedded and/or Configurable

• Embedded – the application control is already part of or program/logic within the
application software (e.g. 2 or 3-way match capabilities).
• Configurable – the application control is performed depending on how the
application is setup/configured or workflow is designed (e.g. accounts payable
tolerance levels).
Not-So-Obvious Benefits of
Application Controls
• Many Application Controls are configured in a common table (e.g., 43 SAP
configurable controls in-scope for SOX are maintained in the same T030 table)
• Application Controls that are designed to validate and tolerate variances are
identified to GL account numbers
• ( i.e., 3-way matching, tolerances, purchase price variances)
• Changes to GL account numbers in the T030 table can be
• monitored for appropriate evidence:
• Whether business justification is sufficient
• Whether debit and credit are the same
• Whether the GL account used for the transaction complies with the Accounting & Finance
Manual description
• Whether the impact of the change is material to the period
Automating appropriateness testing

Evidence quality is increased by relating control-based

configuration AND substantive analytics
Appropriateness
Layers in Context

Monitor Change to T030 Velocity

Compare GL Account to
Accounting Standards
Compliance

Email question-set to Business

approver of change Justification

Trend the transaction flow Substantive

through the GL Account Expectations
Automating appropriateness
testing
Illustrate Velocity of change to T030

Monitor Change to T030 Velocity

Compare GL Account to
Accounting Standards Compliance

Email question-set to Approval and

approver of change Justification

Trend the transaction flow

through the GL Account Materiality
 Table T030 Changes recorded in FY
2016 Volume and Velocity of Change:
Most Change occurs in one instance in
March
450

TSG EMEA
400

TSG APJ
350

TSG AMS
300

No changes
250

LH1
200

Fusion EMEA
150

Fusion APJ
100

Fusion AMS
50

0
Nov 2015 Dec 2015 Jan 2016 Feb 2016 Mar 2016 Apr 2016 May Jun 2016 Jul 2016 Aug 2016 Sep 2016 Oct
2016
2016
Automating appropriateness
testing
Illustrate Compliance with AFM

Monitor Change to T030 Velocity

Compare GL Account to
Accounting Standards Compliance

Email question-set to Approval and

approver of change Justification

Trend the transaction flow

through the GL Account Materiality
Compliance check – i) Debit and Credit account
match ii) Compliant with
The value
AFM ‘Matched’ shows
f the group
I
account is
that the DR and available in AFM
Cr accounts are then we give
the same and the value of
unmatched value ‘Found’ else
would show that ‘Not Found’
they are not as
before.
Automating appropriateness
testing
Illustrate Business Justification

Monitor Change to T030 Velocity

Compare GL Account to
Accounting Standards Compliance

Email question-set to Approval and

approver of change Justification

Trend the transaction flow

through the GL Account Materiality
Illustration of the email sent requesting for Business
Justification
From: SAP SOX Table Changes
Sent: Monday, Aug 1, 2016 12:06 PM
To: R, Srividya <srividya.rajanna@hpe.com>; Rickett, Jade <jade.rickett@hpe.com>
Subject: Appropriateness Testing Monthly Reports

As required by the annual statutory audit by our auditors, EY, and for SOX, Internal Audit (IA) conducts appropriateness testing for SAP
applications. For this testing IA reviews all of the additions and/or changes to key tables, programs and configurations, via an internal application
called KPI.

In reviewing the table change activity for the month of July 2016, for T030, a change was noted and you were the transport creator.

Please provide the following information regarding the change:

1.High level description of the project/request that required the update(s)

2.The Request ID/Project Number and Project name

3. UAT sign off

4. The original documentation from the business that drove the request for
the direct change or the business contact who can provide the
information

Please not that obtaining this information is time-sensitive so the request will be escalated
after 3 days.

If you have any questions, please send an email to the SOX SAP Table Monitoring mailbox and someone will get back in touch.

Thank you for your assistance.

SOX SAP Table Monitoring Team .
Illustration of the email received with Business
Justification

15
Automating appropriateness
testing
Illustrate Materiality of the New GL Account data flow

Monitor Change to T030 Velocity

Compare GL Account to
Accounting Standards Compliance

Email question-set to Approval and

approver of change Justification

Trend the transaction flow

through the GL Account Materiality
Results from the Benchmark Report
• Substantive Analytical Procedures Related:
• 3 new accounts were identified in T030 table – 35560000, 34211300, 34219999
• Plotting the activity in those accounts for the FY16 is as given below:

Chart Title The following observations were made for

250000000
these 3 accounts:
1. The account no. 35560000 sees a
200000000 spike in the month of July and
emerging velocity.
150000000
2. The account no. 34211300
100000000
sees a
35560000 bigger balance in dollars:
50000000 Increased
0
34211300 velocity = increased risk
34219999 3. The account no. 34219999 is a inactive
account: on
Focusing as there are no transactions
appropriateness
or balances = risk is limited
enables the auditor to de-scope
testing.
Objectives of Application Controls
Objectives of Application Controls
• Input data is accurate, complete, authorized, and correct
• Data is processed in an acceptable time period
• Data stored is accurate and complete
• Outputs are accurate and complete
• A record is maintained to track the process of data from input
to storage and the eventual output
Control Types
Preventive

Manual Controls

IT Dependent Manual Controls

Application Controls

Note:
ITGC are pervasive IT controls around the environment supporting the
application.
Types of Application Controls

Type Description Examples

Input (Edit) Application checks data inputs to reduce risk of • Required data fields
Controls inappropriate data being inputted. • Specific data format on input
(Alpha vs. Numeric)

Output Controls Control around output of data from the application. • Financial reports are
Check to ensure output data is consistent with the data consistent with input data
entered. (e.g. GL, Sub-ledger).

Validations Application performs validation checks based on a test • Tolerance limits (Sales Order
against some rule that is defined in the system. customer credit limits)
• Two or Three-way match

Calculations The application automatically performs calculations • Asset depreciation

based on data provided. • Accounts receivable aging
• Pricing calculations

Authorizations / Application could perform checks on access rights to • Approval to post journal
Approvals ensure segregation of incompatible duties. It could also entries or for Purchase Order
check authorization levels to perform approval functions • Two approvals for check
etc. printing or wire transfers
Types of Application Controls?

Type Description Examples

Interfaces Controls around data that is being exchanged from one • Transfer of employee data
application to another. between HR and Payroll
systems.

Integrity Check Typically embedded in the application/database to • Checksums

Controls ensure that data is not altered or corrupted
during processing, transmission or storage.

Processing Provides automated means to help ensure processing • Job processing log reviews
Controls is complete and accurate.

Audit Trail of Data Provides audit trail of transaction to help management • Transaction log reviews
Transactions monitor and identify errors.
Application Controls vs. ITGC
ITGC IT Application Controls (ITAC)
Application controls relate to transactions and
ITGC apply to all the system components, processes, and data pertaining to each computer based
data present in an organization. application system and they are specific to each
individual application

Example Controls:
Example Control :
Logical Access controls over infrastructure, applications,
and data Edit checks
Program Change Management Validations
System development life cycle controls Calculations
Computer Operations Interfaces
Physical security controls over data centers Authorizations
Backup and recovery controls

A control test of one sample can be performed if

Testing of control is usually on a sample basis the Design has been assessed to be effective
Benefits of Application
Control
Reliability
 Once an application control is established, and there is little change to the application, database, or
supporting technology, the organization can rely on the application control until a change occurs.
 An application control will continue to operate more effectively if the general controls that have a
direct impact on its programmatic nature are operating effectively as well. As a result, the auditor will
be able to test the control once and not multiple times during the testing period.

Benchmarking
 If general controls that are used to monitor program changes, access to programs, and computer
operations are effective and continue to be tested on a regular basis, the auditor can conclude that
the application control is effective without having to repeat the previous year’s control test.
 Auditor should evaluate the appropriate use of benchmarking or an automated control by considering
how frequently the application changes. (If application changes frequently, auditor should not rely on
benchmarking)
Subsystem factoring to Application
Control
• Boundary Control
• Input Control
• Processing Control
• DBMS
• Output Control
• Overall Control
 • Data Entry Screen •Channel access Control
• Access Control
Communic
Boundary InputDesign • Topological Control
ation
• Cryptographic Control
Control • Batch Control •
Control
• Input validation ControlCommunication
Architecture Control

• Database access
Control • Report Design
Processing
Control to protect • Concurrency
Database OutputControl
Control integrity of OS Control
Control Control
•
• File Handling Audit Trail Control
control
Boundary Subsystem and Controls

• Objective
• The system has an authentic user
• The user gets authentic resources
• Users are allowed to employ resources only in restricted ways
Access Control

• Login IDs and Passwords

• Interrogation System
• Biometric system
• Terminal Restrictions – VPNs
• Temporal Restriction – Based on time
• Navigation Control – Admin vs User
• Concurrency Control
Example of Audit Trail (Access
Control)
• Identity of the user to be of the system
• Authentication of the information supplied
• Resource Requested
• Action Privileges requested
• Terminal Identifiers
• Start and Finish time
• Number of login attempts
• Resources provided/denied
• Action privileges allowed/denied
Input Control
• The input validation can be at different levels
• Field level
• Record level
• Batch level
• File level
Field Level Input Control
• Sequence Check – eg. Cheque payment
• Limit Check
• Range Check
• Set mapping - input data is validated against a set of rule – gender
• Master reference – ifsc code
• Size cheque
Record level Input control
• Reasonableness
• Valid signs – numeric
• Size of the record
• Sequence check
Batch level Input control
• Control Totals
• Transaction Types
• Batch Serial Number
• Hash totals
File level input control
• Internal level
• Generation Number
• Retention date
• Control totals
Benefits of Application Control
•Time and Cost Saving

• Application Controls take less time to test than Manual Controls

• Application controls are typically tested one time as long as the
general controls are effective and there are no changes to the
application
Linkage to SAP Application Control
– Each table relates to multiple application controls.
– When application controls change significantly (program
change), IA performs walkthrough.
• – Rates of change increasing increased SAP application
controls testing
Linkage to sensitive Access Reviews
– Month end close project:
– Systems scope includes: LH1, BW (the consolidation functionality), Equate, Compass (PJ1, P01, PN1), Velocity
– Sensitive Access for month end close activities (core GL functionality, open/close posting
• periods, foreign exchange rates)
– Utilizing GRC for SAP monitoring
– Also including sensitive IT access
Monitoring Procedures by Table
•– T030:
– Whether debit and credit are the same
– Whether the GL used for the transaction key matched the norms for the transaction key, as
• documented in the AFM description
– Whether EY has provided perspective on earlier the usage of the GL
– Whether the GL is appropriate or not based on the above criteria
– T169G and T043G
– Whether the tolerance limit configured is well within the limits in the sap instance
– Whether controllership approval exists (not for T043G)
– T049A: Whether the accounts that are configured in T049A are not Inventory, Revenue or any other inappropriate account.
– TTKAB: Whether the new entries were created using one of the existing 12 Balance Sheet series
– C001: Whether the Chart of Accounts, Sales Organizations and General Ledger accounts are consistent
Current state

– Systems reviewed: Velocity, US1, LH1, FI1, Fusion EMEA, Fusion Americas
– Transaction keys in scope include GBB, BSX, WRX, PRD, UMB, KON, FRL, SKE and UMB .

– Frequency of review:
– All changes reviewed monthly. SAP KPI Reports pulled monthly and analyzed; produces quarterly report to EY.

– Each T030 table entries is analyzed for the following:

– Whether business justification is there
– Whether debit and credit are the same
– Whether the GL used for the transaction key satisfies the AFM description
– Whether EY has approved earlier the usage of the GL
– Whether the GL is appropriate or not based on the above criteria
• You are the manager of a model bank that has decided to install a bill
payment and telephone system for its customers. The system will
allow the customers to call a number to enter the system, record the
bill payment transaction that they wish to make within the following
30 days and transfer funds between savings and checking accounts. A
voice feedback system will instruct the customers on how to complete
each step of the transaction. For example, record the date of payment
and the amount to be paid.’

• Because you are a senior Information system auditor of the model

bank, the manager of Information system department has asked you
to advise her on the access control that you think should exist in the
system. Prepare a brief report with you recommendation.
• Be sure how system will ensure
• It is dealing with a valid customer
• It is allowing customers to transfer funds to or from authorize
accounts only
• Customers donot overdraw from accounts
• Payments are made only to the creditors that the customer has
authorize to receive such payments