Security, Audit and Control Features SAP ERP, 3rd Edition - Softcover

Review

Security, Audit and Control Features SAP ERP, 3rd Edition, is a "must have" for any finance, operational or IT auditor or risk management, IT security or compliance professional, especially those beginning their work in an SAP environment. It is also an excellent reference for experienced SAP auditors and other experts and those IT and business managers responsible for SAP control processes. Through study and application of the "how-to" control and audit activities found in the third edition, even the new SAP auditor will have the potential to quickly rise to SAP best practices audit and control standards.

There are five broad topic areas within Security, Audit and Control Features SAP ERP, 3rd Edition:

• The preparatory section (chapters 1 to 4) includes an introduction to enterprise resource planning (ERP) system fundamentals and SAP's ERP system basics, followed by recommended risk management and audit methods. These chapters provide a necessary foundation for any SAP audit professional.
• The business cycle section (chapters 5 to 10) consists of a general overview of the SAP revenue, expenditure and inventory business cycle processes, including activity flows and controls. This section also includes audit considerations: risk, controls and detailed testing steps. The business cycle chapters provide the necessary knowledge base for both finance and IT auditors in understanding SAP ERP. The auditing chapters provide substantial information outlining risk, key controls and detailed testing guidance.
• The IT auditing section (chapters 11 and 12) lays the foundation for system administration (SAP Basis administration), describes in detail the risks and controls central to SAP system administration, and details techniques any auditor could follow when testing control effectiveness. This chapter shows the IT auditor not only how to effectively test Basis controls but also how to identify additional custom-developed objects that may require testing. Although the IT auditing section contains information necessary to perform the SAP production system IT audit, auditing the technical client used to implement system patches, updates and upgrades is not addressed.
• The last two chapters (13 and 14) describe ERP system control concerns; SAP tools that address governance, risk and compliance; future ERP and SAP directions; and other discussions relevant to auditing SAP. Though audit guidance in these chapters applies specifically to the SAP tool set, the audit considerations could easily be applied to any of the provisioning tools.
• Finally, Security, Audit and Control Features SAP ERP, 3rd Edition, concludes with appendices including:
  Audit programs with detailed audit task work steps and a COBIT cross-reference
  Internal control questionnaires for the three business cycles and Basis
  Recommended SAP transactions to be locked and tables to be logged and reviewed

In conclusion, the third edition is required reading for any SAP audit, control, risk or security professional. For many, this book will become a well-worn reference, guiding them through their daily SAP ERP tasks. For others, it will remain a one-time or occasional read to enhance their basic understanding of SAP ERP. The third edition surpasses earlier versions in the presentation of SAP ERP control fundamentals and audit best practices. This text is a necessity for the bookshelf of any SAP ERP audit or control department.