What are the benefits of internal audit involvement in SAP S/4HANA and SAP RISE implementations?
As more companies embark on their transformation to SAP S/4HANA and SAP RISE, a key contributor many see is an Internal Audit (IA) controls support resource within the project. This role can be filled by a part-time or full-time member, depending on the project size. And while it may initially be believed that including IA will slow down the process, the benefits usually greatly outweigh any negatives.
Projects should demand skilled SAP audit resources that will add value. When dedicated teams and steering committees evaluate the cost of including IA on their SAP projects, they should consider the following key benefits:
Independent Risk Assessment
- Communicates clear, independent project progress to the board and upper management
- Helps protect the investment of the SAP S/4HANA and SAP RISE projects
- Helps to enhance documentation quality and organization; e.g., the project might be on increased alert to ensure documentation is in order if there’s a chance IA may be reviewing
- Assists with communication surrounding the external audit
Our recommended approach is to follow projects throughout their lifecycle. This allows for better communication and education of auditor expectations, limits “surprises” and minimizes exceptions after the SAP go-live. Post-implementation reviews still provide value, but preventing risks and issues prior to an audit is in the best interest of the project and the company implementing SAP.
Compliance
- Ensures Sarbanes-Oxley (SOX) application controls are included in the testing plan
- Tests existing application controls within the User Acceptance Testing (UAT) phase
- Ensures that SOX IT general controls (ITGC) and business process controls frameworks are updated
- Ensures the SAP SOC 1 report is evaluated and documented
System Development (SDLC) Practices
- Ensures sound SDLC project practices are being followed, including but not limited to:
  - The company’s SDLC policy requirements
  - Project plan
  - Design documentation
  - Strategy documentation
  - Test plans and results
  - Security
  - Data reconciliations
User Acceptance Testing
- Validates that production security roles are being used in the UAT phase
- Ensures that the UAT scope includes all key areas
- Ensures that proper business resources are involved with UAT testing
- Ensures that high-risk issues were closed prior to go-live and/or the proper mitigating controls are documented and operational
- Validates that UAT is completed and failed tests are remediated and retested
- Validates that there is a centralized issue log, and high-risk issues are fixed and retested prior to production go-live
- Go-live is formally approved
Data Reconciliation
- A data reconciliation strategy is in place that documents which data objects will be reconciled between the legacy application(s) and SAP S/4HANA/SAP RISE; this is a must to validate the completeness and accuracy of data being transferred to the new SAP environment
- Data reconciliations were completed within a reasonable time after go-live; typically, data reconciliations should be completed one month after go-live; any data differences should be explained and supported, and the overall reconciliations are formally approved
- Communicates expectations and provides an independent assessment of the data reconciliations and the Information Produced by the Entity (IPE) parameter requirements for data reconciliations; IPE parameters are required to understand when the reports were generated, what applications the reports come from and how the reports were generated to validate the completeness and accuracy of the data
Security
- SAP GRC ruleset was updated
- SAP role changes were approved
- Obsolete transactions were removed from SAP custom roles and from the SAP GRC ruleset
Continuous Improvement
- Improve project control practices
- New functionality to be considered in a future project
- New application controls are being considered for SOX testing
If you have any questions about internal audit involvement in SAP S/4HANA and SAP RISE implementations, contact our team at [email protected].
About Schneider Downs Audit and Assurance Services
Schneider Downs’ engagement teams are hand-selected by our shareholders based on skill sets and experience and are available around the clock for consultation. Each attestation engagement is subject to our comprehensive quality control and risk management system, providing an independent review of audit opinions, related financial statements and significant underlying working papers, to ensure that the highest levels of professional standards are met.