Types of External Audit in the ERP environment



Audit type




Financial statements


How reliable is the data, used to prepare the Financial Statements


Tax Audit


Assessing how reliable is the  Tax calculation in SAP,


Internal Control System Audit


Assesement of the system configuration settings relevant to the ICS and Accuracy and design of Application controls in SAP, also the Effectivenes of the ICS.


Data Protection


Assesing the compliance with legal and regulatory compliance, such as restriction of access to spceific data and transactions (employees data, bank information)


Security Audit


Check focuses on the Authorisation and Security configuration of the system, of both Aplications and databases.



Event driven

Detective Audit procedure for with focus on possible cases of fraud. SOD


SAP Implementation Audit

Project driven / Project

Monitoring Project risk, Status reports during SAP Implementation


Post Implementation Audit of SAP system.

Initiative / Project

Review of implemented system, processes , procedures with focus on potential change requests and improvements.

Operational / Project

Change Management Audit

Initiative / Project

Assessing the processes in which the results of the configuration and development in SAP are documented , performed , tested and transported into the live environment.

Operational / Project

SAP Operations Audit

Initiative / Project

SLA (Service level agreements of the operations) Processes and administration in the SAP environment


Audit of the Organisation and Planning


Assesement of SAP Management, alignment of SAP road map and methodologies with the Planning and strategy in IT and business.


Software Selection and Evaluation


Assesement of the Quantitive Methods for software Evaluation ( Intangible factors, Risk).







Controls in Financial Accounting


1.    FI-GL Accounting

2.    FI-AP

3.    FI-AR

4.    FI-BL

5.    FI-AA


Controls in General Ledger Accounting

The principle of real time display of business transactions is realized by the fact that fiscal year is devided into posting periods, where the year can be mapped to a calendar year or shortened fiscal year. On the system side you have to configure the Fiscal year variant and the Posting Period variant which in fact correspond to calendar month. Usually, only ONE period can be open at any one time, maximum of two. Special periods are an exception, can set up to 4, but Period 12 must be closed when the Special periods are open for posting.


Check compliance with the principle of real time recording of business transactions as follows

1.     Overview of the Fiscal Year Variant T .Code.OB29 or  SE11 Table T009 (FYV) and assignment to Co. Code OB37 or Table T001


2.   Overview of Posting Periods

-          Check whether more than one posting periods is open at the same time.  OB52 or table T001B

-          Evaluate changes in Table T001B Program RSTBHIST

-          Ensure that Posting Periods for which Financial Statements have already been prepared are closed. ( Month end, Quarterly , Yearly closing)

-          Check changes to open posting periods RSTBHIST

-          Use Authorisation object to define which open and posting periods are allowed. Authorization object F_BKPF_BUP


3.   Financial Statement Version

-          Check accuracy of the assignment of the G/L accounts OB58 T011 & T011T

-          The amount of each document must balance to zero, with one debit and one credit. The Zero balance control” is build into the system.

-          Total of all accounting relevant transactions, the correct and complete assignment of the individual G/L accounts to the structure of these reports is an important prerequisite for the acuracy of the external financial reporting. Figure 1. Shows an example of financial Statement hierarchy maintained with transaction OB58

-          It is important to check that the Statements have the correct structure and that the accounts are assigned completely. It is the duty of the Auditor to asses the accuracy of the assignment of the G/L accounts

-          The unassigned G/L accounts are listed as such outside the Financial Statement hierarchy. They can indicate an incomplete financial statement versionan.

-          There can be an exception to the assignment of G/L accounts to the financial Stateemnt hierarchy, when mapping Parallel Accounting.


4.   GL Account Master data

-          Check of the Individual fields in G/L account master – Tables SKA1(G/L account data) or SKB1 (company code specific data) depending on how the GL accounts have been prepared.

-          Each field in the G/L master have an important control function, some functions have associated risks with them from ICS point of view.. Check the anaccuracy and the Plausability of the G/L account master record is very important in system audit.

-          Table SKA1 contains important control information for each G/L


-          Check correct Field status group, compare the Field Status Group with the Blueprint

-          Automated Posting Only field. If manual posting are not permited to an account the field must contain the valuue “X”.

-          SAP allows the protection of Important Master data objects individually. Table SKB1 (G/L master record company code) contains the Authorisation Group field. In this field is possible to assign authorisation groups to the individual accounts. These authorisation groups can be used to restrict access in user roles to specific accounts



5.   Check Transaction figures vs Accounting Reconciliation   – SAPF190  Month End procedure.

-          Check consistency with the accounting reconciliation - Program SAPF190 for “Classic G/L”, the comparative analysis.

-          In NEW GL use program TFC_COMPARE_VZ it executes the evaluation for each ledger.

-          DR/CR transaction figures of  - D, V, GL are consistent with the document posted and application index.(open items)

-          GL accounts are consistent with the DR/CR totals of the application index (Application index are used for accounts with Line item display & Open item management.


6.   Controls for Closing Operations  - Month end Year end

-          As a part of Closing activities, seriese of  programs that list changes to Master Data in FI-GL

-          Analysis of Changes to Master Data FI-GL as a part of Month End

-          There a series of programs that needs to be run which I have not listed on this document.

Changes to GL, Cancelled postings, Changes to Accounting documents.



7.   Reconciliation work in FI-GL

7.1       Balance confirmation – The main purpose of this report  is to address the risk of over valuation of receivables and under valuation of payables. Example of this being Organisations send confirmation letters to Customers and Vendors who then send the information to Auditors.


7.2       Comparing FI-GL and Sub ledgers –  further control procedures relate to the reconciliation of figures between the Sub-ledgers and the and G/L.


7.3       The following reconciliations would be helpful, RFSSLD00 (G/L Acocunting balances) and the results of program RFHABU00 ( General Ledger the Document file)


7.4       Reconciliation of the results of program RFKKBU00 (Open Item Account Balances and Audit trial from Document file) with program RFKSLD00


8.   Accuracy and Quality of Data in GL


8.1       Non- routine transactions – Entered by an Accountant in his own judgement.

8.2       Routine  - mass of theem usually generated automaticaly by SAP system.


9.   Accurate Account Determination – T. Code. FBKP (Maintain Accounting Configuration)  transaction can be used to check the Account Determination.

From ICS perespective one should checks the completenes and accuracy of the maintenance of the Account Determinations.


9.1       Automatic assignment of G/L accounts - Check groups


10.               Field Status Groups

10.1       In SAP to guarantee the required quality and completenes of data, SAP enables you to set up Transaction-specific Field  Status Group or Field-specific Group. For example when we enter G004 which has been set up to record postings in which expens accounts are used. The field status group ensures whenever posting is made the Cost centre is also entered, and is set up as required. This is important and essential for the transaction to also be taken into account in Controling.

10.2       As a part of audit you should check and analyse the defenition of Field statud groups. Transaction OBC44 or table (T004V) should be checked to ensure the “Entity“OBY6  has been assigned the correct group.

10.3       In addition SAP offers a program which can check the quality of the data controlled by the Field status groups in cross-module transactions. RM07CUFA. ( Field selection comparison: Movement type – G/L Account to check the consistency of the field groups fro accounts from MM and FI views


11.               Calculatig taxes for Manual Posting

ICS perespective the correct valuation and reportingof tax liabilities due to the state of tax authorities is very important. In SAP we can rely on the accuracy of the Advance returns for Tax on sale and Purchases program RFUMSV00, it presents the cumulative amount of tax at the end of the period.

11.1       The cumulative amounts comprise individual documents that are created when you enter various transactions.

11.2       The important transactions here are 

Invoice receipt – the tax is determined by the manual entry of the input tax code

Invoicing – The sales tax determination is defined separately in connection with the invoicing. It defines which tax rate is applied for the output tax.

The program RFUMSV10 takes data from the table BSET (Tax Data  Document Segment).

11.3       In SAP the Tax on Sales and Purchases is calculated automatically when we enter an invoice, however it is also posible to change it manually, the decisive factor is how the tax code selected is configured.

11.4       The Tac is calculated using the Base amount and the percentage rate, if there is deviation of more than one unit currency the system issues an error message for eac relevant line item. If in the  Tax Code there is no entry in the DEVIAION ERROR FIELD, a warning message appears instead and the user can continue  enteing the posting.

11.5       By using Table T007A or FTXP ( Maintain Tax Code )you can evaluate tax code to determin whether settingsin the Deviation Error field are appropriate, no entry  “Empty” means that you are not allowed to manually enter an amount different to the amount calculated by the system.


12.                        Validation & Substitution

In addition to the standard consistency checks, you can set u customer specific logical rules that check the accuracy, for example of data entered manually. Validation and Substitution can be use to strengthen the controls in Financial Accounting.

Some examples of Validation & Substitution are

·         To prevent the use of invalid business area

·         To exclude an individual combination of GL accounts

·         To favour useful entries in comment fields

·         To restrict the maximum amount for posting

Validation can also be used as an alternative to SAP authorization roles.

When setting up Validtion, there are three possible levels for checking the rules, on entry of data in the document header, in line item and when the document is saved. There are two ouutputs of a check, a warning message or an error message.

A warning is informative in nature, and from ICS view does not represent effective control.

13.                        Foreign Currencies

Foreign currencies can be entered on SAP based on the exchange rate defined in the system.  T Code. OC41 table TCURR

The system transalates the amount into the loacl currency assigned to the company code. The impact of incorrectly maintained exchange rate would be dramatic.

Fig.13.1 Foreign Currency



In SAP manually in we can maintain exchange rate able TCURR using T Code. SM30 as shown in Fig. 13.1

Fig. 13.2 Maintenance of Currency Exchange rates

There are two principle exchange rates depending on which exchange rate entry is maintained. As we can see above thouse are

-          Direct quotation

Is the cost of one unit of foreign currency given in units of local currency.

-          Indirect quotation

Indirect quotation is the cost of one unit of local currency  given in units of foreign currency. The price in the “To” currency to be paid for one of the “From” currency.


For instance, USA citisen intends to buy/sell British pounds, it means exchange rates expressed in British pounds per unit of US dollar.

Note Note

Your local currency is EUR:

- Direct exchange rate: 1USD = 0.92819 EUR

- Indirect exchange rate: 1EUR = 1.08238 USD


Manual Maintennce should be an exception, companies usally import the exchange rate on a  daily basis. 

Maintenance of exchange rates is associated with high risk and therefore deserves special attention.

The following procedures should be carried out

1.      Conduct interview and analysis to establish the procedure for the maintenance of exchange rate, the role authorised to perform the task.

2.      Check if the file being imported is stored in a secure loaction, and sufficiently protected.

3.      Check the scope of the Authorization for the maintenance of the exchange rates.


SAP has built-in control in the logic for table TCURR, the date has been encryppted to make direct table maintenance difficult.


13.1       Currency Translation Ratio

Risks of Foreign currency transaction errors

Verify that accurate values of foreign currency transactions are being used. [ Related tcodes: OBBS, OB08, OB59, OBA1, OB90 ]



13.2       Maximum Foreign Currency Difference

Further controls is very important in SAP, when you enter a document, you can correct the exchange rate manually. To restrict the scope of such correction, further controls by SAP are offered, such as Tolerance for foreign currency differences. There are two options,

Tolerance limit per company code

Tolerance limit per currency pair


If the system exceeds a defined tolerance limit (%), the system generates an error message. To set up an error message if tolerance limit exceeded, T Code OBA5, sellect application area F5, and message 212.

Click NEW, select message No: 212 from the list.


 To check the foreign currency differences are treated correctly, the following steps are performed.

1.      Check Table T001 to check whether the maximum tolerance limit is set up for relevant company code, and whether the amount is appropriate. Fig.13.2


2.      Use table TCURD – to check the maximum exchange rate deviations are defined for currency pairs (cross-company code for all pairs).


14.                        Completeness of Processing in General Ledger Accounting


14.1       Document Parking

It would be helpful if necessary control is implemented to meet the SOD principle during Document posting. For instance, First person can enter document but not poste them, only park them. The Second person checked the documents and than posts them.


Parking of documents can be controled technically by means of amount. SAP system contains number of workflow models for document parking : A framework workflow (WS10000051) and five sub-workflows. Various workflows can be set, most month end actvities can be set to start a work flow-based procedure,  posting parked document is only one of them.  In addition to the SOD principle above, amount-based restriction can be implemented on user level using Tolerance groups.


To create work flow, T Code. SWDD

Fig 14.1 Workflow builder


Recommended Audit procedures,

1.      Check if Organisation is using the Document Parking, and if SOD principle has been meet.

2.      If relevant, check the Control strategy and ICS has been implemented correctly.


Fig. 14.2 IMG Work-flow document parking


Document parking control not only can improve the system, but is associated with risk, in reallity this is a document for which additional information is required. Parked documents do not affect the GL Balance as is not a posted document, and so the corresponding business transactions has no been entered for accounting purpose. This means as a part of Period End Closing execute program RFPUEB00 (Parked Documents ) or RFTMPBEL ( Incomplete Documents) or  T code . FBV3 should be run and Parked Documents reviewed and posted.

FBV5 ŕ Environment ŕ Multiple Display - Document Changes of Parked Document- Auditors would  be interested to see a list of changes to different documents, External, Recurring,Parked. Display of Changed Documents control, is pre-configured in the standard sysyem, to strenghten the control companies can decide on which additional fields to control and monitor.

Further risk arising from Deletion of Parked Documents ( T Code. FBV0ŕ Enterŕ Menu), which leave gaps in the document number assignment. Therefore the, use of Parked Documents result in additional document requirements and raises awareness amongst Auditors.


15.             Recurring Entries

Unexpected recurring journal entry including complex intercomany transactions

This is extremely risky for all industries. Monitoring control should be in place

Recurring entry schedule changes, resulting in erroneous or skipped postings.

Changes to the Run schedule of the recurring journal entry postings, they need to be closely examined.


T Code. F.15  List Recurring Entries
















Controls In Accounts Payable


























NB: Since SAP processes are quite complex, every process can be an independent audit.

One Item several topis

One single item on the Financial statement can have nummber of related topics which can be important. For example Current liabilities - Vendor,

§  Inspection of the Vendor Master Data

§  Invoice Verification Proces

§  Clearing of GR/IR account

§  Correspondance

§  Asquisition and retirement of assets

§  Integration with other functions, Financial , Sales, HR

§  IF HR relevant Vendor, compliance with protection of data.


Auditors place great emphasis on Detective and Preventative controls, if Auditors are satisfied the process is in line with , financial reporting Standards, Legal and regulatory requirements, Operational activities are effective and efficient, Assets and Information is safeguarded it is highly inlikely transactional data will be examined, perhaps just a random sample of few transactions per process.