Exercise in Chapter 26

1. You are asked to perform an audit of an ERP implementation in your company. Design an audit program for reviewing key steps or control points in this process.

An Audit/Review of the Planning and Acquisition of an ERP

Planning and Organization

PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

Acquisition and Implementation

AI1 Identify solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology architecture
AI4 Develop and maintain IT procedures

2. Develop an audit program to validate the security controls implemented in SAP ERP.

Step 1 assess & evaluate

First, we work with you to assess the current status of segregation of duties (SOD) conflicts and to evaluate the maturity level of access and security controls.

Step 2 plan & design

Depending on the results of the assessment, we can assist you in establishing an SOD program and creating control and risk awareness in the organization, redesigning internal controls to better support the SOD program, and adjusting IT processes to achieve synergy between the IT department and business personnel.

Step 3 implement & remediate

During the implementation phase, our team of experts updates and documents procedures and controls, ensuring that the user access management and SOD processes are well established. We develop the SOD matrix and assist you in clean-up activities (remediation). For IT-related processes, we streamline user access management; if required, we provide assistance in automating it.

Whenever tools are needed, our team selects the technology solution suited to your needs.

Step 4 monitor & operate