Audit Information System

The Audit Information System (AIS) has been developed to provide internal and external auditors, Security Administrators and those with data protection and controlling responsibilities with a tool to assist in understanding and completing required tasks in the complex SAP environment.

The SAP Audit Information System (AIS) provides a centralized repository for reports, queries, and views of data that have a control implication. AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the production system on a real time basis.
AIS is currently focused on two key areas that are covered in more detail below:

  • Systems Audit; and
  • Business Audit.

AIS allows the auditor to set up a report view specific to the audit, attach comments, and track the audit's progress.

AIS also has the capability to extract data into pre-defined formats appropriate for data.

Starting Audit

Transaction code SECR is used to access the AIS. The user can elect to enter:

  • Complete audit - When executed, this provides all tests and documentation available in the AIS system.
  • User-defined audit - When executed, this provides tests and documentation applicable to the user-defined audit selected by the user.

Once the audit is started, the user is provided with a report tree structure that sets out all applicable documentation and executable tests. The reporting tree contains steps that include variants for each type of function. These can be centrally maintained to apply across multiple audit tasks.

Installation Check
The Installation Check is an AIS tool which, when executed, checks whether all of the programs and variants listed in AIS are available in the current system environment. The Installation Check can be initiated by selecting Extras — Installation — Installation check from transaction SECR.


Preparatory Tasks
In preparation for the completion of an audit, the user may complete preparatory tasks. These tasks allow the user to customize the audit to improve efficiency in completion of tasks.
The preparatory tasks within AIS are broken into three areas:

| Area | Description |
|---|---|
| AIS Customization | Allows for audit customization through the definition of variables and constants to be utilized in the audit process. This may include variables such as company codes which are then used in reporting. |
| Customize Financial Information System | Provides the user with functions relevant to the configuration and extraction of financial information. |
| ABAP/4 Query including download | Provides access to logical database structure and information pertinent to extracting data for analysis purposes. |

Systems Audit
The "Systems Audit" is primarily used for administration and review of system activities such as security and change control. Users are provided with easy access to many of the standard SAP security and control reports and audit trails.

Checklists are available to assist in the execution of an AIS systems audit. These checklists provide samples of security items to be considered which can be amended as required.

The System Audit functionality in AIS is broken down into the following key areas:

| Area | Description |
|---|---|
| Systems Configuration | Allows the user to gain details of the environment and general set up of the SAP system. |
| Transport Group | Information relevant to change control processes, and system set-up. |
| Tables / Repository | Includes information regarding table configuration, change logging as well as table security. |
| Development / Customizing | |
| Background Processing | Information relevant to background processing, including the graphical job schedule and access to the job overview. |
| System Logs | Provides access to logs (system, access, database etc.) as well as configuration settings pertinent to these logs. |
| User Administration | Provides access to information relevant to administration and security of the SAP system. This includes various reports on: User Security and Authorisations; Profile Generator; User administration, such as users who have not logged into the system for a predefined period of time. |

Using the System Audit functionality, the user can access key parts of the Basis module, including the Transport Management System, repository and table browser. It also provides comprehensive tools to review the security around user access.


Business Audit
The “Business Audit” functionality in AIS allows the auditor to produce financial statements and balance sheets, as well as perform general ledger, accounts payable and accounts receivable activities and queries.
For example, through the business audit functionality, auditors can perform and document their review of general ledger posting keys, automatic postings, billing and document types, number ranges and reconciliation accounts, as well as duplicate invoice reviews.

The Business Audit is broken into the following areas:

| Area | Description |
|---|---|
| Organizational Overview | This area allows the user to become familiar with the enterprise structure that has been implemented in SAP. The user is also provided with information about the financial structure of the organization, including details on Account Determination and Special General Ledger. |
| Financial Statement Oriented Audit | Provides the user with details of account reconciliation, Balance Sheet, Profit & Loss and other General Ledger related reports which can be used for financial analysis. |
| Process Oriented Audit | The Process Oriented Audit steps are broken down into the various areas of SAP including retail, procurement, production and sales and distribution. Areas of this section are at various levels of development. |

When the audit begins, the present parameters and selection criteria are edited by using the “Preparatory Tasks” in the Business Audit menu. The auditor customizes the reporting tree to reflect the correct time period and organizational structure required for the audit. The use of these “variants” helps reduce the potential for adversely affecting system performance, by limiting the parameters for which the reports are run. Business Audit functionality is not generally considered to be comprehensive and many items included in the menu structure are not yet functional. This should be considered when utilizing AIS.

Customizing Audits
To make effective use of the AIS tool it is important to customize the audits and ensure that only relevant information is provided. All information provided in the complete audit can be partitioned into audit programs specific to the particular needs and scope of audit work to be completed.
This can be performed by selecting Audit Information System — Create/change view.
A new view can then be created where you can manually select from the tree structure the components that are to be displayed in this user defined view.

Following the customization and generation of an audit, it can be accessed by selecting the user-defined audit that has been created.

Security
In order for a user to access configuration, data or other reports, relevant access must be provided to the user. The AIS provides links through to various reports and other information, and therefore, access provided to complete AIS tasks may vary between users in line with tasks the individual is to perform. The transaction to start the AIS is SECR and a user must therefore be granted transaction start authorisation. In order for a user to be able to edit notes in AIS the user must have been provided with the following authorisation objects:

S_IMG_ACTV

| Field | Value |
|---|---|
| PROJAUTH | 900 (Project for Audit: 900) |
| ACTVT | 02 (Change activity) |
| IMG_ACTIV | NOTE (Edit notes) |

In order for a user to be able to edit the status of the audit and tasks in the AIS, the following authorisation for editing status information must be provided:

S_IMG_ACTV

| Field | Value |
|---|---|
| PROJAUTH | 900 (Project for Audit: 900) |
| ACTVT | 02 (Change activity) |
| IMG_ACTIV | STAT (Edit notes) |

Other security, which may be granted to the user in order to complete tasks, may include:

  • Authorization to view data in the IMG.
  • Authorization to display user and security information.
  • System administration and other system and performance monitoring functions.
  • Change control authorizations.
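
The authorisation requirements above can be checked against an export of user authorisations during an access review. The following is an added example, not part of the original page or of SAP's own code: the row layout, user names and authorisation names are constructed, S_TCODE with field TCD is assumed as the standard transaction start object, and the value matching (single value, trailing `*` pattern, low/high range) is a simplified model.

```python
from collections import defaultdict

# Requirements from the page; S_TCODE/TCD is an assumption (transaction start object).
REQUIRED = {
    "start AIS (SECR)": ("S_TCODE", {"TCD": "SECR"}),
    "edit notes": ("S_IMG_ACTV", {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "NOTE"}),
    "edit status": ("S_IMG_ACTV", {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "STAT"}),
}

# Constructed sample rows: user, object, authorisation, field, low value, high value.
SAMPLE_ROWS = [
    ("AUDITOR1", "S_TCODE", "T1", "TCD", "SECR", ""),
    ("AUDITOR1", "S_IMG_ACTV", "A1", "PROJAUTH", "900", ""),
    ("AUDITOR1", "S_IMG_ACTV", "A1", "ACTVT", "02", ""),
    ("AUDITOR1", "S_IMG_ACTV", "A1", "IMG_ACTIV", "NOTE", ""),
    ("BASIS1", "S_TCODE", "T2", "TCD", "S*", ""),           # pattern covers SECR
    ("BASIS1", "S_IMG_ACTV", "A2", "PROJAUTH", "*", ""),
    ("BASIS1", "S_IMG_ACTV", "A2", "ACTVT", "01", "03"),    # range covers 02
    ("BASIS1", "S_IMG_ACTV", "A2", "IMG_ACTIV", "*", ""),
    ("CLERK1", "S_IMG_ACTV", "A3", "PROJAUTH", "900", ""),  # display only (03)
    ("CLERK1", "S_IMG_ACTV", "A3", "ACTVT", "03", ""),
    ("CLERK1", "S_IMG_ACTV", "A3", "IMG_ACTIV", "STAT", ""),
    ("CLERK1", "S_IMG_ACTV", "A4", "PROJAUTH", "100", ""),  # change, but wrong project
    ("CLERK1", "S_IMG_ACTV", "A4", "ACTVT", "02", ""),
    ("CLERK1", "S_IMG_ACTV", "A4", "IMG_ACTIV", "STAT", ""),
]

def value_matches(low, high, wanted):
    # Simplified model: range if high is set, else trailing-* pattern, else exact.
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted

def capabilities(rows):
    # All fields must match inside ONE authorisation; values from A3 and A4 never combine.
    auths = defaultdict(lambda: defaultdict(list))
    for user, obj, auth, field, low, high in rows:
        auths[(user, obj, auth)][field].append((low, high))
    result = defaultdict(set)
    for (user, obj, _auth), fields in auths.items():
        for name, (req_obj, req_fields) in REQUIRED.items():
            if obj == req_obj and all(
                any(value_matches(lo, hi, want) for lo, hi in fields.get(f, []))
                for f, want in req_fields.items()
            ):
                result[user].add(name)
    return {u: sorted(c) for u, c in result.items()}
```

Calling `capabilities(SAMPLE_ROWS)` shows that BASIS1 can edit both notes and status through wildcard and range values, which is the kind of broader-than-intended access a review of AIS authorisations should surface.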
