The Audit Information System (AIS) has been developed to provide internal and external auditors, Security Administrators and those with data protection and controlling responsibilities with a tool to assist in understanding and completing required tasks in the complex SAP environment.
The SAP Audit Information System (AIS) provides a centralized repository for reports, queries, and views of data that have a control implication. AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the production system on a real time basis.
AIS is currently focused on two key areas that are covered in more detail below:
- Systems Audit; and
- Business Audit.
AIS allows the auditor to set up a report view specific to the audit, attach comments, and track the audit’s progress.
AIS also has the capability to extract data into pre-defined formats appropriate for data.
Starting Audit
Transaction code SECR is used to access the AIS. The user can elect to enter:
- Complete audit - When executed, this provides all tests and documentation available in the AIS system.
- User defined audit - When executed, this provides tests and documentation applicable to the User-defined audit selected by the user.
Once started, the user is provided with a report tree structure that sets out all applicable documentation and tests that are executable. The reporting tree contains steps that include variants for each type of function. These can be centrally maintained to apply across multiple audit tasks.
Installation Check
The Installation Check is an AIS tool which, when executed, checks whether all of the programs and variants listed in AIS are available in the current system environment. The Installation Check can be initiated by selecting Extras — Installation — Installation check from transaction SECR.
Preparatory Tasks
In preparation for the completion of an audit, the user may complete preparatory tasks. These tasks allow the user to customize the audit to improve efficiency in completion of tasks.
The preparatory tasks within AIS are broken into three areas:
Area | Description |
AIS Customization | Allows for audit customization through the definition of variables and constants to be utilized in the audit process. This may include variables such as company codes which are then used in reporting. |
Customize Financial Information System | Provides the user with functions relevant to the configuration and |
ABAP/4 Query including download | Provides access to logical database structure and information pertinent to |
Systems Audit
The "Systems Audit" is primarily used for administration and review of system activities such as security and change control. Users are provided with easy access to many of the standard SAP security and control reports and audit trails.
Checklists are available to assist in the execution of an AIS systems audit. These checklists provide samples of security items to be considered which can be amended as required.
The System Audit functionality in AIS is broken down into the following key areas:
Area | Description |
Systems Configuration | Allows the user to gain details of the environment and general set up of the SAP system. |
Transport Group | Information relevant to change control processes, and system set-up. |
Tables / Repository | Includes information regarding table configuration, change logging as well as table security. |
Development / Customizing | |
Background Processing | Information relevant to background processing, including the graphical job schedule and access to the job overview. |
System Logs | Provides access to logs (system, access, database etc) as well as configuration settings pertinent to these logs. |
User Administration | Provides access to information relevant to administration and security of the SAP system. This includes various reports on: |
Using the System Audit functionality, the user can access key parts of the Basis module, including the Transport Management System, repository and table browser. It also provides comprehensive tools to review the security around user access.
Business Audit
The “Business Audit” functionality in AIS allows the auditor to produce financial statements and balance sheets, as well as perform general ledger, accounts payable and accounts receivable activities and queries.
For example, through the business audit functionality, auditors can perform and document their review of general ledger posting keys, automatic postings, billing and document types, number ranges and reconciliation accounts, as well as duplicate invoice reviews.
The Business Audit is broken into the following areas:
Area | Description |
Organizational Overview | This area allows the user to become familiar with the enterprise structure that has been implemented in SAP. |
Financial Statement Oriented Audit | The Financial Statement Oriented Audit provides the user with details of |
Process Oriented Audit | The Process Oriented Audit steps are broken down into the various areas of SAP including retail, procurement, production and sales and distribution. Areas of this section are at various levels of development. |
When the audit begins, the present parameters and selection criteria are edited by using the “Preparatory Tasks” in the Business Audit menu. The auditor customizes the reporting tree to reflect the correct time period and organizational structure required for the audit. The use of these “variants” helps reduce the potential for adversely affecting system performance, by limiting the parameters for which the reports are run. Business Audit functionality is not generally considered to be comprehensive and many items included in the menu structure are not yet functional. This should be considered when utilizing AIS.
Customizing Audits
To make effective use of the AIS tool it is important to customize the audits and ensure that only relevant information is provided. All information provided in the complete audit can be partitioned into audit programs specific to the particular needs and scope of audit work to be completed.
This can be performed by selecting Audit Information System — Create/change view.
A new view can then be created where you can manually select from the tree structure the components that are to be displayed in this user defined view.
Following the customization and generation of an audit, it can be accessed by selecting the user-defined audit that has been created.
Security
In order for a user to access configuration, data or other reports, relevant access must be provided to the user. The AIS provides links through to various reports and other information, and therefore, access provided to complete AIS tasks may vary between users in line with tasks the individual is to perform. The transaction to start the AIS is SECR and a user must therefore be granted transaction start authorisation. In order for a user to be able to edit notes in AIS the user must have been provided with the following authorisation objects:
S_IMG_ACTV
Field | Value | Description |
PROJAUTH | 900 | Project for Audit: 900 |
ACTVT | 02 | Change activity |
IMG_ACTIV | NOTE | Edit notes |
In order for a user to be able to edit the status of the audit and tasks in the AIS, the following authorisation must be provided:
S_IMG_ACTV
Field | Value | Description |
PROJAUTH | 900 | Project for Audit: 900 |
ACTVT | 02 | Change activity |
IMG_ACTIV | STAT | Edit notes |
Other security, which may be granted to the user in order to complete tasks, may include:
- Authorization to view data in the IMG.
- Authorization to display user and security information.
- System administration and other system and performance monitoring functions.
- Change control authorizations.
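The following is an added example, not part of the original page or SAP's own code: a Python review of a constructed role export, laid out like a subset of the columns of table AGR_1251, that reports which roles can start SECR and edit AIS notes or status using the S_IMG_ACTV values listed above. The role names, the CSV layout and the simplified value matching (exact value, trailing `*`, LOW-HIGH range) are assumptions.

```python
import csv, io
from collections import defaultdict
# Constructed rows (AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH); role names are hypothetical.
SAMPLE = """\
Z_AUDITOR,S_TCODE,T1,TCD,SECR,
Z_AUDITOR,S_IMG_ACTV,I1,PROJAUTH,900,
Z_AUDITOR,S_IMG_ACTV,I1,ACTVT,02,
Z_AUDITOR,S_IMG_ACTV,I1,IMG_ACTIV,NOTE,
Z_AUDIT_LEAD,S_TCODE,T1,TCD,S*,
Z_AUDIT_LEAD,S_IMG_ACTV,I1,PROJAUTH,*,
Z_AUDIT_LEAD,S_IMG_ACTV,I1,ACTVT,01,03
Z_AUDIT_LEAD,S_IMG_ACTV,I1,IMG_ACTIV,*,
Z_SPLIT,S_IMG_ACTV,I1,PROJAUTH,900,
Z_SPLIT,S_IMG_ACTV,I1,ACTVT,03,
Z_SPLIT,S_IMG_ACTV,I1,IMG_ACTIV,NOTE,
Z_SPLIT,S_IMG_ACTV,I2,PROJAUTH,100,
Z_SPLIT,S_IMG_ACTV,I2,ACTVT,02,
Z_SPLIT,S_IMG_ACTV,I2,IMG_ACTIV,NOTE,
"""
IMG = {"PROJAUTH": "900", "ACTVT": "02"}  # values from the tables above

def matches(low, high, wanted):
    # Simplified value match: LOW-HIGH range, trailing '*', or exact value.
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted

def load(text):
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for role, obj, auth, field, low, high in csv.reader(io.StringIO(text)):
        roles[role][(obj, auth)][field].append((low, high))
    return roles

def grants(instances, obj, wanted):
    # All fields must match within ONE authorization; values in two do not combine.
    return any(
        o == obj and all(any(matches(lo, hi, v) for lo, hi in fields.get(f, []))
                         for f, v in wanted.items())
        for (o, _), fields in instances.items())

def review(text):
    return {role: {
        "start_secr": grants(inst, "S_TCODE", {"TCD": "SECR"}),
        "edit_notes": grants(inst, "S_IMG_ACTV", {**IMG, "IMG_ACTIV": "NOTE"}),
        "edit_status": grants(inst, "S_IMG_ACTV", {**IMG, "IMG_ACTIV": "STAT"}),
    } for role, inst in load(text).items()}
if __name__ == "__main__":
    print(review(SAMPLE))
```

In the sample, Z_AUDIT_LEAD gains both edit rights through wildcards and a range, while Z_SPLIT holds every required value but never in a single authorization, so it is granted neither.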