Sarbanes–Oxley: Seven Steps to Ensure Your Internal Controls Cover Your Risk

  • by Taylor Erickson, Manager, BearingPoint, Inc.
  • September 15, 2003
As the deadlines approach, does your SAP financials team have a plan in place for compliance with the Sarbanes–Oxley Act (SOA) of 2002? No? That's not unusual, as many companies are struggling to learn what system and process changes the Act will require. But where do you begin this learning process? The author provides a seven-step method to assess how your FI/CO system measures up.

Those of you who are grappling with Sarbanes–Oxley Act (SOA) compliance have to be asking, “How do we ensure that internal controls are where they are supposed to be within our R/3 system?” Consider these two examples:

Example 1: For several years, one of my clients relied on a series of custom ABAP reports that looped over the pricing conditions contained in billing documents (table KONV). Decisions regarding pricing, discounting, rebates, freight, and postage were based on the information in these reports. Unfortunately, there was an inconsistency between the logic contained in the reports and the configuration of the pricing procedure. Problems arose when there were duplicate pricing conditions — for example, two or more PR00 prices:

PR00 $1,000

PR00 $0

The logic in the ABAP reports retrieved the first value, in this case $1,000. However, typical SAP pricing configuration takes the “bottom” (i.e., last sequential) condition, in this case $0. As a result, the client analyzed and reported data that was inconsistent with the actual transactions that took place, and the values in accounting.
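A reconciliation check for the discrepancy in Example 1 can be run over an extract of KONV. The following Python sketch is an added example, not code from the article or the client's system: it flags every item where a "first value" report and "last condition wins" pricing would disagree. The rows are constructed sample data, and ordering duplicates by the KONV step and counter fields (STUNR, ZAEHK) is an assumption about how "last sequential" is determined.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample rows shaped like a KONV extract (not real data).
# KNUMV = document condition number, KPOSN = item, STUNR = step number,
# ZAEHK = counter within the step, KSCHL = condition type, KWERT = value.
FIELDS = ("KNUMV", "KPOSN", "STUNR", "ZAEHK", "KSCHL", "KWERT")
SAMPLE_ROWS = [dict(zip(FIELDS, r)) for r in [
    ("0000001001", 10, 10, 2, "PR00", Decimal("0.00")),      # duplicate, last
    ("0000001001", 10, 10, 1, "PR00", Decimal("1000.00")),   # duplicate, first
    ("0000001001", 20, 10, 1, "PR00", Decimal("250.00")),    # single condition
    ("0000001002", 10, 10, 1, "PR00", Decimal("75.00")),     # duplicate, same value
    ("0000001002", 10, 10, 2, "PR00", Decimal("75.00")),
]]

def find_first_vs_last_mismatches(rows):
    """Return items where the first and last duplicate condition differ."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["KNUMV"], row["KPOSN"], row["KSCHL"])].append(row)

    findings = []
    for key in sorted(groups):
        # Assumption: (STUNR, ZAEHK) gives the sequence of the conditions.
        conds = sorted(groups[key], key=lambda r: (r["STUNR"], r["ZAEHK"]))
        report_value = conds[0]["KWERT"]    # what a "take the first" report reads
        pricing_value = conds[-1]["KWERT"]  # what "bottom condition wins" uses
        if len(conds) > 1 and report_value != pricing_value:
            findings.append({
                "document": key[0], "item": key[1], "condition": key[2],
                "report_value": report_value, "pricing_value": pricing_value,
                "difference": report_value - pricing_value,
            })
    return findings

def total_misstatement(findings):
    """Sum of (reported - actual) across all flagged items."""
    return sum((f["difference"] for f in findings), Decimal("0"))

if __name__ == "__main__":
    hits = find_first_vs_last_mismatches(SAMPLE_ROWS)
    for hit in hits:
        print(hit)
    print("Total difference between report and pricing:", total_misstatement(hits))
```

Duplicates that carry the same value are not flagged, because both readings agree; only items where the report and the pricing procedure would produce different amounts appear in the findings.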

Example 2:  A large multi-national company relied on a custom program to consolidate line items on an invoice printout. However, discrepancies between ABAP logic and pricing configuration caused some invoices to be processed that did not reconcile with accounts receivable. Rather than spend the time and resources to re-bill all the customers at the correct amount—and to avoid an embarrassing admission—the customer wrote off the difference as a loss.

Taylor Erickson

Taylor Erickson has more than 12 years of experience with ERP systems. He has worked with SAP for eight years, specializing in SD/SCM, reporting, and compliance. Taylor is a member of the Institute of Internal Auditors and has facilitated global SAP system implementations and trained numerous SAP customers. He is currently a manager at BearingPoint. Prior to that, he was a consultant for SAP America, and later, practice director of corporate compliance and security for Virtuoso, LLC, an SAP FI/CO consultancy. His latest research is on the effects that Sarbanes-Oxley will have on IT departments running SAP, and leveraging existing R/3 functionality to achieve compliance.
