Avoid Audit Problems by Building Controls as Part of Your Implementation Life Cycle

  • by Steve Biskie, Managing Director, High Water Advisors
  • February 15, 2009
To have an efficient and effective control design process, certain risk and control activities need to occur during the implementation process. These activities reduce the potential for audit issues and minimize future rework. By following this strategy, you significantly increase the likelihood of having a successful implementation and a pain-free audit.
Key Concept

Controls are specific actions that management intentionally builds into a process to either prevent bad things from occurring or detect them quickly (in time to mitigate their consequences) if they do. Controls may be manual processes, such as a quality review of an employee's work product, or system-enabled, such as tolerances configured within the SAP system that prevent transactions from exceeding specified thresholds. The SAP system contains many configurable control options that, to be effective, must be tailored to your specific business situation during the implementation process. Failure to consider what controls should be enabled to mitigate each of your business risks can result in costly rework and expose your organization to unaddressed problems after your SAP system go-live.

The way that you manage your SAP implementation or upgrade can have a profound impact on your ability to successfully pass an audit. More importantly, it can affect the long-term success of your initiative for good or for ill.

In my experience as an auditor, one of the biggest risks I’ve seen in organizations that attempt to do the right thing and design effective controls is that they start too late. By sequencing key activities early in the implementation life cycle, you can create a foundation that supports internal control design in an efficient, effective, and relevant way.

SAP project managers and implementation team members are likely to benefit most from this article. The activities I discuss relate to specific actions that the implementation team should take during the SAP implementation process to reduce the potential for audit issues and minimize future rework.

First, I map the typical control design process to a standard implementation life cycle. Next, I walk you through each phase of the implementation life cycle and share typical risk and control activities that you should conduct during that phase. In addition, I share some of the most common issues I’ve seen at organizations I’ve audited.

Steve Biskie

Steve Biskie has been working with SAP ERP systems for more than two decades, and is considered an international expert in SAP audit issues, risk management, and GRC. He was an expert reviewer for the book Security, Audit, and Control Features: SAP ERP (3rd Edition), and the author of Surviving an SAP Audit.

Steve will be presenting at the upcoming SAPinsider GRC 2017 conference, June 14-16, 2017, in Amsterdam.

