Benchmark SAP Application Controls to Increase Testing and Documentation Efficiency

  • by Richard Castle, Executive Director, Ernst & Young LLP
  • March 15, 2008
See how to use your SAP system’s table logging functionality to support a benchmarking strategy for application controls.
Key Concept

On the technical side, many companies are confused about the impact table logging might have on performance. They confuse database-level table logging with application-level table logging and the performance impact of logging master and transactional data (large volumes) with the impact of logging configuration data (low volume). The SAP system performs application table logging, while the relational database software independent of the SAP system performs database-level table logging.

Application controls benchmarking is a strategy that you can use to extend the benefits of certain tests of application controls — automated controls enabled through a program or configuration — into subsequent audit periods. Application controls benchmarking is based on the premise that a computer continues to perform a given procedure (e.g., aging of accounts receivable, edit test) in exactly the same way until someone changes the program. If you verify that a given program or configuration that executes an automated control has not changed since it was last tested, you may choose to not repeat specified testing procedures in a subsequent period, but rather rely on the testing that was performed in conjunction with the benchmark. The benchmarking period might extend, for example, until someone applies a major upgrade to the SAP software or actual changes to the program or configuration.

I am surprised that more companies are not seeking out a benchmarking strategy to reduce their cost of compliance with Sarbanes-Oxley. If a company has a 50/50 mix of application controls and manual controls and spends $2 million a year to test and document controls, a benchmarking strategy could potentially reduce that cost by a fourth to a half.

One approach to implementing a benchmarking strategy is to use the table logging capabilities within the SAP system, which you perform at the application level instead of the database level. SAP table logging records any field level changes that you apply to the contents of the table. The change logs identify the time and date of the change, the user who applied the change, and the before-and-after values associated with the field level change.

Richard Castle

Richard Castle is an executive director in Ernst & Young’s Risk and Advisory Services practice. He has more than 24 years of experience in information systems, project management, and related operations. Richard directs SAP Risk Advisory Services for the Midwest and specializes in providing SAP quality and internal controls solutions for Fortune 1000 companies. Richard is a Certified Information Security Manager (CISM) and is a member of the Information Systems Audit and Control Association (ISACA).

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.