Identify Fraud Risks with Forensic Audit Queries

  • by Bryan Wilson, President, Acumen Control ERP, Inc.
  • January 15, 2008
Audit committees, management, investors, regulators, and external auditors expect your business process controls to be effective, efficient, and testable. See how to extend your GRC functionality to identify control exceptions in your SAP system by locating data in SAP tables and running forensic audit queries.

Out of the box, compliance solutions such as the SAP GRC technology foundation may not meet all of your unique business process control objectives. With an understanding of configuration settings, account mappings, security authorizations, and data structures, you can customize your system and extend your system controls to meet your specific business needs.

I’ll show you how to design forensic audit queries that identify control irregularities and detect fraud in the purchase-to-pay (P2P) process. Identifying the tables that store P2P data and understanding how certain fields affect the control environment allows you to design and implement effective and efficient forensic audit queries. Working with experienced IT personnel can help you understand which fields affect your control environment.

Deciding which transaction and master data fields are important to your control environment depends largely on your particular implementation and risk appetite. I currently use about 950 forensic audit queries across the SAP enterprise to help isolate master data control deficiencies; identify unauthorized or improper changes to transactions and master data; reconcile and age GR/IR accounts; confirm SAP calculation routines, such as depreciation; uncover fraudulent activity and control circumvention schemes; and isolate actual segregation of duties violations.

I’ll show you how to enhance your GRC implementation by extending its functionality to help monitor and detect control exceptions. I’ll explain how you can locate master and transactional data in SAP tables and then how to download this data to Microsoft Access, where you can design and develop forensic audit queries to help monitor for control deficiencies. First, I’ll go over the way some data in the SAP system is structured, which requires you to use forensic audit queries.
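As an added illustration (not one of the author's queries), the sketch below shows the shape of a P2P query that isolates actual segregation of duties violations: it flags any user who performed two or more purchase-to-pay steps for the same vendor. It assumes extracts of the standard SAP tables LFA1, EKKO, and RBKP, uses an in-memory SQLite database as a stand-in for Microsoft Access, and runs on constructed sample rows.

```python
import sqlite3

# Constructed sample extracts. Table and field names are the standard SAP ones:
# LFA1 = vendor master, EKKO = purchase order header, RBKP = invoice header.
LFA1 = [("V100", "JSMITH"), ("V200", "MDATA01")]            # LIFNR, ERNAM
EKKO = [("4500000001", "V100", "JSMITH"),
        ("4500000002", "V200", "BUYER07")]                  # EBELN, LIFNR, ERNAM
RBKP = [("5100000001", "V100", "JSMITH"),
        ("5100000002", "V200", "APCLERK3"),
        ("5100000003", "V200", "BUYER07")]                  # BELNR, LIFNR, USNAM

SOD_QUERY = """
WITH activity AS (      -- one row per vendor, user and P2P step performed
    SELECT LIFNR, ERNAM AS uname, 'vendor created' AS step FROM LFA1
    UNION
    SELECT LIFNR, ERNAM, 'PO created' FROM EKKO
    UNION
    SELECT LIFNR, USNAM, 'invoice posted' FROM RBKP
)
SELECT LIFNR, uname, GROUP_CONCAT(step, '|')
FROM activity
GROUP BY LIFNR, uname
HAVING COUNT(*) >= 2    -- same user did two or more steps for one vendor
ORDER BY COUNT(*) DESC, LIFNR, uname
"""

def find_sod_violations(lfa1, ekko, rbkp):
    """Return (vendor, user, sorted steps) where one user performed 2+ steps."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE LFA1 (LIFNR TEXT, ERNAM TEXT);
        CREATE TABLE EKKO (EBELN TEXT, LIFNR TEXT, ERNAM TEXT);
        CREATE TABLE RBKP (BELNR TEXT, LIFNR TEXT, USNAM TEXT);
    """)
    con.executemany("INSERT INTO LFA1 VALUES (?, ?)", lfa1)
    con.executemany("INSERT INTO EKKO VALUES (?, ?, ?)", ekko)
    con.executemany("INSERT INTO RBKP VALUES (?, ?, ?)", rbkp)
    rows = con.execute(SOD_QUERY).fetchall()
    con.close()
    return [(lifnr, user, sorted(steps.split("|"))) for lifnr, user, steps in rows]

if __name__ == "__main__":
    for lifnr, user, steps in find_sod_violations(LFA1, EKKO, RBKP):
        print(f"vendor {lifnr}: user {user} performed {', '.join(steps)}")
```

Because the query works from posted documents and master data rather than from role assignments, each hit is a conflict that actually occurred and can be traced to a specific vendor and document.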

Bryan Wilson

Bryan Wilson is president of Acumen Control ERP, which specializes in SAP risk, advisory, and forensic audit services. With more than 20 years of experience in IT risk management, he has managed SAP R/3-enabled controls design and assessment teams for both KPMG LLP and Deloitte & Touche LLP. Bryan has advised audit committees, executive teams, and audit partners at several multi-national companies of the residual risks in their SAP R/3-supported business cycles. He also helped several multi-national clients re-engineer their SAP R/3 security architecture and re-architect business processes after internal control failures or fraud were identified. He currently helps clients assess their SAP control environments using his forensic audit queries, which clients can use to enhance their own off-the-shelf audit query tools. Bryan has a B.S. degree in computer science and is a Certified Public Accountant (CPA), Certified Information System Auditor (CISA), and an active member of the Association of Certified Fraud Examiners.
