Two SAP-Enabled R2P Process Controls for Sarbanes-Oxley Compliance

  • by Bryan Wilson, President, Acumen Control ERP, Inc.
  • November 1, 2003
Requisition-to-pay (R2P) is a key operational process for which auditors for Sarbanes-Oxley Act compliance will expect to see controls. Fortunately, R/3 Materials Management (MM) has a number of configuration controls that you can use for this purpose. The author explains two, recording purchase requisitions and releasing purchase requisitions, and shows how you might use them in your compliance efforts.

The Sarbanes-Oxley Act of 2002 requires that companies have controls in place for important business processes. A key process on the operational side is the requisition-to-pay (R2P) business cycle. You can use SAP-enabled controls at several points in the R2P process. I'll describe how you might implement two: recording a purchase requisition and releasing a purchase requisition. Both are R/3 MM configuration controls applicable to all releases of R/3. First, let me provide a quick overview of the R2P business cycle.

The R2P business cycle shown in Figure 1 involves several departments, SAP R/3 modules, and events. The diagram also illustrates common cycle events that trigger financially relevant transactions. The typical R2P transaction flow begins when a user or an external activity (e.g., MRP or SD) requires the company to purchase goods or services. The R/3 requisition is entered via ME51 (Create Purchase Requisition). The R/3 requisition is typically held for formal release (i.e., authorization) via ME54 (Release Purchase Requisition), which is dependent upon your configuration in the IMG

If your company uses the new ENJOY transaction codes, substitute them for the transaction codes identified.

Bryan Wilson

Bryan Wilson is president of Acumen Control ERP, which specializes in SAP risk, advisory, and forensic audit services. With more than 20 years of experience in IT risk management, he has managed SAP R/3-enabled controls design and assessment teams for both KPMG LLP and Deloitte & Touche LLP. Bryan has advised audit committees, executive teams, and audit partners at several multi-national companies of the residual risks in their SAP R/3-supported business cycles. He also helped several multi-national clients re-engineer their SAP R/3 security architecture and re-architect business processes after internal control failures or fraud were identified. He currently helps clients assess their SAP control environments using his forensic audit queries, which clients can use to enhance their own off-the-shelf audit query tools. Bryan has a B.S. degree in computer science and is a Certified Public Accountant (CPA), Certified Information System Auditor (CISA), and an active member of the Association of Certified Fraud Examiners.
