Read the book Practical Guide to Auditing SAP Systems - Martin Metz - Page 8

1.2 Importance and background of the audit function


“Dear colleagues, today I received confirmation that we are going to be audited starting next week. Please make sure you put the current date on our documents!” To get straight to the importance of audits: an audit is far more than the above sentence suggests.

The importance of the audit function can, for instance, be captured by concentrating on its role within the three lines of defense model, where it plays an essential role.

The three lines of defense model describes the roles and tasks related to risk management across the company’s departments and external functions. The first line of defense is made up of business functions and owners, whose employees are responsible for identifying and managing risks related to the activities they perform. The second line of defense is responsible for risk management, setting rules, and issuing policies and standards. The third line of defense conducts the assurance work by evaluating the effectiveness and efficiency of risk management, the control processes, and governance. The assurance work falls under the role of internal auditors, which is where this book comes into play.

The three lines of defense—SAP Basis

The SAP Basis team is always eager to install new security patches, as they plug security holes and restore the security posture of a company. The Basis team is therefore the first line of defense. It not only tries to preserve the integrity of its systems—it also follows the vulnerability management policy, which requires close monitoring of security updates and prompt installation of the related patches. The risk and compliance departments, which created this policy and defined a binding standard, are the second line of defense. Once the Basis team has prepared its risk report and described how vulnerabilities in the SAP system are managed, the risk department evaluates and assesses this report. The audit department comes into play as the third line of defense. It is responsible for objectively assessing the effectiveness and efficiency of the risk management processes and controls. When the audit department chooses the vulnerability management process for an audit, it reviews the relevance of the related policies and how well the business complies with them. Testing the controls concerned with vulnerability management is part of this audit. Furthermore, the auditors advise the business on how to optimize the entire process, and they track the completion of the measures agreed. In this case, the three-layered security structure mitigates the risk of adversaries exploiting vulnerabilities and jeopardizing the achievement of business objectives.

Figure 1.2 depicts the three lines of defense, their typical representatives, and their reporting lines.


Figure 1.2: Adapted model of the three lines of defense (Institute of Internal Auditors, IIA)

As shown in the example, the work of internal audit extends from monitoring risk management processes and compliance through control testing to internal consultancy and process optimization. Another objective of internal audit is to detect and thus prevent fraudulent activities.

KPMG’s Global Audit Committee Pulse survey confirms that these tasks remain current and lists the most significant challenges and areas of concern for audit departments across the globe in 2017: in first place is the effectiveness of the risk management program, followed by legal/regulatory compliance and cybersecurity risks (https://bit.ly/2PLoX47, slide 15).

The latter is one of the top priorities for internal audit in 2017, alongside technology risks due to the increasing use of mobile and cloud technologies (https://bit.ly/2PLoX47, slide 18), which are also relevant to the use of SAP systems.

Contractual obligations might also be a reason for internal audits. In the case of a second-party audit, there is a contractual work relationship between an auditee (usually a vendor) and an auditor (the client). The client performs audits to evaluate the situation at the vendor, to identify risks, and to derive potential contractual adjustments.

Clients might even request audits without a contractual obligation by the vendor. A prominent example is the case of the shareholders of Volkswagen, who asked a special auditor to assess the details of the recent emissions scandal.

This situation is comparable to incident-based audits. A company might suffer an incident and want to conduct an internal audit to identify evidence of the cause of the incident, what led to the issues, and how to prevent a recurrence. As the incident might be the result of criminal acts, it is necessary to establish a chain of custody and make sure that the evidence collected is admissible in court.

Furthermore, you might want to audit an aspect of interest for none of the reasons above, simply to improve the organization, its processes, or current projects.

Regardless of whether you are considering internal control systems, the three lines of defense model, or further reasons for an audit function, organizations overall need an independent, objective party to ensure risk management, control processes, and governance. While external auditors focus on financial reporting, the internal audit department takes a broader look, paired with internal knowledge. Internal audit is therefore vital to ensure that an organization functions properly. IS audits are one of the most necessary means of performing assurance work. As today’s business processes depend heavily on the use of information systems, IS audits look at these applications and systems, their technology, settings, underlying infrastructure, network, and other aspects. Thus, IS audits are one component of internal audits with a focus on the information systems layer (see Figure 1.3).


Figure 1.3: The layers of an IS audit

To use an analogy, internal audits assess the processes and controls on a ship’s bridge, whereas IS audits take a more in-depth look at the ship’s engine room. Just as the processes on the deck require standards, so do the processes in the engine room.
