Due before class:
Complete (if you have not done so) this brief introductory student survey (help us all get to know you better)
Read the following in textbook Auditing and GRC Automation in SAP (AGAS) by Chuprunov, Maxim
- AGAS Chapter 1 (Legal Requirements in ICS Compliance)
- AGAS Chapter 2.1 (ICS in IT Environment – View of Accounting)
- AGAS Chapter 3 Section 3.1 only (ICS Content in SAP ERP) Note: Figure 3.2 in section 3.1.3
Review the lecture slides and notes for Business Process; Assertions
Optional (but Useful) Materials
Watch this Intro to Accounting video. I recommend watching if you have limited or forgotten knowledge of accounting principles and use. (Video’s Slides)
Watch (again) this training video of SAP system basics and navigation (8 minutes): SAP Navigation. I recommend watching while practicing in GBI Inc course SAP system.
Watch the recording of Week 1 class session (2016 version) about logging onto SAP.
Watch these extra videos if you want to understand more about an example internal control environment
Real World Control Failure Expectations [INDIVIDUAL]
- Start Wednesday-PM
- 5 to 7-minute individual student presentations
- Length = 3-5 slides
- Short and concise [no acronyms]
- Target audience = Executive management
Presentation Elements:
- What’s the business?
- Brief Summary [3-4 sentences]
- People, Process, & Technology [current state]
- i.e. Enron, WorldCom
- What went wrong? What’s the control failure?
- i.e. Fraud, Product Issues
- What’s the impact, i.e. Customers, Employees?
Finalize Real World Control Failure Assignments by End-Of-Day
Daily Quiz
Audits to:
- Standards
- Policies
- Procedures
- Baselines, OR
- Industry Best Practices
Scope:
- Purchasing: People, Process, & Technology
- Evidence Requested:
- Prior audit findings, recommendations and current status
- Org Charts
- Process Flows with control points listed
- System infrastructure:
- SAP instance
- Network
- Operating System
- Database
- Tailor Work Program to include all relevant controls
- Work program [steps: 1, 2, 3, etc.]
- Evidence Requested:
Schedule Client Interviews: [Consistent delivery of message to all auditees at one time]
Provides common direction/themes/delivery
- Purchasing Director/Manager
- IT Director/Manager
- CFO/Controller
- COO
- Operations Manager
- IT IA
- Chief Risk Officer [or designee]
Internal Audit Roles/Responsibilities
- Test control existence
- Assess overall control health
- Special Project, i.e. Control development
Chief Risk Officer [CRO] Roles/Responsibilities [10-12 years]
- Risk Appetite as designated by the business, i.e. Wealth Management [Merrill Lynch] = High Risk
- Develop Key controls
- Assess Key controls
- Maintain Governance, Risk & Compliance [GRC] Portal
- Identify Emerging Risks
- Cybersecurity
- Cloud Computing
- Privacy, i.e. PHI, PII
- Payment Card Industry [PCI]
- SOX 404
- Third-Party vendors
Corporate Strategy
- Overall Risk Appetite
- Controls Reliance:
- Low/Medium/High
Control Reliance Strategy [Value Creation: How? Why?]
- Can IA rely on Risk Management’s work [i.e. workpapers]?