Simple, intuitive, streamlined. That’s our impression, from our implementation experiences with SAP Audit Management, one of the most innovative solutions SAP is currently offering. Thanks to the latest SAP Fiori and HANA technologies, the system offers high usability and flexibility to end users.
Why move from Excel to SAP Audit Management?
Auditing with Excel comes with a high degree of manual effort. Data and processes are managed via Microsoft Office products, emails, local and shared drives. This is not considered a state-of-the-art approach to running an audit department– from annual audit planning, execution to reporting and remediation. In contrast, SAP Audit Management comes with all necessary modules to plan, perform and report audits with high potential to automate and streamline tasks in one place. Each audit activity is represented as its own Fiori application, delivering a clean look and feel to help auditors through the processes. All data is saved in a typical SAP manner: auditable, logged and combined with a flexible and secure user and authorization concept. This makes it easy to handle critical topics like data security and privacy.
Based on its modular structure, SAP Audit Management can be considered for any audit or audit-related topic: business, processes, environmental, health, security or IT. The functionality is extendable to other SAP tools by leveraging pre-configured interfaces. This makes it easy to use data and information from other three lines of defense functions, and to leverage other SAP GRC products such as Risk Management and Process Control. Furthermore, SAP Audit Management includes Fiori apps, providing simple dashboarding and reporting functionality. When it comes to customer-centric dashboards, leveraging any business intelligence technology, SAP Audit Management provides pre-configured data sets to extract data to these systems. With out-of-the-box interfaces, it is possible to enhance the system with the following functionalities of other SAP applications:
SAP GRC Risk Management and Process Control leverages data such as the organizational structure, risk register and assigned measures, as well as internal control data such as process risks and associated controls. The intention for the integration is risk-based audit scoping and establishing a holistic audit universe for yearly audit planning.
SAP Business Integrity Screening for SAP S/4HANA is a solution for detecting, investigating, and analyzing irregularities in data. It can be used preventively, for example to prevent fraud cases within vast amounts of data. This solution is part of SAP Assurance and Compliance Software for SAP S/4HANA.
SAP Analytics Cloud is a comprehensive cloud solution offered as Software as a Service (SaaS) for business intelligence (BI), planning and predictive analytics. It is based on the SAP Cloud Platform and provides a unified and secure public cloud environment to help optimize data-driven decision-making. It allows users to create and share rich reporting. Audit management data can also be combined with third-party information to increase the storytelling.
On a recent SAP Audit Management engagement, we supported one of Europe’s leading online fashion and lifestyle platforms. The scope of the project was to implement SAP Audit Management for the company’s Health, Safety, Security and Environment (HSSE) and Quality Standards and Audits (QS&A) departments. The goal and motivation for both audit functions were to implement a standardized system considering the company’s ambitious growth goals. Our objectives included:
Solution and implementation approach
We developed a standardized structure of the overall audit process for both departments, based on our implementation approach, starting with yearly planning and audit scheduling, assigning staff to the audits, as well as preparing the audit by leveraging pre-defined and standardized work programs. The established work program for each audit function was evaluated using a questionnaire grouped by scope. All questions were answered by employees, who ranked the functions within a range from “no issues” to “severe deficiencies.” In case of deficiencies, the system required the user to document a finding that would be remediated by one or more action items through simple upload of evidence into Audit Management. Based on the selected answer and a weighting of the question, an overall audit score was calculated. After conducting the audit, a management audit report was generated containing key highlights based on the identified findings and their severity, and as a result calculated an overall audit rating. To report on identified findings and associated action items, there is reporting functionality that can be leveraged in preparation for quarterly audit committee reports.
The implementation timeline based on our implementation approach was four months – from the project initiation to the business requirement and design phase where we agreed on the system configuration. After successful user acceptance testing, the system went live and the first HSSE audit was completed with hyper care support from our side within two weeks’ time.
Challenges along the way
As can always be expected, challenges were encountered, including:
- The project’s goal was to bring two audit functions into one system, so consolidation of audit approaches and processes was necessary. Some of the implementation prep work was done upfront by the client but to ensure consistency, the standardization of governance and processes was part of project and, in some cases, a challenge.
- From a technical perspective, we had to extend the system for two required functionalities:
- As mentioned before, the client established the overall audit rating and score. This score is based on each individual question and the selected answer. All questions had to be summed up and aggregated to come to the final scoring. Based on the SAP HANA database technology, these calculation schemes were easily adapted and brought into the application.
- Secondly, the audit report configuration was not able to consider all data contained in the system. Thus, interfaces were programmed to consider, e.g., each question and its result to be automatically be integrated into the audit report.
Overall, the project was delivered on time and on budget, always a win for both the client and Protiviti.
Modern architecture and state-of the art technology
From a technical perspective, the SAP Audit Management system comes with state-of-the-art technologies from SAP including SAP HANA and FIORI applications. It also makes the connection to third-party applications much easier, so that reports and information from the system can be easily processed by tools such as SAP Analytics Cloud, Microsoft Power BI, Excel and others.
We were able to develop the additions mentioned earlier in a fast and cost-effective way.
What does an Audit Management implementation look like?
Orientation and preparation
In this phase, we get to know the company and its processes to optimally align requirements and goals of the project in a roadmap. The goal is a defined approach in the form of a project plan with clear project goals that meet the needs and requirements of the organization and provide clear added value.
Presentation and provision of the system landscape (Tiers 2 and 3). The goal is to establish an executable SAP GRC system landscape that will be available during workshops in order to discuss the requirements directly on the system and later, implement adjustments in the form of configuration.
Discover, design and implementation
During workshops, we define requirements for master data objects, the user experience, workflows, roles and authorizations. Workshops are structured according to subject areas and are then implemented directly in the system. The goal is to complete the previous cycle before the start of a new workshop.
Migration of existing data from third-party systems or from manual entry. This includes formatting and aggregation so the data can be transferred to the SAP GRC format.
Training and handover
We place particular emphasis on a full handover that describes all aspects of customizing and configuration and provides staff with sustainable support in dealing with future challenges. Training is provided for users from the relevant departments as well as for technical managers.
Release and go-live
Transport of the configuration to the production system. Final acceptance and functional test with the responsible persons from the specialist departments and handover of the finished system into productive operation.
Operate and hypercare
Stabilization of system operations after go-live in the form of monitoring the relevant system components and high availability for issues in productive operation, whether from end users or IT operations.
Future outlook and development
Outlook on future topics and observations identified in the scope of the project that will prepare the company for the future and bring it to the next level. We are at your side as a reliable and trustworthy partner.
With SAP Audit Management, audits can be performed in established SAP infrastructures, with all the strengths that SAP systems bring, making concerns regarding the integrity and traceability of audit information (which are common in Excel environments), a thing of the past. In addition, the system comes with various functions to support the integration into existing SAP infrastructures and their processes, so that synergies can be leveraged, and the audit activity can be further digitalized and automated across the principle of three lines of defense.