SAP User's Satisfaction Survey for Post Implementation Review (PIR)

In conducting a Post Implementation Review (PIR), the followings can be considered:

1. How satisfied are you with the system in supporting your business or operation needs?
Very unsatisfied
Unsatisfied
Neither satisfied nor unsatisfied
Satisfied
Very Satisfied

2. Usage of the system has reduced the time and effort of our business and operation activities
Strongly Disagree
Disagree
Neither Agree Nor Disagree
Agree
Strongly Agree

3. The system is operating as per our expectation
Strongly Disagree
Disagree
Neither Agree Nor Disagree
Agree
Strongly Agree

4. Suggestions to further improve the systems in supporting your business or operation activities (if any)?

5. In what area do you require additional systems training (if any)?


6. How useful is the information and reports provided by the systems?
No use at all / not using any report
Not useful
Fairly useful
Highly useful
Very useful

7. Is there any additional reports or information that you require (if any)?

8. Problems or difficulties encountered in using the system (if any)

9. Benefits achieved from the use of system, e.g. time savings, cost savings, better controls, etc.

10. Any specific business or operational requirement that is not provided by the systems implementation?

Overview of SAP

SAP is a German software company founded in 1972. SAP stands for:
 - Systeme, Anwendungen und Produkte in der Datenverarbeitung (in German)
- Systems, Applications and Products in Data Processing (in English)

History

1973 - SAP R/1 - Company’s first financial accounting software package

1979 - SAP R/2 - mainframe system

1992 - SAP R/3 - client server based system

2005 - SAP ERP Central Component (ECC)

SAP ECC Components

• SAP Financial 
• Financial Accounting : FI (AP, AR, GL)
• Controlling: CO (Mgt Accounting, Product Costing)
• SAP Logistics
• Materials Management: MM (PR, PO,GRN, Inventory Mgt)
• Sales & Distribution: SD 
• Production Planning: PP
• Quality Management : QM
• SAP BASIS
• ABAP report programming
• Security administration
• SAP HR 

SAP Related Audits

Generally the audit on SAP can be categorised into 3 major areas as listed below:

1)       General IT Controls Audit

Data Centre (Operations & Backup of SAP data)

SAP Disaster Recovery (Infrastructure and DR test)

Operating Systems security (e.g. AS/400 audit)

Helpdesk (SAP related request and Change Management)

Post Implementation Review (PIR) covering user satisfaction, achievement

2)       SAP Modules Audit (Operational & IT Audit)

MM module (procure to pay)

-          PR, PO, GRN (process & compliance with SOP/LOA)

-          Vendor Master Data

-          Material Master Data

-          Access and Reports

SD module (order to cash)

-          Customer Master Data

-          Credit Limit Management

-          SO, DO, Invoice, Collection

-          Access and Reports

FICO module

- AP

- AR

- GL

- FA (Assets Master Listing)

- Access and Reports

PP and QM module

-          MPS

-          MRP

-          Material Master Data (MRP and QM view)

-          Access and Reports

3)       Operational Audit Utilising SAP Data

Distribution/Logistic audit

-          On Time In Full (OTIF) of the Delivery

-          Returned Orders (reason – wrong delivery, wrong product picked)

-          Transportation Cost - Budget vs Actual Expenses (figure from FICO)

Inventory Management

-          Stock Reports

-          Stock Take

-          Slow Moving Stocks

-          Stock Write-Off (from FICO)

-          Short Expiry Products

-          Returned Orders (reason – expired, shelf life too near)

Sales & Marketing

-          Sales & Marketing Cost - Budget vs Actual Expenses (figure from FICO)

-          Profitability Analysis (By Product/salesman via COPA drilldown report)

-          Collection and Aging

-          Returned Orders (reason – slow off take, wrong order taken)

Procurement

-          Vendor Evaluation & Registration

-           PR

-          POs

-          GRN 

-          Invoice Receipt

Continuous auditing

Continuous auditing is the application of automated tools to provide assurance on financial and non-financial data within a company. Continuous auditing uses a set of tools to check whether a company’s financial information is handled correctly and if internal controls are functioning to prevent errors and fraud (Wikipedia).

According to ISACA, continuous auditing has been defined as a methodology or framework that enables auditors (external and internal) to provide written results on the subject matter using one or a series of reports issued simultaneously. The ability to report on events in a real-time or near real-time environment can provide significant benefits to the users of audit reports. Continuous auditing is therefore designed to enable auditors to report on subject matter within a much shorter timeframe than under the traditional model. Theoretically, in some environments it should be possible to decrease the reporting timeframe to provide almost instantaneous auditing.

http://www.youtube.com/watch?v=pzT1Y8cYp_g

CobiT: Helping to align IT with Business Strategy

Summary of CobiT, and how it impacts alignment of IT with Business Strategy, and uses performance measures.
K2 Performance Group
http://www.k2performancegroup.com

Security concerns regarding Cloud Computing

Gartner defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided “as a service” using Internet technologies to multiple external customers.

Besides the benefits, there are risks associated with cloud computing, e.g.:-

User administration occurs over the Internet, if there is no encrypted line or secure line, communication over Internet happens in clear text.

Usage of browsers e.g. IE, Firefox may have vulnerabilities if not updated with latest security patches.

Auditors need to review the criticality of application data sent over the cloud, cloud vendor's policy on vulnerability and commitment to security breaches.

As per other outsourcing risk, auditor needs to determine whether an independent auditor's report or audit rights is included in the contract or service level agreement.

What is ITIL?

Information Technology Infrastructure Library is a set of concepts and techniques for describing, managing and documenting information technology (IT) services.

What is Cloud Computing

Confused about the term "Cloud Computing"? Want to be "with the times" when you talk about new technology buzzwords? This video boils down a section of Cloud Computing, that of Cloud Infrastructure and Cloud Hosting in a way that everyone can understand!

Audit Program for Auditing Small or Medium size Computer Operation (IT Operation)

1) Inventory

•Identify the hardware and operating systems in used.

•Determine if there is a contract for the hardware and operating systems support.

•Identify the vendor and services performed

2) Maintenance

•Is there a maintenance agreement on the computer equipment available? Ensure that maintenance is performed as scheduled in the agreement.

3) Computer Room Physical Security and operational controls

Assess the adequacy of physical and operational controls of the computer operations area including:-
a. Computer room housekeeping.
b. Computer room security.
c. Expansion possibilities.
d. Personnel safety.

Computer room housekeeping.

•Is the computer room maintained in an orderly manner? Ensure that paper supplies / boxes are neatly kept to minimize outbreak of fire from spreading.

•Are wires/cables neatly arranged to prevent tripping or accidental disconnection?

Computer room security.

•Is there a dedicated computer room to house the computer equipments e.g. server, network equipment, switch, hub, etc.?

•Are computer devices e.g. servers and cabling protected to prevent unauthorized access or interception?

•Are there any procedures for granting access to the computer room? Evaluate the effectiveness of the procedures.

•Is the door to the computer room always locked to prevent unauthorized access?

•Is there any physical access control system installed. Evaluate the adequacy of the system. Ensure that only authorized personnel are granted access to the computer room.


Operational controls
•Are there are any fire suppression systems installed in the computer room? Evaluate the adequacy of the system. Determine if staff are trained on its usage.

•How many fire extinguishers are available on the premise? Are the fire extinguishers serviced regularly?

•Is the operating environment conducive for a computer system to be operating at desired levels? Temperature and humidity should be controlled at tolerable levels to ensure optimum usage and protection of computer hardware/software.

•Is there an Uninterruptible Power Supply (UPS) available?

4) Backup

•Determine the frequency and type of backup performed e.g. system, data. Ensure that backup media are not exposed to environmental damage.

•Are backup media appropriately labeled to avoid confusion?

•Are backup media securely stored?

•Determine if data and program files are adequately retained and backed-up at off-site facilities.

5)Disaster Recovery

Review contingency plans to determine if management has provided for alternative processing for users in the event of loss or interruption of the main computer facility.

6)Insurance Coverage

Review the adequacy of insurance coverage for IT equipments i.e. :-
•Are all computer system related hardware are insured against damage or loss?
•If insured, obtain the insurance policy to ensure completeness and adequacy of the coverage

7)Software Licenses
•Are all software installed in the computers licensed copies?
•Account for the original software packages purchased.

8)Output control / Report printing

•How are outputs e.g. reports distributed to user departments? Controls should be in place to ensure all reports are distributed safely to user departments.

•Is there acknowledgement of receipt? Can these reports be intercepted without being noticed?

•Is there adequate control over the printing, storage and/or destruction of sensitive documents or reports? These documents should be shredded when no longer required. Observe whether such practice is enforced.

IT Policies

Policies are highlevel documents which represent the corporate philoshopy of an organization. For policies to be effective, it must be clear and concise.

Manage should review all policies periodically. Policies need to be updated to reflect new technology and significant changes in business processes. Policies formulated must enable the achievement of business objectives and controls implementation.

IS auditors should reach an understanding of policies as part of the audit process and should test these for compliance. Controls should flow from the policies and the IS auditors should use policies as a benchmarking for evaluating compliance. If policies hinder the achievement of business objectives, these must be reported for improvement.

Internet Security

Connection to Internet presents security issues. Organization must have adequate control to protect the data availability, confidentiality and integrity.

The company internal network should be separated from the external network (e.g. Internet). Typically a firewall separates an the internal network from the external network. Firewalls are an essential part of network security. They are used to protect the internal network from external threats that can compromise data, assets and resources—and even reputation.

Public and Private Network

During the application audit, determine whether the application data travels through public networks or private networks.

Public networks uses public telephone lines. This may be the most economical, but lower quality and security measures may be ineffective.The major concern in using public network for electronic data exchange is security. Unprotected data sent accross the Internet is susceptible to being viewed, copied or modified by unauthorised persons.

On an unsecured network, packets can be intercepted by a perpetrator, the contents changed, then forwarded on to their destination with erroneous information. This kind of attack is also known as MiddleMan attack. For example, an intruder can modify an order placed to a supplier over an unsecured network, by, lets say, changing the order quantity from 10,000 to 10

Private line are dedicated facilities e.g. satellites or telephone lines, leased from a common carrier. No dial-up access is required and security is enhanced. Leased lines are expensive to setup and maintain. Businesses relied on private lease lines to link offices so that workers could share information over WAN (Wide Area Network) and providing high degree of privacy.

Another solution that is relatively less expensive to solve the security problem is via Virtual Private Network (VPN). Using VPN, a company can connect each offices or LAN to a Internet Service Provider (ISP) and routes data through Internet. The success of VPN depend on secure encryption that protect data while in transit on the Internet.