How do I get more value from my SAP system? This was the title of a study conducted by KPMG Audit, IT Advisory and Tax, of organizations using SAP. Besides questionnaires and interviews, a series of round tables were organized. The research included topics relating to the optimization of SAP, such as centralization, business process management, VAT and financial audit innovation. The study was published in December 2009 in a limited edition ([KPMG09]) for the organizations involved.
This article primarily discusses the views of KPMG in the field of AudIT Innovation. It will describe developments in organizations and the reaction of their auditors to them. Then it provides feedback on the survey results, along with a summary of the round-table discussions.
Vision of KPMG
The prevalent audit approach has not changed substantially in recent decades. Of course, we now use computers, and there are digital files, but the core of the approach is still based on separate investigation of each legal entity (whether for consolidation purposes or not) and, where applicable, of local statutory obligations. This is in sharp contrast to developments that we now see in companies, which are increasingly concerned with standardizing and centralizing their primary business processes. In general, two IT trends make an innovative IT-driven control approach possible:
Increased use of IT: Companies are increasingly employing IT systems in support of their primary processes. This now goes beyond simply keeping a record of accounts (purchasing, sales, and finance) in an ERP system. The increased use of IT involves automating accounting procedures. Nearly all companies now have web shops or other online portals through which they communicate with customers and suppliers.
Centralization of IT: Particularly in large companies, there is a clear tendency and desire to reduce the number of different IT systems. New techniques make it possible to integrate large parts of a company within one IT system. While, in the past, almost every operating company had a separate IT system, now there is sometimes only one or a limited number of IT systems. Usually, computing is organized by business unit (division, business group) or geographic region (Europe, Americas, Asia).
Of course, the business cases behind these IT trends are not motivated by any desire to provide the external auditor with an innovative approach to IT control. The aim of organizations in centralizing IT systems is primarily to save costs and to standardize the processes supported by IT. Specifically, we see two points that might lead to innovation in an audit approach:
Top down: When organizations have central IT systems, the audit approach can also be centrally organized. The idea is that testing is no longer performed bottom-up in each legal entity but top-down for each IT system. The more legal entities are included in the central IT system (homogeneous control environment), the greater the synergy gains in the audit approach.
IT-driven: Because more processes are supported by IT systems, the transactional flows in an organization (e.g. purchasing, sales) are tested using the IT system. This involves a combination of control-oriented approaches (testing application controls) and substantive procedures. More detail on this subject is provided in the frame.
The financial auditor tries to perform an efficient and effective financial audit. Centralized data and (financial) processes enable routine transactional processes to be audited more efficiently. The auditor will require less time for manual checking of these processes and can focus on non-routine items. When the auditor relies on operational transaction and process controls, it often becomes apparent that the organization itself needs the insight these controls provide. If an organization starts to monitor these controls and make the results available, there will not only be a positive and continuous impact on the organization’s internal control system, but the auditor will also be able to use the same techniques. This approach is called continuous monitoring or continuous improvement ([KPMG08]).
AudIT: a three-stage approach
Broadly speaking, the AudIT approach is mirrored in the specific state of development in a given organization. KPMG has developed a maturity model that represents the growth of this AudIT approach (see Figure 1).
Figure 1: Maturity model for AudIT approach
Stage 1: Multiple ERPs
The multiple ERP stage relates to organizations that have established a separate ERP or IT system for each country or each distinct corporation. It is often a limited IT control environment in which organizations do, in fact, implement general IT procedures, but little attention is given to automated controls within business processes. For audits of financial statements, the auditor often chooses a local substantive approach. The possibilities of working efficiently are limited, and there is a real risk of duplicating audit work in various countries. Ultimately the result may be suboptimal practice.
Stage 2: Central ERP
With cost reduction as a key incentive, many organizations have been centralizing their ERP systems. This often takes place in conjunction with the establishment of shared service centers. This centralization makes a top-down audit approach possible. There are fewer local procedures required for the execution of central processes, and insight is obtained centrally. Completeness of revenue can, for example, be centrally tested by determining if all sales orders in all countries have been properly carried out, invoiced and ultimately recorded in the accounts. Centrally verifying that (routine) transactions in the sales process are correctly and fully processed frees local auditors from having to execute any procedures concerning these items. The reduction in work might also entail a reduction in audit fees.
Stage 3: Continuous monitoring
The third stage of the audit maturity model is identified as continuous monitoring. This is a logical continuation of the previous stage, as the task of generating various insights into business processes passes from the auditor to the organization itself. This shift often arises from the organization’s need to have a continuous view of its internal control status. Special tools are often used to accomplish this continuous monitoring. So-called “rules” are defined in these tools, against which the data in the ERP system is continuously analyzed for possible violations. Exceptions are then reported to the responsible employee for further follow-up. For the example mentioned in the previous stage, this would mean that any exceptions to the completeness of revenue could be resolved immediately.
In addition to solving problems before they develop further consequences, this approach also provides insight into the quality of the processes and controls. Analyzing the causes of problems on an ongoing basis makes it possible to modify the system in response to the analytical results as they occur, and thereby prevent future recurrence of similar irregularities.
The AudIT approach in practice
There is currently a clear transition between the traditional audit approach (multiple ERPs) and the future audit approach (central ERP and continuous monitoring). In the traditional approach, local teams simply run through each item on the balance sheet. The local results are analyzed by the business unit or process teams before being forwarded to the central team (see Figure 2).
Figure 2: Transition to AudIT approach
Future audits will make more use of centrally accessible SAP systems and either the manual or automated controls of a shared service center. An ERP-based audit approach is very efficient and effective. It is efficient because maximum use is made of automated controls and segregation of duties. Its effectiveness is due to the exposure of non-segregated duties and/or poorly functioning controls by means of data analysis with support from IT auditors.
The ERP-based audit approach focuses the audit explicitly on exceptions in routine processes. In addition, the financial audit and central teams will concentrate on non-routine processes such as valuations and analytical procedures. In extreme cases, the local teams will only verify the existence of assets and inventories. Besides efficiency gains, experience has shown that the AudIT approach creates more added value, enabling collaboration with the organization in identifying opportunities for business improvement.
Specific survey results
The interviews revealed that auditors were using the SAP system in performing audit procedures. Survey results (from a total of 31 organizations) also show that the organizations are at different stages of maturity (see Figure 3). For instance, most organizations are still using the multiple ERP approach (22). Most of them are already moving to centralized ERP, usually by means of centralization projects. Central ERPs are present in eight organizations. Only one organization is at an even higher stage of maturity, as it has implemented continuous monitoring. The potential for further optimization is certainly there.
Figure 3: Results of the survey on the AudIT approach
It is interesting to note the variety of IT audit procedures performed by the auditors involved in these organizations. In general, it is possible to distinguish how the auditor uses the SAP system in the audit by focusing on the following:
- IT general controls (13 organizations): Testing of the so-called IT general controls (ITGC) and the segregation of duties involved in the process. These controls result, however, in little to no direct increase in audit efficiency.
- IT application controls, in addition to ITGC (12 organizations): The use of IT application controls (ITAC) places the emphasis on testing the SAP configuration controls in the business processes. Frequently mentioned examples are the three-way match and automatic invoicing. These controls can increase audit efficiency. However, the gain is often limited because only one specific flow of transactions is tested.
- Data analysis, in addition to ITGC and ITAC (6 organizations): Data analysis makes it possible to check all transactions in the SAP system. In reviewing paid invoices, for example, an organization can use three-way and two-way matching to identify those that were registered outside tolerances or entered directly into the accounts, taking segregation of duties into account. Only a limited number of exceptions then need to be investigated further, just enough to establish the extent of the errors and obtain substantive audit evidence (positive assurance).
The frame displays a detailed case study showing how data analysis of the procurement process can be used to effectively identify and assess residual risks.
Combining the above insights allows us to conclude that the manner in which auditors use IT audit procedures often depends on the maturity of an organization. A multiple ERP approach allows auditors to primarily focus on ITGC and segregation of duties. Practices supplemented by ITAC and data analysis are less commonly used at this level. It is nevertheless striking that, despite the multiple ERP approach, data analysis is still used in the audit approach. This suggests that the audit approach has developed in advance of the maturity of the organization. In such cases, the auditor has a better understanding of SAP processes than the organization does, so that added value is generated by the auditor even at this level of maturity.
As the maturity of the organization increases, the use of IT audit procedures is adjusted by the auditor. As a consequence, relatively greater focus comes to be placed on ITAC and data analysis.
In summary, it can be said that auditors use IT audit procedures to provide added value to the audit and the organization at all levels of maturity. The further centralization of the organization will also lead to continued modification of the approach and, consequently, greater optimization of the audit approach.
Results of round tables
The round-table discussions on June 17 and July 9, 2009 were opened by citing a practical case study of continuous monitoring by Philips Electronics. It revealed that successful continuous monitoring not only provides better and more effective control but also more transparent business processes that enable potential process improvements to be identified. The result is improved collaboration with local units. The message delivered to local units should therefore be, “we are coming to help you improve,” instead of, “we are imposing even more central monitoring.” Continuous monitoring and continuous improvement thus go hand in hand.
During the round-table discussions, it was noted that the old and new audit approaches are, in principle, the same but that technology now makes auditing cheaper and faster. As a result, there is time available to better examine and understand anomalies. Such investigation did not take place in the past. However, continuous monitoring can also be seen as continuous auditing; the auditor can provide input throughout the year so as to largely prevent surprises at the end of the year. This clearly provides more added value and distinguishes the new approach from the old.
This new approach was appealing to most of the participants. The centralization and harmonization of IT and shared service centers are still regarded as challenges. Many divisions continue to work in their own way (locally oriented). “Company-dependency should be eliminated.” Management must make decisions about this issue, and enforce and implement them throughout the organization.
When asked whether continuous monitoring is only relevant to SOx organizations, the participants answered with a resounding “no.” The argument that “the auditor requires it” does not appear to promote the growth of continuous monitoring. The main thrust must be that organizations are longing for a continuous process: “better control is a useful by-product.” When these organizations become more aware of their processes, it often turns out that “SAP is still not being fully used to the best advantage.”
Compliance and control often have a negative connotation. It is important to emphasize the positive side, so these elements are seen as providing added value. One participant gave the example of assigning employees more responsibilities within the organization once they have their processes demonstrably better under control. Better process management also provides better management and control information.
The participants had different views on whether the auditor should be involved in such programs. The process should be primarily borne by the organization and not an “exclusive” responsibility for the auditor. On the other hand, the auditor may be used as a challenger to ensure that the process continues to make satisfactory progress.
Also discussed was the question why standard SAP BW does not support continuous monitoring, or whether it could easily be extended with this function. SAP BW is, however, mainly used for displaying financial and aggregated data, and it currently offers no standard functionality for reporting anomalies in operational business processes. SAP does have other tools available for monitoring business processes. For instance, SAP offers the Business Process Monitoring module of the SAP Solution Manager, in addition to the Governance, Risk and Compliance (GRC) “Process Control” tool. Besides SAP, there are other vendors that provide tools for monitoring business processes.
Centralization of organizations (e.g. by establishing shared service centers) and centralized ERP systems not only yield cost savings for the organizations in question, but may also enable a subsequent innovative step in the financial audit approach.
The survey results show that the maturity of the audit approach is often associated with the degree of centralization in organizations. The described “bucket approach” reveals, however, that added value may also be gained by organizations that are locally oriented.
During the round-table discussions, it became clear that these organizations expect the auditor to adopt a proactive stance. Ultimately, all participants agreed that the new audit approach is a joint effort achieved by making the necessary changes in the audit approach, SAP systems and the organization. Only then can the new approach yield added value for the audit and the organization.
Practical example of data analysis in the AudIT
The “KPMG Bucket Approach” explained
Many companies are striving to automate as many of their routine processes as possible. The accounting treatment of purchases and sales is an example of this type of routine process. During financial audits of these processes, maximum use could therefore be made of the controls in the process enforced by IT (applicative controls) and controls that are supported by IT (data analysis).
Data analysis is a monitoring control of a detective nature, focused on all data processing in a given period (also known as “substantive testing”). This method of analysis provides insight into the situations where peculiarities in operations occur, defining their materiality in euros or indicating that further investigation is required. The applicative controls, by contrast, are preventive in nature and a precondition for this analysis. To illustrate the power of data analysis, a concrete example for the procurement process is elaborated below.
Fact-based auditing of the procurement process
Various workflows are distinguishable in the procurement process, each with its own risk. Identification of these risks results in the formulation of control objectives mainly focused on appropriate, timely and complete processing of goods received, invoices and payments.
Figure 4: Process control in the procurement process on the basis of risk profiles for each flow
Partly due to the segregation of duties in this process and the supporting applicative controls, each workflow has its own residual risk. Combining the workflow with the subject of the study (goods received, invoices and/or payments) creates “buckets” of residual risk, each requiring its own investigation. At KPMG, this approach is known as the “Bucket Approach”. Figure 5 uses an example situation to further classify the “buckets” and the residual risks. The strength of this approach lies in the completeness with which all invoices and payments are evaluated. In this way, attention is not only paid to the material exceptions, but support is also derived from the “positive assurance” that results when the procurement process is concluded on the basis of three-way and two-way matches.
Figure 5: Process control based on data analysis
In this example, ninety percent of the invoices with a value of fifty percent of the total procurement flow are directly entered and not linked to an order. No use is therefore made of the power of a control based on three-way and two-way matching. Apart from the increased internal control risk, manually approving all these invoices before making payment is extremely labor intensive.
Another noteworthy bucket is “blocked invoices,” having an acceptable final state with regard to materiality defined in euros and quantity. When entered into SAP, purchase invoices may be blocked for payment if the set tolerance limits on two- or three-way matches are not met. In addition, invoices can also be manually blocked for payment. Further investigation of the “blocked invoices” in this example led to the following conclusions:
- The tolerance limits in SAP for maximum deviation from the amount of the placed order were set at one percent or € 50 per invoice.
- 844 invoices matched with purchase orders (and a total value of € 89,908,445) were mistakenly blocked for payment and later made payable. A total of 4,090 purchase invoices matched with purchase orders were processed, implying that 21 percent of invoices were blocked for payment.
Figure 6: Purchasing / Accounts Payable: two- / three-way matching exceeding tolerance (blocked invoices)
The issue confronting the organization was that the automatic authorization of invoices may result in unwanted financial losses, while the manual approval of invoices outside SAP is a disproportionately inefficient manner of processing invoices.
In the situation of the example, it was advisable to investigate the causes of blocked invoices and determine if it was possible to further reduce their number by, for example, promptly recording receipt of goods or adjusting tolerances.
Another discussion in financial auditing concerns the impact of segregation-of-duties conflicts (SOD conflicts). Data analysis can, for example, indicate the extent of any such conflicts involving receipt of invoices and their payment (see Figure 7).
Figure 7: Segregation-of-duties conflicts (also known as SOD conflicts) involving invoices
- Sixteen percent of purchases (€ 3,284,000) were implicated in SOD conflicts involving receipt of an invoice and the release of the same invoice for payment.
Non-segregation of the two duties may result in unwanted payment authorizations for invoices and subsequent financial losses. The financial transactions pertaining to SOD conflicts should be evaluated in terms of their undesirability. In addition, SAP segregation of duties involving the registration and release of invoices must be consistently implemented.
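As an added illustration, not part of the original article or of KPMG’s own tooling, the following Python sketch applies the bucket analysis described above to a constructed set of purchase invoices: direct entries without an order, two- and three-way matched invoices within tolerance, invoices blocked for exceeding the 1 percent / € 50 tolerance or blocked by hand, and SOD conflicts where the same user registered and released an invoice. The field names, the sample data and the rule that exceeding either tolerance limit blocks the invoice are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

TOL_PCT, TOL_ABS = 0.01, 50.0  # tolerance from the article's example: 1 percent or EUR 50


@dataclass
class Invoice:
    doc: str                    # invoice document number (constructed)
    amount: float               # invoiced amount in euros
    po_amount: Optional[float]  # matched purchase-order amount; None = entered directly, no order
    goods_receipt: bool         # goods receipt posted (three-way match) or not (two-way match)
    entered_by: str             # user who registered the invoice
    released_by: Optional[str]  # user who released it for payment; None = not yet released
    manual_block: bool = False  # payment block set by hand


def over_tolerance(inv, tol_pct=TOL_PCT, tol_abs=TOL_ABS):
    # Assumption: exceeding either limit blocks the invoice; the article does not say how they combine.
    diff = abs(inv.amount - inv.po_amount)
    return diff > tol_abs or diff > tol_pct * inv.po_amount


def bucket(inv, tol_pct=TOL_PCT, tol_abs=TOL_ABS):
    """Assign one residual-risk bucket, in the spirit of the article's Figure 5."""
    if inv.po_amount is None:
        return "direct_entry_no_po"
    if inv.manual_block:
        return "blocked_manual"
    if over_tolerance(inv, tol_pct, tol_abs):
        return "blocked_over_tolerance"
    return "matched_3way" if inv.goods_receipt else "matched_2way"


def sod_conflict(inv):
    """Same user registered the invoice and released it for payment."""
    return inv.released_by is not None and inv.released_by == inv.entered_by


def analyze(invoices, tol_pct=TOL_PCT, tol_abs=TOL_ABS):
    """Count and euro value per bucket, blocked share of order-matched invoices, SOD conflicts."""
    total = sum(i.amount for i in invoices)
    buckets = {}
    for inv in invoices:
        b = buckets.setdefault(bucket(inv, tol_pct, tol_abs), {"count": 0, "value": 0.0})
        b["count"] += 1
        b["value"] += inv.amount
    for b in buckets.values():
        b["share_of_value"] = round(b["value"] / total, 3)
    po_invs = [i for i in invoices if i.po_amount is not None]
    blocked = [i for i in po_invs if bucket(i, tol_pct, tol_abs).startswith("blocked")]
    sod = [i for i in invoices if sod_conflict(i)]
    return {"total_value": total, "buckets": buckets,
            "blocked_share_of_po_invoices": round(len(blocked) / len(po_invs), 3) if po_invs else 0.0,
            "sod_conflicts": {"count": len(sod), "value": sum(i.amount for i in sod),
                              "documents": [i.doc for i in sod]}}


SAMPLE = [  # constructed sample: seven invoices, three users
    Invoice("INV-1", 1000.0, None, False, "alice", "bob"),          # no order
    Invoice("INV-2", 2040.0, 2000.0, True, "alice", "bob"),         # +40 exceeds 1 percent of 2000
    Invoice("INV-3", 2015.0, 2000.0, True, "alice", "bob"),         # within tolerance
    Invoice("INV-4", 500.0, 500.0, False, "carol", "carol"),        # two-way match, SOD conflict
    Invoice("INV-5", 12000.0, 12000.0, True, "carol", None, True),  # blocked by hand
    Invoice("INV-6", 3000.0, None, False, "carol", "carol"),        # no order, SOD conflict
    Invoice("INV-7", 8100.0, 8000.0, True, "bob", "alice"),         # +100 exceeds EUR 50
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Feeding the real invoice population through `analyze` gives the bucket sizes, the blocked share of order-matched invoices and the SOD exposure that the article reports as 21 percent and 16 percent in its own case.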
These examples illustrate, in a fact-based manner, that both internal control and the efficiency with which accounts are kept can be clearly improved.
Implementing such improvements would lead to a very specific and efficient centralized approach, generating a great deal of added value in the form of recommendations for specific process improvements. In this way, both the audit and the organization benefit.
[KPMG08] Governance, Risk, and Compliance Driving Value through Controls Monitoring, KPMG IT Advisory, 2008.
[KPMG09] Consolideren of Excelleren, ‘Hoe haal ik meer waarde uit mijn SAP-systeem?’, KPMG IT Advisory, December 2009.