
Guiding Auditors in an SAP Environment



Enterprise resource planning (ERP) systems automate and integrate the majority of a company’s business processes, producing consistency. They do this by sharing common data and practices across an organization, leveraging one-time data entry, and providing access to information in real time. To help in this working environment, ISACA recently released a go-to reference book for auditors that they can dog-ear with sticky note flags sticking out of the top and return to year after year.

Since the 1990s, businesses have been managing their operations with ERPs, which have enabled centralized control over operations by implementing a common data model and integrated business processes. SAP has been a leader in ERP systems from the beginning and uses a process-driven approach to match business processes with application processes.

SAP’s core product is SAP ERP (also called Enterprise Core Component [ECC] 6.0). SAP ERP is configurable and integrated across modules. This creates a system that is flexible but also complex. Because of the complexity and variability of configuration across industries, many companies are starting to use automated tools to assist in tracking and monitoring compliance. Systems such as SAP Governance, Risk, and Compliance (GRC) are common in large organizations to monitor and manage ongoing compliance. Information technology auditors are also finding that it takes an SAP-specific skillset to audit these systems. This knowledge is required to understand the risks and the controls that mitigate those risks.

The ISACA Security, Audit and Controls Features of SAP ERP 4th Edition brings together detailed information related to SAP ERP-specific risks, controls, and testing procedures. The handbook is separated into modules that cover the risk and controls, followed by testing procedures for both configuration and security. The book was designed as a long-term reference guide for auditors working in an SAP environment—a handbook written by auditors for auditors.

The 4th Edition provides an update of previous sections and adds sections for Finance, Controlling, Human Resources, and Security with a focus on SAP ECC 6.0. The handbook walks through each of these new sections in detail with the same methodology used to cover the other areas (risk, mitigating controls, and testing procedures). In addition, this latest version also comes with downloadable audit plans that are COBIT 5 compliant. It is nearly a completely new book!

The 4th edition was a great opportunity for Deloitte Advisory and ISACA to work jointly to rewrite and build upon a great foundation, producing a new edition that refreshes and expands the scope of the original book.

Ben Fitts
Deloitte Advisory

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP.
Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


