Audit Work Paper
By: meiling2 • May 15, 2019 • Course Note • 1,782 Words (8 Pages) • 855 Views
A1.1 Ask the management to obtain and review policies and procedures used by the SAP approver regarding SAP Account Request form and ensure they are properly detailed and approved.
- On December 1st, I obtained a copy of PPI_Corporate security policies, which was updated on 11/1/2016. The document was obtained by the IT personnel management. The copy of the document contained detailed instructions on the authorization process. It provided instructions on approving new user account request forms and requesting updates to user accounts.
- The policy document has been attached as evidence A1.1.
- BB
A1.2 Select one sample Account Request Form and work with the control team to perform a walkthrough of the process from SAP system to IT system.
- On December 15th, I selected one sample SAP account request form from the SAP manager. I worked with the control team to perform a walkthrough of the sample account request form. I observed that it was a complete form that was authorized by David Lopez and had an authorized access assignment.
- BB
A1.3 Use the sample size of 10 Account Request Forms on new user accounts to check if all account request forms are appropriately reviewed and approved by the appropriate authorized approver and authorized access assignment prior to being introduced into IT system.
- On December 20th, I determined to review all 10 new user account request forms. These forms were provided by one of the SAP managers.
- I checked all new user account request forms along with the signature of the authorized approver in each department. All request forms had been properly authorized by appropriate approvers. The user named Micah Cammai could access Profile_GeneralAccounting and Profile_Adjusting Entries. ISSUE NOTED in Audit Findings Document.
- I observed that the new user named Adam O’Toole could not have access to the Profile_ManageInventory in line with his job responsibility. ISSUE NOTED in Audit Findings Document.
- The SAP account request forms have been attached as evidence A1.3.
- BB
A2.1 Ask the management to obtain and review policies and standard used by SAP approver regarding SAP account change forms. Ensure that they are properly detailed.
- On December 1st, I obtained a copy of PPI_Corporate security policies and standards to review user account change forms which was updated on 11/1/2016. The document was obtained by the IT personnel. The copy of the document contained a detailed standard over the authorization process on the change forms.
- The policy document has been attached as evidence A2.1.
- BB
A2.2 Choose a sample of account change request form and work with the control team to perform a walkthrough of the process from SAP system to IT system.
- On December 15th, I selected one sample SAP account change form from the SAP manager. I worked with the control team to perform a walkthrough of the sample account change form. I observed that it was a complete form that was authorized by Jerry Misouk and had an authorized access assignment.
- BB
A2.3 Use 3 samples of Account Change Request Forms to validate if all account request forms are appropriately reviewed and approved by the appropriate authorized approver and authorized access assignment prior to being introduced into IT system.
- On December 20th, I decided to go through 3 samples of SAP account change forms. I obtained these forms from one of the SAP managers. I verified that the sample change forms were properly authorized and had appropriate access assignment in line with employees’ job responsibilities.
- BB
B1.1 Ask the employee who has authorized access to sensitive profiles to obtain and review these profiles. Document the results.
- At the end of November, I obtained a list of sensitive profiles that could be assigned to employees. The following was identified:
Profile Name | Description of access rights |
Profile_Adjusting Entries | |
Profile_ClosePeriod | |
Profile_ITOperations | |
Profile_Payroll | |
Profile_ITSecurity | |
Profile_SysAdmin | |
- Information gathered is attached as evidence B1.1.
- BBoe
B1.2 Select the sensitive profiles and review users who can access these sensitive profiles. Ensure that each user has access rights based on job responsibility. Document the results and mark any related issue.
- I determined to review all user accounts that had sensitive profile access rights.
- On November 30th, I observed the SAP manager log into the SAP user account listing. I documented a listing of all user IDs. All user IDs were followed by their last name, first name, and assigned access rights. I picked out all users with sensitive access rights and compared the IDs and user names with lists from Human Resources regarding employee titles. The chart analyzing user IDs is presented below.
- ISSUE NOTED: The user ID alinder belongs to user Anne Linder. This person takes on fixed asset responsibility and does not need access to Profile_SysAdmin. The user ID cbuncker belongs to user Cara Buncker. This person takes charge of payroll responsibility and does not need access to Profile_SysAdmin. The user ID Ichang belongs to user Lucas Chang. This person is a compensation analyst and does not need access to Profile_ClosePeriod. The user ID mwilliams belongs to user Maggie Williams. This person is a recruiter and does not need access to Profile_Adjusting Entries.
- BB
C1.1 Ask HR department to obtain and review policies or procedures related to the employee termination process.
- On December 25th, I obtained a copy of PPI_Corporate security policies and standards to review terminated SAP account policy which was updated on 11/1/2016. The document was obtained by the IT personnel management. It provided a brief instruction on the overall termination request. The policy or standard did not address any procedures for termination steps. ISSUE NOTED in Audit Findings Document.
- The policy document has been attached as evidence C1.1.
- BB
C1.2 Select one sample from the termination list and trace the termination procedure from beginning to the end.
- On December 25th, I reviewed an HR termination list which was obtained from the HR Department of Pamela’s Plant Inc. I went through the detailed information in the HR termination list to verify that necessary information, such as the date of termination of each employee, was accurate and reliable. I observed that there were 11 users terminated throughout the year 2016.
- The HR Termination List has been attached as evidence C1.2.
- BB
C1.3 Check the date of termination in the sample termination list and compare the names of certain terminated employees with those in the SAP user account listing. Verify that the accounts for all terminated employees have been disabled or removed from the systems.
- On December 25th, I observed that there were 11 users terminated throughout the year 2016 in the HR termination list and these users should have been removed from the SAP user account listing.
- I documented the result of this procedure. The spreadsheet is shown below:
- ISSUE NOTED: The user ID lpatelli belongs to user Patelli Lorenzo. This person terminated the user account on 2/20/16 and should not have authorized access to Profile_RunReports.
- BB
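The C1.3 comparison can be re-performed in code from the two exports. The following is an added example, not part of the original work paper: the CSV column names, status values, audit date and every row other than lpatelli are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports; column names and status values are assumptions.
# Only the lpatelli row (terminated 2/20/16, Profile_RunReports) is from the work paper.
HR_TERMINATIONS = """user_id,termination_date
lpatelli,2/20/16
jdoe,6/30/16
asmith,11/15/16
"""
SAP_USERS = """user_id,status,profiles
LPATELLI,active,Profile_RunReports
asmith,locked,Profile_RunReports
bnguyen,active,Profile_Payroll
"""

def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_rows, sap_rows, as_of):
    """List terminated users whose SAP account still exists and is not disabled."""
    # Index SAP accounts case-insensitively, since the two exports may differ in case.
    sap = {row["user_id"].strip().lower(): row for row in sap_rows}
    exceptions = []
    for hr in hr_rows:
        uid = hr["user_id"].strip().lower()
        terminated = datetime.strptime(hr["termination_date"].strip(), "%m/%d/%y").date()
        account = sap.get(uid)
        if terminated > as_of or account is None:
            continue  # not yet terminated, or account already removed
        if account["status"].strip().lower() != "active":
            continue  # account disabled: the control operated
        exceptions.append({
            "user_id": uid,
            "terminated": terminated.isoformat(),
            "days_open": (as_of - terminated).days,
            "profiles": [p for p in account["profiles"].split(";") if p],
        })
    return exceptions

if __name__ == "__main__":
    # Audit date is an assumption (the work paper gives December 25th without a year).
    for finding in reconcile(load(HR_TERMINATIONS), load(SAP_USERS), date(2016, 12, 25)):
        print(finding)
```

Running the full population through this check, rather than a sample, also gives the number of days each exception stayed open after termination, which supports the finding's severity rating.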
D1.1 Ask the managers about the monitoring process. Also obtain and review existing user accounts to determine whether there were any inappropriate access rights over these accounts.
...