Answers

How do you manage your bank mandates / list of signatories?

Asked by Michael Anderson | April 19, 2010 in Auditing | Open

“Managing lists of bank accounts and signatories is typically the responsibility of the Treasury group. Unfortunately, the update of this information is normally a manual process and should involve all subsidiaries of the organization. Hopefully, this is performed at least quarterly so that the Corporate office is aware of the banking arrangements. Note: Policy may require Corporate approval of all new bank accounts and changes thereof to existing accounts, thus keeping Corporate in the loop. Also, I have seen this control (i.e., Treasury updates list of bank accounts and signatories on a quarterly basis) included in the SOX 404 list of key controls, thus providing monitoring of the effectiveness of the control. Hope this helps... If you would like to discuss further, just let me know.”

How can I do cumulative totals in Excel?

Asked by anil arora | March 7, 2010 in Accounting | Open

Your public answer:

“You could also use pivot tables in Excel. These tables summarize all of the information in a given data set any way you want, whether you want to count the number of transactions in a population, take the average value or simply sum to the totals. All of this is at your fingertips and the data can be manipulated in a matter of minutes. Hope this helps!”

Automated Controls and Automated Control Testing

Asked by Richard Fowler, CISA, CFE, CICA 2nd | March 8, 2010 in Auditing | Closed

Your public answer:

“Hi, In the example listed above, you are probably taking snapshots of the configuration to verify if the settings are correct (a very common audit procedure); more than likely your procedures require you to test this only once or perhaps twice a year. Unfortunately, this approach is deficient as you are only taking a snapshot. If the configuration changes tomorrow and changes back the next day, how will you know? This is where the use of a continuous monitoring (CM) / continuous auditing (CA) tool facilitates the audit process. In this example, snapshots are no longer necessary other than to perform the initial baseline. Subsequent to the baseline, the automated control will alert you anytime the 3-way match configuration changes, which will enable you to audit the change as it occurs (which in this instance should be rare). Automated controls can be used in a variety of ways: to monitor changes to parameter settings, changes to critical transaction access, segregation of duties conflicts (access and transaction perspective), and specific data sets such as journal entries, invoice transactions, inventory returns, inventory adjustments, disbursements, new hires, terminations, etc. I could go on and on as there is really no limit as to what can be monitored. Quite frankly, if it is stored in a database, it can be monitored. Hope this helps!”
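
The snapshot-versus-monitoring point in the answer above, as an added example that is not part of the original answer: a periodic snapshot audit and a change-driven monitor are run over the same change log. The setting name, log format, users and dates are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: change log for a hypothetical setting
# "three_way_match_required" (name and log format are assumptions).
BASELINE = {"three_way_match_required": True}
CHANGE_LOG = [  # (timestamp, user, setting, new_value)
    (datetime(2010, 3, 9, 18, 40), "user_a", "three_way_match_required", False),
    (datetime(2010, 3, 10, 7, 5), "user_a", "three_way_match_required", True),
]
SNAPSHOT_DATES = [datetime(2010, 1, 15), datetime(2010, 7, 15)]


def state_at(when, baseline=BASELINE, log=CHANGE_LOG):
    """Replay the change log to get the configuration in effect at `when`."""
    state = dict(baseline)
    for ts, _user, setting, value in sorted(log, key=lambda e: e[0]):
        if ts <= when:
            state[setting] = value
    return state


def snapshot_findings(dates=SNAPSHOT_DATES, baseline=BASELINE, log=CHANGE_LOG):
    """Periodic audit: report only snapshots that differ from the baseline."""
    return [d for d in dates if state_at(d, baseline, log) != baseline]


def monitor_alerts(baseline=BASELINE, log=CHANGE_LOG):
    """Continuous monitoring: alert on every change and track how long the
    setting stayed away from its baseline value."""
    alerts, state, deviated_since = [], dict(baseline), {}
    for ts, user, setting, value in sorted(log, key=lambda e: e[0]):
        if value == state.get(setting):
            continue  # logged write that did not change the value
        state[setting] = value
        if value != baseline.get(setting):
            deviated_since.setdefault(setting, ts)  # keep first deviation time
            alerts.append((ts, user, setting, "deviates from baseline", None))
        else:
            exposure = ts - deviated_since.pop(setting)
            alerts.append((ts, user, setting, "restored to baseline", exposure))
    return alerts


if __name__ == "__main__":
    print("snapshot findings:", snapshot_findings())
    for alert in monitor_alerts():
        print(alert)
```

Both semi-annual snapshots match the baseline, while the monitor raises two alerts and reports the window during which the control was switched off.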

SAP Transaction Code Explanations

Asked by Jim Kaplan CIA CFE 1st | June 19, 2008 in Auditing | Open

Your public answer:

“See my answer sent separately... but here is a recap: The quickest and easiest way is to ask the company's IT department. Even in our small company, we have several SAP IT analysts who are experts in the respective areas (MM, SD, FI modules, etc.). There is also a report (RBE report) that can easily be run to see who is actually running the transaction. You could just as easily run an access report to see who has access to the transaction as well. Then simply contact said person and ask them when and why they use this transaction. In our company, no one uses this transaction (no one assigned). In addition, our description for this transaction states to "maintain table T047M". Obviously, I do not know what data is maintained in this table but since no one has access, there is no issue. With regard to whether a user can view/change/create the transaction, you need to understand how security operates in an SAP environment. First, you have it at the transaction level but then you further assign access at the authorization object and activity level. Therefore, I suggest this person talk to the security admin person there. As for the website, I am not aware of any. I simply follow the above steps (doesn't take too long) to gain an understanding of the transaction (what is it used for, who uses it and how is it locked down). I attached a security memo that we have written internally. Hope this helps.”