Why ITGC sets the tone for SoX in SAP
SoX section 404 holds management responsible for the design and operating effectiveness of internal controls over financial reporting. The external auditor's opinion on the management assertion rests on the operating effectiveness of the IT general controls (ITGC). If the ITGC do not pass testing, the auditor cannot rely on automated application controls and must expand substantive testing. That expansion increases audit cost, delays the filing, and exposes the customer to a material weakness disclosure. The ITGC therefore set the tone for the SoX program in any SAP landscape.
This article documents the ITGC catalog, the design discipline, the testing approach, and the audit-defensible SoX posture. Reference the SAP security audit pillar, the compliance framework pillar, and the SoX compliance expertise.
ITGC catalog
The ITGC catalog has four families. Change management covers the controls that govern how changes move from development through quality assurance to production. Access management covers the controls that govern who can do what in the production system. Computer operations covers the controls that govern job scheduling, backup, and recovery. Information security covers the controls that govern the technical security baseline, including patching, password policy, and network exposure. The customer position is to maintain a documented control matrix that lists each control, its owner, its testing frequency, and its evidence source.
Reference the change management controls analysis, the user access review process, and the basis security analysis.
Design discipline
The design discipline rests on three principles. The control must address a specific risk that maps to a financial reporting assertion. The control must operate with a documented frequency and an identified owner. The control must produce evidence that an independent tester can review without sitting next to the operator. The three principles eliminate the legacy practice of writing control narratives that describe activity without documenting evidence. The customer position is to test every control against the three principles annually and to remediate any control that fails the principle test.
Reference the GRC implementation analysis, the role design methodology, and the SoD conflicts analysis.
Contemporaneous evidence, captured at the time of control operation rather than reconstructed during testing, is the single highest-leverage SoX discipline. It closes the gap between the control narrative and the testing exception.
Testing approach
The testing approach has two layers. Management testing through the SoX program team covers every control quarterly or semi-annually, depending on the control's frequency. Auditor testing covers a sample of the management tests through inquiry, observation, and reperformance. The customer position is to make management testing thorough enough that auditor reperformance produces no new exceptions. The discipline rests on three operating practices: testers are independent of operators, evidence is captured at the time of operation and not reconstructed, and exceptions are documented with a remediation plan and a retest date. Reference the license audit pillar (a cross-cluster reference for the named user testing that overlaps with the access management ITGC), the audit trail configuration, and the table logging configuration.
Audit-defensible SoX posture
The audit-defensible SoX posture has five components. First, the documented ITGC catalog with the four families and a control matrix. Second, the design discipline applied to every control annually. Third, the testing approach with independent testers and contemporaneous evidence. Fourth, the deficiency tracker that records every test exception and its remediation status. Fifth, the annual management review that closes the loop on the operating effectiveness assertion. Together, the five components support the external auditor's opinion and the SoX 404 management assertion.
The implementation detail is in our GRC implementation analysis, the firefighter ID analysis, the compliance framework pillar, and the security audit pillar. The SoX compliance expertise documents the full senior advisor methodology.
SoX posture that closes the ITGC risk and supports the external auditor opinion
- ITGC catalog has four families: change, access, operations, and information security
- Each control maps to a financial reporting assertion with documented owner and frequency
- Evidence is captured at the time of operation, not reconstructed during testing
- Management testing covers every control quarterly or semi-annually
- Deficiency tracker records exceptions, remediation plan, and retest date
- Audit-defensible posture rests on catalog, design discipline, testing, deficiencies, and review