The barriers to connecting to any ERP system are as much human as they are mechanical, but they are not insurmountable. Let’s start with the human aspect. Many IT departments are, understandably, fiercely protective of any 3rd party products connecting to an SAP® environment. The concern lies primarily with performance, security and predictability. They may insist that Audit has to connect to a staging area or a data warehouse instead, rather than getting the story of fraud, error and abuse straight from the horse’s mouth.
This is a reasonable compromise, but only if it can be guaranteed that the ERP data is faithfully and accurately represented there. Beware – this is rarely the case: the Director of Internal Controls at a multi-billion dollar food retailer recently told me that they had just completed an exercise to verify that their data warehouse contained a faithful replication of data from their multiple SAP systems. The purpose, she said, was to provide assurance around data quality and to gauge how accurate their financial reporting, forecasting and KPIs are. They used ACL™ Analytics to perform this comparison, checking all vendor purchasing transactions in the data warehouse against what was in their instances of SAP ERP. They found that over 2,500 vendor records were missing from the data warehouse (if you extrapolate this out to account for related transactions, e.g. POs, invoicing and more, it means that potentially millions of transactions never made it to the DW).
How accurate is their business reporting? Not very. For an accurate picture of fraud, error and abuse, always read directly from the ERP, since that’s where the perpetrators are committing it.
So what about the technical bit? Direct Link™ is a certified SAP add-on that allows connectivity to the real story in the data, while providing assurance around ERP performance and data security. While audit retains independence around data access, it is still measurable by IT. In combination with an Analytics Exchange™ server, Direct Link provides the business with a consistent, predictable and quality-assured method of extracting relevant data to a safe place for users to analyze manually, combine with non-SAP data, and schedule analytics to perform continuous monitoring on a copy of the data. This doesn’t mean replicating huge tables for users to pore over – we’re just talking about enough data to satisfy the requirements of the test. A simple example: the business wants to test for any evidence of phantom vendor payments once per week. This may involve a scheduled import of the last 7 days of payment transactions, the vendors that are referred to in those transactions, and an employee master file, which are then compared for same and similar information (e.g. bank accounts, addresses, and so on).
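The weekly phantom-vendor test described above can be sketched as follows. This is an added example, not ACL or SAP code; the field names, the address abbreviation table and the sample records are constructed assumptions, and it also flags payments whose vendor is absent from the extract.

```python
import re
from datetime import date, timedelta

_ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "suite": "ste"}  # assumed, not exhaustive

def norm_account(s):
    """Keep only letters and digits so spacing and dashes do not hide a match."""
    return re.sub(r"[^0-9a-z]", "", s.lower())

def norm_address(s):
    """Lower-case, drop punctuation and fold common abbreviations ('Road' == 'Rd')."""
    words = re.sub(r"[^0-9a-z ]", " ", s.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

def phantom_vendor_hits(payments, vendors, employees, as_of, window_days=7):
    """Return (payment_id, vendor_id, employee_id, reason) for payments in the
    window whose vendor shares a bank account or address with an employee."""
    cutoff = as_of - timedelta(days=window_days)
    by_account, by_address = {}, {}
    for e in employees:  # index the employee master; blank values never match
        for index, key in ((by_account, norm_account(e["bank_account"])),
                           (by_address, norm_address(e["address"]))):
            if key:
                index.setdefault(key, []).append(e["employee_id"])
    vendor_by_id = {v["vendor_id"]: v for v in vendors}
    hits = []
    for p in payments:
        if not (cutoff < p["paid_on"] <= as_of):
            continue  # outside the last `window_days` days
        v = vendor_by_id.get(p["vendor_id"])
        if v is None:  # payment refers to a vendor missing from the extract
            hits.append((p["payment_id"], p["vendor_id"], None, "vendor_missing"))
            continue
        for emp in by_account.get(norm_account(v["bank_account"]), []):
            hits.append((p["payment_id"], v["vendor_id"], emp, "bank_account"))
        for emp in by_address.get(norm_address(v["address"]), []):
            hits.append((p["payment_id"], v["vendor_id"], emp, "address"))
    return hits

# Constructed sample data (hypothetical field names, not SAP table fields)
EMPLOYEES = [dict(employee_id="E100", bank_account="GB29 NWBK 6016 1331 9268 19", address="12 Harbour Street, Leeds"),
             dict(employee_id="E200", bank_account="GB11TEST00000000000002", address="4 Mill Road, York")]
VENDORS = [dict(vendor_id="V1", bank_account="GB29NWBK60161331926819", address="Unit 5, Trade Park, Hull"),
           dict(vendor_id="V2", bank_account="GB55TEST00000000000005", address="4 Mill Rd York"),
           dict(vendor_id="V3", bank_account="GB77TEST00000000000007", address="9 Quay Lane, Hull")]
PAYMENTS = [dict(payment_id=i, vendor_id=v, paid_on=date(2024, 3, d))
            for i, v, d in [("P1", "V1", 12), ("P2", "V2", 14), ("P3", "V3", 13), ("P4", "V1", 1), ("P5", "V9", 11)]]

def sample_hits():
    return phantom_vendor_hits(PAYMENTS, VENDORS, EMPLOYEES, as_of=date(2024, 3, 15))
```

Hits are leads for review rather than findings: shared addresses in particular produce false positives, such as an employee who legitimately operates a registered supplier.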
In this model, safeguards are as follows:
Finally, now that we have assurance that audit is not bringing an entire ERP platform to its knees, has read-only access and does not require any extra layer of 3rd-party security, the business has the freedom to ask any question of the data that they can verbalize. Data is gold. Mine it and make it work for you.
(Source: ACL Blog)