- Transforming an ERP system into S/4HANA raises procedural and organizational questions.
- The added value of involving the internal audit department lies in an independent project assessment.
- With its expertise, Internal Audit can successfully contribute in four areas: master data management, processes, authorization concepts, as well as the set-up of analysis and automated controls.
Transforming the ERP system to SAP S/4HANA causes not only technical but also process-related and organizational challenges. However, experience from system transformations of the past few years shows that in many cases, the technical implementation is the top priority, but important process and organizational issues are sometimes not addressed at all or only addressed marginally due to time pressure and limited resources.
This can lead to considerable problems after the completion and go-live of the project, both in the areas of workflows as well as the internal control system (ICS) and compliance. This is where the internal audit department can make an important contribution to S/4HANA transformation projects by providing recommendations based on an independent assessment.
Internal Audit: independent but supportive
One thing has to be clear: the internal audit department has to remain independent and objective. This independence must also be preserved when accompanying consulting mandates. This can be ensured by appropriate mechanisms (e.g. by using different audit and project teams, cooling off periods). Nevertheless, these mechanisms should not prevent companies from making use of the value-adding expertise and experience of Internal Audit in complex projects.
In which processes and organizational issues can Internal Audit support and accompany an SAP S/4HANA transformation in its preparatory period and whilst it is going on?
Four areas come to mind:
1. Master data and internally developed transactions
Master data (customers, suppliers, materials, etc.) form the basis for all transactions and activities within SAP S/4HANA. How well these can be processed in the ERP depends largely on the quality of the master data.
Duplicates, e.g. in the supplier and customer master, but also inconsistent master data - for example different or incorrect payment terms - lead to inefficiencies and interruptions in the workflows; manual workarounds may be necessary. The internal audit department can generate added value by analyzing the master data in order to point out possible inconsistencies and to initiate the corresponding clean-up activities.
Many companies use so-called Z transactions. These are developed in-house. It therefore stands to reason that Internal Audit is the best department to provide an overview of these transactions, giving an idea of where and why they were used.
Since Z-transactions can usually not be transferred to S/4HANA, the question then arises as to whether the respective processes can also be handled in the standard SAP. This should be clarified before the transformation between the affected departments and IT. However, Internal Audit can make recommendations in this regard in the form of an audit report.
2. New processes
The new processes in SAP S/4HANA raise questions regarding appropriate controls. For example, individual reconciliation processes (GR/IR clearing accounts, etc.) are fully automated. Internal Audit can identify possible deficits and at the same time make recommendations for suitable audit mechanisms, which focus on IT Application Controls (e.g. controls in the area of data processing, transaction and accounting controls, etc.) and IT General Controls (e.g. controls in the area of change management, control of access to data and programs, etc.). The actual implementation and development of the solution is not within the remit of internal audit.
Another innovation in S/4HANA is how supplier and customer master data is created: in the future, this data will be created or changed using a standard transaction. This approach promotes a certain centralization of master data management. This may lead to changes in the process organization, such as the bundling of tasks within a shared service center. Internal Audit can make concrete best-practice recommendations in cooperation with specialists when setting up the process-related changes and adjustments.
3. Authorization concept
When considering new transactions and processes in S/4HANA, Segregation of Duties (SoD) conflicts and critical authorization combinations should be reassessed and, if necessary, revised. Here, too, Internal Audit can offer risk-oriented assistance. By reviewing authorization conflicts and critical combinations, weaknesses can be identified before the new authorization concept is implemented.