
Get SAP Audit Management Up and Running Fast!
Marie-Luise Wagener
SAP SE
Agenda

• Overview of SAP Audit Management Solution

• Integration with SAP GRC Risk Management and Process Control

• Extensibility and enhancement options

• Best practices for an accelerated implementation

• Wrap-up

© 2016 SAP SE or an SAP affiliate company. All rights reserved. 1


Overview of SAP Audit Management Solution
GRC – Governance, Risk and Compliance
Solution Overview



SAP Audit Management Technical Overview
Synopsis



User Interface

• Access to the solutions from desktops and laptops is through an HTML5 (SAPUI5) based shell. This UI is also capable of invoking ABAP Web Dynpro applications.

• Outside of this main web-based UI, some administrative tasks (such as Customizing tasks and clean-up reports) are based on the traditional SAP GUI technology.

• The communication of the front-end components to the back end, which is an SAP NetWeaver® 7.4 application server, uses the secure HTTPS protocol. The Web applications are embedded in a shell that ensures secure session management. All clients and servers run within the firewall.



Integrated GRC Example – Fraud

[Diagram: Digital Compliance Management for the enterprise risk "Fraud".
Risk Responses: Accept, Avoid, Transfer, Control, Reduce; Regulations.
Process Control – Process: Procure to Pay, Vendor Mgmt, AP Invoicing; Process Risks: Fraudulent vendors and related invoice; Controls: Review of new vendors and uninvoiced good receipts, Review of invoice support; Policies: Security and AP SOD Control Policy, Invoice GPO Policy.
Access Control – Access Risks: User can enter vendor & PO, User can enter invoices & payments; Issue; Mitigate Control Access; Monitor Access Violations & Status.
Fraud Management – Detection: Fraud Analysis, Alert.
Audit Management – Plan, Execute, Report.]



SAP Audit Management



The Audit Management Lifecycle

Powered by SAP HANA, SAP Audit Management provides a fully mobile-enabled, end-to-end audit management solution.

The audit department can use it to build audit plans, prepare audits, analyze relevant information, document results, form an audit opinion, communicate results, and monitor progress.



Audit Phases



Audit Phases (cont.)



The Roles



Roles and Responsibilities



Roles and Responsibilities (cont.)



The Role Mapping

The identity provider of an application role determines the source of the users.

An application role is usually meaningful only when it is mapped to a PFCG role, because user authorizations and menu access derive from the relevant PFCG roles. Exception: e.g., Action Responsible.

In the object type settings, the link to an audit object and the additional role settings (mandatory, multiple, auto assignment, and whether the role is displayed in the team section and in which sequence) have to be determined.



Identity Provider

If you use LDAP as the identity provider, make sure that the LDAP server has been correctly configured and that the respective fields are mapped.

Check the box in the Cache column if you want the system to cache user information from this identity provider. Enabling this option allows faster loading of user information in the front end.



Identity Provider (cont.)

USER_ID_ATTRIBUTES: The user ID. If this entry is not maintained, the default value OBJECTGUID is mapped to the field.

USER_NAME_ATTRIBUTE: The user name. If this entry is not maintained, the default value CN is mapped to the field.

USER_OBJECT_CLASS: The object class of the user. If this entry is not maintained, the default value USER is mapped to the field.



LDAP

Note:
The LDAP user information stored in SAP Audit Management is not automatically refreshed. If the source information has changed, you need to run program GRCAUD_SYNC_USER_CACHE to update the information.

It is recommended that you schedule a background job to run the program regularly to keep the user information up to date.



SAP Audit Management



Integration with SAP GRC Risk
Management and Process Control
Risk Register

The risk register is a central repository for identified risks used in risk-based auditing. In the risk register, risks are categorized by different views. SAP Audit Management has the following default views:

Internal Audit (IA): Risks in this view can be assigned to auditable items and audits for auditing; when you create an audit plan, the risks are also visible on the Risks tab.

Risk Management (RM): This view is used to store imported risks from SAP GRC systems.



Risk Register Customization
Maintain Number Range for Risk



Additional Number Range Customization

You have maintained the ID generation setting for risks in View Cluster GRCAUD_VC_IDM. To use the standard setting, copy all contents of the View Cluster from client 000.

You can further modify the identifiers generated by this number range when you define the patterns for ID generation in the system.

For example, you can add the year or another code to the generated ID, thus allowing "00000000000000004711" to be transformed to "2013-4711".



Risk Register Customization
Levels and Types

If you plan to import risks from GRC Risk Management, consider utilizing the existing attributes to support an aligned perspective.



Controls

The Controls tile allows you to access the central repository for storing controls imported from other systems or proposed by the audit team. Controls are categorized by different views. SAP Audit Management has the following default views:

Internal Audit (IA): Controls in the IA view can be assigned to audits for control assessment and testing.

Risk Management (RM): The RM view is used to store imported controls from SAP GRC systems.



Controls Customization
Number Range



Controls Customization
Attributes

If you plan to import controls from GRC Process Control, consider utilizing the existing attributes to support an aligned perspective.



Controls Customization
Effectiveness

Rating of the control effectiveness as a result of the control testing.



Import
Connector Set Up

Please be aware that you have to create an RFC connection first (transaction SM59).



Import
Master Data and Job

Please note:
Importing controls requires SAP Process Control 10.1 SP06 or above, or you have applied SAP Note 2004563 in SAP Process Control.
Importing risks requires SAP Risk Management 10.1 SP06 or above, or you have applied SAP Note 2028174 in SAP Risk Management.

SAP Audit Management delivers the program GRCAUD_IMPORT_MD for importing master data from SAP Process Control and SAP Risk Management.

The import program creates copies of the objects under the specified view.

The system assigns a global ID to each item imported. If the item already exists in the system, the program updates the object with the latest information from the source system.



Extensibility and enhancement options
The Extensibility Guide

http://help.sap.com/saphelp_fra110/helpdata/en/6b/f3815268ed224fe10000000a445394/content.htm?frameset=/en/a8/79f3534437783ae10000000a44176d/frameset.htm&current_toc=/en/ab/ce1b52bd543c3ae10000000a441470/plain.htm&node_id=73&show_children=false



Custom Tile

Create a Z* BSP package that can also be utilized in the future: Z_GRCAUD



Custom Tile (cont.)

Create the respective files and adapt the coding to meet your requirements.



Custom Tile (cont.)

Additional adaptations



Custom Tile (cont.)

Page with Flow Logic: create the same entries underneath Z_GRCAUD in Pages with Flow Logic, including the respective code. These can also actually be tested.



Custom Tile (cont.)

Create and activate the respective BSP and UI5 services in SICF.



Custom Tile (cont.)

Update the Launchpad in LPD_CUST with the respective folder and details.



Custom Defined Fields

The solution allows you to use simple data types in creating custom defined fields. These are:

• Integer Data Type: Used as a numeric field input

• Character Data Type: Used as a free text field input

• Date Data Type: Used to capture a date input type

All fields created under custom fields will be displayed in a dedicated section of the respective object for which the custom fields are being created.

All fields will be optional input.

It is possible to create custom fields for four objects since SP04. These are:

• Audit
• Audit Finding
• Auditable Item
• Audit Action



Custom Defined Fields (cont.)

The process of creating a custom field is as follows:

1. Identify the object requiring the custom defined field:
   Audit – GRCAUD_AUDIT -> ROOT
   Auditable Item – GRCAUD_AUDITABLE_ITEM -> ROOT
   Audit Finding – GRCAUD_AUDIT -> FINDING
   Audit Action – GRCAUD_ACTION -> ROOT

2. Execute transaction BOBF in the SAP Audit Management back end and select from the four objects available

3. Append the data types to the structure of the object identified

4. Save and Generate Object

5. Clear the system Cache.



Custom Defined Fields (cont.)

Execute transaction code BOBF in the back-end system to navigate to the Business Object customizing.

To navigate to the object desired for custom field creation:

1. Go to Business Process Objects and select from

   a. GRCAUD_AUDIT
   b. GRCAUD_AUDITABLE_ITEM
   c. GRCAUD_ACTION

2. Go to Node Elements and select ROOT

Please note:
For Audit Finding, select FINDING in this step instead of ROOT.



Custom Defined Fields (cont.)

Navigate to the Extension Include field and drill down to append the structure.



Custom Defined Fields (cont.)

Navigate to "Goto > Append Structure" to add the custom fields to the structure. Here you can add the new fields to the structure.

Enter a short description for the append structure, and the following fields under the Components tab.

Component: Enter a name in the customer namespace for the component (with a prefix Z, e.g., Ztest)
Typing Method: Choose Types in the drop-down list
Component Type: Enter the data element name you have previously created, or use F4 search help to use a delivered data element such as grcaud_date or grcaud_name



Custom Defined Fields (cont.)

Practical Example:

Four additional Custom Defined Fields (CDFs) are requested for the Action.

• Organization (field referring to the available organizations)

• Actual Due Date (Date field)

• Action Status (Dropdown for the reporting: In Study, Planned, Completed or Risk Accepted)

• Follow up required (Dropdown: Yes/No)



Custom Defined Fields (cont.)

Creation of the new elements in SE11.



Custom Defined Fields (cont.)

Clear cache:

Use SPRO > SAP Reference IMG > SAP NetWeaver > Gateway OData Channel > Administration > Cache Setting > Metadata > Clear Cache

Choose Execute

Also another cache to clear:

Use SPRO > SAP Reference IMG > SAP NetWeaver > Gateway Service Enablement > Back-end OData Channel > Support Utilities > Clear Cache

Transactions:
/n/iwfnd/cache_cleanup
/n/iwbep/cache_cleanup



Multiple Level Approval

It is recommended not to change SAP-delivered schemas, so it is advisable to add a copy of the existing schema you want to adjust.

For multi-level approvals, we copy the AUDIT object type schema together with all dependent entries, then select the copied schema and double-click the Status Transition sub-dialog.



Multiple Level Approval (cont.)

Select an entry with one of the following action names and double-click the Agent sub-dialog:

APPROVE_WORK_PROGRAM

APPROVE_DRAFT_REPORT

APPROVE_FINAL_REPORT



Multiple Level Approval (cont.)

Choose New Entries and enter the following data:

In the Role field, enter the application role that you want to add as the approver. This could also be a custom role.

Leave the Type field blank.

In the Level field, enter a number to specify the approval level for the role.

You must enter consecutive natural numbers in the Level field for multiple approvers, starting from number 0. The application role with level 0 is the first to receive the object, followed by level 1, level 2, and so on. Approvers at the later levels are not able to see the object in their tiles until the preceding approver has approved.

Example:
ZCRR level 0 – first one to approve
AUD_MGR level 1 – second one to approve



Multiple Level Approval (cont.)

To authorize the roles to perform the approval actions, you need to add them to the relevant scenarios. To do so:

Go to transaction SM34, enter view cluster GRCAUD_VC_SCEN, and choose Maintain.

Depending on the object type, choose one of the following scenarios and double-click the Role sub-dialog:

approveAuditReport

approveWorkProgram

Choose New Entries and add the roles to the list.

Save the changes.



Multiple Level Approval (cont.)

To allow the roles to reject the object, go back to the Status Transition dialog, select the entry with one of the following actions, and double-click the Agent sub-dialog:

REJECT_WORK_PROGRAM

REJECT_DRAFT_REPORT

REJECT_FINAL_REPORT



Multiple Level Approval (cont.)

Choose New Entries and enter the following data:

In the Role field, enter the application role you have set as the approver in the previous steps.

Leave the Type field blank.

In the Level field, enter 0. Set level 0 for all roles.

This ensures that the object is sent back to the submitter after it is rejected by any one of the approvers.

Please note:
This feature is also supported for Notifications.
An empty Level field is treated as 0.
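As an added illustration (not SAP code and not part of the deck), the following Python model reproduces the routing that the Agent entries above configure: approvers act in level order starting at 0, a later level cannot see the object until the preceding one has approved, and a rejection at any level sends the object back to the submitter. ZCRR and AUD_MGR are the role names from the slide; the status names SUBMITTED, APPROVED and REJECTED are assumptions made for this model.

```python
"""Model of the multi-level approval routing configured on the slides above.

Added example, not SAP code: it reproduces the semantics of the Agent
entries (Role + Level) on the APPROVE_* and REJECT_* status transitions.
ZCRR and AUD_MGR are the role names from the slide; the status names
SUBMITTED, APPROVED and REJECTED are assumptions made for this model.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ApprovalObject:
    """An object such as a work program or draft report awaiting approval."""
    submitter: str
    approve_agents: dict[int, str]      # level -> application role (Agent sub-dialog)
    status: str = "SUBMITTED"
    current_level: int = 0
    history: list[str] = field(default_factory=list)

    def visible_to(self, role: str) -> bool:
        """A role sees the object in its tile only once all preceding levels approved."""
        return (self.status == "SUBMITTED"
                and self.approve_agents.get(self.current_level) == role)

    def approve(self, role: str) -> str:
        if not self.visible_to(role):
            raise PermissionError(f"{role} cannot approve at level {self.current_level}")
        self.history.append(f"approved by {role} (level {self.current_level})")
        self.current_level += 1
        if self.current_level not in self.approve_agents:
            self.status = "APPROVED"        # no further level configured
        return self.status

    def reject(self, role: str) -> str:
        # All REJECT_* agents are entered with level 0 (an empty Level field is
        # treated as 0), so whichever approver currently holds the object can
        # send it straight back to the submitter.
        if not self.visible_to(role):
            raise PermissionError(f"{role} cannot reject at level {self.current_level}")
        self.history.append(f"rejected by {role} (level {self.current_level})")
        self.status = "REJECTED"
        self.current_level = 0
        return self.status


def validate_levels(agents: dict[int, str]) -> list[str]:
    """Levels must be consecutive natural numbers starting at 0."""
    problems: list[str] = []
    levels = sorted(agents)
    if levels and levels[0] != 0:
        problems.append("first approval level must be 0")
    for lower, upper in zip(levels, levels[1:]):
        if upper != lower + 1:
            problems.append(f"gap between level {lower} and level {upper}")
    return problems


def two_level_run() -> list[str]:
    """ZCRR (level 0) approves first, then AUD_MGR (level 1) sees and approves."""
    obj = ApprovalObject("auditor", {0: "ZCRR", 1: "AUD_MGR"})
    obj.approve("ZCRR")
    obj.approve("AUD_MGR")
    return obj.history + [obj.status]


if __name__ == "__main__":
    print(two_level_run())
```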



Import of Organizations

It is possible to import the organizational structure from the GRC system. To keep the structure up to date, the job should be scheduled on a regular basis.

Program name: GRCAUD_IMPORT_ORG

S_CON: Select the GRC connector

S_GROUP: Select the organization group



Enhancement Auditable Item Number Range

Register ID ZADTB with class zcl_grcaud_ideg_adtbl_id in table GRCAUD_C_IDEG



Enhancement Auditable Item Number Range (cont.)

Update the same cluster with the object type and 4 digits

Update cluster GRCAUD_VC_IDM with ADTBL as object type and ID expression ZADTB

Result



Custom Field Labels

In general there are three steps required:

1. Create a BSP application with a .properties file that contains the new labels

2. Create a new service in SICF for the BSP application

3. Update the Launchpad in LPD_CUST

As an example we change the label from "Audit Scope" to "Audit Description".



Custom Field Labels (cont.)

1. Create a BSP application with a .properties file that contains the new labels

Open the ABAP Workbench (SE80) and create a new BSP application.



Custom Field Labels (cont.)

1. Create a BSP application with a .properties file that contains the new labels

Create a new Page for the BSP Application.



Custom Field Labels (cont.)

1. Create a BSP application with a .properties file that contains the new labels

Enter new labels for the fields that need to be changed.

You can refer to the technical field names in the properties file of BSP Application GRCAUD: "WebContent/resources/i18n/i18n.properties"

Example entry:
#XFLD, 30: general scope of audit – Comment
LABEL_AUDIT_SCOPE – Technical field name
Audit Description – Custom field label

Save the text and activate the application.
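The label override only takes effect if the key in the custom .properties file matches a key delivered in GRCAUD's i18n.properties, and the "#XFLD,30"-style comment declares the text type and maximum length of the label that follows it. The following Python check is an added example (not part of the deck and not SAP tooling) that compares a custom file against the delivered one; both file bodies are constructed samples, and the annotation convention is an assumption stated in the code.

```python
"""Check a custom label .properties file against the delivered GRCAUD one.

Added example, not part of the deck and not SAP tooling. It assumes the SAP
convention that a "#XFLD,30" comment declares the text type (XFLD = field
label) and the maximum length of the key on the next line. Both file bodies
below are constructed samples standing in for the real i18n.properties.
"""
from __future__ import annotations
import re

# Constructed excerpt standing in for GRCAUD WebContent/resources/i18n/i18n.properties
DELIVERED = """\
#XFLD,30: general scope of audit
LABEL_AUDIT_SCOPE=Audit Scope
#XFLD,20: lead auditor of the audit
LABEL_AUDIT_LEAD=Audit Lead
"""

# Constructed custom file as it would be created in the Z* BSP application
CUSTOM = """\
#XFLD,30: general scope of audit
LABEL_AUDIT_SCOPE=Audit Description
#XFLD,20: lead auditor of the audit
LABEL_AUDIT_LEAD=Lead Auditor Responsible for This Audit
LABEL_AUDIT_SCOPPE=Audit Description
"""

# "#XFLD,30: free text" -> text type XFLD, optional maximum length 30
ANNOTATION = re.compile(r"^#([A-Z]{3,4})(?:,\s*(\d+))?(?::.*)?$")


def parse_properties(text: str) -> dict[str, tuple[str, str | None, int | None]]:
    """Map each key to (value, text type, max length) from its preceding annotation."""
    entries: dict[str, tuple[str, str | None, int | None]] = {}
    pending: tuple[str | None, int | None] = (None, None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ANNOTATION.match(line)
        if match:
            pending = (match.group(1), int(match.group(2)) if match.group(2) else None)
            continue
        if line.startswith("#"):
            continue                         # plain comment, no annotation
        key, _, value = line.partition("=")
        entries[key.strip()] = (value.strip(), pending[0], pending[1])
        pending = (None, None)
    return entries


def check_overrides(delivered: str, custom: str) -> list[str]:
    """Report custom keys that match nothing delivered and labels over the length limit."""
    base = parse_properties(delivered)
    problems: list[str] = []
    for key, (value, _type, length) in parse_properties(custom).items():
        if key not in base:
            problems.append(f"{key}: matches no delivered key")
            continue
        # fall back to the delivered limit when the custom file carries no annotation
        limit = length if length is not None else base[key][2]
        if limit is not None and len(value) > limit:
            problems.append(f"{key}: '{value}' is {len(value)} chars, limit {limit}")
    return problems


if __name__ == "__main__":
    for problem in check_overrides(DELIVERED, CUSTOM):
        print(problem)
```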



Custom Field Labels (cont.)

2. Create a new service in SICF for the BSP application

Open transaction SICF and create a new service with the BSP Application Name under the following node:

/default_host/sap/bc/ui5_ui5/sap/

Please do not forget to activate the service!



Custom Field Labels (cont.)

3. Update the Launchpad in LPD_CUST

Open Instance "AUD" in transaction LPD_CUST, expand the node "Audit Management > Scenarios" and double-click on the properties file.

Change the URL to the properties file created in step 1. The path consists of the BSP Application Name and the path of the properties file.



Custom Field Labels (cont.)

Now refresh your browser cache and you can see the updated field label in the front end.



Additional Little Tips

No BC Sets
Please bear in mind that the customizing is
copied from client 000, and that with Support
Pack upgrades the respective delta has to be
imported as well.

/UI5/RESET_CACHEBUSTER
The browser cache is deleted automatically
and periodically. This report allows you to
reset the cache immediately.

Notifications
Notifications can be copied from client 000,
can be customized in SO10, and then
transported via RSTXTRAN.



Best Practices for an accelerated
implementation
Understand the SAP Audit Management Data Model



How to Get There …

Ensure a comprehensive understanding of the solution – Conduct a Conceptual Design workshop

Understand the business requirement specifics – Conduct a Business Blueprint workshop

Prepare the Business Blueprint – Consider time and material for "homework"

Stick to the standard – Manage expectations and work on solutions considering the data model

Smooth implementation – Invest in Training and Testing



Wrap-Up
Where to Find More Information

• SAP Audit Management Application Guide – http://help.sap.com/audit

• Release Note for Installation*: 1886295

• SAP Software Developer Network (SDN) – http://sdn.sap.com

• SAP Service Marketplace* – http://service.sap.com

• SAP Product Availability Matrix (PAM)* – http://service.sap.com/PAM

• SAP PartnerEdge Portal – https://partneredge.sap.com/en/welcome.html

• Free trial of SAP Audit Management: www.sapappcenter.com/p/3529

* Requires login credentials to the SAP Service Marketplace



7 Key Points to Take Home



Thank You!

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.



Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2016 Wellesley Information Services. All rights reserved.
