“Two-thirds of the Earth’s surface is covered with water. The other third is covered with auditors fr...”
– Norman Ralph Augustine –
1.1. Legal and Regulatory Requirements – Local GAAP
The IT-Audit procedures described in these blog posts are intended as guidance for an IT-Auditor who is familiar with SAP ERP systems and has knowledge of the legal requirements for IT-Audits as part of the annual year-end audit. This familiarity is a prerequisite for understanding the blog posts.
The blog posts are neither legally binding nor a mandatory guideline or standard, and they solely serve as orientation. Any responsibility for the type, scope, and results of external and internal audits remains with the auditor. It is also the auditor's responsibility to define the selected key audit areas in accordance with the relevant regulations and standards.
Generally, when conducting IT-Audits as part of the annual year-end audit, certain provisions and guidelines apply. As an example, here are some of the applicable German guidelines:
Statutory commercial and tax law provisions (§§ 238 et seq. German Commercial Code (Handelsgesetzbuch, "HGB") and §§ 140 - 148 German Fiscal Code (Abgabenordnung, "AO"));
Similar guidelines and standards are in place in most countries. In addition to the general audit guidelines, specific requirements apply to software operated in the cloud. Furthermore, multiple frameworks try to address cloud risks; examples are the CSA Cloud Controls Matrix, ISO 27001, COBIT 5, the Consensus Assessments Initiative Questionnaire (CAIQ), the Payment Card Industry Data Security Standard (PCI-DSS), National Institute of Standards and Technology (NIST) SP 800-53 and, as mentioned above, IDW RS FAIT 5. The following figure illustrates how IDW RS FAIT 5 accounts for different complexity levels of IT outsourcing:
Besides the type of outsourcing, IDW RS FAIT 5 also classifies outsourcing projects by the underlying provider model:
Furthermore, IDW RS FAIT 5 defines four phases of an outsourcing project and the corresponding requirements for each phase. Lifecycle according to IDW RS FAIT 5:
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.
Or contact us on LinkedIn.
Your feedback
Feel free to share your feedback and thoughts in the comment section below.
This blog is written by:
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA. With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy, and Security Attestation & Certification.
Florian Eller (SAP) – Product Management SAP S/4HANA Security. Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.
Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA. Björn has been working in the field of SAP security for more than two decades, with additional experience in SAP implementation and IT auditing.
Patrick Boch (SAP) – Product Management SAP S/4HANA Security. Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.
Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance). Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance). Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.