cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NetWeaver Audit Management

Former Member

on ‎10-04-2012 9:37 PM

0 Kudos

Hello Colleagues,

I am looking for documentation to support the integration or output of Audit Information System (AIS) with NW Audit Management.  There are two possible uses:

  1. The first is when the audit is occurring, internal auditors look at things like AIS and GRC AC/PC to see whether unauthorized / proper use of the system has occurred.  In some cases these “penetration attempts” to the system by unauthorized users is helpful in determining relative process risk to the business area considered. 
  2. The second is when the audit white papers and report documents are stored in NW Audit Management.  We need to design into this correct GRC AC/PC so that - for example - directors can only view certain levels of audit documents (another example, brown working papers should only be allowed for the audit team, specifically the audit team assigned to the audit not the entire department).  In addition when these records are stored “in the system” we need to know where and if there is a document record log stored in AIS that will illustrate use of the documents (if possible).

If anyone has shared experience I would appreciate your posting or contact me directly at wnewman@newportconsgroup.com

Many thanks!

Bill

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎06-23-2014 11:05 AM
0 Kudos

Hi William,

We are required to implement Audit Management Process (external and internal), and we're not going to use the Internal Audit Management (IAM) add-on tool in our GRC 10.1 system.

As I understand, Audit Planning and Follow Up can be done in IAM tool. Rest of the processes viz. Preparation, Execution and Reporting are within Netweaver Audit Management (NAM) itself.

As such, could you please provide me with any documentation on how NAM covers the audit processes?

Thank you,

Sagar

Show replies
Show replies
Former Member
‎07-11-2014 1:30 PM
0 Kudos

This message was moderated.

Former Member
‎10-26-2012 1:44 PM
0 Kudos

Hello Delorso,

Thank you for the post.  There are indeed several different functions inside SAP that can address audit needs.  Some talk to each other, others don't.  Here is what I have found.

  • Audit Information Systems (AIS) as part of SAP Business Suite is used for the tracking of successful or unsuccessful transaction execution.  It in and of itself is not the audit management records system, but is a useful environment to gather systems effectiveness information from the operations.
  • GRC Internal Audit Management I believe you are referring to is the access control log from successful or unsuccessful attempts to access the system components based on GRC Access Controls or GRC Process Controls.  Whereas AIS documents the effectiveness of the transactions, GRC "IAM" (again not sure as to product or function name) logs the security controls and user attempts to gain access to a system component.  This part is important for system profile management as well as proof of segregation of duties under SOX compliance.
  • NW Audit Management (you call it "NAM") is a records management environment used to store audit documents (controlled or non-controlled) based on standards such as the Institute of Internal Auditing (IIA) and other groups.  This is the environment where an auditor establishes a plan, program and activities within a program (SAP calls these question lists and as usual vocabulary differs from industry and organization).

Just so you know none of these systems actually integrate together out of the box.  We are looking at options to pull audit planning information from SAP HR-OM automatically through the use of a BADI routine to pre-populate certain key audit fields in "NAM" when the audit program is begin developed.  But otherwise "IAM" and "AIS" are stand-alone environments.  Theoretically you can build in triggers and routines to automate the risk events in "NAM" based on system events in AIS or "IAM", but that is really a "state of nirvana." I haven't heard of anyone ever investing the funding and time to get to that end state.

Hopefully this helps. DM me if you need more information or if you would like to set up an initial consultation on the topic.

Regards,

Bill

Show replies
Show replies
Former Member
‎04-22-2015 12:59 PM
0 Kudos

Hi William,

I have always trying to figure out how AIS and Audit Management (NAM) could have some kind of integration.

The audit execution work such as audit sampling of transaction schedules/reports upon which audit perform tests such as verifying authenticity of user authorisations, limitation tests for the user in terms of amounts time frame and so on is carried out with the AIS tool.

When it comes to documenting the audit findings these are done in the reports in Audit Management. Moreover even the Audit plans, the audit questions and risk rating of audits is carried out in Audit Management. Can't they surely be some integration between the two functionalities SAP can come up.

And with the improved SAP GRC suite which is now including Fraud Management and Audit Management under the assurance & compliance software the audit management has really been enhanced and made more useful for auditors but again not integration with AIS.

It is a challenge (from practical experience) with clients who activate AIS but find that the audit office tasks are housed independently under in the Cross Application component for SAP ERP ECC 6.0 as Audit Management. In fact 3 clients I worked on opted to go for TeamMate Audit Software after noting this separation.

I have  implemented Netweaver Audit Management and done AIS activation on a number of clients; am yet to have a practical experience on the new GRC Audit Management which is integrated with Fraud Management and Risk Management. What advice can give me on how different it is on configuration?

Former Member
‎10-24-2012 1:10 AM
0 Kudos

We are slugging through this via a training IDES environment and - happy to report - most of these questions have been answered.  Message me if you find yourself working with Audit Management and will be happy to share.

Show replies
Show replies
Former Member
‎10-25-2012 11:06 PM
0 Kudos

Hi William, you know im very glad i found your post.

You know im trying to get a better understanding of this SAP Audit tools and first of all, i was wondering how this three components work together or what is the integration point between them, if there is any.

- GRC Internal Audit Management (IAM)

- Netweaver Audit Management (NAM)

- Audit Information System (AIS)

Thanks very much

Ask a Question