A look at audit analytics with a lack of belonging in SAP?
What about audit analytics that cannot be assigned to any process, such as purchase-to-pay or order-to-cash, and are therefore often forgotten? We have developed a particular category for this, which is called “cross-process”. This blog article revolves around exactly these analyses. What audit questions are behind it, what does the GoBD have to do with it, and why is the definition of a weekend relative? Questions about questions, which we clarify in this article.
Why are there cross-process process analyses?
“Cross-process analyses” – sounds unspecific! Why is it not possible to assign data analyses or data indicators to a process such as purchase-to-pay or order-to-cash? The answer is pretty simple: analyses exist, that want to identify “generic” process weaknesses. For example, it is a general question whether you have recorded your accounting data promptly so that your accounting system is in order. It is irrelevant whether it is a document from the areas of purchasing, sales, or fixed assets and inventories. E.g. the prompt entry of documents is always a relevant “secondary virtue”. And of such there are many questions…
Classic analyses in this area are, for example:
- One-time accounts (CPD)
- Documents posted by users with high reversal rates
- Operations done by super users
- Segregation of duties
- FI documents posted during the weekend
- much more…
Many of them will probably look familiar to you. We have created a complete list of cross-process analysis that is also including all data analyses that are currently in a test phase (beta), such as ” Suspected profit-neutral revenue manipulation ” or ” Very rare offsetting account “:
But what does it have to do with the GoBD?
We have already explained parts of the answer here concerning the prompt recording of postings. But not only the timely record (item 46 on page 11) plays an essential role in the GoBD, as item 32 on page 9 clearly shows:
“The bookkeeping must be such that it can provide an expert third party with an overview of the business transactions and the situation of the company within a reasonable time. It must be possible to track the origin and processing of business transactions seamlessly (progressive and retrograde verifiability).”
Besides, there is point 58 on page 14, which refers to the principle of non-changeability, which we have already mentioned several times:
“A posting or recording must not be altered in such a way that the original content can no longer be ascertained. Nor may such alterations be made the nature of which leaves it uncertain whether they were made initially or subsequently (§ 146 paragraph 4 AO, § 239 paragraph 3 HGB).
As a result, you may notice pretty quick that the GoBD holds so some requirements at the bookkeeping duties ready and a variety of data analyses can be helpful, for example:
- Document number gap analysis
- Missing reversed document
- Documents without users
- FI documents with a long interval between posting and entry date
We have already successfully implemented these and more than 20 other analyses in zap Audit so that you do not have to worry about the technical details. You can find them in a single whitepaper here:
What about the postings during the weekend?
Having completed more than 600 projects successfully in the past years, we have learned one thing about postings during weekends: a definition of the weekend is ambiguous, as we already wrote in the article about weekend bookings and the Fraud Triangle that you can find here. Depending on the culture, business model, and other factors, working on weekends may not be of particular interest. It doesn’t seem unusual at first, but it is an opportunity for fraud. So the question arises as to whether there isn’t a more elegant or extended approach to finding eye-catching postings. You can use an outlier analysis like postings on other days than normally from zap audit. Let’s take a look at the description:
“A document is marked if it was posted on a day of the week that is rarely used for postings of this document type. Postings by system users are not marked (user type B: System User (Internal RFC and Background Processing) and C: Communication User (External RFC)).
For each document type, the corresponding weekday gets determined individually based on the posting volume. If the posting volume for a document type falls sharply on a weekday, this weekday is evaluated for a certain document type.”.
This approach offers you the opportunity to further analyze postings during weekends for suspicious postings in zap Audit.
What else belongs to the area of cross-process analyses?
In addition to the large number of analyses that I have already mentioned in the course of this article, a relevant category is still missing, including “segregation of duties” or “operations done by super users”: We are talking about analyses with the audit objective of access protection. Among them are well-known:
Based on our Financial Process Mining algorithm further analyses exist:
- A single user did the complete business process
- A single user did many transactions in business process
The latter marks documents where a user has carried out more than four different activities. For the complete list of indicators, please refer to the free download of our whitepaper: