Version 2 of zap Audit has been released, so over the next couple of weeks we are going to take a closer look at the multitude of new features it has to offer. In today’s article, we will examine the benefits of the new dashboard, including the “process house”, what exactly it is all about, and why many of our customers find it so useful. In addition, the new dashboard provides a quick overview of findings.
First impressions count
No, we haven’t mutated into a fashion blog over the Easter holidays, but, all the same, first impressions are rarely misleading, which is why we have completely overhauled the dashboard in zap Audit to give you a better impression of the underlying data. A new navigation bar is now located at the top of the dashboard. In the “Explore” area, you can currently switch directly to the audit. We have already planned a third section to make your life as auditors even easier. So you can look forward to seeing some new developments during the course of the year.
The process house is the core of the new dashboard and shows you – at a glance – in which process key findings have been identified.
A total of 135 indicators were processed in the project, and none failed or had missing data. In addition, it is immediately apparent that most of the findings in the cross-process processes were made using the grid search. As can be seen in the whitepaper on cross-process indicators, most of these are indicators from the process areas relating to authorizations or accounting. Another click on the process makes things even clearer:
11 of the posted indicators fall into the areas of authorizations and accounting. This is already enough to give us a pretty decent first impression of the indicators for the individual processes.
SAP documents as the object of investigation
The “Documents” tab contains various statistics on the distribution of documents, such as documents by document type or transaction code. In the example shown, the high number of “vendor invoices” with findings is particularly striking, although relatively few indicators in the area of purchasing are affected. This initially indicates structural problems in the area of purchasing, or a combination of, for example, indicators in the areas of authorizations and vendor invoices. For example, if your company has a problem with the widespread use of superuser rights, the frequent posting of vendor invoices with a superuser would be a possible scenario. The following statistics show the number of documents with findings by document type:
In addition, the “Documents” tab displays the distribution over the fiscal year. For example, if your company is subject to strong seasonal fluctuations and relatively large swings in atypical months, the results may be reason for further investigation.
In this test data set, April stands out in particular with a strong upward trend, followed by December with an above-average number of postings. Due to the lack of context, it is difficult to make a conclusive statement about the reasons for this phenomenon.
The SAP user caught in the cross-hairs of the grid search
Error 40 or, more likely: The error is sitting 40 cm in front of the monitor. A slight exaggeration perhaps, but the core statement frequently turns out to be correct.
There are two main types of user in SAP: those who work in dialog with the SAP interface, and are therefore referred to as dialog users (GUI users), and technical users. Technical users cannot log on to the SAP GUI; such accounts are usually used by programmers and for technical SAP interfaces (for example, the automatic import of data from previous systems). However, the present test system shows a completely different picture:
An unknown user type indicates that user master data has been deleted. According to Section 239 of the German Commercial Code (Handelsgesetzbuch – HGB), however, it is questionable whether this is permitted by law. The law in question is also known as the “prohibition on the amendment of entries (Radierverbot)” and states that records in the accounts may not be altered in such a way that the original content can no longer be determined. Deleting user master data is therefore a quick way of getting yourself onto very thin ice. The alternative and better solution is simply to lock users. This means that the user can no longer log in, but the master data is retained.
Note: SAP users are pseudonymized in zap Audit so that it is no longer possible to identify the actual person. The user “mmustermann” then becomes e.g. USER_1.
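The user-type breakdown described above can be reproduced by matching document headers against the user master. This is an added example, not zap Audit's own code: it assumes the standard SAP tables BKPF (field USNAM) and USR02 (fields BNAME, USTYP, UFLAG), runs on constructed sample rows, and its function names and order-of-appearance pseudonym scheme are illustrative assumptions.

```python
from collections import Counter

# USR02.USTYP codes: A dialog; B system, C communication, S service; L reference
USTYP = {"A": "Dialog", "B": "Technical", "C": "Technical",
         "S": "Technical", "L": "Reference"}

# Constructed sample of USR02: BNAME -> (USTYP, UFLAG); UFLAG != 0 means locked
USR02 = {
    "MMUSTERMANN": ("A", 0),
    "BATCH_IF": ("B", 0),
    "JDOE": ("A", 64),  # locked, but the master record is retained
}

# Constructed sample of BKPF headers: (BELNR, BLART, USNAM)
BKPF = [
    ("1900000001", "KR", "MMUSTERMANN"),
    ("1900000002", "KR", "GONE_USER"),   # no USR02 row: master data deleted
    ("0100000001", "SA", "BATCH_IF"),
    ("1900000003", "KR", "JDOE"),
    ("1900000004", "KR", "GONE_USER"),
    ("0100000002", "SA", "OLD_ADMIN"),   # no USR02 row
]

def pseudonymize(names):
    """Map each name to USER_n in order of first appearance (assumed scheme)."""
    mapping = {}
    for name in names:
        mapping.setdefault(name, f"USER_{len(mapping) + 1}")
    return mapping

def documents_by_user_type(bkpf, usr02):
    """Count documents per user type; posters without a master record are Unknown."""
    counts = Counter()
    for _belnr, _blart, usnam in bkpf:
        record = usr02.get(usnam)
        counts[USTYP.get(record[0], "Unknown") if record else "Unknown"] += 1
    return dict(counts)

def orphaned_posters(bkpf, usr02):
    """Pseudonyms of users who posted documents but no longer exist in USR02."""
    alias = pseudonymize(usnam for _b, _t, usnam in bkpf)
    return sorted({alias[u] for _b, _t, u in bkpf if u not in usr02})

def locked_posters(bkpf, usr02):
    """Pseudonyms of locked users: still attributable because the record exists."""
    alias = pseudonymize(usnam for _b, _t, usnam in bkpf)
    return sorted(alias[u] for u, (_t, flag) in usr02.items() if flag and u in alias)

if __name__ == "__main__":
    print(documents_by_user_type(BKPF, USR02))
    print("deleted:", orphaned_posters(BKPF, USR02), "locked:", locked_posters(BKPF, USR02))
```

Documents posted by a locked user still resolve to a known user type, while documents posted by a deleted user fall into “Unknown” and can no longer be attributed.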
Are you interested in data analysis in SAP?
Then our new licensing model is just right for you. Company codes with fewer than 50,000 entries in the BKPF table can now have access to zap Audit free of charge. No costs are incurred and there is now absolutely nothing to stand in the way of you making use of our efficient data analysis.