Learn SAP from the Experts | The SAP PRESS Blog

Exploring the SAP Audit Information System

Written by SAP PRESS | Jun 21, 2023 1:00:00 PM

One of the best-kept secrets within SAP systems is Audit Information System (AIS).

 

Delivered as a standard part of SAP S/4HANA, AIS is essentially a portal, providing a centralized set of audit information and reports for IT audits and financial statement-oriented audits. Because it groups and collects audit-relevant information into a single area, AIS provides a good starting point for many SAP S/4HANA audits. Despite our (the author of the book this post comes from) depth of experience, we regularly use AIS as an additional sanity check on processes we haven’t examined recently to ensure we haven’t missed anything significant.

 

AIS functionality has been a part of the Basis system for decades. We have been told that AIS was developed by SAP in response to requests from external auditing firms for a tool able to easily find, evaluate, and download information from the SAP system. In the early days, while AIS allowed for some direct reporting out of SAP, it was primarily used for downloading data into flat files for analysis with specialized audit tools.

 

For many years after first being introduced, AIS seemed to be a tool used primarily by the large public accounting firms—many organizations did not even know that it was already part of their SAP systems. Around the introduction of SAP NetWeaver in the early 2000s, AIS underwent a fairly significant overhaul. SAP introduced a set of audit-centric security roles that provided access to AIS functions through the user menu. Some of the reports were cleaned up, and the new audit roles allowed data access to be restricted in a way that more closely aligns with auditor responsibilities. Unfortunately, AIS has not been maintained since that update, and we were actually surprised to see it still available in SAP S/4HANA. Having said that, while much of AIS is outdated, there are still key components that can provide high value today, particularly for those IT auditors new to auditing SAP S/4HANA.

 

We’ll explain how to access, navigate, and use AIS in the following sections.

 

Accessing the Audit Information System

In early versions of SAP, you used Transaction SECR to access AIS. After the AIS overhaul in the early 2000s, you can now obtain AIS functionality through a series of predefined roles within SAP S/4HANA. You can easily find these roles by searching on roles prefixed with “SAP_AUDITOR.” A composite security role, SAP_AUDITOR, grants access to all AIS functionality, and several dozen single roles (generally consisting of a role that contains just the user menu, and a separate role that contains the related authorizations) segregate AIS functionality at a more granular level. The figure below shows a subset of these AIS-specific roles.

 

 

When the original AIS roles were created, SAP intended them to allow the auditor to self-service and administer certain AIS settings (primarily related to yearly audit scoping) on their own. As such, some authorizations within AIS allow for more than simply display access. Most organizations choose to have the Basis team administer AIS, and thus the AIS roles (rather than being granted them without change) are typically copied into the organization’s namespace, and the authorizations updated. Fortunately, it’s easy to find the roles that need updating by querying table AGR_1251, filtered by the SAP_AUDITOR* roles having ACTVT field values of 01, 02, or 06. A large population of these issues can be eliminated by merely removing the SAP_AUDITOR_ADMIN_A single role from the SAP_AUDITOR composite.

 

As mentioned earlier, the AIS roles have not been updated by SAP in quite some time, so they will require some work (primarily around adding transactions that did not exist at the time AIS was last updated, which would include any audit-relevant transaction introduced by SAP S/4HANA). Typically, the SAP_AUDITOR* roles would be copied to a Z_ SAP_AUDITOR* (or a similar set of roles following the organization’s naming conventions), and updates would be made to these custom roles. Note that while some security administrators might argue that the audit role(s) should be created from scratch based on audit need, and we agree in theory, we often find that little attention is paid to designing proper audit roles during the implementation and thus auditors typically don’t have a properly designed role at the point they attempt their first SAP S/4HANA audit. We believe that the SAP_AUDITOR roles provide the best starting point (with proper modifications, as we’ve discussed), and thus are the easiest way to get the access you need to get started with your audit procedures.

 

Navigating the Audit Information System

Fundamentally, AIS segregates audit information into two primary categories: a system audit and business audit. The system audit deals primarily with SAP S/4HANA Basis configuration, security, transports and other details traditionally associated with an IT audit. The business audit sections are primarily geared toward settings and reports relevant to a financial statement audit. Many audit departments have historically segregated technical IT audits from financial or operational audits, although these days it’s not uncommon to have an integrated audit, performed by an individual auditor or a team, which covers all aspects.

 

Once you have been assigned an appropriate AIS role, you can begin navigating AIS through the user menu, as shown in the next figure. In this example, the user has access to the entire AIS through a copy of the composite role SAP_AUDITOR. If a single role had been granted rather than the composite role, such as SAP_AUDITOR_BA_EC_CS, then they would only be allowed to see relevant portions of the menu.

 

 

AIS does not really provide any new functionality. Each of the programs, transactions, and reports available in AIS are generally accessible through other areas of the system and can conceivably be granted without using AIS as the starting point. The main advantage of AIS is that it consolidates these functions in a single place and organizes the options in way that is logical to most auditors. As such, it’s a great reference to assist in planning an audit and making sure your audit program uses appropriate transactions and reports.

 

For example, the next figure shows the AIS menu expanded to show some of the options. An IT auditor planning an audit of the system development and change control process might find the transactions in the Tools folder of the Transport Network section of the AIS System Audit to be particularly helpful. It’s possible that the auditor is familiar with Transaction STMS and the transport system in general but may not have been aware of these transactions used for searching transport requests for different characteristics.

 

 

Using the Audit Information System for Your Audit

As mentioned, one of the best uses of AIS is to help learn about the transactions or reports that might be useful for your audit. In fact, if you pay close attention to the previous figure, you’ll note a Top 10 Security Reports folder. There are other top 10 folders throughout the AIS menu, and in addition to security:

  • General ledger reports
  • Receivables reports
  • Payables reports (technically only nine reports, even though the folder says it’s the top 10)

Keep in mind that there are other newer reports these days in SAP S/4HANA that replace some of the reports listed in AIS, but a slightly outdated starting point is better than no starting point at all.

 

If your security team wants to do a more thorough review of what AIS grants and is thus hesitant to give you access right away, there may be a compromise that allows you the benefit of navigating the AIS menu (something we’ve discussed as one of the biggest values of AIS), without the risk of you being able to do something they haven’t fully vetted. SAP created the AIS roles in an interesting way. Specifically, most of the single roles have been broken into two parts: one role that contains only the menu (but no authorizations for the contents of the menu), and one role that contains only the authorizations. So, if you’re granted the AIS menu roles but not the authorization roles, you can navigate the menu, find transactions you may want to include in your audit and request those separately while the full AIS role is being evaluated. Referring to the first figure in this post, in cases where the single role names are the same except for a *_A suffix, those with the *_A suffix contain the authorizations, and those without contain the menu.

 

Since SAP is no longer investing in AIS, we do want to be realistic about its use. Beyond using the AIS menus to help identify useful transactions, most financial or operational auditors will likely find limited value (with IT auditors finding much greater value, and for reasons we’ll discuss in the next paragraph). Because SAP S/4HANA has introduced so many new or modified features, particularly related to the Universal Journal, the Material Ledger, and business partner integration, many of the reports listed in the AIS Business Audit folder have been replaced by better ones in SAP S/4HANA.

 

For those of you in organizations still running SAP ERP or even SAP R/3, AIS has more use for a financial or operational audit by eliminating the need to continually enter report parameters consistent with your audit scope. Many of the AIS financial reports are variation of standard SAP reports that call a variant you define once, which then runs those reports prepopulated with your audit scope (e.g., company codes, invoice number ranges, reporting year, cutoff period, etc.). This variant and other straightforward setup procedures can be accessed via AIS Menu > AIS Administration > Preparatory Work (Business Audit) > Selection Variable.

 

IT auditors operating in SAP S/4HANA environments will find AIS to be useful beyond just the insight that can be gained from the AIS menu. Most transactions in the AIS Menu > System Audit folder are still relevant today. That’s because many of the core IT audit-related risks associated with the Basis system still exist in SAP S/4HANA. Like our earlier discussion, you will still need to include SAP S/4HANA-specific risks that would not be in AIS since they were introduced after the last major AIS release. Despite its weaknesses, however, AIS is still a powerful tool and a great starting point for an SAP S/4HANA audit.

 

Editor’s note: This post has been adapted from a section of the book Auditing SAP S/4HANA by Steve Biskie.