For many companies using SAP (if not all of them), it is absolutely normal to 'undergo' inspections by external entities, especially for the auditing of balance sheet data.
A common practice is to give the auditors access to everything, and from the perspective of maximum transparency that could certainly make sense. But is it possible to evaluate or reason differently?
For example, in the case of a financial audit (an audit of the financial statements), third-party companies must have access to the company's information system to view financial data.
In SAP systems, and especially in the ERP system, authorizations (and thus technical permissions) can be defined very precisely, so there are multiple ways to do this.
It is clearly also necessary to assess what type of audit is being conducted. Are we talking about an IT audit (perhaps to audit ITGC controls) or a business audit? Or even other types of audits, e.g. GxP, etc.?
From the most permissive to the most stringent.
Some aspects and reasoning of this type could also apply to different scenarios such as, for example, system carve-outs.
This specific scenario could be addressed by a specific German regulation (the German tax reduction law, StSenkG). How the regulation "translates" into SAP, that is, how to implement it in SAP, is described in section 5 of the following document produced by the German SAP group.
The document, however, is no longer accessible on the German DSAG group's site.
But you can find the description of the feature on the SAP Help site.
This feature is therefore designed to segregate access for auditors (a limited number of users) and for certain activities, so it may not be applicable in all such cases.
What are the steps to test it?
A specific error is shown, unlike the query made on the year 2017, where various information can be retrieved.
For further information, consult the following OSS notes:
The aspects related to budget certification require that the system's technical configuration logic (e.g., roles, profiles, authorizations, and configurations) also be handled correctly.
How applicable might this functionality really be in contexts other than the countries covered by the legislation? Probably not much, although it concerns only a small group of users (primarily external auditors).