Sample Deliverable Report

Table of Contents

I) EXECUTIVE SUMMARY
   A) INTRODUCTION
   B) SCOPE AND COVERAGE
   C) APPROACH
   D) STATUS OF CONTROLS AND RECOMMENDATIONS
II) ANNEXURE
   A) CONFIGURABLE CONTROLS
      i) ABC LTD. CONFIGURABLE CONTROLS
         a) Record to Report
         b) Acquire to Retire
         c) Procure to Pay
         d) Order to Cash
         e) Inventory
      ii) ADDITIONAL CONFIGURABLE CONTROLS
         a) Record to Report
         b) Procure to Pay
         c) Order to Cash
         d) Inventory
      iii) ADDITIONAL RECOMMENDATIONS
   B) USER SECURITY
      i) OBSERVATION
      ii) ADDITIONAL RECOMMENDATIONS
   C) SYSTEM SECURITY (BASIS)
      i) OBSERVATIONS
      ii) ADDITIONAL RECOMMENDATIONS
   D) SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) AND DATA MIGRATION CUTOVER PROCEDURES
      i) OBSERVATION
      ii) ADDITIONAL RECOMMENDATIONS
EXECUTIVE SUMMARY

I) Executive Summary

A) Introduction

ABC Ltd. has embarked on an initiative to transition from legacy IT applications to SAP to align itself to the corporate systems and to gain process efficiencies utilizing SAP. The SAP implementation project name is ABC Ltd. which will be used throughout this report. In order to ensure a secured internal control environment for the new implementation, ABC Ltd. has engaged AGC to perform a Pre-Implementation Review encompassing Configurable Controls, System and User Security, and the Systems Development Life Cycle (SDLC). This report provides a summary of the scope, approach, findings and recommendations of this review.

B) Scope and Coverage

AGC performed a project assurance review of the ABC Ltd. SAP Implementation project. This was not an audit and therefore we do not express an overall opinion or conclusion on the reliability or integrity of the system. The review was performed “real-time” as the project was in progress therefore recommendations on overall internal control enhancements and risk mitigation were directed to the project team as the system was being implemented.

1) Configurable Controls Review:
• Evaluation of the existing configurable controls for their applicability, existence, completeness and operating effectiveness.
• Propose and evaluate additional configurable control opportunities

2) User Security Review:
• Segregation of Duties Review - Adequacy and Completeness of GRC rule sets
• User Role Design - Review of appropriateness of user/role creation procedures; Sample validation of users/roles
• Privileged User Access Review (Recommended as a pre go-live check)
• Critical Transaction Access Review (Recommended as a pre go-live check)

3) System Security Review (BASIS):
• Critical Security Parameter Review - Direct changes to Production client, user authentication and table maintenance parameters
• Security Table and Log Maintenance - Log enabling of critical security and financial data tables as per leading practices
• Password Controls - Compliance of SAP password parameters with ABC LTD. password standards
• Security Change Management Procedures - Transport Management System (TMS) security and parameter configuration for compliance with SDLC

4) Systems Development Life Cycle (SDLC) and Data Migration Cutover Procedures Review:

SDLC Review: Adherence to ABC LTD. IT Project Lifecycle Methodology/ASAP Implementation Methodology; Adherence to Checkpoint Reviews

Project Governance Review:
• Program Management Structure - Roles & Responsibilities (RACI matrix)
• Scope & Delivery Management - Deliverables tracking, Acceptance criteria (QA/sign-offs), Scope Control, Change Management, Issue Tracking and Resolution
• Project Health Status Measurement, Monitoring & Reporting Procedures - Scope, Deliverables, Schedule, Cost, Risks, Issues

C) Approach

1) Configurable Controls Review:

The existing configurable controls were evaluated for their applicability to ABC Ltd. and all the applicable controls were tested in the Development environment.

SAP PRE-IMPLEMENTATION REVIEW REPORT Page 4 of 53 DRAFT FOR DISCUSSION
Further, upon understanding the business processes, additional configurable control opportunities were proposed to the ABC Ltd. project team. Upon confirmation of the applicability/feasibility of these controls, they were tested in the Development environment to confirm they were properly designed and operating effectively. All exceptions were discussed with the ABC Ltd. team for inclusion in the SAP configuration, as applicable.

2) User Security Review:

Segregation of Duties Review – The SAP GRC Access Control Rule sets were reviewed for adequacy and completeness. The review included rule sets and underlying transaction codes.

User Role Design – ABC’s procedures for designing user roles in SAP were reviewed for their alignment with leading practices and recommendations were provided to strengthen the controls.

Privileged User Access Review and Critical Transaction Access Review – Since the user roles and users were not set up completely in the system at the time of this review, these are recommended to be included in the pre go-live check procedures.

3) System Security Review (BASIS):

We reviewed the SAP Development environment for critical system security (BASIS) parameters, activations for log maintenance for security and financial data tables, password controls in compliance with ABC LTD. standards and leading practices, and system change management procedures.

4) SDLC and Data Migration Cutover Procedures Review:

As a part of our review, we walked through the SDLC procedures and their compliance with the ABC LTD. IT Project Lifecycle Methodology / ASAP implementation methodology and project governance aspects related to scope and delivery management, monitoring and reporting procedures for scope, deliverables, schedule, costs, risks and issues. We obtained the necessary documentation for the review from the ABC Ltd. project team and ABC LTD. PMO. Findings and recommendations were shared with the project team for consideration.
D) Status of Controls and Recommendations

i) Configurable Controls Review

ABC Ltd. configurable controls (status of control as on report issue date):

| Business Process | Total Controls | Initial Observations | Compliant | Business Requirement | To be validated in a future assessment |
|---|---|---|---|---|---|
| Record to Report | 10 | 4 | 9 | 0 | 1 |
| Acquire to Retire | 6 | 4 | 6 | 0 | 0 |
| Procure to Pay | 19 | 14 | 14 | 0 | 5 |
| Order to Cash | 10 | 5 | 9 | 1 | 0 |
| Inventory | 3 | 3 | 3 | 0 | 0 |
| TOTAL | 48 | 30 | 41 | 1 | 6 |
Additional Configurable Controls (status of control as on report issue date):

| Business Process | Total Recommended Controls | Control Applicable for ABC Ltd. | Control Not Applicable for ABC Ltd. | Compliant | Business Requirement | To be validated in a future assessment |
|---|---|---|---|---|---|---|
| Record to Report | 3 | 3 | 0 | 1 | 0 | 2 |
| Procure to Pay | 8 | 5 | 3 | 5 | 0 | 0 |
| Order to Cash | 7 | 2 | 5 | 1 | 0 | 1 |
| Inventory | 2 | 1 | 1 | 1 | 0 | 0 |
| TOTAL | 20 | 11 | 9 | 8 | 0 | 3 |

Status Definitions

| Status | Definition |
|---|---|
| Compliant | Controls configured in SAP post recommendation |
| Business Requirement | Controls cannot be configured for valid business requirements |
| To be validated in a future assessment | Controls to be assessed on a future data after necessary changes made in SAP |

Additional Recommendations for Configurable Controls

• We provided 7 high-level recommendations based on the trends we observed in ABC Ltd. and in alignment with the leading practices for similar scale SAP implementations.