Chapter 10 • Global, Ethics, and Security Management 287
BOX 10-1 SAP and SOX
Systems Applications and Products (SAP) provides software for businesses in every type of industry.
SAP is a major ERP provider, so when Sarbanes–Oxley sections 404 and 409 were introduced, it had
to think about both its market and its own company. SAP is a worldwide company that was started
in Germany. In a recent article, it was noted that as of July 15, 2006, overseas companies listed in the
United States had to be SOX 404 compliant. 31 SAP is a “software giant” with a lot of activity in the
United States. Dirk Matzger, head of risk management at SAP Asia-Pacific, said in an interview that
SAP has been actively researching and working on becoming SOX 404 compliant since the regulations
first came about in 2002. They have involved process owners and have also chosen current employees to
champion the project and take charge of SOX 404–related tasks. They are working on their company’s
internal controls and incorporating them with SAP’s risk management function. SAP currently has
biannual audits by their auditor, KPMG, on SOX 404 compliance. They expect these audits to benchmark
their progress in becoming compliant and hope to obtain first certification of compliance.
SAP is currently marketing their mySAP ERP Financials. They claim that “mySAP ERP
Financials software provides extensive capabilities to ensure continuous compliance with regulatory
mandates—enabling high governance standards and reducing IT and audit costs. Using mySAP ERP
Financials, you can manage the complex documenting, testing, mitigation, and sign-off procedures
associated with Sarbanes–Oxley sections 302, 404, and 409, as well as fast close and section 301
whistle-blower requirements.” 32 Their software enables companies to manage their systems and financial
information while supporting the regulations of the SOX Act.
SOX IMPACT ON PRIVACY AND SECURITY Two key concerns for SOX are privacy and
security violations. Audits are done on a company’s ERP systems to test the privacy and security
levels of the system (e.g., who has access to what information, and what internal controls
are involved in the ERP system?). The major areas of privacy include access to the system,
user ID and verification, evaluating configurations relating to business processes, change
management, and interfaces. 33 As discussed earlier, ERP systems integrate almost all business
functions into one system. They use one database, one operating system, and so on. People who
have access to this system should have user IDs, passwords, and access controls. Not all users
should be able to change financial information, personnel information, vendor information,
and the like. Most auditors obtain a list of users and the permissions they have in the
system. They also check the process used for user IDs and passwords: How often are
passwords changed? How complex are the user IDs? They also check how easily changes
or modifications can be made to the system. Change management is something that should be
controlled by a limited number of people experienced in the ERP software. Privacy and security
are extremely important with ERP systems.
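The access review described above, written out as an added example (not part of the textbook or of any SAP tool): it runs over a constructed export of ERP users and flags the three things the text says auditors look for. The field names, the approved change-management group, and the 90-day password age are assumptions.

```python
# Added example: a SOX 404-style user access review over a constructed ERP
# user export. Assumed field names; not an SAP export format.
from datetime import date

# Constructed sample export: user id, data areas the user may change,
# and the date the password was last changed.
USERS = [
    {"id": "jdoe",   "change": {"financial"},                        "pw_changed": date(2024, 5, 1)},
    {"id": "admin1", "change": {"financial", "personnel", "vendor"}, "pw_changed": date(2023, 1, 10)},
    {"id": "basis2", "change": {"change_mgmt"},                      "pw_changed": date(2024, 6, 15)},
    {"id": "temp9",  "change": {"vendor", "change_mgmt"},            "pw_changed": date(2022, 12, 1)},
]

SENSITIVE = {"financial", "personnel", "vendor"}   # areas the text names
APPROVED_CHANGE_MANAGERS = {"basis2"}              # assumed limited group
MAX_PASSWORD_AGE_DAYS = 90                         # assumed policy value


def review(users, today, approved=APPROVED_CHANGE_MANAGERS,
           max_age=MAX_PASSWORD_AGE_DAYS):
    """Return (user, finding, detail) tuples for an auditor to follow up."""
    findings = []
    for u in users:
        # 1. A single user able to change more than one sensitive area
        #    is a segregation-of-duties concern.
        sens = u["change"] & SENSITIVE
        if len(sens) > 1:
            findings.append((u["id"], "broad_change_rights", sorted(sens)))
        # 2. Change-management rights outside the approved small group.
        if "change_mgmt" in u["change"] and u["id"] not in approved:
            findings.append((u["id"], "unapproved_change_mgmt", None))
        # 3. Password rotation: how often are passwords changed?
        age_days = (today - u["pw_changed"]).days
        if age_days > max_age:
            findings.append((u["id"], "stale_password", age_days))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(USERS, date(2024, 7, 1)):
        print(f"{user:8} {kind:24} {detail}")
```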
Along with SOX requirements related to privacy and security violations, other government
entities also require companies to maintain certain standards of data integrity. The FDA requires
that computerized data be as “accurate, authentic, attributable, current, and legible” as paper
31 http://news.zdnet.com/2102-1009_22-6098931.html (accessed February 2001).
32 www.sap.com/solutions/business-suite/erp/financials/sox.epx (accessed February 2001).
33 www.isaca.org/Content/NavigationMenu/Students_and_Educators/IT_Audit_Basics/IT_Audit_Basics_Auditing_Security_and_Privacy_in_ERP_Applications.htm (accessed February 2001).