Risks of Excessive Authorizations in an SAP-Based Environment (Part-2)


The pharmaceutical sector is considered a highly controlled and compliant environment. Many compliance requirements and guidelines govern SAP implementation in a pharmaceutical company. When an SAP implementation is initiated, the audit aspects also need to be envisaged. Organizations concentrate mainly on stabilizing business processes and neglect this area during implementation because roles and authorizations are not yet clearly defined.

These controls are generally implemented only after things have stabilized and auditors start raising observations during a regulatory or statutory audit. This is a critical aspect: the project core team needs to identify all gaps well in advance and provide these details to the implementation partner to reduce compliance gaps.

There are mainly two types of audits to meet compliance requirements:

1. Regulatory Audit:

GMP (Good Manufacturing Practices) compliance using Computer System Validation (CSV) as per specified guidelines such as 21 CFR Part 11, Annex 11 & GAMP 5

2. Statutory Audit:

Internal Financial Controls (IFC) & Company Level Control (CLC) as per Generally accepted accounting principles, or GAAP

Internal audit is also an essential audit from the QMS perspective in the pharmaceutical industry. The QMS team keeps validating all aspects from a regulatory point of view to ensure that the system remains compliant throughout its life cycle. Gaps identified during these audits are addressed per the specified QMS guidelines.

Similarly, an internal audit is done on financial aspects, and new controls are introduced to reduce system risks.

1. Regulatory Audit

GMP (Good Manufacturing Practices) compliance using Computer System Validation

All modules that deal with batch management or the GxP area are part of this audit. Regulatory auditors do not cover financial aspects, although testing, financial integration, and the relevant transactions are also covered as part of the business process. The documentation for these modules covers all of their critical business processes.

The following modules are covered under this aspect:

  1. Production & Planning (PP)
  2. Quality Management (QM)
  3. Plant Maintenance (PM)
  4. Material Management (MM)
  5. Sales & Distribution (SD)

Any business process that directly impacts product quality, data integrity, and patient safety falls under this category. For example, proper audit trails, password complexity, electronic signature guidelines, data backup and restoration, business continuity planning, etc., are covered under this aspect as per 21 CFR Part 11 guidelines.

Computer System Validation is done as per GAMP 5 guidelines, and change management is tracked during the entire system life cycle. Business processes are properly documented, with negative testing and controls, to ensure that the system doesn't deviate from the validated processes. When the SAP system is released for performing transactions, it should be validated against the actual user requirement specifications (URS). Without mapping the process and obtaining a proper URS, no direct change should be made in a GxP system.

When configuration/customization changes are made in the system, they are properly documented, and the respective module user provides user acceptance testing (UAT) confirmation.

As per GAMP 5 guidelines, a risk-based approach should be taken to evaluate the anticipated risk due to changes in the system. Risks are identified in all business processes, and their mitigation is verified during the execution of the test scripts and UAT. All user requirements are covered by test scripts, and screenshots are taken to capture the business process and negative testing. The identified risks and their Risk Priority Number (RPN) are compared with the results of test script execution, and the post-test RPN is derived from the evidence. Risks should be addressed in the system to meet user and compliance requirements.

These documents are reviewed periodically by the QA team, and critical transactions are verified to ensure the validated state of the SAP environment.

2. Statutory Audit

Internal Financial Controls (IFC) & Company Level Control (CLC) as per Generally accepted accounting principles, or GAAP

A statutory audit is a legally required review of the accuracy of a company's or government's financial statements and records. A statutory audit is done annually by an external auditor to form an opinion on the company's financial statements, i.e., whether they present a true and fair view of the company's affairs. In contrast, an internal audit is performed to detect and counteract inaccuracies and fraud.

Clause (i) of Sub-section 3 of Section 143 of the Companies Act, 2013 ("the 2013 Act" or "the Act") requires the auditors' report to state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls.

The following modules are covered under this aspect:

  • Finance & Controlling Module (FICO)
  • Material Management (MM)
  • Sales & Distribution (SD)
  • Production & Planning (PP)

This audit ensures that all financial configurations and customizations have been done properly in the SAP environment and that the ERP system has no financial risks. In addition, this audit checks system risks from a financial perspective and unauthorized accesses that may lead to financial discrepancies. It is a thorough investigation of IT processes as well as financial controls.

All modules that have an impact on financial aspects fall under this criterion. In addition to regular finance and accounting transactions, the adequacy of controls over the purchase of inventory and fixed assets, the sale of goods and services, costing, sales, COGS, pricing, credit management, PR/PO approvals, and DOA is checked during this audit. In addition, unauthorized access rights and system controls are reviewed and corrected to reduce system risks.

It is crucial to justify these processes with appropriate policies and procedures adopted by the company to ensure its business's orderly and efficient conduct. In addition, when a documented procedure is used, it helps safeguard the company's assets and prevent and detect fraud and other irregularities.

The auditors of even unlisted companies must report on the adequacy and operating effectiveness of the internal financial controls over financial reporting.

"Internal Control System" means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

An internal control system:

  • Facilitates the effectiveness and efficiency of operations.
  • Helps ensure the reliability of internal and external financial reporting.
  • Assists compliance with laws and regulations.
  • Helps safeguard the assets of the entity.

In general, a system of internal control to be considered adequate should include the following components:

  • Control & Compliant environment
  • Risk assessment & mitigation
  • Controls and checks activities
  • Effective Management Information system and communication
  • Continuous Monitoring & Periodic Reviews

The company's internal controls cannot be considered adequate if one or more material weaknesses exist.

Documentation is considered the backbone of an audit. The auditor's work, the explanations given to the auditor, and the conclusions arrived at are all evidenced by documentation. Poor documentation may depict poor performance in an audit. The auditor may have executed appropriate audit procedures; however, without documentation to prove it, the work done may be called into question if any material misstatement is reported. Improper and incomplete documentation may, at times, put the auditor in embarrassing situations.

Common Controls and Compliances:

Unauthorized access rights are the most critical component in both audits. All critical transactions that could impact product quality (Regulatory) or pricing (Statutory) through misuse are reviewed. In addition, system controls, segregation of duties, unauthorized accesses, and administration settings are checked in both audit processes.

Proper migration procedures, the UAT documentation process, configuration/customization details, the change management process, changes in the production environment, the client-opening approval process, emergency configuration changes, password complexity, database controls, handling of resigned employees, etc. are a few very important control points reviewed during the audits. These aspects can be covered by creating proper IT policies or SOPs, and the periodic review of these aspects should also be specified in the document.
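The segregation-of-duties and resigned-employee points above are the kind of review an auditor typically scripts against a user and role export rather than checking by hand. The following is an added example, not code from the article or from SAP: the transaction codes are standard SAP codes, but the conflict matrix, the user records and the review date are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Illustrative SoD rule set. The transaction codes are standard SAP codes
# (XK01 create vendor, ME21N create PO, ME23N display PO, ME29N release PO,
# MIGO goods movement, MIRO enter incoming invoice, F110 payment run); which
# pairs count as a conflict is an assumption for this example, not a matrix
# taken from the article.
SOD_CONFLICTS: Dict[Tuple[str, str], str] = {
    ("XK01", "ME21N"): "maintain vendor master and create purchase orders",
    ("ME21N", "ME29N"): "create and release purchase orders",
    ("ME21N", "MIGO"): "create purchase orders and post goods receipts",
    ("MIRO", "F110"): "post vendor invoices and run payments",
}


@dataclass
class SapUser:
    """Constructed user record: what a user/role export might give the reviewer."""
    user_id: str
    tcodes: Set[str]      # transaction codes reachable through assigned roles
    hr_status: str        # "active" or "resigned" (from the HR leaver list)
    valid_to: date        # account 'valid through' date


def sod_conflicts(user: SapUser) -> List[str]:
    """Return one finding per conflicting tcode pair the user holds."""
    return [
        f"{user.user_id}: SoD conflict {a}+{b} ({why})"
        for (a, b), why in SOD_CONFLICTS.items()
        if a in user.tcodes and b in user.tcodes
    ]


def leaver_with_access(user: SapUser, today: date) -> bool:
    """A resigned employee whose account has not been end-dated yet."""
    return user.hr_status == "resigned" and user.valid_to >= today


def review_users(users: List[SapUser], today: date) -> List[str]:
    """Combine both checks into a single list of audit findings."""
    findings: List[str] = []
    for u in users:
        findings.extend(sod_conflicts(u))
        if leaver_with_access(u, today):
            findings.append(f"{u.user_id}: resigned but account valid until {u.valid_to}")
    return findings


# Constructed sample export; 9999-12-31 is the usual "unlimited" validity date.
REVIEW_DATE = date(2024, 1, 15)
SAMPLE_USERS = [
    SapUser("BUYER01", {"ME21N", "ME23N"}, "active", date(9999, 12, 31)),
    SapUser("BUYER02", {"ME21N", "ME29N", "MIGO"}, "active", date(9999, 12, 31)),
    SapUser("AP01", {"MIRO", "F110"}, "resigned", date(9999, 12, 31)),
    SapUser("AP02", {"MIRO"}, "resigned", date(2023, 12, 31)),
]

if __name__ == "__main__":
    for line in review_users(SAMPLE_USERS, REVIEW_DATE):
        print(line)
```

Run as-is, the review flags BUYER02 twice (create+release, create+goods receipt), AP01 for the invoice+payment conflict and for still being valid after resignation, and nothing for AP02, whose account was end-dated before the review date. In practice the conflict matrix is the part that needs sign-off from finance and QA, because it encodes which combinations the business considers a real risk.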

These scenarios are very important because these activities may directly impact GMP or financial aspects. Many controls can be activated at the transaction code level that affect the internal controls in a business process.

SAP allows these controls to be activated using either standard configurations or customizations as per the business requirement/logic. However, if controls are missing or customized as "Warning," the system doesn't restrict users from processing the transaction. This introduces risk into the SAP environment and may lead to incorrect entries being processed in the production environment.

Critical transaction codes are identified in every module, and negative testing is performed to surface anticipated risks in the SAP environment.

Example:

When a PO is created, the system shows various date fields such as Document Date, Delivery Date, etc. The SAP system should enforce the following date controls:

  • PO Document Creation Date should not be in the past
  • PO Delivery Date should not be in the past
  • PO Delivery Date should not be earlier than the PO Document Creation Date
  • PO Release Date should not be in the past
  • PO Release Date should not be before the PO Delivery Date and Document Creation Date
  • GRN Date should not be before the PO Document Date or Release Date

There are many other controls that can be activated to ensure that incorrect details are not entered into the system. Many of them can be activated simply by enabling standard SAP attributes and changing a "Blank" or "Warning" message into an "Error." Proper testing needs to be done whenever such an attribute is activated, since some settings reduce the system's flexibility and may add extra burden for your team members.
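As an added illustration (not code from the article or from SAP), the six date controls listed above can be expressed as a small rule set, together with the message-control point the previous paragraph makes: a violated check that is configured as a Warning does not stop the document, only one configured as an Error does. The PO record shape, the check ids, the message configurations and the sample documents are constructed for this example; in a real system these checks live in SAP's message control and validation settings, and the rules are implemented here exactly as the article states them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class PurchaseOrder:
    """Constructed PO record for the example (field names are ours, not SAP's)."""
    document_date: date                  # PO document (creation) date
    delivery_date: date                  # requested delivery date
    release_date: Optional[date] = None  # filled once the PO is released
    grn_date: Optional[date] = None      # filled once goods receipt (GRN) is posted


# Check ids assigned here for the six date rules listed in the article.
CHECK_IDS = [
    "DOC_DATE_PAST", "DELIV_DATE_PAST", "DELIV_BEFORE_DOC",
    "REL_DATE_PAST", "REL_BEFORE_DELIV_OR_DOC", "GRN_BEFORE_DOC_OR_REL",
]


def check_po_dates(po: PurchaseOrder, today: date) -> List[Tuple[str, str]]:
    """Evaluate the six date controls; return (check_id, message) per violation."""
    findings = []
    if po.document_date < today:
        findings.append(("DOC_DATE_PAST", "PO document date is in the past"))
    if po.delivery_date < today:
        findings.append(("DELIV_DATE_PAST", "PO delivery date is in the past"))
    if po.delivery_date < po.document_date:
        findings.append(("DELIV_BEFORE_DOC", "PO delivery date precedes document date"))
    if po.release_date is not None:
        if po.release_date < today:
            findings.append(("REL_DATE_PAST", "PO release date is in the past"))
        if po.release_date < po.delivery_date or po.release_date < po.document_date:
            findings.append(("REL_BEFORE_DELIV_OR_DOC",
                             "PO release date precedes delivery or document date"))
    if po.grn_date is not None:
        before_release = po.release_date is not None and po.grn_date < po.release_date
        if po.grn_date < po.document_date or before_release:
            findings.append(("GRN_BEFORE_DOC_OR_REL",
                             "GRN date precedes PO document or release date"))
    return findings


# Message control: a check only has teeth when configured as an Error ("E").
# "W" (Warning) or "" (blank) lets the user save the document anyway.
WARNING_ONLY: Dict[str, str] = {cid: "W" for cid in CHECK_IDS}
HARDENED: Dict[str, str] = {cid: "E" for cid in CHECK_IDS}


def is_blocked(findings: List[Tuple[str, str]], message_config: Dict[str, str]) -> bool:
    """True only if at least one violated check is configured as an Error."""
    return any(message_config.get(cid, "") == "E" for cid, _ in findings)


# Constructed sample documents, evaluated as of a fixed "today".
TODAY = date(2024, 3, 1)
CLEAN_PO = PurchaseOrder(date(2024, 3, 1), date(2024, 3, 10), date(2024, 3, 10), date(2024, 3, 10))
BACKDATED_PO = PurchaseOrder(date(2024, 3, 1), date(2024, 2, 28))
EARLY_GRN_PO = PurchaseOrder(date(2024, 3, 1), date(2024, 3, 10), date(2024, 3, 12), date(2024, 3, 11))

if __name__ == "__main__":
    for name, po in [("clean", CLEAN_PO), ("backdated", BACKDATED_PO), ("early GRN", EARLY_GRN_PO)]:
        found = check_po_dates(po, TODAY)
        print(f"{name}: {[cid for cid, _ in found]}")
        print(f"  blocked with warnings only: {is_blocked(found, WARNING_ONLY)}")
        print(f"  blocked when hardened:      {is_blocked(found, HARDENED)}")
```

The backdated PO violates two of the rules, yet under the warning-only configuration `is_blocked` returns False, which is the gap the article describes: the message fires, the user clicks through, and the entry still reaches production. The same findings under the hardened configuration block the document, which is why the change from "Warning" to "Error" has to be tested rule by rule before it is transported.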

An extensive list of controls can be activated once their impact is understood. Many such controls become part of this audit process. While implementing SAP, these controls should be made part of the SAP controls so that the IT team doesn't face any challenges while performing the audit.

Please share your comments and experience to provide your feedback on this topic.

Ronak Sondagar

Business Development Manager at DAC INFO

2 years

Not allowed to change master information, i.e., material description, Vendor / Mfg Name, UOM & Location

Useful and informative. Thanks for sharing useful information.

Tarigoppula Srinivasa Rao

SAP S/4 HANA Finance Certified Professional Consultant with 15+ years of experience in SAP FICO and S/4 Hana finance; ITIL Foundation certified

2 years

Nice article. To implement these practices, the implementation team needs to educate the core team and QA team in detail about functionalities and roles for effective implementation.

Suman Pal

Consultancy and Advisory Role

2 years

Excessive authorization should be controlled, but excessive automation will make your system more complex and will lead towards failure.

Rakesh Dhanda

Vice President IT & CIO, Digital Transformation and IT enthusiast

2 years

Very Useful!
