SAP Auditing - frequently asked questions

Our consultants have put together a comprehensive list of common enquiries and responses on SAP security issues to help with basic troubleshooting and simple problem solving. The FAQs also provide useful background information for IT administrators about to start an SAP initiative.

If you have a question which is not listed here, please use the Ask the Experts form to submit a question. Your inquiry will be addressed by one of our consultants as promptly as possible.

SAP is a very large and complex ERP system, forming the platform for multiple inter-related business processes for the companies that utilise it. It comprises thousands of configurable tables, which makes it highly flexible, and has a complex integrated security function. SAP is therefore a challenging environment to audit, particularly for those with minimal technical knowledge or appreciation of the business processes that operate within the system.

To gain maximum assurance from the system, the following 3 types of review would need to be performed (they can also be performed independently, depending on the risks you wish to provide comfort over):

  • SAP Basis Review – covers access security (i.e. SAP authorisations) over sensitive system administration functions, configuration of security parameter settings and manual controls over system administration processes (e.g. user provisioning, change management, etc.)
  • SAP Business Process Review – covers both configurable controls (e.g. tolerance settings) and manual controls (e.g. reconciliations) within the business process under review, such as revenue & receivables, procure to pay, etc.
  • SAP Segregation of Duties Review – covers both sensitive access and identification of incompatible duties within the business process under review.