SAP is a very large and complex ERP system, forming the platform for multiple inter-related business processes for those companies which utilise it. It is comprised of thousands of configurable tables making it highly flexible, and has a complex integrated security function. In summary, SAP is a challenging environment to audit.

The role of Internal Audit, whether an internal department or outsourced, is to provide assurance that an organisation’s risk management, governance and internal controls are operating effectively. These responsibilities and concerns stretch far wider than purely financial risks, taking interest in the following risks to the organisation:

  • Strategic growth
  • Reputational
  • Corporate responsibility
  • Operational

In addition, as well as performing assurance activities, the Internal Audit team also performs consulting services by advising management how they can improve their current processes in order to accomplish its objectives. This is where real value is provided by the Internal Audit function.

Performing such an array of tasks means having a broad set of skills and knowledge is essential. This makes it very difficult to acquire and develop the specific skills, understanding and experience to effectively audit an SAP system.


Turnkey Consulting provide the necessary support for your SAP audit related activities to ensure a trusted, reliable and experienced organisation perform the detailed reviews, leaving you to focus on the value-add side of Internal Audit.

With extensive audit, controls and implementation experience, our consultants apply the latest proven audit methodologies to identify key risk areas in your SAP control environment. We quickly identify the current levels of security in your SAP system and assess how that compares to both internal policies and security good practice. In addition, we also have the in-house knowledge to evaluate the controls embedded into those business processes supported by your SAP system.

We do not issue blanket best practice recommendations as we recognise that every organisation is unique with different risks, concerns and desired levels of control. Instead we make recommendations that take into account the industry, size and nature of your organisation, as well as any compensating controls which might serve to mitigate risk.

Although we will manage the end-to-end process, a continuous engagement model ensures key stakeholders receive regular updates throughout the review and are able to provide input on any issues encountered prior to delivery of a final report.