THE PLAYBOOK · CHAPTER 1

SAP Tool Ecosystem for Internal Audit

What you already have. What you underutilize. What to build toward.

Key takeaways -- read this first
  • Most audit functions in SAP S/4HANA environments have access to meaningful monitoring and governance capability they have never inventoried or activated.
  • The right first question is not "what should we buy" -- it is "what do we already have that we are not using."
  • The six tools here form a natural progression. Fiori Custom Analytical Queries and SAP Query require no additional license. BIS and GRC are frequently licensed already but require activation. SAC and Signavio are the advanced layer.
  • Tool adoption without data access is the most common reason audit technology investments fail to produce a return. The data access conversation runs parallel to -- not after -- the tool conversation.
Native tools: 6 in SAP, already in your environment
Approach: inventory first, before any new investment
Adoption: staged, each tool builds on the last
Reading time: 20 min
SAP S/4HANA reference environment
This chapter uses SAP S/4HANA as its primary reference environment. The inventory-first approach and the tool categories covered here apply across ERP platforms. Oracle and Microsoft Dynamics environments include equivalent native capabilities in each category -- the tool names are different, the logic is the same.

The Inventory-First Framework

Before any procurement decision, audit functions need to complete five diagnostic steps. Most skip to step five and pay for it.

Step 1
What did you previously use, and why did it work?
Document the tools and procedures that functioned before the ERP transition. Understand the data sources they relied on, the access patterns they required, and the outputs they produced. This establishes the capability baseline to restore or exceed.
Step 2
What broke, and what specifically caused it?
Map the specific failures: data sources that changed structure, access pathways that were not migrated, procedures that assumed legacy system behavior. Generic answers ("ERP changed everything") are not sufficient. Specific answers enable targeted recovery.
Step 3
What does the current platform offer natively?
Conduct a formal inventory of native audit capability in the current ERP. In SAP S/4HANA, this includes Fiori Custom Queries, Business Integrity Screening, the GRC suite, SAP Analytics Cloud, and process mining via Signavio. Most functions have never formally catalogued what they have access to.
Step 4
What is licensed but dormant?
Identify capabilities included in the current license that have not been activated or deployed. GRC modules and BIS are frequently licensed and unused. SAP Analytics Cloud is often part of an enterprise agreement that audit has not claimed access to. Dormant capability is capability the organization has already paid for; activating it is a resourcing question, not a budget one.
Step 5
What are the genuine gaps?
Only after completing steps one through four does the fifth step produce a reliable answer. Genuine gaps are capabilities required to meet audit objectives that are not available natively and are not covered by existing tools. These are the only gaps that justify new procurement.
A gap identified before completing these steps is a hypothesis. A gap identified after is a justified business case.

The Six Native SAP Tools

These tools form a natural progression from no-license access through licensed but dormant capabilities to the advanced analytics layer.

Tool 1 -- No Additional License
SAP Fiori Custom Queries
The Custom Analytical Queries app (F1572) lets an analyst define and run queries on CDS views from the browser, without ABAP development. With appropriate read-only audit access this is the fastest path to population-level data, and it needs no additional licensing or tool procurement. Use cases include accounts payable population pulls, general ledger transaction queries, purchase order analysis, and vendor master data review. Two caveats a practitioner will hit immediately: only CDS views annotated for analytical use appear as data sources, and each view carries its own access control (DCL), so "read-only" still has to be scoped to the company codes and data the audit role is entitled to see. This is the entry point for any audit function that does not yet have a dedicated analytics platform.
Tool 2 -- No Additional License
SAP Query and Report Writer
SAP Query (transactions SQ01 for queries, SQ02 for InfoSets, SQ03 for user groups) and Report Writer / Report Painter allow building structured queries against SAP tables without ABAP development. Ad hoc reports, scheduled extraction jobs, and cross-table joins defined in an InfoSet are achievable with user-level access and basic configuration. Particularly useful for building repeatable extraction procedures that the team can run on a cycle without IT involvement. Note that the query tools do not bypass authorization: the audit user still needs display authorization for the underlying tables, which is part of the read-only role conversation with IT.
Tool 3 -- Requires Activation
SAP Business Integrity Screening (BIS)
Business Integrity Screening (formerly SAP Fraud Management) is SAP's native anomaly detection module. It evaluates transaction data against configured detection strategies, either in scheduled mass runs over a population or online at the moment a document is posted, and flags exceptions for investigation across process areas including accounts payable, vendor management, procurement, and general ledger. BIS is frequently licensed as part of S/4HANA agreements but not activated. Activation requires IT coordination for configuration and rule setup, but once deployed it provides near-real-time exception detection without ongoing query development. The rules themselves still need audit ownership: a detection strategy only finds what it is configured to look for, and thresholds set too wide produce alert volume that no one works.

→ BIS Configuration Guide: rules, thresholds, and what to hand IT for deployment

Tool 4 -- Requires Activation
SAP GRC Suite (Access Control, Process Control, Risk Management)
The GRC suite includes three components relevant to internal audit. Access Control automates SoD conflict detection and privileged access monitoring across SAP roles, evaluating each user's combined roles against a rule set of conflicting functions. Process Control provides continuous monitoring of financial and operational controls with workflow-based exception management. Risk Management enables risk assessment and treatment tracking integrated with the control environment. All three are commonly licensed and underutilized. Each requires configuration investment but provides sustainable automation that manual testing cannot replicate at scale. One caveat: the delivered SoD rule set is a starting point, not a finished one. Its functions and risks must be reviewed against the organization's own role design before the conflict output means anything.
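The SoD check that Access Control automates, reduced to its core logic as an added example (this is not the page's own code and not SAP GRC's rule engine): each user's roles are resolved to the transaction codes they grant, the codes are mapped to business functions, and every pair of functions that a rule says must be separated is reported. The rule set, the role definitions, the user assignments and the risk IDs (P001 to P003) are constructed sample data; a production rule set also keys on authorization objects and values, not transaction codes alone.

```python
"""Added example: minimal SoD conflict detection over constructed role data.
Rule IDs, role names and user assignments are hypothetical; the transaction
codes are real SAP codes used only to make the roles recognisable."""
from collections import defaultdict

# Constructed rule set: each risk names two business functions one person should not hold together.
SOD_RULES = {
    "P001": ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_POST"),
    "P002": ("AP_INVOICE_POST", "PAYMENT_RUN_EXECUTE"),
    "P003": ("PO_CREATE", "GOODS_RECEIPT_POST"),
}

# Constructed mapping from transaction code to business function (GRC AC also uses auth objects).
TCODE_FUNCTIONS = {
    "XK01": "VENDOR_MASTER_MAINTAIN", "XK02": "VENDOR_MASTER_MAINTAIN",
    "FB60": "AP_INVOICE_POST", "MIRO": "AP_INVOICE_POST",
    "F110": "PAYMENT_RUN_EXECUTE",
    "ME21N": "PO_CREATE",
    "MIGO": "GOODS_RECEIPT_POST",
}

# Constructed roles: role name -> transaction codes it grants.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_TREASURY": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_AP_SUPER": {"FB60", "MIRO", "F110"},   # conflicting on its own, whoever holds it
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "AKHAN": {"Z_BUYER"},
    "MLEE": {"Z_AP_SUPER"},
    "RDIAZ": {"Z_BUYER", "Z_WAREHOUSE"},
    "TNGUYEN": {"Z_TREASURY"},
}


def functions_for_user(user, user_roles=USER_ROLES, roles=ROLES, tcode_map=TCODE_FUNCTIONS):
    """Resolve a user's roles to {business_function: {tcodes that grant it}}."""
    reach = defaultdict(set)
    for role in user_roles.get(user, ()):
        for tcode in roles.get(role, ()):
            func = tcode_map.get(tcode)
            if func:
                reach[func].add(tcode)
    return reach


def user_conflicts(user, rules=SOD_RULES, **kw):
    """Sorted list of (risk_id, function_a, function_b) the user violates."""
    funcs = functions_for_user(user, **kw)
    return sorted((rid, a, b) for rid, (a, b) in rules.items() if a in funcs and b in funcs)


def role_conflicts(role, rules=SOD_RULES, roles=ROLES, tcode_map=TCODE_FUNCTIONS):
    """Risk IDs a single role violates by itself; such roles are a design defect, not an assignment error."""
    funcs = {tcode_map[t] for t in roles.get(role, ()) if t in tcode_map}
    return sorted(rid for rid, (a, b) in rules.items() if a in funcs and b in funcs)


def sod_report(user_roles=USER_ROLES, rules=SOD_RULES, roles=ROLES, tcode_map=TCODE_FUNCTIONS):
    """{user: [conflicts]} for users with at least one SoD violation."""
    report = {}
    for user in sorted(user_roles):
        hits = user_conflicts(user, rules=rules, user_roles=user_roles, roles=roles, tcode_map=tcode_map)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sod_report().items():
        for risk_id, a, b in hits:
            print(f"{user}: {risk_id} {a} + {b}")
    for role in ROLES:
        if role_conflicts(role):
            print(f"role {role} is self-conflicting: {role_conflicts(role)}")
```

The role-level check matters as much as the user-level one: a conflict that comes from a single role (Z_AP_SUPER above) will reappear every time that role is assigned, so the remediation is role redesign rather than a one-off removal.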
Tool 5 -- Advanced Layer
SAP Analytics Cloud (SAC)
SAP Analytics Cloud is the enterprise analytics and visualization platform that connects directly to S/4HANA data models. For internal audit, SAC enables dashboard-level oversight of monitoring results, trend analysis across exception categories, and executive reporting that connects audit activity to risk indicators. Requires analytics skill investment to deploy effectively. Most valuable after Fiori and BIS are operational and the function has a dataset of monitoring results to visualize and analyze.
Tool 6 -- Advanced Layer
SAP Signavio (Process Mining)
Signavio provides process mining capability -- reconstructing actual process flows from SAP event logs and comparing them against designed control flows. For audit, this enables identification of process bypasses, unauthorized sequence deviations, and systematic control circumvention at a level of detail that exception-based monitoring cannot surface. This is the most analytically sophisticated capability in the native SAP ecosystem and should be deployed after foundational monitoring is operational.
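What "reconstructing actual process flows and comparing them against designed control flows" means in practice, as an added example that is not the page's own code and not Signavio's: events are grouped into one trace per purchase order, each trace's activity sequence (its variant) is compared with the designed procure-to-pay sequence, and three deviation types are reported: a mandatory step missing, a step executed before a designed predecessor, and the same user creating and approving. The designed flow, the event log, the user IDs and the deviation labels are all constructed; in a real engagement the events would be derived from document headers, change documents and the universal journal.

```python
"""Added example: conformance check of a constructed procure-to-pay event log
against a designed control flow. Activity names, case IDs and users are hypothetical."""
from collections import Counter, defaultdict
from datetime import datetime
from itertools import combinations

# Designed flow, in order (constructed; mirrors a standard three-way-match design).
DESIGNED_FLOW = ["PO_CREATED", "PO_APPROVED", "GOODS_RECEIPT", "INVOICE_POSTED", "PAYMENT_EXECUTED"]

# Constructed event log: (case_id, activity, ISO timestamp, user).
EVENT_LOG = [
    ("PO-1001", "PO_CREATED",       "2024-03-01T09:00", "AKHAN"),
    ("PO-1001", "PO_APPROVED",      "2024-03-01T15:20", "MGR01"),
    ("PO-1001", "GOODS_RECEIPT",    "2024-03-05T10:00", "RDIAZ"),
    ("PO-1001", "INVOICE_POSTED",   "2024-03-07T11:30", "JSMITH"),
    ("PO-1001", "PAYMENT_EXECUTED", "2024-03-20T02:00", "BATCH"),
    # receipt and invoice before approval, then the creator approves their own PO
    ("PO-1002", "PO_CREATED",       "2024-03-02T08:00", "AKHAN"),
    ("PO-1002", "GOODS_RECEIPT",    "2024-03-02T08:05", "AKHAN"),
    ("PO-1002", "INVOICE_POSTED",   "2024-03-02T08:10", "AKHAN"),
    ("PO-1002", "PO_APPROVED",      "2024-03-03T12:00", "AKHAN"),
    ("PO-1002", "PAYMENT_EXECUTED", "2024-03-15T02:00", "BATCH"),
    # paid with no goods receipt at all
    ("PO-1003", "PO_CREATED",       "2024-03-04T14:00", "AKHAN"),
    ("PO-1003", "PO_APPROVED",      "2024-03-04T16:00", "MGR01"),
    ("PO-1003", "INVOICE_POSTED",   "2024-03-06T09:00", "JSMITH"),
    ("PO-1003", "PAYMENT_EXECUTED", "2024-03-20T02:00", "BATCH"),
    # approval skipped entirely
    ("PO-1004", "PO_CREATED",       "2024-03-05T10:00", "AKHAN"),
    ("PO-1004", "GOODS_RECEIPT",    "2024-03-08T10:00", "RDIAZ"),
    ("PO-1004", "INVOICE_POSTED",   "2024-03-09T10:00", "JSMITH"),
    ("PO-1004", "PAYMENT_EXECUTED", "2024-03-20T02:00", "BATCH"),
]


def build_traces(log):
    """Group events by case and order them by timestamp: {case_id: [(activity, user), ...]}."""
    by_case = defaultdict(list)
    for case_id, activity, ts, user in log:
        by_case[case_id].append((datetime.fromisoformat(ts), activity, user))
    return {c: [(a, u) for _, a, u in sorted(evts)] for c, evts in by_case.items()}


def variant(trace):
    """The activity sequence of a trace as a tuple; identical tuples are the same process variant."""
    return tuple(a for a, _ in trace)


def conformance_issues(trace, designed=DESIGNED_FLOW):
    """Compare one trace with the designed flow; return a list of deviation labels (empty = conforming)."""
    seq = variant(trace)
    issues = [f"MISSING:{step}" for step in designed if step not in seq]
    rank = {step: i for i, step in enumerate(designed)}
    observed = [s for s in seq if s in rank]
    # Any observed step that precedes a step the design puts before it is an order deviation.
    for i, j in combinations(range(len(observed)), 2):
        if rank[observed[i]] > rank[observed[j]]:
            issues.append(f"OUT_OF_ORDER:{observed[i]}_BEFORE_{observed[j]}")
    users = dict(trace)  # last user seen per activity
    if users.get("PO_CREATED") is not None and users.get("PO_CREATED") == users.get("PO_APPROVED"):
        issues.append("SELF_APPROVAL")
    return issues


def deviation_report(log, designed=DESIGNED_FLOW):
    """{case_id: [issues]} for the non-conforming cases only."""
    report = {}
    for case_id, trace in build_traces(log).items():
        issues = conformance_issues(trace, designed)
        if issues:
            report[case_id] = issues
    return report


def variant_summary(log):
    """How many cases follow each activity sequence; the designed variant should dominate."""
    return Counter(variant(t) for t in build_traces(log).values())


if __name__ == "__main__":
    for seq, n in variant_summary(EVENT_LOG).most_common():
        print(n, " -> ".join(seq))
    for case_id, issues in deviation_report(EVENT_LOG).items():
        print(case_id, issues)
```

The variant summary is the part exception-based monitoring cannot give you: a rule flags one document, whereas a variant count shows that a whole class of orders is being processed in a sequence the control design never anticipated.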

Turning the Inventory Into a Decision

Start here
No-license tools first
Fiori Custom Queries and the Query and Report Writer require no additional licensing. They require only proper read-only access configuration. If the function cannot run a population-level AP query through Fiori today, that is the first problem to solve -- not a procurement decision.
Before buying
Identify licensed-but-dormant
BIS and the GRC modules are frequently included in existing S/4HANA licensing. Confirm with IT and procurement whether these are licensed before evaluating alternatives. Activating a licensed module typically requires IT configuration effort -- not budget approval. This is a resourcing conversation, not a procurement conversation.
Genuine gaps only
Build the case for what is new
After completing the no-license and dormant capability steps, identify what capability is genuinely absent. The gap that remains -- if any -- is the only justified basis for new procurement. A business case built after completing this sequence is credible. One built before it is a preference.

Starting the IT Conversation

The inventory steps above require information that lives with IT -- licensing records, module activation status, and role configuration capability. Most audit functions have never formally asked. The templates below are pre-drafted to make that first conversation specific and efficient. Each one can be copied and sent directly or adapted for your organization's communication norms.

SAP Fiori and Query Access Request
Send to: IT Basis team or SAP system administrator

Use this to establish what Fiori analytical apps are available and request read-only audit access.

Subject: Internal Audit -- SAP Fiori Access Assessment and Read-Only Access Request

Hi [Name],

I am reaching out on behalf of the Internal Audit function to better understand our current access to SAP Fiori analytical apps and to initiate a conversation about read-only audit access configuration.

Specifically, I would appreciate your help answering the following:

1. FIORI APP AVAILABILITY
   - Which Fiori analytical apps are currently activated in our S/4HANA environment?
   - Are the following standard apps available: Manage Journal Entries (F0718), Supplier Invoice List, Manage Purchase Orders, Manage Supplier Invoices, Sales Order Fulfillment, Display Billing Documents?
   - Is there a Fiori app catalog or tile catalog we can review?

2. CUSTOM ANALYTICAL QUERIES
   - Is the Custom Analytical Queries app (F1572) activated?
   - Can Internal Audit be granted access to build and run custom queries against CDS views?
   - What approval process is required for access to specific CDS data models?

3. QUERY AND REPORT WRITER
   - Are SAP Query (SQ01/SQ02) and Report Writer tools available?
   - Can Internal Audit be granted user-level access to build ad hoc queries without ABAP development?

4. READ-ONLY ROLE CONFIGURATION
   - What is the process for assigning read-only display roles to audit users?
   - Which authorization objects control display access to the FI, MM, and SD transaction data we need?
   - Is there an existing audit display role, or would one need to be created?

Our goal is to establish direct, read-only access to transaction data for audit purposes, consistent with the IIA Global Internal Audit Standards (2024), under which the internal audit mandate (Standard 6.1) and the charter that documents it (Standard 6.2) provide for unrestricted access to records, data and systems. We are not requesting write access or the ability to modify any records.

I am happy to schedule a working session to walk through this together. Please let me know your availability.

Thank you,
[Your name]
[Title]
Internal Audit
BIS and GRC Licensing and Activation Inquiry
Send to: SAP Basis team, IT GRC team, or SAP contract/licensing owner

Use this to determine whether BIS and GRC modules are already licensed and what activation would require.

Subject: Internal Audit -- BIS and GRC Module Licensing and Activation Inquiry

Hi [Name],

I am reaching out from Internal Audit to understand the current licensing and activation status of several SAP modules that are relevant to our audit monitoring program.

Could you help us answer the following?

1. BUSINESS INTEGRITY SCREENING (BIS)
   - Is SAP Business Integrity Screening (FRA -- Fraud Management / Business Integrity Screening) included in our current S/4HANA license?
   - If licensed, is it currently activated and configured?
   - If not activated, what would activation require in terms of IT effort, configuration time, and any additional cost?
   - Who would own the BIS configuration on the IT side?

2. SAP GRC -- ACCESS CONTROL
   - Is SAP GRC Access Control licensed in our environment?
   - Is it currently active and connected to our S/4HANA system?
   - If not active, what is the activation path and estimated effort?
   - Is there a current SoD rule set configured, or would that need to be built?

3. SAP GRC -- PROCESS CONTROL
   - Is SAP GRC Process Control licensed?
   - Is it deployed for any current use (SOX, operational controls)?
   - Could Internal Audit gain read access to existing control monitoring data?

4. SAP ANALYTICS CLOUD (SAC)
   - Does our organization have SAC licenses, either standalone or as part of an enterprise agreement?
   - If yes, could Internal Audit obtain user licenses and connect to S/4HANA live data models?

We are not asking IT to build anything at this stage -- we are trying to understand what is available before making any investment decisions. If it would be helpful, I am happy to schedule a brief call to discuss.

Thank you,
[Your name]
[Title]
Internal Audit
Cross-Platform AP Data Access Request
Send to: IT data governance team, AP system owners (SAP, Concur, banking platform)

Use this when AP activity spans multiple systems and a complete duplicate payment test requires a cross-platform dataset.

Subject: Internal Audit -- Accounts Payable Data Access Request (Cross-Platform)

Hi [Name],

Internal Audit is planning a review of accounts payable activity and duplicate payment risk. Because AP transactions flow through multiple platforms in our environment, a complete population-level test requires data from each system.

We are requesting read-only access to or a structured data extract from the following:

1. SAP (ERP-processed invoices)
   - Tables: BKPF/BSEG (accounting document header and items) and RBKP/RSEG (invoice verification header and items), or the S/4HANA universal journal (ACDOCA) and its released CDS views
   - Fields needed: Vendor number, invoice number (reference), invoice date, posting date, amount, document number, company code, payment (clearing) document
   - Period: [specify -- e.g., last 24 months]

2. CONCUR (T&E and employee expense transactions)
   - Transaction-level expense report data including: employee ID, vendor/payee, amount, expense date, payment date, expense report number
   - Period: [specify]

3. BANKING PLATFORM / CARD MANAGEMENT (P-card and merchandise card transactions)
   - Transaction-level data including: cardholder, merchant, amount, transaction date, card number (masked), approval reference
   - Period: [specify]

The objective is to perform a cross-platform duplicate payment analysis -- identifying instances where the same payee, amount, and approximate date appear in more than one system, which would not be detectable by testing any single platform in isolation.

We are not requesting access to configure, modify, or process any transactions. This is a read-only analytical exercise.

If a full data extract is not feasible, we would like to discuss what structured output each system can produce for this purpose, and whether a third-party cross-platform analysis tool (such as Detect by Oversight or equivalent) could be connected to the relevant data sources.

Please let me know who the appropriate contacts are for each system and the best path forward.

Thank you,
[Your name]
[Title]
Internal Audit
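The analysis the request above describes, as an added example that is not the page's own code and not the output of any product named on it: three extracts in the field layouts requested are mapped onto one common schema, payee names are normalised so that "Acme Supplies Ltd" and "ACME SUPPLIES LTD." match, and payments with the same payee and amount that fall within a date window but come from different systems are reported. All three extracts are constructed sample data; the normalisation rules and the seven-day window are assumptions to tune per engagement.

```python
"""Added example: cross-platform duplicate payment test over constructed SAP,
Concur and card extracts. Record values, the normalisation rules and the
7-day window are hypothetical."""
from collections import defaultdict
from datetime import date
from decimal import Decimal
import re

WINDOW_DAYS = 7  # assumed definition of "approximate date"

# Constructed extracts, one record per payment, in the fields the request lists.
SAP = [
    {"vendor": "Acme Supplies Ltd", "invoice_no": "INV-7781", "invoice_date": "2024-02-10",
     "posting_date": "2024-02-12", "amount": "1250.00", "doc_no": "5100004412",
     "company_code": "1000", "payment_doc": "2000001122"},
    {"vendor": "Northwind Traders", "invoice_no": "NW-0042", "invoice_date": "2024-02-15",
     "posting_date": "2024-02-16", "amount": "980.50", "doc_no": "5100004420",
     "company_code": "1000", "payment_doc": "2000001130"},
]
CONCUR = [
    {"employee_id": "E1023", "payee": "ACME SUPPLIES LTD.", "amount": "1250.00",
     "expense_date": "2024-02-11", "payment_date": "2024-02-14", "report_no": "R-55821"},
    {"employee_id": "E2201", "payee": "Hotel Riverside", "amount": "312.40",
     "expense_date": "2024-02-20", "payment_date": "2024-02-22", "report_no": "R-55830"},
]
CARD = [
    {"cardholder": "E1023", "merchant": "NORTHWIND TRADERS #104", "amount": "980.50",
     "txn_date": "2024-02-14", "card_masked": "****4410", "approval_ref": "A88213"},
    # same payee and amount as the SAP Acme payment, but seven weeks later: outside the window
    {"cardholder": "E0901", "merchant": "ACME SUPPLIES LTD", "amount": "1250.00",
     "txn_date": "2024-04-02", "card_masked": "****7719", "approval_ref": "A88950"},
]

_LEGAL_SUFFIXES = r"\b(ltd|limited|inc|llc|corp|co)\b"


def normalize_payee(name):
    """Crude payee key: lowercase, drop store numbers (#104), legal suffixes and punctuation."""
    s = name.lower()
    s = re.sub(r"#\s*\d+", " ", s)
    s = re.sub(_LEGAL_SUFFIXES, " ", s)
    s = re.sub(r"[^a-z0-9 ]", " ", s)
    return " ".join(s.split())


def unify(sap=SAP, concur=CONCUR, card=CARD):
    """Map each platform's layout onto one schema: (system, reference, payee_key, amount, paid_on)."""
    rows = []
    for r in sap:
        rows.append(("SAP", r["payment_doc"], normalize_payee(r["vendor"]),
                     Decimal(r["amount"]), date.fromisoformat(r["posting_date"])))
    for r in concur:
        rows.append(("CONCUR", r["report_no"], normalize_payee(r["payee"]),
                     Decimal(r["amount"]), date.fromisoformat(r["payment_date"])))
    for r in card:
        rows.append(("CARD", r["approval_ref"], normalize_payee(r["merchant"]),
                     Decimal(r["amount"]), date.fromisoformat(r["txn_date"])))
    return rows


def cross_platform_duplicates(rows, window_days=WINDOW_DAYS):
    """Pairs with the same payee key and amount, within the window, from different systems.
    Bucketing on (payee, amount) first avoids an all-pairs scan over the whole population."""
    buckets = defaultdict(list)
    for row in rows:
        buckets[(row[2], row[3])].append(row)
    hits = []
    for (payee, amount), group in buckets.items():
        group.sort(key=lambda r: r[4])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                gap = (b[4] - a[4]).days
                if gap > window_days:
                    break  # group is date-sorted, so every later row is further away still
                if a[0] != b[0]:
                    hits.append({"payee": payee, "amount": amount,
                                 "a": f"{a[0]}:{a[1]}", "b": f"{b[0]}:{b[1]}", "days_apart": gap})
    return hits


if __name__ == "__main__":
    for h in cross_platform_duplicates(unify()):
        print(f"{h['payee']} {h['amount']}: {h['a']} vs {h['b']} ({h['days_apart']} days apart)")
```

Widening the window is the usual second pass: at seven days the Acme card transaction in April is correctly ignored, at sixty it surfaces as a third candidate, and deciding which window is defensible for the organisation's payment cycle is an audit judgement the tool cannot make.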

How the Tools Connect

The six tools are not independent options -- they are a progression. Each stage builds the capability the next requires.

Fiori and Query tools establish data access fluency and population-level query capability. BIS leverages that data access to run automated anomaly detection. GRC modules extend monitoring into controls and access governance. SAC builds the analytics and visualization layer on top of monitoring output. Signavio reconstructs process flows from the transaction data the other tools rely on.

| Tool | Primary Capability | License Requirement | Typical Entry Point | Audit Audience |
|---|---|---|---|---|
| Fiori Custom Queries | Population data access and extraction | No additional license | Read-only access configuration | All audit staff |
| Query / Report Writer | Scheduled extraction and ad hoc queries | No additional license | User configuration, no IT dev required | Analytics-capable staff |
| Business Integrity Screening | Near-real-time anomaly detection | Frequently licensed, requires activation | IT configuration and rule setup | Methodology and data strategy lead |
| GRC Suite | SoD monitoring, controls testing, risk tracking | Frequently licensed, requires activation | IT/GRC team configuration | IT audit and methodology lead |
| SAP Analytics Cloud | Visualization and trend analysis | Separate license or enterprise agreement | Existing monitoring dataset required | Audit leadership and analytics staff |
| Signavio | Process mining and control deviation detection | Separate license | Requires mature data access and analytics baseline | Advanced analytics practitioners |
Next in Chapter 1: ERP Audit Universe -- the full use case library organized by SAP module, what to monitor and how