Manfred Wolf wrote the Internal Audit Handbook

Manfred, why is internal auditing important to SAP?

In today’s global marketplace everything regarding processes, organizational structures, internal controls, risk management and financials must comply with external regulations that correspond with internal policies. Here at SAP we have 20-25 global policies in place – our industry has strict guidelines and regulations that all approximately 51,000 employees at SAP must adhere to, making the internal auditing role vitally responsible. Henning Kagermann and the chairman of SAP’s Audit Committee have given our internal audit team full power to conduct internal audits throughout the entire organization to ensure compliance.

What is unique about the “SAP Internal Handbook”?

We have the most useful information, and the highest quality of information on this topic. If you look at the SAP roadmap it is very simple and effective: planning, preparation, reporting, and follow-up, that’s it. Between every phase you have a quality gate. The beauty of it really is its simplicity. Also, SAP’s historical data provides us with a unique breadth of information, policies, growth, and infrastructure to draw from.

What inspired you to write this book?

A couple of years ago, after we created the Global Internal Audit Services (GIAS) roadmap we realized it was necessary to document the internal audit process. After a short while it became apparent that it would make sense to put this in a format to be published. In the European and German markets there aren’t too many books available that discuss the intricacies and processes of internal audits. What we were really looking to do was establish a framework so that we can continue to develop our internal audit position for the future. The responsibilities of the internal auditor have changed, and will continue to change, but the nuts and bolts we wanted to get down on paper.

How do you maintain objectivity while assessing your own company?

The GIAS annual audit plan is derived primarily from risk assessments performed right down to the entity level – like the customer, departments, and products. On a quarterly basis we review the audit plan and the capacity of each of our auditors, as well as their availability to the organizational structure. During the audit engagements the SAP internal audit team has quality checks. Independent parties are assessing not only SAP’s work but also assessing the quality and the content of each internal auditor.

What makes up a successful IA strategy?

Primarily people. The first internal audit team consisted of eight people with a direct report to the former F&A manager of SAP. Today at SAP we are a global organization with more than 30 staff members with reporting lines from places such as the Americas, Europe, and Singapore. The ongoing task for the management team is to continue to look for qualified candidates. In terms of our people development, we have created a very transparent career path. Candidates, once selected, come in as an internal auditor, after two years we promote them to senior auditor and after one more year of successful audits he or she is promoted to global auditor. This departmental structure allows a global auditor in the U.S. to confidently discuss details with a global auditor in Singapore or Germany ensuring operational consistency.

Why is the internal auditing process more important today than it was, say, ten years ago?

The complexity of regulations originating from inside the company and expectations placed on managers and organizations regarding compliance has increased exponentially over previous years. This relates to the Sarbanes-Oxley and the increased awareness globally of white collar crime and corruption. Internal audits have become a necessity to ensure a reliable environment of internal control. Without them there is a potential loss of trust and confidence at the shareholder level that no company can afford. And perhaps without knowing it also customers are relying on the work of the internal auditors to assess product development, quality assurance and ensure the overall sustainable functionality of all SAP software.

What are the biggest mistakes organizations make when initializing an internal audit?

Probably, the biggest mistake companies make with Internal Audit Departments is that they are inappropriately organized. I have seen cases where the internal auditor is directly reporting to other Board members than the CFO or is auditing a department that they helped organize. Ideally, for the reason of independence and objectivity, the Chief Audit Executive reports directly to the CEO and/or the Chairman of the Audit Committee, which ties perfectly into the SAP culture.

Find more information about the task of auditor in the century of globalization and virtual workplaces in the new issue of SAP Spectrum!