[ Control Testing in SAP
IT, Financial and Operational
Richard Fowler, CISA, CIA
Larry Panayi, CISA
Huntington Ingalls / Northrop Grumman

[ Learning Points
Understand how to assess and test the SAP technology infrastructure
Understand how to assess and test the SAP General Ledger and other financial reporting modules
Understand how to assess and test SAP production, planning and procurement modules

Real Experience. Real Advantage.

[ Return on Investment
Our basic assumption is that, if your organization is running SAP, then you are large enough, complex enough, or savvy enough to also have an internal audit function.
Auditors need to know how to conduct a more effective application review of SAP, and should understand the infrastructure, key operations, and configuration.
By ensuring that the auditors know how to properly focus on the key controls as they conduct audits in SAP, the business can be assured of minimizing the time needed to support the audit.

[ Best Practices
Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP
Learn a methodology for testing and specific test steps that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing
Use and modify sample audit programs to enhance SAP testing

[ Who We Are - Huntington Ingalls
Over a century designing, building, overhauling and repairing ships for the U.S. Navy, the U.S. Coast Guard and world navies
The nation's sole industrial designer, builder and refueler of nuclear-powered aircraft carriers
One of only two companies capable of designing and building nuclear-powered submarines
Have built over 40 percent of the U.S. Navy's current surface combatant fleet
ERP Used: SAP ECC 6.0 & ECC 5.0

[ Who We Are - Northrop Grumman
Northrop Grumman Corporation (NYSE: NOC) is a leading global security company providing innovative systems, products and solutions in aerospace, electronics, information systems, and technical services to government and commercial customers worldwide.
ERP Used: SAP ECC 6.0

[ Agenda
SAP from a business perspective
  What SAP does for the user community
SAP from a technology perspective
  Typical landscape
  Business Impact and Risk
Auditing the business side - COSO, IIA guidance
  General ledgers, financial statements, billings
  Operations: production planning, procurement
Auditing the technology side - ISACA, COBIT guidance
  Application/General computing controls
  Configuration settings (IMG)
Developing the audit program
Questions and comments

[ SAP from a business perspective
SAP can address almost every aspect of every business:
Financial Accounting (FI)
Controlling (CO)
Asset Management (AM)
Materials Management (MM)
Sales and Distribution (SD)
Quality Management (QM)
Plant Maintenance (PM)
Human Resources (HR)
Supply Chain Management (SCM)
Customer Relationship Management (CRM)
Governance, Risk & Compliance (GRC)

[ SAP from a business perspective
Which business areas rely on controls?
All of them, of course, but:
Are those controls effective?
Are they efficient?
Are they warranted?
SAP is configured out of the box to provide a good level of basic controls for the business user and management

[ SAP from a business perspective
That's where the auditors come in, to test the controls
The tests should ensure that the controls are effective, that is, verify that they are designed to actually mitigate risks
The tests should also ensure that controls are efficient, that is, verify that they are actually mitigating the risks
In some cases, auditors can identify excessive or redundant controls that can be eliminated
Let's briefly go through how to test these controls

[ SAP from a business perspective
Do's:
Incorporate a top down approach
Document what you do, why, and your conclusions
Be specific about remediation timelines & responsibilities
And Don'ts:
Forget to document and retain test procedures
Neglect either tests of design or tests of effectiveness
Fail to conclude on your findings

[ SAP from a business perspective - Finance
(Flow diagram, reconstructed from its labels)
Identify Significant Accounts and Processes: 2011 Balance Sheets, Financial Statements, Significant Accounts, Significant Processes
Document Processes & Controls: Financial Implications, Process Implications, Inherent and Key Business Risks, Management's Assertions, Internal Controls, "What can go WRONG?"
Analyze the controls: efficiency and effectiveness
Evaluate & Monitor
And, of course, report

[ SAP from a business perspective - Finance
OK, so which accounts are significant?
Select them based on:
Errors of importance *
Size and composition (Acct Balances: FS10, F.08)
High transaction volume (Line Items: F.42, FB09D, FBL1N)
Transaction complexity
Subjectivity in determining account balance
Nature of the account (Suspense accounts, reserve accounts)
* Errors that individually or collectively could have a material effect on the financial statements, e.g., Revenue Recognition (VF45, VF47), Goodwill Valuation (CX67)

[ SAP from a business perspective - Finance
With the accounts identified, let's see what can go wrong:
Errors of importance: Restatement, significant deficiencies
Size and composition: Inability to effectively analyze data
High transaction volume: Data noise, difficult to distinguish trends
Transaction complexity: Hidden errors
Subjectivity in determining account balance: Non-compliance with GAAP and/or IFRS
Nature of the account: Fraud

[ SAP from a business perspective - Finance
So what is in place to mitigate the risks?
Internal Controls:
Errors of importance: Management review, executive approval
Size and composition: SAP configuration
High transaction volume: SAP configuration
Transaction complexity: SAP configuration
Subjectivity in determining account balance: SAP configuration
Nature of the account: SAP configuration
And THAT's what SAP does for the financial user.

[ SAP from a business perspective - Material planning
(Flow diagram, reconstructed from its labels)
Identify Material Needs: Contract Specifications, Material Requirements, Inventory on Hand, Scheduled Delivery, Work in Progress, Material Requirements Planning, Budget
Document Processes & Controls: Internal Controls, "What can go WRONG?"
Analyze the controls: efficiency and effectiveness
Evaluate & Monitor
And, of course, report

[ SAP from a business perspective - Material planning
So what are we concerned with in material procurement?
Key objectives:
Material identification (MB51)
Material need date (part of the PO, see ME23N)
Inventory on hand (MB03)
Warehouse availability (LS03)
Material requirements planning (MD04)
Scrap / excess inventory (WAM03)

[ SAP from a business perspective - Material planning
With the material processes identified, let's see what can go wrong:
Material identification: Wrong material, contract violation, liability
Material need date: Schedule delay
Inventory on hand: Excess material ordered
Warehouse availability: Lost material, insufficient storage space
Material requirements planning: Shelf life expires, material not available
Scrap / excess inventory: Waste, unnecessary costs, fraud

[ SAP from a business perspective - Material planning
So what is in place to mitigate the risks?
Internal Controls:
Material identification: Engineering / management review
Material need date: Engineering / management review
Inventory on hand: SAP Configuration
Warehouse availability: SAP Configuration
Material requirements planning: SAP Configuration
Scrap / excess inventory: SAP Configuration
And THAT's what SAP does for the planning, procurement and material user.


[ SAP from a technology perspective - Landscape
Ideally, in an SAP environment, a three- or four-system landscape exists. This consists of the Sandbox, Development, Quality Assurance and Production servers.
The objective of the design is to enhance "configuration pipeline management".

[ SAP from a technology perspective - Business Impact and Risk
Improper configuration of SAP could result in an inability for the enterprise to execute its critical processes.
Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:
Disclosure of privileged information
Single points of failure
Low data quality
Loss of physical assets
Loss of intellectual property
Loss of competitive advantage
Loss of customer confidence
Violation of regulatory requirements


[ Auditing the business side - COSO, IIA guidance
The COSO cube has been used as an auditing model since its initial release in 1993.

[ Auditing the business side - COSO, IIA guidance
There is also a COSO model for use with organizations with an enterprise risk management framework.

[ Auditing the business side - COSO, IIA guidance
Regardless of the model used, COSO recommends a risk-based approach to auditing.
The IIA supports this approach, and has included it in their International Professional Practices Framework.
There are proposed changes to both the COSO framework and the IPPF standards, but no significant changes to the audit approach or fieldwork standards.

[ Auditing the business side - COSO, IIA guidance
GTAG 8, Auditing Application Controls, is provided by the IIA as guidance.
It can be used to help map the key controls to the appropriate SAP tests.
Designed for looking at application controls, the same approach can be used for manual controls, embedded controls, hybrid, etc.

[ Auditing the business side - Financial
Going back to the Financial risks and controls, we had:
Errors of importance: Management review, executive approval
Size and composition: SAP configuration
High transaction volume: SAP configuration
Transaction complexity: SAP configuration
Subjectivity in determining account balance: SAP configuration
Nature of the account: SAP configuration

[ Auditing the business side - Financial
How can we test the effectiveness of the management reviews and executive approvals that prevent or detect errors of importance?
Manual test: obtain a sample of management's account reviews and verify
1. that the reviews are routinely performed
2. through inquiry, what is being reviewed
3. that errors, when noted, are corrected
No, it's not specific to SAP, but we wanted to be complete.

[ Auditing the business side - Financial
How can we test the effectiveness of the SAP configuration that controls or limits account size and composition?
The IMG (t_code SPRO) has detailed configuration settings for a number of account types: G/L, A/R, A/P, bank accounts, asset accounts, lease accounts, retail ledger accounts, special purpose accounts, customer accounts, vendor accounts, material accounts, etc. There are a lot of types.
The configuration settings can limit what transactions can be posted to an account (via the posting key) and what roles can post or edit information (via permissions).

[ Auditing the business side - Financial
What if there are no configured limits to account size and composition?
We can use FS10N to get details of a single account, or F.08 to get a series of accounts. Download the results for separate periods to assess month-to-month changes (horizontal analysis) or year-to-year changes (vertical analysis).
Determine by comparison whether the account has an unusual size (account balance greatly increased or decreased) based on other months and/or years.

[ Auditing the business side - Financial
How can we test the effectiveness of the SAP configuration that controls or limits account transaction volume?
As before, the IMG (t_code SPRO) has detailed configuration settings, particularly for automatic posting.
If there are automatic postings or payments, review the configuration settings with the financial or accounting manager to understand the critical processes (there's probably a lot in OMR6).
Use t_code F110 to review automatic payment parameters, and also t_code F822 to review automatic payment blocks.

[ Auditing the business side - Financial
How can we test the effectiveness of the SAP configuration that controls or limits account transaction complexity?
Again, the IMG (t_code SPRO) has detailed configuration settings, and here we'd be looking for document types.
Most account transactions will need only a limited number of document types. If there are no limits established, it will be easier for an incorrect transaction to be posted.
To test the account's document types, run FS10N or F.08 as before and download the data. Use Excel to find any odd or unusual document types, and in SAP drill down to see what they are for and whether they were posted properly. (You can usually get someone in Accounting to help with this determination.)
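As an added example (not from the presentation), the Excel steps from this slide and the horizontal analysis from the size-and-composition slide, scripted over a constructed FS10N/F.08-style line-item download: it flags periods whose net movement jumps against the previous period and lists the rarely used document types to drill into. The column layout, account number and sample rows are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of an FS10N/F.08 line-item download (not real data).
# Assumed columns: account, period (YYYY-MM), document type, posted amount.
SAMPLE_EXPORT = """account,period,doc_type,amount
100000,2011-01,SA,1200.00
100000,2011-01,SA,800.00
100000,2011-02,SA,1100.00
100000,2011-02,KR,900.00
100000,2011-03,SA,950.00
100000,2011-03,SA,1050.00
100000,2011-04,SA,1000.00
100000,2011-04,SA,1000.00
100000,2011-04,SA,1000.00
100000,2011-04,SA,1000.00
100000,2011-04,SA,1000.00
100000,2011-04,SA,1000.00
100000,2011-04,AB,-7500.00
100000,2011-04,ZZ,50000.00
"""


def parse_export(text):
    """Read the download into dicts, converting the amount to a float."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        rows.append(row)
    return rows


def period_balances(rows, account):
    """Net amount posted to one account in each period, in period order."""
    totals = {}
    for row in rows:
        if row["account"] == account:
            totals[row["period"]] = totals.get(row["period"], 0.0) + row["amount"]
    return dict(sorted(totals.items()))


def flag_unusual_periods(balances, threshold=0.5):
    """Horizontal analysis: report periods whose net movement differs from
    the previous period by more than `threshold` (50% by default).
    Returns (period, previous, current, relative_change) tuples. A move
    from zero to non-zero has no ratio, so it is reported as inf and is
    therefore always listed for review."""
    flagged = []
    prev_value = None
    for period, current in balances.items():
        if prev_value is not None:
            if prev_value == 0.0:
                change = float("inf") if current != 0.0 else 0.0
            else:
                change = (current - prev_value) / abs(prev_value)
            if abs(change) > threshold:
                flagged.append((period, prev_value, current, change))
        prev_value = current
    return flagged


def rare_document_types(rows, account, max_share=0.10):
    """Document types behind at most `max_share` of the account's postings:
    the 'odd or unusual' types to drill into in SAP."""
    counts = Counter(r["doc_type"] for r in rows if r["account"] == account)
    total = sum(counts.values())
    if total == 0:
        return []
    return sorted(dt for dt, n in counts.items() if n / total <= max_share)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    balances = period_balances(rows, "100000")
    for period, previous, current, change in flag_unusual_periods(balances):
        print(f"{period}: {previous:,.2f} -> {current:,.2f} ({change:+.0%})")
    print("Document types to review:", rare_document_types(rows, "100000"))
```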

[ Auditing the business side - Financial
How can we test the effectiveness of the SAP configuration that controls or limits transaction amounts?
For a change, let's look at the IMG (t_code SPRO) for the detailed configuration settings, this time for tolerance limits (OMR6).
Verify that there are limits established, especially for automatic payments (e.g., 3-way match).
To test the tolerances, look at MRBR to see if there are any transactions that have been blocked for being outside the tolerance limits. Inquire as to how these issues are resolved, and look for documentation of cleared blocks in the past.

[ Auditing the business side - Financial
How can we test the effectiveness of the SAP configuration that controls or limits the type of account being used?
Finally, let's look at the IMG (t_code SPRO) for one more detailed configuration setting, this time for account groups (OBD4).
Determine which accounts are associated with which account groups.
To test the settings, determine what field(s) define the account group. Use FS10N or F.08 to verify that the fields for a given period either have or do not have the values established, and there you have it.

[ Auditing the business side - Material planning
Going back to the material management risks and controls, we had:
Material identification: Engineering / management review
Material need date: Engineering / management review
Inventory on hand: SAP Configuration
Warehouse availability: SAP Configuration
Material requirements planning: SAP Configuration
Scrap / excess inventory: SAP Configuration

[ Auditing the business side - Material planning
(We may go through these fast, or even skip them all, based on time.)
How can we test the effectiveness of management's reviews of material identification and/or material need dates?
Material is usually identified initially on a drawing before it is loaded into SAP or another production system to generate a Bill of Material. Drawings should all show the preparer and reviewer/approver. If there is a change management process in place, you can check the files to see if material changes are also approved and by whom.
Material need dates are going to be based on several factors, such as economic ordering quantity, first assembly schedule date, labor resource availability, etc. Discuss with engineering and planning management how the first need date is established.
Not very SAP dependent, but included for completeness.

[ Auditing the business side - Material planning
How do we know what material is already in inventory?
We want to verify that material is not being ordered when it's already available. Transaction MB52 is great for this. Transaction MB03 or IWBK can help.
Look at a sample of recent material purchases. Note the need dates and the quantities, as well as any special requirements that may be included as part of the PO.
Look up the material in SAP. MB52 will tell you how much is on hand now. With MB03, you can drill down to find material movements and where the material is located. With IWBK, you can get an overview of the availability of material.
This will help you identify unnecessary orders or verify that the material planning is adequate.
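An added example (not the presenters' code) of the MB52 comparison described above: it walks constructed PO lines against constructed on-hand stock in need-date order, consuming stock as earlier orders are covered, and lists the orders that stock alone would already satisfy. The material numbers, plants, quantities and field names are assumptions.

```python
# Constructed MB52-style stock list (not real data): unrestricted quantity
# per material, plant and storage location.
STOCK_ON_HAND = [
    {"material": "BOLT-M8", "plant": "1000", "sloc": "0001", "unrestricted": 500},
    {"material": "BOLT-M8", "plant": "1000", "sloc": "0002", "unrestricted": 300},
    {"material": "PLATE-A36", "plant": "1000", "sloc": "0001", "unrestricted": 10},
    {"material": "VALVE-2IN", "plant": "2000", "sloc": "0001", "unrestricted": 0},
]

# Constructed sample of recent purchase order lines (the fields one would
# note from ME23N); need dates are ISO strings so they sort correctly.
OPEN_PO_LINES = [
    {"po": "4500000001", "material": "BOLT-M8", "plant": "1000", "qty": 200, "need": "2011-05-01"},
    {"po": "4500000002", "material": "BOLT-M8", "plant": "1000", "qty": 700, "need": "2011-06-01"},
    {"po": "4500000003", "material": "PLATE-A36", "plant": "1000", "qty": 10, "need": "2011-05-15"},
    {"po": "4500000004", "material": "VALVE-2IN", "plant": "2000", "qty": 4, "need": "2011-05-20"},
    {"po": "4500000005", "material": "BOLT-M8", "plant": "2000", "qty": 50, "need": "2011-05-30"},
]


def on_hand_by_plant(stock_rows):
    """Sum unrestricted stock over storage locations per (material, plant)."""
    totals = {}
    for row in stock_rows:
        key = (row["material"], row["plant"])
        totals[key] = totals.get(key, 0) + row["unrestricted"]
    return totals


def orders_covered_by_stock(po_lines, stock_rows):
    """Walk each material's PO lines in need-date order, consuming the plant's
    on-hand stock as earlier orders are covered. A line whose full quantity is
    still coverable from stock is returned as a candidate unnecessary order; a
    line that stock covers only partly is not flagged, since it is still needed."""
    remaining = on_hand_by_plant(stock_rows)
    flagged = []
    for line in sorted(po_lines, key=lambda l: (l["material"], l["plant"], l["need"])):
        key = (line["material"], line["plant"])
        available = remaining.get(key, 0)  # no stock record means nothing on hand
        if line["qty"] <= available:
            flagged.append({"po": line["po"], "material": line["material"],
                            "plant": line["plant"], "qty": line["qty"],
                            "on_hand_before": available})
        remaining[key] = max(available - line["qty"], 0)
    return flagged


if __name__ == "__main__":
    for hit in orders_covered_by_stock(OPEN_PO_LINES, STOCK_ON_HAND):
        print(f"PO {hit['po']}: {hit['qty']} x {hit['material']} at plant {hit['plant']} "
              f"ordered with {hit['on_hand_before']} on hand; confirm the need with planning")
```

A hit is a question for the MRP controller, not a finding by itself: reservations, safety stock and quality holds are not in an MB52 unrestricted figure.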

[ Auditing the business side - Material planning
How can we determine if the MRP process is functioning effectively?
MRP is part of the production planning module (PP), and involves capacity planning, cost estimates, resource planning, scheduling, bills of material, etc. This is a full audit by itself, not just an audit step.
We can, however, spot check some attributes to see if there are issues. Transaction CS03 displays a bill of material (my company has modified this into a ZBOM transaction to suit our own requirements). CS15 lets us know where else similar material is being used.
More detailed planning can be viewed using MCP1 to view SAP's operational analysis based on material, plant, work center and date ranges. We can assess the MRP controller's effectiveness using MCP5 (actually used for material analysis). MD05 displays the MRP list, which is also useful.

[ Auditing the business side - Material planning
How can we assess processes to scrap excess material?
Material can be damaged, use-by dates can expire, specifications can be out of date: all situations that make material unusable.
Scrapping is a material movement, so transaction MIGO_GI (or MB1A) is used with movement type 501, 551, or 555. We can use MIGO_TR (or MB1B) to get a list of material meeting these movement types.
There should be some documented local procedures that define specific requirements for scrapping material. After all, that's an avenue for fraud and we want to minimize that. Review the procedures and then sample the material listed from above. Verify that the requirements have been met.


[ Auditing the technology side - ISACA, COBIT guidance
ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks.
COBIT enables clear policy development and good practice for IT control throughout enterprises.
Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.

[ Auditing the technology side - ISACA, COBIT guidance
Application controls
Controls embedded in financial and business applications to prevent or detect unauthorized transactions
Controls to ensure the completeness, accuracy and validity of processing transactions
Includes controls such as:
Balancing control activity within the system
Check digits
Predefined data listings
Data reasonableness tests
Logic tests, range limits, etc.

[ Auditing the technology side - ISACA, COBIT guidance
General computer controls
Controls to ensure the proper development and implementation of applications, the integrity of program and data files, and of computer operations
Includes controls such as:
Logical access over infrastructure, applications, and data
System development life cycle
Program change management
Data center physical security
System and data backup and recovery
Computer operation

[ Auditing the technology side - ISACA, COBIT guidance
Automated testing of automated controls
SAP GRC Compliance Calibrator
SAP Solution Manager
Included SAP functions: SU22, SU24, SUIM, SE16N, SAP logs, SAP reports (e.g., RSPARAM)
Third-party solutions for control testing (there are others):
Approva BizRights
ACL Direct Link
I-DEAS
Cognos
WinShuttle

[ Auditing the technology side - ISACA, COBIT guidance
Changes to master data have been authorized
Customer master data: use tcode OV51 (also accessible using transaction code SA38 and program RFDABL00) to generate a list denoting the date and time of change, old and new values for fields, and details of the user who input the change
User access to create and maintain customer, material and pricing master data is appropriate
Customer master data - tcodes FD01/FD02/FD05/FD06 (Finance), VD01/VD02/VD05/VD06 (Sales), XD01/XD02/XD05/XD06/XD07/XD99 (Central)
Material master data - tcodes MM01 (Create), MM02 (Change), MM06 (Delete)
Pricing master data - tcodes VK11 and VK12

[ Auditing the technology side - ISACA, COBIT guidance
COBIT References: PO4
Ensure there is an appropriate segregation of duties / incompatible functions (SUIM, SE16, USOBT, AGR_USERS)
Basis administration
Transport/import
Develop program change
Develop role change
User security administration
Change monitoring
User testing
Authorize change
Perform change
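An added example, not from the presentation, of the segregation-of-duties test above: it evaluates constructed AGR_USERS-style role assignments (including the assignment's valid-to date) against a role-to-function map and a conflict matrix built from the functions listed on this slide. The role names, the function mapping and the conflicting pairs are this example's assumptions; in a real review the functions come from the role's transactions and authorization objects (SUIM, USOBT), not from the role name.

```python
# Constructed AGR_USERS-style role assignments (not real data): user, role and
# the assignment's valid-to date (AGR_USERS carries FROM_DAT/TO_DAT). Dates are
# ISO strings so a plain string comparison orders them correctly.
ROLE_ASSIGNMENTS = [
    {"user": "JSMITH", "role": "Z_ABAP_DEVELOPER", "valid_to": "9999-12-31"},
    {"user": "JSMITH", "role": "Z_TRANSPORT_ADMIN", "valid_to": "9999-12-31"},
    {"user": "MLEE", "role": "Z_CHANGE_APPROVER", "valid_to": "9999-12-31"},
    {"user": "MLEE", "role": "Z_CHANGE_EXECUTOR", "valid_to": "9999-12-31"},
    {"user": "AKUMAR", "role": "Z_USER_ADMIN", "valid_to": "9999-12-31"},
    {"user": "RBROWN", "role": "Z_ABAP_DEVELOPER", "valid_to": "2010-12-31"},
    {"user": "RBROWN", "role": "Z_TRANSPORT_ADMIN", "valid_to": "9999-12-31"},
]

# Assumed mapping from each role to the function it grants (derived from the
# role's authorizations in a real review, not from its name).
ROLE_FUNCTIONS = {
    "Z_ABAP_DEVELOPER": {"Develop program change"},
    "Z_TRANSPORT_ADMIN": {"Transport/import"},
    "Z_CHANGE_APPROVER": {"Authorize change"},
    "Z_CHANGE_EXECUTOR": {"Perform change"},
    "Z_USER_ADMIN": {"User security administration"},
    "Z_ROLE_DEVELOPER": {"Develop role change"},
}

# Illustrative conflict matrix over the slide's functions; the pairs are this
# example's assumption, not a list from the presentation.
CONFLICTING_PAIRS = [
    ("Develop program change", "Transport/import"),
    ("Authorize change", "Perform change"),
    ("Develop role change", "User security administration"),
]


def functions_per_user(assignments, role_functions, as_of):
    """Collect the functions each user holds through assignments valid on as_of.
    An assignment whose valid-to date has passed grants nothing."""
    held = {}
    for a in assignments:
        if a["valid_to"] < as_of:
            continue
        held.setdefault(a["user"], set()).update(role_functions.get(a["role"], set()))
    return held


def find_sod_conflicts(assignments, role_functions, pairs, as_of):
    """Return {user: [(function_a, function_b), ...]} for every user holding
    both sides of a conflicting pair on the as_of date."""
    conflicts = {}
    for user, funcs in functions_per_user(assignments, role_functions, as_of).items():
        hits = [pair for pair in pairs if pair[0] in funcs and pair[1] in funcs]
        if hits:
            conflicts[user] = hits
    return conflicts


if __name__ == "__main__":
    found = find_sod_conflicts(ROLE_ASSIGNMENTS, ROLE_FUNCTIONS, CONFLICTING_PAIRS, "2011-06-01")
    for user, hits in sorted(found.items()):
        for a, b in hits:
            print(f"{user}: holds both '{a}' and '{b}'")
```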

[ Auditing the technology side - ISACA, COBIT guidance
COBIT References: DS4, DS5, DS9, DS12
Access to information and information systems is authorized
Information systems processing is protected physically from unauthorized access and from accidental or deliberate loss or damage
Information processing can be recovered and resumed after operations have been interrupted
Critical user activities can be maintained and recovered following interruption
Configuration changes are made in the development environment and transported to production
Changes to critical number ranges are controlled

[ Auditing the technology side - ISACA, COBIT guidance
COBIT References: AI6, DS5, DS13, PO4
Access to system and customizing tables is narrowly restricted
Application modifications are planned, tested and implemented in a phased manner
Customized ABAP/4 programs are secured appropriately
Batch processing operations are secured appropriately
Critical and sensitive transaction codes are locked in production
Strong password management is in place for system users
SAP Router is configured to act as a gateway to secure communications
Remote access by software vendors is controlled adequately

[ Auditing the technology side - ISACA, COBIT guidance
COBIT References: DS5, PO2
SAP ERP Remote Function Call (RFC) and Common Programming Interface-Communications (CPI-C) are secured
Technology infrastructure is configured to secure communications and operations in the SAP ERP environment:
Firewall
Secure Network Communications (SNC)
Secure Store and Forward (SSF) mechanisms and digital signatures
Workstation security
Operating system and database security

[ Auditing the technology side - ISACA, COBIT guidance
COBIT References: AI1, AI6, DS5, DS9, DS11, ME1, PO2
Superuser SAP* is properly secured: set the system parameter login/no_automatic_user_sapstar
Default passwords for users DDIC, SAPCPIC and EarlyWatch have been changed
Use of powerful profiles is restricted (SAP_ALL, SAP_NEW)
Logging & monitoring activities are in place for use of powerful accounts and profiles
Changes made to the data dictionary are authorized and reviewed regularly
Log and trace files are appropriately configured and secured
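An added example (not from the presentation) that tests the first and third items above from exported evidence rather than by clicking through the system: it parses a constructed RSPARAM-style listing, works out the effective value of login/no_automatic_user_sapstar, and lists every SAP_ALL/SAP_NEW holder from a constructed SUIM-style extract for comparison with the approved emergency-access list. The sample values, the expected-value table and the column layout are assumptions.

```python
# Constructed excerpt in the layout of the RSPARAM report (not output from a
# real system): parameter name, user-defined value, system default value.
RSPARAM_SAMPLE = """\
Parameter Name                           User-Defined Value   System Default Value
login/no_automatic_user_sapstar                               0
login/min_password_lng                   8                    6
login/fails_to_user_lock                 3                    5
"""

# Constructed user-to-profile assignments as one would list them in SUIM.
PROFILE_ASSIGNMENTS = [
    ("SAP*", "SAP_ALL"),
    ("DDIC", "SAP_ALL"),
    ("FIREFIGHTER1", "SAP_ALL"),
    ("JSMITH", "SAP_NEW"),
    ("MLEE", "Z_FI_DISPLAY"),
]

# Values the review expects to be in force (assumption for this example; the
# slide only names the sapstar parameter).
EXPECTED = {"login/no_automatic_user_sapstar": "1"}
POWERFUL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def parse_rsparam(text):
    """Parse the RSPARAM listing into {name: (user_value, default)}.
    Parameter names contain no spaces, so the first token is the name. When
    only one value is present, its column (relative to the header's 'System
    Default Value' column) tells whether it is the user value or the default."""
    lines = [l for l in text.splitlines() if l.strip()]
    default_col = lines[0].index("System Default Value")
    params = {}
    for line in lines[1:]:
        tokens = line.split()
        name, values = tokens[0], tokens[1:]
        if len(values) == 2:
            user_value, default = values
        elif len(values) == 1:
            if line.index(values[0], len(name)) >= default_col:
                user_value, default = "", values[0]
            else:
                user_value, default = values[0], ""
        else:
            user_value, default = "", ""
        params[name] = (user_value, default)
    return params


def effective_value(params, name):
    """The value in force: the user-defined value if set, otherwise the default."""
    user_value, default = params[name]
    return user_value if user_value else default


def check_parameters(params, expected):
    """Compare effective values with expectations: {name: (actual, expected, ok)}.
    A parameter missing from the listing is reported with actual=None."""
    results = {}
    for name, want in expected.items():
        actual = effective_value(params, name) if name in params else None
        results[name] = (actual, want, actual == want)
    return results


def powerful_profile_holders(assignments, powerful=POWERFUL_PROFILES):
    """Every (user, profile) pair granting a powerful profile, sorted for review."""
    return sorted((u, p) for u, p in assignments if p in powerful)


if __name__ == "__main__":
    params = parse_rsparam(RSPARAM_SAMPLE)
    for name, (actual, want, ok) in check_parameters(params, EXPECTED).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name} = {actual} (expected {want})")
    for user, profile in powerful_profile_holders(PROFILE_ASSIGNMENTS):
        print(f"review: {user} holds {profile}")
```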

[ Auditing the technology side - Configuration (IMG)
Use transaction SPRO to view the IMG.
Click the find button to search for key terms.

[ Auditing the technology side - Configuration (IMG)
You can then double click any item on the list and it will take you to the location within the IMG.

[ Auditing the technology side - Configuration (IMG)
This is helpful when you want to document where a control is performed.
When you try to execute the item, it will show you the tcode used. This information is helpful when discussing with the auditee or IT persons.
Another useful tool is the Performance Assistant, which provides notes about each configurable control.

[ Auditing the technology side - Configuration (IMG)
The Performance Assistant provides you with more detailed information about the control to help you understand how it works.
(Screenshot of the Performance Assistant, with the callout "Lots more info")

[ Auditing the technology side - Configuration (IMG)
Other IMG Configurations (tcode SPRO)
Customer Account Groups: Menu Path Financial Accounting > Accounts Receivable & Accounts Payable > Customer Accounts > Master Data > Preparation for Creating Customer Master Data > Define Account Group With Screen Layout (Customers)
Material Types: Menu Path Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
Industry Sector: Menu Path Logistics General > Material Master > Field Selection > Define industry sectors and industry-sector specific field selection

[ Auditing the technology side - Configuration (IMG)
Pricing condition types and records: Menu Path Sales and Distribution > Basic Functions > Pricing, and tcodes:
V-44 for material price condition records
V-48 for price list type condition records
V-52 for customer-specific condition types
Other configurable controls
3-Way Match: SE16 and tables LFM1 (verify GR-IV is checked) and LFA1 (global listing of vendors). Although a vendor shows in LFM1, it could be disabled globally in LFA1, in which case the LFM1 setting is N/A.
Invoice Payment Approval

[ Auditing the technology side - Configuration (IMG)
PO Release Workflow: obtain the PO release strategy tables that are set for users based on their release level. T16FS: obtain the PO release strategy table defined for PO release amounts for particular sectors.
JV Workflow: Approval Matrix Set Up, used to determine if appropriate approvers for JV documents are set up in SAP (the JV user is not the same as the JV approver)
Tolerance Limits: SE16, table T169G (can choose 1 or many company codes to view)
Automatic Posting: identifies the various procedures that generate automatic postings to the GL. Use tcode OBYC (need business mgt. or SAP BASIS to execute)


[ Developing the audit program
Having identified the key processes, inherent risks, internal controls, and potential test steps (this applies for both the business side and the IT side), it is pretty straightforward to build the audit program.
Use whatever format is accepted in your organization:
Word document
Excel spreadsheet
Risk & control report from TeamMate, Audit Leverage, MK Insight, or other audit management software
SAP QM includes auditing transactions, but they are aligned more with lot sampling than internal auditing

[ Developing the audit program
IIA Standard 2201: Planning Considerations
In planning the engagement, internal auditors must consider:
The objectives of the activity being reviewed and the means by which the activity controls its performance;
The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model
Note that we've gone over these items already.

[ Developing the audit program
ISACA Standard S5: Planning
Plan the IS audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.
Develop and document a risk-based audit approach.
Obtain an understanding of the activity being audited. The knowledge required should be determined by the nature of the organization, its environment, risks and the objectives of the audit.
Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the audit. Audit strategies, materiality levels and resources can then be developed.
Not a great deal of difference in planning an audit.

[ Developing the audit program
The audit program must include the test steps, naturally.
It does not need to include a description of the control being tested, but that's nice to have as a reminder during the testing of what we're looking for.
If you don't include the control, include a reference to where the control is documented.
To meet the current (and proposed) standards in the audit profession, auditors must document the risk assessment process used in planning the audit.
If not in the audit program itself, document the links from Process/Objective -> Risks -> Controls -> Audit Tests

[ Developing the audit program
Sample audit program matrix (columns: Application Objective, Objective Risk, Mitigating Control, Control Statement)

Application Objective: Data is input without errors
Objective Risk: Typos in data input are not detected
Mitigating Control: Edit checks
Control Statement: Edit checks eliminate common typographic errors. Where possible, the application includes processes to validate financial values for reasonableness and approval limits; looks for proper formats and required fields; uses standardized input screens; verifies sequences (e.g., missing items), range checks, and check digits; and performs cross checks (e.g., where certain policies are only valid with certain premium table codes).

Application Objective: Data is input without errors
Objective Risk: Duplicate record entry may not be detected
Mitigating Control: Record checks
Control Statement: Records are checked for key fields as part of the data validation process to minimize duplicate data entry, including using fuzzy logic for close matches.

Application Objective: Data is input completely
Objective Risk: Key fields are not entered
Mitigating Control: Field Verification
Control Statement: Key fields are mandatory entries, and the record cannot be stored with certain items incomplete or pending.

Application Objective: Data is input completely
Objective Risk: Some records are skipped / not entered
Mitigating Control: System checks
Control Statement: Cross system checks are used to ensure records are input in sequence.

Application Objective: Data is input timely
Objective Risk: Post-close data entry invalidates parts of periodic financial reporting
Mitigating Control: Validation checks
Control Statement: Post-closing data entries are permitted, but require management approval to assure the impact is known.

Application Objective: Data is input timely
Objective Risk: Late data entry changes the impact of management reports
Mitigating Control: Field Verification
Control Statement: Late data entry is flagged in a special report to management.

Test Plan

[ Developing the audit program


65

[ Agenda
SAP from a business perspective
  What SAP does for the user community
SAP from a technology perspective
  Typical landscape
  Business Impact and Risk
Auditing the business side: COSO, IIA guidance
  General ledgers, financial statements, billings
  Operations: production planning, procurement
Auditing the technology side: ISACA, COBIT guidance
  Application/General computing controls
  Configuration settings (IMG)
Developing the audit program
Questions and comments

66

[ Questions & Comments


67

[ Key Learnings
Audits of SAP are performed to provide assurance that
the financial data is correct and that the organization can
rely on the information and processing within SAP
Learn a methodology for testing and specific test steps
that can be used for any number of SAP audits, including
but not limited to SOX testing, general computer control
testing, application control testing, and financial report
testing
Use and modify sample audit programs to enhance SAP
testing


68

Thank you for participating.


Please remember to complete and return your
evaluation form following this session.
For ongoing education on this area of focus, visit the
Year-Round Community page at www.asug.com/yrc


SESSION CODE:
1913

69

[ Appendix A: Useful Transaction Codes, Tables, and Reports

70

[ SAP Transaction Codes for Security and Troubleshooting

User Maintenance:
SU01   Maintain User (SU01D)
SU02   Maintain Authorization Profiles
SU03   Maintain Authorizations
SU10   Mass changes to User Master
SU12   Mass Changes to User Master Records
SU20   Maintain Authorization Fields
SU21   Maintain Authorization Objects
SU50   Maintain User Defaults
SU51   Maintain User Address
SU52   Maintain User Parameters
SU53   Display Check Values
SU54   Maintain User Menu
SU55   Start user menu
SU56   Analyze user buffer (Security Check)
SUIM   User Information System

71

[ SAP Transaction Codes for Security and Troubleshooting

Authorization Objects:
SU22   Auth. object usage in transactions
SU30   Total checks in the area of authorizations

Table Security:
SUCH   Translatability CHECKs
SUCU   Table authorizations: Customizing

Correction & Transport:
SE09   Workbench Organizer
SE10   Customizing Organizer

Data Dictionary:
SE11   ABAP/4 Dictionary Maintenance
SE12   ABAP/4 Dictionary Display
SE13   Maintain Technical Settings (Tables)
SE14   Utilities for Dictionary Tables
SE15   ABAP/4 Repository Information System
SE85   ABAP/4 Dictionary Information System

72

[ SAP Transaction Codes for Security and Troubleshooting

Table Display and Maintenance:
SE16   Data Browser
SE17   General Table Display
SM31   Table Maintenance

Tracing a Transaction:
SE30   ABAP/4 Runtime Analysis
ST01   System Trace
STAT   User Activity at UNIX Level (this transaction is very slow)

ABAP/4 Workbench:
SE36   ABAP/4: Logical Databases
SE37   ABAP/4 Function Modules
SE38   ABAP/4 Program Development
SE80   ABAP/4 Development Workbench
SE81   SAP Application Hierarchy
SE82   Customer Application Hierarchy
SE84   ABAP/4 Repository Information System
SE86   ABAP/4 Repository Information System

73

[ SAP Transaction Codes for Security and Troubleshooting

Transaction Maintenance:
SE93   Maintain Transaction Codes
SE43   Menu path with transaction codes (Main Menu is S000)

Knowledge and understanding of SAP R/3 basic system administration skills:
SM21   System Log
SE06   Set up Workbench Organizer
SM04   Current Users on the Client

Other Transactions:
SU22   Authorization Objects used in Transaction Codes
SU23   Load Tables in TAUTL
SU24   Authorization Objects used in Transactions (Profile Generator)
SU25   Copy Initial Defaults
SU26   Compare Authorization Checks

74

[ Standard Security Reports - SA38

Program     Short description
RSUSR000    Current Active Users
RSUSR002    Lists of Users According to Complex Selection Criteria
RSUSR003    Check the Passwords of Users SAP* and DDIC in all Clients
RSUSR004    Restrict User Values to the Following Simple Profiles and Auth. Objs.
RSUSR005    List of Users With Critical Authorizations
RSUSR006    List of User Master Records Locked Due to Incorrect Logon
RSUSR007    List Users Whose Address Data is Incomplete
RSUSR010    Transaction Lists According to Selection With User, Profile or Object
RSUSR020    List Profiles by Complex Selection Criteria
RSUSR030    List Authorizations According to Complex Selection Criteria
RSUSR040    List Authorization Objects by Complex Selection Criteria
RSUSR100    List Change Documents for Users
RSUSR101    List Change Documents for Profiles
RSUSR102    List Change Documents for Authorizations
RSUSR400    Test Environment Authorization Checks (SAP Systems Only)
RSPARAM     List system parameters (Tcode RZ11 or TU02)
RSCSAUTH    Maintain program/report authorization groups
RSABAUTH    Transfers authorization groups from TRDIR to TPGP

75

[ Important Security Tables

DD02V    List of Tables and Descriptions
TSTC     Transaction Listing
TSTCA    Values for Transaction Code Authorizations
TSTCT    Transactions with Description
TACT     Activities that can be Protected
TACTT    Activities that can be Protected with Descriptions
TACTZ    Authorization Objects and Valid Activities
TBRG     Authorization Objects and Authorization Groups
TBRGT    Auth Objects and Auth Groups with Descriptions
TDDAT    Table Authorization Groups
TOBJ     Authorization Objects
TOBJC    Authorization Object with Class assignment
TOBJT    Authorization Objects and Descriptions
TOBC     Authorization Object Classes
TOBCT    Authorization Object Classes and Descriptions
TPGP     ABAP/4 Authorization Groups
TPGPT    Long Texts for ABAP/4 Program Groups
TRDIR    System Table TRDIR, ABAP/4 Programs with Authorization
TRDIRE   System Tables with attributes
TACTZ    Valid Activities
USOBT    Transaction codes with Authorization Objects checked. Used with Profile Generator

76

[ Additional Useful Tables

User Master Tables
USR01    User Master Records
USR02    User ID and Passwords (includes last logon data)
USR04    User Master Authorizations
USR10    Authorization Profiles
USR11    User Master Profiles and Descriptions
USR12    User Master Authorization Values
USR40    Non-permissible password values

Change Logs
USH02    Change history for logon data (inc. account lock indicator, User Flag)
USH04    Change history for authorizations
USH10    Change history for authorization profiles
USH12    Change history for authorization values

Authorization Tables
UST04    User Masters (all Users with profiles)
UST10C   User Master: Composite Profiles
UST10S   User Master: Simple profiles
UST12    User Master: Authorizations

77

[ Reviewing Technical Security Access Controls

Password Audit Steps:

Using the RSPARAM / RSPPARAM report (SA38), determine the password control settings:
Login/password_Expiration - frequency of forced password change (default = 0 = off)
Login/min_password - minimum password length (default = 3)
Login/fails_to_user_lock - number of invalid password attempts before the user is locked (default = 12)
Login/failed_user_auto_unlock - if a user account is locked, is it permanently locked until released by an administrator or automatically unlocked at midnight (default = 1 = unlocked at midnight)
Rdisp/gui_auto_logout - user is logged off of SAP after a period of inactivity (default = 7200 seconds = 2 hours)
Login/disable_multi_gui_login (default = 0 = multiple logons permitted)
NOTE: if multi-login is disabled, some users can still be permitted multiple logins via the login/multi_login_users setting, which lists the user IDs permitted to log on multiple times.
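The check above can be scripted against an RSPARAM export. The following is an added example, not code from the presentation: it assumes a constructed tab-separated export (parameter, user-defined value, system default), uses the parameter names as the slide spells them, and flags every parameter still at the listed default, plus the multi-logon exception list.

```python
"""Check SAP logon/password profile parameters against the shipped defaults
the slide lists (example code added here, not the presentation's). Input is a
constructed tab-separated RSPARAM-style export: name, user value, default."""
# Parameter names as the slide spells them -> (default, what that default means)
SLIDE_DEFAULTS = {
    "login/password_expiration": ("0", "forced password change is off"),
    "login/min_password": ("3", "minimum password length is 3"),
    "login/fails_to_user_lock": ("12", "12 bad attempts before lock"),
    "login/failed_user_auto_unlock": ("1", "locks are lifted at midnight"),
    "rdisp/gui_auto_logout": ("7200", "GUI auto-logout after 2 hours"),
    "login/disable_multi_gui_login": ("0", "multiple logons are permitted"),
}

def parse_rsparam(text):
    """Return {name: effective value}; an empty user-defined value means the
    system default is in effect. Names are lowercased for matching."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, user_val, default = (line.split("\t") + ["", ""])[:3]
            params[name.strip().lower()] = user_val.strip() or default.strip()
    return params

def check_password_controls(params):
    """Return (parameter, effective value, note) for each slide parameter
    missing or still at default; also surface the multi-logon exception list."""
    findings = []
    for name, (default, meaning) in SLIDE_DEFAULTS.items():
        effective = params.get(name)
        if effective is None:
            findings.append((name, "", "not present in export"))
        elif effective == default:
            findings.append((name, effective, "at default: " + meaning))
    exempt = params.get("login/multi_login_users", "")
    if params.get("login/disable_multi_gui_login") == "1" and exempt:
        findings.append(("login/multi_login_users", exempt,
                         "users exempt from the multi-logon block"))
    return findings

# Constructed sample export (not from a real system); two parameters are left at default
SAMPLE_EXPORT = "\n".join([
    "login/password_expiration\t90\t0",
    "login/min_password\t\t3",
    "login/fails_to_user_lock\t5\t12",
    "login/failed_user_auto_unlock\t\t1",
    "rdisp/gui_auto_logout\t1800\t7200",
    "login/disable_multi_gui_login\t1\t0",
    "login/multi_login_users\tSAP*,DDIC\t",
])
```

Run `check_password_controls(parse_rsparam(SAMPLE_EXPORT))` to list the findings; the sample yields the minimum length and auto-unlock defaults plus the exception list.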


78

[ Reviewing Technical Security Access Controls


Determine who can alter number ranges
  TC = SPRO, SNRO
  Object = S_NUMBER
  Activities = 02 (chg), 11 (chg), 13 (initialize), 17 (maintain)
Determine who can do table updates in production (should not be permitted)
  TC = SM30, SM31
  Object = S_TABU_DIS (client-independent tables also require S_TABU_CLI)
  Activity = 01, 02
Data Dictionary updates in production should not be permitted
  TC = SE11, SE15, SE16, SE38, SE80
  Object = S_DEVELOP
  Activities = 01, 02, 06, 07
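The three checks above reduce to one test over an extract of user authorization values. The following is an added example, not code from the presentation: it assumes a constructed extract shaped like UST12 (user, object, field, low value, high value), handles the `*` wildcard and low/high ranges SAP uses for values, and tags S_TABU_DIS hits where the user also holds S_TABU_CLI.

```python
"""Flag users whose authorization values grant the critical object/activity
combinations the slide lists (example code added here, not the presentation's).
Input rows are a constructed extract in the shape of UST12: user, object,
field, low value, high value."""

# Object -> activities the slide calls out as critical in production
CRITICAL = {
    "S_NUMBER": ("02", "11", "13", "17"),
    "S_TABU_DIS": ("01", "02"),
    "S_DEVELOP": ("01", "02", "06", "07"),
}

def value_matches(low, high, activity):
    """SAP authorization values: '*' is a full wildcard, a single value
    matches itself, and a low/high pair is an inclusive range."""
    if low == "*":
        return True
    if high:
        return low <= activity <= high
    return low == activity

def find_critical_access(rows):
    """Return {user: sorted 'OBJECT:ACTVT' hits}. S_TABU_DIS hits are tagged
    '+S_TABU_CLI' when the user also holds the cross-client table object,
    because the slide notes client-independent tables need it as well."""
    cross_client = {user for user, obj, *_ in rows if obj == "S_TABU_CLI"}
    hits = {}
    for user, obj, field, low, high in rows:
        if obj not in CRITICAL or field != "ACTVT":
            continue
        for act in CRITICAL[obj]:
            if value_matches(low, high, act):
                tag = "+S_TABU_CLI" if obj == "S_TABU_DIS" and user in cross_client else ""
                hits.setdefault(user, set()).add(f"{obj}:{act}{tag}")
    return {user: sorted(acts) for user, acts in hits.items()}

# Constructed sample extract (not from a real system)
SAMPLE_ROWS = [
    ("DEVUSER1", "S_DEVELOP", "ACTVT", "01", "02"),    # range 01..02
    ("DEVUSER1", "S_DEVELOP", "OBJTYPE", "PROG", ""),  # not an activity field
    ("BASIS1", "S_TABU_DIS", "ACTVT", "*", ""),        # wildcard
    ("BASIS1", "S_TABU_CLI", "CLIIDMAINT", "X", ""),   # cross-client tables too
    ("CLERK1", "S_TABU_DIS", "ACTVT", "03", ""),       # display only, no hit
    ("FICO1", "S_NUMBER", "ACTVT", "02", "17"),        # range covers 02, 11, 13, 17
]
```

Compare the output of `find_critical_access(SAMPLE_ROWS)` with the list of users who are expected to hold these activities in production; in this sample CLERK1 is cleared and the other three users are flagged.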

79

[ Reports RSUSR via AID, SA38, or SUIM


May need a system administrator to run these for you
RSUSR002 - provides a wide variety of profile review options
RSUSR003 - check passwords for SAP* and DDIC
RSUSR005, 009 - list of users with critical authorizations (this report requires significant computer resources to run; table SUKRI must be updated with the authorizations to check)
RSUSR006 - locked users / unsuccessful login attempts
RSUSR010 - transactions executable by user, profile, authorization
RSUSR060 - where-used lists
RSUSR100, 101, 102 - changes to UMR (user master records), profiles, authorizations
RSUSR200 - users with original passwords, users not logged in for xx days, users who have not changed password in xx days


80

[ Reports RSUSR via AID, SA38, or SUIM Cont.

RSUSR002, as seen on the previous slide, can also be used to determine who has access to powerful BASIS transactions, including:

DBxx   Database-related transactions
SCC4, SCC5   Client administration
SE01-SE10   CTS / TMS commands
SE11, SE12, SE13, SE14   Table structure maintenance
SE15   Data Dictionary
SE38   ABAP Editor
SE93   Maintains transactions
SM01   Lock / unlock transactions
SM12   Lock entries
SM30, SM31   Table Maintenance
SM32   Updates Table USR40 with invalid passwords
SM37   Displays and deletes processing job logs
SM49   Execute external operating system commands
SM52   Execute operating system commands
SM59   Maintain Remote Function Call destination definitions
SM69   Maintain external commands
SP01   Administer print spools
SU01, SU02, SU03   Security Administration transactions


81
