
SAP Audit Guide for Financial Accounting

This audit guide is designed to assist the review of financial reporting processes that rely upon automated functions in SAP systems. The specific areas examined in this guide are the relevant configurables, transactions, authorizations and reports in the General Ledger (GL), Asset Accounting (AA) and Bank Accounting (BA) components of the SAP Financial Accounting module.

The guide provides instructions for assessing SAP application-level controls in the following areas of financial statement audits:

Reporting Structure
Chart of Accounts
Journal Entry Posting
Period End Close
Foreign Currency Translation
Inter-company Transactions
Asset Management and Reporting
Cash Management

The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Revenue, Inventory, Expenditure, Human Resources and Basis.

Reporting Structure

The financial reporting structure in SAP is determined by the organization of reporting units known as company codes. There can be multiple company codes within an organization, with each code corresponding to a unique economic entity.

Reporting entities in different countries should have unique company codes since they may be subject to divergent accounting and tax requirements. Each company code has one domestic currency and up to two additional currencies to support financial reporting in multiple currencies.

Company codes must be set to productive to prevent the deletion of transactional data. This can be verified through transaction code OBR3, or in table T001 through transaction SE16.
The company code structure should correspond to the legal reporting requirements of the company under review. The appropriateness of the structure should be reviewed through the menu path IMG> Enterprise Structure> Financial Accounting> Define Company, transaction OX15 or table T880 (note that the IMG can be accessed through transaction SPRO).

Relevant global parameters in the IMG should also be reviewed. This includes areas such as Country Keys, Currencies, Controlling Areas, Credit Control Areas, Fiscal Year Variants, Sales and Purchasing Organisations, Business Areas and Plants, and Cost and Profit Centers (IMG> Enterprise Structure> Financial Accounting> Global Settings> Company Code> Global Parameters).

Access to transactions such as OXO2 (edit company code) and EC01 (copy, delete and check company code) and to the client configuration table T001 should be based on role requirements. Other critical transaction codes are listed in Table A.

TRANSACTION   DESCRIPTION
OX16          Assign Company Code to Company
OB38          Assign Company Code to Credit Control Area
OF18          Assign Company Code to Financial Management Area
OX19          Assign Company Code to Controlling Area
OX18          Assign Plant to Company Code
OVX3          Assign Sales Organization to Company Code
OX01          Assign Purchasing Organization to Company Code
OH05          Assignment of Personnel Area to Company Code
OBB5          Cross-System Company Codes
OBY6          Enter Global Parameters
OB37          Assign Company Code to a Fiscal Year Variant
OBB9          Assign Posting Period Variants to Company Code
OKBD          Define Functional Area
OXO3          Define Business Area
FM_FUNCTION   Define Functional Area
OXO6          Maintain Controlling Area
KEP8          Create Operating Concern
Table A: Company Code Transactions

Chart of Accounts

The chart of accounts is the container for General Ledger (GL) accounts and the basis for journal entry posting and financial reporting. A chart of accounts can be company code specific or cover multiple companies in a single SAP client. GL accounts are assigned to specific groups determined by account type. The field status for account information and the numbering interval are determined at the group level.

The configuration of all or a sample of account groups should be reviewed to assess which fields are required, optional, displayed or suppressed during the creation of a new account, and to ensure that account numbering follows a logical and consistent policy. This can be performed through the menu path General Ledger Accounting> G/L Accounts> Master Data> Preparations> Define Account Group or transaction OBD4.

The structure of the chart of accounts should also be reviewed through transaction FSP3 to assess account groupings and identify the appropriate use of control accounts for AP and AR. The latter are known as reconciliation accounts and are updated automatically; in other words, SAP does not allow manual journal postings against such accounts. This can be performed through transactions KALE and OK17.
Changes to the chart of accounts should be identified through report RFSABL00, accessible through transaction SA38. Alternatively, changes can be isolated through transactions FS04, FSP4 and FSS4. A sample of changes should be examined for evidence of approval, documentation and testing.

Access to SAP functions that enable users to create, modify or delete GL accounts should be restricted and based on business need. This should include the transactions in Table B with authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).

TRANSACTION   DESCRIPTION
FS01          Create Master Record
FS02          Change Master Record
FS00          G/L Acct Master Record Maintenance
FS05          Block Master Record
FS06          Mark Master Record for Deletion
FSS1          Create Master Record in Company Code
FSS2          G/L Acct Master Record in Chart/Accts
FSP0          Create G/L Acct Master Record in Chart/Accts
FSP1          Cross-System Company Codes
FSP2          Change G/L Acct Master Record in Chart/Accts
FSP5          Block Master Record in Chart/Accts
FSP6          Mark Master Record for Deletion in Chart/Accts
Table B: GL Account Transactions

Journal Entry Posting

SAP is preconfigured with hundreds of document types for purchase orders, customer invoices, goods receipts and many other transactions. Each document type has a unique 2 or 3 letter identifier and a specific numbering range. Particular attention should be paid to the GL account assignments for SAP documents, since transactional data is automatically posted by the system based on the assignments defined in the system configuration. These should be reviewed through transactions OBA7 (Define Document Types) and OB41 (Posting Keys). Samples selected for review should include custom documents, which are more likely to have assignment errors than standard SAP documents.

Monetary limits for journal entries, cash discounts, and payment or receipt differences should be defined for document types. These can vary by company code and employee group. Tolerance levels should be reviewed through transactions OBA4 and OB57. This should include clearing procedures for critical accounts such as GR/IR.

SAP should also be configured to control posting to prior periods, even though the system is capable of keeping multiple periods open at the same time. This is performed through rules defined in Posting Period Variants, part of the Financial Accounting Global Settings. Note that back posting settings in Logistics can also be configured to allow posting to prior periods. Both of these areas should be reviewed in the IMG.

SAP Business Workflow is used by many companies to review values and account assignments prior to posting journal entries. If enabled, the relevant settings for workflow variants, company codes, and approval paths and groups should be examined under Financial Accounting Global Settings> Document> Document Parking. This should include a review of the fields that would cause a release to be revoked if changed after approval, which would lead to the restart of the release procedure.

BusinessObjects Planning and Consolidation (BPC) and BusinessOne should be configured to block unbalanced journal entries. In the former, this can be verified through the JRN_BALANCE parameter. The parameter should be set to 1 (Journals need to be balanced); the default value is 0 (Journals need not be balanced). In the latter, the field Block Unbalanced Journal Entry should be checked under Administration> System Initialization> Document Settings> Journal Entry.
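The posting period control described above (the open intervals of the Posting Period Variants, maintained through transaction OB52 as noted under Period End Close) can be tested by reading the intervals back out and comparing them with the current fiscal period. The following Python is an added example, not part of the guide: it assumes the OB52 rows have been exported with the columns VARIANT, ACCT_TYPE, FROM_PERIOD, FROM_YEAR, TO_PERIOD and TO_YEAR (assumed names; the sample rows are constructed) and reports how many prior periods each row still leaves open, special periods 13 to 16 included.

```python
"""Report posting period variant rows (OB52) that still allow posting to prior periods.

Added example, not part of the audit guide. Assumes the OB52 intervals have been
exported with the columns VARIANT, ACCT_TYPE, FROM_PERIOD, FROM_YEAR, TO_PERIOD,
TO_YEAR (column names assumed; the sample rows below are constructed).
"""
import csv
import io

# Constructed export. Variant 1000 leaves every period since 2010 open for all
# account types ('+'); variant 2000 keeps only the current period open, except
# that GL accounts (type 'S') may still post to the previous period.
SAMPLE_OB52 = """VARIANT,ACCT_TYPE,FROM_PERIOD,FROM_YEAR,TO_PERIOD,TO_YEAR
1000,+,1,2010,16,2011
2000,+,6,2011,6,2011
2000,S,5,2011,6,2011
2000,K,6,2011,6,2011
"""

PERIODS_PER_YEAR = 16  # 12 regular periods plus up to four special periods


def ordinal(year: int, period: int) -> int:
    """Map (fiscal year, posting period) to one comparable number."""
    if not 1 <= period <= PERIODS_PER_YEAR:
        raise ValueError(f"period {period} outside 1..{PERIODS_PER_YEAR}")
    return year * PERIODS_PER_YEAR + period


def open_prior_periods(export_csv: str, current_year: int, current_period: int) -> list:
    """Return (variant, account type, count) for every row whose open interval
    begins before the current period; count is the number of prior periods,
    special periods included, that the row still leaves open for posting."""
    current = ordinal(current_year, current_period)
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        start = ordinal(int(row["FROM_YEAR"]), int(row["FROM_PERIOD"]))
        end = ordinal(int(row["TO_YEAR"]), int(row["TO_PERIOD"]))
        # Prior open periods run from 'start' to the period before 'current',
        # capped at the interval end; an interval lying wholly in the past is
        # still open for posting and is therefore still reported.
        prior_open = min(end, current - 1) - start + 1
        if prior_open > 0:
            findings.append((row["VARIANT"], row["ACCT_TYPE"], prior_open))
    return findings


if __name__ == "__main__":
    for variant, acct_type, count in open_prior_periods(SAMPLE_OB52, 2011, 6):
        print(f"variant {variant}, account type {acct_type}: {count} prior period(s) open")
```

Rows for account type '+' apply to every account type that has no row of its own, so a wide '+' interval should be read as the effective setting for the whole variant.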

The ability to create, change, delete and reverse journal entries should be restricted to authorized employees. This includes the transactions in Table C with authorization objects with the prefix F_BKPF_ and suffix BUK, KOA, GSB and BLA and activity levels 01 (create/ enter), 02 (change), 06 (delete) and 77 (pre-enter/ park).

TRANSACTION   DESCRIPTION
F-02          Enter G/L Account Posting
F-21/ F-42    Enter Transfer Posting
FB01/ FBR2    Post Document
FB05          Post with Clearing
FB11          Post Held Document
FB21          Enter Statistical Posting
FB50          G/L Account Posting
FBV0/ FBVB    Post Parked Document
FBR1          Post with Reference Document
FB08          Reverse Document
F.80          Mass Reversal of Documents
FB02/ FB09    Change Document
FBL4          Change G/L Account Line Items
F-03/ FB1S    Clear G/L Account
FBV1          Park Document
FBV2          Change Parked Document
FBV4          Change Parked Document Header
FBD1          Enter Recurring Entry
FBD2          Change Recurring Entry
F.14          Execute Recurring Entry
F.56          Delete Recurring Entry
F.81          Reverse Accrual Deferral Document
Table C: Journal Entry Transactions
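The access reviews described for GL account maintenance (authorization objects F_SKA1_KTP and F_SKA1_BUK) and for journal entries (the F_BKPF_ objects) above can be scripted over a role-authorization extract. The following Python is an added example, not part of the guide: it assumes an extract with the columns ROLE, OBJECT, FIELD, LOW and HIGH (assumed names; the sample rows are constructed) and flags every role whose ACTVT values grant one of the critical activity levels, resolving '*' wildcards and LOW-HIGH ranges rather than matching single values only.

```python
"""Flag roles whose authorizations grant critical GL master or journal entry activities.

Added example, not part of the audit guide. Assumes a role-authorization extract
with the columns ROLE, OBJECT, FIELD, LOW, HIGH (column names assumed; the sample
rows below are constructed).
"""
import csv
import io
from collections import defaultdict

# Authorization objects and activity levels named in the guide: GL account
# master maintenance (Chart of Accounts) and journal entries (Journal Entry Posting).
CRITICAL = {
    "F_SKA1_KTP": {"01", "02", "05", "06"},   # create, change, block, mark for deletion
    "F_SKA1_BUK": {"01", "02", "05", "06"},
    "F_BKPF_BUK": {"01", "02", "06", "77"},   # create/enter, change, delete, park
    "F_BKPF_KOA": {"01", "02", "06", "77"},
    "F_BKPF_GSB": {"01", "02", "06", "77"},
    "F_BKPF_BLA": {"01", "02", "06", "77"},
}

# Constructed extract: a display-only role, a GL maintenance role with an ACTVT
# range, a posting role with a '*' wildcard and a role limited to parking.
SAMPLE_EXTRACT = """ROLE,OBJECT,FIELD,LOW,HIGH
Z_GL_DISPLAY,F_SKA1_BUK,ACTVT,03,
Z_GL_DISPLAY,F_SKA1_BUK,BUKRS,*,
Z_GL_MAINTAIN,F_SKA1_KTP,ACTVT,01,06
Z_GL_MAINTAIN,F_SKA1_KTP,KTOPL,1000,
Z_FI_POSTING,F_BKPF_BUK,ACTVT,*,
Z_FI_POSTING,F_BKPF_BUK,BUKRS,1000,2000
Z_FI_PARK,F_BKPF_BUK,ACTVT,77,
Z_FI_PARK,F_BKPF_BUK,BUKRS,1000,
"""

# Two-digit numeric activity codes; enough for the activities reviewed here.
ALL_ACTVT = {f"{n:02d}" for n in range(1, 100)}


def expand_activities(low: str, high: str) -> set:
    """Expand one ACTVT value line: '*' grants every activity, a filled HIGH
    makes LOW..HIGH an inclusive range, otherwise LOW is a single value."""
    if low == "*":
        return set(ALL_ACTVT)
    if high:
        return {a for a in ALL_ACTVT if low <= a <= high}
    return {low}


def critical_grants(extract_csv: str) -> dict:
    """Return {role: {authorization object: critical activities granted}}.
    Roles that only grant non-critical activities (e.g. 03 display) are omitted."""
    findings = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(extract_csv)):
        obj = row["OBJECT"]
        if obj not in CRITICAL or row["FIELD"] != "ACTVT":
            continue
        granted = expand_activities(row["LOW"].strip(), row["HIGH"].strip())
        hit = granted & CRITICAL[obj]
        if hit:
            findings[row["ROLE"]].setdefault(obj, set()).update(hit)
    return dict(findings)


if __name__ == "__main__":
    for role, objects in critical_grants(SAMPLE_EXTRACT).items():
        for obj, acts in objects.items():
            print(f"{role}: {obj} grants {sorted(acts)}")
```

Each flagged role should then be mapped to its assigned users and the organisational field values (BUKRS, KTOPL and so on) compared with the user's business need.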

Period End Close

The period end close process extends across many different SAP applications, including SD, MM and PP. However, the majority of steps are performed within the FI and CO area. Audit procedures for the process should be tuned for each specific client since the process varies between organisations. As a guide, Table D lists the SAP transactions commonly used during the period end close process in sequential order.

Together with the transactions listed in Table D, user access to SAP functions that control the opening and closing of financial periods should be tightly controlled. This should include transaction OB52 (opening and closing FI posting periods) and OBBP (define variants for open posting periods) with authorization object S_TABU_DIS and activity level 02 (change).

TRANSACTION      DESCRIPTION
S_BCE_68000174   Update Exchange Rates
VL10/ VL10A      Ensure Movements are complete
MIRO             Record Purchase Order related AP Transactions
MRBR             Release Blocked Invoices
VXF3             Release Billing Documents for Accounting
MMPV             Open Period for Material Master Records
OB52             Open and Close Posting Periods
CJ8G             Calculation of Work In Process (WIP)
KKS1             Prod. and Process Order Variance Calculation
CO88             Settlement PP Order
CO02             PP Order (close)
FBD1             Enter Recurring Document
F-03             Manual Clearing General Ledger
F-32             Manual Clearing Accounts Receivable
F-44             Manual Clearing Accounts Payable
FB50             Post Adjustment Entries
FAGL_FC_VAL      Foreign Currency Revaluation
AIAB             Order Settlement (Asset Under Construction)
AFAB             Depreciation Run
ASKBN            Periodic Asset Posting
FB50             Automatic GR/IR Clearing
KSA3             Accrual Calculation
MRN0             Stock Valuation
CK11N            Inventory costing
CK24             Price Update
FB50             Stock value adjustment
ENGR             Create Intrastat / Extrastat periodic declaration
S_ALR_87012357   Advance Return for Tax on Sales/Purchases
FB41             Post Tax Payable
F.52             Balance Interest Calculation
Table D: Period End Close Transactions

TRANSACTION      DESCRIPTION
S_ALR_87012289   Compact Document Journal
S_ALR_87012287   Document Journal
FF7A             Cash Position & Liquidity Forecast
OB52             Open and Close Posting Periods
KE30             Run Profitability Report
S_ALR_87012284   Financial Statements
S_ALR_87005830   Controlling Maintain Versions
CK40N            Costing Run
S_ALR_87008275   Define Percentage Overhead (actual)
AFAR             Recalculating Values
ABST2            Account Reconciliation
AJRW             Fiscal Year Change
AJAB             Year-end closing Asset Accounting
F.07             Carry Forward AP/AR Balances
FAGLGVTR         Carry Forward GL Balances
FAGLF101         Regrouping Receivables/Payable
F.17             Balance Confirmation Receivable
F.18             Balance Confirmation Payable
OB52             Close previous account period
S_ALR_87012284   Financial Statements
S_ALR_87012287   Document Journal
Table D: Period End Close Transactions cont.

Asset Management and Reporting

The Financial Accounting Asset Accounting (FI-AA) component is responsible for managing fixed assets in SAP ERP. It serves as a subsidiary ledger to the FI GL, providing detailed information on transactions involving fixed assets. AA integrates directly with other FI components such as Materials Management (MM) and Plant Maintenance (PM) and manages asset reporting from acquisition to disposal or retirement. The component also tracks, depreciates and reports upon leased assets and assets under construction.

Asset classes in SAP should be configured in line with country-specific requirements. Therefore, asset classes and the associated descriptions should be reviewed through transaction OAOA (define asset classes).

Depreciation keys should be defined for each asset class. The keys define the rules for calculating depreciation, such as straight line or declining balance. They also control the useful life of assets. Auditors should review the configuration of all or a sample of depreciation keys through transaction AFAMA (View Maint. for Deprec. Key Method). Depreciation postings can be reviewed through transactions AFBP and AR25. Transaction ABST displays the reconciliation between asset accounting and the general ledger.

If the SAP Project System (PS) is operating alongside FI-AA, the relevant availability controls should be reviewed in PS. These regulate the thresholds for asset acquisitions in excess of approved, budgeted amounts which, if configured correctly, can be blocked altogether. This can be performed through transaction OPS9 and the menu path IMG> Project System> Costs> Budget> Define Tolerance Limits.

An audit of FI-AA should include a review of user access to transaction codes that provide the ability to change AA master data, including asset groups and depreciation tables, as well as to acquire, depreciate and dispose of fixed assets. These are listed in Table E. The review should focus on authorization objects A_A_VIEW, A_S_ANLKL, A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK, S_BDC_MONI, or A_C_AFAPL with activity levels 01, 02 and 06.
TRANSACTION   DESCRIPTION
AS01          Create an Asset
AS02          Modify Asset
AS05          Block Asset Master Record
AS06          Delete Asset
ABZE          Acquisition from in-house production
ABZK          Acquisition from purchase w. vendor
F-90          Acquisition w/ Vendor
ABZV          Acquisition from clearing Account
ABZP          Asset Acquisition from affiliated company
AS21          Create an asset group
AS22          Modify Asset
AS25          Block group asset
AS26          Delete an asset group
ABZU          Asset write-up
ABZS          Asset write-up
ABMA          Asset manually depreciate
AFAB/ AFABN   Post depreciation
ABAV/ ABAVN   Retire by scrapping
ABAO/ ABAON   Asset Sale Without Customer
ABAD          Asset Retire from Sale with Customer
ABANK         Retire with cost
AR31          Asset mass retirement
OAP1          Create chart of depreciation
OA52          Close previous account period
OAP2          Change chart of depreciation
Table E: Asset Accounting Transactions

Foreign Currency Translation

Foreign currency exchange ratios and rates are maintained through transactions OBBS and OB08. The underlying tables should be reviewed through these transactions to ensure that ratios and rates are regularly and accurately updated.

SAP provides a variety of valuation methods and even provides an option to create custom methods. Custom valuations should be identified and examined very closely. This can be performed through transaction OB59 (foreign currency valuation methods).

Automatic postings for foreign currency valuations should be analyzed via transaction OBA1. The assigned accounts are used to record realized/ unrealized gains and losses. This should be followed by a review of the foreign currency rounding rules in transaction OB90.

Inter-Company Transactions

Inter-company reconciliation is often a bottleneck in the financial close process. As a result, some SAP clients have migrated to the Web-based BusinessObjects Inter-company application. This significantly improves the speed and accuracy of identifying, matching and eliminating related party transactions. However, the majority of organizations continue to rely upon a manual process.

Related parties are treated as trading partners in SAP and are defined through IMG > Enterprise Structure > Definition > Financial Accounting > Define Company. Once configured, SAP will post documents such as invoices, payments, receipts and asset transfers between related parties to designated inter-company accounts. Inter-company clearing accounts should be identified using transaction OBYA. All such accounts should be reviewed against the relevant financial statement assertions.

Cash Management

Cash Management (CM) is a component of SAP TR that is used to monitor payment flows and safeguard liquidity. This component is used to perform bank reconciliations and therefore should be a crucial element of an SAP financial audit. Management should regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash transactions and ensure that bank deposits and payments are reflected in the relevant GL accounts. Note that FF67 can be used to import and process bank statements in SAP.

Changes to banking master data should be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness.

Also, access to critical CM transactions should be reviewed, including those listed in Table F, focusing on authorization objects F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA, or F_PAYR_BUK with activity levels 01, 02, 06 and 17.

TRANSACTION   DESCRIPTION
FI12          Change House Banks/Bank Accounts
FI01          Change Master Record
FI02          Change Bank
FI06          Set Flag to Delete Bank
FF67          Manual Bank Statement
FF_5          Import Electronic Bank Statement
FEBA          Post-process Electronic Bank Statement
FLB2          Import Lock box Data
FLB1          Post-processing Lock box Data
F-28          Incoming Payments
FB05          Post payment with clearing
FRFT          Set Up Repetitive Wire
FI10          Parameters for Automatic Payment
FF/4          Import electronic check deposit list
FFB4          Import electronic check deposit list
FF/5          Post electronic check deposit list
FFB5          Post electronic check deposit list
FF68          Manual Check Deposit Transaction
FCHG          Reset cashing/extract data
FF63          Create Planning Memo Record
FCHX          Check Extract Creation
FCHG          Delete cashing/extract data
Table F: Cash Management Transactions
Layer Seven Security

About Us

Layer Seven Security specializes in SAP security. We serve customers worldwide to protect information assets against internal and external threats and to comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing the risks associated with contemporary SAP systems.

Our consultants have an average of ten years of experience in the field of SAP security and proficiency in regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX.

The company is privately owned and headquartered in Toronto, Canada.

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993
© Copyright Layer Seven Security 2011 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written
permission of Layer Seven Security.

Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the
information presented, but the professional staff of Layer Seven Security makes every reasonable
effort to present the most reliable information available to it and to meet or exceed any applicable
industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. Business Objects and the Business Objects logo,
BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business
Objects products and services mentioned herein are trademarks or registered trademarks of Business
Objects in the United States and/or other countries.
