SAP Audit Guide - Financial Accounting - Layer Seven Security
Reporting Structure
Chart of Accounts
Journal Entry Posting
Period End Close
Foreign Currency Translation
Inter-company Transactions
Asset Management and Reporting
Cash Management
Reporting Structure
Financial
in multiple currencies.
Table B: GL Account Transactions
FSP6    Mark Master Record for Deletion in Chart/Accts

BusinessObjects Planning and Consolidation (BPC) and BusinessOne should be configured to block unbalanced journal entries. In the former, this can be verified through the JRN_BALANCE parameter. The parameter should be set to 1 (Journals need to be balanced). The default value is 0 (Journals need not be balanced). In the latter, the field for Block Unbalanced Journal Entry should be checked in Administration > System Initialization > Document Settings > Journal Entry.

BPC should be configured to block unbalanced journal entries through the JRN_BALANCE parameter
S_ALR_87008275    Define Percentage Overhead (actual)
AFAR              Recalculating Values
ABST2             Account Reconciliation
AJRW              Fiscal Year Change
AJAB              Year-end closing Asset Accounting
F.07              Carry Forward AP/AR Balances
FAGLGVTR          Carry Forward GL Balances
FAGLF101          Regrouping Receivables/Payable
F.17              Balance Confirmation Receivable
F.18              Balance Confirmation Payable

Depreciation keys should be defined for each asset class. The keys define the rules for calculating depreciation such as straight line or declining balance. They also control the useful life of assets. Auditors should review the configuration of all or a sample of depreciation keys through transaction AFAMA (View Maint. for Deprec. Key Method). Depreciation postings can be reviewed through transactions AFBP and AR25. Transaction ABST displays the reconciliation between asset accounting and the general ledger.

If the SAP Project System (PS) is operating alongside FI-AA, the relevant availability controls should be reviewed in PS. These regulate the thresholds for asset acquisitions in excess of approved, budgeted amounts which, if configured correctly, can be blocked altogether. This can be performed through transaction OPS9 and the menu path IMG > Project System > Costs > Budget > Define Tolerance Limits.
Foreign currency exchange ratios and rates are maintained through transactions OBBS and OB08. The underlying tables should be reviewed through these transactions to ensure that ratios and rates are regularly and accurately updated.

SAP provides a variety of valuation methods and even provides an option to create custom methods. Custom valuations should be identified and examined very closely. This can be performed through transaction OB59 (foreign currency valuation methods).

Automatic postings for foreign currency valuations should be analyzed via transaction OBA1. The assigned accounts are used to record realized/unrealized gains and losses. This should be followed by a review of foreign currency rounding rules in transaction OB90.

Inter-Company Transactions

Cash Management (CM) is a component of SAP TR that is used to monitor payment flows and safeguard liquidity. This component is used to perform bank reconciliations and therefore should be a crucial element of an SAP financial audit. Management should regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash transactions and ensure bank deposits and payments are reflected in the relevant GL accounts. Note that FF67 can be used to import and process bank statements in SAP.

Changes to banking master data should be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness.

Also, access to critical CM transactions should be reviewed, including those listed in Table F, focusing on authorization objects F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA, or F_PAYR_BUK with activity levels 01, 02, 06 and 17
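The access review described above can be run over an exported list of user authorizations. The following Python check is an added example, not part of the original guide: the CSV column layout, user names and sample rows are constructed assumptions, while the authorization objects and activity levels are the ones listed in the text. It also covers wildcard and range grants, which a literal search for the four activity values would miss.

```python
import csv
import io

# Authorization objects and activity levels named in the guide.
CRITICAL_OBJECTS = {
    "F_BNKA_BUK", "S_TABU_DIS", "F_BNKA_MAN", "F_FEBB_BUK", "S_GUI",
    "F_BKPF_BES", "F_BKPF_GSB", "F_FDES_BUK", "F_REGU_BUK",
    "F_REGU_KOA", "F_PAYR_BUK",
}
CRITICAL_ACTIVITIES = {"01", "02", "06", "17"}

# Constructed sample export (hypothetical column layout): one row per
# value or range granted to a user for a field of an authorization object.
SAMPLE_EXPORT = """user,object,field,low,high
JSMITH,F_BNKA_BUK,ACTVT,03,
JSMITH,F_REGU_BUK,ACTVT,01,06
APCLERK,F_BNKA_MAN,ACTVT,*,
APCLERK,F_BNKA_MAN,BUKRS,1000,
AUDITOR,F_BKPF_BES,ACTVT,03,
TREASURY,F_PAYR_BUK,ACTVT,17,
TREASURY,M_BEST_BSA,ACTVT,02,
"""

def granted_activities(low, high):
    """Return the critical activities covered by one low/high entry."""
    low, high = low.strip(), high.strip()
    if low == "*":                      # full wildcard grants everything
        return set(CRITICAL_ACTIVITIES)
    if high:                            # range: every activity in [low, high]
        return {a for a in CRITICAL_ACTIVITIES if low <= a <= high}
    return {low} & CRITICAL_ACTIVITIES  # single value

def flag_critical_access(export_text):
    """Map (user, object) -> sorted critical activities held."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["object"] not in CRITICAL_OBJECTS or row["field"] != "ACTVT":
            continue
        hits = granted_activities(row["low"], row["high"])
        if hits:
            findings.setdefault((row["user"], row["object"]), set()).update(hits)
    return {key: sorted(acts) for key, acts in findings.items()}

if __name__ == "__main__":
    for (user, obj), acts in sorted(flag_critical_access(SAMPLE_EXPORT).items()):
        print(f"{user:10} {obj:12} activities {', '.join(acts)}")
```

Each flagged user and object pair is a candidate for tracing back to an approved access request.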
Layer Seven Security
About Us
Layer Seven Security specialize in SAP security. We serve customers worldwide to protect information assets
against internal and external threats and comply with industry and statutory reporting requirements. The
company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and
vulnerability assessment solutions targeted at managing risks associated with contemporary SAP systems.
Our consultants have an average of ten years of experience in the field of SAP security and proficiency in
regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX.
Address
Westbury Corporate Centre
Suite 101
2275 Upper Middle Road
Oakville, Ontario
L6H 0C3, Canada
Web
www.layersevensecurity.com
Email
info@layersevensecurity.com
Telephone
1 888 995 0993
© Copyright Layer Seven Security 2011 - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written
permission of Layer Seven Security.
Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the
information presented, but the professional staff of Layer Seven Security makes every reasonable
effort to present the most reliable information available to it and to meet or exceed any applicable
industry standards.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. Business Objects and the Business Objects logo,
BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business
Objects products and services mentioned herein are trademarks or registered trademarks of Business
Objects in the United States and/or other countries.