Control Testing in SAP


IT, Financial and Operational
Richard Fowler, CISA, CIA and Larry Panayi, CISA (Huntington Ingalls and Northrop Grumman)

[ Learning Points
- Understand how to assess and test the SAP technology infrastructure
- Understand how to assess and test the SAP General Ledger and other financial reporting modules
- Understand how to assess and test the SAP production, planning and procurement modules

Real Experience. Real Advantage.

[ Return on Investment
Our basic assumption is that, if your organization is running SAP, then you are large enough, complex enough, or savvy enough to also have an internal audit function. Auditors need to know how to conduct a more effective application review of SAP, and should understand the infrastructure, key operations, and configuration. By ensuring that the auditors know how to properly focus on the key controls as they conduct audits in SAP, the business can be assured of minimizing the time needed to support the audit.

[ Best Practices
- Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP
- Learn a methodology for testing and specific test steps that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing
- Use and modify sample audit programs to enhance SAP testing

[ Who We Are Huntington Ingalls


- Over a century designing, building, overhauling and repairing ships for the U.S. Navy, the U.S. Coast Guard and world navies
- The nation's sole industrial designer, builder and refueler of nuclear-powered aircraft carriers
- One of only two companies capable of designing and building nuclear-powered submarines
- Have built over 40 percent of the U.S. Navy's current surface combatant fleet

ERP Used: SAP ECC 6.0 & ECC 5.0



[ Who We Are Northrop Grumman


Northrop Grumman Corporation (NYSE: NOC) is a leading global security company providing innovative systems, products and solutions in aerospace, electronics, information systems, and technical services to government and commercial customers worldwide.

ERP Used: SAP ECC 6.0



[ Agenda
1. SAP from a business perspective: what SAP does for the user community
2. SAP from a technology perspective: typical landscape; business impact and risk
3. Auditing the business side (COSO, IIA guidance): general ledgers, financial statements, billings; operations: production planning, procurement
4. Auditing the technology side (ISACA, COBIT guidance): application / general computing controls; configuration settings (IMG)
5. Developing the audit program
6. Questions and comments

[ SAP from a business perspective


SAP can address almost every aspect of every business:

- Financial Accounting (FI)
- Controlling (CO)
- Asset Management (AM)
- Materials Management (MM)
- Sales and Distribution (SD)
- Quality Management (QM)
- Plant Maintenance (PM)
- Human Resources (HR)
- Supply Chain Management (SCM)
- Customer Relationship Management (CRM)
- Governance, Risk & Compliance (GRC)

[ SAP from a business perspective


Which business areas rely on controls?

All of them, of course, but:
- Are those controls effective?
- Are they efficient?
- Are they warranted?

SAP is configured out of the box to provide a good level of basic controls for the business user and management.


[ SAP from a business perspective


That's where the auditors come in, to test the controls.

The tests should ensure that the controls are effective: that they are designed to mitigate the risk (test of design) and that they are actually operating to mitigate it (test of operating effectiveness). The tests should also consider whether the controls are efficient; in some cases auditors can identify excessive or redundant controls that can be eliminated. Let's briefly go through how to test these controls.


[ SAP from a business perspective


Do's
- Incorporate a top-down approach
- Document what you do, why, and your conclusions
- Be specific about remediation timelines and responsibilities

And Don'ts
- Forget to document and retain test procedures
- Neglect either tests of design or tests of operating effectiveness
- Fail to conclude on your findings


[ SAP from a business perspective - Finance


Process overview (flowchart on the original slide): Identify Significant Accounts and Processes → Document Processes & Controls → Evaluate & Monitor

- Identify: financial statements (2011 balance sheets) → significant accounts and significant processes, each with its financial and process implications
- Document: what can go WRONG? Inherent and key business risks, management's assertions, internal controls
- Evaluate & Monitor: analyze the controls' efficiency and effectiveness

And, of course, report.


[ SAP from a business perspective - Finance


OK, so which accounts are significant?

Select them based on:
- Errors of importance*
- Size and composition (account balances: FS10, F.08)
- High transaction volume (line items: F.42, FB09D, FBL1N)
- Transaction complexity
- Subjectivity in determining the account balance
- Nature of the account (suspense accounts, reserve accounts)

* Errors that individually or collectively could have a material effect on the financial statements, e.g. revenue recognition (VF45, VF47), goodwill valuation (CX67)


[ SAP from a business perspective - Finance


With the accounts identified, let's see what can go wrong:
- Errors of importance: restatement, significant deficiencies
- Size and composition: inability to effectively analyze data
- High transaction volume: data noise, difficult to distinguish trends
- Transaction complexity: hidden errors
- Subjectivity in determining the account balance: non-compliance with GAAP and/or IFRS
- Nature of the account: fraud


[ SAP from a business perspective - Finance


So what is in place to mitigate the risks? Internal controls:
- Errors of importance: management review, executive approval
- Size and composition: SAP configuration
- High transaction volume: SAP configuration
- Transaction complexity: SAP configuration
- Subjectivity in determining the account balance: SAP configuration
- Nature of the account: SAP configuration

And THAT's what SAP does for the financial user.


[ SAP from a business perspective Material planning


Process overview (flowchart on the original slide): Identify Material Needs → Document Processes & Controls → Evaluate & Monitor

- Identify: contract specifications → material requirements, scheduled delivery, material requirements planning
- Document: what can go WRONG? Inventory on hand, work in progress, budget, internal controls
- Evaluate & Monitor: analyze the controls' efficiency and effectiveness

And, of course, report.


[ SAP from a business perspective Material planning


So what are we concerned with in material procurement? Key objectives:
- Material identification (MB51)
- Material need date (part of the PO, see ME23N)
- Inventory on hand (MB03)
- Warehouse availability (LS03)
- Material requirements planning (MD04)
- Scrap / excess inventory (WAM03)


[ SAP from a business perspective Material planning


With the material processes identified, let's see what can go wrong:
- Material identification: wrong material, contract violation, liability
- Material need date: schedule delay
- Inventory on hand: excess material ordered
- Warehouse availability: lost material, insufficient storage space
- Material requirements planning: shelf life expires, material not available
- Scrap / excess inventory: waste, unnecessary costs, fraud


[ SAP from a business perspective Material planning


So what is in place to mitigate the risks? Internal controls:
- Material identification: engineering / management review
- Material need date: engineering / management review
- Inventory on hand: SAP configuration
- Warehouse availability: SAP configuration
- Material requirements planning: SAP configuration
- Scrap / excess inventory: SAP configuration

And THAT's what SAP does for the planning, procurement and material user.



[ SAP from a technology perspective - Landscape


Ideally, an SAP environment has a three- or four-system landscape: Development, Quality Assurance and Production, often preceded by a Sandbox for experimentation. Configuration and code changes are made in Development and moved through the landscape as transports, so the objective of the design is controlled "configuration pipeline management": nothing is changed directly in Production, and every change that reaches it has been tested in Quality Assurance first.


[ SAP from a technology perspective - Business Impact and Risk

Improper configuration of SAP could leave the enterprise unable to execute its critical processes. Risks resulting from ineffective or incorrect configuration or use of SAP include:
- Disclosure of privileged information
- Single points of failure
- Low data quality
- Loss of physical assets
- Loss of intellectual property
- Loss of competitive advantage
- Loss of customer confidence
- Violation of regulatory requirements


[ Auditing the business side COSO, IIA guidance

COSO's Internal Control: Integrated Framework, usually pictured as the COSO cube, has been used as an auditing model since its initial release in 1992.

[ Auditing the business side COSO, IIA guidance

There is also a COSO model (the COSO Enterprise Risk Management framework) for organizations that run an enterprise risk management program.

[ Auditing the business side COSO, IIA guidance


Regardless of the model used, COSO recommends a risk-based approach to auditing. The IIA supports this approach, and has included it in their International Professional Practices Framework. There are proposed changes to both the COSO framework and the IPPF standards, but no significant changes to the audit approach or fieldwork standards.


[ Auditing the business side COSO, IIA guidance


GTAG 8, Auditing Application Controls, is provided by the IIA as guidance. It can be used to help map the key controls to the appropriate SAP tests. Although it was designed for application controls, the same approach can be used for manual, embedded and hybrid controls.


[ Auditing the business side Financial


Going back to the financial risks and controls, we had:
- Errors of importance: management review, executive approval
- Size and composition: SAP configuration
- High transaction volume: SAP configuration
- Transaction complexity: SAP configuration
- Subjectivity in determining the account balance: SAP configuration
- Nature of the account: SAP configuration


[ Auditing the business side Financial


How can we test the effectiveness of the management reviews and executive approvals that prevent or detect errors of importance?

Manual test: obtain a sample of management's account reviews and verify
1. that the reviews are routinely performed;
2. through inquiry, what is being reviewed;
3. that errors, when noted, are corrected.

No, it's not specific to SAP, but we wanted to be complete.


[ Auditing the business side Financial


How can we test the effectiveness of the SAP configuration that controls or limits account size and composition?

The IMG (transaction SPRO) has detailed configuration settings for a number of account types: G/L, A/R, A/P, bank accounts, asset accounts, lease accounts, retail ledger accounts, special purpose accounts, customer accounts, vendor accounts, material accounts, etc. There are a lot of types. The configuration settings can limit what transactions can be posted to an account (via the posting key) and which roles can post or edit information (via the authorizations assigned to those roles).


[ Auditing the business side Financial


What if there are no configured limits to account size and composition?

We can use FS10N to get the balances of a single account, or F.08 for a series of accounts. Download the results for separate periods and compare them: month-to-month or year-to-year changes (horizontal analysis), or each account as a share of a base such as total assets or total expenses in the same period (vertical analysis). Determine by comparison whether the account has an unusual size (a balance that greatly increased or decreased) relative to other months and/or years.


[ Auditing the business side Financial


How can we test the effectiveness of the SAP configuration that controls or limits account transaction volume?

As before, the IMG (transaction SPRO) has detailed configuration settings, particularly for automatic postings. If there are automatic postings or payments, review the configuration settings with the financial or accounting manager to understand the critical processes (the account determination behind automatic postings is in OBYC). Use transaction F110 to review the automatic payment run parameters, and transaction F822 to review automatic payment blocks.


[ Auditing the business side Financial


How can we test the effectiveness of the SAP configuration that controls or limits account transaction complexity?

Again, the IMG (transaction SPRO) has the detailed configuration settings; here we'd be looking at document types. Most accounts need only a limited number of document types, and if no limits are established it is easier for an incorrect transaction to be posted. To test an account's document types, run FS10N or F.08 as before, drill down to the line items and download the data. Use Excel (or a script) to find any odd or unusual document types, then drill down in SAP to see what they are for and whether they were posted properly. (You can usually get someone in Accounting to help with this determination.)


[ Auditing the business side Financial


How can we test the effectiveness of the SAP configuration that controls or limits transaction amounts?

For a change, let's look at the IMG (transaction SPRO) for the detailed configuration settings, this time for invoice verification tolerance limits (OMR6). Verify that limits are established, especially for automatically matched invoices (e.g., the 3-way match of purchase order, goods receipt and invoice). To test the tolerances, look at MRBR for invoices that have been blocked for being outside the tolerance limits. Inquire how these blocks are resolved, and look for documentation of blocks released in the past.


[ Auditing the business side Financial


How can we test the effectiveness of the SAP configuration that controls or limits the type of account being used?

Finally, let's look at the IMG (transaction SPRO) for one more detailed configuration setting, this time for G/L account groups (OBD4). The account group fixes the number range an account is created in and which master-data fields are required, optional or suppressed. Determine which accounts are associated with which account groups, and what field(s) define each group. Use FS10N or F.08 to verify that the accounts for a given period either have or do not have the values established, and there you have it.


[ Auditing the business side Material planning


Going back to the material management risks and controls, we had:
- Material identification: engineering / management review
- Material need date: engineering / management review
- Inventory on hand: SAP configuration
- Warehouse availability: SAP configuration
- Material requirements planning: SAP configuration
- Scrap / excess inventory: SAP configuration


[ Auditing the business side Material planning


(We may go through these fast, or even skip them all, based on time.)

How can we test the effectiveness of managements reviews of material identification and/or material need dates?
Material is usually identified initially on a drawing before it is loaded into SAP or other production system to generate a Bill of Material. Drawings should all show the preparer and reviewer/approver. If there is a change management process in place, you can check the files to see if material changes are also approved and by whom. Material need dates are going to be based on several factors, such as economic ordering quantity, first assembly schedule date, labor resource availability, etc. Discuss with engineering and planning management how the first need date is established. Not very SAP dependent, but included for completeness.

[ Auditing the business side Material planning


How do we know what material is already in inventory?

We want to verify that material is not being ordered when it's already available. Transaction MB52 is great for this; MB03 and IWBK can help. Look at a sample of recent material purchases. Note the need dates and the quantities, as well as any special requirements that may be included as part of the PO. Look up the material in SAP: MB52 will tell you how much is on hand now; with MB03 you can drill down to find material movements and where the material is located; with IWBK you can get an overview of the availability of material. This will help you identify unnecessary orders or verify that the material planning is adequate.

[ Auditing the business side Material planning


How can we determine if the MRP process is functioning effectively?
MRP is part of the production planning module (PP), and involves capacity planning, cost estimates, resource planning, scheduling, bills of material, etc. This is a full audit by itself, not just an audit step. We can, however, spot check some attributes to see if there are issues. Transaction CS03 displays a bill of material (my company has modified this into a ZBOM transaction to suit our own requirements). CS15 lets us know where else similar material is being used. More detailed planning can be viewed using MCP1 to view SAPs operational analysis based on material, plant, work center and date ranges. We can assess the MRP controllers effectiveness using MCP5 (actually used for material analysis). MD05 displays the MRP list, which is also useful.

[ Auditing the business side Material planning


How can we assess processes to scrap excess material?

Material can be damaged, use-by dates can expire, specifications can go out of date: all situations that make material unusable. Scrapping is a goods issue, so it is posted with transaction MIGO_GI (or MB1A) using a scrapping movement type: 551 (from unrestricted stock), 553 (from quality inspection stock) or 555 (from blocked stock). Transaction MB51 (material document list) filtered on these movement types gives the population of scrap postings. There should be documented local procedures that define specific requirements for scrapping material; after all, that's an avenue for fraud and we want to minimize it. Review the procedures, then sample the postings listed above and verify that the requirements have been met.



[ Auditing the technology side ISACA - COBIT guidance

ISACA Controls Framework: COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Using COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with the good practices adopted by the enterprise.


[ Auditing the technology side ISACA - COBIT guidance

Application controls
- Controls embedded in financial and business applications to prevent or detect unauthorized transactions
- Controls to ensure the completeness, accuracy and validity of transaction processing

Includes controls such as:
- Balancing control activity within the system
- Check digits
- Predefined data listings
- Data reasonableness tests
- Logic tests, range limits, etc.

[ Auditing the technology side ISACA - COBIT guidance

General computer controls
- Controls to ensure the proper development and implementation of applications, the integrity of program and data files, and the integrity of computer operations

Includes controls such as:
- Logical access over infrastructure, applications and data
- System development life cycle
- Program change management
- Data center physical security
- System and data backup and recovery
- Computer operations

[ Auditing the technology side ISACA - COBIT guidance

Automated testing of automated controls
- SAP GRC Compliance Calibrator
- SAP Solution Manager
- Included SAP functions: SU22, SU24, SUIM, SE16N, SAP logs, SAP reports (e.g., RSPARAM)

Third-party solutions for control testing
- Approva BizRights
- ACL Direct Link
- I-DEAS
- Cognos
- WinShuttle
(there are others)


[ Auditing the technology side ISACA - COBIT guidance

Changes to master data have been authorized
- Customer master data: use transaction OV51 (also accessible via transaction SA38 with program RFDABL00) to generate a list showing the date and time of each change, the old and new field values, and the user who entered the change

User access to create and maintain customer, material and pricing master data is appropriate
- Customer master data: transactions FD01/FD02/FD05/FD06 (Finance), VD01/VD02/VD05/VD06 (Sales), XD01/XD02/XD05/XD06/XD07/XD99 (Central)
- Material master data: transactions MM01 (create), MM02 (change), MM06 (flag for deletion)
- Pricing master data: transactions VK11 and VK12

[ Auditing the technology side ISACA - COBIT guidance

COBIT references: PO4. Ensure there is an appropriate segregation of duties between incompatible functions (SUIM; SE16 on tables USOBT, AGR_USERS). Functions that should be kept separate:
- Basis administration
- Transport/import
- Develop program change
- Develop role change
- User security administration
- Change monitoring
- User testing
- Authorize change
- Perform change
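The SUIM and SE16 queries on this slide answer the question one user at a time; an added example of doing the same check over a whole extract follows (our own Python, not from the presentation). It reads user-to-role assignments as AGR_USERS holds them and the S_TCODE values in the role authorization data (table AGR_1251, which the slide does not list), maps transactions to the incompatible functions above, and reports users who hold a conflicting pair through unexpired roles. The transaction-to-function map and the conflict rules are illustrative assumptions to be replaced by the organization's own SoD matrix; only S_TCODE is evaluated, so objects such as S_DEVELOP, S_USER_GRP and S_TRANSPRT that a full check would also consider are out of scope. All extracts are constructed.

```python
"""Segregation-of-duties check over AGR_USERS (user-role assignments) and the
S_TCODE values in AGR_1251 (role authorization data). Added example, not from the
presentation: FUNCTION_TCODES and CONFLICTS are assumed, and only S_TCODE is read."""
from collections import defaultdict
from fnmatch import fnmatch

# Which transactions stand for which incompatible function (assumed mapping)
FUNCTION_TCODES = {
    "user_admin": {"SU01", "SU10"},
    "role_change": {"PFCG"},
    "program_change": {"SE38", "SE80"},
    "transport_import": {"STMS"},
    "basis_admin": {"RZ10", "SM49"},
}
# Pairs of functions one person should not hold (assumed rules)
CONFLICTS = [
    ("program_change", "transport_import"),
    ("user_admin", "role_change"),
    ("role_change", "transport_import"),
    ("basis_admin", "user_admin"),
]

# Constructed extracts: (user, role, valid_to) and (role, object, field, value)
AGR_USERS = [
    ("JDOE", "Z_DEVELOPER", "9999-12-31"),
    ("JDOE", "Z_TRANSPORT", "9999-12-31"),
    ("ASMITH", "Z_USER_ADMIN", "9999-12-31"),
    ("OLDDEV", "Z_DEVELOPER", "9999-12-31"),
    ("OLDDEV", "Z_TRANSPORT", "2010-12-31"),   # expired assignment, must not count
    ("BASIS1", "Z_BASIS_ALL", "9999-12-31"),
]
AGR_1251 = [
    ("Z_DEVELOPER", "S_TCODE", "TCD", "SE38"),
    ("Z_DEVELOPER", "S_TCODE", "TCD", "SE80"),
    ("Z_TRANSPORT", "S_TCODE", "TCD", "STMS"),
    ("Z_USER_ADMIN", "S_TCODE", "TCD", "SU01"),
    ("Z_BASIS_ALL", "S_TCODE", "TCD", "*"),     # wildcard grants every transaction
]


def role_tcode_patterns(agr_1251):
    """S_TCODE/TCD values per role; values may be wildcards such as SE* or *."""
    patterns = defaultdict(set)
    for role, obj, field, value in agr_1251:
        if obj == "S_TCODE" and field == "TCD":
            patterns[role].add(value)
    return patterns


def user_functions(agr_users, agr_1251, as_of):
    """Map each user to {function: transactions reachable} through roles still valid on as_of."""
    patterns = role_tcode_patterns(agr_1251)
    result = defaultdict(lambda: defaultdict(set))
    for user, role, valid_to in agr_users:
        if valid_to < as_of:  # ISO dates compare correctly as strings
            continue
        for function, tcodes in FUNCTION_TCODES.items():
            for tcode in tcodes:
                if any(fnmatch(tcode, pattern) for pattern in patterns.get(role, ())):
                    result[user][function].add(tcode)
    return result


def sod_conflicts(agr_users, agr_1251, as_of, rules=CONFLICTS):
    """List (user, function_a, function_b) for every rule a user violates, by user."""
    found = []
    for user, functions in sorted(user_functions(agr_users, agr_1251, as_of).items()):
        for a, b in rules:
            if a in functions and b in functions:
                found.append((user, a, b))
    return found


if __name__ == "__main__":
    for conflict in sod_conflicts(AGR_USERS, AGR_1251, as_of="2011-06-30"):
        print("SoD conflict:", conflict)
```

The wildcard handling matters more than it looks: a role carrying `*` in S_TCODE (common in Basis roles) will not show up in a SUIM search for a specific transaction, yet it grants every function in the matrix at once.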

[ Auditing the technology side ISACA - COBIT guidance

COBIT references: DS4, DS5, DS9, DS12
- Access to information and information systems is authorized
- Information systems processing is protected physically from unauthorized access and from accidental or deliberate loss or damage
- Information processing can be recovered and resumed after operations have been interrupted
- Critical user activities can be maintained and recovered following interruption
- Configuration changes are made in the development environment and transported to production
- Changes to critical number ranges are controlled


[ Auditing the technology side ISACA - COBIT guidance

COBIT references: AI6, DS5, DS13, PO4
- Access to system and customizing tables is narrowly restricted
- Application modifications are planned, tested and implemented in a phased manner
- Customized ABAP/4 programs are secured appropriately
- Batch processing operations are secured appropriately
- Critical and sensitive transaction codes are locked in production
- Strong password management for system users
- SAProuter is configured to act as a gateway to secure communications
- Remote access by software vendors is controlled adequately

[ Auditing the technology side ISACA - COBIT guidance

COBIT references: DS5, PO2
- SAP ERP Remote Function Call (RFC) and Common Programming Interface-Communications (CPI-C) are secured
- Technology infrastructure is configured to secure communications and operations in the SAP ERP environment:
  - Firewall
  - Secure Network Communications (SNC)
  - Secure Store and Forward (SSF) mechanisms and digital signatures
  - Workstation security
  - Operating system and database security

[ Auditing the technology side ISACA - COBIT guidance

COBIT references: AI1, AI6, DS5, DS9, DS11, ME1, PO2
- Superuser SAP* is properly secured: set system parameter login/no_automatic_user_sapstar (so the hard-coded SAP* logon is not available if the SAP* master record is deleted)
- Default passwords for users DDIC, SAPCPIC and EarlyWatch have been changed
- Use of powerful profiles (SAP_ALL, SAP_NEW) is restricted
- Logging and monitoring are in place for use of powerful accounts and profiles
- Changes made to the data dictionary are authorized and reviewed regularly
- Log and trace files are appropriately configured and secured
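The SAP* parameter and the password-management items on these slides are all profile parameters that report RSPARAM (listed on the automated-testing slide) prints out. As an added example (our own Python, not from the presentation), the script below reads a constructed RSPARAM-style listing and checks the effective value of each parameter against a baseline. The tab-separated layout (parameter, user-defined value, system default) and the thresholds are assumptions describing one common baseline, not SAP defaults; a blank user-defined value means the default is in force, which is itself a finding worth catching.

```python
"""Check SAP profile parameters from an RSPARAM listing against a password and
SAP* baseline. Added example, not from the presentation. The tab-separated layout
(name, user-defined value, system default) and the thresholds are assumptions."""


def as_int(value):
    """Integer value of a parameter, or None if it is not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


# Baseline: parameter -> (predicate on the effective value, expectation in words)
BASELINE = {
    "login/no_automatic_user_sapstar": (
        lambda v: v == "1",
        "must be 1 so SAP* with its hard-coded password is unusable if the master record is deleted"),
    "login/min_password_lng": (
        lambda v: (as_int(v) or 0) >= 8,
        "minimum password length of at least 8"),
    "login/fails_to_user_lock": (
        lambda v: 1 <= (as_int(v) or 0) <= 5,
        "lock the user after at most 5 failed logons"),
    "login/password_expiration_time": (
        lambda v: 1 <= (as_int(v) or 0) <= 90,
        "passwords expire within 90 days (0 means never)"),
    "login/password_compliance_to_current_policy": (
        lambda v: v == "1",
        "existing passwords must be brought in line with the current policy"),
    "rdisp/gui_auto_logout": (
        lambda v: 1 <= (as_int(v) or 0) <= 3600,
        "idle SAP GUI sessions are logged off within an hour"),
}

# Constructed RSPARAM extract: name <TAB> user-defined value <TAB> system default.
# An empty user-defined value means the system default is in effect.
SAMPLE_RSPARAM = """\
login/no_automatic_user_sapstar\t1\t0
login/min_password_lng\t\t6
login/fails_to_user_lock\t12\t5
login/password_expiration_time\t0\t0
login/password_compliance_to_current_policy\t1\t0
rdisp/gui_auto_logout\t1800\t0
"""


def parse_rsparam(text):
    """Return {parameter: effective value}, preferring the user-defined value."""
    params = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, user_value, default = (line.split("\t") + ["", ""])[:3]
        params[name] = user_value if user_value != "" else default
    return params


def check_baseline(params, baseline=BASELINE):
    """List every baseline parameter that is missing from the listing or off-policy."""
    findings = []
    for name, (is_ok, expectation) in baseline.items():
        value = params.get(name)
        if value is None or not is_ok(value):
            findings.append({"parameter": name, "value": value, "expected": expectation})
    return sorted(findings, key=lambda f: f["parameter"])


if __name__ == "__main__":
    for finding in check_baseline(parse_rsparam(SAMPLE_RSPARAM)):
        print(finding)
```

Run it against the RSPARAM output of each application server, not just one: profile parameters are set per instance, and a hardened central instance next to an unhardened dialog instance is a common finding.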


[ Auditing the technology side Configuration (IMG)


Use transaction SPRO to view the IMG

Click the find button to search for key terms


[ Auditing the technology side Configuration (IMG)


You can then double click any item on the list and it will take you to the location within the IMG.


[ Auditing the technology side Configuration (IMG)


This is helpful when you want to document where a control is performed. Executing an IMG activity shows the transaction code behind it, which is useful when discussing the control with the auditee or IT staff. Another useful tool is the Performance Assistant, which provides notes about each configurable control.


[ Auditing the technology side Configuration (IMG)


The Performance Assistant provides you with more detailed information about the control to help you understand how it works.


[ Auditing the technology side Configuration (IMG)


Other IMG configurations (transaction SPRO)
- Customer account groups: Financial Accounting > Accounts Receivable & Accounts Payable > Customer Accounts > Master Data > Preparation for Creating Customer Master Data > Define Account Group With Screen Layout (Customers)
- Material types: Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
- Industry sector: Logistics General > Material Master > Field Selection > Define industry sectors and industry-sector specific field selection


[ Auditing the technology side Configuration (IMG)


Pricing condition types and records: Sales and Distribution > Basic Functions > Pricing, and transactions:
- V-44 for material price condition records
- V-48 for price list type condition records
- V-52 for customer-specific condition records

Other configurable controls

3-way match
- SE16 on table LFM1 (verify the GR-based invoice verification indicator is set)
- LFA1 (global listing of vendors): although a vendor shows in LFM1, it could be blocked globally in this table, in which case the LFM1 entry is not applicable

Invoice payment approval


[ Auditing the technology side Configuration (IMG)


PO release workflow
- Obtain the PO release strategy settings assigned to users by release level; table T16FS holds the release strategies defined for PO release amounts for particular sectors

JV workflow
- Approval matrix set-up: used to determine whether the appropriate approvers for a JV document are set up in SAP (the JV user is not the same as the JV approver)

Tolerance limits
- SE16 on table T169G (one or many company codes can be selected)

Automatic posting
- Identifies the various procedures that generate automatic postings to the GL; use transaction OBYC (needs business management or SAP Basis to execute)


[ Developing the audit program


Having identified the key processes, inherent risks, internal controls and potential test steps (this applies to both the business side and the IT side), it is pretty straightforward to build the audit program. Use whatever format is accepted in your organization:
- Word document
- Excel spreadsheet
- Risk & control report from TeamMate, Audit Leverage, MK Insight or other audit management software

SAP QM includes auditing transactions, but they are aligned more with lot sampling than internal auditing.

[ Developing the audit program


IIA Standard 2201: Planning Considerations

In planning the engagement, internal auditors must consider:
- the objectives of the activity being reviewed and the means by which the activity controls its performance;
- the significant risks to the activity, its objectives, resources and operations, and the means by which the potential impact of risk is kept to an acceptable level;
- the adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model.

Note that we've gone over these items already.


[ Developing the audit program


ISACA Standard S5: Planning
- Plan the IS audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.
- Develop and document a risk-based audit approach.
- Obtain an understanding of the activity being audited. The knowledge required should be determined by the nature of the organization, its environment, risks and the objectives of the audit.
- Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the audit. Audit strategies, materiality levels and resources can then be developed.

Not a great deal of difference in planning an audit.


[ Developing the audit program


The audit program must include the test steps, naturally. It does not need to include a description of the control being tested, but that's nice to have as a reminder during testing of what we're looking for. If you don't include the control, include a reference to where the control is documented. To meet the current (and proposed) standards in the audit profession, auditors must document the risk assessment process used in planning the audit. If not in the audit program itself, document the links from Process/Objective → Risks → Controls → Audit Tests.


[ Developing the audit program


Application objectives, risks and mitigating controls (columns on the slide: Objective, Risks, Mitigating Controls, Control Statement, Test Plan; the Test Plan column is left blank for the auditor to complete):

Objective: Data is input without errors
  Risk: Typos in data input are not detected
    Mitigating control: Edit checks
    Control statement: Edit checks eliminate common typographic errors. Where possible, the application includes processes to validate financial values for reasonableness and approval limits; looks for proper formats and required fields; uses standardized input screens; verifies sequences (e.g., missing items), range checks, and check digits; and performs cross checks (e.g., where certain policies are only valid with certain premium table codes).
  Risk: Duplicate record entry may not be detected
    Mitigating control: Record checks
    Control statement: Records are checked for key fields as part of the data validation process to minimize duplicate data entry, including using fuzzy logic for close matches.

Objective: Data is input completely
  Risk: Key fields are not entered
    Mitigating control: Field verification
    Control statement: Key fields are mandatory entries, and the record cannot be stored with certain items incomplete or pending.
  Risk: Some records are skipped / not entered
    Mitigating control: System checks
    Control statement: Cross-system checks are used to ensure records are input in sequence.

Objective: Data is input timely
  Risk: Post-close data entry invalidates parts of periodic financial reporting
    Mitigating control: Validation checks
    Control statement: Post-closing data entries are permitted, but require management approval to assure the impact is known.
  Risk: Late data entry changes the impact of management reports
    Mitigating control: Field verification
    Control statement: Late data entry is flagged in a special report to management.
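For the "Record checks" row above, one way to re-perform the duplicate-detection control over a vendor master extract, written as an added example for this page rather than code from the presentation. It assumes the extract holds vendor number, name and tax ID; the records, the legal-form suffix list and the 0.90 similarity threshold are constructed for the example and would be tuned to the organization's own data.

```python
"""Re-perform the 'Record checks' control over an extracted vendor master list.

Added example for the audit program above; it is not code from the presentation.
It assumes the auditor has extracted vendor number, name and tax ID into a list
of tuples; the records below are constructed test data, not real vendors.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample extract: (vendor number, name as keyed in, tax ID).
SAMPLE_VENDORS = [
    ("100001", "Acme Industrial Supply, Inc.", "12-3456789"),
    ("100002", "ACME INDUSTRIAL SUPPLY INC", "12-3456789"),
    ("100003", "Acme Industrail Supply", ""),
    ("100004", "Zenith Logistics GmbH", "98-7654321"),
    ("100005", "Acme Corp", ""),
]

# Legal-form suffixes that users key inconsistently and that carry no identity (assumed list).
LEGAL_SUFFIXES = {"inc", "corp", "co", "ltd", "llc", "gmbh", "ag", "plc"}


def normalize_name(name: str) -> str:
    """Case-fold, drop punctuation, collapse whitespace and strip legal suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    tokens = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def normalize_tax_id(tax_id: str) -> str:
    """Keep only digits so '12-3456789' and '123456789' compare equal."""
    return re.sub(r"\D", "", tax_id)


@dataclass(frozen=True)
class Match:
    vendor_a: str
    vendor_b: str
    kind: str      # 'tax_id', 'name' or 'name_fuzzy'
    score: float   # 1.0 for exact matches, similarity ratio for fuzzy ones


def find_duplicates(vendors, threshold: float = 0.90) -> list:
    """Pairwise comparison: exact tax ID first, then exact normalized name, then fuzzy name."""
    prepared = [(vid, normalize_name(name), normalize_tax_id(tax)) for vid, name, tax in vendors]
    matches = []
    for i, (id_a, name_a, tax_a) in enumerate(prepared):
        for id_b, name_b, tax_b in prepared[i + 1:]:
            if tax_a and tax_a == tax_b:
                matches.append(Match(id_a, id_b, "tax_id", 1.0))
            elif name_a == name_b:
                matches.append(Match(id_a, id_b, "name", 1.0))
            else:
                ratio = SequenceMatcher(None, name_a, name_b).ratio()
                if ratio >= threshold:
                    matches.append(Match(id_a, id_b, "name_fuzzy", round(ratio, 3)))
    return matches


if __name__ == "__main__":
    for m in find_duplicates(SAMPLE_VENDORS):
        print(f"{m.vendor_a} ~ {m.vendor_b}: {m.kind} ({m.score})")
```

Exact matching on a normalized tax ID catches the re-keyed vendor even when the name was typed differently; the fuzzy comparison catches the transposed-letter name that has no tax ID on file. Each reported pair is an audit exception to trace back to the input controls, not a conclusion in itself.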

[ Developing the audit program

[ Agenda
SAP from a business perspective
  What SAP does for the user community
SAP from a technology perspective
  Typical landscape
  Business impact and risk
Auditing the business side (COSO, IIA guidance)
  General ledgers, financial statements, billings
  Operations: production planning, procurement
Auditing the technology side (ISACA, COBIT guidance)
  Application / general computing controls
  Configuration settings (IMG)
Developing the audit program
Questions and comments


[ Questions & Comments

[ Key Learnings
Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP
Learn a methodology for testing, and specific test steps, that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing
Use and modify sample audit programs to enhance SAP testing
Thank you for participating.


Please remember to complete and return your evaluation form following this session. For ongoing education on this area of focus, visit the Year-Round Community page at www.asug.com/yrc

SESSION CODE: 1913


[ Appendix A: Useful Transaction Codes, Tables, and Reports

[ SAP Transaction Codes for Security and Troubleshooting

User Maintenance:
SU01  Maintain User (SU01D: display only)
SU02  Maintain Authorization Profiles
SU03  Maintain Authorizations
SU10  Mass Changes to User Master
SU12  Mass Changes to User Master Records
SU20  Maintain Authorization Fields
SU21  Maintain Authorization Objects
SU50  Maintain User Defaults
SU51  Maintain User Address
SU52  Maintain User Parameters
SU53  Display Check Values (last failed authorization check)
SU54  Maintain User Menu
SU55  Start User Menu
SU56  Analyze User Buffer (security check)
SUIM  User Information System


[ SAP Transaction Codes for Security and Troubleshooting (cont.)

Authorization Objects:
SU22  Authorization object usage in transactions
SU30  Total checks in the area of authorizations
Table Security:
SUCH  Translatability checks
SUCU  Table authorizations: Customizing
Correction & Transport:
SE09  Workbench Organizer
SE10  Customizing Organizer
Data Dictionary:
SE11  ABAP/4 Dictionary Maintenance
SE12  ABAP/4 Dictionary Display
SE13  Maintain Technical Settings (Tables)
SE14  Utilities for Dictionary Tables
SE15  ABAP/4 Repository Information System
SE85  ABAP/4 Dictionary Information System


[ SAP Transaction Codes for Security and Troubleshooting (cont.)

Table Display and Maintenance:
SE16  Data Browser
SE17  General Table Display
SM31  Table Maintenance
Tracing a Transaction:
SE30  ABAP/4 Runtime Analysis
ST01  System Trace
STAT  User Activity at UNIX Level (this transaction is very slow)
ABAP/4 Workbench:
SE36  ABAP/4: Logical Databases
SE37  ABAP/4 Function Modules
SE38  ABAP/4 Program Development
SE80  ABAP/4 Development Workbench
SE81  SAP Application Hierarchy
SE82  Customer Application Hierarchy
SE84  ABAP/4 Repository Information System
SE86  ABAP/4 Repository Information System

[ SAP Transaction Codes for Security and Troubleshooting (cont.)

Transaction Maintenance:
SE93  Maintain Transaction Codes
SE43  Menu path with transaction codes (main menu is S000)
Basic SAP R/3 system administration (knowledge the auditor should have):
SM21  System Log
SE06  Set up Workbench Organizer
SM04  Current Users on the Client
Other Transactions:
SU22  Authorization Objects used in Transaction Codes
SU23  Load Tables into TAUTL
SU24  Authorization Objects used in Transactions (Profile Generator)
SU25  Copy Initial Defaults
SU26  Compare Authorization Checks

[ Standard Security Reports (run via SA38)

Program    Short description
RSUSR000   Current Active Users
RSUSR002   Lists of Users According to Complex Selection Criteria
RSUSR003   Check the Passwords of Users SAP* and DDIC in all Clients
RSUSR004   Restrict User Values to the Following Simple Profiles and Auth. Objs.
RSUSR005   List of Users With Critical Authorizations
RSUSR006   List of User Master Records Locked Due to Incorrect Logon
RSUSR007   List Users Whose Address Data is Incomplete
RSUSR010   Transaction Lists According to Selection With User, Profile or Object
RSUSR020   List Profiles by Complex Selection Criteria
RSUSR030   List Authorizations According to Complex Selection Criteria
RSUSR040   List Authorization Objects by Complex Selection Criteria
RSUSR100   List Change Documents for Users
RSUSR101   List Change Documents for Profiles
RSUSR102   List Change Documents for Authorizations
RSUSR400   Test Environment Authorization Checks (SAP Systems Only)
RSPARAM    List system parameters (also transactions RZ11 or TU02)
RSCSAUTH   Maintain program/report authorization groups
RSABAUTH   Transfers authorization groups from TRDIR to TPGP

[ Important Security Tables

DD02V   List of Tables and Descriptions
TSTC    Transaction Listing
TSTCA   Values for Transaction Code Authorizations
TSTCT   Transactions with Description
TACT    Activities that can be Protected
TACTT   Activities that can be Protected, with Descriptions
TACTZ   Authorization Objects and Valid Activities
TBRG    Authorization Objects and Authorization Groups
TBRGT   Authorization Objects and Authorization Groups, with Descriptions
TDDAT   Table Authorization Groups
TOBJ    Authorization Objects
TOBJC   Authorization Object with Class Assignment
TOBJT   Authorization Objects and Descriptions
TOBC    Authorization Object Classes
TOBCT   Authorization Object Classes and Descriptions
TPGP    ABAP/4 Authorization Groups
TPGPT   Long Texts for ABAP/4 Program Groups
TRDIR   System Table TRDIR, ABAP/4 Programs with Authorization
TRDIRE  System Tables with Attributes
USOBT   Transaction Codes with Authorization Objects Checked (used with Profile Generator)


[ Additional Useful Tables

User Master Tables:
USR01   User Master Records
USR02   User ID and Passwords (includes last logon data)
USR04   User Master Authorizations
USR10   Authorization Profiles
USR11   User Master Profiles and Descriptions
USR12   User Master Authorization Values
USR40   Non-permissible Password Values
Change Logs:
USH02   Change History for Logon Data (including account lock indicator, user flag)
USH04   Change History for Authorizations
USH10   Change History for Authorization Profiles
USH12   Change History for Authorization Values
Authorization Tables:
UST04   User Masters (all users with profiles)
UST10C  User Master: Composite Profiles
UST10S  User Master: Simple Profiles
UST12   User Master: Authorizations
[ Reviewing Technical Security Access Controls

Password audit steps: using report RSPARAM (or RSPFPAR) via SA38, or transactions RZ11 / TU02, determine the password control settings. Parameter names are lower-case and case-sensitive. Read the active value, not just the "user-defined" column: an instance with no profile entry runs on the kernel default, and the defaults quoted below are those of the release audited and have changed between releases. Check every application server, since instance profiles can differ.
login/password_expiration_time  Frequency of forced password change, in days (default = 0 = off)
login/min_password_lng  Minimum password length (default = 3)
login/fails_to_user_lock  Number of invalid password attempts before the user is locked (default = 12)
login/failed_user_auto_unlock  Whether a locked user stays locked until released by an administrator or is automatically unlocked at midnight (default = 1 = unlocked at midnight)
rdisp/gui_auto_logout  User is logged off SAP GUI after this period of inactivity, in seconds (default = 7200 seconds = 2 hours)
login/disable_multi_gui_login  Whether one user may hold several GUI logons at once (default = 0 = multiple logons permitted)
NOTE: if multiple logons are disabled, individual users can still be permitted multiple logons by listing their user IDs in login/multi_login_users; review that list as part of the test.
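A checker for the password settings above, as an added example that is not from the presentation. It assumes the parameter list shown by RSPARAM or RZ11 has been exported to a "name;profile value;kernel default" text file (a constructed layout) and applies an example baseline (90-day expiry, 8-character minimum, lock after 5 failures, 30-minute auto-logout, single GUI logon) that stands in for the organization's own policy.

```python
"""Compare SAP logon/password profile parameters with an audit baseline.

Added example, not from the presentation. It assumes the auditor has exported
the parameter list shown by report RSPARAM (SA38) or transaction RZ11 into a
'name;user value;default value' text file; that layout and the values below
are constructed for this example, and the baseline thresholds are an example
policy, not SAP's recommendations.
"""
from dataclasses import dataclass

# Constructed export. A blank user value means the instance runs on the kernel default.
SAMPLE_EXPORT = """\
login/password_expiration_time;0;0
login/min_password_lng;;3
login/fails_to_user_lock;3;12
login/failed_user_auto_unlock;;1
rdisp/gui_auto_logout;900;7200
login/disable_multi_gui_login;0;0
login/multi_login_users;BATCHADM,SAP*;
"""


def parse_export(text: str) -> dict:
    """Return {parameter: (user_value, default_value)}; blank fields become None."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";", 2)]
        fields += [""] * (3 - len(fields))          # tolerate a missing trailing column
        name, user, default = (f or None for f in fields)
        params[name] = (user, default)
    return params


def effective(params: dict, name: str):
    """The value in force: the profile (user) value if set, otherwise the kernel default."""
    user, default = params.get(name, (None, None))
    return user if user is not None else default


def to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


@dataclass(frozen=True)
class Finding:
    parameter: str
    value: str
    requirement: str


# Example baseline: (parameter, predicate on the integer value, requirement text).
BASELINE = [
    ("login/password_expiration_time", lambda v: v is not None and 0 < v <= 90,
     "forced password change enabled and at most 90 days"),
    ("login/min_password_lng", lambda v: v is not None and v >= 8,
     "minimum password length at least 8"),
    ("login/fails_to_user_lock", lambda v: v is not None and 1 <= v <= 5,
     "lock after at most 5 failed attempts"),
    ("login/failed_user_auto_unlock", lambda v: v == 0,
     "locked users stay locked until an administrator releases them"),
    ("rdisp/gui_auto_logout", lambda v: v is not None and 0 < v <= 1800,
     "inactive GUI sessions logged off within 30 minutes"),
    ("login/disable_multi_gui_login", lambda v: v == 1,
     "multiple GUI logons per user disabled"),
]


def audit_parameters(export_text: str, baseline=BASELINE) -> list:
    """Return one Finding per baseline parameter whose effective value fails its check."""
    params = parse_export(export_text)
    findings = []
    for name, ok, requirement in baseline:
        value = effective(params, name)
        if not ok(to_int(value)):
            findings.append(Finding(name, "<unset>" if value is None else value, requirement))
    # Users listed here bypass the multi-logon restriction, so the list itself is a finding to review.
    exceptions = effective(params, "login/multi_login_users")
    if to_int(effective(params, "login/disable_multi_gui_login")) == 1 and exceptions:
        findings.append(Finding("login/multi_login_users", exceptions,
                                "review each user exempted from the multi-logon restriction"))
    return findings


if __name__ == "__main__":
    for f in audit_parameters(SAMPLE_EXPORT):
        print(f"{f.parameter} = {f.value}: {f.requirement}")
```

The effective value is the profile value when set and the kernel default otherwise, which is the distinction the RSPARAM columns draw; an auditor who reads only the user-defined column misses an instance running on a weak default (the minimum length of 3 in the sample). Run it once per application server.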

[ Reviewing Technical Security Access Controls (cont.)

Determine who can alter number ranges (a change here undermines document sequence controls):
  Transactions SPRO, SNRO; object S_NUMBER; activities 02 (change), 11 (change number level), 13 (initialize), 17 (maintain)
Determine who can do table updates in production (should not be permitted outside a documented emergency-access procedure):
  Transactions SM30, SM31; object S_TABU_DIS, activities 01, 02; client-independent tables additionally require S_TABU_CLI (CLIIDMAINT = X)
Data Dictionary and program updates in production should not be permitted:
  Transactions SE11, SE15, SE16, SE38, SE80; object S_DEVELOP; activities 01 (create), 02 (change), 06 (delete), 07 (activate)
When testing, remember that a value of * in ACTVT (as granted by SAP_ALL) and VON/BIS ranges also cover these activities; an exact-match comparison will miss them.
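A check for the three object/activity combinations above, as an added example that is not from the presentation. It assumes the auditor has joined UST04, UST10S and UST12 into flat (user, object, field, low value, high value) rows; the rows below are constructed. Authorization values are matched with SAP's own semantics (* for everything, VON/BIS ranges, trailing-asterisk patterns), so a user holding SAP_ALL or a wildcard activity is reported rather than missed.

```python
"""Find users whose authorization values grant the critical activities listed above.

Added example, not from the presentation. It assumes the auditor has joined the
user-to-profile assignment (UST04), profile contents (UST10S) and authorization
values (UST12) into flat rows of (user, object, field, low value, high value);
the rows below are constructed, not data from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Critical object/activity combinations from the slide above.
CRITICAL = {
    "S_NUMBER":   {"02", "11", "13", "17"},   # change / change level / initialize / maintain
    "S_TABU_DIS": {"01", "02"},               # create / change table contents
    "S_DEVELOP":  {"01", "02", "06", "07"},   # create / change / delete / activate
}

# Constructed sample in UST12 style: (user, object, field, VON (low), BIS (high)).
SAMPLE_ROWS = [
    ("BASISADM", "S_TABU_DIS", "ACTVT", "*", ""),
    ("BASISADM", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("BASISADM", "S_TABU_CLI", "CLIIDMAINT", "X", ""),
    ("FIUSER1", "S_TABU_DIS", "ACTVT", "03", ""),
    ("FIUSER1", "S_TABU_DIS", "DICBERCLS", "FC31", ""),
    ("FIUSER1", "S_NUMBER", "ACTVT", "02", ""),
    ("DEVUSER", "S_DEVELOP", "ACTVT", "01", "07"),
    ("AUDITOR", "S_DEVELOP", "ACTVT", "03", ""),
]


def value_matches(low: str, high: str, wanted: str) -> bool:
    """SAP authorization value semantics: '*' is everything, VON..BIS is an inclusive
    range, a trailing '*' is a prefix pattern, anything else is an exact value."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


@dataclass(frozen=True)
class Finding:
    user: str
    auth_object: str
    activities: tuple   # critical activities actually granted
    note: str


def find_critical_access(rows) -> list:
    """Return one Finding per (user, object) with at least one critical activity granted."""
    # user -> object -> field -> [(low, high), ...]
    grants = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for user, obj, field, low, high in rows:
        grants[user][obj][field].append((low, high))

    findings = []
    for user in sorted(grants):
        for obj, activities in CRITICAL.items():
            ranges = grants[user].get(obj, {}).get("ACTVT", [])
            hit = tuple(sorted(a for a in activities
                               if any(value_matches(lo, hi, a) for lo, hi in ranges)))
            if not hit:
                continue
            note = ""
            if obj == "S_TABU_DIS":
                # S_TABU_CLI with CLIIDMAINT = X extends table maintenance to client-independent tables.
                cli = grants[user].get("S_TABU_CLI", {}).get("CLIIDMAINT", [])
                cross_client = any(value_matches(lo, hi, "X") for lo, hi in cli)
                note = ("client-independent tables too (S_TABU_CLI)" if cross_client
                        else "client-specific tables only")
            findings.append(Finding(user, obj, hit, note))
    return findings


if __name__ == "__main__":
    for f in find_critical_access(SAMPLE_ROWS):
        print(f"{f.user}: {f.auth_object} {', '.join(f.activities)} {f.note}")
```

The S_TABU_DIS note separates users who can also reach client-independent tables through S_TABU_CLI from those limited to the current client; in production, both groups should be traceable to an emergency-access procedure or be removed.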
[ Reports RSUSR* via AIS (Audit Information System), SA38, or SUIM

You may need a system administrator to run these for you.
RSUSR002  Wide variety of profile review options
RSUSR003  Check passwords for SAP* and DDIC
RSUSR005, RSUSR009  List of users with critical authorizations (this report requires significant computer resources to run; table SUKRI must first be updated with the authorizations to check)
RSUSR006  Locked users / unsuccessful logon attempts
RSUSR010  Transactions executable by user, profile, authorization
RSUSR060  Where-used lists
RSUSR100, RSUSR101, RSUSR102  Changes to user master records, profiles, authorizations
RSUSR200  Users with initial (original) passwords, users not logged in for xx days, users who have not changed their password in xx days

[ Reports RSUSR* via AIS, SA38, or SUIM (cont.)

RSUSR002, as seen on the previous slide, can also be used to determine who has access to powerful Basis transactions, including:
DBxx  Database-related transactions
SCC4, SCC5  Client administration
SE01-SE10  CTS / TMS commands
SE11, SE12, SE13, SE14  Table structure maintenance
SE15  Data Dictionary
SE38  ABAP Editor
SE93  Maintain transactions
SM01  Lock / unlock transactions
SM12  Lock entries
SM30, SM31  Table maintenance
SM32  Updates table USR40 with invalid (non-permissible) passwords
SM37  Displays and deletes processing job logs
SM49  Execute external operating system commands
SM52  Execute operating system commands
SM59  Maintain Remote Function Call destination definitions
SM69  Maintain external commands
SP01  Administer print spools
SU01, SU02, SU03  Security administration transactions

SESSION CODE: 1913
