
Security and Control Update

For

SAP R/3

Guide to Effective Control Handbook Update

Security and Control for SAP R/3 Handbook

Commonwealth of Australia 2004


ISSN 1036-7632
ISBN 0 642 80791 4

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth available from the Department of Communications, Information Technology and the Arts. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Intellectual Property Branch, Department of Communications, Information Technology and the Arts, GPO Box 2154, Canberra ACT 2601 or posted at <http://www.dcita.gov.au/cca>

The Publications Manager, Australian National Audit Office, GPO Box 707, Canberra ACT 2601

Information about ANAO reports and activities can be found at the ANAO Internet address: http://www.anao.gov.au

Acknowledgement
Appreciation is extended to PricewaterhouseCoopers who contributed significantly in developing and writing this handbook.

Disclaimer
This handbook is not a recommendation of the SAP R/3 system, nor an endorsement of the SAP R/3, by the ANAO. Commonwealth Public Sector agencies are responsible for deciding whether SAP R/3 is suitable for their purposes and for implementing and testing SAP R/3. The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or any loss or damage suffered by an agency or by any other person as a result of their reliance on the information contained in this handbook or resulting from their implementation or use of the SAP R/3 system, and to the maximum extent permitted by law, exclude all liability (including in negligence) in respect of the handbook or its use.

Design by GREY Worldwide


Preface
SAP continues to be a predominant financial management information system in use within the Australian Government. Accordingly, the Australian National Audit Office (ANAO) has developed this better practice handbook update with significant assistance provided by PricewaterhouseCoopers. The original handbook was released by the ANAO in 1998, and this update reflects the changes made to SAP security and control since that time. Based on SAP R/3 release 4.6C, this update should be read in conjunction with the original handbook to gain a fuller appreciation and understanding of functional, as well as security and control issues, associated with the implementation and operation of SAP.

This handbook update provides better practice controls that should be considered by Australian Government entities to assist in meeting their requirements for availability, integrity and confidentiality, and outlines:
- the significant risks associated with each functional enhancement; and
- the various control options that should be considered, broken down into the following categories:
  - SAP customisation settings which should be considered in reducing and/or mitigating identified risks and delivering security and control best practices.
  - User access security settings to be considered when designing and implementing security.
  - Useful key control reports for review.

The adoption of the various control options will depend on how SAP R/3 is used within each entity and the level of acceptable risk adopted by that entity. Striving for absolute assurance is neither cost effective nor possible. Controls implemented should be commensurate with the nature of the business, the acceptable level of risk and program delivery.

Oliver Winder
Acting Auditor-General
30 June 2004


Security and Control for SAP R/3 Handbook Update


Contents
Introduction ..... 1
Basis and Cross Application Components (BC) ..... 34
Procurement to Payables (MM) ..... 52
Financial Accounting (FI) ..... 64
Controlling (CO) ..... 70
Human Resources (HR) ..... 86
Audit Information System (AIS) ..... 96


Introduction
The original Security and Control for SAP R/3 Handbook, developed in 1998, was produced to provide good practice security and control guidelines for implementing and running SAP Version 3.1H. SAP has subsequently upgraded the R/3 system, through Versions 4.0, 4.5 and 4.6, with each version including many functional changes impacting security and controls. This handbook update is based on SAP R/3 Release 4.6C, outlining significant functional enhancements with relevant security and control considerations. This handbook should be read in conjunction with the original handbook to gain a full awareness and appreciation of functional and security and control issues within the core SAP components. The handbook outlines business risks associated with the implementation and operation of SAP, and provides better practice controls, replicating control solutions deployed at organisations globally running SAP, that should be considered by Australian Government entities.

SAP Upgrades
There are a number of business and technology drivers that may influence an organisation's decision to upgrade SAP.

Figure: Why upgrade R/3 (business drivers): strategic & operational changes; mergers & divestments; e-business initiatives; cost reduction; competition; greater efficiency; business process functional enhancements; technology improvements.


Drivers for upgrading SAP are often focused on achieving greater efficiency through new functionality, or business process improvements, provided within new releases of SAP. A number of these enhancements are outlined in the sections of this document and should be considered by decision makers.

Figure: Why upgrade R/3 (technology drivers): MySAP.com product components; new or extended functionality; improve user acceptance / satisfaction; old versions no longer supported; stabilise environment; need to re-structure architecture; update technologies; reduce enhancements.

Technology drivers for the upgrade of SAP are generally based around the need to maintain SAP support or to provide greater stability and ease of use for users and support teams.


Components covered

Figure: Component overview. The R/3 core (Client/Server, ABAP/4 Basis component) is surrounded by the application components: Treasury (TR), Sales & distribution (SD), Financial accounting (FI), Controlling (CO), Investment management (IM), Project systems (PS), Materials management (MM), Asset accounting (AA), Real estate management (RE), Human resources (HR), Customer service (CS), Office communications (OC), Training & event management (PE), Production planning (PP), Quality management (QM) and Plant maintenance (PM).

This handbook update covers the core SAP R/3 components commonly used by Australian Government entities. The components covered are consistent with those in the original handbook:
- Basis Component (BC);
- Materials Management (MM), in this handbook referred to as Procurement to Payables;
- Financial Accounting (FI): includes AA (Asset Accounting);
- Controlling (CO); and
- Human Resources (HR): includes PA (Personnel Administration) and PD (Personnel Development).

This handbook update also provides an outline of the Audit Information System (AIS). Products such as BW (Business Warehouse), CRM (Customer Relationship Management), EBP (Enterprise Buyer Professional) and ESS (Employee Self Service) are run on separate copies of the SAP application. While these have been detailed in each applicable section of this handbook, they are not outlined in the above diagram.


How to use the handbook update
The handbook update has been divided into seven sections as follows:
- Introduction
- Basis and Cross Application Components
- The various application components:
  - Procurement to Payables (MM)
  - Financial Accounting (FI)
  - Controlling (CO)
  - Human Resources (HR)
- Audit Information System (AIS)

A Background Section is provided for each application component providing an overview of changes in the application component from SAP Version 3.1H to 4.6C. Also within are details of the coverage (sub-modules) of each application component section. A Functional Overview is given for each application component and sub-module covered by this handbook update. This overview outlines the core functionality of the sub-modules with relevant operational benefits and high-level control opportunities. Further detail is provided for each sub-module, including the following:

SIGNIFICANT RISKS
For each sub-module, relevant business risks are provided which should be considered by all organisations. For each risk identified, various control options are provided across the following sections.

CONFIGURATION HOT SPOTS
SAP customisation settings that should be considered in reducing and /or mitigating identified risks and delivering security and control best practices.

SECURITY CONSIDERATIONS
User access security settings to be considered when designing and implementing security for this sub-module. Where available, sensitive high-risk SAP transaction codes are provided with a description of the functionality. Access to these transactions should be reviewed and appropriately restricted.


USEFUL REPORTS
Key control reports for each sub-module covered have been provided. Where available, the report transaction code or report code has been provided with a description of the benefit provided. Management should consider implementing procedures for the review of these reports, where appropriate.

The following diagram is used throughout this handbook update to demonstrate how functionality, risks and control options relate. Risks can be mitigated through the implementation of one or a combination of control types, depending on organisational needs. These control types may be security related, specific control configurations, or the development and review of control reports. This handbook provides good practice control options across security, configuration and reporting, which management should consider when implementing functionality or reviewing the SAP control environment.

Figure: Functionality gives rise to Significant risks, which are addressed through three control types: Security considerations, Configuration hot spots and Useful reports.

Basis and cross application components


SECTION CONTENTS
Background ..... 9
Environment ..... 10
SAP New Dimension Products ..... 11
Security: User Security and the Profile Generator ..... 13
  Functional Overview ..... 13
  Significant Risks ..... 13
  Security Considerations ..... 14
Security: Derived Roles ..... 15
  Functional Overview ..... 15
  Significant Risks ..... 15
  Configuration Hot Spots ..... 16
  Security Considerations ..... 16
  Useful Reports ..... 17
Security: Central User Administration ..... 18
  Functional Overview ..... 18
  Significant Risks ..... 19
  Configuration Hot Spots ..... 19
  Security Considerations ..... 19
  Useful Reports ..... 20
Security: Personalised User Menus ..... 21
  Functional Overview ..... 21
  Significant Risks ..... 21
  Configuration Hot Spots ..... 21
  Security Considerations ..... 21
  Useful Reports ..... 22
Transport Management System ..... 23
  Functional Overview ..... 23
  Significant Risks ..... 23
  Configuration Hot Spots ..... 23
  Security Considerations ..... 24
  Useful Reports ..... 24
Reporting ..... 25
  Functional Overview ..... 25
  Significant Risks ..... 25
  Configuration Hot Spots ..... 25
  Security Considerations ..... 25
InfoSet Query ..... 26
  Functional Overview ..... 26
  Significant Risks ..... 26
  Configuration Hot Spots ..... 26
  Security Considerations ..... 26
SAP Business Warehouse (BW) ..... 27
  Functional Overview ..... 27
  Significant Risks ..... 27
  Configuration Hot Spots ..... 27
  Useful Reports ..... 27
Mass Maintenance ..... 28
  Functional Overview ..... 28
  Significant Risks ..... 29
  Security Considerations ..... 29
  Useful Reports ..... 30
Workflow ..... 31
  Functional Overview ..... 31
  Significant Risks ..... 32
  Security Considerations ..... 32
  Useful Reports ..... 33



Background
An overview of the functionality, risks and controls of the SAP Basis module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The Basis module has undergone a number of changes since this release, with the main changes impacting on security and controls summarised below and detailed across the following Basis section.

Environment
With the advent of the SAP workplace and the ability to access SAP through an Internet browser, a wave of new SAP products has been developed, including Customer Relationship Management (CRM) and Supply Chain Management (SCM), each product requiring an underlying Basis module upon which to operate.

Security
A number of new security tools have been developed to assist in the configuration and maintenance of security in increasingly complex SAP environments. Tools considered in this section include the Profile Generator, Central User Administration, Derived Roles and Personalised Role Menus.

Transport Management System


As the SAP landscape has become more complex, so have change control mechanisms to manage changes. Since Release 3.1, a number of changes have taken place in the change control area; the most significant is the development of the Transport Management System (TMS).

Reporting
Reporting functionality within SAP has been enhanced significantly to provide greater ease of access to data. The development of new reporting tools has improved the way users can access and extract SAP data; these include InfoSet Queries and the SAP Business Warehouse (BW).

Workflow
SAP Workflow is a cross application component but should also be viewed in the context of each business process to which it has been applied. Workflow, as a concept, has been detailed within this section. As well, some specific applications are discussed in the relevant business process areas.


Environment
With the introduction of the SAP Web GUI (Graphical User Interface), more agencies are web or partially web enabling their SAP systems. Core functionality required by large volumes of users (e.g. Employee Self Service) is well suited to being delivered through a standard web browser. The following diagram illustrates how the introduction of the Web GUI has changed the SAP environment.

Figure: Changes in the SAP environment.
Basis release up to 4.6C: Database server (UNIX or NT); Application server; SAP-ITS application gate and SAP-ITS Web gate; SAP GUI; Presentation layer (client PC, or Web browser on client PC).
SAP R/3 Enterprise (after 4.6C): Database server (UNIX or NT); SAP Web application server (application server plus J2EE Web server); SAP GUI; Presentation layer (client PC, or Web browser on client PC).

The underlying SAP three tier environment remains largely unchanged from Version 3.1H through the SAP 4.5A to 4.6C environment. The primary change is the addition of the SAP Internet Transaction Server (ITS), enabling web connectivity and the delivery of SAP content through the Web. Similar to the original SAP R/3 environment, the core three tier design of database, application and presentation layers remains. In previous SAP versions, communication between the application layer of SAP and the presentation layer (client PC) would take place using software installed on the client PC, the SAP GUI. The development of the Internet Transaction Server (ITS) has allowed presentation of SAP content through a standard Web browser. While high volume users will still access SAP using the SAP GUI installed on their machine, the ITS allows SAP functionality to be extended to a wider user community, with low volume processing, such as Employee Self Service, being delivered through a standard Internet browser.


The SAP R/3 Enterprise Environment has changed the original SAP R/3 environment to incorporate web interactivity with the underlying SAP application server. This has resulted in the SAP Web Application Server, an application server capable of hosting Java-based web applications, as well as performing all of the functions previously performed by the SAP Application Server. By incorporating a Java web server into the SAP Web Application Server, SAP can now deliver SAP content directly to the Web browser, without the need for the Internet Transaction Server.

SAP New Dimension Products
The SAP 4.6C environment builds on the existing R/3 environment to incorporate a number of new SAP products aimed at streamlining business processes and adding new functionality to the core R/3 product.

Figure: New dimension products. Core R/3 modules: Sales & distribution (SD), Financial accounting (FI), Materials management (MM), Controlling (CO), Production planning (PP), Fixed assets management (AM), Quality management (QM), Project system (PS), Plant management (PM), Human resources (HR), Industry solutions (IS), Workflow (WF). New Dimension products around the core: SAP Sales; SAP CRM (SAP marketing, Info DB, SAP service, SAP B2B procurement); SAP strategic enterprise management; BW; SAP APO; SAP SCM (SAP logistics execution systems); SAP BI.

Key: BW Business Warehouse; SAP CRM Customer Relationship Management; SAP SCM Supply Chain Management; SAP BI Business Intelligence; SAP APO Advanced Planning and Optimisation.


A feature of the SAP New Dimension products is that they each reside on a separate SAP installation (instance). Each product can be implemented independently, each requiring a separate SAP Basis installation. Basis settings and parameters must be configured for each of the New Dimension implementations as well as the core R/3 implementation. SAP's suite of New Dimension products can be divided into the following categories:

Business Intelligence
The core product in the Business Intelligence suite is SAP Strategic Enterprise Management (SEM). SAP SEM allows management to take a holistic view of the organisation, providing them with the data they need to make strategic decisions. SAP SEM consolidates business data, as extracted from the core SAP system, using the BW reporting tool. SAP SEM supports management processes in an integrated way, which means top-down translation of enterprise strategy into business unit, product and support centre targets, as well as bottom-up performance monitoring and related decision support.

Customer Relationship Management


SAP Customer Relationship Management (CRM) enhances the core SAP Sales and Distribution module to provide solutions for Customer Interaction, Marketing and Mobile Salespersons. SAP CRM manages customer relationships by providing employees with information on trading history and contacts with business customers in order to support sales activities.

Supply Chain Management


The core products in the Supply Chain Management suite are SAP Advanced Planning Optimiser (APO) and SAP Enterprise Buyer Professional (EBP, formerly SAP B2B). SAP APO is a supply network planning tool designed to enable production-based organisations to effectively manage their supply networks. SAP EBP is an electronic procurement solution designed to automate the procurement process to the point of purchase order creation. SAP EBP allows employees to browse pre-approved vendor catalogues and select items to be ordered, raising a requisition for approval. On approval of the requisition by the appropriate manager, a purchase order is automatically created in the core R/3 system.


Security: User Security and the Profile Generator


Functional Overview
From SAP Release 3.1G, SAP has continued to develop the Profile Generator to allow quicker development of authorisation profiles. All authorisations should now be created using the Profile Generator, as most new functionality relies upon the assignment of roles to users rather than authorisation profiles. It should be noted that assigning a role to a user will automatically assign the corresponding profile.

Benefits provided through the use of the Profile Generator to define authorisation profiles include:
- reduced complexity and ease of use; and
- simplification of role and profile administration.

With SAP Release 4.6C, there are now over 100 standard delivered roles or role templates. These can be used as a basis for the definition of customer specific roles, and will often contain the majority of transactions required for a particular function. Care should, however, be taken when using these roles. Being generic, they will often contain more access than required, and will not contain any organisational restrictions.

A further enhancement has been the development of the password generator functionality in transaction SU01. This allows the security administrator to generate a random password for user accounts rather than a password which may be easily guessed.

Mass maintenance of user access security design and structure can now be performed in the Profile Generator, which will significantly improve efficiency and accuracy of changes being made to a large number of records.

When in the menu tab of the Profile Generator, transaction code names can be toggled on/off by selecting the magnifying glass icon in the top right of the tab.

SIGNIFICANT RISKS
- Unauthorised, or inappropriate, changes to user security resulting in excessive access, or users not having access to perform functions.
- Authorisation values may be inaccurately defined, granting inappropriate access to users.
- SAP standard delivered roles, if allocated without configuration, may not provide adequate organisational restrictions, or may contain transactions that the organisation has deemed to be segregation of duties conflicts.
- Passwords provided to users by security administration staff are standard, or easily guessable, resulting in unauthorised users gaining access to the SAP system.


SECURITY CONSIDERATIONS
Authorisations where a * value has been given should be reviewed to establish if appropriate. Where possible * values should be limited and be replaced with specific values. As with access to all user administration functionality, access to role maintenance activities should be controlled. Access should be restricted to the following transactions which provide users with access to role and profile maintenance activities:

Tcode - Name: Description
PFCG - Profile Generator: Tool for maintenance of roles and profiles.
SU01 - Maintain User: Used for the creation and maintenance of User Master Records, including password resetting by system administrators.
SU02 - Profile Maintenance: Tool for the direct maintenance of profiles (not recommended in version 4.0A or above; should be performed in the Profile Generator).
SU03 - Authorisation Maintenance: Tool for the direct maintenance of authorisations (not recommended in version 4.0A or above).

SAP standard roles, where utilised, should be used as a basis for the establishment of roles and should be checked for adequacy within the context of the security and control environment.

SAP standard roles should be reviewed for transactions that your organisation has deemed segregation of duties conflicts.

Security administrators should use the password generation facility in transaction SU01 when a user account is created or requires a password change. This will ensure that passwords are random and not easily guessable.


Security: Derived Roles
Functional Overview
The Profile Generator controls the creation of variants for different business units or departments within an organisation. This has resulted in the concepts of Responsibilities (Version 4.0B), Hierarchical Activity Groups (Version 4.5A) and more recently Derived Roles (Version 4.6A). All are conceptually similar in that they allow the security administrator to define a set of common transactions from which variant profiles can be created containing different organisational restrictions. It should be noted that the use of Derived Roles can significantly reduce the resource required for security role maintenance. These can be further explained using the following diagram:

Derived roles diagram:
Master role: all company codes, all cost centres.
Derived Role A (child role): Business unit (BU) 'A' role, restricted to BU 'A' company codes and BU 'A' cost centres.
Derived Role B (child role): Business unit (BU) 'B' role, restricted to BU 'B' company codes and BU 'B' cost centres.

Significant Risks
Derived Roles are inappropriately configured resulting in inappropriate user access. Due to limitations of organisational data that can be derived, there are certain situations where Derived Roles cannot be used. Only security administration staff should have access to the Profile Generator (transaction PFCG) where Derived Roles are maintained. Where Derived Roles have been defined, the master role should not be assigned to end users as this will normally contain access to all organisational data.


Configuration Hot Spots
Ensure that naming conventions have been appropriately defined which clearly identify master and child roles. Where Derived Roles are used and all data (with the exception of organisational data) is to be derived down to the child role, child roles should not be directly maintained. All changes to the child role will be overwritten the next time information is derived from the master role.
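The two controls above (a naming convention that separates master and child roles, and child roles that are never maintained directly because the next derive overwrites them) can be checked mechanically against an extract of role authorisation values. The following is an added example written for this handbook update, not SAP code: the role data is a constructed, simplified view in which each role is a list of (object, field, value) entries, and the `_MASTER` suffix convention and the set of organisational fields (BUKRS, KOSTL, WERKS) are assumptions for the example.

```python
"""Check derived (child) roles against their master role.

Added example; the role data, the naming convention and the set of
organisational fields below are assumptions made for illustration.
"""

# Assumed naming convention: children share the master's stem and replace the
# _MASTER suffix with a business-unit suffix (Z_FI_AP_MASTER -> Z_FI_AP_BU_A).
MASTER_SUFFIX = "_MASTER"

# Assumed organisational fields: only these may differ between master and child.
ORG_FIELDS = {"BUKRS", "KOSTL", "WERKS"}

# Constructed sample roles: (authorisation object, field, value) per entry.
SAMPLE_ROLES = {
    "Z_FI_AP_MASTER": [
        ("S_TCODE", "TCD", "FB60"), ("S_TCODE", "TCD", "FB03"),
        ("F_BKPF_BUK", "ACTVT", "01"), ("F_BKPF_BUK", "ACTVT", "03"),
        ("F_BKPF_BUK", "BUKRS", "*"), ("K_CCA", "KOSTL", "*"),
    ],
    "Z_FI_AP_BU_A": [  # correctly derived: only org values differ
        ("S_TCODE", "TCD", "FB60"), ("S_TCODE", "TCD", "FB03"),
        ("F_BKPF_BUK", "ACTVT", "01"), ("F_BKPF_BUK", "ACTVT", "03"),
        ("F_BKPF_BUK", "BUKRS", "1000"), ("K_CCA", "KOSTL", "A*"),
    ],
    "Z_FI_AP_BU_B": [  # maintained directly: FB02 and activity 02 added to the child
        ("S_TCODE", "TCD", "FB60"), ("S_TCODE", "TCD", "FB03"), ("S_TCODE", "TCD", "FB02"),
        ("F_BKPF_BUK", "ACTVT", "01"), ("F_BKPF_BUK", "ACTVT", "02"), ("F_BKPF_BUK", "ACTVT", "03"),
        ("F_BKPF_BUK", "BUKRS", "2000"), ("K_CCA", "KOSTL", "B*"),
    ],
    "Z_FI_AP_BU_C": [  # org values never restricted: behaves like the master role
        ("S_TCODE", "TCD", "FB60"), ("S_TCODE", "TCD", "FB03"),
        ("F_BKPF_BUK", "ACTVT", "01"), ("F_BKPF_BUK", "ACTVT", "03"),
        ("F_BKPF_BUK", "BUKRS", "*"), ("K_CCA", "KOSTL", "*"),
    ],
}


def split_entries(entries):
    """Separate organisational values from functional (derived) values."""
    org = {(o, f, v) for o, f, v in entries if f in ORG_FIELDS}
    functional = {(o, f, v) for o, f, v in entries if f not in ORG_FIELDS}
    return org, functional


def children_of(master, roles):
    """Return the child roles that follow the naming convention for this master."""
    stem = master[: -len(MASTER_SUFFIX)]
    return [r for r in roles if r != master and r.startswith(stem + "_")]


def check_derived_roles(master, roles):
    """Return (child, finding) pairs describing drift between master and children."""
    findings = []
    master_org, master_func = split_entries(roles[master])
    for child in children_of(master, roles):
        child_org, child_func = split_entries(roles[child])
        # Functional values present only in the child were added directly and
        # will be lost the next time the master is derived.
        for extra in sorted(child_func - master_func):
            findings.append((child, "functional value not in master (direct change, "
                                    "overwritten on next derive): %s/%s=%s" % extra))
        for missing in sorted(master_func - child_func):
            findings.append((child, "master value missing from child: %s/%s=%s" % missing))
        # A child whose organisational values are still * grants the same reach
        # as the master, which should never be assigned to end users.
        for o, f, v in sorted(child_org):
            if v == "*":
                findings.append((child, "organisational field %s/%s still unrestricted (*)" % (o, f)))
    return findings


if __name__ == "__main__":
    for child, finding in check_derived_roles("Z_FI_AP_MASTER", SAMPLE_ROLES):
        print(child, "-", finding)
```

Run against the constructed data, the check reports nothing for Z_FI_AP_BU_A, two direct changes for Z_FI_AP_BU_B and two unrestricted organisational fields for Z_FI_AP_BU_C. Children that do not follow the naming convention are not found by `children_of` at all, which is itself a finding worth listing separately in a real review.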

Security Considerations
Access to role administration should be tightly controlled and restricted to only relevant user administration staff. Access to the following transactions should be restricted:
OY21, GCE2, O002, OBZ8, OD03, OIBP, OMDM, OMEI, OMM0, OMSO, OMWG, OOPR, OP15, OPCB, OPE9, OPJ1 (Profile Maintenance): These transactions all allow direct access to profile maintenance.


Useful Reports
S_BCE_68001425 (Roles by complex selection criteria): Interrogation of roles in the system by a number of different criteria.
S_BCE_68001418 (Roles by role name): Interrogation of roles in the system by role name.
S_BCE_68001419 (Roles by user assignment): Interrogation of roles in the system by user assignment.
S_BCE_68001420 (Roles by transaction assignment): Interrogation of roles in the system by transaction assignment.
S_BCE_68001421 (Roles by profile assignment): Interrogation of roles in the system by profile assignment.
S_BCE_68001422 (Roles by authorisation object): Interrogation of roles in the system by authorisation object.
S_BCE_68001423 (Roles by authorisation values): Interrogation of roles in the system by authorisation values.
S_BCE_68001424 (Roles by change date): Interrogation of roles in the system by change date.


Security: Central User Administration
Functional Overview
With the advent of the SAP Workplace and various other new component systems, the SAP landscape has become significantly more complex than the original R/3 system. As a result, user administration has become more complex. Central User Administration (CUA) addresses the difficulties of user administration by allowing all user administration activities to be performed from a central system. CUA is available from SAP Versions 4.5A and above, and recent versions of the Web Application Server (6.2), and can significantly reduce the resource required for user maintenance. CUA does not cater for single sign-on or for the synchronisation of passwords across each SAP system. The following diagram illustrates the CUA concept. Communication between systems is achieved using SAP Application Link Enabling (ALE). ALE is SAP's process that provides for the exchange of data between SAP systems.

Central User Administration diagram: a central system (SAP R/3 4.5A or higher) communicates via ALE with each connected child system, in this example an SAP EBP system, an SAP CRM system and an SAP R/3 system.
Key: SAP EBP = Enterprise Buyer Professional; SAP CRM = Customer Relationship Management.


Significant Risks
CUA configuration and the ALE landscape may not be configured correctly, resulting in failure of systems to interface effectively. Access to CUA functions may not be adequately secured, resulting in unauthorised changes to users' access rights. Access to Application Link Enabling (ALE) configuration may not be adequately secured. CUA error and distribution logs may not be reviewed and followed up on a timely basis.

Configuration Hot Spots
Patches from SAP must be applied to install and run CUA. Field selection configuration should be performed in transaction SCUM User Distribution Field Selection to define the system (local or global) in which each item of user master data and security is maintained. Through this transaction, configuration of user locks is performed to define their operation.

Security Considerations
Access to the configuration of Central User Administration (CUA) transactions should be controlled. Consideration should be given to restricting access to only relevant user administration staff to the following CUA Maintenance transactions.

SALE (Display ALE Customising): Used to configure the ALE environment for CUA. This transaction also allows access to other ALE and Remote Function Call (RFC) configuration.
SCUA (Central User Administration): Transaction used to maintain the CUA landscape.
SCUL (Central User Management Log): Transaction used to view CUA audit and error logs.
SCUM (Central User Administration): Transaction used to define field distribution for CUA.


Useful Reports
SCUL (Central User Management Log): This transaction reports on CUA errors and the audit log.


Security: Personalised User Menus
Functional Overview
SAP Version 4.6 and the first release of mySAP.com Workplace, saw a move towards personalisation within the SAP environment. SAP menus can now be personalised for each role. When these roles are assigned to a user and combined with other roles containing personalised menus, the user is presented with a menu structure unique to their individual role assignments.

Significant Risks
Folder structures within the SAP menu structure (see above) are created which do not reflect the actual business structure. It is important to ensure that these are developed in consultation with the business, and do not take on a technical focus.

Configuration Hot Spots
User menu configuration should be such that menus are efficient in use. Table SSM_CUST contains settings which affect the user menus, including whether folders should be condensed, whether duplicate transactions should be deleted and whether the menus should be sorted.

Security Considerations
In addition to controlling access to the Profile Generator (transaction PFCG), access should also be controlled to the maintenance of table SSM_CUST.


Useful Reports
SURL_LAUNCHPAD_TEST (Test Launchpad Generation): When the Workplace has been implemented this report can be used to test the contents of a user's launchpad, including personalised user menu entries.


Transport Management System
Functional Overview
With the release of Version 4.0, SAP introduced the Transport Management System (TMS), which centralised the configuration for the Change and Transport System (CTS) for all R/3 systems. TMS gives the SAP Administrator the ability to manage all SAP change requests from a centralised location (i.e. from one SAP client). It also allows pre-defined transport routes to be configured, minimising human error in the import and export of transportable objects. A key feature of the TMS is that it has allowed for the management of change queues from within the R/3 system and has removed the need to have deep UNIX / Windows skills for day to day SAP Administration (although these skills are still required for the administration of the underlying database). The introduction of TMS allows for greater control over the SAP system account and has led to the configuration of a simplified SAP landscape. TMS has replaced the need to use transaction SE06 and previously configured CTS tables.

Significant Risks
Administration functions such as client copies are not restricted to authorised personnel and are performed inappropriately. Programs in production have not gone through appropriate change approval process. Developers make changes (and test changes) directly in programs in the production system (in non emergency situations). Changes should go through the normal domain transport route.

Configuration Hot Spots
Transaction STMS now controls the movement of objects from one SAP system to another, replacing functionality in transaction SE06.


Security Considerations
Access to the following transport management transactions should be restricted to authorised Basis team users only.
SCC1, SCC4 (Client Administration): Transactions SCC1 and SCC4 allow users to create a client (SCC1) and copy data from an existing client to a target client (SCC4). In addition there are other copy transactions (SCCX) that perform functions such as copying user files; these should be protected and should be restricted.
SE10 (Transport Organiser): This transaction is used by system configuration staff to manage and verify transport requests.
SE11 (ABAP Dictionary): This transaction is used by developers to manage and release their transport requests.
STMS (Transport Management System): Transaction STMS now controls the movement of objects from one SAP system to another (previously performed within transaction SE06).

Useful Reports
Both Transport logs and Action logs are available through the Transport Organiser. These can be used to provide an audit trail of transport activity.


Reporting
Functional Overview
With the advent of personalised roles, reporting security has changed significantly. In previous versions of SAP, reports were secured by attaching them to a report tree. Report trees were then allocated to users to ensure users could only access approved reports. Since folders can be specified in individual roles, personalised roles effectively make reporting trees redundant. In order to make the allocation of reports to roles easier, SAP have therefore assigned a large number of standard SAP reports to transaction codes. Although report trees can still be displayed through most Web GUI configurations, it may be more appropriate to assign reports through personalised roles, and remove report trees altogether.

Significant Risks
Although transaction codes have now been assigned to SAP standard reports, the authorisation objects checked by these reports have not been attached to these transaction codes. In order to allocate reports to end-users, it is therefore still necessary to establish the required authorisation objects through testing and allocate these to the appropriate roles.

Configuration Hot Spots
All reports and programs developed should contain appropriate authorisation checks to ensure that only authorised users are able to execute them.

Security Considerations
Reports which do not contain adequate authorisation object security will be accessible to any user who has access to the transaction code required to start the report. Where users are configured with access to all transaction codes, through the application of a * in the S_TCODE object, or value that contains a * (for example S*), there is an increased risk that reports or programs may be accessed inappropriately.
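Both the earlier guidance on reviewing * values in authorisations and restricting PFCG/SU01/SU02/SU03, and the point above about * (or values such as S*) in S_TCODE, lend themselves to a scripted review of a role authorisation extract. The following is an added example for this handbook update, not SAP code or an ANAO tool: the input is an assumed flat export with one row per role, authorisation object, field and value (the rows below are constructed), and the matching rule for S_TCODE values treats a trailing * as a prefix wildcard, which is an assumption for the example.

```python
"""Review a role authorisation extract for wildcard (*) grants.

Added example; the export layout and sample rows are constructed for
illustration and do not come from a real system.
"""
from collections import defaultdict

# Transactions that give access to role, profile and user maintenance (from the handbook).
ROLE_MAINT_TCODES = {"PFCG", "SU01", "SU02", "SU03"}

# Constructed sample export: (role, authorisation object, field, value).
SAMPLE_EXPORT = [
    ("Z_FI_AP_CLERK", "S_TCODE", "TCD", "FB60"),
    ("Z_FI_AP_CLERK", "S_TCODE", "TCD", "MIRO"),
    ("Z_FI_AP_CLERK", "F_BKPF_BUK", "BUKRS", "1000"),
    ("Z_FI_AP_CLERK", "F_BKPF_BUK", "ACTVT", "*"),
    ("Z_BASIS_ALL", "S_TCODE", "TCD", "S*"),
    ("Z_BASIS_ALL", "S_USER_GRP", "CLASS", "*"),
    ("Z_SEC_ADMIN", "S_TCODE", "TCD", "PFCG"),
    ("Z_SEC_ADMIN", "S_TCODE", "TCD", "SU01"),
    ("Z_REPORTING", "S_TCODE", "TCD", "*"),
]


def tcode_pattern_matches(pattern, tcode):
    """Match an S_TCODE value against a transaction code.

    Assumed rule for the example: '*' alone matches everything and a
    trailing '*' matches any transaction starting with the prefix.
    """
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return tcode.startswith(pattern[:-1])
    return pattern == tcode


def review_wildcards(export):
    """Return (role, finding) pairs for star values, S_TCODE wildcards and
    roles that can reach the role/user maintenance transactions."""
    findings = []
    tcodes_by_role = defaultdict(list)
    for role, obj, field, value in export:
        if obj == "S_TCODE":
            tcodes_by_role[role].append(value)
            if "*" in value:
                findings.append((role, "S_TCODE wildcard %r grants broad transaction access" % value))
        elif value == "*":
            # A full * on any other object/field should be replaced with specific values.
            findings.append((role, "full * value on %s/%s" % (obj, field)))
    for role, patterns in tcodes_by_role.items():
        reachable = sorted(t for t in ROLE_MAINT_TCODES
                           if any(tcode_pattern_matches(p, t) for p in patterns))
        if reachable:
            findings.append((role, "can reach role/user maintenance: " + ", ".join(reachable)))
    return findings


if __name__ == "__main__":
    for role, finding in review_wildcards(SAMPLE_EXPORT):
        print(role, "-", finding)
```

On the constructed extract the review flags the * activity on the AP clerk role, the S* and * transaction grants (which reach SU01/SU02/SU03 and all four maintenance transactions respectively), and shows that the dedicated security administration role is the only one that reaches PFCG by an explicit value. A real review would additionally map each flagged role to its assigned users.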


InfoSet Query
Functional Overview
The InfoSet Query (InfoSet replaces the term functional area) functionality has been provided to allow users greater flexibility in reporting across all areas of the SAP system. InfoSet Query has been developed from the HR ad-hoc query reporting which was developed in prior versions of SAP. InfoSet Query has been developed to provide users the tools necessary to quickly develop, and run data queries.

Significant Risks
Unauthorised access to sensitive and confidential data, including HR data.

Configuration Hot Spots
Consideration should be given to logging reporting performed using InfoSet Query. Logging is not available until it has been configured. Configuration of InfoSet logging can be maintained through the IMG (Basis Components > SAP Query > Logging > Determine InfoSets for Logging).

Security Considerations
Access to perform InfoSet Queries is defined using roles or SAP Query user groups. These can be configured to restrict access to relevant and appropriate InfoSets. Procedures should be defined for the periodic review of InfoSet Query log data. This data is recorded in the Query Logging table (AQPROT). Consideration should be given to restricting access to the following transactions that provide the user with access to the InfoSet Query.

S_PH0_48000513 (Ad Hoc Query): Ad-hoc queries on various data sets.
SQ01 (Query from User Group: Initial Screen): Used for the creation, change, deletion and execution of InfoSet Queries.
SQ02 (InfoSet: Initial Screen): Used for the creation, change, deletion and execution of InfoSet Queries.
SQ03 (User Groups: Initial Screen): Used in the allocation of user groups to roles or users.


SAP Business Warehouse (BW)
Functional Overview
The SAP Business Warehouse is SAP's data warehousing solution and is available to support SAP core functionality. A Data Warehouse stores data in a format optimised for reporting, in a separate system from the operational system(s) that collect the transactional data. This allows the operational system (SAP R/3) to get on with the real-time data processing, whilst the data warehouse (SAP BW) caters for the resource intensive reporting requirements. SAP BW includes the tools required to extract, standardise and maintain the data and to produce the reports. As a Data Warehousing solution, SAP BW is designed to work with any data source, not just SAP systems.

Significant Risks
Unauthorised access to sensitive and confidential data through the BW system.

Configuration Hot Spots
In BW field level authorisations will not be checked unless switched on. A user may therefore be able to see data in the BW system for which they are not authorised in the R/3 system. Important fields (characteristics) should be checked to ensure they are defined as authorisation relevant. Reporting objects should be linked to infocubes where authorisation checks are required. Where checks are required, authorisations should then be created for those infocubes and assigned to appropriate users.

Useful Reports
RSSM (Authorisation Check Log report): Allows monitoring of the resolution of authorisation errors.


Mass Maintenance
Functional Overview
Mass Maintenance functionality has been developed as an effective tool to maintain large amounts of data. For example, the Mass Maintenance functions allow a user to change data in a large number of purchase orders or requisitions through the execution of a transaction. Mass maintenance functions are supported for a number of documents including:
- Material Master
- General Ledger Records
- Purchasing Info Records
- Vendor Master
- Purchase Orders and Purchase Requisitions
- User Master
Users can operate the Mass Maintenance tool in dialog, background or a combination of both. The process can be summarised as follows:

Document mass maintenance:
1. Select object to be changed
2. Select records to be changed
3. Select table and field to be changed
4. Specify change and execute


Significant Risks
Inappropriate or unauthorised change may be made to large amounts of data. System performance may be impacted by the execution of large Mass Maintenance activities.

Security Considerations
Due to the increased risk associated with providing a user with the ability to maintain and change large amounts of data simultaneously, access to the following key transactions should be restricted to key experienced staff with authority to make changes:
XK99 (Mass maintenance, vendor master): Used to change one or more vendors simultaneously.
MSJ1 (Mass Maintenance in the Background): Used to change one or more items via background processing.
MM17 (Mass Maintenance: Indus. Material Master): Used to change one or more Material Master records simultaneously.
MM46 (Mass Maintenance: Retail Material Master): Used to change one or more Retail Material Master records simultaneously.
FMMI (Mass Maintenance of Open Intervals): Used to change one or more Open Intervals simultaneously.
WTAD_VKHM_MAINTAIN (Mass Maintenance Materials/Adds.): Used to change one or more Material Master records simultaneously.
IMAM (Mass maintenance of appropriation requests): Used to change one or more appropriation requests simultaneously.
KE55 (Mass Maintenance Profit Centre Master Data): Used to change one or more Profit Centre Master records simultaneously.
KE56, KE57 (ECPCA: Mass Maintenance Company Code Assignment): Used to change one or more Company Code assignments simultaneously.
MASSOBJ (Maintain Mass Maintenance Objects): Used to change one or more objects simultaneously.

OB_GLACC11, OB_GLACC12, OB_GLACC13 (G/L acct record: Mass maintenance): Used to change one or more G/L records simultaneously.
QI05, QI06 (QM Mass maintenance): Used to change one or more QM Procurement keys simultaneously.
SOY1 (SAPoffice: Mass Maintenance Users): Used to change one or more users simultaneously.
SU10 (User Mass Maintenance): Used to change one or more users simultaneously.
WB30 (Mass maintenance MG to plant): Used to change one or more Plants or Material Groups simultaneously.
XD99 (Customer master mass maintenance): Used to change one or more customer master records simultaneously.

Access should also be segregated from a user's ability to delete the mass maintenance logs that are generated when a user executes mass maintenance transactions.

MSL2 (Delete Mass Maintenance Logs): Allows for the deletion of the mass maintenance log, a key audit trail in the performance of Mass Maintenance.

Useful Reports
Procedures should be implemented for review of the Mass Maintenance log on a periodic basis to ensure inappropriate mass maintenance actions are not occurring.
MSL1 (Mass Maintenance Log): Provides access to an audit trail of mass maintenance activity performed.
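A periodic review of the log is more reliable when the exceptions are selected by rule rather than by eye. The following is an added example for this handbook update, not SAP code: the log rows are constructed to resemble a per-run summary of the kind obtainable from the Mass Maintenance log (MSL1), and the column layout, the approved-user list per transaction, the record-count threshold and the business-hours window are all assumptions for the example.

```python
"""Rule-based review of a mass maintenance log extract.

Added example; the extract format, sample rows, approved users and
thresholds are constructed assumptions for illustration.
"""
import csv
from io import StringIO

# Constructed extract, semicolon separated:
# date;time;user;transaction;object;records_changed
SAMPLE_LOG = """\
20040312;09:14:02;MMCLERK1;MM17;MATERIAL;42
20040312;17:55:40;TEMPUSER;XK99;VENDOR;1380
20040313;02:10:11;MMCLERK2;MM17;MATERIAL;7
20040313;11:30:00;FICLERK1;XK99;VENDOR;25
20040314;08:00:05;MMCLERK1;SU10;USER;3
"""

# Assumed: users approved to run each mass maintenance transaction.
APPROVED = {
    "MM17": {"MMCLERK1", "MMCLERK2"},
    "XK99": {"FICLERK1"},
    "SU10": {"SECADMIN"},
}
LARGE_RUN = 500            # assumed: runs changing this many records need sign-off
BUSINESS_HOURS = (8, 18)   # assumed: runs outside 08:00-18:00 are followed up


def parse_log(text):
    """Parse the constructed extract into a list of dicts."""
    rows = []
    for date, time, user, tcode, obj, n in csv.reader(StringIO(text), delimiter=";"):
        rows.append({"date": date, "time": time, "user": user,
                     "tcode": tcode, "object": obj, "records": int(n)})
    return rows


def review_mass_maintenance(rows):
    """Return (run, finding) pairs for runs that need follow-up."""
    findings = []
    for r in rows:
        run = "%s %s %s/%s" % (r["date"], r["time"], r["user"], r["tcode"])
        if r["user"] not in APPROVED.get(r["tcode"], set()):
            findings.append((run, "user not approved for " + r["tcode"]))
        if r["records"] >= LARGE_RUN:
            findings.append((run, "large run: %d records changed" % r["records"]))
        hour = int(r["time"][:2])
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            findings.append((run, "run outside business hours"))
    return findings


if __name__ == "__main__":
    for run, finding in review_mass_maintenance(parse_log(SAMPLE_LOG)):
        print(run, "-", finding)
```

On the constructed rows the review selects the unapproved vendor run (which is also a large run), the overnight material run and the user mass change made by a material clerk; the routine runs by approved users in business hours are not listed. Because MSL2 deletes the log, a gap in the run sequence between two review periods is itself something the reviewer should follow up.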


Workflow
Functional Overview
Workflow has become a feature of many SAP implementations where repetitive and often manual business processes can be automated to achieve efficiency gains. Through automated routing of transactions, Workflow is particularly suited to notification and approval tasks. Human Resources processes such as ESS (Employee Self Service), Time Management and the Manager's Desktop in particular make extensive use of Workflow for the approval of tasks such as leave requests or the completion of staff appraisals. Deadline Monitoring can be incorporated in the design of workflows to issue reminders for items that have not been actioned within a reasonable timeframe, or to escalate unactioned workflow items for the attention of others. In addition, the Workflow administrator should review for slow moving, unprocessed or erroneous transactions. These transactions can result in business dissatisfaction or inefficient business processes and should be carefully monitored and resolved as required. Below is an example of the use of Workflow in the Purchase Requisition (PR) creation and approval process.

Workflow example:
Triggering event: PR raised over $5000.
User task: PR sent to requester's manager for approval.
Until loop step: wait for approval. Deadline monitoring is performed to identify exceptions, issue a reminder or escalate to the next level approver.
Decision approved: workflow result is that the SAP PO is automatically created.
Decision rejected: workflow result is that the requester is notified of the rejection and the reason.


Significant Risks
Rules for the system selecting an approver, or delegate of an approver are not correctly defined. This is particularly an issue when the process is driven by the organisational structure. Managers do not review workflow tasks and respond on a timely basis resulting in user dissatisfaction and inefficient business processes. Routing of transactions may not be fully defined resulting in unprocessed items. Deadline Monitoring processes are not put in place to monitor Workflow transactions.
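The risks above (approver or delegate not resolvable, tasks left unactioned, no deadline monitoring) can be illustrated with a small monitor that classifies open work items the way the deadline-monitoring step in the PR example is meant to. The following is an added example for this handbook update, not SAP workflow code: the work items are a constructed, simplified view of what the workflow reports list, and the manager lookup, the delegation table and the two-day reminder / five-day escalation rule are assumptions for the example.

```python
"""Deadline monitoring over a constructed set of work items.

Added example; the organisational data, delegations, deadline rule and
work items below are assumptions made for illustration.
"""
from datetime import datetime, timedelta

# Assumed organisational structure: requester -> manager (None = no manager defined).
MANAGER_OF = {"jsmith": "abrown", "abrown": "cwhite", "dgreen": None}
# Assumed delegations currently in force: approver -> delegate.
DELEGATE_OF = {"abrown": "ejones"}
# Assumed deadline rule: remind after 2 days, escalate to the next level after 5.
REMIND_AFTER = timedelta(days=2)
ESCALATE_AFTER = timedelta(days=5)

# Constructed work items: READY means waiting for an approver's action.
SAMPLE_ITEMS = [
    {"id": 1001, "requester": "jsmith", "created": datetime(2004, 3, 1, 9, 0), "status": "READY"},
    {"id": 1002, "requester": "jsmith", "created": datetime(2004, 3, 8, 9, 0), "status": "READY"},
    {"id": 1003, "requester": "dgreen", "created": datetime(2004, 3, 9, 9, 0), "status": "READY"},
    {"id": 1004, "requester": "jsmith", "created": datetime(2004, 3, 9, 9, 0), "status": "COMPLETED"},
]


def resolve_agent(requester):
    """Return the approver for a requester, honouring any delegation, or None
    when the organisational structure does not yield an approver."""
    manager = MANAGER_OF.get(requester)
    if manager is None:
        return None
    return DELEGATE_OF.get(manager, manager)


def monitor(items, now):
    """Classify open work items as having no agent, due a reminder, or due escalation."""
    result = {"no_agent": [], "remind": [], "escalate": []}
    for item in items:
        if item["status"] != "READY":
            continue
        agent = resolve_agent(item["requester"])
        if agent is None:
            # Rule for selecting an approver is incomplete: the item would sit unprocessed.
            result["no_agent"].append(item["id"])
            continue
        age = now - item["created"]
        if age >= ESCALATE_AFTER:
            next_level = MANAGER_OF.get(MANAGER_OF[item["requester"]])
            result["escalate"].append((item["id"], agent, next_level))
        elif age >= REMIND_AFTER:
            result["remind"].append((item["id"], agent))
    return result


if __name__ == "__main__":
    report = monitor(SAMPLE_ITEMS, datetime(2004, 3, 10, 9, 0))
    for category, entries in report.items():
        print(category, entries)
```

Evaluated on 10 March 2004, the constructed data yields one item with no resolvable approver (the requester has no manager in the structure), one item due a reminder to the delegate, and one item past the escalation threshold that is referred to the next level above the original approver. Completed items are ignored, which is why the monitor should be run against the open-item selection rather than the full history.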

Security Considerations
Access to the following Workflow related transactions should be restricted to authorised users only.
SWXX (Workflow related transactions): Workflow transactions are prefixed with SW. These transactions should be restricted to Workflow administration staff. Access should also be restricted to any alternative or client developed Workflow based transactions, based on the level of implementation of workflow performed.


Useful Reports
The following reports can be used in the administration of workflow:
PFTC_DIS (Display Task): Allows the display of workflow templates and configuration (incl. the graphical workflow representation in the workflow builder).
SWI1 (Selection report for Work Items): Displays work items and their current statuses. Allows the selection and display of individual work items.
SWI2_ADM1 (Workflow Items without Agents): Allows the monitoring of workflow items without appropriate user assignments.
SWI2_DEAD (Workflow Items with monitored Deadlines): Allows you to monitor workflow deadlines.
SWI2_DIAG (Diagnosis of Workflows with Errors): Error analysis and diagnosis.

Procurement to payables
SECTION CONTENTS

Background, p. 37
Enterprise Buyer Professional (EBP), p. 38
  Functional Overview, p. 38
  Significant Risks, p. 39
  Configuration Hot Spots, p. 39
  Security Considerations, p. 41
  Useful Reports, p. 42
Vendor Field Groups, p. 43
  Functional Overview, p. 43
  Significant Risks, p. 43
  Configuration Hot Spots, p. 43
  Security Considerations, p. 43
Dual Control for Changes to Master Records, p. 44
  Functional Overview, p. 44
  Significant Risks, p. 44
  Configuration Hot Spots, p. 44
  Security Considerations, p. 44
  Useful Reports, p. 45
Blanket Purchase Orders, p. 46
  Functional Overview, p. 46
  Significant Risks, p. 46
  Configuration Hot Spots, p. 46
  Security Considerations, p. 47
  Useful Reports, p. 47
Logistics Invoice Verification, p. 48
  Functional Overview, p. 48
  Significant Risks, p. 48
  Configuration Hot Spots, p. 49
  Security Considerations, p. 49
Automatic PO Creation, p. 51
  Functional Overview, p. 51
  Significant Risks, p. 51
  Configuration Hot Spots, p. 51
  Security Considerations, p. 51
  Useful Reports, p. 52

Procurement to payables
Background
An overview of the functionality and risks and controls of the procurement to payables component as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. This functionality has undergone a number of changes since this release; these changes have been implemented to improve efficiency and controls within the procurement to payables processes and are detailed across the following sections:

Enterprise Buyer Professional (EBP)


EBP has been developed to increase efficiency in the procurement process. This is achieved through the use of on-line catalogues containing approved vendors and goods, where users can request the supply of goods through a shopping basket process.

Vendor Master Data


While vendor master data in itself has not changed significantly in Version 4.6C, the controls and methods for securing vendor master data have been improved. Improvements have included the introduction of vendor field groups and authorisation of changes made to sensitive vendor fields.

Blanket Purchase Orders (POs)


With Release 4.0A of SAP it has become possible to create POs with a value limit and a validity period instead of a delivery date, making it possible to create Blanket POs rather than having to create a PO for each requirement when purchasing goods to be consumed immediately.

Logistics Invoice Verification (LIV)


While LIV has been available in SAP since Release 3.0A, a number of enhancements have been made to LIV processes.

Automatic PO Creation
On entry of a goods receipt for which a PO has not been created, it is possible to configure the SAP system so that these POs are automatically created.

Mass Maintenance of Master Data


Functionality has been implemented to allow for Mass Maintenance of master data including Material and Vendor Master records. Details of Mass Maintenance functionality have been provided in the Basis and Cross Application components section of this handbook.


Enterprise Buyer Professional (EBP)
Functional Overview
EBP (previously BBP) was developed to allow users to purchase predefined products from approved vendors using an on-line catalogue. Users browse through the on-line catalogue selecting products and required quantities that are then put into a user's Shopping Cart. The EBP process is summarised using the following diagram:

Enterprise Buyer Professional process:
1. Requester selects goods from the catalogue and places them in the 'shopping trolley'.
2. Requester submits the 'shopping trolley' and Workflow routes it to the delegate or approver.
3. Delegate or approver receives the request and approves or rejects it via Workflow.
4. On approval, a purchase order is created.
5. Goods are received by the requester, who enters the goods receipt into EBP.
6. Invoice is received from the supplier or generated through evaluated receipts settlement.
7. Three way match is performed and payment made.
Processing is performed in the EBP system for the early steps, in either the EBP or the Core R/3 system for the middle steps, and in the Core R/3 system for the invoice, matching and payment steps.

Catalogues available to users may be internal or external. Where external catalogues are available, the approved vendors can maintain these. EBP users do not enter prices or material descriptions as these are selected from the catalogue. Most header information for the order is automatically populated by EBP (e.g. delivery date which is populated through the use of the Vendor Info Record and Vendor is automatic from the catalogue). The EBP user specifies the deliver-to address from a list of pre-defined configured deliver-to addresses. The EBP system resides on a separate SAP installation to the core SAP system and therefore requires a separate SAP Basis installation. This means that Basis settings and parameters should also be correctly configured to appropriately control the EBP environment.


Procurement to payables

SIGNIFICANT RISKS
Approval processes and Workflow are not appropriately defined, resulting in unauthorised procurement of goods.
Limits for shopping trolleys, approval levels or the minimum value of shopping trolleys not requiring approval may not be correctly configured, resulting in inappropriate procurement of goods.
Changes may be made to shopping trolleys after approval has been given, resulting in unauthorised procurement of goods.
Invoices can be entered via EBP, increasing the risk of inappropriate access and segregation of duties conflicts.

CONFIGURATION HOT SPOTS
Back end interfacing systems should be defined to ensure that data is interfaced appropriately. This will generally mean defining the interface between the EBP system and the core R/3 system.

Fields, or attributes, to appear on EBP screens should be defined. This includes defining the user groups and the activities that can be performed for each field (for example, whether the requester can change the deliver-to address).

Key fields should be configured as mandatory to ensure all relevant information is captured and that the data needed to create the related purchasing documents is available.

Product catalogues should be configured to ensure that users can only select from approved internal or external sources.

Workflow should be configured to ensure appropriate approval processes are triggered when an EBP transaction is executed.

Deliver-to addresses should be configured to ensure goods are only delivered to approved delivery points.

Appropriate delegation limits should be configured for EBP transactions. For example, consideration should be given to configuring the following conditions through Workflow events.

Condition          Example
No Approval        Where the shopping trolley is less than an approved amount, Workflow may be configured so that no approval is required. Limits should be applied in line with delegation policy.
Single Approval    Where the shopping trolley is greater than the No Approval limit, manager approval should be required and configured through Workflow. This should ideally be driven from the organisational structure.
Double Approval    Consideration should be given to a Double Approval step where the value of the purchase is above a specified amount. In this case a line manager and a higher-level manager would both approve.

High-risk material groups should be configured to require approval regardless of the dollar value of the goods provided. This may improve controls with regard to certain materials that are at particular risk of inappropriate purchase.
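The Workflow conditions above (No Approval, Single Approval, Double Approval and mandatory approval for high-risk material groups), together with the restart-on-change behaviour discussed under Security Considerations, expressed as a small Python model. This is an added example written for this handbook update, not SAP Workflow or EBP code; the thresholds, the material group codes, the approver level names and the data structures are assumptions made for the example.

```python
"""Added example: EBP-style shopping cart approval determination.

Illustrative code written for this handbook update; it is not SAP Workflow
or EBP code. Threshold values, material group codes, approver level names
and the data structures are assumptions made for the example.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class CartItem:
    product_id: str
    material_group: str
    unit_price: Decimal   # taken from the catalogue; the requester cannot enter a price
    quantity: int


@dataclass(frozen=True)
class ApprovalPolicy:
    no_approval_limit: Decimal                  # carts at or below this value need no approval
    double_approval_limit: Decimal              # carts above this value need two approvals
    high_risk_material_groups: FrozenSet[str]   # always require approval, whatever the value


def cart_value(items: Sequence[CartItem]) -> Decimal:
    return sum((item.unit_price * item.quantity for item in items), Decimal("0"))


def approval_steps(items: Sequence[CartItem], policy: ApprovalPolicy) -> List[str]:
    """Return the ordered approver levels Workflow should route the cart to.

    [] means No Approval, one entry means Single Approval and two entries
    mean Double Approval (line manager, then a higher-level manager).
    High-risk material groups force at least Single Approval regardless of value.
    """
    value = cart_value(items)
    high_risk = any(i.material_group in policy.high_risk_material_groups for i in items)
    if value > policy.double_approval_limit:
        return ["line_manager", "senior_manager"]
    if value > policy.no_approval_limit or high_risk:
        return ["line_manager"]
    return []


def approval_must_restart(approved_items: Sequence[CartItem],
                          current_items: Sequence[CartItem]) -> bool:
    """True if the cart differs in any way from the version the approver saw.

    This is the conservative behaviour the handbook recommends for
    BBP_WFL_SECURITY_BADI: any change after approval starts (quantity,
    product, price or material group) sends the cart back through approval.
    """
    return set(approved_items) != set(current_items)


if __name__ == "__main__":
    policy = ApprovalPolicy(Decimal("500"), Decimal("5000"), frozenset({"IT_HARDWARE"}))
    cart = [CartItem("PEN-001", "STATIONERY", Decimal("1.50"), 100)]
    print(approval_steps(cart, policy))   # [] : 150.00 is under the No Approval limit
```

The value comparison is deliberately "greater than" so that a cart exactly at the No Approval limit is not escalated; if delegation policy reads the limit as exclusive, change the comparison rather than the limit, so that configuration and policy stay readable side by side.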

Output from the execution of EBP transactions should be configured. For example, POs may be automatically generated following the entry and approval of an EBP transaction. Alternatively, purchase requisitions may be generated and require a Purchasing Officer to create the PO.

Payment terms configured in the EBP system should correspond with those defined in the core SAP system to ensure that there are no inconsistencies.


SECURITY CONSIDERATIONS
The EBP system resides on a separate instance of SAP and interfaces with a core SAP system. The EBP system Basis components should be appropriately configured and secured.

Consideration should be given to configuration of Personalisation settings at an individual or role level. These may include the following:

Personalisation Object Key   Description
BBP_APPROVAL_LIMIT           Highest value of shopping cart that can be approved.
BBP_SPENDING_LIMIT           Value above which approval is necessary.
BBP_WFL_SECURITY_BADI        Specifies whether changes can be made to a shopping cart during the approval process, and what action is taken when they are. Consideration should be given to forcing the approval process to restart when changes are made.

EBP administration transactions as well as EBP end user transactions should be appropriately restricted. These include, but are not limited to:

Tcode                       Name                            Description
BBPAT03                     Create User                     EBP transaction used to create a user ID.
BBPAT04                     Forgotten User ID/Password      EBP transaction used to request or apply for a password and user ID.
BBPAT05                     Change User Data                Transaction used to change or display EBP user details.
BBPIV01, BBPIV02, BBPIV03   Entry of Invoice                EBP transactions used to enter invoices.
BBPPU07                     Access to the Manager's Inbox   EBP transaction used to access the Manager's Inbox and related information.
BBP_BW_SC3                  Shopping Carts per Product      Business Warehouse report used to display summarised shopping cart information by product.
BBP_BW_SC4                  Shopping Carts per Cost Center  Business Warehouse report used to display summarised shopping cart information by cost centre.


USEFUL REPORTS
EBP is an extension of existing procurement functionality and, as such, core SAP reports applicable to procurement are equally applicable to EBP processes. Workflow is key to successful operation of EBP. Work items may be left in error or not resolved resulting in failure of the EBP process. Processes should be put in place for the running of control reports to ensure that all transactions are processed appropriately. Consideration should also be given to reviewing reports detailing catalogue content changes for all external catalogues to ensure these are appropriate.


Vendor Field Groups
Functional Overview
As of Version 3.1H of SAP, field groups have been implemented to improve controls over changes to vendor (and customer) master records. Vendor field groups can be used to restrict a user's access to a subset of the fields within the vendor master record. Field groups are an effective way of separating the maintenance of highly sensitive master data (including bank details) from general data (such as phone numbers) which a larger group of users may require access to maintain. Dual control can be used for both customer and vendor master records to improve controls over key fields: when a change is made to a sensitive field, the SAP system can be configured to require that the change be confirmed by a second user before it takes effect.

SIGNIFICANT RISKS
Details of risks associated with the vendor master data are provided on Page 21 of the Security and Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include: Unauthorised changes to vendor master data details may result in inappropriate payment.

CONFIGURATION HOT SPOTS
Vendor field groups should be appropriately defined. This is generally best done by defining logical sets of fields (for example, separating address information and payment information such as bank details into different vendor field groups).

SECURITY CONSIDERATIONS
Access to maintain field groups, including the assignment of fields to field groups, should be restricted. Users should then be assigned field group authorisations through authorisation object F_LFA1_AEN (Vendor: Change Authorisation for Certain Fields), which names the field groups a user is permitted to change. Note that authorisation object F_LFA1_GRP (Vendor: Account Group Authorisation) specifies which activities are permitted for each account group and does not by itself restrict access to individual fields; both objects should be considered together when designing vendor master roles.


Dual Control for Changes to Master Records


Functional Overview
Dual Control has been provided to have greater control over changes to sensitive data. When configured, the Dual Control functionality creates segregation between the changing and approval of changes to sensitive fields. This is applicable to both the vendor and customer master records.

SIGNIFICANT RISKS
Details of risks associated with the Vendor Master are provided on Page 21 of the Security and Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include: Unauthorised changes to vendor master details may result in inappropriate payment.

CONFIGURATION HOT SPOTS
Fields that require dual control must be configured as sensitive fields. Once configured, each change to such a field is subject to an independent confirmation, and a user cannot confirm their own changes. Processes for the confirmation of changes should be established; this can be done through Workflow events or through manual processes.

SECURITY CONSIDERATIONS
Access to define sensitive fields should be appropriately restricted to ensure that fields are not inappropriately removed from the sensitive fields table. Access to the following confirmation transactions should be restricted to staff who are independent of those who maintain the master records. This includes:

Tcode   Name                                    Description
FK08    Confirm Vendor Changes Individually     Used to confirm or approve vendor changes that have been made.
FK09    Confirm Vendor Changes List             Used to list vendor changes that require confirmation.
FD08    Confirm Customer Changes Individually   Used to confirm or approve customer changes that have been made.
FD09    Confirm Customer Changes List           Used to list customer changes that require confirmation.
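The two properties this control relies on, that a change to a sensitive field takes effect only once confirmed and that the confirmer cannot be the person who made the change, modelled in Python as an added example written for this handbook update (not SAP's dual control implementation). Field names, user names and dates are assumptions. The example also reflects that SAP blocks the vendor for the payment run while a sensitive change is unconfirmed, so a backlog of unconfirmed changes holds up payments as well as leaving the changes unreviewed.

```python
"""Added example: four-eyes (dual control) handling of sensitive vendor master fields.

Illustrative code written for this handbook update, not SAP's dual control
implementation. The field names, user names and dates are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Assumed sensitive fields: vendor bank account, bank key and tax number.
SENSITIVE_FIELDS: Set[str] = {"LFBK-BANKN", "LFBK-BANKL", "LFA1-STCD1"}


@dataclass
class VendorChange:
    vendor: str
    field_name: str
    old_value: str
    new_value: str
    changed_by: str
    changed_on: date
    confirmed_by: Optional[str] = None
    confirmed_on: Optional[date] = None

    @property
    def pending(self) -> bool:
        return self.confirmed_by is None


class DualControlLedger:
    def __init__(self, sensitive_fields: Set[str]):
        self.sensitive_fields = set(sensitive_fields)
        self.changes: List[VendorChange] = []

    def record_change(self, vendor: str, field_name: str, old_value: str,
                      new_value: str, user: str, today: date) -> bool:
        """Record a change; return True if it must wait for confirmation."""
        if field_name not in self.sensitive_fields:
            return False   # non-sensitive fields take effect immediately
        self.changes.append(VendorChange(vendor, field_name, old_value, new_value, user, today))
        return True

    def can_confirm(self, change: VendorChange, user: str) -> bool:
        """The confirmer must be a different user from the person who made the change."""
        return change.pending and user != change.changed_by

    def confirm(self, change: VendorChange, user: str, today: date) -> None:
        if not self.can_confirm(change, user):
            raise PermissionError("change already confirmed or confirmer is the changer")
        change.confirmed_by = user
        change.confirmed_on = today

    def payment_blocked(self, vendor: str) -> bool:
        """A vendor with an unconfirmed sensitive change is blocked for the payment run."""
        return any(c.vendor == vendor and c.pending for c in self.changes)

    def pending_changes(self, older_than_days: int, today: date) -> List[VendorChange]:
        """Unconfirmed changes waiting longer than the given number of days.

        This is a filtered view of what FK09 lists; old entries indicate
        either an abandoned change or a confirmation process that is not working.
        """
        return [c for c in self.changes
                if c.pending and (today - c.changed_on).days > older_than_days]


if __name__ == "__main__":
    ledger = DualControlLedger(SENSITIVE_FIELDS)
    ledger.record_change("V100", "LFBK-BANKN", "12345", "99999", "ALICE", date(2004, 3, 1))
    change = ledger.changes[0]
    print(ledger.can_confirm(change, "ALICE"), ledger.payment_blocked("V100"))   # False True
```

In a review, run the equivalent of pending_changes against the FK09 / FD09 output and the vendor change documents: any confirmation recorded against the same user that made the change (which the standard transactions prevent, but a direct table update or a debug change would not) is a finding, as is any sensitive change that stayed unconfirmed past the payment run.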


USEFUL REPORTS
Lists of changes that are waiting to be confirmed can be generated using transaction FK09 (Vendor Changes List) and FD09 (Customer Changes List).


Blanket Purchase Orders
Functional Overview
Up until Release 4.0A, a Purchase Order (PO) would generally need to be created for each requirement, including orders placed for goods that were to be consumed immediately. The PO served as the basis for the creation of the goods receipt (if required) and for the invoice verification process. As of Release 4.0A, Blanket POs make it possible to create a PO with a value limit and a validity period instead of a delivery date. These documents are created with document type FO and item category B (Limit). The benefit of the Blanket PO is that it allows a user to procure various materials or services from vendors where the creation and processing of individual POs is not considered economical. Blanket POs would generally be used for low value, high use items for which this process is deemed appropriate. Note that in order to use Blanket POs, Logistics Invoice Verification (LIV) must be used.

SIGNIFICANT RISKS
No goods receipt, or entry and acceptance of services, is required with Blanket Purchase Orders. Invoices are posted directly with reference to the order, which may result in purchasing controls being bypassed.

CONFIGURATION HOT SPOTS
Tolerances specific to Blanket Purchase Orders should be correctly configured so that an invoice which exceeds these limits is blocked for review. Tolerances to be configured include:

Tolerance Code   Tolerance Name                               Tolerance Description
LA               Amount of Blanket Purchase Order             Determines whether the value limit of the Blanket Purchase Order has been exceeded by the invoices processed against it, and blocks any invoice that would exceed the PO value limit. An absolute or percentage upper tolerance may be defined.
LD               Blanket Purchase Order time limit exceeded   Determines whether the posting date of the invoice falls within the validity period of the Blanket Purchase Order. The system compares the number of days outside the validity period with a configured absolute upper limit and blocks the invoice where this is exceeded.
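The LA and LD checks above, worked through in Python as an added example written for this handbook update (not SAP's invoice verification code). The Blanket PO, tolerance and invoice values are constructed for the example. Where both an absolute and a percentage upper limit are set for LA, the example blocks the invoice if either is exceeded (an assumption about how the two limits combine), and an LA key with no limits set is treated as "do not check", which is exactly the misconfiguration the text warns about.

```python
"""Added example: applying Blanket Purchase Order tolerances LA and LD.

Illustrative code written for this handbook update, not SAP's invoice
verification logic. The PO, tolerance and invoice structures and the
sample values are assumptions. With both an absolute and a percentage
upper limit configured for LA, this example blocks if either is exceeded.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional


@dataclass(frozen=True)
class BlanketPO:
    po_number: str
    value_limit: Decimal   # the value limit entered instead of a quantity
    valid_from: date       # the validity period entered instead of a delivery date
    valid_to: date


@dataclass(frozen=True)
class ToleranceLA:
    """Amount of Blanket Purchase Order: how far cumulative invoices may exceed the limit.

    None means the limit is not checked, equivalent to 'Do not check' in the
    tolerance configuration, so a PO can then be invoiced without bound.
    """
    absolute_upper: Optional[Decimal] = None
    percent_upper: Optional[Decimal] = None


@dataclass(frozen=True)
class ToleranceLD:
    """Blanket Purchase Order time limit exceeded: days outside validity that are tolerated."""
    days_upper: int = 0


def days_outside_validity(po: BlanketPO, posting_date: date) -> int:
    """Number of days the posting date lies before or after the PO validity period."""
    if posting_date < po.valid_from:
        return (po.valid_from - posting_date).days
    if posting_date > po.valid_to:
        return (posting_date - po.valid_to).days
    return 0


def blocking_reasons(po: BlanketPO, la: ToleranceLA, ld: ToleranceLD,
                     already_invoiced: Decimal, invoice_amount: Decimal,
                     posting_date: date) -> List[str]:
    """Return the tolerance keys ('LA', 'LD') that would block this invoice."""
    reasons: List[str] = []

    # LA: cumulative invoiced value against the PO value limit.
    overrun = already_invoiced + invoice_amount - po.value_limit
    if la.absolute_upper is not None and overrun > la.absolute_upper:
        reasons.append("LA")
    elif la.percent_upper is not None and overrun > po.value_limit * la.percent_upper / 100:
        reasons.append("LA")
    # If neither LA limit is set the amount is not checked at all.

    # LD: posting date against the validity period.
    if days_outside_validity(po, posting_date) > ld.days_upper:
        reasons.append("LD")
    return reasons


if __name__ == "__main__":
    po = BlanketPO("4500000123", Decimal("10000"), date(2004, 1, 1), date(2004, 6, 30))
    print(blocking_reasons(po, ToleranceLA(absolute_upper=Decimal("100")), ToleranceLD(5),
                           Decimal("9900"), Decimal("250"), date(2004, 7, 6)))   # ['LA', 'LD']
```

When reviewing a system, confirm that both keys are set to check limits and compare the configured LA upper limit with the delegation level at which the Blanket PO itself was approved; a tolerance larger than the gap to the next approval level lets invoices exceed what was authorised without anyone being asked.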


SECURITY CONSIDERATIONS
Access to create or change Blanket Purchase Orders should be restricted because of the increased risks associated with them. This may be done by restricting users' access to document type FO (authorisation object M_BEST_BSA, Document Type in Purchase Order). Access should also be restricted to the transactions which can be used to create purchase orders, including:

TCode          Name                             Description
ME21, ME21N    Create Purchase Order            Transactions used to create POs.
ME22, ME22N    Change Purchase Order            Transactions used to change existing POs.
MEMASSPO       Mass Change of Purchase Orders   Allows a user to update a large number of POs simultaneously.
MEPO           Purchase Order                   Enjoy transaction used to create and change PO documents.

USEFUL REPORTS
While there are no Blanket Purchase Order specific SAP delivered standard reports, management should consider developing reporting to identify the following:
Blanket POs that have expired or are about to expire and require re-assessment and potentially re-creation.
Blanket POs that have been created, to ensure that these are appropriate and approved.
These may be produced from the standard purchasing reports by selecting on the Blanket PO document type (FO).


Logistics Invoice Verification
Functional Overview
Logistics Invoice Verification (LIV) has undergone a number of enhancements up to Version 4.6C of SAP. LIV is part of the Materials Management component and is used to complete the procurement process. LIV has been developed from the conventional invoice verification process and, as such, this section should be read in conjunction with page 39 of the Security and Control for SAP R/3 Handbook (Procurement to Payables section). The functions of conventional invoice verification are available through LIV; however, the two components may continue to be run in tandem. LIV provides additional functionality that was not available in conventional invoice verification, including the distribution of information to the Materials Management and Finance components. Additional functionality developed by SAP for the LIV process includes, but is not limited to, the following:

Invoices can be verified on-line or in the background.
Multiple account assignments or multiple company codes for posting can be used.
The system can be configured to automatically post a credit memo for the difference between the value of the invoice and the value for which the system expected an invoice. This can be particularly useful for vendors who consistently over-charge.
Workflow can be integrated into the invoice process to aid in the resolution of blocked invoices.

SIGNIFICANT RISKS
Significant risks associated with LIV are detailed on page 40 of the Security and Controls for SAP R/3 Handbook, which discusses the invoice verification process. These include the following:
Invoices may not match the corresponding purchase order and/or goods receipt, yet may still be processed for payment.
Invoices may be processed that do not relate to a valid purchase order in the system.


CONFIGURATION HOT SPOTS
LIV invoices can be processed in the background. Where background processing occurs, the system can be configured, on a company code by company code basis, to assign background-processed invoices the status Verified as correct or Completed. Consideration should be given to assigning the status Verified as correct so that these invoices are marked as Completed only following review.

Vendor-specific tolerances can be configured using tolerance groups (transaction OMRX). Tolerance groups define the way the system reacts to positive or negative invoice differences. A tolerance group can be assigned to each vendor in the vendor master record and can reduce processing time where a vendor consistently over-charges, by configuring the system to treat the variances received appropriately. Such tolerances should be set deliberately, since a generous tolerance group accepts variances that would otherwise be blocked for review.

Where invoices are blocked, Workflow events can be triggered. Typically the blocking of an invoice will trigger a Workflow item to the buyer, who can then change the PO, release the invoice items or flag the invoice as in dispute.

SECURITY CONSIDERATIONS
With the introduction of LIV, a number of new transactions have been created which should be appropriately restricted. Consideration should be given to restricting access to the following key LIV transactions:

Tcode   Name                                                        Description
MIRO    Enter Invoice                                               Enjoy transaction used to process invoices.
MIR7    Park Invoice                                                Used to park invoices where Park and Post functionality is utilised.
MIRA    Enter Invoices for Invoice Verification in the Background   Processes invoices for verification via background processing.
MR8M    Cancel Invoice Document                                     Used to cancel invoice documents.
MRBR    Release Blocked Invoices                                    Allows the user to release blocked invoices for processing and payment.
MIR6    Invoice Overview                                            Provides for analysis of invoices by various selection criteria.
MR90    Output Messages                                             Allows for viewing output documents generated from SAP.
MRRL    Evaluated Receipt Settlement (ERS)                          Provides for automatic settlement of ERS transactions.
MRKO    Consignment and Pipeline Settlement                         Automatically settles withdrawals from consignment and pipeline stock.
MRIS    Invoicing Plan Settlement                                   Provides for automatic settlement based on the invoicing plan.
MRNB    Revaluation                                                 Used to revalue purchases based on retrospective price changes.
MRA1    Create Archive                                              Allows for the archiving of invoice documents.
MRA2    Delete Documents                                            Allows for the deletion of invoice documents that have been archived.

As with all invoice processes, consideration should be given to restricting access to invoice verification functions by company code and plant.

Access to the authorisation object Invoices: Blocking Reasons (M_RECH_SPG) should also be restricted to ensure that only authorised users are able to release blocked invoices. It is critical that the releasing function be segregated from invoice entry, so that the approval process is not compromised by a user who can both enter an invoice and release the block placed on it.
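A check for the segregation the preceding paragraph calls for, written in Python as an added example for this handbook update (not an SAP program). It assumes two flat exports, user-to-role assignments with validity dates and role-to-transaction assignments (the shape of tables AGR_USERS and AGR_TCODES), with sample rows constructed for the example. It also covers the EBP invoice entry transactions (BBPIV01 to BBPIV03) noted under Enterprise Buyer Professional, since a user who enters invoices in EBP and releases blocked invoices in core R/3 holds the same conflict. The purchase order / goods receipt pair is an assumed additional rule, included to show that the rule table is data-driven. A transaction code comparison is a first pass only: access granted through S_TCODE ranges and through authorisation objects such as M_RECH_SPG must also be reviewed.

```python
"""Added example: segregation of duties check over exported role assignments.

Illustrative code written for this handbook update, not an SAP program.
It assumes flat exports of user-to-role assignments with validity dates
(as in AGR_USERS) and role-to-transaction assignments (as in AGR_TCODES).
The sample rows are constructed for the example; the PO / goods receipt
rule is an assumed addition to the invoice entry / release conflict.
"""
import csv
from collections import defaultdict
from datetime import date
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from any real system).
USER_ROLES_CSV = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
ALICE,Z_AP_INVOICE_ENTRY,2004-01-01,9999-12-31
ALICE,Z_AP_INVOICE_RELEASE,2004-01-01,9999-12-31
BOB,Z_AP_INVOICE_ENTRY,2004-01-01,9999-12-31
CAROL,Z_EBP_INVOICE_ENTRY,2004-01-01,9999-12-31
CAROL,Z_AP_INVOICE_RELEASE,2003-01-01,2003-12-31
DAVE,Z_MM_BUYER,2004-01-01,9999-12-31
DAVE,Z_MM_GOODS_RECEIPT,2004-01-01,9999-12-31
"""

ROLE_TCODES_CSV = """AGR_NAME,TCODE
Z_AP_INVOICE_ENTRY,MIRO
Z_AP_INVOICE_ENTRY,MIR7
Z_AP_INVOICE_RELEASE,MRBR
Z_EBP_INVOICE_ENTRY,BBPIV01
Z_MM_BUYER,ME21N
Z_MM_BUYER,ME22N
Z_MM_GOODS_RECEIPT,MB01
"""

# Business functions expressed as the transactions that perform them.
FUNCTIONS: Dict[str, Set[str]] = {
    "invoice_entry": {"MIRO", "MIR7", "MIRA", "BBPIV01", "BBPIV02", "BBPIV03"},
    "invoice_release": {"MRBR"},
    "po_maintain": {"ME21", "ME21N", "ME22", "ME22N", "MEPO", "MEMASSPO"},
    "goods_receipt": {"MB01", "MB0A", "MB1C"},
}
CONFLICTS: List[Tuple[str, str]] = [
    ("invoice_entry", "invoice_release"),   # the conflict the handbook describes
    ("po_maintain", "goods_receipt"),       # assumed additional rule
]


def effective_tcodes(user_roles_csv: str, role_tcodes_csv: str,
                     as_of: date) -> Dict[str, Set[str]]:
    """Map each user to the transactions reachable through role assignments valid on as_of."""
    role_tcodes: Dict[str, Set[str]] = defaultdict(set)
    for row in csv.DictReader(StringIO(role_tcodes_csv)):
        role_tcodes[row["AGR_NAME"]].add(row["TCODE"].strip())
    user_tcodes: Dict[str, Set[str]] = defaultdict(set)
    for row in csv.DictReader(StringIO(user_roles_csv)):
        valid_from = date.fromisoformat(row["FROM_DAT"])
        valid_to = date.fromisoformat(row["TO_DAT"])
        if valid_from <= as_of <= valid_to:   # expired assignments confer nothing
            user_tcodes[row["UNAME"]] |= role_tcodes.get(row["AGR_NAME"], set())
    return dict(user_tcodes)


def find_conflicts(user_tcodes: Dict[str, Set[str]]) -> List[Tuple[str, str, str, List[str], List[str]]]:
    """Return (user, function_a, function_b, tcodes_a, tcodes_b) for each conflicting pair held."""
    findings = []
    for user, tcodes in sorted(user_tcodes.items()):
        for func_a, func_b in CONFLICTS:
            held_a = tcodes & FUNCTIONS[func_a]
            held_b = tcodes & FUNCTIONS[func_b]
            if held_a and held_b:
                findings.append((user, func_a, func_b, sorted(held_a), sorted(held_b)))
    return findings


if __name__ == "__main__":
    users = effective_tcodes(USER_ROLES_CSV, ROLE_TCODES_CSV, date(2004, 6, 30))
    for finding in find_conflicts(users):
        print(finding)
```

Run it against exports taken on the same day, and keep the as_of date explicit: CAROL's expired release role is the reason the date filter exists, since a report that ignores validity dates will list her as a conflict that no longer exists while a report taken from a stale export may miss one that does.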


Automatic PO Creation
Functional Overview
Release 4.0A enables the SAP system to be configured to automatically create a Purchase Order (PO) during the Goods Receipt (GR) process. In order for this process to occur, standing data must be created as SAP valuates the GR at the price defined in the Purchasing Info Record.

SIGNIFICANT RISKS
Automatic creation of POs at the point of GR results in bypass of purchase order controls (e.g. electronic approval).

CONFIGURATION HOT SPOTS
For this to occur, each plant must be assigned to a purchasing organisation so that the system can determine the purchasing info records. SAP can then be configured to automatically create a PO for certain pre-defined movement types. Only the movement types for which this behaviour is genuinely required should be enabled.

SECURITY CONSIDERATIONS
Where automatic creation of a PO at goods receipt is enabled, access to process Goods Receipts should be restricted to appropriate staff, including the following transactions:

Tcode   Name                        Description
MB01    Post Goods Receipt for PO   Transaction used to process a Goods Receipt where a PO is available.
MB0A    Post Goods Receipt for PO   Transaction used to process a Goods Receipt where a PO is available.
MB1C    Other Goods Receipts        Allows for the processing of Goods Receipts other than by reference to a PO.


USEFUL REPORTS
While there are no specific SAP delivered standard reports with regard to automatically created POs, consideration should be given to developing reports to identify POs created to ensure that these are approved and generated in line with business process requirements.


Financial accounting

SECTION CONTENTS
Background
General Ledger
    Functional Overview
    Significant Risks
    Configuration Hot Spots
    Security Considerations
    Useful Reports
Asset Accounting
    Functional Overview
    Significant Risks
    Configuration Hot Spots
    Security Considerations
    Useful Reports

Background
An overview of the functionality, risks and controls of the Financial Accounting module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The Financial Accounting module of SAP has undergone a number of changes since Version 3.1H. Whilst many of these changes do not have a significant controls impact, there are a number where additional control functionality has been made available through enhancements. These are detailed in the following subsections:

General Ledger
Since the General Ledger forms the core of the SAP financials package, very few significant changes have been applied to this area. However, a number of additional inherent and configurable controls have been added to enhance the control environment. Key changes to the General Ledger area include the addition of true reversal functionality simplifying reversal postings and the inclusion of a cash journal to enhance control over cash management activities.

Asset Accounting
Significant enhancements have been made to the Asset Accounting module, resulting in improved asset management functionality. A key change is the introduction of the Asset Explorer for improved asset reporting.


General Ledger
Functional Overview
A number of changes and enhancements have been made to the General Ledger since Release 3.1H. These changes are outlined below.

True Document Reversals and Negative Postings
As of Release 4.0A, reverse postings and adjustment postings can be indicated as negative postings. Negative postings reduce the transaction figures in customer, vendor and G/L accounts, rather than increasing both the debit and credit totals as a conventional reversal document does. This type of reversal is called a true reversal. The true reversal functionality allows reversal postings to be traced back to the original documents, improving the accuracy of document reversals since they now reference the original document.

Reversal Reason Codes
In SAP Release 4.5B, reversal reason codes have been made mandatory. A number of default reversal reason codes are configured in SAP as standard, and additional codes may be configured. The mandatory reversal reason adds control over the reversal of documents and provides an enhanced audit trail.

Distributing Exchange Rates using ALE
As of SAP Release 4.5A, exchange rates can be distributed between SAP systems using Application Link Enabling (ALE). This improves control over exchange rates by ensuring they are consistent across SAP systems, and improves ease of maintenance.

Cash Sub-Journals
The cash journal is a bank accounting sub-ledger available for the management and reporting of cash positions. The cash journal can be used independently of other posting transactions, allowing more flexibility and accuracy in cash management reporting. The benefit of the cash journal is that opening and closing balances, as well as receipts and payments balances, are automatically calculated and displayed. The cash journal also allows an agency to run more than one cash journal per company code and to run separate cash journals for each currency.

Alternative Payment Currency
Prior to 4.5A, payments in an alternative currency could only be created and posted manually. As of 4.5A, it is possible to enter a payment currency (which can differ from the currency of the document) for open items to be paid automatically by the payment run. Users can specify an amount equal to the gross amount of the item in the payment currency. The payment currency is supported in both Accounts Payable and Accounts Receivable. This facility reduces the risk of errors by removing manual currency calculations.

Editing G/L Account Master Records
The screen layout for G/L account master records has been reorganised to allow G/L account master records to be edited from the data screen. Mass maintenance functionality is also available for G/L account master records to improve efficiency and accuracy (refer to the Basis and Cross Application Components section of this handbook update for more detail).

G/L Account Clearing Tolerances
As of 4.6A, tolerances for G/L account clearing have been extended. These tolerances, which are defined for a user and an account, determine whether the system issues an error message to the user or posts the difference automatically. They can be used to further restrict the general tolerances in place for particular users or G/L accounts as required.

New Banking Interfaces
Since Release 4.5, new interfaces are available relating to Electronic Funds Transfer (EFT) and banking across GL, AR and AP. These interfaces enhance electronic banking functionality, allowing analysis of notes to payees, the creation of custom electronic banking methods and the determination of business partners from remittance advices. The new functionality also enables central check routines and alternative check algorithms to be used when the system checks banking attributes. This extension of the standard banking interface controls provides greater flexibility in the control procedures around bank interfaces and allows banking attributes to be checked automatically using appropriate check routines and/or algorithms.

Requesting G/L Account Master Data Changes via the Internet/Intranet
As of SAP Release 4.6C, it is possible to configure requests for master data changes to be submitted via the Intranet/Internet. The requester can request the creation, change, deletion or locking of G/L account master data. In this scenario a user fills out a request form for the master data change on the Intranet/Internet. In the form, the requester describes the reason for the request and submits it to the responsible processor or processing group. The processor or processing group then receives the request in their inbox or Workflow inbox in the SAP R/3 System. The request form can be accessed from there, as can the transactions needed for processing the master data. This provides an improved audit trail and control over changes to G/L account master data.

Foreign Currency Postings
For documents posted in foreign currency, it is now possible to post rounding differences to a separate revenue/expense account. This allows greater control over variances, providing standardisation and efficiency in the handling of rounding differences.


SIGNIFICANT RISKS
Risks and controls as defined on page 72 of the Security and Control for SAP R/3 Handbook remain relevant. Additional risks relevant to the new functionality include:
Inappropriate document reversal processes are implemented.
Inappropriate changes are made to General Ledger master data or the Chart of Accounts through the use of mass maintenance functions.

CONFIGURATION HOT SPOTS
Consideration should be given to whether negative postings are permitted for each company code. Where true document reversals and negative postings are appropriate, reversal reasons should be reviewed and configured to ensure they are in line with business requirements and provide meaningful reasons for analysis purposes.

In order to use cash sub-journals effectively these should be appropriately configured. This will include:
creating appropriate G/L accounts for the Cash Journal;
defining appropriate document types for Cash Journal documents; and
defining appropriate number range intervals for Cash Journal documents.

Where required, alternative payment currencies should be configured. This will include:
maintaining automatic account assignments for payment differences arising during payment; and
defining appropriate accounts, including clearing accounts, for instances where payment differences occur as a result of the payment currency.

Where processes have been implemented for requesting G/L Account Master Data changes via the Internet/Intranet, appropriate approvals through Workflow should be configured.


SECURITY CONSIDERATIONS
New GL authorisation objects have been provided and should be taken into consideration when defining security.

Authorisation Object   Description
F_RQRSVIEW             Bank Ledger: Viewer for Request Response Messages

Existing roles should be reviewed to establish whether or not the new authorisation objects should be added.

Consideration should be given to the removal of access to legacy transactions. Further, access to the following transactions should be restricted to relevant finance / accounting staff:

Tcode                  Name                                             Description
GP12N                  Planning                                         Enjoy transaction version of transaction GP12.
FS10N, FD10N, FK10N    G/L Account, Customer and Vendor Balance         Enjoy transaction versions of FS10, FD10 and FK10.
FBL1N to FBL6N         Vendor, G/L Account and Customer Line Items      Enjoy transaction versions of FBL1 to FBL6.
FB60                   Invoice Data Entry / Invoice-Credit Fast Entry   Replaces the previously used F-43 and FB10.
FB50                   G/L Posting                                      Replaces the previously used F-02.


USEFUL REPORTS
Improvements have been made in reporting of line items where a negative posting to an account has taken place. To make the deriving of balances from the line item amounts easier, negative postings are marked with a minus sign behind the posting key (or with a special G/L indicator where necessary). This enhancement is aimed at eliminating errors by making balances and line item reports easier to read and interpret.


Asset Accounting
Functional Overview
A number of changes have been implemented to enhance functionality around Asset Accounting.

Custom Defined Fields
Asset number ranges, which were previously assigned only by asset class, can now be further defined based on other fields in the asset master record, such as location and cost centre.

Wizard for Creating Asset Classes from G/L Accounts
Previously it was possible to create asset classes from an asset G/L account using the asset class generator. An on-screen wizard is now available to automate this process. Previously, it was also possible to create two different asset classes with the same name when using the asset class generator. The system now prevents this, which assists in ensuring completeness and accuracy of data input.

Creating Assets from Purchase Orders and Purchase Requisitions
Since SAP Release 4.5A, an asset can be created from the purchase order and purchase requisition creation transactions where Materials Management is used. Asset master data is entered through dialog boxes directly into the asset master data transactions. The user therefore requires appropriate access to create assets in order to use this functionality. Where assets are not created appropriately, they are identifiable through the incomplete asset reporting processes that were previously available in SAP.

Intercompany Asset Transfers
With Release 4.0A, when assets are transferred between company codes within a single SAP client, the system enables a user to post the transfer completely from the sending company code. The system automatically performs the receiving posting and, if necessary, asset creation in the receiving company code. Note that this function is only available for transfers within a single client; transfers between clients or systems must be posted in two steps (retirement and acquisition).

Multiple Asset Creation
Multiple assets can be created in one transaction provided they have the same asset class and company code. When saved, a range of main or sub-numbers and individual descriptions are assigned. Previously, a user would need to create assets one by one, copy assets or create all assets as one asset in a group asset.

Asset Value Date
The Asset Value Date is the date used when posting asset transactions and directly influences the depreciation calculation. Previously, the rules for determining the asset value date for Asset Accounting transactions were hard-coded in SAP; functionality is now available to configure these rules. While Asset Value Date customisation provides additional flexibility in calculating asset values, it may lead to inaccurate asset value dates and values being applied.


Security and Control for SAP R/3 Handbook Update

SIGNIFICANT RISKS
Risks and controls as defined on page 94 of the Security and Control for SAP R/3 Handbook remain relevant. Additional risks relevant to the new functionality include the following:
Asset Value Dates may be customised incorrectly, resulting in inaccurate depreciation calculations.
Asset master records may not be set up correctly or may not contain all necessary data (for example where assets are created from purchasing transactions by users without Asset Accounting knowledge).

CONFIGURATION HOT SPOTS
Asset Value Dates should not be configured unless required. If configuring of Asset Value Dates is necessary, care should be taken to ensure these are in line with business and accounting requirements.

S E C U R I T Y C O N SIDERATIONS
New Asset Accounting authorisation objects have been provided and should be taken into consideration when defining security.

Authorisation Object | Description
A_S_KOSTL | Asset Master Record Maintenance: Company Code/Cost Centre. This object allows the maintenance of asset master records to be restricted to particular company codes and cost centres.

Existing roles should be reviewed to establish whether or not the new authorisation objects should be added. Consideration should be given to removing access to obsolete transactions. Further, access to the following transaction should be restricted to relevant Finance / Asset Accounting staff only:

Tcode | Name | Description
AW01N | Asset Explorer | Provides access to many asset accounting functions.



USEFUL REPORTS
The Asset Explorer provides information on posted and planned asset values. This tool, accessed through transaction AW01N, offers the functions of the previous asset value display transaction and extends them with improved access to, and display of, asset information such as depreciation areas, asset master data and current year transactions. The Asset Explorer also provides functions for printing the values as required. Another change in reporting applicable to Asset Accounting is the replacement of program RASKBU00, used for the periodic posting of changes to asset values in a depreciation area, by the new program RAPERB00. In Version 4.6C, report RASKBU00 no longer exists, and any job schedules or variants that reference it should be updated.


Controlling
SECTION CONTENTS
Background 66
Controlling 66
Functional Overview 66
Significant Risks 67
Configuration Hot Spots 67
Security Considerations 67
Useful Reports 69


Background
An overview of the functionality, risks and controls of the Controlling (CO) module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The Controlling module has undergone a number of enhancements and changes since this release; this has included the introduction of master data enhancements and an alternative CO authorisation concept. This section outlines the significant changes that have taken place in the controlling module since 3.1H and the impact that this has had on security and controls.

Controlling
Functional Overview
A number of changes and enhancements have been made to the CO module since Release 3.1H. These are outlined below.

Parked Documents in Controlling
From Release 4.6A, the system creates corresponding CO documents for documents parked in the Financial Accounting and Materials Management components. This enables CO postings to be parked and subsequently posted, supporting a segregation between entry and approval.

Master Data Enhancements
As of Release 4.0A, additional master data fields can be added for cost elements, cost centres, activity types and business processes. SAP allows these new fields to be maintained within the original master data transactions. When adding such fields, consideration should be given to the nature of the information they hold and whether additional custom authorisation checks for these fields are required.

Requesting Controlling Master Data Changes via the Internet/Intranet
As of Release 4.6C, approval processes for master data changes can be put in place via the intranet or Internet. The approval process can be configured through workflow or by other means. Implementing such an approval process provides an audit trail of the reasons for changes to Controlling master data and ensures that these changes always carry appropriate approval.

Deletion of Controlling Master Data
A test run function is available to check whether master data selected for deletion has dependencies that would cause problems if the deletion proceeded. The test run performs extensive checks of dependent data, reports on the data that would be affected by the proposed deletion(s), and prevents deletion where dependent data is present.


Manager's Desktop
As of Release 4.6A, Controlling reporting has been integrated into the Manager's Desktop. (For more detail on the Manager's Desktop, see the Human Resources section of this handbook update.)

New Reconciliation Account Field in Line Items
As of Release 4.0A, line items in the reconciliation ledger have been extended to include a field for the G/L account. This field records the G/L account to which the reconciliation posting was made in Financial Accounting, which can be either the account corresponding to the cost element or an adjustment account. Using this field improves reconciliation ledger reporting.

SIGNIFICANT RISKS
As detailed on page 110 of the Security and Control for SAP R/3 Handbook, the significant risk associated with the Controlling component is that transaction postings in the SAP application modules may not update the Controlling module if the central interface is not appropriately configured.

CONFIGURATION HOT SPOTS
If reconciliation line items currently exist which do not have the Reconciliation Account Field completed it will be necessary to obtain values and fill in the account field. This can be achieved by executing the program RKAKALX2.

S E C U R I T Y C O N SIDERATIONS
From Release 4.0, the authorisation concept for Controlling has been revised, introducing two new authorisation fields against which users are checked:

Responsibility Area (field RESPAREA): a responsibility area is made up of objects from the standard hierarchies of the Controlling objects cost centre, order, profit centre and business process.
CO Action (field CO_ACTION): each transaction in the Controlling module is assigned both an activity (e.g. create or change) and a CO Action. The new CO authorisation objects check the CO Action, which allows finer-grained authorisation than the activity alone.

The following new authorisation objects have been provided for the Controlling module. Consideration should be given to restricting access to relevant finance / accounting staff:

Authorisation Object | Description
K_CCA | General Authorisation Object for Cost Centre Accounting
K_ORDER | General Authorisation Object for Internal Orders
K_ABC | General Authorisation Object for Business Processes
K_ZBASSL | Calculation base
K_ZKALSM | Costing sheet
K_ZENTSL | Credit
K_KMOB_DCT | Document Type for Manual Funds Reservation
K_ZZUSSL | Overhead
K_ZSCHL | Overhead key
K_PEP | Authorisation Object for Period-End Partner
K_ML_MTART | Material Ledger: Material Type
K_ML_VA | CO Material Ledger: Valuation Area
K_MLPR_VA | Material Price Change: Valuation Area
K_SUM_CO | General CO Summarization Without Classification
K_TEMPL | Authorisation Template (ABC allocation, formula planning)
K_CSKS | Cost Centre Master
K_PCAS_PRC | Profit Centres
K_PCA | Responsibility Area, Profit Centre
K_ML_MGV | Material Ledger: Master Data of the Quantity Structure

As of Release 4.6A, a new authorisation check for company code takes place when CO/FI (Controlling / Financial Accounting) reconciliation postings are made (transaction KALC). The authorisation object F_BKPF_BUK is now checked by this transaction, confirming the user's authorisation to post reconciliations for the proposed company code(s). Consideration should be given to adding F_BKPF_BUK to any roles containing transaction KALC and applying appropriate company code values. A role that carries KALC without F_BKPF_BUK will fail the check, while a role that grants F_BKPF_BUK with company code '*' allows reconciliation postings to every company code and removes the restriction the check is intended to provide.


USEFUL REPORTS
As stated on page 113 of the Security and Control for SAP R/3 Handbook, numerous reports are available in the Controlling component. A number of reports have been added that management should consider for review, including but not limited to the following:
A Cost Flow Overview report, which reports on the flow of costs in Controlling and on reconciliation postings.
Profitability Analysis line item reports, created to enhance the existing profitability analysis functionality.
Further, a number of previously available reports have been altered to use the ABAP List Viewer, which provides greater flexibility in reporting, data extraction and analysis.


Human resources
SECTION CONTENTS
Background 73
Employee Self Service 74
Functional Overview 74
Significant Risks 74
Configuration Hot Spots 75
Security Considerations 75
Useful Reports 76

The Manager's Desktop 77
Functional Overview 77
Significant Risks 78
Configuration Hot Spots 78
Security Considerations 78
Useful Reports 79

Compensation Management 80
Functional Overview 80
Significant Risks 80
Configuration Hot Spots 80
Security Considerations 81
Useful Reports 81

Cross Application Timesheets and Time Management 82
Significant Risks 82
Configuration Hot Spots 82
Security Considerations 83
Useful Reports 84

Other Key Changes Since Version 3.1H 85
Ad Hoc Query 85


Benefits 85
Significant Risks 85
Security Considerations 85
Useful Reports 86


Background
An overview of the functionality, risks and controls of the Human Resources (HR) module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The components of HR have undergone significant changes from Version 3.1H, making it possible to split functionality into small units and extend integration between components. The main components of HR in Version 4.6 include:

Personnel Management
The sub-modules, formerly known as Personnel Administration (HRPA) and Personnel Planning and Development (HRPD), have been combined.

Personnel Time Management


This is used in the planning, recording and valuation of employees' working times and absences.

Payroll Accounting
This provides a number of work processes, including the generation of payroll results and remuneration statements, bank transfers and cheque payments.

In addition to the changes in the structure of the HR module, a number of functional enhancements have been developed that affect the overall control environment. These are detailed below and should be considered in conjunction with those outlined in the previous handbook. Significant changes include the introduction of Employee Self Service (ESS) and the Manager's Desktop, which decentralise HR functions and so increase both the risks and the control requirements.


Employee Self Service


Functional Overview
SAP Employee Self Service (ESS) has been developed to give employees real-time access to, and maintenance capabilities over, their own data. This allows a reduction in central administration by assigning to employees many data entry and related service activities that were previously performed by an organisation's HR, Payroll, Benefits and Travel departments. Activities performed in ESS may include:
entry of time sheet information;
entry of leave requests;
maintenance of personal information;
display of pay slips; and
salary packaging.
ESS enables employees to view, create and maintain data through a web browser, and can provide a powerful employee information and service portal over an intranet. Its functionality can be integrated with other employee tools, including email, the employee directory, calendars and workflow work items. ESS includes core HR capabilities but also offers logistics, financial and office functionality through its integration with the SAP database, which maintains the consistency and integrity of the data. ESS functionality can be integrated with the Manager's Desktop to implement effective approval processes; this is generally configured using Workflow.

SIGNIFICANT RISKS
ESS provides HR display and update capabilities to all employees in an organisation. This creates additional security and privacy risks, including:
Excessive access to sensitive HR data.
Unauthorised access to confidential HR data.
Access to maintain sensitive infotypes that should be restricted to the HR department.
Inaccurate update of HR employee master data.

It is vital that employees are restricted to their own records and to appropriate infotypes.


CONFIGURATION HOT SPOTS
Key ESS data should be defined as required entry fields so that all necessary information is captured. Changes to sensitive infotypes should be logged so that they appear in the Logged Changes in Infotype Data report; logging is switched on per infotype and field in customising (tables T585A, T585B and T585C), and an infotype that is not listed there will not appear in the report. Structural authorisation profiles should be defined and assigned to users so that access is restricted to the appropriate organisational units. Every ESS user's SAP user ID must be linked to the employee's personnel number through infotype 0105 (Communication, subtype 0001 System user name); it is this link that allows the system to restrict the user to their own record.

SECURITY CONSIDERATIONS
Structural authorisations are not new; however, they are of greater importance where ESS is implemented. Control through PD authorisation profiles is critical to the security of employee data. These profiles define which objects in the organisational plan a user is permitted to access, for example:
Organisational units
Qualifications and requirements
Business events
Structural authorisation profiles also define which activities (create, change or display) a user may perform on each of these objects. A user's access to HR data and functionality is therefore the combination of the traditional SAP authorisations and the HR structural authorisation, which provides an additional level of security. Users should be assigned an appropriately restricted structural authorisation profile and should not be assigned the unrestricted profile (PD_ALL), which allows access to all employees.

With the implementation of ESS, users' access to their own employee master record must be explicitly controlled. This is done through the authorisation object HR: Master Data - Personnel Number Check (P_PERNR). P_PERNR is only evaluated when the user's SAP user ID is linked to a personnel number through infotype 0105 and the record being accessed belongs to that personnel number. For each infotype and authorisation level (for example read or write) it can either include the user's own record (PSIGN = I), granting access even where the general HR master data authorisations (such as P_ORGIN) would not, or exclude it (PSIGN = E), denying access even where they would. Where no P_PERNR entry applies, the user's own record is treated like any other employee's record and access is governed by the general authorisations alone. Procedures should be implemented to govern the access of HR users who are also ESS users: unless P_PERNR excludes their own record for sensitive infotypes (for example 0008 Basic Pay or 0009 Bank Details), an HR user with general change access will be able to update their own pay or bank details.

SAP User Master Records (UMR) must be assigned to an employee record in order for structural authorisations to operate. Where a UMR has not been assigned to an employee record, the user is not restricted by a structural authorisation.
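How P_PERNR interacts with the general HR authorisations and the infotype 0105 link is easiest to see by working the cases through. The model below is an added illustration written for this update, not SAP's own code: it reproduces the documented outcome of P_PERNR (fields INFTY, AUTHC and PSIGN) layered on a general HR master data check, using constructed users, personnel numbers and authorisation values. It simplifies P_ORGIN to its INFTY and AUTHC fields, ignores SUBTY, limits AUTHC to R (read), W (write) and '*', and assumes that an E (exclude) entry takes precedence over an I (include) entry when both match.

```python
"""Model of the P_PERNR 'own personnel number' check.

Added illustration, not SAP's implementation. Users, personnel numbers
and authorisation values are constructed. Simplifications: the general
check is reduced to P_ORGIN with INFTY and AUTHC only, AUTHC is limited
to R, W and '*', SUBTY is ignored, and an E entry wins over an I entry
when both match.
"""

# Constructed infotype 0105 subtype 0001 links: SAP user -> PERNR.
IT0105_LINKS = {"HRCLERK": "00001234", "ESSUSER": "00005678"}
# HRADMIN (in fact employee 00009999) is deliberately not linked.

# Constructed authorisations. P_ORGIN entries are (INFTY, AUTHC);
# P_PERNR entries are (INFTY, AUTHC, PSIGN).
AUTHS = {
    "HRCLERK": {
        "P_ORGIN": [("*", "R"), ("*", "W")],   # maintain all infotypes
        "P_PERNR": [("0008", "W", "E"),         # but never own basic pay
                    ("*", "R", "I")],           # may read own record
    },
    "HRADMIN": {
        "P_ORGIN": [("*", "R"), ("*", "W")],
        "P_PERNR": [("0008", "W", "E")],        # ineffective without an IT0105 link
    },
    "ESSUSER": {
        "P_ORGIN": [],                          # no general HR access at all
        "P_PERNR": [("0006", "W", "I"),         # may change own address (0006)
                    ("*", "R", "I")],           # may read own record
    },
}


def _covers(pattern, value):
    return pattern == "*" or pattern == value


def _pernr_entry(entries, infty, level, psign):
    """True if a P_PERNR entry with the given PSIGN matches infty/level."""
    return any(_covers(i, infty) and _covers(a, level) and p == psign
               for i, a, p in entries)


def hr_access(user, target_pernr, infty, level):
    """Decide whether user may perform level ('R' or 'W') on infotype
    infty of target_pernr. Returns (allowed, reason)."""
    auths = AUTHS[user]
    general = any(_covers(i, infty) and _covers(a, level)
                  for i, a in auths["P_ORGIN"])
    own_pernr = IT0105_LINKS.get(user)
    if own_pernr is None or own_pernr != target_pernr:
        # Another employee's record, or a user with no IT0105 link:
        # P_PERNR is not consulted at all.
        return general, "general check" if general else "no authorisation"
    if _pernr_entry(auths["P_PERNR"], infty, level, "E"):
        return False, "P_PERNR E: own record excluded"
    if _pernr_entry(auths["P_PERNR"], infty, level, "I"):
        return True, "P_PERNR I: own record included"
    return general, "general check" if general else "no authorisation"


if __name__ == "__main__":
    cases = [
        ("HRCLERK", "00001234", "0008", "W"),  # own pay: denied by E
        ("HRCLERK", "00005678", "0008", "W"),  # colleague's pay: allowed
        ("HRADMIN", "00009999", "0008", "W"),  # own pay, but unlinked: allowed
        ("ESSUSER", "00005678", "0006", "W"),  # own address: allowed by I
        ("ESSUSER", "00001234", "0006", "R"),  # colleague: no authorisation
    ]
    for case in cases:
        print(case, hr_access(*case))
```

The third case is the one the text warns about: HRADMIN carries the same exclusion as HRCLERK, but because no infotype 0105 link exists the system cannot recognise the record as the user's own, and the exclusion never fires.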

Access to the following ESS and structural authorisation transactions is sensitive and should be restricted to relevant HR security staff only:

Tcode | Name | Description
OOSP | Change View Authorisation Profile: Overview | Maintain the content of a structural authorisation profile.
OOSB | Change View User Authorisations: Overview | Allocate a user to a structural authorisation profile.
HRUSER | Set up and maintain ESS user | Administer ESS users (create, change, delete, password administration etc.).

Organisations often authenticate users' access to ESS through their network account. Where this is the case, ESS users never log on to SAP directly with a password, so the initial passwords set on their SAP user master records may remain unchanged, increasing the risk of unauthorised access through other logon paths such as SAP GUI. Initial passwords should be changed, or the accounts prevented from logging on directly, and a check for user master records still carrying an initial password should form part of the periodic user review.

USEFUL REPORTS
A number of key control reports are available to assist in the administration of structural authorisations and ESS:

Report Code | Name | Description
ESS_USERCOMPARE | Reconcile User Master with HR Master | Reconciliation report listing users not allocated to an employee record.
ESS_SEL_PERNR_VIA_PNP and ESS_SEL_PERNR_VIA_PCH | Choose Personnel Numbers | Various analyses over ESS users (selection by master data and by organisational structure respectively).
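The reconciliation that ESS_USERCOMPARE performs can also be run outside SAP over a table extract, which is useful during an audit where several conditions need to be listed together. The script below is an added example written for this update, not the SAP report: it takes constructed extracts shaped like USR02 (user IDs) and PA0105 subtype 0001 (PERNR, BEGDA, ENDDA, USRID) and lists users with no employee link, personnel numbers linked to more than one user, links whose user ID has no SAP user, and links that have expired on the key date. The users, personnel numbers and dates are invented.

```python
"""Reconciliation of SAP user master records with HR master data.

Added example, not SAP's ESS_USERCOMPARE report. It works on
constructed extracts shaped like USR02 (user IDs) and PA0105 subtype
0001 (PERNR, BEGDA, ENDDA, USRID). Users, personnel numbers and dates
are invented.
"""
from collections import defaultdict
from datetime import date

USERS = ["JSMITH", "ABROWN", "CJONES", "HRADMIN", "SVC_BATCH"]
# (PERNR, BEGDA, ENDDA, USRID); 9999-12-31 is SAP's open-ended ENDDA.
PA0105 = [
    ("00001001", date(2003, 1, 1), date(9999, 12, 31), "JSMITH"),
    ("00001002", date(2003, 1, 1), date(2003, 12, 31), "ABROWN"),   # expired link
    ("00001003", date(2004, 1, 1), date(9999, 12, 31), "CJONES"),
    ("00001003", date(2004, 1, 1), date(9999, 12, 31), "HRADMIN"),  # second user on one PERNR
    ("00001004", date(2004, 1, 1), date(9999, 12, 31), "LEAVER"),   # no SAP user exists
]
KEY_DATE = date(2004, 6, 30)


def reconcile(users, pa0105, key_date):
    """Compare SAP users with the IT0105 links valid on key_date."""
    active = [(p, u) for p, b, e, u in pa0105 if b <= key_date <= e]
    linked_users = {u for _, u in active}
    users_by_pernr = defaultdict(set)
    for p, u in active:
        users_by_pernr[p].add(u)
    return {
        # Structural authorisations and P_PERNR do not restrict these users.
        "users_without_employee": sorted(set(users) - linked_users),
        # Two logons reach the same employee's record as 'own' data.
        "pernr_with_multiple_users": {p: sorted(us)
                                      for p, us in users_by_pernr.items()
                                      if len(us) > 1},
        # Stale links, e.g. a leaver whose SAP user was deleted but not IT0105.
        "links_without_sap_user": sorted(u for u in linked_users
                                         if u not in users),
        # Links no longer valid: from the end date the user is unlinked again.
        "expired_links": sorted(u for _, _, e, u in pa0105 if e < key_date),
    }


def findings(key_date=KEY_DATE):
    """Run the reconciliation over the constructed extracts."""
    return reconcile(USERS, PA0105, key_date)


if __name__ == "__main__":
    for name, result in findings().items():
        print(f"{name}: {result}")
```

Each of the four lists needs a different owner: unlinked users go to HR (link or lock), duplicate links and stale links to HR master data maintenance, and the expired link is a reminder that a delimited infotype 0105 record silently removes the ESS restriction on that user from its end date.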


The Manager's Desktop
Functional Overview
The Manager's Desktop was released in Version 4.5 to give managers immediate access to relevant HR, Financial Accounting and Controlling data. It allows functional managers to perform administrative tasks for their area of responsibility that may previously have been centralised, and provides up-to-date information through integrated reports, allowing greater management control over personnel. The Manager's Desktop groups the activities that can be performed in the application into Themes, including:

Theme | Description
Employee | Employee information reports, including: entry and approval of travel requirements; education and training data; creation of appraisals
Organisation | Planning and administration reports: organisation maintenance; transfers processing
Costs and Budget | Cost centre accounting functions; Compensation Management
Recruitment | Records of decisions related to employee recruitment
Special Areas | Integrated web browser allowing access to intranet and Internet pages
Workflow Inbox | Facilitates integration with ESS and approval activities such as leave requests, time sheets and expenses


SIGNIFICANT RISKS
The organisational plan (organisational structure) is not accurately defined or maintained, resulting in:
managers having access to employees outside their area of responsibility;
managers not having access to their own employees; and
transactions not being routed properly for approval.
Unauthorised approval of time, expense or other employee data.
Unauthorised updates or changes to HR data.
Poor controls over the delegation of responsibilities, resulting in excessive access.
Transactions not approved in a timely manner.

CONFIGURATION HOT SPOTS
For the Manager's Desktop to work, the organisational plan must be accurately defined, including the assignment of employees to positions. Incorrect allocation of employees to positions will result in managers gaining inappropriate access to HR data. To use the Manager's Desktop a user must be the holder of a chief position in the organisational structure; the system uses the chief position indicator to determine the organisational units managed directly and indirectly by the position holder, so an incorrectly set indicator both grants the desktop to the wrong person and determines whose data they see. The Manager's Desktop Themes, which grant access to the various components of its functionality, must be configured to appropriately restrict information.

SECURITY CONSIDERATIONS
Access to the following sensitive transaction should be restricted to relevant managers:

Tcode | Name | Description
PPMDT | Manager's Desktop | Provides access to the Manager's Desktop. Appropriate controls should be implemented for the temporary delegation of this system access (for example during a manager's absence) and for its removal.


USEFUL REPORTS
As detailed in page 123 of the Security and Control for SAP R/3 Handbook, the Logged Changes in Infotype Data report should be run on a regular basis to review changes made to key infotypes to ensure they are appropriate. Controls for the review and clearing of workflow items which are not actioned in a timely manner should be implemented. This should include implementation of appropriate deadline monitoring and escalation procedures. Refer to the Basis and Cross Application Components section within this handbook update for further details.


Compensation Management
Functional Overview
Compensation Management is a new component within SAP, available from Release 4.0A, which administers an organisation's compensation policies. It can be integrated with the Manager's Desktop and used to plan and perform compensation adjustments for individuals, employee groups or other organisational breakdowns.

SIGNIFICANT RISKS
Unauthorised or inaccurate update of compensation data, resulting in over- or under-compensation of employees.
Inappropriate approval processes, resulting in inappropriate compensation adjustments being applied.
Unauthorised access to sensitive and confidential compensation data.

CONFIGURATION HOT SPOTS
Compensation areas need to be defined as appropriate groupings of employees for compensation administration, and the employee features used to assign employees to compensation areas or eligibility groups should be selected so that employees fall into the correct groups. Compensation administration views should be configured so that only appropriate employee information is displayed through the compensation administration functions. Workflow and the organisational structure should be configured so that compensation adjustments are subject to appropriate approval processes.


SECURITY CONSIDERATIONS
Access to the following Compensation Management sensitive transactions should be restricted to relevant senior HR staff only:

Tcode | Name | Description
HRCMP0001C | Compensation adjustment change: Salary Review | Adjustment of employee compensation.
HRCMP0060C | Granting Employee Awards: Change | Allocation of long-term incentive awards such as stock options, restricted stock and performance units to employees.
HRCMP0080 | Total Compensation statement display | Display of total compensation statements.
HRCMP0081 | Print Total Compensation statement | Printing of total compensation statements.

USEFUL REPORTS
There are several reports available to assist in controlling Compensation Management, which should be reviewed regularly by relevant senior HR staff to monitor employee compensation:

Report | Name | Description
S_AHR_61018798 | Compare Actual Basic Salaries and Planned Compensation | Report of employee base salaries compared with the compensation assigned to the job or position.
S_AHR_61018799 | Compa-Ratio Analysis | Identifies whether employees' salaries fall within the appropriate salary bands.


Cross Application Timesheets and Time Management


Time Management has been enhanced since earlier releases and provides processes supporting the planning and recording of employee work. A significant change is the Cross-Application Time Sheet (CATS), introduced in Release 4.0A, which provides a standard interface for recording time across SAP components. CATS combines the existing SAP time recording functions into a single process and passes the recorded time to other components, including internal activity allocation in Controlling and attendances and absences in Personnel Time Management.

SIGNIFICANT RISKS
Inaccurate entry of time sheet data, resulting in incorrect payments to employees.
Duplicate processing of data through the interfaced components.
Entry or approval of time data not occurring in a timely manner.

CONFIGURATION HOT SPOTS
Data entry profiles determine the data entry process and the layout of the time sheet. Consideration should be given to the following profile settings affecting users entering time sheet data:

Setting | Description
Profile Changeable | Allows a user with access to a profile to change the profile's settings. This should not be set on profiles used by employees for their own time entry.
With Target Hours / Totals Line / Clock Times | Details that can be shown on the face of the time sheet.
Release on Saving | Determines whether time data is released automatically when saved or must be released manually; consideration should be given to which is appropriate.
Approval Required | Time data is subject to approval; workflow should be configured so that approval is performed by the appropriate person.
No Changes After Approval | Should be set so that approved time data is displayed on the data entry screen but cannot be changed.
Highlight Rejected Records | Shows the user records that have been rejected by approvers, highlighting the need for further action.
Time Settings | Should be configured based on the standard working week, including the number of periods (past and future) a user can view and change.


Setting | Description
Personnel Selection | Defines the selection criteria for personnel when time data is entered through the profile.
Default Values | Time sheets can be configured to display default values when accessed.
Data Entry Checks | Data entry checks can be configured to improve the quality and completeness of data entry. Consideration should be given to applying validation tolerances to reduce inaccurate time sheet entry.
For Users with HR | The system can be configured to issue an error or warning message when interfacing errors occur between CATS and HR.
Workflow Approval | A workflow approval procedure can be configured that is initiated on completion of time sheet entry.

Field selections should be configured as required, input, display, hidden or highlighted in the user screens.

Overtime compensation types should be appropriately defined to ensure that where overtime is entered it is accurately accounted for.

Rejection reasons should be configured and provide enough detail to the user to take the appropriate action to resolve time sheet errors.

Configuration can be applied to take an appropriate action to rectify overlapping time records.
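The Data Entry Checks, Time Settings and Overlapping Time Records settings above describe the controls in configuration terms. The following Python script is an added illustration, not code from the handbook or from SAP: it applies three of those checks to a constructed extract of time records, detecting overlapping clock times for one employee on one day, keyed hours that disagree with the clock times, and daily totals outside a target-hours tolerance. The record layout, the 7.5-hour target, the 2-hour tolerance and the sample records are assumptions made for the example.

```python
"""Added example (not from the ANAO handbook or SAP): data entry checks of the
kind the table above describes, run over a constructed time-sheet extract.
Record layout, target hours, tolerance and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, time, datetime
from itertools import combinations


@dataclass(frozen=True)
class TimeRecord:
    pernr: str      # personnel number (assumed 8-digit string, as in SAP HR)
    day: date
    start: time     # clock-in time
    end: time       # clock-out time (same day; overnight shifts are not modelled)
    hours: float    # hours keyed by the user on the time sheet


def clock_hours(rec: TimeRecord) -> float:
    """Hours implied by a record's clock times."""
    span = datetime.combine(rec.day, rec.end) - datetime.combine(rec.day, rec.start)
    return span.total_seconds() / 3600.0


def check_time_records(records, target_hours=7.5, tolerance=2.0):
    """Apply three data entry checks and return the findings.

    overlaps:        pairs of records for one employee/day whose clock times overlap
    clock_mismatch:  records whose keyed hours differ from their clock-time span
    daily_tolerance: (pernr, day, total) where the day's total is outside
                     target_hours +/- tolerance
    """
    by_day = {}
    for r in records:
        by_day.setdefault((r.pernr, r.day), []).append(r)

    overlaps, clock_mismatch, daily_tolerance = [], [], []
    for (pernr, day), recs in sorted(by_day.items()):
        for a, b in combinations(recs, 2):
            # two intervals overlap exactly when each starts before the other ends
            if a.start < b.end and b.start < a.end:
                overlaps.append((a, b))
        for r in recs:
            if abs(clock_hours(r) - r.hours) > 0.01:
                clock_mismatch.append(r)
        total = sum(r.hours for r in recs)
        if abs(total - target_hours) > tolerance:
            daily_tolerance.append((pernr, day, total))
    return {"overlaps": overlaps, "clock_mismatch": clock_mismatch,
            "daily_tolerance": daily_tolerance}


# Constructed sample extract (not real data).
SAMPLE = [
    TimeRecord("00001234", date(2004, 3, 1), time(8, 0), time(12, 0), 4.0),
    TimeRecord("00001234", date(2004, 3, 1), time(11, 30), time(16, 0), 4.5),  # overlaps the record above
    TimeRecord("00005678", date(2004, 3, 1), time(8, 0), time(20, 0), 12.0),   # well above target hours
    TimeRecord("00005678", date(2004, 3, 2), time(8, 0), time(12, 0), 6.0),    # keyed 6h, clock times say 4h
]

if __name__ == "__main__":
    for kind, items in check_time_records(SAMPLE).items():
        print(f"{kind}: {len(items)} finding(s)")
```

In SAP itself these checks are enforced at entry time by the data entry profile and the CATS customising; running them over an extract is how an auditor verifies that the configured tolerances actually hold for the recorded data, including records entered before the checks were configured.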

Security Considerations
In order to enter time data a user must call the time sheet with a data entry profile. The data entry profile determines the data entry process and the layout of the time sheet. Consideration should be given to segregating the entry of time sheet information from the approval of time sheets; workflow approval processes should be implemented to control this. Access to the following sensitive Time Management transactions should be restricted, and approval of time sheets should be limited to relevant functional managers and/or HR staff (transaction code, name, description):

CAT2, CAT3: Time Sheet: Initial Screen. Enter time sheet details.
CAPS: Time Sheet: Approve Times (Select by Master Data). Approve time sheets.
CAT4: Time Sheet: Approve Times (Selection by Org. Assignment). Approve time sheets.
CAPP: Time Sheet: Approve Times. Approve time sheets.
PP61: Change Shift Plan: Entry Screen. Amendment of shift plans.
PA61: Maintain Time Data. Entry of time data into SAP.
PA70: Fast Entry. Entry of time data into SAP.

Useful Reports
Controls for the review and clearing of workflow items which are not actioned in a timely manner should be implemented. This should include implementation of appropriate deadline monitoring and escalation procedures. Refer to the Basis and Cross Application Components section for further details.


Human resources

Other Key Changes Since Version 3.1H


Ad Hoc Query
To provide greater reporting flexibility and functionality, SAP developed the Ad Hoc Query functionality, which in Version 4.6C has been extended to integrate with other application areas and renamed InfoSet Query. This functionality is documented further in the Basis and Cross Application Components section of this handbook update.

Benefits
Benefits functionality has been enhanced from earlier SAP R/3 releases. The Benefits component can be used to develop benefits packages for employees and provides easy access to benefits related information for administrative staff, executives and employees.

Significant Risks
- Users have the ability to allocate benefits inappropriately to an employee.
- Inaccurate calculation and reporting of employee benefits.

Security Considerations
Access to the following sensitive transactions should be granted only to relevant HR staff (transaction code, name, description):

HRBEN0001: Enrolment. To enrol employees, or make changes to benefit elections.
HRBEN00ADJRSN: Mass Generation of Adjustment Reasons. To perform mass maintenance.


Useful Reports
There are several reports available to assist in controlling Benefits; consideration should be given to reviewing these reports on a regular basis (ABAP report ID, name, description):

RPLBEN09: Changes in Eligibility. Provides a list of employees who are no longer eligible for a benefit plan in which they are participating, with reasons.
RPLBEN08: Changes in benefit elections. Provides a list of changes made to employees' benefit elections.
RPLBEN13: Change in default information. Provides a list of deviations from the system-allocated default values in an employee's general benefits data (Infotype 0171).
RPLBEN18: Contribution limit check. Provides employee contributions that are not within the defined contribution limits on a key date.

Audit information system


SECTION CONTENTS
- Background
- Using Audit Information System
  - Starting an Audit
  - Installation Check
  - Preparatory Tasks
  - Systems Audit
  - Business Audit
  - Customising Audits
  - Security Considerations



Background
The Audit Information System (AIS) has been developed to provide internal and external auditors, security administrators and those with data protection and controlling responsibilities with a tool to assist in understanding and completing required tasks in the complex SAP environment. AIS provides a centralised repository for reports, queries and views of data that have a control implication.

AIS was first available for SAP R/3 Version 3.0D and is delivered as standard in SAP R/3 Versions 4.6 and above. It is provided by SAP at no additional cost and allows an auditor or manager to work online in the production system on a real-time basis.

AIS is currently focused on two key areas, which are covered in more detail below:
- Systems Audit; and
- Business Audit.

SAP has suggested that AIS functionality will be further developed to include other components, including Materials Management (MM) and Sales and Distribution (SD).

AIS consists of an Audit Report Tree, which provides a facility to access and document audit steps within a SAP system and to download audit and related data to other programs for reporting or additional analysis. The structure of the report tree menu is designed by SAP to reflect the procedures followed when conducting an audit. AIS allows the auditor to set up a report view specific to the audit, perform tasks such as attaching comments, and track the audit's progress. AIS can also extract data into pre-defined formats suitable for analysis in other tools.


Using Audit Information System
Starting an Audit

Transaction code SECR is used to access the AIS. The user can elect to enter:
- Complete audit: when executed, this provides all tests and documentation available in the AIS system.
- User-defined audit: when executed, this provides the tests and documentation applicable to the user-defined audit selected by the user.


Once started the user is provided with a report tree structure that sets out all applicable documentation and tests that are executable. The reporting tree contains steps that include variants for each type of function. These can be centrally maintained to apply across multiple audit tasks.

Installation Check
The Installation Check is an AIS tool which, when executed, checks whether all of the programs and variants listed in AIS are available in the current system environment. The Installation Check can be initiated from transaction SECR by selecting Extras > Installation > Installation check.

Preparatory Tasks
In preparation for the completion of an audit, the user may complete preparatory tasks. These tasks allow the user to customise the audit to improve efficiency in completing it. The preparatory tasks within AIS are broken into three areas (area, followed by its description):

AIS Customisation: Allows for audit customisation through the definition of variables and constants to be used in the audit process. This may include variables such as company codes, which are then used in reporting.
Customise Financial Information System: Provides the user with functions relevant to the configuration and extraction of financial information.
ABAP/4 Query including download: Provides access to the logical database structure and information pertinent to extracting data for analysis purposes.


Systems Audit
The Systems Audit is primarily used for administration and review of system activities such as security and change control. Users are provided with easy access to many of the standard SAP security and control reports and audit trails. Checklists are available to assist in executing an AIS systems audit; they provide sample security items to be considered and can be amended as required. The Systems Audit functionality in AIS is broken down into the following key areas (area, followed by its description):

Systems Configuration: Allows the user to gain details of the environment and general set-up of the SAP system.
Transport Group: Information relevant to change control processes and system set-up.
Tables / Repository: Includes information regarding table configuration and change logging, as well as table security.
Development / Customising: Information regarding development processes, including change control, blocked transactions and report security.
Background Processing: Information relevant to background processing, including the graphical job schedule and access to the job overview.
System Logs: Provides access to logs (system, access, database etc.) as well as the configuration settings pertinent to these logs.
User Administration: Provides access to information relevant to the administration and security of the SAP system. This includes various reports on:
- user security and authorisations;
- the Profile Generator; and
- user administration, such as users who have not logged into the system for a predefined period of time.

Using the Systems Audit functionality, the user can access key parts of the Basis module, including the Transport Management System, the repository and the table browser. It also provides comprehensive tools to review the security around user access.


Business Audit
The Business Audit functionality in AIS allows the auditor to produce financial statements and balance sheets, as well as perform general ledger, accounts payable and accounts receivable activities and queries. For example, through the Business Audit functionality auditors can perform and document their review of general ledger posting keys, automatic postings, billing and document types, number ranges and reconciliation accounts, as well as duplicate invoice reviews. The Business Audit is broken into the following areas (area, followed by its description):

Organisational Overview: Allows the user to become familiar with the enterprise structure that has been implemented in SAP. The user is also provided with information about the financial structure of the organisation, including details on Account Determination and the Special General Ledger.
Financial Statement Oriented Audit: Provides the user with details of account reconciliation, balance sheet, profit and loss and other general ledger related reports, which can be used for financial analysis.
Process Oriented Audit: The Process Oriented Audit steps are broken down into the various areas of SAP, including retail, procurement, production, and sales and distribution. Areas of this section are at various levels of development.

When the audit begins, the preset parameters and selection criteria are edited using the Preparatory Tasks in the Business Audit menu. The auditor customises the reporting tree to reflect the time period and organisational structure required for the audit. The use of these variants helps reduce the potential for adversely affecting system performance by limiting the parameters for which the reports are run.

Business Audit functionality is not generally considered to be comprehensive, and many items included in the menu structure are not yet functional. This should be considered when using AIS.


Customising Audits
To make effective use of the AIS tool it is important to customise the audits and ensure that only relevant information is provided. All information provided in the complete audit can be partitioned into audit programs specific to the particular needs and scope of the audit work to be completed. This is performed by selecting Audit Information System > Create/change view. A new view can then be created, in which the components to be displayed in the user-defined view are selected manually from the tree structure.

Following the customisation and generation of an audit this can be accessed by selecting the user-defined audit that has been created.


Security Considerations
In order for a user to access configuration, data or other reports, the relevant access must be provided to the user. The AIS provides links through to various reports and other information; the access provided to complete AIS tasks may therefore vary between users in line with the tasks each individual is to perform. The transaction to start the AIS is SECR, and a user must therefore be granted transaction start authorisation for it. In order for a user to be able to edit notes in AIS, the user must be provided with the following authorisation (object, field, value):

Authorisation object S_IMG_ACTV (edit notes)
PROJAUTH: 900 (Project for Audit: 900)
ACTVT: 02 (Change activity)
IMG_ACTIV: NOTE (Edit notes)

In order for a user to be able to edit the status of the audit and its tasks in the AIS, the following authorisation must be provided:

Authorisation object S_IMG_ACTV (edit status information)
PROJAUTH: 900 (Project for Audit: 900)
ACTVT: 02 (Change activity)
IMG_ACTIV: STAT (Edit status)

Other security which may be granted to the user in order to complete tasks may include:
- authorisation to view data in the IMG;
- authorisation to display user and security information;
- system administration and other system and performance monitoring functions; and
- change control authorisations.
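Two of the checks this handbook update asks for can be evaluated over an extract of role authorisations rather than by inspecting users one at a time in the system: the segregation of time sheet entry from time sheet approval (Security Considerations under Human resources) and the S_IMG_ACTV field values required for AIS note and status editing (tables above). The following Python script is an added example, not code from the handbook or from SAP. It implements a simplified model of the way SAP evaluates an authorisation check: every required field must be satisfied by a single authorisation, values may be exact, a trailing-asterisk pattern, the `*` wildcard, or a (low, high) range compared as strings. The object and field names S_TCODE/TCD and S_IMG_ACTV/PROJAUTH/ACTVT/IMG_ACTIV are standard; all role names, user IDs and assignments are constructed for the example.

```python
"""Added example (not the handbook's or SAP's code): evaluate a constructed
extract of role authorisations with a simplified model of SAP's authority
check, for (a) time entry versus time approval segregation of duties and
(b) the AIS S_IMG_ACTV note/status editing rights described above."""


def value_matches(pattern, value):
    """One authorisation value: '*' matches all, a trailing '*' is a prefix
    pattern, a (low, high) tuple is a range compared as strings, else exact."""
    if isinstance(pattern, tuple):
        low, high = pattern
        return low <= value <= high
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(authorisations, obj, required):
    """Succeed only if a single authorisation for `obj` satisfies every
    required field; field values are not combined across authorisations."""
    for auth_obj, fields in authorisations:
        if auth_obj != obj:
            continue
        if all(any(value_matches(p, want) for p in fields.get(field, []))
               for field, want in required.items()):
            return True
    return False


def user_authorisations(user, user_roles, role_auths):
    """Flatten a user's roles into a list of (object, fields) authorisations."""
    return [a for role in user_roles.get(user, []) for a in role_auths.get(role, [])]


# Transaction codes from the Time Management table in this handbook update.
TIME_ENTRY_TCODES = {"CAT2", "PA61", "PA70"}
TIME_APPROVAL_TCODES = {"CAPS", "CAT4", "CAPP"}


def can_start(auths, tcode):
    """Transaction start authorisation (object S_TCODE, field TCD)."""
    return authority_check(auths, "S_TCODE", {"TCD": tcode})


def sod_conflicts(user_roles, role_auths):
    """Users able to start both a time entry and a time approval transaction."""
    conflicts = {}
    for user in sorted(user_roles):
        auths = user_authorisations(user, user_roles, role_auths)
        entry = sorted(t for t in TIME_ENTRY_TCODES if can_start(auths, t))
        approve = sorted(t for t in TIME_APPROVAL_TCODES if can_start(auths, t))
        if entry and approve:
            conflicts[user] = (entry, approve)
    return conflicts


def ais_edit_rights(user, user_roles, role_auths):
    """The AIS note (NOTE) and status (STAT) editing checks from the tables above."""
    auths = user_authorisations(user, user_roles, role_auths)
    return {act: authority_check(auths, "S_IMG_ACTV",
                                 {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": act})
            for act in ("NOTE", "STAT")}


# Constructed role and user data, shaped like a user/role table extract.
ROLE_AUTHS = {
    "Z_TIME_ENTRY": [("S_TCODE", {"TCD": ["CAT2", "CAT3"]})],
    "Z_TIME_APPROVER": [("S_TCODE", {"TCD": ["CAPS", "CAT4", "CAPP"]})],
    "Z_HR_ADMIN": [("S_TCODE", {"TCD": [("PA00", "PA99")]})],   # range covers PA61 and PA70
    "Z_BASIS_ALL": [("S_TCODE", {"TCD": ["*"]})],                # wildcard: starts everything
    "Z_AUDITOR": [("S_TCODE", {"TCD": ["SECR"]}),
                  ("S_IMG_ACTV", {"PROJAUTH": ["900"], "ACTVT": ["02"], "IMG_ACTIV": ["NOTE"]})],
    "Z_AUDITOR_LEAD": [("S_IMG_ACTV", {"PROJAUTH": ["900"], "ACTVT": ["02"], "IMG_ACTIV": ["*"]})],
    "Z_IMG_PROJECT1": [("S_IMG_ACTV", {"PROJAUTH": ["001"], "ACTVT": ["02"], "IMG_ACTIV": ["STAT"]})],
}
USER_ROLES = {
    "JSMITH": ["Z_TIME_ENTRY"],
    "MJONES": ["Z_TIME_ENTRY", "Z_TIME_APPROVER"],   # enters and approves: conflict
    "BASIS01": ["Z_BASIS_ALL"],                      # S_TCODE '*' conflicts too
    "HRADMIN": ["Z_HR_ADMIN"],                       # entry only: no conflict
    "AUDIT01": ["Z_AUDITOR"],                        # notes only
    "AUDIT02": ["Z_AUDITOR", "Z_AUDITOR_LEAD"],      # notes and status
    "AUDIT03": ["Z_AUDITOR", "Z_IMG_PROJECT1"],      # STAT is for project 001, not 900
}

if __name__ == "__main__":
    for user, (entry, approve) in sod_conflicts(USER_ROLES, ROLE_AUTHS).items():
        print(f"SoD conflict: {user} enters via {entry} and approves via {approve}")
    for user in ("AUDIT01", "AUDIT02", "AUDIT03"):
        print(user, ais_edit_rights(user, USER_ROLES, ROLE_AUTHS))
```

Two caveats apply when this is used against a real extract. Transaction start authorisation is necessary but not sufficient: the transaction's own application checks (HR master data and time sheet objects) also have to succeed, so a user flagged here should be confirmed in the system, for example with the User Information System (transaction SUIM). Conversely, the AUDIT03 case shows why field values must be read within one authorisation: holding STAT for another IMG project does not grant status editing for the AIS project 900, and a review that only lists field values per user would miss that distinction.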
