Control Testing in SAP – asug.com

Posted on 11-Feb-2022


Control Testing in SAP – IT, Financial and Operational

Richard Fowler, CISA, CIA, Huntington Ingalls

Larry Panayi, CISA, Northrop Grumman


Real Experience. Real Advantage.


Learning Points

Understand how to assess and test the SAP technology infrastructure

Understand how to assess and test the SAP General Ledger and other financial reporting modules

Understand how to assess and test SAP production, planning and procurement modules.


Return on Investment

Our basic assumption is that, if your organization is running SAP, then you are large enough, complex enough, or savvy enough to also have an internal audit function.

Auditors need to know how to conduct a more effective application review of SAP, and should understand the infrastructure, key operations, and configuration.

By ensuring that the auditors know how to properly focus on the key controls as they conduct audits in SAP, the business can be assured of minimizing the time needed to support the audit.


Best Practices

Audits of SAP are performed to provide assurance that the financial data is correct and that the organization can rely on the information and processing within SAP.

Learn a methodology for testing and specific test steps that can be used for any number of SAP audits, including but not limited to SOX testing, general computer control testing, application control testing, and financial report testing.

Use and modify sample audit programs to enhance SAP testing.


Who We Are – Huntington Ingalls

Over a century designing, building, overhauling and repairing ships for the U.S. Navy, the U.S. Coast Guard and world navies

The nation's sole industrial designer, builder and refueler of nuclear-powered aircraft carriers

One of only two companies capable of designing and building nuclear-powered submarines

Have built over 40 percent of the U.S. Navy's current surface combatant fleet

ERP Used: SAP ECC 6.0 & ECC 5.0

Who We Are – Northrop Grumman

Northrop Grumman Corporation (NYSE: NOC) is a leading global security company providing innovative systems, products and solutions in aerospace, electronics, information systems, and technical services to government and commercial customers worldwide.

ERP Used: SAP ECC 6.0


Agenda

SAP from a business perspective
  What SAP does for the user community

SAP from a technology perspective
  Typical landscape
  Business Impact and Risk

Auditing the business side – COSO, IIA guidance
  General ledgers, financial statements, billings
  Operations: production planning, procurement

Auditing the technology side – ISACA, COBIT guidance
  Application/General computing controls
  Configuration settings (IMG)

Developing the audit program

Questions and comments


SAP from a business perspective

SAP can address almost every aspect of every business:

• Financial Accounting (FI)

• Controlling (CO)

• Asset Management (AM)

• Materials Management (MM)

• Sales and Distribution (SD)

• Quality Management (QM)

• Plant Maintenance (PM)

• Human Resources (HR)

• Supply Chain Management (SCM)

• Customer Relationship Management (CRM)

• Governance, Risk & Compliance (GRC)


SAP from a business perspective

Which business areas rely on controls?

All of them, of course, but…

Are those controls effective?

Are they efficient?

Are they warranted?

SAP is configured "out of the box" to provide a good level of basic controls for the business user and management.


SAP from a business perspective

That's where the auditors come in, to test the controls.

The tests should ensure that the controls are effective, that is, verify that they are designed to actually mitigate risks.

The tests should also ensure that controls are efficient, that is, verify that they are actually mitigating the risks.

In some cases, auditors can identify excessive or redundant controls that can be eliminated.

Let's briefly go through how to test these controls.


SAP from a business perspective

Do's…

Incorporate a top-down approach

Document what you do, why, and your conclusions

Be specific about remediation timelines & responsibilities

And Don'ts…

Forget to document and retain test procedures

Neglect tests of design and tests of effectiveness

Fail to conclude on your findings


SAP from a business perspective - Finance

[Figure: process flow in three phases – Identify Significant Accounts and Processes; Document Processes & Controls; Evaluate & Monitor. Elements: 2011 Balance Sheets, Financial Statements, Inherent and Key Business Risks, Financial Implications, Process Implications, Significant Accounts, Management's Assertions, Significant Processes, What can go WRONG?, Internal Controls, Analyze the controls' efficiency and effectiveness, and, of course, report.]


SAP from a business perspective - Finance

OK, so which accounts are significant?

Select them based on:

• Errors of importance *

• Size and composition (Acct Balances: FS10, F.08)

• High transaction volume (Line Items: F.42, FB09D, FBL1N)

• Transaction complexity

• Subjectivity in determining account balance

• Nature of the account (Suspense accounts, reserve accounts)

* Errors that individually or collectively could have a material effect on the financial statements – Revenue Recognition (VF45, VF47), Goodwill Valuation (CX67)


SAP from a business perspective - Finance

With the accounts identified, let's see…

What can go wrong?:

• Errors of importance: Restatement, significant deficiencies

• Size and composition: Inability to effectively analyze data

• High transaction volume: Data noise, difficult to distinguish trends

• Transaction complexity: Hidden errors

• Subjectivity in determining account balance: Non-compliance with GAAP and/or IFRS

• Nature of the account: Fraud


SAP from a business perspective - Finance

So what is in place to mitigate the risks?

Internal Controls:

• Errors of importance: Management review, executive approval

• Size and composition: SAP configuration

• High transaction volume: SAP configuration

• Transaction complexity: SAP configuration

• Subjectivity in determining account balance: SAP configuration

• Nature of the account: SAP configuration

And THAT's what SAP does for the financial user.


SAP from a business perspective – Material planning

[Figure: process flow in three phases – Identify Material Needs; Document Processes & Controls; Evaluate & Monitor. Elements: Contract Specifications, Inventory on Hand, Material Requirements, Scheduled Delivery, Work in Progress, Budget, Material Requirements Planning, What can go WRONG?, Internal Controls, Analyze the controls' efficiency and effectiveness, and, of course, report.]


SAP from a business perspective – Material planning

So what are we concerned with in material procurement?

Key objectives:

• Material identification (MB51)

• Material need date (Part of PO, see ME23N)

• Inventory on hand (MB03)

• Warehouse availability (LS03)

• Mat’l req planning (MD04)

• Scrap / excess inventory (WAM03)


SAP from a business perspective – Material planning

With the material processes identified, let's see…

What can go wrong?:

• Material identification: Wrong material, contract violation, liability

• Material need date: Schedule delay

• Inventory on hand: Excess material ordered

• Warehouse availability: Lost material, insufficient storage space

• Mat'l req planning: Shelf life expires, material not available

• Scrap / excess inventory: Waste, unnecessary costs, fraud


SAP from a business perspective – Material planning

So what is in place to mitigate the risks?

Internal Controls:

• Material identification: Engineering / management review

• Material need date: Engineering / management review

• Inventory on hand: SAP Configuration

• Warehouse availability: SAP Configuration

• Mat'l req planning: SAP Configuration

• Scrap / excess inventory: SAP Configuration

And THAT's what SAP does for the planning, procurement and material user.


SAP from a technology perspective - Landscape

Ideally, in an SAP environment, a three- to four-system landscape exists. This consists of the Sandbox, Development, Quality Assurance and the Production Server.

The objective of the design is to enhance "configuration pipeline management".


SAP from a technology perspective - Business Impact and Risk

Improper configuration of SAP could result in an inability for the enterprise to execute its critical processes.

Risks resulting from ineffective or incorrect configurations or use of SAP could result in some of the following:

Disclosure of privileged information

Single points of failure

Low data quality

Loss of physical assets

Loss of intellectual property

Loss of competitive advantage

Loss of customer confidence

Violation of regulatory requirements


Auditing the business side – COSO, IIA guidance

The COSO cube has been used as an auditing model since its initial release in 1993.


Auditing the business side – COSO, IIA guidance

There is also a COSO model for use with organizations with an enterprise risk management framework.


Auditing the business side – COSO, IIA guidance

Regardless of the model used, COSO recommends a risk-based approach to auditing.

The IIA supports this approach, and has included it in their International Professional Practices Framework.

There are proposed changes to both the COSO framework and the IPPF standards, but no significant changes to the audit approach or fieldwork standards.


Auditing the business side – COSO, IIA guidance

GTAG 8, Auditing Application Controls, is provided by the IIA as guidance.

It can be used to help map the key controls to the appropriate SAP tests.

Designed for looking at application controls, the same approach can be used for manual controls, embedded controls, hybrid, etc.


Auditing the business side – Financial

Going back to the Financial risks and controls, we had:

• Errors of importance: Management review, executive approval

• Size and composition: SAP configuration

• High transaction vol.: SAP configuration

• Transaction complexity: SAP configuration

• Subjectivity in determining account balance: SAP configuration

• Nature of the account: SAP configuration


Auditing the business side – Financial

How can we test the effectiveness of the management reviews and executive approvals that prevent or detect errors of importance?

• Manual test – obtain a sample of management's account reviews and verify

1. that the reviews are routinely performed

2. through inquiry what is being reviewed

3. that errors, when noted, are corrected

No, it's not specific to SAP – but we wanted to be complete.


Auditing the business side – Financial

How can we test the effectiveness of the SAP configuration that controls or limits account size and composition?

The IMG (t_code SPRO) has detailed configuration settings for a number of account types: G/L, A/R, A/P, bank accounts, asset accounts, lease accounts, retail ledger accounts, special purpose accounts, customer accounts, vendor accounts, material accounts, etc. There are a lot of types.

The configuration settings can limit what transactions can be posted to an account (via the posting key) and what roles can post or edit information (via permissions).


Auditing the business side – Financial

What if there are no configured limits to account size and composition?

We can use FS10N to get details of a single account, or F.08 to get a series of accounts. Download the results for separate periods to assess month-to-month changes (horizontal analysis) or year-to-year changes (vertical analysis).

Determine by comparison whether the account has an unusual size (account balance greatly increased or decreased) based on other months and/or years.


Auditing the business side – Financial

How can we test the effectiveness of the SAP configuration that controls or limits account transaction volume?

As before, the IMG (t_code SPRO) has detailed configuration settings, particularly for automatic posting.

If there are automatic postings or payments, review the configuration settings with the financial or accounting manager to understand the critical processes (there's probably a lot in OMR6).

Use t_code F110 to review automatic payment parameters, and also t_code F822 to review automatic payment blocks.


Auditing the business side – Financial

How can we test the effectiveness of the SAP configuration that controls or limits account transaction complexity?

Again, the IMG (t_code SPRO) has detailed configuration settings, and here we'd be looking for document types.

Most account transactions will need only a limited number of document types. If there are no limits established, it will be easier for an incorrect transaction to be posted.

To test the account's document types, run FS10N or F.08 as before and download the data. Use Excel to find any odd or unusual document types, and in SAP drill down to see what they are for and whether they were posted properly. (You can usually get someone in Accounting to help with this determination.)
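The balance comparison from the previous slide and the document-type screen from this one can be scripted instead of worked by hand in Excel. This is an added example, not code from the presentation: it runs over constructed FS10N/F.08-style downloads (accounts, periods, balances, documents and amounts are invented), flags period-over-period balance swings above a threshold, and lists postings whose document type falls outside the set Accounting says the account should carry (EXPECTED_DOC_TYPES is an assumed input).

```python
"""Analytic review of FS10N / F.08 downloads: balance swings and document types.

Constructed sample data: the account numbers, periods, balances, document
numbers and document types below are invented for illustration.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed FS10N-style period download: closing balance per G/L
# account and posting period (monthly periods within one fiscal year).
BALANCES_CSV = """account,period,balance
100000,2011-01,120000
100000,2011-02,125000
100000,2011-03,118000
100000,2011-04,410000
100000,2011-05,122000
200000,2011-01,50000
200000,2011-02,51000
200000,2011-03,49500
200000,2011-04,50500
200000,2011-05,50200
"""

# Constructed line-item download (as from an FS10N / F.08 drill-down):
# one posting per row with its document type.  SA = G/L document,
# KR = vendor invoice, ZZ = a custom type nobody in Accounting expects.
LINE_ITEMS_CSV = """account,document,doc_type,amount
100000,5000000001,SA,1000
100000,5000000002,SA,2500
100000,5000000003,KR,7800
100000,5000000004,SA,400
100000,5000000005,ZZ,290000
200000,5000000006,SA,900
"""

# Assumed input: the document types Accounting confirms each account
# should normally carry.  Anything else is a candidate for drill-down.
EXPECTED_DOC_TYPES = {"100000": {"SA", "KR"}, "200000": {"SA"}}


def load_csv(text):
    """Parse a CSV export into a list of dicts (one per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def period_changes(rows, lag=1):
    """Change of each period's balance versus the balance `lag` periods
    earlier: lag=1 is the month-to-month comparison on monthly data,
    lag=12 gives the year-to-year comparison on the same download.
    Returns {account: [(period, balance, pct_change or None), ...]}."""
    by_acct = defaultdict(list)
    for r in rows:
        by_acct[r["account"]].append((r["period"], float(r["balance"])))
    result = {}
    for acct, series in by_acct.items():
        series.sort()  # ISO "YYYY-MM" periods sort chronologically as strings
        out = []
        for i, (period, bal) in enumerate(series):
            pct = None
            if i >= lag and series[i - lag][1] != 0:
                prior = series[i - lag][1]
                pct = (bal - prior) / abs(prior) * 100
            out.append((period, bal, pct))
        result[acct] = out
    return result


def flag_unusual_balances(rows, threshold_pct=50.0, lag=1):
    """Periods whose balance moved more than threshold_pct against the
    comparison period, as (account, period, balance, pct_change)."""
    flags = []
    for acct, series in period_changes(rows, lag).items():
        for period, bal, pct in series:
            if pct is not None and abs(pct) > threshold_pct:
                flags.append((acct, period, bal, round(pct, 1)))
    return flags


def doc_type_profile(items):
    """How many postings of each document type hit each account."""
    profile = defaultdict(Counter)
    for r in items:
        profile[r["account"]][r["doc_type"]] += 1
    return dict(profile)


def flag_unexpected_doc_types(items, expected):
    """Postings whose document type is outside the set expected for the
    account; accounts with no expectation defined are flagged wholesale."""
    return [
        (r["account"], r["document"], r["doc_type"], float(r["amount"]))
        for r in items
        if r["doc_type"] not in expected.get(r["account"], set())
    ]


if __name__ == "__main__":
    balances = load_csv(BALANCES_CSV)
    items = load_csv(LINE_ITEMS_CSV)
    for acct, period, bal, pct in flag_unusual_balances(balances):
        print(f"balance swing: {acct} {period} {bal:,.0f} ({pct:+.1f}%)")
    for acct, counts in doc_type_profile(items).items():
        print(f"doc types on {acct}: {dict(counts)}")
    for acct, doc, dtype, amt in flag_unexpected_doc_types(items, EXPECTED_DOC_TYPES):
        print(f"drill down: account {acct} document {doc} type {dtype} amount {amt:,.0f}")
```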


Auditing the business side – Financial

How can we test the effectiveness of the SAP configuration that controls or limits transaction amounts?

For a change, let's look at the IMG (t_code SPRO) for the detailed configuration settings, this time for tolerance limits (OMR6).

Verify that there are limits established, especially for automatic payments (e.g., 3-way match).

To test the tolerances, look at MRBR to see if there are any transactions that have been blocked for being outside the tolerance limits. Inquire as to how these issues are resolved, and look for documentation of cleared blocks in the past.


Auditing the business side – Financial

How can we test the effectiveness of the SAP configuration that controls or limits the type of account being used?

Finally, let's look at the IMG (t_code SPRO) for one more detailed configuration setting, this time for account groups (OBD4).

Determine which accounts are associated with which account groups.

To test the settings, determine what field(s) define the account group. Use FS10N or F.08 to verify that the fields for a given period either have or do not have the values established, and there you have it.


Auditing the business side – Material planning

Going back to the material management risks and controls, we had:

• Material identification: Engineering / management review

• Material need date: Engineering / management review

• Inventory on hand: SAP Configuration

• Warehouse availability: SAP Configuration

• Mat'l req planning: SAP Configuration

• Scrap / excess inventory: SAP Configuration


Auditing the business side – Material planning

(We may go through these fast, or even skip them all, based on time.)

How can we test the effectiveness of management's reviews of material identification and/or material need dates?

Material is usually identified initially on a drawing before it is loaded into SAP or another production system to generate a Bill of Material. Drawings should all show the preparer and reviewer/approver. If there is a change management process in place, you can check the files to see if material changes are also approved and by whom.

Material need dates are going to be based on several factors, such as economic ordering quantity, first assembly schedule date, labor resource availability, etc. Discuss with engineering and planning management how the first need date is established.

Not very SAP dependent, but included for completeness.


Auditing the business side – Material planning

How do we know what material is already in inventory?

We want to verify that material is not being ordered when it's already available. Transaction MB52 is great for this. Transaction MB03 or IWBK can help.

Look at a sample of recent material purchases. Note the need dates and the quantities, as well as any special requirements that may be included as part of the PO.

Look up the material in SAP. MB52 will tell you how much is on hand now. With MB03, you can drill down to find material movements and where the material is located. With IWBK, you can get an overview of the availability of material.

This will help you identify unnecessary orders or verify that the material planning is adequate.


Auditing the business side – Material planning

How can we determine if the MRP process is functioning effectively?

MRP is part of the production planning module (PP), and involves capacity planning, cost estimates, resource planning, scheduling, bills of material, etc. This is a full audit by itself, not just an audit step.

We can, however, spot check some attributes to see if there are issues. Transaction CS03 displays a bill of material (my company has modified this into a ZBOM transaction to suit our own requirements). CS15 lets us know where else similar material is being used.

More detailed planning can be viewed using MCP1 to view SAP's operational analysis based on material, plant, work center and date ranges. We can assess the MRP controller's effectiveness using MCP5 (actually used for material analysis). MD05 displays the MRP list, which is also useful.


Auditing the business side – Material planning

How can we assess processes to scrap excess material?

Material can be damaged, use-by dates can expire, specifications can be out of date – all situations that make material unusable.

Scrapping is a material movement, so transaction MIGO_GI (or MB1A) is used with movement type 501, 551, or 555. We can use MIGO_TR (or MB1B) to get a list of material meeting these movement types.

There should be some documented local procedures that define specific requirements for scrapping material. After all, that's an avenue for fraud and we want to minimize that. Review the procedures and then sample the material listed from above. Verify that the requirements have been met.


Auditing the technology side – ISACA - COBIT guidance

ISACA Controls Framework

COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks.

COBIT enables clear policy development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.


Auditing the technology side – ISACA - COBIT guidance

Application controls

Controls embedded in financial and business applications to prevent or detect unauthorized transactions

Controls to ensure the completeness, accuracy and validity of processing transactions

Includes controls such as:

Balancing control activity within the system

Check digits

Predefined data listings

Data reasonableness tests

Logic tests, range limits, etc.


Auditing the technology side – ISACA - COBIT guidance

General computer controls

Controls to ensure the proper development and implementation of applications, the integrity of program and data files and of computer operations

Includes controls such as:

Logical access over infrastructure, applications, and data

System development life cycle

Program change management

Data center physical security

System and data backup and recovery

Computer operation


Auditing the technology side – ISACA - COBIT guidance

Automated testing of automated controls

SAP GRC Compliance Calibrator

SAP Solution Manager

Included SAP functions: SU22, SU24, SUIM, SE16N, SAP logs, SAP reports (e.g., RSPARAM)

Third-party solutions for control testing (there are others):

Approva BizRights

ACL Direct Link

I-DEAS

Cognos

WinShuttle


Auditing the technology side – ISACA - COBIT guidance

Changes to master data have been authorized

Customer master data: use tcode OV51 (also accessible using transaction code SA38 and program RFDABL00) to generate a list denoting the date and time of change, old and new values for fields, and details of the user who input the change

User access to create and maintain customer, material and pricing master data is appropriate

Customer master data - tcodes FD01/FD02/FD05/FD06 (Finance), VD01/VD02/VD05/VD06 (Sales), XD01/XD02/XD05/XD06/XD07/XD99 (Central)

Material master data - tcodes MM01 (Create), MM02 (Change), MM06 (Delete)

Pricing master data - tcodes VK11 and VK12
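A scripted review of the OV51 / RFDABL00 change list against the users who hold the customer-maintenance tcodes above. This is an added example, not code from the presentation: the change rows, user names and customer numbers are constructed, the authorized-maintainer list stands in for what a SUIM users-by-transaction query on FD02/VD02/XD02 would return, and the set of fields treated as sensitive is an assumption. It reports changes made by users outside the maintainer list, changes to sensitive fields that need approval evidence, and maintainers who made no change in the period (candidates for access removal).

```python
"""Review of an OV51 / RFDABL00-style customer master change list.

Constructed sample data: the change rows, user names, customer numbers
and field values are invented.  AUTHORIZED_MAINTAINERS stands in for a
SUIM users-by-transaction query (FD02/VD02/XD02); SENSITIVE_FIELDS is an
assumed list of fields whose change must carry documented approval.
"""
import csv
import io
from collections import Counter

# Constructed change list: one row per changed field, as OV51 lists it
# (date and time of change, user, customer, field, old and new value).
CHANGE_LOG_CSV = """date,time,user,customer,field,old_value,new_value
2011-03-02,09:14:05,AR_CLERK1,C10001,PAYMENT_TERMS,Z030,Z060
2011-03-02,10:02:41,AR_CLERK2,C10002,NAME,Acme Corp,Acme Corporation
2011-03-05,17:48:12,DEV01,C10001,BANK_ACCOUNT,DE00PLACEHOLDER01,DE00PLACEHOLDER02
2011-03-09,08:30:00,AR_CLERK1,C10003,STREET,Main St 1,Main St 2
"""

# Constructed: users who hold the customer-maintenance tcodes.
AUTHORIZED_MAINTAINERS = {"AR_CLERK1", "AR_CLERK2", "AR_SUPER"}

# Assumed: fields whose change needs approval evidence in the audit file.
SENSITIVE_FIELDS = {"BANK_ACCOUNT", "PAYMENT_TERMS"}


def load_changes(text):
    """Parse the change-list export into a list of dicts (one per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def _key(row):
    """Identifying tuple of a change row for reporting."""
    return (row["date"], row["time"], row["user"], row["customer"], row["field"])


def unauthorized_changes(rows, authorized):
    """Changes recorded under a user who does not hold maintenance access:
    either the maintainer export is stale or the change needs explaining."""
    return [_key(r) for r in rows if r["user"] not in authorized]


def sensitive_changes(rows, sensitive):
    """Changes to sensitive fields, with old and new values so the
    approval evidence can be matched to the exact change."""
    return [
        _key(r) + (r["old_value"], r["new_value"])
        for r in rows
        if r["field"] in sensitive
    ]


def dormant_maintainers(rows, authorized):
    """Users with maintenance access who made no change in the period:
    candidates for removing access that is not needed."""
    active = {r["user"] for r in rows}
    return sorted(authorized - active)


def changes_per_user(rows):
    """Change volume per user, for comparison with each user's job role."""
    return Counter(r["user"] for r in rows)


if __name__ == "__main__":
    rows = load_changes(CHANGE_LOG_CSV)
    for change in unauthorized_changes(rows, AUTHORIZED_MAINTAINERS):
        print("unauthorized user:", change)
    for change in sensitive_changes(rows, SENSITIVE_FIELDS):
        print("needs approval evidence:", change)
    print("maintainers with no changes:", dormant_maintainers(rows, AUTHORIZED_MAINTAINERS))
    print("changes per user:", dict(changes_per_user(rows)))
```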

Auditing the technology side – ISACA - COBIT guidance

COBIT References – PO4

Ensure there is an appropriate segregation of duties / incompatible functions (SUIM, SE16, USOBT, AGR_USERS):

Basis administration

Transport/import

Develop program change

Develop role change

User security administration

Change monitoring

User testing

Authorize change

Perform change
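One way to run the segregation-of-duties check above over exported data. This is an added example, not code from the presentation: the AGR_USERS-style role assignments, the role-to-function mapping and the incompatible-function pairs are constructed assumptions (the functions are the ones listed on this slide; the organization's own SoD matrix defines the real pairs), and the block also lists holders of the powerful SAP_ALL / SAP_NEW profiles and any role the mapping does not yet classify.

```python
"""Segregation-of-duties review over an AGR_USERS-style role export.

All user, role and profile names below are constructed.  The function
names are the ones on the slide; the role-to-function mapping and the
incompatible pairs are assumptions that the organization's SoD matrix
and role documentation would replace.
"""
from collections import defaultdict
from itertools import combinations

# Constructed AGR_USERS-style rows: (AGR_NAME, UNAME).
ROLE_ASSIGNMENTS = [
    ("Z_BASIS_ADMIN", "BASIS01"),
    ("Z_TRANSPORT_IMPORT", "BASIS01"),
    ("Z_ABAP_DEVELOPER", "DEV01"),
    ("Z_TRANSPORT_IMPORT", "DEV01"),
    ("Z_CHANGE_APPROVER", "MGR01"),
    ("Z_CHANGE_PERFORMER", "MGR01"),
    ("Z_CHANGE_PERFORMER", "OPS01"),
    ("Z_UNCLASSIFIED", "OPS01"),
    ("Z_SEC_ADMIN", "SEC01"),
    ("Z_CHANGE_MONITOR", "AUD01"),
]

# Assumed role-to-function mapping.  In practice derived from each role's
# transactions and authorization objects (SUIM, USOBT).
ROLE_FUNCTIONS = {
    "Z_BASIS_ADMIN": {"Basis administration"},
    "Z_TRANSPORT_IMPORT": {"Transport/import"},
    "Z_ABAP_DEVELOPER": {"Develop program change"},
    "Z_ROLE_DEVELOPER": {"Develop role change"},
    "Z_SEC_ADMIN": {"User security administration"},
    "Z_CHANGE_MONITOR": {"Change monitoring"},
    "Z_CHANGE_APPROVER": {"Authorize change"},
    "Z_CHANGE_PERFORMER": {"Perform change"},
}

# Assumed incompatible pairs: a developer who can import their own
# transports, an approver who can perform the change they approved, etc.
INCOMPATIBLE = {
    frozenset({"Develop program change", "Transport/import"}),
    frozenset({"Authorize change", "Perform change"}),
    frozenset({"Develop role change", "User security administration"}),
    frozenset({"Perform change", "Change monitoring"}),
}

# Constructed profile assignment rows: (UNAME, PROFILE).
PROFILE_ASSIGNMENTS = [
    ("SAP*", "SAP_ALL"),
    ("BASIS01", "SAP_NEW"),
    ("OPS01", "Z_DISPLAY_ONLY"),
]
POWERFUL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def functions_by_user(assignments, role_functions):
    """Union of the functions granted by every role a user holds."""
    granted = defaultdict(set)
    for role, user in assignments:
        granted[user] |= role_functions.get(role, set())
    return dict(granted)


def unmapped_roles(assignments, role_functions):
    """Roles in the export that the mapping does not cover; the SoD
    result is incomplete until these are classified."""
    return sorted({role for role, _ in assignments if role not in role_functions})


def sod_conflicts(assignments, role_functions, incompatible):
    """(user, function_a, function_b) for every incompatible pair a user
    holds, sorted for stable reporting."""
    conflicts = []
    for user, funcs in functions_by_user(assignments, role_functions).items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def powerful_profile_holders(profile_assignments, powerful=POWERFUL_PROFILES):
    """Users holding SAP_ALL / SAP_NEW; each needs a documented justification."""
    return sorted((u, p) for u, p in profile_assignments if p in powerful)


if __name__ == "__main__":
    for user, a, b in sod_conflicts(ROLE_ASSIGNMENTS, ROLE_FUNCTIONS, INCOMPATIBLE):
        print(f"SoD conflict: {user} holds '{a}' and '{b}'")
    for user, profile in powerful_profile_holders(PROFILE_ASSIGNMENTS):
        print(f"powerful profile: {user} has {profile}")
    print("unmapped roles:", unmapped_roles(ROLE_ASSIGNMENTS, ROLE_FUNCTIONS))
```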

Auditing the technology side – ISACA - COBIT guidance

COBIT References – DS4, DS5, DS9, DS12

Access to information and information systems is authorized

Information systems processing is protected physically from unauthorized access and from accidental or deliberate loss or damage

Information processing can be recovered and resumed after operations have been interrupted

Critical user activities can be maintained and recovered following interruption

Configuration changes are made in the development environment and transported to production

Changes to critical number ranges are controlled

Auditing the technology side – ISACA - COBIT guidance

COBIT References – AI6, DS5, DS13, PO4

Access to system and customizing tables is narrowly restricted

Application modifications are planned, tested and implemented in a phased manner

Customized ABAP/4 programs are secured appropriately

Batch processing operations are secured appropriately

Critical and sensitive transaction codes are locked in production

Strong password management for system users

SAP Router is configured to act as a gateway to secure communications

Remote access by software vendors is controlled adequately

Auditing the technology side – ISACA - COBIT guidance

COBIT References - DS5, PO2

SAP ERP Remote Function Call (RFC) and Common Programming Interface—Communications (CPI-C) are secured

Technology infrastructure is configured to secure communications and operations in the SAP ERP environment:

Firewall

Secure Network Communications (SNC)

Secure Store and Forward (SSF) mechanisms and digital signatures

Workstation security

Operating system and database security

Auditing the technology side – ISACA - COBIT guidance

COBIT References – AI1, AI6, DS5, DS9, DS11, ME1, PO2

Superuser SAP* is properly secured

Set system parameter login/no_automatic_user_sapstar

Default passwords for users DDIC, SAPCPIC and EarlyWatch have been changed

Use of powerful profiles is restricted (SAP_ALL, SAP_NEW)

Logging & monitoring activities are in place for use of powerful accounts and profiles

Changes made to the data dictionary are authorized and reviewed regularly

Log and trace files are appropriately configured and secured


Auditing the technology side – Configuration (IMG)

• Use transaction SPRO to view the IMG

• Click the find button to search for key terms


Auditing the technology side – Configuration (IMG)

• You can then double click any item on the list and it will take you to the location within the IMG.


Auditing the technology side – Configuration (IMG)

• This is helpful when you want to document where a control is performed.

• When you try and execute the item, it will show you the tcode used.

• Information is helpful when discussing with auditee or IT persons.

• Another useful tool is "Performance Assistance". It provides notes about each configurable control.


Auditing the technology side – Configuration (IMG)

The Performance Assistant provides you with more detailed information about the control to help you understand how it works.


Auditing the technology side – Configuration (IMG)

Other IMG Configurations – tcode SPRO

Customer Account Groups: Menu Path—Financial Accounting > Accounts Receivable & Accounts Payable > Customer Accounts > Master Data > Preparation for Creating Customer Master Data > Define Account Group With Screen Layout (Customers)

Material Types: Menu Path—Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types

Industry Sector: Menu Path—Logistics General > Material Master > Field Selection > Define industry sectors and industry-sector specific field selection

Auditing the technology side – Configuration (IMG)

Pricing condition types and records: Menu Path—Sales and Distribution > Basic Functions > Pricing, and tcodes:

V-44 for material price condition record

V-48 for price list type condition records

V-52 for customer-specific condition type

Other configurable controls

3-Way Match

SE16 and table LFM1 (verify GR-IV is checked)

LFA1 (Global listing of vendors) – Although a vendor shows in LFM1, it could be disabled globally in this table and is N/A

Invoice Payment Approval

Auditing the technology side – Configuration (IMG)

PO Release Workflow

Obtain the PO release strategy tables that are set for users based on their release level

T16FS – obtain the PO release strategy table defined for PO release amount for particular sectors.

JV Workflow

Approval Matrix Set Up – used to determine if appropriate approvers for JV documents are set up in SAP (JV user is not the same as JV approver)

Tolerance Limits

SE16, T169G (can choose 1 or many company codes to view)

Automatic Posting

Identifies the various procedures that generate automatic postings to the GL

Use Tcode OBYC (need business mgt. or SAP BASIS to execute)


Developing the audit program

Having identified the key processes, inherent risks, internal controls, and potential test steps – this applies for both the business side and the IT side – it is pretty straightforward to build the audit program.

Use whatever format is accepted in your organization:

Word document

Excel spreadsheet

Risk & control report from TeamMate®, Audit Leverage®, MK Insight®, or other audit management software

SAP QM includes auditing transactions, but they are aligned more with lot sampling than internal auditing


Developing the audit program

IIA Standard 2201: Planning Considerations

In planning the engagement, internal auditors must consider:

The objectives of the activity being reviewed and the means by which the activity controls its performance;

The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;

The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model.

Note that we've gone over these items already.


Developing the audit program

ISACA Standard S5: Planning

Plan the IS audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.

Develop and document a risk-based audit approach.

Obtain an understanding of the activity being audited. The knowledge required should be determined by the nature of the organization, its environment, risks and the objectives of the audit.

Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the audit. Audit strategies, materiality levels and resources can then be developed.

Not a great deal of difference in planning an audit.


Developing the audit program

The audit program must include the test steps, naturally.

It does not need to include a description of the control being tested, but that is nice to have as a reminder, during testing, of what we are looking for.

If you do not include the control, include a reference to where the control is documented.

To meet the current (and proposed) standards in the audit profession, auditors must document the risk assessment process used in planning the audit.

If not in the audit program itself, document the links from Process/Objective -> Risks -> Controls -> Audit Tests.


Developing the audit program

Sample audit program (columns: Application Objective, Objective Risk, Mitigating Control, Control Statement, Test Plan; the Test Plan column is blank in this template and is filled in per audit):

Objective: Data is input without errors
Risk: Typos in data input are not detected
Control: Edit checks
Control Statement: Edit checks eliminate common typographic errors. Where possible, the application includes processes to validate financial values for reasonableness and approval limits; looks for proper formats and required fields; uses standardized input screens; verifies sequences (e.g., missing items), range checks, and check digits; and performs cross checks (e.g., where certain policies are only valid with certain premium table codes).

Objective: Data is input without errors
Risk: Duplicate record entry may not be detected
Control: Record checks
Control Statement: Records are checked for key fields as part of the data validation process to minimize duplicate data entry, including using fuzzy logic for close matches.

Objective: Data is input completely
Risk: Key fields are not entered
Control: Field verification
Control Statement: Key fields are mandatory entries, and the record cannot be stored with certain items incomplete or pending.

Objective: Data is input completely
Risk: Some records are skipped / not entered
Control: System checks
Control Statement: Cross-system checks are used to ensure records are input in sequence.

Objective: Data is input timely
Risk: Post-close data entry invalidates parts of periodic financial reporting
Control: Validation checks
Control Statement: Post-closing data entries are permitted, but require management approval to assure the impact is known.

Objective: Data is input timely
Risk: Late data entry changes the impact of management reports
Control: Field verification
Control Statement: Late data entry is flagged in a special report to management.
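The control statements above describe the input-edit checks in general terms. The following is an added example, not part of the original deck and not SAP code, showing what those same checks look like when implemented over a constructed batch of invoice records: required fields, format, range and approval limit, check digit, posting into a closed period, sequence gaps, and exact or near-duplicate detection. The field names, the mod-10 (Luhn) check-digit scheme, the approval limit and the closed-period date are all assumptions made for the example.

```python
"""Input edit checks of the kinds named in the control statements above,
applied to a constructed batch of invoice records (example code, not SAP's)."""
import re
from collections import Counter

REQUIRED = ("doc_no", "vendor", "amount", "account", "post_date")
APPROVAL_LIMIT = 10000.00      # assumed: amounts above this need a recorded approver
CLOSED_THROUGH = "2024-02-29"  # assumed: periods up to this date are closed
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample batch. 1002 is a near-duplicate of 1001, 1003 is missing from
# the sequence, 1004 exceeds the approval limit, 1005 has several field errors and
# 1006 posts into a closed period without approval.
SAMPLE_BATCH = [
    {"doc_no": "1001", "vendor": "Acme Corp", "amount": 2500.00,
     "account": "79927398713", "post_date": "2024-03-01"},
    {"doc_no": "1002", "vendor": "ACME CORP.", "amount": 2500.00,
     "account": "79927398713", "post_date": "2024-03-01"},
    {"doc_no": "1004", "vendor": "Globex", "amount": 15000.00,
     "account": "79927398713", "post_date": "2024-03-02"},
    {"doc_no": "1005", "vendor": "", "amount": 120.50,
     "account": "79927398714", "post_date": "03/02/2024"},
    {"doc_no": "1006", "vendor": "Initech", "amount": 800.00,
     "account": "79927398713", "post_date": "2024-02-15"},
]


def luhn_ok(number):
    """Mod-10 (Luhn) check digit, assumed here as the account number scheme."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec):
    """Field-level edit checks; returns a list of error strings (empty = clean)."""
    errors = [f"missing {f}" for f in REQUIRED if not str(rec.get(f, "")).strip()]
    amt = rec.get("amount")
    if amt is not None:
        if not isinstance(amt, (int, float)) or amt <= 0:
            errors.append("amount must be a positive number")
        elif amt > APPROVAL_LIMIT and not rec.get("approver"):
            errors.append("amount above approval limit without approver")
    date = rec.get("post_date", "")
    if date and not DATE_RE.match(date):
        errors.append("post_date not YYYY-MM-DD")
    elif date and date <= CLOSED_THROUGH and not rec.get("approver"):
        errors.append("posting into closed period without management approval")
    if rec.get("account") and not luhn_ok(rec["account"]):
        errors.append("account check digit invalid")
    return errors


def normalize(text):
    """Fold case and strip punctuation so 'ACME CORP.' matches 'Acme Corp'."""
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def validate_batch(records):
    """Record errors plus batch-level checks: sequence gaps and (fuzzy) duplicates.
    Returns (errors_by_doc_no, missing_doc_numbers, duplicate_keys)."""
    errors = {r.get("doc_no"): e for r in records if (e := validate_record(r))}
    nums = sorted(int(r["doc_no"]) for r in records if str(r.get("doc_no", "")).isdigit())
    gaps = sorted(set(range(nums[0], nums[-1] + 1)) - set(nums)) if nums else []
    keys = Counter((normalize(str(r.get("vendor", ""))), r.get("amount"), r.get("post_date"))
                   for r in records)
    dups = [k for k, n in keys.items() if n > 1]
    return errors, gaps, dups


if __name__ == "__main__":
    for name, result in zip(("errors", "gaps", "duplicates"), validate_batch(SAMPLE_BATCH)):
        print(name, result)
```

The batch-level checks are the ones an auditor cannot see by inspecting a single screen: a gap in the document sequence and a duplicate that only shows up once vendor names are normalized. When testing the control in SAP itself, the equivalent evidence is the field status and number-range configuration plus a sample of posted documents, not the code.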


Agenda

SAP from a business perspective

What SAP does for the user community

SAP from a technology perspective

Typical landscape

Business Impact and Risk

Auditing the business side – COSO, IIA guidance

General ledgers, financial statements, billings

Operations: production planning, procurement

Auditing the technology side – ISACA, COBIT guidance

Application/General computing controls

Configuration settings (IMG)

Developing the audit program

Questions and comments


Questions & Comments


Key Learnings

Audits of SAP are performed to provide assurance that

the financial data is correct and that the organization can

rely on the information and processing within SAP

Learn a methodology for testing and specific test steps

that can be used for any number of SAP audits, including

but not limited to SOX testing, general computer control

testing, application control testing, and financial report

testing

Use and modify sample audit programs to enhance SAP

testing


Thank you for participating.

SESSION CODE: 1913

Please remember to complete and return your

evaluation form following this session.

For ongoing education on this area of focus, visit the

Year-Round Community page at www.asug.com/yrc


Appendix A – Useful Transaction Codes, Tables, and Reports


SAP Transaction Codes for Security and Troubleshooting

User Maintenance:

SU01 Maintain User (SU01D is the display-only variant)

SU02 Maintain Authorization Profiles

SU03 Maintain Authorizations

SU10 Mass changes to User Master

SU12 Mass Changes to User Master Records

SU20 Maintain Authorization Fields

SU21 Maintain Authorization Objects

SU50 Maintain User Defaults

SU51 Maintain User Address

SU52 Maintain User Parameters

SU53 Display Check Values

SU54 Maintain User Menu

SU55 Start user menu

SU56 Analyze user buffer (Security Check)

SUIM User Information System


SAP Transaction Codes for Security and Troubleshooting

Authorization Objects:

SU22 Auth. object usage in transactions

SU30 Total checks in the area of authorizations

Table Security:

SUCH Translatability CHECKs

SUCU Table authorizations: Customizing

Correction & Transport:

SE09 Workbench Organizer

SE10 Customizing Organizer

Data Dictionary:

SE11 ABAP/4 Dictionary Maintenance

SE12 ABAP/4 Dictionary Display

SE13 Maintain Technical Settings (Tables)

SE14 Utilities for Dictionary Tables

SE15 ABAP/4 Repository Information System

SE85 ABAP/4 Dictionary Information System


SAP Transaction Codes for Security and Troubleshooting

Table Display and Maintenance:

SE16 Data Browser

SE17 General Table Display

SM31 Table Maintenance

Tracing a Transaction:

SE30 ABAP/4 Runtime Analysis

ST01 System Trace

STAT User Activity at UNIX Level (this transaction is very slow)

ABAP/4 Workbench:

SE36 ABAP/4: Logical Databases

SE37 ABAP/4 Function Modules

SE38 ABAP/4 Program Development

SE80 ABAP/4 Development Workbench

SE81 SAP Application Hierarchy

SE82 Customer Application Hierarchy

SE84 ABAP/4 Repository Information System

SE86 ABAP/4 Repository Information System


SAP Transaction Codes for Security and Troubleshooting

Transaction Maintenance:

SE93 Maintain Transaction Codes

SE43 Menu path with transaction codes (Main Menu is S000)

Knowledge and understanding of SAP R/3 basic system administration skills:

SM21 System Log

SE06 Set up Workbench Organizer

SM04 Current Users on the Client

Other Transactions:

SU22 Authorization Objects used in Transaction Codes

SU23 Load Tables in TAUTL

SU24 Authorization Objects used in Transactions (Profile Generator)

SU25 Copy Initial Defaults

SU26 Compare Authorization Checks


Standard Security Reports (run via SA38)

Program Short description

RSUSR000 Current Active Users

RSUSR002 Lists of Users According to Complex Selection Criteria

RSUSR003 Check the Passwords of Users SAP* and DDIC in all Clients

RSUSR004 Restrict User Values to the Following Simple Profiles and Auth. Objs.

RSUSR005 List of Users With Critical Authorizations

RSUSR006 List of User Master Records Locked Due to Incorrect Logon

RSUSR007 List Users Whose Address Data is Incomplete

RSUSR010 Transaction Lists According to Selection With User, Profile or Object

RSUSR020 List Profiles by Complex Selection Criteria

RSUSR030 List Authorizations According to Complex Selection Criteria

RSUSR040 List Authorization Objects by Complex Selection Criteria

RSUSR100 List Change Documents for Users

RSUSR101 List Change Documents for Profiles

RSUSR102 List Change Documents for Authorizations

RSUSR400 Test Environment Authorization Checks (SAP Systems Only)

RSPARAM List system parameters (Tcode RZ11 or TU02)

RSCSAUTH Maintain program/report authorization groups

RSABAUTH Transfers authorization groups from TRDIR to TPGP

Important Security Tables

DD02V List of Tables and Descriptions

TSTC Transaction Listing

TSTCA Values for Transaction Code Authorizations

TSTCT Transactions with Description

TACT Activities that can be Protected

TACTT Activities that can be Protected with Descriptions

TACTZ Authorization Objects and Valid Activities

TBRG Authorization Objects and Authorization Groups

TBRGT Auth Objects and Auth Groups with Descriptions

TDDAT Table Authorization Groups

TOBJ Authorization Objects

TOBJC Authorization Object w Class assignment

TOBJT Authorization Objects and Descriptions

TOBC Authorization Object Classes

TOBCT Authorization Object Classes and Descriptions

TPGP ABAP/4 Authorization Groups

TPGPT Long Texts for ABAP/4 Program Groups

TRDIR System Table TRDIR, ABAP/4 Programs with Authorization

TRDIRE System Tables w attributes

USOBT Transaction codes w Authorization Objects checked. Used with Profile Generator

Additional Useful Tables

User Master Tables

USR01 User Master Records

USR02 Logon data: user ID, password hash (not the clear-text password), lock status, and last logon date/time

USR04 User Master Authorizations

USR10 Authorization Profiles

USR11 User Master Profiles and Descriptions

USR12 User Master Authorization Values

USR40 Non-permissible password values

Change Logs

USH02 Change history for logon data (including the account lock indicator and user flags)

USH04 Change history for authorizations

USH10 Change history for authorization profiles

USH12 Change history for authorization values

Authorization Tables

UST04 User Masters (all Users with profiles)

UST10C User Master: Composite Profiles

UST10S User Master: Simple profiles

UST12 User Master: Authorizations

Reviewing Technical Security Access Controls

Password Audit Steps:

Using the RSPARAM / RSPPARAM report (SA38), or RZ11 for a single parameter, determine the password control settings. Parameter names are lowercase and case-sensitive. The defaults quoted below are those of the R/3 releases current when this deck was written; later releases ship tighter defaults, so compare the user-defined value against the default that RZ11 shows on the system under review rather than against this list.

login/password_expiration_time – Frequency of forced password change, in days (default = 0 = passwords never expire)

login/min_password_lng – Minimum password length (default = 3)

login/fails_to_user_lock – Number of invalid password attempts before the user is locked (default = 12)

login/failed_user_auto_unlock – Whether a user locked by failed logons stays locked until released by an administrator, or is unlocked automatically at midnight (default = 1 = unlocked at midnight)

rdisp/gui_auto_logout – Seconds of inactivity after which the user is logged off SAP (default = 7200 seconds = 2 hours)

login/disable_multi_gui_login – Whether a user may hold several GUI sessions at once (default = 0 = multiple logons permitted)

NOTE: even if multiple logons are disabled, the user IDs listed in login/multi_login_users may still log on more than once; review that list as part of the test.
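The step above lists the parameters to collect; the evaluation is usually done by eye against a printout. As an added example, not from the deck or from SAP, the following reads a listing in the RSPARAM layout (parameter name, user-defined value, system default) and flags the weak settings, including the login/multi_login_users exception list that the note above warns about. The listing is constructed, and the thresholds it is judged against (90-day expiry, minimum length 8, at most 5 failed attempts, one-hour idle timeout, permanent lock) are this example's audit expectations, not SAP defaults.

```python
"""Check SAP logon/password profile parameters from an RSPARAM-style listing
(example code, not from the deck or from SAP)."""

# Constructed listing in the RSPARAM layout: name, user-defined value, system default.
# A blank user-defined column means the default is in effect.
SAMPLE_RSPARAM = """\
login/password_expiration_time      90      0
login/min_password_lng              8       3
login/fails_to_user_lock                    12
login/failed_user_auto_unlock       1       1
rdisp/gui_auto_logout               1800    7200
login/disable_multi_gui_login       1       0
login/multi_login_users             BATCH_ADMIN,WF_BATCH
"""


def parse_rsparam(text):
    """Return {parameter: effective value}. Whether two or three columns are present,
    the second token is the value in force (user-defined if set, otherwise the default)."""
    params = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            params[fields[0]] = fields[1] if len(fields) > 1 else ""
    return params


def evaluate_logon_parameters(params):
    """Compare effective values against this example's audit expectations
    (thresholds are assumptions, not SAP defaults).
    Returns [(severity, parameter, value, message)], severity 'fail' or 'review'."""
    findings = []

    def num(name):
        try:
            return int(params.get(name, ""))
        except ValueError:
            return None

    def expect(name, ok, message):
        if not ok:
            findings.append(("fail", name, params.get(name, "<unset>"), message))

    expiry = num("login/password_expiration_time")
    expect("login/password_expiration_time", expiry is not None and 0 < expiry <= 90,
           "password expiry is off (0) or longer than 90 days")
    length = num("login/min_password_lng")
    expect("login/min_password_lng", length is not None and length >= 8,
           "minimum password length below 8")
    fails = num("login/fails_to_user_lock")
    expect("login/fails_to_user_lock", fails is not None and 1 <= fails <= 5,
           "more than 5 failed attempts allowed before the user is locked")
    expect("login/failed_user_auto_unlock", num("login/failed_user_auto_unlock") == 0,
           "locked users are unlocked automatically at midnight")
    idle = num("rdisp/gui_auto_logout")
    expect("rdisp/gui_auto_logout", idle is not None and 0 < idle <= 3600,
           "inactive GUI sessions are not logged off within an hour")
    multi_disabled = num("login/disable_multi_gui_login") == 1
    expect("login/disable_multi_gui_login", multi_disabled, "multiple GUI logons permitted")
    # Even with multiple logons disabled, IDs in login/multi_login_users may log on repeatedly.
    exceptions = [u for u in params.get("login/multi_login_users", "").split(",") if u]
    if multi_disabled and exceptions:
        findings.append(("review", "login/multi_login_users", ",".join(exceptions),
                         "multi-logon exception list; confirm each ID is justified"))
    return findings


if __name__ == "__main__":
    for sev, name, value, msg in evaluate_logon_parameters(parse_rsparam(SAMPLE_RSPARAM)):
        print(f"{sev:6} {name:32} = {value:22} {msg}")
```

On the constructed listing the script reports two failures (12 attempts before lock, automatic unlock at midnight) and one item for review (the two IDs exempted from the single-logon rule); everything else passes. Run it once per instance and client, since the parameters are set per profile and an auditor cannot assume the production instance matches development.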

Reviewing Technical Security Access Controls (continued)

Determine who can alter number ranges

TC = SPRO, SNRO

Object = S_NUMBER

Activities = 02 (change intervals), 11 (change current number level), 13 (initialize number level), 17 (maintain number range objects)

Determine who can do table updates in production (should not be permitted)

TC = SM30, SM31

Object = S_TABU_DIS (client-independent tables also require S_TABU_CLI with CLIIDMAINT = X)

Activity = 02 (change); 03 is display only

Data Dictionary and repository updates in production should not be permitted

TC = SE11, SE15, SE16, SE38, SE80

Object = S_DEVELOP

Activities = 01 (create), 02 (change), 06 (delete), 07 (activate)
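To answer "who can?" for the three checks above, an auditor normally exports the user-level authorization data (for example from SUIM / RSUSR002) and scans it rather than clicking through one user at a time. The following added example, which is not from the deck or from SAP, performs that scan over a constructed extract with the columns USER, OBJECT, FIELD, VALUE; the flattened column layout and the user IDs are assumptions. It treats a value of '*' as granting every activity, and reports S_TABU_CLI together with S_TABU_DIS as the step above requires.

```python
"""Scan a per-user authorization extract for the production change rights the
three audit steps above test (example code, not SAP's)."""
from collections import defaultdict

# Constructed extract: (USER, OBJECT, FIELD, VALUE). A real SUIM/RSUSR002 export has
# more columns and arrives via roles/profiles; this flattened shape is an assumption.
SAMPLE_AUTH_EXTRACT = [
    ("JDOE",      "S_TABU_DIS", "ACTVT",      "03"),
    ("JDOE",      "S_TABU_DIS", "DICBERCLS",  "*"),
    ("BASIS1",    "S_TABU_DIS", "ACTVT",      "*"),
    ("BASIS1",    "S_TABU_DIS", "DICBERCLS",  "*"),
    ("BASIS1",    "S_TABU_CLI", "CLIIDMAINT", "X"),
    ("DEV_EMERG", "S_DEVELOP",  "ACTVT",      "02"),
    ("DEV_EMERG", "S_DEVELOP",  "ACTVT",      "07"),
    ("DEV_EMERG", "S_DEVELOP",  "ACTVT",      "03"),
    ("FI_CLERK",  "S_NUMBER",   "ACTVT",      "03"),
    ("FI_SUPER",  "S_NUMBER",   "ACTVT",      "11"),
]

# Object -> (critical ACTVT values, what holding them means), per the audit steps above.
CRITICAL = {
    "S_NUMBER":   ({"02", "11", "13", "17"}, "can alter number ranges (SNRO)"),
    "S_TABU_DIS": ({"02"}, "can update tables directly in production (SM30/SM31)"),
    "S_DEVELOP":  ({"01", "02", "06", "07"},
                   "can change dictionary/repository objects in production (SE11/SE38/SE80)"),
}


def activities_by_user(rows):
    """Map (user, object) -> set of ACTVT values held."""
    acts = defaultdict(set)
    for user, obj, field, value in rows:
        if field == "ACTVT":
            acts[(user, obj)].add(value)
    return acts


def find_critical(rows):
    """Return [(user, object, sorted critical activities held, description)]."""
    client_indep = {user for user, obj, field, value in rows
                    if obj == "S_TABU_CLI" and field == "CLIIDMAINT" and value == "X"}
    findings = []
    for (user, obj), held in sorted(activities_by_user(rows).items()):
        if obj not in CRITICAL:
            continue
        critical, meaning = CRITICAL[obj]
        # '*' in an authorization field grants every value, so count all critical ones as held
        hit = critical if "*" in held else held & critical
        if not hit:
            continue
        if obj == "S_TABU_DIS" and user in client_indep:
            meaning += ", including client-independent tables (S_TABU_CLI)"
        findings.append((user, obj, sorted(hit), meaning))
    return findings


if __name__ == "__main__":
    for user, obj, acts, meaning in find_critical(SAMPLE_AUTH_EXTRACT):
        print(f"{user:10} {obj:11} ACTVT {','.join(acts):6} {meaning}")
```

Users holding only display (03) on these objects drop out; the three that remain are the population to trace back to roles, ownership and business justification. The same table-driven approach extends to any other object the audit program names: add the object, its critical activities and a one-line meaning to CRITICAL.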

Reports – RSUSR via AIS (Audit Information System), SA38, or SUIM

May need system administrator to run for you

RSUSR002 – provides a wide variety of profile review options

RSUSR003 – check passwords for SAP* and DDIC

RSUSR005 , 009 – list of users with critical authorizations (this report requires significant computer resources to run – must update table SUKRI with authorizations to check)

RSUSR006 – locked users / unsuccessful login attempts

RSUSR010 – transactions executable by user, profile, authorization

RSUSR060 – where used lists

RSUSR100, 101, 102 – change documents for user master records, profiles, and authorizations

RSUSR200 -- Users with original passwords, users not logged in for xx days, users who have not changed password in xx days

Reports – RSUSR via AIS, SA38, or SUIM (continued)

RSUSR002 – as seen on previous slide can also be used to determine who has access to powerful BASIS transactions including:

DBxx – Database related transactions

SCC4, SCC5 – Client administration

SE01-SE10 – CTS / TMS commands

SE11, SE12, SE13, SE14 – Table structure maintenance

SE15 – Data Dictionary

SE38 – ABAP Editor

SE93 – Maintains transactions

SM01 – Lock / unlock transactions

SM12 – Lock entries

SM30, SM31 – Table Maintenance

SM32 – Updates Table USR40 with invalid passwords

SM37 – Displays and deletes background job logs

SM49 – Execute external operating system commands

SM52 – Execute operating system commands

SM59 – Maintain Remote Function Calls destination definitions

SM69 – Maintain external commands

SP01 – Administer print spools

SU01, SU02, SU03 – Security Administration transactions
