Title: Security Audit and Control Features SAP ERP 3rd Edition Icq Eng 1109
File Size: 1.4 MB
Total Pages: 134
Table of Contents
A. Prior Audit/Examination Report Follow-up
	1.1 Determine whether:
	Senior management has assigned responsibilities for information, its processing and its use
	User management is responsible for providing information that supports the entity’s objectives and policies
	Information systems management is responsible for providing the capabilities necessary for achievement of the defined information systems objectives and policies of the entity
	Senior management approves plans for development and acquisition of information systems
	There are procedures to ensure that the information system being developed or acquired meets user requirements
	There are procedures to ensure that information systems, programs and configuration changes are tested adequately prior to implementation
	All personnel involved in the system acquisition and configuration activities receive adequate training and supervision
	There are procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards
	User management participates in the conversion of data from the existing system to the new system
	Final approval is obtained from user management prior to going live with a new information/upgraded system
	There are procedures to document and schedule all changes to information systems (including key ABAP programs)
	There are procedures to ensure that only authorized changes are initiated
	There are procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client
	There are procedures to allow for and control emergency changes
	There are procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software
	There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated
	The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions
	The database, application and presentation servers are located in a physically separate and protected environment (e.g., a data center)
	Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational
	Backup and recovery plans allow users of information systems to resume operations in the event of an interruption
	Application controls are designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system
	Access to the Implementation Guide (IMG) during production has been restricted
	The production client settings have been flagged to not allow changes to programs and configuration
B. Preliminary Audit Steps
	1.1 The same background information obtained for the SAP ERP Basis Security audit plan is required for and relevant to the business cycles. In particular, the following information is important:
	Version and release of SAP ERP implemented
	Total number of named users (for comparison with logical access security testing results)
	Number of SAP instances and clients
	Accounting period, company codes and chart of accounts
	Identification of the components being used (Human Capital Management, Financials, Operations, Corporate Services)
	Whether the organization has created any locally developed ABAP programs or reports
	Details of the risk assessment approach taken in the organization to identify and prioritize risks
	Copies of the organization’s key security policies and standards
	1.2 Obtain details of the following:
	Organizational Management Model as it relates to sales/revenue activity, i.e., sales organization unit structure in SAP ERP and company sales organization chart (required when evaluating the results of access security control testing)
	An interview of the systems implementation team, if possible, and process design documentation for sales and distribution
	2.1 Develop a high-level process flow diagram and overall understanding of the Revenue processing cycle, including the following subprocesses:
	Maintain pricing/customer master data
	Sales order processing
	Invoice processing
	Payment receipt
	2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the sample testing program below and to chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
	The controls culture of the organization (e.g., a just-enough control philosophy)
	The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)
C. Detailed Audit Steps
1. Maintain customer/pricing master data.
	1.1 Changes made to master data are valid, complete, accurate and timely.
		1.1.1 Determine whether the following reports of changes to master data have been compared to authorized source documents and/or a manual log of requested changes to ensure they were input accurately and on a timely basis:
		1.1.2 Review organization policy and process design specifications regarding access to maintain master data. Test user access to create and maintain customer, material and pricing master data as follows:
		1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
	1.2 Master data remain current and pertinent.
		1.2.1 Determine whether management runs the following reports, or equivalent, by master data type and confirm evidence of management’s review of the data for currency and ongoing pertinence:
		Customer master data—Run transaction code F.20
		Material master data—Run transaction code MMS3
		Pricing master data—Run transaction code VK13
		Transaction F.32 provides an overview of customers for which no credit limit has been entered. Check the output from transaction F.32 to confirm a credit limit has been set for customers in the range requiring a limit.
2. Sales Order Processing
	2.1. Sales orders are processed with valid prices and terms and processing is complete, accurate and timely.
		2.1.1. Determine whether the ability to create, change or delete sales orders, contracts, and delivery schedules is restricted to authorized personnel by testing access to the following transactions:
		Create (VA01)/Change (VA02) Sales Order
		Create (VA31)/Change (VA32) Delivery Schedules
		Create (VA41)/Change (VA42) Contracts
		2.1.2. Refer to master data integrity point 1.1.2.
		2.1.3. Refer to master data integrity point 1.1.3.
		2.1.4. Understand the policies and procedures regarding reconciliation of sales orders. Review operations activity at selected times and check for evidence that reconciliations are being performed.
	2.2. Orders are processed within approved customer credit limits.
		2.2.1. Determine whether the configurable control settings address the risks pertaining to the processing of orders outside customer credit limits and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
		Transaction SPRO Menu Path—Financial Accounting > Accounts Receivable & Accounts Payable > Credit Management > Credit Control Account
		Execute transaction OVAK to show the type of credit check performed for the corresponding transaction types in order processing.
		Execute transaction OVA7 to determine whether a credit check is performed for appropriate document types being used.
		Execute transaction OVAD to show the credit groups that have been assigned to the delivery types being used.
		Execute transaction OVA8 to show an overview of defined credit checks for credit control areas.
	2.3. Order entry data are completely and accurately transferred to the shipping and invoicing activities.
		2.3.1. Obtain a full list of incomplete sales documents from the system using transaction V.00 (also accessible using transaction code SA38 and program RVAUFERR). Review items on the list with the appropriate operational management, and ascertain if there are legitimate reasons for the sales documents that remain incomplete.
3. Invoice Processing
	3.1. Controls are in place to prevent duplicate shipments or delay in the shipping of goods to customers.
		3.1.1. Generate the list of current system configuration settings relating to copy control between sales and shipping documents using transaction VTLA (Display Copying Control: Sales Document to Delivery Document). Select each combination of delivery type and sales document type and click the Item button. Double-click each item category and verify that the indicator Pos./neg. quantity has been set to + (the sales document is then updated automatically as deliveries are made for its line items). Depending on the volume of shipping and sales data entered manually, it may also be necessary to verify a sample of shipping and sales input for accuracy.
		3.1.2. Determine whether the following shipping reports are used to assist in controlling the shipping process:
		Backorders—V.15
		Process Delivery Due List—VL04
		Outbound Deliveries for Picking—VL06
		Outbound Deliveries for Confirmation —VL06C
		Outbound Deliveries to be Loaded —VL06L
	3.2. Invoices are generated using authorized terms and prices and are accurately calculated and recorded.
		3.2.1. Display current system settings relating to invoice preparation online using the IMG: Transaction SPRO Menu Path—Sales and Distribution > Billing > Billing Documents.
		Determine whether the connection between source and target documents supports the accurate flow of billing details through the sales process and supports the accurate calculation and posting of invoice data.
	3.3. All goods shipped are invoiced, in a timely manner.
		3.3.1. Execute transaction VF04—Process Billing Due List. All goods/services that have not been invoiced, or that have been only partially invoiced, will appear on the list, sorted by invoice due date. Review the aging of items in the list. For items outstanding for more than one billing period, seek an explanation from management as to why the items have not been billed.
		3.3.2. Assess user access to picking lists, delivery notes and goods issues by testing access to the following transactions:
		3.3.3. Execute transaction VF03 Display Invoice and click on the expansion button next to the billing document field and select Billing Documents Still to Be Passed Onto Accounting. Obtain explanation for any invoices that appear in this list. Test user access to transactions to enter invoices and confirm this is consistent with staff job roles and management’s intentions.
	3.4. Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
		3.4.1. Assess user access to sales order return and credit notes transactions as follows:
	3.5. Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy and in a timely manner.
		3.5.1. View the sales document types configured by using transaction VOV8. Identify all sales document types that relate to sales order returns and credit memo requests. Double-click one of these document types. In the General Control section of the screen there is a Reference Mandatory field; verify that it has been set to M (reference to a billing document is mandatory). Repeat this for each of the other relevant document types. Discuss the reference field settings in place for the selected document types with management and determine whether the configuration is set as management intended.
		3.5.2. Review the configuration settings for delivery and billing blocks online using the IMG as follows:
4. Payment Receipt
	4.1. Cash receipts are entered accurately, completely and in a timely manner.
		4.1.1. Take a sample of bank reconciliations and test for adequate clearance of reconciling items and approval by finance management.
		4.1.2. Determine whether the system has been configured to not allow processing of cash receipts outside of approved bank accounts. Execute transaction FI12 and ascertain to which bank accounts a cash receipt can be posted. Determine if this is consistent with management’s intentions.
		4.1.3. Use the transaction code F.21—Customer Open Items (also accessible using transaction code SA38 and program RFDEPL00) to review customer open items. The report lists each item and the amount owed. At the end of the listing, the total amount still to be collected is calculated. Transaction code S_ALR_87009956 - Customer Open.
	4.2. Cash receipts are valid and are not duplicated.
		4.2.1. Review the accounts receivable reconciliation and determine whether there are any amounts unallocated or any reconciling items. Determine the aging of these items and make inquiry of management as to the reasons for these items remaining unallocated or unreconciled.
	4.3. Cash discounts are calculated and recorded accurately.
		4.3.1. Review the settings in place for tolerance levels for allowable cash discounts and cash payment differences by the following transactions:
	4.4. Timely collection of cash receipts is monitored.
		4.4.1. As for 4.1.3, determine whether accounts receivable aging reports are reviewed regularly to ensure that the collection of payments is being performed in a timely manner.
A. Prior Audit/Examination Report Follow-up
	1.1 Determine whether the items listed under section A of the Revenue cycle above are in place; the checklist is identical for this cycle.
B. Preliminary Audit Steps
	1.1 The same background information obtained for the SAP ERP Basis Security audit plan is required for and relevant to the business cycles; the items are those listed under section B, step 1.1 of the Revenue cycle above.
	1.2 Obtain details of the following:
	The Organizational Management Model as it relates to expenditure activity, i.e., purchasing organization unit structure in SAP ERP and purchasing/accounts payable organization chart (required when evaluating the results of access security control testing)
	An interview of the systems implementation team, if possible, and the process design documentation for materials management
	2.1 Develop a high-level process flow diagram and overall understanding of the Expenditure processing cycle, including the following subprocesses:
	Master data maintenance
	Purchasing
	Invoice processing
	Processing disbursements
	2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to the sample testing program below and to chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
	The controls culture of the organization (e.g., a just-enough control philosophy)
	The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)
C. Detailed Audit Steps
1. Master Data Maintenance
	1.1 Changes made to master data are valid, complete, accurate and timely.
	1.1.1 Determine whether the changes made to the master data are complete, accurate and timely. Using the specified transaction code or SA38, determine whether the following reports of changes to master data are compared to authorized source documents and/or a manual log of requested changes to ensure that they were input accurately and on a timely basis:
	For vendor master data, use transaction code S_ALR_87010039 (also accessible through transaction code SA38 and program RFKABL00) to produce a list of master data changes.
	1.1.2 Determine whether access to create and change vendor pricing master data is restricted to a dedicated area and to authorized individuals. Review organization policy and process design specifications regarding access to maintain master data. Test user access by using transaction code SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002; refer to chapter 4 on how to test user access) to create and maintain vendor master data as follows:
	Finance entry—Transaction codes FK01 (Create), FK02 (Change), FK05 (Block/Unblock), FK06 (Delete)
	Purchasing entry—Transaction codes MK01 (Create), MK02 (Change), MK05 (Block/Unblock), MK06 (Delete)
	Centralized entry—Transaction codes XK01 (Create), XK02 (Change), XK05 (Block/Unblock), XK06 (Delete)
	Create info record—ME11
	Change info record—ME12
	Delete info record—ME15
	Create condition—MEK1
	Change condition—MEK2
	Create condition with reference—MEK4
	1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using transaction code OBD3 and ascertain whether account groups have been set up covering one-time vendor or other vendor accounts. For high-risk account groups such as one-time vendors, check whether authorization has been marked as a required field.
	1.1.4 Determine whether a naming convention is used for vendor names (e.g., as per letterhead) to minimize the risk of establishing duplicate vendor master records. Extract a list of vendor account names from table LFA1 (fields: NAME1 = name, LIFNR = vendor number). Review a sample for compliance with the organization's naming convention. View or search the list (using scan/search software tools, if available) for potential duplicates.
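	Step 1.1.4 describes the duplicate screening in words. The following Python script is an added example (it is not part of the audit program and not SAP code) that performs the check on a constructed LFA1 extract of LIFNR/NAME1 pairs: names are normalized (case, punctuation, whitespace, legal-form tokens such as Ltd./GmbH), exact duplicates are grouped on the normalized key, near-duplicates are found with a string-similarity ratio, and a naming-convention check is applied. The sample vendors, the list of legal-form tokens, the similarity threshold and the convention rule (mixed case as on the letterhead, single spaces) are all assumptions for the example; in practice the input would be the table extract from SE16 on LFA1.

```python
# Added example (not part of the audit program): screen an LFA1 extract
# (LIFNR, NAME1) for duplicate vendors and naming-convention violations.
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample extract; not real vendor data.
LFA1_SAMPLE = [
    ("0000100001", "Acme Industrial Supplies Ltd."),
    ("0000100002", "ACME INDUSTRIAL SUPPLIES LIMITED"),
    ("0000100003", "Acme Industrial Supplies"),
    ("0000100004", "Northwind Traders GmbH"),
    ("0000100005", "Northwind  Traders G.m.b.H"),
    ("0000100006", "Contoso Pharmaceuticals Inc"),
    ("0000100007", "Fabrikam Logistics"),
    ("0000100008", "Contoso Pharmaceutical Inc"),
]

# Legal-form tokens ignored when comparing names (assumed list).
LEGAL_FORMS = {"ltd", "limited", "inc", "incorporated", "gmbh", "llc",
               "plc", "co", "corp", "corporation", "ag", "sa", "bv"}


def normalize_name(name: str) -> str:
    """Canonical comparison key: drop dots (so G.m.b.H becomes gmbh),
    lowercase, turn other punctuation into spaces, collapse whitespace,
    remove legal-form tokens."""
    text = re.sub(r"[^a-z0-9]+", " ", name.lower().replace(".", ""))
    return " ".join(t for t in text.split() if t not in LEGAL_FORMS)


def convention_violations(rows):
    """Assumed convention for the example (step 1.1.4, 'as per letterhead'):
    mixed case as on the letterhead and single spaces between words."""
    return [lifnr for lifnr, name in rows if name.isupper() or "  " in name]


def find_duplicates(rows, threshold=0.85):
    """Exact duplicates share a normalized key; near-duplicates are distinct
    keys whose difflib similarity ratio reaches `threshold`."""
    groups = defaultdict(list)
    for lifnr, name in rows:
        groups[normalize_name(name)].append(lifnr)
    exact = sorted(sorted(v) for v in groups.values() if len(v) > 1)
    near = []
    for a, b in combinations(sorted(groups), 2):
        ratio = SequenceMatcher(None, a, b).ratio()
        if ratio >= threshold:
            # report one representative vendor number per key
            near.append((groups[a][0], groups[b][0], round(ratio, 2)))
    return {"exact": exact, "near": near}


if __name__ == "__main__":
    print(find_duplicates(LFA1_SAMPLE))
    print(convention_violations(LFA1_SAMPLE))
```

On the sample, the three Acme and the two Northwind records collapse to the same keys, the two Contoso spellings are reported as near-duplicates, and the all-uppercase and double-spaced names are flagged against the convention. The near-duplicate pass is quadratic in the number of distinct keys, which is acceptable for a vendor master of tens of thousands of records; beyond that, block on the first token before comparing.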
	1.2 Vendor master data remain current and pertinent.
		1.2.1 Determine whether management periodically reviews master data to check their currency and ongoing pertinence, and whether the appropriate management displays or produces a list of vendors using report RFKKVZ00 or equivalent. Confirm evidence of management’s review of the data on a rotating basis for currency and ongoing pertinence.
2. Purchasing
	2.1 Purchase order entry and changes are valid, complete, accurate and timely.
		2.1.1 Determine whether purchase orders are handled with a valid process and terms and if processing is complete, accurate and timely. Determine whether the ability to create, change, or cancel purchase requisitions, purchase orders, and outline agreements (standing purchase orders) is restricted to authorized personnel by testing access to the following transactions:
		Create Purchase Requisition—ME51/ME51N
		Change Purchase Requisition—ME52/ME52N
		Release Purchase Requisition—ME54/ME54N
		Collective Release of Purchase Requisition—ME55
		Create Purchase Order, Vendor Known—ME21/ME21N
		Change Purchase Order—ME22/ME22N
		2.1.2 Determine whether the SAP ERP source list functionality allows specified materials to be purchased only from vendors included in the source list for the specified material. Through discussions with management, determine (types of) materials for which source lists should be available in the system. Also, determine (types of) materials for which a source list should not be present. Examine a selection of materials and view the corresponding source list using the following reports to corroborate the performance of the control activity in the appropriate accounting period:
		ME06 reports on all material items and whether they belong to a source list or not.
		ME0M shows all material items and any associated vendors (including historic data). To run ME0M, specify a material or a range of materials. Use the match code, click on the Search Help option and choose option J—material by material group—to get a list of materials.
		Select a sample of purchase orders and check them against the source list reports to determine whether specific materials have been procured from unlisted vendors.
		2.1.3 Determine whether the SAP ERP release strategy is used to authorize purchase orders, outline agreements (standing purchase orders) and unusual purchases (e.g., capital outlays). Obtain sufficient understanding of the system configuration to assess the adequacy of the release strategy as defined and implemented by the organization, as well as the function and effectiveness of established policies, procedures, standards and guidance. Execute the following transactions to obtain an understanding of the way the system has been configured:
		Release procedure: Purchase Orders—Transaction SPRO menu path: Materials Management > Purchasing > Purchase Order > Release Procedure for Purchase Orders > Define Release Procedure for Purchase Orders
		Requisitions (with classification)—Transaction SPRO menu path: Material Management > Purchasing > Purchase Requisitions > Release Procedure > Procedure with Classification > Set Up Procedure with Classification
		Click on Release Strategy. Select the strategies one by one, by double-clicking on the strategy. Note the release codes that are shown and check authorization (authorization objects M_BANF_FRG and M_EINK_FRG) for these release codes.
		Click on Classification. This will show the conditions under which the purchase document will be blocked. Ascertain if these conditions comply with management’s intentions.
		Release procedure Purchase Requisitions (without classification)— Transaction SPRO menu path: Material Management > Purchasing > Purchase Requisitions > Release Procedure > Set Up Procedure without Classification
		Click on Release Prerequisites. Note the release codes that are shown and check authorization for these release codes.
		Re-execute the above SPRO menu path and click on Determination of Release Strategy. This will show the conditions under which the purchase document will be blocked. Ascertain if these conditions comply with management’s intentions.
		Test user access to transactions for release strategies:
		Release Purchase Order—ME28
		Release Outline Agreement—ME35
		Release Purchase Requisition—ME54
		Collective Release of Purchase Requisitions—ME55
2.2 Goods are received only for valid purchase orders and goods receipts are recorded completely, accurately and in a timely manner.
	2.2.1 Determine whether goods (or materials or equipment) are received only against valid purchase orders, and whether goods receipts are always recorded completely, accurately and in a timely manner.
	Determine whether an investigation takes place when receipts have no purchase order or exceed the purchase order quantity by more than an established amount, and whether management reviews exception reports of goods not received on time for recorded purchases. Run transaction code VL10B (also accessible using transaction code SA38 and program RM06EM00) to produce a listing of purchase orders outstanding.
	2.2.2 Determine whether order entry data are transferred completely and accurately to the shipping and invoicing activities, and if the ability to input, change or cancel goods received transactions is restricted to authorized inbound logistics/raw materials personnel. Test user access to transactions for goods receipt as follows:
	Goods Receipt for Purchase Order —MB01
	Goods Receipt, Purchase Order Unknown—MB0A
	Goods Receipt for Production Order —MB31
	Other Goods Receipts—MB1C
	Cancel/Reverse Material Document —MBST
	2.3 Defective goods are returned to suppliers in a timely manner.
		2.3.1 Determine whether defective goods (or materials or equipment) are returned in a timely manner to suppliers, are adequately segregated from other goods in a quality assurance bonding area, and are regularly monitored (assigned a specific movement type, e.g., 122) to ensure timely return to suppliers, and whether credit is received in a timely manner. Ascertain from management the movement type used to block processing and for returning rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with the appropriate movement type. Determine if there are any long-outstanding materials pending return to suppliers or receipt of appropriate credits.
3. Invoice Processing
	3.1.1 Determine whether amounts posted to accounts payable represent goods or services received; the ability to input, change, cancel or release vendor invoices for payment is restricted to authorized personnel; and the ability to input vendor invoices that do not have a purchase order and/or goods receipt is restricted to authorized personnel. Test user access to transactions for invoice processing:
	Enter Invoice—MRHR, MIRO, MR01
	Change Invoice—FB02
	Process Blocked Invoice—MR02
	Cancel Invoice—MR08
	Enter Credit Memo—MRHG
	3.2.1 Determine whether the SAP ERP software is configured to perform a three-way match. Transaction SPRO menu path: Materials Management > Purchasing > Purchase Order > Define Screen Layout at Document Level (Change View field selection at document level: Overview) by selecting ME21—Create Purchase Order and then selecting GR/IR Control. Determine whether GR/IR Control has been set globally to required entry. If the GR/IR Control indicator has not been set globally for all vendors, determine whether it has been set for particular vendors by displaying table LFM1, field name WEBRE, using transaction SE16. Where GR/IR Control has not been set, ascertain from management if there are any reasons.
	3.2.2 Determine whether the SAP ERP software is configured with quantity and price tolerance limits. Check tolerance limits for price variances and message settings for invoice verification (online matching) as follows:
	Variance settings: Execute transaction OMR6. The system will show an overview of the defined tolerance limits. Double-click on the entries that relate to the organization being audited. Check two entries: one for tolerance key PE (price) and one for tolerance key SE (discount).
	Message settings:
	3.2.3 Determine if GR/IR account balances using transaction code S_P6B_12000135 (also accessible using transaction code SA38 and program RM07MSAL) are executed and reviewed periodically. Check that there are appropriate procedures in place to investigate unmatched purchase orders. In particular, long-outstanding items should be followed up and cleared.
	3.2.4 Determine whether reports of outstanding purchase orders are reviewed regularly. Run the transaction code SA38 and program RM06EM00 to produce a listing of purchase orders outstanding and review long-outstanding items with management.
	3.2.5 Determine whether the SAP ERP software restricts the ability to modify the exchange rate table to authorized personnel, management approves values in the centrally maintained exchange rate table and the SAP ERP software automatically calculates foreign currency translations based on values in the centrally maintained exchange rate table. Determine whether management reviews a sample of changes to exchange rates above a certain percentage with regard to the volume and value of foreign currency transactions for the organization. Test user access to the exchange rates and the related authorization objects:
	Exchange rate via standard transaction—First, execute transaction SUCU. Click on Position. Enter value V_TCURR and press Enter. Note the value in the authorization group field. Then test user access to transaction code OB08, authorization object: S_TABU_DIS (Class Basis: Administration), field activity: value 02 and field authorization group: value noted with transaction SUCU.
	Exchange rate via view maintenance—First, execute transaction SUCU. Click on Position. Enter table name value V_T001R, click on Choose. Note the value in the authorization group field.
	Do the same for table V_TCURF. Then test user access to transaction codes as follows with authorization object: S_TABU_DIS (Class Basis: Administration), field activity: 02 and field authorization group: value noted with transaction SUCU:
	Maintain Table Rounding Units—OB90
	Maintain Table Foreign Currency Ratios—OBBS
	Table View Maintenance—SM30
	3.3.1 Determine whether the ability to input, change, cancel or release credit notes is restricted to authorized personnel. Test user access to post invoices directly to vendor accounts:
	Enter Credit Note—MRHG
	Enter Invoice—MRHR, MIRO, MR01
4. Processing Disbursements
	4.1.1 Determine whether disbursements are made only for goods and services received, and are calculated accurately, recorded and distributed to the appropriate suppliers in a timely manner. Determine whether management approves the SAP ERP payment run parameter specification. Test user access to transactions to process disbursements:
	Automatic Payment Transactions—F110S
	Parameters for Payment —F110
	Payment With Printout—F-58
	4.1.2 Test user access to blocked invoices:
	Change Document—FB02
	Change Line Items—FB09
	Block/Unblock Vendor (Centrally)—XK05
	Block/Unblock Vendor—FK05
A. Prior Audit/Examination Report Follow-up
	There is a process for monitoring the volume of named and concurrent SAP ERP users to ensure that the license agreement is not being violated
	The organization structure, established by senior management, provides for an appropriate segregation of incompatible functions
	The database, application and presentation servers are located in a physically separate and protected environment (i.e., a data center)
	Emergency, backup and recovery plans are documented and tested on a regular basis to ensure that they remain current and operational
	Backup and recovery plans allow users of information systems to resume operations in the event of an interruption
	Application controls are designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system
	Access to the Implementation Guide (IMG) during production has been restricted
	The production client settings have been flagged to not allow changes to programs and configuration
	1.2 Obtain the following relevant business cycle details:
	Version and release of SAP ERP implemented
	Total number of named users (for comparison with logical access security testing results)
	Number of SAP instances and clients
	Accounting period, company codes and chart of accounts
	Identification of the components being used (Human Capital Management, Financials, Operations, Corporate Services)
	Whether the organization has created any locally developed ABAP programs or reports
	Details of the risk assessment approach taken in the organization to identify and prioritize risks
	Copies of the organization’s key security policies and standards
	2.1 Develop a high-level process flow diagram and overall understanding of the Inventory processing cycle, including the following subprocesses:
	Master data maintenance
	Raw materials management
	Producing and costing inventory
	Handling and shipping finished goods
	2.2 Assess the key risks, determine key controls or control weaknesses, and test controls (refer to detailed sample testing program below and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
	The controls culture of the organization (e.g., a just-enough control philosophy)
	The need to exercise judgment to determine the key controls in the process and whether the controls structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)
C. Detailed Audit Steps
1. Master Data Maintenance
	1.1 Changes made to master data are valid, complete, accurate and timely.
		1.1.1 Take a sample of inventory file updates using transaction MB59 (which allows a search across multiple materials for a given date range) and check them back to authorized source documentation. Review the process for physical stock-takes to confirm the complete, accurate, valid and timely recording of stock differences.
		1.1.2 Review organization policy and process design specifications regarding access to maintain material master data. Test user access to the following transaction codes:
		Create Material—MM01
		Change Material—MM02
		Flag Material for Deletion—MM06
		1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
		Material Types: Transaction SPRO Menu Path—Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
		Industry Sector: Transaction SPRO Menu Path—Logistics General > Material Master > Field Selection > Define industry sectors and industry-sector-specific field selection
		Default Price Types: Execute transaction OMW1 and determine whether default settings have been set for the price type for material records.
		Tolerances for physical inventory differences: Execute transaction OMJ2 and compare defined tolerances to organizational policy and judge for reasonableness.
	1.2 Inventory master data remain current and pertinent.
		1.2.1 Determine whether the appropriate management runs the materials list transaction code MM60, or equivalent, by material type and confirm evidence of management’s review of the data on a rotating basis for currency and ongoing pertinence.
	1.3 Settings or changes to the bill of materials or process order settlement rules are valid, complete, accurate and timely.
		1.3.1 Review organization policy and process design specifications regarding access to maintain bill of materials and process order settlement rules. Test user access to the following transaction codes:
		Create Material BOM—CS01
		Change Material BOM—CS02
		Make Mass Changes—CS20
		Change Single-layered BOM—CS72
		Change Multi-layered BOM—CS75
		Change settlement rules—COR2; Nondisplayable transaction code KOBK (refer to menu path: Logistics > Production Process > Process Order > Process Order > Display. Enter the process order number and press Enter then go to Header > Settlement Rule)
		1.3.2 Take a sample of BOM updates using transaction CS80 and check back to authorized source documentation.
2. Raw Materials Management
	2.1 Inventory is salable, usable and safeguarded adequately.
		2.1.1 Confirm that the distribution resource planning (DRP) process takes into account stock on hand, forecast requirements, economic order quantities and back orders. Execute transaction code MB5M and ascertain the reason for any old stock being held (shelf-life list). Use transaction MC46 to identify slow-moving items and MC50 for “dead” stock (i.e., stock that has not been used for a certain period of time). Test that managers are reviewing this information on a regular basis.
	2.2 Raw materials are received and accepted only with valid purchase orders and are recorded accurately and in a timely manner.
		2.2.1 Test that management executes the report of outstanding purchase orders using transaction ME2L (refer to Expenditure cycle 2.2.1) and follow up on any long-outstanding items.
		2.2.2 Review the reconciliation of the goods received/invoice received account (transaction code MB5S, refer to Expenditure cycle 3.2.3) and confirm that unmatched items have been investigated in a timely manner.
		2.2.3 Test user access to the transactions for goods receipt (refer to Expenditure cycle 2.2.2 for the transaction codes to test).
		2.2.4 Test the controls over inventory stock takes (refer to 1.1.1).
	2.3 Defective raw materials are returned to suppliers in a timely manner.
		2.3.1 Ascertain from management the movement type used to block processing and for returning rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with the appropriate movement type (refer to Expenditure cycle 2.3.1). Determine if there are any long-outstanding materials pending return to suppliers or receipt of appropriate credits.
3. Producing and Costing Inventory
	3.1 Transfers of materials to/from production, production costs and defective products/scrap are valid and recorded accurately, completely and in the appropriate period.
		3.1.1 Review the policy and procedures concerning the transfer of materials and confirm that the above controls are in place and operating. Test that inventory-in-transit accounts are regularly reviewed to ensure the accounts are cleared and reconciled. Confirm that default price types have been established for all materials (refer to 1.1.3).
		3.1.2 Test user access to BOMs (refer to 1.3.1).
		3.1.3 Test user access to issue goods (transaction code MB1A), post transfers between plants (transaction code MB1B) and move goods (transaction code MIGO).
		3.1.4 Test user access to create (transaction code CR01) or change (transaction code CR02) work centers.
4. Handling and Shipping Finished Goods
	4.1 Finished goods received from production are recorded completely and accurately in the appropriate period.
		4.1.1 Test inventory stock-take procedures (refer to 1.1.1).
		4.1.2 Test user access to change settlement rules (refer to 1.3.1).
	4.2 Goods returned by customers are accepted in accordance with the organization’s policies.
		4.2.1 Review the policies and procedures for receiving inventory back into the warehouse. Review some returns of inventory and ensure that they are supported with adequate documentation from the quality inspector. Ascertain from management the movement type used for goods returned from customers. Execute transaction MB51 with the appropriate movement type. Determine if there are any long-outstanding materials pending return to inventory or provision of appropriate credits.
	4.3 Shipments are recorded accurately, in a timely manner and in the appropriate period.
		4.3.1 Test user access to Transfer Stock Between Plants (transaction code LT04) or Change Outbound Delivery (transaction code VL02N).
		4.3.2 Take a sample of the delivery due list and the Owed to Customer report and test for evidence of management action. Review settings, using transaction code OMWB, and confirm that accounts assignments are set to valid COGS accounts.
A. Prior Audit/Examination Report Follow-up
	1. Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
B. Preliminary Audit Steps
	Operating system(s) and platforms
	Total number of named users (for comparison with limits specified in contract)
	Number of SAP ERP instances and clients
	Accounting period, company codes and chart of accounts
	Database management system used to store data for the SAP ERP system
	Location of the servers and the related LAN/WAN connections (need to verify security and controls, including environmental, surrounding the hardware and the network security controls surrounding the connectivity) and, if possible, copies of network topology diagrams
	List of business partners, related organizations and remote locations that are permitted to connect to the ERP environment
	Various means used to connect to the ERP environment (e.g., dial-up, remote access server, Internet transaction server) and the network diagram, if available
	2. In a standard SAP ERP configuration, confirm that separate systems for development, test and production are implemented.
	2.1 Determine whether:
	This approach was taken
	The instances are totally separate systems or are within the same system
	2.2 Determine whether the SAP production environment is connected to other SAP or non-SAP systems. If yes, obtain details as to the nature of connectivity, frequency of information transfers, and security and control measures surrounding these transfers (i.e., to ensure accuracy and completeness).
	3. Identify the components being used (Human Capital Management, Financials, Operations, Corporate Services).
	3.1 Identify whether the organization has implemented any of the following:
	Internet transaction server
	Any of the New Dimension products (e.g., Supply Chain Management, Customer Relationship Management, Business Intelligence)
	Audit Information System. If implemented, determine how it is used (i.e., only for annual audits or on a regular basis to monitor and report on security issues).
	3.2 Determine whether the organization makes use of any mySAP functionality. If yes, describe the functionality and purpose.
	3.3 Determine whether the organization has created any locally developed ABAP/4 programs/reports or tables. If yes, determine how these programs/reports are used. Depending on the importance/extent of use, review and document the development and change management process surrounding the creation/modification of these programs/reports or tables.
	3.4 Obtain copies of the organization’s key security policies and standards. Highlight key areas of concern, including:
	Information security policy
	Sensitivity classification
	Logical and physical access control requirements
	Network security requirements, including requirements for encryption, firewalls, etc.
	Platform security requirements (e.g., configuration requirements)
	3.5 Obtain information regarding any awareness programs that have been delivered to staff on the key security policies and standards. Consider specifically the frequency of delivery and any statistics on the extent of coverage (i.e., what percentage of staff has received the awareness training).
	3.6 Maintain authorizations and profiles, for example:
	Have job roles, including the related transactions, been defined and documented?
	Do procedures for maintaining (creating/changing/deleting) roles exist and are they followed?
	3.7 Determine whether adequate access administration procedures exist in written form. Do any of the following procedures exist within the organization? If yes, document the process and comment on compliance with the policies and standards, and the adequacy of resulting documentation.
	Procedures to add/change/delete user master records
	Procedures to handle temporary access requests
	Procedures to handle emergency access requests
	Procedures to remove users who have never logged into the system
	Procedures to automatically notify the administration staff when employees holding sensitive or critical positions leave the organization or change positions
	3.8 Obtain copies of the organization’s change management policies, processes and procedures, and change documentation. Consider specifically:
	Transport processes and procedures, including allowed transport paths
	Emergency change processes and procedures
	Development standards, including naming conventions, testing requirements and move-to-production requirements
	3.9 Determine whether the organization has a defined process for creating and maintaining clients. If yes, obtain copies and documentation related to the creation and maintenance of clients.
	3.10 Determine the organization’s approach to SAP Service Marketplace. Verify the extent of access permitted and processes used to request, approve, authenticate, grant, monitor and terminate SAP Service Marketplace access.
	4. Review outstanding audit findings, if any, from previous years. Assess impact on current audit.
	5. Identify the significant risks and determine the key controls.
	5.1 Obtain details of the risk assessment approach taken in the organization to identify and prioritize risks.
	5.2 Obtain copies of and review:
	Completed risk assessments impacting the SAP ERP environment
	Approved requests to deviate from security policies and standards
	Assess the impact of the above documents on the planning of the SAP ERP audit.
	5.3 In the case of a recent implementation/upgrade, obtain a copy of the security implementation plan. Assess whether the plan took into account the protection of critical objects within the organization and segregation of duties. Determine whether an appropriate naming convention (i.e., for profiles) has been developed to help security maintenance and to comply with required SAP ERP naming conventions.
C. Detailed Audit Steps
1. Application Installation (Implementation Guide and Organizational Model)
	Maintain Number Range Intervals—02
	Change Number Range Status—11
	Initialize Number Levels—13
	Maintain Number Range Objects for all Number Range Objects—17
	1.2.2 By using transaction code SE16, browse table TDDAT. In the table name field enter Z* and then Y* to identify all of the custom tables. Determine those tables that have &NC& within the authorization group field. Assess whether these settings (&NC&) are appropriate.
	1.2.3 Test access to modify critical tables via the objects S_TABU_DIS (value 02) and transaction codes SM31 or SM30. If the table is cross-client, the user master record must contain a third object, S_TABU_CLI (value X). Use transaction code SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) to check for these restrictions.
	Test access to update tables with authorization group SS, as no one should have update access to this critical systems table.
2. Application Development (ABAP/4 Workbench and Transport System)
	2.1 Application modifications are planned, tested and implemented in a phased manner.
		2.1.1 Determine the system landscape and client strategy, and review the change control policies and procedures (including documentation) to transport objects between environments. Work with the Basis/Transport Administrator to obtain a random sample of transports and trace back to documentation. Ensure that authorization for the transport was obtained and confirm that the specified transport path was followed. For emergency changes, ensure that the specified emergency process was followed. Confirm that appropriate authorizations were obtained and documentation was subsequently completed.
		Review the System Change option and confirm it has been set to No Changes Allowed (refer to 1.1.2 above). Review segregation of duties with respect to creating and releasing change requests. Test user access to authorization object S_TRANSPRT and ACTVT; expect 03 and any transport type (TTYPE). Assess the appropriateness of such access in comparison with the users’ job functions.
	2.2 Customized ABAP/4 programs are secured appropriately.
		2.2.1 To identify customized programs that have not been assigned to an authorization group, enter transaction code SE16. Browse the table TRDIR and enter the values of Z* and then Y* in the program name field. This will produce a list of all customized programs, assuming that the organization has followed standard naming convention when customizing programs. Filter this list for programs that do not have a value in the authorization group field (SECU). Concentrate the investigation on users who have SE38, SA38, SE80 and SE37 transaction codes. These users automatically have access to run many of these programs.
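As an added example (not part of the ISACA audit program), the following Python reads tab-separated SE16 downloads of TDDAT and TRDIR and flags the custom (Z*/Y*) tables in &NC& or with no group at all (step 1.2.2) and the custom programs with no SECU value (step 2.2.1). The column names are the real table fields; every row is constructed sample data.

```python
"""Flag unprotected custom tables and programs from SE16 downloads of TDDAT and TRDIR.

Added example, not part of the ISACA audit program. It assumes the SE16 result
lists for steps 1.2.2 and 2.2.1 were downloaded as tab-separated text. TDDAT's
TABNAME/CCLASS and TRDIR's NAME/SECU are the real column names; every row below
is constructed sample data.
"""
import csv
import io

# Constructed TDDAT extract: table name and authorization group (CCLASS).
TDDAT_EXPORT = """\
TABNAME\tCCLASS
ZCUST_LIMITS\t&NC&
ZPAY_RUN_PARAMS\tZFI
YHR_BONUS\t
ZTEMP_LOG\t&NC&
T001\tFC01
"""

# Constructed TRDIR extract: program name and authorization group (SECU).
TRDIR_EXPORT = """\
NAME\tSECU
ZFI_POST_BATCH\t
ZFI_REPORT_AP\tZFI
YMM_MASS_PRICE\t
ZTEST_DUMMY\tZDEV
SAPMF05A\t
"""

UNCLASSIFIED = "&NC&"  # SAP's "not classified" authorization group


def is_custom(name: str) -> bool:
    """Customer namespace under the standard naming convention: Z* or Y*."""
    return name.upper().startswith(("Z", "Y"))


def parse_export(text: str, key_col: str, group_col: str) -> dict:
    """Read a tab-separated SE16 download into {object name: authorization group}."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    # A missing trailing column comes back as None; treat it like a blank group.
    return {row[key_col].strip(): (row[group_col] or "").strip() for row in rows}


def unprotected_custom_tables(tddat_text: str) -> dict:
    """Step 1.2.2: custom tables whose group is &NC& or blank.

    Either value means the table is reachable by anyone holding S_TABU_DIS for
    &NC& (or '*') instead of a purpose-specific group, so both are returned
    together with the value found, for the auditor's assessment.
    """
    groups = parse_export(tddat_text, "TABNAME", "CCLASS")
    return {name: grp for name, grp in groups.items()
            if is_custom(name) and grp in ("", UNCLASSIFIED)}


def programs_without_auth_group(trdir_text: str) -> list:
    """Step 2.2.1: custom programs with no value in SECU, sorted by name."""
    groups = parse_export(trdir_text, "NAME", "SECU")
    return sorted(name for name, grp in groups.items()
                  if is_custom(name) and grp == "")


def findings(tddat_text: str, trdir_text: str) -> dict:
    """Combine both checks into one result for the working papers."""
    return {
        "unprotected_custom_tables": unprotected_custom_tables(tddat_text),
        "programs_without_auth_group": programs_without_auth_group(trdir_text),
    }


if __name__ == "__main__":
    for heading, items in findings(TDDAT_EXPORT, TRDIR_EXPORT).items():
        print(f"{heading}: {items}")
```

Standard SAP objects (T001, SAPMF05A) are ignored, so the output only lists what the organization itself created and left unprotected.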
		2.2.2 From this list, select a representative sample of customized programs and check the source code to see whether an authority-check statement has been included. Use transaction code SA38 and run the ABAP/4 program RSABAPSC with the appropriate program name and authority check in the ABAP/4 language commands selection field to display the authority-check statements for each of the sampled programs. Note that the results may include other programs called by the sampled programs with the appropriate authority-check statements. Confirm the results of the test with management.
		2.2.3 Review and assess the value for the parameters below (use RSPARAM report):
		auth/no_check_in_some_cases (Can be either Y or N. If set to the recommended value of Y [permit authorization checks], monitor the content of SU24 carefully to make sure that these entries are set appropriately.)
		auth/rfc_authority_check (recommend set to 2 to permit full checking)
		2.2.4 Use transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) to test the number of users who have access to execute all programs independent of the authorization group assigned. Enter the authorization object S_PROGRAM with the activity value of SUBMIT or BTCSUBMIT and the authorization object S_TCODE with a transaction code of SA38, SE37, SE38 or SE80.
		2.2.5 Review the policy, procedures and criteria for establishing program authorization groups, assigning the ABAP/4 programs to groups and including authority-check statements in programs. Compare the results from testing to established policies, procedures, standards and guidance (note that organizations may use additional transactions, tables, authorization objects, ABAP/4 programs, and reports to control their systems).
	2.3 The creation or modification of programs is performed in the development system and migrated through the test system to production.
		2.3.1 To produce a list of users who have access to develop programs in the production system, execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) with the authorization object S_DEVELOP, the activity values of 01, 02 or 06. ABAP/4 programs that are not assigned to an authorization group may be changed by any user with authorization for object S_DEVELOP, depending on whether the user has been assigned a developer’s key and the correct object keys.
	2.4 Access for making changes to the dictionary is restricted to authorized individuals.
		2.4.1 Execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). Review users with the following authorization to determine whether they are appropriate: Data dictionary object: S_DEVELOP with any of the activity values 01, 02, 06, 07 and access to any of the transaction codes SE11, SE12, SE15, SE16, SE37, SE38, SE80
	2.5 Access to modify and develop queries is restricted.
		2.5.1 Using transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002), enter the authorization object S_QUERY with activity value 02 and transaction code SQ01 to identify all users who can create and maintain queries. In addition, use the authorization object S_QUERY with activity value 23 and transaction codes SQ02 or SQ03 to produce a report identifying all users who can maintain functional areas and user groups. Review the lists with management for reasonableness.
	2.6 Relevant company codes are set to Productive in the production environment.
		2.6.1 Transaction code OBR3 contains a list of company codes and whether they have been set to Productive. This information is also available in table T001 and can be viewed using transaction code SE16. Perform a review of this list. In instances where company codes have not been set to Productive, investigate the reasons with management.
3. Application Operations (Computing Center Management System)
	3.1 The Computing Center Management System (CCMS) is configured appropriately.
		3.1.1 To ensure that the CCMS displays meaningful data, determine via inquiry whether transaction RZ04 was used to set up operations modes, instances and timetables.
		3.1.2 Determine how the organization is monitoring its SAP ERP system. Understand the policies, procedures, standards and guidance regarding the execution of SAPSTART and STOPSAP programs or their equivalent in the organization’s environment. Check that only authorized personnel may execute these programs.
		3.1.3 Generate a list of users with the ability to access the Alert Monitor by performing online access authorization testing for these authorization objects S_RZL_ADM, activity values 01 (administrator) and 03 (display) and transaction code, value AL01 (if a 3.x system) or RZ20 (if a 4.x system or SAP ECC system).
	3.2 Batch processing operations are secured appropriately.
		3.2.1 Obtain a list of batch users by executing transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) with the following authorizations:
		Batch input: transaction code—SM35, authorization object—S_BDC_MONI, field: BDCAKTI, value: DELE, FREE, LOCK, REOG and field: BDCGROUP, value: *
		Batch administration: transaction code—SM36/SM37, authorization object—S_BTCH_ADM, field: BTCADMIN, value: Y
		Batch scheduling: transaction code—SM36, authorization object—S_BTCH_JOB, field: JOBACTION, value: DELE, RELE, authorization object—S_BTCH_NAM, value: *
		Batch processing: transaction code—SM37, authorization object—S_BTCH_JOB, field: JOBACTION, value: DELE, RELE, PLAN, authorization object—S_BTCH_NAM, value: *
		Event triggering: transaction code—SM64, authorization object—S_BTCH_ADM, field: BTCADMIN, value: Y
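As an added example (not part of the ISACA audit program), the Python below reproduces offline the kind of selection the program performs with RSUSR002 in steps 1.2.3 (update access to table authorization group SS), 2.3.1 (S_DEVELOP in production) and 3.2.1 (batch authorizations). The extract layout (user, object, authorization name, field, value) and every user and granted value are constructed; the objects, fields and activity values are the ones the audit steps name.

```python
"""Select users holding critical SAP authorizations from an exported user master.

Added example, not part of the ISACA audit program. The extract layout and all
users and granted values are constructed; the authorization objects, fields
and activity values are those named in audit steps 1.2.3, 2.3.1 and 3.2.1.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed extract: (user, object, authorization name, field, value).
# Granted values follow SAP conventions: '*' covers everything and a trailing
# '*' covers a prefix. Value ranges such as 01-03 are not modelled here.
EXTRACT = [
    ("BASIS01", "S_TABU_DIS", "T-BASIS01", "ACTVT", "02"),
    ("BASIS01", "S_TABU_DIS", "T-BASIS01", "DICBERCLS", "*"),
    ("BASIS01", "S_BTCH_ADM", "T-BASIS02", "BTCADMIN", "Y"),
    ("BASIS01", "S_TCODE", "T-BASIS03", "TCD", "SM*"),
    ("DEV01", "S_DEVELOP", "T-DEV01", "ACTVT", "02"),
    ("DEV01", "S_DEVELOP", "T-DEV01", "DEVCLASS", "Z*"),
    ("DEV01", "S_TCODE", "T-DEV02", "TCD", "SE38"),
    ("FI_USER", "S_TABU_DIS", "T-FI01", "ACTVT", "03"),
    ("FI_USER", "S_TABU_DIS", "T-FI01", "DICBERCLS", "FC*"),
    ("FI_USER", "S_TCODE", "T-FI02", "TCD", "SM30"),
    ("OPS01", "S_BTCH_JOB", "T-OPS01", "JOBACTION", "RELE"),
    ("OPS01", "S_BTCH_NAM", "T-OPS02", "BTCUNAME", "*"),
    ("OPS01", "S_TCODE", "T-OPS03", "TCD", "SM37"),
]

# Critical combinations from the audit program: per field, the values the
# auditor searches for (any one of them suffices).
CHECKS = {
    "update access to authorization group SS (1.2.3)":
        ("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLS": ["SS"]}),
    "develop programs in production (2.3.1)":
        ("S_DEVELOP", {"ACTVT": ["01", "02", "06"]}),
    "batch administration (3.2.1)":
        ("S_BTCH_ADM", {"BTCADMIN": ["Y"]}),
}


def value_covers(granted: str, wanted: str) -> bool:
    """True when a granted value (possibly a wildcard) includes the wanted value."""
    return granted == "*" or fnmatchcase(wanted, granted)


def group_authorizations(extract):
    """Group rows into {(user, object, auth name): {field: [values]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for user, obj, auth, field, value in extract:
        auths[(user, obj, auth)][field].append(value)
    return auths


def users_matching(extract, obj: str, wanted_fields: dict) -> list:
    """Users with one authorization for obj that covers every wanted field.

    All fields must be satisfied inside the same authorization, which is how
    the kernel evaluates them; values from different authorizations do not mix.
    """
    hits = set()
    for (user, o, _auth), fields in group_authorizations(extract).items():
        if o != obj:
            continue
        if all(any(value_covers(g, w) for g in fields.get(f, []) for w in wanted)
               for f, wanted in wanted_fields.items()):
            hits.add(user)
    return sorted(hits)


def users_with_tcode(extract, tcode: str) -> list:
    """Users whose S_TCODE authorization covers the transaction."""
    return users_matching(extract, "S_TCODE", {"TCD": [tcode]})


def run_checks(extract) -> dict:
    """Evaluate every check in CHECKS; result is {check name: sorted users}."""
    return {name: users_matching(extract, obj, fields)
            for name, (obj, fields) in CHECKS.items()}


def critical_batch_users(extract) -> list:
    """Step 3.2.1 scheduling/processing: S_BTCH_JOB DELE, RELE or PLAN plus
    S_BTCH_NAM '*' plus SM36 or SM37, all held by the same user."""
    job = set(users_matching(extract, "S_BTCH_JOB",
                             {"JOBACTION": ["DELE", "RELE", "PLAN"]}))
    names = set(users_matching(extract, "S_BTCH_NAM", {"BTCUNAME": ["*"]}))
    tcodes = set(users_with_tcode(extract, "SM36")) | set(users_with_tcode(extract, "SM37"))
    return sorted(job & names & tcodes)


if __name__ == "__main__":
    for check, users in run_checks(EXTRACT).items():
        print(f"{check}: {users or 'none'}")
    print("critical batch users:", critical_batch_users(EXTRACT))
```

Note that BASIS01 is flagged for group SS although no SS value is granted explicitly: the DICBERCLS value '*' covers it, which is exactly what a selection by value in SUIM/RSUSR002 also reports.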
		3.2.2 Determine by corroborative inquiry that upload programs have been removed from the production environment as appropriate.
	3.3 Default system parameter settings are reviewed and configured to suit the organization’s environment.
		3.3.1 Obtain a printout of the values of the following key parameters (run report RSPARAM via transaction code SA38 on each instance, as appropriate) and compare to the requirements as set out in the policies and standards in figure 12.9.
		Confirm that the system profile parameter files and default.pfl are protected from unauthorized access. Confirm that there is a mechanism/process to ensure that the profiles are regularly checked to ascertain that they have not been changed inappropriately. Obtain any related change documentation and ensure that:
		The documentation is authorized.
		Related log entries reflect the expected changes.
		A current printout of the RSUSR006 report is obtained and reviewed for unusual items or trends.
		Determine whether management has a process for frequent monitoring of unsuccessful login attempts and/or locked users via a review of this report. If yes, obtain details of the frequency of monitoring.
		Review a reasonable sample of previously followed-up reports and assess the appropriateness of the follow-up on unusual findings. Run transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002).
		Review and follow up on:
		Users with original passwords
		Users who have not logged in during the last 60 days
		Users who have not changed their passwords in the last 60 days (or any duration that is appropriate for the organization)
		Obtain a sample of user master records in the production environment and work with the authorization security administrator and the job descriptions to assess segregation of duties (refer to chapter 4 for more guidance) and the appropriateness of the access granted.
		3.3.2 Execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002) with the transaction code SM01 to provide a list of all users who have access to lock or unlock transaction codes in the system. Review and confirm this list with management to ensure that only authorized users have access.
		3.3.3 Enter transaction code SM01 to display a list of transaction codes with a check box beside them. A cross in the check box indicates that the transaction code has been locked. Review sensitive transaction codes to ensure that they have been locked from user access. Such transaction codes include but are not limited to:
		SCC5—Client Delete
		SCC1—Client Copy (may overwrite the production client)
		SM49—Execute Logical Commands (may allow pass-through to operating system)
		SM69—Execute Logical Commands (may allow pass-through to operating system)
	3.4 Users are prevented from logging in with trivial or easily guessable passwords.
		3.4.1 Based on the review of the key security policies, determine whether there are any character combinations (apart from the SAP ERP standards) that the policy has prohibited from use. If yes, obtain a printout of the contents of table USR40 and confirm that the list of “illegal” words is contained therein.
	3.5 SAP Router is configured to act as a gateway to secure communications into and out of the SAP ERP environment.
		3.5.1 Discuss with the operating system administrators the procedures surrounding changes to SAP Router and the procedures surrounding restarting SAP Router when it goes down.
		3.5.2 Obtain a list of individuals with view and/or change access to the SAP Router binary. Review the list with key management and assess the appropriateness of the segregation of duties.
		3.5.3 Request an extract of the SAP Router permissions table (for example, execute the UNIX command saprouter -L <path>) from the operating system administrator. Review the permissions table with the operating systems administrator. Compare with the network diagram to assess the appropriateness of the IP addresses and with change control documentation to confirm that management has appropriately authorized changes.
		3.5.4 If logging is active, ascertain the frequency with which the logs are reviewed and followed up.
		3.5.5 Obtain a reasonable sample of the logs and review them with the operating systems administrator.
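The permissions-table review in step 3.5.3, as an added example that is not part of the original audit program: it parses a route permission table in saprouttab format (action P, S or D, source host, destination host, destination service), applies saprouter's first-match rule to sample connections, and lists the entries an auditor would raise against the approved destinations from the network diagram. The table and the approved list are constructed for the example; the example treats * as a glob wildcard in any field.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# Constructed route permission table; not taken from a real saprouter.
# Each entry: action, source host, destination host, destination service/port.
# '*' is the wildcard; this example treats it as a glob.
SAPROUTTAB_SAMPLE = """\
# constructed saprouttab for the example
S 10.1.20.7      sapprd01   3200
P 10.1.20.15     sapprd01   *
D *              sapdev01   *
P *              *          *
"""


@dataclass
class Route:
    action: str     # 'P' permit any protocol, 'S' permit SAP protocol only, 'D' deny
    source: str
    dest: str
    service: str
    line_no: int


def parse_saprouttab(text: str) -> List[Route]:
    """Parse the permission table; KP/KS/KD (SNC) entries keep their permission letter."""
    routes = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        action = fields[0].upper()
        if action.startswith("K") and len(action) == 2:
            action = action[1]
        if action not in ("P", "S", "D") or len(fields) < 4:
            raise ValueError(f"line {line_no}: unrecognised entry {raw!r}")
        routes.append(Route(action, fields[1], fields[2], fields[3], line_no))
    return routes


def route_decision(routes: List[Route], source: str, dest: str, service: str) -> str:
    """saprouter evaluates entries top-down and uses the first match; no match means deny."""
    for r in routes:
        if (fnmatchcase(source, r.source) and fnmatchcase(dest, r.dest)
                and fnmatchcase(service, r.service)):
            return r.action
    return "D"


def review(routes: List[Route], approved_dests) -> List[Tuple[int, str]]:
    """Findings to raise when comparing the table against the network diagram."""
    findings = []
    for r in routes:
        if r.action == "D":
            continue
        if r.source == "*" and r.dest == "*":
            findings.append((r.line_no, "permits any source to any destination"))
            continue
        if r.dest not in approved_dests:
            findings.append((r.line_no, f"destination {r.dest} is not on the approved list"))
        if r.service == "*":
            findings.append((r.line_no, f"permits every port on {r.dest}"))
        if r.action == "P":
            findings.append((r.line_no, "native route (P); S would restrict it to the SAP protocol"))
    return findings


if __name__ == "__main__":
    table = parse_saprouttab(SAPROUTTAB_SAMPLE)
    for line_no, text in review(table, {"sapprd01"}):
        print(f"line {line_no}: {text}")
    print("10.9.9.9 -> sapprd01:3200 ->", route_decision(table, "10.9.9.9", "sapprd01", "3200"))
```

Because the first matching entry wins, an entry such as the catch-all on the last line only takes effect for connections that no earlier entry covers; ordering therefore matters as much as the individual entries when the table is compared with the change control records.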
	3.6 Remote access by software vendors is controlled adequately.
		3.6.1 Determine the organization’s approach to SAP Service Marketplace. Verify the extent of access permitted and the processes used to request, approve, authenticate, grant, monitor and terminate SAP Service Marketplace access. Check that changes are subject to normal testing and migration controls.
		3.6.2 Obtain a list of SAP Service Marketplace users on the production client. Enter transaction code OSS1 using the client’s administrator ID. Click on the SAPNET icon followed by the Administration icon. Perform an authorization analysis by authorization object view. This will provide a list of all users assigned to the SAP Service Marketplace by authorization object. In particular, review for reasonableness with management the users who have been assigned to administration authorization and open service connections.
	3.7 SAP ERP Remote Function Call (RFC) and Common Programming Interface—Communications (CPI-C) are secured.
		3.7.1 Ascertain whether the login information (dialog and/or nondialog users) is stored and reviewed. Obtain a representative sample and review to ensure that dialog users are appropriate (i.e., valid employees with authorization) and that nondialog user IDs are appropriate. To do this, execute transaction code SM59. This will display the table RFCDES, which controls the communication between systems. The table lists the RFC destinations, which will include all SAP ERP connections that are on the system. Expand each of the SAP ERP connections and double-click on each connection to verify that no dialog user ID is listed with its password.
		3.7.2 Determine whether these systems are protected with the appropriate network measures (e.g., SAP Router/firewall/routers).
		3.7.3 Assess the strength/adequacy (i.e., robustness) of password measures to authenticate RFC connections.
		3.7.4 Confirm with the SAP ERP security authorization manager that authority checks are included in functional modules called via RFC.
		3.7.5 Via transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002), identify users who have access to transaction code SM59. Assess whether this access is appropriate (work with user access management).
		3.7.6 If using release 4.0 or higher, ascertain whether SNC protection has been applied to RFC calls. If yes, cross-reference to SNC documentation and testing performed earlier.
		3.8.1 Firewall
		3.8.2 Secure Network Communications (SNC)
		3.8.3 Secure Store and Forward (SSF) Mechanisms and Digital Signatures
		Ascertain whether the organization uses hardware- or software-based keys.
		Describe the controls surrounding issuance and changing of the public and private keys.
		Ascertain whether the organization uses self-signed certificates or CA-signed certificates.
		3.8.4 Workstation Security
		Users are able to bypass screen saver/power-on passwords.
		Screen savers activate automatically or are (as a rule) activated by users when they leave their work areas.
		Virus scanners are used on the network and/or workstations.
		Virus signatures are kept up to date.
		There is a procedure for disseminating virus education to users.
		Are the workstations in secure/restricted areas?
		How is the area secured (e.g., security cards, keys, combination locks)?
		Do individuals circumvent these controls (i.e., piggyback at entrance, prop open the door)?
		3.8.5 Operating System and Database Security
4. Application Security (Profile Generator and Security Administration)
	4.1.1 Determine whether the system administrator tasks are segregated into the following administrator functions by generating user lists for the following authorizations using transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002):
	For the Profile Generator:
	Create and change roles—Used to define and update roles. Use authorization S_USER_AGR with authorization field values of 01 and 02. Test this in conjunction with transaction code PFCG.
	Transport roles—Used to transport or activate roles to/in production. Use authorization S_USER_AGR with authorization field value of 21. Test this in conjunction with transaction code PFCG.
	Assign roles/profiles to user master records—Used to assign or transfer roles/profiles into the user master records for the relevant users. Use authorization S_USER_AGR with authorization field value of 02 and authorization S_USER_GRP with authorization field value of 22. Test this in conjunction with transaction code PFCG. Also test the manual maintenance of roles/profiles (SU02/SU03) in use prior to PFCG.
	Authorization Maintenance: Use authorization S_USER_AUT with authorization field value 01, 02, 07, 22. Test this in conjunction with transaction SU03.
	User Maintenance: Use authorization S_USER_PRO with authorization field value 01, 02, 07, 22. Test this in conjunction with transaction SU02.
	For user master maintenance:
	Create/change/lock/delete changes: Use authorization object S_USER_GRP with authorization field values of 01, 02, 05, 06. Test this in conjunction with transaction code SU01.
	Assign roles/profiles to user master records: Use authorization S_USER_AGR with authorization field value of 02, and authorization S_USER_GRP with authorization field value 22 and 02.
	4.1.2 Test user access to effect mass changes to user master records authorization objects S_USER_GRP and S_USER_PRO with authorization field values of 01, 02, 05 and 06, and transaction codes SU10 (Delete/Add a Profile for All Users) and SU12 (Delete All Users).
	4.2.1 Select a random sample of authorized change documentation that pertains to changes to user master records. Run SUIM > Change Documents > For Users (also accessible through transaction code SA38 and program RSUSR100) and assess whether the changes made are as documented.
	4.2.2 Select a random sample of authorized change documentation that pertains to changes to profiles. Run SUIM > Change Documents > For Profiles (also accessible through transaction code SA38 and program RSUSR101) and assess whether the changes made are as documented.
	4.2.3 Select a random sample of authorized change documentation that pertains to changes to authorizations. Run SUIM > Change Documents > For Authorizations (also accessible through transaction code SA38 and program RSUSR102) and assess whether the changes made are as documented.
	4.3.1 To determine whether the SAP* user has been locked, execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). Enter SAP* in the user field and press F8. Verify that the SAP* group field says SUPER. Click twice on the Other View button. The user status field for SAP* should say locked.
	4.3.2 For SAP*, run transaction code SA38 and program RSUSR003 to confirm that:
	The ID has been deactivated in all clients and a new superuser created.
	The password has been changed from the default (i.e., not trivial).
	4.4.1 To test whether the default password has been changed for DDIC, SAPCPIC and EarlyWatch, execute the SAP ERP report RSUSR003 and determine if the default passwords have been changed. To determine whether the SAPCPIC and EarlyWatch users have been locked, execute transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002). Enter the user name in the user field and press F8. Verify that the group field says SUPER. Click twice on the Other View button. The user status field should say locked.
	4.5.1 Review for appropriateness users assigned the privileged profiles of SAP_ALL and SAP_NEW. Users who have been assigned these superuser profiles/roles should be assigned to user group SUPER or equivalent, which should be maintained by a limited number of Basis personnel only.
	S_A.SYSTEM (System administration authorizations)
	S_RZL_ADMIN (CCMS administration authorizations)
	S_USER_ALL (All user administration authorizations)
	S_A.USER and S_A.ADMIN (used to administer user master record authorizations)
	Check the user list identified by this test to ascertain whether individuals who have access to the previously mentioned functionality require this access, based on their job responsibilities and established policies, procedures, standards and guidance.
	4.6.1 Identify the system administrators within the enterprise and determine to which user groups their user IDs belong. Using transaction SUIM > Users > Users by Complex Selection Criteria (also accessible using transaction code SA38 and program RSUSR002), review the system for users with the authorization object S_USER_AGR (Profile Generator environment) with the activity values 01, 02, 21 and 22, and transaction code PFCG or the authorization object S_USER_GRP (manual maintenance) with the activity values of 01, 02, 05 and 06 and the transaction code SU01. The authorization field user group in user master maintenance should be similar to one of the values identified above. This would usually be the group SUPER or ITO-SYSTEM.
	4.7.1 Because all organizations are structured differently and have different requirements, initial discussions with the organization should be conducted to obtain an understanding of the organization’s structure and configuration requirements for CUA. To test whether CUA has been configured appropriately, execute the transaction codes SALE, SCUA and SCUM and review the appropriateness of the configured settings for the organization.
	4.8.1 Review security procedures created by management that identify what tables are being logged and how often these logs are reviewed by management. For changes to be logged, the system profile parameter rec/client needs to be activated. Check this by reviewing the report RSPARAM and ensuring that the value for this parameter is set to ALL or to the client numbers that will have table logging enabled. Enter transaction code SE16 and enter table TPROT as the object name along with an X in the PROTFLAG field. This will identify tables that have their changes logged. Run report RSTBPROT (table log) or RSTBHIST (table change analysis), which lists all changes to tables that have log data changes activated in their technical settings for the period specified. Take a representative sample of changes to these tables and compare these to the original supporting information/documentation. Obtain explanations for any changes for which supporting information or documentation is not available.
	4.9.1 Understand management’s policies and procedures regarding the review of data dictionary reports. Assess the adequacy of such policies, procedures, standards and guidance, taking into account the:
	Frequency with which the review is performed
	Level of detail in the reports
	Other independent data to which management compares the reports
	Likelihood that the person performing the review will be able to identify exception items
	Nature of exception items that they can be expected to identify
	4.10.1 S_ADMI_FCD is an extremely powerful security object that grants access to several critical Basis Administration functions, as well as some functional user functions (such as spool). It should be assigned with great care, and with only the discrete values needed by users.
	NADM: Network administration (SM54, SM55, SM58, SM59). Only Basis group.
	PADM: Process administration (SM50, SM51, SM04); intercept background job (debugging function in background job administration, transaction SM37). Only Basis group.
	SM02: Authorization to create, change and delete system messages
	UADM: Update administration (SM13)
	T000: Create new client (SCC4)
	TLCK: Lock/unlock transaction (SM01)
	MEMO: Set SAP memory management quota using report RSMEMORY.
	COLA: Administration of OLE automation servers and controls
	4.11.1 For Security Audit log, using release 4.0 or higher:
	Confirm that the Security Audit log has been activated by running the report RSPARAM and confirming the following parameter values:
	– rsau/enable (activates the Security Audit Log on the application server; if the value is 0, it is not active)
	– rsau/local/file (specifies the location of the log; confirm that it is appropriately located)
	– rsau/max_diskspace/local (specifies the maximum size of the log; confirm that the size is adequate for the organization)
	Obtain a listing of events that are logged (can be done via SM20). Review for appropriateness and link to required logging that may be specified in the security policies and standards.
	Determine the frequency and thoroughness of the review of the logs.
	If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process and review for unusual items.
	4.11.2 Review the system log:
	Run the report RSPARAM and review the following parameter values to obtain the locations of the log files:
	– rslg/local/file (specifies the location of the local log on the application server; default: /usr/sap/<SID>/D20/log/SLOG<SAP_instance_#>)
	– rslg/collect_daemon/host (specifies the application server that maintains the central log; default: <hostname of main instance>)
	– rslg/central/file (specifies the location of the active file for the central log on the application server; default: /usr/sap/<SID>/SYS/global/SLOGJ)
	– rslg/central/old_file (specifies the location of the old file for the central log on the application server; default: /usr/sap/<SID>/SYS/global/SLOGJO)
	– rslg/max_diskspace/local (specifies the maximum length of the local log; default: 0.5 MB)
	– rslg/max_diskspace/central (specifies the maximum length of the central log; default: 2 MB)
	– rstr/file (the absolute pathname of the trace file: the trace filename is TRACE<SAP ERP system number>)
	Obtain a listing of events that are logged (can be done via SM21). Review for appropriateness (including the size of each local and central log file) and link to required logging, which may be specified in the security policies and standards.
	Determine the frequency and thoroughness of the review of the logs.
	If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process and review for unusual items.
	Work with the operating system administrator to determine who has permissions to these files. Ensure that the access is appropriate.
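The RSPARAM checks from steps 4.8.1 (rec/client) and 4.11.1/4.11.2 (rsau/* and rslg/* parameters), as an added example that is not part of the original audit program: it reads an RSPARAM-style extract (parameter, user-defined value, system default), resolves the effective value of each parameter, and evaluates the conditions the steps describe. The extract and its values are constructed; the minimum log sizes are assumptions standing in for "adequate for the organization", and the example assumes the disk-space values are in bytes.

```python
import re
from typing import Dict, List, Tuple

# Constructed RSPARAM-style extract: parameter | user-defined value | system default.
# Values are made up for the example; a real extract comes from report RSPARAM.
RSPARAM_SAMPLE = """\
rec/client                 | OFF      | OFF
rsau/enable                | 1        | 0
rsau/local/file            |          | /usr/sap/PRD/D00/log/audit_example
rsau/max_diskspace/local   | 50000000 | 1000000
rslg/local/file            |          | /usr/sap/PRD/D00/log/SLOG00
rslg/max_diskspace/local   |          | 500000
rslg/max_diskspace/central | 4000000  | 2000000
"""


def parse_rsparam(text: str) -> Dict[str, str]:
    """Effective value per parameter: the user-defined value when set, else the system default."""
    effective = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        name, user_val, default = (f.strip() for f in raw.split("|", 2))
        effective[name] = user_val or default
    return effective


def _at_least(value: str, minimum: int) -> bool:
    # Non-numeric values (or an unset parameter) never satisfy a size minimum.
    return value.isdigit() and int(value) >= minimum


def check_logging_parameters(params: Dict[str, str],
                             min_audit_bytes: int = 20_000_000,
                             min_central_syslog_bytes: int = 2_000_000
                             ) -> List[Tuple[str, bool, str]]:
    """Evaluate the settings audited in 4.8.1 and 4.11; returns (parameter, passed, detail).

    The two minimum sizes are assumptions for the example, not SAP-defined values."""
    results: List[Tuple[str, bool, str]] = []

    # 4.8.1: table logging is active only when rec/client is ALL or a list of client numbers.
    rec = params.get("rec/client", "OFF").upper()
    rec_ok = rec == "ALL" or re.fullmatch(r"\d{3}(,\d{3})*", rec) is not None
    results.append(("rec/client", rec_ok, f"table logging setting is {rec}"))

    # 4.11.1: Security Audit Log must be enabled, have a location and an adequate size.
    enable = params.get("rsau/enable", "0")
    results.append(("rsau/enable", enable == "1", f"Security Audit Log enable flag is {enable}"))

    audit_file = params.get("rsau/local/file", "")
    results.append(("rsau/local/file", bool(audit_file),
                    f"audit log written to {audit_file or '<unset>'}"))

    audit_size = params.get("rsau/max_diskspace/local", "0")
    results.append(("rsau/max_diskspace/local", _at_least(audit_size, min_audit_bytes),
                    f"audit log limit {audit_size} bytes (assumed minimum {min_audit_bytes})"))

    # 4.11.2: central system log size limit.
    central = params.get("rslg/max_diskspace/central", "0")
    results.append(("rslg/max_diskspace/central", _at_least(central, min_central_syslog_bytes),
                    f"central system log limit {central} bytes"))
    return results


if __name__ == "__main__":
    for name, ok, detail in check_logging_parameters(parse_rsparam(RSPARAM_SAMPLE)):
        print(f"{'PASS' if ok else 'FAIL'}  {name:28} {detail}")
```

Resolving the effective value matters because RSPARAM shows a blank user-defined column for parameters left at their default; a check that looks only at the user-defined column would wrongly report such a parameter as unset.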