Security and Control Update
For SAP R/3
Guide to Effective Control – Handbook Update
© Commonwealth of Australia 2004
ISSN 1036-7632
ISBN 0 642 80791 4
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth available from the Department of Communications, Information Technology and the Arts. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Intellectual Property Branch, Department of Communications, Information Technology and the Arts, GPO Box 2154, Canberra ACT 2601 or posted at <http://www.dcita.gov.au/cca>
The Publications Manager, Australian National Audit Office, GPO Box 707, Canberra ACT 2601
Information about ANAO reports and activities can be found at the ANAO Internet address: http://www.anao.gov.au
Acknowledgement
Appreciation is extended to PricewaterhouseCoopers who contributed significantly in developing and writing this handbook.
Disclaimer
This handbook is not a recommendation of the SAP R/3 system, nor an endorsement of the SAP R/3, by the ANAO. Commonwealth Public Sector agencies are responsible for deciding whether SAP R/3 is suitable for their purposes and for implementing and testing SAP R/3.
The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or any loss or damage suffered by an agency or by any other person as a result of their reliance on the information contained in this handbook or resulting from their implementation or use of the SAP R/3 system, and to the maximum extent permitted by law, exclude all liability (including in negligence) in respect of the handbook or its use.
Design by GREY Worldwide
Security and Control for SAP R/3 Handbook
Preface
SAP continues to be a predominant financial management information system in use within the Australian Government.
Accordingly, the Australian National Audit Office (ANAO) has developed this better practice handbook update
with significant assistance provided by PricewaterhouseCoopers. The original handbook was released by the
ANAO in 1998, and this update reflects the changes made to SAP security and control since that time.
Based on SAP R/3 release 4.6C, this update should be read in conjunction with the original handbook to gain a
fuller appreciation and understanding of functional, as well as security and control issues, associated with the
implementation and operation of SAP.
This handbook update provides better practice controls that should be considered by Australian Government
entities to assist in meeting their requirements for availability, integrity and confidentiality, and outlines:
• the significant risks associated with each functional enhancement; and
• the various control options that should be considered, broken down into the following categories.
– SAP customisation settings which should be considered in reducing and/or mitigating identified risks
and delivering security and control best practices.
– User access security settings to be considered when designing and implementing security.
– Useful key control reports for review.
The adoption of the various control options will depend on how SAP R/3 is used within each entity and the level
of acceptable risk adopted by that entity. Striving for absolute assurance is neither cost effective nor possible.
Controls implemented should be commensurate with the nature of the business, the acceptable level of risk and
program delivery.
Oliver Winder
Acting Auditor-General
30 June 2004
Security and Control for SAP R/3 Handbook Update
Contents

Introduction 1
Basis and Cross Application Components (BC) 34
Procurement to Payables (MM) 52
Financial Accounting (FI) 64
Controlling (CO) 70
Human Resources (HR) 86
Audit Information System (AIS) 96
Introduction

The original Security and Control for SAP R/3 Handbook, developed in 1998, was produced to provide good
practice security and control guidelines when implementing and running SAP Version 3.1H. SAP has subsequently
upgraded the R/3 system, through Versions 4.0, 4.5 and 4.6, with each version including many functional changes
impacting security and controls.
This handbook update is based on SAP R/3 Release 4.6C, outlining significant functional enhancements with
relevant security and control considerations. This handbook should be read in conjunction with the original
handbook to gain a full awareness and appreciation of functional and security and control issues within the
core SAP components.
The handbook outlines business risks associated with the implementation and operation of SAP, and provides better
practice controls that should be considered by Australian Government entities that replicate control solutions
deployed at organisations globally running SAP.
SAP Upgrades
There are a number of business and technology drivers that may influence an organisation's decision to
upgrade SAP.
[Figure: Business drivers. Why upgrade R/3: strategic and operational changes; cost reduction; business process functional enhancements; mergers and divestments; e-business initiatives; greater efficiency; technology improvements; competition.]
Drivers for upgrading SAP are often focused on achieving greater efficiency through new functionality, or
business process improvements, provided within new releases of SAP. A number of these enhancements are
outlined in the sections of this document and should be considered by decision makers.
Technology drivers for the upgrade of SAP are generally based around the need to maintain SAP support or to
provide greater stability and ease of use for users and support teams.
[Figure: Technology drivers. Why upgrade R/3: mySAP.com product components; old versions no longer supported; update technologies; new or extended functionality; improve user acceptance and satisfaction; need to restructure architecture; reduce enhancements; stabilise environment.]
Components covered
This handbook update covers the core SAP R/3 components commonly used by Australian Government entities.
The components covered are consistent with those in the original handbook:
• Basis Component (BC);
• Materials Management (MM), referred to in this handbook as ‘Procurement to Payables’;
• Financial Accounting (FI): includes AA (Asset Accounting);
• Controlling (CO); and
• Human Resources (HR): includes PA (Personnel Administration) and PD (Personnel Development).
This handbook update also provides an outline of the Audit Information System (AIS).
Products such as BW (Business Warehouse), CRM (Customer Relationship Management), EBP (Enterprise Buyer
Professional) and ESS (Employee Self Service) are run on separate copies of the SAP application. While these have
been detailed in each applicable section of this handbook, they are not outlined in the above diagram.
[Figure: Component overview. R/3 client/server on the ABAP/4 Basis component, with the application components SD Sales and distribution; PP Production planning; QM Quality management; PM Plant maintenance; FI Financial accounting; CO Controlling; TR Treasury; OC Office communications; AA Asset accounting; MM Materials management; HR Human resources; IM Investment management; PS Project systems; RE Real estate management; CS Customer service; PE Training and event management.]
How to use the handbook update
The handbook update has been divided into seven sections as follows:
• Introduction
• Basis and Cross Application Components
• The various application components:
– Procurement to Payables (MM)
– Financial Accounting (FI)
– Controlling (CO)
– Human Resources (HR)
• Audit Information System (AIS)
A Background Section is provided for each application component, giving an overview of changes in the
application component from SAP Version 3.1H to 4.6C. Each background section also details the coverage
(sub-modules) of that application component section.
A Functional Overview is given for each application component and sub-module covered by this handbook
update. This overview outlines the core functionality of the sub-modules with relevant operational benefits and
high-level control opportunities.
Further detail is provided for each sub-module, including the following:
SIGNIFICANT RISKS
For each sub-module, relevant business risks are provided which should be considered by
all organisations. For each risk identified, various control options are provided across the
following sections.
CONFIGURATION “HOT SPOTS”
SAP customisation settings that should be considered in reducing and /or mitigating identified
risks and delivering security and control best practices.
SECURITY CONSIDERATIONS
User access security settings to be considered when designing and implementing security
for this sub-module. Where available, sensitive high-risk SAP transaction codes are provided
with a description of the functionality. Access to these transactions should be reviewed and
appropriately restricted.
USEFUL REPORTS
Key control reports for each sub-module covered have been provided. Where available, the
report transaction code or report code has been provided with a description of the benefit
provided. Management should consider implementing procedures for the review of these
reports, where appropriate.
The following diagram is used throughout this handbook update to demonstrate how functionality, risks
and control options relate. Risks can be mitigated through the implementation of one or a combination of
control types, depending on organisational needs. These control types may be security related, specific control
configurations, or through the development and review of control reports. This handbook provides good
practice control options across security, configuration and reporting, which management should consider when
implementing functionality or reviewing the SAP control environment.
[Figure: How functionality, significant risks and control options relate. Functionality gives rise to significant risks, which are addressed through security considerations, configuration hot spots and useful reports.]
Basis and cross application components
SECTION CONTENTS

Background 9
Environment 10
SAP New Dimension Products 11
Security: User Security and the Profile Generator 13
  Functional Overview 13
  Significant Risks 13
  Security Considerations 14
Security: Derived Roles 15
  Functional Overview 15
  Significant Risks 15
  Configuration Hot Spots 16
  Security Considerations 16
  Useful Reports 17
Security: Central User Administration 18
  Functional Overview 18
  Significant Risks 19
  Configuration Hot Spots 19
  Security Considerations 19
  Useful Reports 20
Security: Personalised User Menus 21
  Functional Overview 21
  Significant Risks 21
  Configuration Hot Spots 21
  Security Considerations 21
  Useful Reports 22
Transport Management System 23
  Functional Overview 23
  Significant Risks 23
  Configuration Hot Spots 23
  Security Considerations 24
  Useful Reports 24
Reporting 25
  Functional Overview 25
  Significant Risks 25
  Configuration Hot Spots 25
  Security Considerations 25
InfoSet Query 26
  Functional Overview 26
  Significant Risks 26
  Configuration Hot Spots 26
  Security Considerations 26
SAP Business Warehouse (BW) 27
  Functional Overview 27
  Significant Risks 27
  Configuration Hot Spots 27
  Useful Reports 27
Mass Maintenance 28
  Functional Overview 28
  Significant Risks 29
  Security Considerations 29
  Useful Reports 30
Workflow 31
  Functional Overview 31
  Significant Risks 32
  Security Considerations 32
  Useful Reports 33
Background
An overview of the functionality, risks and controls of the SAP Basis module as at Version 3.1H is covered
within the full Better Practice Handbook for SAP R/3. The Basis module has undergone a number of changes
since this release, with the main changes impacting on security and controls summarised below and detailed
across the following Basis section.
Environment
With the advent of the SAP workplace and the ability to access SAP through an Internet browser, a wave of
new SAP products has been developed, including Customer Relationship Management (CRM) and Supply Chain
Management (SCM), each product requiring an underlying Basis module upon which to operate.
Security
A number of new security tools have been developed to assist in the configuration and maintenance of security
in increasingly complex SAP environments. Tools considered in this section include the Profile Generator, Central
User Administration, Derived Roles and Personalised Role Menus.
Transport Management System
As the SAP landscape has become more complex, so have change control mechanisms to manage changes.
Since Release 3.1, a number of changes have taken place in the change control area; the most significant is the
development of the Transport Management System (TMS).
Reporting
Reporting functionality within SAP has been enhanced significantly to provide greater ease of access to data.
The development of new reporting tools has improved the way users can access and extract SAP data — these
include Infoset Queries and the SAP Business Warehouse (BW).
Workflow
SAP Workflow is a cross application component but should also be viewed in the context of each business
process to which it has been applied. Workflow, as a concept, has been detailed within this section. As well, some
specific applications are discussed in the relevant business process areas.
Environment
With the introduction of the SAP Web GUI (Graphical User Interface), more agencies are web or partially web
enabling their SAP systems. Core functionality required by large volumes of users (e.g. Employee Self Service) is
well suited to being delivered through a standard web browser.
The following diagram illustrates how the introduction of the Web GUI has changed the SAP environment.
The underlying SAP three tier environment remains largely unchanged from Version 3.1H for the SAP 4.5A – 4.6C
environment. The primary change is the addition of the SAP Internet Transaction Server (ITS) enabling web
connectivity and the delivery of SAP content through the Web.
Similar to the original SAP R/3 environment, the core three tier design of database, application and presentation
layers remains. In previous SAP versions, communication between the application layer of SAP and the
presentation layer or client PC would take place using software installed on the client PC — the SAP GUI.
The development of the Internet Transaction Server (ITS) has allowed presentation of SAP content through
a standard Web browser.
While high volume users will still access SAP using the SAP GUI installed on their machine, the ITS allows
SAP functionality to be extended to a wider user community, with low volume processing, such as Employee
Self Service, being delivered through a standard Internet browser.
[Figure: Changes in the SAP environment. Basis release to 4.6C: database server (UNIX or NT), application server, SAP GUI presentation layer (client PC), and SAP ITS (application gate and web gate) serving a presentation layer in a web browser on the client PC. SAP Enterprise (after 4.6C): database server (UNIX or NT), SAP Web Application Server (application server plus J2EE web server), serving both the SAP GUI presentation layer (client PC) and a presentation layer in a web browser on the client PC.]
The SAP R/3 Enterprise Environment has changed the original SAP R/3 environment to incorporate web
interactivity with the underlying SAP application server. This has resulted in the SAP Web Application Server,
an application server capable of hosting java based web applications, as well as performing all of the functions
previously performed by the SAP Application Server.
Incorporating a Java web server into the SAP Web Application Server, SAP can now deliver SAP content directly
to the Web Browser, without the need for the Internet Transaction Server.
SAP New Dimension Products
The SAP 4.6C environment builds on the existing R/3 environment to incorporate a number of new SAP products
aimed at streamlining business processes and adding new functionality to the core R/3 product.
[Figure: New Dimension products around the R/3 core (SD Sales and distribution; FI Financial accounting; MM Materials management; PP Production planning; QM Quality management; PM Plant management; HR Human resources; CO Controlling; AM Fixed assets management; PS Project system; WF Workflow; IS Industry solutions): SAP sales, SAP marketing, SAP service, Info DB, SAP APO, SAP logistics execution systems, SAP strategic enterprise management and SAP B2B procurement, grouped under BW, SAP CRM, SAP SCM and SAP BI.]

Key:
BW Business Warehouse
SAP CRM Customer Relationship Management
SAP SCM Supply Chain Management
SAP BI Business Intelligence
SAP APO Advanced Planning and Optimisation
A feature of the SAP ‘New Dimension’ products is that they each reside on a separate SAP installation (instance).
Each product can be implemented independently, each requiring a separate SAP Basis installation. Basis settings
and parameters must be configured for each of the ‘New Dimension’ implementations as well as the core R/3
implementation.
SAP’s suite of ‘New Dimension’ products can be divided into the following categories:
Business Intelligence
The core product in the Business Intelligence suite is SAP Strategic Enterprise Management (SEM). SAP–SEM
allows management to take a holistic view of the organisation, providing them with the data they need to make
strategic decisions. SAP–SEM consolidates business data, as extracted from the core SAP system, using the BW
reporting tool.
SAP–SEM supports management processes in an integrated way, which means top-down translation of enterprise
strategy into business unit, product and support centre targets, as well as bottom-up performance monitoring
and related decision support.
Customer Relationship Management
SAP Customer Relationship Management (CRM) enhances the core SAP Sales and Distribution module to provide
solutions for Customer Interaction, Marketing and Mobile Salespersons.
SAP–CRM manages customer relationships by providing employees with information on trading history and
contacts with business customers in order to support sales activities.
Supply Chain Management
The core products in the Supply Chain Management suite are SAP Advanced Planning Optimiser (APO) and SAP
Enterprise Buyer Professional (EBP, formerly SAP B2B).
SAP–APO is a supply network-planning tool designed to enable production-based organisations to effectively
manage their supply networks.
SAP–EBP is an electronic procurement solution designed to automate the procurement process to the point of
purchase order creation. SAP–EBP allows employees to browse pre-approved vendor catalogues and select items
to be ordered raising a requisition for approval. On approval of the requisition by the appropriate manager,
a purchase order is automatically created in the core R/3 system.
Security: User Security and the Profile Generator
Functional Overview
From SAP Release 3.1G, SAP has continued to develop the Profile Generator to allow quicker development
of authorisation profiles. All authorisations should now be created using the Profile Generator, as most new
functionality relies upon the assignment of roles to users rather than authorisation profiles. It should be noted
that assigning a role to a user will automatically assign the corresponding profile.
Benefits provided through the use of the profile generator to define authorisation profiles include:
• reduced complexity and ease of use; and
• simplification of role and profile administration.
With SAP Release 4.6C, there are now over 100 standard delivered roles or role templates. These can be used as
a basis for the definition of customer specific roles, and will often contain the majority of transactions required
for a particular function.
Care should, however, be taken when using these roles. Being generic, they will often contain more access
than required, and will not contain any organisational restrictions.
A further enhancement has been the development of the password generator functionality in transaction SU01.
This allows the security administrator to generate a random password for user accounts rather than a password
which may be easily guessed.
Mass maintenance of user access security design and structure can now be performed in the profile generator,
which will significantly improve efficiency and accuracy of changes being made to a large number of records.
When in the menu tab of the profile generator, transaction code names can be toggled on/off by selecting the
magnifying glass icon in the top right of the tab.
SIGNIFICANT RISKS
• Unauthorised, or inappropriate, changes to user security resulting in excessive access, or
users not having access to perform functions.
• Authorisation values may be inaccurately defined, granting inappropriate access to users.
• SAP standard delivered roles, if allocated without configuration, may not provide adequate
organisational restrictions, or may contain transactions that the organisation has deemed
to be segregation of duties conflicts.
• Passwords provided to users by security administration staff are standard, or easily
guessable, resulting in unauthorised users gaining access to the SAP system.
SECURITY CONSIDERATIONS
• Authorisations where a ‘*’ value has been given should be reviewed to establish if
appropriate. Where possible ‘*’ values should be limited and be replaced with specific
values.
• As with access to all user administration functionality, access to role maintenance
activities should be controlled. Access should be restricted to the following transactions
which provide users with access to role and profile maintenance activities:
Tcode (Name): Description
PFCG (Profile Generator): Tool for maintenance of roles and profiles.
SU01 (Maintain User): Used for the creation and maintenance of User Master Records, including password resetting by system administrators.
SU02 (Profile Maintenance): Tool for the direct maintenance of profiles (not recommended in version 4.0A or above; should be performed in the profile generator).
SU03 (Authorisation Maintenance): Tool for the direct maintenance of authorisations (not recommended in version 4.0A or above).
• SAP standard roles, where utilised, should be used as a basis for the establishment of
roles and should be checked for adequacy within the context of the security and control
environment.
• SAP standard roles should be reviewed for transactions that your organisation has deemed
segregation of duties conflicts.
• Security administrators should use the password generation facility in transaction SU01
when a user account is created or requires a password change. This will ensure that
passwords are random and not easily guessable.
Security: Derived Roles
Functional Overview
The Profile Generator controls the creation of variants for different business units or departments within an
organisation. This has resulted in the concepts of Responsibilities (Version 4.0B), Hierarchical Activity Groups
(Version 4.5A) and more recently Derived Roles (Version 4.6A). All are conceptually similar in that they allow
the security administrator to define a set of common transactions from which variant profiles can be created
containing different organisational restrictions.
It should be noted that the use of Derived Roles can significantly reduce the resource required for security role
maintenance. These can be further explained using the following diagram:
SIGNIFICANT RISKS
• Derived Roles are inappropriately configured resulting in inappropriate user access. Due to
limitations of organisational data that can be derived, there are certain situations where
Derived Roles cannot be used.
• Only security administration staff should have access to the Profile Generator (transaction
PFCG) where Derived Roles are maintained.
• Where Derived Roles have been defined, the master role should not be assigned to end
users as this will normally contain access to all organisational data.
Basis and cross application components
Diagram: Derived roles. A master role holds all company codes and all cost centres. Two child roles are derived from it: the Business unit (BU) 'A' role (Derived Role A), restricted to BU 'A' company codes and BU 'A' cost centres, and the Business unit (BU) 'B' role (Derived Role B), restricted to BU 'B' company codes and BU 'B' cost centres.
CONFIGURATION HOT SPOTS
• Ensure that naming conventions have been appropriately defined which clearly identify
master and child roles.
• Where Derived Roles are used and all data (with the exception of organisational data) is
to be derived down to the child role, child roles should not be directly maintained. All
changes to the child role will be overwritten the next time information is derived from
the master role.
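The two risks above (a master role assigned to end users, and child roles that have drifted through direct maintenance) can be checked from exported role data. The following Python check is an added example, not code from the handbook or from SAP; it assumes exports shaped like the role tables AGR_DEFINE (role and parent role), AGR_1251 (authorisation values) and AGR_USERS (role assignments), uses constructed sample rows, and treats BUKRS (company code) and KOSTL (cost centre) as the organisational fields a child role may legitimately differ in.

```python
"""Derived-role consistency checks (added example, not from the handbook or SAP).

Assumed export layouts (all assumptions for this example):
  AGR_DEFINE: (AGR_NAME, PARENT_AGR)               role and the master it derives from
  AGR_1251:   (AGR_NAME, OBJECT, FIELD, LOW, HIGH)  authorisation values per role
  AGR_USERS:  (AGR_NAME, UNAME)                     role-to-user assignments
The sample rows below are constructed for illustration only.
"""

# Organisational fields a derived (child) role is expected to differ in:
# BUKRS = company code, KOSTL = cost centre (assumption for this example).
ORG_FIELDS = {"BUKRS", "KOSTL"}

AGR_DEFINE = [
    ("Z_FI_AP_MASTER", ""),
    ("Z_FI_AP_BU_A", "Z_FI_AP_MASTER"),
    ("Z_FI_AP_BU_B", "Z_FI_AP_MASTER"),
]

AGR_1251 = [
    # master role: full organisational access, as the handbook describes
    ("Z_FI_AP_MASTER", "S_TCODE", "TCD", "FB60", ""),
    ("Z_FI_AP_MASTER", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_FI_AP_MASTER", "F_BKPF_BUK", "BUKRS", "*", ""),
    ("Z_FI_AP_MASTER", "K_CSKS", "KOSTL", "*", ""),
    # child A: identical apart from the organisational fields
    ("Z_FI_AP_BU_A", "S_TCODE", "TCD", "FB60", ""),
    ("Z_FI_AP_BU_A", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_FI_AP_BU_A", "F_BKPF_BUK", "BUKRS", "1000", ""),
    ("Z_FI_AP_BU_A", "K_CSKS", "KOSTL", "1000", "1999"),
    # child B: maintained directly, so it has drifted from the master
    ("Z_FI_AP_BU_B", "S_TCODE", "TCD", "FB60", ""),
    ("Z_FI_AP_BU_B", "S_TCODE", "TCD", "SU01", ""),
    ("Z_FI_AP_BU_B", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_FI_AP_BU_B", "F_BKPF_BUK", "ACTVT", "02", ""),
    ("Z_FI_AP_BU_B", "F_BKPF_BUK", "BUKRS", "2000", ""),
    ("Z_FI_AP_BU_B", "K_CSKS", "KOSTL", "2000", "2999"),
]

AGR_USERS = [
    ("Z_FI_AP_BU_A", "ACLERK01"),
    ("Z_FI_AP_BU_B", "BCLERK01"),
    ("Z_FI_AP_MASTER", "TEMP01"),  # master role handed to an end user
]


def non_org_values(agr_1251, role):
    """Authorisation values of a role, excluding the organisational fields."""
    return {
        (obj, field, low, high)
        for name, obj, field, low, high in agr_1251
        if name == role and field not in ORG_FIELDS
    }


def derived_role_drift(agr_define, agr_1251):
    """Children whose non-organisational values differ from their master.

    Returns {child: {"extra": [...], "missing": [...]}} where "extra" lists
    values present in the child but not the master (a sign of direct maintenance
    that the next derivation would silently overwrite) and "missing" the reverse.
    """
    drift = {}
    for child, parent in agr_define:
        if not parent:
            continue
        child_vals = non_org_values(agr_1251, child)
        parent_vals = non_org_values(agr_1251, parent)
        if child_vals != parent_vals:
            drift[child] = {
                "extra": sorted(child_vals - parent_vals),
                "missing": sorted(parent_vals - child_vals),
            }
    return drift


def master_roles_assigned(agr_define, agr_users):
    """(master role, user) pairs; masters normally carry all organisational data."""
    masters = {parent for _, parent in agr_define if parent}
    return sorted((role, user) for role, user in agr_users if role in masters)


if __name__ == "__main__":
    for child, diff in derived_role_drift(AGR_DEFINE, AGR_1251).items():
        print(f"{child}: extra={diff['extra']} missing={diff['missing']}")
    for role, user in master_roles_assigned(AGR_DEFINE, AGR_USERS):
        print(f"master role {role} assigned directly to user {user}")
```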
SECURITY CONSIDERATIONS
• Access to role administration should be tightly controlled and restricted to only relevant
user administration staff. Access to the following transactions should be restricted:
Tcode | Name | Description
OY21, GCE2, O002, OBZ8, OD03, OIBP, OMDM, OMEI, OMM0, OMSO, OMWG, OOPR, OP15, OPCB, OPE9, OPJ1 | Profile Maintenance | These transactions all allow direct access to profile maintenance.
USEFUL REPORTS
Report Transaction | Name | Description
S_BCE_68001425 | Roles by complex selection criteria | Interrogation of roles in the system by a number of different criteria.
S_BCE_68001418 | Roles by role name | Interrogation of roles in the system by role name.
S_BCE_68001419 | Roles by user assignment | Interrogation of roles in the system by user assignment.
S_BCE_68001420 | Roles by transaction assignment | Interrogation of roles in the system by transaction assignment.
S_BCE_68001421 | Roles by profile assignment | Interrogation of roles in the system by profile assignment.
S_BCE_68001422 | Roles by authorisation object | Interrogation of roles in the system by authorisation object.
S_BCE_68001423 | Roles by authorisation values | Interrogation of roles in the system by authorisation values.
S_BCE_68001424 | Roles by change date | Interrogation of roles in the system by change date.
Security: Central User Administration
Functional Overview
With the advent of the SAP Workplace and various other new component systems, the SAP landscape has
become significantly more complex than the original R/3 system. As a result, user administration has become
more complex.
Central User Administration (CUA) addresses the difficulties of user administration by allowing all user
administration activities to be performed from a central system. CUA is available from SAP Versions 4.5A and
above, and recent versions of the Web Application Server (6.2), and can significantly reduce the resource required
for user maintenance.
CUA does not cater for single sign-on or for the synchronisation of passwords across each SAP system.
The following diagram illustrates the CUA concept. Communication between systems is achieved using SAP Application
Link Enabling (ALE). ALE is SAP’s process that provides for the exchange of data between SAP systems.
Diagram: CUA landscape. A central system (SAP R/3 4.5A or higher) is linked by ALE to an SAP EBP system, an SAP CRM system and a further SAP R/3 system.
Key: SAP EBP = Enterprise Buyer Professional; SAP CRM = Customer Relationship Management.
SIGNIFICANT RISKS
• CUA configuration and ALE landscape may not be configured correctly resulting in failure
of systems to interface effectively.
• Access to CUA functions may not be adequately secured, resulting in unauthorised
changes to users’ access rights.
• Access to Application Link Enabling (ALE) configuration may not be adequately secured.
• CUA error and distribution logs may not be reviewed and followed up on a timely basis.
CONFIGURATION HOT SPOTS
• Patches from SAP must be applied to install and run CUA.
• Field selection configuration should be performed in transaction SCUM ‘User Distribution
Field Selection’ to define the system (local or global) in which each item of user master
data and security is maintained. Through this transaction, configuration of user locks is
performed to define their operation.
SECURITY CONSIDERATIONS
• Access to the configuration of Central User Administration (CUA) transactions should
be controlled. Consideration should be given to restricting access to only relevant user
administration staff to the following CUA Maintenance transactions.
Tcode | Name | Description
SALE | Display ALE Customising | Used to configure the ALE environment for CUA. This transaction also allows access to other ALE and Remote Function Call (RFC) configuration.
SCUA | Central User Administration | Transaction used to maintain the CUA landscape.
SCUL | Central User Management Log | Transaction used to view CUA audit and error logs.
SCUM | Central User Administration | Transaction used to define field distribution for CUA.
USEFUL REPORTS
Report / Transaction | Name | Description
SCUL | Central User Management Log | This transaction reports on CUA errors and the audit log.
Security: Personalised User Menus
Functional Overview
SAP Version 4.6 and the first release of mySAP.com Workplace saw a move towards personalisation within the
SAP environment. SAP menus can now be personalised for each role. When these roles are assigned to a user and
combined with other roles containing personalised menus, the user is presented with a menu structure unique
to their individual role assignments.
SIGNIFICANT RISKS
• Folder structures within the SAP menu structure (see above) are created which do not
reflect the actual business structure. It is important to ensure that these are developed in
consultation with the business, and do not take on a technical focus.
CONFIGURATION HOT SPOTS
• User menu configuration should be such that menus are efficient in use. Table SSM_CUST
contains settings which affect the user menus, including whether folders should be condensed,
whether duplicate transactions should be deleted and whether the menus should be sorted.
SECURITY CONSIDERATIONS
• In addition to controlling access to the Profile Generator (transaction PFCG), access should
also be controlled to the maintenance of table SSM_CUST.
USEFUL REPORTS
Report Transaction | Name | Description
SURL_LAUNCHPAD_TEST | Test Launchpad Generation | When the Workplace has been implemented this report can be used to test the contents of a user’s launchpad including personalised user menu entries.
Transport Management System
Functional Overview
With the release of Version 4.0, SAP introduced the Transport Management System (TMS) that centralised the
configuration for the Change and Transport System (CTS) for all R/3 systems. TMS gives the SAP Administrator
the ability to manage all SAP change requests from a centralised location (i.e. from one SAP client). It also allows
pre-defined transport routes to be configured, minimising human error in the import and export of transportable
objects.
A key feature of the TMS is that it has allowed for the management of change queues from within the R/3
system and has removed the need to have deep UNIX / Windows skills for day to day SAP Administration
(although these skills are still required for the administration of the underlying database).
The introduction of TMS allows for greater control over the SAP system account and has led to the configuration
of a simplified SAP landscape. TMS has replaced the need to use transaction SE06 and the previously configured
CTS tables.
SIGNIFICANT RISKS
• Administration functions such as client copies are not restricted to authorised personnel
and are performed inappropriately.
• Programs in production have not gone through appropriate change approval process.
• Developers make changes (and test changes) directly in programs in the production
system (in non emergency situations). Changes should go through the normal domain
transport route.
CONFIGURATION HOT SPOTS
• Transaction STMS now controls the movement of objects from one SAP system to another,
replacing functionality in transaction SE06.
SECURITY CONSIDERATIONS
• Access to the following transport management transactions should be restricted to
authorised ‘Basis team’ users only.
Tcode | Name | Description
SCC1, SCC4 | Client Administration | Transactions SCC1 and SCC4 allow users to create a client (SCC1) and copy data from an existing client to a target client (SCC4). In addition there are other copy transactions (SCCX) that perform functions such as copying user files; these should be protected and access to them restricted.
SE10 | Transport Organiser | This transaction is used by system configuration staff to manage and verify transport requests.
SE11 | ABAP Dictionary | This transaction is used by developers to manage and release their transport requests.
STMS | Transport Management System | Transaction STMS now controls the movement of objects from one SAP system to another (previously performed within transaction SE06).
USEFUL REPORTS
Both Transport logs and Action logs are available through the Transport Organiser. These can
be used to provide an audit trail of transport activity.
Reporting
Functional Overview
With the advent of personalised roles, reporting security has changed significantly. In previous versions of SAP,
reports were secured by attaching them to a report tree. Report trees were then allocated to users to ensure
users could only access approved reports.
Since folders can be specified in individual roles, personalised roles effectively make reporting trees redundant. In
order to make the allocation of reports to roles easier, SAP have therefore assigned a large number of standard
SAP reports to transaction codes.
Although report trees can still be displayed through most Web GUI configurations, it may be more appropriate
to assign reports through personalised roles, and remove report trees altogether.
SIGNIFICANT RISKS
• Although transaction codes have now been assigned to SAP standard reports, the
authorisation objects checked by these reports have not been attached to these
transaction codes. In order to allocate reports to end-users, it is therefore still necessary
to establish the required authorisation objects through testing and allocate these to the
appropriate roles.
CONFIGURATION HOT SPOTS
• All reports and programs developed should contain appropriate authorisation checks to
ensure that only authorised users are able to execute them.
SECURITY CONSIDERATIONS
• Reports which do not contain adequate authorisation object security will be accessible to
any user who has access to the transaction code required to start the report. Where users
are configured with access to all transaction codes, through the application of a ‘*’ in the
S_TCODE object, or value that contains a ‘*’ (for example ‘S*’), there is an increased risk
that reports or programs may be accessed inappropriately.
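The point above, and the earlier advice in the role maintenance section that ‘*’ values should be reviewed and replaced with specific values, can both be checked from exported authorisation data. The Python example below is added here and is not code from the handbook or from SAP; it assumes rows shaped like the role authorisation table AGR_1251 (constructed here), applies SAP’s value rules (‘*’ alone covers every value, a trailing ‘*’ is a generic prefix match, and LOW/HIGH is an inclusive range) and reports which of the transactions this handbook says to restrict each role can reach through S_TCODE.

```python
"""Wildcard and generic value review for role authorisations.

Added example, not from the handbook or SAP. Input rows follow the layout of
the role authorisation table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH),
assumed here; the sample rows are constructed. Matching follows SAP's rules
for authorisation values: '*' alone means all values, a trailing '*' is a
generic prefix match, and a non-empty HIGH makes LOW..HIGH an inclusive range.
"""

# Transactions the handbook singles out for restriction (user, role, client
# and transport administration).
RESTRICTED_TCODES = {"PFCG", "SU01", "SU02", "SU03", "SU10", "SCC4", "STMS"}

# Constructed sample export, not data from a real system.
SAMPLE_AGR_1251 = [
    ("Z_FI_AP_CLERK", "S_TCODE", "TCD", "FB60", ""),
    ("Z_FI_AP_CLERK", "S_TCODE", "TCD", "MIRO", ""),
    ("Z_FI_AP_CLERK", "F_BKPF_BUK", "BUKRS", "1000", ""),
    ("Z_BASIS_SUPPORT", "S_TCODE", "TCD", "S*", ""),       # generic value
    ("Z_BASIS_SUPPORT", "S_USER_GRP", "ACTVT", "*", ""),    # full value
    ("Z_REPORT_USER", "S_TCODE", "TCD", "SA38", "SE38"),    # a range
]


def value_matches(low, high, candidate):
    """True if an authorisation value (LOW/HIGH) covers the candidate value."""
    if low == "*":
        return True
    if low.endswith("*"):
        return candidate.startswith(low[:-1])
    if high:
        return low <= candidate <= high
    return candidate == low


def wildcard_findings(rows):
    """Rows the handbook says to review: any '*' in LOW or HIGH."""
    return [row for row in rows if "*" in row[3] or "*" in row[4]]


def restricted_tcodes_reached(rows, role, restricted=RESTRICTED_TCODES):
    """Restricted transactions a role can start through its S_TCODE values."""
    tcode_values = [
        (low, high) for name, obj, field, low, high in rows
        if name == role and obj == "S_TCODE" and field == "TCD"
    ]
    return sorted(
        tcode for tcode in restricted
        if any(value_matches(low, high, tcode) for low, high in tcode_values)
    )


def report(rows):
    """Per-role summary of wildcard rows and restricted transactions reached."""
    roles = sorted({row[0] for row in rows})
    return {
        role: {
            "wildcards": [r for r in wildcard_findings(rows) if r[0] == role],
            "restricted_tcodes": restricted_tcodes_reached(rows, role),
        }
        for role in roles
    }


if __name__ == "__main__":
    for role, summary in report(SAMPLE_AGR_1251).items():
        print(role, summary)
```

The range row shows why the review should not stop at ‘*’: a LOW/HIGH interval such as SA38 to SE38 also covers SCC4 even though no wildcard appears.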
InfoSet Query
Functional Overview
The InfoSet Query (InfoSet replaces the term functional area) functionality has been provided to allow users
greater flexibility in reporting across all areas of the SAP system. InfoSet Query has been developed from the HR
ad-hoc query reporting which was developed in prior versions of SAP.
InfoSet Query has been developed to provide users with the tools necessary to quickly develop and run data queries.
SIGNIFICANT RISKS
• Unauthorised access to sensitive and confidential data, including HR data.
CONFIGURATION HOT SPOTS
• Consideration should be given to logging reporting performed using InfoSet Query. In
order for logging to be available, it is necessary to configure this. Configuration of InfoSet
logging can be maintained through the IMG (Basis Components > SAP Query > Logging >
Determine InfoSets for Logging).
SECURITY CONSIDERATIONS
• Access to perform InfoSet Queries is defined using roles or SAP Query user groups. These
can be configured to restrict access to relevant and appropriate InfoSets.
• Procedures should be defined for the periodic review of InfoSet Query log data. This data
is recorded in the Query Logging table (AQPROT).
• Consideration should be given to restricting access to the following transactions that
provide the user with access to the InfoSet Query.
Tcode | Name | Description
S_PH0_48000513 | Ad Hoc Query | Ad-hoc queries on various data sets.
SQ01 | Query from User Group: Initial Screen | Used for the creation, change, deletion and execution of InfoSet Queries.
SQ02 | InfoSet: Initial Screen | Used for the creation, change, deletion and execution of InfoSet Queries.
SQ03 | User Groups: Initial Screen | Used in the allocation of user groups to roles or users.
SAP Business Warehouse (BW)
Functional Overview
The SAP Business Warehouse is SAP’s data warehousing solution and available to support SAP core functionality.
A Data Warehouse stores data in a format optimised for reporting in a separate system from the operational
system(s) that collect the transactional data. This allows the operational system (SAP R/3) to get on with the
real-time data processing, whilst the data warehouse (SAP–BW) caters for the resource intensive reporting
requirements.
SAP–BW includes the tools required to extract, standardise and maintain the data and to produce the reports.
As a Data Warehousing solution, SAP–BW is designed to work with any data source, not just SAP systems.
SIGNIFICANT RISKS
• Unauthorised access to sensitive and confidential data through the BW system.
CONFIGURATION HOT SPOTS
• In BW, field level authorisations will not be checked unless switched on. A user may
therefore be able to see data in the BW system for which they are not authorised in the
R/3 system. Important fields (characteristics) should be checked to ensure they are defined
as authorisation relevant.
• Reporting objects should be linked to infocubes where authorisation checks are required.
Where checks are required, authorisations should then be created for those infocubes and
assigned to appropriate users.
USEFUL REPORTS
Report | Name | Description
RSSM | Authorisation Check Log report | Allows monitoring of the resolution of authorisation errors.
Mass Maintenance
Functional Overview
Mass Maintenance functionality has been developed as an effective tool to maintain large amounts of data. For
example, the Mass Maintenance functions allow a user to change data in a large number of purchase orders or
requisitions through the execution of a single transaction.
Mass maintenance functions are supported for a number of documents including:
- Material Master
- General Ledger Records
- Purchasing Info Records
- Vendor Master
- Purchase Orders and Purchase Requisitions
- User Master
Users can operate the Mass Maintenance tool in dialog, background or a combination of both. The process can
be summarised as follows:
Document mass maintenance
1. Select object to be changed
2. Select records to be changed
3. Select table and field to be changed
4. Specify change and execute
SIGNIFICANT RISKS
• Inappropriate or unauthorised change may be made to large amounts of data.
• System performance may be impacted by the execution of large Mass Maintenance
activities.
SECURITY CONSIDERATIONS
• Due to the increased risk associated with providing a user with the ability to maintain and
change large amounts of data simultaneously, access to the following key transactions
should be restricted to key experienced staff with authority to make changes:
Tcode | Name | Description
XK99 | Mass maintenance, vendor master | Used to change one or more vendors simultaneously.
MSJ1 | Mass Maintenance in the Background | Used to change one or more items via background processing.
MM17 | Mass Maintenance: Indus. Material Master | Used to change one or more Material Master records simultaneously.
MM46 | Mass Maintenance: Retail Material Master | Used to change one or more Retail Material Master records simultaneously.
FMMI | Mass Maintenance of Open Intervals | Used to change one or more Open Intervals simultaneously.
WTAD_VKHM_MAINTAIN | Mass Maintenance Materials/Adds. | Used to change one or more Material Master records simultaneously.
IMAM | Mass maintenance of appropriation requests | Used to change one or more appropriation requests simultaneously.
KE55 | Mass Maintenance Profit Centre Master Data | Used to change one or more Profit Centre master records simultaneously.
KE56, KE57 | EC–PCA: Mass Maintenance Company Code Assignment | Used to change one or more company code assignments simultaneously.
MASSOBJ | Maintain Mass Maintenance Objects | Used to change one or more objects simultaneously.
OB_GLACC11, OB_GLACC12, OB_GLACC13 | G/L acct record: Mass maintenance | Used to change one or more G/L records simultaneously.
QI05, QI06 | QM Mass maintenance Procurement keys | Used to change one or more QM Procurement keys simultaneously.
SOY1 | SAPoffice: Mass Maintenance Users | Used to change one or more users simultaneously.
SU10 | User Mass Maintenance | Used to change one or more users simultaneously.
WB30 | Mass maintenance MG to plant | Used to change one or more Plants or Material Groups simultaneously.
XD99 | Customer master mass maintenance | Used to change one or more customer master records simultaneously.
• Access should also be segregated from a user’s ability to delete the mass maintenance logs
that are generated when a user executes mass maintenance transactions.
Tcode | Name | Description
MSL2 | Delete Mass Maintenance Logs | Allows for the deletion of the mass maintenance log, a key audit trail in the performance of Mass Maintenance.
USEFUL REPORTS
Procedures should be implemented for review of the Mass Maintenance log on a periodic
basis to ensure inappropriate mass maintenance actions are not occurring.
Tcode | Name | Description
MSL1 | Mass Maintenance Log | Provides access to an audit trail of mass maintenance activity performed.
Workflow
Functional Overview
Workflow has become a feature of many SAP implementations where repetitive and often manual business
processes can be automated to achieve efficiency gains. Through automated routing of transactions, Workflow
is particularly suited to notification and approval tasks.
Human Resources processes such as ESS (Employee Self Service), Time Management and the Manager’s Desktop
in particular make extensive use of Workflow for the approval of tasks such as leave requests or the completion
of staff appraisals.
‘Deadline Monitoring’ can be incorporated in the design of workflows to issue reminders for items that have
not been actioned within a reasonable timeframe, or to escalate unactioned workflow items for the attention
of others. In addition, the Workflow administrator should review for slow moving, unprocessed or erroneous
transactions. These transactions can result in business dissatisfaction or inefficient business processes and should
be carefully monitored and resolved as required.
Below is an example of the use of Workflow in the Purchase Requisition (PR) creation and approval process.
Workflow example (diagram):
Triggering event: PR raised over $5000.
User task: PR sent to the requester's manager for approval.
Until loop step: wait for approval.
Deadline monitoring: performed to identify exceptions, issue a reminder or escalate to the next level approver.
Decision, approved: workflow result is that an SAP PO is automatically created.
Decision, rejected: workflow result is that the requester is notified of the rejection and the reason.
SIGNIFICANT RISKS
• Rules for the system selecting an approver, or delegate of an approver are not correctly
defined. This is particularly an issue when the process is driven by the organisational
structure.
• Managers do not review workflow tasks and respond on a timely basis resulting in user
dissatisfaction and inefficient business processes.
• Routing of transactions may not be fully defined resulting in unprocessed items.
• Deadline Monitoring processes are not put in place to monitor Workflow transactions.
SECURITY CONSIDERATIONS
• Access to the following Workflow related transactions should be restricted to authorised
users only.
Tcode | Name | Description
SWXX | Workflow related transactions | Workflow transactions are prefixed with SW. These transactions should be restricted to Workflow administration staff.
• Access should also be restricted to any alternative or client developed Workflow
based transactions, based on the level of implementation of workflow performed.
USEFUL REPORTS
The following reports can be used in the administration of workflow:
Report Transaction | Name | Description
PFTC_DIS | Display Task | Allows the display of workflow templates and configuration (incl. the graphical workflow representation in the workflow builder).
SWI1 | Selection report for Work Items | Displays work items and their current statuses. Allows the selection and display of individual work items.
SWI2_ADM1 | Workflow Items without Agents | Allows the monitoring of workflow items without appropriate user assignments.
SWI2_DEAD | Workflow Items with monitored Deadlines | Allows you to monitor workflow deadlines.
SWI2_DIAG | Diagnosis of Workflows with Errors | Error analysis and diagnosis.
Procurement to payables
Procurement to payables
SECTION CONTENTS
Background ..... 37
Enterprise Buyer Professional (EBP) ..... 38
  Functional Overview ..... 38
  Significant Risks ..... 39
  Configuration Hot Spots ..... 39
  Security Considerations ..... 41
  Useful Reports ..... 42
Vendor Field Groups ..... 43
  Functional Overview ..... 43
  Significant Risks ..... 43
  Configuration Hot Spots ..... 43
  Security Considerations ..... 43
Dual Control for Changes to Master Records ..... 44
  Functional Overview ..... 44
  Significant Risks ..... 44
  Configuration Hot Spots ..... 44
  Security Considerations ..... 44
  Useful Reports ..... 45
Blanket Purchase Orders ..... 46
  Functional Overview ..... 46
  Significant Risks ..... 46
  Configuration Hot Spots ..... 46
  Security Considerations ..... 47
  Useful Reports ..... 47
Logistics Invoice Verification ..... 48
  Functional Overview ..... 48
  Significant Risks ..... 48
  Configuration Hot Spots ..... 49
  Security Considerations ..... 49
Automatic PO Creation ..... 51
  Functional Overview ..... 51
  Significant Risks ..... 51
  Configuration Hot Spots ..... 51
  Security Considerations ..... 51
  Useful Reports ..... 52
Background
An overview of the functionality and risks and controls of the procurement to payables component as at
Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. This functionality has undergone
a number of changes since this release; these changes have been implemented to improve efficiency and controls
within the procurement to payables processes and are detailed across the following sections:
Enterprise Buyer Professional (EBP)
EBP has been developed to increase efficiency in the procurement process. This is achieved through the use
of on-line catalogues containing approved vendors and goods, where users can request the supply of goods
through a ‘shopping basket’ process.
Vendor Master Data
While vendor master data in itself has not changed significantly in Version 4.6C, the controls and methods
for securing vendor master data have been improved. Improvements have included the introduction of
vendor field groups and authorisation of changes made to sensitive vendor fields.
Blanket Purchase Orders (POs)
With Release 4.0A of SAP it has become possible to create POs with a value limit and a validity period instead of
a delivery date, making it possible to create Blanket POs rather than having to create a PO for each requirement
when purchasing goods to be consumed immediately.
Logistics Invoice Verification (LIV)
While LIV has been available in SAP since Release 3.0A, a number of enhancements have been made to
LIV processes.
Automatic PO Creation
On entry of a goods receipt for which a PO has not been created, it is possible to configure the SAP system so
that these POs are automatically created.
Mass Maintenance of Master Data
Functionality has been implemented to allow for Mass Maintenance of master data including Material and
Vendor Master records. Details of Mass Maintenance functionality have been provided in the Basis and Cross
Application components section of this handbook.
Enterprise Buyer Professional (EBP)
Functional Overview
EBP (previously BBP) was developed to allow users to purchase predefined products from approved vendors using
an on-line catalogue. Users browse through the on-line catalogue selecting products and required quantities
that are then put into a user's Shopping Cart.
The EBP process is summarised using the following diagram:
Catalogues available to users may be internal or external. Where external catalogues are available, the approved
vendors can maintain these.
EBP users do not enter prices or material descriptions as these are selected from the catalogue. Most header
information for the order is automatically populated by EBP (e.g. delivery date which is populated through the
use of the Vendor Info Record and Vendor is automatic from the catalogue).
The EBP user specifies the deliver-to address from a list of pre-defined configured deliver-to addresses.
The EBP system resides on a separate SAP installation to the core SAP system and therefore requires a separate
SAP Basis installation. This means that Basis settings and parameters should also be correctly configured to
appropriately control the EBP environment.
Diagram: Enterprise Buyer Professional process. The requester selects goods from the catalogue and places them in the 'shopping trolley'. The requester submits the 'shopping trolley' and Workflow routes it to the delegate or approver. The delegate or approver receives and approves or rejects the request via Workflow. On approval a purchase order is created. Goods are received by the requester, who enters the goods receipt into EBP. The invoice is received from the supplier or generated through evaluated receipts settlement. A three way match is performed and payment made. The diagram marks each step as processed in the EBP system, in EBP or the core R/3 system, or in the core R/3 system.
SIGNIFICANT RISKS
• Approval processes and Workflow are not appropriately defined resulting in unauthorised
procurement of goods.
• Limits for shopping trolley, approval levels or minimum value of shopping trolleys not
requiring approval may not be correctly configured resulting in inappropriate procurement
of goods.
• Changes to shopping trolleys may be executed following approval resulting in non-authorised
procurement of goods.
• Invoices can be entered via EBP resulting in increased risk of inappropriate access or
segregation of duties risks.
CONFIGURATION HOT SPOTS
• Back end interfacing systems should be defined to ensure that data is interfaced
appropriately. This will generally mean defining the interface between the EBP system and
the core R/3 system.
• Fields, or attributes, to appear on EBP screens should be defined. This will include defining
the user groups and activities that can be performed for each of the fields (for example,
define that the requester can ‘change’ the deliver-to address).
• Key fields to be completed should be configured as mandatory to ensure all relevant
information is captured. This will ensure that data is available to create relevant
purchasing documents.
• Product catalogues should be configured to ensure that users are able to appropriately
select from approved internal or external sources.
• Workflow should be configured to ensure appropriate approval processes are triggered
when an EBP transaction is executed.
• Deliver-to addresses should be configured to ensure goods are only delivered to approved
delivery points.
• Appropriate delegation limits should be configured for EBP transactions. For example,
consideration should be given to the configuration of the following through Workflow
events.
Condition and example:
No Approval: Where shopping trolleys are less than an approved amount, the Workflow may be configured so that No Approval is required. Limits should be applied in line with delegation policy.
Single Approval: Where the shopping trolley is greater than the No Approval limit, manager approval should be required and configured through Workflow. This should ideally be driven from the organisational structure.
Double Approval: Consideration should be given to the application of a Double Approval step where the value of the purchase is above a specified amount. In this case a line manager and a higher-level manager would approve.
• High-risk material groups should be configured to require approval regardless of the
dollar value of the goods provided. This may improve controls with regard to certain
materials that are at particular risk of inappropriate purchase.
• Output from the execution of EBP transactions should be configured.
For example, POs may be automatically generated following the entry and approval of
an EBP transaction. Alternatively, purchase requisitions may be generated and require a
Purchasing Officer to create the PO.
• Payment terms configured in the EBP system should correspond with those defined in the
core SAP system to ensure that there are no inconsistencies.
SECURITY CONSIDERATIONS
• The EBP system resides on a separate instance of SAP and interfaces with a core SAP
system. The EBP system Basis components should be appropriately configured and
secured.
• Consideration should be given to configuration of Personalisation settings at an individual
or role level. These may include the following:
Personalisation object key and description:
BBP_APPROVAL_LIMIT: Highest value of shopping cart that can be approved.
BBP_SPENDING_LIMIT: Value above which approval is necessary.
BBP_WFL_SECURITY_BADI: Specifies whether changes can be made, or what actions should be taken when changes are made, to a shopping cart during the approval process. Consideration should be given to forcing the approval process to re-start when changes are made.
• EBP administration transactions as well as EBP end user transactions should be
appropriately restricted. These include, but are not limited to:
Tcode, name and description:
BBPAT03 (Create User): EBP transaction used to create a user ID.
BBPAT04 (Forgotten User ID/Password): EBP transaction to request / apply for a password and user ID.
BBPAT05 (Change User Data): Transaction used to change or display EBP user details.
BBPIV01, BBPIV02, BBPIV03 (Entry of Invoice): EBP transactions used to enter invoices.
BBPPU07 (Access to the Manager's Inbox): EBP transaction used to access the Manager's Inbox and related information.
BBP_BW_SC3, BBP_BW_SC4 (Shopping Carts per product or per Cost Center): Business Warehouse reports used to display summarised shopping cart information.
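The approval conditions and personalisation values above, worked through as an added example (not SAP code and not from the handbook): a small Python model of how a shopping cart is routed for No, Single or Double Approval, how BBP_SPENDING_LIMIT, BBP_APPROVAL_LIMIT and high-risk material groups affect the route, and why the approval process should restart when an approved cart is changed. All user IDs, limits and material groups are constructed sample values; the organisational chain and the double-approval threshold are assumptions.

```python
"""Added illustration of EBP shopping cart approval routing (not SAP code).

Models the handbook's No / Single / Double Approval conditions, the
BBP_SPENDING_LIMIT and BBP_APPROVAL_LIMIT personalisation values, approval of
high-risk material groups regardless of value, and the recommended restart of
the approval process when a submitted cart is changed. All data is constructed.
"""
from dataclasses import dataclass


@dataclass
class Cart:
    cart_id: str
    requester: str
    total: float            # constructed value in the agency's currency
    material_groups: set
    version: int = 1        # incremented on every change after submission


@dataclass
class Policy:
    spending_limit: float        # BBP_SPENDING_LIMIT: no approval needed at or below this
    double_approval_from: float  # hypothetical value from which two approvers are required
    high_risk_groups: set        # material groups that always require approval
    approval_limits: dict        # BBP_APPROVAL_LIMIT per approver user ID
    manager_of: dict             # organisational structure: user ID -> line manager


def approval_route(cart: Cart, policy: Policy) -> list:
    """Return the ordered approvers Workflow must route the cart through.

    The route walks up the organisational structure from the requester until
    an approver whose BBP_APPROVAL_LIMIT covers the cart value is reached; at or
    above the double approval threshold at least two approvers are required.
    """
    high_risk = bool(cart.material_groups & policy.high_risk_groups)
    if cart.total <= policy.spending_limit and not high_risk:
        return []                                      # No Approval
    needed = 2 if cart.total >= policy.double_approval_from else 1
    route, approver = [], policy.manager_of.get(cart.requester)
    while approver is not None:
        route.append(approver)
        covered = policy.approval_limits.get(approver, 0.0) >= cart.total
        if covered and len(route) >= needed:
            return route
        approver = policy.manager_of.get(approver)
    raise ValueError(f"no approver can cover cart {cart.cart_id} ({cart.total})")


class ApprovalWorkflow:
    """Minimal stand-in for the EBP approval work item."""

    def __init__(self, cart: Cart, policy: Policy):
        self.cart, self.policy = cart, policy
        self.route = approval_route(cart, policy)
        self.approvals = []      # (approver, cart version) in approval order
        self.log = []

    @property
    def status(self) -> str:
        done = len(self.approvals) == len(self.route)
        return "APPROVED" if done else "AWAITING_APPROVAL"

    def approve(self, approver: str) -> str:
        if self.status == "APPROVED":
            raise ValueError("cart is already approved")
        expected = self.route[len(self.approvals)]
        if approver != expected:
            raise PermissionError(f"{approver} is not the next approver ({expected})")
        if approver == self.cart.requester:
            raise PermissionError("requester may not approve their own cart")
        self.approvals.append((approver, self.cart.version))
        self.log.append(("approve", approver, self.cart.version))
        return self.status

    def change_cart(self, new_total: float = None, add_groups=()) -> str:
        """Change a submitted cart and restart its approval.

        This is the restart behaviour the handbook recommends configuring via
        BBP_WFL_SECURITY_BADI: the route is recalculated for the new content and
        every approval already given is discarded, so a cart cannot be approved
        at one value and ordered at another.
        """
        if new_total is not None:
            self.cart.total = new_total
        self.cart.material_groups |= set(add_groups)
        self.cart.version += 1
        self.route = approval_route(self.cart, self.policy)
        self.approvals = []
        self.log.append(("change", self.cart.total, self.cart.version))
        return self.status


# Constructed sample policy: limits, high-risk groups and a three-level chain.
SAMPLE_POLICY = Policy(
    spending_limit=500.0,
    double_approval_from=10_000.0,
    high_risk_groups={"IT_HARDWARE", "GIFT_CARDS"},
    approval_limits={"mgr_jones": 5_000.0, "dir_smith": 50_000.0, "ceo_lee": 1_000_000.0},
    manager_of={"req_brown": "mgr_jones", "mgr_jones": "dir_smith", "dir_smith": "ceo_lee"},
)

if __name__ == "__main__":
    wf = ApprovalWorkflow(Cart("SC-1", "req_brown", 2_000.0, {"STATIONERY"}), SAMPLE_POLICY)
    print(wf.route, wf.approve("mgr_jones"))             # ['mgr_jones'] APPROVED
    print(wf.change_cart(new_total=12_000.0), wf.route)  # AWAITING_APPROVAL ['mgr_jones', 'dir_smith']
```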
USEFUL REPORTS
EBP is an extension of existing procurement functionality and, as such, core SAP reports
applicable to procurement are equally applicable to EBP processes.
Workflow is key to successful operation of EBP. Work items may be left in error or not resolved
resulting in failure of the EBP process. Processes should be put in place for the running of
control reports to ensure that all transactions are processed appropriately.
Consideration should also be given to reviewing reports detailing catalogue content changes
for all external catalogues to ensure these are appropriate.
Vendor Field Groups
Functional Overview
As of Version 3.1H of SAP, field groups have been implemented to improve controls over changes to vendor (and
customer) master records. Vendor field groups can be used to restrict the access of a user to a subsection of
fields within the vendor master records.
Field groups are an effective way of restricting access to maintain highly sensitive master data (including bank
details) from other general data (such as phone numbers) which a larger group of users may require access to
maintain.
Dual control can be used for both customer and vendor master records to improve controls over key fields. When
a change is made to a sensitive field the SAP system can be configured to require release of a change made.
SIGNIFICANT RISKS
Details of risks associated with the vendor master data are provided on Page 21 of the Security
and Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:
• Unauthorised changes to vendor master data details may result in inappropriate payment.
CONFIGURATION HOT SPOTS
• Vendor field groups should be appropriately defined. This is generally best executed by
defining logical sets of fields (i.e. segregating address and payment information into
different vendor field groups).
SECURITY CONSIDERATIONS
• Access to maintain field groups, including assignment of fields to field groups, should be
restricted.
• Users should be assigned appropriate field group authorisations based on authorisation
object ‘F_LFA1_GRP’ — ‘Vendor: Account Group Authorisation’. This object is used to
specify which activities are permitted for the individual account groups.
Dual Control for Changes to Master Records
Functional Overview
Dual Control has been provided to have greater control over changes to sensitive data. When configured, the
Dual Control functionality creates segregation between the changing and approval of changes to sensitive fields.
This is applicable to both the vendor and customer master records.
SIGNIFICANT RISKS
Details of risks associated with the Vendor Master are provided on Page 21 of the Security and
Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:
• Unauthorised changes to vendor master details may result in inappropriate payment.
CONFIGURATION HOT SPOTS
• Fields that require dual control must be configured as sensitive fields. When configured,
each change to the field is subject to an independent confirmation. It should be noted
that a user cannot confirm their own changes.
• Processes for the confirmation of changes should be configured. This can be performed
through workflow events or through manual processes.
SECURITY CONSIDERATIONS
• Access to define sensitive fields should be appropriately restricted to ensure that fields are
not inappropriately removed from the sensitive fields table.
• Access to the following confirmation transactions should be appropriately restricted to
relevant purchasing staff. This includes:
Tcode, name and description:
FK08 (Confirm Vendor Changes Individually): Used to confirm or approve vendor changes that are made.
FK09 (Confirm Vendor Changes List): Used to list vendor changes that require confirmation.
FD08 (Confirm Customer Changes Individually): Used to confirm or approve customer changes that are made.
FD09 (Confirm Customer Changes List): Used to list customer changes that require confirmation.
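The two vendor master controls described in this and the preceding section, field groups and dual control, as one added worked example (not SAP code and not from the handbook): a Python model in which a user may only maintain fields in the field groups they are authorised for, and a change to a sensitive field leaves the vendor blocked for payment until a different user confirms it. The field groups, user authorisations and vendor records are constructed sample data; the class and method names are hypothetical.

```python
"""Added illustration of vendor master change controls (not SAP code).

Models the two controls described in this handbook: vendor field groups that
limit which fields a user may maintain (the effect of F_LFA1_GRP), and dual
control, under which a change to a sensitive field leaves the vendor blocked
for payment until a different user confirms it (cf. FK08/FK09). All field
groups, users and vendor records are constructed sample data.
"""
from dataclasses import dataclass

# Constructed field groups: logical sets of vendor master fields.
FIELD_GROUPS = {
    "ADDRESS": {"street", "city", "telephone"},
    "PAYMENT": {"bank_account", "bank_key", "payment_terms"},
}
# Sensitive fields: every change needs independent confirmation.
SENSITIVE_FIELDS = {"bank_account", "bank_key"}
# Constructed user -> field group authorisations (stand-in for F_LFA1_GRP).
USER_FIELD_GROUPS = {
    "clerk_a": {"ADDRESS"},
    "clerk_b": {"ADDRESS", "PAYMENT"},
    "supervisor": {"ADDRESS", "PAYMENT"},
}


@dataclass
class PendingChange:
    vendor: str
    field_name: str
    old_value: str
    new_value: str
    changed_by: str


@dataclass
class Vendor:
    number: str
    data: dict
    payment_blocked: bool = False   # set while a sensitive change awaits confirmation


class VendorMaster:
    def __init__(self, vendors):
        self.vendors = {v.number: v for v in vendors}
        self.pending = []     # the confirmation list a reviewer would see in FK09
        self.change_log = []  # (vendor, field, old, new, changed_by, confirmed_by)

    @staticmethod
    def maintainable_fields(user: str) -> set:
        """Union of the fields in every field group the user is authorised for."""
        groups = USER_FIELD_GROUPS.get(user, set())
        return set().union(*(FIELD_GROUPS[g] for g in groups))

    def change(self, user: str, vendor_no: str, field_name: str, new_value: str) -> str:
        if field_name not in self.maintainable_fields(user):
            raise PermissionError(f"{user} has no field group authorisation for {field_name}")
        vendor = self.vendors[vendor_no]
        old_value = vendor.data.get(field_name)
        vendor.data[field_name] = new_value
        if field_name in SENSITIVE_FIELDS:
            # Dual control (modelled): the value is stored but payments to the
            # vendor stay blocked until a second user confirms the change.
            self.pending.append(PendingChange(vendor_no, field_name, old_value, new_value, user))
            vendor.payment_blocked = True
            return "PENDING_CONFIRMATION"
        self.change_log.append((vendor_no, field_name, old_value, new_value, user, None))
        return "POSTED"

    def _pending_for(self, user: str, vendor_no: str) -> list:
        todo = [p for p in self.pending if p.vendor == vendor_no]
        if not todo:
            raise ValueError(f"no pending changes for vendor {vendor_no}")
        if any(p.changed_by == user for p in todo):
            raise PermissionError(f"{user} cannot confirm or reject their own change")
        return todo

    def confirm(self, user: str, vendor_no: str) -> str:
        """Confirm all pending changes for a vendor, as FK08 would."""
        for p in self._pending_for(user, vendor_no):
            self.change_log.append((p.vendor, p.field_name, p.old_value, p.new_value, p.changed_by, user))
            self.pending.remove(p)
        self.vendors[vendor_no].payment_blocked = False
        return "CONFIRMED"

    def reject(self, user: str, vendor_no: str) -> str:
        """Reject pending changes, reverting the sensitive fields (modelled)."""
        vendor = self.vendors[vendor_no]
        for p in self._pending_for(user, vendor_no):
            if p.old_value is None:
                vendor.data.pop(p.field_name, None)
            else:
                vendor.data[p.field_name] = p.old_value
            self.pending.remove(p)
        vendor.payment_blocked = False
        return "REJECTED"

    def payable(self, vendor_no: str) -> bool:
        return not self.vendors[vendor_no].payment_blocked

    def confirmation_list(self) -> list:
        """Vendors with changes awaiting confirmation (cf. FK09)."""
        return sorted({p.vendor for p in self.pending})
```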
USEFUL REPORTS
Lists of changes that are waiting to be confirmed can be generated using transaction FK09
(Vendor Changes List) and FD09 (Customer Changes List).
Blanket Purchase Orders
Functional Overview
Up until Release 4.0A, a Purchase Order (PO) would generally need to be created for each requirement, including
orders placed for goods that were to be consumed immediately. The PO served as the basis for the creation of
the goods receipt (if required) and for the invoice verification process.
As of Release 4.0A, Blanket POs have made it possible to create a PO with a value limit and a validity period
instead of a delivery date. These documents are created with a document type ‘FO’ and an item category of B
— Limit.
The benefit of utilising Blanket POs is that they allow a user to procure various materials or services from
vendors in cases where the creation and processing of individual POs is not deemed economical. Blanket POs
would generally be utilised for low value, high use items for which this process is deemed appropriate.
It should be noted that in order to utilise Blanket POs, Logistics Invoice Verification (LIV) must be used.
SIGNIFICANT RISKS
• No goods receipt or entry and acceptance of services is required with Blanket Purchase
Orders. Invoices are posted directly with reference to the order which may result in bypass
of purchasing controls.
CONFIGURATION HOT SPOTS
• Tolerances specific to Blanket Purchase Orders should be correctly configured to ensure
that when an invoice exceeds these limits these will be appropriately blocked for review.
Tolerances to be configured include:
Tolerance code, name and description:
LA (Amount of Blanket Purchase Order): Determines if the value limit of the Blanket Purchase Order has been exceeded by the processed invoices and blocks any invoices which will exceed the PO value. An upper percentage or absolute tolerance may be defined.
LD (Blanket Purchase Order time limit exceeded): Determines whether the posting date of the invoice is within the configured tolerance of the Blanket Purchase Order's valid time. The system compares the number of days outside the Blanket Purchase Order's validity date with a configured absolute upper limit.
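The LA and LD tolerance checks above, as an added worked example (not SAP code and not from the handbook): a Python model that runs a series of invoices against a Blanket PO and reports which would be blocked for exceeding the value limit plus tolerance, or for a posting date too far outside the validity period. PO values, tolerances, invoices and the PO number are constructed sample data; the function and field names are hypothetical.

```python
"""Added illustration of Blanket Purchase Order invoice tolerances (not SAP code).

Models the LA and LD checks described above: LA blocks an invoice once the
cumulative invoiced value exceeds the Blanket PO value limit plus tolerance,
LD blocks an invoice whose posting date lies outside the PO validity period by
more than an absolute number of days. PO values, tolerances and invoices are
constructed sample data; the field and function names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class BlanketPO:
    po_number: str
    value_limit: float
    valid_from: date
    valid_to: date
    doc_type: str = "FO"     # Blanket POs use document type FO, item category B


@dataclass
class Tolerances:
    la_upper_pct: float = None   # LA: upper percentage tolerance on the value limit
    la_upper_abs: float = None   # LA: upper absolute tolerance on the value limit
    ld_upper_days: int = 0       # LD: days the posting date may fall outside validity


def la_ceiling(po: BlanketPO, tol: Tolerances) -> float:
    """Highest cumulative invoiced value that passes the LA check.

    When both a percentage and an absolute tolerance are set, exceeding either
    blocks the invoice, so the smaller allowance applies (modelling assumption).
    """
    allowances = []
    if tol.la_upper_pct is not None:
        allowances.append(po.value_limit * tol.la_upper_pct / 100.0)
    if tol.la_upper_abs is not None:
        allowances.append(tol.la_upper_abs)
    return po.value_limit + (min(allowances) if allowances else 0.0)


def days_outside_validity(po: BlanketPO, posting_date: date) -> int:
    """Days by which the posting date precedes or follows the validity period."""
    if posting_date < po.valid_from:
        return (po.valid_from - posting_date).days
    if posting_date > po.valid_to:
        return (posting_date - po.valid_to).days
    return 0


def blocking_reasons(po, tol, prior_invoiced, amount, posting_date) -> list:
    """Return the blocking reasons ('LA', 'LD') for one new invoice."""
    reasons = []
    if prior_invoiced + amount > la_ceiling(po, tol):
        reasons.append("LA")
    if days_outside_validity(po, posting_date) > tol.ld_upper_days:
        reasons.append("LD")
    return reasons


def check_invoices(po, tol, invoices) -> dict:
    """Run every invoice in posting order and return {invoice_no: reasons}.

    A blocked invoice is modelled as still posted against the PO (blocked for
    payment, not rejected), so its value counts towards the LA total.
    """
    result, invoiced = {}, 0.0
    for inv_no, amount, posting_date in invoices:
        result[inv_no] = blocking_reasons(po, tol, invoiced, amount, posting_date)
        invoiced += amount
    return result


# Constructed sample data.
SAMPLE_PO = BlanketPO("4500001234", 10_000.0, date(2004, 1, 1), date(2004, 6, 30))
SAMPLE_TOL = Tolerances(la_upper_pct=5.0, la_upper_abs=1_000.0, ld_upper_days=7)
SAMPLE_INVOICES = [
    ("INV-0", 100.0, date(2003, 12, 15)),   # 17 days before validity starts
    ("INV-1", 6_000.0, date(2004, 2, 10)),
    ("INV-2", 4_000.0, date(2004, 5, 1)),   # cumulative 10 100, within the 5 % tolerance
    ("INV-3", 800.0, date(2004, 7, 5)),     # over limit + 5 %, only 5 days late
    ("INV-4", 100.0, date(2004, 7, 15)),    # over limit and 15 days late
]

if __name__ == "__main__":
    for inv_no, reasons in check_invoices(SAMPLE_PO, SAMPLE_TOL, SAMPLE_INVOICES).items():
        print(inv_no, reasons or "released")
```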
SECURITY CONSIDERATIONS
• Access should be restricted to be able to create or change Blanket Purchase Orders due to
the increased risks associated with this. This may be performed by restricting users access
to document type FO.
• Access should be restricted to transactions which can be used to create purchase orders
including:
Tcode, name and description:
ME21, ME21N (Create Purchase Order): Transactions used to create POs.
ME22, ME22N (Change Purchase Order): Transactions used to change existing POs.
MEMASSPO (Mass Change of Purchase Orders): Allows a user to update a large number of POs simultaneously.
MEPO (Purchase Order): Enjoy transaction used to create and change PO documents.
USEFUL REPORTS
While there are no Blanket Purchase Order specific SAP delivered standard reports,
management should consider developing reporting to identify the following:
• Blanket POs that have expired or are about to expire and require re-assessment and
potentially recreation.
• Blanket POs that have been created, to ensure that these are appropriate and approved.
This may be produced using standard reports, with selection based on the Blanket PO
document type.
Logistics Invoice Verification
Functional Overview
Logistics Invoice Verification (LIV) has undergone a number of enhancements up to Version 4.6C of SAP. LIV is
part of the Materials Management component and is used to complete the procurement process.
LIV has been developed based on the conventional invoice verification processes and as such, this section should
be read in conjunction with page 39 of the Security and Control for SAP R/3 handbook — Procurement to
Payables section. Functions of the conventional invoice verification processes are available through LIV, however
these separate components may continue to be run in tandem.
LIV provides additional functionality that was not available in the conventional invoice verification processes,
including the disbursement of information to the Materials Management and Finance components. Additional
functionality has been developed by SAP for the LIV process, which includes but is not limited to the following:
• Invoices can be verified on-line or in the background.
• Multiple account assignments or multiple company codes for posting can be used.
• The system can be automatically configured to post a credit memo for the difference between the value
of the invoice and the value for which the system expected an invoice. This can be particularly useful for
vendors who consistently over-charge.
• Workflow can be integrated into the invoice process to aid in the resolution of blocked invoices.
SIGNIFICANT RISKS
Significant risks associated with LIV are detailed in the Security and Controls for SAP R/3
Handbook page 40 that discusses the invoice verification process. These include the following:
• Invoices may not match the corresponding purchase order and/or goods receipt. However,
they may still be processed for payment.
• Invoices may be processed that do not relate to a valid purchase order in the system.
CONFIGURATION HOT SPOTS
• LIV invoices can be processed in the background. Where background processing occurs,
the system can be configured to assign the status of ‘Verified as correct’ or ‘Completed’
on a Company Code by Company Code basis. Consideration should be given to configuring
background-processed invoices as ‘Verified as correct’ so that, following review, these
invoices can then be marked as ‘Completed’.
• Tolerance groups can be configured for individual vendors (Transaction OMRX). Tolerance
groups define the way the system reacts to positive or negative invoice differences.
Tolerance groups defined can be assigned to each vendor in the vendor master record and
can be effective in reducing processing time where vendors consistently over charge. This
is achieved by configuring the system to treat variances received appropriately.
• Where invoices are blocked, Workflow events can be triggered. Typically the blocking of an
invoice will trigger a Workflow item to the buyer, who can then change the PO, release
the invoice items or flag the invoice as in dispute.
SECURITY CONSIDERATIONS
• With the introduction of LIV, a number of new transactions have been created which
should be appropriately restricted. Consideration should be given to restricting access to
the following key LIV transactions:
Tcode, name and description:
MIRO (Enter Invoice): Enjoy transaction used to process invoices.
MIR7 (Park Invoice): Used to park invoices where ‘Park and Post’ functionality is utilised.
MIRA (Enter Invoices for Invoice Verification in the Background): Processes invoices for verification via background processing.
MR8M (Cancel Invoice Document): Used to cancel invoice documents.
MRBR (Release Blocked Invoices): Allows the user to release blocked invoices for processing and payment.
MIR6 (Invoice Overview): Provides for analysis of invoices by various selection criteria.
MR90 (Output Messages): Allows for viewing output documents generated from SAP.
MRRL (Evaluated Receipt Settlement (ERS)): Provides for automatic settlement of ERS transactions.
MRKO (Consignment and Pipeline Settlement): Automatically settles withdrawals from consignment and pipeline.
MRIS (Invoicing Plan Settlement): Provides for automatic settlement based on the invoicing plan.
MRNB (Revaluation): Used to re-value purchases based on retrospective changes.
MRA1 (Create Archive): Allows for the archiving of documents.
MRA2 (Delete Documents): Allows for the deletion of documents.
• As with all invoice processes, consideration should be given to restricting access to invoice
verification functions by company code and plant.
• Access to the authorisation object ‘Invoices: Blocking reasons’ should also be restricted to
ensure that only authorised users are able to release blocked invoices. It is critical that the
releasing function be segregated from invoice entry, to ensure that the approval processes
are not compromised.
Automatic PO Creation
Functional Overview
Release 4.0A enables the SAP system to be configured to automatically create a Purchase Order (PO) during the
Goods Receipt (GR) process. In order for this process to occur, standing data must be created as SAP valuates
the GR at the price defined in the Purchasing Info Record.
SIGNIFICANT RISKS
• Automatic creation of POs at the point of GR results in bypass of purchase order controls
(e.g. electronic approval).
CONFIGURATION HOT SPOTS
• In order for this to occur each plant must be assigned to a purchasing organisation so that
the system can determine the purchasing info records.
• SAP can be configured to automatically create a PO for certain pre-defined movement
types.
SECURITY CONSIDERATIONS
• Where automatic creation of a PO at GR is available, access to process Goods Receipts should be
restricted to appropriate staff.
Tcode, name and description:
MB01 (Post Goods Receipt for PO): Transaction used to process a Goods Receipt where a PO is available.
MB0A (Post Goods Receipt for PO): Transaction used to process a Goods Receipt where a PO is available.
MB1C (Other Goods Receipts): Allows for the processing of Goods Receipts other than by reference to a PO.
USEFUL REPORTS
While there are no specific SAP delivered standard reports with regard to automatically
created POs, consideration should be given to developing reports to identify POs created to
ensure that these are approved and generated in line with business process requirements.
Financial accounting
SECTION CONTENTS
Background ... 55
General Ledger ... 56
  Functional Overview ... 56
  Significant Risks ... 58
  Configuration Hot Spots ... 58
  Security Considerations ... 59
  Useful Reports ... 60
Asset Accounting ... 61
  Functional Overview ... 61
  Significant Risks ... 62
  Configuration Hot Spots ... 62
  Security Considerations ... 62
  Useful Reports ... 63
Background
An overview of the functionality, risks and controls of the Financial Accounting module as at Version 3.1H
is covered within the full Better Practice Handbook for SAP R/3. The Financial Accounting module of SAP has
undergone a number of changes since Version 3.1H. Whilst many of these changes do not have a significant
controls impact, there are a number where additional control functionality has been made available through
enhancements. These are detailed in the following subsections:
General Ledger
Since the General Ledger forms the core of the SAP financials package, very few significant changes have been
applied to this area. However, a number of additional inherent and configurable controls have been added to
enhance the control environment.
Key changes to the General Ledger area include the addition of true reversal functionality simplifying reversal
postings and the inclusion of a cash journal to enhance control over cash management activities.
Asset Accounting
Significant enhancements have been made around the Asset Accounting module. These have resulted in
improved asset management functionality. A key change in the Asset Management module is the introduction
of the Asset Explorer for improved asset reporting.
General Ledger
Functional Overview
A number of changes and enhancements have been made to the General Ledger since Release 3.1H. These
changes are outlined below:
• True Document Reversals and Negative Postings
As of Release 4.0A, reverse postings and adjustment postings can be indicated as negative postings. Negative
postings reduce transaction figures in customer, vendor, and G/L accounts without having to reverse the
document by posting a reversal document. This type of reversal is called a true reversal.
The true reversal functionality allows reversal postings to be traced back to original documents. This improves
accuracy of document reversals since these can now reference the original document.
• Reversal Reason Codes
In SAP Release 4.5B, reversal reason codes have been made mandatory fields. A number of default reversal reason
codes have been configured in SAP as standard, however additional codes may be configured.
Mandatory requirement for reversal reason codes adds additional control over the reversal of documents and
provides enhanced audit trail over the reversal of documents.
• Distributing Exchange Rates using ALE
As of SAP Release 4.5A, it is now possible to distribute exchange rates between SAP systems using Application
Link Enabling (ALE) technology. This improves controls over exchange rates ensuring these are consistent across
SAP systems and improves ease of maintenance.
• Cash Sub-Journals
The cash journal is a bank accounting sub ledger available for the management and reporting of cash positions.
The cash journal can be used independently of other posting transactions allowing more flexibility and accuracy
in cash management reporting.
The benefit of the cash journal is that opening and closing balances, as well as receipts and payments balances
are automatically calculated and displayed. The cash journal would also allow an agency to run more than one
cash journal per company code and to run separate cash journals for each currency.
• Alternative Payment Currency
Prior to 4.5A, payments in alternative currency could only be created and posted manually. As of 4.5A, it is
possible to enter a payment currency (which can differ to the standard currency of the document) for open
items to be paid automatically by the payment run. Users can specify an amount equal to the gross amount of
the item in the payment currency. The payment currency is supported in both Accounts Payable and Accounts
Receivable.
This facility reduces the risk of errors through removal of manual currency calculations.
• Editing G/L Account Master Records
The screen layout for G/L account master records has been reorganized to allow for G/L account master records
to be edited from the data screen.
Mass maintenance functionality is also available for G/L account master records to improve efficiency and
accuracy (refer to Basis and Cross Application Components of this handbook update for more detail).
• G/L Account Clearing Tolerances
As of 4.6A, tolerances for G/L account clearing have been extended. These tolerances, which are defined for a
user and an account, are used to determine whether the system will issue error messages to the user or post the
differences automatically.
These tolerances can be used to further restrict general tolerances that are in place for particular users or G/L
accounts as required.
• New Banking Interfaces
Since Release 4.5, new interfaces are available relating to Electronic Funds Transfer (EFT) and banking across
GL, AR and AP. These interfaces provide enhancements to electronic banking functionality allowing analysis of
notes to payees, the creation of custom electronic banking methods and the determination of business partners
from remittance advices.
The new functionality also enables central check routines and alternative check algorithms to be used when the
system checks banking attributes.
This extension of the standard banking interface controls provides greater flexibility in the control procedures
around bank interfaces. It also allows for automatic checking of banking attributes using appropriate check
routines and/or algorithms.
• Requesting G/L Account Master Data Changes via the Internet/Intranet
As of SAP Release 4.6C, it is possible to configure requests for master data changes to be sent via the Intranet/
Internet. The requester can request the creation, change, deletion or locking of G/L Account master data.
In this scenario a user will fill out a request form for the master data change in the Intranet/Internet. In the form,
the requester describes the reason for the request and submits to the responsible processor or processing group. The
processor or processing group then receives the request in their inbox or Workflow inbox in the SAP R/3 System.
The request form can be accessed from there, as can the transactions needed for processing master data.
This provides an improved audit trail and control over changes to G/L account master data.
• Foreign Currency Postings
For documents posted in foreign currency, it is now possible to post the rounding differences to a separate
revenue/expense account. This allows for greater control over variances providing standardisation and efficiency
in the handling of rounding errors.
SIGNIFICANT RISKS
Risks and controls as defined on page 72 of the Security and Control for SAP R/3 Handbook
remain relevant. Additional risks relevant to the new functionality include:
• Inappropriate document reversal processes are implemented.
• Inappropriate changes are made to General Ledger master data or the Chart of Accounts
through the use of mass maintenance functions.
CONFIGURATION HOT SPOTS
• Consideration should be given to whether negative postings are permitted for each
company code. Where true document reversals and negative postings are appropriate,
reversal reasons should be reviewed and configured to ensure they are in line with
business requirements and provide appropriate reasons for analysis purposes.
• In order to effectively use cash sub-journals these should be appropriately configured.
This will include:
– creating appropriate GL accounts for the Cash Journal;
– defining appropriate document types for Cash Journal documents; and
– defining appropriate number range intervals for Cash Journal documents.
• Where required, alternative payment currencies should be configured. This will include:
– maintaining automatic account assignments for payment differences arising during
payment; and
– defining appropriate accounts including clearing accounts for instances where payment
differences occur as a result of payment currency.
• Where processes have been implemented for the request of G/L Account Master Data
changes via the Internet/Intranet, appropriate approvals through Workflow should be
configured.
SECURITY CONSIDERATIONS
• New GL authorisation objects have been provided and should be taken into consideration
when defining security.
Authorisation object and description:
F_RQRSVIEW: Bank Ledger: Viewer for Request Response Messages.
• Existing roles should be reviewed to establish whether or not the new authorisation
objects should be added.
• Consideration should be given to the removal of access to legacy transactions.
Further, access to the following transactions should be restricted to relevant finance /
accounting staff:
Tcode, name and description:
GP12N (Planning): Enjoy transaction version of transaction GP12.
FS10N, FD10N, FK10N (G/L Account Balance): Enjoy transaction versions of FS10, FD10 and FK10.
FBL1N–FBL6N (Vendor Line Items): Enjoy transaction versions of FBL1–FBL6.
FB60 (Invoice Data Entry, Invoice/Credit Fast Entry): Update of previously used F–43 and FB10.
FB50 (G/L Posting): Update of previously used F–02 transaction.
USEFUL REPORTS
Improvements have been made in reporting of line items where a negative posting to an
account has taken place. To make the deriving of balances from the line item amounts easier,
negative postings are marked with a minus sign behind the posting key (or with a special
G/L indicator where necessary). This enhancement is aimed at eliminating errors by making
balances and line item reports easier to read and interpret.
Asset Accounting
Functional Overview
A number of changes have been implemented to enhance functionality around Asset Accounting.
• Custom Defined Fields
Asset number ranges which were previously assigned only by asset class can now be further defined based on
other fields in the asset master record, such as location and cost centre.
• Wizard for Creating Asset Classes from G/L Accounts
Up to now, it has been possible to create asset classes from an asset G/L account using the asset class generator.
An on-screen help wizard is now available to automate this process.
Previously, it was possible to create two different asset classes with the same name when using the asset class
generator. The system now prevents this from happening and assists in ensuring completeness and accuracy of
data input.
• Creating Assets from Purchase Orders and Purchase Requisitions
Since SAP Release 4.5A, an asset can be created from the purchase order and purchase requisition creation
transactions, where Materials Management is being used.
Asset master data information is entered through dialog boxes and directly into the asset master data
transactions. The user therefore requires appropriate access to create assets in order to utilise this functionality.
Where assets are not created appropriately, these are identifiable through the incomplete asset reporting
processes which were previously available in SAP.
• Intercompany Asset Transfers
With Release 4.0A, when assets are to be transferred between companies within a single SAP instance, the system
enables a user to post completely from the sending company code. The system automatically performs receiving
and asset creation if necessary in the receiving company code.
Please note, however, that this function is only available for transfers within a single client. Transfers between
clients or systems must be posted in two steps (retirement and acquisition).
• Multiple Asset Creation
Multiple assets can be created in one transaction provided they have identical asset classes and company codes.
When saved, a range of main or sub numbers and individual descriptions are assigned.
Previously, a user would need to create assets one-by-one, copy assets or create all assets as one asset in a
group asset.
• Asset Value Date
The Asset Value Date is the date used when posting asset transactions and has a direct influence on the
depreciation calculations. Previously, the rules for determining the asset value date for Asset Accounting
transactions were hard coded in SAP; functionality is now available to configure these dates.
While Asset Value Date customisation provides additional flexibility in calculating asset values, it may also lead to
inaccurate asset value dates, and therefore inaccurate asset values, being applied.
SIGNIFICANT RISKS
Risks and controls as defined on page 94 of the Security and Control for SAP R/3 Handbook
remain relevant. Additional risks relevant to the new functionality include the following:
• Asset Value Dates may be customised incorrectly resulting in inaccurate depreciation
calculation.
• Asset master records may not be set up correctly or may not contain all necessary data.
CONFIGURATION HOT SPOTS
• Asset Value Dates should not be configured unless required. If configuring of Asset Value
Dates is necessary, care should be taken to ensure these are in line with business and
accounting requirements.
SECURITY CONSIDERATIONS
• New Asset Accounting authorisation objects have been provided and should be taken into
consideration when defining security.
Authorisation Object   Description
A_S_KOSTL              Asset Master Record Maintenance: Company Code/Cost Centre.
                       This authorisation object allows users to be restricted to maintaining
                       asset master records for a particular cost centre or company code.
• Existing roles should be reviewed to establish whether or not the new authorisation
objects should be added.
• Consideration should be given to removal of access to obsolete transactions. Further,
access to the following transaction should be restricted to only relevant Finance / Asset
Accounting staff:
Tcode     Name             Description
AW01N     Asset Explorer   Provides access to many asset accounting functions.
USEFUL REPORTS
The Asset Explorer provides information on posted and planned asset values. This tool,
accessed through transaction AW01N provides access to functions available in the previous
asset value display transaction, however has extended this to provide improved access to and
display of asset information such as depreciation areas, asset master data and current year
transactions. The Asset Explorer also provides functions for printing the values as required.
Another change in reporting applicable to Asset accounting is the change from program
RASKBU00 for periodic posting of changes to asset values in a depreciation area, to a new
program RAPERB00. In Version 4.6C, report RASKBU00 no longer exists.
Controlling

SECTION CONTENTS
Background  66
Controlling  66
  Functional Overview  66
  Significant Risks  67
  Configuration Hot Spots  67
  Security Considerations  67
  Useful Reports  69
Background
An overview of the functionality, risks and controls of the Controlling (CO) module as at Version 3.1H
is covered within the full Better Practice Handbook for SAP R/3. The Controlling module has undergone a
number of enhancements and changes since this release; this has included the introduction of master data
enhancements and an alternative CO authorisation concept.
This section outlines the significant changes that have taken place in the controlling module since 3.1H and the
impact that this has had on security and controls.
Functional Overview
A number of changes and enhancements have been made to the CO Module since Release 3.1H. These changes
are outlined below:
• Parked Documents in Controlling
From Release 4.6A, the system now creates corresponding CO documents for parked documents from Financial
Accounting and Materials Management components.
This enables CO postings to be parked and then posted, creating a segregation and approval process.
• New CO Master Data Enhancements
As of Release 4.0A, it is possible to add additional master data fields for cost elements, cost centres, activity
types, and business processes. SAP allows the maintenance of these new fields within the original master data
processing locations.
When adding these master data fields, consideration should be given to the nature of this information and
whether additional custom security checks for these fields should be used.
• Requesting of Controlling Master Data Changes via the Internet/Intranet
As of SAP Release 4.6C, it is possible to put approval processes for master data changes in place via the Intranet/
Internet. The process for approval of these changes can be configured by workflow or other means.
Implementation of this approval process can provide an audit trail of reasons for changes to Controlling master
data and ensure that changes to Controlling master data will always have appropriate approvals.
• Deletion of Controlling Master Data
A test run function is available to check whether master data selected for deletion has any dependencies that
may cause issues, should the deletion process take place. The test run completes extensive checks of dependent
data; reporting on data that might be affected by the proposed deletion(s), and preventing deletion where
dependent data is present.
• Manager’s Desktop
As of Release 4.6A, Controlling reporting has been integrated into the Manager’s Desktop. (For more detail on
the Manager’s Desktop, see the Human Resources section of this handbook update).
• New Reconciliation Account Field in Line Items
As of Release 4.0A, line items in the reconciliation ledger have been extended to include a field for G/L account.
This field records the G/L account to which the reconciliation posting was made in Financial Accounting. This
can be the account corresponding to the cost element or an adjustment account.
Utilising this functionality can improve reconciliation ledger reporting.
SIGNIFICANT RISKS
• As detailed on page 110 of the Security and Control for SAP R/3 Handbook, the
significant risk associated with the Controlling component is that transaction postings
in the SAP application modules may not update the Controlling module if the central
interface is not appropriately configured.
CONFIGURATION HOT SPOTS
• If reconciliation line items currently exist which do not have the Reconciliation Account
Field completed it will be necessary to obtain values and fill in the account field. This can
be achieved by executing the program ‘RKAKALX2’.
SECURITY CONSIDERATIONS
• From Release 4.0, the authorisation concept for controlling has been revisited. This has
resulted in the introduction of two new authorisation fields against which users can be
checked:
CO–OM Responsibility Area:
A responsibility area is composed of a standard hierarchy using the controlling objects
cost centre, order, profit centre and business process.
CO_ACTION Controlling Action:
Each transaction in the Controlling module creates both an activity (e.g. create or change)
and a CO Action. The new CO authorisation objects check the CO Action and therefore
allow greater flexibility in the authorisation of the Controlling module.
• The following new authorisation objects have been provided for the Controlling module.
Consideration should be given to restricting access to relevant finance / accounting staff:
Authorisation Object   Description
K_CCA                  General Authorisation Object for Cost Centre Accounting
K_ORDER                General Authorisation Object for Internal Orders
K_ABC                  General Authorisation Object for Business Processes
K_ZBASSL               Calculation base
K_ZKALSM               Costing sheet
K_ZENTSL               Credit
K_KMOB_DCT             Document Type for Manual Funds Reservation
K_ZZUSSL               Overhead
K_ZSCHL                Overhead key
K_PEP                  Authorisation Object for Period–End Partner
K_ML_MTART             Material Ledger: Material Type
K_ML_VA                CO Material Ledger: Valuation Area
K_MLPR_VA              Material Price Change: Valuation Area
K_SUM_CO               General CO Summarization Without Classification
K_TEMPL                Auth. Template (ABC–allocation, formula planning)
K_CSKS                 Cost Centre Master
K_PCAS_PRC             Profit Centres
K_PCA                  Responsibility Area, Profit Centre
K_ML_MGV               Material Ledger: Master Data of the Quantity Struct
• As of Release 4.6A, a new authorisation check for company code takes place when CO/FI
(Controlling / Financial Accounting) reconciliation postings are made (transaction KALC).
The authorisation object F_BKPF_BUK is now checked by this transaction, confirming the
user’s authorisation to post reconciliations for the proposed company code(s).
Consideration should be given to adding the authorisation object F_BKPF_BUK to any
roles containing transaction KALC and applying appropriate company code values.
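The role review recommended above can be scripted against an export of role contents. The following is an added example and is not part of the handbook or of SAP's own tooling: it assumes a constructed export in which each role lists its transaction codes and its authorisation objects with field values (BUKRS is the standard SAP field name for company code), and it flags roles that grant KALC without F_BKPF_BUK, or with F_BKPF_BUK carrying an unrestricted company code. The REQUIRED_OBJECTS mapping can be extended with further transaction/object pairings as they are identified.

```python
"""Role review: transactions that require an accompanying authorisation object.

Added example, not part of the handbook or of SAP's own tooling. The role export
structure (role -> transaction codes and authorisation objects with field values)
is an assumption; BUKRS is the standard SAP field name for company code."""

# Pairing the handbook calls out: a role granting KALC (CO/FI reconciliation
# postings) should also carry F_BKPF_BUK with specific company code values.
REQUIRED_OBJECTS = {
    "KALC": "F_BKPF_BUK",
}

# Constructed sample role export (not real agency data).
SAMPLE_ROLES = {
    "Z_CO_RECON_1000": {
        "tcodes": {"KALC", "FB50"},
        "auths": {"F_BKPF_BUK": {"BUKRS": {"1000"}, "ACTVT": {"01", "02", "03"}}},
    },
    "Z_CO_RECON_OPEN": {
        "tcodes": {"KALC"},
        "auths": {"F_BKPF_BUK": {"BUKRS": {"*"}, "ACTVT": {"*"}}},
    },
    "Z_CO_RECON_LEGACY": {
        "tcodes": {"KALC"},
        "auths": {"K_CCA": {"ACTVT": {"03"}}},  # no F_BKPF_BUK at all
    },
    "Z_FI_DISPLAY": {
        "tcodes": {"FS10N", "FBL1N"},
        "auths": {"F_BKPF_BUK": {"BUKRS": {"*"}, "ACTVT": {"03"}}},  # no KALC, not in scope
    },
}


def is_unrestricted(values):
    """True if a field value set grants everything (empty, or containing a wildcard)."""
    return not values or any("*" in v for v in values)


def review_roles(roles, required=REQUIRED_OBJECTS):
    """Return (role, transaction, issue) triples for roles that grant a listed
    transaction without the matching authorisation object, or with an
    unrestricted company code on that object."""
    findings = []
    for role in sorted(roles):
        content = roles[role]
        for tcode, obj in required.items():
            if tcode not in content["tcodes"]:
                continue
            fields = content["auths"].get(obj)
            if fields is None:
                findings.append((role, tcode, f"{obj} missing from role"))
            elif is_unrestricted(fields.get("BUKRS", set())):
                findings.append((role, tcode, f"{obj} company code (BUKRS) not restricted"))
    return findings


if __name__ == "__main__":
    for role, tcode, issue in review_roles(SAMPLE_ROLES):
        print(f"{role}: {tcode}: {issue}")
```

Run against the sample, the check reports Z_CO_RECON_LEGACY (object absent) and Z_CO_RECON_OPEN (company code wildcard), and passes Z_CO_RECON_1000; the display role is ignored because it does not grant KALC.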
USEFUL REPORTS
As stated in the Security and Control for SAP R/3 Handbook page 113, there are numerous
reports available via the controlling component. A number of reports have been added that
should be considered by management for review, which includes but is not limited to the
following:
• A Cost Flow Overview Report has been added, which reports on cost behaviour in controlling
and reconciliation postings.
• Profitability Analysis Line Item Reports, which have been created to enhance existing
profitability analysis functionality.
Further, a number of previously available reports have been altered to utilise the ABAP List
Viewer that provides greater flexibility in reporting, data extraction and analysis.
Human resources

SECTION CONTENTS
Background  73
Employee Self Service  74
  Functional Overview  74
  Significant Risks  74
  Configuration Hot Spots  75
  Security Considerations  75
  Useful Reports  76
The Managers Desktop  77
  Functional Overview  77
  Significant Risks  78
  Configuration Hot Spots  78
  Security Considerations  78
  Useful Reports  79
Compensation Management  80
  Functional Overview  80
  Significant Risks  80
  Configuration Hot Spots  80
  Security Considerations  81
  Useful Reports  81
Cross Application Timesheets and Time Management  82
  Significant Risks  82
  Configuration Hot Spots  82
  Security Considerations  83
  Useful Reports  84
Other Key Changes Since Version 3.1H  85
  Ad Hoc Query  85
  Benefits  85
  Significant Risks  85
  Security Considerations  85
  Useful Reports  86
Background
An overview of the functionality, risks and controls of the Human Resources (HR) module as at Version
3.1H is covered within the full Better Practice Handbook for SAP R/3. The components of HR have undergone
significant changes from Version 3.1H, making it possible to split functionality into small units and extend
integration between components. The main components of HR in Version 4.6 include:
Personnel Management
The sub-modules, formerly known as Personnel Administration (HR–PA) and Personnel Planning and Development
(HR–PD), have been combined.
Personnel Time Management
This is used in the planning, recording and valuation of employees’ work performed and absence times.
Payroll Accounting
This provides a number of work processes including the generation of payroll results and remuneration
statements, bank transfers and cheque payments.
In addition to the changes in the structure of the HR module, a number of functional enhancements have been
developed impacting the overall controls environment. These are detailed below and should be considered in
conjunction with those outlined in the previous handbook.
Significant changes include the introduction of ESS (Employee Self Service) and the Managers Desktop that
provide for the decentralisation of HR functions leading to increased risks and control requirements.
Employee Self Service
Functional Overview
SAP Employee Self Service (ESS) has been developed to provide real-time access and data maintenance
capabilities to employees. This allows for a reduction in central administration through the assignment of
many data entry and related customer service activities to employees that were previously performed by an
organisation’s HR, Payroll, Benefits, and Travel Departments.
Activities performed in ESS may include:
• entry of time sheet information;
• entry of leave requests;
• maintenance of personnel information;
• display of pay slips by employees; and
• salary packaging.
ESS enables employees to view, create, and maintain data through a web browser. ESS can provide a powerful
employee information and service portal through an intranet. Functionality can be integrated with other
employee tasks including:
• email;
• employee directory;
• calendar; and
• workflow work items.
ESS includes core HR capabilities, but also offers logistical, financial and office functionality through its
integration with the SAP database ensuring consistency and integrity of data.
ESS functionality can be integrated with the Managers Desktop to implement effective approval processes. This
is generally configured using Workflow.
SIGNIFICANT RISKS
ESS provides many HR display and update capabilities to all employees in an organisation. This
creates additional security and privacy risks including:
• Excessive access to sensitive HR data.
• Unauthorised access to confidential HR data.
• Access to maintain sensitive infotypes, which should be restricted to the HR department.
• Inaccurate update of HR employee master data.
It is vital that employees are restricted to their own records and to appropriate infotypes.
CONFIGURATION HOT SPOTS
• Key ESS data should be defined as required entry in the system to ensure all necessary
information is captured.
• There is an increased need to log changes to sensitive infotypes to ensure they are
included in the ‘Logged Changes in Infotypes’ audit report.
• Structural authorisation profiles should be defined and assigned to users ensuring access
is appropriately restricted to appropriate organisational units.
• All SAP users must be assigned to an ESS user through infotype 0105 to ensure they are
able to only access relevant and appropriate information.
SECURITY CONSIDERATIONS
• Structural authorisations are not new, however, they are of greater importance where
an ESS HR structure is implemented. Increased control through ‘PD Authority Profiles’ is
critical to the security of employee data. These authorisations define which objects in the
organisational plan a user is permitted to access, for example:
– Organisational units
– Qualifications and requirements
– Business events
Structural authorisation profiles define which activities (create, change or display) a user
is permitted to execute within each of these objects.
A user’s access to HR data and functionality is made up of traditional SAP authorisations
and the HR structural authorisation providing an additional level of security.
Users should be assigned to an appropriately restricted structural authorisation. Users
should not be assigned the PD_ALL authorisation that allows access to all employees.
• With the implementation of ESS, there is a need to restrict users’ access to their own
employee master record. This is restricted through the “HR: Master data — Check
personnel number” (P_PERNR) authorisation object.
A user can be restricted from accessing their own record or restricted to updating only
their own record, using the P_PERNR object. Where the P_PERNR object is not applied
a user has access to all employee information. This may be applied on an infotype by
infotype basis.
Consideration should be given to implementing procedures to control/govern the access
of HR users who are also ESS users, as failure to correctly configure P_PERNR for sensitive
infotypes may result in HR users having access to inappropriately update their own data.
• SAP User Master Records (UMR) must be assigned to an employee record in order for
structural authorisations to operate. Where a UMR has not been assigned to an employee
record, the user is not restricted by a structural authorisation.
• Access should be restricted to only relevant HR staff to the following ESS and structural
authorisation related sensitive transactions:
Tcode     Name                                              Description
OOSP      Change View “Authorisation Profile”: Overview     Maintain the content of an authorisation profile.
OOSB      Change View “User Authorisations”: Overview       Allocate a user to a structural authorisation profile.
HRUSER    Set up and maintain ESS user                      Administer ESS users (create, change, delete, password administration etc).
• Organisations often authenticate users’ access to ESS based on network account
authentication. Where this is the case, ESS users do not log into the SAP system directly and their
default SAP passwords may remain unchanged, increasing the risk of unauthorised access.
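The user-level checks in this section (every user master record linked to an employee record through infotype 0105, no PD_ALL assignment, a restricted structural profile actually assigned, and no ESS user left on an initial SAP password) can be run together over an export of user data. The block below is an added example, not the handbook's or SAP's own code, and the SapUser export layout and the password_initial flag are assumptions about what such an extract would contain; the sample users are constructed.

```python
"""Audit check over ESS users and their structural authorisations.

Added example, not part of the handbook or of SAP's own tooling. The SapUser
record layout is an assumption about an exported user list; personnel_number
stands for the infotype 0105 link between a user master record and an employee."""

from dataclasses import dataclass
from typing import Optional, FrozenSet


@dataclass(frozen=True)
class SapUser:
    user_id: str
    personnel_number: Optional[str]      # infotype 0105 link; None if not assigned
    structural_profiles: FrozenSet[str]  # structural authorisation profiles held
    ess_user: bool                       # set up as an ESS user
    password_initial: bool               # initial password never changed (constructed flag)


UNRESTRICTED_PROFILE = "PD_ALL"  # grants access to all employees

# Constructed sample export (not real agency data).
SAMPLE_USERS = [
    SapUser("JSMITH", "00001234", frozenset({"Z_ORGUNIT_FINANCE"}), True, False),
    SapUser("RJONES", None, frozenset({"Z_ORGUNIT_HR"}), True, False),
    SapUser("HRADMIN", "00000042", frozenset({"PD_ALL"}), False, False),
    SapUser("TNGUYEN", "00005678", frozenset(), True, True),
]


def review_user(user):
    """Return the list of control issues for one user master record."""
    issues = []
    if user.personnel_number is None:
        # Without the 0105 link the structural authorisation does not operate.
        issues.append("no employee record linked (infotype 0105): structural authorisation does not apply")
    if UNRESTRICTED_PROFILE in user.structural_profiles:
        issues.append(f"{UNRESTRICTED_PROFILE} assigned: access to all employees")
    if not user.structural_profiles:
        issues.append("no structural authorisation profile assigned")
    if user.ess_user and user.password_initial:
        # Network-based ESS logon can leave the SAP password at its initial value.
        issues.append("ESS user still holds an initial SAP password")
    return issues


def review_ess_users(users):
    """Map user_id -> issues for every user that fails at least one check."""
    findings = {}
    for user in users:
        issues = review_user(user)
        if issues:
            findings[user.user_id] = issues
    return findings


if __name__ == "__main__":
    for user_id, issues in review_ess_users(SAMPLE_USERS).items():
        for issue in issues:
            print(f"{user_id}: {issue}")
```

The unlinked-user check is the same reconciliation that the ESS_USERCOMPARE report in the next section performs; running it alongside the PD_ALL and initial-password checks gives one list of users whose ESS access needs follow-up.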
USEFUL REPORTS
A number of key control reports are available to assist in the administration of structural
authorisations and ESS.
Report Code                                        Name                                   Description
ESS_USERCOMPARE                                    Reconcile User Master with HR Master   Reconciliation report listing users not allocated to an employee record.
ESS_SEL_PERNR_VIA_PNP and ESS_SEL_PERNR_VIA_PCH    Choose Personnel Numbers               Various analyses over ESS users.
The Managers Desktop
Functional Overview
The Managers Desktop was released in Version 4.5 to allow managers immediate access to relevant HR, Financial
Accounting and Controlling data. It allows all functional managers to perform administrative tasks for their area
of responsibility that may previously have been centralised.
The Managers Desktop provides up-to-date information through integrated reports allowing greater management
control over personnel.
The Managers Desktop provides a number of ‘Themes’ which break down the activities which can be performed
in this application including:
Theme              Theme Description
Employee           Employee information reports, including:
                   • Entry and approval of travel requirements
                   • Education and training data
                   • Creation of appraisals
Organisation       Planning and administration reports:
                   • Organisation maintenance
                   • Transfers processing
Costs and Budget   • Cost centre accounting functions
                   • Compensation Management
Recruitment        Records of decisions related to employee recruitment
Special Areas      Integrated web browser allows access to Intranet and Internet pages
Workflow Inbox     Facilitates integration with ESS and approval activities such as:
                   • Leave requests and time sheets
                   • Expenses
SIGNIFICANT RISKS
• The organisational plan (organisational structure) is not accurately defined or maintained
resulting in:
– Manager access to employees outside their responsibility;
– Managers not having access to their employees; and
– Transactions not properly routed for approval.
• Unauthorised approval of time, expense or other employee data.
• Unauthorised updates / changes to HR data.
• Poor controls regarding delegation of responsibilities result in excessive access.
• Transactions not approved in a timely manner.
CONFIGURATION HOT SPOTS
• In order for the Managers Desktop to work it is important the organisational plan
be accurately defined, including the assignment of employees to positions. Incorrect
allocation of employees to positions will result in Managers gaining inappropriate access
to HR data.
• In order for a user to utilise the Managers Desktop the user must be the holder of a chief
position within the organisational chart. The system uses the chief position indicator
to determine the organisational units managed directly and indirectly by the position
holder.
• Managers Desktop ‘Themes’ which grant access to various components of the Managers
Desktop functionality must be configured to appropriately restrict information.
SECURITY CONSIDERATIONS
• Access to the following sensitive transactions should be restricted to relevant managers:
Tcode     Name               Description
PPMDT     Managers Desktop   Transaction provides access to the Managers Desktop.
Appropriate controls should be implemented for the temporary delegation of system access and
removal of this system access.
USEFUL REPORTS
As detailed in page 123 of the Security and Control for SAP R/3 Handbook, the ‘Logged
Changes in Infotype Data’ report should be run on a regular basis to review changes made to
key infotypes to ensure they are appropriate.
Controls for the review and clearing of workflow items which are not actioned in a timely
manner should be implemented. This should include implementation of appropriate deadline
monitoring and escalation procedures. Refer to the Basis and Cross Application Components
section within this handbook update for further details.
Compensation Management
Functional Overview
Compensation Management is a new component within SAP available from Release 4.0A. The Compensation
Management component administers compensation policies for an organisation.
Compensation Management can be integrated with the Managers Desktop and can be used as an effective
tool to plan and perform compensation adjustments to individuals, employee groups, or based on other
organisational breakdowns.
SIGNIFICANT RISKS
• Unauthorised / inaccurate update of compensation data resulting in over, or under,
compensation to employees.
• Inappropriate approval processes configured resulting in inappropriate compensation
adjustments being applied.
• Unauthorised access to sensitive and confidential compensation data.
CONFIGURATION HOT SPOTS
• Compensation areas need to be defined as appropriate groupings of employees for
compensation administration.
• Appropriate features of employees should be selected to ensure that employees fall into
the correct Compensation areas or eligibility groups.
• Compensation administration views should be configured to ensure that only appropriate
employee information is displayed through the compensation administration function.
• Workflow and the organisational structure should be configured to ensure that
compensation adjustments are subject to appropriate approval processes.
SECURITY CONSIDERATIONS
Access to the following Compensation Management sensitive transactions should be restricted
to only relevant senior HR staff:
Tcode        Name                                             Description
HRCMP0001C   Compensation adjustment change — Salary Review   Adjustment of employee compensation.
HRCMP0080    Total Compensation statement display             Total compensation statements.
HRCMP0081    Print Total Compensation statement               Printing of total compensation statements.
HRCMP0060C   Granting Employee Awards: Change                 Allocate long-term incentive awards such as stock options, restricted stock, and performance units to employees.
USEFUL REPORTS
There are several reports available to assist in controlling Compensation Management that
should be reviewed on a regular basis by relevant senior HR staff to monitor employee
compensation.
Report           Name                                                     Description
S_AHR_61018799   Compa-Ratio (Comparison Ratio) Analysis                  To identify whether employees’ salaries are within appropriate salary bands.
S_AHR_61018798   Compare Actual Basic Salaries and Planned Compensation   Report of employee base salaries compared to the compensation assigned to the job or position.
Cross Application Timesheets and Time Management
Time Management has been enhanced from earlier releases and provides processes supporting the planning and
recording of employee work.
A significant change in Time Management is the Cross Application Timesheet (CAT) functionality that was
introduced in Version 4.0A of SAP R/3 and provides a standard interface for recording time across components
of SAP. CAT combines existing SAP time recording functions into a single process and provides information to
other components, including internal activity allocation for Controlling and Personnel Time Management for
attendances and absences.
SIGNIFICANT RISKS
• Inaccurate entry of timesheet data resulting in incorrect payment to employees.
• Duplicate processing of data through interfacing components.
• Entry or approval of time data does not occur in a timely manner.
CONFIGURATION HOT SPOTS
• Data entry profiles determine the data entry process and the layout of the time sheet.
Consideration should be given to the following configurations affecting users entering
time sheet data:
Setting                                          Description
Profile Changeable                               Allows a user with access to a profile to change profile settings.
With Target Hours, Totals Line, Clock Times      Available details which can be included on the face of the timesheet.
Release on Saving                                On saving time information, consideration should be given to whether it is automatically or manually released.
Approval Required                                Workflow configured to ensure time data is subject to appropriate approvals.
No Changes After Approval                        Should be configured to ensure time data is displayed on the data entry screen after approval and cannot be changed.
Highlight Rejected Records                       Can be configured to show user records that have been rejected by approvers, highlighting the need for further action.
Time Settings                                    Time settings should be configured based on the standard working week. This will include defining the number of periods a user can view and change (past and future).
Personnel Selection                              Defines the profile selection criteria for personnel time data entry.
Default Values                                   Time sheets can be configured to display default values when accessed.
Data Entry Checks                                Data entry checks can be configured to improve the quality and completeness of data entry. Consideration should be given to applying validation tolerances to reduce inaccurate time sheet entry.
For Users with HR                                The system can be configured to give an error or warning message when interfacing errors occur between CAT and HR.
Workflow Approval                                A Workflow approval procedure can be configured which will be initiated on completion of time sheet entry.
• Field selections should be configured as required, input, display, hidden or highlighted in
the user screens.
• Overtime compensation types should be appropriately defined to ensure that where
overtime is entered it is accurately accounted for.
• Rejection reasons should be configured and provide enough detail to the user to take the
appropriate action to resolve time sheet errors.
• Configuration can be applied to take an appropriate action to rectify overlapping time
records.
SECURITY CONSIDERATIONS
In order to enter time data a user must call the time sheet with a data entry profile. The data
entry profile determines the data entry process and the layout of the time sheet.
Consideration should be given to segregating the entering of time sheet information and the
approval of time sheets. Workflow approval processes should be implemented to control this.
Access should be restricted to the following Time Management sensitive transactions; approval
of time sheets should be restricted to relevant functional managers and/or HR staff:
Tcode | Name | Description
CAT2, CAT3 | Time Sheet: Initial Screen | Enter time sheet details.
CAPS | Time Sheet: Approve Times (Select by Master Data) | Approve time sheets.
CAT4 | Time Sheet: Approve Times (Selection by Org. Assignment) | Approve time sheets.
CAPP | Time Sheet: Approve Times | Approve time sheets.
PP61 | Change Shift Plan: Entry Screen | Amendment of shift plans.
PA61 | Maintain Time Data | Entry of time data into SAP.
PA70 | Fast Entry | Entry of time data into SAP.
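The segregation between entering and approving time sheets described above can be tested over a user-to-transaction extract. The following is an added example, not part of the handbook: it takes rows of (user, role, transaction) such as an auditor would build from the role assignment and role transaction tables, and flags users who hold both an entry transaction and an approval transaction. The sample rows and role names are constructed for illustration.

```python
"""Segregation-of-duties check for SAP time management transactions.

Added example (not from the ANAO handbook). Input rows are (user, role,
transaction) triples, as might be joined from AGR_USERS (user -> role)
and AGR_TCODES (role -> transaction); the rows below are constructed.
"""
from collections import defaultdict

# Transactions named in the handbook, grouped by the duty they perform.
# PP61 (shift plans) is sensitive but is neither entry nor approval.
TIME_ENTRY = {"CAT2", "CAT3", "PA61", "PA70"}
TIME_APPROVAL = {"CAPS", "CAT4", "CAPP"}

# Constructed sample assignments (user, role, transaction).
SAMPLE_ASSIGNMENTS = [
    ("JSMITH", "Z_HR_TIME_ENTRY", "CAT2"),
    ("JSMITH", "Z_HR_TIME_ENTRY", "CAT3"),
    ("JSMITH", "Z_HR_TIME_APPROVER", "CAPS"),  # conflict: entry and approval
    ("ABROWN", "Z_HR_TIME_ENTRY", "CAT2"),
    ("MLEE", "Z_HR_TIME_APPROVER", "CAT4"),
    ("MLEE", "Z_HR_TIME_APPROVER", "CAPP"),
    ("RKHAN", "Z_HR_ADMIN", "PA61"),
    ("RKHAN", "Z_HR_ADMIN", "PP61"),
    ("RKHAN", "Z_HR_ADMIN", "CAPP"),  # conflict: PA61 (entry) and CAPP (approval)
]


def tcodes_by_user(assignments):
    """Collapse rows into user -> {transaction: set of roles granting it}."""
    result = defaultdict(lambda: defaultdict(set))
    for user, role, tcode in assignments:
        result[user][tcode].add(role)
    return result


def find_sod_conflicts(assignments):
    """Return {user: (entry_tcodes, approval_tcodes, roles)} for users holding both duties.

    The roles element lists every role contributing a conflicting transaction,
    so the reviewer can see whether the conflict comes from one role (a role
    design defect) or from the combination of roles assigned to the user.
    """
    conflicts = {}
    for user, tcodes in tcodes_by_user(assignments).items():
        entry = sorted(set(tcodes) & TIME_ENTRY)
        approval = sorted(set(tcodes) & TIME_APPROVAL)
        if entry and approval:
            roles = sorted({r for t in entry + approval for r in tcodes[t]})
            conflicts[user] = (entry, approval, roles)
    return conflicts


if __name__ == "__main__":
    for user, (entry, approval, roles) in sorted(find_sod_conflicts(SAMPLE_ASSIGNMENTS).items()):
        print(f"{user}: enters via {entry}, approves via {approval}, roles {roles}")
```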
USEFUL REPORTS
Controls for the review and clearing of workflow items which are not actioned in a timely
manner should be implemented. This should include implementation of appropriate deadline
monitoring and escalation procedures. Refer to the Basis and Cross Application Components
section for further details.
Other Key Changes Since Version 3.1H
Ad Hoc Query
To provide greater reporting flexibility and functionality, SAP developed the Ad Hoc Query functionality, which has
since been extended in Version 4.6C to integrate with other application areas and has been renamed InfoSet Queries.
This functionality has been further documented in the Basis and Cross Application Components section of this
handbook update.
Benefits
Benefits functionality has been enhanced from earlier SAP R/3 releases. The Benefits component can be used
to develop benefits packages for employees and provides easy access to benefits related information for
administrative staff, executives and employees.
SIGNIFICANT RISKS
• Users have the ability to allocate benefits inappropriately to an employee.
• Inaccurate calculation and reporting of employee benefits.
SECURITY CONSIDERATIONS
• Access to the following sensitive transactions should be restricted to relevant HR staff only:
Transaction Code | Name | Description
HRBEN0001 | Enrolment | To enrol employees, or make changes to benefit elections.
HRBEN00ADJRSN | Mass Generation of Adjustment Reasons | To perform mass maintenance.
USEFUL REPORTS
There are several reports available to assist in controlling Benefits; consideration should be
given to reviewing these reports on a regular basis.
Report ABAP ID | Name | Description
RPLBEN09 | Changes in Eligibility | Provides a list of employees who are no longer eligible for a benefit plan in which they are participating, with reasons.
RPLBEN08 | Changes in benefit elections | Provides a list of deviations from system allocated default values in an employee's general benefits data.
RPLBEN13 | Change in default values from general benefits information | Provides a list of deviations from system allocated default values in an employee's general benefits data (Infotype 0171).
RPLBEN18 | Contribution limit check | Provides employee contributions that are not within defined contribution limits on a key date.
Audit information system
SECTION CONTENTS
Background 89
Using Audit Information System 90
Starting an Audit 90
Installation Check 91
Preparatory Tasks 91
Systems Audit 92
Business Audit 93
Customising Audits 94
Security Considerations 95
Background
The Audit Information System (AIS) has been developed to provide internal and external auditors, Security
Administrators and those with data protection and controlling responsibilities with a tool to assist in
understanding and completing required tasks in the complex SAP environment.
The SAP Audit Information System (AIS) provides a centralised repository for reports, queries, and views of data
that have a control implication.
AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and
above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the
production system on a real time basis.
AIS is currently focused on two key areas that are covered in more detail below:
• Systems Audit; and
• Business Audit.
SAP has suggested that AIS functionality will be further developed to include other components, including
Materials Management (MM) and Sales and Distribution (SD).
AIS consists of an Audit Report Tree, which provides a facility to access and document audit steps within a SAP
system, and download audit and additional related data to other programs for reporting or additional analysis.
The structure of the reporting tree menu is designed by SAP to reflect the procedures followed when conducting
an audit. AIS allows the auditor to set up a report view specific to the audit, perform tasks such as the attaching
of comments, as well as allowing for tracking the audit’s progress.
AIS also has the capability to extract data into pre-defined formats appropriate for further data analysis.
Using Audit Information System
Starting an Audit
Transaction code SECR is used to access the AIS. The user can elect to enter:
• Complete audit
When executed, this provides all tests and documentation available in the AIS system.
• User defined audit
When executed, this provides tests and documentation applicable to the User-defined audit selected by the user.
Once started the user is provided with a report tree structure that sets out all applicable documentation and
tests that are executable.
The reporting tree contains steps that include variants for each type of function. These can be centrally
maintained to apply across multiple audit tasks.
Installation Check
The Installation Check is an AIS tool which, when executed, checks whether all of the programs and variants
listed in AIS are currently available in the current system environment.
The Installation Check can be initiated by selecting Extras — Installation — Installation check from
transaction SECR.
Preparatory Tasks
In preparation for the completion of an audit, the user may complete preparatory tasks. These tasks allow the
user to customise the audit to improve efficiency in completion of tasks.
The preparatory tasks within AIS are broken into three areas:
Area | Description
AIS Customisation | Allows for audit customisation through the definition of variables and constants to be utilised in the audit process. This may include variables such as company codes which are then used in reporting.
Customise Financial Information System | Provides the user with functions relevant to the configuration and extraction of financial information.
ABAP/4 Query including download | Provides access to logical database structure and information pertinent to extracting data for analysis purposes.
Systems Audit
The "Systems Audit" is primarily used for administration and review of system activities, such as security and
change control. Users are provided with easy access to many of the standard SAP security and control reports
and audit trails.
Checklists are available to assist in the execution of an AIS systems audit. These checklists provide samples of
security items to be considered which can be amended as required.
The System Audit functionality in AIS is broken down into the following key areas:
Area | Description
Systems Configuration | Allows the user to gain details of the environment and general set up of the SAP system.
Transport Group | Information relevant to change control processes, and system set-up.
Tables / Repository | Includes information regarding table configuration, change logging as well as table security.
Development / Customising | Information with regard to development processes including change control, blocked transactions and report security.
Background Processing | Information relevant to background processing, including the graphical job schedule and access to the job overview.
System Logs | Provides access to logs (system, access, database etc) as well as configuration settings pertinent to these logs.
User Administration | Provides access to information relevant to administration and security of the SAP system. This includes various reports on: User Security and Authorisations; Profile Generator; User administration, such as users who have not logged into the system for a predefined period of time.
Using the System Audit functionality, the user can access key parts of the Basis module, including the Transport
Management System, repository and table browser. It also provides comprehensive tools to review the security
around user access.
Business Audit
The “Business Audit” functionality in AIS allows the auditor to produce financial statements and balance sheets,
as well as perform general ledger, accounts payable and accounts receivable activities and queries.
For example, through the business audit functionality, auditors can perform and document their review of
general ledger posting keys, automatic postings, billing and document types, number ranges and reconciliation
accounts, as well as duplicate invoice reviews.
The Business Audit is broken into the following areas:
Area | Description
Organisational Overview | This area allows the user to familiarise themselves with the enterprise structure that has been implemented in SAP. Further, the user is provided with information about the financial structure of the organisation, including details on Account Determination and Special General Ledger.
Financial Statement Oriented Audit | The Financial Statement Oriented Audit provides the user with details of Account reconciliation, Balance Sheet, Profit & Loss and other General Ledger related reports which can be used for financial analysis.
Process Oriented Audit | The Process Oriented Audit steps are broken down into the various areas of SAP including retail, procurement, production and sales and distribution. Areas of this section are at various levels of development.
When the audit begins, the present parameters and selection criteria are edited by using the “Preparatory
Tasks” in the Business Audit menu. The auditor customises the reporting tree to reflect the correct time period
and organisational structure required for the audit. The use of these “variants” helps reduce the potential for
adversely affecting system performance, by limiting the parameters for which the reports are run.
Business Audit functionality is not generally considered to be comprehensive and many items included in the
menu structure are not yet functional. This should be considered when utilising AIS.
Customising Audits
To make effective use of the AIS tool it is important to customise the audits and ensure that only relevant
information is provided.
All information provided in the complete audit can be partitioned into audit programs specific to the particular
needs and scope of audit work to be completed.
This can be performed by selecting Audit Information System — Create/change view.
A new view can then be created where you can manually select from the tree structure the components that are
to be displayed in this user defined view.
Following the customisation and generation of an audit this can be accessed by selecting the user-defined audit
that has been created.
Security Considerations
In order for a user to access configuration, data or other reports, relevant access must be provided to the user.
The AIS provides links through to various reports and other information, and therefore, access provided to
complete AIS tasks may vary between users in line with tasks the individual is to perform.
The transaction to start the AIS is SECR and a user must therefore be granted transaction start authorisation.
In order for a user to be able to edit notes in AIS the user must have been provided with the following
authorisation objects:
S_IMG_ACTV
Field | Value | Description
PROJAUTH | 900 | Project for Audit: 900
ACTVT | 02 | Change activity
IMG_ACTIV | NOTE | Edit notes
In order for a user to be able to edit the status of the audit and tasks in the AIS the following authorisations
must be provided:
Authorisation for editing status information:
S_IMG_ACTV
Field | Value | Description
PROJAUTH | 900 | Project for Audit: 900
ACTVT | 02 | Change activity
IMG_ACTIV | STAT | Edit status
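The two S_IMG_ACTV authorisations above are only effective if all three field values sit in one authorisation held by the user. The following added example, not part of the handbook, models how SAP evaluates such a check so that an extract of a user's authorisations can be tested for the note and status editing rights; the user records, and the treatment of '*' as a full-value wildcard, are assumptions made for the example.

```python
"""SAP-style authorisation check for the AIS editing rights listed above.

Added example, not from the ANAO handbook: a check on object S_IMG_ACTV
succeeds only if a single authorisation the user holds for the object
covers every required field value; a field value of '*' covers any value.
Fields are ANDed within one authorisation, authorisations are ORed.
The user records below are constructed for illustration.
"""

# Field values the handbook gives for editing AIS notes and AIS status.
AIS_EDIT_NOTES = {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "NOTE"}
AIS_EDIT_STATUS = {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "STAT"}


def field_covers(granted_values, required):
    """True if a granted value equals the required one or is the '*' wildcard."""
    return any(v in ("*", required) for v in granted_values)


def authority_check(user_auths, obj, required):
    """Evaluate an authorisation check for `obj` against `required` field values.

    user_auths maps an object name to the list of authorisations the user
    holds for it; each authorisation maps a field to its set of granted values.
    """
    for auth in user_auths.get(obj, []):
        if all(field_covers(auth.get(f, set()), v) for f, v in required.items()):
            return True
    return False


def ais_edit_rights(user_auths):
    """Which of the two AIS editing rights a user effectively holds."""
    return {
        "notes": authority_check(user_auths, "S_IMG_ACTV", AIS_EDIT_NOTES),
        "status": authority_check(user_auths, "S_IMG_ACTV", AIS_EDIT_STATUS),
    }


# Constructed users. AUDITOR2 holds STAT only together with activity 03,
# so the status check fails even though both 02 and STAT appear somewhere
# in that user's authorisations. BASIS1's wildcard grant is far wider than
# AIS needs and is the kind of authorisation a reviewer would question.
USERS = {
    "AUDITOR1": {"S_IMG_ACTV": [
        {"PROJAUTH": {"900"}, "ACTVT": {"02", "03"}, "IMG_ACTIV": {"NOTE", "STAT"}}]},
    "AUDITOR2": {"S_IMG_ACTV": [
        {"PROJAUTH": {"900"}, "ACTVT": {"02"}, "IMG_ACTIV": {"NOTE"}},
        {"PROJAUTH": {"900"}, "ACTVT": {"03"}, "IMG_ACTIV": {"STAT"}}]},
    "BASIS1": {"S_IMG_ACTV": [
        {"PROJAUTH": {"*"}, "ACTVT": {"*"}, "IMG_ACTIV": {"*"}}]},
    "READONLY": {"S_IMG_ACTV": [
        {"PROJAUTH": {"900"}, "ACTVT": {"03"}, "IMG_ACTIV": {"NOTE", "STAT"}}]},
}

if __name__ == "__main__":
    for name, auths in USERS.items():
        print(name, ais_edit_rights(auths))
```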
Other security, which may be granted to the user in order to complete tasks, may include:
• Authorisation to view data in the IMG.
• Authorisation to display user and security information.
• System administration and other system and performance monitoring functions.
• Change control authorisations.