The challenge for the information system auditor working with SAP is to have the skills, imagination and knowledge to deter, detect and deal with fraudulent transactions. Internal audit looks at key risks facing the business and what is being done to manage those risks effectively, to help the organization achieve its objectives. A security review, as well as highlighting existing strengths, can identify potential areas of weakness or inefficiency within a system or process based upon key risks. As a result, the internal control environment can be enhanced with the final audit report outlining areas for improvement and recommended remediation activities necessary, which can form the basis of a management action plan. SAP system is a large and complex Enterprise Resource Planning (ERP) system, forming the platform for multiple inter-related business processes. It is comprised of thousands of configurable tables making it highly flexible, and has a complex integrated security function.
Therefore, SAP is a challenging environment to audit, particularly for those with minimal technical knowledge or appreciation of the business processes that operate within the system.
SAP Audit Reviews
In order to gain maximum assurance from the system, the following 3 types of review should be performed:
SAP Basis Review – This covers access security (i.e. SAP authorizations) over sensitive system administration functions, configuration of security parameter settings and manual controls over system administration processes (e.g. user provisioning, change management etc)
SAP Business Process Review – This covers both configurable (e.g. tolerance settings) and manual controls (e.g. reconciliations) within the business process under review such as revenue & receivables, procure to pay etc
SAP Segregation of Duties Review – This covers both sensitive access and identification of incompatible duties within the business process under review.
The term Segregation of Duties (SoD) is a security principle which aims to prevent fraud and errors by disseminating the tasks and associated privileges for a specific business process among multiple users. This ensures a user does not have control over an end-to-end process without any additional user intervention.
In SAP it is possible to achieve segregation of duties by controlling and monitoring access rights of users, to ensure a single user cannot execute two or more conflicting transactions. To do this, firstly a set of rules will need to be created to identify those incompatible functions which pose a risk and need to be reviewed (e.g. Post Journal Entries & Maintain GL Master Data).
Secondly, the corresponding access in SAP needs to be mapped to the individual functions so that those users with access to incompatible functions (known as ‘SoD conflicts’) can be identified and remediated as required.
The following are the types of controls available in the SAP system:
Inherent Controls – those which have been hard coded into the system and cannot be changed via configuration
Configuration Controls – those which can be changed to support control objectives (e.g. tolerance groups and validations)
Restricted Access Controls – those which can be designed during the creation and maintenance of security profiles to ensure access to sensitive processing functions and segregation of duties is appropriate
Manual Controls – those which operate outside of the system (but may relay on system outputs such as reports) and support the system controls above (e.g. reconciliations, sign-offs, and policies and procedures)
The three main types of review (SAP Basis, SAP Business Process & SAP SoD Review) can be performed entirely using audit tools and techniques developed within the SAP system itself. The type of tools available includes:
1. System Transactions
2. SAP Logs
3. SAP Reports
In the implemented SAP modules, the following audit tools have been implemented to facilitate system queries, sampling and reporting that can assist the internal audit department perform required system audits;
The system transactions include inbuilt transactions and the SAP Audit Information System utility. The Audit Information System (AIS) is a SAP tool to assist in auditing both technical and business controls in SAP system.
Some of the important transactions implemented include the following:
No. Transaction Code Purpose
1 SM19 Security audit - configuration
2 SM20 Security audit - reporting
3 SE84 Information System for SAP R/3 Authorizations
4 SECR Audit Information System
5 ST01 System Trace
6 SM21 System Log
7 SM50 Work Process Overview
8 ST05 Performance trace
9 ST03N Workload Monitor
10 SUIM User Information System Basis - User and Authorization Management. Allows the reviewer to search for users with access to sensitive system access
11 SE16 Data Browser Basis - Workbench Utilities
12 STAD Statistics display for all systems Basis - Monitoring
13 SM19 Security Audit Configuration Basis - Security
14 SA38 ABAP Reporting Basis - Report Tree
15 SCU3 Table History Basis - Table History
16 FBL5N Customer Line Items FI - Information System
17 SU24 Auth. Obj. Check Under Transactions Basis - Authorization and Role Management
18 SE16N allows the reviewer to view SAP tables to identify information such as authorization groups in use, table protection levels assigned etc
The SAP logs allow a reviewer to search for sensitive actions performed in the system (e.g. last logon date for privileged system-delivered user IDs, date production client was last opened for change etc). Transactions SM19 and SM20 allow the configuration and monitoring of Audit logs. The user can use the Security Audit Log to record security-related system information such as changes to user master records or unsuccessful logon attempts. This log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. By activating the audit log, you keep a record of those activities that you specify for your audit. You can then access this information for evaluation in the form of an audit analysis report. The Security Audit Log provides for long-term data access. The audit files are retained until you explicitly delete them.
Currently, the Security Audit Log does not support the automatic archiving of the log files; however, you can manually archive them at any time. You can record the following information in the Security Audit Log:
Successful and unsuccessful dialog logon attempts
Successful and unsuccessful RFC logon attempts
RFC calls to function modules
Changes to user master records
Successful and unsuccessful transaction starts
Changes to the audit configuration
These allow a reviewer to examine security configuration settings (e.g. report RSPARAM can be used to examine password parameter settings). Custom ABAP reports can also be created depending on an audit requirement.
You must sign in to rate content.