Sap audit programs_and_ic_qs

  1. © 2006 Information Systems Audit and Control Association Page 1

Security, Audit and Control Features SAP® R/3®, 2nd Edition
Audit Programs and Internal Control Questionnaires

ISACA®
With more than 50,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation earned by more than 48,000 professionals since inception, and Certified Information Security Manager® (CISM®) designation, a groundbreaking credential earned by 6,000 professionals since the program’s inception.

Purpose of Audit Programs and Internal Control Questionnaires
One of ISACA’s goals is to ensure that educational products support member and industry information needs. Responding to member requests for useful audit programs, ISACA’s Education Board has released audit programs and internal control questionnaires, for member use through K-NET. These products are developed from ITGI publications, or provided by practitioners in the field.

Control Objectives for Information and related Technology
Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and accepted framework for good information technology (IT) security and control practices for management, users, and IS audit, control and security practitioners. The audit programs included in K-NET have been referenced to key COBIT control objectives.

Disclaimer
ISACA (the “Owner”) has designed and created this publication, titled Security, Audit and Control Features SAP® R/3®: A Technical and Risk Management Reference Guide, 2nd Edition (the “Work”), primarily as an educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the control professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

While all care has been taken in researching and documenting the techniques described in this text, persons employing these techniques must use their own knowledge and judgment. ISACA and Deloitte Touche Tohmatsu, its partners and employees, shall not be liable for any losses and/or damages (whether direct or indirect), costs, expenses or claims whatsoever arising out of the use of the techniques described, or reliance on the information in this reference guide.

SAP, SAP R/2, SAP R/3, mySAP, SAP R/3 Enterprise, SAP Strategic Enterprise Management (SAP SEM), SAP NetWeaver, ABAP, mySAP Business Suite, mySAP Customer Relationship Management, mySAP Supply Chain Management, mySAP Product Lifecycle Management, mySAP Supplier Relationship Management and other SAP product/services referenced herein are the trademarks or registered trademarks of SAP AG in Germany and in several other countries. The publisher gratefully acknowledges SAP’s kind permission to use these trademarks in this publication. SAP AG is not the publisher of this book and is not responsible for it under any aspect of press law.
Page 2

The purpose of these audit plans and internal control questionnaires (ICQs) is to provide the audit, control and security professional with a methodology for evaluating the subject matter of the ISACA publication Security, Audit and Control Features SAP® R/3®: A Technical and Risk Management Guide. They examine key issues and components that need to be considered for this topic. The review questions have been developed and reviewed with regard to COBIT 4.0. Note: The professional should customize the audit programs and ICQs to define each specific organization’s constraints, policies and practices.

The following are included here:
• Revenue Business Cycle Audit Program (Page 2)
• Expenditure Business Cycle Audit Program (Page 10)
• Inventory Business Cycle Audit Program (Page 19)
• Basis Security Cycle Audit Program (Page 24)
• Revenue Business Cycle ICQ (Page 43)
• Expenditure Business Cycle ICQ (Page 45)
• Inventory Business Cycle ICQ (Page 47)
• Basis Security Cycle ICQ (Page 51)

Revenue Business Cycle Audit Program
(Columns: Control Objective/Test; Documentation/Matters Arising; COBIT Reference)

A. Prior Audit/Examination Report Follow-up
Review prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT: ME1

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment. The same background information obtained for the SAP R/3 Basis Security audit plan is required for and relevant to the business cycles. In particular the following information is important:
• Version and release of SAP R/3 that has been implemented
• Total number of named users (for comparison with logical access security testing results)
• Number of SAP instances and clients
• Company codes
• The identification of the modules being used (FI, CO, MM, SD, PP, industry-specific, etc.)
• Whether the organization has created any locally developed ABAP programs or reports
• Details of the risk assessment approach taken in the organization to identify and prioritize risks
• Copies of the organization’s key security policies and standards
COBIT: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME1, ME2

Obtain details of the following:
• The Organizational Model as it relates to sales/revenue activity, i.e., sales organization unit structure in SAP R/3 and company sales organization chart (required when evaluating the results of access security control testing)
• Interview the systems implementation team if possible and obtain process design documentation for sales and distribution
COBIT: DS5, AI1, DS6
Page 3

Identify the significant risks and determine the key controls.
Develop a high-level process flow diagram and overall understanding of the revenue processing cycle including the following subprocesses:
• Customer, material and pricing master data maintenance
• Sales order processing
• Shipping, invoicing, returns and adjustments
• Collecting and processing cash receipts
COBIT: AI1, PO9, DS13

Assess the key risks, determine key controls or control weaknesses and test controls (refer to the sample testing program below and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
• The controls culture of the organization (e.g., a just-enough-control philosophy).
• The need to exercise judgement to determine the key controls in the process and whether the controls structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)
COBIT: DS5, DS9, PO9, ME2

C. Detailed Audit Steps

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Determine whether the following reports of changes to master data have been compared to authorized source documents and/or a manual log of requested changes to ensure they were input accurately and timely:
• For customer master data, transaction OV51 or the report RFDABL00 will generate a list denoting the date and time of change, old and new values for fields and details of the user who input the change.
• Report RFDKLIAB—Display changes to Credit Management; can be run to display credit information change details for comparison to authorized source documents.
• Transaction MM04 can be used to display master data changes for individual materials.
• A list of pricing changes can be generated using transaction VK12 and subsequently selecting the menu options Environment, changes, report (change documents). Check the accuracy of changes made to the pricing master records and also the timing at which these changes have been applied (which is essential to the effective processing of pricing changes) against authorized source documentation.
COBIT: DS11, AI2, AI6, DS6
Page 4

1.1.2 Review organization policy and process design specifications regarding access to maintain master data. Test user access to create and maintain customer, material and pricing master data as follows:
• Customer Master Data—transaction codes FD02 (Finance), VD02 (Sales), XD02 (Central)
• Material Master Data—transaction codes MM01 (Create), MM02 (Change)
• Pricing Master Data—transaction codes VK11 and VK12
• Credit Limit—transaction codes FD24 and FD32
• Codes—Create (01), block (05) and delete (06)
COBIT: DS5, AI2, AI6, DS11, DS9, DS12, DS11, PO9

1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Customer Account Groups: Transaction SPRO Menu Path—Financial Accounting> Accounts Receivable Accounts Payable> Customer Accounts> Master Records> Preparation for Creating Customer Master Records> Define account group with screen layout.
• Material Types: Transaction SPRO Menu Path—Logistics General> Material Master> Basic Settings> Material Types> Define attributes of material types.
• Industry Sector: Transaction SPRO Menu Path—Logistics General> Material Master> Field Selection> Define industry sectors and industry-sector-specific field selection
• Understand the organization’s pricing policy and its configuration in SAP R/3 (e.g., hard-coded, manual over-ride possible, user enters price). Pricing condition types and records can be reviewed against the organization’s pricing policy using the following menu path and transaction codes:
  - Transaction SPRO Menu Path—Sales and Distribution> Basic Functions> Pricing
  - V-44 for material price condition record
  - V-48 price list type condition records
  - V-52 Customer specific condition type
Page 5

1.2 Master data remain current and pertinent.
1.2.1 Determine whether management runs the following reports, or equivalent, by master data type and confirm evidence of their review of the data for currency and ongoing pertinence:
• Customer Master Data: Run report RFDKVZ00.
• Material Master Data: Run report RMMVRZ00.
• Pricing Master Data: Run transaction VK13.
Transaction F.32 provides an overview of customers for which no credit limit has been entered. Check the output from Transaction F.32 to confirm a credit limit has been set for customers in the range requiring a limit.
COBIT: DS3, PO8, ME1, DS11

1.2.2 Determine whether appropriate credit limits have been loaded for customers.

2.1 Sales orders are processed with valid prices and terms and processing is complete, accurate and timely.
2.1.1 Determine whether the ability to create, change or delete sales orders, contracts, and delivery schedules is restricted to authorized personnel by testing access to the following transactions:
• Create/Change Sales Order VA01/VA02
• Create/Change Delivery Schedule VA31/VA32
• Create/Change Contracts VA41/VA42
2.1.2 Refer to Master Data Integrity point 1.1.2.
2.1.3 Refer to Master Data Integrity point 1.1.3.
2.1.4 Understand the policies and procedures regarding reconciliation of sales orders. Review operations activity at selected times and check for evidence that reconciliations are being performed.

2.2 Orders are processed within approved customer credit limits.
Page 6

2.2.1 Determine whether the configurable control settings address the risks pertaining to the processing of orders outside customer credit limits and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Transaction SPRO Menu Path: Financial Accounting> Accounts Receivable Accounts Payable> Credit Management> Credit Control Account
• Execute transaction OVAK to show the type of credit check performed for the corresponding transaction types in order processing.
• Execute transaction OVA7 to determine whether a credit check is performed for appropriate document types being used.
• Execute transaction OVAD to show the credit groups that have been assigned to the delivery types being used.
• Execute transaction OVA8 to show an overview of defined credit checks for credit control areas.

2.3 Order entry data are completely and accurately transferred to the shipping and invoicing activities.
2.3.1 A full list of incomplete sales documents can be obtained from the system using Transaction V.00—List Incomplete SD Documents or through the transaction RVAUFERR. Review items on the list with the appropriate operational management and ascertain if there are legitimate reasons for the sales documents that remain incomplete.

3. Shipping, Invoicing, Returns and Adjustments
3.1 Controls are in place to prevent duplicate shipments or delay in the shipping of goods to customers.
3.1.1 Generate the list of current system configuration settings relating to copy control between sales and shipping documents using Transaction: VTLA—Display Copying Control: Sales Document to Delivery Document. Select each combination of delivery type and sales document type and click the Item button. Double click on each item category and verify that the entry for the indicator Qty/value pos./neg. has been set to + (automatic update occurs between documents as deliveries are made for line items specified in the sales document).
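Steps 1.2.2 and 2.2 above ask the auditor to confirm that credit limits exist and that orders are not processed beyond them. The following is an added illustration (not part of the ISACA audit program and not SAP code) of how an auditor can replay those two checks over an extract: the customer records stand in for what F.32 and the credit master (FD32) would show, and the order list for open sales orders. The field names, the exposure formula (open receivables plus open orders plus the order under review) and all sample values are this example's assumptions.

```python
"""Credit-limit review over a constructed customer/order extract (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Customer:
    number: str
    credit_limit: Optional[float]   # None = no limit maintained (the case F.32 lists)
    open_receivables: float         # posted, unpaid invoices
    open_orders: float              # accepted orders not yet invoiced


@dataclass
class SalesOrder:
    order_id: str
    customer: str
    net_value: float


# Constructed sample data (assumed values, not from any real system).
CUSTOMERS = {
    "100001": Customer("100001", 50000.0, 20000.0, 10000.0),
    "100002": Customer("100002", None, 5000.0, 0.0),
    "100003": Customer("100003", 10000.0, 2000.0, 1000.0),
}
ORDERS = [
    SalesOrder("4711", "100001", 15000.0),
    SalesOrder("4712", "100001", 25000.0),
    SalesOrder("4713", "100003", 8000.0),
    SalesOrder("4714", "100002", 1000.0),
]


def customers_without_limit(customers):
    """The F.32 view: customers with no credit limit entered at all."""
    return sorted(c.number for c in customers.values() if c.credit_limit is None)


def orders_exceeding_limit(customers, orders):
    """Static credit check replayed over the orders in sequence.

    Exposure = open receivables + open orders + the order under review.
    An order within the limit is accepted and raises the exposure used for
    the next order; an order over the limit is reported as a breach (it
    would be blocked) and does not add to the exposure.
    """
    exposure = {n: c.open_receivables + c.open_orders for n, c in customers.items()}
    breaches = []
    for order in orders:
        cust = customers[order.customer]
        if cust.credit_limit is None:
            continue  # nothing to check against; reported by customers_without_limit()
        projected = exposure[cust.number] + order.net_value
        if projected > cust.credit_limit:
            breaches.append((order.order_id, cust.number, projected, cust.credit_limit))
        else:
            exposure[cust.number] = projected
    return breaches


if __name__ == "__main__":
    print("Customers without a credit limit:", customers_without_limit(CUSTOMERS))
    for order_id, cust, exposure, limit in orders_exceeding_limit(CUSTOMERS, ORDERS):
        print("Order %s, customer %s: exposure %.2f exceeds limit %.2f"
              % (order_id, cust, exposure, limit))
```

Run against the sample, the script lists customer 100002 as having no limit and reports orders 4712 and 4713 as breaches; the first order for 100001 passes because 45,000 is within its 50,000 limit, and the second fails only because the first was accepted.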
Page 7

3.1.2 Determine whether the following shipping reports are used to assist in controlling the shipping process:
• Backlog Reports—V.15
• Process Delivery Due List—VL04 or transaction RV50SBT1
• Outbound Deliveries for Picking—VL06
• Outbound Deliveries for Confirmation—VL06C
• Outbound Deliveries to be Loaded—VL06L
• Deliveries for Transportation Planning—VL06T
• Deliveries for Goods Issue List—VL06G
Interview management and determine whether any of the above reports are used to check the complete and timely shipment of goods to customers. Review a sample of any hardcopy reports used for evidence of action taken and/or review a sample of the reports online and check the aging of items to determine if entries have been cleared in a timely manner.

3.2 Invoices are generated using authorized terms and prices and are accurately calculated and recorded.
3.2.1 Display current system settings relating to invoice preparation online using the IMG:
• Transaction SPRO Menu Path—Sales and Distribution> Billing> Billing Documents.
Determine whether the connection between source and target documents supports the accurate flow of billing details through the sales process and supports the accurate calculation and posting of invoice data.

3.3 All goods shipped are invoiced and invoiced in a timely manner.
3.3.1 Execute transaction VF04—Process Billing Due List. All documents that have not been invoiced, or that have been only partially invoiced, will appear on the list, sorted by invoice due date. Review the aging of items in the list. For items outstanding for more than one billing period, seek an explanation from management as to why the items have not been billed.
3.3.2 Assess user access to picking lists, delivery notes and goods issues by testing access to the following transactions:
• Create Single Delivery—VL01
• Create Multiple Deliveries—VL04
• Change Deliveries—VL02
Page 8

3.3.3 Execute transaction VF03 Display Invoice and click on the expansion button next to the billing document field and select Billing Documents Still to Be Passed Onto Accounting. Obtain explanation for any invoices that appear in this list. Test user access to transactions to enter invoices and confirm this is consistent with staff job roles and management’s intentions.
• Sales Accounts Receivable Entry—VF01 and VF04
• Finance Entry—FB70

3.4 Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
3.4.1 Assess user access to sales order return and credit notes transactions as follows:
• Sales entry: Create Sales Document—VA01
• Sales entry: Change Sales Document—VA02
• Finance Entry—FB75

3.5 Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy and issued in a timely manner.
3.5.1 View the sales document types configured by using transaction VOV8. Look for all the sales document types that relate to sales order returns and credit requests. Double click on one of these document types. In the General Control section of the screen, there is a Reference mandatory field. Verify that the setting has been set to M. Repeat this for all of the other relevant document types. Discuss the Reference field settings in place for the selected document types with management. Determine whether the configuration in place is set as management intended.
3.5.2 Review the configuration settings for delivery and billing blocks online using the IMG as follows:
• Shipping: Transaction SPRO Menu Path: Logistics Execution> Shipping> Deliveries> Define Reasons for Blocking in Shipping
• Billing: Transaction SPRO Menu Path: Sales and Distribution> Billing> Billing Documents> Define Blocking Reason for Billing
Determine whether the settings support the processing of credits in line with the organization’s credit management policy and are consistent with management’s intention.

4. Collecting and Processing Cash Receipts
4.1 Cash receipts are entered accurately, completely and in a timely manner.
4.1.1 Take a sample of bank reconciliations and test for adequate clearance of reconciling items and approval by finance management.
Page 9

4.1.2 Determine whether the system has been configured to not allow processing of cash receipts outside of approved bank accounts. Execute transaction FI12 and ascertain to which bank accounts a cash receipt can be posted. Determine if this is consistent with management’s intentions.
4.1.3 Use transaction SA38 to produce the following reports:
• The Customer Open Items report (RFDOPO00)
• The Customer Open Item Analysis (days overdue analysis) report (RFDOPR10)
Determine whether these reports are reviewed and actioned regularly by locating evidence of their review or through corroborative inquiry with management.

4.2 Cash receipts are valid and are not duplicated.
4.2.1 Review the accounts receivable reconciliation and determine whether there are any amounts unallocated or any reconciling items. Determine the aging of these items and make inquiry of management as to the reasons for these items remaining unallocated or unreconciled.

4.3 Cash discounts are calculated and recorded accurately.
4.3.1 Review the settings in place for tolerance levels for allowable cash discounts and cash payment differences by the following transactions:
• OBA4, to determine the tolerance groups that have been set up for users and the tolerance limits that have been set for those groups
• OB57, to determine the users who have been allocated to the groups identified earlier
Discuss with management the settings that are in place for tolerance levels for allowable cash discounts and cash payment differences. Determine whether the configuration in place agrees with management’s intentions.

4.4 Timely collection of cash receipts is monitored.
4.4.1 As for 4.1.3, determine whether accounts receivable aging reports are reviewed regularly to ensure that the collection of payments is being performed in a timely manner.
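Steps 3.3.1, 4.1.3 and 4.4.1 all come down to aging a list of open items against a report date and asking management about anything that has sat too long. The following is an added illustration (not part of the ISACA audit program and not the RFDOPR10 report) of that aging done independently over an extract, so the auditor's buckets can be compared with the figures management reviews. The rows are a constructed open-item list with the fields an auditor would keep (document, customer, due date, amount); the bucket boundaries and the "more than one billing period" threshold of 90 days are assumptions.

```python
"""Days-overdue aging of a constructed customer open-item extract (added example)."""
from datetime import date

# Constructed sample open items: (document, customer, due date, amount).
OPEN_ITEMS = [
    ("1800001", "100001", date(2006, 3, 31), 1200.00),
    ("1800002", "100001", date(2006, 2, 15), 800.00),
    ("1800003", "100003", date(2005, 12, 1), 500.00),
    ("1800004", "100002", date(2006, 5, 15), 300.00),
    ("1800005", "100003", date(2006, 3, 1), 400.00),
]
REPORT_DATE = date(2006, 4, 30)      # key date of the (constructed) run
BUCKETS = ("current", "1-30", "31-60", "61-90", ">90")


def days_overdue(due, report_date):
    """Negative or zero means the item is not yet due."""
    return (report_date - due).days


def bucket(days):
    """Assumed bucket boundaries; match them to the organization's own aging report."""
    if days <= 0:
        return "current"
    if days <= 30:
        return "1-30"
    if days <= 60:
        return "31-60"
    if days <= 90:
        return "61-90"
    return ">90"


def age_open_items(items, report_date):
    """Total amount per aging bucket, every bucket present even when empty."""
    totals = {b: 0.0 for b in BUCKETS}
    for _doc, _cust, due, amount in items:
        totals[bucket(days_overdue(due, report_date))] += amount
    return totals


def items_overdue_beyond(items, report_date, days):
    """Documents older than the given number of days: the items to raise with management."""
    return sorted(doc for doc, _cust, due, _amt in items
                  if days_overdue(due, report_date) > days)


if __name__ == "__main__":
    for name, total in age_open_items(OPEN_ITEMS, REPORT_DATE).items():
        print("%-8s %10.2f" % (name, total))
    print("Beyond 90 days:", items_overdue_beyond(OPEN_ITEMS, REPORT_DATE, 90))
```

The same two functions serve the billing due list (3.3.1) if the rows are unbilled deliveries with their billing due date instead of receivables, which is why the column names are kept generic.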
Page 10

Expenditure Business Cycle Audit Program
(Columns: Control Objective/Test; Documentation/Matters Arising; COBIT Reference)

A. Prior Audit/Examination Report Follow-up
Review prior report, if one exists, verify completion of any agreed-upon corrections, and note remaining deficiencies.
COBIT: ME1

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment. The same background information obtained for the SAP R/3 Basis Security audit plan is required for and relevant to the business cycles. In particular the following information is important:
• The version and release of SAP R/3 implemented
• Total number of named users (for comparison with logical access security testing results)
• Number of SAP instances and clients
• Company codes
• The identification of the modules being used (FI, CO, MM, SD, PP, industry-specific, etc.)
• If the organization has created any locally developed ABAP programs or reports
• Details of the risk assessment approach taken in the organization to identify and prioritize risks
• Copies of the organization’s key security policies and standards
COBIT: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME2

Obtain details of the following:
• The Organizational Model as it relates to expenditure activity, i.e., purchasing organization unit structure in SAP R/3 and purchasing/accounts payable organization chart (required when evaluating the results of access security control testing)
• An interview of the systems implementation team, if possible, and the process design documentation for materials management
COBIT: DS5, AI1, PO7

Identify the significant risks and determine the key controls.
Develop a high-level process flow diagram and overall understanding of the expenditure processing cycle including the following subprocesses:
• Master data maintenance
• Purchasing
• Invoice processing
• Processing disbursements
COBIT: PO9, AI1, DS11

Assess the key risks, determine key controls or control weaknesses and test controls (refer to the sample testing program below and chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
• The controls culture of the organization (e.g., a just-enough-control philosophy)
• The need to exercise judgement to determine the key controls in the process and whether the controls structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)
COBIT: DS9, PO9, DS5, ME2
Page 11

C. Detailed Audit Steps

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Determine whether the changes made to the master data are complete, accurate and timely and, using the specified transaction code or SA38, whether the following report of changes to master data is compared to authorized source documents and/or a manual log of requested changes to ensure they were input accurately and timely.
• For vendor master data, the program RFKABL00 can be used to produce a list of master data changes.
COBIT: AI6, DS11

1.1.2 Determine whether access to create and change vendor pricing master data is restricted to a dedicated area and to authorized individuals. Review organization policy and process design specifications regarding access to maintain master data. Test user access via report RSUSR002 (refer to chapter IV on how to test user access) to create and maintain vendor master data as follows:
• Finance Entry—transaction codes FK01 (Create), FK02 (Change), FK05 (Block/Unblock), FK06 (Delete)
• Purchasing Entry—transaction codes MK01 (Create), MK02 (Change), MK05 (Block/Unblock), MK06 (Delete)
• Centralized Entry—transaction codes XK01 (Create), XK02 (Change), XK05 (Block/Unblock), XK06 (Delete)
Test user access to transactions to maintain vendor pricing information:
• Create info record—ME11
• Change info record—ME12
• Delete info record—ME15
• Create condition—MEK1
• Change condition—MEK2
• Create condition with reference—MEK4
COBIT: DS5, AI6, DS6, DS11

1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Execute transaction code OBD3 and ascertain whether account groups have been set up covering one-time vendor or other vendor accounts. For high-risk account groups such as one-time vendors, check whether authorization has been marked as a required field.
COBIT: DS12, DS9, DS11
Page 12

1.1.4 Determine whether a naming convention should be used for vendor names (e.g., as per letterhead) to minimize the risk of establishing duplicated vendor master records. Extract a list of vendor account names from table LFA1 (Fields: NAME1 = name, LIFNR = vendor number). Review a sample for compliance with the organization’s naming convention. View or search the list (using scan search software tools if available) for potential duplicates.
COBIT: DS11, PO9

1.2 Master data remain current and pertinent.
1.2.1 Determine whether management periodically reviews master data to check their currency and ongoing pertinence, and whether the appropriate management displays or produces a list of vendors using report RFKKVZ00 or equivalent. Confirm evidence of management’s review of the data on a rotating basis for currency and ongoing pertinence.
COBIT: DS11, ME1

2. Purchasing
2.1 Purchase order entry and changes are valid, complete, accurate and timely.
2.1.1 Determine whether purchase orders are processed with valid prices and terms and if processing is complete, accurate and timely. Determine whether the ability to create, change, or cancel purchase requisitions, purchase orders and outline agreements (standing purchase orders) is restricted to authorized personnel by testing access to the following transactions:
• Create Purchase Requisition—ME51
• Change Purchase Requisition—ME52
• Release Purchase Requisition—ME54
• Collective Release of Purchase Requisition—ME55
• Create Purchase Order, Vendor known—ME21
• Change Purchase Order—ME22
• Maintain Purchase Order Supplement—ME24
• Create Purchase Order, Vendor unknown—ME25
• Creation of Stock Transport Order—ME27
• Create Outline Agreement—ME31
• Change Outline Agreement—ME32
• Maintain Outline Agreement Supplement—ME34
COBIT: DS11, DS5
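Step 1.1.4 above leaves the search for potential duplicate vendors to "scan search software tools if available". The following is an added illustration (not part of the ISACA audit program and not SAP code) of the search written by hand: it normalizes each NAME1 value before comparing, so that records differing only in case, punctuation, "&" versus "and", or the legal-form suffix fall into the same group. The rows are a constructed LFA1-style extract with only the two fields the step names (LIFNR, NAME1); the normalization rules and the list of ignored legal-form words are this example's assumptions and should be tuned to the organization's naming convention.

```python
"""Potential-duplicate search over a constructed LFA1-style vendor extract (added example)."""
import re
from collections import defaultdict

# Words that describe the legal form rather than the trading name. Two records
# that differ only in these are candidates for review (assumed list).
LEGAL_FORMS = {
    "LTD", "LIMITED", "INC", "INCORPORATED", "GMBH", "AG", "PLC", "LLC",
    "CO", "COMPANY", "CORP", "CORPORATION", "THE",
}

# Constructed sample extract: (LIFNR = vendor number, NAME1 = name).
VENDOR_EXTRACT = [
    ("0001000", "ACME Supplies Ltd"),
    ("0001001", "Acme Supplies Limited"),
    ("0001002", "ACME SUPPLIES LTD."),
    ("0001003", "Bolt & Nut GmbH"),
    ("0001004", "Bolt and Nut GmbH"),
    ("0001005", "Northern Steel Co"),
    ("0001006", "Northern Steel Corporation"),
    ("0001007", "Zeta Logistics plc"),
]


def normalize_name(name):
    """Reduce a vendor name to a comparison key: upper case, '&' spelled AND,
    punctuation removed, legal-form words dropped, single spaces between tokens."""
    text = name.upper().replace("&", " AND ")
    text = re.sub(r"[^A-Z0-9 ]+", " ", text)
    tokens = [t for t in text.split() if t not in LEGAL_FORMS]
    return " ".join(tokens)


def find_duplicate_vendors(extract):
    """Group vendor numbers by normalized name; return only groups of two or more."""
    groups = defaultdict(list)
    for lifnr, name1 in extract:
        groups[normalize_name(name1)].append(lifnr)
    return {key: sorted(numbers) for key, numbers in groups.items() if len(numbers) > 1}


if __name__ == "__main__":
    for key, numbers in sorted(find_duplicate_vendors(VENDOR_EXTRACT).items()):
        print("%-20s %s" % (key, ", ".join(numbers)))
```

Every group the script prints is a candidate, not a finding: the auditor still confirms with management whether the records are genuinely the same supplier (bank details or tax number, if extracted, settle most cases) before reporting duplicates.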
Page 13

2.1.2 Determine whether the SAP R/3 source list functionality allows only specified materials to be purchased from vendors included in the source list for the specified material. Through discussions with management, determine (types of) materials for which source lists should be available in the system. Also, determine (types of) materials for which a source list should not be present. Examine a selection of materials and view the corresponding source list using the following reports to corroborate the performance of the control activity in the appropriate accounting period:
• ME06 reports on all material items and whether they belong to a source list or not
• ME0M shows all material items and any associated vendors (including historic data). To run ME0M, a material or a range of materials needs to be specified. Use the matchcode and click on the search help option and choose option J—material by material group—to get a list of materials.
Select the above-mentioned sample of orders and check against source list reports to determine if specific materials have been procured with unlisted vendors.
COBIT: DS11
Page 14

2.1.3 Determine whether the SAP R/3 release strategy is used to authorize purchase orders, outline agreements (standing purchase orders) and unusual purchases (e.g., capital outlays). Obtain sufficient understanding of the system configuration to assess the adequacy of the release strategy as defined and implemented by the organization, as well as the function and effectiveness of established policies, procedures, standards, and guidance. The following transactions should be executed to obtain an understanding of the way the system has been configured:
• Release procedure: Purchase Orders—OMGS and release procedure Purchase Requisitions (with classification)—OMGQ
  - Click on Release Strategy. Select the strategies one by one, by double-clicking on the strategy. Note the release codes that are shown—authorization (authorization objects M_BANF_FRG and M_EINK_FRG) for these release codes should be checked.
  - Click on Classification. This will show the conditions under which the purchase document will be blocked. Ascertain if these conditions comply with management’s intentions.
• Release procedure Purchase Requisitions (without classification)—OME6
  - Click on Release Prerequisites. Note the release codes that are shown; authorization for these release codes should be checked.
  - Re-execute transaction OME6 and click on Determination of Release Strategy. This will show the conditions under which the purchase document will be blocked. Ascertain if these conditions comply with management’s intentions.
• Test user access to transactions for release strategies:
  - Release Purchase Order—ME28
  - Release Outline Agreement—ME35
  - Release Purchase Requisition—ME54
  - Collective Release of Purchase Requisitions—ME55
COBIT: DS9, DS5, ME1, DS13

2.2 Goods are only received for valid purchase orders and goods receipts are recorded completely, accurately and in a timely manner.
Page 15

2.2.1 Determine whether goods (or materials, equipment) are received only when there are valid purchase orders, or if goods receipts are always recorded completely, accurately and in a timely manner. Determine whether an investigation takes place when receipts have no purchase order or exceed the purchase order quantity by more than an established amount. Does management review exception reports of goods not received on time for recorded purchases? Run the report RM06EM00 to produce a listing of Purchase Orders Outstanding. Ascertain from management if there are any reasons for any long outstanding items on the report.
COBIT: DS9, DS5

2.2.2 Determine whether order entry data are transferred completely and accurately to the shipping and invoicing activities, and if the ability to input, change or cancel goods received transactions is restricted to authorized inbound logistics/raw materials personnel. Test user access to transactions for goods receipt as follows:
• Goods Receipt for Purchase Order—MB01
• Goods Receipts, Purchase Order Unknown—MB0A
• Goods Receipt for Production Order—MB31
• Other Goods Receipts—MB1C
• Cancel/reverse Material Document—MBST
Test user access to high-risk movement types: transaction code MB1C, authorization object M_MSEG_BWA and fields ACTV and movement types BWART 561 through 566. These special movement types reflect the initial stock entry in the SAP R/3 system at the time of conversion to the SAP R/3 system.
COBIT: AI2, DS5, DS11

2.3 Defective goods are returned to suppliers in a timely manner.
2.3.1 Determine whether defective goods (or materials, equipment) are returned in a timely manner to suppliers, are adequately segregated from other goods in a quality-assurance bonding area, and are regularly monitored (assigned a specific movement type, e.g., 122) to ensure timely return to suppliers and whether credit is received in a timely manner. Ascertain from management the movement type used to block processing and for returning rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with the appropriate movement type. Determine if there are any long outstanding materials pending return to suppliers/receipt of appropriate credits.
COBIT: DS2, DS11

3. Invoice Processing
3.1 Amounts posted to accounts payable represent goods or services received.
3.1.1 Determine whether amounts posted to accounts payable represent goods or services received, whether the ability to input, change, cancel or release vendor invoices for payment is restricted to authorized personnel, and whether the ability to input vendor invoices that do not have a purchase order and/or goods receipt is restricted to authorized personnel. Test user access to transactions for invoice processing:
• Enter Invoice—MRHR, MR01
• Change Invoice—FB02
• Process Blocked Invoice—MR02
• Cancel Invoice—MR08
• Enter Credit Memo—MRHG
COBIT Reference: DS6, DS9, AI6

3.2 Accounts payable amounts are calculated completely and accurately and recorded in a timely manner.
3.2.1 Determine whether the SAP R/3 software is configured to perform a three-way match. Execute transaction code OMF4 (Change View "Field Selection at Document Level": Overview) by selecting ME21 (Create Purchase Order) and then selecting GR/IR Control. Determine whether GR/IR Control has been set globally to required entry. If the GR/IR Control indicator has not been set globally for all vendors, determine whether it has been set for particular vendors by displaying table LFM1, field name WEBRE, using transaction SE16. Where GR/IR Control has not been set, ascertain from management whether there are any reasons.
COBIT Reference: DS9, DS5

3.2.2 Determine whether the SAP R/3 software is configured with quantity and price tolerance limits. Tolerance limits for price variances and message settings for invoice verification (online matching) should be checked as follows:
• Variance settings: Execute transactions OMEU and OMR6. The system will show an overview of the defined tolerance limits. Double-click on the entries that relate to the organization being audited. Two entries need to be checked, one for tolerance key PE (price) and one for tolerance key SE (discount). Note the values shown. Both a lower and an upper limit may be specified as a percentage value. (PE also allows setting of an absolute value.)
• Message settings: Execute transaction OME0. Click on the Position button. Enter values 00, 06 and 207 (message for price variance) and press Enter. Note the value in the Categories field. Possible values are W for warning and E for error.
Ascertain whether the values noted comply with management intentions.
COBIT Reference: DS9, DS10
3.2.3 Determine whether the GR/IR account balances report (RM07MSAL) is executed and reviewed periodically. Check that there are appropriate procedures in place to investigate unmatched purchase orders. In particular, long outstanding items should be followed up and cleared.
COBIT Reference: AI6

3.2.4 Determine whether reports of outstanding purchase orders are reviewed regularly. Run the report RM06EM00 to produce a listing of Purchase Orders Outstanding and review long outstanding items with management.
COBIT Reference: PO11

3.2.5 Determine whether the SAP R/3 software restricts the ability to modify the exchange-rate table to authorized personnel, whether management approves values in the centrally maintained exchange rate table, and whether the SAP R/3 software automatically calculates foreign currency translations based on values in the centrally maintained exchange rate table. Determine whether management reviews a sample of changes to exchange rates above a certain percentage, having regard to the volume and value of foreign currency transactions for the organization. Test user access to the exchange rates and the related authorization objects:
• Exchange rate via standard transaction: First, execute transaction SUCU. Click on Position. Enter value V_TCURR and press Enter. Note the value in the field Authorization Group. Then test user access to transaction code OB08, authorization object S_TABU_DIS (Class Basis: Administration), field Activity: value 02, and field Authorization Group: value noted with transaction SUCU.
• Exchange rate via view maintenance: First, execute transaction SUCU. Click on Position. Enter Table Name value V_T001R and click on Choose. Note the value in the field Authorization Group. Do the same for table V_TCURF. Then test user access to the following transaction codes with authorization object S_TABU_DIS (Class Basis: Administration), field Activity: 02, and field Authorization Group: value noted with transaction SUCU:
- Maintain table rounding units—OB90
- Maintain table foreign currency ratios—OBBS
- Table view maintenance—SM30
COBIT Reference: DS5, AI6

3.3 Credit notes and other adjustments are calculated completely and accurately and recorded in a timely manner.
3.3.1 Determine whether the ability to input, change, cancel or release credit notes is restricted to authorized personnel. Test user access to post invoices directly to vendor accounts:
• Enter Credit Note—F-41
• Enter Invoice—F-43
COBIT Reference: PO2, DS5
4. Processing Disbursements
4.1 Disbursements are made only for goods and services received, calculated accurately, recorded and distributed to the appropriate suppliers in a timely manner.
4.1.1 Determine whether disbursements are made only for goods and services received, calculated accurately, recorded and distributed to the appropriate suppliers in a timely manner, and whether management approves the SAP R/3 payment run parameter specification. Test user access to transactions to process disbursements:
• Automatic payment transactions—F110
• Parameters for payment—F111
• Payment with printout—F-58
COBIT Reference: DS5, PO6

4.1.2 Test user access to blocked invoices:
• Change document—FB02
• Change line items—FB09
• Block/unblock vendor (centrally)—XK05
• Block/unblock vendor—FK05
Inventory Business Cycle Audit Program

A. Prior Audit/Examination Report Follow-up
Review the prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT Reference: ME1

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment.
The same background information obtained for the SAP R/3 Basis Security audit plan is required for and relevant to the business cycles. In particular, the following information is important:
• The version and release of SAP R/3 that has been implemented
• Total number of named users (for comparison with logical access security testing results)
• Number of SAP instances and clients
• Company codes
• The identification of the modules (FI, CO, MM, SD, PP, industry-specific, etc.) being used
• Whether the organization has created any locally developed ABAP programs or reports
• Details of the risk assessment approach taken in the organization to identify and prioritize risks
• Copies of the organization's key security policies and standards
• A review of outstanding audit findings, if any, from previous years
COBIT Reference: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME2

Obtain the following relevant business cycle details:
• The organizational model as it relates to inventory activity, i.e., the plant organization unit structure in SAP R/3 and the manufacturing organization chart (required when evaluating the results of access security control testing)
• Interview the systems implementation team if possible and obtain process design documentation for materials and warehouse management
COBIT Reference: PO4, AI4

Identify the significant risks and determine the key controls.
Develop a high-level process flow diagram and an overall understanding of the inventory processing cycle, including the following subprocesses:
• Master data maintenance
• Raw materials management
• Producing and costing inventory
• Handling and shipping finished goods
COBIT Reference: DS11, DS12, DS6, DS13
Assess the key risks, determine key controls or control weaknesses and test controls (refer to the detailed sample testing program below and to chapter 4 for techniques for testing configurable controls and logical access security), having regard to the following factors:
• The controls culture of the organization (e.g., a just-enough control philosophy)
• The need to exercise judgement to determine the key controls in the process and whether the control structure is adequate (Any weaknesses in the control structure should be reported to executive management and resolved.)
COBIT Reference: PO9, ME2

C. Detailed Audit Steps
1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Take a sample of inventory file updates using transaction MB59, which allows users to perform a search on multiple materials by a particular range of dates, and check back to authorized source documentation. Review the process for physical stock-takes to confirm the complete, accurate, valid and timely recording of stock differences.
COBIT Reference: DS11, DS13
1.1.2 Review organization policy and process design specifications regarding access to maintain material master data. Test user access to the following transaction codes:
• Create Material—MM01
• Change Material—MM02
• Flag Material for Deletion—MM06
COBIT Reference: DS11, DS13
1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Material Types: Transaction SPRO, menu path Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
• Industry Sector: Transaction SPRO, menu path Logistics General > Material Master > Field Selection > Define industry sectors and industry-sector-specific field selection
• Default Price Types: Execute transaction OMW1 and determine whether default settings have been set for the price type for material records
• Tolerances for Physical Inventory differences: Execute transaction OMJ2 and compare the defined tolerances to organizational policy and judge for reasonableness
COBIT Reference: PO9, DS11, DS12, DS13, DS6, ME1, ME2

1.2 Inventory master data remain current and pertinent.
1.2.1 Determine whether the appropriate management run the Materials List (transaction code MM60) or equivalent by material type, and confirm evidence of their review of the data on a rotating basis for currency and ongoing pertinence.
COBIT Reference: ME1, DS11, ME4

1.3 Settings or changes to the bill of materials or process order settlement rules are valid, complete, accurate and timely.
1.3.1 Review organization policy and process design specifications regarding access to maintain bill of materials (BOM) and process order settlement rules. Test user access to the following transaction codes:
• Create Material BOM—CS01
• Change Material BOM—CS02
• Make Mass Changes—CS20
• Change Single-layered BOM—CS72
• Change Multi-layered BOM—CS75
• Change Settlement Rules—nondisplayable transaction code KOBK (refer to menu path: Logistics > Production Process > Process Order > Process Order > Display > enter the process order number and press Enter, then go to Header > Settlement Rule)
COBIT Reference: ME1, DS13
1.3.2 Take a sample of bill of materials updates using transaction CS80 and check back to authorized source documentation.
COBIT Reference: DS13

2. Raw Materials Management
2.1 Inventory is saleable, useable and safeguarded adequately.
2.1.1 Confirm that the DRP process takes into account stock on hand, forecast requirements, economic order quantities and back orders. Execute transaction code MB5M and ascertain the reason for any old stock being held (Shelf Life List). Use transaction MC46 to identify slow-moving items and MC50 for "dead" stock (i.e., stock that has not been used for a certain period of time). Test that managers are reviewing this information on a regular basis.
COBIT Reference: DS6, DS13, ME1

2.2 Raw materials are only received and accepted with valid purchase orders and recorded accurately and in a timely manner.
2.2.1 Test that management executes the report of outstanding purchase orders using transaction ME2L (refer to Expenditure Cycle 2.2.1) and follows up on any long outstanding items.
COBIT Reference: DS13
2.2.2 Review the reconciliation of the goods received/invoice received account (transaction code MB5S, refer to Expenditure Cycle 3.2.3) and confirm that unmatched items have been investigated in a timely manner.
COBIT Reference: ME1, ME2
2.2.3 Test user access to transactions for goods receipt (refer to Expenditure Cycle 2.2.2) as follows:
• Goods Receipt for Purchase Order—MB01
• Goods Receipts Purchase Order Unknown—MB0A
• Goods Receipt for Order—MB31
• Enter Other Goods Receipts—MB1C
• Cancel Material Document—MBST
• Goods Movement—MIGO
COBIT Reference: DS13, ME1, DS12
2.2.4 Test the controls over inventory stock takes (refer to 1.1.1).

2.3 Defective raw materials are returned to suppliers in a timely manner.
2.3.1 Ascertain from management the movement type used to block processing and for returning rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with the appropriate movement type (refer to Expenditure Cycle 2.3.1). Determine whether there are any long outstanding materials pending return to suppliers or receipt of appropriate credits.
COBIT Reference: DS13

3. Producing and Costing Inventory
3.1 Transfers of materials to/from production, production costs and defective products/scrap are valid and recorded accurately, completely and in the appropriate period.
3.1.1 Review the policy and procedures concerning the transfer of materials and confirm that the above controls are in place and operating. Test that inventory-in-transit accounts are regularly reviewed to ensure the accounts are cleared and reconciled. Confirm that default price types have been established for all materials (refer to 1.1.3).
COBIT Reference: ME2, DS6
3.1.2 Test user access to bills of material (refer to 1.3.1).
3.1.3 Test user access to issue goods (transaction code MB1A), to post transfers between plants (transaction code MB1B) and to move goods (transaction code MIGO).
COBIT Reference: DS13, ME1
3.1.4 Test user access to create (transaction code CR01) or change (transaction code CR02) work centers.
COBIT Reference: DS13, ME1

4. Handling and Shipping Finished Goods
4.1 Finished goods received from production are recorded completely and accurately in the appropriate period.
4.1.1 Test inventory stock take procedures (refer to 1.1.1).
COBIT Reference: DS13, ME1
4.1.2 Test user access to change settlement rules (refer to 1.3.1).
COBIT Reference: ME1, DS13

4.2 Goods returned by customers are accepted in accordance with the organization's policies.
4.2.1 Review the policies and procedures for receiving inventory back into the warehouse. Review some returns of inventory and ensure they are supported with adequate documentation from the quality inspector. Ascertain from management the movement type used for goods returned from customers. Execute transaction MB51 with the appropriate movement type. Determine whether there are any long outstanding materials pending return to inventory or provision of appropriate credits.
COBIT Reference: ME1, AI4

4.3 Shipments are recorded accurately, in a timely manner and in the appropriate period.
4.3.1 Test user access to transfer stock between plants (transaction code LT04) or Change Outbound Delivery (transaction code VL02N).
COBIT Reference: DS13, ME1
4.3.2 Take a sample of the Delivery Due List and the Owed to Customer Report and test for evidence of management action. Review settings using transaction code OMWB and confirm that account assignments are set to valid COGS accounts.
COBIT Reference: ME1, ME4, DS13
Basis Security Cycle Audit Program

A. Prior Audit/Examination Report Follow-up
Review the prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT Reference: ME1

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment.
Determine what version and release of the SAP R/3 software has been implemented. If there are multiple versions, document the various versions.
COBIT Reference: PO4

Obtain details of the following:
• Operating system(s) and platforms
• Total number of named users (for comparison with limits specified in the contract)
• Number of SAP R/3 instances and clients
• Database management system used to store data for the SAP R/3 system
• Location of the servers and the related LAN/WAN connections (need to verify security and controls, including environmental, surrounding the hardware, and the network security controls surrounding the connectivity) and, if possible, obtain copies of network topology diagrams
• List of business partners, related organizations and remote locations that are permitted to connect to the R/3 environment
• Various means used to connect to the R/3 environment (e.g., dial-up, remote access server, Internet transaction server) and the network diagram if available
COBIT Reference: PO2, PO3, DS2, DS12

In a standard SAP R/3 configuration, separate systems for development, test and production are implemented. Determine whether:
• This approach was taken
• The instances are totally separate systems or are within the same system
COBIT Reference: PO2

Determine whether the SAP production environment is connected to other SAP or non-SAP systems. If yes, obtain details as to the nature of connectivity, frequency of information transfers, and security and control measures surrounding these transfers (i.e., to ensure accuracy and completeness).
COBIT Reference: PO2, DS5

Identify the modules (FI, CO, MM, SD, PP, industry-specific, etc.) that are being used.
COBIT Reference: PO2
Identify whether the organization has implemented any of the following:
• Internet transaction server
• Any of the New Dimension products (e.g., Supply Chain Management, Customer Relationship Management, Business Intelligence)
• Audit information system. If implemented, determine how it is used (i.e., only for annual audits or on a regular basis to monitor and report on security issues).
COBIT Reference: PO2, PO3, ME2

Determine whether the organization makes use of any mySAP.com functionality. If yes, describe the functionality and purpose.
COBIT Reference: PO2

Determine whether the organization has created any locally developed ABAP/4 programs/reports or tables. If yes, determine how these programs/reports are used. Depending on the importance/extent of use, review and document the development and change management process surrounding the creation/modification of these programs/reports or tables.
COBIT Reference: AI2, AI6

Obtain copies of the organization's key security policies and standards. Highlight key areas of concern, including:
• Information security policy
• Sensitivity classification
• Logical and physical access control requirements
• Network security requirements, including requirements for encryption, firewalls, etc.
• Platform security requirements (e.g., configuration requirements)
COBIT Reference: PO6, DS5, DS12

Obtain information regarding any awareness programs that have been delivered to staff on the key security policies and standards. Consider specifically the frequency of delivery and any statistics on the extent of coverage (i.e., what percentage of staff have received the awareness training).
COBIT Reference: PO6, DS7

Maintain authorizations and profiles, for example:
• Have job roles, including the related transactions, been defined and documented?
• Do procedures for maintaining (creating/changing/deleting) roles exist, and are they followed?
COBIT Reference: PO7, AI4, DS5
Determine whether adequate access administration procedures exist in written form. Do any of the following procedures exist within the organization? (If yes, document the process and comment on compliance with the policies and standards, and on the adequacy of the resulting documentation.)
• Procedures to add/change/delete user master records
• Procedures to handle temporary access requests
• Procedures to handle emergency access requests
• Procedures to remove users who have never logged into the system
• Procedures to automatically notify the administration staff when staff holding sensitive or critical positions leave the organization or change positions
COBIT Reference: PO7, AI4, DS5

Obtain copies of the organization's change management policies, processes, procedures and change documentation. Consider specifically:
• Transport processes and procedures, including allowed transport paths
• Emergency change processes and procedures
• Development standards, including naming conventions, testing requirements and move-to-production requirements
COBIT Reference: AI4, AI6

Determine whether the organization has a defined process for creating and maintaining clients. If yes, obtain copies and documentation related to the creation and maintenance of clients.
COBIT Reference: PO2, AI6

Determine the organization's approach to SAP Online Support Services (OSS). Verify the extent of access permitted and the processes used to request, approve, authenticate, grant, monitor and terminate OSS access.
COBIT Reference: DS2, DS5

Review outstanding audit findings, if any, from previous years. Assess the impact on the current audit.
COBIT Reference: ME1, ME2

Identify the significant risks and determine the key controls.
Obtain details of the risk assessment approach taken in the organization to identify and prioritize risks.
COBIT Reference: PO9

Obtain copies of and review:
• Completed risk assessments impacting the R/3 environment
• Approved requests to deviate from security policies and standards
Assess the impact of the above documents on the planning of the R/3 audit.
COBIT Reference: PO9, ME1

In the case of a recent implementation/upgrade, obtain a copy of the security implementation plan. Assess whether the plan took into account the protection of critical objects within the organization and segregation of duties. Determine whether an appropriate naming convention (i.e., for profiles) has been developed to help security maintenance and to comply with required SAP R/3 naming conventions.
COBIT Reference: PO3, DS5, PO7
C. Detailed Audit Steps
1. Application Installation (Implementation Guide and Organizational Model)
1.1 Configuration changes are made in the development environment and transported to production.
1.1.1 Test that access to the transaction code (SPRO) and the authorization object (S_IMG_ACTV) for the IMG has been restricted in the production environment.
1.1.4 Restrict access to transaction code SCC4, which controls the production client settings. Execute this transaction code and then double-click on each client being tested. Each of the settings should be reviewed for appropriateness. It is important to note that the No Changes setting should be set for cross-client tables. Also ensure that eCATT and CATT are set to Not Allowed.

1.2 The Organizational Model has been configured correctly to meet the needs of the organization.
1.2.1 Obtain information on the Organizational Model from the system by reviewing tables or by utilizing the SAP R/3 Audit Information System (AIS), which depicts the OM graphically (refer to figure 12.5). Compare it to the real organization structure, and interview management in relation to differences or difficulties that may have emerged during or after the implementation.
1.2.2 Test access to the transaction code (SPRO) and the authorization object (S_IMG_ACTV) for the IMG in the production environment.

1.3 Changes to critical number ranges are controlled.
1.3.1 Via transaction SUIM, review authorization object S_NUMBER (*) for those users with the following authorization value sets:
• Maintain Number Range Intervals (02)
• Change Number Range Status (11)
• Initialize Number Levels (13)
• Maintain Number Range Objects (17) for all Number Range Objects

1.4 Access to system and customizing tables is restricted narrowly.
1.4.1 Using transaction code SE16, browse table TDDAT. In the table name field, enter Z* and then Y* to identify all of the custom tables. Determine those tables that have &NC& within the Authorization Group field. Assess whether these settings (&NC&) are appropriate.
1.4.2 Access to modify critical tables can be tested via the object S_TABU_DIS (value 02) and transaction codes SM31 or SM30. If the table is cross-client, the user master record must also contain a third object, S_TABU_CLI (value X). Use RSUSR002 via SA38 to check for these restrictions.
2. Application Development (ABAP/4 Workbench and Transport System)
2.1 Application modifications are planned, tested and implemented in a phased manner.
2.1.1 Determine the system landscape and client strategy, and review the change control policies and procedures (including documentation) to transport objects between environments. Work with the Basis/Transport Administrator to obtain a random sample of transports and trace back to documentation. Ensure authorization for the transport was obtained and confirm that the specified transport path was followed. For emergency changes, ensure that the specified emergency process was followed. Confirm that appropriate authorizations were obtained and that documentation was subsequently completed. Review the system change option and confirm that it has been set to No Changes Allowed (refer to 1.1.2 above). Review segregation of duties with respect to creating and releasing change requests. Test user access to authorization object S_TRANSPRT with ACTVT values other than 03 and any transport type TTYPE. Assess the appropriateness of such access in comparison with the users' job functions.
COBIT Reference: AI6, DS5

2.2 Customized ABAP/4 programs are secured appropriately.
2.2.1 To identify customized programs that have not been assigned to an authorization group, enter transaction code SE16. Browse the table TRDIR and enter the values Z* and then Y* in the program name field. This will produce a list of all customized programs, assuming that the organization has followed the standard naming convention when customizing programs. Filter this list for programs that do not have a value in the authorization group field (SECU). Auditors should concentrate their investigations on users who have SE38, SA38, SE80 and SE37. These users will automatically have access to run many of these programs.
2.2.2 From this list, select a representative sample of customized programs and check the source code to see whether an Authority-Check statement has been included. Use transaction code SA38 and run the ABAP/4 program RSABAPSC with the appropriate program name and Authority-Check in the ABAP/4 language commands selection field to display the authority-check statements for each of the sampled programs. Note that the results may include other programs called by the sampled programs with the appropriate authority-check statements. The results of the test should be confirmed with management.
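The two checks in 2.2.1 and 2.2.2 can be run together over an SE16 export of TRDIR and the program sources: every Z*/Y* program is classed by whether it has an authorization group (SECU) and whether its source carries a live AUTHORITY-CHECK. This is an added example, not code from the ISACA guide; the TRDIR rows and ABAP sources below are constructed, and the function names are my own.

```python
import re

# Constructed sample of TRDIR rows (program name, authorization group SECU),
# in the shape an SE16 export of Z*/Y* programs would take. Not real customer data.
TRDIR_ROWS = [
    {"NAME": "ZFI_PAYMENT_RUN", "SECU": "ZFIN"},
    {"NAME": "ZMM_STOCK_ADJUST", "SECU": ""},
    {"NAME": "YHR_SALARY_LIST", "SECU": ""},
    {"NAME": "ZSD_PRICE_UPDATE", "SECU": ""},
    {"NAME": "RSUSR002", "SECU": ""},   # SAP standard report, not a custom program
]

# Constructed ABAP sources keyed by program name.
SOURCES = {
    "ZFI_PAYMENT_RUN": """
REPORT zfi_payment_run.
AUTHORITY-CHECK OBJECT 'F_REGU_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'FBTCH' FIELD '21'.
IF sy-subrc <> 0.
  MESSAGE e001(zfi).
ENDIF.
""",
    "ZMM_STOCK_ADJUST": """
REPORT zmm_stock_adjust.
* No authorization check at all: anyone who can start it via SA38/SE38 runs it.
UPDATE mard SET labst = labst + p_qty WHERE matnr = p_matnr.
""",
    "YHR_SALARY_LIST": """
REPORT yhr_salary_list.
* The check below is commented out, so it is not effective.
* AUTHORITY-CHECK OBJECT 'P_ORGIN' ID 'INFTY' FIELD '0008'.
SELECT * FROM pa0008 INTO TABLE lt_pay.
""",
    "ZSD_PRICE_UPDATE": """
REPORT zsd_price_update.
authority-check object 'V_KONH_VKS' id 'ACTVT' field '02'.
IF sy-subrc <> 0. LEAVE PROGRAM. ENDIF.
""",
}

# ABAP keywords are case-insensitive; '*' in column 1 or '"' starts a comment.
AUTH_CHECK_RE = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\s+'([A-Z0-9_]+)'", re.I)

def is_custom(name):
    """Customer namespace per the naming convention the audit step assumes."""
    return name.upper().startswith(("Z", "Y"))

def strip_comments(source):
    """Drop full-line (*) and trailing (") ABAP comments so that a commented-out
    AUTHORITY-CHECK is not counted as a live check (approximate: ignores quotes
    inside string literals)."""
    out = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        out.append(line.split('"', 1)[0])
    return "\n".join(out)

def authority_objects(source):
    """Authorization objects named in live AUTHORITY-CHECK statements, sorted."""
    return sorted({m.group(1).upper() for m in AUTH_CHECK_RE.finditer(strip_comments(source))})

def review_custom_programs(trdir_rows, sources):
    """Return {program: (has_auth_group, objects_checked, finding)} for Z*/Y* programs."""
    findings = {}
    for row in trdir_rows:
        name = row["NAME"]
        if not is_custom(name):
            continue
        has_group = bool(row["SECU"].strip())
        objects = authority_objects(sources.get(name, ""))
        if has_group and objects:
            finding = "ok"
        elif has_group:
            finding = "group only"
        elif objects:
            finding = "authority-check only"
        else:
            finding = "unprotected"   # neither SECU group nor AUTHORITY-CHECK
        findings[name] = (has_group, objects, finding)
    return findings

if __name__ == "__main__":
    for name, (grp, objs, finding) in review_custom_programs(TRDIR_ROWS, SOURCES).items():
        print(f"{name:18} SECU={'yes' if grp else 'no'} AUTHORITY-CHECK={objs or '-'} -> {finding}")
```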
2.2.3 Review and assess the values of the parameters below (use the RSPARAM report):
• auth/no_check_in_some_cases (can be either Y or N; if set to the recommended value of Y (permit authorization checks), monitor the content of SU24 carefully to make sure that these entries are set appropriately)
• auth/rfc_authority_check (recommended setting is 2, to permit full checking)
COBIT Reference: DS5

2.2.4 Use report RSUSR002 to test the number of users who have access to execute all programs independent of the authorization group assigned. Enter the authorization object S_PROGRAM with the activity value SUBMIT or BTCSUBMIT, and the authorization object S_TCODE with a transaction code of SA38, SE37, SE38 or SE80.
2.2.5 Review the policy, procedures and criteria for establishing program authorization groups, assigning the ABAP/4 programs to groups and including authority-check statements in programs. Compare the results from testing to the established policies, procedures, standards and guidance (note that organizations may use additional transactions, tables, authorization objects, ABAP/4 programs and reports to control their systems).

2.3 The creation or modification of programs is performed in the development system and migrated through the test system to production.
2.3.1 Produce a list of users who have access to develop programs in the production system by executing report RSUSR002 with the authorization object S_DEVELOP, the activity values 01, 02 or 06, and the transaction code value SE38. ABAP/4 programs that are not assigned to an authorization group may be changed by any user with authorization for object S_DEVELOP, depending on whether the user has been assigned a developer's key and the correct object keys.

2.4 Access for making changes to the dictionary is restricted to authorized individuals.
2.4.1 Execute the report RSUSR002. Review users with the following authorization to determine whether they are appropriate:
• Data Dictionary object: S_DEVELOP with any of the activity values 01, 02, 06, 07, and access to any of the transaction codes SE11, SE12, SE15, SE16, SE37, SE38, SE80
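The parameter comparison that 2.2.3 describes (and that 3.3.1 later applies to the login/* parameters) can be scripted over an RSPARAM listing. This is an added example, not part of the ISACA guide: the RSPARAM extract is constructed, and the policy thresholds are assumptions standing in for the organization's own standard.

```python
# Constructed extract in the shape of an RSPARAM listing: parameter name,
# user-defined value, system default. "-" marks a parameter left at its default.
RSPARAM_EXTRACT = """\
login/password_expiration_time      0          0
login/min_password_lng              5          6
login/fails_to_session_end          3          3
login/fails_to_user_lock            99         12
login/failed_user_auto_unlock       1          1
auth/no_check_in_some_cases         Y          Y
auth/rfc_authority_check            2          2
auth/check_value_write_on           -          0
auth/no_check_on_tcode              -          N
"""

def parse_rsparam(text):
    """Map parameter name -> effective value (user value unless left at default)."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue          # skip headers, blank lines and anything unexpected
        name, user_value, default = parts
        params[name] = default if user_value == "-" else user_value
    return params

# Assumed policy (stand-in for the organization's security standard):
# (operator, expected); "eq" is an exact string match, the others are numeric.
POLICY = {
    "login/password_expiration_time": ("<=", 90),   # rotate at least every 90 days
    "login/min_password_lng": (">=", 8),
    "login/fails_to_session_end": ("<=", 3),
    "login/fails_to_user_lock": ("<=", 5),
    "login/failed_user_auto_unlock": ("eq", "0"),   # 0: administrator must unlock
    "auth/no_check_in_some_cases": ("eq", "Y"),     # recommended value in 2.2.3
    "auth/rfc_authority_check": ("eq", "2"),        # full RFC checking
    "auth/check_value_write_on": (">", 0),          # >0 enables SU53 analysis
    "auth/no_check_on_tcode": ("eq", "N"),          # assumed: keep tcode checks on
}

def evaluate(params, policy):
    """Return {name: (actual, verdict)} with verdict PASS, FAIL or MISSING."""
    results = {}
    for name, (op, expected) in policy.items():
        actual = params.get(name)
        if actual is None:
            results[name] = (None, "MISSING")
            continue
        if op == "eq":
            ok = actual == expected
        else:
            try:
                value = int(actual)
            except ValueError:
                results[name] = (actual, "FAIL")
                continue
            # An expiration time of 0 means passwords never expire, which is
            # weaker than any cap, so it must not pass a "<=" comparison.
            if name == "login/password_expiration_time" and value == 0:
                ok = False
            else:
                ok = {"<=": value <= expected,
                      ">=": value >= expected,
                      ">": value > expected}[op]
        results[name] = (actual, "PASS" if ok else "FAIL")
    return results

def failing(params, policy):
    """Sorted names of parameters that do not meet the policy."""
    return sorted(n for n, (_, v) in evaluate(params, policy).items() if v != "PASS")

if __name__ == "__main__":
    for name, (actual, verdict) in evaluate(parse_rsparam(RSPARAM_EXTRACT), POLICY).items():
        print(f"{verdict:7} {name} = {actual}")
```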
2.5 Access to modify and develop queries is restricted.
2.5.1 Using report RSUSR002, enter the authorization object S_QUERY with activity value 02 and transaction code SQ01 to identify all users who can create and maintain queries. In addition, using the authorization object S_QUERY with activity value 23 and transaction codes SQ02 or SQ03, produce a report identifying all users who can maintain functional areas and user groups. Review the lists with management for reasonableness.

2.6 Relevant company codes are set to Productive in the production environment.
2.6.1 Transaction code OBR3 contains a list of company codes and whether they have been set to Productive. This information is also available in table T001 and can be viewed using transaction code SE16. Review this list. Where company codes have not been set to Productive, the reasons should be investigated with management.

3. Application Operations (Computing Center Management System)
3.1 The Computing Center Management System is configured appropriately.
3.1.1 Determine via inquiry whether transaction RZ04 was used to set up operation modes, instances and timetables to ensure that the CCMS displays meaningful data.
3.1.2 Determine how the organization is monitoring its SAP R/3 system. Understand the policies, procedures, standards and guidance regarding the execution of the SAPSTART and STOPSAP programs or their equivalent in the organization's environment. Check that only authorized personnel may execute these programs.
3.1.3 Generate a list of users with the ability to access the Alert Monitor by performing online access authorization testing for the authorization object S_RZL_ADM, activity values 01 (administrator) and 03 (display), and transaction code value AL01 (if a 3.x system) or RZ20 (if a 4.x system).
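Each RSUSR002 selection in 2.2.4, 2.3.1, 2.4.1 and 2.5.1 asks the same question: which users hold a given object/field value together with a given transaction code? The following is an added example, not code from the ISACA guide; the user authorization extract is constructed, and the value matching (literal, trailing-* pattern, low/high range) is my assumption about how the exported field values are represented.

```python
# Constructed user master extract: each authorization is (object, field, values).
# A value is a literal, a pattern ending in '*', or a (low, high) range tuple.
USERS = {
    "DEVUSER1": [
        ("S_DEVELOP", "ACTVT", ["01", "02", "03"]),
        ("S_DEVELOP", "OBJTYPE", ["PROG"]),
        ("S_TCODE", "TCD", ["SE38", "SE80"]),
    ],
    "BASISADM": [
        ("S_DEVELOP", "ACTVT", ["*"]),
        ("S_TCODE", "TCD", ["S*"]),
        ("S_QUERY", "ACTVT", ["02", "23"]),
        ("S_PROGRAM", "P_ACTION", ["*"]),
        ("S_PROGRAM", "P_GROUP", ["*"]),
    ],
    "APUSER7": [
        ("S_DEVELOP", "ACTVT", ["03", "07"]),
        ("S_TCODE", "TCD", [("SE10", "SE39"), "FB02"]),
    ],
    "QUERYUSR": [
        ("S_QUERY", "ACTVT", ["02"]),
        ("S_TCODE", "TCD", ["SQ01"]),
    ],
}

def value_matches(granted, wanted):
    """Does one granted field value cover the wanted value?"""
    if isinstance(granted, tuple):            # (low, high) range, inclusive
        low, high = granted
        return low <= wanted <= high
    if granted == "*":                        # full authorization
        return True
    if granted.endswith("*"):                 # prefix pattern such as S*
        return wanted.startswith(granted[:-1])
    return granted == wanted

def has_value(auths, obj, field, wanted):
    """True if any of the user's authorizations for obj/field covers wanted."""
    return any(value_matches(g, wanted)
               for o, f, values in auths if o == obj and f == field
               for g in values)

def users_with(users, *conditions):
    """Sorted user IDs satisfying every condition; a condition is
    (object, field, any_of_values) and is met by any one listed value."""
    hits = []
    for uid, auths in users.items():
        if all(any(has_value(auths, obj, field, v) for v in any_of)
               for obj, field, any_of in conditions):
            hits.append(uid)
    return sorted(hits)

# 2.2.4: run any program regardless of authorization group
PROGRAM_RUN = (("S_PROGRAM", "P_ACTION", ["SUBMIT", "BTCSUBMIT"]),
               ("S_TCODE", "TCD", ["SA38", "SE37", "SE38", "SE80"]))
# 2.3.1: develop programs in production
DEVELOPERS = (("S_DEVELOP", "ACTVT", ["01", "02", "06"]),
              ("S_TCODE", "TCD", ["SE38"]))
# 2.4.1: change the data dictionary
DICTIONARY = (("S_DEVELOP", "ACTVT", ["01", "02", "06", "07"]),
              ("S_TCODE", "TCD", ["SE11", "SE12", "SE15", "SE16", "SE37", "SE38", "SE80"]))
# 2.5.1: create/maintain queries, and maintain functional areas/user groups
QUERY_MAINT = (("S_QUERY", "ACTVT", ["02"]), ("S_TCODE", "TCD", ["SQ01"]))
QUERY_AREAS = (("S_QUERY", "ACTVT", ["23"]), ("S_TCODE", "TCD", ["SQ02", "SQ03"]))

if __name__ == "__main__":
    for label, conds in [("2.2.4 run any program", PROGRAM_RUN), ("2.3.1 developers", DEVELOPERS),
                         ("2.4.1 dictionary", DICTIONARY), ("2.5.1 queries", QUERY_MAINT),
                         ("2.5.1 functional areas", QUERY_AREAS)]:
        print(f"{label}: {users_with(USERS, *conds)}")
```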
3.2 Batch processing operations are secured appropriately.
3.2.1 Obtain a list of batch users by executing report RSUSR002 with the following authorizations:
• Batch Input: transaction code SM35; authorization object S_BDC_MONI; field BDCAKTI, values DELE, FREE, LOCK, REOG; field BDCGROUP, value *
• Batch Administration: transaction code SM64; authorization object S_BTCH_ADM; field BTCADMIN, value Y
• Batch Processing: transaction code SM36; authorization object S_BTCH_JOB; field JOBACTION, values DELE, RELE; authorization object S_BTCH_NAM, value *
• Batch Processing: transaction code SM37; authorization object S_BTCH_JOB; field JOBACTION, values DELE, RELE, PLAN; authorization object S_BTCH_NAM, value *
3.2.2 Determine by corroborative inquiry that upload programs have been removed from the production environment as appropriate.
3.3 Default system parameter settings are reviewed and configured to suit the organization's environment.
3.3.1 Obtain a printout of the values of the following key parameters (run report RSPARAM via SA38 on each instance as appropriate) and compare them to the requirements set out in the policies and standards:
• Login/password_expiration_time (number of days after which a password must be changed)
• Login/min_password_lng (minimum password length)
• Login/fails_to_session_end (number of times a user can enter an incorrect password before the system terminates the logon attempt)
• Login/fails_to_user_lock (number of times per day a user can enter an incorrect password before the system locks the user master record)
• Login/failed_user_auto_unlock (specifies whether a locked user master record will automatically unlock itself after being locked due to an excessive number of invalid login attempts; a value of 0 means that the user master record must be unlocked by the administrator)
• Auth/check_value_write_on (enables transaction SU53 for authorization analysis when this parameter is set to a value greater than 0)
• Auth/no_check_on_TCODE (the system checks for transaction code access [the S_TCODE authorization object]; where available, setting this parameter to Y allows the authorization check for transaction codes to be switched off)
• Auth/system_access_check_off (switches off the automatic authorization check for particular ABAP/4 language elements [file operations, CPIC calls and calls to kernel functions]; this parameter may be used to ensure downward compatibility of the R/3 kernel [value=0: check remains active])
• Rdisp/gui_auto_logout (specifies after how many minutes of inactivity the user will be automatically logged out)
Confirm that the system profile parameter files and default.pfl are protected from unauthorized access. Confirm that there is a mechanism/process to ensure that the profiles are regularly checked to ensure that they have not been changed inappropriately. Obtain any related change documentation and ensure that:
• The documentation is authorized.
• Related log entries reflect the expected changes.
• A current printout of the RSUSR006 report is obtained and reviewed for unusual items or trends. Determine whether management has a process for frequent monitoring of unsuccessful login attempts and/or locked users via a review of this report. If yes, obtain details on the frequency of monitoring.
Review a reasonable sample of previously followed-up reports and assess the appropriateness of the follow-up on unusual findings. Run report RSUSR200. Review and follow up on:
• Users with original passwords.
• Users who have not logged in during the last 60 days.
• Users who have not changed their passwords in the last 60 days (or any duration that is appropriate for the organization).
Obtain a sample of user master records in the production environment and work with the authorization security administrator and the job descriptions to assess segregation of duties (refer to chapter 4 for more guidance) and the appropriateness of the access granted.
COBIT references extracted with pages 31 and 32 (row assignment not recoverable): DS5, AI6, DS5, ME1; DS5, ME1, DS5, PO4, DS5
3.4 Critical and sensitive transaction codes are locked in production.
3.4.1 Execute report RSUSR002 with the transaction code SM01 to provide a list of all users who have access to lock or unlock transaction codes in the system. Review and confirm this list with management to ensure only authorized users have access.
3.4.2 Entering transaction code SM01 will display a list of transaction codes with a check box beside each. A cross in the check box indicates that the transaction code has been locked. Sensitive transaction codes should be reviewed to ensure they have been locked from user access. Such transaction codes include but are not limited to:
• SCC5 Client Delete
• SCC0 Client Copy (may overwrite the production client)
• SM49 Execute Logical Commands (may allow pass-through to the operating system)
• SM69 Execute Logical Commands (may allow pass-through to the operating system)
3.5 Users are prevented from logging in with trivial or easily guessable passwords.
3.5.1 Based on the review of the key security policies, determine whether there are any character combinations (apart from the SAP R/3 standards) that the policy has prohibited from use. If yes, obtain a printout of the contents of table USR40 and confirm that the list of "illegal" words is contained therein. [COBIT: PO6, DS5]
3.6 SAP Router is configured to act as a gateway to secure communications into and out of the SAP R/3 environment.
SAP Router
3.6.1 Discuss with the operating system administrators the procedures surrounding changes to SAP Router and the procedures surrounding restarting SAP Router when it goes down. [COBIT: AI4, DS5, M1, M2]
3.6.2 Obtain a list of individuals with view and/or change access to the SAP Router binary. Review the list with key management and assess the appropriateness of the segregation of duties.
3.6.3 Request an extract of the SAP Router permissions table (for example, execute the UNIX command saprouter -L <path>) from the operating system administrator. Review the permissions table with the operating systems administrator. Compare it with the network diagram to assess the appropriateness of the IP addresses, and with the change control documentation to confirm that management has appropriately authorized changes.
3.6.4 If logging is active, ascertain the frequency with which the logs are reviewed and followed up.
3.6.5 Obtain a reasonable sample of the logs and review them with the operating systems administrator.
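Step 3.6.3 asks for the permissions table to be compared with the network diagram. As an added example that is not part of the ISACA program, this Python parses a constructed saprouttab and flags permit entries that are wildcards, point at a hostname that cannot be matched to the diagram, or lead outside the networks the diagram shows as SAP servers; the line layout is the documented saprouttab format, and the allowed networks are constructed.

```python
"""Review a SAP Router permission table (saprouttab) against the network diagram.

Added example, not part of the ISACA guide. It assumes the documented
saprouttab line format 'P|S|D <source-host> <dest-host> <dest-service>
[<password>]', with K-prefixed variants (KP/KS/KD) carrying an SNC name as the
source; the allowed server networks and the table itself are constructed.
"""
import ipaddress
import shlex
from typing import List, Tuple

# Constructed stand-in for the network diagram: where SAP traffic may terminate.
ALLOWED_DEST_NETS = [ipaddress.ip_network("10.20.30.0/24")]

Entry = Tuple[int, str, str, str, str]   # (line number, type, source, destination, service)
Finding = Tuple[int, str, str]           # (line number, entry text, reason)


def parse_saprouttab(table: str) -> List[Entry]:
    """Entries in file order; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for number, raw in enumerate(table.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)            # SNC names are quoted and contain spaces
        if len(parts) < 4:
            raise ValueError(f"line {number}: expected type, source, destination, service")
        entries.append((number, parts[0].upper(), parts[1], parts[2], parts[3]))
    return entries


def review(table: str) -> List[Finding]:
    """Permit entries that are too broad or point outside the SAP server networks."""
    findings: List[Finding] = []
    for number, kind, src, dst, svc in parse_saprouttab(table):
        if kind.lstrip("K") == "D":          # deny entries need no review
            continue
        text = f"{kind} {src} {dst} {svc}"
        if src == "*":
            findings.append((number, text, "any source host may connect"))
        if dst == "*":
            findings.append((number, text, "any destination host is reachable"))
        if svc == "*":
            findings.append((number, text, "any destination service/port is reachable"))
        if dst != "*":
            try:
                address = ipaddress.ip_address(dst)
            except ValueError:
                findings.append((number, text, "hostname destination cannot be matched to the diagram"))
            else:
                if not any(address in net for net in ALLOWED_DEST_NETS):
                    findings.append((number, text, "destination is outside the SAP server networks"))
    return findings


# Constructed table: one sound entry, one leftover catch-all, one SNC entry,
# one hostname target and one target outside the SAP networks.
SAMPLE_SAPROUTTAB = "\n".join([
    "# SAP GUI from a support workstation to the production app server",
    "P 10.1.5.7 10.20.30.11 3200",
    "# leftover from a migration: any host, any target, any service",
    "P * * *",
    "# SNC-protected route for the vendor connection",
    'KP "p:CN=vendor, O=Example, C=DE" 10.20.30.11 3299',
    "P 10.1.5.7 fileserver.corp.example 445",
    "P 10.1.5.7 10.99.0.5 3200",
    "D * * *",
])

if __name__ == "__main__":
    for number, text, reason in review(SAMPLE_SAPROUTTAB):
        print(f"line {number}: {text}: {reason}")
```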
3.7 Remote access by software vendors is controlled adequately.
3.7.1 Determine the organization's approach to SAP Online Support Services (OSS). Verify the extent of access permitted and the processes used to request, approve, authenticate, grant, monitor and terminate OSS access. Check that changes are subject to normal testing and migration controls. [COBIT: DS2, DS5]
3.7.2 To obtain a list of OSS users on the production client, enter transaction code OSS1 using the client's administrator ID. Click on the SAPNET icon followed by the administration icon. Perform an authorization analysis by authorization object view. This will provide a list of all users assigned OSS by authorization object. In particular, the users who have been assigned Administration Authorization and Open Service Connections should be reviewed for reasonableness with management.
3.8 SAP R/3 Remote Function Call (RFC) and Common Programming Interface—Communications (CPI-C) are secured.
3.8.1 Ascertain whether the login information (dialog and/or non-dialog users) is stored and reviewed. Obtain a representative sample and review it to ensure that dialog users are appropriate (i.e., valid employees with authorization) and that non-dialog user IDs are appropriate. To do this, execute transaction code SM59. This will display the table RFCDES, which controls the communication between systems. The table lists the RFC destinations, which will include all R/3 connections that are on the system. Expand each of the R/3 connections and double-click on each connection to verify that no dialog user ID is listed with its password. [COBIT: PO2, AI4, DS5, ME1, ME2]
3.8.2 Determine whether these systems are protected with the appropriate network measures (e.g., SAP Router/firewall/routers).
3.8.3 Assess the strength/adequacy (i.e., robustness) of the password measures used to authenticate RFC connections.
3.8.4 Confirm with the R/3 security authorization manager that authority checks are included in function modules called via RFC.
3.8.5 Via report RSUSR002, identify users who have access to t-code SM59. Assess whether this access is appropriate (work with User Access Management).
3.8.6 If using release 4.0 or higher, ascertain whether SNC protection has been applied to RFC calls. If yes, cross-reference to the SNC documentation and testing performed earlier.
3.9 Technology infrastructure is configured to secure communications and operations in the SAP R/3 environment.
Firewall
3.9.1 Discuss with the firewall administrators the procedures surrounding changes to the firewall rules and recovery of firewalls in the event of an outage. [COBIT: AI4, DS5, ME1, ME2]
3.9.2 Obtain a list of individuals with view and/or change access to the firewall rules. Review the list with key management and assess the appropriateness of the segregation of duties. [COBIT: DS5]
3.9.3 Review the permissions table with the firewall administrator. Compare it with the network diagram to assess the appropriateness of the IP addresses. [COBIT: DS13]
3.9.4 If logging is set to Logging Active, ascertain the frequency with which the logs are reviewed and followed up.
3.9.5 Obtain a reasonable sample of the logs and review them with the firewall administrator.
Secure Network Communications (SNC)
3.9.6 Identify the communication paths that have been protected by SNC/an external security product. [COBIT: AI4, DS5, ME1, ME2]
3.9.7 Assess whether the level of protection is appropriate for each of the various communication paths. Use the requirements set out in the information security policy and various risk assessments to assist in the assessment.
3.9.8 Review the configuration for each path with the network security administrator for appropriateness.
Secure Store and Forward (SSF) Mechanisms and Digital Signatures
3.9.9 Determine whether there are any regional laws or regulations with which the organization must comply that govern the use of digital signatures. If yes, confirm that the organization is in compliance. [COBIT: ME3, DS5]
3.9.10 Determine whether the organization uses an external product for SSF. If yes:
• Ascertain whether the organization uses hardware- or software-based keys.
• Describe the controls surrounding issuance and changing of the public and private keys.
• Ascertain whether the organization uses self-signed certificates or CA-signed certificates.
[COBIT: PO2, DS5, DS13]
3.9.11 If using release 4.5 or higher, determine whether SAPSECULIB is used as the default SSF provider. If yes, determine whether the file SAPSECU.pse is protected from unauthorized access. [COBIT: DS5]
Workstation Security
3.9.12 Via inspection, ensure that staff utilize the available security measures surrounding workstations/PCs (for example, screen savers, power-on passwords, third-party security products, physical controls). Consider specifically whether:
• Users are able to bypass screen saver/power-on passwords.
• Screen savers activate automatically or are (as a rule) activated by users when they leave their work areas.
[COBIT: DS5]
3.9.13 Regarding virus protection, determine whether:
• Virus scanners are used on the network and/or workstations.
• Virus signatures are kept up to date.
• There is a procedure for disseminating virus education to users.
[COBIT: DS5, DS13]
3.9.14 Assess the adequacy of physical controls. Consider specifically:
• Are the workstations in secure/restricted areas?
• How is the area secured (e.g., security cards, keys, combination locks)?
• Do individuals circumvent these controls (i.e., piggyback at the entrance, prop open the door)?
[COBIT: DS12, DS5]
Operating System and Database Security
3.9.15 Work with the systems and database administrators to confirm that the passwords on the standard operating system and database user IDs have been changed, that appropriate security parameters have been set and that appropriate security procedures are in place and operating. [COBIT: DS5]
4. Application Security (Profile Generator and Security Administration)
4.1 Duties within the security administration environment are segregated adequately.
4.1.1 Determine whether the system administrator tasks are segregated into the following administrator functions by generating user lists for the following authorizations using report RSUSR002.
• For the Profile Generator:
  - Create and change Activity Groups: used to define and update Activity Groups. Use authorization object S_USER_AGR with authorization field values of 01 and 02. This should be tested in conjunction with transaction code PFCG.
  - Transport Activity Group: used to transport or activate Activity Groups to/in production. Use authorization object S_USER_AGR with authorization field value 21. This should be tested in conjunction with transaction code PFCG.
  - Transfer profiles to user master records: used to assign or transfer authorization profiles into the user master records for the relevant activity group users. Use authorization object S_USER_AGR with authorization field value 22. This should be tested in conjunction with transaction code PFCG.
• For manual maintenance:
  - User master maintenance—Authorizations: defines and updates authorization profiles and authorizations. This should be tested in conjunction with transaction code SU03. Recommended settings:
    - Authorization object S_USER_PRO with authorization field values 01, 02, 03, 06, 08
    - Authorization object S_USER_AUT with authorization field values 01, 02, 03, 06, 08
  - User master maintenance—Activation: activates authorization profiles and authorizations but cannot create or change them. This should be tested in conjunction with transaction code SU02. Recommended settings:
    - Authorization object S_USER_PRO with authorization field values 06, 07
    - Authorization object S_USER_AUT with authorization field values 06, 07
  - User master maintenance—User Groups: defines, creates and edits user master records, edits the list of profiles in a user master record and sets user parameters. This should be tested in conjunction with transaction code SU01. Recommended settings:
    - Authorization object S_USER_GRP with authorization field values 01, 02, 03, 06, 22
    - Authorization object S_USER_PRO with authorization field value 22
Only the superuser should have authorization field value 05 to lock and unlock users (prevent or allow logons) and change passwords. Hard copies of the RSUSR100/101/102 reports should be assessed for evidence of review and action by management.
4.1.2 Test user access to effect mass changes to user master records: authorization objects S_USER_GRP and S_USER_PRO with authorization field values of 01, 02, 05 and 06, and transaction codes SU10 (delete/add a profile for all users) and SU12 (delete all users).
4.2 Adequate security authorization documentation is maintained.
4.2.1 Select a random sample of authorized change documentation that pertains to changes to user master records. Run report RSUSR100 and assess whether the changes made are as documented. [COBIT: AI6, DS5, ME1]
4.2.2 Select a random sample of authorized change documentation that pertains to changes to profiles. Run report RSUSR101 and assess whether the changes made are as documented. [COBIT: AI6, DS5, ME1]
4.2.3 Select a random sample of authorized change documentation that pertains to changes to authorizations. Run report RSUSR102 and assess whether the changes made are as documented. [COBIT: AI6, DS5, ME1]
4.3 The super user SAP* is secured properly.
4.3.1 To determine whether the SAP* user has been locked, execute transaction SA38 (Reporting) with report name RSUSR002 and press F8. Enter SAP* in the User field and press F8. Verify that the Group field for SAP* says SUPER. Click on the Other View button twice. The User status field for SAP* should say Locked. [COBIT: DS5]
4.3.2 For SAP*, run report RSUSR003 to confirm that:
• The ID has been deactivated in all clients and a new super user created.
• The password has been changed from the default (i.e., is not trivial).
4.4 Default users are secured properly.
4.4.1 To test whether the default password has been changed for DDIC, SAPCPIC and EarlyWatch, execute the SAP R/3 report RSUSR003 and determine whether the default passwords have been changed. To determine whether the SAPCPIC and EarlyWatch users have been locked, execute transaction SA38 (Reporting) with report name RSUSR002 and press F8. Enter the user name in the User field and press F8. Verify that the Group field says SUPER. Click on the Other View button twice. The User status field should say Locked. [COBIT: DS5]
4.5 Access to powerful profiles is restricted.
4.5.1 Review users assigned the privileged profiles SAP_ALL and SAP_NEW for appropriateness. Users who have been assigned these superuser profiles should be assigned to user group SUPER or equivalent, which should be maintained by a limited number of Basis personnel only.
To perform this test, execute transaction SA38 and enter report name RSUSR002. In the part noted as Selection Criteria for User, enter SAP_ALL into the Profile field. Click on the button to the right of the text box. Enter SAP_NEW in the first empty text box. Click on Copy. Executing this report lists all users who have superuser functionality. Other powerful profiles that should be checked for user access include S_A.USER and S_A.ADMIN (used to administer user master record authorizations).
Check the user list identified by this test to ascertain whether the individuals who have access to the above-mentioned functionality require this access, based on their job responsibilities and established policies, procedures, standards and guidance.
4.6 The authorization group that contains powerful users is restricted.
4.6.1 Identify the system administrators within the organization and determine to which user groups their user IDs belong. Using report RSUSR002, review the system for users with the authorization object S_USER_AGR (Profile Generator environment) with the activity values 01, 02, 21 and 22 and transaction code PFCG, or the authorization object S_USER_GRP (manual maintenance) with the activity values 01, 02, 05 and 06 and the transaction code SU01. The authorization field user group in user master maintenance should be similar to one of the values identified above. This would usually be the group SUPER or ITO-SYSTEM.
4.7 Changes to critical SAP R/3 tables are logged by the system and reviewed by management.
4.7.1 Review the security procedures created by management that identify which tables are being logged and how often these logs are reviewed by management. For changes to be logged, the system profile parameter rec/client needs to be activated. This can be checked by reviewing the report RSPARAM and ensuring that the value for this parameter is set either to ALL or to the client numbers that shall have table logging enabled. Enter transaction code SE16 and enter table TPROT as the object name along with an X in the PROTFLAG field. This will identify the tables that have their changes logged. Run report RSTBPROT (table log) or RSTBHIST (table change analysis), which lists all changes to tables that have log data changes activated in their technical settings for the period specified. Take a representative sample of changes to these tables and compare them to the original supporting information/documentation. Obtain explanations for any changes for which supporting information or documentation is not available. [COBIT: DS5]
4.8 Changes made to the data dictionary are authorized and reviewed regularly.
4.8.1 Understand management's policies and procedures regarding the review of data dictionary reports. Assess the adequacy of such policies, procedures, standards and guidance, taking into account the:
• Frequency with which the review is performed
• Level of detail in the reports
• Other independent data to which management compares the reports
• Likelihood that the person performing the review will be able to identify exception items
• Nature of exception items that they can be expected to identify
[COBIT: DS5]
4.9 Log and trace files are configured appropriately and secured.
4.9.1 For the security audit log, using release 4.0 or higher:
• Confirm that the security audit log has been activated by running the report RSPARAM and confirming the following parameter values:
  - Rsau/enable (activates logging on the application server; if the value is "0", it is not active)
  - Rsau/local/file (specifies the location of the log; confirm that it is appropriately located)
  - Rsau/max_diskspace/local (specifies the maximum size of the log; confirm that the size is adequate for the organization)
• Obtain a listing of the events that are logged (can be done via SM20). Review for appropriateness and link to required logging that may be specified in the security policies and standards.
• Determine the frequency and thoroughness of review of the logs. If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process and review for unusual items.
[COBIT: DS5, ME1]
4.9.2 Review the system log:
• Run the report RSPARAM and review the following parameter values to obtain the locations of the log files:
  - Rslg/local/file (specifies the location of the local log on the application server; default: /usr/sap/<SID>/D20/log/SLOG<SAP_instance_#>)
  - Rslg/collect_daemon/host (specifies the application server that maintains the central log; default: <hostname of main instance>)
  - Rslg/central/file (specifies the location of the active file for the central log on the application server; default: /usr/sap/<SID>/SYS/global/SLOGJ)
  - Rslg/central/old_file (specifies the location of the old file for the central log on the application server; default: /usr/sap/<SID>/SYS/global/SLOGJO)
  - Rslg/max_diskspace/local (specifies the maximum length of the local log; default: 0.5 MB)
  - Rslg/max_diskspace/central (specifies the maximum length of the central log; default: 2 MB)
  - Rstr/file (the absolute pathname of the trace file; the trace filename is TRACE<R/3 System Number>)
• Obtain a listing of the events that are logged (can be done via SM21). Review for appropriateness (including the size of each local and central log file) and link to required logging, which may be specified in the security policies and standards.
• Determine the frequency and thoroughness of review of the logs. If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process and review for unusual items.
• Work with the operating system administrator to determine who has permissions to these files. Ensure the access is appropriate.
[COBIT: DS5, DS10, DS11, DS13, ME1]
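Steps 3.3.1, 4.7.1 and 4.9.1 all compare RSPARAM output with the organization's expectations for particular profile parameters. As an added example that is not part of the ISACA program, the following Python reads a constructed, pipe-separated parameter extract (not the report's real layout), takes the user-defined value where set and the system default otherwise, and lists the parameters that miss the expectation stated in those steps; the numeric thresholds and the production client number are assumptions standing in for the organization's policy.

```python
"""Compare an RSPARAM extract with the parameter expectations in 3.3.1, 4.7.1 and 4.9.1.

Added example, not part of the ISACA guide. The extract format is a constructed
pipe-separated 'name | user-defined value | system default' listing, not the
real report layout; the effective value is the user-defined one when set,
otherwise the default. Thresholds are constructed policy values; the
production client number (100) is assumed.
"""
from typing import Callable, Dict, List, Optional, Tuple

PRODUCTION_CLIENT = "100"   # assumed


def as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def in_range(low: int, high: int) -> Callable[[str], bool]:
    def check(value: str) -> bool:
        n = as_int(value)
        return n is not None and low <= n <= high
    return check


def logs_production_client(value: str) -> bool:
    """rec/client must be ALL or a client list that names the production client."""
    clients = [c.strip() for c in value.split(",")]
    return value.strip().upper() == "ALL" or PRODUCTION_CLIENT in clients


# parameter -> (compliance predicate, expectation as stated in the audit step)
POLICY: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "login/password_expiration_time": (in_range(1, 90), "1-90 days; 0 never expires"),
    "login/min_password_lng": (in_range(8, 40), "at least 8 characters"),
    "login/fails_to_session_end": (in_range(1, 3), "at most 3 attempts per session"),
    "login/fails_to_user_lock": (in_range(1, 5), "at most 5 failures before lock"),
    "login/failed_user_auto_unlock": (lambda v: v == "0", "0: administrator must unlock"),
    "auth/no_check_on_tcode": (lambda v: v.upper() != "Y", "transaction code check on"),
    "auth/system_access_check_off": (lambda v: v == "0", "0: ABAP/4 element checks active"),
    "rdisp/gui_auto_logout": (lambda v: (as_int(v) or 0) > 0, "inactivity logout enabled"),
    "rec/client": (logs_production_client, "ALL or includes the production client"),
    "rsau/enable": (lambda v: v == "1", "1: security audit log active"),
}


def parse_rsparam(text: str) -> Dict[str, str]:
    """Map each parameter to its effective value; names are compared in lower case."""
    params: Dict[str, str] = {}
    for line in text.strip().splitlines()[1:]:          # skip the column header
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3 or not fields[0]:
            continue
        name, user_value, default = fields[0].lower(), fields[1], fields[2]
        params[name] = user_value or default
    return params


def check_parameters(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(parameter, effective value, expectation) for every non-compliant or missing one."""
    findings = []
    for name, (predicate, expectation) in POLICY.items():
        value = params.get(name)
        if value is None:
            findings.append((name, "<not in extract>", expectation))
        elif not predicate(value):
            findings.append((name, value, expectation))
    return findings


# Constructed extract (values chosen to exercise the checks, not real defaults).
SAMPLE_EXTRACT = """
parameter name | user-defined value | system default value
login/password_expiration_time | 0 | 0
login/min_password_lng | 3 | 3
login/fails_to_session_end | | 3
login/fails_to_user_lock | 12 | 12
login/failed_user_auto_unlock | | 1
auth/no_check_on_tcode | Y | N
auth/system_access_check_off | | 0
rdisp/gui_auto_logout | 0 | 0
rec/client | OFF | OFF
rsau/enable | | 0
"""

if __name__ == "__main__":
    for name, value, expectation in check_parameters(parse_rsparam(SAMPLE_EXTRACT)):
        print(f"{name:32} = {value:16} expected: {expectation}")
```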
Revenue Business Cycle ICQ
Columns: Control Objective/Question | Response (Yes / No / N/A) | Comment | COBIT Reference

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Does relevant management, other than the initiators, check online reports of master data additions and changes back to source documentation on a sample basis? [COBIT: DS11]
1.1.2 Is access to create and change master data restricted to authorized individuals? [COBIT: DS5]
1.1.3 Have configurable controls been designed into the process to maintain the integrity of master data? [COBIT: DS9]
1.2 Master data remain current and pertinent.
1.2.1 Does management periodically review master data to check their currency and ongoing pertinence? [COBIT: DS11]
1.2.2 Have appropriate credit limits been loaded for customers? [COBIT: DS2]

2. Sales Order Processing
2.1 Sales orders are processed with valid prices and terms, and processing is complete, accurate and timely.
2.1.1 Is the ability to create, change or delete sales orders, contracts and delivery schedules restricted to authorized personnel? [COBIT: DS5, AI6]
2.1.2 Has the ability to modify sales pricing information been restricted to authorized personnel (refer to master data integrity 1.1.2)? [COBIT: DS5]
2.1.2 Has the system been configured to limit the overwriting of prices compared to the price master data (SAP allows for no changes or a certain tolerance level)?
2.1.3 Has the system been configured such that a sales order is blocked for further processing when the customer either gets too low a price or the price the salesperson gives is not satisfactory (refer to master data integrity 1.1.3)? [COBIT: DS9]
2.1.4 Are any fax orders reconciled periodically between the system and fax printouts to reduce the risk of duplicate orders? [COBIT: PO8]
2.2 Orders are processed within approved customer credit limits.
2.2.1 Has the SAP R/3 software been configured to disallow the processing of sales orders that exceed customer credit limits? [COBIT: DS9]
2.3 Order entry data are completely and accurately transferred to the shipping and invoicing activities.
2.3.1 Are reports of open sales documents prepared and monitored to check for timely shipment? [COBIT: ME1, DS11]

3. Shipping, Invoicing, Returns and Adjustments
3.1 Controls are in place to prevent duplicate shipments or delay in the shipping of goods to customers.
3.1.1 Does the SAP R/3 software match goods shipped to open line items on an open sales order and close each line item as the goods are shipped, thereby preventing further shipments for those line items? [COBIT: DS6]
Are available shipping reports used to assist in controlling the shipping process? [COBIT: PO11]
3.2 Invoices are generated using authorized terms and prices and are calculated and recorded accurately.
3.2.1 Does the SAP R/3 software automatically calculate invoice amounts and post invoices based on configuration data? [COBIT: AI5]
3.3 All goods shipped are invoiced in a timely manner.
3.3.1 Are reports of goods shipped but not invoiced and of uninvoiced debit and credit note requests prepared and investigated promptly? [COBIT: DS5]
3.3.2 Is the ability to create, change or delete picking slips, delivery notes and goods issues restricted to authorized personnel? [COBIT: AI7]
3.3.3 Are reports of invoices issued but not posted in FI prepared and investigated promptly? [COBIT: AI7]
3.4 Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
3.4.1 Is the ability to create, change or delete sales order return and credit requests and subsequent credit note transactions restricted to authorized personnel? [COBIT: DS5]
3.5 Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy and in a timely manner.
3.5.1 Are sales order returns and credit request transactions matched to invoices?
3.5.2 Have processing controls, including a billing block or a delivery block, been configured to block credit memos or free-of-charge subsequent delivery documents that do not comply with the organization's policy on credits or returns? [COBIT: AI2, DS9]

4. Collecting and Processing Cash Receipts
4.1 Cash receipts are entered accurately, completely and in a timely manner.
4.1.1 Are bank statements reconciled to the general ledger regularly?
4.1.2 Has the system been configured to disallow the processing of cash receipts outside of approved bank accounts? [COBIT: DS9]
4.1.3 Are customer open items and accounts receivable aging reports prepared and analyzed regularly? [COBIT: AI4]
4.2 Cash receipts are valid and are not duplicated.
4.2.1 Are receipts allocated to a customer's account supported by a remittance advice that cross-references an invoice number? [COBIT: PO4]
4.2.1 Is any unallocated cash, or any amount received that is not cross-referenced to an invoice number, immediately followed up with the customer? [COBIT: DS11]
4.3 Cash discounts are calculated and recorded accurately.
4.3.1 Have tolerance levels for allowable cash discounts and cash payment differences in the SAP R/3 system been defined such that amounts in excess of such levels cannot be entered into the SAP R/3 system? [COBIT: PO9, PO8]
4.4 Timely collection of cash receipts is monitored.
4.4.1 As for 4.1.3, are customer open items and accounts receivable aging reports prepared and analyzed regularly? [COBIT: PO4, AI4]
