© 2006 Information Systems Audit and Control Association Page 1

Security, Audit and Control Features SAP® R/3®, 2nd Edition
Audit Programs and Internal Control Questionnaires

ISACA®
With more than 50,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 48,000 professionals since inception, and the Certified Information Security Manager® (CISM®) designation, a groundbreaking credential earned by 6,000 professionals since the program's inception.

Purpose of Audit Programs and Internal Control Questionnaires
One of ISACA's goals is to ensure that educational products support member and industry information needs. Responding to member requests for useful audit programs, ISACA's Education Board has released audit programs and internal control questionnaires for member use through K-NET. These products are developed from ITGI publications or provided by practitioners in the field.

Control Objectives for Information and related Technology
Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and accepted framework for good information technology (IT) security and control practices for management, users, and IS audit, control and security practitioners. The audit programs included in K-NET have been referenced to key COBIT control objectives.

Disclaimer
ISACA (the "Owner") has designed and created this publication, titled Security, Audit and Control Features SAP® R/3®: A Technical and Risk Management Reference Guide, 2nd Edition (the "Work"), primarily as an educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests, or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, control professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

While all care has been taken in researching and documenting the techniques described in this text, persons employing these techniques must use their own knowledge and judgment. ISACA and Deloitte Touche Tohmatsu, its partners and employees, shall not be liable for any losses and/or damages (whether direct or indirect), costs, expenses or claims whatsoever arising out of the use of the techniques described, or reliance on the information in this reference guide.

SAP, SAP R/2, SAP R/3, mySAP, SAP R/3 Enterprise, SAP Strategic Enterprise Management (SAP SEM), SAP NetWeaver, ABAP, mySAP Business Suite, mySAP Customer Relationship Management, mySAP Supply Chain Management, mySAP Product Lifecycle Management, mySAP Supplier Relationship Management and other SAP products/services referenced herein are the trademarks or registered trademarks of SAP AG in Germany and in several other countries. The publisher gratefully acknowledges SAP's kind permission to use these trademarks in this publication. SAP AG is not the publisher of this book and is not responsible for it under any aspect of press law.
The purpose of these audit plans and internal control questionnaires (ICQs) is to provide the audit, control and security professional with a methodology for evaluating the subject matter of the ISACA publication Security, Audit and Control Features SAP® R/3®: A Technical and Risk Management Guide. They examine key issues and components that need to be considered for this topic. The review questions have been developed and reviewed with regard to COBIT 4.0. Note: The professional should customize the audit programs and ICQs to reflect each specific organization's constraints, policies and practices.

The following are included here:
• Revenue Business Cycle Audit Program
• Expenditure Business Cycle Audit Program
• Inventory Business Cycle Audit Program
• Basis Security Cycle Audit Program
• Revenue Business Cycle ICQ
• Expenditure Business Cycle ICQ
• Inventory Business Cycle ICQ
• Basis Security Cycle ICQ

Revenue Business Cycle Audit Program

Each audit program is laid out as a table with three columns: Control Objective/Test, Documentation/Matters Arising (left blank for the auditor's working notes) and COBIT Reference. The COBIT references are given in brackets after each step below.

A. Prior Audit/Examination Report Follow-up
Review the prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
[COBIT: ME1]

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment. The same background information obtained for the SAP R/3 Basis Security audit plan is required for, and relevant to, the business cycles. In particular the following information is important:
• Version and release of SAP R/3 that has been implemented
• Total number of named users (for comparison with logical access security testing results)
• Number of SAP instances and clients
• Company codes
• The identification of the modules being used (FI, CO, MM, SD, PP, industry-specific, etc.)
• Whether the organization has created any locally developed ABAP programs or reports
• Details of the risk assessment approach taken in the organization to identify and prioritize risks
• Copies of the organization's key security policies and standards
[COBIT: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME1, ME2]

Obtain details of the following:
• The Organizational Model as it relates to sales/revenue activity, i.e., the sales organization unit structure in SAP R/3 and the company sales organization chart (required when evaluating the results of access security control testing)
• An interview with the systems implementation team, if possible, and the process design documentation for sales and distribution
[COBIT: DS5, AI1, DS6]
Identify the significant risks and determine the key controls. Develop a high-level process flow diagram and overall understanding of the revenue processing cycle, including the following subprocesses:
• Customer, material and pricing master data maintenance
• Sales order processing
• Shipping, invoicing, returns and adjustments
• Collecting and processing cash receipts
[COBIT: AI1, PO9, DS13]

Assess the key risks, determine key controls or control weaknesses and test controls (refer to the sample testing program below and to chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
• The controls culture of the organization (e.g., a just-enough-control philosophy)
• The need to exercise judgement to determine the key controls in the process and whether the controls structure is adequate (any weaknesses in the control structure should be reported to executive management and resolved)
[COBIT: DS5, DS9, PO9, ME2]

C. Detailed Audit Steps

1. Master Data Maintenance

1.1 Changes made to master data are valid, complete, accurate and timely.

1.1.1 Determine whether the following reports of changes to master data have been compared to authorized source documents and/or a manual log of requested changes, to ensure that the changes were input accurately and timely:
• For customer master data, transaction OV51 or report RFDABL00 will generate a list showing the date and time of each change, the old and new values of the fields changed, and the user who input the change.
• Report RFDKLIAB (Display Changes to Credit Management) can be run to display credit information change details for comparison to authorized source documents.
• Transaction MM04 can be used to display master data changes for individual materials.
• A list of pricing changes can be generated using transaction VK12 and then selecting the menu options Environment > Changes > Report (change documents). Check the accuracy of changes made to the pricing master records, and the timing at which these changes were applied (which is essential to the effective processing of pricing changes), against authorized source documentation.
[COBIT: DS11, AI2, AI6, DS6]
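The comparison in step 1.1.1 (change documents against a manual log of approved changes) is worth scripting once the listings have been exported. The following Python is an added example and is not code from the ISACA guide. It reconciles a constructed change-document extract, with the columns one would take from RFDABL00 or OV51 output (and, for vendors, RFKABL00 in the expenditure program), against a constructed approval register, and reports changes with no approval on file, changes made before approval, approved changes applied late, and approvals that were never applied. The file layouts, field names and the five-day timeliness threshold are assumptions.

```python
"""
Reconcile SAP master-data change documents against an approved change log.

Added example for audit step 1.1.1 (not code from the ISACA guide).
Both inputs are constructed: the change documents resemble the columns of a
change-document listing (RFDABL00 / OV51 for customers, RFKABL00 for
vendors); the approval log is a hypothetical manual register of requested
and authorized changes that the audited organization is assumed to keep.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: change documents as an auditor might export them.
CHANGE_DOCS = """\
account,field,old_value,new_value,changed_by,changed_at
C1001,IBAN,DE12 3456,DE98 7654,JSMITH,2006-03-01 09:14
C1002,KLIMK,50000,250000,AJONES,2006-03-02 16:50
C1003,NAME1,Acme Ltd,Acme Limited,JSMITH,2006-03-03 10:05
C1004,IBAN,GB11 2222,GB33 4444,BATCH01,2006-03-04 02:00
"""

# Constructed sample: the manual log of requested and approved changes.
APPROVED_LOG = """\
account,field,new_value,approved_by,approved_at
C1001,IBAN,DE98 7654,FINMGR,2006-03-01 08:30
C1003,NAME1,Acme Limited,FINMGR,2006-02-20 11:00
C1002,KLIMK,250000,CREDITMGR,2006-03-09 09:00
C1005,KLIMK,10000,CREDITMGR,2006-03-05 09:00
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def reconcile(change_docs_csv, approved_log_csv, max_delay=timedelta(days=5)):
    """Return a list of exceptions as (account, field, reason) tuples.

    A change is clean when an approval exists for the same account, field and
    new value, dated before the change and applied within max_delay of it.
    Everything else is an exception: no approval, changed before approval,
    applied late (the 'timely' part of the objective), or approved but never
    applied (the 'complete' part).
    """
    changes = _rows(change_docs_csv)
    approvals = _rows(approved_log_csv)
    exceptions = []
    used = set()
    for c in changes:
        key = (c["account"], c["field"], c["new_value"])
        idx = next((i for i, a in enumerate(approvals)
                    if (a["account"], a["field"], a["new_value"]) == key), None)
        if idx is None:
            exceptions.append((c["account"], c["field"], "no approval on file"))
            continue
        used.add(idx)
        approved = _ts(approvals[idx]["approved_at"])
        changed = _ts(c["changed_at"])
        if approved > changed:
            exceptions.append((c["account"], c["field"], "changed before approval"))
        elif changed - approved > max_delay:
            exceptions.append((c["account"], c["field"], "applied late"))
    for i, a in enumerate(approvals):
        if i not in used:
            exceptions.append((a["account"], a["field"], "approved but not applied"))
    return exceptions


if __name__ == "__main__":
    for acct, field, reason in reconcile(CHANGE_DOCS, APPROVED_LOG):
        print(f"{acct:6} {field:6} {reason}")
```

The match key is (account, field, new value) rather than a request number, because the change documents SAP produces carry no reference to the manual log; if the organization's register does record a ticket number, matching on it is stricter and should be preferred.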
1.1.2 Review organization policy and process design specifications regarding access to maintain master data. Test user access to create and maintain customer, material and pricing master data as follows:
• Customer Master Data: transaction codes FD02 (Finance), VD02 (Sales), XD02 (Central)
• Material Master Data: transaction codes MM01 (Create), MM02 (Change)
• Pricing Master Data: transaction codes VK11 and VK12
• Credit Limit: transaction codes FD24 and FD32
• For the customer master transactions the code suffixes create (01), block (05) and delete (06) apply in the same way, e.g., FD01, FD05 and FD06
[COBIT: DS5, AI2, AI6, DS11, DS9, DS12, PO9]

1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Customer Account Groups: transaction SPRO, menu path Financial Accounting > Accounts Receivable and Accounts Payable > Customer Accounts > Master Records > Preparation for Creating Customer Master Records > Define Account Groups with Screen Layout
• Material Types: transaction SPRO, menu path Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
• Industry Sector: transaction SPRO, menu path Logistics General > Material Master > Field Selection > Define Industry Sectors and Industry-Sector-Specific Field Selection
• Understand the organization's pricing policy and its configuration in SAP R/3 (e.g., hard-coded, manual override possible, user enters price). Pricing condition types and records can be reviewed against the organization's pricing policy using the following menu path and transaction codes:
  - transaction SPRO, menu path Sales and Distribution > Basic Functions > Pricing
  - V-44 for material price condition records
  - V-48 for price list type condition records
  - V-52 for customer-specific condition records
1.2 Master data remain current and pertinent.

1.2.1 Determine whether management runs the following reports, or equivalent, by master data type and confirm evidence of their review of the data for currency and ongoing pertinence:
• Customer Master Data: run report RFDKVZ00.
• Material Master Data: run report RMMVRZ00.
• Pricing Master Data: run transaction VK13.
[COBIT: DS3, PO8, ME1, DS11]

1.2.2 Determine whether appropriate credit limits have been loaded for customers. Transaction F.32 provides an overview of customers for which no credit limit has been entered. Check the output from transaction F.32 to confirm that a credit limit has been set for every customer in the range requiring a limit.

2. Sales Order Processing

2.1 Sales orders are processed with valid prices and terms, and processing is complete, accurate and timely.

2.1.1 Determine whether the ability to create, change or delete sales orders, contracts and delivery schedules is restricted to authorized personnel by testing access to the following transactions:
• Create/Change Sales Order: VA01/VA02
• Create/Change Delivery Schedule: VA31/VA32
• Create/Change Contract: VA41/VA42

2.1.2 Refer to Master Data Integrity point 1.1.2.

2.1.3 Refer to Master Data Integrity point 1.1.3.

2.1.4 Understand the policies and procedures regarding reconciliation of sales orders. Review operations activity at selected times and check for evidence that reconciliations are being performed.

2.2 Orders are processed within approved customer credit limits.
2.2.1 Determine whether the configurable control settings address the risks pertaining to the processing of orders outside customer credit limits and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Transaction SPRO, menu path Financial Accounting > Accounts Receivable and Accounts Payable > Credit Management > Credit Control Account
• Execute transaction OVAK to show the type of credit check performed for the corresponding transaction types in order processing.
• Execute transaction OVA7 to determine whether a credit check is performed for the appropriate document types being used.
• Execute transaction OVAD to show the credit groups that have been assigned to the delivery types being used.
• Execute transaction OVA8 to show an overview of the credit checks defined for each credit control area.

2.3 Order entry data are completely and accurately transferred to the shipping and invoicing activities.

2.3.1 A full list of incomplete sales documents can be obtained from the system using transaction V.00 (List Incomplete SD Documents) or by running program RVAUFERR. Review items on the list with the appropriate operational management and ascertain whether there are legitimate reasons for the sales documents that remain incomplete.

3. Shipping, Invoicing, Returns and Adjustments

3.1 Controls are in place to prevent duplicate shipments or delay in the shipping of goods to customers.

3.1.1 Generate the list of current system configuration settings relating to copy control between sales and shipping documents using transaction VTLA (Display Copying Control: Sales Document to Delivery Document). Select each combination of delivery type and sales document type and click the Item button. Double-click on each item category and verify that the indicator Qty/value pos./neg. has been set to + (so that the sales document is automatically updated as deliveries are made for the line items specified in it).
3.1.2 Determine whether the following shipping reports are used to assist in controlling the shipping process:
• Backlog Reports: V.15
• Process Delivery Due List: VL04 or program RV50SBT1
• Outbound Deliveries for Picking: VL06
• Outbound Deliveries for Confirmation: VL06C
• Outbound Deliveries to be Loaded: VL06L
• Deliveries for Transportation Planning: VL06T
• Deliveries for Goods Issue List: VL06G
Interview management and determine whether any of the above reports are used to check the complete and timely shipment of goods to customers. Review a sample of any hardcopy reports used for evidence of action taken, and/or review a sample of the reports online and check the aging of items to determine whether entries have been cleared in a timely manner.

3.2 Invoices are generated using authorized terms and prices and are accurately calculated and recorded.

3.2.1 Display current system settings relating to invoice preparation online using the IMG:
• Transaction SPRO, menu path Sales and Distribution > Billing > Billing Documents
Determine whether the connection between source and target documents supports the accurate flow of billing details through the sales process and the accurate calculation and posting of invoice data.

3.3 All goods shipped are invoiced, and invoiced in a timely manner.

3.3.1 Execute transaction VF04 (Process Billing Due List). All documents that have not been invoiced, or that have been only partially invoiced, will appear on the list, sorted by invoice due date. Review the aging of items in the list. For items outstanding for more than one billing period, seek an explanation from management as to why the items have not been billed.

3.3.2 Assess user access to picking lists, delivery notes and goods issues by testing access to the following transactions:
• Create Single Delivery: VL01
• Create Multiple Deliveries: VL04
• Change Deliveries: VL02
3.3.3 Execute transaction VF03 (Display Invoice), click on the expansion button next to the billing document field and select Billing Documents Still to Be Passed On to Accounting. Obtain an explanation for any invoices that appear in this list. Test user access to the transactions used to enter invoices and confirm that it is consistent with staff job roles and management's intentions:
• Sales Accounts Receivable Entry: VF01 and VF04
• Finance Entry: FB70

3.4 Credit notes and adjustments to accounts receivable are accurately calculated and recorded.

3.4.1 Assess user access to sales order return and credit note transactions as follows:
• Sales entry: Create Sales Document: VA01
• Sales entry: Change Sales Document: VA02
• Finance Entry: FB75

3.5 Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy and in a timely manner.

3.5.1 View the sales document types configured by using transaction VOV8. Look for all the sales document types that relate to sales order returns and credit requests. Double-click on one of these document types. In the General Control section of the screen there is a Reference Mandatory field; verify that it has been set to M. Repeat this for all of the other relevant document types. Discuss the Reference field settings in place for the selected document types with management and determine whether the configuration in place is as management intended.

3.5.2 Review the configuration settings for delivery and billing blocks online using the IMG as follows:
• Shipping: transaction SPRO, menu path Logistics Execution > Shipping > Deliveries > Define Reasons for Blocking in Shipping
• Billing: transaction SPRO, menu path Sales and Distribution > Billing > Billing Documents > Define Blocking Reason for Billing
Determine whether the settings support the processing of credits in line with the organization's credit management policy and are consistent with management's intention.

4. Collecting and Processing Cash Receipts

4.1 Cash receipts are entered accurately, completely and in a timely manner.

4.1.1 Take a sample of bank reconciliations and test for adequate clearance of reconciling items and approval by finance management.
4.1.2 Determine whether the system has been configured not to allow processing of cash receipts outside of approved bank accounts. Execute transaction FI12 and ascertain to which bank accounts a cash receipt can be posted. Determine whether this is consistent with management's intentions.

4.1.3 Use transaction SA38 to produce the following reports:
• The Customer Open Items report (RFDOPO00)
• The Customer Open Item Analysis (days overdue analysis) report (RFDOPR10)
Determine whether these reports are reviewed and actioned regularly by locating evidence of their review or through corroborative inquiry with management.

4.2 Cash receipts are valid and are not duplicated.

4.2.1 Review the accounts receivable reconciliation and determine whether there are any unallocated amounts or reconciling items. Determine the aging of these items and make inquiry of management as to the reasons for these items remaining unallocated or unreconciled.

4.3 Cash discounts are calculated and recorded accurately.

4.3.1 Review the settings in place for tolerance levels for allowable cash discounts and cash payment differences using the following transactions:
• OBA4, to determine the tolerance groups that have been set up for users and the tolerance limits that have been set for those groups
• OB57, to determine the users who have been allocated to the groups identified earlier
Discuss with management the settings that are in place for tolerance levels for allowable cash discounts and cash payment differences. Determine whether the configuration in place agrees with management's intentions.

4.4 Timely collection of cash receipts is monitored.

4.4.1 As for 4.1.3, determine whether accounts receivable aging reports are reviewed regularly to ensure that the collection of payments is being performed in a timely manner.
Expenditure Business Cycle Audit Program

A. Prior Audit/Examination Report Follow-up
Review the prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
[COBIT: ME1]

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment. The same background information obtained for the SAP R/3 Basis Security audit plan is required for, and relevant to, the business cycles. In particular the following information is important:
• The version and release of SAP R/3 implemented
• Total number of named users (for comparison with logical access security testing results)
• Number of SAP instances and clients
• Company codes
• The identification of the modules being used (FI, CO, MM, SD, PP, industry-specific, etc.)
• Whether the organization has created any locally developed ABAP programs or reports
• Details of the risk assessment approach taken in the organization to identify and prioritize risks
• Copies of the organization's key security policies and standards
[COBIT: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME2]

Obtain details of the following:
• The Organizational Model as it relates to expenditure activity, i.e., the purchasing organization unit structure in SAP R/3 and the purchasing/accounts payable organization chart (required when evaluating the results of access security control testing)
• An interview with the systems implementation team, if possible, and the process design documentation for materials management
[COBIT: DS5, AI1, PO7]

Identify the significant risks and determine the key controls. Develop a high-level process flow diagram and overall understanding of the expenditure processing cycle, including the following subprocesses:
• Master data maintenance
• Purchasing
• Invoice processing
• Processing disbursements
[COBIT: PO9, AI1, DS11]

Assess the key risks, determine key controls or control weaknesses and test controls (refer to the sample testing program below and to chapter 4 for techniques for testing configurable controls and logical access security) regarding the following factors:
• The controls culture of the organization (e.g., a just-enough-control philosophy)
• The need to exercise judgement to determine the key controls in the process and whether the controls structure is adequate (any weaknesses in the control structure should be reported to executive management and resolved)
[COBIT: DS9, PO9, DS5, ME2]
C. Detailed Audit Steps

1. Master Data Maintenance

1.1 Changes made to master data are valid, complete, accurate and timely.

1.1.1 Determine whether the changes made to the master data are complete, accurate and timely and, using the specified transaction code or SA38, whether the following report of changes to master data is compared to authorized source documents and/or a manual log of requested changes to ensure that the changes were input accurately and timely:
• For vendor master data, program RFKABL00 can be used to produce a list of master data changes.
[COBIT: AI6, DS11]

1.1.2 Determine whether access to create and change vendor master data and vendor pricing master data is restricted to a dedicated area and to authorized individuals. Review organization policy and process design specifications regarding access to maintain master data. Test user access via report RSUSR002 (refer to chapter 4 on how to test user access) to create and maintain vendor master data as follows:
• Finance Entry: transaction codes FK01 (Create), FK02 (Change), FK05 (Block/Unblock), FK06 (Delete)
• Purchasing Entry: transaction codes MK01 (Create), MK02 (Change), MK05 (Block/Unblock), MK06 (Delete)
• Centralized Entry: transaction codes XK01 (Create), XK02 (Change), XK05 (Block/Unblock), XK06 (Delete)
Test user access to transactions to maintain vendor pricing information:
• Create info record: ME11
• Change info record: ME12
• Delete info record: ME15
• Create condition: MEK1
• Change condition: MEK2
• Create condition with reference: MEK4
[COBIT: DS5, AI6, DS6, DS11]

1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management intentions. View the settings online using the IMG as follows:
• Execute transaction code OBD3 and ascertain whether account groups have been set up covering one-time vendor or other vendor accounts. For high-risk account groups such as one-time vendors, check whether authorization has been marked as a required field.
[COBIT: DS12, DS9, DS11]
1.1.4 Determine whether a naming convention should be used for vendor names (e.g., as per letterhead) to minimize the risk of establishing duplicate vendor master records. Extract a list of vendor account names from table LFA1 (fields: NAME1 = name, LIFNR = vendor number). Review a sample for compliance with the organization's naming convention. View or search the list (using scan/search software tools if available) for potential duplicates.
[COBIT: DS11, PO9]

1.2 Master data remain current and pertinent.

1.2.1 Determine whether management periodically reviews master data to check their currency and ongoing pertinence, and whether the appropriate management displays or produces a list of vendors using report RFKKVZ00 or equivalent. Confirm evidence of management's review of the data on a rotating basis for currency and ongoing pertinence.
[COBIT: DS11, ME1]

2. Purchasing

2.1 Purchase order entry and changes are valid, complete, accurate and timely.

2.1.1 Determine whether purchase orders are processed with valid prices and terms and whether processing is complete, accurate and timely. Determine whether the ability to create, change or cancel purchase requisitions, purchase orders and outline agreements (standing purchase orders) is restricted to authorized personnel by testing access to the following transactions:
• Create Purchase Requisition: ME51
• Change Purchase Requisition: ME52
• Release Purchase Requisition: ME54
• Collective Release of Purchase Requisitions: ME55
• Create Purchase Order, Vendor Known: ME21
• Change Purchase Order: ME22
• Maintain Purchase Order Supplement: ME24
• Create Purchase Order, Vendor Unknown: ME25
• Create Stock Transport Order: ME27
• Create Outline Agreement: ME31
• Change Outline Agreement: ME32
• Maintain Outline Agreement Supplement: ME34
[COBIT: DS11, DS5]
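Step 1.1.4 above asks for the LFA1 extract (LIFNR, NAME1) to be reviewed for naming-convention compliance and scanned for potential duplicates. The following Python is an added example of that scan and is not code from the ISACA guide. The extract rows are constructed; the naming convention (upper-case alphanumerics, single spaces, no trailing legal form) is a hypothetical one standing in for the organization's own; and the legal-form list and the similarity threshold are assumptions to be tuned to the vendor population being audited.

```python
"""
Screen a vendor master extract (table LFA1: LIFNR = vendor number,
NAME1 = name) for potential duplicates and naming-convention breaches.

Added example for audit step 1.1.4 (not code from the ISACA guide).
The extract, the naming rule, the legal-form list and the similarity
threshold are all assumptions made for this example.
"""
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed LFA1 extract: (LIFNR, NAME1)
LFA1_EXTRACT = [
    ("0000100001", "ACME INDUSTRIAL"),
    ("0000100002", "Acme Industrial Ltd."),
    ("0000100003", "ACME  INDUSTRIAL LIMITED"),
    ("0000100004", "NORTHWIND TRADING"),
    ("0000100005", "NORTHWIND TRADNG"),
    ("0000100006", "CONTOSO GMBH"),
    ("0000100007", "FABRIKAM"),
]

# Hypothetical naming convention: upper-case alphanumerics, single spaces.
NAME_RULE = re.compile(r"^[A-Z0-9]+( [A-Z0-9]+)*$")

# Legal-form tokens ignored when comparing names (assumption; extend per market).
LEGAL_FORMS = {"LTD", "LIMITED", "INC", "GMBH", "AG", "PLC", "LLC", "CO", "CORP"}


def normalize(name):
    """Canonical form used for duplicate comparison: upper-case, punctuation
    stripped, whitespace collapsed, legal-form tokens removed."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


def convention_breaches(extract):
    """Vendors whose NAME1 breaks NAME_RULE or ends in a legal-form token."""
    out = []
    for lifnr, name in extract:
        tokens = name.split()
        if not NAME_RULE.match(name) or (tokens and tokens[-1] in LEGAL_FORMS):
            out.append(lifnr)
    return out


def exact_duplicates(extract):
    """Groups of vendor numbers whose normalized names are identical."""
    groups = defaultdict(list)
    for lifnr, name in extract:
        groups[normalize(name)].append(lifnr)
    return [sorted(v) for v in groups.values() if len(v) > 1]


def near_duplicates(extract, threshold=0.9):
    """Pairs whose normalized names differ but are very similar (typos,
    truncations). Identical names are left to exact_duplicates()."""
    norm = [(lifnr, normalize(name)) for lifnr, name in extract]
    pairs = []
    for i in range(len(norm)):
        for j in range(i + 1, len(norm)):
            a, b = norm[i][1], norm[j][1]
            if a != b and SequenceMatcher(None, a, b).ratio() >= threshold:
                pairs.append((norm[i][0], norm[j][0]))
    return pairs


if __name__ == "__main__":
    print("convention breaches:", convention_breaches(LFA1_EXTRACT))
    print("exact duplicates:   ", exact_duplicates(LFA1_EXTRACT))
    print("near duplicates:    ", near_duplicates(LFA1_EXTRACT))
```

Name matching alone produces candidates, not findings: each group should be followed up against bank details and addresses before being reported as a duplicate vendor. The pairwise comparison is quadratic, which is acceptable for a few thousand vendors; for larger populations block on the first token of the normalized name before comparing.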
2.1.2 Determine whether the SAP R/3 source list functionality allows specified materials to be purchased only from vendors included in the source list for the specified material. Through discussions with management, determine the (types of) materials for which source lists should be available in the system, and the (types of) materials for which a source list should not be present. Examine a selection of materials and view the corresponding source list using the following reports to corroborate the performance of the control activity in the appropriate accounting period:
• ME06 reports on all material items and whether or not they belong to a source list.
• ME0M shows all material items and any associated vendors (including historic data). To run ME0M, a material or a range of materials needs to be specified. Use the matchcode, click on the search help option and choose option J (material by material group) to get a list of materials.
Select a sample of purchase orders and check them against the source list reports to determine whether specific materials have been procured from unlisted vendors.
[COBIT: DS11]
2.1.3 Determine whether the SAP R/3 release strategy is used to authorize purchase orders, outline agreements (standing purchase orders) and unusual purchases (e.g., capital outlays). Obtain sufficient understanding of the system configuration to assess the adequacy of the release strategy as defined and implemented by the organization, as well as the function and effectiveness of established policies, procedures, standards and guidance. The following transactions should be executed to obtain an understanding of the way the system has been configured:
• Release procedure for purchase orders: OMGS; release procedure for purchase requisitions (with classification): OMGQ
  - Click on Release Strategy. Select the strategies one by one by double-clicking on each strategy. Note the release codes that are shown; authorization for these release codes (authorization objects M_BANF_FRG and M_EINK_FRG) should be checked.
  - Click on Classification. This will show the conditions under which the purchase document will be blocked. Ascertain whether these conditions comply with management's intentions.
• Release procedure for purchase requisitions (without classification): OME6
  - Click on Release Prerequisites. Note the release codes that are shown; authorization for these release codes should be checked.
  - Re-execute transaction OME6 and click on Determination of Release Strategy. This will show the conditions under which the purchase document will be blocked. Ascertain whether these conditions comply with management's intentions.
• Test user access to transactions for release strategies:
  - Release Purchase Order: ME28
  - Release Outline Agreement: ME35
  - Release Purchase Requisition: ME54
  - Collective Release of Purchase Requisitions: ME55
[COBIT: DS9, DS5, ME1, DS13]

2.2 Goods are only received for valid purchase orders, and goods receipts are recorded completely, accurately and in a timely manner.
2.2.1 Determine whether goods (or materials, equipment) are received only when there are valid purchase orders, and whether goods receipts are always recorded completely, accurately and in a timely manner. Determine whether an investigation takes place when receipts have no purchase order or exceed the purchase order quantity by more than an established amount. Does management review exception reports of goods not received on time for recorded purchases? Run report RM06EM00 to produce a listing of outstanding purchase orders. Ascertain from management whether there are reasons for any long-outstanding items on the report.
[COBIT: DS9, DS5]

2.2.2 Determine whether order entry data are transferred completely and accurately to the shipping and invoicing activities, and whether the ability to input, change or cancel goods received transactions is restricted to authorized inbound logistics/raw materials personnel. Test user access to transactions for goods receipt as follows:
• Goods Receipt for Purchase Order: MB01
• Goods Receipt, Purchase Order Unknown: MB0A
• Goods Receipt for Production Order: MB31
• Other Goods Receipts: MB1C
• Cancel/Reverse Material Document: MBST
Test user access to high-risk movement types: transaction code MB1C with authorization object M_MSEG_BWA, field ACTVT (activity) and field BWART (movement type) for movement types 561 through 566. These special movement types reflect the initial stock entry in the SAP R/3 system at the time of conversion to SAP R/3, and should not be usable once conversion is complete.
[COBIT: AI2, DS5, DS11]

2.3 Defective goods are returned to suppliers in a timely manner.

2.3.1 Determine whether defective goods (or materials, equipment) are returned to suppliers in a timely manner, are adequately segregated from other goods in a quality-assurance bonding area, and are regularly monitored (assigned a specific movement type, e.g., 122) to ensure timely return to suppliers, and whether credit is received in a timely manner. Ascertain from management the movement type used to block processing and to return rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with the appropriate movement type. Determine whether there are any long-outstanding materials pending return to suppliers or receipt of the corresponding credits.
[COBIT: DS2, DS11]

3. Invoice Processing

3.1 Amounts posted to accounts payable represent goods or services received.
3.1.1 Determine whether amounts posted to accounts payable represent goods or services received, whether the ability to input, change, cancel or release vendor invoices for payment is restricted to authorized personnel, and whether the ability to input vendor invoices that have no purchase order and/or goods receipt is restricted to authorized personnel. Test user access to the invoice processing transactions:
• Enter Invoice (MRHR, MR01)
• Change Invoice (FB02)
• Process Blocked Invoice (MR02)
• Cancel Invoice (MR08)
• Enter Credit Memo (MRHG)
COBIT: DS6, DS9, AI6

3.2 Accounts payable amounts are calculated completely and accurately and recorded in a timely manner.

3.2.1 Determine whether the SAP R/3 software is configured to perform a three-way match (purchase order, goods receipt, invoice). Execute transaction code OMF4 (Change View "Field Selection at Document Level": Overview), select ME21 (Create Purchase Order) and then GR/IR Control. Determine whether the goods-receipt-based invoice verification indicator (GR/IR Control) has been set globally to required entry. If it has not been set globally for all vendors, determine whether it has been set for particular vendors by displaying table LFM1, field WEBRE, using transaction SE16. Where GR/IR Control has not been set, ascertain the reasons from management.
COBIT: DS9, DS5

3.2.2 Determine whether the SAP R/3 software is configured with quantity and price tolerance limits. Check the tolerance limits for price variances and the message settings for invoice verification (online matching) as follows:
• Variance settings: Execute transactions OMEU and OMR6. The system shows an overview of the defined tolerance limits. Double-click on the entries that relate to the organization being audited. Two entries need to be checked, one for tolerance key PE (price) and one for tolerance key SE (discount). Note the values shown. Both a lower and an upper limit may be specified as a percentage; PE also allows an absolute value to be set.
• Message settings: Execute transaction OME0. Click on Position. Enter 00 (version), 06 (application area) and 207 (message number for price variance) and press Enter. Note the value in the Category field: W means the message is a warning and the document can still be posted, E means it is an error and posting is prevented.
Ascertain whether the values noted comply with management's intentions.
COBIT: DS9, DS10
3.2.3 Determine whether the GR/IR account balances report (RM07MSAL) is executed and reviewed periodically. Check that appropriate procedures are in place to investigate unmatched purchase orders. In particular, long-outstanding items should be followed up and cleared.
COBIT: AI6

3.2.4 Determine whether reports of outstanding purchase orders are reviewed regularly. Run report RM06EM00 to produce a listing of outstanding purchase orders and review long-outstanding items with management.
COBIT: PO11

3.2.5 Determine whether the SAP R/3 software restricts the ability to modify the exchange rate table to authorized personnel, whether management approves the values in the centrally maintained exchange rate table, and whether the SAP R/3 software automatically calculates foreign currency translations based on those values. Determine whether management reviews a sample of exchange rate changes above a certain percentage, having regard to the volume and value of the organization's foreign currency transactions. Test user access to the exchange rates and the related authorization objects:
• Exchange rates via the standard transaction: First, execute transaction SUCU, click on Position, enter V_TCURR and press Enter. Note the value in the Authorization Group field. Then test user access to transaction code OB08 with authorization object S_TABU_DIS (class Basis: Administration), field Activity value 02 and field Authorization Group set to the value noted in SUCU.
• Exchange rates via view maintenance: First, execute transaction SUCU, click on Position, enter table name V_T001R and click on Choose. Note the value in the Authorization Group field. Do the same for view V_TCURF. Then test user access to the following transaction codes with authorization object S_TABU_DIS (class Basis: Administration), field Activity value 02 and field Authorization Group set to the values noted in SUCU:
  - Maintain rounding units (OB90)
  - Maintain foreign currency ratios (OBBS)
  - Table/view maintenance (SM30)
Note that SM30 with S_TABU_DIS for a given authorization group opens every table and view in that group, not only the exchange rate views, so consider the whole population of tables sharing the group when assessing any finding.
COBIT: DS5, AI6

3.3 Credit notes and other adjustments are calculated completely and accurately and recorded in a timely manner.

3.3.1 Determine whether the ability to input, change, cancel or release credit notes is restricted to authorized personnel. Test user access to the transactions that post invoices and credit notes directly to vendor accounts:
• Enter Vendor Credit Memo (F-41)
• Enter Vendor Invoice (F-43)
COBIT: PO2, DS5
4. Processing Disbursements

4.1 Disbursements are made only for goods and services received, calculated accurately, recorded and distributed to the appropriate suppliers in a timely manner.

4.1.1 Determine whether disbursements are made only for goods and services received, calculated accurately, recorded and distributed to the appropriate suppliers in a timely manner, and whether management approves the SAP R/3 payment run parameter specification. Test user access to the transactions that process disbursements:
• Automatic Payment Transactions (F110)
• Parameters for Payment (F111)
• Payment with Printout (F-58)
COBIT: DS5, PO6

4.1.2 Test user access to blocked invoices and vendor blocks:
• Change Document (FB02)
• Change Line Items (FB09)
• Block/Unblock Vendor Centrally (XK05)
• Block/Unblock Vendor (FK05)
Inventory Business Cycle Audit Program

A. Prior Audit/Examination Report Follow-up
Review the prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT: ME1

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment. The same background information obtained for the SAP R/3 Basis Security audit plan is required for, and relevant to, the business cycles. In particular, the following information is important:
• The version and release of SAP R/3 that has been implemented
• Total number of named users (for comparison with logical access security testing results)
• Number of SAP instances and clients
• Company codes
• The modules being used (FI, CO, MM, SD, PP, industry-specific, etc.)
• Whether the organization has created any locally developed ABAP programs or reports
• Details of the risk assessment approach taken in the organization to identify and prioritize risks
• Copies of the organization's key security policies and standards
• A review of outstanding audit findings, if any, from previous years
COBIT: PO2, PO3, PO4, PO6, PO9, DS2, DS5, AI2, AI6, ME2

Obtain the following relevant business cycle details:
• The organizational model as it relates to inventory activity, i.e., the plant organizational unit structure in SAP R/3 and the manufacturing organization chart (required when evaluating the results of access security control testing)
• Interview the systems implementation team, if possible, and obtain the process design documentation for materials and warehouse management
COBIT: PO4, AI4

Identify the significant risks and determine the key controls.
Develop a high-level process flow diagram and an overall understanding of the inventory processing cycle, including the following subprocesses:
• Master data maintenance
• Raw materials management
• Producing and costing inventory
• Handling and shipping finished goods
COBIT: DS11, DS12, DS6, DS13
Assess the key risks, determine the key controls or control weaknesses, and test the controls (refer to the detailed sample testing program below and to chapter 4 for techniques for testing configurable controls and logical access security), having regard to the following factors:
• The controls culture of the organization (e.g., a just-enough-control philosophy)
• The need to exercise judgement to determine the key controls in the process and whether the control structure is adequate (any weaknesses in the control structure should be reported to executive management and resolved)
COBIT: PO9, ME2

C. Detailed Audit Steps

1. Master Data Maintenance

1.1 Changes made to master data are valid, complete, accurate and timely.

1.1.1 Take a sample of inventory file updates using transaction MB59, which allows a search on multiple materials over a given date range, and check them back to authorized source documentation. Review the process for physical stock-takes to confirm the complete, accurate, valid and timely recording of stock differences.
COBIT: DS11, DS13

1.1.2 Review organization policy and process design specifications regarding access to maintain material master data. Test user access to the following transaction codes:
• Create Material (MM01)
• Change Material (MM02)
• Flag Material for Deletion (MM06)
COBIT: DS11, DS13
1.1.3 Determine whether the configurable control settings address the risks pertaining to the validity, completeness and accuracy of master data and whether they have been set in accordance with management's intentions. View the settings online using the IMG as follows:
• Material Types: transaction SPRO, menu path Logistics General > Material Master > Basic Settings > Material Types > Define Attributes of Material Types
• Industry Sector: transaction SPRO, menu path Logistics General > Material Master > Field Selection > Define Industry Sectors and Industry-Sector-Specific Field Selection
• Default Price Types: execute transaction OMW1 and determine whether default settings have been made for the price control of material records
• Tolerances for Physical Inventory Differences: execute transaction OMJ2, compare the defined tolerances to organizational policy and judge their reasonableness
COBIT: PO9, DS11, DS12, DS13, DS6, ME1, ME2

1.2 Inventory master data remain current and pertinent.

1.2.1 Determine whether the appropriate managers run the Materials List (transaction code MM60), or an equivalent, by material type, and confirm evidence of their review of the data on a rotating basis for currency and ongoing pertinence.
COBIT: ME1, DS11, ME4

1.3 Settings or changes to the bill of materials or process order settlement rules are valid, complete, accurate and timely.

1.3.1 Review organization policy and process design specifications regarding access to maintain bills of material (BOM) and process order settlement rules. Test user access to the following transaction codes:
• Create Material BOM (CS01)
• Change Material BOM (CS02)
• Make Mass Changes (CS20)
• Change Single-Layered BOM (CS72)
• Change Multi-Layered BOM (CS75)
• Change Settlement Rules: no directly displayable transaction code (KOBK). Reach it via the menu path Logistics > Production Process > Process Order > Process Order > Display, enter the process order number and press Enter, then go to Header > Settlement Rule.
COBIT: ME1, DS13

1.3.2 Take a sample of bill of materials updates using transaction CS80 (change documents for material BOMs) and check them back to authorized source documentation.
COBIT: DS13

2. Raw Materials Management

2.1 Inventory is saleable, useable and safeguarded adequately.
2.1.1 Confirm that the DRP process takes into account stock on hand, forecast requirements, economic order quantities and back orders. Execute transaction code MB5M (Shelf Life List) and ascertain the reason for any old stock being held. Use transaction MC46 to identify slow-moving items and MC50 for dead stock (i.e., stock that has not been used for a certain period of time). Test that managers are reviewing this information on a regular basis.
COBIT: DS6, DS13, ME1

2.2 Raw materials are only received and accepted with valid purchase orders and are recorded accurately and in a timely manner.

2.2.1 Test that management executes the report of outstanding purchase orders using transaction ME2L (refer to Expenditure Cycle 2.2.1) and follows up any long-outstanding items.
COBIT: DS13

2.2.2 Review the reconciliation of the goods received/invoice received (GR/IR) account (transaction code MB5S; refer to Expenditure Cycle 3.2.3) and confirm that unmatched items have been investigated in a timely manner.
COBIT: ME1, ME2

2.2.3 Test user access to the goods receipt transactions (refer to Expenditure Cycle 2.2.2):
• Goods Receipt for Purchase Order (MB01)
• Goods Receipt, Purchase Order Unknown (MB0A)
• Goods Receipt for Order (MB31)
• Enter Other Goods Receipts (MB1C)
• Cancel Material Document (MBST)
• Goods Movement (MIGO)
COBIT: DS13, ME1, DS12

2.2.4 Test the controls over inventory stock-takes (refer to 1.1.1).

2.3 Defective raw materials are returned to suppliers in a timely manner.

2.3.1 Ascertain from management the movement type used to block processing and to return rejected goods to suppliers (e.g., movement type 122). Execute transaction MB51 with that movement type (refer to Expenditure Cycle 2.3.1). Determine whether there are any long-outstanding materials pending return to suppliers or receipt of the related credits.
COBIT: DS13

3. Producing and Costing Inventory

3.1 Transfers of materials to/from production, production costs and defective products/scrap are valid and recorded accurately, completely and in the appropriate period.

3.1.1 Review the policy and procedures concerning the transfer of materials and confirm that the above controls are in place and operating. Test that inventory-in-transit accounts are regularly reviewed to ensure they are cleared and reconciled. Confirm that default price types have been established for all materials (refer to 1.1.3).
COBIT: ME2, DS6

3.1.2 Test user access to bills of material (refer to 1.3.1).
3.1.3 Test user access to goods issue (transaction code MB1A), to posting of transfers between plants (transaction code MB1B) and to goods movements (transaction code MIGO).
COBIT: DS13, ME1

3.1.4 Test user access to create (transaction code CR01) or change (transaction code CR02) work centers.
COBIT: DS13, ME1

4. Handling and Shipping Finished Goods

4.1 Finished goods received from production are recorded completely and accurately in the appropriate period.

4.1.1 Test inventory stock-take procedures (refer to 1.1.1).
COBIT: DS13, ME1

4.1.2 Test user access to change settlement rules (refer to 1.3.1).
COBIT: ME1, DS13

4.2 Goods returned by customers are accepted in accordance with the organization's policies.

4.2.1 Review the policies and procedures for receiving inventory back into the warehouse. Review a sample of inventory returns and ensure they are supported by adequate documentation from the quality inspector. Ascertain from management the movement type used for goods returned from customers. Execute transaction MB51 with that movement type. Determine whether there are any long-outstanding materials pending return to inventory or provision of the related credits.
COBIT: ME1, AI4

4.3 Shipments are recorded accurately, in a timely manner and in the appropriate period.

4.3.1 Test user access to transfer stock between plants (transaction code LT04) and to Change Outbound Delivery (transaction code VL02N).
COBIT: DS13, ME1

4.3.2 Take a sample of the Delivery Due List and the Owed to Customer report and test for evidence of management action. Review the settings using transaction code OMWB and confirm that account assignments are set to valid cost of goods sold (COGS) accounts.
COBIT: ME1, ME4, DS13
Basis Security Cycle Audit Program

A. Prior Audit/Examination Report Follow-up
Review the prior report, if one exists, verify completion of any agreed-upon corrections and note remaining deficiencies.
COBIT: ME1

B. Preliminary Audit Steps
Gain an understanding of the SAP R/3 environment. Determine what version and release of the SAP R/3 software has been implemented. If there are multiple versions, document each of them.
COBIT: PO4

Obtain details of the following:
• Operating system(s) and platforms
• Total number of named users (for comparison with the limits specified in the contract)
• Number of SAP R/3 instances and clients
• Database management system used to store data for the SAP R/3 system
• Location of the servers and the related LAN/WAN connections (to verify the security and controls, including environmental controls, surrounding the hardware and the network security controls surrounding the connectivity) and, if possible, copies of network topology diagrams
• List of business partners, related organizations and remote locations that are permitted to connect to the R/3 environment
• The various means used to connect to the R/3 environment (e.g., dial-up, remote access server, Internet Transaction Server) and the network diagram, if available
COBIT: PO2, PO3, DS2, DS12

In a standard SAP R/3 configuration, separate systems for development, test and production are implemented. Determine whether:
• This approach was taken
• The instances are totally separate systems or are clients within the same system
COBIT: PO2

Determine whether the SAP production environment is connected to other SAP or non-SAP systems. If yes, obtain details of the nature of the connectivity, the frequency of information transfers, and the security and control measures surrounding these transfers (i.e., to ensure accuracy and completeness).
COBIT: PO2, DS5

Identify the modules (FI, CO, MM, SD, PP, industry-specific, etc.) that are being used.
COBIT: PO2
Identify whether the organization has implemented any of the following:
• Internet Transaction Server
• Any of the New Dimension products (e.g., Supply Chain Management, Customer Relationship Management, Business Intelligence)
• Audit Information System (AIS). If implemented, determine how it is used (i.e., only for annual audits, or on a regular basis to monitor and report on security issues).
COBIT: PO2, PO3, ME2

Determine whether the organization makes use of any mySAP.com functionality. If yes, describe the functionality and its purpose.
COBIT: PO2

Determine whether the organization has created any locally developed ABAP/4 programs, reports or tables. If yes, determine how they are used. Depending on their importance and extent of use, review and document the development and change management process surrounding their creation and modification.
COBIT: AI2, AI6

Obtain copies of the organization's key security policies and standards. Highlight key areas of concern, including:
• Information security policy
• Sensitivity classification
• Logical and physical access control requirements
• Network security requirements, including requirements for encryption, firewalls, etc.
• Platform security requirements (e.g., configuration requirements)
COBIT: PO6, DS5, DS12

Obtain information regarding any awareness programs delivered to staff on the key security policies and standards. Consider specifically the frequency of delivery and any statistics on the extent of coverage (i.e., what percentage of staff have received the awareness training).
COBIT: PO6, DS7

Maintenance of authorizations and profiles, for example:
• Have job roles, including the related transactions, been defined and documented?
• Do procedures for maintaining (creating/changing/deleting) roles exist, and are they followed?
COBIT: PO7, AI4, DS5
Determine whether adequate access administration procedures exist in written form. Do any of the following procedures exist within the organization? (If yes, document the process and comment on compliance with the policies and standards and on the adequacy of the resulting documentation.)
• Procedures to add/change/delete user master records
• Procedures to handle temporary access requests
• Procedures to handle emergency access requests
• Procedures to remove users who have never logged on to the system
• Procedures to automatically notify the administration staff when staff holding sensitive or critical positions leave the organization or change positions
COBIT: PO7, AI4, DS5

Obtain copies of the organization's change management policies, processes, procedures and change documentation. Consider specifically:
• Transport processes and procedures, including allowed transport paths
• Emergency change processes and procedures
• Development standards, including naming conventions, testing requirements and move-to-production requirements
COBIT: AI4, AI6

Determine whether the organization has a defined process for creating and maintaining clients. If yes, obtain copies of the documentation related to the creation and maintenance of clients.
COBIT: PO2, AI6

Determine the organization's approach to SAP Online Support Services (OSS). Verify the extent of access permitted and the processes used to request, approve, authenticate, grant, monitor and terminate OSS access.
COBIT: DS2, DS5

Review outstanding audit findings, if any, from previous years. Assess their impact on the current audit.
COBIT: ME1, ME2

Identify the significant risks and determine the key controls.
Obtain details of the risk assessment approach taken in the organization to identify and prioritize risks.
COBIT: PO9

Obtain copies of and review:
• Completed risk assessments impacting the R/3 environment
• Approved requests to deviate from security policies and standards
Assess the impact of the above documents on the planning of the R/3 audit.
COBIT: PO9, ME1

In the case of a recent implementation or upgrade, obtain a copy of the security implementation plan. Assess whether the plan took into account the protection of critical objects within the organization and segregation of duties. Determine whether an appropriate naming convention (i.e., for profiles) has been developed to help security maintenance and to comply with the required SAP R/3 naming conventions.
COBIT: PO3, DS5, PO7
C. Detailed Audit Steps

1. Application Installation (Implementation Guide and Organizational Model)

1.1 Configuration changes are made in the development environment and transported to production.

1.1.1 Test that access to the transaction code (SPRO) and the authorization object (S_IMG_ACTV) for the IMG has been restricted in the production environment.

1.1.4 Access to transaction code SCC4, which controls the production client settings, should be restricted. Execute this transaction code and then double-click on each client being tested. Review each of the settings for appropriateness. In particular, the cross-client object change option should be set to No Changes (no changes to Repository and cross-client Customizing objects), and the CATT and eCATT restriction should be set to Not Allowed.

1.2 The Organizational Model has been configured correctly to meet the needs of the organization.

1.2.1 Obtain information on the Organizational Model from the system by reviewing tables or by using the SAP R/3 Audit Information System (AIS), which depicts the OM graphically (refer to figure 12.5). Compare it to the real organization structure and interview management about differences or difficulties that may have emerged during or after the implementation.

1.2.2 Test access to the transaction code (SPRO) and the authorization object (S_IMG_ACTV) for the IMG in the production environment.

1.3 Changes to critical number ranges are controlled.

1.3.1 Via transaction SUIM, review authorization object S_NUMBER for users holding the following activity values for all number range objects (object value *):
• 02 Maintain number range intervals
• 11 Change number range status
• 13 Initialize number levels
• 17 Maintain number range objects

1.4 Access to system and customizing tables is narrowly restricted.

1.4.1 Using transaction code SE16, browse table TDDAT. In the table name field enter Z* and then Y* to identify all custom tables. Identify those tables that have &NC& (not classified) in the Authorization Group field (CCLASS). Assess whether leaving these tables in &NC& is appropriate: any user with S_TABU_DIS for group &NC& can maintain all of them at once.

1.4.2 Access to modify critical tables can be tested via authorization object S_TABU_DIS (activity 02 together with the table's authorization group) and transaction codes SM31 or SM30. If the table is cross-client, the user master record must also contain a third object, S_TABU_CLI (value X). Use report RSUSR002 via SA38 to check for these combinations.
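The following Python script is an added example, not part of the ISACA audit program, of the logic behind steps 1.4.1 and 1.4.2; the same check applies to the exchange rate views tested in Expenditure Cycle 3.2.5. It evaluates a user's authorizations the way RSUSR002 does: fields inside one authorization are ANDed, separate authorizations are ORed, and a trailing asterisk is a generic value. The table catalog (TDDAT authorization group and DD02L client-dependency flag) and the user master records are constructed sample data; the table names, groups and user IDs are assumptions, not values from any real system.

```python
"""Added example: evaluate table-maintenance authorizations the way RSUSR002 does.

Not part of the ISACA audit program. The table catalog and user master data
below are constructed for illustration (names, groups and users are assumptions).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class TableDef:
    name: str
    auth_group: str          # TDDAT-CCLASS; "&NC&" means "not classified"
    client_dependent: bool   # DD02L-CLIDEP; False means the table is cross-client


# Constructed extract of TDDAT / DD02L (assumed values)
TABLES = [
    TableDef("T001", "FC01", True),
    TableDef("TCURR", "FC31", True),
    TableDef("ZPAYRUN", "&NC&", True),
    TableDef("ZSYSPARM", "&NC&", False),
    TableDef("YBANKCFG", "ZFIN", False),
]

# Constructed user master records: one dict per authorization instance,
# field name -> set of permitted values ("*" and a trailing "*" are generic)
USERS = {
    "FI_CLERK": [
        {"OBJECT": "S_TCODE", "TCD": {"SM30"}},
        {"OBJECT": "S_TABU_DIS", "ACTVT": {"02", "03"}, "DICBERCLS": {"&NC&"}},
    ],
    "BASIS_ADM": [
        {"OBJECT": "S_TCODE", "TCD": {"SM30", "SM31"}},
        {"OBJECT": "S_TABU_DIS", "ACTVT": {"*"}, "DICBERCLS": {"*"}},
        {"OBJECT": "S_TABU_CLI", "CLIIDMAINT": {"X"}},
    ],
    "DISPLAY_ONLY": [
        {"OBJECT": "S_TCODE", "TCD": {"SE16"}},
        {"OBJECT": "S_TABU_DIS", "ACTVT": {"03"}, "DICBERCLS": {"*"}},
    ],
}


def value_matches(permitted, value):
    """SAP-style match: exact value, single '*' or a trailing-'*' generic value."""
    return any(fnmatchcase(value, p) for p in permitted)


def has_auth(auths, obj, **required):
    """True if ONE authorization instance for `obj` covers every required field.

    Fields within an authorization are ANDed; separate authorizations are ORed,
    so ACTVT 02 in one instance and the right DICBERCLS in another does not pass.
    """
    return any(
        a["OBJECT"] == obj
        and all(value_matches(a.get(f, set()), v) for f, v in required.items())
        for a in auths
    )


def can_maintain_table(auths, table):
    """Step 1.4.2: SM30/SM31 plus S_TABU_DIS activity 02 on the table's group,
    plus S_TABU_CLI (CLIIDMAINT = X) when the table is cross-client."""
    if not (has_auth(auths, "S_TCODE", TCD="SM30")
            or has_auth(auths, "S_TCODE", TCD="SM31")):
        return False
    if not has_auth(auths, "S_TABU_DIS", ACTVT="02", DICBERCLS=table.auth_group):
        return False
    if not table.client_dependent and not has_auth(auths, "S_TABU_CLI", CLIIDMAINT="X"):
        return False
    return True


def unclassified_custom_tables(tables):
    """Step 1.4.1: Z*/Y* tables left in the catch-all group &NC&."""
    return sorted(t.name for t in tables
                  if t.name[:1] in ("Z", "Y") and t.auth_group == "&NC&")


def maintainable_tables(auths, tables):
    """Tables a user can change through SM30/SM31 with the given authorizations."""
    return sorted(t.name for t in tables if can_maintain_table(auths, t))


if __name__ == "__main__":
    print("Custom tables still in &NC&:", unclassified_custom_tables(TABLES))
    for user, auths in USERS.items():
        print(f"{user}: can maintain {maintainable_tables(auths, TABLES)}")
```

With these constructed records FI_CLERK can maintain ZPAYRUN but not ZSYSPARM: the &NC& group alone is not enough for a cross-client table without S_TABU_CLI, which is the third object step 1.4.2 asks for. To run it against a real system, replace the constructed lists with exports of TDDAT, DD02L and the users' authorization values.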
2. Application Development (ABAP/4 Workbench and Transport System)

2.1 Application modifications are planned, tested and implemented in a phased manner.

2.1.1 Determine the system landscape and client strategy, and review the change control policies and procedures (including documentation) for transporting objects between environments. Work with the Basis/transport administrator to obtain a random sample of transports and trace them back to documentation. Ensure that authorization for each transport was obtained and confirm that the specified transport path was followed. For emergency changes, ensure that the specified emergency process was followed, that appropriate authorizations were obtained and that documentation was subsequently completed. Review the system change option and confirm it has been set to No Changes Allowed (refer to 1.1.2 above). Review segregation of duties with respect to creating and releasing change requests. Test user access to authorization object S_TRANSPRT with any ACTVT value except 03 (display) and any transport type (TTYPE). Assess the appropriateness of such access in comparison with the users' job functions.
COBIT: AI6, DS5

2.2 Customized ABAP/4 programs are secured appropriately.

2.2.1 To identify customized programs that have not been assigned to an authorization group, enter transaction code SE16 and browse table TRDIR, entering Z* and then Y* in the program name field. This produces a list of all customized programs, assuming the organization has followed the standard naming convention. Filter this list for programs that have no value in the authorization group field (SECU). Concentrate the investigation on users who have SE38, SA38, SE80 and SE37: a program without an authorization group gives the S_PROGRAM check nothing to test against, so these users can run any such program.

2.2.2 From this list select a representative sample of customized programs and check the source code to see whether an AUTHORITY-CHECK statement has been included. Use transaction code SA38 to run ABAP/4 program RSABAPSC with the program name and AUTHORITY-CHECK in the ABAP/4 language commands selection field to display the authority-check statements for each sampled program. Note that the results may include other programs called by the sampled programs that contain authority-check statements, so a hit does not by itself prove that the sampled program performs the check. Confirm the results of the test with management.
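As an added example that is not part of the guide, the Python script below automates the screening in 2.2.1 and 2.2.2 against an exported extract: custom programs are read from a TRDIR-style name/SECU mapping and their source is scanned for a live AUTHORITY-CHECK statement, skipping ABAP full-line comments (asterisk in column 1) and inline comments (text after a double quote). The program names, authorization groups and source snippets are constructed for illustration.

```python
"""Added example: screen custom ABAP programs for missing protection.

Not part of the ISACA audit program. The TRDIR and source extracts below are
constructed for illustration; program names and objects are assumptions.
"""
import re

# Matches the statement keyword in live code; ABAP keywords are case-insensitive.
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.IGNORECASE)

# Constructed TRDIR extract: program name -> SECU (authorization group)
TRDIR = {
    "RSUSR002": "SUSR",      # SAP standard program, out of scope for Z*/Y*
    "ZFI_PAYFILE": "",
    "ZMM_MASSUPD": "",
    "YHR_EXPORT": "ZHR",
    "ZSD_REPORT": "ZSD",
}

# Constructed source code of the custom programs
SOURCES = {
    "ZFI_PAYFILE": (
        "REPORT zfi_payfile.\n"
        "AUTHORITY-CHECK OBJECT 'F_REGU_BUK'\n"
        "  ID 'BUKRS' FIELD p_bukrs\n"
        "  ID 'FBTCH' FIELD '21'.\n"
        "IF sy-subrc <> 0. MESSAGE e001(zfi). ENDIF.\n"
    ),
    "ZMM_MASSUPD": (
        "REPORT zmm_massupd.\n"
        "* AUTHORITY-CHECK OBJECT 'M_MATE_WRK' ID 'ACTVT' FIELD '02'.\n"
        "WRITE 'updating'. \" the AUTHORITY-CHECK OBJECT line above was disabled\n"
        "UPDATE mara SET matkl = p_matkl WHERE mtart = p_mtart.\n"
    ),
    "YHR_EXPORT": "REPORT yhr_export.\nSELECT * FROM pa0002 INTO TABLE lt_pa0002.\n",
    "ZSD_REPORT": (
        "REPORT zsd_report.\n"
        "authority-check object 'V_VBAK_VKO' id 'VKORG' field p_vkorg.\n"
    ),
}


def is_custom(program):
    """Customer namespace under the standard Z*/Y* naming convention."""
    return program[:1] in ("Z", "Y")


def programs_without_auth_group(trdir):
    """Step 2.2.1: custom programs whose SECU field is blank."""
    return sorted(p for p, secu in trdir.items() if is_custom(p) and not secu.strip())


def has_authority_check(source):
    """Step 2.2.2: is there an AUTHORITY-CHECK in live (non-comment) code?

    Lines starting with '*' are full-line comments; text after '"' is an
    inline comment. Both are ignored so a commented-out check does not count.
    """
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        if AUTH_CHECK.search(line.split('"', 1)[0]):
            return True
    return False


def classify(trdir, sources):
    """Custom program -> 'both', 'group-only', 'check-only' or 'unprotected'."""
    labels = {(True, True): "both", (True, False): "group-only",
              (False, True): "check-only", (False, False): "unprotected"}
    return {
        p: labels[(bool(secu.strip()), has_authority_check(sources.get(p, "")))]
        for p, secu in trdir.items() if is_custom(p)
    }


if __name__ == "__main__":
    print("No authorization group:", programs_without_auth_group(TRDIR))
    for program, status in sorted(classify(TRDIR, SOURCES).items()):
        print(f"{program:<12} {status}")
```

Programs classified as unprotected can be run by anyone holding SA38 or SE38, because S_PROGRAM has no group to check. A check-only result still needs a read of the code after the statement: RSABAPSC and this scan show that AUTHORITY-CHECK is present, not that sy-subrc is evaluated, as the IF sy-subrc <> 0 branch in the constructed ZFI_PAYFILE illustrates.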
2.2.3 Review and assess the values of the following parameters (use report RSPARAM):
• auth/no_check_in_some_cases: Y or N. The recommended value Y activates the Profile Generator and allows individual authorization checks to be deactivated via SU24. If it is set to Y, monitor the SU24 check indicators carefully to make sure that no check has been switched off inappropriately.
• auth/rfc_authority_check: recommended value 2, so that RFC calls are fully checked against authorization object S_RFC.
COBIT: DS5

2.2.4 Use report RSUSR002 to determine the number of users who can execute all programs regardless of the authorization group assigned. Enter authorization object S_PROGRAM with P_ACTION value SUBMIT or BTCSUBMIT and P_GROUP value *, together with authorization object S_TCODE with transaction code SA38, SE37, SE38 or SE80.

2.2.5 Review the policy, procedures and criteria for establishing program authorization groups, assigning ABAP/4 programs to groups and including authority-check statements in programs. Compare the results of testing with the established policies, procedures, standards and guidance (note that organizations may use additional transactions, tables, authorization objects, ABAP/4 programs and reports to control their systems).

2.3 The creation or modification of programs is performed in the development system and migrated through the test system to production.

2.3.1 Produce a list of users who have access to develop programs in the production system by executing report RSUSR002 with authorization object S_DEVELOP, activity values 01, 02 or 06, and transaction code SE38. ABAP/4 programs that are not assigned to an authorization group may be changed by any user with authorization for object S_DEVELOP, depending on whether the user has been assigned a developer key and the correct object keys.

2.4 Access for making changes to the data dictionary is restricted to authorized individuals.

2.4.1 Execute report RSUSR002 and review users with the following authorization to determine whether it is appropriate:
• Data dictionary: object S_DEVELOP with any of the activity values 01, 02, 06 or 07, and access to any of the transaction codes SE11, SE12, SE15, SE16, SE37, SE38 or SE80
2.5 Access to modify and develop queries is restricted.

2.5.1 Using report RSUSR002, enter authorization object S_QUERY with activity value 02 and transaction code SQ01 to identify all users who can create and maintain queries. In addition, using authorization object S_QUERY with activity value 23 and transaction codes SQ02 or SQ03, produce a report identifying all users who can maintain functional areas (InfoSets) and user groups. Review the lists with management for reasonableness.

2.6 Relevant company codes are set to Productive in the production environment.

2.6.1 Transaction code OBR3 lists the company codes and whether they have been set to Productive. This information is also available in table T001 (field XPROD) and can be viewed using transaction code SE16. Review the list. Where company codes have not been set to Productive, investigate the reasons with management: the productive indicator is what prevents the test-data deletion programs from deleting transaction data in that company code.

3. Application Operations (Computing Center Management System)

3.1 The Computing Center Management System (CCMS) is configured appropriately.

3.1.1 Determine via inquiry whether transaction RZ04 was used to set up operation modes, instances and timetables so that the CCMS displays meaningful data.

3.1.2 Determine how the organization monitors its SAP R/3 system. Understand the policies, procedures, standards and guidance regarding the execution of the startsap and stopsap programs, or their equivalent in the organization's environment. Check that only authorized personnel may execute these programs.

3.1.3 Generate a list of users with the ability to access the Alert Monitor by performing online access authorization testing for authorization object S_RZL_ADM, activity values 01 (administrator) and 03 (display), and transaction code AL01 (on a 3.x system) or RZ20 (on a 4.x system).
3.2 Batch processing operations are secured appropriately.
3.2.1 Obtain a list of batch users by executing report RSUSR002 with the following authorizations:
• Batch input: transaction code SM35; authorization object S_BDC_MONI, field BDCAKTI with values DELE, FREE, LOCK, REOG and field BDCGROUP with value *
• Batch administration: transaction code SM64; authorization object S_BTCH_ADM, field BTCADMIN with value Y
• Batch processing: transaction code SM36; authorization object S_BTCH_JOB, field JOBACTION with values DELE, RELE; authorization object S_BTCH_NAM with value *
• Batch processing: transaction code SM37; authorization object S_BTCH_JOB, field JOBACTION with values DELE, RELE, PLAN; authorization object S_BTCH_NAM with value *
3.2.2 Determine by corroborative inquiry that upload programs have been removed from the production environment as appropriate.
3.3 Default system parameter settings are reviewed and configured to suit the organization's environment.
3.3.1 Obtain a printout of the values of the following key parameters (run report RSPARAM via SA38 on each instance as appropriate) and compare them with the requirements set out in the policies and standards. Note that RSPARAM shows a user-defined value and a system default value for each parameter; where the user-defined value is blank, the default is in effect.
• login/password_expiration_time (number of days after which a password must be changed)
• login/min_password_lng (minimum password length)
• login/fails_to_session_end (number of times a user can enter an incorrect password before the system terminates the logon attempt)
• login/fails_to_user_lock (number of times per day a user can enter an incorrect password before the system locks the user master record)
• login/failed_user_auto_unlock (specifies whether a user master record locked by an excessive number of invalid logon attempts unlocks itself automatically; a value of 0 means the user master record must be unlocked by the administrator)
• auth/check_value_write_on (enables transaction SU53 for authorization analysis when set to a value greater than 0)
• auth/no_check_on_TCODE (the system checks transaction code access against the S_TCODE authorization object; where available, setting this parameter to Y switches the transaction code authorization check off)
• auth/system_access_check_off (switches off the automatic authorization check for particular ABAP/4 language elements: file operations, CPIC calls and calls to kernel functions; provided for downward compatibility of the R/3 kernel; value 0 keeps the check active)
• rdisp/gui_auto_logout (specifies after how many seconds of inactivity the user is logged out automatically; 0 disables the automatic logout)
Confirm that the system profile parameter files and default.pfl are protected from unauthorized access. Confirm that there is a mechanism or process to check the profiles regularly for inappropriate changes. Obtain any related change documentation and ensure that:
• The documentation is authorized.
• Related log entries reflect the expected changes.
Obtain a current printout of report RSUSR006 and review it for unusual items or trends. Determine whether management has a process for frequent monitoring of unsuccessful logon attempts and/or locked users via a review of this report; if yes, obtain details of the frequency of monitoring. Review a reasonable sample of previously followed-up reports and assess the appropriateness of the follow-up on unusual findings.
Run report RSUSR200. Review and follow up on:
• Users with initial (original) passwords
• Users who have not logged in during the last 60 days
• Users who have not changed their passwords in the last 60 days (or whatever period is appropriate for the organization)
Obtain a sample of user master records in the production environment and work with the authorization security administrator and the job descriptions to assess segregation of duties (refer to chapter 4 for more guidance) and the appropriateness of the access granted.
COBIT: DS5, AI6, ME1, PO4
3.4 Critical and sensitive transaction codes are locked in production.
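To compare the RSPARAM printout from 3.3.1 with a policy mechanically, the following Python script (an added example, not from the ISACA program or from SAP) applies a hypothetical standard to a constructed RSPARAM-style dump. The thresholds in RULES are assumptions standing in for the organization's own standard. The detail worth taking from it is the RSPARAM semantics: a blank user-defined value means the kernel default applies, so the default column must be evaluated, not skipped, and a parameter missing from the dump altogether is itself a finding.

```python
"""Policy check over an RSPARAM-style parameter dump (added example, test 3.3.1)."""

# Constructed sample in RSPARAM column order: parameter, user-defined value, system
# default (assumption; not from a real instance). A blank user-defined value means the
# kernel default is in effect.
SAMPLE_RSPARAM = [
    ("login/password_expiration_time", "", "0"),
    ("login/min_password_lng", "6", "3"),
    ("login/fails_to_session_end", "", "3"),
    ("login/fails_to_user_lock", "12", "12"),
    ("login/failed_user_auto_unlock", "1", "1"),
    ("rdisp/gui_auto_logout", "0", "0"),
    ("auth/check_value_write_on", "1", "1"),
    ("auth/no_check_on_TCODE", "N", "N"),
    ("auth/system_access_check_off", "0", "0"),
]

# Hypothetical organizational standard (assumption): a predicate on the effective
# value plus the finding text used when the predicate fails.
RULES = {
    "login/password_expiration_time": (lambda v: 0 < int(v) <= 90,
        "passwords must expire within 90 days (0 = never expire)"),
    "login/min_password_lng": (lambda v: int(v) >= 8,
        "minimum password length below 8"),
    "login/fails_to_session_end": (lambda v: 1 <= int(v) <= 3,
        "more than 3 failed attempts per logon session"),
    "login/fails_to_user_lock": (lambda v: 1 <= int(v) <= 5,
        "more than 5 failed attempts before the user is locked"),
    "login/failed_user_auto_unlock": (lambda v: int(v) == 0,
        "locked users unlock themselves; administrator unlock is required"),
    "rdisp/gui_auto_logout": (lambda v: 0 < int(v) <= 900,
        "no inactivity logout within 15 minutes (value is in seconds, 0 = off)"),
    "auth/check_value_write_on": (lambda v: int(v) > 0,
        "SU53 authorization analysis disabled"),
    "auth/no_check_on_TCODE": (lambda v: v.strip().upper() != "Y",
        "S_TCODE transaction start check switched off"),
    "auth/system_access_check_off": (lambda v: int(v) == 0,
        "automatic checks on file/CPIC/kernel calls switched off"),
}


def effective_value(user_value: str, default: str) -> str:
    """RSPARAM semantics: the user-defined value wins, otherwise the default applies."""
    return user_value.strip() or default.strip()


def check_parameters(rows):
    """Return [(parameter, effective value, finding)] for every rule that fails,
    plus a finding for any policy parameter missing from the dump."""
    findings, seen = [], set()
    for name, user_value, default in rows:
        seen.add(name)
        if name not in RULES:
            continue
        value = effective_value(user_value, default)
        predicate, message = RULES[name]
        try:
            ok = predicate(value)
        except ValueError:  # non-numeric where a number is expected
            ok = False
        if not ok:
            findings.append((name, value, message))
    for name in RULES:
        if name not in seen:
            findings.append((name, "<absent>", "parameter not present in RSPARAM output"))
    return findings


if __name__ == "__main__":
    for name, value, message in check_parameters(SAMPLE_RSPARAM):
        print(f"{name} = {value!r}: {message}")
```

Run against the sample, the script reports five deviations, three of which (password expiry, session-end count, automatic unlock) come from defaults that were never overridden; that is the case a manual review of only the user-defined column misses.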
3.4.1 Execute report RSUSR002 with transaction code SM01 to list all users who can lock or unlock transaction codes in the system. Review and confirm this list with management to ensure that only authorized users have this access.
3.4.2 Transaction code SM01 displays a list of transaction codes with a check box beside each; a cross in the check box indicates that the transaction code is locked. Sensitive transaction codes should be reviewed to ensure they have been locked from user access. Such transaction codes include, but are not limited to:
• SCC5 Client Delete
• SCC0 Client Copy (may overwrite the production client)
• SM49 Execute External OS Commands (may allow pass-through to the operating system)
• SM69 Maintain External OS Commands (may allow pass-through to the operating system)
A lock in SM01 only prevents the transaction from being started by its code; the underlying program can still be run via SA38/SE38 or a custom transaction code by a user who holds the program authorization, so the lock complements the authorization checks rather than replacing them.
3.5 Users are prevented from logging in with trivial or easily guessable passwords.
3.5.1 Based on the review of the key security policies, determine whether there are any character combinations (apart from the SAP R/3 standards) that the policy prohibits. If yes, obtain a printout of the contents of table USR40 (entries may use the wildcards * and ?) and confirm that the list of "illegal" words is contained therein. COBIT: PO6, DS5
3.6 SAP Router is configured to act as a gateway to secure communications into and out of the SAP R/3 environment.
SAP Router
3.6.1 Discuss with the operating system administrators the procedures surrounding changes to SAP Router and the procedures for restarting SAP Router when it goes down. COBIT: AI4, DS5, M1, M2
3.6.2 Obtain a list of individuals with view and/or change access to the SAP Router binary.
Review the list with key management and assess the appropriateness of the segregation of duties.
3.6.3 Request from the operating system administrator an extract of the SAP Router route permission table (the saprouttab file; for example, via the UNIX command saprouter -L <path>). Review the permission table with the operating system administrator. Compare it with the network diagram to assess the appropriateness of the IP addresses, and with change control documentation to confirm that management has appropriately authorized changes. The table is evaluated top-down and the first matching entry decides, so a broad permit (P) entry placed above a deny (D) entry renders the deny ineffective.
3.6.4 If logging is active, ascertain the frequency with which the logs are reviewed and followed up.
3.6.5 Obtain a reasonable sample of the logs and review them with the operating system administrator.
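The review in 3.6.3 is the kind of check that is easy to do by eye on a ten-line table and unreliable on a long one. The following Python script is an added example, not part of the ISACA program or of SAP's tooling; it parses the P (permit), S (permit only with SNC) and D (deny) entries of a constructed saprouttab, reproduces the first-match evaluation so individual connections can be tested, and raises the findings an auditor would compare against the network diagram: permits from or to any host or service, targets that are not on the approved list, cleartext route passwords, and deny entries shadowed by an earlier catch-all. The table content, host names and approved target list are constructed assumptions; the K* entry types for SNC names are not handled and are rejected by the parser.

```python
"""Review of an SAP Router route permission table (added example, test 3.6.3)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Route:
    lineno: int
    kind: str       # P = permit, S = permit only SNC-protected connections, D = deny
    src: str        # source host or pattern ('*' wildcards as in saprouttab)
    dst: str        # destination host or pattern
    service: str    # destination service/port or '*'
    password: str = ""


def parse_saprouttab(text: str):
    """Parse P/S/D entries; '#' starts a comment. Order is preserved because it matters."""
    routes = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("P", "S", "D") or len(parts) < 4:
            raise ValueError(f"line {n}: unsupported or malformed entry: {raw!r}")
        routes.append(Route(n, parts[0], parts[1], parts[2], parts[3],
                            parts[4] if len(parts) > 4 else ""))
    return routes


def decide(routes, src, dst, service):
    """First-match evaluation; a connection matching no entry is refused ('D')."""
    for r in routes:
        if fnmatchcase(src, r.src) and fnmatchcase(dst, r.dst) and fnmatchcase(service, r.service):
            return r.kind
    return "D"


def review(routes, approved_targets):
    """Findings to raise against the network diagram. approved_targets holds the
    (host, service) pairs that should be reachable through the router."""
    findings = []
    for i, r in enumerate(routes):
        if r.kind == "D":
            # A deny below a permit-all is never reached.
            if any(e.kind != "D" and e.src == "*" and e.dst == "*" and e.service == "*"
                   for e in routes[:i]):
                findings.append((r.lineno, "deny rule shadowed by an earlier permit-all"))
            continue
        if r.src == "*":
            findings.append((r.lineno, "permit from any source"))
        if r.dst == "*" or r.service == "*":
            findings.append((r.lineno, "permit to any target host or service"))
        elif (r.dst, r.service) not in approved_targets:
            findings.append((r.lineno, f"target {r.dst}:{r.service} not on the network diagram"))
        if r.kind == "P" and r.password:
            findings.append((r.lineno, "route password stored in cleartext in the table"))
    return findings


# Constructed sample table (assumption; not from a real installation).
SAMPLE_TABLE = """\
# SAP Router route permission table (constructed)
P 10.10.5.*     sapprd01 3200        # SAP GUI users on the office LAN
P 10.10.5.*     sapprd01 3299        # SAP Router to SAP Router
S 192.168.50.7  sapprd01 3200        # support partner, SNC required
P 10.10.9.4     sapdev01 3200 s3cret # route password in cleartext
P * * *                              # "temporary" catch-all
D * * *
"""
APPROVED = {("sapprd01", "3200"), ("sapprd01", "3299")}


def sample_review():
    return review(parse_saprouttab(SAMPLE_TABLE), APPROVED)


if __name__ == "__main__":
    routes = parse_saprouttab(SAMPLE_TABLE)
    print(decide(routes, "10.10.5.22", "sapprd01", "3200"))
    print(decide(routes, "203.0.113.9", "sapprd01", "3200"))  # permitted by the catch-all
    for lineno, msg in sample_review():
        print(f"line {lineno}: {msg}")
```

Testing individual connections with decide() is the quickest way to show an administrator that an Internet address reaches the production dispatcher through the "temporary" catch-all, and that the final deny line provides no protection at all.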
3.7 Remote access by software vendors is controlled adequately.
3.7.1 Determine the organization's approach to SAP Online Support Services (OSS). Verify the extent of access permitted and the processes used to request, approve, authenticate, grant, monitor and terminate OSS access. Check that changes made through this route are subject to the normal testing and migration controls. COBIT: DS2, DS5
3.7.2 Obtain a list of OSS users on the production client: enter transaction code OSS1 using the client's administrator ID, click on the SAPNET icon followed by the administration icon, and perform an authorization analysis by authorization object. This lists all users assigned OSS authorizations, by authorization object. In particular, the users assigned Administration Authorization and Open Service Connections should be reviewed for reasonableness with management.
3.8 SAP R/3 Remote Function Call (RFC) and Common Programming Interface-Communications (CPI-C) are secured.
3.8.1 Ascertain whether the logon information (dialog and/or non-dialog users) is stored and reviewed. Obtain a representative sample and review it to ensure that the dialog users are appropriate (i.e., valid employees with authorization) and that the non-dialog user IDs are appropriate. To do this, execute transaction code SM59, which displays the contents of table RFCDES, the table that controls communication between systems. The table lists the RFC destinations, including all R/3 connections on the system.
Expand each of the R/3 connections and double-click on each connection to verify that no dialog user ID is stored in the destination together with its password. A destination with a stored dialog user and password lets anyone who can call it act as that user on the target system, so the stored user should be a non-dialog user with only the authorizations the interface needs. COBIT: PO2, AI4, DS5, ME1, ME2
3.8.2 Determine whether these systems are protected with the appropriate network measures (e.g., SAP Router, firewalls, routers).
3.8.3 Assess the strength and adequacy (i.e., robustness) of the password measures used to authenticate RFC connections.
3.8.4 Confirm with the R/3 security authorization manager that authority checks are included in the function modules called via RFC.
3.8.5 Via report RSUSR002, identify users who have access to transaction code SM59. Assess whether this access is appropriate (work with user access management).
3.8.6 If using release 4.0 or higher, ascertain whether SNC protection has been applied to RFC calls. If yes, cross-reference to the SNC documentation and testing performed earlier.
3.9 Technology infrastructure is configured to secure communications and operations in the SAP R/3 environment.
Firewall
3.9.1 Discuss with the firewall administrators the procedures surrounding changes to the firewall rules and recovery of the firewalls in the event of an outage. COBIT: AI4, DS5, ME1, ME2
3.9.2 Obtain a list of individuals with view and/or change access to the firewall rules. Review the list with key management and assess the appropriateness of the segregation of duties. COBIT: DS5
3.9.3 Review the rule base with the firewall administrator. Compare it with the network diagram to assess the appropriateness of the IP addresses. COBIT: DS13
3.9.4 If logging is active, ascertain the frequency with which the logs are reviewed and followed up.
3.9.5 Obtain a reasonable sample of the logs and review them with the firewall administrator.
Secure Network Communications (SNC)
3.9.6 Identify the communication paths that have been protected by SNC or an external security product. COBIT: AI4, DS5, ME1, ME2
3.9.7 Assess whether the level of protection is appropriate for each of the communication paths. Use the requirements set out in the information security policy and the various risk assessments to assist in the assessment.
3.9.8 Review the configuration for each path with the network security administrator for appropriateness.
Secure Store and Forward (SSF) Mechanisms and Digital Signatures
3.9.9 Determine whether there are any regional laws or regulations governing the use of digital signatures with which the organization must comply. If yes, confirm that the organization is in compliance. COBIT: ME3, DS5
3.9.10 Determine whether the organization uses an external product for SSF.
If yes:
• Ascertain whether the organization uses hardware- or software-based keys.
• Describe the controls surrounding the issuance and changing of the public and private keys.
• Ascertain whether the organization uses self-signed certificates or CA-signed certificates.
COBIT: PO2, DS5, DS13
3.9.11 If using release 4.5 or higher, determine whether SAPSECULIB is used as the default SSF provider. If yes, determine whether the file SAPSECU.pse is protected from unauthorized access; the PSE holds the system's private key, so anyone who can read it can sign on the system's behalf. COBIT: DS5
Workstation Security
3.9.12 Via inspection, ensure that staff use the available security measures for workstations and PCs (for example, screen savers, power-on passwords, third-party security products, physical controls). Consider specifically whether:
• Users are able to bypass screen saver or power-on passwords.
• Screen savers activate automatically or are (as a rule) activated by users when they leave their work areas.
COBIT: DS5
3.9.13 Regarding virus protection, determine whether:
• Virus scanners are used on the network and/or workstations.
• Virus signatures are kept up to date.
• There is a procedure for disseminating virus education to users.
COBIT: DS5, DS13
3.9.14 Assess the adequacy of physical controls. Consider specifically:
• Are the workstations in secure or restricted areas?
• How is the area secured (e.g., security cards, keys, combination locks)?
• Do individuals circumvent these controls (e.g., piggyback at the entrance, prop open the door)?
COBIT: DS12, DS5
Operating System and Database Security
3.9.15 Work with the system and database administrators to confirm that the passwords on the standard operating system and database user IDs have been changed, that appropriate security parameters have been set, and that appropriate security procedures are in place and operating. Direct access to the database (for example as the <sid>adm operating system user or the schema owner) bypasses every SAP R/3 authorization check, so these accounts warrant the same scrutiny as SAP*. COBIT: DS5
4. Application Security (Profile Generator and Security Administration)
4.1 Duties within the security administration environment are segregated adequately.
4.1.1 Determine whether the system administrator tasks are segregated into the following administrator functions by generating user lists for the following authorizations using report RSUSR002.
• For the Profile Generator:
- Create and change Activity Groups: used to define and update Activity Groups. Use authorization object S_USER_AGR with authorization field values 01 and 02. Test in conjunction with transaction code PFCG.
- Transport Activity Groups: used to transport or activate Activity Groups to/in production. Use authorization object S_USER_AGR with authorization field value 21. Test in conjunction with transaction code PFCG.
- Transfer profiles to user master records: used to assign or transfer authorization profiles into the user master records of the relevant Activity Group users. Use authorization object S_USER_AGR with authorization field value 22. Test in conjunction with transaction code PFCG.
• For manual maintenance:
- User master maintenance, Authorizations: defines and updates authorization profiles and authorizations. Test in conjunction with transaction code SU03. Recommended settings:
  - Authorization object S_USER_PRO with authorization field values 01, 02, 03, 06, 08
  - Authorization object S_USER_AUT with authorization field values 01, 02, 03, 06, 08
- User master maintenance, Activation: activates authorization profiles and authorizations but cannot create or change them. Test in conjunction with transaction code SU02. Recommended settings:
  - Authorization object S_USER_PRO with authorization field values 06, 07
  - Authorization object S_USER_AUT with authorization field values 06, 07
- User master maintenance, User Groups: defines, creates and edits user master records, edits the list of profiles in a user master record and sets user parameters. Test in conjunction with transaction code SU01. Recommended settings:
  - Authorization object S_USER_GRP with authorization field values 01, 02, 03, 06, 22
  - Authorization object S_USER_PRO with authorization field value 22
Only the superuser should have authorization field value 05, which allows locking and unlocking users (preventing or allowing logons) and changing passwords.
Hard copies of the RSUSR100/101/102 reports should be assessed for evidence of review and action by management.
4.1.2 Test user access to effect mass changes to user master records: authorization objects S_USER_GRP and S_USER_PRO with authorization field values 01, 02, 05 and 06, and transaction codes SU10 (delete/add a profile for all users) and SU12 (delete all users).
4.2 Adequate security authorization documentation is maintained.
4.2.1 Select a random sample of authorized change documentation pertaining to changes to user master records. Run report RSUSR100 and assess whether the changes made are as documented. COBIT: AI6, DS5, ME1
4.2.2 Select a random sample of authorized change documentation pertaining to changes to profiles. Run report RSUSR101 and assess whether the changes made are as documented. COBIT: AI6, DS5, ME1
4.2.3 Select a random sample of authorized change documentation pertaining to changes to authorizations. Run report RSUSR102 and assess whether the changes made are as documented. COBIT: AI6, DS5, ME1
4.3 The superuser SAP* is secured properly.
4.3.1 To determine whether the SAP* user has been locked, execute transaction SA38 (Reporting) with report name RSUSR002 and press F8. Enter SAP* in the User field and press F8. Verify that the Group field for SAP* says SUPER. Click on the Other View button twice.
The User status field for SAP* should say Locked. Locking alone is not sufficient: if the SAP* user master record is deleted, the kernel falls back to the built-in SAP* with the password PASS and full authorizations unless the profile parameter login/no_automatic_user_sapstar is set to 1, so confirm that parameter as well. COBIT: DS5
4.3.2 For SAP*, run report RSUSR003 to confirm that:
• The ID has been deactivated in all clients and a new superuser created.
• The password has been changed from the default (i.e., is not trivial).
4.4 Default users are secured properly.
4.4.1 To test whether the default passwords have been changed for DDIC, SAPCPIC and EarlyWatch, execute the SAP R/3 report RSUSR003. To determine whether the SAPCPIC and EarlyWatch users have been locked, execute transaction SA38 (Reporting) with report name RSUSR002 and press F8. Enter the user name in the User field and press F8. Verify that the Group field says SUPER. Click on the Other View button twice. The User status field should say Locked. COBIT: DS5
4.5 Access to powerful profiles is restricted.
4.5.1 Review users assigned the privileged profiles SAP_ALL and SAP_NEW for appropriateness. Users assigned these superuser profiles should belong to user group SUPER or equivalent, which should be maintained by a limited number of Basis personnel only.
To perform this test, execute transaction SA38 and enter report name RSUSR002. In the section Selection Criteria for User, enter SAP_ALL in the Profile field, click on the button to the right of the text box, enter SAP_NEW in the first empty text box and click on Copy. Executing the report lists all users with superuser functionality. Other powerful profiles that should be checked for user access include S_A.USER and S_A.ADMIN (used to administer user master record authorizations). Profile names alone understate the population: a user can hold SAP_ALL-equivalent authorizations in a custom profile or Activity Group without the profile name, so complement this test with a selection by critical authorization values (for example S_TCODE with value * together with S_USER_GRP with activity *).
Check the user list identified by this test to ascertain whether the individuals with access to the above-mentioned functionality require it, based on their job responsibilities and established policies, procedures, standards and guidance.
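The user master checks in 3.3.1 (RSUSR200 follow-up), 4.3 (SAP*), 4.4 (default users) and 4.5 (powerful profiles) can be run together over one exported user list. The following Python script is an added example, not part of the ISACA program or of SAP; it applies those tests to a constructed list of user records shaped like the RSUSR002/RSUSR200 output (name, group, lock status, initial-password indicator, last logon, last password change, profiles) as of a fixed review date. The user names, dates and profiles are constructed assumptions, and DDIC is deliberately not required to be locked because the document's test for it is the RSUSR003 default-password check, which needs the live system.

```python
"""User master review over an exported user list (added example, tests 3.3.1, 4.3 to 4.5)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class UserRecord:
    name: str
    group: str
    locked: bool
    initial_password: bool          # RSUSR200: password never changed by the user
    last_logon: Optional[date]
    last_pw_change: Optional[date]
    profiles: tuple


POWERFUL_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.USER", "S_A.ADMIN"}
MUST_BE_LOCKED = {"SAP*", "SAPCPIC", "EARLYWATCH"}  # DDIC stays usable; test its password via RSUSR003
PRIVILEGED_GROUP = "SUPER"


def review_users(users, as_of: date, max_idle_days: int = 60):
    """Return [(user, finding)] for the checks in tests 3.3.1 and 4.3 to 4.5."""
    findings = []
    for u in users:
        if u.name in MUST_BE_LOCKED and not u.locked:
            findings.append((u.name, "standard user not locked"))
        if u.name == "SAP*" and u.group != PRIVILEGED_GROUP:
            findings.append((u.name, "SAP* not in group SUPER"))
        if set(u.profiles) & POWERFUL_PROFILES and u.group != PRIVILEGED_GROUP:
            findings.append((u.name, "powerful profile outside group SUPER"))
        if u.locked:
            continue  # the hygiene checks below apply to usable accounts only
        if u.initial_password:
            findings.append((u.name, "initial password never changed"))
        elif u.last_pw_change is None or (as_of - u.last_pw_change).days > max_idle_days:
            findings.append((u.name, f"password not changed in {max_idle_days} days"))
        if u.last_logon is None or (as_of - u.last_logon).days > max_idle_days:
            findings.append((u.name, f"no logon in {max_idle_days} days"))
    return findings


# Constructed sample export (assumption; not from a real system).
AS_OF = date(2006, 6, 30)
SAMPLE_USERS = [
    UserRecord("SAP*", "SUPER", False, False, date(2006, 6, 29), date(2006, 6, 1), ("SAP_ALL",)),
    UserRecord("DDIC", "SUPER", False, False, date(2006, 6, 20), date(2006, 5, 15), ("SAP_ALL",)),
    UserRecord("SAPCPIC", "SUPER", True, True, None, None, ("S_A.CPIC",)),
    UserRecord("EARLYWATCH", "SUPER", False, True, None, None, ("S_TOOLS_EX_A",)),
    UserRecord("JSMITH", "FI_USERS", False, False, date(2006, 6, 28), date(2006, 6, 1),
               ("SAP_ALL", "Z_FI_AP")),
    UserRecord("TEMP01", "TEMP", False, True, None, None, ("Z_DISPLAY",)),
    UserRecord("BASIS1", "SUPER", False, False, date(2006, 6, 29), date(2006, 1, 15), ("SAP_ALL",)),
]


def sample_review():
    return review_users(SAMPLE_USERS, AS_OF)


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:<12} {finding}")
```

The split between the structural checks (lock status, group, profiles) and the hygiene checks (initial password, dormancy) matters: a locked SAPCPIC with an initial password is acceptable, while an unlocked EarlyWatch with one is three findings at once.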
4.6 The authorization group that contains powerful users is restricted.
4.6.1 Identify the system administrators within the organization and determine to which user groups their user IDs belong. Using report RSUSR002, review the system for users with authorization object S_USER_AGR (Profile Generator environment) with activity values 01, 02, 21 and 22 and transaction code PFCG, or authorization object S_USER_GRP (manual maintenance) with activity values 01, 02, 05 and 06 and transaction code SU01. The user group field in user master maintenance should be one of the values identified above; this is usually the group SUPER or ITO-SYSTEM.
4.7 Changes to critical SAP R/3 tables are logged by the system and reviewed by management.
4.7.1 Review the security procedures created by management that identify which tables are logged and how often the logs are reviewed by management. For changes to be logged, the system profile parameter rec/client must be activated; check this in report RSPARAM and ensure the value is set either to ALL or to the client numbers for which table logging is to be enabled. Changes imported by transport are logged only if the transport profile parameter RECCLIENT is set as well. Enter transaction code SE16 and enter table TPROT as the object name along with an X in the PROTFLAG field to identify the tables whose changes are logged. Run report RSTBPROT (table log) or RSTBHIST (table change analysis), which list all changes in the specified period to tables that have log data changes activated in their technical settings. Take a representative sample of changes to these tables and compare them with the original supporting information/documentation.
Obtain explanations for any changes for which supporting information or documentation is not available. COBIT: DS5
4.8 Changes made to the data dictionary are authorized and reviewed regularly.
4.8.1 Understand management's policies and procedures regarding the review of data dictionary reports. Assess the adequacy of such policies, procedures, standards and guidance, taking into account the:
• Frequency with which the review is performed
• Level of detail in the reports
• Other independent data with which management compares the reports
• Likelihood that the person performing the review will be able to identify exception items
• Nature of the exception items that they can be expected to identify
COBIT: DS5
4.9 Log and trace files are configured appropriately and secured.
4.9.1 For the security audit log, using release 4.0 or higher:
• Confirm that the security audit log has been activated by running report RSPARAM and confirming the following parameter values:
- rsau/enable (activates logging on the application server; if the value is 0, it is not active)
- rsau/local/file (specifies the location of the log; confirm that it is appropriately located)
- rsau/max_diskspace/local (specifies the maximum size of the log; confirm that the size is adequate for the organization)
• Obtain a listing of the events that are logged (this can be done via SM20). Review it for appropriateness and link it to any required logging specified in the security policies and standards. The audit log records only the event classes selected in the active filters (SM19); rsau/enable = 1 with no filter active logs nothing.
• Determine the frequency and thoroughness of the review of the logs. If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process, and review for unusual items.
COBIT: DS5, ME1
4.9.2 Review the system log:
• Run report RSPARAM and review the following parameter values to obtain the locations of the log files:
- rslg/local/file (location of the local log on the application server; default /usr/sap/<SID>/D20/log/SLOG<SAP_instance_#>)
- rslg/collect_daemon/host (application server that maintains the central log; default: hostname of the main instance)
- rslg/central/file (location of the active file of the central log on the application server; default /usr/sap/<SID>/SYS/global/SLOGJ)
- rslg/central/old_file (location of the old file of the central log on the application server; default /usr/sap/<SID>/SYS/global/SLOGJO)
- rslg/max_diskspace/local (maximum length of the local log; default 0.5 MB; the local log is written cyclically, so once the limit is reached the oldest entries are overwritten and a small value means evidence is lost before it is reviewed)
- rslg/max_diskspace/central (maximum length of the central log; default 2 MB)
- rstr/file (absolute path name of the trace file; the trace file name is TRACE<R/3 System Number>)
• Obtain a listing of the events that are logged (this can be done via SM21). Review for appropriateness (including the size of each local and central log file) and link to the required logging, which may be specified in the security policies and standards.
• Determine the frequency and thoroughness of the review of the logs. If possible, obtain a representative sample of the logs and assess the adequacy of the follow-up process, and review for unusual items.
• Work with the operating system administrator to determine who has permissions to these files. Ensure the access is appropriate.
COBIT: DS5, DS10, DS11, DS13, ME1
Revenue Business Cycle ICQ
(Response: Yes / No / N/A; Comment; COBIT Reference)

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Does relevant management, other than the initiators, check online reports of master data additions and changes back to source documentation on a sample basis? COBIT: DS11
1.1.2 Is access to create and change master data restricted to authorized individuals? COBIT: DS5
1.1.3 Have configurable controls been designed into the process to maintain the integrity of master data? COBIT: DS9
1.2 Master data remain current and pertinent.
1.2.1 Does management periodically review master data to check their currency and ongoing pertinence? COBIT: DS11
1.2.2 Have appropriate credit limits been loaded for customers? COBIT: DS2
2. Sales Order Processing
2.1 Sales orders are processed with valid prices and terms, and processing is complete, accurate and timely.
2.1.1 Is the ability to create, change or delete sales orders, contracts and delivery schedules restricted to authorized personnel? COBIT: DS5, AI6
2.1.2 Has the ability to modify sales pricing information been restricted to authorized personnel (refer to master data integrity 1.1.2)? COBIT: DS5
2.1.2 Has the system been configured to limit the overwriting of prices compared with the price master data (SAP allows either no changes or a defined tolerance level)?
2.1.3 Has the system been configured so that a sales order is blocked for further processing when the customer is given too low a price or the price the salesperson gives is not satisfactory (refer to master data integrity 1.1.3)? COBIT: DS9
2.1.4 Are fax orders reconciled periodically between the system and the fax printouts to reduce the risk of duplicate orders? COBIT: PO8
2.2 Orders are processed within approved customer credit limits.
2.2.1 Has the SAP R/3 software been configured to disallow the processing of sales orders that exceed customer credit limits? COBIT: DS9
2.3 Order entry data are completely and accurately transferred to the shipping and invoicing activities.
2.3.1 Are reports of open sales documents prepared and monitored to check for timely shipment? COBIT: ME1, DS11
3. Shipping, Invoicing, Returns and Adjustments
3.1 Controls are in place to prevent duplicate shipments or delays in shipping goods to customers.
3.1.1 Does the SAP R/3 software match goods shipped to open line items on an open sales order and close each line item as the goods are shipped, thereby preventing further shipments for those line items? COBIT: DS6
Are the available shipping reports used to assist in controlling the shipping process? COBIT: PO11
3.2 Invoices are generated using authorized terms and prices and are calculated and recorded accurately.
3.2.1 Does the SAP R/3 software automatically calculate invoice amounts and post invoices based on configuration data? COBIT: AI5
3.3 All goods shipped are invoiced in a timely manner.
3.3.1 Are reports of goods shipped but not invoiced, and of un-invoiced debit and credit note requests, prepared and investigated promptly? COBIT: DS5
3.3.2 Is the ability to create, change or delete picking slips, delivery notes and goods issues restricted to authorized personnel? COBIT: AI7
3.3.3 Are reports of invoices issued but not posted in FI prepared and investigated promptly? COBIT: AI7
3.4 Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
3.4.1 Is the ability to create, change or delete sales order returns and credit requests, and the subsequent credit note transactions, restricted to authorized personnel? COBIT: DS5
3.5 Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy and in a timely manner.
3.5.1 Are sales order return and credit request transactions matched to invoices?
3.5.2 Have processing controls, including a billing block or a delivery block, been configured to block credit memos or free-of-charge subsequent delivery documents that do not comply with the organization's policy on credits or returns? COBIT: AI2, DS9
4. Collecting and Processing Cash Receipts
4.1 Cash receipts are entered accurately, completely and in a timely manner.
4.1.1 Are bank statements reconciled to the general ledger regularly?
4.1.2 Has the system been configured to disallow processing of cash receipts outside of approved bank accounts? COBIT: DS9
4.1.3 Are customer open items and accounts receivable aging reports prepared and analyzed regularly? COBIT: AI4
4.2 Cash receipts are valid and are not duplicated.
4.2.1 Are receipts allocated to a customer's account supported by a remittance advice that cross-references an invoice number? COBIT: PO4
4.2.1 Is any unallocated cash, or any amount received that is not cross-referenced to an invoice number, followed up immediately with the customer? COBIT: DS11
4.3 Cash discounts are calculated and recorded accurately.
4.3.1 Have tolerance levels for allowable cash discounts and cash payment differences been defined in the SAP R/3 system such that amounts in excess of those levels cannot be entered? COBIT: PO9, PO8
4.4 Timely collection of cash receipts is monitored.
4.4.1 As for 4.1.3, are customer open items and accounts receivable aging reports prepared and analyzed regularly? COBIT: PO4, AI4
Expenditure Business Cycle ICQ
(Response: Yes / No / N/A; Comment; COBIT Reference)

1. Master Data Maintenance
1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Does relevant management, other than the initiators, check online reports of master data additions and changes back to source documentation on a sample basis? COBIT: PO4, DS11
1.1.2 Is access to create and change master data restricted to authorized individuals? COBIT: DS5
1.1.2 Are user accounts validated against HR lists, and is access in alignment with role requirements?
1.1.2 Are user accounts reviewed by management in line with organization policy?
1.1.3 Have configurable controls been designed into the process to maintain the integrity of master data? COBIT: DS9
1.1.4 Is a naming convention used for vendor names (e.g., as per letterhead) to minimize the risk of establishing duplicate vendor master records? COBIT: DS2
1.2 Master data remain current and pertinent.
1.2.1 Does management periodically review master data to check their currency and ongoing pertinence? COBIT: DS11
2. Purchasing
2.1 Purchase order entry and changes are valid, complete, accurate and timely.
2.1.1 Is the ability to create, change or cancel purchase requisitions, purchase orders and outline agreements (standing purchase orders) restricted to authorized personnel? COBIT: DS5, AI6
2.1.2 Does the SAP R/3 source list functionality allow specified materials to be purchased only from vendors included in the source list for that material? COBIT: DS2
2.1.3 Is the SAP R/3 release strategy used to authorize purchase orders, outline agreements (standing purchase orders) and unusual purchases (for example, capital outlays)? COBIT: AI6
2.2 Goods are received only for valid purchase orders, and goods receipts are recorded completely, accurately and in a timely manner.
2.2.1 When goods received are matched to open purchase orders, are receipts with no purchase order, or that exceed the purchase order quantity by more than an established amount, investigated? COBIT: DS6
2.2.1 Does management review exception reports of goods not received on time for recorded purchases? COBIT: DS5
2.2.2 Is the ability to input, change or cancel goods received transactions restricted to authorized inbound logistics/raw materials personnel? COBIT: DS5
2.3 Defective goods are returned to suppliers in a timely manner.
2.3.1 Are rejected raw materials adequately segregated from other raw materials in a quality assurance bonding area, and are they regularly monitored (assigned movement type 122) to ensure timely return to suppliers? COBIT: PO4
3. Invoice Processing
3.1 Amounts posted to accounts payable represent goods or services received.
3.1.1 Is the ability to input, change, cancel or release vendor invoices for payment restricted to authorized personnel? COBIT: DS5
3.1.1 Is the ability to input vendor invoices that do not have a purchase order and/or goods receipt as support further restricted to authorized personnel? COBIT: DS5
3.2 Accounts payable amounts are calculated completely and accurately and recorded in a timely manner.
3.2.1 Is the SAP R/3 software configured to perform a three-way match? COBIT: DS9
3.2.2 Is the SAP R/3 software configured with quantity and price tolerance limits? COBIT: DS9
3.2.3 Is the GR/IR account regularly reconciled? COBIT: DS11
3.2.4 Are reports of outstanding purchase orders regularly reviewed? COBIT: DS11
3.2.5 Does the SAP R/3 software restrict the ability to modify the exchange rate table to authorized personnel? COBIT: DS5
3.2.5 Does management approve the values in the centrally maintained exchange rate table? COBIT: PO6
3.2.5 Does the SAP R/3 software automatically calculate foreign currency translation based on the values in the centrally maintained exchange rate table? COBIT: DS11
3.3 Credit notes and other adjustments are calculated completely and accurately and recorded in a timely manner.
3.3.1 Is the ability to input, change, cancel or release credit notes restricted to authorized personnel? COBIT: DS5
4. Processing Disbursements
4.1 Disbursements are made only for goods and services received, and are calculated, recorded and distributed to the appropriate suppliers accurately and in a timely manner.
4.1.1 Does management approve the SAP R/3 payment run parameter specification? COBIT: PO6
4.1.2 Does the SAP R/3 software restrict to authorized personnel the ability to release invoices that have been blocked for payment, either for an individual invoice or for a specified vendor? COBIT: DS5
Inventory Business Cycle ICQ. Each question is answered Yes / No / N/A with a comment; the bracketed codes are the COBIT references.

1. Master Data Maintenance

1.1 Changes made to master data are valid, complete, accurate and timely.
1.1.1 Does relevant management, other than the initiators, check online reports (using transaction code MM04) of master data additions and changes back to source documentation on a sample basis? [DS11]
1.1.1 Do persons independent of day-to-day custody or recording of inventory count physical inventory on a continuous inventory basis? [ME2]
1.1.1 Are monthly stock takes performed? [DS13]
1.1.1 Where inventory adjustment forms are used, are they sequentially pre-numbered, and is the sequence of such forms accounted for? [DS13]
1.1.2 Have the creation and maintenance of master data been assigned and restricted to a dedicated area within the organization that understands how they may affect organizational processes and the importance of timely changes? [DS11]
1.1.3 Have configurable controls been designed into the process to maintain the integrity of master data? [DS9]

1.2 Inventory master data remain current and pertinent.
1.2.1 Does management periodically review master data to check their currency and ongoing pertinence? [DS11]

1.3 Settings or changes to the bill of materials or process order settlement rules are valid, complete, accurate and timely.
1.3.1 Is the ability to create, change or delete the bill of materials restricted to authorized personnel? [AI6, DS5]
1.3.2 Does relevant management, other than the initiators, check online reports of bill of materials or settlement rule additions and changes back to source documentation on a sample basis? [PO4]

2. Raw Materials Management

2.1 Inventory is saleable, useable and adequately safeguarded.
2.1.1 Are raw material requirements planned based on forecast orders and production plans, and does the system functionality monitor and maintain inventory levels in accordance with organization policies? [DS1, DS3]
2.1.1 Is the saleability of finished goods and usability of raw materials (including shelf life dates) assessed regularly during continuous inventory counts, and are any goods or raw materials scrapped appropriately approved? [DS3]
2.1.1 Does the quality department test a sample of raw materials, and are rejected raw materials adequately segregated from other raw materials into a separate quality assurance bonding area and regularly monitored by quality department personnel to ensure timely return to suppliers? [DS6]
2.1.1 Does management review reports of slow-turnover inventory to ensure that it is still saleable or useable? [DS11]
2.1.1 Do goods inwards/outwards personnel monitor all incoming and outgoing vehicles and ensure that all goods leaving the premises are accompanied by duly completed documentation (e.g., intercompany stock transfer order, delivery docket or goods returned note)? [DS3]
2.1.1 Are goods delivered only to designated, physically secure loading bays within the warehouses, and are they accepted only by authorized inbound logistics/raw materials personnel? [DS12, DS3]
2.1.1 Is inventory stored in properly secured (gates locked at night and premises alarmed), environmentally conditioned warehouse locations where access is restricted to authorized personnel? [DS12]

2.2 Raw materials are received and accepted only with valid purchase orders, and are recorded accurately and in a timely manner.
2.2.1 Are goods received matched online with purchase order details and/or invoices? [DS13]
2.2.1 Are long-outstanding goods receipt notes, purchase orders and/or invoices investigated promptly and accrued as appropriate? [ME2]
2.2.1 Are documents cancelled once matched, or on payment of the invoice, to prevent reuse? [PO8]
2.2.1 Does management review exception reports of goods not received on time for recorded purchases? [ME1]
2.2.2 When goods received are matched to open purchase orders, are receipts with no purchase order, or that exceed the purchase order quantity by more than an established amount, investigated? [PO8]
2.2.3 Is the ability to input, change or cancel goods received transactions restricted to authorized inbound logistics/raw materials personnel? [DS5]
2.2.4 Do persons independent of day-to-day custody or recording of inventory count physical inventory on a continuous inventory basis? [PO4]
2.2.4 Are inventory counts reconciled to inventory records, and inventory records reconciled to the general ledger? [PO8]

2.3 Defective raw materials are returned to suppliers in a timely manner.
2.3.1 Are rejected raw materials adequately segregated from other raw materials in a quality assurance bonding area, and are they regularly monitored (assigned movement type 122, return delivery to vendor) to ensure timely return to suppliers? [PO4, M2]
2.3.1 Are defective raw materials received from suppliers logged and recorded in the quality management system, and is the log monitored to ensure that the defective goods are returned promptly and that credit is received in a timely manner? [DS2]

3. Producing and Costing Inventory

3.1 Transfers of materials to/from production, production costs and defective products/scrap are valid, recorded accurately, completely and in the appropriate period.
3.1.1 Are inventories received, including transfers, counted and compared to the pick list (which is used to record movements of inventory in the financial records) by personnel in the area assuming responsibility for the inventory (e.g., production, goods storage), and are they recorded in the appropriate period? [DS13]
3.1.1 Does management reconcile the goods-in-transit accounts regularly, and do these accounts net off against other plants' outgoing goods-in-transit accounts? [PO8, DS3]
3.1.1 Is an appropriate costing method used for raw materials at purchase order price, and is the raw materials costing rolled into finished goods on a monthly basis? [DS13]
3.1.1 Does the quality department, based on their knowledge of day-to-day activities, review records of scrapped and reworked items and check whether such items have been correctly identified and properly recorded in the appropriate accounting period? [DS3]
3.1.2 Is the ability to create or change bills of material restricted to authorized personnel? [DS5, AI6]
3.1.3 Is access to the material transfers and adjustments transactions appropriately restricted to authorized personnel? [DS5, AI6]
3.1.4 Is the ability to create or change work centers restricted to authorized personnel? [DS5, AI6]

4. Handling and Shipping Finished Goods

4.1 Finished goods received from production are recorded completely and accurately in the appropriate period.
4.1.1 Do persons independent of day-to-day custody or recording of inventory count physical inventory on a continuous inventory basis (refer 1.1.1)? [PO4]
4.1.2 Is the changing of the settlement rules restricted to authorized users (refer 1.3.1)?

4.2 Goods returned by customers are accepted in accordance with the organization's policies.
4.2.1 Are quality-control inspections performed for finished goods returned by customers and/or received from production to assess whether such goods should be returned to inventory, reworked or scrapped? [M1, PO11]
4.2.1 Does the QA team inspect the goods before a credit note can be issued?

4.3 Shipments are recorded accurately, timely and in the appropriate period.
4.3.1 Is access restricted to transferring stock between plants or executing the post goods issue that creates the intercompany stock transfer advice and/or generates an electronic (EDI) or manual invoice? [DS12]
4.3.1 Do outbound logistics/finished goods personnel monitor all incoming and outgoing vehicles and ensure that all goods leaving the premises are accompanied by duly completed documentation (e.g., delivery docket or goods returned note)? [ME1]
4.3.1 Before goods are shipped, are the details of the approved order compared to the actual goods prepared for shipment by an individual independent of the order picking process? [PO4]
4.3.2 Are the SAP R/3 reports of open sales documents (delivery due list and owed-to-customer report) prepared and monitored to ensure timely shipment? [DS11]
4.3.2 Does the SAP R/3 account assignment configuration ensure that amounts for shipped goods are posted to the appropriate cost-of-goods-sold account?
Basis Security ICQ. Each question is answered Yes / No / N/A with comments; the bracketed codes are the COBIT references.

SAP R/3 Control Environment

A. Establish control over information and information systems.
A1 Has senior management established policies and standards governing the information systems of the entity? [PO6]
A2 Has senior management assigned responsibilities for information, its processing and its use? [PO2]
A3 Is user management responsible for providing information that supports the entity's objectives and policies? [PO4]
A4 Is user management responsible for the completeness, accuracy, authorization, security and timeliness of information? [PO8, DS11]
A5 Is information systems management responsible for providing the information systems capabilities necessary for achievement of the defined information systems objectives and policies of the entity? [PO3, DS1, DS3]
A6 Does senior management approve plans for development and acquisition of information systems? [PO5]
A7 Does senior management monitor the extent to which development/configuration, operation and control of information systems comply with established policies and plans? [ME1]
A8 Are there outstanding audit findings from previous years? [ME1, ME2]

B. Ensure that the information systems selected (whether new implementation or upgrade) meet the needs of the entity.
B1 Are there procedures to ensure that decisions to develop or acquire information systems are made in accordance with the objectives and policies of the entity? [PO5, AI1]
B2 Are there procedures to determine costs, savings and benefits before a decision is made to develop or acquire an information system? [AI1]
B3 Are there procedures to ensure that the information system being developed or acquired meets user requirements? [AI1]
B4 Are there procedures to ensure that information systems, programs and configuration changes are adequately tested prior to implementation? [AI2, AI3]

C. Ensure that the acquisition and configuration of information systems (whether new implementation or upgrade) are carried out in an efficient and effective manner.
C1 Are standards established and enforced to ensure the efficiency and effectiveness of the systems acquisition and configuration process? [PO10, AI1, AI2]
C2 Are there procedures to ensure that all systems are acquired and configured in accordance with the established standards? [AI2]
C3 Is an approved acquisition plan (project plan) used to measure progress? [PO10]
C4 Do all personnel involved in system acquisition and configuration activities receive adequate training and supervision? [PO7]

D. Ensure the efficient and effective implementation or upgrade of information systems.
D1 Has responsibility been assigned for implementation/configuration/upgrade of information systems? [PO4]
D2 Are there procedures to ensure the efficiency and effectiveness of the implementation/configuration/upgrade of information systems? [AI4]
D3 Are there procedures to ensure that information systems are implemented/configured/upgraded in accordance with the established standards? [AI3]
D4 Is an approved implementation plan used to measure progress? [PO10]
D5 Is effective control maintained over the conversion of information and the initial operation of the information system? [AI7]
D6 Does user management participate in the conversion of data from the existing system to the new system? [AI7]
D7 Is final approval obtained from user management prior to going live with a new or upgraded information system? [AI7]

E. Ensure the efficient and effective maintenance of information systems.
E1 Are there procedures to document and schedule all planned changes to information systems (including key ABAP programs)? [AI6]
E2 Are there procedures to ensure that only authorized changes are initiated? [AI6]
E3 Are there procedures to ensure that only authorized, tested and documented changes to information systems are accepted into the production client? [AI7, AI6]
E4 Are there procedures to report planned information systems changes to information systems management and to the users affected? [AI6, DS8]
E5 Are there procedures to allow for and control emergency changes? [AI6]
E6 Are controls in place to prevent unauthorized changes to information systems (including key ABAP programs)? [AI6, DS5]

F. Ensure that present and future requirements of users of information systems processing can be met.
F1 Are there written agreements between users and information systems processing defining the nature and level of services to be provided? [DS1]
F2 Is there appropriate management reporting within information systems processing? [DS4, ME1]
F3 Does information systems processing management keep senior and user management informed about technical developments that could support the achievement of the objectives and policies of the entity? [DS3, DS4]
F4 Are there procedures/capacity planning activities to examine the adequacy of information processing resources to meet entity objectives in the future? [DS3]
F5 Are there periodic planning activities to examine the adequacy of the volume of skilled staff (i.e., operating system, hardware, network, R/3) to support the systems now and in the future? [PO7]
F6 Are there procedures for the approval, monitoring and control of the acquisition and upgrade of hardware and systems software? [AI3, DS3]
F7 Is there a process for monitoring the volume of named and concurrent SAP R/3 users to ensure that the license agreement is not being violated? [ME3, DS3]
F8 If the R/3 implementation is not at the most current version, is there a planned upgrade approach? [PO3, AI3, DS3]

G. Ensure the efficient and effective use of resources within information systems processing.
G1 Are budgets for information systems processing activities prepared on a regular basis? [PO5]
G2 Are standards established and enforced to ensure efficient and effective use of information systems processing? [PO6]
G3 Is there an incident management process that ensures that information-processing problems are detected and corrected on a timely basis? [DS5, DS10]
G4 Are users of information systems processing facilities accountable for the resources used by them? [DS6]

H. Ensure that there is an appropriate segregation of incompatible functions within the entity.
H1 Does the organization structure established by senior management provide for an appropriate segregation of incompatible functions? [PO4]

I. Ensure that all access to information and information systems is authorized.
I1 Are there procedures to ensure that information and information systems are accessed in accordance with established policies and procedures? [DS5]

J. Ensure that information systems processing is protected physically from unauthorized access and from accidental or deliberate loss or damage.
J1 Are the database, application and presentation servers located in a physically separate and protected environment (i.e., a data center)? [DS12]
J2 Are there procedures to ensure that environmental conditions (such as temperature and humidity) for hardware facilities are adequately controlled? [DS12]

K. Ensure that information processing can be recovered and resumed after operations have been interrupted.
K1 Are there procedures to allow information processing to resume operations in the event of an interruption? [DS4]
K2 Are emergency, backup and recovery plans documented and tested on a regular basis to ensure that they remain current and operational? [DS4]
K3 Do personnel receive adequate training and supervision in emergency backup and recovery procedures? [DS4, DS7]

L. Ensure that critical user activities can be maintained and recovered following interruption.
L1 Are there backup and recovery plans to allow users of information systems to resume operations in the event of an interruption? [DS4]
L2 Are all information and resources required by users to resume processing backed up regularly? [DS4, DS11]
L3 Do user personnel receive adequate training and supervision in the conduct of the recovery procedures? [DS4, DS7]
L4 Are application controls designed with regard to any weaknesses in segregation, security, development and processing controls that may affect the information system? [DS4, DS5]
L5 Are there procedures to ensure that output is reviewed by users/management for completeness, accuracy and consistency? [DS4, ME1]
L6 Is there a method of verifying that control procedures relating to completeness, accuracy and authorization are operating? [DS4, ME2]
L7 Are there established policies and procedures for record retention? [DS4, PO6]

1. Application Installation (Implementation Guide and Organizational Model)

1.1 Configuration changes are made in the development environment and transported to production.
1.1.1 Has access to the Implementation Guide (IMG) in production been restricted? [DS5]
1.1.2 Have the production client settings (transaction SCC4) been flagged to not allow changes to programs and configuration? [DS9]

1.2 The Organizational Model has been configured correctly to meet the needs of the organization.
1.2.1 Was the Organizational Model well thought out and agreed upon early in the implementation, and did the relevant organization groups assist with key design decisions? [PO4]
1.2.2 Has access to the organization configuration functionality been restricted? [DS5]

1.3 Changes to critical number ranges are controlled.
1.3.1 Has the SAP R/3 software security been appropriately configured to restrict the ability to change critical number ranges (i.e., company codes, chart of accounts and accounting period data)? [DS5]
1.3.1 Has the production environment been set to non-modifiable? [AI6]

1.4 Access to system and customizing tables is restricted narrowly.
1.4.1 Have all of the customized SAP R/3 tables been assigned to the appropriate authorization group? [DS5, PO4]
1.4.2 Has the ability to modify critical tables been appropriately restricted in the production system? [DS5, AI6]

2. Application Development (ABAP/4 Workbench and Transport System)

2.1 Application modifications are planned, tested and implemented in a phased manner.
2.1.1 Are appropriate change control procedures followed for all transports? [AI6]
2.1.1 Has the production system change option (transaction SE06) been set to "No Changes Allowed"? [AI6]
2.1.1 Has the ability to create change requests been segregated from the ability to release them? [PO4]

2.2 Customized ABAP/4 programs are secured appropriately.
2.2.1 Have customized ABAP/4 programs been assigned to authorization groups? [PO4, DS5]
2.2.2 Has an AUTHORITY-CHECK statement been included within customized ABAP/4 programs, so that the user's authority to access objects is checked at run time, and is its result (sy-subrc) acted upon? [AI6]

2.3 The creation or modification of programs is performed in the development system and migrated through the test system to production.
2.3.1 Has access to directly change source code within the production environment been controlled very tightly? [AI6]

2.4 Access for making changes to the dictionary is restricted to authorized individuals.
2.4.1 Has the ability to make changes to the SAP R/3 data dictionary been restricted, and have access privileges been assigned appropriately based on job responsibilities? [PO4]

2.5 Access to modify and develop queries is restricted.
2.5.1 Have authorization groups for creating and running ABAP/4 Queries been established in the SAP R/3 software in such a way that some end users can maintain and execute queries while others can only execute existing queries? [PO4, DS5]

2.6 Relevant company codes are set to Productive in the production environment.
2.6.1 Have company codes that are working productively been set to Productive, to reduce the risk that deletion programs may reset the company code data by mistake? [AI6, PO4]

3. Application Operations (Computing Center Management System)

3.1 The Computing Center Management System is configured appropriately.
3.1.1 Have operation modes, instances and the Computing Center Management System (CCMS) timetable been correctly defined, such that the CCMS display will be meaningful? [AI2]
3.1.1 Is access to the system and start-up profiles tightly controlled? [AI6]
3.1.1 Are change procedures followed strictly, and are changes to the profiles well documented? [AI6, DS11]
3.1.1 Has access to the CCMS Alert Monitor been properly secured? [AI6, DS10]

3.2 Batch processing operations are secured appropriately.
3.2.1 Have batch input, batch administration and batch processing capabilities been restricted appropriately? [DS5, DS11]
3.2.1 Have batch upload programs created to load initial master data and take on balances been deleted from the production environment following go-live? [AI7]

3.3 Default system parameter settings have been reviewed and configured to suit the organization's environment.
3.3.1 During implementation, did the organization set the SAP R/3 system profile parameters to appropriate values? [AI4]

3.4 Critical and sensitive transaction codes are locked in production.
3.4.1 Have sensitive transaction codes been locked in the production environment (transaction SM01), and does the organization have procedures for locking and unlocking these transaction codes? [DS5, DS11]

3.5 Users are prevented from logging in with trivial or easily guessable passwords.
3.5.1 Has management set up a list of "illegal" passwords (table USR40) that users are not allowed to use? [DS5, DS13]

3.6 SAP Router is configured to act as a gateway to secure communications into and out of the SAP R/3 environment.
3.6.1 Is the network protected by SAP Router and a firewall? [DS5]
3.6.1 Are appropriate change management procedures for any modifications to the SAP Router permission table in place and operating? [AI6]
3.6.1 Is the SAP Router log file used to monitor remote communications activity? [DS5]
3.6.1 Are Secure Network Communications (SNC) and an external security product used to protect the communication between the components of the R/3 system?

3.7 Remote access by software vendors is controlled adequately.
3.7.1 Is SAP's or the support provider's access restricted to a test/development environment, ideally on a separate file server from the production environment, activated only on request, and is all activity logged and reviewed by an individual able to understand the actions that have been taken? [DS5, AI6]
3.7.2 Are changes subject to normal testing and migration controls before being implemented on the production system? [AI6]

3.8 SAP R/3 Remote Function Call (RFC) and Common Programming Interface for Communications (CPI-C) are secured.
3.8.1 Have the SAP R/3 RFC and CPI-C communications been secured so that any user who makes use of a connection is prompted to enter a user name and password? [DS5]
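Item 2.2.2 asks whether custom ABAP/4 programs contain an AUTHORITY-CHECK. Two things the question does not say, but an auditor looks for, are an AUTHORITY-CHECK whose result (sy-subrc) is never tested, which protects nothing, and a program that reads data before it checks, which has already disclosed the data by the time the check fails. The script below is an added example written for this page; it is not code from the ISACA guide or from SAP. It flattens ABAP source into statements, keeps only customer-namespace (Y*/Z*) programs and reports those three conditions. The sample programs, table names and authorization objects are constructed for illustration, the three-statement window within which sy-subrc must be tested is an assumed threshold, and the statement splitter is a heuristic that does not understand every ABAP construct, so treat its output as a list of programs to read, not as a verdict.

```python
"""Does custom ABAP source actually enforce its AUTHORITY-CHECK?

Flattens each program into statements (comments stripped, split on the '.'
terminator outside string literals) and reports, for customer programs only:
  HIGH    no AUTHORITY-CHECK statement at all
  HIGH    AUTHORITY-CHECK present but SY-SUBRC not tested afterwards
  MEDIUM  data is read (SELECT / CALL TRANSACTION / SUBMIT) before the first check
"""
from dataclasses import dataclass

SUBRC_WINDOW = 3   # assumption: SY-SUBRC must be tested within this many statements
DATA_ACCESS = ("SELECT ", "CALL TRANSACTION ", "SUBMIT ")


@dataclass
class Finding:
    program: str
    severity: str
    message: str


def strip_comments(source: str) -> str:
    """Drop full-line comments (* in column 1) and trailing " comments."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        in_literal = False
        for pos, ch in enumerate(line):
            if ch == "'":
                in_literal = not in_literal
            elif ch == '"' and not in_literal:
                line = line[:pos]
                break
        kept.append(line)
    return "\n".join(kept)


def split_statements(source: str) -> list[str]:
    """Split on '.' outside string literals; collapse whitespace, upper-case keywords."""
    statements, current, in_literal = [], [], False
    for ch in strip_comments(source):
        if ch == "'":
            in_literal = not in_literal
        if ch == "." and not in_literal:
            text = " ".join("".join(current).split()).upper()
            if text:
                statements.append(text)
            current = []
        else:
            current.append(ch)
    return statements


def is_customer_program(name: str) -> bool:
    """Customer namespace is Y*/Z*; registered /NAMESPACE/ prefixes are not handled here."""
    return name.upper().startswith(("Y", "Z"))


def review_program(name: str, source: str) -> list[Finding]:
    stmts = split_statements(source)
    checks = [i for i, s in enumerate(stmts) if s.startswith("AUTHORITY-CHECK ")]
    if not checks:
        return [Finding(name, "HIGH", "no AUTHORITY-CHECK statement in program")]
    findings = []
    for i in checks:
        window = stmts[i + 1:i + 1 + SUBRC_WINDOW]
        if not any("SY-SUBRC" in s for s in window):
            findings.append(Finding(name, "HIGH",
                f"AUTHORITY-CHECK at statement {i + 1} but SY-SUBRC is not tested "
                f"within the next {SUBRC_WINDOW} statements; the check has no effect"))
    first_access = next((i for i, s in enumerate(stmts) if s.startswith(DATA_ACCESS)), None)
    if first_access is not None and first_access < checks[0]:
        findings.append(Finding(name, "MEDIUM",
            f"data access at statement {first_access + 1} precedes the first AUTHORITY-CHECK"))
    return findings


def review_programs(programs: dict[str, str]) -> list[Finding]:
    findings = []
    for name, source in programs.items():
        if is_customer_program(name):      # SAP-standard objects are out of scope here
            findings.extend(review_program(name, source))
    return findings


# Constructed sample sources; names, tables and authorization objects are illustrative.
SAMPLE_PROGRAMS = {
"ZFI_VENDOR_PAY": """
REPORT zfi_vendor_pay.
* check first, act on the result, then read
AUTHORITY-CHECK OBJECT 'F_LFA1_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(zfi) WITH 'No authorization for company code' p_bukrs.
ENDIF.
SELECT * FROM lfb1 INTO TABLE lt_lfb1 WHERE bukrs = p_bukrs.
""",
"ZMM_GR_POST": """
REPORT zmm_gr_post.
AUTHORITY-CHECK OBJECT 'M_MSEG_WMB' ID 'WERKS' FIELD p_werks ID 'ACTVT' FIELD '01'.  " result ignored
CALL TRANSACTION 'MIGO'.
""",
"ZSD_PRICE_DUMP": """
REPORT zsd_price_dump.
SELECT * FROM konp INTO TABLE lt_konp.
""",
"ZFI_BAL_LIST": """
REPORT zfi_bal_list.
SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE bukrs = p_bukrs.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
CHECK sy-subrc = 0.
""",
"RSUSR002": "REPORT rsusr002.",   # SAP-standard name: skipped
}

if __name__ == "__main__":
    for f in review_programs(SAMPLE_PROGRAMS):
        print(f"{f.severity:6} {f.program}: {f.message}")
```

To run it against a real system, export the source of the Y*/Z* programs (a small extractor using the ABAP statement READ REPORT is enough) into the dictionary in place of the samples. The MEDIUM case is deliberately reported even when the check itself is correct: moving the AUTHORITY-CHECK above the SELECT is a cheap fix, and the finding documents that the program was read before the question of authority was asked.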
3.9 Technology infrastructure is configured to secure communications and operations in the SAP R/3 environment.
3.9.1 Has the technology infrastructure been configured to secure communications and operations in the SAP R/3 environment? Consider the following areas: [DS5, PO2]
• Firewall
• Secure Network Communications (SNC)
• Secure Store and Forward (SSF) mechanisms and digital signatures
• Workstation security
• Operating system and database security

4. Application Security (Profile Generator and Security Administration)

4.1 Duties within the security administration environment are segregated adequately.
4.1.1 Has the organization allocated the security administration function among different individuals? [PO4]

4.2 Adequate security authorization documentation is maintained.
4.2.1 Was original documentation of the SAP R/3 authorizations and their use developed and signed off by management during the implementation, and has it been maintained adequately? [DS4, AI7]

4.3 The super user SAP* is properly secured.
4.3.1 Has SAP* been assigned to the security administrators' authorization group to prevent inadvertent deletion, its password changed from the default, all profiles and authorizations deleted, and the user locked? [DS5]
4.3.2 Has the system parameter login/no_automatic_user_sapstar been set to 1, so that the hard-coded SAP* login is not available when the SAP* user master record does not exist? [AI6]

4.4 Default users are secured properly.
4.4.1 Have the passwords for the default users DDIC, SAPCPIC and EarlyWatch (client 066) been changed from the default? [DS5]

4.5 Access to powerful profiles is restricted.
4.5.1 Has a new super user account with the SAP_ALL and SAP_NEW profiles been created with a confidential ID and secret password for emergency use, and has access to powerful profiles been restricted appropriately? [DS5, AI1]

4.6 The authorization group that contains powerful users is restricted.
4.6.1 Has the authorization group that contains powerful users been restricted to the new super user and a backup? [DS5, AI3]

4.7 Changes to critical SAP R/3 tables are logged by the system and reviewed by management.
4.7.1 Are all changes to the critical SAP R/3 tables logged by the system (profile parameter rec/client together with the table's log flag; history via transaction SCU3), and does the periodic review of these logs form part of the security procedures for the organization? [AI6, DS11]

4.8 Changes made to the data dictionary are authorized and reviewed regularly.
4.8.1 Are details of modifications to the data dictionary maintained, and are change control procedures followed? [AI6, DS11]
4.8.1 Are the SAP R/3 Data Dictionary Information System reports (DD reports) regularly generated and reviewed by management? [ME1, DS11]

4.9 Log and trace files are configured and secured appropriately.
4.9.1 Is logging appropriately configured, and are log and trace files secured at the operating system level at the location specified within the system profile? [DS9]
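Items 3.3.1, 3.5.1, 4.3.2 and 4.7.1 all reduce to the value of a profile parameter, and the answer depends on precedence: a system reads DEFAULT.PFL first and then its instance profile, a parameter set in both takes the instance value, and one set in neither takes the kernel default. The script below is an added example written for this page, not code from the ISACA guide or from SAP. It parses both profiles, reproduces that precedence and compares the effective values with a baseline, so each finding says where the weak value actually comes from. The thresholds and the kernel defaults assumed for unset parameters are the example's own assumptions (defaults differ between releases; confirm them in transaction RZ11), and the two profiles are constructed samples. One caveat: this reads the files on disk, whereas the running value is what RZ11 or report RSPARAM shows; a difference between the two, from a dynamically changed parameter or a profile edited but not yet activated by a restart, is itself a finding.

```python
"""Check SAP profile parameters on disk against a security baseline.

Precedence reproduced here: instance profile > DEFAULT.PFL > kernel default.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str                      # profile parameter
    kernel_default: str            # value assumed when no profile sets it (assumption)
    passes: Callable[[str], bool]  # predicate on the effective value
    expected: str                  # expectation, for the report


@dataclass
class Finding:
    parameter: str
    effective: str
    expected: str
    source: str   # "instance profile", "DEFAULT.PFL" or "kernel default"


def _as_int(value: str) -> int:
    """Profile values are strings; non-numeric text counts as 0 so it fails numeric rules."""
    try:
        return int(value)
    except ValueError:
        return 0


# Baseline thresholds and assumed kernel defaults are this example's assumptions.
RULES = [
    Rule("login/no_automatic_user_sapstar", "0",
         lambda v: v == "1", "1 (hard-coded SAP* login disabled)"),
    Rule("login/min_password_lng", "3",
         lambda v: _as_int(v) >= 8, "8 or more characters"),
    Rule("login/fails_to_user_lock", "12",
         lambda v: 1 <= _as_int(v) <= 5, "between 1 and 5 failed attempts"),
    Rule("login/password_expiration_time", "0",
         lambda v: 1 <= _as_int(v) <= 90, "between 1 and 90 days (0 = never expires)"),
    Rule("rdisp/gui_auto_logout", "0",
         lambda v: 1 <= _as_int(v) <= 3600, "between 1 and 3600 seconds (0 = never)"),
    Rule("rec/client", "OFF",
         lambda v: v.upper() != "OFF", "ALL or the productive client(s), so table changes are logged"),
]


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, blank lines are ignored."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_profiles(default_pfl: str, instance_pfl: str, rules=RULES) -> list[Finding]:
    defaults = parse_profile(default_pfl)
    instance = parse_profile(instance_pfl)
    findings = []
    for rule in rules:
        if rule.name in instance:
            value, source = instance[rule.name], "instance profile"
        elif rule.name in defaults:
            value, source = defaults[rule.name], "DEFAULT.PFL"
        else:
            value, source = rule.kernel_default, "kernel default"
        if not rule.passes(value):
            findings.append(Finding(rule.name, value, rule.expected, source))
    return findings


# Constructed sample profiles (not taken from any real system).
DEFAULT_PFL = """
# DEFAULT.PFL for system PRD
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
rec/client = OFF
"""

INSTANCE_PFL = """
# Instance profile PRD_DVEBMGS00_prdhost
SAPSYSTEM = 00
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 8      # overrides DEFAULT.PFL
rdisp/gui_auto_logout = 1800
"""

if __name__ == "__main__":
    for f in check_profiles(DEFAULT_PFL, INSTANCE_PFL):
        print(f"{f.parameter}: {f.effective!r} from {f.source}; expected {f.expected}")
```

With the sample profiles the SAP* parameter fails on the kernel default because neither file sets it, the lockout and expiry values fail from DEFAULT.PFL, and rec/client = OFF means no table change log exists for 4.7.1 to review; the instance override of the password length is picked up and passes. The source column is what turns a red cell into an action: a weak value in DEFAULT.PFL affects every instance of the system, one in the instance profile affects that instance only.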