ACE*

Guidance Notes

December, 2017

© PricewaterhouseCoopers
ACE* version 8.10
Table of Contents
1. What is ACE*? 2
2. Why does PwC use ACE*? 2
3. Does ACE* have any impact on my system? 3
4. Will ACE* download any confidential data? 3
5. How can I install ACE*? 4
5.1 Importing the transport 4
5.2 Manually creating the program 7
5.3 Is it possible to change the name of the ABAPs? 12

6. How can I run ACE*? 12

7. What authorizations are required to run ACE*? 18
8. How do the ABAP programs work? 20
9. What is the volume of data downloaded and how long does ACE* take to run? 20
10. How can I transfer the downloaded data to the ACE* user? 21

© PricewaterhouseCoopers
ACE* version 8.10 1 of 22
1. What is ACE*?

ACE* is an abbreviation for “Automated Controls Evaluator”.

SAP contains many controls which are embedded in the system. ACE* extracts configuration controls and
security data from SAP and analyses it to determine whether controls have been appropriately designed and
implemented into SAP.

In brief, ACE* consists of:

 two ABAPs which are the SAP part of the tool and download the required information from SAP; and
 the ACE* tool (PC part) which analyses the security and configuration control elements implemented in
a SAP environment.
 The GTL (General Test Library) which is a repository of all PwC researched and approved tests.

To achieve this, data has to be downloaded from the SAP system. The ABAPs do that in a very flexible way. They
have to be SAP release independent and able to adapt to how SAP has been configured and implemented.

ACE* can be run on any SAP instance and therefore can be used to analyse controls within SAP implementation
projects (pre go-live testing) as well as performing reviews of productive systems (live testing).

ACE* version 8 is executable on all SAP R/3 version 4.7 and higher (including any ECC or HANA systems).

2. Why does PwC use ACE*?

SAP offers some capability to analyse configuration and security controls, but these are relatively rudimentary
and difficult to use effectively. With ACE* configuration and security controls can be analysed easily using
standard tests which are tailored to each ACE* review. Complex search criteria can be applied within ACE*
allowing users to perform high level reviews and then to drill down to complete more detailed testing in areas
identified for additional work.

ACE* produces standard exception reports which are easy to understand and help with the subsequent
resolution of issues identified.

ACE* also enables PwC to perform an independent assessment of rule sets developed by the clients using the
SAP GRC products. By using ACE*, the client’s rule set can be mapped and compared to functions researched
in detail. This allows PwC to apply the benefit of research to each client’s environment.

© PricewaterhouseCoopers
ACE* version 8.10 2 of 22
3. Does ACE* have any impact on my system?

ACE* has been specifically designed to minimise the impact on the SAP environment where it is run either in
terms of system performance or data manipulation. This is because:

 only two ABAPs are required for ACE* (note that additional objects are created to improve the security
of the file path that can be used and to protect the programs from unauthroised execution – refer to
5.1.1 for detail);
 there are no other objects installed during the execution of the program; and
 the entire process is under your control.

By sequentially reading and writing from the SAP database to the disk of the application server, any impact on
system performance is reduced to a minimum.

The master ABAP /PWC/ACE8M generates the temporary ABAP /PWC/ACE8T. That is the only change that
ACE* makes on the SAP system.

Expressly, ACE* does not:

* Change any SAP repository objects (tables, structure, ABAPs, etc)

*Change any table contents

4. Will ACE* download any confidential data?

ACE* downloads authorisation, configuration, log and some master data. For certain large tables, ACE will
download only specific fields of interest. ACE has also a functionality to download detailed transactional data
but this feature is by default switched off and not activated.

PwC uses the same set of ABAPs on multiple SAP versions and for different SAP products. This increases the
flexibility and ease of use during the installation process. To achieve this flexibility, the ABAP has been designed
very dynamically analysing the SAP environment and searching for the required tables. As such, it is not
possible to provide a list of tables up-front. However, we have built in a feature which satisfies the need for
transparency.

The ABAPs write a reference list of all downloaded tables to the file B0002.QJF. The file will show table name,
table description and in which file the downloaded data is stored. Please note that due to optimization reasons,
one table can be stored in multiple files - this is also visible in the same reference file mentioned above. With
this transparency feature, you have the opportunity to review the downloaded data. Please do not hesitate to
contact your PwC contact person, in case your review will raise any questions or you feel that you do not want to
hand-over certain files.

For additional security and confidentiality measures, the ABAP performs an authorisation check on the object
S_TABU_DIS (and S_TABU_CLI if it is a client independent table), requiring the user executing the program
to have appropriate display access to the tables being downloaded by ACE*.

For more information on the authorisation checks done when executing the program, please refer to section 7 of
this document.

© PricewaterhouseCoopers
ACE* version 8.10 3 of 22
 The ABAP extracts security sensitive information and access should only
be granted to the person responsible for executing it. Standard change
control and testing process should be followed to put the ABAP into
production.
The directory to which data is downloaded should preferably be encrypted
and access to the directory should be carefully controlled. Once the data
has been securely transmitted to PwC, the downloaded files should be
removed.

5. How can I install ACE*?

There are two ways in which ACE* can be imported into your system:
1. By using the transport (F04K900733) provided.
2. By creating a program on your system and pasting the code manually into the program

The preferred method is (1), but for completeness purposes, both methods will be explained here.

5.1 Importing the transport

This is the preferred method, as everything required to run ACE* in a secure and efficient manner, has already
been created for you in the transports provided. There are two sets of transport files provided:

 F04K900733 – this is contained in the K900733.F04 and R900733.F04 files

 F04K900699 – this is contained in the K900699.F04 and R900699.F04 files (this transport contains
example roles to execute ACE* – they are explained in more detail in section 7)

5.1.1What does the transport file contain

The “F04K900733” file contains the following:

 Program /PWC/ACE8M – this is the main ABAP program – it also includes an authorisation group
“ZPWC” for the program.
 Transaction codes:
o /PWC/ACE8M – this is a transaction code to execute the main program directly.
o /PWC/ACE8_SPTH – this is a transaction code to maintain the menu paths that are allowed to
be used in the main program on. It is a parameter transaction for SM30, without selection
screen, to maintain table SPTH. See detailed explanation below.
 PACE authorisation group – this is a value added to table SPTHB and should be used in conjunction
with the menu path defined in the /PWC/ACE8_SPTH t-code mentioned above.

Note that the program and the transaction codes have a /PWC/ prefix. This is a registered namespace with SAP
and it means that these objects cannot be changed once imported, unless it comes from an authorised transport
from PwC.

© PricewaterhouseCoopers
ACE* version 8.10 4 of 22
5.1.2 How to import the transport file

Once you’ve obtained the K900733.F04 and R900733.F04 files, you need to copy them into the application
server’s transports directory. This is usually configured in directory parameter DIR_TRANS (Can be viewed
from t-code AL11). The default folders are usually as follows:
 \\XXXXXXXXX\sapmnt\trans\cofiles\ - copy the K900733.F04 file in here
 \\XXXXXXXXX\sapmnt\trans\data\ - copy the R900733.F04 file in here
(Where the Xs represent the name of the application server)

If you cannot find the “cofiles” and “data” folders, please contact the person responsible for transports on the
systems. They will be able to direct you to the correct place.

Once you’ve copied the files to the correct place, go to transaction code STMS and press F5 (“Import overview”
button):

Double-click on the system you want to import the files in and you should get to the Import Queue for your
system. The transport files cannot be seen yet, as they need to be manually added. This is done by going on your
menu bar: Extras > Other requests > Add:

Manually input the transport request number (F04K900733) as follows and press Enter:

In the next window you’ll be asked to confirm – press yes and you will see that the transport has been added to
the import queue. To release the transport, simply click on the transport number and press the “Import
Request” button (Ctrl + F11).

© PricewaterhouseCoopers
ACE* version 8.10 5 of 22
Next, you need to specify the target client. The transport should always first be imported into your Development
and the Quality Assurance System so it can follow your standard change control process, including proper
testing. Then go the Options tab and specify the following:

This needs to be done because the transport was generated in a (more than likely) different version of SAP than
the one you’re running.

Once done, the transport should have been imported into your system. To execute the ACE* program, simply
execute transaction /PWC/ACE8M – it will lead you directly to the program’s selection screen.

5.1.3 How to delete the transported /PWC/ACE8 program

Because this is a program created with a registered /PWC/ namespace, it isn’t possible to delete the program via
the conventional methods. A deletion transport can be provided by your PwC contact – F04K900697. Follow
the same steps as described in 5.1.2 above and release the transport accordingly. To delete the package that
contains the /PWC/ACE8M program and t-code, use the transport F04K900737. Note that these transports
need to be released one after the other – you cannot delete a package while it still contains objects within it.

© PricewaterhouseCoopers
ACE* version 8.10 6 of 22
5.2 Manually creating the program

This is not the preferred method – as it involves a much more manual process, which could increase the
chances of an error being made. Also, it will not be created under the registered /PWC/ namespace.
Nonetheless, if you still want to create the program via this method, please ask your PwC contact for the
ZACE8M.txt and ZACE8T.txt files.

ACE* comprises of two custom ABAP programs that need to be loaded into the SAP production environment:

ZACE8M.TXT The master ACE* ABAP

ZACE8T.TXT The temporary ABAP which is called by the master as necessary

5.2.1 Copy the ABAP programs onto the SAP GUI client

The two ABAP files are usually provided either on a usb drive or by e-mail (both files together are less than
150K in size). These files should be copied onto the local hard drive of the workstation from which the ABAPs
will be loaded into SAP.

Note: The ACE* ABAP programs MUST be loaded into and run from the main productive client, and
NEVER from within another client (eg client 000)

5.2.2 Upload the 2 ABAPs into SAP

The ABAP programs now need to be uploaded from the SAP workstation into SAP using the ABAP Workbench.
Please note that the ABAPs should always be uploaded in the Development environment and tested before
transporting it to the production environment.

5.2.2.1 Create the ACE* program in SAP

Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

In the program field enter ZACE8M as the program name and click on Create:

© PricewaterhouseCoopers
ACE* version 8.10 7 of 22
Please make sure that the name of the programs created in SAP matches the file names of the ABAP provided
i.e. ZACE8M and ZACE8T (ignore the .txt file extension).

Note: You will need an OSS/Developer key to load the ABAP.

5.2.2.2 Assign attributes to the ACE* program

In the following screen, assign the program attributes as below and click on “Save”:

Title: Enter a text that describes the ABAP such as “Z/PWC/ACE8M”

Type: Select “Executable Program”

Application: Select “Cross-application”

© PricewaterhouseCoopers
ACE* version 8.10 8 of 22
Enter any valid custom development class used in your environment (e.g. Z001 in this case) and click “Save” to
save the program attributes. It is encouraged to use an authorisation group – the program used in the transport
method uses authorization group “ZPWC”.

A message will be received indicating “Attributes for program ZACE8M saved.”

© PricewaterhouseCoopers
ACE* version 8.10 9 of 22
5.2.3 Deploy the ACE* ABAP into the SAP program created

Use path: Tools > ABAP Workbench > Development > ABAP Editor (or use transaction code SE38)

Copy and paste the code from the ZACE8M.txt text file as displayed below.

Select the “Save” button. A message will be received indicating that the program has been saved as displayed
below.

Return to the ABAP Editor initial screen using the Back Arrow in the toolbar.

5.2.4 Activate the ABAP

The ABAP needs to be activated before it can be run. Select the ZACE8M program and click the “Activate”
button (or use: Program > Activate).

Select the row containing ZACE8M and click on the “OK” button:

© PricewaterhouseCoopers
ACE* version 8.10 10 of 22
5.2.5 Load the temporary ABAP

Repeat steps 5.2.1 to 5.2.4 for the program ZACE8T.

Important:

 Clients should remove the ACE ABAP after the assignment is complete if it is not a recurring
assignment.
 Older versions should not be kept and any updates PwC provides should be used to overwrite the old
version.
 The ACE ABAP should be considered as sensitive access and should be appropriately restricted.
 The client should populate an authorization group for the program when they create it for further
protection.

© PricewaterhouseCoopers
ACE* version 8.10 11 of 22
5.3 Is it possible to change the name of the ABAPs?

If the ACE* ABAPs do not conform to the naming convention used, it is possible to change their names from
ZACE8M and ZACE8T. If this is done however, the code in ZACE8M has to be changed to ensure that the
master ABAP calls the re-named temporary ABAP and not ZACE8T. This requires one line of code to be
changed which is found in the ZACE8M ABAP.

Please note that this cannot be done if the program was created by the transport, as it is contained in a
registered /PWC/ namespace.

To change the names of the ABAPs programs search for the line:
Data: subrepid like sy-repid value ‘ZACE8T’
and replace ZACE8T with the new name for the ABAP program

6. How can I run ACE*?

6.1 Setup directory access for ACE-S using the PACE authorisation group

The ACE* ABAP has been programmed to require the user running the program to have access to file path
authorisation group PACE. Therefore the file path, that will be used to download the files to, needs to be
authorised in table SPTH and assigned to authorisation group PACE.

a. Transport method: /PWC/ACE_SPTH is a parameter transaction of SM30 restricted to table SPTH.

Execute transaction /PWC/ACE_SPTH to maintain the file path you want to use for ACE*.
b. Manually creating the program: Add authorisation group PACE in table SPTHB using transaction
SM30. Then maintain the file path you want to use for ACE* in table SPTH.

Please note that in the screen print above the “NR (No Read)” has been unchecked for file path “*” and “/”.
Good practice is to first restrict all file paths on the server, by checking the “NR” box, and then authorising
specific paths on the server (i.e. white list concept). Do not change this setting without evaluating which batch
jobs have already been set up, which file path they require access to and maintaining SPTH accordingly. Please

© PricewaterhouseCoopers
ACE* version 8.10 12 of 22
also note that this is a customising change and must be done in development and transported through to
production. For more information on the authority checks required, go to Section 7.

© PricewaterhouseCoopers
ACE* version 8.10 13 of 22
6.2 Select the ACE* parameters

The first two ABAP parameters in the program should be maintained:

© PricewaterhouseCoopers
ACE* version 8.10 14 of 22
In most cases, the default parameter values should be correct (except the application server path and the start
of the financial year as mentioned below). The different parameters are explained below:

© PricewaterhouseCoopers
ACE* version 8.10 15 of 22
Section Parameter Description Recommendation

Path on the application This defines the specific path on the application server where the This must be
Parameters

server ACE* data will be downloaded to. maintained see the

note below.
Core

Start of the financial year The start of the financial year date is used for download date related This must be
data, such as change documents, etc. maintained

Data Report for all clients Defines if data is only downloaded from the current client or all Should not be changed
Log Analysis for all clients clients in the SAP instance.

CDS data Defines if aggregated change document information will be Should not be changed
downloaded.

Authorization groups Defines if tables with authorization groups should be downloaded. Should not be changed

Object help information Defines if authorization object help will be downloaded. Should not be changed

Desolved values Defines if desolved values are downloaded. Desolved values allow Should not be changed
ACE* to display a drop down list of possible values for authorization
fields.
Scope of Download

Field status definition Defines if the tables related to field status are downloaded. Should not be changed

Base component Defines if core tables of the base component are downloaded Should not be changed

With user details Defines if user information in the tables USR03, ADCP, ADRP are Should not be changed
hidden in the download.
TLD ACE* will download data generated by the SAP Performance Should not be changed
Monitor. In ACE* this is called Transaction Log Data (TLD).
Month, weekly or daily data: Specifies the summary level at which
the data will be downloaded.
Period limit: This setting will limit the data downloaded to
respectively the number of months, weeks or days specified.
Record limit: This setting will limit the data downloaded to the
number of records specified.

Module specific Defines if tables or desolved values for these modules are Should not be changed
downloads downloaded

Specify additional tables Allows including additional tables to be downloaded. Should not be changed

Optional data in MB Defines download limits per table avoiding any space issues to the Should not be changed
Special data in MB application server. The limits are specified in MB!
Additional data in MB
Space limit for

Optional data: Data which is not absolutely necessary to analyze

authorizations. If not downloaded than the efficiency of the
tables

authorization analysis will be significantly impacted. Most of the

configuration data is classified as optional.
Special data: Data which are handled specially such as extended
download data – see below.
Additional data: Data which has been selected for download via
parameter: ‘ Specify additional tables’ – see above.

Download strategy Determines the method used by the ABAP to download data from Should not be changed
Download Strategy

SAP.
and Code Page

If “less read rollback” is selected, the ABAP could run long.

If the SAP system is very powerful, the value can be switched to
“better performance”, and then the ABAP is executed faster.

Code page Downloads the data in a different code page. Should not be changed
This options should never be changed without consultation, since it
may impact the readability of the data.

© PricewaterhouseCoopers
ACE* version 8.10 16 of 22
 KPI Indicators New feature in piloting phase – please do not use yet Should not be changed
KPI

Company Code New feature in piloting phase – please do not use yet Should not be changed

Multiple Selection Downloading posting information based on BKPF/BSEG and related Should not be changed
Download

tables based on selection criteria via ACE ABAP.

Posting

By default, data will not be downloaded.

If selected for download by ticking one of the two options, then
please specify filtering criteria, since no limits apply.

Multiple Selection Use ACE ABAPs to efficiently download large SAP transaction and Should not be changed
master data tables
Download
Extended

Used largely for CAATs purposes – ready to be used with ACL

By default, data will not be downloaded.
If selected for download, then please specify filtering criteria. Despite
the limits for extended data applies, the downloaded data can get
quite big.

Only Rep If the selection ‘Only Report Testing’ (Only Rep) is ticked then no This must be
other parameters above are taken into account (including path). The maintained see FAQ
Report Testing

ABAP will then solely analyze the specified reports and produce an in ACE* Toolbox.
on-line report – NO DATA will be written to the application server.

ABAP Programs The selection ‘ABAP Programs’ allows you to specify the reports. If This must be
you want to specify multiple reports, then click on the icon to the maintained see FAQ
right of the field allowing you to specify multiple reports. You can in ACE* Toolbox.
also enter transaction codes; in this case ACE will evaluate the
transaction and search for the associated report.

In the “Path on the application server” field, specify the exact location (e.g. [Drive]:\usr\sap\ACE*, for
Windows, or /usr/sap/ACE*, for UNIX) on the application server (or other server with a mapping from the
application server) where the downloaded data is to be saved. The directory should have enough free space to
accommodate the downloaded data (typically between 500MB and 2GB is required).

The operating system that is used to write the ACE* files to (QJF’s) must be
the same as the SAP application server operating system.

6.3 Run the ABAP (execute in the background)

Execute ACE* in the background by selecting the menu path: Program > Execute > Background:

© PricewaterhouseCoopers
ACE* version 8.10 17 of 22
If the “Execute Immediately” button is pressed then you will see a message that /PWC/ACE8M has started as a
background job.

6.4 Check status of the ABAP

To check the status of the ABAP, go to the Background Job Overview screen (Transaction code SMX). Enter a
“*” in the Job Name field and select the current date in the From and To fields. Click on “Execute”.

To check the status of the ABAP, go to the Own Background Jobs screen (Transaction code SMX). A status of
Active means that the job is still running. A status of Finished means that the job is complete.

7. What authorizations are required to run ACE*?

The following authorizations are required to run ACE*:

 S_TCODE /PWC/ACE8M
 S_ADMI_FCD with PADM
 S_BTCH_JOB with RELE (in JOBACTION field)
 S_DATASET with ACTVT 33 and PROGRAM /PWC/ACE9M
 S_LOG_COM with Command LIST_DB2DUMP
 S_TABU_CLI with X
 S_USER_AUT with ACTVT 03 (Display) and 08 (Display Change Documents)
 S_USER_GRP with ACTVT 03 and 08
 S_USER_PRO with ACTVT 03 and 08
 S_SCD0 with ACTVT 08
 S_TABU_DIS with ACTVT 03 and the authorisation groups for all the tables dynamically downloaded
by ACE*

Additional authorisation checks, if using the PACE authorisation group as detailed in section 6.1 above (only
available if using the transport method):
- S_TCODE /PWC/ACE8_SPTH
- S_PATH with ACTVT 02 and 03 and PACE authorisation group

(NB: this contains maintenance access – it should only be done by appropriate people that are responsible for
table maintenance and basis administration on your production system).

The roles, containing the access listed above, have been created in transport F04k900699 (For instructions on
how to import transports, refer to the steps detailed in section 5.1). For the standard role to execute ACE*, you
can assign role /PWC/ACE_EXECUTE. For the additional authorisation group maintenance, you can assign
role /PWC/ACE_MAINTAIN_SPTH.

NB: Only assign these roles to appropriate users that are generally responsible for these tasks
on your system.

Additional authorisation checks if not using the transport method (not encouraged):
- S_PROGRAM with implemented P_GROUP and S_TCODE

Additional authorisation checks if exporting Transaction Log Data:

 S_TOOLS_EX with authorisation value S_TOOLS_EX_A
Without having object S_TOOLS_EX the downloaded TLD data (aka performance monitor data) will
be encrypted.

© PricewaterhouseCoopers
ACE* version 8.10 18 of 22
At the operating system level:
 The SAP user at the OS level has to have write access to the directory specified in the “path on the
application server” field in the ABAP.

The ABAP extracts security sensitive information and access should only
be granted to the person responsible for executing it. Standard change
control and testing process should be followed to put the ABAP into
production.

Please remove the ABAP once the assignment is complete, if it is not a

recurring engagement. Older versions of the ABAP should not be retained.
Any updates PwC provides should be used to overwrite any older
versions.

The directory to which data is downloaded should preferably be encrypted

and access to the directory should be carefully controlled. Once the data
has been securely transmitted to PwC, the downloaded files should be
removed.

© PricewaterhouseCoopers
ACE* version 8.10 19 of 22
8. How do the ABAP programs work?

There are two ABAPs:

 /PWC/ACE8M (Master ABAP) and
 /PWC/ACE8T (Temporary ABAP).

The Master ABAP generates and executes the Temporary ABAP.

The overall purpose of these ABAPs is to search for relevant data and to download this to the application server.
The downloaded data can split into three types:

 Special data (downloaded by Master ABAP).

Some data is downloaded by the Master ABAP directly. This data is downloaded based on a join of
multiple tables, a selection of a single table or standard SAP function.

 Standard data (downloaded by Temporary ABAP).

Each downloaded file relates to one SAP table. In the procedure ‘FILLFIXB0005’ these tables are
selected and the names of the tables are saved in an internal table (B0005). The Temporary ABAP is
generated for each entry in this table, and submitted by the procedure ‘EXP-STAND’. The Temporary
ABAP then downloads the data to the specified directory path on the application server.

 Data of internal tables (downloaded by Master ABAP).

During the import, seven internal tables are populated. These tables describe the downloaded data.

The ABAPs do not change or modify any data in the SAP system

9. What is the volume of data downloaded and how long

does ACE* take to run?

The volume of data and run-time of the ABAP cannot be predicted exactly as ACE* dynamically selects what
data to run depending on the size of the SAP implementation (i.e. number of users) how authorizations have
been built and the scope of the data to be downloaded as defined in the variant of the ABAP.

However, an example is provided below:

Example

SAP Release ECC6

Number of users: 2,545

Scope of downloaded files: Full

Number of downloaded files: 1,841

Space required on application server: 1.16 GB

Run time of the ABAP: 2 hours

© PricewaterhouseCoopers
ACE* version 8.10 20 of 22
10. How can I transfer the downloaded data to the ACE*
user?
Once the job has finished, navigate to the application server path specified in the ABAP for the downloaded files
(e.g. [Drive]:\usr\sap\ace, for Windows NT, or /usr/sap/ace, for UNIX servers). Up to 2000 files (depending
on the size of the SAP instance) with the .QJF extension will be saved here.

The names of the output files generated by ACE* should not be changed

These files now need to be transferred from the application server to the ACE* user. There are several ways of
doing this and the best way will depend on the system architecture and the software and hardware available.
Note that often the data has to be first transferred from the SAP application server to a SAPGUI PC because of
restricted access rights on the SAP application server. Options available are:

Option Method Advantages Disadvantages

From the application server:

CD/DVD Writer Use a CD/DVD writer connected Easiest and quickest method Requires a CD/DVD writer to be
to the SAP application server connected to the SAP
application server

Use FTP or File Copy to copy the data from the SAP application server to a SAPGUI workstation and then:
FTP and CD/DVD Writer Use a CD/DVD writer attached Easy and quick method Requires a CD/DVD writer to be
to the SAPGUI workstation connected to the SAPGUI
workstation.

FTP and memory stick Zip up the data in packets and This method is always possible The workstation containing the
use a memory stick to transfer data must have a USB port.
the data to the ACE user

FTP and email E-mail the zipped data in This can be a quick solution Data needs to be zipped into
packets to the ACE* user packets <5MB and e-mail
security may be a concern

Please transfer all files created during the download including 0KB files.
If you have any questions or queries or get any error message, please contact your local PwC auditor with
screenshots, and details of error message.

© PricewaterhouseCoopers
ACE* version 8.10 21 of 22
© 2017 PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to
the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context
requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does
not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is
not responsible or liable for the acts or omissions of its member firms nor can it control the exercise of their
professional judgment or bind them in any way. No member firm is responsible or liable for the acts and
omissions of any other member firm nor can it control the exercise of another member firm's professional
judgment or bind another member firm or PwCIL in any way.

© PricewaterhouseCoopers
ACE* version 8.10 22 of 22