This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process
without prior written permission from the Commonwealth available from the Department of Communications, Information
Technology and the Arts. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth
Copyright Administration, Intellectual Property Branch, Department of Communications, Information Technology and the Arts, GPO
Box 2154, Canberra ACT 2601 or posted at <http://www.dcita.gov.au/cca>
Information about ANAO reports and activities can be found at the ANAO Internet address: http://www.anao.gov.au
Acknowledgement
Appreciation is extended to PricewaterhouseCoopers who contributed significantly in developing and writing this handbook.
Disclaimer
This handbook is not a recommendation of the SAP R/3 system, nor an endorsement of the SAP R/3, by the ANAO. Commonwealth Public
Sector agencies are responsible for deciding whether SAP R/3 is suitable for their purposes and for implementing and testing SAP R/3.
The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or
any loss or damage suffered by an agency or by any other person as a result of their reliance on the information contained in this
handbook or resulting from their implementation or use of the SAP R/3 system, and to the maximum extent permitted by law, exclude
all liability (including in negligence) in respect of the handbook or its use.
Preface
SAP continues to be a predominant financial management information system in use within the Australian
Government.
Accordingly, the Australian National Audit Office (ANAO) has developed this better practice handbook update
with significant assistance provided by PricewaterhouseCoopers. The original handbook was released by the
ANAO in 1998, and this update reflects the changes made to SAP security and control since that time.
Based on SAP R/3 release 4.6C, this update should be read in conjunction with the original handbook to gain a
fuller appreciation and understanding of functional, as well as security and control issues, associated with the
implementation and operation of SAP.
This handbook update provides better practice controls that should be considered by Australian Government
entities to assist in meeting their requirements for availability, integrity and confidentiality, and outlines:
• the various control options that should be considered, broken down into the following categories:
– SAP customisation settings which should be considered in reducing and/or mitigating identified risks
and delivering security and control best practices.
– User access security settings to be considered when designing and implementing security.
The adoption of the various control options will depend on how SAP R/3 is used within each entity and the level
of acceptable risk adopted by that entity. Striving for absolute assurance is neither cost effective nor possible.
Controls implemented should be commensurate with the nature of the business, the acceptable level of risk and
program delivery.
Oliver Winder
Acting Auditor-General
30 June 2004
Security and Control for SAP R/3 Handbook Update
Contents
Introduction .......................................................................................................................1
Controlling (CO)..............................................................................................................70
Introduction
The original Security and Control for SAP R/3 Handbook, developed in 1998, was produced to provide good
practice security and control guidelines when implementing and running SAP Version 3.1H. SAP has subsequently
upgraded the R/3 system through Versions 4.0, 4.5 and 4.6, with each version including many functional changes
impacting security and controls.
This handbook update is based on SAP R/3 Release 4.6C, outlining significant functional enhancements with
relevant security and control considerations. This handbook should be read in conjunction with the original
handbook to gain a full awareness and appreciation of functional and security and control issues within the
core SAP components.
The handbook outlines business risks associated with the implementation and operation of SAP, and provides better
practice controls, replicating control solutions deployed at organisations running SAP globally, that should be
considered by Australian Government entities.
SAP Upgrades
There are a number of business and technology drivers that may influence an organisation's decision to
upgrade SAP.
Business drivers (diagram): Why upgrade R/3? Strategic & operational changes; mergers & divestments; e-business
initiatives; cost reduction; greater efficiency; business process improvements; technology functional
enhancements; competition.
Drivers for upgrading SAP are often focused on achieving greater efficiency through new functionality, or
business process improvements, provided within new releases of SAP. A number of these enhancements are
outlined in the sections of this document and should be considered by decision makers.
Technology drivers (diagram): Why upgrade R/3? MySAP.com product components; new or extended functionality;
improve user acceptance / satisfaction; old versions no longer supported; need to re-structure architecture;
reduce enhancements; update technologies; stabilise environment.
Technology drivers for the upgrade of SAP are generally based around the need to maintain SAP support or to
provide greater stability and ease of use for users and support teams.
Components covered
Component overview (diagram): the R/3 core (Client/Server, ABAP/4, BASIS) surrounded by the application
components SD Sales & distribution, FI Financial accounting, CO Controlling, TR Treasury, MM Materials
management, IM Investment management, AA Asset accounting, PS Project systems, HR Human resources, RE Real
estate management, OC Office communications, CS Customer service, PE Training & event management, PM Plant
maintenance, QM Quality management and PP Production planning.
This handbook update covers the core SAP R/3 components commonly used by Australian Government entities.
The components covered are consistent with those in the original handbook.
This handbook update also provides an outline of the Audit Information System (AIS).
Products such as BW (Business Warehouse), CRM (Customer Relationship Management), EBP (Enterprise Buyer
Professional) and ESS (Employee Self Service) are run on separate copies of the SAP application. While these have
been detailed in each applicable section of this handbook, they are not outlined in the above diagram.
How to use the handbook update
The handbook update has been divided into seven sections as follows:
• Introduction
– Controlling (CO)
A Background section is provided for each application component, giving an overview of changes in the
application component from SAP Version 3.1H to 4.6C and detailing the coverage (sub-modules) of each
application component section.
A Functional Overview is given for each application component and sub-module covered by this handbook
update. This overview outlines the core functionality of the sub-modules with relevant operational benefits and
high-level control opportunities.
SIGNIFICANT RISKS
For each sub-module, relevant business risks are provided which should be considered by
all organisations. For each risk identified, various control options are provided across the
following sections.
CONFIGURATION “HOT SPOTS”
SAP customisation settings that should be considered in reducing and/or mitigating identified
risks and delivering security and control best practices.
SECURITY CONSIDERATIONS
User access security settings to be considered when designing and implementing security
for this sub-module. Where available, sensitive high-risk SAP transaction codes are provided
with a description of the functionality. Access to these transactions should be reviewed and
appropriately restricted.
USEFUL REPORTS
Key control reports for each sub-module covered have been provided. Where available, the
report transaction code or report code has been provided with a description of the benefit
provided. Management should consider implementing procedures for the review of these
reports, where appropriate.
The following diagram is used throughout this handbook update to demonstrate how functionality, risks
and control options relate. Risks can be mitigated through the implementation of one or a combination of
control types, depending on organisational needs. These control types may be security related, specific control
configurations, or through the development and review of control reports. This handbook provides good
practice control options across security, configuration and reporting, which management should consider when
implementing functionality or reviewing the SAP control environment.
(Diagram: Functionality at the centre, surrounded by Significant risks, Security considerations,
Configuration hot spots and Useful reports.)
Basis and cross application components
SECTION CONTENTS
Background .......................................................................................... 9
Environment ........................................................................................ 10
SAP New Dimension Products ........................................................................ 11
Security: User Security and the Profile Generator .................................................... 13
Functional Overview ................................................................................. 13
Reporting .......................................................................................... 25
Functional Overview ................................................................................. 25
Environment
With the advent of the SAP workplace and the ability to access SAP through an Internet browser, a wave of
new SAP products has been developed, including Customer Relationship Management (CRM) and Supply Chain
Management (SCM), each product requiring an underlying Basis module upon which to operate.
Security
A number of new security tools have been developed to assist in the configuration and maintenance of security
in increasingly complex SAP environments. Tools considered in this section include the Profile Generator, Central
User Administration, Derived Roles and Personalised Role Menus.
Reporting
Reporting functionality within SAP has been enhanced significantly to provide greater ease of access to data.
The development of new reporting tools has improved the way users can access and extract SAP data — these
include Infoset Queries and the SAP Business Warehouse (BW).
Workflow
SAP Workflow is a cross application component but should also be viewed in the context of each business
process to which it has been applied. Workflow, as a concept, has been detailed within this section. As well, some
specific applications are discussed in the relevant business process areas.
Environment
With the introduction of the SAP Web GUI (Graphical User Interface), more agencies are web or partially web
enabling their SAP systems. Core functionality required by large volumes of users (e.g. Employee Self Service) is
well suited to being delivered through a standard web browser.
The following diagram illustrates how the introduction of the Web GUI has changed the SAP environment.
(Diagram: Application server and J2EE web server; SAP-ITS application gate and SAP-ITS web gate; presentation
layer either as the SAP GUI on the client PC or as a web browser on the client PC.)
The underlying SAP three tier environment remains largely unchanged from Version 3.1H for the SAP 4.5A – 4.6C
environment. The primary change is the addition of the SAP Internet Transaction Server (ITS) enabling web
connectivity and the delivery of SAP content through the Web.
Similar to the original SAP R/3 environment, the core three tier design of database, application and presentation
layers remains. In previous SAP versions, communication between the application layer of SAP and the
presentation layer or client PC would take place using software installed on the client PC — the SAP GUI.
The development of the Internet Transaction Server (ITS) has allowed presentation of SAP content through
a standard Web browser.
While high volume users will still access SAP using the SAP GUI installed on their machine, the ITS allows
SAP functionality to be extended to a wider user community, with low volume processing, such as Employee
Self Service, being delivered through a standard Internet browser.
The SAP R/3 Enterprise Environment has changed the original SAP R/3 environment to incorporate web
interactivity with the underlying SAP application server. This has resulted in the SAP Web Application Server,
an application server capable of hosting java based web applications, as well as performing all of the functions
previously performed by the SAP Application Server.
Incorporating a Java web server into the SAP Web Application Server, SAP can now deliver SAP content directly
to the Web Browser, without the need for the Internet Transaction Server.
SAP New Dimension Products
The SAP 4.6C environment builds on the existing R/3 environment to incorporate a number of new SAP products
aimed at streamlining business processes and adding new functionality to the core R/3 product.
(Diagram: SAP New Dimension products around the core R/3 modules. Core R/3: SD Sales & distribution, FI
Financial accounting, MM Materials management, CO Controlling, PP Production planning, AM Fixed assets
management, QM Quality management, PS Project system, PM Plant maintenance, WF Workflow, HR Human resources,
IS Industry solutions. New Dimension products: SAP sales, SAP CRM, SAP marketing, SAP service management,
SAP B2B procurement, Info DB, SAP strategic enterprise management, BW, SAP SCM, SAP APO, SAP logistics
execution systems, SAP BI.)
Key:
BW Business Warehouse
A feature of the SAP ‘New Dimension’ products is that they each reside on a separate SAP installation (instance).
Each product can be implemented independently, each requiring a separate SAP Basis installation. Basis settings
and parameters must be configured for each of the ‘New Dimension’ implementations as well as the core R/3
implementation.
SAP’s suite of ‘New Dimension’ products can be divided into the following categories:
Business Intelligence
The core product in the Business Intelligence suite is SAP Strategic Enterprise Management (SEM). SAP–SEM
allows management to take a holistic view of the organisation, providing them with the data they need to make
strategic decisions. SAP–SEM consolidates business data, as extracted from the core SAP system, using the BW
reporting tool.
SAP–SEM supports management processes in an integrated way, which means top-down translation of enterprise
strategy into business unit, product and support centre targets, as well as bottom-up performance monitoring
and related decision support.
SAP–CRM manages customer relationships by providing employees with information on trading history and
contacts with business customers in order to support sales activities.
SAP–EBP is an electronic procurement solution designed to automate the procurement process to the point of
purchase order creation. SAP–EBP allows employees to browse pre-approved vendor catalogues and select items
to be ordered raising a requisition for approval. On approval of the requisition by the appropriate manager,
a purchase order is automatically created in the core R/3 system.
Functional Overview
From SAP Release 3.1G, SAP has continued to develop the Profile Generator to allow quicker development
of authorisation profiles. All authorisations should now be created using the Profile Generator, as most new
functionality relies upon the assignment of roles to users rather than authorisation profiles. It should be noted
that assigning a role to a user will automatically assign the corresponding profile.
Benefits provided through the use of the profile generator to define authorisation profiles include:
With SAP Release 4.6C, there are now over 100 standard delivered roles or role templates. These can be used as
a basis for the definition of customer specific roles, and will often contain the majority of transactions required
for a particular function.
Care should, however, be taken when using these roles. Being generic, they will often contain more access
than required, and will not contain any organisational restrictions.
A further enhancement has been the development of the password generator functionality in transaction SU01.
This allows the security administrator to generate a random password for user accounts rather than a password
which may be easily guessed.
Mass maintenance of user access security design and structure can now be performed in the profile generator,
which will significantly improve efficiency and accuracy of changes being made to a large number of records.
When in the menu tab of the profile generator, transaction code names can be toggled on/off by selecting the
magnifying glass icon in the top right of the tab.
SIGNIFICANT RISKS
• Unauthorised, or inappropriate, changes to user security resulting in excessive access, or
users not having access to perform functions.
• SAP standard delivered roles if allocated without configuration may not provide adequate
organisational restrictions, or may contain transactions that the organisation has deemed
to be segregation of duties conflicts.
SECURITY CONSIDERATIONS
• Authorisations where a ‘*’ value has been given should be reviewed to establish if
appropriate. Where possible ‘*’ values should be limited and replaced with specific
values.
SU01 | Maintain User | Used for the creation and maintenance of User Master Records including password
resetting by system administrators.
SU02 | Profile Maintenance | Tool for the direct maintenance of profiles (not recommended in version 4.0A
or above; should be performed in the profile generator).
• SAP standard roles, where utilised, should be used as a basis for the establishment of
roles and should be checked for adequacy within the context of the security and control
environment.
• SAP standard roles should be reviewed for transactions that your organisation has deemed
segregation of duties conflicts.
• Security administrators should use the password generation facility in transaction SU01
when a user account is created or requires a password change. This will ensure that
passwords are random and not easily guessable.
Security: Derived Roles
Functional Overview
The Profile Generator controls the creation of variants for different business units or departments within an
organisation. This has resulted in the concepts of Responsibilities (Version 4.0B), Hierarchical Activity Groups
(Version 4.5A) and more recently Derived Roles (Version 4.6A). All are conceptually similar in that they allow
the security administrator to define a set of common transactions from which variant profiles can be created
containing different organisational restrictions.
It should be noted that the use of Derived Roles can significantly reduce the resource required for security role
maintenance. These can be further explained using the following diagram:
Derived roles (diagram): a master role with all company codes and all cost centres, from which child roles
are derived.
SIGNIFICANT RISKS
• Derived Roles are inappropriately configured resulting in inappropriate user access. Due to
limitations of organisational data that can be derived, there are certain situations where
Derived Roles cannot be used.
• Only security administration staff should have access to the Profile Generator (transaction
PFCG) where Derived Roles are maintained.
• Where Derived Roles have been defined, the master role should not be assigned to end
users as this will normally contain access to all organisational data.
CONFIGURATION HOT SPOTS
• Ensure that naming conventions have been appropriately defined which clearly identify
master and child roles.
• Where Derived Roles are used and all data (with the exception of organisational data) is
to be derived down to the child role, child roles should not be directly maintained. All
changes to the child role will be overwritten the next time information is derived from
the master role.
SECURITY CONSIDERATIONS
• Access to role administration should be tightly controlled and restricted to only relevant
user administration staff. Access to the following transactions should be restricted:
OY21, GCE2, O002, OBZ8, OD03, OIBP, OMDM, OMEI, OMM0, OMSO, OMWG, OOPR, OP15, OPCB, OPE9, OPJ1 |
Profile Maintenance | These transactions all allow direct access to profile maintenance.
USEFUL REPORTS
Report / Transaction | Name | Description
Security: Central User Administration
Functional Overview
With the advent of the SAP Workplace and various other new component systems, the SAP landscape has
become significantly more complex than the original R/3 system. As a result, user administration has become
more complex.
Central User Administration (CUA) addresses the difficulties of user administration by allowing all user
administration activities to be performed from a central system. CUA is available from SAP Versions 4.5A and
above, and recent versions of the Web Application Server (6.2), and can significantly reduce the resource required
for user maintenance.
CUA does not cater for single sign-on or for the synchronisation of passwords across each SAP system.
The following diagram illustrates the CUA concept. Communication between systems is achieved using SAP Application
Link Enabling (ALE). ALE is SAP’s process that provides for the exchange of data between SAP systems.
(Diagram: the CUA concept, with a central system running SAP R/3 4.5A or higher communicating with the other
systems through ALE.)
SIGNIFICANT RISKS
• CUA configuration and ALE landscape may not be configured correctly resulting in failure
of systems to interface effectively.
• Access to Application Link Enabling (ALE) configuration may not be adequately secured.
• CUA error and distribution logs may not be reviewed and followed up on a timely basis.
CONFIGURATION HOT SPOTS
• Patches from SAP must be applied to install and run CUA.
SECURITY CONSIDERATIONS
• Access to the configuration of Central User Administration (CUA) transactions should
be controlled. Consideration should be given to restricting access to only relevant user
administration staff to the following CUA Maintenance transactions.
SCUL | Central User Management Log | Transaction used to view CUA audit and error logs.
USEFUL REPORTS
Report / Transaction | Name | Description
Security: Personalised User Menus
Functional Overview
SAP Version 4.6 and the first release of mySAP.com Workplace saw a move towards personalisation within the
SAP environment. SAP menus can now be personalised for each role. When these roles are assigned to a user and
combined with other roles containing personalised menus, the user is presented with a menu structure unique
to their individual role assignments.
SIGNIFICANT RISKS
• Folder structures within the SAP menu structure (see above) are created which do not
reflect the actual business structure. It is important to ensure that these are developed in
consultation with the business, and do not take on a technical focus.
CONFIGURATION HOT SPOTS
• User menu configuration should be such that menus are efficient in use. Table SSM_CUST
contains settings which affect the user menus, including whether folders should be condensed,
whether duplicate transactions should be deleted and whether the menus should be sorted.
SECURITY CONSIDERATIONS
• In addition to controlling access to the Profile Generator (transaction PFCG), access should
also be controlled to the maintenance of table SSM_CUST.
USEFUL REPORTS
Report / Transaction | Name | Description
Transport Management System
Functional Overview
With the release of Version 4.0, SAP introduced the Transport Management System (TMS) that centralised the
configuration for the Change and Transport System (CTS) for all R/3 systems. TMS gives the SAP Administrator
the ability to manage all SAP change requests from a centralised location (i.e. from one SAP client). It also allows
pre-defined transport routes to be configured, minimising human error in the import and export of transportable
objects.
A key feature of the TMS is that it has allowed for the management of change queues from within the R/3
system and has removed the need to have deep UNIX / Windows skills for day to day SAP Administration
(although these skills are still required for the administration of the underlying database).
The introduction of TMS allows for greater control over the SAP system account and has led to the configuration
of a simplified SAP landscape. TMS has replaced the need to use transaction SE06 and previously configured
CTS tables.
SIGNIFICANT RISKS
• Administration functions such as client copies are not restricted to authorised personnel
and are performed inappropriately.
• Programs in production have not gone through the appropriate change approval process.
• Developers make changes (and test changes) directly in programs in the production
system (in non emergency situations). Changes should go through the normal domain
transport route.
CONFIGURATION HOT SPOTS
• Transaction STMS now controls the movement of objects from one SAP system to another,
replacing functionality in transaction SE06.
SECURITY CONSIDERATIONS
• Access to the following transport management transactions should be restricted to
authorised ‘Basis team’ users only.
SCC1, SCC4 | Client Administration | Transactions SCC1 and SCC4 allow users to create a client (SCC1) and
copy data from an existing client to a target client (SCC4). In addition there are other copy transactions
(SCCX) that perform functions such as copying user files that should be protected and should be restricted.
USEFUL REPORTS
Both Transport logs and Action logs are available through the Transport Organiser. These can
be used to provide an audit trail of transport activity.
Reporting
Since folders can be specified in individual roles, personalised roles effectively make reporting trees redundant. In
order to make the allocation of reports to roles easier, SAP have therefore assigned a large number of standard
SAP reports to transaction codes.
Although report trees can still be displayed through most Web GUI configurations, it may be more appropriate
to assign reports through personalised roles, and remove report trees altogether.
SIGNIFICANT RISKS
• Although transaction codes have now been assigned to SAP standard reports, the
authorisation objects checked by these reports have not been attached to these
transaction codes. In order to allocate reports to end-users, it is therefore still necessary
to establish the required authorisation objects through testing and allocate these to the
appropriate roles.
CONFIGURATION HOT SPOTS
• All reports and programs developed should contain appropriate authorisation checks to
ensure that only authorised users are able to execute them.
SECURITY CONSIDERATIONS
• Reports which do not contain adequate authorisation object security will be accessible to
any user who has access to the transaction code required to start the report. Where users
are configured with access to all transaction codes, through the application of a ‘*’ in the
S_TCODE object, or value that contains a ‘*’ (for example ‘S*’), there is an increased risk
that reports or programs may be accessed inappropriately.
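As an added example that is not part of the ANAO handbook, the following Python script applies the S_TCODE review described above (and the earlier point that ‘*’ authorisation values should be reviewed) to a constructed role authorisation export: it flags roles whose S_TCODE values contain a ‘*’ and shows which of the sensitive transactions named in this handbook each value reaches. The export layout (role, object, field, value), the role names and the rows are assumptions for the example; the matching rule treats a lone ‘*’ as matching every transaction and a trailing ‘*’ as a prefix wildcard, as in the ‘S*’ case above.

```python
from collections import defaultdict

# Sensitive transactions named in this handbook section. The subset and the
# short descriptions are the example's own shorthand, not the handbook's wording.
SENSITIVE_TCODES = {
    "SU01": "Maintain User (including password resets)",
    "SU02": "Direct profile maintenance",
    "PFCG": "Profile Generator / role maintenance",
    "SCC1": "Client administration: create client",
    "SCC4": "Client administration: copy to target client",
    "STMS": "Transport Management System",
    "SQ02": "InfoSet maintenance",
    "KE55": "Mass maintenance of profit centre master data",
    "MSL2": "Delete mass maintenance logs",
}

# Constructed sample export, not data from any real system. Each row is
# (role, authorisation object, field, value); the layout is an assumption.
SAMPLE_AUTHS = [
    ("Z_FI_CLERK",    "S_TCODE",       "TCD",   "FB01"),
    ("Z_FI_CLERK",    "S_TCODE",       "TCD",   "FB03"),
    ("Z_FI_CLERK",    "Z_EXAMPLE_OBJ", "FIELD", "1000"),   # non-S_TCODE row, ignored
    ("Z_BASIS_ALL",   "S_TCODE",       "TCD",   "*"),      # every transaction
    ("Z_REPORT_USER", "S_TCODE",       "TCD",   "S*"),     # the handbook's 'S*' case
    ("Z_SEC_ADMIN",   "S_TCODE",       "TCD",   "SU01"),
    ("Z_SEC_ADMIN",   "S_TCODE",       "TCD",   "PFCG"),
    ("Z_MASS_MAINT",  "S_TCODE",       "TCD",   "KE5*"),
]


def tcode_matches(value, tcode):
    """Generic value matching for S_TCODE field TCD: a lone '*' matches every
    transaction, a trailing '*' matches any transaction with that prefix,
    and anything else must match exactly."""
    if value == "*":
        return True
    if value.endswith("*"):
        return tcode.startswith(value[:-1])
    return value == tcode


def s_tcode_values(auths):
    """Collect the S_TCODE values granted to each role."""
    by_role = defaultdict(set)
    for role, obj, field, value in auths:
        if obj == "S_TCODE" and field == "TCD":
            by_role[role].add(value)
    return by_role


def review_roles(auths, sensitive=SENSITIVE_TCODES):
    """Return {role: {"wildcards": [...], "sensitive": {tcode: [values]}}} for
    every role that either carries a '*' in S_TCODE or reaches one of the
    sensitive transactions, explicitly or through a wildcard value."""
    findings = {}
    for role, values in s_tcode_values(auths).items():
        wildcards = sorted(v for v in values if "*" in v)
        reached = {}
        for tcode in sensitive:
            hits = sorted(v for v in values if tcode_matches(v, tcode))
            if hits:
                reached[tcode] = hits
        if wildcards or reached:
            findings[role] = {"wildcards": wildcards, "sensitive": reached}
    return findings


def format_report(findings, sensitive=SENSITIVE_TCODES):
    """Render findings as review lines: one per wildcard role and one per
    sensitive transaction reached, naming the value(s) that grant it."""
    lines = []
    for role in sorted(findings):
        f = findings[role]
        if f["wildcards"]:
            lines.append(f"{role}: wildcard S_TCODE value(s) {', '.join(f['wildcards'])}; "
                         "review and replace with specific values")
        for tcode, via in sorted(f["sensitive"].items()):
            lines.append(f"{role}: reaches {tcode} ({sensitive[tcode]}) via {', '.join(via)}")
    return lines


if __name__ == "__main__":
    for line in format_report(review_roles(SAMPLE_AUTHS)):
        print(line)
```

Run against a real export, the report is the worklist for the review the handbook asks for: each wildcard line is a value to narrow, and each sensitive line is an assignment to confirm against the role's purpose.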
InfoSet Query
Functional Overview
The InfoSet Query (InfoSet replaces the term functional area) functionality has been provided to allow users
greater flexibility in reporting across all areas of the SAP system. InfoSet Query has been developed from the HR
ad-hoc query reporting which was developed in prior versions of SAP.
InfoSet Query has been developed to provide users the tools necessary to quickly develop, and run data queries.
SIGNIFICANT RISKS
• Unauthorised access to sensitive and confidential data, including HR data.
CONFIGURATION HOT SPOTS
• Consideration should be given to logging reporting performed using InfoSet Query. In
order for logging to be available, it is necessary to configure this. Configuration of InfoSet
logging can be maintained through the IMG (Basis Components > SAP Query > Logging >
Determine InfoSets for Logging).
SECURITY CONSIDERATIONS
• Access to perform InfoSet Queries is defined using roles or SAP Query user groups. These
can be configured to restrict access to relevant and appropriate InfoSets.
• Procedures should be defined for the periodic review of InfoSet Query log data. This data
is recorded in the Query Logging table (AQPROT).
SQ01 | Query from User Group: Initial Screen | Used for the creation, change, deletion and execution of
InfoSet Queries.
SQ02 | InfoSet: Initial Screen | Used for the creation, change, deletion and execution of InfoSet Queries.
SAP Business Warehouse (BW)
Functional Overview
The SAP Business Warehouse is SAP’s data warehousing solution and is available to support SAP core functionality.
A Data Warehouse stores data in a format optimised for reporting in a separate system from the operational
system(s) that collect the transactional data. This allows the operational system (SAP R/3) to get on with the
real-time data processing, whilst the data warehouse (SAP–BW) caters for the resource intensive reporting
requirements.
SAP–BW includes the tools required to extract, standardise and maintain the data and to produce the reports.
As a Data Warehousing solution, SAP–BW is designed to work with any data source, not just SAP systems.
SIGNIFICANT RISKS
• Unauthorised access to sensitive and confidential data through the BW system.
CONFIGURATION HOT SPOTS
• In BW, field level authorisations will not be checked unless switched on. A user may
therefore be able to see data in the BW system for which they are not authorised in the
R/3 system. Important fields (characteristics) should be checked to ensure they are defined
as authorisation relevant.
• Reporting objects should be linked to infocubes where authorisation checks are required.
Where checks are required, authorisations should then be created for those infocubes and
assigned to appropriate users.
USEFUL REPORTS
Mass Maintenance
Functional Overview
Mass Maintenance functionality has been developed as an effective tool to maintain large amounts of data. For
example, the Mass Maintenance functions allow a user to change data in a large number of purchase orders or
requisitions through the execution of a single transaction.
- Material Master
- Vendor Master
- User Master
Users can operate the Mass Maintenance tool in dialog, background or a combination of both. The process can
be summarised as follows:
1. Select object to be changed
2. Select records to be changed
4. Specify change and execute
SIGNIFICANT RISKS
• Inappropriate or unauthorised change may be made to large amounts of data.
SECURITY CONSIDERATIONS
• Due to the increased risk associated with providing a user with the ability to maintain and
change large amounts of data simultaneously, access to the following key transactions
should be restricted to key experienced staff with authority to make changes:
KE55 (Mass Maintenance Profit Centre Master Data): Used to change one or more Profit Centre master records simultaneously.
KE56, KE57 (EC-PCA: Mass Maintenance Company Code Assignment): Used to change one or more Company Code assignments simultaneously.
OB_GLACC11, OB_GLACC12, OB_GLACC13 (G/L acct record: Mass maintenance): Used to change one or more G/L records simultaneously.
• Access should also be segregated from a user’s ability to delete the mass maintenance logs
that are generated when a user executes mass maintenance transactions.
MSL2 (Delete Mass Maintenance Logs): Allows for the deletion of the mass maintenance log, a key audit trail in the performance of Mass Maintenance.
USEFUL REPORTS
Procedures should be implemented for review of the Mass Maintenance log on a periodic
basis to ensure inappropriate mass maintenance actions are not occurring.
Workflow
Functional Overview
Workflow has become a feature of many SAP implementations where repetitive and often manual business
processes can be automated to achieve efficiency gains. Through automated routing of transactions, Workflow
is particularly suited to notification and approval tasks.
Human Resources processes such as ESS (Employee Self Service), Time Management and the Manager’s Desktop
in particular make extensive use of Workflow for the approval of tasks such as leave requests or the completion
of staff appraisals.
‘Deadline Monitoring’ can be incorporated in the design of workflows to issue reminders for items that have
not been actioned within a reasonable timeframe, or to escalate unactioned workflow items for the attention
of others. In addition, the Workflow administrator should review for slow moving, unprocessed or erroneous
transactions. These transactions can result in business dissatisfaction or inefficient business processes and should
be carefully monitored and resolved as required.
Below is an example of the use of Workflow in the Purchase Requisition (PR) creation and approval process.
Workflow example. Triggering event: PR raised over $5000. User task: PR sent to requester’s manager for approval.
SIGNIFICANT RISKS
• Rules for the system selecting an approver, or delegate of an approver are not correctly
defined. This is particularly an issue when the process is driven by the organisational
structure.
• Managers do not review workflow tasks and respond on a timely basis resulting in user
dissatisfaction and inefficient business processes.
• Deadline Monitoring processes are not put in place to monitor Workflow transactions.
SECURITY CONSIDERATIONS
• Access to the following Workflow related transactions should be restricted to authorised
users only.
USEFUL REPORTS
The following reports can be used in the administration of workflow:
SWI1 (Selection report for Work Items): Displays work items and their current statuses. Allows the selection and display of individual work items.
Procurement to payables
SECTION CONTENTS
Background .......................................................................................................................37
Background
An overview of the functionality, risks and controls of the procurement to payables component as at
Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. This functionality has undergone
a number of changes since that release; these changes have been implemented to improve efficiency and controls
within the procurement to payables processes and are detailed across the following sections:
Automatic PO Creation
On entry of a goods receipt for which a PO has not been created, it is possible to configure the SAP system so
that these POs are automatically created.
Enterprise Buyer Professional (EBP)
Functional Overview
EBP (previously BBP) was developed to allow users to purchase predefined products from approved vendors using
an on-line catalogue. Users browse through the on-line catalogue selecting products and required quantities
that are then put into a user's Shopping Cart.
Process steps: Requester submits ‘shopping trolley’ and Workflow routes to delegate or approver. Requester enters goods receipt into EBP.
Catalogues available to users may be internal or external. Where external catalogues are available, the approved
vendors can maintain these.
EBP users do not enter prices or material descriptions as these are selected from the catalogue. Most header
information for the order is automatically populated by EBP (e.g. delivery date which is populated through the
use of the Vendor Info Record and Vendor is automatic from the catalogue).
The EBP user specifies the deliver-to address from a list of pre-defined configured deliver-to addresses.
The EBP system resides on a separate SAP installation to the core SAP system and therefore requires a separate
SAP Basis installation. This means that Basis settings and parameters should also be correctly configured to
appropriately control the EBP environment.
SIGNIFICANT RISKS
• Approval processes and Workflow are not appropriately defined resulting in unauthorised
procurement of goods.
• Limits for shopping trolley, approval levels or minimum value of shopping trolleys not
requiring approval may not be correctly configured resulting in inappropriate procurement
of goods.
• Invoices can be entered via EBP resulting in increased risk of inappropriate access or
segregation of duties risks.
CONFIGURATION HOT SPOTS
• Back end interfacing systems should be defined to ensure that data is interfaced
appropriately. This will generally mean defining the interface between the EBP system and
the core R/3 system.
• Fields, or attributes, to appear on EBP screens should be defined. This will include defining
the user groups and activities that can be performed for each of the fields (for example,
define that the requester can ‘change’ the deliver-to address).
• Product catalogues should be configured to ensure that users are able to appropriately
select from approved internal or external sources.
• Appropriate delegation limits should be configured for EBP transactions. For example,
consideration should be given to the configuration of the following through Workflow
events.
Condition and example:
No Approval: Where shopping trolleys are less than an approved amount, the Workflow may be configured so that No Approval is required. Limits should be applied in line with delegation policy.
Single Approval: Where the shopping trolley is greater than the No Approval limit, manager approval should be required and configured through Workflow. This should ideally be driven from the organisational structure.
For example, POs may be automatically generated following the entry and approval of
an EBP transaction. Alternatively, purchase requisitions may be generated and require a
Purchasing Officer to create the PO.
• Payment terms configured in the EBP system should correspond with those defined in the
core SAP system to ensure that there are no inconsistencies.
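The Workflow example above (a PR over $5000 routed to the requester’s manager) and the No Approval / Single Approval conditions in the table, worked through as an added Python example. This is not code from the handbook or from SAP: the organisational structure, user ids and limits are constructed, and the manager/delegate lookup stands in for the organisational-structure-driven approver determination the text describes. It also flags two routing defects the Significant Risks list names, a requester with no derivable approver and one who would approve their own trolley, and checks that the No Approval limit does not exceed the delegation policy limit.

```python
"""Approval routing for EBP shopping trolleys driven by value limits and the
organisational structure.

Added example, not code from the ANAO handbook or from SAP. All user ids,
limits and the organisational structure below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ApprovalLimits:
    no_approval_limit: float        # trolleys at or below this value need no approval
    delegation_policy_limit: float  # highest value the delegation policy allows unapproved


@dataclass
class OrgStructure:
    """Constructed stand-in for the organisational structure Workflow reads."""
    manager_of: Dict[str, Optional[str]]
    delegates: Dict[str, str] = field(default_factory=dict)  # manager -> delegate acting for them

    def approver_for(self, requester: str) -> Optional[str]:
        manager = self.manager_of.get(requester)
        if manager is None:
            return None
        # A delegate, where maintained, stands in for the manager.
        return self.delegates.get(manager, manager)


def approval_route(amount: float, limits: ApprovalLimits,
                   requester: str, org: OrgStructure) -> dict:
    """Decide the Workflow route for one trolley and report routing defects."""
    if amount < 0:
        raise ValueError("trolley value cannot be negative")
    if amount <= limits.no_approval_limit:
        return {"condition": "No Approval", "approver": None, "findings": []}

    findings: List[str] = []
    approver = org.approver_for(requester)
    if approver is None:
        findings.append("no approver derivable from the organisational structure")
    elif approver == requester:
        findings.append("requester would approve their own trolley")
        approver = None
    return {"condition": "Single Approval", "approver": approver, "findings": findings}


def check_limits(limits: ApprovalLimits) -> List[str]:
    """Flag a No Approval limit set above what the delegation policy permits."""
    findings = []
    if limits.no_approval_limit > limits.delegation_policy_limit:
        findings.append(
            f"No Approval limit {limits.no_approval_limit:.2f} exceeds the "
            f"delegation policy limit {limits.delegation_policy_limit:.2f}")
    return findings


# Constructed configuration using the $5000 threshold from the Workflow example.
LIMITS = ApprovalLimits(no_approval_limit=5000.00, delegation_policy_limit=5000.00)
BAD_LIMITS = ApprovalLimits(no_approval_limit=7500.00, delegation_policy_limit=5000.00)

# Constructed org structure with two deliberate defects: 'mbrown' is recorded
# as their own manager and 'klee' has no manager at all.
ORG = OrgStructure(
    manager_of={"jsmith": "mbrown", "ahall": "pwong", "mbrown": "mbrown", "klee": None},
    delegates={"pwong": "tnguyen"},
)

if __name__ == "__main__":
    for user, value in [("jsmith", 4999.99), ("jsmith", 5000.01),
                        ("ahall", 12000.00), ("mbrown", 7000.00), ("klee", 7000.00)]:
        print(user, value, approval_route(value, LIMITS, user, ORG))
    print(check_limits(BAD_LIMITS))
```

Running the module prints the route for each constructed trolley; the `findings` list is what a reviewer of the Workflow configuration would act on, since a trolley above the limit with no valid approver would otherwise sit unprocessed or be approved by its own requester.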
SECURITY CONSIDERATIONS
• The EBP system resides on a separate instance of SAP and interfaces with a core SAP
system. The EBP system Basis components should be appropriately configured and
secured.
USEFUL REPORTS
BBP_BW_SC3, BBP_BW_SC4 (Shopping Carts per product or per Cost Center): Business Warehouse reports used to display summarised shopping cart information.
EBP is an extension of existing procurement functionality and, as such, core SAP reports
applicable to procurement are equally applicable to EBP processes.
Workflow is key to successful operation of EBP. Work items may be left in error or not resolved
resulting in failure of the EBP process. Processes should be put in place for the running of
control reports to ensure that all transactions are processed appropriately.
Consideration should also be given to reviewing reports detailing catalogue content changes
for all external catalogues to ensure these are appropriate.
Vendor Field Groups
Field groups are an effective way of restricting access to maintain highly sensitive master data (including bank
details) from other general data (such as phone numbers) which a larger group of users may require access to
maintain.
Dual control can be used for both customer and vendor master records to improve controls over key fields. When
a change is made to a sensitive field the SAP system can be configured to require release of a change made.
SIGNIFICANT RISKS
Details of risks associated with the vendor master data are provided on Page 21 of the Security
and Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:
• Unauthorised changes to vendor master data details may result in inappropriate payment.
CONFIGURATION HOT SPOTS
• Vendor field groups should be appropriately defined. This is generally best achieved by
defining logical sets of fields (e.g. segregating address and payment information into
different vendor field groups).
SECURITY CONSIDERATIONS
• Access to maintain field groups, including assignment of fields to field groups, should be
restricted.
Dual Control
Functional Overview
Dual Control has been provided to have greater control over changes to sensitive data. When configured, the
Dual Control functionality creates segregation between the changing and approval of changes to sensitive fields.
This is applicable to both the vendor and customer master records.
SIGNIFICANT RISKS
Details of risks associated with the Vendor Master are provided on Page 21 of the Security and
Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:
CONFIGURATION HOT SPOTS
• Fields that require dual control must be configured as sensitive fields. When configured,
each change to the field is subject to an independent confirmation. It should be noted
that a user cannot confirm their own changes.
• Processes for the confirmation of changes should be configured. This can be performed
through Workflow events or through manual processes.
SECURITY CONSIDERATIONS
• Access to define sensitive fields should be appropriately restricted to ensure that fields are
not inappropriately removed from the sensitive fields table.
FK09 (Confirm Vendor Changes List): Used to list vendor changes that require confirmation.
USEFUL REPORTS
Lists of changes that are waiting to be confirmed can be generated using transaction FK09
(Vendor Changes List) and FD09 (Customer Changes List).
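The dual control rule described above, modelled as an added Python example that is not code from the handbook or from SAP: a change to a field configured as sensitive is held pending until a different user confirms it, a user cannot confirm (or reject) their own change, and the pending list is the equivalent of what a confirmation list such as FK09 shows. The sensitive field set, vendor numbers and user ids are constructed.

```python
"""Dual control (four-eyes) register for sensitive vendor master fields.

Added example, not code from the ANAO handbook or from SAP. Field names,
vendor numbers and user ids are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed set of fields configured as sensitive (the real set is agency configuration).
SENSITIVE_VENDOR_FIELDS = {"bank_account", "bank_key", "alternative_payee"}


@dataclass
class FieldChange:
    vendor: str
    field: str
    old_value: str
    new_value: str
    changed_by: str
    status: str = "effective"          # effective | pending | confirmed | rejected
    reviewed_by: Optional[str] = None


class DualControlRegister:
    """Holds changes and enforces the independent-confirmation rule."""

    def __init__(self, sensitive_fields: Iterable[str]):
        self.sensitive_fields = set(sensitive_fields)
        self.changes: List[FieldChange] = []

    def record_change(self, vendor: str, field: str, old_value: str,
                      new_value: str, user: str) -> FieldChange:
        # Only sensitive fields are held for confirmation; other fields take effect at once.
        status = "pending" if field in self.sensitive_fields else "effective"
        change = FieldChange(vendor, field, old_value, new_value, user, status)
        self.changes.append(change)
        return change

    def _review(self, change: FieldChange, reviewer: str, outcome: str) -> FieldChange:
        if change.status != "pending":
            raise ValueError(f"change is {change.status}, not pending")
        if reviewer == change.changed_by:
            raise PermissionError("a user cannot confirm or reject their own change")
        change.status = outcome
        change.reviewed_by = reviewer
        return change

    def confirm(self, change: FieldChange, reviewer: str) -> FieldChange:
        return self._review(change, reviewer, "confirmed")

    def reject(self, change: FieldChange, reviewer: str) -> FieldChange:
        return self._review(change, reviewer, "rejected")

    def pending(self, vendor: Optional[str] = None) -> List[FieldChange]:
        """Changes awaiting confirmation, optionally for one vendor (cf. FK09)."""
        return [c for c in self.changes
                if c.status == "pending" and (vendor is None or c.vendor == vendor)]


if __name__ == "__main__":
    reg = DualControlRegister(SENSITIVE_VENDOR_FIELDS)
    bank = reg.record_change("V-EXAMPLE-100", "bank_account", "111222", "999888", "apclerk")
    reg.record_change("V-EXAMPLE-100", "telephone", "02 0000 0000", "02 1111 1111", "apclerk")
    print("pending:", [(c.vendor, c.field) for c in reg.pending()])
    try:
        reg.confirm(bank, "apclerk")
    except PermissionError as exc:
        print("self-confirmation refused:", exc)
    reg.confirm(bank, "apsupervisor")
    print("pending after confirmation:", reg.pending())
```

The telephone change takes effect immediately while the bank account change waits in the pending list; the same clerk’s attempt to confirm it is refused, and a second user’s confirmation clears the list.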
Blanket Purchase Orders
Functional Overview
Up until Release 4.0A, a Purchase Order (PO) would generally need to be created for each requirement, including
orders placed for goods that were to be consumed immediately. The PO served as the basis for the creation of
the goods receipt (if required) and for the invoice verification process.
As of Release 4.0A, Blanket POs make it possible to create a PO with a value limit and a validity period
instead of a delivery date. These documents are created with document type ‘FO’ and item category B
(Limit).
The benefit of utilising Blanket POs is that a user can procure various materials or services from
vendors in cases where the creation and processing of individual POs is not deemed economical. Blanket POs
would generally be utilised for low value, high use items for which this process is deemed appropriate.
It should be noted that in order to utilise Blanket POs, Logistics Invoice Verification (LIV) must be used.
SIGNIFICANT RISKS
• No goods receipt or entry and acceptance of services is required with Blanket Purchase
Orders. Invoices are posted directly with reference to the order which may result in bypass
of purchasing controls.
CONFIGURATION HOT SPOTS
• Tolerances specific to Blanket Purchase Orders should be correctly configured to ensure
that invoices exceeding these limits are blocked for review.
SECURITY CONSIDERATIONS
• Access to create or change Blanket Purchase Orders should be restricted due to the
increased risks associated with them. This may be achieved by restricting users’ access
to document type FO.
• Access should be restricted to transactions which can be used to create purchase orders
including:
ME22, ME22N (Change Purchase Order): Transactions used to change existing POs.
USEFUL REPORTS
While there are no Blanket Purchase Order specific SAP delivered standard reports,
management should consider developing reporting to identify the following:
• Blanket POs that have expired or are about to expire and require re-assessment and
potentially recreation.
• Blanket POs that have been created to ensure that these are appropriate and approved.
This may be produced using standard reports selected on the Blanket PO document type.
Logistics Invoice Verification
Functional Overview
Logistics Invoice Verification (LIV) has undergone a number of enhancements up to Version 4.6C of SAP. LIV is
part of the Materials Management component and is used to complete the procurement process.
LIV has been developed based on the conventional invoice verification processes and as such, this section should
be read in conjunction with page 39 of the Security and Control for SAP R/3 handbook — Procurement to
Payables section. Functions of the conventional invoice verification processes are available through LIV, however
these separate components may continue to be run in tandem.
LIV provides additional functionality that was not available in the conventional invoice verification processes,
including the disbursement of information to the Materials Management and Finance components. Additional
functionality has been developed by SAP for the LIV process, which includes but is not limited to the following:
• Multiple account assignments or multiple company codes for posting can be used.
• The system can be configured to automatically post a credit memo for the difference between the value
of the invoice and the value for which the system expected an invoice. This can be particularly useful for
vendors who consistently over-charge.
• Workflow can be integrated into the invoice process to aid in the resolution of blocked invoices.
SIGNIFICANT RISKS
Significant risks associated with LIV are detailed in the Security and Controls for SAP R/3
Handbook page 40 that discusses the invoice verification process. These include the following:
• Invoices may not match the corresponding purchase order and/or goods receipt. However,
they may still be processed for payment.
• Invoices may be processed that do not relate to a valid purchase order in the system.
CONFIGURATION HOT SPOTS
• LIV invoices can be processed in the background. Where background processing occurs,
the system can be configured to assign the status of ‘Verified as correct’ or ‘Completed’
on a Company Code by Company Code basis. Consideration should be given to configuring
background-processed invoices as ‘Verified as correct’ so that these invoices can then,
following review, be marked as ‘Completed’.
• Tolerance groups can be configured for individual vendors (Transaction OMRX). Tolerance
groups define the way the system reacts to positive or negative invoice differences.
Tolerance groups, once defined, can be assigned to each vendor in the vendor master record and
can be effective in reducing processing time where vendors consistently over-charge. This
is achieved by configuring the system to treat the variances received appropriately.
• Where invoices are blocked, Workflow events can be triggered. Typically the blocking of an
invoice will trigger a Workflow item to the buyer, who can then change the PO, release
the invoice items or flag the invoice as in dispute.
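The tolerance-group control above and the Blanket PO tolerance hot spot earlier in this section, worked through as an added Python example (not code from the handbook or from SAP). The first check blocks an invoice whose positive or negative difference from the value the system expected exceeds the vendor’s tolerance group; the second checks an invoice posted against a Blanket PO (document type FO, no goods receipt) for the value limit and validity period. The tolerance fields, limits, PO number and invoice values are constructed, and the rule that exceeding either the absolute or the percentage limit blocks the invoice is a simplifying assumption of the example.

```python
"""Invoice-difference tolerance and Blanket PO limit checks.

Added example, not code from the ANAO handbook or from SAP. Field names,
limits, PO number and invoices are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class ToleranceGroup:
    """Constructed shape of a vendor tolerance group."""
    upper_abs: float   # largest over-charge accepted, in document currency
    upper_pct: float   # largest over-charge accepted, in percent of expected value
    lower_abs: float   # largest under-charge accepted, in document currency
    lower_pct: float   # largest under-charge accepted, in percent


@dataclass(frozen=True)
class BlanketPO:
    number: str
    doc_type: str            # 'FO' for a Blanket PO, per the handbook
    value_limit: float
    valid_from: date
    valid_to: date
    invoiced_to_date: float  # value already invoiced against the limit


def invoice_difference_status(expected: float, invoiced: float,
                              tol: ToleranceGroup) -> Tuple[str, List[str]]:
    """Return ('ok' | 'blocked', reasons) for one invoice item.

    Assumption: the item is blocked when either the absolute or the
    percentage limit on the relevant side is exceeded.
    """
    if expected <= 0:
        raise ValueError("expected value must be positive")
    diff = invoiced - expected
    pct = diff / expected * 100.0
    reasons = []
    if diff > 0 and (diff > tol.upper_abs or pct > tol.upper_pct):
        reasons.append(f"over-charge {diff:.2f} ({pct:.1f}%) exceeds upper tolerance")
    if diff < 0 and (-diff > tol.lower_abs or -pct > tol.lower_pct):
        reasons.append(f"under-charge {-diff:.2f} ({-pct:.1f}%) exceeds lower tolerance")
    return ("blocked" if reasons else "ok", reasons)


def blanket_po_invoice_status(po: BlanketPO, invoice_amount: float,
                              posting_date: str) -> Tuple[str, List[str]]:
    """Check an invoice posted against a Blanket PO (no goods receipt exists).

    posting_date is an ISO date string such as '2004-03-01'.
    """
    if invoice_amount <= 0:
        raise ValueError("invoice amount must be positive")
    posted = date.fromisoformat(posting_date)
    reasons = []
    if po.doc_type != "FO":
        reasons.append("document type is not FO (not a Blanket PO)")
    if not (po.valid_from <= posted <= po.valid_to):
        reasons.append("posting date outside the PO validity period")
    cumulative = po.invoiced_to_date + invoice_amount
    if cumulative > po.value_limit:
        reasons.append(f"cumulative invoiced value {cumulative:.2f} exceeds "
                       f"value limit {po.value_limit:.2f}")
    return ("blocked" if reasons else "ok", reasons)


# Constructed data
TOL = ToleranceGroup(upper_abs=50.00, upper_pct=5.0, lower_abs=25.00, lower_pct=2.5)
BLANKET = BlanketPO(number="PO-EXAMPLE-0001", doc_type="FO", value_limit=10000.00,
                    valid_from=date(2003, 7, 1), valid_to=date(2004, 6, 30),
                    invoiced_to_date=9500.00)

if __name__ == "__main__":
    for expected, invoiced in [(1000.0, 1040.0), (1000.0, 1060.0),
                               (400.0, 430.0), (1000.0, 980.0), (1000.0, 960.0)]:
        print(expected, invoiced, invoice_difference_status(expected, invoiced, TOL))
    print(blanket_po_invoice_status(BLANKET, 400.00, "2004-03-01"))
    print(blanket_po_invoice_status(BLANKET, 600.00, "2004-03-01"))
    print(blanket_po_invoice_status(BLANKET, 400.00, "2004-07-15"))
```

The 400/430 case shows why both limits matter: the 30.00 over-charge is within the absolute limit but is 7.5% of the expected value, so it is still blocked. The Blanket PO cases show an invoice inside the limit and period passing, one that would take the cumulative value over the limit being blocked, and one posted after the validity period being blocked.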
SECURITY CONSIDERATIONS
• With the introduction of LIV, a number of new transactions have been created which
should be appropriately restricted. Consideration should be given to restricting access to
the following key LIV transactions:
MIR7 (Park Invoice): Used to park invoices where ‘Park and Post’ functionality is utilised.
MIRA (Enter Invoices for Invoice Verification in the Background): Processes invoices for verification via background processing.
MRBR (Release Blocked Invoices): Allows the user to release blocked invoices for processing and payment.
• As with all invoice processes, consideration should be given to restricting access to invoice
verification functions by company code and plant.
• Access to the authorisation object ‘Invoices: Blocking reasons’ should also be restricted to
ensure that only authorised users are able to release blocked invoices. It is critical that the
releasing function be segregated from invoice entry, to ensure that the approval processes
are not compromised.
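A segregation-of-duties check covering the two conflicts this page identifies, as an added Python example (not code from the handbook or from SAP): mass maintenance access held together with the ability to delete mass maintenance logs (MSL2, in the Basis section above), and invoice entry held together with the release of blocked invoices (MRBR). It expands user-to-role-to-transaction assignments of the kind an agency would export from its role tables; the role names, user ids and role contents are constructed, and the transaction codes are the ones named on this page, plus SM21 and MIR4 as filler in the constructed roles.

```python
"""Segregation-of-duties (SoD) check over SAP role assignments.

Added example, not code from the ANAO handbook or from SAP. Role names,
user ids and role contents are constructed; the conflict rules use the
transaction codes named in the handbook text.
"""
from typing import Dict, List, Set, Tuple

# Transaction sets taken from the handbook text.
MASS_MAINT_TCODES = {"KE55", "KE56", "KE57", "OB_GLACC11", "OB_GLACC12", "OB_GLACC13"}
MASS_MAINT_LOG_DELETE = {"MSL2"}
INVOICE_ENTRY_TCODES = {"MIR7", "MIRA", "FB60"}
INVOICE_RELEASE_TCODES = {"MRBR"}

# Each rule: a name and two sides that one person should not hold together.
SOD_RULES: List[Tuple[str, Set[str], Set[str]]] = [
    ("mass maintenance + deletion of mass maintenance logs",
     MASS_MAINT_TCODES, MASS_MAINT_LOG_DELETE),
    ("invoice entry + release of blocked invoices",
     INVOICE_ENTRY_TCODES, INVOICE_RELEASE_TCODES),
]

# Constructed role contents and user assignments.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_FI_MASS_MAINT": {"KE55", "KE56", "KE57", "OB_GLACC11"},
    "Z_BASIS_LOG_ADMIN": {"MSL2", "SM21"},
    "Z_AP_INVOICE_ENTRY": {"MIR7", "MIRA", "FB60"},
    "Z_AP_INVOICE_RELEASE": {"MRBR"},
    "Z_AP_DISPLAY": {"MIR4"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "fiadmin": {"Z_FI_MASS_MAINT", "Z_BASIS_LOG_ADMIN"},
    "apclerk": {"Z_AP_INVOICE_ENTRY"},
    "apsuper": {"Z_AP_INVOICE_ENTRY", "Z_AP_INVOICE_RELEASE"},
    "aprelease": {"Z_AP_INVOICE_RELEASE", "Z_AP_DISPLAY"},
}


def effective_tcodes(user: str, user_roles: Dict[str, Set[str]],
                     role_tcodes: Dict[str, Set[str]]) -> Set[str]:
    """Union of the transactions reachable through all of a user's roles."""
    tcodes: Set[str] = set()
    for role in user_roles.get(user, set()):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def sod_conflicts(user_roles: Dict[str, Set[str]], role_tcodes: Dict[str, Set[str]],
                  rules=SOD_RULES) -> List[dict]:
    """Report every user holding transactions on both sides of a rule."""
    findings = []
    for user in sorted(user_roles):
        have = effective_tcodes(user, user_roles, role_tcodes)
        for name, side_a, side_b in rules:
            a, b = have & side_a, have & side_b
            if a and b:
                findings.append({"user": user, "rule": name,
                                 "side_a": sorted(a), "side_b": sorted(b)})
    return findings


def users_with_access(tcodes: Set[str], user_roles: Dict[str, Set[str]],
                      role_tcodes: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Users holding any of the given sensitive transactions, for periodic access review."""
    out: Dict[str, List[str]] = {}
    for user in sorted(user_roles):
        hit = effective_tcodes(user, user_roles, role_tcodes) & tcodes
        if hit:
            out[user] = sorted(hit)
    return out


if __name__ == "__main__":
    for f in sod_conflicts(USER_ROLES, ROLE_TCODES):
        print(f"{f['user']}: {f['rule']} via {f['side_a']} and {f['side_b']}")
    print("mass maintenance access:", users_with_access(MASS_MAINT_TCODES, USER_ROLES, ROLE_TCODES))
```

On the constructed data the check reports `apsuper` (enters and releases invoices) and `fiadmin` (performs mass maintenance and can delete its log); `apclerk` and `aprelease` each hold only one side and are clean. In practice the same expansion would be run over the agency’s real role export, and the rule list extended with the other conflicts the handbook identifies.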
Automatic PO Creation
Functional Overview
Release 4.0A enables the SAP system to be configured to automatically create a Purchase Order (PO) during the
Goods Receipt (GR) process. In order for this process to occur, standing data must be created as SAP valuates
the GR at the price defined in the Purchasing Info Record.
SIGNIFICANT RISKS
• Automatic creation of POs at the point of GR results in bypass of purchase order controls
(e.g. electronic approval).
CONFIGURATION HOT SPOTS
• In order for this to occur each plant must be assigned to a purchasing organisation so that
the system can determine the purchasing info records.
SECURITY CONSIDERATIONS
• Where automatic creation of a GR is available, access to process Goods Receipts should be
restricted to appropriate staff.
MB01 (Post Goods Receipt for PO): Transaction used to process a Goods Receipt where a PO is available.
MB0A (Post Goods Receipt for PO): Transaction used to process a Goods Receipt where a PO is available.
MB1C (Other Goods Receipts): Allows for the processing of Goods Receipts other than by reference to a PO.
USEFUL REPORTS
While there are no specific SAP delivered standard reports with regard to automatically
created POs, consideration should be given to developing reports to identify POs created to
ensure that these are approved and generated in line with business process requirements.
Financial accounting
SECTION CONTENTS
Background .......................................................................................................................55
Background
An overview of the functionality, risks and controls of the Financial Accounting module as at Version 3.1H
is covered within the full Better Practice Handbook for SAP R/3. The Financial Accounting module of SAP has
undergone a number of changes since Version 3.1H. Whilst many of these changes do not have a significant
controls impact, there are a number where additional control functionality has been made available through
enhancements. These are detailed in the following subsections:
General Ledger
Since the General Ledger forms the core of the SAP financials package, very few significant changes have been
applied to this area. However, a number of additional inherent and configurable controls have been added to
enhance the control environment.
Key changes to the General Ledger area include the addition of true reversal functionality simplifying reversal
postings and the inclusion of a cash journal to enhance control over cash management activities.
Asset Accounting
Significant enhancements have been made around the Asset Accounting module. These have resulted in
improved asset management functionality. A key change in the Asset Management module is the introduction
of the Asset Explorer for improved asset reporting.
General Ledger
Functional Overview
A number of changes and enhancements have been made to the General Ledger since Release 3.1H. These
changes are outlined below:
As of Release 4.0A, reverse postings and adjustment postings can be indicated as negative postings. Negative
postings reduce transaction figures in customer, vendor, and G/L accounts without having to reverse the
document by posting a reversal document. This type of reversal is called a true reversal.
The true reversal functionality allows reversal postings to be traced back to original documents. This improves
accuracy of document reversals since these can now reference the original document.
In SAP Release 4.5B, reversal reason codes have been made mandatory fields. A number of default reversal reason
codes have been configured in SAP as standard, however additional codes may be configured.
Mandatory requirement for reversal reason codes adds additional control over the reversal of documents and
provides enhanced audit trail over the reversal of documents.
As of SAP Release 4.5A, it is now possible to distribute exchange rates between SAP systems using Application
Link Enabling (ALE) technology. This improves controls over exchange rates ensuring these are consistent across
SAP systems and improves ease of maintenance.
• Cash Sub-Journals
The cash journal is a bank accounting sub ledger available for the management and reporting of cash positions.
The cash journal can be used independently of other posting transactions allowing more flexibility and accuracy
in cash management reporting.
The benefit of the cash journal is that opening and closing balances, as well as receipts and payments balances
are automatically calculated and displayed. The cash journal would also allow an agency to run more than one
cash journal per company code and to run separate cash journals for each currency.
Prior to 4.5A, payments in alternative currency could only be created and posted manually. As of 4.5A, it is
possible to enter a payment currency (which can differ to the standard currency of the document) for open
items to be paid automatically by the payment run. Users can specify an amount equal to the gross amount of
the item in the payment currency. The payment currency is supported in both Accounts Payable and Accounts
Receivable.
This facility reduces the risk of errors through removal of manual currency calculations.
The screen layout for G/L account master records has been reorganized to allow for G/L account master records
to be edited from the data screen.
Mass maintenance functionality is also available for G/L account master records to improve efficiency and
accuracy (refer to Basis and Cross Application Components of this handbook update for more detail).
As of 4.6A, tolerances for G/L account clearing have been extended. These tolerances, which are defined for a
user and an account, are used to determine whether the system will issue error messages to the user or post the
differences automatically.
These tolerances can be used to further restrict general tolerances that are in place for particular users or G/L
accounts as required.
Since Release 4.5, new interfaces are available relating to Electronic Funds Transfer (EFT) and banking across
GL, AR and AP. These interfaces provide enhancements to electronic banking functionality allowing analysis of
notes to payees, the creation of custom electronic banking methods and the determination of business partners
from remittance advices.
The new functionality also enables central check routines and alternative check algorithms to be used when the
system checks banking attributes.
This extension of the standard banking interface controls provides greater flexibility in control procedures around bank
interfaces. It also allows for automatic checking of banking attributes using appropriate check routines and/or
algorithms.
As of SAP Release 4.6C, it is possible to configure requests for master data changes to be sent via the Intranet/
Internet. The requester can request the creation, change, deletion or locking of G/L Account master data.
In this scenario a user will fill out a request form for the master data change in the Intranet/Internet. In the form,
the requester describes the reason for the request and submits to the responsible processor or processing group. The
processor or processing group then receives the request in their inbox or Workflow inbox in the SAP R/3 System.
The request form can be accessed from there, as can the transactions needed for processing master data.
This provides an improved audit trail and control over changes to G/L account master data.
For documents posted in foreign currency, it is now possible to post the rounding differences to a separate
revenue/expense account. This allows for greater control over variances providing standardisation and efficiency
in the handling of rounding errors.
SIGNIFICANT RISKS
Risks and controls as defined on page 72 of the Security and Control for SAP R/3 Handbook
remain relevant. Additional risks relevant to the new functionality include:
• Inappropriate changes are made to General Ledger master data or the Chart of Accounts
through the use of mass maintenance functions.
CONFIGURATION HOT SPOTS
• Consideration should be given to whether negative postings are permitted for each
company code. Where true document reversals and negative postings are appropriate,
reversal reasons should be reviewed and configured to ensure they are in line with
business requirements and provide appropriate reasons for analysis purposes.
• Where required, alternative payment currencies should be configured. This will include:
– defining appropriate accounts including clearing accounts for instances where payment
differences occur as a result of payment currency.
• Where processes have been implemented for the request of G/L Account Master Data
changes via the Internet/Intranet, appropriate approvals through Workflow should be
configured.
SECURITY CONSIDERATIONS
• New GL authorisation objects have been provided and should be taken into consideration
when defining security.
• Existing roles should be reviewed to establish whether or not the new authorisation
objects should be added.
FS10N, FD10N, FK10N (G/L Account Balance): Enjoy transaction versions of FS10, FD10 and FK10.
FB60 (Invoice Data Entry; Invoice/Credit Fast Entry): Update of the previously used F-43 and FB10.
USEFUL REPORTS
Improvements have been made in reporting of line items where a negative posting to an
account has taken place. To make the deriving of balances from the line item amounts easier,
negative postings are marked with a minus sign behind the posting key (or with a special
G/L indicator where necessary). This enhancement is aimed at eliminating errors by making
balances and line item reports easier to read and interpret.
Asset Accounting
Functional Overview
A number of changes have been implemented to enhance functionality around Asset Accounting.
Asset number ranges which were previously assigned only by asset class can now be further defined based on
other fields in the asset master record, such as location and cost centre.
Up to now, it has been possible to create asset classes from an asset G/L account using the asset class generator.
An on-screen help wizard is now available to automate this process.
Previously, it was possible to create two different asset classes with the same name when using the asset class
generator. The system now prevents this from happening and assists in ensuring completeness and accuracy of
data input.
Since SAP Release 4.5A, an asset can be created from the purchase order and purchase requisition creation
transactions, where Materials Management is being used.
Asset master data information is entered through dialog boxes and directly into the asset master data
transactions. The user therefore requires appropriate access to create assets in order to utilise this functionality.
Where assets are not created appropriately, these are identifiable through the incomplete asset reporting
processes which were previously available in SAP.
With Release 4.0A, when assets are to be transferred between companies within a single SAP instance, the system
enables a user to post completely from the sending company code. The system automatically performs receiving
and asset creation if necessary in the receiving company code.
Please note, however, that this function is only available for transfers within a single client. Transfers between
clients or systems must be posted in two steps (retirement and acquisition).
Multiple assets can be created in one transaction provided they have identical asset classes and company codes.
When saved, a range of main or sub numbers and individual descriptions are assigned.
Previously, a user would need to create assets one-by-one, copy assets or create all assets as one asset in a
group asset.
The Asset Value Date is the date used when posting asset transactions and has a direct influence on the
depreciation calculations. Previously, the rules for determining the asset value date for Asset Accounting
transactions were hard coded in SAP; functionality is now available to configure these dates.
While Asset Value Date customisation provides additional flexibility in calculating asset values, this may lead to
inaccurate asset value dates and values being applied.
SIGNIFICANT RISKS
Risks and controls as defined on page 94 of the Security and Control for SAP R/3 Handbook
remain relevant. Additional risks relevant to the new functionality include the following:
• Asset master records may not be set up correctly or may not contain all necessary data.
CONFIGURATION HOT SPOTS
• Asset Value Dates should not be configured unless required. If configuring of Asset Value
Dates is necessary, care should be taken to ensure these are in line with business and
accounting requirements.
SECURITY CONSIDERATIONS
• New Asset Accounting authorisation objects have been provided and should be taken into
consideration when defining security.
• Existing roles should be reviewed to establish whether or not the new authorisation
objects should be added.
USEFUL REPORTS
The Asset Explorer provides information on posted and planned asset values. This tool, accessed through
transaction AW01N, provides the functions available in the previous asset value display transaction, but extends
them with improved access to and display of asset information such as depreciation areas, asset master data and
current year transactions. The Asset Explorer also provides functions for printing the values as required.
Another change in reporting applicable to Asset accounting is the change from program
RASKBU00 for periodic posting of changes to asset values in a depreciation area, to a new
program RAPERB00. In Version 4.6C, report RASKBU00 no longer exists.
Controlling
SECTION CONTENTS
Background 66
Controlling 66
Functional Overview 66
Background
An overview of the functionality, risks and controls of the Controlling (CO) module as at Version 3.1H
is covered within the full Better Practice Handbook for SAP R/3. The Controlling module has undergone a
number of enhancements and changes since this release; this has included the introduction of master data
enhancements and an alternative CO authorisation concept.
This section outlines the significant changes that have taken place in the controlling module since 3.1H and the
impact that this has had on security and controls.
Controlling
Functional Overview
A number of changes and enhancements have been made to the CO Module since Release 3.1H. These changes
are outlined below:
From Release 4.6A, the system creates corresponding CO documents for parked documents from the Financial
Accounting and Materials Management components.
This enables CO postings to be parked and later posted, creating a segregation and approval process.
As of Release 4.0A, it is possible to add additional master data fields for cost elements, cost centres, activity
types, and business processes. SAP allows the maintenance of these new fields within the original master data
processing locations.
When adding these master data fields, consideration should be given to the nature of this information and
whether additional custom security checks for these fields should be used.
As of SAP Release 4.6C, it is possible to put approval processes for master data changes in place via the Intranet/
Internet. The process for approval of these changes can be configured by workflow or other means.
Implementation of this approval process can provide an audit trail of reasons for changes to Controlling master
data and ensure that changes to Controlling master data will always have appropriate approvals.
A test run function is available to check whether master data selected for deletion has any dependencies that
may cause issues, should the deletion process take place. The test run completes extensive checks of dependent
data; reporting on data that might be affected by the proposed deletion(s), and preventing deletion where
dependent data is present.
• Manager’s Desktop
As of Release 4.6A, Controlling reporting has been integrated into the Manager’s Desktop. (For more detail on
the Manager’s Desktop, see the Human Resources section of this handbook update).
As of Release 4.0A, line items in the reconciliation ledger have been extended to include a field for G/L account.
This field records the G/L account to which the reconciliation posting was made in Financial Accounting. This
can be the account corresponding to the cost element or an adjustment account.
SIGNIFICANT RISKS
• As detailed on page 110 of the Security and Control for SAP R/3 Handbook, the
significant risk associated with the Controlling component is that transaction postings
in the SAP application modules may not update the Controlling module if the central
interface is not appropriately configured.
CONFIGURATION HOT SPOTS
• If reconciliation line items currently exist which do not have the Reconciliation Account
field completed, it will be necessary to obtain values and fill in the account field. This can
be achieved by executing the program ‘RKAKALX2’.
SECURITY CONSIDERATIONS
• From Release 4.0, the authorisation concept for controlling has been revisited. This has
resulted in the introduction of two new authorisation fields against which users can be
checked:
Each transaction in the Controlling module creates both an activity (e.g. create or change)
and a CO Action. The new CO authorisation objects check the CO Action and therefore
allow greater flexibility in the authorisation of the Controlling module.
• The following new authorisation objects have been provided for the Controlling module.
Consideration should be given to restricting access to relevant finance / accounting staff:
K_ZENTSL Credit
K_ZZUSSL Overhead
• As of Release 4.6A, a new authorisation check for company code takes place when CO/FI
(Controlling / Financial Accounting) reconciliation postings are made (transaction KALC).
The authorisation object F_BKPF_BUK is now checked by this transaction, confirming the
user’s authorisation to post reconciliations for the proposed company code(s).
USEFUL REPORTS
As stated on page 113 of the Security and Control for SAP R/3 Handbook, there are numerous
reports available via the controlling component. A number of reports have been added that
should be considered by management for review, which include but are not limited to the
following:
• A Cost Flow Overview Report has been added which reports on cost behaviour in controlling
and reconciliation postings.
• Profitability Analysis Line Item Reports have been created to enhance existing
profitability analysis functionality.
Further, a number of previously available reports have been altered to utilise the ABAP List
Viewer that provides greater flexibility in reporting, data extraction and analysis.
Human resources
SECTION CONTENTS
Background 73
Compensation Management 80
Functional Overview 80
Benefits 85
Background
An overview of the functionality, risks and controls of the Human Resources (HR) module as at Version
3.1H is covered within the full Better Practice Handbook for SAP R/3. The components of HR have undergone
significant changes from Version 3.1H, making it possible to split functionality into small units and extend
integration between components. The main components of HR in Version 4.6 include:
Personnel Management
The sub-modules, formerly known as Personnel Administration (HR–PA) and Personnel Planning and Development
(HR–PD), have been combined.
Payroll Accounting
This provides a number of work processes including the generation of payroll results and remuneration
statements, bank transfers and cheque payments.
In addition to the changes in the structure of the HR module, a number of functional enhancements have been
developed impacting the overall controls environment. These are detailed below and should be considered in
conjunction with those outlined in the previous handbook.
Significant changes include the introduction of ESS (Employee Self Service) and the Managers Desktop that
provide for the decentralisation of HR functions leading to increased risks and control requirements.
Functional Overview
SAP Employee Self Service (ESS) has been developed to provide real-time access and data maintenance
capabilities to employees. This allows for a reduction in central administration through the assignment of
many data entry and related customer service activities to employees that were previously performed by an
organisation’s HR, Payroll, Benefits, and Travel Departments.
ESS enables employees to view, create, and maintain data through a web browser. ESS can provide a powerful
employee information and service portal through an intranet. Functionality can be integrated with other
employee tasks including:
• email;
• employee directory;
• calendar; and
• salary packaging.
ESS includes core HR capabilities, but also offers logistical, financial and office functionality through its
integration with the SAP database ensuring consistency and integrity of data.
ESS functionality can be integrated with the Managers Desktop to implement effective approval processes. This
is generally configured using Workflow.
SIGNIFICANT RISKS
ESS provides many HR display and update capabilities to all employees in an organisation. This
creates additional security and privacy risks including:
It is vital that employees are restricted to their own records and appropriate info types.
CONFIGURATION HOT SPOTS
• Key ESS data should be defined as required entry in the system to ensure all necessary
information is captured.
• There is an increased need to log changes to sensitive infotypes to ensure they are
included in the ‘Logged Changes in Infotypes’ audit report.
• Structural authorisation profiles should be defined and assigned to users ensuring access
is appropriately restricted to appropriate organisational units.
• All SAP users must be assigned to an ESS user through infotype 0105 to ensure they are
able to only access relevant and appropriate information.
SECURITY CONSIDERATIONS
• Structural authorisations are not new, however, they are of greater importance where
an ESS HR structure is implemented. Increased control through ‘PD Authority Profiles’ is
critical to the security of employee data. These authorisations define which objects in the
organisational plan a user is permitted to access, for example:
– Organisational units
– Business events
Structural authorisation profiles define which activities (create, change or display) a user
is permitted to execute within each of these objects.
• With the implementation of ESS, there is a need to restrict users’ access to their own
employee master record. This is restricted through the “HR: Master data — Check
personnel number” (P_PERNR) authorisation object.
A user can be restricted from accessing their own record or restricted to updating only
their own record, using the P_PERNR object. Where the P_PERNR object is not applied
a user has access to all employee information. This may be applied on an infotype by
infotype basis.
• SAP User Master Records (UMR) must be assigned to an employee record in order for
structural authorisations to operate. Where a UMR has not been assigned to an employee
record, the user is not restricted by a structural authorisation.
• Access should be restricted to only relevant HR staff to the following ESS and structural
authorisation related sensitive transactions:
HRUSER (Set up and maintain ESS user): Administer ESS users (create, change, delete, password administration etc).
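As an added illustration, not code from the handbook or from SAP, the following Python model shows the own-record logic described above: a user linked to an employee record through infotype 0105 has P_PERNR-style entries evaluated for their own personnel number on an infotype-by-infotype basis ('I' includes the own record, 'E' excludes it), a user with no employee link is never restricted by them, and an audit function lists such unlinked users. The field names PSIGN, INFTY and AUTHC mirror the real object's layout, but the general master-data authorisation is reduced to a flat set of infotypes, and all users, personnel numbers and infotype assignments are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class PernrAuth:
    """One P_PERNR-style entry. Field names mirror the SAP object; the semantics are simplified."""
    psign: str   # 'I' = grants access to the user's own personnel number,
                 # 'E' = excludes the user's own personnel number
    infty: str   # infotype the entry covers, '*' for all
    authc: str   # activity: 'R' display, 'W' change, '*' all


@dataclass
class HrUser:
    name: str
    own_pernr: Optional[int]            # personnel number linked via infotype 0105; None = not linked
    general_infotypes: Set[str]         # infotypes granted by the general HR master-data authorisation
    pernr_auths: List[PernrAuth] = field(default_factory=list)


def _entry_matches(entry: PernrAuth, infty: str, activity: str) -> bool:
    return entry.infty in ("*", infty) and entry.authc in ("*", activity)


def may_access(user: HrUser, target_pernr: int, infty: str, activity: str) -> bool:
    """Simplified authorisation decision for one infotype of one personnel number."""
    # A user with no employee link (no infotype 0105 record) has no 'own' record, so the
    # P_PERNR entries can never apply: only the general authorisation decides.
    own_record = user.own_pernr is not None and target_pernr == user.own_pernr
    if own_record:
        # The first entry covering this infotype and activity decides for the own record.
        for entry in user.pernr_auths:
            if _entry_matches(entry, infty, activity):
                return entry.psign == "I"
    # Other employees' records, or own record with no matching entry: general authorisation.
    return infty in user.general_infotypes


def unrestricted_users(users: List[HrUser]) -> List[str]:
    """Audit check: users holding HR master-data access who are not linked to an employee
    record are not restricted by the own-record check at all."""
    return sorted(u.name for u in users if u.own_pernr is None and u.general_infotypes)


# Constructed sample users (not from the handbook).
PAYROLL_CLERK = HrUser(
    name="clerk01", own_pernr=1001,
    general_infotypes={"0002", "0008"},            # personal data, basic pay
    pernr_auths=[PernrAuth("E", "0008", "*")],      # may not display or change own basic pay
)
ESS_EMPLOYEE = HrUser(
    name="emp3003", own_pernr=3003,
    general_infotypes=set(),                        # no general HR access at all
    pernr_auths=[PernrAuth("I", "0002", "R"),       # view own personal data
                 PernrAuth("I", "0006", "*")],      # maintain own address
)
UNLINKED_ADMIN = HrUser(
    name="admin9", own_pernr=None,
    general_infotypes={"0002"},
    pernr_auths=[PernrAuth("E", "*", "*")],         # exclusion has no own record to apply to
)
```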
USEFUL REPORTS
A number of key control reports are available to assist in the administration of structural
authorisations and ESS.
The Managers Desktop
Functional Overview
The Managers Desktop was released in Version 4.5 to allow managers immediate access to relevant HR, Financial
Accounting and Controlling data. It allows all functional managers to perform administrative tasks for their area
of responsibility that may previously have been centralised.
The Managers Desktop provides up-to-date information through integrated reports allowing greater management
control over personnel.
The Managers Desktop provides a number of ‘Themes’ which break down the activities which can be performed
in this application including:
• Creation of appraisals
• Organisation maintenance
• Transfers processing
• Compensation Management
• Special Areas: an integrated web browser allows access to Intranet and Internet pages
• Workflow Inbox: facilitates integration with ESS and approval activities such as:
– Expenses
SIGNIFICANT RISKS
• The organisational plan (organisational structure) is not accurately defined or maintained
resulting in:
CONFIGURATION HOT SPOTS
• In order for the Managers Desktop to work it is important the organisational plan
be accurately defined, including the assignment of employees to positions. Incorrect
allocation of employees to positions will result in Managers gaining inappropriate access
to HR data.
• In order for a user to utilise the Managers Desktop the user must be the holder of a chief
position within the organisational chart. The system uses the chief position indicator
to determine the organisational units managed directly and indirectly by the position
holder.
• Managers Desktop ‘Themes’ which grant access to various components of the Managers
Desktop functionality must be configured to appropriately restrict information.
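The chief-position rule above, together with the structural authorisation check described under the ESS Security Considerations, as an added Python model that is not part of the handbook or of SAP: the units a manager may see are the subtree under each organisational unit in which they hold a chief position, an employee is visible only if the position they hold sits in that subtree, and allocating an employee to a position in another unit silently changes which manager can see them. The organisational plan, positions and personnel numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class OrgUnit:
    unit_id: str
    parent: Optional[str]          # None for the root of the organisational plan


@dataclass
class Position:
    position_id: str
    unit_id: str
    chief: bool = False            # the chief position indicator the Managers Desktop relies on
    holder: Optional[str] = None   # personnel number of the employee assigned to the position


@dataclass
class OrgPlan:
    units: Dict[str, OrgUnit]
    positions: Dict[str, Position]

    def children(self, unit_id: str) -> List[str]:
        return [u.unit_id for u in self.units.values() if u.parent == unit_id]

    def unit_of(self, pernr: str) -> Optional[str]:
        for p in self.positions.values():
            if p.holder == pernr:
                return p.unit_id
        return None                # employee not assigned to any position


def managed_units(plan: OrgPlan, pernr: str) -> Set[str]:
    """Units managed directly or indirectly through the chief positions held by pernr.
    The holder of a non-chief position manages nothing, so the Managers Desktop shows nothing."""
    stack = [p.unit_id for p in plan.positions.values() if p.chief and p.holder == pernr]
    managed: Set[str] = set()
    while stack:                   # depth-first walk of the subtree under each managed unit
        unit = stack.pop()
        if unit not in managed:
            managed.add(unit)
            stack.extend(plan.children(unit))
    return managed


def may_view(plan: OrgPlan, manager: str, employee: str) -> bool:
    """Structural check: the employee's unit must lie within the manager's managed subtree."""
    unit = plan.unit_of(employee)
    return unit is not None and unit in managed_units(plan, manager)


def reassign(plan: OrgPlan, pernr: str, position_id: str) -> None:
    """Move an employee to a different (vacant) position in the plan."""
    for p in plan.positions.values():
        if p.holder == pernr:
            p.holder = None
    plan.positions[position_id].holder = pernr


def misallocation_effect(plan: OrgPlan, pernr: str, wrong_position: str,
                         manager: str) -> Tuple[bool, bool]:
    """Visibility of pernr to manager before and after pernr is wrongly placed in wrong_position."""
    before = may_view(plan, manager, pernr)
    reassign(plan, pernr, wrong_position)
    return before, may_view(plan, manager, pernr)


def build_sample_plan() -> OrgPlan:
    """Constructed organisational plan (not from the handbook)."""
    units = {u.unit_id: u for u in [
        OrgUnit("AGENCY", None),
        OrgUnit("FINANCE", "AGENCY"),
        OrgUnit("PAYROLL", "FINANCE"),
        OrgUnit("IT", "AGENCY"),
    ]}
    positions = {p.position_id: p for p in [
        Position("CFO", "FINANCE", chief=True, holder="1001"),
        Position("PAY-MGR", "PAYROLL", chief=True, holder="1002"),
        Position("PAY-CLERK", "PAYROLL", holder="1003"),
        Position("IT-MGR", "IT", chief=True, holder="2001"),
        Position("IT-VACANT", "IT"),
    ]}
    return OrgPlan(units, positions)
```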
SECURITY CONSIDERATIONS
• Access to the following sensitive transactions should be restricted to relevant managers:
Appropriate controls should be implemented for the temporary delegation of system access and
removal of this system access.
USEFUL REPORTS
As detailed on page 123 of the Security and Control for SAP R/3 Handbook, the ‘Logged
Changes in Infotype Data’ report should be run on a regular basis to review changes made to
key infotypes to ensure they are appropriate.
Controls for the review and clearing of workflow items which are not actioned in a timely
manner should be implemented. This should include implementation of appropriate deadline
monitoring and escalation procedures. Refer to the Basis and Cross Application Components
section within this handbook update for further details.
Compensation Management
Functional Overview
Compensation Management is a new component within SAP available from Release 4.0A. The Compensation
Management component administers compensation policies for an organisation.
Compensation Management can be integrated with the Managers Desktop and can be used as an effective
tool to plan and perform compensation adjustments to individuals, employee groups, or based on other
organisational breakdowns.
SIGNIFICANT RISKS
• Unauthorised / inaccurate update of compensation data resulting in over, or under,
compensation to employees.
CONFIGURATION HOT SPOTS
• Compensation areas need to be defined as appropriate groupings of employees for
compensation administration.
• Appropriate features of employees should be selected to ensure that employees fall into
the correct Compensation areas or eligibility groups.
SECURITY CONSIDERATIONS
Access to the following Compensation Management sensitive transactions should be restricted
to only relevant senior HR staff:
USEFUL REPORTS
There are several reports available to assist in controlling Compensation Management that
should be reviewed on a regular basis by relevant senior HR staff to monitor employee
compensation.
S_AHR_61018798 (Compare Actual Basic Salaries and Planned Compensation): Report of employee base salaries
compared to the compensation assigned to the job or position.
A significant change in Time Management is the Cross Application Timesheet (CAT) functionality that was
introduced in Version 4.0A of SAP R/3 and provides a standard interface for recording time across components
of SAP. CAT combines existing SAP time recording functions into a single process and provides information to
other components, including internal activity allocation for Controlling and Personnel Time Management for
attendances and absences.
SIGNIFICANT RISKS
• Inaccurate entry of timesheet data resulting in incorrect payment to employees.
CONFIGURATION HOT SPOTS
• Data entry profiles determine the data entry process and the layout of the time sheet.
Consideration should be given to the following configurations affecting users entering
time sheet data:
Setting: Description
Profile Changeable: Allows a user with access to a profile to change profile settings.
With Target Hours, Totals Line, Clock Times: Available details which can be included on the face of the timesheet.
No Changes After Approval: Should be configured to ensure time data is displayed on the data entry screen after
approval and cannot be changed.
Highlight Rejected Records: Can be configured to show user records that have been rejected by approvers,
highlighting the need for further action.
Time Settings: Time settings should be configured based on the standard working week. This will include defining
the number of periods a user can view and change (past and future).
Personnel Selection: Defines the profile selection criteria for personnel time data entry.
Default Values: Time sheets can be configured to display default values when accessed.
Data Entry Checks: Data entry checks can be configured to improve the quality and completeness of data entry.
Consideration should be given to applying validation tolerances to reduce inaccurate time sheet entry.
For Users with HR: The system can be configured to give an error or warning message when interfacing errors
occur between CAT and HR.
Workflow Approval: A Workflow approval procedure can be configured which will be initiated on completion of
time sheet entry.
• Rejection reasons should be configured and provide enough detail to the user to take the
appropriate action to resolve time sheet errors.
SECURITY CONSIDERATIONS
In order to enter time data a user must call the time sheet with a data entry profile. The data
entry profile determines the data entry process and the layout of the time sheet.
Consideration should be given to segregating the entering of time sheet information and the
approval of time sheets. Workflow approval processes should be implemented to control this.
Access should be restricted to the following Time Management sensitive transactions; approval
of time sheets should be restricted to relevant functional managers and/or HR staff:
CAT2, CAT3 (Time Sheet: Initial Screen): Enter time sheet details.
CAPS (Time Sheet: Approve Times, Select by Master Data): Approve time sheets.
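An added Python model of the time sheet entry and approval controls above (not SAP code and not from the handbook): a data-entry tolerance on hours, segregation of entry from approval through a workflow approver assignment, a mandatory rejection reason, highlighting of rejected records for the employee to act on, and the ‘No Changes After Approval’ lock. The tolerance value, the approver routing and the personnel numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed data-entry check: a validation tolerance on hours per record (not an SAP default).
MAX_HOURS_PER_RECORD = 12.0


@dataclass
class TimeRecord:
    record_id: int
    pernr: str                 # employee who entered the time
    hours: float
    status: str = "entered"    # entered -> approved | rejected
    rejection_reason: Optional[str] = None


class TimeSheet:
    """Minimal model of the controls: tolerance on entry, entry segregated from approval,
    mandatory rejection reasons, highlighted rejections and 'No Changes After Approval'."""

    def __init__(self, approvers: Dict[str, str], no_changes_after_approval: bool = True):
        self.approvers = approvers          # pernr -> approving manager (constructed workflow routing)
        self.no_changes_after_approval = no_changes_after_approval
        self.records: Dict[int, TimeRecord] = {}
        self._next_id = 1

    @staticmethod
    def _check_tolerance(hours: float) -> None:
        if not 0 < hours <= MAX_HOURS_PER_RECORD:
            raise ValueError(f"{hours} h is outside the tolerance (0, {MAX_HOURS_PER_RECORD}]")

    def enter(self, pernr: str, hours: float) -> int:
        self._check_tolerance(hours)
        rec = TimeRecord(self._next_id, pernr, hours)
        self.records[rec.record_id] = rec
        self._next_id += 1
        return rec.record_id

    def change(self, record_id: int, hours: float) -> None:
        rec = self.records[record_id]
        if rec.status == "approved" and self.no_changes_after_approval:
            raise PermissionError("record is approved and locked against change")
        self._check_tolerance(hours)
        rec.hours = hours
        rec.status, rec.rejection_reason = "entered", None   # corrected record re-enters the workflow

    def _check_approver(self, rec: TimeRecord, approver: str) -> None:
        if approver == rec.pernr:
            raise PermissionError("segregation of duties: cannot approve own time sheet")
        if self.approvers.get(rec.pernr) != approver:
            raise PermissionError(f"{approver} is not the workflow approver for {rec.pernr}")

    def approve(self, record_id: int, approver: str) -> None:
        rec = self.records[record_id]
        self._check_approver(rec, approver)
        rec.status = "approved"

    def reject(self, record_id: int, approver: str, reason: str) -> None:
        rec = self.records[record_id]
        self._check_approver(rec, approver)
        if not reason.strip():
            raise ValueError("a rejection reason is required so the employee can act on it")
        rec.status, rec.rejection_reason = "rejected", reason

    def highlighted_rejections(self, pernr: str) -> List[TimeRecord]:
        """'Highlight Rejected Records': the records an employee still has to act on."""
        return [r for r in self.records.values() if r.pernr == pernr and r.status == "rejected"]


def attempt(action: Callable, *args) -> Optional[str]:
    """Run a control-checked action and report which control fired (None = allowed)."""
    try:
        action(*args)
        return None
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def scenario() -> Dict[str, object]:
    """Constructed walk-through: clerk 1003 reports to manager 1002; 2001 manages another unit."""
    sheet = TimeSheet(approvers={"1003": "1002"})
    rid = sheet.enter("1003", 7.5)
    return {
        "over_tolerance": attempt(sheet.enter, "1003", 20.0),
        "self_approval": attempt(sheet.approve, rid, "1003"),
        "wrong_approver": attempt(sheet.approve, rid, "2001"),
        "reject_no_reason": attempt(sheet.reject, rid, "1002", "  "),
        "reject": attempt(sheet.reject, rid, "1002", "hours exceed rostered shift"),
        "highlighted": len(sheet.highlighted_rejections("1003")),
        "corrected": attempt(sheet.change, rid, 7.0),
        "approve": attempt(sheet.approve, rid, "1002"),
        "change_after_approval": attempt(sheet.change, rid, 8.0),
        "final_status": sheet.records[rid].status,
    }
```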
USEFUL REPORTS
Controls for the review and clearing of workflow items which are not actioned in a timely
manner should be implemented. This should include implementation of appropriate deadline
monitoring and escalation procedures. Refer to the Basis and Cross Application Components
section for further details.
Ad Hoc Query
To provide greater reporting flexibility and functionality, SAP developed the Ad Hoc Query functionality, which has
since been extended in Version 4.6C to integrate with other application areas and has been renamed InfoSet Queries.
This functionality has been further documented in the Basis and Cross Application Components section of this
handbook update.
Benefits
Benefits functionality has been enhanced from earlier SAP R/3 releases. The Benefits component can be used
to develop benefits packages for employees and provides easy access to benefits related information for
administrative staff, executives and employees.
SIGNIFICANT RISKS
• Users have the ability to allocate benefits inappropriately to an employee.
SECURITY CONSIDERATIONS
• Access to the following sensitive transactions should be restricted to relevant HR staff
only:
USEFUL REPORTS
There are several reports available to assist in controlling Benefits; consideration should be
given to reviewing these reports on a regular basis.
Audit information system
SECTION CONTENTS
Background 89
Systems Audit 92
Customising Audits 94
Background
The Audit Information System (AIS) has been developed to provide internal and external auditors, Security
Administrators and those with data protection and controlling responsibilities with a tool to assist in
understanding and completing required tasks in the complex SAP environment.
The SAP Audit Information System (AIS) provides a centralised repository for reports, queries, and views of data
that have a control implication.
AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and
above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the
production system on a real time basis.
AIS is currently focused on two key areas that are covered in more detail below:
• Systems Audit; and
• Business Audit.
SAP has suggested that AIS functionality will be further developed to include other components, including
Materials Management (MM) and Sales and Distribution (SD).
AIS consists of an Audit Report Tree, which provides a facility to access and document audit steps within a SAP
system, and download audit and additional related data to other programs for reporting or additional analysis.
The structure of the reporting tree menu is designed by SAP to reflect the procedures followed when conducting
an audit. AIS allows the auditor to set up a report view specific to the audit, perform tasks such as the attaching
of comments, as well as allowing for tracking the audit’s progress.
AIS also has the capability to extract data into pre-defined formats appropriate for data.
Using Audit Information System
Starting an Audit
Transaction code SECR is used to access the AIS. The user can elect to enter:
• Complete audit
When executed, this provides all tests and documentation available in the AIS system.
• User-defined audit
When executed, this provides tests and documentation applicable to the User-defined audit selected by the user.
Once started the user is provided with a report tree structure that sets out all applicable documentation and
tests that are executable.
The reporting tree contains steps that include variants for each type of function. These can be centrally
maintained to apply across multiple audit tasks.
Installation Check
The Installation Check is an AIS tool which, when executed, checks whether all of the programs and variants
listed in AIS are currently available in the current system environment.
The Installation check can be initiated through selecting Extras — Installation — Installation check from
transaction SECR.
Preparatory Tasks
In preparation for the completion of an audit, the user may complete preparatory tasks. These tasks allow the
user to customise the audit to improve efficiency in completion of tasks.
The preparatory tasks within AIS are broken into three areas:
Area: Description
AIS Customisation: Allows for audit customisation through the definition of variables and constants to be
utilised in the audit process. This may include variables such as company codes which are then used in reporting.
Customise Financial Information System: Provides the user with functions relevant to the configuration and
extraction of financial information.
ABAP/4 Query including download: Provides access to logical database structure and information pertinent to
extracting data for analysis purposes.
Systems Audit
The "Systems Audit" is primarily used for the administration and review of system activities, such as security and
change control. Users are provided with easy access to many of the standard SAP security and control reports
and audit trails.
Checklists are available to assist in the execution of an AIS systems audit. These checklists provide samples of
security items to be considered which can be amended as required.
The System Audit functionality in AIS is broken down into the following key areas:
Area: Description
Systems Configuration: Allows the user to gain details of the environment and general set-up of the SAP system.
Transport Group: Information relevant to change control processes and system set-up.
Development / Customising: Information with regard to development processes including change control,
blocked transactions and report security.
Background Processing: Information relevant to background processing, including the graphical job schedule and
access to the job overview.
System Logs: Provides access to logs (system, access, database etc) as well as configuration settings pertinent to
these logs.
User Administration: Provides access to information relevant to administration and security of the SAP system.
This includes various reports on:
- User Security and Authorisations
- Profile Generator
- User administration such as users who have not logged into the system for a predefined period of time.
Using the System Audit functionality, the user can access key parts of the Basis module, including the Transport
Management System, repository and table browser. It also provides comprehensive tools to review the security
around user access.
Business Audit
The “Business Audit” functionality in AIS allows the auditor to produce financial statements and balance sheets,
as well as perform general ledger, accounts payable and accounts receivable activities and queries.
For example, through the business audit functionality, auditors can perform and document their review of
general ledger posting keys, automatic postings, billing and document types, number ranges and reconciliation
accounts, as well as duplicate invoice reviews.
Area: Description
Organisational Overview: This area allows the user to become familiar with the enterprise structure that has
been implemented in SAP. Further, the user is provided with information about the financial structure of the
organisation including details on Account Determination and Special General Ledger.
Financial Statement Oriented Audit: The Financial Statement Oriented Audit provides the user with details of
Account reconciliation, Balance Sheet, Profit & Loss and other General Ledger related reports which can be used
for financial analysis.
Process Oriented Audit: The Process Oriented Audit steps are broken down into the various areas of SAP including
retail, procurement, production and sales and distribution. Areas of this section are at various levels of
development.
When the audit begins, the present parameters and selection criteria are edited by using the “Preparatory
Tasks” in the Business Audit menu. The auditor customises the reporting tree to reflect the correct time period
and organisational structure required for the audit. The use of these “variants” helps reduce the potential for
adversely affecting system performance, by limiting the parameters for which the reports are run.
Business Audit functionality is not generally considered to be comprehensive and many items included in the
menu structure are not yet functional. This should be considered when utilising AIS.
Customising Audits
To make effective use of the AIS tool it is important to customise the audits and ensure that only relevant
information is provided.
All information provided in the complete audit can be partitioned into audit programs specific to the particular
needs and scope of audit work to be completed.
A new view can then be created in which the user manually selects from the tree structure the components that
are to be displayed in this user-defined view.
Following the customisation and generation of an audit this can be accessed by selecting the user-defined audit
that has been created.
Security Considerations
In order for a user to access configuration, data or other reports, relevant access must be provided to the user.
The AIS provides links through to various reports and other information, and therefore, access provided to
complete AIS tasks may vary between users in line with tasks the individual is to perform.
The transaction to start the AIS is SECR and a user must therefore be granted transaction start authorisation.
In order for a user to be able to edit notes in AIS the user must have been provided with the following
authorisation objects:
S_IMG_ACTV
Field Value
In order for a user to be able to edit the status of the audit and tasks in the AIS the following authorisations
must be provided:
S_IMG_ACTV
Field Value
Other security, which may be granted to the user in order to complete tasks, may include: