
Security and Control Update

For SAP R/3

Guide to Effective Control – Handbook Update


Security and Control for SAP R/3 Handbook

© Commonwealth of Australia 2004


ISSN 1036-7632
ISBN 0 642 80791 4

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process
without prior written permission from the Commonwealth available from the Department of Communications, Information
Technology and the Arts. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth
Copyright Administration, Intellectual Property Branch, Department of Communications, Information Technology and the Arts, GPO
Box 2154, Canberra ACT 2601 or posted at <http://www.dcita.gov.au/cca>

The Publications Manager,
Australian National Audit Office,
GPO Box 707,
Canberra ACT 2601

Information about ANAO reports and activities can be found at the ANAO Internet address: http://www.anao.gov.au

Acknowledgement
Appreciation is extended to PricewaterhouseCoopers who contributed significantly in developing and writing this handbook.

Disclaimer
This handbook is not a recommendation of the SAP R/3 system, nor an endorsement of the SAP R/3, by the ANAO. Commonwealth Public
Sector agencies are responsible for deciding whether SAP R/3 is suitable for their purposes and for implementing and testing SAP R/3.

The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or
any loss or damage suffered by an agency or by any other person as a result of their reliance on the information contained in this
handbook or resulting from their implementation or use of the SAP R/3 system, and to the maximum extent permitted by law, exclude
all liability (including in negligence) in respect of the handbook or its use.

Design by GREY Worldwide


Preface
SAP continues to be a predominant financial management information system in use within the Australian
Government.

Accordingly, the Australian National Audit Office (ANAO) has developed this better practice handbook update
with significant assistance provided by PricewaterhouseCoopers. The original handbook was released by the
ANAO in 1998, and this update reflects the changes made to SAP security and control since that time.

Based on SAP R/3 release 4.6C, this update should be read in conjunction with the original handbook to gain a
fuller appreciation and understanding of functional, as well as security and control issues, associated with the
implementation and operation of SAP.

This handbook update provides better practice controls that should be considered by Australian Government
entities to assist in meeting their requirements for availability, integrity and confidentiality, and outlines:

• the significant risks associated with each functional enhancement; and

• the various control options that should be considered, broken down into the following categories.

– SAP customisation settings which should be considered in reducing and/or mitigating identified risks
and delivering security and control best practices.

– User access security settings to be considered when designing and implementing security.

– Useful key control reports for review.

The adoption of the various control options will depend on how SAP R/3 is used within each entity and the level
of acceptable risk adopted by that entity. Striving for absolute assurance is neither cost effective nor possible.
Controls implemented should be commensurate with the nature of the business, the acceptable level of risk and
program delivery.

Oliver Winder
Acting Auditor-General

30 June 2004

Security and Control for SAP R/3 Handbook Update

Contents

Introduction (p. 1)
Basis and Cross Application Components (BC) (p. 34)
Procurement to Payables (MM) (p. 52)
Financial Accounting (FI) (p. 64)
Controlling (CO) (p. 70)
Human Resources (HR) (p. 86)
Audit Information System (AIS) (p. 96)

Introduction
The original Security and Control for SAP R/3 Handbook, developed in 1998 was produced to provide good
practice security and control guidelines when implementing and running SAP Version 3.1H. SAP has subsequently
upgraded the R/3 system, through Versions 4.0, 4.5 and 4.6, with each version including many functional changes
impacting security and controls.

This handbook update is based on SAP R/3 Release 4.6C, outlining significant functional enhancements with
relevant security and control considerations. This handbook should be read in conjunction with the original
handbook to gain a full awareness and appreciation of functional and security and control issues within the
core SAP components.

The handbook outlines business risks associated with the implementation and operation of SAP, and provides better
practice controls that should be considered by Australian Government entities that replicate control solutions
deployed at organisations globally running SAP.

SAP Upgrades
There are a number of business and technology drivers that may influence an organisation's decision to
upgrade SAP.

Business drivers (diagram, "Why upgrade R/3"): strategic and operational changes; mergers and
divestments; e-business initiatives; cost reduction; greater efficiency; business process
improvements; technology functional enhancements; competition.


Drivers for upgrading SAP are often focused on achieving greater efficiency through new functionality, or
business process improvements, provided within new releases of SAP. A number of these enhancements are
outlined in the sections of this document and should be considered by decision makers.

Technology drivers (diagram, "Why upgrade R/3"): mySAP.com product components; new or extended
functionality; improved user acceptance and satisfaction; old versions no longer supported; need to
re-structure architecture; reduce enhancements; update technologies; stabilise environment.

Technology drivers for the upgrade of SAP are generally based around the need to maintain SAP support or to
provide greater stability and ease of use for users and support teams.


Components covered

Component overview (diagram): the R/3 client/server ABAP/4 Basis component at the centre, surrounded
by the application components SD Sales and distribution, FI Financial accounting, CO Controlling,
TR Treasury, MM Materials management, IM Investment management, AA Asset accounting, PS Project
systems, HR Human resources, RE Real estate management, OC Office communications, CS Customer
service, PE Training and event management, PM Plant maintenance, QM Quality management and
PP Production planning.

This handbook update covers the core SAP R/3 components commonly used by Australian Government entities.
The components covered are consistent with those in the original handbook:

• Basis Component (BC);

• Materials Management (MM) in this handbook referred to as ‘Procurement to Payables’;

• Financial Accounting (FI): includes AA (Asset Accounting);

• Controlling (CO); and

• Human Resources (HR): includes PA (Personnel Administration) and PD (Personnel Development).

This handbook update also provides an outline of the Audit Information System (AIS).

Products such as BW (Business Warehouse), CRM (Customer Relationship Management), EBP (Enterprise Buyer
Professional) and ESS (Employee Self Service) are run on separate copies of the SAP application. While these have
been detailed in each applicable section of this handbook, they are not outlined in the above diagram.


How to use the handbook update
The handbook update has been divided into seven sections as follows:

• Introduction

• Basis and Cross Application Components

• The various application components:

– Procurement to Payables (MM)

– Financial Accounting (FI)

– Controlling (CO)

– Human Resources (HR)

• Audit Information System (AIS)

A Background Section is provided for each application component providing an overview of changes in the
application component from SAP Version 3.1H to 4.6C. Also within are details of the coverage (sub-modules) of
each application component section.

A Functional Overview is given for each application component and sub-module covered by this handbook
update. This overview outlines the core functionality of the sub-modules with relevant operational benefits and
high-level control opportunities.

Further detail is provided for each sub-module, including the following:

SIGNIFICANT RISKS
For each sub-module, relevant business risks are provided which should be considered by
all organisations. For each risk identified, various control options are provided across the
following sections.

CONFIGURATION “HOT SPOTS”
SAP customisation settings that should be considered in reducing and /or mitigating identified
risks and delivering security and control best practices.

SECURITY CONSIDERATIONS
User access security settings to be considered when designing and implementing security
for this sub-module. Where available, sensitive high-risk SAP transaction codes are provided
with a description of the functionality. Access to these transactions should be reviewed and
appropriately restricted.


USEFUL REPORTS
Key control reports for each sub-module covered have been provided. Where available, the
report transaction code or report code have been provided with a description of the benefit
provided. Management should consider implementing procedures for the review of these
reports, where appropriate.

The following diagram is used throughout this handbook update to demonstrate how functionality, risks
and control options relate. Risks can be mitigated through the implementation of one or a combination of
control types, depending on organisational needs. These control types may be security related, specific control
configurations, or through the development and review of control reports. This handbook provides good
practice control options across security, configuration and reporting, which management should consider when
implementing functionality or reviewing the SAP control environment.

Diagram: Functionality at the centre, surrounded by Significant risks, Security considerations,
Configuration hot spots and Useful reports.

Basis and cross application components
SECTION CONTENTS

Background (p. 9)
Environment (p. 10)
SAP New Dimension Products (p. 11)
Security: User Security and the Profile Generator (p. 13)
  Functional Overview (p. 13)
  Significant Risks (p. 13)
  Security Considerations (p. 14)
Security: Derived Roles (p. 15)
  Functional Overview (p. 15)
  Significant Risks (p. 15)
  Configuration Hot Spots (p. 16)
  Security Considerations (p. 16)
  Useful Reports (p. 17)
Security: Central User Administration (p. 18)
  Functional Overview (p. 18)
  Significant Risks (p. 19)
  Configuration Hot Spots (p. 19)
  Security Considerations (p. 19)
  Useful Reports (p. 20)
Security: Personalised User Menus (p. 21)
  Functional Overview (p. 21)
  Significant Risks (p. 21)
  Configuration Hot Spots (p. 21)
  Security Considerations (p. 21)
  Useful Reports (p. 22)
Transport Management System (p. 23)
  Functional Overview (p. 23)
  Significant Risks (p. 23)
  Configuration Hot Spots (p. 23)
  Security Considerations (p. 24)
  Useful Reports (p. 24)
Reporting (p. 25)
  Functional Overview (p. 25)
  Significant Risks (p. 25)
  Configuration Hot Spots (p. 25)
  Security Considerations (p. 25)
InfoSet Query (p. 26)
  Functional Overview (p. 26)
  Significant Risks (p. 26)
  Configuration Hot Spots (p. 26)
  Security Considerations (p. 26)
SAP Business Warehouse (BW) (p. 27)
  Functional Overview (p. 27)
  Significant Risks (p. 27)
  Configuration Hot Spots (p. 27)
  Useful Reports (p. 27)
Mass Maintenance (p. 28)
  Functional Overview (p. 28)
  Significant Risks (p. 29)
  Security Considerations (p. 29)
  Useful Reports (p. 30)
Workflow (p. 31)
  Functional Overview (p. 31)
  Significant Risks (p. 32)
  Security Considerations (p. 32)
  Useful Reports (p. 33)

Background
An overview of the functionality, risks and controls of the SAP Basis module as at Version 3.1H is covered
within the full Better Practice Handbook for SAP R/3. The Basis module has undergone a number of changes
since this release, with the main changes impacting on security and controls summarised below and detailed
across the following Basis section.

Environment
With the advent of the SAP workplace and the ability to access SAP through an Internet browser, a wave of
new SAP products has been developed, including Customer Relationship Management (CRM) and Supply Chain
Management (SCM), each product requiring an underlying Basis module upon which to operate.

Security
A number of new security tools have been developed to assist in the configuration and maintenance of security
in increasingly complex SAP environments. Tools considered in this section include the Profile Generator, Central
User Administration, Derived Roles and Personalised Role Menus.

Transport Management System
As the SAP landscape has become more complex, so have change control mechanisms to manage changes.
Since Release 3.1, a number of changes have taken place in the change control area; the most significant is the
development of the Transport Management System (TMS).

Reporting
Reporting functionality within SAP has been enhanced significantly to provide greater ease of access to data.
The development of new reporting tools has improved the way users can access and extract SAP data — these
include Infoset Queries and the SAP Business Warehouse (BW).

Workflow
SAP Workflow is a cross application component but should also be viewed in the context of each business
process to which it has been applied. Workflow, as a concept, has been detailed within this section. As well, some
specific applications are discussed in the relevant business process areas.


Environment
With the introduction of the SAP Web GUI (Graphical User Interface), more agencies are web or partially web
enabling their SAP systems. Core functionality required by large volumes of users (e.g. Employee Self Service) is
well suited to being delivered through a standard web browser.

The following diagram illustrates how the introduction of the Web GUI has changed the SAP environment.

Changes in the SAP environment (diagram). Basis releases up to 4.6C: database server (UNIX or NT),
application server, and a presentation layer reached either by the SAP GUI on the client PC or, via the
SAP ITS (web gate and application gate), by a web browser on the client PC. SAP R/3 Enterprise (after
4.6C): database server (UNIX or NT), SAP Web Application Server incorporating a J2EE web server, and
a presentation layer reached by the SAP GUI on the client PC, by a web browser through the SAP ITS, or
by a web browser served directly by the web application server.

The underlying SAP three tier environment remains largely unchanged from Version 3.1H for the SAP 4.5A – 4.6C
environment. The primary change is the addition of the SAP Internet Transaction Server (ITS) enabling web
connectivity and the delivery of SAP content through the Web.

Similar to the original SAP R/3 environment, the core three tier design of database, application and presentation
layers remains. In previous SAP versions, communication between the application layer of SAP and the
presentation layer or client PC would take place using software installed on the client PC — the SAP GUI.
The development of the Internet Transaction Server (ITS) has allowed presentation of SAP content through
a standard Web browser.

While high volume users will still access SAP using the SAP GUI installed on their machine, the ITS allows
SAP functionality to be extended to a wider user community, with low volume processing, such as Employee
Self Service, being delivered through a standard Internet browser.


The SAP R/3 Enterprise Environment has changed the original SAP R/3 environment to incorporate web
interactivity with the underlying SAP application server. This has resulted in the SAP Web Application Server,
an application server capable of hosting java based web applications, as well as performing all of the functions
previously performed by the SAP Application Server.

Incorporating a Java web server into the SAP Web Application Server, SAP can now deliver SAP content directly
to the Web Browser, without the need for the Internet Transaction Server.

SAP New Dimension Products
The SAP 4.6C environment builds on the existing R/3 environment to incorporate a number of new SAP products
aimed at streamlining business processes and adding new functionality to the core R/3 product.

New dimension products (diagram): the core R/3 modules (SD Sales and distribution, FI Financial
accounting, MM Materials management, CO Controlling, PP Production planning, AM Fixed assets
management, QM Quality management, PS Project system, PM Plant management, HR Human resources,
WF Workflow, IS Industry solutions) surrounded by the new dimension products: SAP CRM (SAP sales,
SAP marketing, SAP service management), SAP B2B procurement, Info DB, SAP strategic enterprise
management, BW, SAP BI and SAP SCM (SAP APO, SAP logistics execution systems).

Key:

BW  Business Warehouse

SAP CRM  Customer Relationship Management

SAP SCM  Supply Chain Management

SAP BI  Business Intelligence

SAP APO  Advanced Planning and Optimisation


A feature of the SAP ‘New Dimension’ products is that they each reside on a separate SAP installation (instance).
Each product can be implemented independently, each requiring a separate SAP Basis installation. Basis settings
and parameters must be configured for each of the ‘New Dimension’ implementations as well as the core R/3
implementation.

SAP’s suite of ‘New Dimension’ products can be divided into the following categories:

Business Intelligence
The core product in the Business Intelligence suite is SAP Strategic Enterprise Management (SEM). SAP–SEM
allows management to take a holistic view of the organisation, providing them with the data they need to make
strategic decisions. SAP–SEM consolidates business data, as extracted from the core SAP system, using the BW
reporting tool.

SAP–SEM supports management processes in an integrated way, which means top-down translation of enterprise
strategy into business unit, product and support centre targets, as well as bottom-up performance monitoring
and related decision support.

Customer Relationship Management

SAP Customer Relationship Management (CRM) enhances the core SAP Sales and Distribution module to provide
solutions for Customer Interaction, Marketing and Mobile Salespersons.

SAP–CRM manages customer relationships by providing employees with information on trading history and
contacts with business customers in order to support sales activities.

Supply Chain Management

The core products in the Supply Chain Management suite are SAP Advanced Planning Optimiser (APO) and SAP
Enterprise Buyer Professional (EBP, formerly SAP B2B).

SAP–APO is a supply network-planning tool designed to enable production-based organisations to effectively
manage their supply networks.

SAP–EBP is an electronic procurement solution designed to automate the procurement process to the point of
purchase order creation. SAP–EBP allows employees to browse pre-approved vendor catalogues and select items
to be ordered raising a requisition for approval. On approval of the requisition by the appropriate manager,
a purchase order is automatically created in the core R/3 system.


Security: User Security and the Profile Generator

Functional Overview
From SAP Release 3.1G, SAP has continued to develop the Profile Generator to allow quicker development
of authorisation profiles. All authorisations should now be created using the Profile Generator, as most new
functionality relies upon the assignment of roles to users rather than authorisation profiles. It should be noted
that assigning a role to a user will automatically assign the corresponding profile.

Benefits provided through the use of the profile generator to define authorisation profiles include:

• reduced complexity and ease of use; and

• simplification of role and profile administration.

With SAP Release 4.6C, there are now over 100 standard delivered roles or role templates. These can be used as
a basis for the definition of customer specific roles, and will often contain the majority of transactions required
for a particular function.

Care should, however, be taken when using these roles. Being generic, they will often contain more access
than required, and will not contain any organisational restrictions.

A further enhancement has been the development of the password generator functionality in transaction SU01.
This allows the security administrator to generate a random password for user accounts rather than a password
which may be easily guessed.

Mass maintenance of user access security design and structure can now be performed in the profile generator,
which will significantly improve efficiency and accuracy of changes being made to a large number of records.

When in the menu tab of the profile generator, transaction code names can be toggled on/off by selecting the
magnifying glass icon in the top right of the tab.

SIGNIFICANT RISKS
• Unauthorised, or inappropriate, changes to user security resulting in excessive access, or
users not having access to perform functions.

• Authorisation values may be inaccurately defined, granting inappropriate access to users.

• SAP standard delivered roles if allocated without configuration may not provide adequate
organisational restrictions, or may contain transactions that the organisation has deemed
to be segregation of duties conflicts.

• Passwords provided to users by security administration staff are standard, or easily
guessable, resulting in unauthorised users gaining access to the SAP system.


SECURITY CONSIDERATIONS
• Authorisations where a ‘*’ value has been given should be reviewed to establish if
appropriate. Where possible, ‘*’ values should be limited and replaced with specific
values.

• As with access to all user administration functionality, access to role maintenance
activities should be controlled. Access should be restricted to the following transactions
which provide users with access to role and profile maintenance activities:

Tcode  Name                       Description
PFCG   Profile Generator          Tool for maintenance of roles and profiles.
SU01   Maintain User              Used for the creation and maintenance of User Master
                                  Records, including password resetting by system
                                  administrators.
SU02   Profile Maintenance        Tool for the direct maintenance of profiles (not
                                  recommended in version 4.0A or above; should be
                                  performed in the Profile Generator).
SU03   Authorisation Maintenance  Tool for the direct maintenance of authorisations
                                  (not recommended in version 4.0A or above).

• SAP standard roles, where utilised, should be used as a basis for the establishment of
roles and should be checked for adequacy within the context of the security and control
environment.

• SAP standard roles should be reviewed for transactions that your organisation has deemed
segregation of duties conflicts.

• Security administrators should use the password generation facility in transaction SU01
when a user account is created or requires a password change. This will ensure that
passwords are random and not easily guessable.


Security: Derived Roles

Functional Overview
The Profile Generator supports the creation of variants of a role for different business units or departments
within an organisation. This has led to the concepts of Responsibilities (Version 4.0B), Hierarchical Activity
Groups (Version 4.5A) and, more recently, Derived Roles (Version 4.6A). All are conceptually similar in that
they allow the security administrator to define a set of common transactions from which variant profiles can
be created containing different organisational restrictions.

It should be noted that the use of Derived Roles can significantly reduce the resource required for security role
maintenance. These can be further explained using the following diagram:

[Figure: Derived roles]
  Master role: all company codes, all cost centres
    |
    +-- Derived Role A (child role for Business unit 'A'): BU 'A' company codes, BU 'A' cost centres
    +-- Derived Role B (child role for Business unit 'B'): BU 'B' company codes, BU 'B' cost centres

SIGNIFICANT RISKS
• Derived Roles are inappropriately configured resulting in inappropriate user access. Due to
limitations of organisational data that can be derived, there are certain situations where
Derived Roles cannot be used.

• Only security administration staff should have access to the Profile Generator (transaction
PFCG) where Derived Roles are maintained.

• Where Derived Roles have been defined, the master role should not be assigned to end
users as this will normally contain access to all organisational data.


CONFIGURATION HOT SPOTS
• Ensure that naming conventions have been appropriately defined which clearly identify
master and child roles.

• Where Derived Roles are used and all data (with the exception of organisational data) is
to be derived down to the child role, child roles should not be directly maintained. All
changes to the child role will be overwritten the next time information is derived from
the master role.
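To see why the second hot spot matters, the following Python model (an added illustration for this handbook, not SAP code) derives child roles from a master role and then re-derives them. Organisational levels are modelled as the fields BUKRS (company code) and KOSTL (cost centre); the naming convention Z_M_ for master and Z_D_ for derived roles is an assumption used only by the naming check. A value added directly to a child’s non-organisational field is lost on re-derivation, which is the behaviour the hot spot warns about.

```python
"""Model of master and derived (child) roles: organisational levels are the only
fields a child keeps; everything else is re-derived from the master.

Added illustration, not SAP code. Org-level fields, role contents and the
Z_M_/Z_D_ naming convention are constructed assumptions.
"""
import copy

ORG_LEVEL_FIELDS = {"BUKRS", "KOSTL"}   # organisational levels kept per child

MASTER = {
    "name": "Z_M_AP_CLERK",
    "auths": {
        "S_TCODE":    {"TCD": ["FB60", "FBL1N"]},
        "F_BKPF_BUK": {"ACTVT": ["01", "02", "03"], "BUKRS": ["*"]},
        "K_CSKS":     {"ACTVT": ["03"], "KOSTL": ["*"]},
    },
}


def derive(master, child_name, org_values):
    """Build a child role: copy the master's authorisations, then replace only
    the organisational-level fields with the child's own values."""
    child = {"name": child_name, "derived_from": master["name"],
             "auths": copy.deepcopy(master["auths"])}
    for obj in child["auths"].values():
        for field in obj:
            if field in ORG_LEVEL_FIELDS:
                obj[field] = list(org_values[field])
    return child


def rederive(master, child):
    """What the next derivation does to an existing child: its org levels
    survive, any direct edit to a non-org field is overwritten by the master."""
    org_values = {f: v for obj in child["auths"].values()
                  for f, v in obj.items() if f in ORG_LEVEL_FIELDS}
    return derive(master, child["name"], org_values)


def naming_ok(master, child, master_prefix="Z_M_", child_prefix="Z_D_"):
    """Assumed convention: masters are Z_M_<stem>, children Z_D_<stem>..."""
    stem = master["name"][len(master_prefix):]
    return (master["name"].startswith(master_prefix)
            and child["name"].startswith(child_prefix + stem))


if __name__ == "__main__":
    bu_a = derive(MASTER, "Z_D_AP_CLERK_BU_A",
                  {"BUKRS": ["1000"], "KOSTL": ["1000*"]})
    bu_a["auths"]["F_BKPF_BUK"]["ACTVT"].append("06")   # direct edit on the child
    print(rederive(MASTER, bu_a)["auths"]["F_BKPF_BUK"])  # the edit is gone
```

The only durable way to give the child the extra activity is to add it to the master, where it flows to every child; a change that should apply to one business unit alone therefore belongs in a separately maintained role, not in a derived one.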

SECURITY CONSIDERATIONS
• Access to role administration should be tightly controlled and restricted to only relevant
user administration staff. Access to the following transactions should be restricted:

Tcode                                                  Name                  Description
OY21, GCE2, O002, OBZ8, OD03, OIBP, OMDM, OMEI, OMM0,   Profile Maintenance   These transactions all allow direct access to profile maintenance.
OMSO, OMWG, OOPR, OP15, OPCB, OPE9, OPJ1


USEFUL REPORTS
Report Transaction   Name                                  Description
S_BCE_68001425       Roles by complex selection criteria   Interrogation of roles in the system by a number of different criteria.
S_BCE_68001418       Roles by role name                    Interrogation of roles in the system by role name.
S_BCE_68001419       Roles by user assignment              Interrogation of roles in the system by user assignment.
S_BCE_68001420       Roles by transaction assignment       Interrogation of roles in the system by transaction assignment.
S_BCE_68001421       Roles by profile assignment           Interrogation of roles in the system by profile assignment.
S_BCE_68001422       Roles by authorisation object         Interrogation of roles in the system by authorisation object.
S_BCE_68001423       Roles by authorisation values         Interrogation of roles in the system by authorisation values.
S_BCE_68001424       Roles by change date                  Interrogation of roles in the system by change date.


Security: Central User Administration

Functional Overview
With the advent of the SAP Workplace and various other new component systems, the SAP landscape has
become significantly more complex than the original R/3 system. As a result, user administration has become
more complex.

Central User Administration (CUA) addresses the difficulties of user administration by allowing all user
administration activities to be performed from a central system. CUA is available from SAP Version 4.5A and
above, and in recent versions of the Web Application Server (6.2), and can significantly reduce the resource required
for user maintenance.

CUA does not provide single sign-on or the synchronisation of passwords across each SAP system.

The following diagram illustrates the CUA concept. Communication between systems is achieved using Application
Link Enabling (ALE). ALE is SAP’s process for the exchange of data between SAP systems.

[Figure: CUA landscape] A central system (SAP R/3 4.5A or higher) is connected by ALE to each child system:
an SAP EBP system (Enterprise Buyer Professional), an SAP CRM system (Customer Relationship Management)
and an SAP R/3 system.


SIGNIFICANT RISKS
• CUA configuration and ALE landscape may not be configured correctly resulting in failure
of systems to interface effectively.

• Access to CUA functions may not be adequately secured resulting in unauthorised
changes to users’ access rights.

• Access to Application Link Enabling (ALE) configuration may not be adequately secured.

• CUA error and distribution logs may not be reviewed and followed up on a timely basis.

CONFIGURATION HOT SPOTS
• Patches from SAP must be applied to install and run CUA.

• Field selection configuration should be performed in transaction SCUM ‘User Distribution
Field Selection’ to define the system (local or global) in which each item of user master
data and security is maintained. Through this transaction, configuration of user locks is
performed to define their operation.

SECURITY CONSIDERATIONS
• Access to the configuration of Central User Administration (CUA) transactions should
be controlled. Consideration should be given to restricting access to only relevant user
administration staff to the following CUA Maintenance transactions.

Tcode   Name                                Description
SALE    Display ALE Customising             Used to configure the ALE environment for CUA. This transaction also gives access to other ALE and Remote Function Call (RFC) configuration.
SCUA    Central User Administration         Used to maintain the CUA landscape.
SCUL    Central User Management Log         Used to view CUA audit and error logs.
SCUM    User Distribution Field Selection   Used to define field distribution for CUA.


USEFUL REPORTS
Report / Transaction   Name                          Description
SCUL                   Central User Management Log   Reports on CUA errors and the audit log.


Security: Personalised User Menus

Functional Overview
SAP Version 4.6 and the first release of mySAP.com Workplace, saw a move towards personalisation within the
SAP environment. SAP menus can now be personalised for each role. When these roles are assigned to a user and
combined with other roles containing personalised menus, the user is presented with a menu structure unique
to their individual role assignments.

SIGNIFICANT RISKS
• Folder structures within the SAP menu structure (see above) are created which do not
reflect the actual business structure. It is important to ensure that these are developed in
consultation with the business, and do not take on a technical focus.

CONFIGURATION HOT SPOTS
• User menu configuration should be such that menus are efficient in use. Table SSM_CUST
contains settings which affect the user menus, including whether folders should be condensed,
whether duplicate transactions should be deleted and whether the menus should be sorted.

SECURITY CONSIDERATIONS
• In addition to controlling access to the Profile Generator (transaction PFCG), access should
also be controlled to the maintenance of table SSM_CUST.


USEFUL REPORTS
Report Transaction    Name                        Description
SURL_LAUNCHPAD_TEST   Test Launchpad Generation   When the Workplace has been implemented, this report can be used to test the contents of a user’s launchpad, including personalised user menu entries.


Transport Management System

Functional Overview
With the release of Version 4.0, SAP introduced the Transport Management System (TMS) that centralised the
configuration for the Change and Transport System (CTS) for all R/3 systems. TMS gives the SAP Administrator
the ability to manage all SAP change requests from a centralised location (i.e. from one SAP client). It also allows
pre-defined transport routes to be configured, minimising human error in the import and export of transportable
objects.

A key feature of the TMS is that it has allowed for the management of change queues from within the R/3
system and has removed the need to have deep UNIX / Windows skills for day to day SAP Administration
(although these skills are still required for the administration of the underlying database).

The introduction of TMS allows for greater control over changes to the SAP system and has led to the
configuration of simplified SAP landscapes. TMS has replaced the need to use transaction SE06 and the previously
configured CTS tables.

SIGNIFICANT RISKS
• Administration functions such as client copies are not restricted to authorised personnel
and are performed inappropriately.

• Programs in production have not gone through appropriate change approval process.

• Developers make changes (and test changes) directly in programs in the production
system (in non emergency situations). Changes should go through the normal domain
transport route.

CONFIGURATION HOT SPOTS
• Transaction STMS now controls the movement of objects from one SAP system to another,
replacing functionality in transaction SE06.


SECURITY CONSIDERATIONS
• Access to the following transport management transactions should be restricted to
authorised ‘Basis team’ users only.

Tcode        Name                          Description
SCC1, SCC4   Client Administration         SCC4 maintains the client entries of the system (creating clients and setting their change options); SCC1 copies data between clients on the same system by transport request. The other client copy transactions (SCCL, SCC9, SCC8 and the remaining SCCx transactions) copy client data, including user master records, and should likewise be restricted.
SE10         Transport Organiser           Used by system configuration staff to manage and release their transport requests.
SE11         ABAP Dictionary               Used by developers to define and change ABAP Dictionary objects (tables, views, data elements); such changes are recorded in workbench transport requests.
STMS         Transport Management System   Controls the movement of objects from one SAP system to another (previously performed within transaction SE06).

USEFUL REPORTS
Both Transport logs and Action logs are available through the Transport Organiser. These can
be used to provide an audit trail of transport activity.
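The transport and action logs can be tested against the agreed transport route rather than only read. The Python check below is an added example for this handbook, not an STMS function; the import-log rows are constructed and the three-system route DEV, QAS, PRD is an assumption. It flags any request imported into production without an earlier import into the test system, with a failed test import (tp return code above 4, SAP’s warning threshold), or with the test import dated after the production import.

```python
"""Check transport import logs against the expected route DEV -> QAS -> PRD.

Added example, not SAP code. The rows are constructed to resemble an import
log (request, target system, import time, tp return code); the route and the
request numbers are assumptions.
"""
from datetime import datetime

ROUTE = ["DEV", "QAS", "PRD"]

# Constructed sample: (request, system, import timestamp, return code)
IMPORT_LOG = [
    ("D01K900101", "QAS", "2004-03-01 09:00", 0),
    ("D01K900101", "PRD", "2004-03-02 18:30", 0),
    ("D01K900102", "PRD", "2004-03-02 18:31", 0),   # never imported into QAS
    ("D01K900103", "QAS", "2004-03-03 10:00", 8),   # QAS import failed ...
    ("D01K900103", "PRD", "2004-03-03 10:05", 0),   # ... but went to PRD anyway
    ("D01K900104", "PRD", "2004-03-04 08:00", 0),
    ("D01K900104", "QAS", "2004-03-04 09:00", 0),   # QAS only after PRD
    ("D01K900105", "QAS", "2004-03-05 11:00", 4),   # warnings only: acceptable
    ("D01K900105", "PRD", "2004-03-05 15:00", 0),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def route_violations(log, route=ROUTE, max_rc=4):
    """Return {request: reason} for every import into the last system on the
    route that was not preceded by a successful import into the previous one."""
    target, previous = route[-1], route[-2]
    by_request = {}
    for request, system, when, rc in log:
        by_request.setdefault(request, {})[system] = (_ts(when), rc)

    problems = {}
    for request, imports in by_request.items():
        if target not in imports:
            continue                       # not yet in production: nothing to check
        target_time, _ = imports[target]
        if previous not in imports:
            problems[request] = f"imported into {target} without any {previous} import"
            continue
        prev_time, prev_rc = imports[previous]
        if prev_rc > max_rc:
            problems[request] = f"{previous} import had return code {prev_rc}"
        elif prev_time >= target_time:
            problems[request] = f"{previous} import happened after {target} import"
    return problems


if __name__ == "__main__":
    for request, reason in sorted(route_violations(IMPORT_LOG).items()):
        print(f"{request}: {reason}")
```

Requests that bypass the test system, arrive in production with a failed test import, or are only imported into test afterwards are the cases an approval process review should pursue back to the change record.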


Reporting

Functional Overview
With the advent of personalised roles, reporting security has changed significantly. In previous versions of SAP,
reports were secured by attaching them to a report tree. Report trees were then allocated to users to ensure
users could only access approved reports.

Since folders can be specified in individual roles, personalised roles effectively make reporting trees redundant. In
order to make the allocation of reports to roles easier, SAP have therefore assigned a large number of standard
SAP reports to transaction codes.

Although report trees can still be displayed through most Web GUI configurations, it may be more appropriate
to assign reports through personalised roles, and remove report trees altogether.

SIGNIFICANT RISKS
• Although transaction codes have now been assigned to SAP standard reports, the
authorisation objects checked by these reports have not been attached to these
transaction codes. In order to allocate reports to end-users, it is therefore still necessary
to establish the required authorisation objects through testing and allocate these to the
appropriate roles.

CONFIGURATION HOT SPOTS
• All reports and programs developed should contain appropriate authorisation checks to
ensure that only authorised users are able to execute them.

SECURITY CONSIDERATIONS
• Reports which do not contain adequate authorisation object security will be accessible to
any user who has access to the transaction code required to start the report. Where users
are configured with access to all transaction codes, through the application of a ‘*’ in the
S_TCODE object, or value that contains a ‘*’ (for example ‘S*’), there is an increased risk
that reports or programs may be accessed inappropriately.
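One way to find reports exposed in this way is to scan custom report sources for AUTHORITY-CHECK and cross-check the result against the S_TCODE values held by a role. The Python script below is an added example for this handbook, not an SAP tool; the two ABAP snippets and the TSTC-style transaction-to-program mapping are constructed, and the transaction codes ZFI_BANK and ZFI_LIST are invented. The scan honours ABAP comment syntax (an asterisk in column 1 and a double quote starting an inline comment), so a commented-out check does not count; it does not attempt to recognise double quotes inside string literals.

```python
"""Flag custom reports that carry no AUTHORITY-CHECK and are reachable through
a role's S_TCODE values.

Added example, not SAP code. The ABAP sources and the TSTC-style mapping
(transaction -> program) are constructed; the Z transactions are invented.
"""
import re

SOURCES = {
    "ZFI_VENDOR_BANK": """\
REPORT zfi_vendor_bank.
* AUTHORITY-CHECK OBJECT 'F_LFA1_BEK' ID 'ACTVT' FIELD '03'.   " commented out
SELECT lifnr bankn FROM lfbk INTO TABLE lt_bank.
WRITE: / 'done'.   " no AUTHORITY-CHECK here either
""",
    "ZFI_VENDOR_LIST": """\
REPORT zfi_vendor_list.
AUTHORITY-CHECK OBJECT 'F_LFA1_APP'
         ID 'APPKZ' FIELD 'F'
         ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(zfi) WITH 'No authorisation'.
ENDIF.
SELECT lifnr name1 FROM lfa1 INTO TABLE lt_vendors.
""",
}

# Constructed TSTC-style rows: transaction -> program it starts
TSTC = {"ZFI_BANK": "ZFI_VENDOR_BANK", "ZFI_LIST": "ZFI_VENDOR_LIST", "SA38": "SAPMS38M"}


def strip_abap_comments(line):
    """'*' in column 1 is a full-line comment; '"' starts an inline comment."""
    if line.startswith("*"):
        return ""
    return line.split('"', 1)[0]


def has_authority_check(source):
    """True when the source contains a live (uncommented) AUTHORITY-CHECK statement."""
    code = "\n".join(strip_abap_comments(l) for l in source.splitlines())
    return re.search(r"\bAUTHORITY-CHECK\b", code, re.IGNORECASE) is not None


def tcode_covered(value, tcode):
    """S_TCODE value semantics: '*' alone or a trailing '*' is a wildcard."""
    return tcode.startswith(value[:-1]) if value.endswith("*") else tcode == value


def unprotected_reachable(sources, tstc, s_tcode_values):
    """(tcode, program) pairs for reports without AUTHORITY-CHECK whose
    transaction is covered by the given S_TCODE values."""
    hits = []
    for tcode, program in tstc.items():
        if (program in sources
                and not has_authority_check(sources[program])
                and any(tcode_covered(v, tcode) for v in s_tcode_values)):
            hits.append((tcode, program))
    return sorted(hits)


if __name__ == "__main__":
    for tcode, program in unprotected_reachable(SOURCES, TSTC, ["Z*"]):
        print(f"{tcode} starts {program}, which performs no AUTHORITY-CHECK")
```

A role holding ‘Z*’ in S_TCODE reaches the unprotected vendor bank report, while a role holding only ZFI_LIST does not; the program behind SA38 is skipped because its source is not in the set being reviewed, which is a reminder that a scan of custom code says nothing about standard report exposure through SA38 or SE38.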


InfoSet Query

Functional Overview
The InfoSet Query (InfoSet replaces the term functional area) functionality has been provided to allow users
greater flexibility in reporting across all areas of the SAP system. InfoSet Query has been developed from the HR
ad-hoc query reporting which was developed in prior versions of SAP.

InfoSet Query has been developed to provide users the tools necessary to quickly develop, and run data queries.

SIGNIFICANT RISKS
• Unauthorised access to sensitive and confidential data, including HR data.

CONFIGURATION HOT SPOTS
• Consideration should be given to logging reporting performed using InfoSet Query. In
order for logging to be available, it is necessary to configure this. Configuration of InfoSet
logging can be maintained through the IMG (Basis Components-SAP-Query-Logging-
Determine Infosets for Logging)

SECURITY CONSIDERATIONS
• Access to perform InfoSet Queries is defined using roles or SAP Query user groups. These
can be configured to restrict access to relevant and appropriate InfoSets.

• Procedures should be defined for the periodic review of InfoSet Query log data. This data
is recorded in the Query Logging table (AQPROT).

• Consideration should be given to restricting access to the following transactions that
provide the user with access to the InfoSet Query.

Tcode            Name                                    Description
S_PH0_48000513   Ad Hoc Query                            Ad hoc queries on various data sets.
SQ01             Query from User Group: Initial Screen   Creation, change, deletion and execution of queries.
SQ02             InfoSet: Initial Screen                 Creation and change of InfoSets, which define the tables and fields a query may read.
SQ03             User Groups: Initial Screen             Maintenance of query user groups and the assignment of users and InfoSets to them.


SAP Business Warehouse (BW)

Functional Overview
The SAP Business Warehouse is SAP’s data warehousing solution and is available to support SAP core functionality.
A data warehouse stores data in a format optimised for reporting, in a separate system from the operational
system(s) that collect the transactional data. This allows the operational system (SAP R/3) to get on with
real-time data processing, whilst the data warehouse (SAP BW) caters for the resource-intensive reporting
requirements.

SAP–BW includes the tools required to extract, standardise and maintain the data and to produce the reports.
As a Data Warehousing solution, SAP–BW is designed to work with any data source, not just SAP systems.

SIGNIFICANT RISKS
• Unauthorised access to sensitive and confidential data through the BW system.

CONFIGURATION HOT SPOTS
• In BW field level authorisations will not be checked unless switched on. A user may
therefore be able to see data in the BW system for which they are not authorised in the
R/3 system. Important fields (characteristics) should be checked to ensure they are defined
as authorisation relevant.

• Reporting objects should be linked to infocubes where authorisation checks are required.
Where checks are required, authorisations should then be created for those infocubes and
assigned to appropriate users.

USEFUL REPORTS
Report   Name                             Description
RSSM     Authorisation Check Log report   Allows monitoring of the resolution of authorisation errors.


Mass Maintenance

Functional Overview
Mass Maintenance functionality has been developed as an effective tool to maintain large amounts of data. For
example, the Mass Maintenance functions allow a user to change data in a large number of purchase orders or
requisitions through the execution of a single transaction.

Mass maintenance functions are supported for a number of documents including:

- Material Master

- General Ledger Records

- Purchasing Info Records

- Vendor Master

- Purchase Orders and Purchase Requisitions

- User Master

Users can operate the Mass Maintenance tool in dialog, background or a combination of both. The process can
be summarised as follows:

Document mass maintenance:
  1. Select the object to be changed.
  2. Select the records to be changed.
  3. Select the table and field to be changed.
  4. Specify the change and execute.


SIGNIFICANT RISKS
• Inappropriate or unauthorised change may be made to large amounts of data.

• System performance may be impacted by the execution of large Mass Maintenance
activities.

SECURITY CONSIDERATIONS
• Due to the increased risk associated with providing a user with the ability to maintain and
change large amounts of data simultaneously, access to the following key transactions
should be restricted to key experienced staff with authority to make changes:

Tcode                Name                                               Description
XK99                 Mass maintenance, vendor master                    Used to change one or more vendors simultaneously.
MSJ1                 Mass Maintenance in the Background                 Used to change one or more items via background processing.
MM17                 Mass Maintenance: Indus. Material Master           Used to change one or more material master records simultaneously.
MM46                 Mass Maintenance: Retail Material Master           Used to change one or more retail material master records simultaneously.
FMMI                 Mass Maintenance of Open Intervals                 Used to change one or more open intervals simultaneously.
WTAD_VKHM_MAINTAIN   Mass Maintenance Materials/Adds.                   Used to change one or more material master records simultaneously.
IMAM                 Mass maintenance of appropriation requests         Used to change one or more appropriation requests simultaneously.
KE55                 Mass Maintenance Profit Centre Master Data         Used to change one or more profit centre master records simultaneously.
KE56, KE57           EC–PCA: Mass Maintenance Company Code Assignment   Used to change one or more company code assignments simultaneously.
MASSOBJ              Maintain Mass Maintenance Objects                  Used to maintain the objects and tables available for mass maintenance.


OB_GLACC11, OB_GLACC12, OB_GLACC13   G/L acct record: Mass maintenance       Used to change one or more G/L account records simultaneously.
QI05, QI06                           QM Mass maintenance Procurement keys   Used to change one or more QM procurement keys simultaneously.
SOY1                                 SAPoffice: Mass Maintenance Users      Used to change one or more users simultaneously.
SU10                                 User Mass Maintenance                  Used to change one or more users simultaneously.
WB30                                 Mass maintenance MG to plant           Used to change one or more plant to material group assignments simultaneously.
XD99                                 Customer master mass maintenance       Used to change one or more customer master records simultaneously.

• Access to these transactions should also be segregated from a user’s ability to delete the mass
maintenance logs that are generated when a user executes mass maintenance transactions.

Tcode   Name                           Description
MSL2    Delete Mass Maintenance Logs   Allows deletion of the mass maintenance log, a key audit trail of mass maintenance activity.
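The segregation between running mass maintenance and deleting its log can be tested across user, role and transaction assignments. The following Python check is an added example for this handbook, not SAP code; the AGR_USERS-style and S_TCODE rows are constructed and the user and role names invented. It resolves each user’s reachable transactions through every assigned role, treating ‘*’ or a trailing ‘*’ in S_TCODE as a wildcard, and lists users who can both run a mass maintenance transaction and start MSL2.

```python
"""Segregation-of-duties check: users able both to run mass maintenance and to
delete its log (MSL2).

Added example, not SAP code. The rows are constructed to look like AGR_USERS
(user, role) and the S_TCODE values of AGR_1251 (role, value); user and role
names are invented.
"""

MASS_TCODES = {"XK99", "XD99", "MM17", "SU10", "KE55", "OB_GLACC11"}
LOG_DELETE = "MSL2"

AGR_USERS = [
    ("JSMITH", "Z_MM_MASS"), ("JSMITH", "Z_MM_LOGADMIN"),
    ("AWONG",  "Z_MM_MASS"),
    ("BASIS1", "Z_ALL_TCODES"),
    ("RLEE",   "Z_MM_LOGADMIN"),
]
S_TCODE_VALUES = [
    ("Z_MM_MASS",     "XK99"), ("Z_MM_MASS",     "MM17"),
    ("Z_MM_LOGADMIN", "MSL1"), ("Z_MM_LOGADMIN", "MSL2"),
    ("Z_ALL_TCODES",  "*"),
]


def covered(value, tcode):
    """'*' alone or a trailing '*' in S_TCODE is a wildcard; otherwise exact match."""
    return tcode.startswith(value[:-1]) if value.endswith("*") else tcode == value


def user_tcodes(user, agr_users, s_tcode_values, universe):
    """Transactions from `universe` the user can start through any assigned role."""
    roles = {r for u, r in agr_users if u == user}
    values = [v for r, v in s_tcode_values if r in roles]
    return {t for t in universe if any(covered(v, t) for v in values)}


def sod_conflicts(agr_users, s_tcode_values):
    """{user: [mass maintenance tcodes]} for every user who can also start MSL2."""
    universe = MASS_TCODES | {LOG_DELETE}
    conflicts = {}
    for user in sorted({u for u, _ in agr_users}):
        reachable = user_tcodes(user, agr_users, s_tcode_values, universe)
        mass = sorted(reachable & MASS_TCODES)
        if mass and LOG_DELETE in reachable:
            conflicts[user] = mass
    return conflicts


if __name__ == "__main__":
    for user, tcodes in sod_conflicts(AGR_USERS, S_TCODE_VALUES).items():
        print(f"{user}: can run {', '.join(tcodes)} and delete the log with MSL2")
```

The conflict surfaces in two shapes: a user who accumulated the two roles separately, and a user whose single wide role (‘*’ in S_TCODE) covers both; only the user-level view finds the first, so the check should be run over assignments rather than over individual roles.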

USEFUL REPORTS
Procedures should be implemented for review of the Mass Maintenance log on a periodic
basis to ensure inappropriate mass maintenance actions are not occurring.

Tcode   Name                   Description
MSL1    Mass Maintenance Log   Provides access to an audit trail of the mass maintenance activity performed.


Workflow

Functional Overview
Workflow has become a feature of many SAP implementations where repetitive and often manual business
processes can be automated to achieve efficiency gains. Through automated routing of transactions, Workflow
is particularly suited to notification and approval tasks.

Human Resources processes such as ESS (Employee Self Service), Time Management and the Manager’s Desktop
in particular make extensive use of Workflow for the approval of tasks such as leave requests or the completion
of staff appraisals.

‘Deadline Monitoring’ can be incorporated in the design of workflows to issue reminders for items that have
not been actioned within a reasonable timeframe, or to escalate unactioned workflow items for the attention
of others. In addition, the Workflow administrator should review for slow moving, unprocessed or erroneous
transactions. These transactions can result in business dissatisfaction or inefficient business processes and should
be carefully monitored and resolved as required.

Below is an example of the use of Workflow in the Purchase Requisition (PR) creation and approval process.

Workflow example (purchase requisition approval):
  1. Triggering event: PR raised over $5000.
  2. User task: PR sent to the requester's manager for approval.
  3. Until loop step: wait for approval. Deadline monitoring is performed alongside to identify
     exceptions, issue reminders or escalate to the next level approver.
  4. Decision: approved, or rejected.
  5. Workflow result: on approval the SAP PO is created automatically; on rejection the requester
     is notified of the rejection and the reason.
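The following Python model is an added illustration of the approver selection and deadline monitoring in the example above; it is not SAP Business Workflow code. The reporting lines, the $5000 threshold, the two-day reminder and five-day escalation intervals, and the vacant position GHOST are all constructed assumptions. It shows the two failure modes this section goes on to describe: a requester for whom no approver can be determined (an unroutable item) and an escalation that runs out of active approvers (an item flagged for the workflow administrator).

```python
"""Approver determination and deadline monitoring for a purchase requisition
(PR) approval workflow.

Added illustration, not SAP Business Workflow code. The reporting lines,
threshold and intervals below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed org structure: person -> manager (None at the top of the chain).
REPORTS_TO = {"ALICE": "BOB", "BOB": "CAROL", "CAROL": None,
              "DAVE": "ERIN", "ERIN": "GHOST"}
ACTIVE = {"ALICE", "BOB", "CAROL", "DAVE", "ERIN"}   # GHOST is a vacant position
APPROVAL_THRESHOLD = 5000                           # PRs above this need approval
REMIND_AFTER = timedelta(days=2)
ESCALATE_AFTER = timedelta(days=5)


def find_approver(person):
    """Walk up REPORTS_TO from `person` to the first active manager.
    Returns None when the chain ends or holds only vacant positions."""
    manager = REPORTS_TO.get(person)
    while manager is not None:
        if manager in ACTIVE:
            return manager
        manager = REPORTS_TO.get(manager)
    return None


def route(pr):
    """Triggering condition plus agent (approver) determination for a new PR."""
    if pr["amount"] <= APPROVAL_THRESHOLD:
        return {"status": "auto-approved", "approver": None}
    approver = find_approver(pr["requester"])
    if approver is None:                  # routing undefined: item would sit unprocessed
        return {"status": "unroutable", "approver": None}
    return {"status": "open", "approver": approver, "sent_at": pr["created"]}


def monitor(work_item, now):
    """One deadline-monitoring pass over a work item: wait, remind, escalate
    to the approver's own manager, or flag it when nobody is left."""
    if work_item["status"] != "open":
        return "none"
    age = now - work_item["sent_at"]
    if age < REMIND_AFTER:
        return "wait"
    if age < ESCALATE_AFTER:
        return "remind"
    next_approver = find_approver(work_item["approver"])
    if next_approver is None:
        work_item["status"] = "stuck"     # for the workflow administrator's review
        return "no escalation target"
    work_item["approver"] = next_approver
    work_item["sent_at"] = now            # the deadline clock restarts for the new agent
    return "escalated"


if __name__ == "__main__":
    raised = datetime(2004, 3, 1, 9, 0)
    item = route({"requester": "ALICE", "amount": 7500, "created": raised})
    for day in (1, 3, 6, 7, 12):
        action = monitor(item, raised + timedelta(days=day))
        print(f"day {day}: {action} -> {item}")
```

Run as a script, the item moves from BOB to CAROL on day 6 and is flagged on day 12 when CAROL has no manager to escalate to; a PR raised by DAVE escalates into the vacant position and is flagged on the first escalation, which is the case an organisational-structure-driven rule set must be tested for.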


SIGNIFICANT RISKS
• Rules for the system selecting an approver, or delegate of an approver are not correctly
defined. This is particularly an issue when the process is driven by the organisational
structure.

• Managers do not review workflow tasks and respond on a timely basis resulting in user
dissatisfaction and inefficient business processes.

• Routing of transactions may not be fully defined resulting in unprocessed items.

• Deadline Monitoring processes are not put in place to monitor Workflow transactions.

SECURITY CONSIDERATIONS
• Access to the following Workflow related transactions should be restricted to authorised
users only.

Tcode   Name                            Description
SWXX    Workflow related transactions   Workflow transactions are prefixed with SW. These transactions should be restricted to Workflow administration staff.

• Access should also be restricted to any alternative or client developed Workflow
based transactions, based on the level of implementation of Workflow performed.


USEFUL REPORTS
The following reports can be used in the administration of workflow:

Report Transaction   Name                                  Description
PFTC_DIS             Display Task                          Displays workflow templates and configuration (including the graphical workflow representation in the Workflow Builder).
SWI1                 Selection report for Work Items       Displays work items and their current statuses; allows the selection and display of individual work items.
SWI2_ADM1            Work Items without Agents             Monitors work items that have no appropriate user (agent) assignment.
SWI2_DEAD            Work Items with monitored Deadlines   Monitors workflow deadlines.
SWI2_DIAG            Diagnosis of Workflows with Errors    Error analysis and diagnosis.

Procurement to payables

SECTION CONTENTS

Background  37
Enterprise Buyer Professional (EBP)  38
  Functional Overview  38
  Significant Risks  39
  Configuration Hot Spots  39
  Security Considerations  41
  Useful Reports  42
Vendor Field Groups  43
  Functional Overview  43
  Significant Risks  43
  Configuration Hot Spots  43
  Security Considerations  43
Dual Control for Changes to Master Records  44
  Functional Overview  44
  Significant Risks  44
  Configuration Hot Spots  44
  Security Considerations  44
  Useful Reports  45
Blanket Purchase Orders  46
  Functional Overview  46
  Significant Risks  46
  Configuration Hot Spots  46
  Security Considerations  47
  Useful Reports  47
Logistics Invoice Verification  48
  Functional Overview  48
  Significant Risks  48
  Configuration Hot Spots  49
  Security Considerations  49
Automatic PO Creation  51
  Functional Overview  51
  Significant Risks  51
  Configuration Hot Spots  51
  Security Considerations  51
  Useful Reports  52

Background
An overview of the functionality and risks and controls of the procurement to payables component as at
Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. This functionality has undergone
a number of changes since this release; these changes have been implemented to improve efficiency and controls
within the procurement to payables processes and are detailed across the following sections:

Enterprise Buyer Professional (EBP)

EBP has been developed to increase efficiency in the procurement process. This is achieved through the use
of on-line catalogues containing approved vendors and goods, where users can request the supply of goods
through a ‘shopping basket’ process.

Vendor Master Data

While vendor master data in itself has not changed significantly in Version 4.6C, the controls and methods
for securing vendor master data have been improved. Improvements include the introduction of
vendor field groups and the authorisation of changes made to sensitive vendor fields.

Blanket Purchase Orders (POs)

With Release 4.0A of SAP it has become possible to create POs with a value limit and a validity period instead of
a delivery date, making it possible to create blanket POs rather than having to create a PO for each requirement
when purchasing goods to be consumed immediately.

Logistics Invoice Verification (LIV)


While LIV has been available in SAP since Release 3.0A, a number of enhancements have been made to
LIV processes.

Automatic PO Creation
On entry of a goods receipt for which a PO has not been created, it is possible to configure the SAP system so
that these POs are automatically created.

Mass Maintenance of Master Data


Functionality has been implemented to allow for Mass Maintenance of master data including Material and
Vendor Master records. Details of Mass Maintenance functionality have been provided in the Basis and Cross
Application components section of this handbook.


Enterprise Buyer Professional (EBP)

Functional Overview
EBP (previously BBP) was developed to allow users to purchase predefined products from approved vendors using
an on-line catalogue. Users browse through the on-line catalogue selecting products and required quantities
that are then put into a user's Shopping Cart.

The EBP process is summarised in the following steps:

Enterprise Buyer Professional process:
  1. The requester selects goods from the catalogue and places them in the 'shopping trolley'.
  2. The requester submits the 'shopping trolley' and Workflow routes it to the delegate or approver.
  3. The delegate or approver receives the request via Workflow and approves or rejects it.
  4. On approval the purchase order is created.
  5. Goods are received by the requester, who enters the goods receipt into EBP.
  6. The invoice is received from the supplier or generated through evaluated receipt settlement.
  7. A three-way match is performed and payment is made.
  Processing is performed in the EBP system for the requisitioning and approval steps, in the EBP or core
  R/3 system for purchase order creation and goods receipt, and in the core R/3 system for invoicing and payment.

Catalogues available to users may be internal or external. Where external catalogues are available, the approved
vendors can maintain these.

EBP users do not enter prices or material descriptions as these are selected from the catalogue. Most header
information for the order is automatically populated by EBP (e.g. the delivery date, which is populated from the
Vendor Info Record, and the vendor, which is taken automatically from the catalogue).

The EBP user specifies the deliver-to address from a list of pre-defined configured deliver-to addresses.

The EBP system resides on a separate SAP installation to the core SAP system and therefore requires a separate
SAP Basis installation. This means that Basis settings and parameters should also be correctly configured to
appropriately control the EBP environment.


SIGNIFICANT RISKS
• Approval processes and Workflow are not appropriately defined resulting in unauthorised
procurement of goods.

• Limits for shopping trolley, approval levels or minimum value of shopping trolleys not
requiring approval may not be correctly configured resulting in inappropriate procurement
of goods.

• Changes to shopping trolleys may be executed following approval resulting in non-
authorised procurement of goods.

• Invoices can be entered via EBP resulting in increased risk of inappropriate access or
segregation of duties risks.

CONFIGURATION HOT SPOTS
• Back end interfacing systems should be defined to ensure that data is interfaced
appropriately. This will generally mean defining the interface between the EBP system and
the core R/3 system.

• Fields, or attributes, to appear on EBP screens should be defined. This will include defining
the user groups and activities that can be performed for each of the fields (for example,
define that the requester can ‘change’ the deliver-to address).

• Key fields to be completed should be configured as mandatory to ensure all relevant
information is captured. This will ensure that data is available to create relevant
purchasing documents.

• Product catalogues should be configured to ensure that users are able to appropriately
select from approved internal or external sources.

• Workflow should be configured to ensure appropriate approval processes are triggered
when an EBP transaction is executed.

• Deliver-to addresses should be configured to ensure goods are only delivered to approved
delivery points.

• Appropriate delegation limits should be configured for EBP transactions. For example,
consideration should be given to the configuration of the following through Workflow
events.


Condition         Example
No Approval       Where shopping trolleys are less than an approved amount, the Workflow
                  may be configured so that No Approval is required. Limits should be
                  applied in line with delegation policy.
Single Approval   Where the shopping trolley is greater than the No Approval limit, manager
                  approval should be required and configured through Workflow. This
                  should ideally be driven from the organisational structure.
Double Approval   Consideration should be given to the application of a Double Approval
                  step where the value of the purchase is above a specified amount. In this
                  case a line manager and a higher-level manager would approve.

• High-risk material groups should be configured to require approval regardless of the
dollar value of the goods provided. This may improve controls with regard to certain
materials that are at particular risk of inappropriate purchase.

• Output from the execution of EBP transactions should be configured.

For example, POs may be automatically generated following the entry and approval of
an EBP transaction. Alternatively, purchase requisitions may be generated and require a
Purchasing Officer to create the PO.

• Payment terms configured in the EBP system should correspond with those defined in the
core SAP system to ensure that there are no inconsistencies.


SECURITY CONSIDERATIONS
• The EBP system resides on a separate instance of SAP and interfaces with a core SAP
system. The EBP system Basis components should be appropriately configured and
secured.

• Consideration should be given to configuration of Personalisation settings at an individual
or role level. These may include the following:

Personalisation Object Key   Description
BBP_APPROVAL_LIMIT           Highest value of shopping cart that can be approved
BBP_SPENDING_LIMIT           Value above which approval is necessary
BBP_WFL_SECURITY_BADI        Specifies whether change can be made or what actions should
                             be taken when changes are made to a shopping cart during
                             the approval process. Consideration should be given to forcing
                             the approval process to re-start when changes are made.

• EBP administration transactions as well as EBP end user transactions should be
appropriately restricted. These include, but are not limited to:

Tcode          Name                           Description
BBPAT03        Create User                    EBP transaction used to create a user ID.
BBPAT04        Forgotten User ID/Password     EBP transaction to request / apply for
                                              password and user ID.
BBPAT05        Change User Data               Transaction used to change or display EBP
                                              user details.
BBPIV01,       Entry of Invoice               EBP transactions used to enter invoices.
BBPIV02,
BBPIV03
BBPPU07        Access to the Managers Inbox   EBP transaction used to access the
                                              Manager's Inbox and related information.
BBP_BW_SC3,    Shopping Carts per product     Business Warehouse reports used to display
BBP_BW_SC4     or per Cost Center             summarised shopping cart information.
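The approval routing from the Configuration Hot Spots table (No, Single and Double Approval with the high-risk material-group override) together with the BBP_SPENDING_LIMIT, BBP_APPROVAL_LIMIT and BBP_WFL_SECURITY_BADI settings above, modelled in Python as an added example; this is not SAP's Workflow code, and the user IDs, limits and material group are constructed values.

```python
"""EBP shopping-cart approval routing (added example, not SAP code).
Models the Workflow conditions in the table above (No, Single and Double Approval),
the high-risk material-group override, the personalisation keys BBP_SPENDING_LIMIT
and BBP_APPROVAL_LIMIT, and the approval restart suggested for BBP_WFL_SECURITY_BADI.
Users, limits and material groups are constructed sample values."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import FrozenSet, List, Sequence, Tuple

@dataclass(frozen=True)
class UserProfile:
    user_id: str
    spending_limit: Decimal  # BBP_SPENDING_LIMIT: cart value above which approval is needed
    approval_limit: Decimal  # BBP_APPROVAL_LIMIT: highest cart value this user may approve

@dataclass(frozen=True)
class ApprovalPolicy:
    double_approval_limit: Decimal             # at or above this value two approvals are needed
    high_risk_material_groups: FrozenSet[str]  # approval required regardless of value

@dataclass
class ShoppingCart:
    cart_id: str
    requester: UserProfile
    items: List[Tuple[str, Decimal]]  # (material group, value)
    approvals: List[str] = field(default_factory=list)
    status: str = "NEW"               # NEW, PENDING_APPROVAL, APPROVED

    def total(self) -> Decimal:
        return sum((value for _, value in self.items), Decimal("0"))

def approvals_required(cart: ShoppingCart, policy: ApprovalPolicy) -> int:
    """Number of distinct approvals the Workflow must collect for this cart."""
    total = cart.total()
    high_risk = any(group in policy.high_risk_material_groups for group, _ in cart.items)
    if total >= policy.double_approval_limit:
        return 2  # line manager plus higher-level manager
    if total > cart.requester.spending_limit or high_risk:
        return 1  # single (manager) approval
    return 0      # within delegation limit: no approval

def submit(cart: ShoppingCart, policy: ApprovalPolicy) -> str:
    """Submit (or re-submit) a cart; any approvals collected so far are discarded."""
    cart.approvals = []
    cart.status = "APPROVED" if approvals_required(cart, policy) == 0 else "PENDING_APPROVAL"
    return cart.status

def approve(cart: ShoppingCart, approver: UserProfile, policy: ApprovalPolicy) -> str:
    """Record one approval, enforcing the self-approval, duplicate and limit checks."""
    if cart.status != "PENDING_APPROVAL":
        raise ValueError(f"cart {cart.cart_id} is not awaiting approval")
    if approver.user_id == cart.requester.user_id:
        raise PermissionError("a requester cannot approve their own cart")
    if approver.user_id in cart.approvals:
        raise PermissionError("the same approver cannot approve twice")
    is_final = len(cart.approvals) + 1 >= approvals_required(cart, policy)
    # Assumption: BBP_APPROVAL_LIMIT is enforced on the approver who completes the
    # process (the higher-level manager in a double-approval chain).
    if is_final and cart.total() > approver.approval_limit:
        raise PermissionError(f"cart value exceeds approval limit of {approver.user_id}")
    cart.approvals.append(approver.user_id)
    if is_final:
        cart.status = "APPROVED"  # the purchase order may now be created
    return cart.status

def change_items(cart: ShoppingCart, new_items: Sequence[Tuple[str, str]],
                 policy: ApprovalPolicy) -> str:
    """Change a cart after submission: the approval process restarts from scratch."""
    cart.items = [(group, Decimal(value)) for group, value in new_items]
    return submit(cart, policy)

# Constructed sample users and policy
REQUESTER = UserProfile("REQ01", Decimal("500"), Decimal("0"))
LINE_MGR = UserProfile("MGR01", Decimal("500"), Decimal("5000"))
SENIOR_MGR = UserProfile("MGR02", Decimal("500"), Decimal("50000"))
POLICY = ApprovalPolicy(Decimal("10000"), frozenset({"MOBILE_DEVICES"}))

def new_cart(cart_id: str, items: Sequence[Tuple[str, str]]) -> ShoppingCart:
    """Build a cart for REQUESTER from (material group, value-as-string) pairs."""
    return ShoppingCart(cart_id, REQUESTER, [(g, Decimal(v)) for g, v in items])

if __name__ == "__main__":
    cart = new_cart("SC-1", [("STATIONERY", "12000")])
    print(submit(cart, POLICY), approve(cart, LINE_MGR, POLICY), approve(cart, SENIOR_MGR, POLICY))
    print(change_items(cart, [("STATIONERY", "12500")], POLICY), cart.approvals)
```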


USEFUL REPORTS
EBP is an extension of existing procurement functionality and, as such, core SAP reports
applicable to procurement are equally applicable to EBP processes.

Workflow is key to successful operation of EBP. Work items may be left in error or not resolved
resulting in failure of the EBP process. Processes should be put in place for the running of
control reports to ensure that all transactions are processed appropriately.

Consideration should also be given to reviewing reports detailing catalogue content changes
for all external catalogues to ensure these are appropriate.


Vendor Field Groups

Functional Overview
As of Version 3.1H of SAP, field groups have been implemented to improve controls over changes to vendor (and
customer) master records. Vendor field groups can be used to restrict the access of a user to a subsection of
fields within the vendor master records.

Field groups are an effective way of restricting access to maintain highly sensitive master data (including bank
details) from other general data (such as phone numbers) which a larger group of users may require access to
maintain.

Dual control can be used for both customer and vendor master records to improve controls over key fields. When
a change is made to a sensitive field the SAP system can be configured to require release of a change made.

SIGNIFICANT RISKS
Details of risks associated with the vendor master data are provided on Page 21 of the Security
and Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:

• Unauthorised changes to vendor master data details may result in inappropriate payment.

CONFIGURATION HOT SPOTS
• Vendor field groups should be appropriately defined. This is generally best executed by
defining logical sets of fields (i.e. segregating address and payment information into
different vendor field groups).

SECURITY CONSIDERATIONS
• Access to maintain field groups, including assignment of fields to field groups, should be
restricted.

• Users should be assigned appropriate field group authorisations based on authorisation
object ‘F_LFA1_GRP’ (‘Vendor: Account Group Authorisation’). This object is used to
specify which activities are permitted for the individual account groups.


Dual Control for Changes to Master Records

Functional Overview
Dual Control has been provided to have greater control over changes to sensitive data. When configured, the
Dual Control functionality creates segregation between the changing and approval of changes to sensitive fields.
This is applicable to both the vendor and customer master records.

SIGNIFICANT RISKS
Details of risks associated with the Vendor Master are provided on Page 21 of the Security and
Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:

• Unauthorised changes to vendor master details may result in inappropriate payment.

CONFIGURATION HOT SPOTS
• Fields that require dual control must be configured as sensitive fields. When configured,
each change to the field is subject to an independent confirmation. It should be noted
that a user cannot confirm their own changes.

• Processes for the confirmation of changes should be configured. This can be performed
through workflow events or through manual processes.
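The field-group restriction described under Vendor Field Groups and the dual-control confirmation described here, modelled in Python as an added example that is not SAP code; the field groups, sensitive fields, users and vendor data are constructed, and holding payments while a sensitive change is unconfirmed is this model's own assumption.

```python
"""Vendor field groups and dual control on sensitive fields (added example, not
SAP code). Models per-user field-group authorisations (the grants object
F_LFA1_GRP represents), sensitive fields whose changes need confirmation by a
different user (what FK08/FK09 provide), and the rule that nobody confirms their
own change. Field groups, users and vendor data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed field-group layout: sensitive payment data kept apart from general data
FIELD_GROUPS: Dict[str, Set[str]] = {
    "ADDRESS": {"street", "city", "telephone"},
    "PAYMENT": {"bank_key", "bank_account", "payment_terms"},
}
# Constructed: fields configured as sensitive, so dual control applies
SENSITIVE_FIELDS: Set[str] = {"bank_key", "bank_account"}

@dataclass
class PendingChange:
    change_id: int
    vendor_id: str
    field_name: str
    new_value: str
    changed_by: str

@dataclass
class VendorMaster:
    vendor_id: str
    data: Dict[str, str]
    pending: List[PendingChange] = field(default_factory=list)

    @property
    def payment_blocked(self) -> bool:
        """Assumption of this model: no payment while a sensitive change is unconfirmed."""
        return bool(self.pending)

class VendorMasterService:
    def __init__(self, user_field_groups: Dict[str, Set[str]], confirmers: Set[str]):
        self.user_field_groups = user_field_groups  # user -> field groups they may maintain
        self.confirmers = confirmers                # users with access to confirm (FK08)
        self.vendors: Dict[str, VendorMaster] = {}
        self._next_id = 1

    def authorised(self, user: str, field_name: str) -> bool:
        return any(field_name in FIELD_GROUPS.get(group, set())
                   for group in self.user_field_groups.get(user, set()))

    def change_field(self, user: str, vendor_id: str, field_name: str, new_value: str) -> str:
        if not self.authorised(user, field_name):
            raise PermissionError(f"{user} has no field group covering {field_name}")
        vendor = self.vendors[vendor_id]
        if field_name in SENSITIVE_FIELDS:
            # Dual control: hold the new value until an independent user confirms it
            vendor.pending.append(PendingChange(self._next_id, vendor_id, field_name, new_value, user))
            self._next_id += 1
            return "PENDING_CONFIRMATION"
        vendor.data[field_name] = new_value  # general data: applied immediately
        return "APPLIED"

    def unconfirmed_changes(self) -> List[PendingChange]:
        """What FK09 would list: every change still waiting for confirmation."""
        return [c for v in self.vendors.values() for c in v.pending]

    def confirm_change(self, confirmer: str, change_id: int, accept: bool = True) -> str:
        if confirmer not in self.confirmers:
            raise PermissionError(f"{confirmer} may not confirm vendor changes")
        for vendor in self.vendors.values():
            for change in vendor.pending:
                if change.change_id != change_id:
                    continue
                if change.changed_by == confirmer:
                    raise PermissionError("a user cannot confirm their own change")
                vendor.pending.remove(change)
                if accept:
                    vendor.data[change.field_name] = change.new_value
                    return "CONFIRMED"
                return "REJECTED"  # held value discarded, record unchanged
        raise KeyError(f"no pending change {change_id}")

def build_sample() -> VendorMasterService:
    """Constructed users: CLERK1 maintains addresses only, CLERK2 also maintains
    payment data and may confirm, SUPER1 confirms changes."""
    svc = VendorMasterService(
        user_field_groups={"CLERK1": {"ADDRESS"}, "CLERK2": {"ADDRESS", "PAYMENT"}},
        confirmers={"SUPER1", "CLERK2"},
    )
    svc.vendors["V100"] = VendorMaster("V100", {"city": "Canberra", "bank_account": "000111"})
    return svc

if __name__ == "__main__":
    svc = build_sample()
    print(svc.change_field("CLERK2", "V100", "bank_account", "000222"))
    print([c.change_id for c in svc.unconfirmed_changes()], svc.vendors["V100"].payment_blocked)
    print(svc.confirm_change("SUPER1", 1), svc.vendors["V100"].data["bank_account"])
```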

SECURITY CONSIDERATIONS
• Access to define sensitive fields should be appropriately restricted to ensure that fields are
not inappropriately removed from the sensitive fields table.

• Access to the following confirmation transactions should be appropriately restricted to
relevant purchasing staff. This includes:

Tcode   Name                                    Description
FK08    Confirm Vendor Changes Individually     Used to confirm or approve vendor changes
                                                that are made.
FK09    Confirm Vendor Changes List             Used to list vendor changes that
                                                require confirmation.
FD08    Confirm Customer Changes Individually   Used to confirm or approve customer
                                                changes that are made.
FD09    Confirm Customer Changes List           Used to list customer changes that require
                                                confirmation.


USEFUL REPORTS
Lists of changes that are waiting to be confirmed can be generated using transaction FK09
(Vendor Changes List) and FD09 (Customer Changes List).


Blanket Purchase Orders

Functional Overview
Up until Release 4.0A, a Purchase Order (PO) would generally need to be created for each requirement, including
orders placed for goods that were to be consumed immediately. The PO served as the basis for the creation of
the goods receipt (if required) and for the invoice verification process.

As of Release 4.0A, Blanket POs have made it possible to create a PO with a value limit and a validity period
instead of a delivery date. These documents are created with document type ‘FO’ and item category ‘B’
(Limit).

The benefit of the Blanket PO is that it allows a user to procure various materials or services from
vendors in cases where the creation and processing of individual POs is not deemed economical. Blanket POs
would generally be utilised for low value, high use items for which this process is deemed appropriate.

It should be noted that in order to utilise Blanket POs, Logistics Invoice Verification (LIV) must be used.

SIGNIFICANT RISKS
• No goods receipt or entry and acceptance of services is required with Blanket Purchase
Orders. Invoices are posted directly with reference to the order which may result in bypass
of purchasing controls.

CONFIGURATION HOT SPOTS
• Tolerances specific to Blanket Purchase Orders should be correctly configured so that
invoices exceeding these limits are appropriately blocked for review.

Tolerances to be configured include:

Tolerance Code   Tolerance Name                  Tolerance Description
LA               Amount of Blanket Purchase      Determines if the value limit of the Blanket
                 Order                           Purchase Order has been exceeded by the
                                                 processed invoices and blocks any
                                                 invoices which will exceed the PO value.
                                                 An upper percentage or absolute
                                                 tolerance may be defined.
LD               Blanket Purchase Order time     Determines whether the posting date of
                 limit exceeded                  the invoices is within the configured
                                                 tolerance of the Blanket Purchase
                                                 Order's valid time. The system compares
                                                 the number of days outside the Blanket
                                                 Purchase Order's validity date with a
                                                 configured absolute upper limit.
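The LA and LD checks from the table above, carried out in Python as an added example that is not SAP code; the PO number, invoices and tolerance values are constructed, and the rule that the more restrictive of an absolute and a percentage LA limit applies is this example's assumption.

```python
"""Blanket PO invoice tolerance check for keys LA and LD (added example, not SAP
code). An invoice posted against a Blanket PO (document type FO, item category B)
is checked against the PO value limit (LA) and validity period (LD) and blocked
for review when either tolerance is exceeded. PO, invoices and tolerance values
are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class BlanketPOTolerances:
    la_absolute_upper: Optional[Decimal] = None  # LA: absolute amount the limit may be exceeded by
    la_percent_upper: Optional[Decimal] = None   # LA: percentage of the limit it may be exceeded by
    ld_days_upper: int = 0                       # LD: days after the validity end still accepted

@dataclass
class BlanketPO:
    po_number: str  # constructed
    value_limit: Decimal
    valid_from: date
    valid_to: date
    invoiced_total: Decimal = Decimal("0")  # sum of invoices already posted against the PO

@dataclass(frozen=True)
class Invoice:
    invoice_number: str  # constructed
    amount: Decimal
    posting_date: date

def allowed_overrun(po: BlanketPO, tol: BlanketPOTolerances) -> Decimal:
    """Amount by which the PO value limit may be exceeded before LA blocks.
    Assumption: if both an absolute and a percentage upper limit are configured,
    the more restrictive of the two applies."""
    candidates = []
    if tol.la_absolute_upper is not None:
        candidates.append(tol.la_absolute_upper)
    if tol.la_percent_upper is not None:
        candidates.append(po.value_limit * tol.la_percent_upper / Decimal("100"))
    return min(candidates) if candidates else Decimal("0")

def check_invoice(po: BlanketPO, inv: Invoice, tol: BlanketPOTolerances) -> List[str]:
    """Return the tolerance keys that block this invoice (empty list: no block)."""
    reasons = []
    projected = po.invoiced_total + inv.amount
    if projected > po.value_limit + allowed_overrun(po, tol):
        reasons.append("LA")  # Blanket PO value limit exceeded beyond tolerance
    if inv.posting_date < po.valid_from:
        reasons.append("LD")  # posted before the validity period starts
    elif (inv.posting_date - po.valid_to).days > tol.ld_days_upper:
        reasons.append("LD")  # posted too many days after the validity period ended
    return reasons

def post_invoice(po: BlanketPO, inv: Invoice, tol: BlanketPOTolerances) -> Tuple[str, List[str]]:
    """Post the invoice against the PO and return its status and blocking reasons.
    As in LIV, a blocked invoice is still recorded against the PO (so later
    invoices see the full consumed value) but is held for review and release."""
    reasons = check_invoice(po, inv, tol)
    po.invoiced_total += inv.amount
    return ("BLOCKED_FOR_REVIEW" if reasons else "POSTED"), reasons

def run_sample() -> List[Tuple[str, str, List[str]]]:
    """Constructed scenario: a 10,000 limit Blanket PO valid for the first half of 2004."""
    po = BlanketPO("4500000001", Decimal("10000"), date(2004, 1, 1), date(2004, 6, 30))
    tol = BlanketPOTolerances(la_absolute_upper=Decimal("500"),
                              la_percent_upper=Decimal("10"), ld_days_upper=7)
    invoices = [
        Invoice("INV-1", Decimal("6000"), date(2004, 3, 1)),   # within limit and period
        Invoice("INV-2", Decimal("4400"), date(2004, 7, 5)),   # 400 over limit, 5 days late: tolerated
        Invoice("INV-3", Decimal("200"), date(2004, 7, 20)),   # 600 over limit, 20 days late: blocked
    ]
    return [(inv.invoice_number,) + post_invoice(po, inv, tol) for inv in invoices]

if __name__ == "__main__":
    for number, status, reasons in run_sample():
        print(number, status, reasons)
```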


SECURITY CONSIDERATIONS
• Access to create or change Blanket Purchase Orders should be restricted, given the
increased risks associated with them. This may be achieved by restricting users' access
to document type FO.

• Access should be restricted to transactions which can be used to create purchase orders
including:

TCode          Name                              Description
ME21, ME21N    Create Purchase Order             Transactions used to create POs.
ME22, ME22N    Change Purchase Order             Transactions used to change existing POs.
MEMASSPO       Mass Change of Purchase Orders    Allows a user to update a large number of
                                                 POs simultaneously.
MEPO           Purchase Order                    Enjoy transaction used to create and change
                                                 PO documents.

USEFUL REPORTS
While there are no Blanket Purchase Order specific SAP delivered standard reports,
management should consider developing reporting to identify the following:

• Blanket POs that have expired or are about to expire and require re-assessment and
potentially recreation.

• Blanket POs that have been created, to ensure that these are appropriate and approved.
This may be produced using standard reports selected on the Blanket PO document type.


Logistics Invoice Verification

Functional Overview
Logistics Invoice Verification (LIV) has undergone a number of enhancements up to Version 4.6C of SAP. LIV is
part of the Materials Management component and is used to complete the procurement process.

LIV has been developed based on the conventional invoice verification processes and, as such, this section should
be read in conjunction with page 39 of the Security and Control for SAP R/3 Handbook (Procurement to
Payables section). The functions of the conventional invoice verification processes are available through LIV;
however, the two components may continue to be run in tandem.

LIV provides additional functionality that was not available in the conventional invoice verification processes,
including the disbursement of information to the Materials Management and Finance components. Additional
functionality has been developed by SAP for the LIV process, which includes but is not limited to the following:

• Invoices can be verified on-line or in the background.

• Multiple account assignments or multiple company codes for posting can be used.

• The system can be automatically configured to post a credit memo for the difference between the value
of the invoice and the value for which the system expected an invoice. This can be particularly useful for
vendors who consistently over-charge.

• Workflow can be integrated into the invoice process to aid in the resolution of blocked invoices.

SIGNIFICANT RISKS
Significant risks associated with LIV are detailed in the Security and Controls for SAP R/3
Handbook page 40 that discusses the invoice verification process. These include the following:

• Invoices may not match the corresponding purchase order and/or goods receipt. However,
they may still be processed for payment.

• Invoices may be processed that do not relate to a valid purchase order in the system.


CONFIGURATION HOT SPOTS
• LIV invoices can be processed in the background. Where background processing occurs,
the system can be configured to assign the status of ‘Verified as correct’ or ‘Completed’
on a company code by company code basis. Consideration should be given to configuring
background-processed invoices as ‘Verified as correct’ so that these invoices can,
following review, be marked as ‘Completed’.

• Vendor-specific tolerance groups can be configured (transaction OMRX). Tolerance groups
define the way the system reacts to positive or negative invoice differences.

A tolerance group can be assigned to each vendor in the vendor master record. This can be
effective in reducing processing time where vendors consistently over charge, as the system
is configured to treat the variances received appropriately.

• Where invoices are blocked, Workflow events can be triggered. Typically the blocking of an
invoice will trigger a Workflow item to the buyer, who can change the PO, release the
invoice items or flag the invoice as in dispute.

SECURITY CONSIDERATIONS
• With the introduction of LIV, a number of new transactions have been created which
should be appropriately restricted. Consideration should be given to restricting access to
the following key LIV transactions:

Tcode   Name                                  Description
MIRO    Enter Invoice                         Enjoy transaction used to process invoices.
MIR7    Park Invoice                          Used to park invoices where ‘Park and Post’
                                              functionality is utilised.
MIRA    Enter Invoices for Invoice            Processes invoices for verification via background
        Verification in the Background        processing.
MR8M    Cancel Invoice Document               Used to cancel invoice documents.
MRBR    Release Blocked Invoices              Allows the user to release blocked invoices for
                                              processing and payment.
MIR6    Invoice Overview                      Provides for analysis of invoices by various
                                              selection criteria.
MR90    Output Messages                       Allows for viewing output documents generated
                                              from SAP.
MRRL    Evaluated Receipt Settlement (ERS)    Provides for automatic settlement for ERS
                                              transactions.
MRKO    Consignment and Pipeline Settlement   Automatically settles withdrawals from
                                              consignment and pipeline.
MRIS    Invoicing Plan Settlement             Provides for settlement automatically based on
                                              the invoicing plan.
MRNB    Revaluation                           Used to re-value purchases based on
                                              retrospective changes.
MRA1    Create Archive                        Allows for the archiving of documents.
MRA2    Delete Documents                      Allows for the deletion of documents.

• As with all invoice processes, consideration should be given to restricting access to invoice
verification functions by company code and plant.

• Access to the authorisation object ‘Invoices: Blocking reasons’ should also be restricted to
ensure that only authorised users are able to release blocked invoices. It is critical that the
releasing function be segregated from invoice entry, to ensure that the approval processes
are not compromised.


Automatic PO Creation

Functional Overview
Release 4.0A enables the SAP system to be configured to automatically create a Purchase Order (PO) during the
Goods Receipt (GR) process. In order for this process to occur, standing data must be created as SAP valuates
the GR at the price defined in the Purchasing Info Record.

SIGNIFICANT RISKS
• Automatic creation of POs at the point of GR results in bypass of purchase order controls
(e.g. electronic approval).

CONFIGURATION HOT SPOTS
• In order for this to occur each plant must be assigned to a purchasing organisation so that
the system can determine the purchasing info records.

• SAP can be configured to automatically create a PO for certain pre-defined movement
types.

SECURITY CONSIDERATIONS
• Where automatic creation of a PO on goods receipt is enabled, access to process Goods
Receipts should be restricted to appropriate staff.

Tcode   Name                         Description
MB01    Post Goods Receipt for PO    Transaction used to process a Goods Receipt
                                     where a PO is available.
MB0A    Post Goods Receipt for PO    Transaction used to process a Goods Receipt
                                     where a PO is available.
MB1C    Other Goods Receipts         Allows for the processing of Goods Receipts
                                     other than by reference to a PO.


USEFUL REPORTS
While there are no specific SAP delivered standard reports with regard to automatically
created POs, consideration should be given to developing reports to identify POs created to
ensure that these are approved and generated in line with business process requirements.

Financial accounting

SECTION CONTENTS

Background .......................................................................................................................55

General Ledger .................................................................................................................56


Functional Overview ............................................................................................................................................56

Significant Risks ....................................................................................................................................................58

Configuration Hot Spots ....................................................................................................................................58

Security Considerations ......................................................................................................................................59

Useful Reports ........................................................................................................................................................60

Asset Accounting ..............................................................................................61


Functional Overview ............................................................................................................................................61

Significant Risks ....................................................................................................................................................62

Configuration Hot Spots ....................................................................................................................................62

Security Considerations ......................................................................................................................................62

Useful Reports ........................................................................................................................................................63

Background
An overview of the functionality, risks and controls of the Financial Accounting module as at Version 3.1H
is covered within the full Better Practice Handbook for SAP R/3. The Financial Accounting module of SAP has
undergone a number of changes since Version 3.1H. Whilst many of these changes do not have a significant
controls impact, there are a number where additional control functionality has been made available through
enhancements. These are detailed in the following subsections:

General Ledger
Since the General Ledger forms the core of the SAP financials package, very few significant changes have been
applied to this area. However, a number of additional inherent and configurable controls have been added to
enhance the control environment.

Key changes to the General Ledger area include the addition of true reversal functionality simplifying reversal
postings and the inclusion of a cash journal to enhance control over cash management activities.

Asset Accounting
Significant enhancements have been made around the Asset Accounting module. These have resulted in
improved asset management functionality. A key change in the Asset Management module is the introduction
of the Asset Explorer for improved asset reporting.


General Ledger

Functional Overview
A number of changes and enhancements have been made to the General Ledger since Release 3.1H. These
changes are outlined below:

• True Document Reversals and Negative Postings

As of Release 4.0A, reverse postings and adjustment postings can be indicated as negative postings. Negative
postings reduce transaction figures in customer, vendor, and G/L accounts without having to reverse the
document by posting a reversal document. This type of reversal is called a true reversal.

The true reversal functionality allows reversal postings to be traced back to original documents. This improves
accuracy of document reversals since these can now reference the original document.

• Reversal Reason Codes

In SAP Release 4.5B, reversal reason codes have been made mandatory fields. A number of default reversal reason
codes have been configured in SAP as standard, however additional codes may be configured.

Mandatory requirement for reversal reason codes adds additional control over the reversal of documents and
provides enhanced audit trail over the reversal of documents.

• Distributing Exchange Rates using ALE

As of SAP Release 4.5A, it is now possible to distribute exchange rates between SAP systems using Application
Link Enabling (ALE) technology. This improves controls over exchange rates ensuring these are consistent across
SAP systems and improves ease of maintenance.

• Cash Sub-Journals

The cash journal is a bank accounting sub ledger available for the management and reporting of cash positions.
The cash journal can be used independently of other posting transactions allowing more flexibility and accuracy
in cash management reporting.

The benefit of the cash journal is that opening and closing balances, as well as receipts and payments balances
are automatically calculated and displayed. The cash journal would also allow an agency to run more than one
cash journal per company code and to run separate cash journals for each currency.

• Alternative Payment Currency

Prior to 4.5A, payments in alternative currency could only be created and posted manually. As of 4.5A, it is
possible to enter a payment currency (which can differ to the standard currency of the document) for open
items to be paid automatically by the payment run. Users can specify an amount equal to the gross amount of
the item in the payment currency. The payment currency is supported in both Accounts Payable and Accounts
Receivable.

This facility reduces the risk of errors through removal of manual currency calculations.


• Editing G/L Account Master Records

The screen layout for G/L account master records has been reorganized to allow for G/L account master records
to be edited from the data screen.

Mass maintenance functionality is also available for G/L account master records to improve efficiency and
accuracy (refer to Basis and Cross Application Components of this handbook update for more detail).

• G/L Account Clearing Tolerances

As of 4.6A, tolerances for G/L account clearing have been extended. These tolerances, which are defined for a
user and an account, are used to determine whether the system will issue error messages to the user or post the
differences automatically.

These tolerances can be used to further restrict general tolerances that are in place for particular users or G/L
accounts as required.

• New Banking Interfaces

Since Release 4.5, new interfaces are available relating to Electronic Funds Transfer (EFT) and banking across
GL, AR and AP. These interfaces provide enhancements to electronic banking functionality allowing analysis of
notes to payees, the creation of custom electronic banking methods and the determination of business partners
from remittance advices.

The new functionality also enables central check routines and alternative check algorithms to be used when the
system checks banking attributes.

This extends the standard banking interface controls, providing greater flexibility in control procedures around
bank interfaces. It also allows for automatic checking of banking attributes using appropriate check routines
and/or algorithms.

• Requesting G/L Account Master Data Changes via the Internet/Intranet

As of SAP Release 4.6C, it is possible to configure requests for master data changes to be sent via the Intranet/
Internet. The requester can request the creation, change, deletion or locking of G/L account master data.

In this scenario a user will fill out a request form for the master data change in the Intranet/Internet. In the form,
the requester describes the reason for the request and submits to the responsible processor or processing group. The
processor or processing group then receives the request in their inbox or Workflow inbox in the SAP R/3 System.
The request form can be accessed from there, as can the transactions needed for processing master data.

This provides an improved audit trail and control over changes to G/L account master data.

• Foreign Currency Postings

For documents posted in foreign currency, it is now possible to post the rounding differences to a separate
revenue/expense account. This allows for greater control over variances providing standardisation and efficiency
in the handling of rounding errors.


SIGNIFICANT RISKS
Risks and controls as defined on page 72 of the Security and Control for SAP R/3 Handbook
remain relevant. Additional risks relevant to the new functionality include:

• Inappropriate document reversal processes are implemented.

• Inappropriate changes are made to General Ledger master data or the Chart of Accounts
through the use of mass maintenance functions.

CONFIGURATION HOT SPOTS
• Consideration should be given to whether negative postings are permitted for each
company code. Where true document reversals and negative postings are appropriate,
reversal reasons should be reviewed and configured to ensure they are in line with
business requirements and provide appropriate reasons for analysis purposes.

• In order to effectively use cash sub-journals these should be appropriately configured.
This will include:

– creating appropriate GL accounts for the Cash Journal;

– defining appropriate document types for Cash Journal documents; and

– defining appropriate number range intervals for Cash Journal documents.

• Where required, alternative payment currencies should be configured. This will include:

– maintaining automatic account assignments for payment differences arising during
payment; and

– defining appropriate accounts including clearing accounts for instances where payment
differences occur as a result of payment currency.

• Where processes have been implemented for the request of G/L Account Master Data
changes via the Internet/Intranet, appropriate approvals through Workflow should be
configured.


SECURITY CONSIDERATIONS
• New GL authorisation objects have been provided and should be taken into consideration
when defining security.

Authorisation Object Description

F_RQRSVIEW Bank Ledger: Viewer for Request Response Messages

• Existing roles should be reviewed to establish whether or not the new authorisation
objects should be added.

• Consideration should be given to the removal of access to legacy transactions.
Further, access to the following transactions should be restricted to relevant finance /
accounting staff:

Tcode           Name                        Description
GP12N           Planning                    Enjoy transaction version of transaction GP12.
FS10N, FD10N,   G/L Account Balance         Enjoy transaction versions of FS10, FD10 and FK10.
FK10N
FBL1N-FBL6N     Vendor Line Items           Enjoy transaction versions of FBL1-FBL6.
FB60            Invoice Data Entry          Update of previously used F-43 and FB10.
                Invoice/Credit Fast Entry
FB50            G/L Posting                 Update of previously used F-02 transaction.


USEFUL REPORTS
Improvements have been made in reporting of line items where a negative posting to an
account has taken place. To make the deriving of balances from the line item amounts easier,
negative postings are marked with a minus sign behind the posting key (or with a special
G/L indicator where necessary). This enhancement is aimed at eliminating errors by making
balances and line item reports easier to read and interpret.

Asset Accounting

Functional Overview
A number of changes have been implemented to enhance functionality around Asset Accounting.

• Custom Defined Fields

Asset number ranges which were previously assigned only by asset class can now be further defined based on
other fields in the asset master record, such as location and cost centre.

• Wizard for Creating Asset Classes from G/L Accounts

Up to now, it has been possible to create asset classes from an asset G/L account using the asset class generator.
An on-screen help wizard is now available to automate this process.

Previously, it was possible to create two different asset classes with the same name when using the asset class
generator. The system now prevents this from happening and assists in ensuring completeness and accuracy of
data input.

• Creating Assets from Purchase Orders and Purchase Requisitions

Since SAP Release 4.5A, an asset can be created from the purchase order and purchase requisition creation
transactions, where Materials Management is being used.

Asset master data information is entered through dialog boxes directly into the asset master data
transactions. The user therefore requires authorisation to create assets in order to use this functionality.
Assets that are not created completely are identifiable through the incomplete asset reporting that was
already available in earlier releases of SAP.

• Intercompany Asset Transfers

With Release 4.0A, when assets are transferred between company codes within a single client, the user can
post the complete transfer from the sending company code. The system automatically performs the receiving
posting, creating the asset in the receiving company code if necessary.

Note that this function is only available for transfers within a single client. Transfers between clients
or systems must still be posted in two steps (retirement in the sending system and acquisition in the
receiving system).

• Multiple Asset Creation

Multiple assets can be created in one transaction provided they have identical asset classes and company codes.
When saved, a range of main or sub numbers and individual descriptions are assigned.

Previously, a user would need to create assets one-by-one, copy assets or create all assets as one asset in a
group asset.

• Asset Value Date

The Asset Value Date is the date used when posting asset transactions and has a direct influence on the
depreciation calculations. Previously, the rules for determining the asset value date for Asset Accounting
transactions were hard coded in SAP however functionality is now available to configure these dates.

While Asset Value Date customisation provides additional flexibility in calculating asset values, this may lead to
inaccurate asset value dates and values being applied.

SIGNIFICANT RISKS
Risks and controls as defined on page 94 of the Security and Control for SAP R/3 Handbook
remain relevant. Additional risks relevant to the new functionality include the following:

• Asset Value Dates may be customised incorrectly, resulting in inaccurate depreciation
calculation.

• Asset master records may not be set up correctly or may not contain all necessary data.

CONFIGURATION HOT SPOTS
• Asset Value Dates should not be configured unless required. If configuring of Asset Value
Dates is necessary, care should be taken to ensure these are in line with business and
accounting requirements.

SECURITY CONSIDERATIONS
• New Asset Accounting authorisation objects have been provided and should be taken into
consideration when defining security.

Authorisation Object   Description
A_S_KOSTL              Asset Master Record Maintenance: Company Code/Cost Centre. Restricts
                       the maintenance of asset master records to particular cost centres or
                       company codes.

• Existing roles should be reviewed to establish whether or not the new authorisation
objects should be added.

• Consideration should be given to removal of access to obsolete transactions. Further,
access to the following transaction should be restricted to relevant Finance / Asset
Accounting staff:

Tcode    Name             Description
AW01N    Asset Explorer   Provides access to many asset accounting functions (display of posted
                          and planned values, depreciation areas and asset master data).

USEFUL REPORTS
The Asset Explorer provides information on posted and planned asset values. This tool,
accessed through transaction AW01N provides access to functions available in the previous
asset value display transaction, however has extended this to provide improved access to and
display of asset information such as depreciation areas, asset master data and current year
transactions. The Asset Explorer also provides functions for printing the values as required.

Another change in reporting applicable to Asset Accounting is the replacement of program
RASKBU00, used for periodic posting of changes to asset values in a depreciation area, by
the new program RAPERB00. In Version 4.6C, report RASKBU00 no longer exists.

Controlling
SECTION CONTENTS

Background .......................................................................................................................66

Controlling ........................................................................................................................66
Functional Overview ............................................................................................................................................66

Significant Risks ....................................................................................................................................................67

Configuration Hot Spots ....................................................................................................................................67

Security Considerations ......................................................................................................................................67

Useful Reports ........................................................................................................................................................69

Background
An overview of the functionality, risks and controls of the Controlling (CO) module as at Version 3.1H
is covered within the full Better Practice Handbook for SAP R/3. The Controlling module has undergone a
number of enhancements and changes since this release; this has included the introduction of master data
enhancements and an alternative CO authorisation concept.

This section outlines the significant changes that have taken place in the controlling module since 3.1H and the
impact that this has had on security and controls.

Controlling

Functional Overview
A number of changes and enhancements have been made to the CO Module since Release 3.1H. These changes
are outlined below:

• Parked Documents in Controlling

From Release 4.6A, the system creates corresponding CO documents for documents parked in the
Financial Accounting and Materials Management components.

This enables CO postings to be parked before they are posted, supporting segregation of
duties and an approval step between the person who enters a document and the person who
posts it.

• New CO Master Data Enhancements

As of Release 4.0A, it is possible to add additional master data fields for cost elements, cost centres, activity
types, and business processes. SAP allows the maintenance of these new fields within the original master data
processing locations.

When adding these master data fields, consideration should be given to the nature of this information and
whether additional custom security checks for these fields should be used.

• Requesting of Controlling Master Data Changes via the Internet/Intranet

As of SAP Release 4.6C, it is possible to put approval processes for master data changes in place via the Intranet/
Internet. The process for approval of these changes can be configured by workflow or other means.

Implementation of this approval process can provide an audit trail of reasons for changes to Controlling master
data and ensure that changes to Controlling master data will always have appropriate approvals.

• Deletion of Controlling Master Data

A test run function is available to check whether master data selected for deletion has any dependencies that
may cause issues, should the deletion process take place. The test run completes extensive checks of dependent
data; reporting on data that might be affected by the proposed deletion(s), and preventing deletion where
dependent data is present.


• Manager’s Desktop

As of Release 4.6A, Controlling reporting has been integrated into the Manager’s Desktop. (For more detail on
the Manager’s Desktop, see the Human Resources section of this handbook update).

• New Reconciliation Account Field in Line Items

As of Release 4.0A, line items in the reconciliation ledger have been extended to include a field for G/L account.
This field records the G/L account to which the reconciliation posting was made in Financial Accounting. This
can be the account corresponding to the cost element or an adjustment account.

Utilising this functionality can improve reconciliation ledger reporting.

SIGNIFICANT RISKS
• As detailed on page 110 of the Security and Control for SAP R/3 Handbook, the
significant risk associated with the Controlling component is that transaction postings
in the SAP application modules may not update the Controlling module if the central
interface is not appropriately configured.

CONFIGURATION HOT SPOTS
• If reconciliation line items currently exist which do not have the Reconciliation Account
Field completed it will be necessary to obtain values and fill in the account field. This can
be achieved by executing the program ‘RKAKALX2’.

SECURITY CONSIDERATIONS
• From Release 4.0, the authorisation concept for Controlling has been revisited. This has
resulted in the introduction of two new authorisation fields against which users can be
checked:

CO-OM Responsibility Area (field RESPAREA):
A responsibility area is composed of a standard hierarchy using the controlling objects
cost centre, order, profit centre and business process.

Controlling Action (field CO_ACTION):
Each transaction in the Controlling module creates both an activity (e.g. create or change)
and a CO action. The new CO authorisation objects check the CO action rather than only the
activity, and therefore allow finer-grained authorisation of the Controlling module.

• The following new authorisation objects have been provided for the Controlling module.
Consideration should be given to restricting access to relevant finance / accounting staff:

Authorisation Object   Description
K_CCA                  General Authorisation Object for Cost Centre Accounting
K_ORDER                General Authorisation Object for Internal Orders
K_ABC                  General Authorisation Object for Business Processes
K_ZBASSL               Calculation base
K_ZKALSM               Costing sheet
K_ZENTSL               Credit
K_KMOB_DCT             Document Type for Manual Funds Reservation
K_ZZUSSL               Overhead
K_ZSCHL                Overhead key
K_PEP                  Authorisation Object for Period-End Partner
K_ML_MTART             Material Ledger: Material Type
K_ML_VA                CO Material Ledger: Valuation Area
K_MLPR_VA              Material Price Change: Valuation Area
K_SUM_CO               General CO Summarization Without Classification
K_TEMPL                Authorisation Template (ABC allocation, formula planning)
K_CSKS                 Cost Centre Master
K_PCAS_PRC             Profit Centres
K_PCA                  Responsibility Area, Profit Centre
K_ML_MGV               Material Ledger: Master Data of the Quantity Structure

• As of Release 4.6A, a new authorisation check for company code takes place when CO/FI
(Controlling / Financial Accounting) reconciliation postings are made (transaction KALC).
The authorisation object F_BKPF_BUK is now checked by this transaction, confirming the
user's authorisation to post to the proposed company code(s). Users who run KALC from a
role that carries no F_BKPF_BUK value for the relevant company codes will fail the check.

Consideration should be given to adding the authorisation object F_BKPF_BUK to any
roles containing transaction KALC and applying the appropriate company code values rather
than a wildcard.
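The role review called for in the bullet above can be scripted over extracts of the role tables. The following is an added example in Python (not part of this handbook and not SAP's own tooling): it reads constructed sample rows modelled on the SAP tables AGR_TCODES (role to transaction) and AGR_1251 (role to authorisation object field values) and reports, for every role containing KALC, whether the F_BKPF_BUK company code field BUKRS is missing, wildcarded or scoped to explicit values. The role names and values are made up for illustration; the transaction, object and field are parameters, so the same function serves the other "restrict access to" recommendations in this handbook.

```python
"""Role review over constructed extracts of the SAP role tables AGR_TCODES
(role -> transaction) and AGR_1251 (role -> authorisation field values).
Added example for this handbook update; not SAP code.  Role names and
values below are made up for illustration."""

# constructed AGR_TCODES extract: (AGR_NAME, TCODE)
AGR_TCODES = [
    ("Z_CO_PERIOD_END", "KALC"),
    ("Z_CO_PERIOD_END", "KSU5"),
    ("Z_FI_GL_POST", "FB50"),
    ("Z_FI_GL_POST", "KALC"),
    ("Z_CO_REPORTING", "KALC"),
    ("Z_FI_GL_DISPLAY", "FS10N"),
]

# constructed AGR_1251 extract: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
AGR_1251 = [
    ("Z_FI_GL_POST", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_FI_GL_POST", "F_BKPF_BUK", "BUKRS", "1000", "1000"),
    ("Z_CO_REPORTING", "F_BKPF_BUK", "ACTVT", "03", ""),
    ("Z_CO_REPORTING", "F_BKPF_BUK", "BUKRS", "*", ""),
    ("Z_CO_PERIOD_END", "K_CCA", "RESPAREA", "*", ""),
    ("Z_CO_PERIOD_END", "K_CCA", "CO_ACTION", "*", ""),
]


def field_values(agr_1251, role, obj, field):
    """Return the (LOW, HIGH) pairs a role holds for an object field."""
    return [(low, high) for r, o, f, low, high in agr_1251
            if r == role and o == obj and f == field]


def review_transaction(agr_tcodes, agr_1251, tcode, obj, field):
    """Classify every role that contains tcode by its obj/field coverage.

    'missing'  no value at all: users of the role fail the new check
    'wildcard' a '*' value: the check passes for every company code
    'scoped'   explicit values or ranges: listed for the reviewer
    """
    roles = sorted({r for r, t in agr_tcodes if t == tcode})
    result = {}
    for role in roles:
        vals = field_values(agr_1251, role, obj, field)
        if not vals:
            result[role] = ("missing", [])
        elif any(low == "*" for low, _ in vals):
            result[role] = ("wildcard", vals)
        else:
            result[role] = ("scoped", vals)
    return result


def findings(agr_tcodes, agr_1251, tcode, obj, field):
    """Only the roles a reviewer must act on: missing or wildcard coverage."""
    review = review_transaction(agr_tcodes, agr_1251, tcode, obj, field)
    return {role: status for role, (status, _) in review.items()
            if status != "scoped"}


if __name__ == "__main__":
    report = review_transaction(AGR_TCODES, AGR_1251,
                                "KALC", "F_BKPF_BUK", "BUKRS")
    for role, (status, vals) in report.items():
        print(f"{role:18} {status:9} {vals}")
```

Against the sample rows, Z_CO_PERIOD_END contains KALC with no F_BKPF_BUK at all (its users will now fail the check), Z_CO_REPORTING carries a wildcard company code (over-broad), and only Z_FI_GL_POST is scoped to company code 1000. A full review would also look at the ACTVT value and at derived roles; the same call with a different transaction, object and field (or simply the role list the function builds) identifies which roles contain the sensitive transactions listed elsewhere in this update.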

USEFUL REPORTS
As stated in the Security and Control for SAP R/3 Handbook page 113, there are numerous
reports available via the Controlling component. A number of reports have been added that
should be considered by management for review, including but not limited to the following:

• Cost Flow Overview Report has been added which reports on cost behaviour in controlling
and reconciliation postings.

• Profitability Analysis Line Item Reports, which have been created to enhance existing
profitability analysis functionality.

Further, a number of previously available reports have been altered to utilise the ABAP List
Viewer that provides greater flexibility in reporting, data extraction and analysis.

Human resources
SECTION CONTENTS

Background .......................................................................................................................73

Employee Self Service ....................................................................................................74


Functional Overview ............................................................................................................................................74

Significant Risks ....................................................................................................................................................74

Configuration Hot Spots ....................................................................................................................................75

Security Considerations ......................................................................................................................................75

Useful Reports ........................................................................................................................................................76

The Managers Desktop ..................................................................................................77


Functional Overview ............................................................................................................................................77

Significant Risks ....................................................................................................................................................78

Configuration Hot Spots ....................................................................................................................................78

Security Considerations ......................................................................................................................................78

Useful Reports ........................................................................................................................................................79

Compensation Management.........................................................................................80
Functional Overview ............................................................................................................................................80

Significant Risks ....................................................................................................................................................80

Configuration Hot Spots ....................................................................................................................................80

Security Considerations ......................................................................................................................................81

Useful Reports ........................................................................................................................................................81

Cross Application Timesheets and Time Management ..........................................82


Significant Risks ....................................................................................................................................................82

Configuration Hot Spots ....................................................................................................................................82

Security Considerations ......................................................................................................................................83

Useful Reports ........................................................................................................................................................84

Other Key Changes Since Version 3.1H .....................................................................85


Ad Hoc Query .........................................................................................................................................................85


Benefits ....................................................................................................................................................................85

Significant Risks ....................................................................................................................................................85

Security Considerations ......................................................................................................................................85

Useful Reports ........................................................................................................................................................86

Background
An overview of the functionality, risks and controls of the Human Resources (HR) module as at Version
3.1H is covered within the full Better Practice Handbook for SAP R/3. The components of HR have undergone
significant changes from Version 3.1H, making it possible to split functionality into small units and extend
integration between components. The main components of HR in Version 4.6 include:

Personnel Management
The sub-modules, formerly known as Personnel Administration (HR–PA) and Personnel Planning and Development
(HR–PD), have been combined.

Personnel Time Management
This is used in the planning, recording and valuation of employees' work performed and absence times.

Payroll Accounting
This provides a number of work processes including the generation of payroll results and remuneration
statements, bank transfers and cheque payments.

In addition to the changes in the structure of the HR module, a number of functional enhancements have been
developed impacting the overall controls environment. These are detailed below and should be considered in
conjunction with those outlined in the previous handbook.

Significant changes include the introduction of ESS (Employee Self Service) and the Managers Desktop that
provide for the decentralisation of HR functions leading to increased risks and control requirements.

Employee Self Service

Functional Overview
SAP Employee Self Service (ESS) has been developed to provide real-time access and data maintenance
capabilities to employees. This allows for a reduction in central administration through the assignment of
many data entry and related customer service activities to employees that were previously performed by an
organisation’s HR, Payroll, Benefits, and Travel Departments.

Activities performed in ESS may include:

• entry of time sheet information;

• entry of leave requests;

• maintenance of personnel information;

• display of pay slips by employees; and

• salary packaging.

ESS enables employees to view, create, and maintain data through a web browser. ESS can provide a powerful
employee information and service portal through an intranet. Functionality can be integrated with other
employee tasks including:

• email;

• employee directory;

• calendar; and

• workflow work items.

ESS includes core HR capabilities, but also offers logistical, financial and office functionality through its
integration with the SAP database ensuring consistency and integrity of data.

ESS functionality can be integrated with the Managers Desktop to implement effective approval processes. This
is generally configured using Workflow.

SIGNIFICANT RISKS
ESS provides many HR display and update capabilities to all employees in an organisation. This
creates additional security and privacy risks including:

• Excessive access to sensitive HR data.

• Unauthorised access to confidential HR data.

• Access to maintain sensitive infotypes, which should be restricted to the HR department.

• Inaccurate update of HR employee master data.

It is vital that employees are restricted to their own records and to appropriate infotypes.

CONFIGURATION HOT SPOTS
• Key ESS data should be defined as required entry in the system to ensure all necessary
information is captured.

• Logging of changes must be activated for sensitive infotypes (customising tables T585A,
T585B and T585C specify the infotypes, field groups and field group characteristics to be
logged). Only infotypes set up in this way appear in the 'Logged Changes in Infotype Data'
audit report (RPUAUD00), and the need to log is greater where employees maintain their own
data through ESS.

• Structural authorisation profiles should be defined and assigned to users, ensuring access
is restricted to the appropriate organisational units.

• Each ESS user's SAP user ID must be linked to their personnel number through infotype
0105 (Communication), subtype 0001 (System user name), so that the user can access only
their own, relevant information.

SECURITY CONSIDERATIONS
• Structural authorisations are not new; however, they are of greater importance where
an ESS HR structure is implemented. Increased control through 'PD Authority Profiles' is
critical to the security of employee data. These authorisations define which objects in the
organisational plan a user is permitted to access, for example:

– Organisational units

– Qualifications and requirements

– Business events

Structural authorisation profiles define which activities (create, change or display) a user
is permitted to execute within each of these objects.

A user's access to HR data and functionality is made up of traditional SAP authorisations
and the HR structural authorisation, providing an additional level of security.

Users should be assigned to an appropriately restricted structural authorisation. Users
should not be assigned the PD_ALL authorisation that allows access to all employees.

• With the implementation of ESS, there is a need to restrict a user's access to their own
employee master record. This is controlled through the "HR: Master Data - Check Personnel
Number" (P_PERNR) authorisation object.

P_PERNR applies only to the personnel number linked to the user through infotype 0105.
Its fields are the activity (AUTHC), the infotype and subtype, and an indicator (PSIGN)
that either includes (I) or excludes (E) the user's own record for that activity and
infotype. A user can therefore be prevented from displaying or changing their own record,
or be permitted to update only their own record, on an infotype by infotype basis. Where
no P_PERNR entry matches, access to the user's own record falls back to the general HR
authorisation objects (for example P_ORGIN), so an HR user with broad general access can
maintain their own data unless an excluding P_PERNR entry is in place.

Consideration should be given to implementing procedures to control/govern the access
of HR users who are also ESS users, as failure to configure P_PERNR (with PSIGN = E) for
sensitive infotypes such as 0008 (Basic Pay) and 0009 (Bank Details) may result in HR
users being able to inappropriately update their own data.

• SAP User Master Records (UMR) must be linked to an employee record (infotype 0105) and
assigned a structural authorisation profile (table T77UA) for structural authorisations
to operate as intended. Where a UMR is not linked to an employee record, a structural
profile that starts from the user's own position in the organisational plan cannot
determine that position, and a user with no entry of their own in T77UA inherits the
default entry for user SAP*, which in the standard delivery carries the unrestricted
profile ALL. Such a user is therefore not restricted by any structural authorisation.
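To make the interaction of these layers concrete, the following added Python example (not SAP code and not part of this handbook) models how an access decision for a personnel number is reached: the structural profile from the user assignment table T77UA (falling back to the delivered SAP* entry), then P_PERNR for the user's own record (an excluding entry overriding an including one), then the general object P_ORGIN. All users, profiles, personnel numbers and authorisation values are constructed; P_ORGIN is reduced to activity and infotype, and each structural profile is given already expanded into the personnel numbers it covers.

```python
"""Model of the HR access decision for one personnel number and infotype:
structural authorisation (T77UA, SAP* default), then P_PERNR for the user's
own record, then the general object P_ORGIN.  Added example for this
handbook update; not SAP code.  All users, profiles, personnel numbers and
authorisation values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PPernr:
    authc: str  # activity: "R" read, "W" write, "*" all
    psign: str  # "I" include own record, "E" exclude own record
    infty: str  # infotype, e.g. "0008" (Basic Pay), or "*"


@dataclass(frozen=True)
class POrgin:
    authc: str  # activity
    infty: str  # infotype or "*" (personnel area etc. omitted here)


# constructed T77UA extract: user -> structural profile. The delivered SAP*
# row is the fallback for any user without an entry of their own.
T77UA = {"SAP*": "ALL", "HRADMIN": "Z_HR_DEPT", "ESSUSER1": "Z_ESS_OWN"}

# constructed infotype 0105 subtype 0001 extract: user -> own personnel number
IT0105 = {"HRADMIN": "10002", "ESSUSER1": "10001"}

# each structural profile already expanded along its evaluation path into the
# personnel numbers it covers; None means unrestricted (profile ALL)
PROFILE_PERNRS = {
    "ALL": None,
    "Z_HR_DEPT": {"10001", "10002", "10003"},
    "Z_ESS_OWN": {"10001"},
}

# constructed general (P_ORGIN) and own-record (P_PERNR) authorisations per user
P_ORGIN = {
    "HRADMIN": [POrgin("*", "*")],
    "CONSULT1": [POrgin("*", "*")],
    "ESSUSER1": [],
}
P_PERNR = {
    "ESSUSER1": [PPernr("R", "I", "*"),      # may read all own infotypes
                 PPernr("W", "I", "0006"),   # may change own address
                 PPernr("W", "E", "0008")],  # may never change own pay
    "HRADMIN": [],                           # no P_PERNR: general access applies
}


def _matches(authc, infty_pattern, activity, infty):
    return authc in ("*", activity) and infty_pattern in ("*", infty)


def check_access(user, pernr, infty, activity):
    """Return (allowed, reason) for user acting on pernr/infty with activity."""
    profile = T77UA.get(user, T77UA["SAP*"])
    covered = PROFILE_PERNRS[profile]
    if covered is not None and pernr not in covered:
        return False, f"structural: {pernr} not covered by profile {profile}"
    if IT0105.get(user) == pernr:  # own record: P_PERNR decides if it matches
        hits = [e for e in P_PERNR.get(user, [])
                if _matches(e.authc, e.infty, activity, infty)]
        if any(e.psign == "E" for e in hits):
            return False, "P_PERNR: own record excluded"
        if hits:
            return True, "P_PERNR: own record included"
    for e in P_ORGIN.get(user, []):  # otherwise the general object decides
        if _matches(e.authc, e.infty, activity, infty):
            return True, f"P_ORGIN within structural profile {profile}"
    return False, "no matching P_ORGIN"


def users_on_default_profile(users):
    """Users with no T77UA entry of their own, i.e. relying on the SAP* row."""
    return [u for u in users if u not in T77UA]


if __name__ == "__main__":
    for case in [("ESSUSER1", "10001", "0008", "R"),
                 ("ESSUSER1", "10001", "0008", "W"),
                 ("ESSUSER1", "10002", "0002", "R"),
                 ("HRADMIN", "10002", "0008", "W"),
                 ("CONSULT1", "10004", "0008", "R")]:
        print(case, check_access(*case))
```

The sample cases show the two failure modes described above: HRADMIN has no P_PERNR entries, so the wildcard P_ORGIN lets them change their own Basic Pay; CONSULT1 has no T77UA entry, falls back to the SAP* row and is structurally unrestricted. ESSUSER1 can read all of their own infotypes and change their own address, but the excluding entry blocks changes to their own pay, and the structural profile blocks access to any other personnel number regardless of the other objects.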

• Access to the following ESS and structural authorisation related sensitive transactions
should be restricted to relevant HR security administration staff:

Tcode    Name                                    Description
OOSP     Change View "Authorisation Profile":    Maintain the content of a structural
         Overview                                authorisation profile.
OOSB     Change View "User Authorisations":      Allocate a user to a structural authorisation
         Overview                                profile.
HRUSER   Set up and maintain ESS user            Administer ESS users (create, change, delete,
                                                 password administration etc).

• Organisations often authenticate users' access to ESS based on network account
authentication (single sign-on). Where this is the case, ESS users never log on to the SAP
system directly, and the initial passwords set on their SAP user master records may remain
unchanged. Those records can still be used for a direct logon (for example through the SAP
GUI), so initial passwords should not be left in place and direct dialog logons by ESS-only
users should be reviewed.

USEFUL REPORTS
A number of key control reports are available to assist in the administration of structural
authorisations and ESS.

Report Code                  Name                         Description
ESS_USERCOMPARE              Reconcile User Master with   Reconciliation report listing users
                             HR Master                    not allocated to an employee record.
ESS_SEL_PERNR_VIA_PNP and    Choose Personnel Numbers     Various analyses over ESS users.
ESS_SEL_PERNR_VIA_PCH

The Managers Desktop

Functional Overview
The Managers Desktop was released in Version 4.5 to allow managers immediate access to relevant HR, Financial
Accounting and Controlling data. It allows all functional managers to perform administrative tasks for their area
of responsibility that may previously have been centralised.

The Managers Desktop provides up-to-date information through integrated reports allowing greater management
control over personnel.

The Managers Desktop provides a number of ‘Themes’ which break down the activities which can be performed
in this application including:

Theme              Theme Description
Employee           Employee information reports, including:
                   • Entry and approval of travel requirements
                   • Education and training data
                   • Creation of appraisals
Organisation       Planning and administration reports:
                   • Organisation maintenance
                   • Transfers processing
Costs and Budget   • Cost centre accounting functions
                   • Compensation Management
Recruitment        Records of decisions related to employee recruitment
Special Areas      Integrated web browser allows access to Intranet and Internet pages
Workflow Inbox     Facilitates integration with ESS and approval activities such as:
                   • Leave requests and time sheets
                   • Expenses

SIGNIFICANT RISKS
• The organisational plan (organisational structure) is not accurately defined or maintained
resulting in:

– Manager access to employees outside their responsibility;

– Managers not having access to their employees; and

– Transactions not properly routed for approval.

• Unauthorised approval of time, expense or other employee data.

• Unauthorised updates / changes to HR data.

• Poor controls regarding delegation of responsibilities result in excessive access.

• Transactions not approved in a timely manner.

CONFIGURATION HOT SPOTS
• In order for the Managers Desktop to work it is important the organisational plan
be accurately defined, including the assignment of employees to positions. Incorrect
allocation of employees to positions will result in Managers gaining inappropriate access
to HR data.

• In order for a user to utilise the Managers Desktop the user must be the holder of a chief
position within the organisational chart. The system uses the chief position indicator
to determine the organisational units managed directly and indirectly by the position
holder.

• Managers Desktop ‘Themes’ which grant access to various components of the Managers
Desktop functionality must be configured to appropriately restrict information.

SECURITY CONSIDERATIONS
• Access to the following sensitive transactions should be restricted to relevant managers:

Tcode    Name               Description
PPMDT    Managers Desktop   Transaction providing access to the Managers Desktop.

Appropriate controls should be implemented for the temporary delegation of system access and
for the removal of that access once the delegation ends.

USEFUL REPORTS
As detailed in page 123 of the Security and Control for SAP R/3 Handbook, the ‘Logged
Changes in Infotype Data’ report should be run on a regular basis to review changes made to
key infotypes to ensure they are appropriate.

Controls for the review and clearing of workflow items which are not actioned in a timely
manner should be implemented. This should include implementation of appropriate deadline
monitoring and escalation procedures. Refer to the Basis and Cross Application Components
section within this handbook update for further details.

Compensation Management

Functional Overview
Compensation Management is a new component within SAP available from Release 4.0A. The Compensation
Management component administers compensation policies for an organisation.

Compensation Management can be integrated with the Managers Desktop and can be used as an effective
tool to plan and perform compensation adjustments to individuals, employee groups, or based on other
organisational breakdowns.

SIGNIFICANT RISKS
• Unauthorised / inaccurate update of compensation data resulting in over, or under,
compensation of employees.

• Inappropriate approval processes configured, resulting in inappropriate compensation
adjustments being applied.

• Unauthorised access to sensitive and confidential compensation data.

CONFIGURATION HOT SPOTS
• Compensation areas need to be defined as appropriate groupings of employees for
compensation administration.

• Appropriate employee features should be selected to ensure that employees fall into
the correct compensation areas or eligibility groups.

• Compensation administration views should be configured to ensure that only appropriate
employee information is displayed through the compensation administration function.

• Workflow and the organisational structure should be configured to ensure that
compensation adjustments are subject to appropriate approval processes.

SECURITY CONSIDERATIONS
Access to the following Compensation Management sensitive transactions should be restricted
to only relevant senior HR staff:

Tcode        Name                                   Description
HRCMP0001C   Compensation Adjustment Change:        Adjustment of employee compensation.
             Salary Review
HRCMP0080    Total Compensation Statement           Display total compensation statements.
HRCMP0081    Print Total Compensation Statement     Printing of total compensation statements.
HRCMP0060C   Granting Employee Awards: Change       Allocate long-term incentive awards such as
                                                    stock options, restricted stock and
                                                    performance units to employees.

USEFUL REPORTS
There are several reports available to assist in controlling Compensation Management that
should be reviewed on a regular basis by relevant senior HR staff to monitor employee
compensation.

Report           Name                                Description
S_AHR_61018799   Compa-Ratio Analysis                Identifies whether employees' salaries are
                                                     within the appropriate salary bands.
S_AHR_61018798   Compare Actual Basic Salaries and   Report of employee base salaries compared
                 Planned Compensation                to the compensation assigned to the job or
                                                     position.

Cross Application Timesheets and Time Management

Functional Overview
Time Management has been enhanced from earlier releases and provides processes supporting the planning and
recording of employee work.

A significant change in Time Management is the Cross Application Timesheet (CAT, known in SAP as CATS)
functionality that was introduced in Version 4.0A of SAP R/3 and provides a standard interface for recording
time across components of SAP. CAT combines existing SAP time recording functions into a single process and
provides information to other components, including internal activity allocation for Controlling and Personnel
Time Management for attendances and absences.

SIGNIFICANT RISKS
• Inaccurate entry of timesheet data resulting in incorrect payment to employees.

• Duplicate processing of data through interfacing components.

• Entry or approval of time data does not occur in a timely manner.

CONFIGURATION HOT SPOTS
• Data entry profiles determine the data entry process and the layout of the time sheet.
Consideration should be given to the following configurations affecting users entering
time sheet data:

Setting                                      Description
Profile Changeable                           Allows a user with access to a profile to change profile settings.
With Target Hours / Totals Line / Clock Times   Available details which can be included on the face of the timesheet.
Release on Saving                            On saving time information, consideration should be given to whether it is automatically or manually released.
Approval Required                            Workflow configured to ensure time data is subject to appropriate approvals.
No Changes After Approval                    Should be configured to ensure time data is displayed on the data entry screen after approval and cannot be changed.
Highlight Rejected Records                   Can be configured to show user records that have been rejected by approvers, highlighting the need for further action.
Time Settings                                Time settings should be configured based on the standard working week. This will include defining the number of periods a user can view and change (past and future).
Personnel Selection                          Defines the profile selection criteria for personnel time data entry.
Default Values                               Time sheets can be configured to display default values when accessed.
Data Entry Checks                            Data entry checks can be configured to improve the quality and completeness of data entry. Consideration should be given to applying validation tolerances to reduce inaccurate time sheet entry.
For Users with HR                            The system can be configured to give an error or warning message when interfacing errors occur between CAT and HR.
Workflow Approval                            A Workflow approval procedure can be configured which will be initiated on completion of time sheet entry.

• Field selections should be configured as required, input, display, hidden or highlighted in the user screens.

• Overtime compensation types should be appropriately defined to ensure that where overtime is entered it is accurately accounted for.

• Rejection reasons should be configured and provide enough detail to the user to take the appropriate action to resolve time sheet errors.

• Configuration can be applied to take an appropriate action to rectify overlapping time records.
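
The data entry checks, overlap handling, time settings and approval timeliness discussed in the hot spots above can be exercised offline against extracted time records. The following is an added example, not code from the handbook or from SAP: it applies a daily hours tolerance, overlapping clock-time detection, duplicate detection (the duplicate processing risk noted above), the past/future period window and an approval deadline to a small set of constructed records. The field names, status values and limits are assumptions chosen for the illustration.

```python
"""Offline validation of constructed time sheet records.

Added example, not code from the handbook or from SAP. Field names, status
values and the limits below are assumptions chosen for the illustration.
"""
from dataclasses import dataclass
from datetime import date, time
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TimeRecord:
    pernr: str        # personnel number
    workdate: date
    start: time       # clock times as they would appear on the time sheet
    end: time
    hours: float
    status: str       # assumed values: "entered", "released", "approved"


# Assumed data entry profile settings (the handbook's Time Settings and
# validation tolerances).
MAX_HOURS_PER_DAY = 12.0     # tolerance for total hours recorded on one day
PAST_PERIOD_DAYS = 14        # how far back time may still be entered or changed
FUTURE_PERIOD_DAYS = 7       # how far ahead time may be entered
APPROVAL_DEADLINE_DAYS = 5   # unapproved time older than this is overdue

Finding = Tuple[str, str, date]   # (check, personnel number, work date)


def check_records(records: List[TimeRecord], as_of: date) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Exact duplicates: the same record submitted twice (duplicate
    #    processing risk). Reported once; record-level checks use the unique set.
    unique: List[TimeRecord] = []
    for r in records:
        if r in unique:
            findings.append(("DUPLICATE", r.pernr, r.workdate))
        else:
            unique.append(r)

    # 2. Daily tolerance over ALL records, so a duplicate shows up as the
    #    inflated total that payroll would otherwise pay.
    per_day: Dict[Tuple[str, date], float] = {}
    for r in records:
        key = (r.pernr, r.workdate)
        per_day[key] = per_day.get(key, 0.0) + r.hours
    for (pernr, day), total in per_day.items():
        if total > MAX_HOURS_PER_DAY:
            findings.append(("OVER_TOLERANCE", pernr, day))

    # 3. Overlapping clock times: sort each employee's records by day and start
    #    time and compare each start against the latest end seen that day.
    by_emp: Dict[str, List[TimeRecord]] = {}
    for r in unique:
        by_emp.setdefault(r.pernr, []).append(r)
    for pernr, recs in by_emp.items():
        recs.sort(key=lambda x: (x.workdate, x.start))
        current_day, latest_end = None, None
        for r in recs:
            if r.workdate != current_day:
                current_day, latest_end = r.workdate, r.end
                continue
            if r.start < latest_end:
                findings.append(("OVERLAP", pernr, r.workdate))
            latest_end = max(latest_end, r.end)

    # 4. Period window (past and future) and approval deadline.
    for r in unique:
        age = (as_of - r.workdate).days
        if age > PAST_PERIOD_DAYS or -age > FUTURE_PERIOD_DAYS:
            findings.append(("OUTSIDE_PERIOD", r.pernr, r.workdate))
        if r.status != "approved" and age > APPROVAL_DEADLINE_DAYS:
            findings.append(("APPROVAL_OVERDUE", r.pernr, r.workdate))

    return sorted(set(findings))


# Constructed sample data (not real records).
AS_OF = date(2004, 6, 30)
SAMPLE = [
    TimeRecord("10001", date(2004, 6, 28), time(9), time(17), 8.0, "approved"),
    TimeRecord("10001", date(2004, 6, 29), time(8), time(12), 4.0, "released"),
    TimeRecord("10001", date(2004, 6, 29), time(11), time(15), 4.0, "released"),  # overlaps previous
    TimeRecord("10002", date(2004, 6, 24), time(9), time(17), 8.0, "entered"),
    TimeRecord("10002", date(2004, 6, 24), time(9), time(17), 8.0, "entered"),    # duplicate
    TimeRecord("10003", date(2004, 7, 15), time(9), time(17), 8.0, "entered"),    # too far ahead
]


def run_example() -> List[Finding]:
    return check_records(SAMPLE, AS_OF)


if __name__ == "__main__":
    for check, pernr, day in run_example():
        print(f"{check:18} {pernr} {day}")
```

The duplicate pair for employee 10002 is reported three ways (duplicate, over tolerance, approval overdue), which is the pattern a reviewer would expect when an interfacing component has posted the same record twice and nobody has actioned the workflow item.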

SECURITY CONSIDERATIONS
In order to enter time data a user must call the time sheet with a data entry profile. The data
entry profile determines the data entry process and the layout of the time sheet.

Consideration should be given to segregating the entering of time sheet information and the
approval of time sheets. Workflow approval processes should be implemented to control this.

Access should be restricted to the following Time Management sensitive transactions; approval
of time sheets should be restricted to relevant functional managers and/or HR staff:

Tcode        Name                                                       Description
CAT2, CAT3   Time Sheet: Initial Screen                                 Enter time sheet details.
CAPS         Time Sheet: Approve Times (Select by Master Data)          Approve time sheets.
CAT4         Time Sheet: Approve Times (Selection by Org. Assignment)   Approve time sheets.
CAPP         Time Sheet: Approve Times                                  Approve time sheets.
PP61         Change Shift Plan: Entry Screen                            Amendment of shift plans.
PA61         Maintain Time Data                                         Entry of time data into SAP.
PA70         Fast Entry                                                 Entry of time data into SAP.
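
The segregation between entering and approving time sheets, and the restriction of the Compensation Management, Benefits and Time Management transactions to HR staff, can be reviewed from an extract of who can start which transactions. The following is an added example, not code from the handbook or from SAP. The conflict rule and the sensitive transaction list follow the tables in this section; the users, their department attribute and the set of permitted departments are constructed for the illustration.

```python
"""Segregation-of-duties review over constructed user-to-transaction data.

Added example, not code from the handbook or from SAP. Users, departments
and the allowed-department rule are constructed for the illustration.
"""
from typing import Dict, List, Set, Tuple

TIME_ENTRY = {"CAT2", "CAT3", "PA61", "PA70"}
TIME_APPROVAL = {"CAPS", "CAT4", "CAPP"}
SENSITIVE_HR = {
    "HRCMP0001C", "HRCMP0080", "HRCMP0081", "HRCMP0060C",  # Compensation Management
    "HRBEN0001", "HRBEN00ADJRSN",                           # Benefits
    "PP61",                                                 # shift plan changes
}
ALLOWED_DEPARTMENTS = {"HR"}   # assumed: departments that may hold sensitive HR tcodes

Finding = Tuple[str, str, str]   # (finding type, user, transaction codes)


def review_user(user: str, department: str, tcodes: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    entry = tcodes & TIME_ENTRY
    approval = tcodes & TIME_APPROVAL
    # A user who can both enter and approve time defeats the workflow control.
    if entry and approval:
        findings.append(("SOD_ENTRY_AND_APPROVAL", user, ",".join(sorted(entry | approval))))
    # Sensitive HR transactions held outside HR need a documented justification.
    if department not in ALLOWED_DEPARTMENTS:
        for tcode in sorted(tcodes & SENSITIVE_HR):
            findings.append(("SENSITIVE_TCODE_OUTSIDE_HR", user, tcode))
    return findings


def review_all(assignments: Dict[str, Tuple[str, Set[str]]]) -> List[Finding]:
    findings: List[Finding] = []
    for user, (department, tcodes) in sorted(assignments.items()):
        findings.extend(review_user(user, department, tcodes))
    return findings


# Constructed sample: user -> (department, transaction codes the user can start).
SAMPLE = {
    "AHR01":  ("HR",       {"HRCMP0001C", "HRBEN0001", "PA61"}),
    "JSMITH": ("Finance",  {"CAT2", "CAPS", "FB01"}),   # enters and approves time
    "PMGR02": ("Projects", {"CAT4", "HRCMP0080"}),      # approver who can also display comp statements
    "TEMP03": ("Payroll",  {"CAT2", "CAT3"}),
}


def run_example() -> List[Finding]:
    return review_all(SAMPLE)


if __name__ == "__main__":
    for kind, user, tcodes in run_example():
        print(f"{kind:28} {user:8} {tcodes}")
```

In practice the assignments would be derived from role and user master data rather than typed in, and the department attribute would come from the organisational structure, so that the same rule table can be re-run after each role change.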

USEFUL REPORTS
Controls for the review and clearing of workflow items which are not actioned in a timely
manner should be implemented. This should include implementation of appropriate deadline
monitoring and escalation procedures. Refer to the Basis and Cross Application Components
section for further details.

Other Key Changes Since Version 3.1H

Ad Hoc Query
To provide greater reporting flexibility and functionality, SAP developed the Ad Hoc Query functionality which has
since been extended in Version 4.6C, to integrate with other application areas and been renamed InfoSet Queries.

This functionality has been further documented in the Basis and Cross Application Components section of this
handbook update.

Benefits
Benefits functionality has been enhanced from earlier SAP R/3 releases. The Benefits component can be used
to develop benefits packages for employees and provides easy access to benefits related information for
administrative staff, executives and employees.

SIGNIFICANT RISKS
• Users have the ability to allocate benefits inappropriately to an employee.

• Inaccurate calculation and reporting of employee benefits.

SECURITY CONSIDERATIONS
• Access to the following sensitive transactions should be restricted to relevant HR staff only:

Transaction Code   Name                                    Description
HRBEN0001          Enrolment                               To enrol employees, or make changes to benefit elections.
HRBEN00ADJRSN      Mass Generation of Adjustment Reasons   To perform mass maintenance.

USEFUL REPORTS
There are several reports available to assist in controlling Benefits; consideration should be
given to reviewing these reports on a regular basis.

Report ABAP ID   Name                                                         Description
RPLBEN09         Changes in Eligibility                                       Provides a list of employees who are no longer eligible for a benefit plan in which they are participating, with reasons.
RPLBEN08         Changes in benefit elections                                 Provides a list of deviations from system allocated default values in an employee’s general benefits data.
RPLBEN13         Change in default values from general benefits information   Provides a list of deviations from system allocated default values in an employee’s general benefits data (Infotype 0171).
RPLBEN18         Contribution limit check                                     Provides employee contributions that are not within defined contribution limits on a key date.

Audit information system

SECTION CONTENTS

Background                            89

Using Audit Information System        90
  Starting an Audit                   90
  Installation Check                  91
  Preparatory Tasks                   91
  Systems Audit                       92
  Business Audit                      93
  Customising Audits                  94
  Security Considerations             95

Background
The Audit Information System (AIS) has been developed to provide internal and external auditors, Security
Administrators and those with data protection and controlling responsibilities with a tool to assist in
understanding and completing required tasks in the complex SAP environment.

The SAP Audit Information System (AIS) provides a centralised repository for reports, queries, and views of data
that have a control implication.

AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and
above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the
production system on a real time basis.

AIS is currently focused on two key areas that are covered in more detail below:

• Systems Audit; and

• Business Audit.

SAP has suggested that AIS functionality will be further developed to include other components, including
Materials Management (MM) and Sales and Distribution (SD).

AIS consists of an Audit Report Tree, which provides a facility to access and document audit steps within a SAP
system, and download audit and additional related data to other programs for reporting or additional analysis.
The structure of the reporting tree menu is designed by SAP to reflect the procedures followed when conducting
an audit. AIS allows the auditor to set up a report view specific to the audit, perform tasks such as the attaching
of comments, as well as allowing for tracking the audit’s progress.

AIS also has the capability to extract data into pre-defined formats appropriate for further data analysis.


Using Audit Information System

Starting an Audit

Transaction code SECR is used to access the AIS. The user can elect to enter:

• Complete audit

When executed, this provides all tests and documentation available in the AIS system.

• User-defined audit

When executed, this provides tests and documentation applicable to the User-defined audit selected by the user.


Once started the user is provided with a report tree structure that sets out all applicable documentation and
tests that are executable.

The reporting tree contains steps that include variants for each type of function. These can be centrally
maintained to apply across multiple audit tasks.

Installation Check
The Installation Check is an AIS tool which, when executed, checks whether all of the programs and variants
listed in AIS are currently available in the current system environment.

The Installation check can be initiated through selecting Extras — Installation — Installation check from
transaction SECR.

Preparatory Tasks
In preparation for the completion of an audit, the user may complete preparatory tasks. These tasks allow the
user to customise the audit to improve efficiency in completion of tasks.

The preparatory tasks within AIS are broken into three areas:

Area                                     Description
AIS Customisation                        Allows for audit customisation through the definition of variables and constants to be utilised in the audit process. This may include variables such as company codes which are then used in reporting.
Customise Financial Information System   Provides the user with functions relevant to the configuration and extraction of financial information.
ABAP/4 Query including download          Provides access to logical database structure and information pertinent to extracting data for analysis purposes.


Systems Audit
The "Systems Audit" is primarily used for administration and review of system activities such as security and
change control. Users are provided with easy access to many of the standard SAP security and control reports
and audit trails.

Checklists are available to assist in the execution of an AIS systems audit. These checklists provide samples of
security items to be considered which can be amended as required.

The System Audit functionality in AIS is broken down into the following key areas:

Area                        Description
Systems Configuration       Allows the user to gain details of the environment and general set up of the SAP system.
Transport Group             Information relevant to change control processes, and system set-up.
Tables / Repository         Includes information regarding table configuration, change logging as well as table security.
Development / Customising   Information with regard to development processes including change control, blocked transactions and report security.
Background Processing       Information relevant to background processing, including the graphical job schedule and access to the job overview.
System Logs                 Provides access to logs (system, access, database etc) as well as configuration settings pertinent to these logs.
User Administration         Provides access to information relevant to administration and security of the SAP system. This includes various reports on:
                            - User Security and Authorisations
                            - Profile Generator
                            - User administration such as users who have not logged into the system for a predefined period of time.

Using the System Audit functionality, the user can access key parts of the Basis module, including the Transport
Management System, repository and table browser. It also provides comprehensive tools to review the security
around user access.


Business Audit
The “Business Audit” functionality in AIS allows the auditor to produce financial statements and balance sheets,
as well as perform general ledger, accounts payable and accounts receivable activities and queries.

For example, through the business audit functionality, auditors can perform and document their review of
general ledger posting keys, automatic postings, billing and document types, number ranges and reconciliation
accounts, as well as duplicate invoice reviews.

The Business Audit is broken into the following areas:

Area                                 Description
Organisational Overview              This area allows the user to familiarise themselves with the enterprise structure that has been implemented in SAP. Further, the user is provided with information about the financial structure of the organisation, including details on Account Determination and Special General Ledger.
Financial Statement Oriented Audit   The Financial Statement Oriented Audit provides the user with details of Account reconciliation, Balance Sheet, Profit & Loss and other General Ledger related reports which can be used for financial analysis.
Process Oriented Audit               The Process Oriented Audit steps are broken down into the various areas of SAP including retail, procurement, production and sales and distribution. Areas of this section are at various levels of development.

When the audit begins, the present parameters and selection criteria are edited by using the “Preparatory
Tasks” in the Business Audit menu. The auditor customises the reporting tree to reflect the correct time period
and organisational structure required for the audit. The use of these “variants” helps reduce the potential for
adversely affecting system performance, by limiting the parameters for which the reports are run.

Business Audit functionality is not generally considered to be comprehensive and many items included in the
menu structure are not yet functional. This should be considered when utilising AIS.


Customising Audits
To make effective use of the AIS tool it is important to customise the audits and ensure that only relevant
information is provided.

All information provided in the complete audit can be partitioned into audit programs specific to the particular
needs and scope of audit work to be completed.

This can be performed by selecting Audit Information System — Create/change view.

A new view can then be created where you can manually select from the tree structure the components that are
to be displayed in this user defined view.

Following the customisation and generation of an audit this can be accessed by selecting the user-defined audit
that has been created.


Security Considerations
In order for a user to access configuration, data or other reports, relevant access must be provided to the user.
The AIS provides links through to various reports and other information, and therefore, access provided to
complete AIS tasks may vary between users in line with tasks the individual is to perform.

The transaction to start the AIS is SECR and a user must therefore be granted transaction start authorisation.

In order for a user to be able to edit notes in AIS the user must have been provided with the following
authorisation objects:

S_IMG_ACTV

Field       Value   Description
PROJAUTH    900     Project for Audit: 900
ACTVT       02      Change activity
IMG_ACTIV   NOTE    Edit notes

In order for a user to be able to edit the status of the audit and tasks in the AIS the following authorisations
must be provided:

Authorisation for editing status information:

S_IMG_ACTV

Field       Value   Description
PROJAUTH    900     Project for Audit: 900
ACTVT       02      Change activity
IMG_ACTIV   STAT    Edit status
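
Whether a given user can start the AIS, edit notes and edit status can be tested against an extract of their authorisations. The following is an added example, not the handbook's or SAP's code. It models the rule that a check on an authorisation object passes only if one authorisation instance for that object satisfies every checked field, with explicit values, the full wildcard "*" or a trailing "*" matching a prefix. The field values follow the two S_IMG_ACTV tables above; the S_TCODE object with its TCD field is the standard object behind the transaction start authorisation mentioned above but is not named on the page; the user records are constructed.

```python
"""Evaluation of the AIS authorisations described in this section.

Added example, not the handbook's or SAP's code. Users are constructed.
S_TCODE / TCD (transaction start) is not named on the page.
"""
from typing import Dict, List, Tuple

Authorisation = Dict[str, List[str]]          # field -> permitted values
UserAuths = Dict[str, List[Authorisation]]    # object -> authorisation instances


def value_matches(permitted: str, required: str) -> bool:
    """Match one permitted field value against the value being checked."""
    if permitted == "*":
        return True
    if permitted.endswith("*"):            # generic value, e.g. "SE*"
        return required.startswith(permitted[:-1])
    return permitted == required


def authority_check(user: UserAuths, obj: str, **required: str) -> bool:
    """True if some single instance of `obj` covers all required field values."""
    for instance in user.get(obj, []):
        if all(any(value_matches(v, req) for v in instance.get(field, []))
               for field, req in required.items()):
            return True
    return False


def can_start_ais(user: UserAuths) -> bool:
    return authority_check(user, "S_TCODE", TCD="SECR")


def can_edit_notes(user: UserAuths) -> bool:
    return authority_check(user, "S_IMG_ACTV", PROJAUTH="900", ACTVT="02", IMG_ACTIV="NOTE")


def can_edit_status(user: UserAuths) -> bool:
    return authority_check(user, "S_IMG_ACTV", PROJAUTH="900", ACTVT="02", IMG_ACTIV="STAT")


# Constructed user records (not real users).
USERS: Dict[str, UserAuths] = {
    # Can start SECR and edit notes, but not status.
    "AUD01": {
        "S_TCODE": [{"TCD": ["SECR"]}],
        "S_IMG_ACTV": [{"PROJAUTH": ["900"], "ACTVT": ["02"], "IMG_ACTIV": ["NOTE"]}],
    },
    # Holds ACTVT 02 and IMG_ACTIV STAT, but in different instances, so the
    # status check still fails (ACTVT 03 is display only). The generic
    # "SE*" on S_TCODE covers SECR but far more besides, which a reviewer
    # would want to question.
    "AUD02": {
        "S_TCODE": [{"TCD": ["SE*"]}],
        "S_IMG_ACTV": [
            {"PROJAUTH": ["900"], "ACTVT": ["03"], "IMG_ACTIV": ["STAT"]},
            {"PROJAUTH": ["900"], "ACTVT": ["02"], "IMG_ACTIV": ["NOTE"]},
        ],
    },
    # Full wildcards on S_IMG_ACTV but no transaction start authorisation.
    "AUD03": {
        "S_IMG_ACTV": [{"PROJAUTH": ["*"], "ACTVT": ["*"], "IMG_ACTIV": ["*"]}],
    },
}


def ais_access_report() -> Dict[str, Tuple[bool, bool, bool]]:
    """(can start AIS, can edit notes, can edit status) per user."""
    return {u: (can_start_ais(a), can_edit_notes(a), can_edit_status(a))
            for u, a in USERS.items()}


if __name__ == "__main__":
    for user, (start, notes, status) in ais_access_report().items():
        print(f"{user}: start={start} notes={notes} status={status}")
```

The AUD02 record is the case worth remembering when reading authorisation listings: the user appears to hold every value the tables require, yet cannot edit status because ACTVT 02 and IMG_ACTIV STAT never occur together in one authorisation.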

Other security, which may be granted to the user in order to complete tasks, may include:

• Authorisation to view data in the IMG.

• Authorisation to display user and security information.

• System administration and other system and performance monitoring functions.

• Change control authorisations.
