Program for SAP R/3 - PREVIEW

Columns of the audit program worksheet: Control Activity | Control Activity Type (Preventive/Detective) | Control Nature (Manual/Automated) | IT Nature (IT Dependent/Non IT Dependent) | Control Rating (High/Medium/Low) | Query/Testing Procedure | Testing Procedures | Testing Reference | Conclusion (Effective/Ineffective) | Reference to supporting evidence considered pertinent
Audit Program contains 46 Queries covering all critical configuration settings, transaction codes and authorization objects relevant to Basis Security in SAP R/3. Please scroll down for a detailed overview of the controls covered.
Audit Program contains detailed audit procedures: step-by-step guidance on how to obtain information from the system in support of individual control activities.
Links to the supporting test sheets are included; everything has been conveniently pre-documented, with fill-in fields for the data obtained as part of the testing procedures, for further analysis.
Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
Audit Program covers ALL KEY configuration settings and sensitive basis transactions
144952951.xls.ms_office
Page 1 of 10
General testing steps: Export results to the Tab referenced in the "Testing Ref." column for further analysis. Assess whether it is appropriate for such users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
Information Security

Control Objective IT2: Logical security tools are adequately configured and logical security techniques are implemented to ensure only appropriate individuals have access to the organization's information resources and to safeguard against unauthorized access to or modifications of programs and data that may result in incomplete, inaccurate, or invalid processing or recording of financial information. [Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: If logical security tools and techniques are not implemented and configured appropriately, control activities within the significant flows of transactions may be ineffective, desired segregation of duties may not be enforced, and significant information resources may be modified inappropriately, disclosed without authorization, and/or become unavailable when needed (e.g., they may be deleted without authorization).

IT2.06: Access to the SAP R/3 system is authorized by management and granted to valid employees based on users' job responsibilities.
Control Activity Type: Preventive
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: High
Query/Testing Procedure: 25
Testing Reference: Tab 21

Access to the SAP R/3 system should be granted to valid employees based on users' job responsibilities. Access should be authorized and approved in writing by the relevant data or process owners.

Testing Procedures: Perform the following procedures to produce a listing of new user IDs created in the SAP R/3 system during the period of intended reliance:
(1) Execute transaction code SUIM and proceed to "User" -> "Users By Complex Selection Criteria" -> "By user ID"; OR execute transaction code SE16, input table USR02 and click on "Execute".
(2) Enter 'From' and 'To' dates in the 'ERDAT' field (creation date of the user in the user master record). The 'From' and 'To' values should be defined based on the scope of the audit.
(3) Using attribute sampling guidelines, select an adequate sample of new user IDs created in SAP R/3 over the period of intended reliance, and examine documentary evidence (e.g., user access approval forms) indicating that access to SAP R/3 was appropriately approved before the user ID was created in the system.
(4) Document your sampling, test results, and conclusions in the Tab referenced in the "Testing Ref." column (Tab 21).
Control Objective IT3: Systems configuration and security settings are appropriately implemented and administered to protect against unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or recording of the organization's financial data. [Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: If information security is not administered appropriately, significant information resources may be modified inappropriately, disclosed without authorization, and/or unavailable when needed (e.g., they may be deleted without authorization). Furthermore, such security breaches may go undetected. If an entity relies on security features of its application systems to restrict access to sensitive application functions, weaknesses in network or operating system security (e.g., user authentication and overall system access) may render such application security features ineffective.
Information Systems Operations

IT3.03: The default SAP R/3 passwords are changed:
SAP* - PASS
DDIC - 19920706
SAPCPIC - ADMIN
EarlyWatch - SUPPORT
Control Activity Type: Preventive
Reference to supporting evidence: N/A (if needed, include reference to supporting evidence considered pertinent)

Testing Procedures: The passwords to the default SAP R/3 user IDs are well known, and therefore if they are not changed, these IDs could be used by unauthorized users to gain access to the system. Perform the following procedures to verify that the default SAP R/3 passwords for SAP*, DDIC, SAPCPIC and EarlyWatch have been changed:
(1) Execute transaction SA38 (ABAP Reporting).
(2) Enter report name RSUSR003 and click on "Execute".
(3) Verify that the default passwords for DDIC, SAP*, SAPCPIC and EarlyWatch have been changed in all clients.
(4) Document your conclusions.
The complete audit program contains 46 Queries designed to provide auditors, management, or control professionals reasonable assurance that controls over SAP security operate effectively and in accordance with management's intentions.

Batch job and background session processing and administration functions in SAP - controls to ensure that only authorized personnel have access to process and administer batch jobs and background sessions in SAP and that job processing activities are monitored (SM35, SM36, SM37, RZ01, SM64 & S_BTCH_JOB, S_BTCH_ADM, S_BTCH_NAM, S_BDC_MONI, etc.):
- Release jobs automatically during scheduling
- Ability to delete jobs of other users
- Ability to administer background sessions in SAP R/3
- Ability to schedule jobs under different user IDs
- Access to the batch input management functionality in SAP R/3
- Monitoring procedures to identify processing errors and/or issues
and more.

Access to the end user authorization and administration functions - controls to ensure that only appropriate individuals have access to the organization's information resources and to safeguard against unauthorized access to or modifications of programs and data that may result in incomplete, inaccurate, or invalid processing or recording of financial information (PFCG, SU01, SU02, SU03, SU10, SU12, SU22, SU24 & S_USER_PRO, S_USER_AGR, S_USER_GRP, S_USER_AUT, S_DEVELOP, etc.):
- Access to the profile generator to maintain roles, authorizations, and profiles
- Access to maintain users, authorizations and authorization profiles manually
- Access to maintain assignment of authorization objects to transactions
- Controls to ensure access to the SAP R/3 system is authorized by management
- Controls to ensure access to SAP R/3 is disabled for employees that no longer require such access
and much more.

Systems configuration and security settings - controls to ensure that systems configuration and security settings are appropriately implemented and administered to protect against unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or recording of the organization's financial data:
- Access to execute programs (online/background) via SA38, SE38, SE37, SE80, etc.
- Table maintenance including the SAP R/3 data dictionary, client-independent tables, & custom tables (SE16, SE17, SM30, SM31, SE11, SE12, etc.)
- Password parameter values; access to maintain profile parameters (RZ10, etc.)
- Security of the powerful default user IDs, powerful transaction privileges and the assignment of powerful SAP R/3 profiles (SAP*, DDIC, EARLYWATCH, SAP_ALL, SAP_NEW, etc.)
- Locking critical and sensitive transaction codes in production
- Maintaining & executing external OS commands (SM49, SM69, etc.)
& more.

System Change Control - controls to ensure that changes are made in the development environment and transported to production to minimize the likelihood of disruption, unauthorized alterations, and errors in order to ensure accurate, complete, and valid processing and recording of financial information:
- Ensuring that changes are made in the development environment and transported to production (SCC4, SE06, SPRO, SM30, SM31, etc.): (1) The Client Maintenance settings (2) The Global System Change Option settings (3) The IMG Customizing settings
- Ensuring that access to perform corrections and transports is appropriately restricted (SE01, SE03, SE09, SE10): (1) The SAP Workbench Organizer settings (2) The SAP Transport System settings (3) Access to perform transports in SAP
- Controls to ensure that access to develop programs is not allocated in production (SE38, SA38, SE37, SE80; DEVACCESS table, etc.)
- Ensuring that the SAP R/3 system landscape supports the separation of production environments from development or test environments
and much more.
The audit program covers all critical configuration settings and access controls to ascertain adequate levels of security of the SAP R/3 control environment. The audit program is available for purchase at http://soxmadeeasy.com/SAP_Basis.html.
Tab 4: Users with access to schedule jobs under different user IDs using transactions SM36 or SM37

Columns: Count | User ID | User Name | Locked? (Yes/No) | Valid From | Valid Through | User Type | Access Appropriate as per the Job Responsibilities? (Yes/No) | Exceptions Noted? (Yes/No) | Comments/Exception Detail

Notes on the sheet:
* Insert additional rows as needed.
* Exclude locked user IDs ("0" or "Blank" in this field means that the user ID is NOT locked).
* Exclude IDs that are past their validity date (no access).
* Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis.

Template rows 1 to 5 are blank; the Total row shows 0 0 0 until the sheet is filled in.
Tab 21: Listing of user IDs created in SAP R/3 between [date] and [date]

Columns: Count | SAP Client | SAP User ID | User Name | Created On (Date) | Selected For Testing? (Yes/No) | Access to SAP Approved? (Yes/No) | Approved By (Name, Title) | Approved On (Date) | Exceptions Noted? (Yes/No) | Comments/Exception Detail

Notes on the sheet:
* Insert additional rows as needed.
* Exclude IDs created before or after the period of intended reliance.
* Complete the approval columns for SAP User IDs selected for testing in Column "F". N/A for remaining IDs.

Template rows 1 to 5 are blank; the Total row shows 0 0 until the sheet is filled in.
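As an added example (not part of the audit program or its test sheets), the following Python applies the exclusion rules printed on Tab 4 and Tab 21 to a constructed SE16 export of table USR02, so both populations can be derived from one extract instead of being filtered by hand. Field names follow USR02 (BNAME, USTYP, UFLAG, ERDAT, GLTGB); the Tab 4 candidate set is assumed to come from a separate authorization query for SM36/SM37 access, and the sample rows are constructed, not real data.

```python
import csv
import io

# Constructed sample of an SE16 export of table USR02 saved as CSV (not real data).
# SAP dates are YYYYMMDD; GLTGB '00000000' means no expiry; UFLAG 0/blank means unlocked.
USR02_EXPORT = """\
MANDT,BNAME,USTYP,UFLAG,ERDAT,GLTGB
100,JSMITH,A,0,20230115,00000000
100,BATCH_ADM,S,0,20221201,00000000
100,RFC_FI,C,0,20230201,00000000
100,TMP_AUDIT,A,64,20230210,00000000
100,CONTRACTOR1,A,,20230301,20230331
100,ALEREMOTE,B,0,20190505,00000000
100,SAPSYS,D,0,20100101,00000000
"""

def load_usr02(text):
    """Parse the CSV export into a list of dicts keyed by USR02 field name."""
    return list(csv.DictReader(io.StringIO(text)))

def is_locked(row):
    # Tab 4 note: "0" or blank in UFLAG means the user ID is NOT locked.
    return row["UFLAG"].strip() not in ("", "0")

def is_expired(row, as_of):
    # Tab 4 note: exclude IDs past their validity date; YYYYMMDD strings compare lexically.
    gltgb = row["GLTGB"].strip()
    return gltgb not in ("", "00000000") and gltgb < as_of

def tab4_population(rows, candidates, as_of):
    """Tab 4: from user IDs holding SM36/SM37 access (candidates, assumed to come from
    a separate authorization query), keep only what the sheet says to analyse."""
    keep = []
    for row in rows:
        if row["BNAME"] not in candidates:
            continue
        if is_locked(row) or is_expired(row, as_of):
            continue
        # Leave A (Dialog) and S (Service) IDs; D (System), C (Communication) and
        # any other type have no end-user access and are dropped.
        if row["USTYP"] in ("A", "S"):
            keep.append(row["BNAME"])
    return keep

def tab21_population(rows, period_from, period_to):
    """Tab 21: user IDs created (ERDAT) within the period of intended reliance."""
    return [row["BNAME"] for row in rows
            if period_from <= row["ERDAT"].strip() <= period_to]
```

The two lists are the populations to paste into Tab 4 and Tab 21 respectively; the sampling and approval-evidence steps remain manual.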