
Basis Security - Audit Program for SAP R/3 - PREVIEW

Company (Name):
Fiscal Year End (Date):
Tested on (Date)/ tested by (Name):
Tested in (System):

Control Activity
Control Activity Type: Preventive/ Detective
Control Nature: Manual/ Automated

The Audit Program contains 46 Queries covering all critical configuration settings, transaction codes and authorization objects relevant to Basis Security in SAP R/3. Please scroll down for a detailed overview of the controls covered.

The Audit Program contains detailed audit procedures: step-by-step guidance on how to obtain information from the system in support of individual control activities.

Links to the supporting test sheets are included; everything has been conveniently pre-documented, with fill-in fields for the data obtained as part of the testing procedures, for further analysis.

IT Nature: IT Dependent/ Non IT-Dependent
Control Rating: High/ Medium/ Low
Query/ Testing Procedure No
Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
Testing Reference
Conclusion: Effective/ Ineffective
Reference to supporting evidence considered pertinent

Information Systems Operations


Control Objective IT1: Batch and on-line transactions are executed timely and accurately by authorized personnel. Only valid production programs are executed. [Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: Typically, computer processing occurs either based on submission of a batch job or based on input of an on-line transaction by a user. Both on-line transactions and batch jobs cause application system programs to be executed. If such programs terminate abnormally, or if programs necessary for on-line transactions or batch jobs are not executed, the transaction may not be recorded completely or accurately. If access to job scheduling and administration functions is not adequately controlled, inappropriate users may have the ability to run jobs directly in the background, bypassing transaction-level security in SAP, and could potentially run jobs they are not explicitly authorized to run.

IT1.01: Only authorized personnel have access to batch job and background session processing and administration functions in SAP R/3.
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query/ Testing Procedure No: 4

The S_BTCH_NAM authorization object is important because it determines the authorized users that a user can choose from when scheduling a background job. This means that users with S_BTCH_NAM authorization can schedule jobs under different user IDs, which in effect allows them to potentially run jobs they are not explicitly authorized to run.
Testing Procedure: Perform the following procedures to verify which users have the ability to schedule jobs under different user IDs using transactions SM36 or SM37 and authorization object S_BTCH_NAM:
1. Execute transaction code SUIM.
2. Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values".
3. Enter the following selection criteria:
   - AUTHORIZATION OBJECT 1: S_TCODE: SM36 (Define/Schedule Background Job) OR SM37 (Job Overview/Job Maintenance)
   - AUTHORIZATION OBJECT 2: S_BTCH_JOB: Function/Operation (JOBACTION): RELE (Release own jobs automatically); Job Group (JOBGROUP): * (means ANY/SOME permitted job groups)
   - AUTHORIZATION OBJECT 3: S_BTCH_NAM: Authorized user (BTCUNAME): * (means users can specify SOME/ANY names as an authorized user). Use "*" (instead of a bare *) to produce a listing of users with access to run jobs under ALL names.
Testing Reference: Tab 4

Audit Program covers ALL KEY configuration settings and sensitive basis transactions

144952951.xls.ms_office

Page 1 of 10

Testing Procedure (IT1.01, continued): Export results to the Tab referenced in the "Testing Ref." column for further analysis. Assess whether it is appropriate for such users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.


Information Security
Control Objective IT2: Logical security tools are adequately configured and logical security techniques are implemented to ensure only appropriate individuals have access to the organization's information resources and to safeguard against unauthorized access to or modification of programs and data that may result in incomplete, inaccurate, or invalid processing or recording of financial information. [Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: If logical security tools and techniques are not implemented and configured appropriately, control activities within the significant flows of transactions may be ineffective, desired segregation of duties may not be enforced, and significant information resources may be modified inappropriately, disclosed without authorization, and/or become unavailable when needed (e.g., they may be deleted without authorization).

IT2.06: Access to the SAP R/3 system is authorized by management and granted to valid employees based on users' job responsibilities.
Control Activity Type: Preventive | Control Nature: Manual | IT Nature: IT Dependent | Control Rating: High | Query/ Testing Procedure No: 25

Access to the SAP R/3 system should be granted to valid employees based on users' job responsibilities. Access should be authorized and approved in writing by the relevant data or process owners.

Testing Procedure: Perform the following procedures to produce a listing of new user IDs created in the SAP R/3 system during the period of intended reliance:
1. Execute transaction code SUIM and proceed to "User" -> "Users By Complex Selection Criteria" -> "By user ID"; OR execute transaction code SE16, input table USR02 and click on "Execute".
2. Enter 'From' and 'To' dates in the 'ERDAT' (creation date of the user in the user master record) field. The 'From' and 'To' fields should be defined based on the scope of the audit.
3. Using attribute sampling guidelines, select an adequate sample of new user IDs created in SAP R/3 over the period of intended reliance, and examine documentary evidence (e.g., user access approval forms) indicating that access to SAP R/3 was appropriately approved before the user ID was created in the system.
4. Document your sampling, test results, and conclusions in the Tab referenced in the "Testing Ref." column.
Testing Reference: Tab 21

Control Objective IT3: Systems configuration and security settings are appropriately implemented and administered to protect against unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or recording of the organization's financial data. [Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: If information security is not administered appropriately, significant information resources may be modified inappropriately, disclosed without authorization, and/or unavailable when needed (e.g., they may be deleted without authorization). Furthermore, such security breaches may go undetected. If an entity relies on the security features of its application systems to restrict access to sensitive application functions, weaknesses in network or operating system security (e.g., user authentication and overall system access) may render such application security features ineffective.

IT3.03: The default SAP R/3 passwords are changed: SAP* - PASS; DDIC - 19920706; SAPCPIC - ADMIN; EarlyWatch - SUPPORT. (Process: Information Systems Operations)
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query/ Testing Procedure No: 29

The passwords to the default SAP R/3 user IDs are well known, and therefore if they are not changed, these IDs could be used by unauthorized users to gain access to the system.

Testing Procedure: Perform the following procedures to verify that the default SAP R/3 passwords for SAP*, DDIC, SAPCPIC and EarlyWatch have been changed:
1. Execute transaction SA38 (ABAP Reporting).
2. Enter report name RSUSR003 and click on "Execute".
3. Verify that the default passwords for DDIC, SAP*, SAPCPIC, & EarlyWatch have been changed in all clients.
4. Document your conclusions.
Testing Reference: N/A (if needed, include reference to supporting evidence considered pertinent)

The complete audit program contains 46 Queries designed to provide auditors, management, or control professionals reasonable assurance that controls over SAP security operate effectively and in accordance with management's intentions.

Batch job and background session processing and administration functions in SAP - controls to ensure that only authorized personnel have access to process and administer batch job and background sessions in SAP and that job processing activities are monitored (SM35, SM36, SM37, RZ01, SM64 & S_BTCH_JOB, S_BTCH_ADM, S_BTCH_NAM, S_BDC_MONI, etc.):
- Release jobs automatically during scheduling
- Ability to delete jobs of other users
- Ability to administer background sessions in SAP R/3
- Ability to schedule jobs under different user IDs
- Access to the batch input management functionality in SAP R/3
- Monitoring procedures to identify processing errors and/or issues
and more.

Access to the end user authorization and administration functions - controls to ensure that only appropriate individuals have access to the organization's information resources and to safeguard against unauthorized access to or modification of programs and data that may result in incomplete, inaccurate, or invalid processing or recording of financial information (PFCG, SU01, SU02, SU03, SU10, SU12, SU22, SU24 & S_USER_PRO, S_USER_AGR, S_USER_GRP, S_USER_AUT, S_DEVELOP, etc.):
- Access to the profile generator to maintain roles, authorizations, and profiles
- Access to maintain users, authorizations and authorization profiles manually
- Access to maintain assignment of authorization objects to transactions
- Controls to ensure access to the SAP R/3 system is authorized by management
- Controls to ensure access to SAP R/3 is disabled for employees that no longer require such access
and much more.

Systems configuration and security settings - controls to ensure that systems configuration and security settings are appropriately implemented and administered to protect against unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or recording of the organization's financial data:
- Access to execute programs (online/background) via SA38, SE38, SE37, SE80, etc.
- Table maintenance including the SAP R/3 data dictionary, client-independent tables, & custom tables (SE16, SE17, SM30, SM31, SE11, SE12, etc.)
- Password parameter values; access to maintain profile parameters (RZ10, etc.)
- Security of the powerful default user IDs, powerful transaction privileges and the assignment of powerful SAP R/3 profiles (SAP*, DDIC, EARLYWATCH, SAP_ALL, SAP_NEW, etc.)
- Locking critical and sensitive transaction codes in production
- Maintaining & executing external OS commands (SM49, SM69, etc.)
& more.

System Change Control - controls to ensure that changes are made in the development environment and transported to production to minimize the likelihood of disruption, unauthorized alterations, and errors in order to ensure accurate, complete, and valid processing and recording of financial information:
- Ensuring that changes are made in the development environment and transported to production (SCC4, SE06, SPRO, SM30, SM31, etc.): (1) The Client Maintenance settings (2) The Global System Change Option settings (3) The IMG Customizing settings
- Ensuring that access to perform corrections and transports is appropriately restricted (SE01, SE03, SE09, SE10): (1) The SAP Workbench Organizer settings (2) The SAP Transport System settings (3) Access to perform transports in SAP
- Controls to ensure that access to develop programs is not allocated in production (SE38, SA38, SE37, SE80; DEVACCESS table, etc.)
- Ensuring that the SAP R/3 system landscape supports the separation of production environments from development or test environments
and much more.


The audit program covers all critical configuration settings and access controls to ascertain adequate levels of security of the SAP R/3 control environment. The audit program is available for purchase at http://soxmadeeasy.com/SAP_Basis.html.


Exception Details: For ineffective controls
Mitigating Controls: For ineffective controls
Planned Remediation Procedures: For ineffective controls
Planned Remediation Date: For ineffective controls
Remediation Status: Completed/ In Progress
Ref. to Post-Remediation Testing Details: If applicable

Tab 4: Users with access to schedule jobs under different user IDs using transactions SM36 or SM37

Columns (rows 1-5 pre-filled with a Total line; insert additional rows as needed):
- Count
- User ID
- User Name
- Locked? (Yes/No) - exclude locked user IDs ("0" or "Blank" in this field means that the user ID is NOT locked)
- Valid From
- Valid Through - exclude IDs that are past their validity date (no access)
- User Type - exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis
- Access Appropriate as per the Job Responsibilities? (Yes/No)
- Exceptions Noted? (Yes/No)
- Comments/ Exception Detail

Tab 21: Listing of user IDs created in SAP R/3 between [date] and [date]

Columns (rows 1-5 pre-filled with a Total line; insert additional rows as needed):
- Count
- SAP Client
- SAP User ID
- User Name
- Created On (Date) - exclude IDs created before or after the period of intended reliance
- Selected For Testing? (Yes/No)
- Access to SAP Approved? (Yes/No)
- Approved By (Name, Title)
- Approved On (Date)
- Exceptions Noted? (Yes/No)
- Comments/ Exception Detail

Complete for SAP User IDs selected for testing in Column "F". N/A for remaining IDs.
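As an added worked example (not part of the soxmadeeasy audit program and not SAP code), the following Python applies the exclusion rules stated on the Tab 4 and Tab 21 test sheets to a user listing exported from the system, so that the Tab 4 analysis population (unlocked, still-valid A/S user IDs) and the Tab 21 population of IDs created during the period of intended reliance (the set the sample is drawn from) are derived the same way every time rather than by hand. The tab-separated layout and the column names BNAME, USTYP, UFLAG, GLTGV and GLTGB are assumptions modelled on SAP's USR02 user master table; only ERDAT is named on the page. The lock rule follows the Tab 4 note ("0" or blank means not locked; any other value is treated as locked), the user-type letters follow the Tab 4 note, and the sample rows are constructed.

```python
from datetime import date

# Constructed tab-separated user listing, in the shape an SE16/SUIM download
# might be saved in. Column names are an assumption modelled on SAP's USR02
# user master table: ERDAT (creation date) is named in the audit program;
# BNAME (user ID), USTYP (user type), UFLAG (lock flag) and GLTGV/GLTGB
# (valid from/valid through) are not. SAP dates are written YYYYMMDD.
SAMPLE_EXPORT = """BNAME\tUSTYP\tUFLAG\tERDAT\tGLTGV\tGLTGB
JSMITH\tA\t0\t20230315\t\t
BATCH_RFC\tC\t\t20220101\t\t
TEMP_ADMIN\tA\t32\t20230701\t\t
CONTRACTOR1\tS\t0\t20230110\t20230110\t20230630
OPS_SVC\tS\t0\t20240105\t\t20251231
"""


def load_export(text):
    """Parse a header-plus-rows tab-separated export into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        cells = ln.split("\t")
        cells += [""] * (len(header) - len(cells))  # pad rows with trailing blanks
        rows.append(dict(zip(header, cells)))
    return rows


def parse_sap_date(value):
    """'20230315' -> date(2023, 3, 15); blank or 00000000 (no limit set) -> None."""
    value = (value or "").strip()
    if value in ("", "00000000"):
        return None
    return date(int(value[0:4]), int(value[4:6]), int(value[6:8]))


def is_locked(uflag):
    """Tab 4 note: '0' or blank means the user ID is NOT locked.
    Any other value (administrator lock, wrong-logon lock, ...) is treated as locked."""
    return (uflag or "").strip() not in ("", "0")


def tab4_population(rows, as_of):
    """Tab 4 analysis population: drop locked IDs, IDs past their validity date
    as of the test date, and D/C user types, which the sheet says have no
    end-user access. A (Dialog) and S (Service) IDs are kept for analysis."""
    keep = []
    for r in rows:
        if is_locked(r["UFLAG"]):
            continue
        valid_through = parse_sap_date(r["GLTGB"])
        if valid_through is not None and valid_through < as_of:
            continue
        if r["USTYP"].strip().upper() in ("D", "C"):
            continue
        keep.append(r["BNAME"])
    return keep


def tab21_population(rows, period_from, period_to):
    """Tab 21 population before sampling: IDs whose creation date (ERDAT) falls
    inside the period of intended reliance, inclusive of both ends. Lock state
    and validity do not matter here; the question is whether creation was approved."""
    created = []
    for r in rows:
        erdat = parse_sap_date(r["ERDAT"])
        if erdat is not None and period_from <= erdat <= period_to:
            created.append(r["BNAME"])
    return created


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print("Tab 4 population:", tab4_population(rows, date(2023, 12, 31)))
    print("Tab 21 population:", tab21_population(rows, date(2023, 1, 1), date(2023, 12, 31)))
```

On the constructed rows, Tab 4 keeps JSMITH and OPS_SVC (BATCH_RFC is a communication ID, TEMP_ADMIN is locked, CONTRACTOR1 expired before the test date), while Tab 21 keeps JSMITH, TEMP_ADMIN and CONTRACTOR1 for a 2023 period of reliance. Keeping the two filters separate matters: a locked or expired ID still needs evidence that its creation was approved, so it belongs in the Tab 21 population even though it drops out of Tab 4.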
