SAP control testing
1. Overview
Every organization is responsible for complying with the provisions of the Sarbanes-Oxley Act (SOX). Most organizations run SAP as their ERP system, so the IT controls are linked to the organization's business processes. These controls being set up correctly and working as intended form an integral part of an organization's performance in the global market. To achieve this, a fully compliant, quality-assured SOX audit of the IT controls must be performed to give assurance to the shareholders. Hence, it is vital that the SOX activity is completed with due diligence and professionally, in line with the quality standards.
3. Scope
The scope of testing covers all the existing SOX scenarios and the newly identified scenarios defined by the organization's compliance team and auditors. The identified SOX scenarios cut across almost all the modules in SAP and may require testing with third-party tools. The number of SOX scenarios varies because new scenarios are added between SOX testing cycles. The frequency of testing depends on the organization's policy; it can be performed monthly, quarterly, half-yearly or annually.
4. Scope Identification
The scope of testing the IT controls can be based on multiple approaches. Again, it is at the discretion of the organization's compliance team, along with the auditors, to define the approach and frequency of testing. The following is one such approach. Here, we assume the testing frequency to be a yearly activity.
- The compliance team decides on a testing validity of X years for any given IT control. Let us assume X here represents 2 years.
- Any control which has not been tested in the past 2 years forms part of the yearly testing cycle.
- Any control which was tested in the past 2 years but modified in the interim period forms part of the yearly testing cycle. Such changes to an existing control can be due to change requests, bug-fix corrections or new projects.
- Any new control which is introduced and brings a change in business process(es) is to be part of the testing cycle.
- Where a control consists of multiple reports/objects, testing is to be carried out only for the reports which have changed in the audit period.
- Identify the objects/reports which have not changed in the audit period. This helps to narrow down the scope of the testing.
How is the modification check carried out? Below are the technical steps involved in carrying out the modification check in SAP:
- T-code SE93 / table TSTC shows the linkage between the report (transaction) and the underlying program.
- Table D010INC retrieves the list of all includes under the main program. Enter the program identified in the previous step on the selection screen of D010INC.
- Identify whether the program and the corresponding includes were modified: enter the main program and the includes in table TRDIR to retrieve program name, created by, created on, changed by and changed on.
- If none of the "changed on" dates (for the main program and its includes) fall within the current audit period, the report need not be tested.
Guidelines for documentation (again, these are not limited to those mentioned below)
Please note that the modification check is carried out only where a report or object is involved. It is not carried out for standard SAP customizations, and hence such types of controls have to be tested as per the testing cycle.
- Test of design: to test whether the control is designed effectively in line with the control objective. For example, SAP is configured to block the invoice if price or quantity are outside the defined tolerance. Therefore, from a test of design perspective, OMR6 will be executed to review the settings of the limits maintained for the selected tolerance key for the active company code and whether they are in line with the organization's procurement policy. Any deviation in the settings in SAP should be highlighted as part of the test of design.
- Test of effectiveness: to perform the actual testing. Taking the above scenario, select a company code and create a PO, post a GR that equals the PO quantity and then post an invoice with IR quantity above the tolerance limit and IR net unit price equal to the PO price. The system should block the invoice.
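A model of the tolerance check that the test of design reviews in OMR6 and the test of effectiveness exercises by posting, as an added example that is not code from the original article. The limits are constructed sample values standing in for the OMR6 settings of the selected company code, and the keys "quantity" and "price" are this example's own names rather than SAP tolerance keys. Running the model on the planned test data gives the expected outcome (blocked or released) to compare against what the pre-production system actually does.

```python
"""Invoice tolerance model (added example, not from the original article).
TOLERANCES are constructed OMR6-style upper limits for company code 1000; the
tolerance key names are assumptions of this example."""

# A variance is out of tolerance when it exceeds either limit that is checked
# (None = that limit is not checked for the key).
TOLERANCES = {
    "1000": {
        "quantity": {"pct": 10.0, "abs": None},   # IR quantity above GR quantity
        "price":    {"pct": 5.0,  "abs": 100.0},  # IR value above PO value
    },
}


def exceeds(variance, base, limit):
    """True if a positive variance breaches the percentage or absolute limit."""
    if variance <= 0:
        return False
    if limit["pct"] is not None and base > 0 and variance / base * 100 > limit["pct"]:
        return True
    if limit["abs"] is not None and variance > limit["abs"]:
        return True
    return False


def check_invoice(company_code, po_price, gr_qty, ir_qty, ir_price):
    """Return the tolerance keys breached by the invoice receipt (IR).
    An empty list means the invoice would be released; a non-empty list means
    it would be blocked for the listed reasons."""
    tol = TOLERANCES[company_code]
    breached = []
    # Quantity variance: invoiced quantity compared with the goods receipt.
    if exceeds(ir_qty - gr_qty, gr_qty, tol["quantity"]):
        breached.append("quantity")
    # Price variance: invoice value compared with the PO value for the same quantity.
    ir_value = ir_qty * ir_price
    po_value = ir_qty * po_price
    if exceeds(ir_value - po_value, po_value, tol["price"]):
        breached.append("price")
    return breached


def expected_to_block(company_code, po_price, gr_qty, ir_qty, ir_price):
    """Expected result of the test of effectiveness for the given postings."""
    return bool(check_invoice(company_code, po_price, gr_qty, ir_qty, ir_price))


if __name__ == "__main__":
    # Scenario from the text: GR equals PO quantity (100 pieces at 10.00),
    # IR quantity 120 (20 % above the 10 % tolerance), IR price equal to PO price.
    print(check_invoice("1000", po_price=10.0, gr_qty=100, ir_qty=120, ir_price=10.0))
```

If the test posting is released although the model predicts a block, the tester has a deviation to document: either the OMR6 limits in the system differ from the reviewed ones, or the block is not effective for that company code.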
- Test of completeness: to confirm that the data reconciliation at the table level and the report match. For example, in the case of bank reconciliation, the documents shown by standard SAP t-code FS10N should match the output of standard SAP table BSEG for the same set of selection parameters.
- Test of accuracy: taking the above scenario of bank reconciliation, in this case the total amount of all documents as shown by standard SAP t-code FS10N should match the output of standard SAP table BSEG for the same set of selection parameters.
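The completeness and accuracy reconciliation described above, as an added example that is not code from the original article. REPORT_ROWS stand in for the document list shown by FS10N for one selection (company code, G/L account, fiscal year) and BSEG_ROWS for the matching table extract; field names follow BSEG, the values are invented.

```python
"""Report-to-table reconciliation (added example, not from the original
article).  Field names follow BSEG: BUKRS company code, HKONT G/L account,
GJAHR fiscal year, BELNR document number, BUZEI line item, SHKZG debit/credit
indicator (S debit, H credit), DMBTR amount in local currency."""
from decimal import Decimal

# Selection parameters applied on both sides (constructed).
SELECTION = {"BUKRS": "1000", "HKONT": "0000113100", "GJAHR": "2013"}

# Report side: document number -> signed amount as displayed (constructed).
REPORT_ROWS = {
    "1400000001": Decimal("2500.00"),
    "1400000002": Decimal("-730.50"),
    "1400000003": Decimal("120.00"),
}

# Table side: one row per line item (constructed).  The last two rows fall
# outside the selection and must be ignored by the reconciliation.
BSEG_ROWS = [
    {"BUKRS": "1000", "HKONT": "0000113100", "GJAHR": "2013", "BELNR": "1400000001", "BUZEI": "001", "SHKZG": "S", "DMBTR": Decimal("2500.00")},
    {"BUKRS": "1000", "HKONT": "0000113100", "GJAHR": "2013", "BELNR": "1400000002", "BUZEI": "002", "SHKZG": "H", "DMBTR": Decimal("730.50")},
    {"BUKRS": "1000", "HKONT": "0000113100", "GJAHR": "2013", "BELNR": "1400000003", "BUZEI": "001", "SHKZG": "S", "DMBTR": Decimal("120.00")},
    {"BUKRS": "1000", "HKONT": "0000113100", "GJAHR": "2013", "BELNR": "1400000004", "BUZEI": "001", "SHKZG": "H", "DMBTR": Decimal("45.00")},
    {"BUKRS": "1000", "HKONT": "0000113100", "GJAHR": "2012", "BELNR": "1400000099", "BUZEI": "001", "SHKZG": "S", "DMBTR": Decimal("999.00")},
    {"BUKRS": "2000", "HKONT": "0000113100", "GJAHR": "2013", "BELNR": "1400000050", "BUZEI": "001", "SHKZG": "S", "DMBTR": Decimal("10.00")},
]


def signed_amount(row):
    """Debits positive, credits negative, so line items can be summed."""
    return row["DMBTR"] if row["SHKZG"] == "S" else -row["DMBTR"]


def table_documents(rows, selection):
    """Apply the report's selection parameters to the table extract and
    aggregate line items per document."""
    per_doc = {}
    for row in rows:
        if all(row[k] == v for k, v in selection.items()):
            per_doc[row["BELNR"]] = per_doc.get(row["BELNR"], Decimal("0")) + signed_amount(row)
    return per_doc


def reconcile(report, table, selection):
    """Test of completeness: same document set on both sides.
    Test of accuracy: same total amount on both sides."""
    table_docs = table_documents(table, selection)
    missing_in_report = sorted(set(table_docs) - set(report))
    extra_in_report = sorted(set(report) - set(table_docs))
    report_total = sum(report.values(), Decimal("0"))
    table_total = sum(table_docs.values(), Decimal("0"))
    return {
        "complete": not missing_in_report and not extra_in_report,
        "missing_in_report": missing_in_report,
        "extra_in_report": extra_in_report,
        "accurate": report_total == table_total,
        "report_total": report_total,
        "table_total": table_total,
        "difference": report_total - table_total,
    }


if __name__ == "__main__":
    for key, value in reconcile(REPORT_ROWS, BSEG_ROWS, SELECTION).items():
        print(f"{key}: {value}")
```

In the constructed data the report misses document 1400000004, so both tests fail and the difference (45.00) equals that document's amount; that is exactly the kind of deviation the control documentation has to record, together with the selection parameters used on both sides.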
The control documentation template should be created taking into consideration the control objective, business process involved, associated risk if the control fails, control owner, testing details, conclusion remarks template, year of testing, control frequency, tester details and the above four testing criteria.
Once the scope of testing is finalized with the list of all controls to be tested, and a sample company code for each control is provided by the auditors/compliance team, the activity of testing the controls can be started. The assumption is that if a control works for one of the in-scope, randomly selected company codes, it should work for all other active company codes in SAP. Before starting the testing, it is important to identify the right set of testers with the skill set required for testing the SOX controls. Apart from domain knowledge, prior testing experience is an added advantage.
- Testing should be performed in the production system for the provided sample company code.
- In case the control requires posting of transaction data, the test of effectiveness should be performed in the quality/pre-production system (a copy of the production system). However, the test of design can be performed in the production system.
- If the control requires testing in the pre-production system, a version comparison of the transaction between the pre-production and production system should be documented.
- Screenshots should be clear and not blurred, with the system ID and the tester details being captured. This is important as it evidences that the control was tested in the production/pre-production system and was performed by the identified SOX tester.
- Testing should, to a large extent, be done for the data range in the given audit period. For example, if testing is performed for 2013, the data set should be for 2013.
- Briefly explain the steps while pasting the screenshots in the document.
- All the control steps are to be performed as per the template.
- It is better to use a success or failure conclusion template. This helps to have a common standard across all the tested controls.
- Highlight the smallest of deviations, as the very purpose of this activity is to find out whether the IT control is correctly set up/working as per the organizational guiding principles.
7. Guidelines for review: this is an important activity as it is a pre-check before the control documentation is submitted to the auditors.
- Check that the control is tested for the sample company code provided by the auditors.
- Check that the screenshots are clear and all control steps are addressed.
- A clear and concise conclusion is given, with deviations (if any) highlighted.
- The documentation does not have any cosmetic mistakes like typos, incomplete sentences etc.
- If the control documentation involves any calculation, ensure that it is accurate.
8. Closure report: once the control testing is completed, the SOX testing team is to submit a closure report stating the controls tested and any noted deviations, along with the tester profiles, from an audit point of view.
Task
Obtain a technical system overview of how up to date release planning is and record the information required for providing the audit certificate. Is the company working with an up-to-date release version, or is there a risk that maintenance for the release it is using will be discontinued? It is important that only released versions and, if necessary, any special releases are used. Determine the company's release planning.
"Status" is used to obtain an overview of the installation, in particular with respect to:
- SAP system data
- Computer data (detail data supplemented by kernel information)
- Database data (detail data supplemented by database information)
Up-to-date information regarding SAP release planning is available on SAP-Net. You will need Internet access or access via the company's Online Service System (OSS). Information on SAP-Net can be accessed under URL: http://service.sap.com/, search term "release planning".
The unit being audited is notified of program corrections/information/problems by means of OSS Notes. Have the procedure for evaluating OSS Notes explained to you. Responding promptly to OSS Notes enables quick correction of program bugs and the prevention of consequent errors.
Processing notes
1) Path: System --> Status … You can view additional details by selecting "Additional kernel info".
2) Compare the version with the maintenance periods on SAP-Net as follows:
   a) Select the http://service.sap.com web page
   b) Go to "SAP Online Corrections"
   c) Enter OSS user name and ID
   d) Go to "Download Support Package"
   e) Go to "Basis Support Package"
3) Clarify future release planning in an interview.
4) Clarify the procedure for evaluating OSS Notes in an interview.
Rating notes
Lack of SAP support for a release can have a negative impact on the stability and security of processing. This would be the case, for example, if older versions (no longer maintained) are used, or if individual customizations have been made to the standard and there have been no adaptations to new releases. Compliance is rated between (0) and (4) depending on how up to date release planning is and how it is mapped in the system.
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 = Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
COMPANY DELTA: SAP R/3 AUDIT ACTION SHEETS (EXCERPT)
SAP R/3 Audit Action Sheet
AAS: 1. SAP R/3 system general - Hot packages (current/errors)
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
On the basis of the number of hot packages loaded, establish whether the audited system is current or out of date. You will need Internet access to SAP-Net or a means to access the OSS in Walldorf from R/3. In both cases you will need an OSS user ID (available from SAP on request upon payment of a fee). Since these are chargeable functionalities, you can also perform the audit tasks in collaboration with SAP Basis staff.
The aim of this audit task is to verify correct administration of hot packages, i.e. whether new patches are loaded promptly and correctly. This also reduces the risk of bugs in programs not being corrected. Access rights to the OSS1 transaction are required when logging on to the Walldorf OSS via SAP routers from the system being audited. Compare the current version of hot packages according to SAP OSS with the version currently being used by the company. Large discrepancies are an indication that many bugs already announced/corrected by SAP are still in the system.
The status of the loaded hot packages can be viewed using the SPAM transaction. The success of the respective loading procedure is indicated by a "traffic light" display. You should also take into account which put level has already been released by +S. Information on SAP-Net can be accessed via the URL: http://service.sap.com.
Processing notes
1) /nSPAM, then in the Status box select the push button "Display Patch Level".
2) Compare with SAP OSS - hot packages - version:
   a) Select the http://service.sap.com web page
   b) Go to "Login Now"
   c) Enter OSS user name and ID
   d) Go to the "QuickLinks" tab
   e) Go to "Patches"
   f) Select SAP R/3 and drill down into the desired release of SAP R/3
   g) Compare the SAP recommended patch level with the system level
Rating notes
Also refer to the previous audit action sheet (AAS). Failure to promptly and correctly load patches can negatively impact processing security because the corrections in the patches (e.g. asset history sheets) for SAP bugs are not executed, or not executed promptly. Ascertain in an interview what maintenance measures are performed in the unit, who is responsible, and whether patches are loaded promptly. Also use the transaction mentioned above. If you find that many hot packages (e.g. more than 5) have not been loaded, have the reasons for this explained to you and document your findings.
The audit sheet is rated between (0) and (4) depending on your findings. The greater the number of hot packages that have not been loaded, the greater the level of non-compliance. Also take into account the organizational context: outsourcing or in-house system administration. If patches are not loaded promptly and the company outsources its IT services, agreements relating to the provision of up-to-date patches should be included in the respective contracts (if this has not already been done).
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 1. SAP R/3 system general - Evaluate client control
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
To ensure an adequate level of protection for the SAP system, there are different settings for client control. Determine how client control of the production system is configured:
A) What role does the client have? This field should be maintained by the company for documentation purposes. In addition, this setting ensures that, if there is a production client in the target system, a cross-system client copy in which client-independent customizing objects were selected will not be imported into the system.
B) Is the production client protected from a client copy? This flag can be used to prevent the current client being overwritten by the client copy program, or it can mark the client as a template for a client copy or customizing comparison.
C) Can CATT procedures be launched in the production system? In some situations, launching CATT procedures can result in extensive database changes, which is not permitted in a production client.
The following settings should be made in the production client:
   Field name    Field description   Recommended setting
A) CCCATEGORY    Role                'P' - Production client
B) CCCOPYLOCK    Copy protection     'X' or 'L' - Protect against client copy
C) CCIMAILDIS    CATT permitted      ' ' - CATT not allowed
Processing notes
Run transaction /nSE16 (SE17), then select table T000 and analyze the respective fields.
Rating notes
For settings A) and B), system protection against intentional or unintentional overwriting of the production client is possible. If CATT is permitted under the settings for C), tracking may be affected by the fact that it is possible to load mass data onto the system and change it.
If none of the three client control fields on the client are set in accordance with the recommendation, the audit sheet is rated (0). If only CATT procedures are permitted and the two other parameters are set in accordance with the recommendation, provide a rating of (2). If all three parameters follow the recommendations, then this audit action sheet should be rated (4) = no non-compliance.
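The three T000 checks and the rating rule above in code, as an added example that is not part of the audit action sheet. The T000 rows are a constructed extract (MANDT is the client number); only the rating combinations the sheet names are mapped to a value, every other partial combination is returned as None for the auditor to judge.

```python
"""T000 client control check (added example, not part of the audit action
sheet).  Compares the three fields named in the sheet with the recommended
production settings and derives the sheet rating."""

# Recommended values per the sheet.  CCIMAILDIS blank = CATT not allowed.
RECOMMENDED = {
    "CCCATEGORY": {"P"},
    "CCCOPYLOCK": {"X", "L"},
    "CCIMAILDIS": {" ", ""},
}

# Constructed T000 extract: one production client from each of three systems.
T000 = [
    {"MANDT": "100", "CCCATEGORY": "P", "CCCOPYLOCK": "X", "CCIMAILDIS": " "},
    {"MANDT": "200", "CCCATEGORY": "P", "CCCOPYLOCK": "L", "CCIMAILDIS": "X"},
    {"MANDT": "300", "CCCATEGORY": "C", "CCCOPYLOCK": " ", "CCIMAILDIS": "X"},
]


def check_client(row):
    """Map each control field to True (recommended) or False (deviates)."""
    return {field: row.get(field, "") in allowed
            for field, allowed in RECOMMENDED.items()}


def deviations(row):
    """Fields that do not carry the recommended setting, in sheet order."""
    return [field for field, ok in check_client(row).items() if not ok]


def rate_client(row):
    """Rating per the rating notes: 0 if no field complies, 2 if only CATT is
    permitted (A and B comply), 4 if all three comply.  Any other partial
    combination is not rated by the sheet and returns None."""
    result = check_client(row)
    if all(result.values()):
        return 4
    if not any(result.values()):
        return 0
    if result["CCCATEGORY"] and result["CCCOPYLOCK"] and not result["CCIMAILDIS"]:
        return 2
    return None


if __name__ == "__main__":
    for row in T000:
        print(row["MANDT"], "rating:", rate_client(row), "deviations:", deviations(row))
```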
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 1. SAP R/3 system general - Perform system check
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
During SAP operation, it must always be ensured that the specifications established by the producer, SAP AG, have been met. SAP provides a functionality (basic High Level Check) which can be used to check whether the SAP system has been implemented in accordance with SAP specifications. The /nSICK transaction is used to check consistency between the R/3 kernel and the ABAP Dictionary, as well as the correct specification of the update server.
Processing notes
Run transaction /nSICK. Interview the unit being audited with regard to any report results.
Rating notes
Incorrect system settings that do not conform to the SAP specifications can influence processing behavior, which may lead to errors in processing. These can manifest themselves in various ways. If errors occur that affect (or possibly may affect) the processing of accounting-relevant data, a rating of 0 should be provided. If no errors occur, the audit action sheet should be rated 4. In all cases, document any interviews held for verification purposes.
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 1. SAP R/3 system general - Basis system documentation
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
SAP R/3 Audit Action Sheet
AAS: 2. User authentication - Basic password settings
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Determine whether the current login parameters present any risks in terms of access protection. Compare the values identified with the recommendations in the Corporate Information Security Guide (IS Guide) from SIEMENS AG. Ascertain whether the login complies with security requirements (according to the IS Guide). Note that there is usually more than one parameter profile in the SAP installation. Only the current profile at the time of the check is selected and checked by report RSPFPAR.
The RSPFPAR report lists all basic system parameters for password creation:
1) login/min_password_lng (minimum password length has to be 8 characters)
2) login/password_expiration_time (password has to expire after a maximum of 90 days)
3) login/fails_to_session_end (is the number of illegal login attempts before the session is aborted set to 3?)
4) login/fails_to_user_lock (the number of failed login attempts before system lockout should be set to a max. of 5)
5) login/failed_user_auto_unlock (is a system lockout automatically canceled overnight?; recommended setting = 0)
Users who attempt to access the system using an incorrect password are logged by the system (report RSUSR006). Experience has shown that successful hacker attacks are preceded by a number of unsuccessful access attempts. User masters with unsuccessful login attempts should therefore be analyzed regularly and the reasons identified.
6) Determine whether there have been any hacking attempts (indicated by an increased number of incorrect login attempts) and how the company has responded.
Processing notes
/nSA38 -> enter "RSPFPAR", search for "login*" for questions 1) to 5).
/nSA38 -> enter "RSUSR006" for question 6).
The login parameters have to be checked on all servers. The transaction /nSM51 displays the servers; the connection can be changed per double-click. Alternative: check the parameter settings directly in the operating system, with the help of the administrator.
Rating notes
Inadequate protection for SAP access (authentication problem) may exist against internal access by company staff or by external parties to whom network access has previously been granted. If the IS Guide is not followed, the rating should be (0) = very significant non-compliance. If the respective parameters (see above) have the recommended settings, the rating should be (4) = no non-compliance. In the case of partial compliance, depending on the settings made, rate the audit action sheet (2) = non-compliance.
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 2. User authentication - Password rules and SNC
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Various combinations of passwords that are not permitted can be specified in the USR40 table.
1) Check the contents of USR40 to determine which passwords are not permitted, as well as the scope.
2) Siemens also enables authentication using Secure Network Communications (SNC). In this case, the passwords are not sent as plain text over the network. Check therefore whether an SNC authentication procedure is being used. The following system parameters are relevant for the use of SNC:
   a) snc/enable = 1 (SNC is activated)
   b) snc/accept_insecure_cpic = 0 (recommended setting)
   c) snc/accept_insecure_gui = 0 (recommended setting)
   d) snc/accept_insecure_rfc = 0 (recommended setting)
NOTE: A separate SNC server is required if SNC is used. SNC is a separate tool that is shipped with the standard package. With respect to security levels, a distinction can be drawn between authentication, integrity and encryption checking.
Processing notes
/nSE16 -> analyze the USR40 table (system services, table maintenance, display; input "USR40").
/nSA38 -> "RSPFPAR" report, check the snc settings (see above).
Rating notes
In the case of negative findings, there is an authentication problem on the SAP R/3 level resulting in inadequate protection against internal attempts to access SAP by company staff that have previously been granted network access. The following questions will aid in the assessment:
- Is the USR40 table being used?
- Does USR40 include unit-specific settings?
If the answer to the above questions is "yes", specify a rating of (4) = no non-compliance. If the answer to the above questions is "no", the rating should be (0) = very significant non-compliance. Ratings between these two depend on the particular form of the USR40 table. In all cases, recommend the use of the USR40 table for frequently used passwords. Use of SNC should be determined only; it does not affect the rating. The settings are relevant to the rating only in cases where the company has decided to use this feature and the settings were performed in a manner that does not meet requirements.
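The RSPFPAR evaluation from the "Basic password settings" sheet and the SNC parameter check from this sheet, as one added example that is not part of the audit action sheets. The profile text is a constructed stand-in for the relevant lines of the RSPFPAR output reduced to parameter name and effective value (the real report lists user-defined and default values in separate columns); the login/* rules encode the recommended values the password sheet lists, and the rating follows its rating notes. SNC is reported separately and does not feed the rating, as this sheet prescribes.

```python
"""Profile parameter check for login/* and snc/* (added example, not part of
the audit action sheets).  PROFILE_TEXT is a constructed extract, not real
RSPFPAR output."""

PROFILE_TEXT = """\
login/min_password_lng          6
login/password_expiration_time  90
login/fails_to_session_end      3
login/fails_to_user_lock        12
login/failed_user_auto_unlock   1
snc/enable                      1
snc/accept_insecure_gui         1
snc/accept_insecure_rfc         0
snc/accept_insecure_cpic        0
"""


def parse_profile(text):
    """Return {parameter: value} from 'name value' lines; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            params[parts[0]] = parts[1]
    return params


# Recommended settings from the password sheet: (description, predicate on int value).
LOGIN_RULES = {
    "login/min_password_lng":         ("at least 8",            lambda v: v >= 8),
    "login/password_expiration_time": ("between 1 and 90 days", lambda v: 1 <= v <= 90),
    "login/fails_to_session_end":     ("exactly 3",             lambda v: v == 3),
    "login/fails_to_user_lock":       ("at most 5",             lambda v: 1 <= v <= 5),
    "login/failed_user_auto_unlock":  ("0 (no auto unlock)",    lambda v: v == 0),
}

SNC_INSECURE_PARAMS = ("snc/accept_insecure_cpic", "snc/accept_insecure_gui", "snc/accept_insecure_rfc")


def login_deviations(params):
    """Parameters whose value is missing, non-numeric or outside the recommendation,
    mapped to (value found, recommendation)."""
    out = {}
    for name, (expected, ok) in LOGIN_RULES.items():
        raw = params.get(name)
        try:
            compliant = raw is not None and ok(int(raw))
        except ValueError:
            compliant = False
        if not compliant:
            out[name] = (raw, expected)
    return out


def rate_login(params):
    """4 = all parameters recommended, 0 = none recommended, 2 = partial compliance."""
    bad = len(login_deviations(params))
    if bad == 0:
        return 4
    if bad == len(LOGIN_RULES):
        return 0
    return 2


def snc_findings(params):
    """Informational only: nothing to report unless SNC is enabled; if it is, any
    accept_insecure_* parameter not set to 0 contradicts the recommendation."""
    if params.get("snc/enable") != "1":
        return []
    return sorted(name for name in SNC_INSECURE_PARAMS if params.get(name) != "0")


if __name__ == "__main__":
    profile = parse_profile(PROFILE_TEXT)
    for name, (value, expected) in login_deviations(profile).items():
        print(f"{name}: found {value}, recommended {expected}")
    print("password sheet rating:", rate_login(profile))
    print("SNC findings:", snc_findings(profile))
```

Since the sheet notes that parameters must be checked on every server, the same parser can be run once per instance profile and the per-server results compared; a server whose profile deviates from the others is itself a finding worth documenting.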
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 2. User authentication - Handling initial passwords of inactive users
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
A so-called initial password is assigned when a user master is created. Since users will be prompted to change this password when they log on for the first time, the initial password is valid for all users created, but not yet active, on the system. If the company always uses the same initial password (making it generally known), these user masters can be used by anyone. For this reason, either a different initial password should always be assigned, or the newly created user master should be locked until the first login (the lock flag can be evaluated using the UFLAG field in table USR02, with 0 signifying that the user is not locked), to effectively prevent unauthorized use. Beginning with Version 4.6B, an individual password can be created and assigned by the system as standard.
Determine:
1) How initial passwords are assigned to users the first time.
2) Whether there is a risk if the user does not log on to the system immediately, i.e. evaluate with respect to inactive users.
3) In addition, clarify whether collective identities (user IDs) such as "TRAINING", "STUDENT" or "TEST" are being used in the production environment.
Processing notes
1) Interview with authorization administration regarding the assignment of and procedure for initial passwords.
2) /nSE16 table USR02. The field TRDAT shows the last logon date. If TRDAT is zero, then the user has never logged on at all.
   -> select TRDAT with selection option "=" to display users that have never logged on
   -> select TRDAT > 3 months ago to display users that have not logged on for more than 3 months
   Also take into account the user types USTYP (A = dialog user) and locked users, i.e. UFLAG = 64, in the report lists.
3) /nSE16 table USR02 -> evaluate with respect to the above-mentioned collective identities. The assigned authorization objects should also be taken into account for the rating.
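The USR02 evaluations from processing notes 2) and 3), as an added example that is not part of the audit action sheet. It runs over a constructed USR02 extract; field names follow the sheet (BNAME user name, TRDAT last logon date, USTYP user type, UFLAG lock status), the user names and dates are invented, and "3 months" is taken as 91 days before the key date.

```python
"""USR02 inactive-user evaluation (added example, not part of the audit action
sheet).  TRDAT is YYYYMMDD with 00000000 = never logged on; USTYP A = dialog
user; UFLAG 64 = locked by the administrator.  Data below is constructed."""
from datetime import date, timedelta

KEY_DATE = date(2013, 9, 30)                       # audit key date (constructed)
COLLECTIVE_IDS = {"TRAINING", "STUDENT", "TEST"}   # collective identities named in the sheet

USR02 = [
    {"BNAME": "JSMITH",   "TRDAT": "20130912", "USTYP": "A", "UFLAG": 0},
    {"BNAME": "NEWHIRE1", "TRDAT": "00000000", "USTYP": "A", "UFLAG": 0},
    {"BNAME": "NEWHIRE2", "TRDAT": "00000000", "USTYP": "A", "UFLAG": 64},
    {"BNAME": "OLDUSER",  "TRDAT": "20130103", "USTYP": "A", "UFLAG": 0},
    {"BNAME": "BATCHJOB", "TRDAT": "20120301", "USTYP": "B", "UFLAG": 0},
    {"BNAME": "TRAINING", "TRDAT": "20130830", "USTYP": "A", "UFLAG": 0},
]


def last_logon(row):
    """None for the SAP initial date, otherwise the last logon as a date."""
    v = row["TRDAT"]
    if v in ("", "00000000"):
        return None
    return date(int(v[:4]), int(v[4:6]), int(v[6:8]))


def is_locked(row):
    return row["UFLAG"] == 64


def _selected(row, dialog_only, include_locked):
    """Common filter: dialog users only and/or unlocked users only."""
    if dialog_only and row["USTYP"] != "A":
        return False
    if not include_locked and is_locked(row):
        return False
    return True


def never_logged_on(rows, dialog_only=True, include_locked=False):
    """Users still carrying their initial password: TRDAT is the initial value.
    Locked users are excluded by default because the lock already mitigates the risk."""
    return sorted(r["BNAME"] for r in rows
                  if last_logon(r) is None and _selected(r, dialog_only, include_locked))


def inactive_users(rows, key_date=KEY_DATE, days=91, dialog_only=True, include_locked=False):
    """Users whose last logon lies more than `days` before the key date."""
    cutoff = key_date - timedelta(days=days)
    return sorted(r["BNAME"] for r in rows
                  if last_logon(r) is not None and last_logon(r) < cutoff
                  and _selected(r, dialog_only, include_locked))


def collective_identities(rows):
    """User IDs matching the collective identities the sheet asks about."""
    return sorted(r["BNAME"] for r in rows if r["BNAME"].upper() in COLLECTIVE_IDS)


if __name__ == "__main__":
    print("never logged on (unlocked dialog users):", never_logged_on(USR02))
    print("inactive > 3 months:", inactive_users(USR02))
    print("collective identities:", collective_identities(USR02))
```

The defaults mirror the sheet's reading of the list: dialog users that are not locked are the exposure; passing include_locked=True or dialog_only=False widens the list when the rating needs the full picture (e.g. batch users with wide-ranging authorizations).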
Rating notes
If it is possible to log on using someone else's user ID, depending on the authorizations of the respective user used, there is a risk that business transactions will not be able to be tracked unambiguously. Identify what arrangements have been made for assigning an initial password:
- how it is ensured that the created user will log on to the system immediately,
- whether there are regular checks of inactive users,
- what the arrangements for locking users are,
- whether collective identities are used.
Specify a rating as follows, depending on the answers to these questions:
1) If a large number of users have never logged on, an identical password is always used, and users are always granted wide-ranging rights, specify a rating of (0) = very significant non-compliance.
2) If there have never been inactive users, or inactive users are locked, specify a rating of (4) = no non-compliance.
3) Ratings between these two should be specified based on the technical and organizational background. You should also take into account the status of the user (e.g. dialog or batch) and the authorizations granted in each case.
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 2. User authentication - Users in clients 000 and 001
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Since client 000 represents the reference client and client 001 usually also has a reference function, the users created and the authorizations granted to them should be extremely restricted. Only R/3 Basis administration users should be created. Determine whether only a few authorized staff have access to clients 000 and 001. SAP provides a transaction (USMM) for system surveys enabling you to inquire by name regarding the user master records created in all clients (if you are not using the filter provided for this purpose). It is easy to determine which employees have access to the various clients without having user rights for reports in the individual clients. Clients "000" and "001" may only be used in dialog mode by authorized R/3 Basis administration users.
Processing notes
1) Identify in an interview which client is used as the reference client.
2) Establish which users are created in the above-mentioned clients -> /nSE38 -> call report RSUVM005 or transaction /nUSMM; click the user list (or user classification) button and select clients 000 to 001.
Rating notes
If only administrators have been created, then there is no non-compliance = (4). If other users have a user master record and have been granted wide-ranging authorizations, this is a very significant non-compliance = (0). In this case you should definitely recommend that all staff not involved in system administration be removed from the user master, especially in client 000, or be locked.
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 2. User authentication - Initial passwords for standard users
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Authentication problems can arise as long as initial passwords are assigned to SAP standard users. There is a risk that users will make use of the generally known initial passwords to log on to the R/3 system. Determine whether standard users have changed their initial passwords. Clients 000, 001 and 066 are created when the R/3 system is installed. Standard users with specified passwords are predefined in these clients.
Processing notes
Talk to the system manager about this problem and ask him/her to run the "RSUSR003" report. The view authorizations usually granted to auditors are normally insufficient.
Rating notes
Authentication problems can arise as long as initial passwords are assigned to SAP standard users. There is a risk that users will make use of the generally known initial passwords to log on to the R/3 system. If the initial passwords have not been changed for the users, then a rating of (0) = very significant non-compliance should be specified. If all users in all clients have new passwords, the rating should be (4) = no non-compliance. If only some passwords have been changed in different clients, a rating of (2) = non-compliance should be specified for this audit action sheet.
Findings
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
SAP R/3 Audit Action Sheet
AAS: 2. User authentication - System parameters for SAP*
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Just as there are standard clients, in each installed R/3 system there are standard users
who are granted special,predefined rights. Users in an R/3 system are client-dependent, i.e.
a user is only valid in the client in which it wascreated. The passwords for standard users
can be changed at any time, but the users themselves cannot be deleted in R/3 as they are
hard-wired in the source code. If you try to delete the user SAP*, it will be deleted from the
user database inSAP, but it will not be deleted in the source code, i.e. the user remains in
existence with the standard password of PASS(PASS or 06071992 upon initial shipping).
Deleting a user therefore actually reinstates it with all authorizations, whichrepresents a
security gap. Audit questions:1) Determine whether SAP* has been created and what rights
have been assigned to it. (tools -> administration -> usermaintenance -> user -> select SAP*
and view profiles). What is its status (locked)?2) Judge whether the assigned rights may be
critical (especially SAP_ALL).3) Determine how passwords are assigned (refer to
login parameters and, where appropriate, use of the four-eyesprinciple).4) Is logging
on again after deletion prevented/permitted by the settings made for the parameters
in system profilelogin/no_automatic_user_sapstar = “1” for blocked / “0” for permitted.
Processing notes
1) and 2) /nSA38 -> report "RSUSR002"; enter user SAP* and view profiles. Alternatively, the information can be obtained in the authorization information system using the /nSUIM transaction.
3) Interview the company.
4) /nSA38 -> RSPFPAR -> search for login/no_automatic_user_sapstar and compare the value with the above parameters.
Rating notes
If user SAP* has been deleted and the system parameters permit a new login, the rating is (0) = very significant non-compliance. If SAP* has no rights at all, this counts as no non-compliance = (4). If, for example, SAP* has been assigned SAP_ALL rights, this will usually lead to a rating of significant non-compliance if no special measures have been taken regarding its usage (e.g. the four-eyes principle).
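The rating notes above can be turned into a small decision aid. The following Python script is an added example and is not part of the audit action sheet: it takes the two inputs the processing notes collect (the profiles RSUSR002 lists for SAP*, and the value of login/no_automatic_user_sapstar from RSPFPAR) and returns the rating the sheet prescribes, or None where the sheet leaves the decision to the auditor. The report excerpts, user names and the two-column layout are constructed for this example; they are not the exact screen format of either report.

```python
"""Rating aid for the SAP* check (added example, not part of the audit action sheet).

Applies the sheet's rating notes to the two inputs the processing notes collect:
the profiles RSUSR002 lists for SAP* and the value of
login/no_automatic_user_sapstar from RSPFPAR. The report excerpts below are
constructed for this example in a simplified two-column layout; they are not
the exact screen format of either report.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed RSUSR002-style listing: "<user> <profile>" per line, "-" = no profile.
SAMPLE_RSUSR002 = """\
User      Profile
SAP*      SAP_ALL
SAP*      SAP_NEW
DDIC      SAP_ALL
"""

# Constructed RSPFPAR-style line for the parameter checked in audit question 4.
SAMPLE_RSPFPAR = "login/no_automatic_user_sapstar    0"

PARAM = "login/no_automatic_user_sapstar"


@dataclass
class SapStarRecord:
    exists: bool                       # user master record present in the client
    locked: bool = False               # status shown in user maintenance (question 1)
    profiles: Tuple[str, ...] = ()     # profiles assigned to SAP* (question 1)
    four_eyes_principle: bool = False  # special usage measures confirmed in the interview


def sapstar_from_rsusr002(listing: str, user: str = "SAP*") -> Tuple[bool, Tuple[str, ...]]:
    """Return (exists, profiles) for `user` from the listing; skips the header line."""
    exists = False
    profiles = []
    for line in listing.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == user:
            exists = True
            if parts[1] != "-":
                profiles.append(parts[1])
    return exists, tuple(profiles)


def sapstar_parameter(rspfpar_line: str) -> str:
    """Extract the value of login/no_automatic_user_sapstar ('1' = blocked, '0' = permitted)."""
    name, value = rspfpar_line.split(None, 1)
    if name != PARAM:
        raise ValueError("expected a %s line" % PARAM)
    return value.strip()


def rate_sap_star(rec: SapStarRecord, no_automatic_user_sapstar: str) -> Tuple[Optional[int], str]:
    """Return (rating, reason); rating None means the sheet leaves it to the auditor's judgment.

    0 = very significant non-compliance, 1 = significant non-compliance,
    4 = no non-compliance, as in the sheet's rating notes.
    """
    if not rec.exists:
        if no_automatic_user_sapstar == "0":
            # Deleting SAP* reinstates it with the standard password, and the
            # parameter still permits that login: the sheet's (0) case.
            return 0, "SAP* deleted and %s = 0: login with the standard password is possible" % PARAM
        return None, "SAP* deleted; automatic user blocked by %s = 1, judge the remaining risk" % PARAM
    if not rec.profiles:
        return 4, "SAP* exists with no rights"
    if "SAP_ALL" in rec.profiles:
        if rec.four_eyes_principle:
            return None, "SAP_ALL assigned under the four-eyes principle: evaluate the measures"
        return 1, "SAP_ALL assigned without special measures regarding its usage"
    return None, "SAP* holds %s: judge whether these rights are critical" % ", ".join(rec.profiles)


def rate_from_reports(rsusr002: str = SAMPLE_RSUSR002, rspfpar: str = SAMPLE_RSPFPAR,
                      locked: bool = False, four_eyes: bool = False) -> Tuple[Optional[int], str]:
    """Build the SAP* record from the two report excerpts and rate it."""
    exists, profiles = sapstar_from_rsusr002(rsusr002)
    rec = SapStarRecord(exists=exists, locked=locked, profiles=profiles,
                        four_eyes_principle=four_eyes)
    rating, reason = rate_sap_star(rec, sapstar_parameter(rspfpar))
    status = "locked" if rec.locked else "not locked"
    return rating, "%s (user status: %s)" % (reason, status)


if __name__ == "__main__":
    print(rate_from_reports())
```

With the constructed sample (SAP* exists, holds SAP_ALL, no four-eyes measures) the script returns rating 1; the lock status is carried along in the reason text because the sheet asks for it but does not tie a rating to it.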
Findings
SAP R/3 Audit Action Sheet
AAS: 2. User authentication
Client: Auditor: Key date:
Standard user SAPCPIC
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
SAP uses SAPCPIC functions to communicate between processes/computers. In this case, a user (SAPCPIC) with a password is transferred by the invoking program. This user/password can be used for unauthorized accesses to the system (refer to OSS message 29276). Only the S_A.CPIC SAP profile, or a profile created with similar authorizations, should be assigned to the SAPCPIC user master record. SAPCPIC is not a dialog user.
Processing notes
/nSA38, report "RSUSR002", user "SAPCPIC"
Rating notes
Determine whether the user SAPCPIC exists and whether an individual password has been assigned. Also determine whether user rights have been limited to certain functions. If this is not the case (for example the user has SAP_ALL rights and the password is known), specify a rating of (0) = very significant non-compliance. If the CPIC user has function-related authorizations and an individual, restricted password has been assigned, a rating of (4) = no non-compliance should be specified.
Findings
SAP R/3 Audit Action Sheet
AAS: 2. User authentication
Client: Auditor: Key date:
Analyze emergency user concept
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Emergency users are required so that the measures necessary to return the R/3 system to its normal state can be performed in an emergency situation. An emergency user requires comprehensive rights, i.e. an authorization profile that goes far beyond normal tasks. Consequently, an emergency user does not fit within the usual classification of an employee; this user can cross all organizational functional divisions. This undermines the effectiveness of an internal control system based on the concept of functional separation and minimum rights assignment. To avoid this risk, emergency user activities have to be recorded and checked by third parties.
It is often assumed that the activities of any emergency user will be identifiable and traceable if the emergency user password is kept secret and controls are in place for the assignment of rights. Rules are usually along the lines of: "The password for this user has to be kept separately and used in an emergency only. The emergency identities may only be used in an emergency as defined in the emergency concept." As a result, emergency user concepts that specify mandatory recording of emergency user activities and additional subsequent checks (e.g. examination of the security audit log) are more effective.
Beginning with Release 4.0, the "Security Audit Log" tool can be used to record security-relevant system information such as changes to user master records or unsuccessful login attempts. The respective actions are recorded by activating the audit log. The recorded relevant transactions can be archived. The security audit log allows long-term access to this data. The audit files are retained until they are explicitly deleted. Automatic archiving of log files is not yet supported by the security audit log.
The following information can be logged:
- successful and unsuccessful interactive login attempts
- successful and unsuccessful login attempts via RFC
- RFC calls from function modules
- changes to user master records
- successful and unsuccessful transaction starts
- changes to the audit configuration
The audit files are stored on the individual application servers. They specify the file directories and their maximum size in the following profile parameters:
Profile parameter | Definition | Standard or suggested value
rsau/enable | Activates the audit log on an application server | Standard: 0 (audit log is not activated); Suggested: 1 (audit log is activated)
rsau/local/file | Specifies the directory of the audit log on the application server | Standard: /usr/sap/<SID>/<InstNr>/log/audit_<SAP instance number>
rsau/max_diskspace_local | Specifies the maximum length of the audit log | Suggested: 1,000,000 bytes
rsau/selection_slots | Specifies the number of storage locations for the selection options for tracking security-relevant events | Suggested: 2
Check:
a) the emergency user concept
b) SAL recording activities by the emergency user
Note: The SAL can also be extended to cover a wider circle of users.
Processing notes
1) Identify which of these concepts is being used and check whether the people named in the concept are fulfilling their obligations. Judge the effectiveness of the emergency user concept (are procedure traceability requirements being met?).
2) Check the above settings using /nSA38 report RSPFPAR.
3) Check which events are logged and how they are archived.
Rating notes
Since inherent system checks are always more effective than subsequent checks, the security audit log should be activated to track the activities of emergency users. Note that only 4 emergency users can be monitored using SAL and failed login attempts are not shown. If the audit determines that SAL is not being used, this is rated as a very significant non-compliance = (0). If organizational measures are in place to monitor emergency users created (principle of four-eyes review, standard operating procedure relating to documenting activities performed), the relevant logs/documentation should be examined and evaluated. Depending on your findings, a rating of between (1) and (2) is then specified. Always remind the unit being audited that SAL should be used. Since failed login attempts are not shown, check the SysLog, at least on a spot-check basis, since it provides pertinent analysis. Any findings in this regard during your audit should also be included in your overall assessment.
Findings
SAP R/3 Audit Action Sheet
AAS: 2. User authentication
Client: Auditor: Key date:
System administration
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
A distinction is drawn between the following administrator roles:
1) Within the R/3 system:
A) R/3 Basis administration (spooling, transport, job, batch, authorization and activation administration)
B) R/3 module administration (implementation of business requirements in the technical system)
C) R/3 user administration (the administrator roles are differentiated as follows for user rights:)
a) Authorization administrator: develops and changes profiles and authorizations (in the development system); the respective rights are however not yet active
b) Activation administrator: activates profiles and authorizations (in the development system); initiates the transport of profiles and authorizations to the production system
c) User administrator: creates user master records in the production system and assigns profiles and rights to the user master records.
At a minimum, the "user administrator" and "authorization/activation administrator" should be two separate people. A deputy has to be appointed to provide vacation/sickness cover. The separation is intended to ensure that no single Basis administrator has absolute control over the R/3 system. This also ensures that no single person authorizes all rights and profiles.
2) Around the R/3 system: System administration (for operating system, database system and network)
With smaller R/3 systems, several of the above roles can be assigned to one person; in the case of larger R/3 systems, it is sensible to split the above roles between several people. Responsibilities of user departments: R/3 user administration and R/3 module administration. Responsibilities of operators: the rest of the above-mentioned administrator roles. Assess the organization of administrators in the company without verifying the roles in the system.
Processing notes
Hold an interview with the unit being audited. Verification takes place in audit section 3.
Rating notes
The unit being audited should always be in a position to demonstrate a separation between the above administrators based on job descriptions or a role description as part of the user authorization concept. Note in this context that, depending on the size of the company or the arrangements in the unit, functional separation may not always be implemented. You should therefore establish:
- whether administrators are separated according to function separation aspects (organizational background). Have business operational rights also been granted to these administrators?
- whether the administrators (with the exception of the user administrator) can change their own authorizations.
- what the organizational rules are for the user administrator
- whether administrators are specified by name in the administrator concept
- whether administrators were informed of their rights and duties, including information security aspects
If possible, the minimum rights should be assigned. A lack of functional separation in this area can undermine the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment. Where functional separation aspects are not taken into account, determine whether, and in what form, subsequent checks are in place. Otherwise, there are risks with respect to the traceability of the procedure used. This means that a rating = 0 will be specified for companies who have sufficient personnel to implement functional separation, but who have not actually done so when assigning rights. In the case of "smaller" units, or if administrative work is outsourced, suitable subsequent checks (such as analysis of log files, spot checks of activities performed by administrators) should be identified, or implemented in the course of implementing recommendations. Significant non-compliance (1) arises, for example, if there are no contractual arrangements in place for outsourcing and subsequent checks are not performed or implemented. In the case of smaller units (without sufficient personnel resources or outsourcing), a rating of 2 would be specified in the above case.
Findings
SAP R/3 Audit Action Sheet
AAS: 2. User authentication
Client: Auditor: Key date:
System admin./completeness verification
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Determine who subsequently posts aborted postings.
- Is it the user department that initiates the posting?
- Is it system administration?
- Who deletes aborted postings?
If a posting cannot be repeated, the data for the posting has to be input manually. Aborted postings are listed using transaction SM13. The list includes the users who created the posting as well as a time stamp. The data can be input again - by the system manager as well. Following input, the old posting record (with status "err") has to be deleted. From the point of view of functional separation, this should be performed by the user department.
Processing notes
/nSM13 and /nSA38 report RFVBER00 - contain aborted postings. Use date selection options to run the reports for the previous six months.
/nSA38 -> RSPFPAR = rdisp/vbdelete (# - specifies that records # days old are automatically deleted, 0 = records are deleted manually)
/nSA38 -> RSPFPAR = rdisp/vbmail (1 = an e-mail is sent)
Have the company show you the documentation for previous posting aborts.
Rating notes
If there are no clear arrangements for the follow-up posting of aborted posting records, or for deletion procedures, there is a risk that the accounting procedures are not in compliance with regulations since the processed data may be incomplete. The above-mentioned aspects of functional separation should also be taken into account. In this case binding rules for the follow-up posting procedure that will always ensure that the accounting records are complete should be created and implemented. If no rules have been specified, a rating of (0) = very significant non-compliance should be specified.
Please refer also to audit action sheet 3.02.060 in the FI section for further details.
Findings
SAP R/3 Audit Action Sheet
AAS: 2. User authentication
Client: Auditor: Key date:
System parameter settings
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
ABAP report RSPFPAR lists all basic system parameters. One of the parameters relates to settings for monitor protection. Other parameters are explained in other audit action sheets.
1) Determine
- whether the current login parameters present any risks from the point of view of access protection.
- rdisp/gui_auto_logout (automatic screen deactivation after x seconds, default 0, should be max. 20 min. = 1200 sec.).
NOTE: It would be better to use a screensaver with password protection in order to prevent data loss, since SAP terminates the connection when the time expires.
2) In addition to the system settings, determine at the unit being audited whether
a) the rules are known and applied
b) a screensaver with password protection is activated at all display workstations
c) instructions have been established specifying that the screensaver has to be activated whenever anyone leaves his/her workstation.
Processing notes
1) /nSA38 -> enter "RSPFPAR". Establish whether the settings specified in the IS Guide have been established. Examine the system to evaluate this aspect.
2) Have the procedure used by the company explained to you and get answers to the above questions.
Rating notes
If a screensaver does not activate a specified time after leaving the workstation, there is a risk that unauthorized persons can obtain access to data or functions to which they do not normally have access in the course of their work. This represents a "risk of manipulation" - either intentionally or unintentionally. Failing to meet the requirements of the IS Guide rates a very significant non-compliance (0).
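Several of the sheets above (emergency user concept and the security audit log, completeness verification of aborted postings, and the system parameter settings just described) send the auditor to /nSA38 -> RSPFPAR and state a standard or suggested value for each parameter. The following Python script is an added example, not part of the audit action sheets: it reads a parameter export and compares each parameter the sheets mention with the value the sheets give. The export, its "parameter | user-defined value | system default" layout and the sample values are constructed for this example and are not the exact RSPFPAR screen format.

```python
"""Profile-parameter checks over an RSPFPAR export (added example, not part of the sheets).

Covers the parameters the emergency-user/SAL sheet, the completeness-verification
sheet and the system-parameter-settings sheet read via /nSA38 -> RSPFPAR, and
compares each with the standard or suggested value the sheets state. The export
below is constructed for this example in a simplified
"parameter | user-defined value | system default" layout with sample values;
it is not the exact RSPFPAR screen format.
"""
from typing import Dict, List, Tuple

SAMPLE_RSPFPAR = """\
parameter                       | user-defined value | system default
rsau/enable                     |                    | 0
rsau/local/file                 |                    | /usr/sap/<SID>/<InstNr>/log/audit_<SAP instance number>
rsau/max_diskspace_local        | 500000             | 1000000
rsau/selection_slots            |                    | 2
rdisp/gui_auto_logout           | 3600               | 0
rdisp/vbdelete                  | 0                  | 50
rdisp/vbmail                    | 1                  | 0
login/no_automatic_user_sapstar | 1                  | 0
"""

Finding = Tuple[str, str, str]  # (parameter, effective value, verdict)


def parse_rspfpar(export: str) -> Dict[str, str]:
    """Map parameter name -> effective value (user-defined value if set, else system default)."""
    effective: Dict[str, str] = {}
    for line in export.splitlines()[1:]:          # skip the column header
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 3:
            continue
        name, user_value, default = cols
        effective[name] = user_value if user_value else default
    return effective


def _as_int(value: str) -> int:
    """Parse a numeric parameter value; '1,000,000' style thousands separators are tolerated."""
    return int(value.replace(",", ""))


def check_parameters(values: Dict[str, str]) -> List[Finding]:
    """Evaluate each parameter the sheets mention; verdicts start with OK, FINDING or INFO."""
    out: List[Finding] = []

    def add(name: str, verdict: str) -> None:
        out.append((name, values.get(name, "<not in export>"), verdict))

    # Security audit log (emergency user sheet): standard 0, suggested 1.
    add("rsau/enable", "OK: security audit log activated" if values.get("rsau/enable") == "1"
        else "FINDING: security audit log not activated (sheet rates SAL not in use as 0)")
    add("rsau/local/file", "INFO: audit file location, confirm per application server")
    size = values.get("rsau/max_diskspace_local")          # suggested 1,000,000 bytes
    add("rsau/max_diskspace_local",
        "OK: at or above the suggested 1,000,000 bytes" if size and _as_int(size) >= 1_000_000
        else "FINDING: below the suggested 1,000,000 bytes or not set")
    slots = values.get("rsau/selection_slots")             # suggested 2
    add("rsau/selection_slots",
        "OK: at least the suggested 2 selection slots" if slots and _as_int(slots) >= 2
        else "FINDING: fewer than the suggested 2 selection slots or not set")

    # Monitor protection (system parameter settings sheet): default 0 means no
    # automatic logout; the value should be at most 20 min = 1200 s.
    logout = values.get("rdisp/gui_auto_logout")
    secs = _as_int(logout) if logout else 0
    if secs == 0:
        add("rdisp/gui_auto_logout", "FINDING: automatic logout disabled (default 0)")
    elif secs > 1200:
        add("rdisp/gui_auto_logout", "FINDING: %d s exceeds the 1200 s maximum" % secs)
    else:
        add("rdisp/gui_auto_logout", "OK: %d s is within the 1200 s maximum" % secs)

    # Aborted postings (completeness verification sheet): documented, not rated by value.
    vbdelete = values.get("rdisp/vbdelete")
    if vbdelete is None:
        add("rdisp/vbdelete", "INFO: parameter not in export")
    elif vbdelete == "0":
        add("rdisp/vbdelete", "INFO: aborted posting records are deleted manually; check who deletes them")
    else:
        add("rdisp/vbdelete", "INFO: records %s days old are deleted automatically" % vbdelete)
    add("rdisp/vbmail", "INFO: an e-mail is sent on aborted postings"
        if values.get("rdisp/vbmail") == "1" else "INFO: no e-mail on aborted postings")

    # SAP* sheet: 1 = automatic user blocked, 0 = login after deletion permitted.
    add("login/no_automatic_user_sapstar",
        "OK: automatic SAP* login blocked" if values.get("login/no_automatic_user_sapstar") == "1"
        else "FINDING: login as SAP* with the standard password permitted after deletion")
    return out


def findings_only(results: List[Finding]) -> List[Finding]:
    """Keep only the verdicts that count against the unit being audited."""
    return [r for r in results if r[2].startswith("FINDING")]


if __name__ == "__main__":
    for name, value, verdict in check_parameters(parse_rspfpar(SAMPLE_RSPFPAR)):
        print("%-32s %-12s %s" % (name, value, verdict))
```

On the constructed export the script reports three findings (audit log not activated, audit log size below the suggested value, automatic logout at 3600 s); the aborted-posting parameters are reported as INFO lines because the sheet asks who posts and deletes them rather than prescribing a value.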
Findings
SAP R/3 Audit Action Sheet
AAS: 2. User authentication
Client: Auditor: Key date:
User authentication documentation
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
With regards to user authentication and management, documentation for the following is required:
a) User authentication and related system settings
b) Password provisions
c) Documentation of process (creation, modification and deletion of users, rights and profiles)
d) Documentation of emergency user and related options for use
e) Standard users and collective identities
NOTE: The majority of the above can be included in the authorization concept.
Processing notes
Obtain the documentation for the above topics from the unit being audited and clarify anything that is unclear in an interview.
Rating notes
Rate the documentation for the above in terms of scope, comprehensibility, up-to-dateness and traceability. Specify a rating based on the documentation available. The following documents should be available:
- Overview of authentication measures at the following levels: operating system, network environment, database, and SAP.
- Definition of password rules (length of passwords, period of validity for passwords, etc.).
- Naming conventions for users (unambiguity).
- Documentation of process with respect to the creation, modification and deletion of users, rights, and profiles.
- Documentation of emergency user concept on all the above levels.
- Provisions regarding standard users, collective users, and superusers.
Depending on the availability of the above-mentioned documents, as well as the quality of the information received, you can specify a rating between (0) and (4). You should also take into account the organizational background of the unit being audited and any existing dependencies/agreements with SBS, for example.
Findings
SAP R/3 Audit Action Sheet
AAS: 3. SAP R/3 authorization concept
Client: Auditor: Key date:
Authorization concept
Date: Relevance: GAAP
Rating: Informational data record / No rating Module: BC Basis system
Task
INFORMATIONAL DATA RECORD
The goal of the authorization concept is to prevent unauthorized access to the R/3 system. R/3 provides a flexible but complex range of tools. Drawing up and implementing the authorization concept is a task performed in the course of introducing R/3 that has to be implemented by the unit being audited. The following implementation alternatives are available:
- Manual implementation (definition of rights and profiles using transactions SU02 and SU03)
- Implementation using the profile generator (transaction PFCG)
- Implementation using external tools (tools from non-SAP vendors)
Regardless of the alternative used, appropriate documentation is required to always ensure that the access protection procedures are transparent and verifiable.
Determine
- which strategy for implementing an authorization concept has been selected by the company
- whether the project was adequately documented (description of the internal control system for the procedure according to GAAP)
- if the use of the SAP profiles supplied (e.g. SAP_ALL, F_BUCHHALTER) is prevented
- whether a uniform naming convention is used
The following matrix can be used for the rest of the procedure:
                     | Manual maintenance | Profile generator | External tool
Manual maintenance   | Check              | -                 | -
Profile generator    | Check              | Check             | -
External tool        | Check              | Check             | Check
Processing notes
Have the procedure explained by the unit being audited and obtain the relevant documentation. The procedure used for the introduction of the authorization concept is an aid to assessing further audit results.
Rating notes
This record is an informational data record. It records and documents the authorization management procedures used by the unit being audited.
Findings
SAP R/3 Audit Action Sheet
AAS: 3. SAP R/3 authorization concept
Client: Auditor: Key date:
Assignment of roles in authorization concept
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Role descriptions should be defined and documented for all user departments affected by the R/3 application. The menu paths and transactions that the role-holders may access should be specified for each role description. Both the required access rights (view, change) and any restrictions should be specified here.
Basis of assessment:
- Workstation description
- Org-Chart
Processing notes
Examine the concept to see whether the above questions can be answered. Clarify any
unclear points in interviews.
Rating notes
Determine whether, and in what form, role descriptions are defined and in what form the documentation is available. Assess whether the role descriptions were created in accordance with the requirements, the content is correct, and sufficient provision has been made for functional separation in accordance with GAAP. Depending on the information obtained and the documentation available, as well as the particular organizational background, you can specify a rating between (0) and (4).
Findings
SAP R/3 Audit Action Sheet
AAS: 3. SAP R/3 authorization concept
Client: Auditor: Key date:
User rights/authorization assignment
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
An authorization concept/organization that meets requirements is of crucial importance for the integrity of the overall SAP R/3 system and data protection. The question of the workflow and responsibilities in relation to the granting of authorizations and the creation/modification of authorizations is of key importance. In terms of an internal control system (ICS) that complies with requirements, the following issues should be addressed:
1) How has the company applied the principle of functional separation and communicated it in task and job descriptions?
2) How, and by whom, are critical authorization combinations prevented (e.g. by a function separation matrix) and is functional separation (incl. 4-eye review) provided?
3) How does the company update the authorization plan with respect to put levels and new releases, and who is responsible?
4) Do data owners (user departments) delegate access rights to their data to another department that is then responsible for assigning, managing and controlling user rights?
5) Are the profiles officially signed off?
Processing notes
Interview with responsible user department. Have the procedure for the production system explained to you and examine the available documentation.
Rating notes
The lack of a properly designed and implemented authorization concept/organization that meets requirements poses risks with respect to traceability as well as latent risks in terms of compliance with regulations. If these areas are not sufficiently documented and your evaluation of the system leads to a negative result (for example when evaluating "Replace" in debugging), a rating of (0) = very significant non-compliance should be specified. If descriptions/specifications are available, but compliance is not always ensured by means of the rights assigned, a rating of between (0) and (1) should be specified depending on the rights granted.
Findings
SAP R/3 Audit Action Sheet
AAS: 3. SAP R/3 authorization concept
Client: Auditor: Key date:
Creating/modifying and activating authorizations
Date: Relevance: GAAP
Rating: Informational data record / No rating Module: BC Basis system
Task
INFORMATIONAL DATA RECORD
Determine how many users can create/modify and activate authorizations.
Authorization object | Field | Field description | Value
1) Create/change authorization:
S_TCODE | TCD | Transaction code | SU03
S_USER_AUT | OBJECT | Authorization object | #*
S_USER_AUT | AUTH | Authorization name | #*
S_USER_AUT | ACTVT | Activity | 01 (create) or 02 (change)
2) Activate authorization:
S_TCODE | TCD | Transaction code | SU03
S_USER_AUT | OBJECT | Authorization object | #*
S_USER_AUT | AUTH | Authorization name | #*
S_USER_AUT | ACTVT | Activity | 07 (activate)
Processing notes
/nSA38 Report RSUSR002. Enter authorization object and continue with "Input values." Queries 1 and 2 are to be executed separately and the results compared.
Note: Note that the query is aimed at the overall authorization (#*); other values should be checked depending on the results.
Rating notes
The lack of functional separation in this area undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment.
Findings
SAP R/3 Audit Action Sheet
AAS: 3. SAP R/3 authorization concept
Client: Auditor: Key date:
Creating/modifying and activating profiles
Date: Relevance: GAAP
Rating: Informational data record / No rating Module: BC Basis system
Task
INFORMATIONAL DATA RECORD
Determine which users can create/modify and activate profiles.
Authorization object | Field | Field description | Value
1) Create/modify profile:
S_TCODE | TCD | Transaction code | SU02
S_USER_AUT | OBJECT | Authorization object | #*
S_USER_AUT | AUTH | Authorization name | #*
S_USER_AUT | ACTVT | Activity | 22 (assign)
S_USER_PRO | PROFILE | Authorization profile | #*
S_USER_PRO | ACTVT | Activity | 01 (create) or 02 (change)
2) Activate profile:
S_TCODE | TCD | Transaction code | SU02
S_USER_PRO | PROFILE | Authorization profile | #*
S_USER_PRO | ACTVT | Activity | 07 (activate)
Processing notes
/nSA38 Report RSUSR002. Enter the authorization object and continue with "Input values". Queries 1 and 2 are to be executed separately and the results compared.
Note: Note that the query is aimed at the overall authorization (#*); other values should be checked depending on the results.
Rating notes
The lack of functional separation in this area undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment.
Findings
SAP R/3 Audit Action Sheet
AAS: 1.03.050 3. SAP R/3 authorization concept
Client: Auditor: Key date:
Creating/modifying activity groups
Date: Relevance: GAAP
Rating: Informational data record / No rating Module: BC Basis system
Task
INFORMATIONAL DATA RECORD
Note: This record is only relevant if the profile generator is used.
Determine which users can create/modify activity groups/roles.
Authorization object | Field | Field description | Value
S_TCODE | TCD | Transaction code | PFCG
S_USER_AUT | OBJECT | Authorization object | #*
S_USER_AUT | AUTH | Authorization name | #*
S_USER_AUT | ACTVT | Activity | 01 (create) or 02 (change)
S_USER_PRO | PROFILE | Authorization profile | #*
S_USER_PRO | ACTVT | Activity | 01 or 02
S_USER_AGR | ACT_GROUP | Activity group | #*
S_USER_AGR | ACTVT | Activity | (01 or 02) and 64 (generate)
S_USER_VAL | OBJECT | Authorization object | #*
S_USER_VAL | AUTH_FILED | Field name | #*
S_USER_VAL | AUTH_VALUE | Authorization value | #*
S_USER_TCD | TCD | Transaction code | #*
Processing notes
/nSA38 Report RSUSR002. Enter authorization object and continue with "Input values". Five separate reports should be generated; each report will query S_TCODE with TCD = PFCG and each of the other objects with their respective values. Compare all reports (using Excel or Access if necessary).
Note: Note that the query is aimed at the overall authorization (#*); other values should be checked depending on the results.
Rating notes
The lack of functional separation in this area undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment.
Findings
SAP R/3 Audit Action Sheet
AAS: 3. SAP R/3 authorization concept
Client: Auditor: Key date:
Creating/modifying users
Date: Relevance: GAAP
Rating: Informational data record / No rating Module: BC Basis system
Task
INFORMATIONAL DATA RECORD
Determine which users can create/modify users.
Note: Depending on how the process is designed (refer to AAS 1.03.000), one or both methods should be investigated.
Authorization object | Field | Field description | Value
1) Create/modify users (manual):
S_TCODE | TCD | Transaction code | SU01 or SU10
S_USER_PRO | PROFILE | Authorization profile | #*
S_USER_PRO | ACTVT | Activity | 22 (assign)
S_USER_GRP | CLASS | User group | #*
S_USER_GRP | ACTVT | Activity | 01 (create) or 02 (change)
2) Create/modify users (profile generator):
S_TCODE | TCD | Transaction code | PFCG
S_USER_PRO | PROFILE | Authorization profile | #*
S_USER_PRO | ACTVT | Activity | 22 (assign)
S_USER_GRP | CLASS | User group | #*
S_USER_GRP | ACTVT | Activity | (01 or 02) and 22
S_USER_AGR | ACT_GROUP | Activity group | #*
S_USER_AGR | ACTVT | Activity | 22
Processing notes
/nSA38 Report RSUSR002. Enter the authorization object and continue with "Input values". Run queries 1 and 2 separately.
Note that the query is aimed at the overall authorization (#*); other values should be checked depending on the results.
Rating notes
The lack of functional separation in this area undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment.
Findings
SAP R/3 Audit Action Sheet
AAS: 1.03.050 3. SAP R/3 authorization concept
Client: Auditor: Key date:
Central user management
Date: Relevance: GAAP
Rating: Informational data record / No rating Module: BC Basis system
Task
INFORMATIONAL DATA RECORD
SAP also offers the option of performing centralized user maintenance/administration (CUA); i.e., access to another SAP system is possible by means of ALE (Application Link Enabling) without having to be logged in directly. In this case a central system is defined for distribution of the authorization data. This central system should always be the production system of the unit to be audited. This is the only way to ensure adequate protection for central management authorizations.
Note: if centralized user maintenance is in use (to determine, execute transaction SU01, enter a user ID, check the Roles tab and see if a systems column appears next to the role column; if so, CUA is in use) the following should be investigated in the corresponding central system.
Determine which users can centrally distribute user rights.
Authorization object | Field | Field description | Value
S_TCODE | TCD | Transaction code | SUUM and SUUMD
S_USER_AGR | ACT_GROUP | Activity group | #*
S_USER_AGR | ACTVT | Activity | 68 and 78
S_USER_GRP | CLASS | User group | #*
S_USER_GRP | ACTVT | Activity | 68 and 78
S_USER_SYS | SUBSYSTEM | Receiving system | #* or name of systems
S_USER_SYS | ACTVT | Activity | 78 (allocate), 90 (copy), 68 (model)
Processing notes
/nSA38, report RSUSR002. Enter the authorization object and continue with "Input values". Compare all four lists. Determine the names of the receiving systems from the unit being audited, or using transaction SUUM (middle column; expand the system accounts). Note: SUUM is no longer available; see SAP Note 433941. Note that the query is aimed at the overall authorization (#*); other values should be checked depending on the results.
Rating notes
The lack of functional separation in this area undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment. Particularly in the case of central systems that are not production systems, there is a risk of users being granted extensive rights on the production system without these users having to be logged on to that system.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Authorization assignment - function separation
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
SAP provides a 6-eyes approval process for user administration (to satisfy the requirements for function separation). A distinction can be drawn between:
- Activation administration
- User administration
- Authorization administration (creating and maintaining authorizations and profiles)
The audit should begin with the organizational conditions, from the application to create a user through to setting up the user. Also refer to AASs 1.03.030, 1.03.040, 1.03.050, 1.03.060 and 1.03.070 for additional information regarding the rating; evaluation of the authorizations is based on these audit sheets. Note that, depending on which approach the client is using (manual, profile generator, external tools, combinations), not all AASs will be required for the assessment.
For function separation reasons, the following authorization objects (modification instance) should not be in one profile: S_USER_PRO and S_USER_AUT and S_USER_GRP. That is, no user in the production system should simultaneously have rights for user maintenance and for authorization maintenance. To obtain an overview and description of the fields for the above-mentioned objects, keep the object documentation open at the same time as the reports. For evaluation, the maximum may be queried using #*, or the query may be differentiated, for example by maintenance authorization based on user groups (e.g. Super*). Query differentiation depends on the defaults established by the company.
Processing notes
/nSA38, report RSUSR002, selection criteria for authorizations. Enter authorization values > "Input values" > select by values, authorization object 1 = S_TCODE, then press the "Input values" button and enter "SU01" in the first value field. Repeat the procedure for the other objects.
Rating notes
Establish who has the above authorizations and in which combinations. Always ensure that the assigned authorizations were granted to users in line with requirements (refer to the organizational concept of the unit) and that the authorizations assigned to users comply with the stipulations in the authorization concept. This means that if, for example, 3 activation administrators are specified in the authorization concept, then only 3 users have this authorization (organizational provision). If the conceptual requirements are adequately designed and an authorization assignment that supports adequate function separation is implemented, then there is no non-compliance = (4). If this is not the case, a rating of between (0) and (3) should be specified depending on the number of selected users.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Users with SAP_ALL / SAP_NEW profile
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
Determine who has all rights in the SAP system. The collective profile SAP_ALL is a "standard profile" containing comprehensive authorizations. The SAP_NEW profile is a "standard profile" that SAP AG makes available during release upgrades; it contains comprehensive authorizations for the authorization objects that were developed for a new release. The profile should not be assigned to any user master record, since excessive access rights could be granted as a result of the blanket assignment of new authorizations. Moreover, assignment of these profiles undermines the effectiveness of an internal control system in which only those rights required by an employee to perform his or her work are assigned, and therefore also undermines all operational workflows based on function separation. For example, the Basis administrator should be granted only the authorizations required for Basis administration. This authorizes him or her to manage the entire R/3 system, but not to perform tasks in other areas such as HR (refer to the table edit and table viewing authorizations). As it grants comprehensive rights, SAP_ALL should not be assigned to any user master record (with the exception of an emergency user master record, for which special provisions have to be made).
Processing notes
/nSA38 > report "RSUSR002", profile "SAP_ALL"/nSA38 > report "RSUSR002",
profile "SAP_NEW"
Rating notes
The lack of functional separation due to the use of the SAP_ALL collective profile undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment. In addition, it includes authorizations that according to GAAP should not be granted on production accounting systems, since they may conflict with traceability principles. If users who are regularly active in daily operations have this profile, this audit action sheet should be rated (0). Only emergency users whose deployment is tracked and documented in the security audit log may have this profile. With respect to the SAP_NEW profile, a rating between 0 and 4 should be specified depending on the other roles/profiles assigned and what form they take.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Batch input - access rights
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
Batch input sessions contain data intended for processing in the R/3 system; many contain accounting-relevant data. Therefore, batch input sessions have to be processed promptly, completely and correctly. The various ways users can access batch input sessions can be mapped in the batch input interfaces. If there is wide-ranging access to BI sessions (including authorizations to delete without previously completing processing), there is a risk of incompleteness and of non-compliance with regulations. Authorization object S_BDC_MONI "batch input authorization", with the fields monitoring activity and session name, is available for mapping function access to BI sessions. The SAP R/3 system classifies the following values as monitoring activities (BDCAKTI):

Instance                                Risk
AONL - Running a session online         Modification of field content
ABTC - Running a batch session          Unauthorized processing
ANAL - Analyzing sessions and logs      Possible modification of data
DELE - Deleting sessions and logs       Completeness (if session had not yet been processed)
LOCK - Locking and unlocking sessions   If necessary, period allocation
FREE - Releasing sessions               Unauthorized processing

The session name (BDCGROUPID) authorization field can be used to restrict access to individual sessions or to generic sessions (e.g. "HU*"). The following instances are relevant:

Authorization object   Field        Field description     Value
1) S_BDC_MONI          BDCAKTI      Monitoring activity   DELE
                       BDCGROUPID   Session name          #*
   AND
2) S_TCODE             TCD          Transaction code      SM35
Processing notes
/nSA38, report RSUSR002, selection criteria for authorizations. Enter authorization values > "Input values" > select by values, authorization object 1 = S_BDC_MONI, then press the "Input values" button and input ALL or the above values in the first value field. Expand the search criteria to include authorization object 2 = S_TCODE with input value SM35. In this context you should also clarify whether differentiated access using appropriate naming conventions for sessions is mapped; this also serves to specify the values identified above.
Rating notes
The number of users who can delete BI sessions is the main rating criterion for the above reports. If a large number of users (i.e. far more than the number of financial accounting or Basis staff) are authorized to delete BI sessions, then this AAS should be rated (0) = very significant non-compliance. If, however, authorization for analyzing and deleting BI sessions has only been granted to users who should actually have these rights in accordance with organizational stipulations, and only the other activities (such as AONL, ABTC, LOCK) deviate from the authorization concept, then the AAS can be rated (3) = minor non-compliance. If all authorizations are restricted and the authorized users are actually entitled to have these rights, this AAS can be rated (4) = no non-compliance.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: BI job scheduling under different user ID
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
It is possible to schedule jobs as batch or background jobs both under one's own and under someone else's user name. In such cases the job is processed with the authorizations of the other user. This capability can have the effect of a "Trojan horse", since a user can then make use of sensitive authorizations that are not available through his or her own user master record. Such access is checked using authorization object S_BTCH_NAM. The assignment of authorizations for this object should be restricted and has to be justified. Determine which users can schedule jobs under a different name. The following instances are relevant:
Authorization object   Field       Field description                     Value
1) S_BTCH_JOB          JOBACTION   Operations on a job                   RELE
                       JOBGROUP    Combination of jobs to form a group   #*
   S_BTCH_ADM          BTCADMIN    ID for batch administrator            Y
   S_BTCH_NAM          BTCUNAME    Batch user name                       #*
2) S_TCODE             TCD         Transaction code                      SM37
Processing notes
/nSA38, report RSUSR002, selection criteria for authorizations. Enter authorization values > "Input values" > enter the values as shown above; run options 1 and 2 separately. Note all users that have access to both option 1 and option 2. Only those with all objects can schedule jobs under another user name.
Rating notes
If batch jobs can be run under someone else's user name, unambiguous tracking with respect to the responsibility for business transactions is made more difficult. The above authorization should be restricted and has to be justified. Establish who has the above authorization. If an unjustifiably large number of users have this authorization, this AAS should be rated (0) = very significant non-compliance. If the number of users with this authorization is justifiable, also from a function-related point of view, a rating of (4) can be specified.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Replace in debugging
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
Determine who can "electronically erase". This authorization can negatively impact the traceability of the procedure used; it thus conflicts with the requirements of both commercial law and GAAP. The S_DEVELOP authorization object controls whether changes are possible to the program logic or to field contents (including tables) during program execution ("replace" in the debugger). Since the above-mentioned activity modifies data in main memory, it is not possible to record the activities performed, and therefore not possible to provide evidence of changes. The following instances are relevant:
Authorization object   Field     Field description   Value
S_DEVELOP              OBJTYPE   Object type         PROG, SYST, DEBUG
                       ACTVT     Activity            02
S_TCODE                TCD       Transaction code    SA38 or SE38 (also SE16 for tables)
Processing notes
/nSA38, report RSUSR002. These 2 objects are to be queried together.
Rating notes
If users who are regularly active in daily operations have the above authorization (the number of users is irrelevant here), this audit action sheet should be rated (0). Only emergency users whose deployment is tracked and documented in the security audit log may have this authorization. In this case there is no non-compliance, provided that the use of this function is adequately documented.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Editing change documents
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
Determine who can edit change documents. Since deletion of change documents jeopardizes traceability, deployment of these actions contravenes the legally required traceability of accounting data if an archiving run was not previously performed. The change documents authorization object (S_SCD0) controls access to the change documents that the SAP system generates during changes to master data or user master data records. According to §257 of the German Commercial Code (HGB), master data change documents are documents that have to be retained and stored for a period of at least 10 years. Standard SAP supports the maintenance (i.e. editing) or deletion of change documents (e.g. with report RSCDOK99). Authorization object S_SCD0 uses the following activity values:
08 - View change documents
06 - Delete change documents
12 - Maintain change document objects
Processing notes
/nSA38 --> RSUSR002 --> authorization object 1 = S_SCD0 (press the "Input values" button) and query activities 06 and 12 in sequence. Note: do not query a transaction code; the object is used in different transactions and reports, and a conclusive query would not be worth the effort.
Rating notes
If users who are authorized to delete change documents are regularly active in daily operations, rate as (0) = very significant non-compliance, regardless of the number of users concerned. This functionality is permitted only for defined emergency users whose deployment is monitored in the security audit log. In addition, binding operating procedures that define the cycles for archiving change documents should be present.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Developer rights on production system
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
The SAP system allows ABAPs on the production system to be protected against changes. If
this capability is not utilized,it is possible for someone with the relevant rights to delete
or change the ABAPs on the system, or to create new,unreleased ABAPs. If an existing
ABAP is changed, the SAP system records the date, version number and user ID of the
0 = Very significant non-compliance; 1 = Significant non-compliance; 2 = Non-compliance; 3 =
Minor non-compliance; 4 = No non-compliance; N = Not relevant; I = Informational data record
C
OMPANY
D
ELTA
: SAP R/3 A
UDIT
A
CTION
S
HEETS
(E
XCERPT
)
user who made the change. The original form of the ABAP is also stored and assigned
a modification flag. In this waySAP ensures that the original version and the latest updated
version are saved. However, a change history recordingintermediate versions is not
maintained, i.e. logs are not established. Besides the risk that changes to ABAPs on
theproduction system could jeopardize the integrity of the entire system, the corresponding
combination of rights could makeit impossible to ensure the traceability of the processing
system for the reasons stated above. This can also undermineany internal control system in
place, since there is also access to the anchoring of the "authority check" in the
programs.Establish therefore who can perform application development on the production
system.Note:Only relevant if object protection (system change option) is not switched on in
the system and the identified users alsoactually have a developer ID on the production
system, and if it does not involve objects in the SAP namespace.
Processing notes
1) /nSA38, RSUSR002: object S_DEVELOP with activity #* and object type "ALL", and S_TCODE with SE38 or SE80.
2) Object S_PROGRAM with user action ABAP/4 program "SUBMIT" and authorization group with value "ALL" -> compare the two lists.
3) Identify the developer key: /nSE16, call table DEVACCESS and match the user IDs there with the above reports.
Only those present in all three reports may perform application development on the production system.
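The queries on the function-separation sheet (S_USER_PRO, S_USER_AUT and S_USER_GRP held together), the job-scheduling sheet (S_BTCH_JOB, S_BTCH_ADM, S_BTCH_NAM and SM37), the replace-in-debugging sheet (S_DEVELOP with DEBUG and activity 02 plus SE38/SA38) and the three lists on this sheet all ask RSUSR002 the same question: which users hold a particular combination of authorization objects and field values. The Python program below is an added example, not SAP code and not part of the audit action sheets; it evaluates those four combinations in one pass over an authorization extract. The extract rows, user names, authorization names and the DEVACCESS content are constructed test data; in practice they would be downloaded from the user-to-authorization tables and from table DEVACCESS. It also makes explicit a caveat that matters when the query is scripted rather than run in RSUSR002: the kernel's check succeeds only if one single authorization instance covers all fields of the object, so a script that unions field values across all of a user's authorizations of the same object over-reports.

```python
"""Critical authorization combinations over a user/authorization extract.
Added example, not SAP code; the extract and DEVACCESS content are constructed."""
from collections import defaultdict


def value_grants(held, wanted):
    """'*' is the full authorization (entered as #* in RSUSR002), 'Z*' a generic
    value. Assumption: single values only, no FROM/TO ranges."""
    if held == "*":
        return True
    if held.endswith("*"):
        return wanted.startswith(held[:-1])
    return held == wanted


def load_extract(rows):
    """(user, authorization, object, field, value) rows -> user: [(object, {field: {values}})].
    Values belonging to different authorizations of the same object stay separate."""
    grouped = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for user, auth, obj, field, value in rows:
        grouped[user][(obj, auth)][field].add(value)
    return {u: [(obj, dict(f)) for (obj, _), f in a.items()] for u, a in grouped.items()}


def holds(instances, obj, wanted):
    """True if ONE authorization instance of obj covers every wanted field
    (wanted = {field: (alternative values,)}), which is how the kernel evaluates it."""
    return any(held_obj == obj and
               all(any(value_grants(h, w) for h in fields.get(f, ()) for w in alts)
                   for f, alts in wanted.items())
               for held_obj, fields in instances)


def holds_fieldwise(instances, obj, wanted):
    """Naive variant: unions field values across all authorizations of obj. Over-reports."""
    union = defaultdict(set)
    for held_obj, fields in instances:
        if held_obj == obj:
            for f, vals in fields.items():
                union[f] |= vals
    return all(any(value_grants(h, w) for h in union[f] for w in alts)
               for f, alts in wanted.items())


# Combinations taken from the sheets; every object listed in a rule must be held.
RULES = {
    "user and authorization maintenance combined": [
        ("S_USER_PRO", {"ACTVT": ("02",)}), ("S_USER_AUT", {"ACTVT": ("02",)}),
        ("S_USER_GRP", {"ACTVT": ("02",)})],
    "job scheduling under another user ID": [
        ("S_BTCH_JOB", {"JOBACTION": ("RELE",)}), ("S_BTCH_ADM", {"BTCADMIN": ("Y",)}),
        ("S_BTCH_NAM", {"BTCUNAME": ("*",)}), ("S_TCODE", {"TCD": ("SM37",)})],
    "replace in debugging": [
        ("S_DEVELOP", {"OBJTYPE": ("DEBUG",), "ACTVT": ("02",)}),
        ("S_TCODE", {"TCD": ("SE38", "SA38")})],
    "development on production": [
        ("S_DEVELOP", {"OBJTYPE": ("PROG",), "ACTVT": ("02",)}),
        ("S_PROGRAM", {"P_ACTION": ("SUBMIT",), "P_GROUP": ("*",)}),
        ("S_TCODE", {"TCD": ("SE38", "SE80")})],
}
NEEDS_DEVELOPER_KEY = {"development on production"}  # the sheet's third list (DEVACCESS)


def evaluate(rows, devaccess=frozenset(), check=holds):
    """rule -> sorted users holding the whole combination (plus a developer key where required)."""
    users = load_extract(rows)
    findings = {}
    for rule, reqs in RULES.items():
        hits = [u for u, inst in sorted(users.items())
                if all(check(inst, obj, wanted) for obj, wanted in reqs)]
        findings[rule] = [u for u in hits if u in devaccess] if rule in NEEDS_DEVELOPER_KEY else hits
    return findings


# Constructed extract rows: (user, authorization, object, field, value).
EXTRACT = [
    ("BASIS01", "T-B100", "S_USER_PRO", "ACTVT", "02"),
    ("BASIS01", "T-B101", "S_USER_AUT", "ACTVT", "02"),
    ("BASIS01", "T-B102", "S_USER_GRP", "ACTVT", "02"),
    ("BASIS01", "T-B103", "S_DEVELOP", "OBJTYPE", "DEBUG"),  # debugger, display only
    ("BASIS01", "T-B103", "S_DEVELOP", "ACTVT", "03"),
    ("BASIS01", "T-B104", "S_DEVELOP", "OBJTYPE", "PROG"),   # change, but not DEBUG
    ("BASIS01", "T-B104", "S_DEVELOP", "ACTVT", "02"),
    ("BASIS01", "T-B105", "S_TCODE", "TCD", "SE38"),
    ("DEV01", "T-D100", "S_DEVELOP", "OBJTYPE", "*"),
    ("DEV01", "T-D100", "S_DEVELOP", "ACTVT", "*"),
    ("DEV01", "T-D101", "S_PROGRAM", "P_ACTION", "SUBMIT"),
    ("DEV01", "T-D101", "S_PROGRAM", "P_GROUP", "*"),
    ("DEV01", "T-D102", "S_TCODE", "TCD", "SE38"),
    ("FIREFIGHT", "T-F100", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    ("FIREFIGHT", "T-F100", "S_DEVELOP", "ACTVT", "02"),
    ("FIREFIGHT", "T-F101", "S_TCODE", "TCD", "SA38"),
    ("JOBADM", "T-J100", "S_BTCH_JOB", "JOBACTION", "RELE"),
    ("JOBADM", "T-J101", "S_BTCH_ADM", "BTCADMIN", "Y"),
    ("JOBADM", "T-J102", "S_BTCH_NAM", "BTCUNAME", "*"),
    ("JOBADM", "T-J103", "S_TCODE", "TCD", "SM37"),
    ("CLERK01", "T-C100", "S_BTCH_NAM", "BTCUNAME", "CLERK*"),  # generic, not #*
]
DEVACCESS = frozenset({"DEV01"})  # constructed content of table DEVACCESS

if __name__ == "__main__":
    for rule, hits in evaluate(EXTRACT, DEVACCESS).items():
        print(f"{rule}: {hits or 'none'}")
```

Running the program lists BASIS01 for the combined user/authorization maintenance, JOBADM for job scheduling under another user ID, DEV01 and FIREFIGHT for replace in debugging, and only DEV01 for development on production (FIREFIGHT has no S_PROGRAM and no developer key). BASIS01 is reported for replace in debugging only by the naive field-wise variant, because DEBUG and activity 02 sit in two different authorizations; CLERK01's generic value CLERK* is correctly not counted as the overall authorization, which is the reason the sheets say to query #* first and then check other values depending on the results.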
Rating notes
If application development is performed directly on the production system, problems with respect to compliance with regulations and traceability arise, since it is possible for all controls such as testing, acceptance and release procedures to be circumvented. In addition, data may be accessed and modified. No users active in day-to-day operations should have the above authorizations; only viewing functionalities are permitted. A rating of (0) = very significant non-compliance should therefore be specified if users (any number greater than zero) have the above authorizations. Only defined emergency users may be granted rights to modify data.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Number range maintenance authorization
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
Access to number ranges is controlled using the S_NUMBER authorization object. The following activities, critical from the point of view of year-end closing, should be differentiated:
02 - Create, change or delete number range, or change number range intervals
11 - Change number range status (= last number used) for a number range
13 - Initialize number range status (= last number used) for a number range
Determine who can maintain number ranges. The following instances are relevant:

Authorization object   Field   Field description     Value
S_NUMBER               NROBJ   Number range object   #*
                       ACTVT   Activity              11 (or the above values)
S_TCODE                TCD     Transaction code      SNRO or SNUM
Processing notes
/nSA38, report RSUSR002, selection criteria for authorizations. Enter authorization values > "Input values" > enter the values as shown above. Both objects are to be queried together.
Rating notes
If the number range status is changed, there is a risk that procedure traceability can no longer be guaranteed, since document numbers could be duplicated or gaps in document numbers could be subsequently filled. These rights should be restricted to selected users. If a large number of users who do not need access to this functionality for their daily tasks have this authorization, this AAS should be rated (0). A rating of (4) may only be specified if this authorization was granted extremely restrictively to selected users.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: System administration
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
Determine who has access rights for system administration. Authorization object S_ADMI_FCD controls system administration access rights. There are forms of this authorization object that jeopardize the traceability of the data processing procedure used. The authorizations should therefore not be assigned, or only assigned in a very restricted form, to system administration users. The following (alternative) instances are relevant:

Authorization object   Field        Field description       Value
(1) S_TCODE            TCD          Transaction code        SM50 (process admin. incl. background debugging)
    S_ADMI_FCD         S_ADMI_FCD   System admin function   PADM
(2) S_TCODE            TCD          Transaction code        SM13 (update administration)
    S_ADMI_FCD         S_ADMI_FCD   System admin function   UADM
(3) S_TCODE            TCD          Transaction code        SM49 (execution of UNIX/SINIX commands)
    S_ADMI_FCD         S_ADMI_FCD   System admin function   UNIX (SAP via report SAPMSOS0)
(4) S_TCODE            TCD          Transaction code        OKC3 (delete CO transaction data)
    S_ADMI_FCD         S_ADMI_FCD   System admin function   RSET (unlogged modifications on entire system)
(5) S_TCODE            TCD          Transaction code        SP11
    S_ADMI_FCD         S_ADMI_FCD   System admin function   SPTD or SPTR (TemSe management)
(6) S_TCODE            TCD          Transaction code        SM19
    S_ADMI_FCD         S_ADMI_FCD   System admin function   AUDA (Basis Audit Administration)

Determine which users are permitted to perform all actions on update records and reorganization. Access to external update records (i.e. those not generated by the respective user) is controlled by the authorization object for update administration, S_ADMI_FCD in the form UADM. This authorization object also controls reorganization of the update database. This authorization should be restricted to selected users.
Processing notes
/nSA38, report RSUSR002, selection criteria for authorizations. Enter authorization values > "Input values" > enter the values as shown above. The results should be documented individually for queries (1)-(6).
Rating notes
The lack of functional separation in this area undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment. If not correctly applied, authorizations such as those for update administration jeopardize the traceability of the procedure used. They should therefore be restricted to selected Basis users. If this is the case, the rating should be (4). If not, where there is extensive non-function-related assignment of authorizations, a rating of (0) = very significant non-compliance should be specified.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: System administration (RZ10) profile maintenance
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
The system profiles that control how SAP instances are started are maintained in the Computer Center Management System (CCMS) using transaction RZ10. System profile parameters (e.g. the rec/client parameter for table logging, or parameters that suppress authorization checks) may also be changed using this transaction. The authorizations for this transaction should be restricted to selected system administration users. The following instances are relevant:

Authorization object   Field   Field description   Value
S_TCODE                TCD     Transaction code    RZ10
S_RZL_ADM              ACTVT   Activity            01

Determine who performs the system administration tasks relating to instances.
Processing notes
/nSA38, report RSUSR002, selection criteria for authorizations. Enter authorization values > "Input values" > select by values, authorization object 1 = S_TCODE, then press the "Input values" button and input RZ10 in the first value field.
Rating notes
The lack of functional separation in this area undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment. Establish therefore who has the above authorization. It should be restricted to selected Basis users. If this is the case, the rating should be (4). If not, where there is extensive non-function-related assignment of authorizations, a rating of (0) should be specified.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Table maintenance (objects S_TABU_DIS and S_TABU)
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
In many areas, work on the SAP R/3 system is controlled by tables, i.e. important system workflows can be influenced by table settings. For this reason, the table maintenance authorization should be assigned only to defined and competent users in the individual user departments, or to SAP system management, as part of a clear, organizationally specified table maintenance procedure. For reasons of access protection and the data ownership principle, the table update authorization should be assigned in accordance with the table classification and should be tailored to the respective application area. In addition, an internal control system has to be implemented by logging table updates. The change documents have to be checked by another person by means of spot checks, in accordance with the four-eyes principle.
Note: changing or adding a table authorization class, by means of transaction SE13 for example, results in a repair flag. As a result this change can be overwritten again at the next put or release update, i.e. the modifications will have to be performed again for a new release.
Check who has the right to change tables:

Authorization object   Field        Field description     Value
1) S_TCODE             TCD          Transaction code      SM31 or SE16 (table maintenance for all table classes)
   S_TABU_DIS          DICBERCLS    Authorization group   #*
                       ACTVT        Activity              02
Note: specifying the authorization group (e.g. FB31 for posting periods) allows authorizations for special table classes to be queried. See table TDDAT for other table classes.
In addition, cross-client tables:
2) S_TCODE             TCD          Transaction code      SM31 (table maintenance for all cross-client tables)
   S_TABU_CLI          CLIIDMAINT   Flag                  X
Processing notes
/nSA38, RSUSR002:
1) Authorization object "S_TABU_DIS", activity 02, authorization group #* (for all table classes)
2) Authorization object "S_TABU_DIS", activity 02, authorization group FB31 (for posting periods)
3) Authorization object "S_TCODE" with SM31 and authorization object "S_TABU_CLI" with value X
Rating notes
A lack of function separation with respect to table maintenance according to the data ownership principle undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment, and adds to the subsequent work of checking the changes made. The following ratings are specified:
1. If a large number of users are authorized to maintain tables and no subsequent checks are in place, a rating of (0) = very significant non-compliance should be specified.
2. If a large number of users are authorized to maintain tables, but it can be demonstrated that subsequent checks are performed through examination of the change logs generated, a rating of (3) = minor non-compliance should be specified.
3. If authorizations are assigned on the basis of functions, this is rated as no non-compliance (4).
Assignment of table maintenance authorizations should always be function-related using table classes (for selected users in the relevant user departments).
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 3. SAP R/3 authorization concept
Title: Logical operating system commands (UNIX)
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
The following audit tasks relate to development and R/3 Basis administration. In R/3, logical operating system commands can be executed as external commands. Both the maintenance and the execution of external commands are protected by means of R/3 authorizations. External commands can be maintained and executed either online (via the CCMS menu) or via special function modules in ABAP programs.
A) Execution of external commands: external commands can be executed using transaction SM49. R/3 contains detailed information for every external command, including the operating system command, the predefined parameters in their full length, and information on whether additional parameters are permitted. In addition, the commands predefined by SAP can be supplemented by user-defined commands and parameters.
B) Maintenance of external commands: external commands can be modified using transaction SM69.
The following authorizations are required to execute/maintain logical operating system commands:

Object      Field      Field description                Value
S_TCODE     TCD        Transaction code                 SM49 or SM69
S_RZL_ADM   ACTVT      Activity                         01
S_LOG_COM   COMMAND    Logical command name             #*
            OPSYSTEM   R/3 system, operating system     #*
            HOST       R/3 system, application server   #*

In the case of S_LOG_COM it may additionally be necessary to match the values of the fields to selected commands (SM49).
Processing notes
/nSA38, RSUSR002. All three objects are to be queried together.
Rating notes
Access rights to the operating system level can undermine the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment, especially if the commands predefined by SAP are supplemented by user-defined commands and parameters. Check therefore who has the above-mentioned authorizations. Authorization should be very restricted. If this is the case, there is no non-compliance. If this is not the case, a rating of between (0) and (3) should be specified depending on the technical and organizational situation.
Findings
SAP R/3 Audit Action Sheet
AAS:   Section: 4. Authorization checks
Title: Self-developed programs
Client:    Auditor:    Key date:    Date:    Relevance: GAAP
Rating: |0|1|2|3|4|N|I|
Module: BC Basis system
Task
A so-called AUTHORITY-CHECK should always be performed when a report is executed, to enable an authorization check to be run.
GENERAL NOTE ON AUTHORIZATION CHECKS: Authorization groups can be used to protect tables, accounts and account groups (e.g. all fixed asset accounts). Allocation is performed via the TDDAT table (for tables). Authorization classes can be used to protect specific reports with authorizations. Allocation is performed via the RSCSAUTH report. In addition, authorization classes in report trees can be allocated to the nodes and thus protect all subordinate reports (using this method, reports cannot then be called up directly). Using AUTHORITY-CHECKs, reports can provide protection in the source text against access to specific data. Access to the data will be permitted only if the user has the authorizations stored in the source text. The AUTHORITY-CHECKs can also be stored in logical databases. Access through logical databases means that the data is no longer accessed directly, but indirectly via the logical database as a query interface.
Perform spot checks to determine whether AUTHORITY-CHECKs are mandatory in self-developed programs (programs with the naming convention Z*, Y* or other namespaces agreed on by the unit being audited and SAP):
- Development guidelines
- Spot checks in the source text of self-developed programs or logical databases
Processing notes
1) Examine the development guidelines and evaluate them with respect to whether AUTHORITY-CHECKS are mandatory.
2) Spot check the source text of self-developed programs/reports and ascertain whether AUTHORITY-CHECKS have been implemented. /nSA38 RSABAPSC and name of selected ABAPs (specific ABAP name required – wildcards are not supported). For a rough assessment: /nSA38 RPINCL10 with search for authority-check and reports Z*, Y*. The spot checks performed should be documented as part of the working documents.
3) If a logical database is used, the source text of the logical database should be examined for AUTHORITY-CHECKS. /nSE84 -> programming -> program library -> logical databases -> select database (stored in properties of ABAP /nSE38) -> source text
Rating notes
The lack of authority checks undermines the effectiveness of an internal control system based on the principles of functional separation and minimum rights assignment and can lead to risks with respect to the procedure used and compliance with regulations. Ascertain whether an AUTHORITY-CHECK was implemented in self-generated reports, enabling only users having the rights defined in it to start a report. If this is not the case, then the audit action sheet should be rated (0) = very significant non-compliance. A rating of (4) = no non-compliance can be specified if organizational instructions indicate AUTHORITY-CHECKS are binding, and compliance with these instructions can be tested in spot checks and verified.
Findings
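As an added example (not part of the audit action sheets or of any SAP program), the rough source-text assessment described in the processing notes can be reproduced offline over downloaded program sources; the program names, the sources and the "/DELTA/" namespace are constructed for illustration:

```python
"""Rough assessment of AUTHORITY-CHECK coverage in self-developed ABAP programs.

Added example, not part of the audit action sheets: it mimics the RPINCL10-style
source search from the processing notes over a constructed dictionary of program
sources (an auditor would feed it source text obtained via SE38/RSABAPSC).
Program names and sources are constructed for illustration.
"""
import re

# Customer namespaces named in the sheet (Z*, Y*); "/DELTA/" stands in for a
# namespace agreed with SAP and is an assumption made for this example.
CUSTOMER_PREFIXES = ("Z", "Y", "/DELTA/")

# A live statement, not a mention inside a literal or a comment.
_AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.IGNORECASE)


def code_only(line: str) -> str:
    """Return the executable part of one ABAP line.

    A '*' in column 1 marks a full-line comment, text after an unquoted '"' is
    an inline comment, and '...' string literals are blanked so that the words
    AUTHORITY-CHECK inside a message text do not count as a check.
    """
    if line.startswith("*"):
        return ""
    out = []
    in_literal = False
    for ch in line:
        if in_literal:
            if ch == "'":
                in_literal = False
            continue
        if ch == "'":
            in_literal = True
        elif ch == '"':
            break
        else:
            out.append(ch)
    return "".join(out)


def has_authority_check(source: str) -> bool:
    """True if at least one non-commented AUTHORITY-CHECK OBJECT statement exists."""
    return any(_AUTH_CHECK.search(code_only(line)) for line in source.splitlines())


def is_customer_program(name: str) -> bool:
    return name.upper().startswith(CUSTOMER_PREFIXES)


def assess_programs(programs: dict) -> dict:
    """Split customer-namespace programs into checked/unchecked; SAP programs are skipped."""
    result = {"checked": [], "unchecked": []}
    for name, src in sorted(programs.items()):
        if not is_customer_program(name):
            continue
        result["checked" if has_authority_check(src) else "unchecked"].append(name)
    return result


def rate_sheet(assessment: dict, guidelines_make_check_binding: bool) -> int:
    """Rating per the sheet: (4) only if the guidelines make AUTHORITY-CHECKs binding
    and the spot checks confirm it; otherwise (0) = very significant non-compliance."""
    if guidelines_make_check_binding and not assessment["unchecked"]:
        return 4
    return 0


# Constructed sample sources (illustrative only, not from any real system).
SAMPLE_PROGRAMS = {
    "ZFI_POST_LIST": (
        "REPORT zfi_post_list.\n"
        "AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'\n"
        "  ID 'BUKRS' FIELD p_bukrs\n"
        "  ID 'ACTVT' FIELD '03'.\n"
        "IF sy-subrc <> 0. MESSAGE e001(zfi). ENDIF.\n"
    ),
    "ZFI_DUMP_ALL": (
        "REPORT zfi_dump_all.\n"
        "* AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'ACTVT' FIELD '03'.  \" disabled\n"
        "SELECT * FROM bkpf INTO TABLE lt_bkpf.\n"
    ),
    "YHR_EXPORT": (
        "REPORT yhr_export.\n"
        "WRITE 'no AUTHORITY-CHECK OBJECT here, only text'.\n"
        "SELECT * FROM pa0002 INTO TABLE lt_pa.\n"
    ),
    "RSUSR002": "REPORT rsusr002.\n",  # SAP namespace: out of scope for this sheet
}

if __name__ == "__main__":
    assessment = assess_programs(SAMPLE_PROGRAMS)
    print(assessment)
    print("rating:", rate_sheet(assessment, guidelines_make_check_binding=True))
```

The commented-out check in ZFI_DUMP_ALL and the literal in YHR_EXPORT are the two false positives a plain text search for "authority-check" would produce.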
SAP R/3 Audit Action Sheet
AAS:
4. Authorization checks
Client: Auditor: Key date:
Authorization parameters on the system
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Determine what basic settings the company has made with respect to access protection in the current/present system profile and whether they pose any risks. The following parameters govern authorization:
1) AUTH/NO_CHECK_IN_SOME_CASES: If "Y", authorization checks when SAP's profile generator is used can be limited using transaction SU24 and therefore monitored by the system administrator. The authorization check is only restricted if the check flags are also changed. In organizational terms, therefore, note who is permitted to change check flags and when. (The value has to be the same in both the development and the production system.)
2) AUTH/OBJECT_DISABLING_ACTIVE (from SAP 4.5): If Y, the authorization check for objects (except S_* and P_*) may be switched off. Can be verified with transaction AUTH_DISPLAY_OBJECTS. (The check has been switched off if the object is red.)
3) AUTH/RFC_AUTHORITY_CHECK: (1 = authorization check is active). Specifies whether authorization checks are performed with respect to Remote Function Call (RFC) against the authorization object S_RFC.
4) AUTH/SYSTEM_ACCESS_CHECK_OFF: (0 = checking remains active). Automatic authorization checks can be switched off for specific ABAP/4 language elements. These language elements are, for example, file operations, kernel function calls, or CPIC calls.
Processing notes
/nsa38 > input "RSPFPAR" > evaluation of above parameters (in substituted form) with search function: search values -> highlight -> F8
Rating notes
Establish which system settings at the unit being audited are affected. Always ensure that authorization checks are used to provide the security required both by Siemens guidelines and the principles of GAAP. If this is the case, a rating of (4) can be specified. If authorization checks are switched off, a rating of between (0) and (3) should be specified depending on the degree to which they have been switched off.
Findings
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
Traceability of table changes
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
The SAP R/3 system is controlled by tables. Tables should be seen as external program components and therefore – like program changes – they constitute a mandatory part of the process documentation. They are therefore subject to the German statutory retention period of at least 10 years (§257 HGB). The table change logs can be controlled on the system using two parameters:
- In the system parameters (RSPARAM) the entry "rec/client" may be used to define whether logs should be maintained, and for which R/3 system clients. In addition, check whether changes have previously been made to the parameter. Furthermore, change logs can be activated when transports are loaded. In this case, the RECCLIENT parameter has to be set in TMS to the same value as rec/client.
- In the technical settings of each individual table, you can control which tables are to be included in the logs using the "logflag". Note that self-created tables (T9*, Y*, Z* or additional namespaces) should always be flagged for mandatory logging.
Processing notes
/nSA38 -> enter "RSPFPAR", parameter: rec/client
/nTU02 -> select respective server -> history of file and search for rec/client
/nSTMS -> system overview -> select production server -> select display -> transport tool tab. If the RECCLIENT parameter is not present in the list, logs are not maintained during imports.
Rating notes
If the rec/client parameter is not set to "ALL" or to the corresponding client numbers, traceability is jeopardized for the procedure. This AAS should therefore be given a rating of (0) = very significant non-compliance.
Note: If the parameter is set, make sure the proper authorizations for table maintenance and downstream controls are present.
Findings
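The parameter expectations from this sheet (rec/client) and from "Authorization parameters on the system" above, applied to a constructed RSPFPAR-style extract; this is an added example, not part of the audit action sheets, and the degree-to-rating mapping is an assumption noted in the code:

```python
"""Evaluate the access-protection profile parameters from the two sheets above.

Added example, not part of the audit action sheets. It parses a constructed text
extract in the shape an auditor would copy from RSPFPAR (one parameter and its
substituted value per line) for production and development, and applies the
expectations the sheets state. All extract contents are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    parameter: str
    value: str
    issue: str


def parse_rspfpar(extract: str) -> dict:
    """Map lowercase parameter name -> value; an unset parameter maps to ''."""
    params = {}
    for raw in extract.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        params[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return params


def check_auth_parameters(prod: dict, dev: dict) -> list:
    """Apply the four expectations from 'Authorization parameters on the system'."""
    findings = []
    p_nc = prod.get("auth/no_check_in_some_cases", "")
    d_nc = dev.get("auth/no_check_in_some_cases", "")
    if p_nc != d_nc:  # 1) must be identical in development and production
        findings.append(Finding("auth/no_check_in_some_cases", f"prod={p_nc!r} dev={d_nc!r}",
                                "value differs between development and production"))
    if prod.get("auth/object_disabling_active", "").upper() == "Y":  # 2) Y: objects can be disabled
        findings.append(Finding("auth/object_disabling_active", "Y",
                                "object checks can be switched off; verify with AUTH_DISPLAY_OBJECTS"))
    rfc = prod.get("auth/rfc_authority_check", "")
    if rfc != "1":  # 3) 1 = S_RFC check active
        findings.append(Finding("auth/rfc_authority_check", rfc, "RFC check against S_RFC not active"))
    sac = prod.get("auth/system_access_check_off", "")
    if sac != "0":  # 4) 0 = checks for file operations, kernel calls and CPIC stay active
        findings.append(Finding("auth/system_access_check_off", sac,
                                "automatic checks for ABAP system-access statements switched off"))
    return findings


def rate_auth_parameters(findings: list) -> int:
    """(4) if nothing is switched off, otherwise (0)-(3) by degree. The sheet leaves the
    degree to the auditor; one finding -> (3) down to four or more -> (0) is an assumption."""
    return max(0, 4 - len(findings))


def rec_client_covers(prod: dict, prod_client: str) -> bool:
    """rec/client must be ALL or a client list that includes the production client."""
    value = prod.get("rec/client", "").upper()
    return value == "ALL" or prod_client in {c.strip() for c in value.split(",") if c.strip()}


def rate_rec_client(prod: dict, prod_client: str) -> int:
    """Per 'Traceability of table changes': logging not set for production -> (0)."""
    return 4 if rec_client_covers(prod, prod_client) else 0


# Constructed extracts (parameter name, substituted value); not from a real system.
PROD_EXTRACT = """
# production system, client 200 (constructed)
auth/no_check_in_some_cases    Y
auth/object_disabling_active   Y
auth/rfc_authority_check       1
auth/system_access_check_off   0
rec/client                     100,300
"""
DEV_EXTRACT = """
# development system (constructed)
auth/no_check_in_some_cases    N
auth/object_disabling_active   N
auth/rfc_authority_check       1
auth/system_access_check_off   0
rec/client                     OFF
"""

if __name__ == "__main__":
    prod, dev = parse_rspfpar(PROD_EXTRACT), parse_rspfpar(DEV_EXTRACT)
    for f in check_auth_parameters(prod, dev):
        print(f"{f.parameter}={f.value}: {f.issue}")
    print("auth parameter rating:", rate_auth_parameters(check_auth_parameters(prod, dev)))
    print("rec/client rating:", rate_rec_client(prod, "200"))
```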
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
Users with SAP_ALL /SAP_NEW profile
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Logging of table changes
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system Put level: 4.6C
Task
Ascertain whether changes to accounting-relevant SAP or customer tables are recorded in such a way that a change history can be demonstrated over a period of ten years. Table change history is active if the system parameter "rec/client" is set to the production client or to "ALL". In addition, a log flag may be set in every table so that changes are written to the database table DBTABPRT. A general evaluation of the log flag may be performed using table DD09L. As a form of subsequent control measure, the table changes should be analyzed regularly by the user using report RSTBHIST/RSVTPROT (table report). Changes are archived in a sequential file using the RSTBARCH report. The report RSTBPDEL, which enables the deletion of table change documents, is critical in this case.
Processing notes
Examine the change logs on a spot check basis and establish who is responsible for the above-mentioned controls. /nsa38 -> "RSTBHIST" -> execute -> tables with history management
Note: Setting the log flag using transaction SE13 triggers a repair flag, so this change will be overwritten again by a subsequent put or release upgrade. Self-created, accounting-relevant tables are significant.
Rating notes
Since tables can be thought of as external program components, table changes have to be logged and retained for a period of at least 10 years as "miscellaneous organizational documentation" in accordance with §257 HGB. If changes to accounting-relevant tables are not logged, the procedure used cannot be traced since the system did not produce the required change history. In this case a rating of (0) = very significant non-compliance should be specified. Other evidence, e.g. hard copies of screen contents, or evidence of processing chains (invoices), does not provide the same quality.
Findings
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
Batch input session processing (errors)
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
There is a risk that error sessions may not be processed, or not processed promptly. This can result in inconsistencies in the data, or can jeopardize the completeness of processing. It should therefore be checked which BI sessions are present in the system and what their status is. Establish whether erroneous BI sessions or processing backlogs are present in the system. SAP provides transaction SM35. Obtain an overview of the current situation at the unit being audited.
- Are there any erroneous batch input sessions?
- Are there any batch input sessions which have been created but which have not yet been processed?
- Are erroneous or newly created batch input sessions processed promptly?
- Who is responsible for regular checks? (user department or IT department?)
- Are batch input sessions manually or automatically deleted in a controlled manner? (according to what criteria?)
Processing notes
/nSM35, specify period and status (erroneous, to be processed, etc.). Have monitoring and processing for erroneous BI sessions explained in an interview.
Rating notes
If accounting-relevant BI sessions have not been fully processed, incompleteness of data results in non-compliance with regulations. This would result in a rating of (0). If there are no accounting-relevant erroneous sessions, the principle of prompt posting is met. In this case a rating of (4) = no non-compliance should be specified.
Findings
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
Document number assignment (gaps)
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
As standard on distributed SAP R/3 systems, a certain quantity of document numbers are buffered on the individual application servers in order to improve performance. The number of buffered document numbers can be set using transaction SNRO. When documents are processed, document numbers from the respective buffers are then assigned by the application servers, i.e. the document numbers are not assigned in the order the documents are created. The buffered document numbers are marked as assigned in the number range interval, although they have not yet been assigned. If the SAP system is shut down, any unassigned document numbers are lost since the buffers are deleted, and new document numbers in accordance with the number range interval status are buffered the next time the system starts up. This can produce gaps in the document numbers.
To work around this problem, document number buffering may be switched off using transaction SNRO. From the point of view of the audit, it is necessary to identify the number ranges for which buffering is switched on or off. In our opinion there should be no buffering for accounting documents. Determine accounting-relevant number ranges by interview, or via the description to the number range objects. Also take into account self-defined number ranges.
In conjunction with actual aborted postings, gaps caused by document number buffering can make it virtually impossible to subsequently determine whether a gap in the document numbers is due to the technical situation (ignored numbers in the buffer store of the application server) or to business transactions that were not processed (RFVBER00 problem).
Processing notes
/nSA38, select RSNRODS1, start and analyze the overview of all number ranges and their
buffering.
Rating notes
Ascertain whether there is a risk of non-compliance with regulations as a result of gaps arising, or already present in, the document numbers due to document number buffering being switched on for accounting-relevant number range objects. This would directly jeopardize traceability, since the completeness of processing cannot be demonstrated seamlessly. If document number buffering is switched on, in some circumstances it cannot be determined whether gaps in document numbers are the result of unprocessed postings or document numbers assigned to the buffer that were not used. If document number buffering is switched on for accounting-relevant number range objects, a rating of (0) should be specified. If this is not the case a rating of (4) = no non-compliance can be specified. In this context, specify above all the organizational measures with respect to control and reconciliation (refer to RFVBER00 and Batch-Input).
Findings
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
Identifying modifications
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
To ensure the correctness and traceability of the processing procedures, and that the R/3 system can be updated, modifications have to be performed and documented in compliance with SAP naming conventions. User modifications are changes and/or additions to standard SAP. The most important audit fields here are tables, ABAPs and transactions. If modified by users, they have to conform to the following naming conventions:
- Transactions: begin with Z or Y (here only for information)
- ABAP: begin with Y or Z (here only for information)
- Tables: begin with T9, P9, Y or Z (important for table logging)
Since Release 3.x, changing a standard object is only possible with the permission of SAP AG since the system asks for an authorization number that can only be obtained in Walldorf. Beginning with Rel. 3.1, the system also provides protection against the use of an "incorrect" naming convention. Company-specific application development is only possible by means of fixed company-specific application classes. Since these application classes also allow the evaluation of modifications by the company as a key, adherence to the naming convention for a report or table is of lesser importance. The different application classes mean that even two identically named reports can be differentiated. In addition, other system elements such as authorization objects and Dynpros (SAP screens) may be relevant to the above question. The table change logs can be viewed using transaction SCU3.
Processing notes
Spot check whether accounting-relevant self-created tables are logged. /nSE16 DD09L: select table name Z* and select log with value X. Other namespaces analogously. If necessary, have the client explain how accounting-relevant tables are identified and what criteria are used for maintaining logs.
Rating notes
Spot check to see whether tables in the customer namespace have the log flag set. If this is not the case for accounting-relevant tables, procedure traceability is jeopardized and a rating of very significant non-compliance = (0) is specified. In addition, use the above program to determine which settings have been made for programs and transactions.
Findings
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
Logging options
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
R/3 provides a large number of logs for system management, monitoring, error correction and checking. Logs and checks are important for monitoring the security of the system and tracking events if an error occurs.
A) Audit information system (AIS)
B) Security audit log
C) System log
D) Daily statistics in CCMS
E) Logging of specific activities (application logging, workflow, changes to business objects, data changes in tables and changes to user master records, profiles and authorizations)
F) Additional information on logging and checking
Determine and evaluate which log and checking tools the unit being audited uses for its internal control system. Determine how the individual log options are used in combination with one another.
Processing notes
Determine in interviews which logs and control functions are being used in the respective unit. Obtain the relevant reports and add them to your working documents.
Rating notes
If none of the above functionalities and control options are used, a rating of very significant non-compliance = (0) should be specified. If, for example, only the AIS (A) is not used, but all other information tools (B) to (F) are, a rating of (4) can be specified.
Findings
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
System change option (history)
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
SAP provides transaction SE06, which can be used to create a history of changes to the system change option. This system change option setting applies to the entire SAP system and all established clients. Using the settings and change history, establish whether the system change option (protection against changes at different levels: application development, Customizing, ...) has been changed during the period under examination.
Processing notes
Look at the system change option history log (can usually only be viewed with the help of the administrator). /nSE06 -> system change option -> log. Add printout to working documents.
Rating notes
If analysis of the change history indicates that changes have been made to the settings, non-compliance with regulations (traceability) may arise since it may be assumed that the specifications relating to application development using the Change and Transport Organizer are not in force during periods when the system change option is open. Moreover, an open system change option provides no protection against extensive authorizations (e.g. rights for application development). A rating of between (0) and (4) is specified depending on your findings.
Findings
SAP R/3 Audit Action Sheet
AAS:
5. Logging and checking
Client: Auditor: Key date:
System log (evaluation)
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
The R/3 system logs all system errors, warnings, user locks and process messages in the system log (SysLog). The system log records information in two different log types:
a) Local logs (directory of local file is rslg/local/file)
b) Central logs
Transaction SM21 can be used to read messages in the system log. You can adjust the view to your own requirements. SAP recommends maintaining a central log file on a selected application server. The central log consists of two files: an active file (parameter: rslg/central/file) and an old file (parameter: rslg/central/old_file). The active file contains the current log. Once the maximum size is reached, the system switches over log files. It deletes the old log file, makes the currently active file the old file, and creates a new active file. The change takes place when the size of the active log file reaches half the value specified in the rslg/max_diskspace_central parameter. R/3 does not support saving of the old system log files.
Note: Central logging is not available with Windows NT or AS/400.
Processing notes
/nSM21 -> enter time limits -> SYSLOG. Take into account whether a local or central log file is used. Examine the recent past (5-7 working days) in the system log for extraordinary events (for example, aborted update records or indications that the debugging function has been executed, message A14, A19).
Rating notes
If you cannot access the system log, tracking important processes is difficult, if not impossible. If you find, for example, that a rollback was performed with transaction FB01, this indicates that posting transactions were aborted. If errors occurred during the execution of transaction SE38, this could constitute a violation of the regulations prohibiting erasure. Have selected error messages explained to you and draw your conclusions for the rating. Consider the organizational context. If there are a large number of error messages relating to the above-mentioned examples, and there is no evidence to support the explanations given to you or there is no further documentation available, this AAS should be rated (0).
Findings
SAP R/3 Audit Action Sheet
AAS:
6. Change management
Client: Auditor: Key date:
Change management in general
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
To lock production SAP systems against changes, SAP provides settings in either the respective client itself or via the configuration of the Workbench Organizer (system change option). Changes to the individual clients in the SAP system are governed by the settings in the "T000" table. These should be set as follows for production clients:
Field | Field description | Value
CCCORACTIV | Transp. connection | 2 (Customizing cannot be changed in this client)
CCNOCLIIND | NoCliInd | 3 (no changes to repository and client-independent cust. object)
If this is not the case, users who have application development rights can make changes on the production system.
Processing notes
/nSE16: call table T000 and double-click the row of the respective client.
/nSA38 RSTBHIST and report to table T000.
Rating notes
SAP systems should be locked against changes. The corresponding settings should be made in table T000 and using transaction SE06. A distinction can be drawn between changes to client-independent customizing and repository objects and client-specific settings. Production systems should always be locked against online changes. If this is the case, then there is no non-compliance and a rating of (4) should be specified. If changes are permitted to cross-client objects, a rating of (2) to (3) should be specified, taking into account the technical and organizational measures in the unit. If, for example, the system change option is temporarily set to changeable, but it is ensured that checks are subsequently performed and there is sufficient justification (traceability) for the change of status, a rating of (4) can also be specified.
Findings
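The T000 settings from this sheet and the DD09L log-flag spot check from "Identifying modifications" above, evaluated over constructed extract rows; this is an added example, not part of the audit action sheets, which assumes the DD09L log flag is read from the field PROTOKOLL and uses the rating refinement noted in the code:

```python
"""Check production-client lock settings (T000) and the log flag of customer tables.

Added example, not part of the audit action sheets. It evaluates constructed rows
in the shape of SE16 extracts from T000 (fields CCCORACTIV, CCNOCLIIND, as named
in 'Change management in general') and from DD09L (log flag, here assumed to be
read from the DD09L field PROTOKOLL, as used in 'Identifying modifications').
All row contents and the set of accounting-relevant tables are constructed.
"""

# Expected production-client values from the sheet.
EXPECTED_T000 = {
    "CCCORACTIV": ("2", "Customizing cannot be changed in this client"),
    "CCNOCLIIND": ("3", "no changes to repository and client-independent cust. objects"),
}
# Customer namespaces the sheet says must always be flagged for logging.
CUSTOMER_TABLE_PREFIXES = ("T9", "P9", "Y", "Z")


def client_lock_issues(t000_row: dict) -> list:
    """Return one message per T000 field that deviates from the production setting."""
    issues = []
    for field, (expected, meaning) in EXPECTED_T000.items():
        actual = t000_row.get(field, "")
        if actual != expected:
            issues.append(f"{field}={actual!r}, expected {expected} ({meaning})")
    return issues


def rate_client_lock(t000_row: dict) -> int:
    """(4) when locked; (2)-(3) when changes are permitted. Using (2) when cross-client
    objects are open and (3) when only client-specific Customizing is open is an
    assumed refinement within the range the sheet gives."""
    issues = client_lock_issues(t000_row)
    if not issues:
        return 4
    return 2 if any(i.startswith("CCNOCLIIND") for i in issues) else 3


def is_customer_table(name: str) -> bool:
    return name.upper().startswith(CUSTOMER_TABLE_PREFIXES)


def unlogged_customer_tables(dd09l_rows: list) -> list:
    """Customer-namespace tables whose log flag is not set (X)."""
    return sorted(r["TABNAME"] for r in dd09l_rows
                  if is_customer_table(r["TABNAME"]) and r.get("PROTOKOLL", "") != "X")


def rate_table_logging(dd09l_rows: list, accounting_relevant: set) -> int:
    """(0) if any accounting-relevant customer table is unlogged, else (4). Other
    unlogged customer tables remain a follow-up item but do not drive the rating."""
    unlogged = set(unlogged_customer_tables(dd09l_rows))
    return 0 if unlogged & accounting_relevant else 4


# Constructed sample rows (not from a real system).
T000_ROWS = {
    "200": {"MANDT": "200", "CCCORACTIV": "2", "CCNOCLIIND": "3"},  # production, locked
    "300": {"MANDT": "300", "CCCORACTIV": "1", "CCNOCLIIND": ""},   # open for changes
}
DD09L_ROWS = [
    {"TABNAME": "ZFI_RULES", "PROTOKOLL": "X"},
    {"TABNAME": "ZHR_TMP", "PROTOKOLL": ""},
    {"TABNAME": "T9LOG", "PROTOKOLL": "X"},
    {"TABNAME": "YCO_MAP", "PROTOKOLL": ""},
    {"TABNAME": "MARA", "PROTOKOLL": ""},  # SAP namespace, not in scope here
]
ACCOUNTING_RELEVANT = {"ZFI_RULES", "YCO_MAP"}

if __name__ == "__main__":
    for client, row in T000_ROWS.items():
        print(client, rate_client_lock(row), client_lock_issues(row))
    print("unlogged:", unlogged_customer_tables(DD09L_ROWS))
    print("table logging rating:", rate_table_logging(DD09L_ROWS, ACCOUNTING_RELEVANT))
```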
SAP R/3 Audit Action Sheet
AAS:
6. Change management
Client: Auditor: Key date:
Analyze application development
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Change Management refers to the handling of changes in an SAP R/3 production system as a whole. All changes are always made on the development system and are then transferred to the production system using the Change and Transport Organizer (CTO). This results in the following IS requirements:
- Together with the requesting user department and the operator, the department responsible for maintenance and further development has to define a documented change management concept as well as the necessary change management processes (authorization procedure, documentation of changes, acceptance testing and release, archiving and related documentation).
- The supporting function within CTO should be utilized.
All application development and maintenance on the SAP R/3 system has to be performed within the context of a clear organizational procedure to ensure the correctness of the processing procedure and the update capability of the R/3 system. The relevant request, development, testing, release and handover procedures have to be implemented within the organization, and any commercial and fiscal documentation regulations have to be observed. A development and testing environment that is separate from the production environment is a minimum requirement. The ideal configuration is a three-way division: a testing and development system, a quality/release system and a production system which can be linked to one another by means of the mechanisms provided by SAP. In the latter case, the process is as follows: Once the requested program developments have been successfully completed, the programs are transferred to the integration system using CTO. Additional test runs are performed to ensure that the implemented program matches the requirements, and that the requested functionalities are provided. Also check whether thorough documentation comprehensible to a competent third party is available for the developments/changes performed. These measures are a mandatory element of every internal control system, i.e. a formalized testing, acceptance and release procedure is always necessary. The instances of the specific objects of the user authorization concept enable, through the use of CTO, the technical handover procedure to be implemented in such a way that function separation is provided by separating the release and performance of transport functions. The retention period for process documentation is 10 years.
Processing notes
Determine procedures for application development and implementation of system changes in an interview and add any documentation to your working documentation. On the basis of retrospective spot checks you selected yourself, i.e. based on a change in the production system (e.g. a self-created report or table), have the client demonstrate whether the procedure you recorded was followed (tracking the change from production system to the test system to the development system with all logs and release forms).
Procedure for own check:
Identify last updater: reports /nSE38 -> program name -> display attributes; tables /nSE13 -> table name
Identify transport/change request: /nSE03 -> search for objects in requests/tasks -> select relevant object (program) -> highlight -> view request
Analyze the transport log and the request documentation. Have the unit being audited show you the releases and transport documentation for the respective transport/task.
Rating notes
This audit action sheet should be rated (4) if there is no non-compliance with the above requirements. For ratings between (0)-(3), it should be explicitly stated that the rating will depend primarily on the organizational situation of the respective business unit. There is a very significant non-compliance if, for example, neither organizational nor technical measures have been taken to establish a traceable change management system (different systems, operating procedures for use of CTO, organizational guidelines for retention, etc.). Additional specific audit tasks are also stated in the following AASs.
Findings
SAP R/3 Audit Action Sheet
AAS:
6. Change management
Client: Auditor: Key date:
Application development and CTO
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
The Change and Transport Organizer links the development, integration and production environments. It enables the implementation of a testing, acceptance and release procedure, as well as the fulfillment of statutory documentation obligations. In addition, authorization objects prevent the same objects being processed by multiple users. It also ensures that old versions can be restored at any time or can be compared with other versions. Incorrect settings with respect to the Change and Transport Organizer in connection with application development and customizing can consequently jeopardize the integrity of the SAP R/3 system.
Audit tasks:
1. Obtain an overview of what systems are in use (STMS).
2. Analyze the settings made (SE06), e.g. in relation to:
- Local objects
- SAP® R/3 application components
- SAP® R/3 Basis component
- Development Workbench
Risk: If a testing, acceptance, and release procedure has not been implemented in application development and maintenance (and in Customizing), there is a risk that the internal control system will be undermined and system integrity will be impacted. Furthermore, traceability and fulfillment of statutory documentation obligations may be jeopardized.
Documentation of audit findings: interview records; examination of system settings (copies); extracts from miscellaneous documentation; standard operating procedures.
Processing notes
/nSTMS, further in system overview. /nSE06 (together with an administrator, since viewing rights are insufficient here).
Rating notes
Depending on your findings for the individual audit, you should make recommendations to ensure that the above requirements are met. For instance:
- Barring direct changes on production system
- Defining retention periods for CTO logs (archiving concept)
- Functional separation aspects taken into account in CTO
If your findings for the above issues are negative, this audit action sheet should be rated (0). If changes are barred on the production system and there are only informal instructions relating to the retention of CTO logs, this AAS should be rated between (2) and (3).
Findings
SAP R/3 Audit Action Sheet
AAS:
6. Change management
Client: Auditor: Key date:
Transport layers
Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Determine how the transport layers were set up.
- Are through transports prescribed?
- Are cross-transports permitted in the transport routes?
- What is the transport ID of the production system?
Development projects are not normally carried out on the production system but rather, depending on the scope, on one or more development or quality assurance systems. To ensure the consistency of objects, each repository object has a defined original location. Changes are usually carried out at the original location to avoid unintentional parallel developments. The original location of repository objects can be changed by relocation transports. If several development systems are in use, in some circumstances it may be necessary to specifically transport objects to R/3 systems that are not supplied using regular change transports. The transport properties of the object (original system, development class, transport layer) can be changed in this case. Repository and Customizing objects are transported from the development system to other R/3 systems in the network using transport routes defined in the Transport Management System during the configuration of the system network. Transport consists of exporting the objects from the source system in which the objects were changed and importing them into one or more target systems. A transport log is automatically created for each change request. If, for example, a production system exhibits odd behavior after an import from the quality assurance system, it can be immediately identified which objects were transported, who the ordering party was, and the reason for the transport.
Processing notes
/nSTMS then select transport routes.
Rating notes
This AAS serves primarily to determine the technical and organizational background. The issues set out are rated primarily as part of AAS 1.06.020.
Findings
SAP R/3 Audit Action Sheet
AAS: 6. Change management / Transport requests in the production system
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Determine which transport requests were created directly on the production system without going through the three-tier system environment. The origin of transport requests can be identified from the name of the systems (3-character abbreviation). These names can be called up from the transport organizer. Transaction SE01 can be used to view the transport requests with specification of the users. If transport requests are created directly on the production system, the three-tier structure provided by SAP is circumvented. There are risks arising from non-traceable and incorrect programming work: the disintegration of the consolidation and production system, as well as potential problems with new releases if the changes are not added to the consolidation system.
Processing notes
Transaction /nSE01: User = *, request type = select all, request status = select all -> Display. All transports displayed with xxxK (where xxx is equal to the production system SID) were created in the production system. Investigate why changes were made directly in the production system.
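As an added example (not part of the audit action sheet), the check in the processing notes above can be run over an SE01 result list exported to a tab-separated file. The export layout, the sample rows and the production system ID PRD are assumptions made for this example:

```python
"""Flag transport requests that were created directly on the production system.

Added example, not from the audit action sheet. It assumes the SE01 result list
has been exported as tab-separated text with the columns request ID, owner,
request type, status and description. The rows below are constructed and 'PRD'
is a placeholder production system ID.
"""
from collections import Counter
import re

# A transport request ID has the form <SID>K<6 digits>; the SID is the system
# on which the request was created (the "xxxK" pattern in the processing notes).
REQUEST_ID = re.compile(r"^(?P<sid>[A-Z0-9]{3})K(?P<number>\d{6})$")

# Constructed sample export (SE01, User = *, all request types, all statuses).
SAMPLE_EXPORT = """\
DEVK900123\tDEVELOPER1\tK\tReleased\tFI posting variant change
DEVK900201\tDEVELOPER2\tW\tReleased\tPricing condition table
PRDK900004\tBASISADM\tK\tModifiable\tEmergency fix: dump in ZFI_REPORT
PRDK900007\tBASISADM\tW\tReleased\tNumber range correction
PRDK900009\tFIUSER\tK\tModifiable\tDirect table change
QASK910011\tDEVELOPER1\tT\tReleased\tTransport of copies
"""


def parse_export(text):
    """Turn the tab-separated export into a list of dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        request, owner, rtype, status, description = line.split("\t", 4)
        rows.append({"request": request, "owner": owner, "type": rtype,
                     "status": status, "description": description})
    return rows


def origin_sid(request_id):
    """Return the SID encoded in the request ID, or None if the ID is malformed."""
    match = REQUEST_ID.match(request_id)
    return match.group("sid") if match else None


def created_in_production(rows, production_sid):
    """Return the rows whose request ID shows they were created on production_sid."""
    return [row for row in rows if origin_sid(row["request"]) == production_sid]


def summarize_by_owner(rows):
    """Count offending requests per owner, so each owner can be asked to justify them."""
    return Counter(row["owner"] for row in rows)


if __name__ == "__main__":
    offending = created_in_production(parse_export(SAMPLE_EXPORT), "PRD")
    for row in offending:
        print(f'{row["request"]} {row["owner"]:<12} {row["status"]:<10} {row["description"]}')
    print(dict(summarize_by_owner(offending)))
```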
Rating notes
Review any changes that have been made directly in the production system. A simple explanation is not sufficient. The reason, type and extent of activities performed should be documented in such a way that they are clear to a competent third party. If this is not the case, this AAS should be rated (0).
Findings
SAP R/3 Audit Action Sheet
AAS: 6. Change management / Backdoor in application development
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: Informational data record (no rating) Module: BC Basis system
Task
INFORMATIONAL DATA RECORD
Ascertain whether the coding contains any backdoors "overlooked" by SAP and notify the company. From our audits in SAP R/3 environments we have discovered several security gaps which would allow programs and tables to be deleted/changed with SAP view authorizations, irrespective of the presence of a developer ID normally required for application development or of the system change option setting. The programs that trigger these actions originate from SAP AG Walldorf. They are contained in almost all R/3 release shipping versions. They were originally intended for migration work. These programs have no authority checks based on the SAP user authorization concept. Accordingly, they can be used by users who have no application development authorizations, but only the right to start reports. These rights are included in the view profiles (e.g. S_A.Show) shipped by SAP as standard. The only access protection in the sources we encountered is an Include that performs a user name match. Since these functionalities are not documented or reported to those responsible for user authorization concepts, their effect is comparable to backdoors or Trojan horses, by which those in the know can gain uncontrolled access to the system. We have informed SAP AG of this problem. It is currently being investigated with a high-priority message. The result (restrictive limitation of the above risks) will be, we were informed in advance, published soon via the OSS or hot packages. Consequently, its implementation in those companies that use SAP depends on their chosen update cycle with OSS Notes or hot packages. Since the transfer of OSS Notes or the loading of hot packages can extend over a long period, in which the above-mentioned risks are still present, we recommend permitting the use of migration tools in the authorization concept only where there is a specific need. Our reservations concern primarily the reports RS3UREPE, RS3UMLOE, RS3UREPL, RS3UREPM and the RS3URINC Include. However, there are also other table-changing access facilities in the migration tools whose use should be permitted during a migration phase only. We strongly recommend you take corrective measures.
Processing notes
Check how the above issues are dealt with at the unit being audited and whether the reports are available on the system. /nSA38 > enter the name of the report > select the dropdown (search) to determine if the report exists.
Rating notes
No rating.
Findings
SAP R/3 Audit Action Sheet
AAS: 6. Change management / Customizing authorizations
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Who has authorizations for the SAP Customizing system? Access to the projects in the Customizing system (Tools > Customizing) is protected by the following three authorization objects:
1) Templates in Customizing
Object      Field      Field description                                  Value
S_CTEMPLAT  ACTVT      Activity                                           01 or 02
S_CTEMPLAT  BRANCH     Industry                                           #*
S_CTEMPLAT  OBJNAME    Name of t.                                         #*
A user with these rights can maintain the templates in Customizing.
2) IMG authorizations
Object      Field      Field description                                  Value
S_IMG_ACTV  PROAUTH    Project number                                     #*
S_IMG_ACTV  ACTVT      Activity                                           02
S_IMG_ACTV  IMG_ACT    Activity list                                      ACT
S_IMG_GENE  ACTVT      Activity                                           #*
A user with this authorization can generate the Customizing model that is used for all customizing projects on the SAP system. IMG generation, for example, determines which SAP components are affected by Customizing. This authorization object should be assigned only to a few privileged users.
3) Table maintenance authorizations
Object      Field      Field description                                  Value
S_TABU_DIS  DICBERCLS  Authorization group                                #* or special authorization groups
S_TABU_DIS  ACTVT      Activity                                           02
Users can only change the tables in a Customizing function if they have the relevant authorizations.
Processing notes
/nSA38, report RSUSR002, evaluation 1) - 3) separately.
Rating notes
If you find during your audit that assignment of the above authorizations was justified by the requirements and functional separation aspects were observed in relation to the unit being audited, a rating of no non-compliance (4) is specified. If non-expert users have access to these functionalities and if there is no formalized organizational structure for handling customizing activities, this AAS should be rated (0).
Findings
SAP R/3 Audit Action Sheet
AAS: 6. Change management / Customizing projects authorizations
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Identify which users have access to project management in Customizing.
Object      Field       Field description                      Value
S_CTS_ADMI  CTS_ADMFCT  Administration tasks in CTS            PROJ
S_PROJECT   PROJECT_ID  Name of project                        #*
S_PROJECT   APPL_COMP   Application component code             #*
S_PROJECT   ACTVT       Activity                               02 or 23
S_PROJECT   PROJ_CONF   Flag whether activity is confidential  X
S_PROJECTS  APPL_COMP   Application component code             #*
S_PROJECTS  PRCLASS     Possible project class                 #*
S_PROJECTS  ACTVT       Activity                               70
S_PROJ_AUT  PROJECT_ID  Name of project                        #*
S_PROJ_AUT  ACTVT       Activity                               02
S_PROJ_AUT  PROJ_CONF   Flag whether activity is confidential  X
S_PRO_AUTH  PROAUTH     Project number                         #*
S_PRO_AUTH  ACTVT       Activity                               01 or 02
Processing notes
Entry via /nSA38, RSUSR002, above authorization objects. The reports should be
compared.
Rating notes
If you find during your audit that assignment of the above authorizations was justified by the requirements and functional separation aspects were observed by the unit being audited, a rating of no non-compliance (4) is specified. If non-expert users (e.g. bookkeepers, warehouse employees or similar, NOT OI or CONSULTANTS) have these authorizations and if there is no formalized organizational structure for the handling of customizing activities, then this AAS should be rated (0).
Findings
SAP R/3 Audit Action Sheet
AAS: 6. Change management / Transport Management System authorizations
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Ascertain who has access to the Transport Management System (TMS).
1) TMS: Data import with client copy
Object      Field       Field description     Value
S_TCODE     TCD         Transaction code      SCC1 or SCCL
S_CLNT_IMP  ACTVT       Activity              21 or 60
2) Administration functions in CTS
Object      Field       Field description     Value
S_TCODE     TCD         Transaction code      SE09 or SE10 or SE01
S_CTS_ADMI  CTS_ADMFCT  Administration tasks  (values listed below)
  SYSC (system change option)
  IMPA (import all transport requests)
  IMPS (import individual transport requests)
  TADD (forward transport requests to import queue)
  TDEL (delete transport requests from import queue)
  TQAS (activate or delete inactive requests)
  TADM (execute tp commands)
  QTEA (authorize transports in prod. system)
Processing notes
Enter via /nSA38, RSUSR002, and the authorization objects above. The above instances should be evaluated based on the audited unit's concept. It is not absolutely necessary to evaluate the contents of each field separately.
Rating notes
If you find during your audit that assignment of the above authorizations was justified by the requirements and functional separation aspects were observed by the unit being audited, a rating of no non-compliance (4) is specified. If non-expert users have access to these authorizations and if there is no formalized organizational structure for handling the TMS, this AAS should be rated (0).
Findings
SAP R/3 Audit Action Sheet
AAS: 6. Change management / Change and Transport Organizer authorizations
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Ascertain who has access to the Change and Transport Organizer (CTO). Changes made directly on the production system – circumventing the transport routes – are not permitted. That is to say, except in an emergency (refer to emergency user concept), no changes may be carried out directly on the production system.
CTO:
Object      Field  Field description
S_TRANSPRT  TTYPE  Request type (Change & Transport System)
  Possible values:
  CLCP  Client transports
  CUST  Customizing requests
  DLOC  Local change requests
  DTRA  Transportable change requests
  MOVE  Relocation transports (all three types)
  PATC  Preliminary corrections and deliveries
  PIEC  Bills of material
  TASK  Tasks (repair or correction)
  TRAN  Transport of copies
S_TRANSPRT  ACTVT  Activity
  Possible values:
  01  Add or create
  02  Change
  03  View
  05  Lock
  06  Delete
  23  Change in object list editor
  43  Release
  50  Change source client of a request
  60  Import
  65  Reorganize
  75  Release external requests
  78  Enter request in transport proposal
  90  Change owner
Processing notes
Entry via /nSA38, RSUSR002, above authorization objects. Particularly important on the production system: request types CUST, DLOC, DTRA, PIEC, TASK with activity 01.
Rating notes
If you find during your audit that assignment of the above authorizations was justified by the requirements and functional separation aspects were observed by the unit being audited, a rating of no non-compliance (4) is specified. NOTE: Also take into account the issues established in AAS 52. If non-expert users have access to these authorizations and if there is no formalized organizational structure for handling CTO, then this AAS should be rated (0).
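As an added example that is not part of the audit action sheets, the following code evaluates an exported RSUSR002 result for the two critical combinations named on this sheet and on the preceding TMS sheet: S_TRANSPRT with the request types CUST, DLOC, DTRA, PIEC, TASK and activity 01, and S_CTS_ADMI with the import and tp administration functions. The export layout, the users and their values are constructed; value matching follows the SAP convention that "*" grants everything and a trailing "*" grants every value with that prefix (the sheets write the full authorization as #*):

```python
"""Evaluate exported user authorizations for critical CTO/TMS rights.

Added example, not from the audit action sheets. It assumes the RSUSR002 result
has been exported into the list-of-dict form below, one record per authorization
with the list of granted values per field; users and values are constructed.
"""

# Constructed export: one authorization per record (user, object, field values).
SAMPLE_AUTHS = [
    {"user": "BASISADM", "object": "S_TRANSPRT",
     "fields": {"TTYPE": ["*"], "ACTVT": ["*"]}},
    {"user": "BASISADM", "object": "S_CTS_ADMI",
     "fields": {"CTS_ADMFCT": ["IMPA", "IMPS", "TADM", "QTEA"]}},
    {"user": "DEVELOPER1", "object": "S_TRANSPRT",
     "fields": {"TTYPE": ["DTRA", "TASK"], "ACTVT": ["01", "02", "03", "43"]}},
    {"user": "FIUSER", "object": "S_TRANSPRT",
     "fields": {"TTYPE": ["CUST"], "ACTVT": ["01", "02"]}},
    {"user": "AUDITOR", "object": "S_TRANSPRT",
     "fields": {"TTYPE": ["*"], "ACTVT": ["03"]}},
    {"user": "WHUSER", "object": "S_CTS_ADMI",
     "fields": {"CTS_ADMFCT": ["IMP*"]}},
]

# Request types the CTO sheet singles out on a production system (with ACTVT 01).
CRITICAL_TTYPES = ("CUST", "DLOC", "DTRA", "PIEC", "TASK")
# TMS administration functions that let a user bring changes into production.
CRITICAL_CTS_FUNCTIONS = ("IMPA", "IMPS", "TADM", "QTEA")


def value_matches(granted, requested):
    """SAP-style match of one granted authorization value against a requested value."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def has_authority(auths, user, obj, **required):
    """True if any of the user's authorizations for obj satisfies every required field."""
    for auth in auths:
        if auth["user"] != user or auth["object"] != obj:
            continue
        if all(any(value_matches(g, want) for g in auth["fields"].get(field, []))
               for field, want in required.items()):
            return True
    return False


def users_who_can_create_requests(auths, ttypes=CRITICAL_TTYPES):
    """Map each user to the critical request types they may create (ACTVT 01)."""
    result = {}
    for user in sorted({a["user"] for a in auths}):
        allowed = [t for t in ttypes
                   if has_authority(auths, user, "S_TRANSPRT", TTYPE=t, ACTVT="01")]
        if allowed:
            result[user] = allowed
    return result


def users_with_tms_admin(auths, functions=CRITICAL_CTS_FUNCTIONS):
    """Map each user to the critical S_CTS_ADMI functions they hold."""
    result = {}
    for user in sorted({a["user"] for a in auths}):
        held = [f for f in functions
                if has_authority(auths, user, "S_CTS_ADMI", CTS_ADMFCT=f)]
        if held:
            result[user] = held
    return result


if __name__ == "__main__":
    print("can create critical requests:", users_who_can_create_requests(SAMPLE_AUTHS))
    print("hold TMS admin functions:", users_with_tms_admin(SAMPLE_AUTHS))
```

Every user listed by either function must be checked against the audited unit's concept and the functional separation rules of the rating notes; the AUDITOR user, who holds only ACTVT 03 (view), is correctly not reported.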
Findings
SAP R/3 Audit Action Sheet
AAS: 7. Remote communication / General audit tasks
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Remote connections can be used to access an R/3 system from the outside: applications can use RFCs (remote function calls) to access R/3 function modules located on other systems. The CPI-C interface (Common Programming Interface - Communication) enables program-to-program communication between R/3 systems. Frequently, copying system components also results in the RFC destinations of other systems that are not required on a production system being copied as well. When copying system components, always ensure that only the RFC destinations which are actually used are present on the production system. Only minimal rights may be assigned to a CPI-C user on the target system. Determine whether the necessary measures have been taken to protect these connections. The following issues should be addressed:
- Were the RFC destinations required for remote communications documented (jointly by the user department and R/3 Basis administration) in such a way that in each case the purpose, source, target, user IDs used, and the called function modules and function groups are named?
- Is there a list signed by the departments involved?
- Were authorization checks built into the function modules when they can be called using RFCs?
- Were the authorizations for the maintenance of RFC destinations restricted? S_TCODE with SM59 and S_ADMI_FCD with NADM
- Who has access to table "RFCDES"? S_TCODE with SE16 and S_TABU_DIS activity 02 and authorization group SC
The RFC users and passwords are encrypted using a static key and are stored in the "RFCDES" table. Note however that R/3 can decrypt the passwords itself.
- Is access to the "RFCDES" table limited to Basis administration?
Also ascertain whether OSS Note 43417 has been observed:
- The RFC Software Development Kit may not be installed on the production server.
- Possible communication relationships between external CPI-C or RFC server programs and the R/3 applications should be restricted by entries in the "secinfo" file.
- Monitoring of the R/3 gateway should only be permitted from gateway monitors. System parameter "gw/monitor" should be set to 1 or 2 (OSS Note 64016). The value 1 allows for the monitoring of a local gateway and value 2 allows for the monitoring of local and remote gateways.
Processing notes
For parameter: /nSA38 --> RSPFPAR --> gw/monitor parameter (should be 1 or 2!)
/nSA38 RSUSR002 and above-mentioned objects.
Have the unit being audited provide you with the relevant documentation and conduct an interview regarding the above issues.
Rating notes
If these questions cannot be adequately answered, or if there is no documentation available for them, this AAS should be rated (0). All other ratings depend on the actual organization and installation in the respective unit. Ratings of between (1) and (4) may be specified.
Findings
SAP R/3 Audit Action Sheet
AAS: 7. Remote communication / Access to RFC connections
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
Determine who has access to remote connections and whether this access is appropriately restricted to the actual activities to be performed.
Object  Field     Field description                   Value
S_RFC   RFC_TYPE  Type of RFC object to be protected  FUGR
S_RFC   RFC_NAME  Name of RFC object to be protected  #*
S_RFC   ACTVT     Activity                            16
Note: It may be necessary not only to check the comprehensive authorization (#*), but also to perform more detailed analyses.
Processing notes
/nSA38 RSUSR002
Note: It is not necessary to specify a transaction code since the RFC functionality is usually triggered from the normal application environment.
Rating notes
Comprehensive access to RFC functions should be limited to Basis support. Other users should only receive the RFC objects they require themselves. If authorizations are assigned too extensively, i.e. the assignment of authorizations is not justified by the requirements, very significant non-compliance (0) exists.
Findings
SAP R/3 Audit Action Sheet
AAS: 7. Remote communication / Interfaces
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
SAP provides a transaction (SM59) that can be used to determine which interfaces have been set up between the audited SAP R/3 systems and other systems (e.g. R/3 connections, internal connections, TCP-IP connections etc.). The transaction is suitable for fast analysis of the system structure and for assessing the security of the connection (are initial passwords still being used?). Determine which interfaces/connections the system being audited is using to communicate with external/internal systems, and clarify above all whether there is a risk of unauthorized access as a result of the passwords assigned.
Processing notes
Call transaction SM59 (input field: /nSM59; report RSRFCRFC), then open the subitems. Double-clicking a subitem displays the specific configuration of the connection (who, when, with what password etc.). Are there any branches that do not belong in the production system (they may have been copied during a client copy)? Verify that the user IDs assigned to the destinations are all communications users and not dialog users (dialog users can execute remote logins to the destination system and this is a security risk).
Note: This is normally only possible with the assistance of the administrator, because viewing rights are not usually sufficient.
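As an added example that is not part of the audit action sheet, the two checks in the processing notes above (destinations that do not belong on the production system, and destinations whose logon user is a dialog user) can be run over an exported destination list joined with the user type from the user master (USR02-USTYP: A dialog, B system, C communication, S service). The records, host names and user names below are constructed; the export layout and the documented list of production hosts are assumptions:

```python
"""Check RFC destinations on a production system for dialog users and stray targets.

Added example, not from the audit action sheet. It assumes the SM59 destination
list and the USR02-USTYP user types have been exported into the constructed
records below; hosts and user names are placeholders.
"""

# Constructed SM59 export from the production system: destination name,
# connection type (3 = R/3 connection, T = TCP/IP), target host, client and
# the logon user stored in the destination.
SAMPLE_DESTINATIONS = [
    {"name": "PRD_TO_BW", "type": "3", "host": "bwprod.example",
     "client": "100", "user": "RFC_BW"},
    {"name": "PRD_TO_CRM", "type": "3", "host": "crmprod.example",
     "client": "100", "user": "RFC_CRM"},
    {"name": "DEV_TO_QAS", "type": "3", "host": "qas.example",
     "client": "200", "user": "DEVELOPER1"},
    {"name": "PRINTSERVER", "type": "T", "host": "print.example",
     "client": "", "user": ""},
]

# Constructed user master extract: user name -> USTYP.
SAMPLE_USER_TYPES = {"RFC_BW": "C", "RFC_CRM": "B", "DEVELOPER1": "A"}

# Hosts that legitimately belong to the production landscape, taken from the
# documented and signed destination list the sheet asks for.
PRODUCTION_HOSTS = {"bwprod.example", "crmprod.example", "print.example"}


def findings_for_destination(dest, user_types, production_hosts):
    """Return the audit findings for one destination (empty list if none)."""
    findings = []
    if dest["host"] not in production_hosts:
        findings.append("target host not in the documented production landscape")
    user = dest["user"]
    if user:  # TCP/IP destinations often carry no R/3 logon user
        utype = user_types.get(user)
        if utype is None:
            findings.append(f"logon user {user} not found in user master")
        elif utype == "A":
            findings.append(f"logon user {user} is a dialog user (remote login possible)")
    return findings


def audit_destinations(destinations, user_types, production_hosts):
    """Map destination name -> findings, for destinations with at least one finding."""
    report = {}
    for dest in destinations:
        findings = findings_for_destination(dest, user_types, production_hosts)
        if findings:
            report[dest["name"]] = findings
    return report


if __name__ == "__main__":
    report = audit_destinations(SAMPLE_DESTINATIONS, SAMPLE_USER_TYPES, PRODUCTION_HOSTS)
    for name, findings in report.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```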
Rating notes
If passwords have not been changed (use of initial passwords), there is a risk of
unauthorized access and traceability is jeopardized. This results in a rating of (0)
unless there is any compelling reason for this situation.
Findings
SAP R/3 Audit Action Sheet
AAS: 7. Remote communication / RFC and CPI-C programs
Client: Auditor: Key date: Date: Relevance: GAAP
Rating: |0|1|2|3|4|N|I| Module: BC Basis system
Task
The R/3 gateway controls whether external server programs can be executed. You can specify which external server programs may be started via the gateway or which programs may register with the gateway. The security information that the gateway requires to permit the starting or registration of external server programs is stored in the "secinfo" file. Communication via the gateway can be restricted here. If this file does not exist, there are no restrictions for starting or registering external server programs.
Determine
- whether the "secinfo" file exists and its contents are maintained.
- who is responsible for this.
- whether all secinfo files on a system are consistent. Since every instance has its own gateway, all secinfo files on a system have to be consistent.
- whether authorizations for external server programs are restricted.
- whether access to the "secinfo" file is restricted to R/3 Basis administration.
Processing notes
1) Interview Basis administration, have them show you the settings on the system and check that the related authorization objects are restricted using the user info system (incl. B_ALE_RECV).
2) Location of secinfo.dat: /nSA38, report RSPFPAR, evaluate parameter gw/sec_info
Rating notes
For data security reasons it is important to restrict access of external server programs with entries in the "secinfo" file. If the entries in the "secinfo" file are not maintained, or if the file does not exist, and the responsibilities for this file are not defined, this audit action sheet should be rated (0) = very significant non-compliance. If the "secinfo" files are all present, but the "secinfo" files are not maintained consistently and the authorizations are not restricted, this audit action sheet should be rated (1) = significant non-compliance. If all the above points are met with the exception of the clear allocation of responsibilities, this audit action sheet should be rated (3) = minor non-compliance.
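As an added example that is not part of the audit action sheet, the consistency requirement above (one secinfo per instance, all of them identical) and the "no restriction at all" case can be checked mechanically once the files have been collected from every instance. The code assumes the secinfo line syntax of permit/deny rules made of KEY=VALUE tokens (P/D prefix as in the VERSION=2 syntax, or the older prefix-less form with comma separators); the three instance names and file contents are constructed:

```python
"""Compare the gateway secinfo files of all instances and flag permissive rules.

Added example, not from the audit action sheet. The secinfo contents and
instance names below are constructed; the parser accepts P/D-prefixed
VERSION=2 lines as well as prefix-less KEY=VALUE lines with comma separators.
"""

# Constructed secinfo contents keyed by instance name. Instance 02 deviates
# from the other two and contains a fully open permit rule.
SAMPLE_SECINFO = {
    "prdhost_PRD_00": """\
#VERSION=2
P TP=tax_engine USER=RFC_TAX HOST=tax.example USER-HOST=tax.example
P TP=print_daemon USER=* HOST=print.example USER-HOST=print.example
D TP=* USER=* HOST=*
""",
    "prdhost_PRD_01": """\
#VERSION=2
P TP=tax_engine USER=RFC_TAX HOST=tax.example USER-HOST=tax.example
P TP=print_daemon USER=* HOST=print.example USER-HOST=print.example
D TP=* USER=* HOST=*
""",
    "prdhost_PRD_02": """\
#VERSION=2
P TP=tax_engine USER=RFC_TAX HOST=tax.example USER-HOST=tax.example
P TP=* USER=* HOST=*
""",
}


def parse_secinfo(text):
    """Parse secinfo lines into (action, {key: value}) tuples, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment or the VERSION header
        if not line:
            continue
        tokens = line.replace(",", " ").replace(";", " ").split()
        action = "P"  # prefix-less (old syntax) lines are permit rules
        if tokens[0] in ("P", "D"):
            action, tokens = tokens[0], tokens[1:]
        fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        rules.append((action, fields))
    return rules


def rule_key(rule):
    """Hashable form of a rule so rule sets can be compared across instances."""
    action, fields = rule
    return (action,) + tuple(sorted(fields.items()))


def inconsistent_instances(secinfo_by_instance):
    """Return the instances whose rule set differs from the most common rule set."""
    keysets = {inst: frozenset(rule_key(r) for r in parse_secinfo(txt))
               for inst, txt in secinfo_by_instance.items()}
    counts = {}
    for ks in keysets.values():
        counts[ks] = counts.get(ks, 0) + 1
    reference = max(counts, key=counts.get)
    return sorted(inst for inst, ks in keysets.items() if ks != reference)


def permissive_rules(text):
    """Permit rules that allow any program from any host, i.e. no restriction at all."""
    return [fields for action, fields in parse_secinfo(text)
            if action == "P" and fields.get("TP") == "*" and fields.get("HOST") == "*"]


if __name__ == "__main__":
    print("inconsistent instances:", inconsistent_instances(SAMPLE_SECINFO))
    for inst, txt in SAMPLE_SECINFO.items():
        print(inst, "permissive rules:", permissive_rules(txt))
```

A missing file on an instance is the unrestricted case described in the task text and should be treated like an instance with a single fully open permit rule.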
Findings