ANAO - SAP Audit Handbook


Page 1: ANAO - SAP Audit Handbook

Security and Control Update

For SAP R/3

Guide to Effective Control – Handbook Update


© Commonwealth of Australia 2004
ISSN 1036-7632
ISBN 0 642 80791 4

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth available from the Department of Communications, Information Technology and the Arts. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Intellectual Property Branch, Department of Communications, Information Technology and the Arts, GPO Box 2154, Canberra ACT 2601 or posted at <http://www.dcita.gov.au/cca>

The Publications Manager, Australian National Audit Office, GPO Box 707, Canberra ACT 2601

Information about ANAO reports and activities can be found at the ANAO Internet address: http://www.anao.gov.au

Acknowledgement

Appreciation is extended to PricewaterhouseCoopers who contributed significantly in developing and writing this handbook.

Disclaimer

This handbook is not a recommendation of the SAP R/3 system, nor an endorsement of the SAP R/3, by the ANAO. Commonwealth Public Sector agencies are responsible for deciding whether SAP R/3 is suitable for their purposes and for implementing and testing SAP R/3.

The Auditor-General, the ANAO, its officers and employees are not liable, without limitation, for any consequences incurred, or any loss or damage suffered by an agency or by any other person as a result of their reliance on the information contained in this handbook or resulting from their implementation or use of the SAP R/3 system, and to the maximum extent permitted by law, exclude all liability (including in negligence) in respect of the handbook or its use.

Design by GREY Worldwide

Security and Control for SAP R/3 Handbook



Preface

SAP continues to be a predominant financial management information system in use within the Australian Government.

Accordingly, the Australian National Audit Office (ANAO) has developed this better practice handbook update with significant assistance provided by PricewaterhouseCoopers. The original handbook was released by the ANAO in 1998, and this update reflects the changes made to SAP security and control since that time.

Based on SAP R/3 release 4.6C, this update should be read in conjunction with the original handbook to gain a fuller appreciation and understanding of functional, as well as security and control issues, associated with the implementation and operation of SAP.

This handbook update provides better practice controls that should be considered by Australian Government entities to assist in meeting their requirements for availability, integrity and confidentiality, and outlines:

• the significant risks associated with each functional enhancement; and

• the various control options that should be considered, broken down into the following categories.

– SAP customisation settings which should be considered in reducing and/or mitigating identified risks and delivering security and control best practices.

– User access security settings to be considered when designing and implementing security.

– Useful key control reports for review.

The adoption of the various control options will depend on how SAP R/3 is used within each entity and the level of acceptable risk adopted by that entity. Striving for absolute assurance is neither cost effective nor possible. Controls implemented should be commensurate with the nature of the business, the acceptable level of risk and program delivery.

Oliver Winder

Acting Auditor-General

30 June 2004


Security and Control for SAP R/3 Handbook Update


Contents

Introduction .......................................................................................................................1

Basis and Cross Application Components (BC) ...................................................... 34

Procurement to Payables (MM) ................................................................................. 52

Financial Accounting (FI) ............................................................................................ 64

Controlling (CO) ..............................................................................................................70

Human Resources (HR) ................................................................................................ 86

Audit Information System (AIS) ................................................................................ 96


Introduction


The original Security and Control for SAP R/3 Handbook, developed in 1998, was produced to provide good practice security and control guidelines when implementing and running SAP Version 3.1H. SAP has subsequently upgraded the R/3 system, through Versions 4.0, 4.5 and 4.6, with each version including many functional changes impacting security and controls.

This handbook update is based on SAP R/3 Release 4.6C, outlining significant functional enhancements with relevant security and control considerations. This handbook should be read in conjunction with the original handbook to gain a full awareness and appreciation of functional and security and control issues within the core SAP components.

The handbook outlines business risks associated with the implementation and operation of SAP, and provides better practice controls that should be considered by Australian Government entities that replicate control solutions deployed at organisations globally running SAP.

SAP Upgrades

There are a number of business and technology drivers that may influence an organisation's decision to upgrade SAP.


[Diagram: Why upgrade R/3 (business drivers): strategic & operational changes; cost reduction; business process functional enhancements; mergers & divestments; e-business initiatives; greater efficiency; technology improvements; competition]


Drivers for upgrading SAP are often focused on achieving greater efficiency through new functionality, or business process improvements, provided within new releases of SAP. A number of these enhancements are outlined in the sections of this document and should be considered by decision makers.

Technology drivers for the upgrade of SAP are generally based around the need to maintain SAP support or to provide greater stability and ease of use for users and support teams.

[Diagram: Why upgrade R/3 (technology drivers): mySAP.com product components; old versions no longer supported; update technologies; new or extended functionality; improve user acceptance / satisfaction; need to re-structure architecture; reduce enhancements; stabilise environment]


Components covered

This handbook update covers the core SAP R/3 components commonly used by Australian Government entities. The components covered are consistent with those in the original handbook:

• Basis Component (BC);

• Materials Management (MM) in this handbook referred to as ‘Procurement to Payables’;

• Financial Accounting (FI): includes AA (Asset Accounting);

• Controlling (CO); and

• Human Resources (HR): includes PA (Personnel Administration) and PD (Personnel Development).

This handbook update also provides an outline of the Audit Information System (AIS).

Products such as BW (Business Warehouse), CRM (Customer Relationship Management), EBP (Enterprise Buyer Professional) and ESS (Employee Self Service) are run on separate copies of the SAP application. While these have been detailed in each applicable section of this handbook, they are not outlined in the above diagram.


[Diagram: Component overview. R/3 client/server on the ABAP/4 Basis component, with the application components: SD Sales & distribution; PP Production planning; QM Quality management; PM Plant maintenance; FI Financial accounting; CO Controlling; TR Treasury; OC Office communications; AA Asset accounting; MM Materials management; HR Human resources; IM Investment management; PS Project systems; RE Real estate management; CS Customer service; PE Training & event management]


How to use the handbook update

The handbook update has been divided into seven sections as follows:

• Introduction

• Basis and Cross Application Components

• The various application components:

– Procurement to Payables (MM)

– Financial Accounting (FI)

– Controlling (CO)

– Human Resources (HR)

• Audit Information System (AIS)

A Background Section is provided for each application component providing an overview of changes in the application component from SAP Version 3.1H to 4.6C. Also within are details of the coverage (sub-modules) of each application component section.

A Functional Overview is given for each application component and sub-module covered by this handbook update. This overview outlines the core functionality of the sub-modules with relevant operational benefits and high-level control opportunities.

Further detail is provided for each sub-module, including the following:

SIGNIFICANT RISKS

For each sub-module, relevant business risks are provided which should be considered by all organisations. For each risk identified, various control options are provided across the following sections.

CONFIGURATION “HOT SPOTS”

SAP customisation settings that should be considered in reducing and/or mitigating identified risks and delivering security and control best practices.

SECURITY CONSIDERATIONS

User access security settings to be considered when designing and implementing security for this sub-module. Where available, sensitive high-risk SAP transaction codes are provided with a description of the functionality. Access to these transactions should be reviewed and appropriately restricted.


USEFUL REPORTS

Key control reports for each sub-module covered have been provided. Where available, the report transaction code or report code have been provided with a description of the benefit provided. Management should consider implementing procedures for the review of these reports, where appropriate.

The following diagram is used throughout this handbook update to demonstrate how functionality, risks and control options relate. Risks can be mitigated through the implementation of one or a combination of control types, depending on organisational needs. These control types may be security related, specific control configurations, or through the development and review of control reports. This handbook provides good practice control options across security, configuration and reporting, which management should consider when implementing functionality or reviewing the SAP control environment.


[Diagram: Functionality at the centre, surrounded by Significant risks, Security considerations, Configuration hot spots and Useful reports]


Basis and cross application components

SECTION CONTENTS

Background ........................................................................................................................ .9

Environment .................................................................................................................... .10

SAP New Dimension Products ..................................................................................... .11

Security: User Security and the Profile Generator ................................................. .13

Functional Overview ............................................................................................................................................13

Significant Risks ....................................................................................................................................................13

Security Considerations ......................................................................................................................................14

Security: Derived Roles ................................................................................................. .15

Functional Overview ............................................................................................................................................15

Significant Risks ....................................................................................................................................................15

Configuration Hot Spots ....................................................................................................................................16

Security Considerations ......................................................................................................................................16

Useful Reports ........................................................................................................................................................17

Security: Central User Administration ...................................................................... .18

Functional Overview ............................................................................................................................................18

Significant Risks ....................................................................................................................................................19

Configuration Hot Spots ....................................................................................................................................19

Security Considerations ......................................................................................................................................19

Useful Reports ........................................................................................................................................................20

Security: Personalised User Menus ............................................................................ .21

Functional Overview ........................................................................................................................................... .21

Significant Risks ................................................................................................................................................... .21


Configuration Hot Spots ................................................................................................................................... .21

Security Considerations ..................................................................................................................................... .21

Useful Reports ........................................................................................................................................................22

Transport Management System .................................................................................. .23

Functional Overview ............................................................................................................................................23

Significant Risks ....................................................................................................................................................23

Configuration Hot Spots ....................................................................................................................................23

Security Considerations ......................................................................................................................................24

Useful Reports ........................................................................................................................................................24

Reporting .......................................................................................................................... .25

Functional Overview ............................................................................................................................................25

Significant Risks ....................................................................................................................................................25

Configuration Hot Spots ....................................................................................................................................25

Security Considerations ......................................................................................................................................25

InfoSet Query .................................................................................................................. .26

Functional Overview ............................................................................................................................................26

Significant Risks ....................................................................................................................................................26

Configuration Hot Spots ....................................................................................................................................26

Security Considerations ......................................................................................................................................26

SAP Business Warehouse (BW) ................................................................................... .27

Functional Overview ............................................................................................................................................27

Significant Risks ....................................................................................................................................................27

Configuration Hot Spots ....................................................................................................................................27

Useful Reports ........................................................................................................................................................27

Mass Maintenance ......................................................................................................... .28

Functional Overview ............................................................................................................................................28

Significant Risks ....................................................................................................................................................29

Security Considerations ......................................................................................................................................29

Useful Reports ........................................................................................................................................................30

Workflow .......................................................................................................................... .31

Functional Overview ........................................................................................................................................... .31

Significant Risks ....................................................................................................................................................32

Security Considerations ......................................................................................................................................32

Useful Reports ........................................................................................................................................................33


Background

An overview of the functionality, risks and controls of the SAP Basis module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The Basis module has undergone a number of changes since this release, with the main changes impacting on security and controls summarised below and detailed across the following Basis section.

Environment

With the advent of the SAP workplace and the ability to access SAP through an Internet browser, a wave of new SAP products has been developed, including Customer Relationship Management (CRM) and Supply Chain Management (SCM), each product requiring an underlying Basis module upon which to operate.

Security

A number of new security tools have been developed to assist in the configuration and maintenance of security in increasingly complex SAP environments. Tools considered in this section include the Profile Generator, Central User Administration, Derived Roles and Personalised Role Menus.

Transport Management System

As the SAP landscape has become more complex, so have change control mechanisms to manage changes. Since Release 3.1, a number of changes have taken place in the change control area; the most significant is the development of the Transport Management System (TMS).

Reporting

Reporting functionality within SAP has been enhanced significantly to provide greater ease of access to data. The development of new reporting tools has improved the way users can access and extract SAP data — these include Infoset Queries and the SAP Business Warehouse (BW).

Workflow

SAP Workflow is a cross application component but should also be viewed in the context of each business process to which it has been applied. Workflow, as a concept, has been detailed within this section. As well, some specific applications are discussed in the relevant business process areas.


Environment

With the introduction of the SAP Web GUI (Graphical User Interface), more agencies are web or partially web enabling their SAP systems. Core functionality required by large volumes of users (e.g. Employee Self Service) is well suited to being delivered through a standard web browser.

The following diagram illustrates how the introduction of the Web GUI has changed the SAP environment. The underlying SAP three tier environment remains largely unchanged from Version 3.1H for the SAP 4.5A – 4.6C environment. The primary change is the addition of the SAP Internet Transaction Server (ITS) enabling web connectivity and the delivery of SAP content through the Web.

Similar to the original SAP R/3 environment, the core three tier design of database, application and presentation layers remains. In previous SAP versions, communication between the application layer of SAP and the presentation layer or client PC would take place using software installed on the client PC — the SAP GUI. The development of the Internet Transaction Server (ITS) has allowed presentation of SAP content through a standard Web browser.

While high volume users will still access SAP using the SAP GUI installed on their machine, the ITS allows SAP functionality to be extended to a wider user community, with low volume processing, such as Employee Self Service, being delivered through a standard Internet browser.


[Diagram: Changes in the SAP environment. Basis release to 4.6C: database server (UNIX or NT); application server; presentation layer via SAP GUI (client PC), or via SAP-ITS application gate and SAP-ITS Web gate to a presentation layer in a Web browser on the client PC. SAP R/3 Enterprise (after 4.6C): database server (UNIX or NT); SAP Web application server combining the application server and a J2EE Web server; presentation layer via SAP GUI (client PC) or directly in a Web browser on the client PC]


The SAP R/3 Enterprise Environment has changed the original SAP R/3 environment to incorporate web interactivity with the underlying SAP application server. This has resulted in the SAP Web Application Server, an application server capable of hosting java based web applications, as well as performing all of the functions previously performed by the SAP Application Server.

Incorporating a Java web server into the SAP Web Application Server, SAP can now deliver SAP content directly to the Web Browser, without the need for the Internet Transaction Server.

SAP New Dimension Products

The SAP 4.6C environment builds on the existing R/3 environment to incorporate a number of new SAP products aimed at streamlining business processes and adding new functionality to the core R/3 product.

Key:

BW Business Warehouse

SAP CRM Customer Relationship Management

SAP SCM Supply Chain Management

SAP BI Business Intelligence

SAP APO Advanced Planning and Optimisation


[Diagram: New dimension products. Core R/3 components: SD Sales & distribution; FI Financial accounting; MM Materials management; PP Production planning; QM Quality management; PM Plant maintenance; HR Human resources; CO Controlling; AM Fixed assets management; PS Project system; WF Workflow; IS Industry solutions. New dimension products: SAP sales; SAP marketing; SAP service; Info DB; SAP APO; SAP logistics execution systems; SAP strategic enterprise management; SAP B2B procurement; BW; SAP CRM; SAP SCM; SAP BI]


A feature of the SAP ‘New Dimension’ products is that they each reside on a separate SAP installation (instance). Each product can be implemented independently, each requiring a separate SAP Basis installation. Basis settings and parameters must be configured for each of the ‘New Dimension’ implementations as well as the core R/3 implementation.

SAP’s suite of ‘New Dimension’ products can be divided into the following categories:

Business Intelligence

The core product in the Business Intelligence suite is SAP Strategic Enterprise Management (SEM). SAP–SEM allows management to take a holistic view of the organisation, providing them with the data they need to make strategic decisions. SAP–SEM consolidates business data, as extracted from the core SAP system, using the BW reporting tool.

SAP–SEM supports management processes in an integrated way, which means top-down translation of enterprise strategy into business unit, product and support centre targets, as well as bottom-up performance monitoring and related decision support.

Customer Relationship Management

SAP Customer Relationship Management (CRM) enhances the core SAP Sales and Distribution module to provide solutions for Customer Interaction, Marketing and Mobile Salespersons.

SAP–CRM manages customer relationships by providing employees with information on trading history and contacts with business customers in order to support sales activities.

Supply Chain Management

The core products in the Supply Chain Management suite are SAP Advanced Planning Optimiser (APO) and SAP Enterprise Buyer Professional (EBP, formerly SAP B2B).

SAP–APO is a supply network-planning tool designed to enable production-based organisations to effectively manage their supply networks.

SAP–EBP is an electronic procurement solution designed to automate the procurement process to the point of purchase order creation. SAP–EBP allows employees to browse pre-approved vendor catalogues and select items to be ordered, raising a requisition for approval. On approval of the requisition by the appropriate manager, a purchase order is automatically created in the core R/3 system.


Security: User Security and the Profile Generator

Functional Overview

From SAP Release 3.1G, SAP has continued to develop the Profile Generator to allow quicker development of authorisation profiles. All authorisations should now be created using the Profile Generator, as most new functionality relies upon the assignment of roles to users rather than authorisation profiles. It should be noted that assigning a role to a user will automatically assign the corresponding profile.

Benefits provided through the use of the Profile Generator to define authorisation profiles include:

• reduced complexity and ease of use; and

• simplification of role and profile administration.

With SAP Release 4.6C, there are now over 100 standard delivered roles or role templates. These can be used as a basis for the definition of customer specific roles, and will often contain the majority of transactions required for a particular function.

Care should, however, be taken when using these roles. Being generic, they will often contain more access than required, and will not contain any organisational restrictions.

A further enhancement has been the development of the password generator functionality in transaction SU01. This allows the security administrator to generate a random password for user accounts rather than a password which may be easily guessed.

Mass maintenance of user access security design and structure can now be performed in the Profile Generator, which will significantly improve efficiency and accuracy of changes being made to a large number of records.

When in the menu tab of the Profile Generator, transaction code names can be toggled on/off by selecting the magnifying glass icon in the top right of the tab.

SIGNIFICANT RISKS

• Unauthorised, or inappropriate, changes to user security resulting in excessive access, or users not having access to perform functions.

• Authorisation values may be inaccurately defined, granting inappropriate access to users.

• SAP standard delivered roles, if allocated without configuration, may not provide adequate organisational restrictions, or may contain transactions that the organisation has deemed to be segregation of duties conflicts.

• Passwords provided to users by security administration staff are standard, or easily guessable, resulting in unauthorised users gaining access to the SAP system.


SECURITY CONSIDERATIONS

• Authorisations where a ‘*’ value has been given should be reviewed to establish if appropriate. Where possible, ‘*’ values should be limited and be replaced with specific values.

• As with access to all user administration functionality, access to role maintenance activities should be controlled. Access should be restricted to the following transactions, which provide users with access to role and profile maintenance activities:

Tcode  Name                       Description
PFCG   Profile Generator          Tool for maintenance of roles and profiles.
SU01   Maintain User              Used for the creation and maintenance of User Master Records, including password resetting by system administrators.
SU02   Profile Maintenance        Tool for the direct maintenance of profiles (not recommended in version 4.0A or above; should be performed in the Profile Generator).
SU03   Authorisation Maintenance  Tool for the direct maintenance of authorisations (not recommended in version 4.0A or above).

• SAP standard roles, where utilised, should be used as a basis for the establishment of roles and should be checked for adequacy within the context of the security and control environment.

• SAP standard roles should be reviewed for transactions that your organisation has deemed segregation of duties conflicts.

• Security administrators should use the password generation facility in transaction SU01 when a user account is created or requires a password change. This will ensure that passwords are random and not easily guessable.


Security: Derived Roles

Functional Overview

The Profile Generator controls the creation of variants for different business units or departments within an organisation. This has resulted in the concepts of Responsibilities (Version 4.0B), Hierarchical Activity Groups (Version 4.5A) and more recently Derived Roles (Version 4.6A). All are conceptually similar in that they allow the security administrator to define a set of common transactions from which variant profiles can be created containing different organisational restrictions.

It should be noted that the use of Derived Roles can significantly reduce the resource required for security role maintenance. These can be further explained using the following diagram:

SIGNIFICANT RISKS

• Derived Roles are inappropriately configured, resulting in inappropriate user access. Due to limitations of the organisational data that can be derived, there are certain situations where Derived Roles cannot be used.

• Only security administration staff should have access to the Profile Generator (transaction PFCG) where Derived Roles are maintained.

• Where Derived Roles have been defined, the master role should not be assigned to end users as this will normally contain access to all organisational data.


Derived roles (diagram)

MASTER ROLE: all company codes, all cost centres.
CHILD ROLE, Business unit (BU) 'A' role (Derived Role A): BU 'A' company codes, BU 'A' cost centres.
CHILD ROLE, Business unit (BU) 'B' role (Derived Role B): BU 'B' company codes, BU 'B' cost centres.


CONFIGURATION HOT SPOTS

• Ensure that naming conventions have been appropriately defined which clearly identify master and child roles.

• Where Derived Roles are used and all data (with the exception of organisational data) is to be derived down to the child role, child roles should not be directly maintained. All changes to the child role will be overwritten the next time information is derived from the master role.
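The master/child relationship described in the Functional Overview, and the hot spot above that direct changes to a child role are lost on the next derivation, can be modelled and checked as follows. This is an added Python example, not code from the handbook or from SAP; the role names, the organisational-level field names BUKRS and KOSTL and the _MASTER naming convention are assumptions made for illustration.

```python
"""Model of SAP master and derived (child) roles for audit review.
Added example, not from the ANAO handbook or from SAP. Role names, the
organisational-level field names and the naming convention are assumed."""
from copy import deepcopy
from dataclasses import dataclass

# Organisational levels: the only fields in which a child may differ from
# its master. Company code and cost centre follow the handbook's diagram;
# the technical field names BUKRS and KOSTL are an assumption.
ORG_LEVELS = {"BUKRS", "KOSTL"}


@dataclass
class Role:
    name: str
    transactions: set      # transaction codes in the role menu
    auth_values: dict      # authorisation field name -> set of values


def derive(master, child_name, org_values):
    """Derive a child role: copy everything from the master, then replace
    only the organisational levels with the business unit's own values."""
    not_org = set(org_values) - ORG_LEVELS
    if not_org:
        raise ValueError(f"only organisational levels may be overridden: {sorted(not_org)}")
    child = Role(child_name, set(master.transactions), deepcopy(master.auth_values))
    for fld, values in org_values.items():
        child.auth_values[fld] = set(values)
    return child


def rederive(master, child):
    """Push the master's data down to an existing child again. Only the
    child's organisational levels survive: any direct change made to the
    child is overwritten, which is the configuration hot spot above."""
    org_values = {f: v for f, v in child.auth_values.items() if f in ORG_LEVELS}
    return derive(master, child.name, org_values)


def master_stem(master_name):
    """Assumed naming convention: master roles end in _MASTER and children
    share the stem, e.g. Z_AP_CLERK_MASTER -> Z_AP_CLERK_A, Z_AP_CLERK_B."""
    suffix = "_MASTER"
    return master_name[:-len(suffix)] if master_name.endswith(suffix) else master_name


def review(master, children, user_roles):
    """Audit checks taken from this section:
    - the master role must not be assigned to end users;
    - children must be identifiable by the naming convention;
    - a child whose non-organisational data differs from the master has been
      maintained directly and will lose those changes on the next derivation."""
    findings = []
    for user, roles in user_roles.items():
        if master.name in roles:
            findings.append(f"{user}: master role {master.name} assigned to an end user")
    stem = master_stem(master.name)
    for child in children:
        if not child.name.startswith(stem + "_") or child.name == master.name:
            findings.append(f"{child.name}: does not follow naming convention for {stem}")
        if child.transactions != master.transactions:
            findings.append(f"{child.name}: transactions differ from master (direct maintenance?)")
        for fld, values in master.auth_values.items():
            if fld not in ORG_LEVELS and child.auth_values.get(fld) != values:
                findings.append(f"{child.name}: {fld} differs from master (direct maintenance?)")
    return findings


if __name__ == "__main__":
    # Constructed sample landscape: one master role, two business units.
    master = Role("Z_AP_CLERK_MASTER", {"FB60", "FB65"},
                  {"BUKRS": {"*"}, "KOSTL": {"*"}, "ACTVT": {"01", "02", "03"}})
    bu_a = derive(master, "Z_AP_CLERK_A", {"BUKRS": {"1000"}, "KOSTL": {"1000*"}})
    bu_b = derive(master, "Z_AP_CLERK_B", {"BUKRS": {"2000"}, "KOSTL": {"2000*"}})
    bu_b.transactions.add("FB08")          # a direct change to the child role
    assignments = {"JSMITH": {"Z_AP_CLERK_A"}, "ADMIN1": {"Z_AP_CLERK_MASTER"}}
    for finding in review(master, [bu_a, bu_b], assignments):
        print(finding)
    print(sorted(rederive(master, bu_b).transactions))   # FB08 is gone again
```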

SECURITY CONSIDERATIONS

• Access to role administration should be tightly controlled and restricted to only relevant user administration staff. Access to the following transactions should be restricted:

Tcode                                                                                               Name                 Description
OY21, GCE2, O002, OBZ8, OD03, OIBP, OMDM, OMEI, OMM0, OMSO, OMWG, OOPR, OP15, OPCB, OPE9, OPJ1   Profile Maintenance  These transactions all allow direct access to profile maintenance.


USEFUL REPORTS

Report Transaction  Name                                 Description
S_BCE_68001425      Roles by complex selection criteria  Interrogation of roles in the system by a number of different criteria.
S_BCE_68001418      Roles by role name                   Interrogation of roles in the system by role name.
S_BCE_68001419      Roles by user assignment             Interrogation of roles in the system by user assignment.
S_BCE_68001420      Roles by transaction assignment      Interrogation of roles in the system by transaction assignment.
S_BCE_68001421      Roles by profile assignment          Interrogation of roles in the system by profile assignment.
S_BCE_68001422      Roles by authorisation object        Interrogation of roles in the system by authorisation object.
S_BCE_68001423      Roles by authorisation values        Interrogation of roles in the system by authorisation values.
S_BCE_68001424      Roles by change date                 Interrogation of roles in the system by change date.


Security: Central User Administration

Functional Overview

With the advent of the SAP Workplace and various other new component systems, the SAP landscape has become significantly more complex than the original R/3 system. As a result, user administration has become more complex.

Central User Administration (CUA) addresses the difficulties of user administration by allowing all user administration activities to be performed from a central system. CUA is available from SAP Versions 4.5A and above, and recent versions of the Web Application Server (6.2), and can significantly reduce the resource required for user maintenance.

CUA does not cater for single sign-on or for the synchronisation of passwords across each SAP system.

The following diagram illustrates the CUA concept. Communication between systems is achieved using SAP Application Link Enabling (ALE). ALE is SAP’s process that provides for the exchange of data between SAP systems.

Key:
SAP EBP: Enterprise Buyer Professional
SAP CRM: Customer Relationship Management

CUA landscape (diagram): a CENTRAL SYSTEM (SAP R/3 4.5A or higher) connected by ALE to an SAP EBP SYSTEM, an SAP CRM SYSTEM and an SAP R/3 SYSTEM.


SIGNIFICANT RISKS

• CUA configuration and ALE landscape may not be configured correctly, resulting in failure of systems to interface effectively.

• Access to CUA functions may not be adequately secured, resulting in unauthorised changes to users’ access rights.

• Access to Application Link Enabling (ALE) configuration may not be adequately secured.

• CUA error and distribution logs may not be reviewed and followed up on a timely basis.

CONFIGURATION HOT SPOTS

• Patches from SAP must be applied to install and run CUA.

• Field selection configuration should be performed in transaction SCUM ‘User Distribution Field Selection’ to define the system (local or global) in which each item of user master data and security is maintained. Through this transaction, configuration of user locks is performed to define their operation.

SECURITY CONSIDERATIONS

• Access to the configuration of Central User Administration (CUA) transactions should be controlled. Consideration should be given to restricting access to only relevant user administration staff to the following CUA maintenance transactions:

Tcode  Name                         Description
SALE   Display ALE Customising      Used to configure the ALE environment for CUA. This transaction also allows access to other ALE and Remote Function Call (RFC) configuration.
SCUA   Central User Administration  Transaction used to maintain the CUA landscape.
SCUL   Central User Management Log  Transaction used to view CUA audit and error logs.
SCUM   Central User Administration  Transaction used to define field distribution for CUA.


USEFUL REPORTS

Report / Transaction  Name                         Description
SCUL                  Central User Management Log  This transaction reports on CUA errors and audit log.


Security: Personalised User Menus

Functional Overview

SAP Version 4.6 and the first release of mySAP.com Workplace saw a move towards personalisation within the SAP environment. SAP menus can now be personalised for each role. When these roles are assigned to a user and combined with other roles containing personalised menus, the user is presented with a menu structure unique to their individual role assignments.

SIGNIFICANT RISKS

• Folder structures within the SAP menu structure (see above) are created which do not reflect the actual business structure. It is important to ensure that these are developed in consultation with the business, and do not take on a technical focus.

CONFIGURATION HOT SPOTS

• User menu configuration should be such that menus are efficient in use. Table SSM_CUST contains settings which affect the user menus, including whether folders should be condensed, whether duplicate transactions should be deleted and whether the menus should be sorted.

SECURITY CONSIDERATIONS

• In addition to controlling access to the Profile Generator (transaction PFCG), access should also be controlled to the maintenance of table SSM_CUST.


USEFUL REPORTS

Report Transaction   Name                       Description
SURL_LAUNCHPAD_TEST  Test Launchpad Generation  When the Workplace has been implemented this report can be used to test the contents of a user’s launchpad including personalised user menu entries.


Transport Management System

Functional Overview

With the release of Version 4.0, SAP introduced the Transport Management System (TMS), which centralised the configuration for the Change and Transport System (CTS) for all R/3 systems. TMS gives the SAP Administrator the ability to manage all SAP change requests from a centralised location (i.e. from one SAP client). It also allows pre-defined transport routes to be configured, minimising human error in the import and export of transportable objects.

A key feature of the TMS is that it has allowed for the management of change queues from within the R/3 system and has removed the need to have deep UNIX / Windows skills for day to day SAP Administration (although these skills are still required for the administration of the underlying database).

The introduction of TMS allows for greater control over the SAP system account and has led to configuration of a simplified SAP landscape. TMS has replaced the need to use transaction SE06 and previously configured CTS tables.

SIGNIFICANT RISKS

• Administration functions such as client copies are not restricted to authorised personnel and are performed inappropriately.

• Programs in production have not gone through an appropriate change approval process.

• Developers make changes (and test changes) directly in programs in the production system (in non-emergency situations). Changes should go through the normal domain transport route.

CONFIGURATION HOT SPOTS

• Transaction STMS now controls the movement of objects from one SAP system to another, replacing functionality in transaction SE06.


SECURITY CONSIDERATIONS

• Access to the following transport management transactions should be restricted to authorised ‘Basis team’ users only.

Tcode       Name                         Description
SCC1, SCC4  Client Administration        Transactions SCC1 and SCC4 allow users to create a client (SCC1) and copy data from an existing client to a target client (SCC4). In addition there are other copy transactions (SCCX) that perform functions such as copying user files that should be protected and should be restricted.
SE10        Transport Organiser          This transaction is used by system configuration staff to manage and verify transport requests.
SE11        ABAP Dictionary              This transaction is used by developers to manage and release their transport requests.
STMS        Transport Management System  Transaction STMS now controls the movement of objects from one SAP system to another (previously performed within transaction SE06).

USEFUL REPORTS

Both Transport logs and Action logs are available through the Transport Organiser. These can be used to provide an audit trail of transport activity.


Reporting

Functional Overview

With the advent of personalised roles, reporting security has changed significantly. In previous versions of SAP, reports were secured by attaching them to a report tree. Report trees were then allocated to users to ensure users could only access approved reports.

Since folders can be specified in individual roles, personalised roles effectively make reporting trees redundant. In order to make the allocation of reports to roles easier, SAP have therefore assigned a large number of standard SAP reports to transaction codes.

Although report trees can still be displayed through most Web GUI configurations, it may be more appropriate to assign reports through personalised roles, and remove report trees altogether.

SIGNIFICANT RISKS

• Although transaction codes have now been assigned to SAP standard reports, the authorisation objects checked by these reports have not been attached to these transaction codes. In order to allocate reports to end-users, it is therefore still necessary to establish the required authorisation objects through testing and allocate these to the appropriate roles.

CONFIGURATION HOT SPOTS

• All reports and programs developed should contain appropriate authorisation checks to ensure that only authorised users are able to execute them.

SECURITY CONSIDERATIONS

• Reports which do not contain adequate authorisation object security will be accessible to any user who has access to the transaction code required to start the report. Where users are configured with access to all transaction codes, through the application of a ‘*’ in the S_TCODE object, or a value that contains a ‘*’ (for example ‘S*’), there is an increased risk that reports or programs may be accessed inappropriately.
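The consideration above, together with the earlier role maintenance consideration that every ‘*’ authorisation value be reviewed, can be checked mechanically against extracted role authorisation data. The following Python is an added example and not code from the handbook or from SAP: the records are constructed in the shape of role authorisation data (role, object, field, low, high), the list of sensitive transactions is taken from this handbook, and the value matching is a simplification of SAP's semantics.

```python
"""Review of S_TCODE values in role authorisation data.
Added example, not from the ANAO handbook or from SAP. The records below are
constructed in the shape of role authorisation data (role, object, field,
low, high); the value matching is a simplification of SAP's semantics."""

# Transactions named in this handbook whose use should be restricted.
SENSITIVE_TCODES = {"SU01", "SU10", "PFCG", "SCUA", "SCUM", "STMS", "SCC4",
                    "SE06", "MSL2", "SQ01"}

# Constructed sample extract: one record per authorisation field value.
SAMPLE_AUTHS = [
    {"role": "Z_REPORT_USER", "object": "S_TCODE", "field": "TCD", "low": "S*", "high": ""},
    {"role": "Z_AP_CLERK_A", "object": "S_TCODE", "field": "TCD", "low": "FB60", "high": "FB65"},
    {"role": "Z_AP_CLERK_A", "object": "S_TCODE", "field": "TCD", "low": "S_BCE_68001418", "high": ""},
    {"role": "Z_AP_CLERK_A", "object": "F_BKPF_BUK", "field": "BUKRS", "low": "1000", "high": ""},
    {"role": "Z_SUPER", "object": "S_TCODE", "field": "TCD", "low": "*", "high": ""},
]


def value_matches(low, high, candidate):
    """Simplified SAP authorisation value matching: a filled 'high' makes an
    inclusive range, '*' on its own grants everything, a trailing '*' is a
    prefix match (so 'S*' covers every S transaction), otherwise exact."""
    if high:
        return low <= candidate <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return candidate.startswith(low[:-1])
    return candidate == low


def tcode_values(auths, role):
    """All (low, high) pairs a role holds for S_TCODE field TCD."""
    return [(a["low"], a["high"]) for a in auths
            if a["role"] == role and a["object"] == "S_TCODE" and a["field"] == "TCD"]


def can_start(auths, role, tcode):
    """Can a user holding only this role start the transaction? For a report
    without its own authorisation checks this is the only gate, which is the
    point of the security consideration above."""
    return any(value_matches(low, high, tcode) for low, high in tcode_values(auths, role))


def star_values(auths):
    """Every authorisation field, on any object, that has been given '*'."""
    return sorted((a["role"], a["object"], a["field"]) for a in auths if a["low"] == "*")


def wildcard_findings(auths, sensitive=SENSITIVE_TCODES):
    """Roles whose S_TCODE holds '*' or a generic value, with the sensitive
    transactions that value silently covers."""
    findings = []
    for role in sorted({a["role"] for a in auths}):
        for low, high in tcode_values(auths, role):
            if low == "*" or low.endswith("*"):
                covered = sorted(t for t in sensitive if value_matches(low, high, t))
                findings.append({"role": role, "value": low, "covers": covered})
    return findings


if __name__ == "__main__":
    for f in wildcard_findings(SAMPLE_AUTHS):
        print(f"{f['role']}: S_TCODE {f['value']} covers {', '.join(f['covers'])}")
    for role, obj, fld in star_values(SAMPLE_AUTHS):
        print(f"{role}: '*' on {obj}/{fld}, review and replace with specific values")
```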


InfoSet Query

Functional Overview

The InfoSet Query (InfoSet replaces the term functional area) functionality has been provided to allow users greater flexibility in reporting across all areas of the SAP system. InfoSet Query has been developed from the HR ad-hoc query reporting which was developed in prior versions of SAP.

InfoSet Query has been developed to provide users the tools necessary to quickly develop and run data queries.

SIGNIFICANT RISKS

• Unauthorised access to sensitive and confidential data, including HR data.

CONFIGURATION HOT SPOTS

• Consideration should be given to logging reporting performed using InfoSet Query. In order for logging to be available, it is necessary to configure this. Configuration of InfoSet logging can be maintained through the IMG (Basis Components - SAP Query - Logging - Determine InfoSets for Logging).

SECURITY CONSIDERATIONS

• Access to perform InfoSet Queries is defined using roles or SAP Query user groups. These can be configured to restrict access to relevant and appropriate InfoSets.

• Procedures should be defined for the periodic review of InfoSet Query log data. This data is recorded in the Query Logging table (AQPROT).

• Consideration should be given to restricting access to the following transactions that provide the user with access to the InfoSet Query.

Tcode           Name                                   Description
S_PH0_48000513  Ad Hoc Query                           Ad-hoc queries on various data sets.
SQ01            Query from User Group: Initial Screen  Used for the creation, change, deletion and execution of InfoSet Queries.
SQ02            InfoSet: Initial Screen                Used for the creation, change, deletion and execution of InfoSet Queries.
SQ03            User Groups: Initial Screen            Used in the allocation of user groups to roles or users.


SAP Business Warehouse (BW)

Functional Overview

The SAP Business Warehouse is SAP’s data warehousing solution and is available to support SAP core functionality. A Data Warehouse stores data in a format optimised for reporting in a separate system from the operational system(s) that collect the transactional data. This allows the operational system (SAP R/3) to get on with the real-time data processing, whilst the data warehouse (SAP–BW) caters for the resource intensive reporting requirements.

SAP–BW includes the tools required to extract, standardise and maintain the data and to produce the reports. As a Data Warehousing solution, SAP–BW is designed to work with any data source, not just SAP systems.

SIGNIFICANT RISKS

• Unauthorised access to sensitive and confidential data through the BW system.

CONFIGURATION HOT SPOTS

• In BW, field level authorisations will not be checked unless switched on. A user may therefore be able to see data in the BW system for which they are not authorised in the R/3 system. Important fields (characteristics) should be checked to ensure they are defined as authorisation relevant.

• Reporting objects should be linked to InfoCubes where authorisation checks are required. Where checks are required, authorisations should then be created for those InfoCubes and assigned to appropriate users.

USEFUL REPORTS

Report  Name                            Description
RSSM    Authorisation Check Log report  Allows monitoring of the resolution of authorisation errors.


Mass Maintenance

Functional Overview

Mass Maintenance functionality has been developed as an effective tool to maintain large amounts of data. For example, the Mass Maintenance functions allow a user to change data in a large number of purchase orders or requisitions through the execution of a transaction.

Mass maintenance functions are supported for a number of documents including:

- Material Master
- General Ledger Records
- Purchasing Info Records
- Vendor Master
- Purchase Orders and Purchase Requisitions
- User Master

Users can operate the Mass Maintenance tool in dialog, background or a combination of both. The process can be summarised as follows:

Document mass maintenance

1. Select object to be changed
2. Select records to be changed
3. Select table and field to be changed
4. Specify change and execute


SIGNIFICANT RISKS

• Inappropriate or unauthorised changes may be made to large amounts of data.

• System performance may be impacted by the execution of large Mass Maintenance activities.

SECURITY CONSIDERATIONS

• Due to the increased risk associated with providing a user with the ability to maintain and change large amounts of data simultaneously, access to the following key transactions should be restricted to key experienced staff with authority to make changes:

Tcode                               Name                                              Description
XK99                                Mass maintenance, vendor master                   Used to change one or more vendors simultaneously.
MSJ1                                Mass Maintenance in the Background                Used to change one or more items via background processing.
MM17                                Mass Maintenance: Indus. Material Master          Used to change one or more Material Master records simultaneously.
MM46                                Mass Maintenance: Retail Material Master          Used to change one or more Retail Material Master records simultaneously.
FMMI                                Mass Maintenance of Open Intervals                Used to change one or more Open Intervals simultaneously.
WTAD_VKHM_MAINTAIN                  Mass Maintenance Materials/Adds.                  Used to change one or more Material Master records simultaneously.
IMAM                                Mass maintenance of appropriation requests        Used to change one or more appropriation requests simultaneously.
KE55                                Mass Maintenance Profit Centre Master Data        Used to change one or more Profit Centre Master records simultaneously.
KE56, KE57                          EC–PCA: Mass Maintenance Company Code Assignment  Used to change one or more Company Code assignments simultaneously.
MASSOBJ                             Maintain Mass Maintenance Objects                 Used to change one or more objects simultaneously.
OB_GLACC11, OB_GLACC12, OB_GLACC13  G/L acct record: Mass maintenance                 Used to change one or more G/L records simultaneously.
QI05, QI06                          QM Mass maintenance Procurement keys              Used to change one or more QM Procurement keys simultaneously.
SOY1                                SAPoffice: Mass Maintenance Users                 Used to change one or more users simultaneously.
SU10                                User Mass Maintenance                             Used to change one or more users simultaneously.
WB30                                Mass maintenance MG to plant                      Used to change one or more Plants or Material Groups simultaneously.
XD99                                Customer master mass maintenance                  Used to change one or more customer master records simultaneously.

• Access should also be segregated from a user’s ability to delete the mass maintenance logs that are generated when a user executes mass maintenance transactions.

Tcode  Name                          Description
MSL2   Delete Mass Maintenance Logs  Allows for the deletion of the mass maintenance log, a key audit trail in the performance of Mass Maintenance.

USEFUL REPORTS

Procedures should be implemented for review of the Mass Maintenance log on a periodic basis to ensure inappropriate mass maintenance actions are not occurring.

Tcode  Name                  Description
MSL1   Mass Maintenance Log  Provides access to an audit trail of mass maintenance activity performed.


Workflow

Functional Overview

Workflow has become a feature of many SAP implementations where repetitive and often manual business processes can be automated to achieve efficiency gains. Through automated routing of transactions, Workflow is particularly suited to notification and approval tasks.

Human Resources processes such as ESS (Employee Self Service), Time Management and the Managers Desktop in particular make extensive use of Workflow for the approval of tasks such as leave requests or the completion of staff appraisals.

‘Deadline Monitoring’ can be incorporated in the design of workflows to issue reminders for items that have not been actioned within a reasonable timeframe, or to escalate unactioned workflow items for the attention of others. In addition, the Workflow administrator should review for slow moving, unprocessed or erroneous transactions. These transactions can result in business dissatisfaction or inefficient business processes and should be carefully monitored and resolved as required.

Below is an example of the use of Workflow in the Purchase Requisition (PR) creation and approval process.

Workflow example (diagram)

Triggering event: PR raised over $5000.
User task: PR sent to requester's manager for approval.
Until loop step: wait for approval.
Deadline monitoring: performed to identify exceptions, issue reminder or escalate to next level approver.
Decision approved. Workflow result: SAP PO automatically created.
Decision rejected. Workflow result: requester notified of rejection and reason.


SIGNIFICANT RISKS

• Rules for the system selecting an approver, or delegate of an approver, are not correctly defined. This is particularly an issue when the process is driven by the organisational structure.

• Managers do not review workflow tasks and respond on a timely basis, resulting in user dissatisfaction and inefficient business processes.

• Routing of transactions may not be fully defined, resulting in unprocessed items.

• Deadline Monitoring processes are not put in place to monitor Workflow transactions.

SECURITY CONSIDERATIONS

• Access to the following Workflow related transactions should be restricted to authorised users only.

Tcode  Name                           Description
SWXX   Workflow related transactions  Workflow transactions are prefixed with SW. These transactions should be restricted to Workflow administration staff.

• Access should also be restricted to any alternative or client developed Workflow based transactions, based on the level of implementation of workflow performed.


USEFUL REPORTS

The following reports can be used in the administration of workflow:

Report Transaction  Name                                     Description
PFTC_DIS            Display Task                             Allows the display of workflow templates and configuration (incl. the graphical workflow representation in the workflow builder).
SWI1                Selection report for Work Items          Displays work items and their current statuses. Allows the selection and display of individual work items.
SWI2_ADM1           Workflow Items without Agents            Allows the monitoring of workflow items without appropriate user assignments.
SWI2_DEAD           Workflow Items with monitored Deadlines  Allows you to monitor workflow deadlines.
SWI2_DIAG           Diagnosis of Workflows with Errors       Error analysis and diagnosis.

Procurement to payables

SECTION CONTENTS

Background 37

Enterprise Buyer Professional (EBP) 38
  Functional Overview 38
  Significant Risks 39
  Configuration Hot Spots 39
  Security Considerations 41
  Useful Reports 42

Vendor Field Groups 43
  Functional Overview 43
  Significant Risks 43
  Configuration Hot Spots 43
  Security Considerations 43

Dual Control for Changes to Master Records 44
  Functional Overview 44
  Significant Risks 44
  Configuration Hot Spots 44
  Security Considerations 44
  Useful Reports 45

Blanket Purchase Orders 46
  Functional Overview 46
  Significant Risks 46
  Configuration Hot Spots 46
  Security Considerations 47
  Useful Reports 47

Logistics Invoice Verification 48
  Functional Overview 48
  Significant Risks 48
  Configuration Hot Spots 49
  Security Considerations 49

Automatic PO Creation 51
  Functional Overview 51
  Significant Risks 51
  Configuration Hot Spots 51
  Security Considerations 51
  Useful Reports 52

Background

An overview of the functionality and risks and controls of the procurement to payables component as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. This functionality has undergone a number of changes since this release; these changes have been implemented to improve efficiency and controls within the procurement to payables processes and are detailed across the following sections:

Enterprise Buyer Professional (EBP)

EBP has been developed to increase efficiency in the procurement process. This is achieved through the use of on-line catalogues containing approved vendors and goods, where users can request the supply of goods through a ‘shopping basket’ process.

Vendor Master Data

While vendor master data in itself has not changed significantly in Version 4.6C, the controls and methods surrounding securing vendor master data have been improved. Improvements have included the introduction of vendor field groups and authorisation of changes made to sensitive vendor fields.

Blanket Purchase Orders (POs)

With Release 4.0A of SAP it has become possible to create POs with a value limit and a validity period instead of a delivery date, making it possible to create Blanket POs rather than having to create a PO for each requirement when purchasing goods to be consumed immediately.

Logistics Invoice Verification (LIV)

While LIV has been available in SAP since Release 3.0A, a number of enhancements have been made to LIV processes.

Automatic PO Creation

On entry of a goods receipt for which a PO has not been created, it is possible to configure the SAP system so that these POs are automatically created.

Mass Maintenance of Master Data

Functionality has been implemented to allow for Mass Maintenance of master data including Material and Vendor Master records. Details of Mass Maintenance functionality have been provided in the Basis and Cross Application components section of this handbook.


Enterprise Buyer Professional (EBP)

Functional Overview

EBP (previously BBP) was developed to allow users to purchase predefined products from approved vendors using an on-line catalogue. Users browse through the on-line catalogue selecting products and required quantities that are then put into a user's Shopping Cart.

The EBP process is summarised in the following diagram (reproduced here as the list of its steps; the original diagram also indicated whether each step is processed in the EBP system, in EBP or the core R/3 system, or in the core R/3 system):

• Requester selects goods from the catalogue and places them in the 'shopping trolley'.
• Requester submits the 'shopping trolley' and Workflow routes it to a delegate or approver.
• Delegate or approver receives and approves or rejects the request via Workflow.
• On approval a purchase order is created.
• Goods are received by the requester.
• Requester enters the goods receipt into EBP.
• Invoice is received from the supplier or generated through evaluated receipt settlement.
• Three way match is performed and payment is made.

Catalogues available to users may be internal or external. Where external catalogues are available, the approved vendors can maintain these.

EBP users do not enter prices or material descriptions as these are selected from the catalogue. Most header information for the order is automatically populated by EBP (e.g. the delivery date is populated through the use of the Vendor Info Record, and the Vendor is taken automatically from the catalogue).

The EBP user specifies the deliver-to address from a list of pre-defined configured deliver-to addresses.

The EBP system resides on a separate SAP installation from the core SAP system and therefore requires a separate SAP Basis installation. This means that Basis settings and parameters should also be correctly configured to appropriately control the EBP environment.


SIGNIFICANT RISKS

• Approval processes and Workflow are not appropriately defined, resulting in unauthorised procurement of goods.
• Limits for shopping trolleys, approval levels or the minimum value of shopping trolleys not requiring approval may not be correctly configured, resulting in inappropriate procurement of goods.
• Changes to shopping trolleys may be executed following approval, resulting in non-authorised procurement of goods.
• Invoices can be entered via EBP, resulting in increased risk of inappropriate access or segregation of duties risks.

CONFIGURATION HOT SPOTS

• Back end interfacing systems should be defined to ensure that data is interfaced appropriately. This will generally mean defining the interface between the EBP system and the core R/3 system.
• Fields, or attributes, to appear on EBP screens should be defined. This will include defining the user groups and activities that can be performed for each of the fields (for example, define that the requester can ‘change’ the deliver-to address).
• Key fields to be completed should be configured as mandatory to ensure all relevant information is captured. This will ensure that data is available to create relevant purchasing documents.
• Product catalogues should be configured to ensure that users are able to appropriately select from approved internal or external sources.
• Workflow should be configured to ensure appropriate approval processes are triggered when an EBP transaction is executed.
• Deliver-to addresses should be configured to ensure goods are only delivered to approved delivery points.
• Appropriate delegation limits should be configured for EBP transactions. For example, consideration should be given to the configuration of the following through Workflow events.

  Condition          Example
  No Approval        Where shopping trolleys are less than an approved amount, the Workflow may be configured so that No Approval is required. Limits should be applied in line with delegation policy.
  Single Approval    Where the shopping trolley is greater than the No Approval limit, manager approval should be required and configured through Workflow. This should ideally be driven from the organisational structure.
  Double Approval    Consideration should be given to the application of a Double Approval step where the value of the purchase is above a specified amount. In this case a line manager and a higher-level manager would approve.

• High-risk material groups should be configured to require approval regardless of the dollar value of the goods provided. This may improve controls with regard to certain materials that are at particular risk of inappropriate purchase.
• Output from the execution of EBP transactions should be configured. For example, POs may be automatically generated following the entry and approval of an EBP transaction. Alternatively, purchase requisitions may be generated and require a Purchasing Officer to create the PO.
• Payment terms configured in the EBP system should correspond with those defined in the core SAP system to ensure that there are no inconsistencies.


SECURITY CONSIDERATIONS

• The EBP system resides on a separate instance of SAP and interfaces with a core SAP system. The EBP system Basis components should be appropriately configured and secured.
• Consideration should be given to configuration of Personalisation settings at an individual or role level. These may include the following:

  Personalisation Object Key    Description
  BBP_APPROVAL_LIMIT            Highest value of shopping cart that can be approved.
  BBP_SPENDING_LIMIT            Value above which approval is necessary.
  BBP_WFL_SECURITY_BADI         Specifies whether a change can be made, or what actions should be taken, when changes are made to a shopping cart during the approval process. Consideration should be given to forcing the approval process to re-start when changes are made.

• EBP administration transactions as well as EBP end user transactions should be appropriately restricted. These include, but are not limited to:

  Tcode                        Name                                             Description
  BBPAT03                      Create User                                      EBP transaction used to create a user ID.
  BBPAT04                      Forgotten User ID/Password                       EBP transaction to request / apply for password and user ID.
  BBPAT05                      Change User Data                                 Transaction used to change or display EBP user details.
  BBPIV01, BBPIV02, BBPIV03    Entry of Invoice                                 EBP transactions used to enter invoices.
  BBPPU07                      Access to the Managers Inbox                     EBP transaction used to access the Manager's Inbox and related information.
  BBP_BW_SC3, BBP_BW_SC4       Shopping Carts per product or per Cost Center    Business Warehouse reports used to display summarised shopping cart information.
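The approval conditions in the Configuration Hot Spots table (No Approval, Single Approval, Double Approval, and approval regardless of value for high-risk material groups) together with the BBP_SPENDING_LIMIT, BBP_APPROVAL_LIMIT and BBP_WFL_SECURITY_BADI settings can be modelled as a small piece of routing logic. The Python below is an added illustration written for this update, not ANAO or SAP code: the limits, material groups and user names are constructed, the rule that an approver whose BBP_APPROVAL_LIMIT is below the cart value does not finalise approval (the cart escalates) is an assumption, and any change to an approved cart re-starts the approval process, the restrictive option the handbook recommends.

```python
"""Approval routing for an EBP-style shopping cart (added example, not ANAO or SAP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Item:
    material_group: str
    quantity: int
    unit_price: float  # taken from the catalogue; EBP users do not enter prices

    @property
    def value(self) -> float:
        return self.quantity * self.unit_price


@dataclass
class ShoppingCart:
    requester: str
    items: List[Item]
    status: str = "SAVED"                    # SAVED -> AWAITING_APPROVAL -> APPROVED
    approvals: List[str] = field(default_factory=list)

    @property
    def value(self) -> float:
        return sum(i.value for i in self.items)


@dataclass
class WorkflowConfig:
    spending_limit: float          # BBP_SPENDING_LIMIT: value above which approval is necessary
    double_approval_above: float   # constructed: value above which a second, higher-level approval is needed
    high_risk_groups: Set[str]     # constructed: material groups that always require approval
    approval_limits: Dict[str, float]  # BBP_APPROVAL_LIMIT per approver: highest cart value they may approve


def required_approvals(cart: ShoppingCart, cfg: WorkflowConfig) -> int:
    """Number of approval steps (0, 1 or 2) the Workflow conditions demand for this cart."""
    high_risk = any(i.material_group in cfg.high_risk_groups for i in cart.items)
    if cart.value > cfg.double_approval_above:
        return 2
    if cart.value > cfg.spending_limit or high_risk:
        return 1
    return 0


def submit(cart: ShoppingCart, cfg: WorkflowConfig) -> str:
    """Submit the cart; carts needing no approval are approved immediately."""
    cart.approvals = []
    cart.status = "APPROVED" if required_approvals(cart, cfg) == 0 else "AWAITING_APPROVAL"
    return cart.status


def approve(cart: ShoppingCart, approver: str, cfg: WorkflowConfig) -> str:
    """Record one approval step and return the resulting cart status."""
    if cart.status != "AWAITING_APPROVAL":
        raise ValueError("cart is not awaiting approval")
    if approver == cart.requester:
        raise PermissionError("requester may not approve their own cart")
    if approver in cart.approvals:
        raise PermissionError("the same approver may not give both approvals")
    if approver not in cfg.approval_limits:
        raise PermissionError(f"{approver} has no approval limit configured")
    cart.approvals.append(approver)
    steps_done = len(cart.approvals) >= required_approvals(cart, cfg)
    # Assumption: at least one approver's BBP_APPROVAL_LIMIT must cover the cart value,
    # otherwise the cart stays open and escalates to a higher-level approver.
    limit_ok = max(cfg.approval_limits[a] for a in cart.approvals) >= cart.value
    if steps_done and limit_ok:
        cart.status = "APPROVED"
    return cart.status


def change_after_approval(cart: ShoppingCart, new_items: List[Item], cfg: WorkflowConfig) -> str:
    """Models a restrictive BBP_WFL_SECURITY_BADI: any change discards approvals and re-submits."""
    cart.items = new_items
    return submit(cart, cfg)
```

Run with a constructed configuration such as `WorkflowConfig(500.0, 5000.0, {"IT_HARDWARE"}, {"mgr": 5000.0, "director": 50000.0})`: a 200-dollar stationery cart is approved on submission, a 200-dollar IT hardware cart needs one approval because of its material group, and a 7500-dollar cart needs two approvals, the second from someone whose limit covers the value.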


USEFUL REPORTS

EBP is an extension of existing procurement functionality and, as such, core SAP reports applicable to procurement are equally applicable to EBP processes.

Workflow is key to successful operation of EBP. Work items may be left in error or not resolved, resulting in failure of the EBP process. Processes should be put in place for the running of control reports to ensure that all transactions are processed appropriately.

Consideration should also be given to reviewing reports detailing catalogue content changes for all external catalogues to ensure these are appropriate.


Vendor Field Groups

Functional Overview

As of Version 3.1H of SAP, field groups have been implemented to improve controls over changes to vendor (and customer) master records. Vendor field groups can be used to restrict the access of a user to a subsection of fields within the vendor master records.

Field groups are an effective way of separating access to maintain highly sensitive master data (including bank details) from access to other general data (such as phone numbers) which a larger group of users may require access to maintain.

Dual control can be used for both customer and vendor master records to improve controls over key fields. When a change is made to a sensitive field, the SAP system can be configured to require release of the change made.

SIGNIFICANT RISKS

Details of risks associated with the vendor master data are provided on Page 21 of the Security and Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:

• Unauthorised changes to vendor master data details may result in inappropriate payment.

CONFIGURATION HOT SPOTS

• Vendor field groups should be appropriately defined. This is generally best executed by defining logical sets of fields (i.e. segregation of address and payment information into different vendor field groups).

SECURITY CONSIDERATIONS

• Access to maintain field groups, including assignment of fields to field groups, should be restricted.
• Users should be assigned appropriate field group authorisations based on authorisation object ‘F_LFA1_GRP’ — ‘Vendor: Account Group Authorisation’. This object is used to specify which activities are permitted for the individual account groups.


Dual Control for Changes to Master Records

Functional Overview

Dual Control has been provided to give greater control over changes to sensitive data. When configured, the Dual Control functionality creates segregation between the changing and the approval of changes to sensitive fields. This is applicable to both the vendor and customer master records.

SIGNIFICANT RISKS

Details of risks associated with the Vendor Master are provided on Page 21 of the Security and Controls for SAP R/3 Handbook. Additional risks relevant to the new functionality include:

• Unauthorised changes to vendor master details may result in inappropriate payment.

CONFIGURATION HOT SPOTS

• Fields that require dual control must be configured as sensitive fields. When configured, each change to the field is subject to an independent confirmation. It should be noted that a user cannot confirm their own changes.
• Processes for the confirmation of changes should be configured. This can be performed through workflow events or through manual processes.

SECURITY CONSIDERATIONS

• Access to define sensitive fields should be appropriately restricted to ensure that fields are not inappropriately removed from the sensitive fields table.
• Access to the following confirmation transactions should be appropriately restricted to relevant purchasing staff. This includes:

  Tcode   Name                                     Description
  FK08    Confirm Vendor Changes Individually      Used to confirm or approve vendor changes that are made.
  FK09    Confirm Vendor Changes List              Used to list vendor changes that require confirmation.
  FD08    Confirm Customer Changes Individually    Used to confirm or approve customer changes that are made.
  FD09    Confirm Customer Changes List            Used to list customer changes that require confirmation.


USEFUL REPORTS

Lists of changes that are waiting to be confirmed can be generated using transactions FK09 (Vendor Changes List) and FD09 (Customer Changes List).
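The two controls described in the Vendor Field Groups and Dual Control sections above can be modelled together: a user may only change fields in the field groups they are authorised for, and a change to a field configured as sensitive is held until a different user confirms it (the FK08/FK09 step). The Python below is an added example, not ANAO or SAP code; the field-to-group assignment, the set of sensitive fields, the per-user field-group authorisations standing in for F_LFA1_GRP values, and the payment block held while a change is unconfirmed are all constructed assumptions for the illustration.

```python
"""Vendor master change control: field groups and dual control (added example, not ANAO or SAP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed assignment of vendor master fields to field groups: payment details are
# segregated from general address data, as the handbook suggests.
FIELD_GROUPS: Dict[str, str] = {
    "name": "ADDRESS", "street": "ADDRESS", "city": "ADDRESS", "telephone": "ADDRESS",
    "bank_key": "PAYMENT", "bank_account": "PAYMENT", "payment_terms": "PAYMENT",
}
# Constructed: fields configured as sensitive, i.e. subject to dual control.
SENSITIVE_FIELDS: Set[str] = {"bank_key", "bank_account"}
# Constructed per-user field-group authorisations (a stand-in for F_LFA1_GRP values).
USER_FIELD_GROUPS: Dict[str, Set[str]] = {
    "clerk": {"ADDRESS"},
    "ap_officer": {"ADDRESS", "PAYMENT"},
    "ap_supervisor": {"ADDRESS", "PAYMENT"},
}


@dataclass
class PendingChange:
    vendor: str
    field_name: str
    old: str
    new: str
    changed_by: str


@dataclass
class VendorMaster:
    records: Dict[str, Dict[str, str]]
    pending: List[PendingChange] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def change(self, user: str, vendor: str, field_name: str, new: str) -> str:
        """Apply a change directly, or park it for confirmation if the field is sensitive."""
        group = FIELD_GROUPS.get(field_name)
        if group is None:
            raise KeyError(f"unknown field {field_name}")
        if group not in USER_FIELD_GROUPS.get(user, set()):
            raise PermissionError(f"{user} is not authorised for field group {group}")
        old = self.records[vendor][field_name]
        if field_name in SENSITIVE_FIELDS:
            self.pending.append(PendingChange(vendor, field_name, old, new, user))
            # Modelled: the vendor stays blocked for payment until the change is confirmed.
            self.records[vendor]["payment_block"] = "X"
            return "PENDING_CONFIRMATION"
        self.records[vendor][field_name] = new
        self.log.append(f"{user} changed {vendor}.{field_name}: {old!r} -> {new!r}")
        return "APPLIED"

    def unconfirmed(self, vendor: Optional[str] = None) -> List[PendingChange]:
        """Changes awaiting confirmation, optionally for one vendor (the FK09 view)."""
        return [p for p in self.pending if vendor is None or p.vendor == vendor]

    def confirm(self, confirmer: str, vendor: str) -> int:
        """Confirm all pending changes for a vendor (the FK08 step); returns the number applied."""
        to_confirm = self.unconfirmed(vendor)
        if not to_confirm:
            return 0
        if "PAYMENT" not in USER_FIELD_GROUPS.get(confirmer, set()):
            raise PermissionError(f"{confirmer} may not confirm payment-data changes")
        if any(p.changed_by == confirmer for p in to_confirm):
            raise PermissionError("a user cannot confirm their own changes")
        for p in to_confirm:
            self.records[vendor][p.field_name] = p.new
            self.log.append(f"{p.changed_by} changed {vendor}.{p.field_name}: "
                            f"{p.old!r} -> {p.new!r}, confirmed by {confirmer}")
        self.pending = [p for p in self.pending if p.vendor != vendor]
        self.records[vendor]["payment_block"] = ""
        return len(to_confirm)
```

With the constructed authorisations, `clerk` can change a telephone number but is refused a bank account change, `ap_officer` can enter a bank account change but cannot confirm it, and only a second PAYMENT-authorised user such as `ap_supervisor` releases it and lifts the payment block.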


Blanket Purchase Orders

Functional Overview

Up until Release 4.0A, a Purchase Order (PO) would generally need to be created for each requirement, including orders placed for goods that were to be consumed immediately. The PO served as the basis for the creation of the goods receipt (if required) and for the invoice verification process.

As of Release 4.0A, Blanket POs have made it possible to create a PO with a value limit and a validity period instead of a delivery date. These documents are created with a document type ‘FO’ and an item category of B — Limit.

The benefit of utilising the Blanket PO is that it allows a user to procure various materials or services from vendors in cases where the creation and processing of individual POs is not deemed economical. Blanket POs would generally be utilised for low value, high use items for which this process is deemed appropriate.

It should be noted that in order to utilise Blanket POs, Logistics Invoice Verification (LIV) must be used.

SIGNIFICANT RISKS

• No goods receipt or entry and acceptance of services is required with Blanket Purchase Orders. Invoices are posted directly with reference to the order, which may result in bypass of purchasing controls.

CONFIGURATION HOT SPOTS

• Tolerances specific to Blanket Purchase Orders should be correctly configured to ensure that when an invoice exceeds these limits it will be appropriately blocked for review. Tolerances to be configured include:

  Tolerance Code   Tolerance Name                                Tolerance Description
  LA               Amount of Blanket Purchase Order              Determines if the value limit of the Blanket Purchase Order has been exceeded by the processed invoices and blocks any invoices which will exceed the PO value. An upper percentage or absolute tolerance may be defined.
  LD               Blanket Purchase Order time limit exceeded    Determines whether the posting date of the invoices is within the configured tolerance of the Blanket Purchase Order's valid time. The system compares the number of days outside the Blanket Purchase Order's validity date with a configured absolute upper limit.
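The LA and LD tolerance checks above can be illustrated with a small model: each invoice against a Blanket PO is tested for the cumulative value limit and for its posting date against the validity period, and any breach beyond the configured tolerance produces a blocking reason. The Python below is an added example, not ANAO or SAP code; the PO values, tolerance settings, invoice amounts, and the rule that the stricter of a percentage and an absolute LA limit applies when both are set, are constructed assumptions.

```python
"""Blanket PO invoice tolerance checks, LA and LD (added example, not ANAO or SAP code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BlanketPO:
    number: str
    value_limit: float
    valid_from: date
    valid_to: date
    doc_type: str = "FO"        # blanket POs use document type FO
    invoiced_so_far: float = 0.0


@dataclass
class Tolerances:
    la_upper_pct: Optional[float] = None   # LA: percentage of the value limit tolerated above it
    la_upper_abs: Optional[float] = None   # LA: absolute amount tolerated above the value limit
    ld_upper_days: int = 0                 # LD: days outside the validity period tolerated


def check_la(po: BlanketPO, invoice_amount: float, tol: Tolerances) -> Optional[str]:
    """Blocking reason if cumulative invoiced value exceeds the limit beyond tolerance, else None."""
    total = po.invoiced_so_far + invoice_amount
    excess = total - po.value_limit
    if excess <= 0:
        return None
    allowed = []
    if tol.la_upper_pct is not None:
        allowed.append(po.value_limit * tol.la_upper_pct / 100.0)
    if tol.la_upper_abs is not None:
        allowed.append(tol.la_upper_abs)
    # Assumption for this model: when both limits are configured the stricter one applies.
    if allowed and excess <= min(allowed):
        return None
    return f"LA: invoices total {total:.2f} exceed value limit {po.value_limit:.2f} by {excess:.2f}"


def check_ld(po: BlanketPO, posting_date: date, tol: Tolerances) -> Optional[str]:
    """Blocking reason if the posting date lies outside the validity period beyond tolerance."""
    if posting_date < po.valid_from:
        days_outside = (po.valid_from - posting_date).days
    elif posting_date > po.valid_to:
        days_outside = (posting_date - po.valid_to).days
    else:
        return None
    if days_outside <= tol.ld_upper_days:
        return None
    return f"LD: posting date {posting_date} is {days_outside} days outside the validity period"


def post_invoice(po: BlanketPO, invoice_amount: float, posting_date: date,
                 tol: Tolerances) -> List[str]:
    """Post an invoice with reference to the blanket PO; returns blocking reasons (empty = unblocked)."""
    if po.doc_type != "FO":
        raise ValueError("not a blanket purchase order")
    reasons = [r for r in (check_la(po, invoice_amount, tol),
                           check_ld(po, posting_date, tol)) if r]
    # The invoice is still recorded against the PO; where reasons exist it is blocked for review.
    po.invoiced_so_far += invoice_amount
    return reasons
```

With a constructed PO limited to 1000 and valid for the first half of 2004, tolerances of 10 per cent / 50 absolute and 5 days, a third invoice that takes the total to 1140 and is posted ten days after expiry returns both an LA and an LD reason.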


SECURITY CONSIDERATIONS

• Access to create or change Blanket Purchase Orders should be restricted due to the increased risks associated with them. This may be performed by restricting users' access to document type FO.
• Access should be restricted to transactions which can be used to create purchase orders, including:

  TCode          Name                              Description
  ME21, ME21N    Create Purchase Order             Transactions used to create POs.
  ME22, ME22N    Change Purchase Order             Transactions used to change existing POs.
  MEMASSPO       Mass Change of Purchase Orders    Allows a user to update a large number of POs simultaneously.
  MEPO           Purchase Order                    Enjoy transaction used to create and change PO documents.

USEFUL REPORTS

While there are no Blanket Purchase Order specific SAP delivered standard reports, management should consider developing reporting to identify the following:

• Blanket POs that have expired or are about to expire and require re-assessment and potentially recreation.
• Blanket POs that have been created, to ensure that these are appropriate and approved. This may be produced using standard reports configured to select on the Blanket PO document type.


Logistics Invoice Verification

Functional Overview

Logistics Invoice Verification (LIV) has undergone a number of enhancements up to Version 4.6C of SAP. LIV is part of the Materials Management component and is used to complete the procurement process.

LIV has been developed based on the conventional invoice verification processes and as such, this section should be read in conjunction with page 39 of the Security and Control for SAP R/3 handbook — Procurement to Payables section. Functions of the conventional invoice verification processes are available through LIV; however, these separate components may continue to be run in tandem.

LIV provides additional functionality that was not available in the conventional invoice verification processes, including the distribution of information to the Materials Management and Finance components. Additional functionality has been developed by SAP for the LIV process, which includes but is not limited to the following:

• Invoices can be verified on-line or in the background.
• Multiple account assignments or multiple company codes for posting can be used.
• The system can be configured to automatically post a credit memo for the difference between the value of the invoice and the value for which the system expected an invoice. This can be particularly useful for vendors who consistently over-charge.
• Workflow can be integrated into the invoice process to aid in the resolution of blocked invoices.

SIGNIFICANT RISKS

Significant risks associated with LIV are detailed in the Security and Controls for SAP R/3 Handbook page 40, which discusses the invoice verification process. These include the following:

• Invoices may not match the corresponding purchase order and/or goods receipt. However, they may still be processed for payment.
• Invoices may be processed that do not relate to a valid purchase order in the system.


CONFIGURATION HOT SPOTS

• LIV invoices can be processed in the background. Where background processing occurs, the system can be configured to assign the status of ‘Verified as correct’ or ‘Completed’ on a Company Code by Company Code basis. Consideration should be given to configuring the background-processed invoices as ‘Verified as correct’ so that these invoices can then, following review, be marked as ‘Completed’.
• Tolerance groups can be configured for individual vendors (Transaction OMRX). Tolerance groups define the way the system reacts as a result of positive or negative invoice differences. Tolerance groups defined can be assigned to each vendor in the vendor master record and can be effective in reducing processing time where vendors consistently over charge. This is achieved by configuring the system to treat variances received appropriately.
• Where invoices are blocked, Workflow events can be triggered. Typically the blocking of an invoice will trigger a Workflow item to the buyer, where they can change the PO, release the invoice items or flag the invoice as in dispute.
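The effect of a vendor tolerance group on positive and negative invoice differences, the automatic credit memo for over-charging mentioned in the Functional Overview, and the blocking of an invoice with a work item for the buyer can be shown in a simplified three-way match. The Python below is an added example, not ANAO or SAP code; the tolerance group fields, the vendor, PO, receipt and invoice figures, and the treatment of an invoiced quantity above the received quantity as always blocking are constructed assumptions.

```python
"""Three-way match with vendor tolerance groups (added example, not ANAO or SAP code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ToleranceGroup:
    name: str
    max_negative_diff: float   # under-charge (invoice below expected) accepted without query
    max_positive_diff: float   # over-charge accepted without blocking
    auto_credit_memo: bool     # post a credit memo for a larger over-charge instead of blocking


@dataclass
class Vendor:
    number: str
    tolerance_group: ToleranceGroup   # assigned in the vendor master record


@dataclass
class InvoiceResult:
    status: str                 # POSTED, POSTED_WITH_CREDIT_MEMO or BLOCKED
    expected_value: float
    invoice_value: float
    difference: float           # invoice value minus expected value
    credit_memo: float = 0.0
    work_item: Optional[str] = None   # text of the Workflow item sent to the buyer when blocked


def expected_invoice_value(po_price: float, po_qty: int, gr_qty: int) -> float:
    """Value the system expects to be invoiced: quantity actually received, at the PO price."""
    return po_price * min(gr_qty, po_qty)


def verify_invoice(vendor: Vendor, po_price: float, po_qty: int, gr_qty: int,
                   inv_qty: int, inv_value: float) -> InvoiceResult:
    """Match the invoice against PO and goods receipt and apply the vendor's tolerance group."""
    expected = expected_invoice_value(po_price, po_qty, gr_qty)
    diff = inv_value - expected
    tg = vendor.tolerance_group
    if inv_qty > gr_qty:
        # Assumption for this model: invoicing more than was received is never tolerated.
        return InvoiceResult("BLOCKED", expected, inv_value, diff,
                             work_item=f"quantity variance: invoiced {inv_qty}, received {gr_qty}")
    if -tg.max_negative_diff <= diff <= tg.max_positive_diff:
        return InvoiceResult("POSTED", expected, inv_value, diff)
    if diff > 0 and tg.auto_credit_memo:
        # Vendor consistently over-charges: accept the invoice and correct it with a credit memo.
        return InvoiceResult("POSTED_WITH_CREDIT_MEMO", expected, inv_value, diff, credit_memo=diff)
    return InvoiceResult("BLOCKED", expected, inv_value, diff,
                         work_item=f"price variance {diff:+.2f} for vendor {vendor.number}")
```

A vendor on a strict group has a 50-dollar over-charge blocked and routed to the buyer, while the same invoice for a vendor on a group with automatic credit memos is posted and corrected without manual handling; an under-charge beyond tolerance and an invoiced quantity above the receipt are blocked in both cases.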

SECURITY CONSIDERATIONS

• With the introduction of LIV, a number of new transactions have been created which should be appropriately restricted. Consideration should be given to restricting access to the following key LIV transactions:

  Tcode   Name                                                       Description
  MIRO    Enter Invoice                                              Enjoy transaction used to process invoices.
  MIR7    Park Invoice                                               Used to park invoices where ‘Park and Post’ functionality is utilised.
  MIRA    Enter Invoices for Invoice Verification in the Background  Processes invoices for verification via background processing.
  MR8M    Cancel Invoice Document                                    Used to cancel invoice documents.
  MRBR    Release Blocked Invoices                                   Allows the user to release blocked invoices for processing and payment.
  MIR6    Invoice Overview                                           Provides for analysis of invoices by various selection criteria.
  MR90    Output Messages                                            Allows for viewing output documents generated from SAP.
  MRRL    Evaluated Receipt Settlement (ERS)                         Provides for automatic settlement for ERS transactions.
  MRKO    Consignment and Pipeline Settlement                        Automatically settles withdrawals from consignment and pipeline.
  MRIS    Invoicing Plan Settlement                                  Provides for settlement automatically based on the invoicing plan.
  MRNB    Revaluation                                                Used to re-value purchases based on retrospective changes.
  MRA1    Create Archive                                             Allows for the archiving of documents.
  MRA2    Delete Documents                                           Allows for the deletion of documents.

• As with all invoice processes, consideration should be given to restricting access to invoice verification functions by company code and plant.
• Access to the authorisation object ‘Invoices: Blocking reasons’ should also be restricted to ensure that only authorised users are able to release blocked invoices. It is critical that the releasing function be segregated from invoice entry, to ensure that the approval processes are not compromised.


Automatic PO Creation

Functional Overview

Release 4.0A enables the SAP system to be configured to automatically create a Purchase Order (PO) during the Goods Receipt (GR) process. In order for this process to occur, standing data must be created, as SAP valuates the GR at the price defined in the Purchasing Info Record.

SIGNIFICANT RISKS

• Automatic creation of POs at the point of GR results in bypass of purchase order controls (e.g. electronic approval).

CONFIGURATION HOT SPOTS

• In order for this to occur, each plant must be assigned to a purchasing organisation so that the system can determine the purchasing info records.
• SAP can be configured to automatically create a PO for certain pre-defined movement types.

SECURITY CONSIDERATIONS

• Where automatic creation of a PO at GR is available, access to process Goods Receipts should be restricted to appropriate staff.

  Tcode   Name                         Description
  MB01    Post Goods Receipt for PO    Transaction used to process a Goods Receipt where a PO is available.
  MB0A    Post Goods Receipt for PO    Transaction used to process a Goods Receipt where a PO is available.
  MB1C    Other Goods Receipts         Allows for the processing of Goods Receipts other than by reference to a PO.


USEFUL REPORTS

While there are no specific SAP delivered standard reports with regard to automatically created POs, consideration should be given to developing reports to identify POs created, to ensure that these are approved and generated in line with business process requirements.
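The reports suggested here and under Useful Reports for Blanket Purchase Orders (expired or expiring Blanket POs, Blanket POs by creator, and automatically created POs that have not been approved) can be produced from an extract of PO header data. The Python below is an added example, not ANAO or SAP code; the record layout, the created_from_gr and released flags, the warning window and the sample POs are constructed assumptions rather than SAP table fields.

```python
"""Procurement exception reports over PO header data (added example, not ANAO or SAP code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class POHeader:
    number: str
    doc_type: str                    # "FO" = blanket PO, "NB" = standard PO
    created_by: str
    created_on: date
    valid_to: Optional[date] = None  # blanket POs only
    created_from_gr: bool = False    # assumption: PO generated automatically during goods receipt
    released: bool = False           # approval/release status


# Constructed sample extract: two expired/expiring blanket POs, one unapproved auto-created PO.
SAMPLE_POS: List[POHeader] = [
    POHeader("4500001", "FO", "buyer1", date(2004, 1, 5), valid_to=date(2004, 6, 30), released=True),
    POHeader("4500002", "FO", "buyer2", date(2004, 3, 1), valid_to=date(2004, 12, 31), released=True),
    POHeader("4500003", "FO", "buyer1", date(2004, 6, 1), valid_to=date(2004, 7, 20), released=False),
    POHeader("4500004", "NB", "SYSTEM", date(2004, 7, 2), created_from_gr=True),
    POHeader("4500005", "NB", "buyer2", date(2004, 7, 3), released=True),
]


def expiring_blanket_pos(pos: List[POHeader], as_of: date,
                         warn_days: int = 30) -> List[Tuple[str, date, str]]:
    """Blanket POs already expired, or expiring within warn_days, as (number, valid_to, state)."""
    out = []
    for po in pos:
        if po.doc_type != "FO" or po.valid_to is None:
            continue
        if po.valid_to < as_of:
            out.append((po.number, po.valid_to, "EXPIRED"))
        elif po.valid_to <= as_of + timedelta(days=warn_days):
            out.append((po.number, po.valid_to, "EXPIRING"))
    return sorted(out, key=lambda r: r[1])


def unapproved_auto_pos(pos: List[POHeader]) -> List[str]:
    """POs created automatically at goods receipt that carry no release/approval."""
    return [po.number for po in pos if po.created_from_gr and not po.released]


def blanket_pos_by_creator(pos: List[POHeader]) -> Dict[str, int]:
    """Count of blanket (FO) POs per creator, to review who is raising them."""
    counts: Dict[str, int] = {}
    for po in pos:
        if po.doc_type == "FO":
            counts[po.created_by] = counts.get(po.created_by, 0) + 1
    return counts


def unreleased_blanket_pos(pos: List[POHeader]) -> List[str]:
    """Blanket POs that exist without release, for the appropriateness review."""
    return [po.number for po in pos if po.doc_type == "FO" and not po.released]


if __name__ == "__main__":
    today = date(2004, 7, 1)
    for row in expiring_blanket_pos(SAMPLE_POS, today):
        print("blanket PO", *row)
    print("auto-created, unapproved:", unapproved_auto_pos(SAMPLE_POS))
    print("blanket POs by creator:", blanket_pos_by_creator(SAMPLE_POS))
```

Run against the sample extract as at 1 July 2004 the report lists 4500001 as expired and 4500003 as expiring, flags 4500004 as an auto-created PO with no approval, and shows buyer1 raising two of the three blanket POs.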

Financial accounting

SECTION CONTENTS

Background ..... 55
General Ledger ..... 56
    Functional Overview ..... 56
    Significant Risks ..... 58
    Configuration Hot Spots ..... 58
    Security Considerations ..... 59
    Useful Reports ..... 60
Asset Accounting ..... 61
    Functional Overview ..... 61
    Significant Risks ..... 62
    Configuration Hot Spots ..... 62
    Security Considerations ..... 62
    Useful Reports ..... 63


Background

An overview of the functionality, risks and controls of the Financial Accounting module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The Financial Accounting module of SAP has undergone a number of changes since Version 3.1H. Whilst many of these changes do not have a significant controls impact, there are a number where additional control functionality has been made available through enhancements. These are detailed in the following subsections:

General Ledger

Since the General Ledger forms the core of the SAP financials package, very few significant changes have been applied to this area. However, a number of additional inherent and configurable controls have been added to enhance the control environment.

Key changes to the General Ledger area include the addition of true reversal functionality, simplifying reversal postings, and the inclusion of a cash journal to enhance control over cash management activities.

Asset Accounting

Significant enhancements have been made around the Asset Accounting module. These have resulted in improved asset management functionality. A key change in the Asset Management module is the introduction of the Asset Explorer for improved asset reporting.


General Ledger

Functional Overview

A number of changes and enhancements have been made to the General Ledger since Release 3.1H. These changes are outlined below:

• True Document Reversals and Negative Postings

As of Release 4.0A, reverse postings and adjustment postings can be indicated as negative postings. Negative postings reduce transaction figures in customer, vendor, and G/L accounts without having to reverse the document by posting a reversal document. This type of reversal is called a true reversal.

The true reversal functionality allows reversal postings to be traced back to original documents. This improves accuracy of document reversals since these can now reference the original document.

• Reversal Reason Codes

In SAP Release 4.5B, reversal reason codes have been made mandatory fields. A number of default reversal reason codes have been configured in SAP as standard; however, additional codes may be configured.

The mandatory requirement for reversal reason codes adds additional control over the reversal of documents and provides an enhanced audit trail over the reversal of documents.

• Distributing Exchange Rates using ALE

As of SAP Release 4.5A, it is now possible to distribute exchange rates between SAP systems using Application Link Enabling (ALE) technology. This improves controls over exchange rates, ensuring these are consistent across SAP systems, and improves ease of maintenance.

• Cash Sub-Journals

The cash journal is a bank accounting sub ledger available for the management and reporting of cash positions. The cash journal can be used independently of other posting transactions, allowing more flexibility and accuracy in cash management reporting.

The benefit of the cash journal is that opening and closing balances, as well as receipts and payments balances, are automatically calculated and displayed. The cash journal would also allow an agency to run more than one cash journal per company code and to run separate cash journals for each currency.

• Alternative Payment Currency

Prior to 4.5A, payments in an alternative currency could only be created and posted manually. As of 4.5A, it is possible to enter a payment currency (which can differ from the standard currency of the document) for open items to be paid automatically by the payment run. Users can specify an amount equal to the gross amount of the item in the payment currency. The payment currency is supported in both Accounts Payable and Accounts Receivable.

This facility reduces the risk of errors through removal of manual currency calculations.


• Editing G/L Account Master Records

The screen layout for G/L account master records has been reorganised to allow G/L account master records to be edited from the data screen.

Mass maintenance functionality is also available for G/L account master records to improve efficiency and accuracy (refer to Basis and Cross Application Components of this handbook update for more detail).

• G/L Account Clearing Tolerances

As of 4.6A, tolerances for G/L account clearing have been extended. These tolerances, which are defined for a user and an account, are used to determine whether the system will issue error messages to the user or post the differences automatically.

These tolerances can be used to further restrict general tolerances that are in place for particular users or G/L accounts as required.

• New Banking Interfaces

Since Release 4.5, new interfaces are available relating to Electronic Funds Transfer (EFT) and banking across GL, AR and AP. These interfaces provide enhancements to electronic banking functionality, allowing analysis of notes to payees, the creation of custom electronic banking methods and the determination of business partners from remittance advices.

The new functionality also enables central check routines and alternative check algorithms to be used when the system checks banking attributes.

This extension of the standard banking interface controls provides greater flexibility in control procedures around bank interfaces. It also allows for automatic checking of banking attributes using appropriate check routines and/or algorithms.

• Requesting G/L Account Master Data Changes via the Internet/Intranet

As of SAP Release 4.6C, it is possible to configure requests for master data changes to be sent via the Intranet/Internet. The requester can request the creation, change, deletion or locking of G/L Account master data.

In this scenario a user will fill out a request form for the master data change in the Intranet/Internet. In the form, the requester describes the reason for the request and submits it to the responsible processor or processing group. The processor or processing group then receives the request in their inbox or Workflow inbox in the SAP R/3 System. The request form can be accessed from there, as can the transactions needed for processing master data.

This provides an improved audit trail and control over changes to G/L account master data.

• Foreign Currency Postings

For documents posted in foreign currency, it is now possible to post the rounding differences to a separate revenue/expense account. This allows for greater control over variances, providing standardisation and efficiency in the handling of rounding errors.


SIGNIFICANT RISKS

Risks and controls as defined on page 72 of the Security and Control for SAP R/3 Handbook remain relevant. Additional risks relevant to the new functionality include:

• Inappropriate document reversal processes are implemented.

• Inappropriate changes are made to General Ledger master data or the Chart of Accounts through the use of mass maintenance functions.

CONFIGURATION HOT SPOTS

• Consideration should be given to whether negative postings are permitted for each company code. Where true document reversals and negative postings are appropriate, reversal reasons should be reviewed and configured to ensure they are in line with business requirements and provide appropriate reasons for analysis purposes.

• In order to use cash sub-journals effectively, these should be appropriately configured. This will include:

– creating appropriate GL accounts for the Cash Journal;
– defining appropriate document types for Cash Journal documents; and
– defining appropriate number range intervals for Cash Journal documents.

• Where required, alternative payment currencies should be configured. This will include:

– maintaining automatic account assignments for payment differences arising during payment; and
– defining appropriate accounts, including clearing accounts, for instances where payment differences occur as a result of the payment currency.

• Where processes have been implemented for requesting G/L Account Master Data changes via the Internet/Intranet, appropriate approvals through Workflow should be configured.


SECURITY CONSIDERATIONS

• New GL authorisation objects have been provided and should be taken into consideration when defining security.

Authorisation Object   Description
F_RQRSVIEW             Bank Ledger: Viewer for Request Response Messages

• Existing roles should be reviewed to establish whether or not the new authorisation objects should be added.

• Consideration should be given to the removal of access to legacy transactions. Further, access to the following transactions should be restricted to relevant finance / accounting staff:

Tcode                 Name                                             Description
GP12N                 Planning                                         Enjoy transaction version of transaction GP12.
FS10N, FD10N, FK10N   G/L Account Balance                              Enjoy transaction versions of FS10, FD10 and FK10.
FBL1N–FBL6N           Vendor Line Items                                Enjoy transaction versions of FBL1–FBL6.
FB60                  Invoice Data Entry (Invoice/Credit Fast Entry)   Update of previously used F–43 and FB10.
FB50                  G/L Posting                                      Update of previously used F–02 transaction.


USEFUL REPORTS

Improvements have been made in the reporting of line items where a negative posting to an account has taken place. To make deriving balances from the line item amounts easier, negative postings are marked with a minus sign behind the posting key (or with a special G/L indicator where necessary). This enhancement is aimed at eliminating errors by making balances and line item reports easier to read and interpret.


Asset Accounting

Functional Overview

A number of changes have been implemented to enhance functionality around Asset Accounting.

• Custom Defined Fields

Asset number ranges, which were previously assigned only by asset class, can now be further defined based on other fields in the asset master record, such as location and cost centre.

• Wizard for Creating Asset Classes from G/L Accounts

Up to now, it has been possible to create asset classes from an asset G/L account using the asset class generator. An on-screen help wizard is now available to automate this process.

Previously, it was possible to create two different asset classes with the same name when using the asset class generator. The system now prevents this from happening and assists in ensuring completeness and accuracy of data input.

• Creating Assets from Purchase Orders and Purchase Requisitions

Since SAP Release 4.5A, an asset can be created from the purchase order and purchase requisition creation transactions, where Materials Management is being used.

Asset master data information is entered through dialog boxes and directly into the asset master data transactions. The user therefore requires appropriate access to create assets in order to utilise this functionality. Where assets are not created appropriately, they are identifiable through the incomplete asset reporting processes that were previously available in SAP.

• Intercompany Asset Transfers

With Release 4.0A, when assets are to be transferred between companies within a single SAP instance, the system enables a user to post the transfer completely from the sending company code. The system automatically performs receiving and, if necessary, asset creation in the receiving company code.

Please note, however, that this function is only available for transfers within a single client. Transfers between clients or systems must be posted in two steps (retirement and acquisition).

• Multiple Asset Creation

Multiple assets can be created in one transaction provided they have identical asset classes and company codes. When saved, a range of main or sub numbers and individual descriptions are assigned. Previously, a user would need to create assets one by one, copy assets or create all assets as one asset in a group asset.

• Asset Value Date

The Asset Value Date is the date used when posting asset transactions and has a direct influence on the depreciation calculations. Previously, the rules for determining the asset value date for Asset Accounting transactions were hard coded in SAP; functionality is now available to configure these dates.

While Asset Value Date customisation provides additional flexibility in calculating asset values, it may lead to inaccurate asset value dates and values being applied.


SIGNIFICANT RISKS

Risks and controls as defined on page 94 of the Security and Control for SAP R/3 Handbook remain relevant. Additional risks relevant to the new functionality include the following:

• Asset Value Dates may be customised incorrectly, resulting in inaccurate depreciation calculation.

• Asset master records may not be set up correctly or may not contain all necessary data.

CONFIGURATION HOT SPOTS

• Asset Value Dates should not be configured unless required. If configuring Asset Value Dates is necessary, care should be taken to ensure these are in line with business and accounting requirements.

SECURITY CONSIDERATIONS

• New Asset Accounting authorisation objects have been provided and should be taken into consideration when defining security.

Authorisation Object   Description
A_S_KOSTL              Asset Master Record Maintenance: Company Code/Cost Centre. This authorisation object allows users to be restricted to maintaining asset master records for a particular cost centre or company code.

• Existing roles should be reviewed to establish whether or not the new authorisation objects should be added.

• Consideration should be given to removal of access to obsolete transactions. Further, access to the following transaction should be restricted to relevant Finance / Asset Accounting staff only:

Tcode   Name             Description
AW01N   Asset Explorer   Provides access to many asset accounting functions.


USEFUL REPORTS

The Asset Explorer provides information on posted and planned asset values. This tool, accessed through transaction AW01N, provides access to the functions available in the previous asset value display transaction, but extends them to provide improved access to and display of asset information such as depreciation areas, asset master data and current year transactions. The Asset Explorer also provides functions for printing the values as required.

Another change in reporting applicable to Asset Accounting is the replacement of program RASKBU00, for periodic posting of changes to asset values in a depreciation area, by the new program RAPERB00. In Version 4.6C, report RASKBU00 no longer exists.


Controlling

SECTION CONTENTS

Background ................................ 66
Controlling ............................... 66
  Functional Overview ..................... 66
  Significant Risks ....................... 67
  Configuration Hot Spots ................. 67
  Security Considerations ................. 67
  Useful Reports .......................... 69


Background

An overview of the functionality, risks and controls of the Controlling (CO) module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The Controlling module has undergone a number of enhancements and changes since this release; this has included the introduction of master data enhancements and an alternative CO authorisation concept.

This section outlines the significant changes that have taken place in the Controlling module since 3.1H and the impact that this has had on security and controls.


Functional Overview

A number of changes and enhancements have been made to the CO Module since Release 3.1H. These changes are outlined below:

• Parked Documents in Controlling

From Release 4.6A, the system creates corresponding CO documents for parked documents from the Financial Accounting and Materials Management components. This enables CO postings to be parked and posted, creating a segregation and approval process.

• New CO Master Data Enhancements

As of Release 4.0A, it is possible to add additional master data fields for cost elements, cost centres, activity types, and business processes. SAP allows the maintenance of these new fields within the original master data processing locations.

When adding these master data fields, consideration should be given to the nature of this information and whether additional custom security checks for these fields should be used.

• Requesting of Controlling Master Data Changes via the Internet/Intranet

As of SAP Release 4.6C, it is possible to put approval processes for master data changes in place via the Intranet/Internet. The process for approval of these changes can be configured by workflow or other means. Implementation of this approval process can provide an audit trail of reasons for changes to Controlling master data and ensure that changes to Controlling master data always have appropriate approvals.

• Deletion of Controlling Master Data

A test run function is available to check whether master data selected for deletion has any dependencies that may cause issues should the deletion take place. The test run completes extensive checks of dependent data, reporting on data that might be affected by the proposed deletion(s) and preventing deletion where dependent data is present.


• Manager’s Desktop

As of Release 4.6A, Controlling reporting has been integrated into the Manager’s Desktop. (For more detail on the Manager’s Desktop, see the Human Resources section of this handbook update.)

• New Reconciliation Account Field in Line Items

As of Release 4.0A, line items in the reconciliation ledger have been extended to include a field for G/L account. This field records the G/L account to which the reconciliation posting was made in Financial Accounting. This can be the account corresponding to the cost element or an adjustment account. Utilising this functionality can improve reconciliation ledger reporting.

SIGNIFICANT RISKS

• As detailed on page 110 of the Security and Control for SAP R/3 Handbook, the significant risk associated with the Controlling component is that transaction postings in the SAP application modules may not update the Controlling module if the central interface is not appropriately configured.

CONFIGURATION HOT SPOTS

• If reconciliation line items currently exist which do not have the Reconciliation Account field completed, it will be necessary to obtain the values and fill in the account field. This can be achieved by executing the program RKAKALX2.

SECURITY CONSIDERATIONS

• From Release 4.0, the authorisation concept for Controlling has been revisited. This has resulted in the introduction of two new authorisation fields against which users can be checked:

CO–OM Responsibility Area: A responsibility area is composed of a standard hierarchy using the controlling objects cost centre, order, profit centre and business process.

CO_ACTION Controlling Action: Each transaction in the Controlling module creates both an activity (e.g. create or change) and a CO Action. The new CO authorisation objects check the CO Action and therefore allow greater flexibility in the authorisation of the Controlling module.

• The following new authorisation objects have been provided for the Controlling module. Consideration should be given to restricting access to relevant finance / accounting staff:


Authorisation Object   Description
K_CCA                  General Authorisation Object for Cost Centre Accounting
K_ORDER                General Authorisation Object for Internal Orders
K_ABC                  General Authorisation Object for Business Processes
K_ZBASSL               Calculation base
K_ZKALSM               Costing sheet
K_ZENTSL               Credit
K_KMOB_DCT             Document Type for Manual Funds Reservation
K_ZZUSSL               Overhead
K_ZSCHL                Overhead key
K_PEP                  Authorisation Object for Period–End Partner
K_ML_MTART             Material Ledger: Material Type
K_ML_VA                CO Material Ledger: Valuation Area
K_MLPR_VA              Material Price Change: Valuation Area
K_SUM_CO               General CO Summarization Without Classification
K_TEMPL                Auth. Template (ABC–allocation, formula planning)
K_CSKS                 Cost Centre Master
K_PCAS_PRC             Profit Centres
K_PCA                  Responsibility Area, Profit Centre
K_ML_MGV               Material Ledger: Master Data of the Quantity Struct

• As of Release 4.6A, a new authorisation check for company code takes place when CO/FI (Controlling / Financial Accounting) reconciliation postings are made (transaction KALC). The authorisation object F_BKPF_BUK is now checked by this transaction, confirming the user’s authorisation to post reconciliations for the proposed company code(s). Consideration should be given to adding the authorisation object F_BKPF_BUK to any roles containing transaction KALC and applying appropriate company code values.
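The consideration above can be tested over role extracts. The following script is an added example and is not part of this handbook or of SAP: it takes rows in the shape of the AGR_TCODES (role to transaction) and AGR_1251 (role to authorisation object field values) tables, constructed here as sample data with invented role names, and lists roles that contain KALC with no F_BKPF_BUK maintained, or with the company code field (BUKRS) left as '*'.

```python
"""Flag roles that contain transaction KALC without a restrictive F_BKPF_BUK.

Constructed extracts in the shape of SAP's AGR_TCODES (role -> transaction)
and AGR_1251 (role -> authorisation object field values) tables. Role names
and values are invented for this example.
"""

# Constructed AGR_TCODES-style rows: (AGR_NAME, TCODE)
AGR_TCODES = [
    ("Z_CO_RECON_1000", "KALC"),
    ("Z_CO_RECON_ALL", "KALC"),
    ("Z_CO_RECON_NOCHK", "KALC"),
    ("Z_CO_DISPLAY", "KSB1"),
]

# Constructed AGR_1251-style rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
AGR_1251 = [
    ("Z_CO_RECON_1000", "F_BKPF_BUK", "BUKRS", "1000", ""),
    ("Z_CO_RECON_1000", "F_BKPF_BUK", "ACTVT", "01", ""),
    ("Z_CO_RECON_ALL", "F_BKPF_BUK", "BUKRS", "*", ""),
    ("Z_CO_RECON_ALL", "F_BKPF_BUK", "ACTVT", "*", ""),
    ("Z_CO_RECON_NOCHK", "K_CCA", "RESPAREA", "*", ""),   # CO object only, no FI check
    ("Z_CO_DISPLAY", "F_BKPF_BUK", "BUKRS", "1000", "2000"),
    ("Z_CO_DISPLAY", "F_BKPF_BUK", "ACTVT", "03", ""),
]

TARGET_TCODE = "KALC"
TARGET_OBJECT = "F_BKPF_BUK"


def roles_with_tcode(tcode_rows, tcode):
    """Roles whose AGR_TCODES rows include `tcode`."""
    return {role for role, t in tcode_rows if t == tcode}


def field_values(auth_rows, role, obj, field):
    """(LOW, HIGH) pairs maintained for one object field in a role."""
    return [(low, high) for r, o, f, low, high in auth_rows
            if r == role and o == obj and f == field]


def is_wildcard(values):
    """True if any maintained value is the full wildcard '*'."""
    return any(low == "*" for low, _high in values)


def review_kalc_roles(tcode_rows, auth_rows):
    """Return {role: finding} for roles containing KALC whose F_BKPF_BUK is
    missing or leaves company code unrestricted; clean roles are omitted."""
    findings = {}
    for role in sorted(roles_with_tcode(tcode_rows, TARGET_TCODE)):
        bukrs = field_values(auth_rows, role, TARGET_OBJECT, "BUKRS")
        if not bukrs:
            findings[role] = "no F_BKPF_BUK maintained"
        elif is_wildcard(bukrs):
            findings[role] = "F_BKPF_BUK BUKRS is '*' (all company codes)"
    return findings


if __name__ == "__main__":
    for role, finding in review_kalc_roles(AGR_TCODES, AGR_1251).items():
        print(f"{role}: {finding}")
```

The check reports only roles that carry KALC; a role such as Z_CO_DISPLAY, which has a company code range but no KALC, is out of scope. A composite role or a user assigned several single roles would need the same check run over the union of those roles' authorisations.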


USEFUL REPORTS

As stated on page 113 of the Security and Control for SAP R/3 Handbook, there are numerous reports available via the Controlling component. A number of reports have been added that should be considered by management for review, including but not limited to the following:

• A Cost Flow Overview Report has been added which reports on cost behaviour in Controlling and reconciliation postings.

• Profitability Analysis Line Item Reports have been created to enhance existing profitability analysis functionality.

Further, a number of previously available reports have been altered to utilise the ABAP List Viewer, which provides greater flexibility in reporting, data extraction and analysis.


Human resources

SECTION CONTENTS

Background ................................................ 73
Employee Self Service ..................................... 74
  Functional Overview ..................................... 74
  Significant Risks ....................................... 74
  Configuration Hot Spots ................................. 75
  Security Considerations ................................. 75
  Useful Reports .......................................... 76
The Managers Desktop ...................................... 77
  Functional Overview ..................................... 77
  Significant Risks ....................................... 78
  Configuration Hot Spots ................................. 78
  Security Considerations ................................. 78
  Useful Reports .......................................... 79
Compensation Management ................................... 80
  Functional Overview ..................................... 80
  Significant Risks ....................................... 80
  Configuration Hot Spots ................................. 80
  Security Considerations ................................. 81
  Useful Reports .......................................... 81
Cross Application Timesheets and Time Management ......... 82
  Significant Risks ....................................... 82
  Configuration Hot Spots ................................. 82
  Security Considerations ................................. 83
  Useful Reports .......................................... 84
Other Key Changes Since Version 3.1H ...................... 85
  Ad Hoc Query ............................................ 85
  Benefits ................................................ 85
  Significant Risks ....................................... 85
  Security Considerations ................................. 85
  Useful Reports .......................................... 86


Background

An overview of the functionality, risks and controls of the Human Resources (HR) module as at Version 3.1H is covered within the full Better Practice Handbook for SAP R/3. The components of HR have undergone significant changes from Version 3.1H, making it possible to split functionality into small units and extend integration between components. The main components of HR in Version 4.6 include:

Personnel Management
The sub-modules, formerly known as Personnel Administration (HR–PA) and Personnel Planning and Development (HR–PD), have been combined.

Personnel Time Management
This is used in the planning, recording and valuation of employees’ work performed and absence times.

Payroll Accounting
This provides a number of work processes including the generation of payroll results and remuneration statements, bank transfers and cheque payments.

In addition to the changes in the structure of the HR module, a number of functional enhancements have been developed impacting the overall controls environment. These are detailed below and should be considered in conjunction with those outlined in the previous handbook.

Significant changes include the introduction of ESS (Employee Self Service) and the Managers Desktop, which provide for the decentralisation of HR functions, leading to increased risks and control requirements.


Employee Self Service

Functional Overview

SAP Employee Self Service (ESS) has been developed to provide real-time access and data maintenance capabilities to employees. This allows for a reduction in central administration by assigning to employees many data entry and related customer service activities that were previously performed by an organisation’s HR, Payroll, Benefits, and Travel Departments.

Activities performed in ESS may include:

• entry of time sheet information;
• entry of leave requests;
• maintenance of personnel information;
• display of pay slips by employees; and
• salary packaging.

ESS enables employees to view, create, and maintain data through a web browser. ESS can provide a powerful employee information and service portal through an intranet. Functionality can be integrated with other employee tasks including:

• email;
• employee directory;
• calendar; and
• workflow work items.

ESS includes core HR capabilities, but also offers logistical, financial and office functionality through its integration with the SAP database, ensuring consistency and integrity of data.

ESS functionality can be integrated with the Managers Desktop to implement effective approval processes. This is generally configured using Workflow.

SIGNIFICANT RISKS

ESS provides many HR display and update capabilities to all employees in an organisation. This creates additional security and privacy risks including:

• Excessive access to sensitive HR data.
• Unauthorised access to confidential HR data.
• Access to maintain sensitive infotypes, which should be restricted to the HR department.
• Inaccurate update of HR employee master data.

It is vital that employees are restricted to their own records and appropriate infotypes.


CONFIGURATION HOT SPOTS

• Key ESS data should be defined as required entry in the system to ensure all necessary information is captured.

• There is an increased need to log changes to sensitive infotypes to ensure they are included in the ‘Logged Changes in Infotypes’ audit report.

• Structural authorisation profiles should be defined and assigned to users, ensuring access is restricted to appropriate organisational units.

• All SAP users must be assigned to an ESS user through infotype 0105 to ensure they are able to access only relevant and appropriate information.

SECURITY CONSIDERATIONS

• Structural authorisations are not new; however, they are of greater importance where an ESS HR structure is implemented. Increased control through ‘PD Authority Profiles’ is critical to the security of employee data. These authorisations define which objects in the organisational plan a user is permitted to access, for example:

– Organisational units
– Qualifications and requirements
– Business events

Structural authorisation profiles define which activities (create, change or display) a user is permitted to execute within each of these objects.

A user’s access to HR data and functionality is made up of traditional SAP authorisations and the HR structural authorisation, which provides an additional level of security.

Users should be assigned an appropriately restricted structural authorisation. Users should not be assigned the PD_ALL authorisation, which allows access to all employees.

• With the implementation of ESS, there is a need to restrict users’ access to their own employee master record. This is restricted through the “HR: Master data — Check personnel number” (P_PERNR) authorisation object.

A user can be restricted from accessing their own record, or restricted to updating only their own record, using the P_PERNR object. Where the P_PERNR object is not applied, a user has access to all employee information. This may be applied on an infotype by infotype basis.

Consideration should be given to implementing procedures to control/govern the access of HR users who are also ESS users, as failure to correctly configure P_PERNR for sensitive infotypes may result in HR users having access to inappropriately update their own data.
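The P_PERNR review described above can be applied to role extracts. The script below is an added example, not part of this handbook or of SAP: it reads constructed rows in the shape of the AGR_1251 table (role, object, authorisation name, field, value) with invented role names, assumes a sensitive infotype list for the example (0008 Basic Pay and 0009 Bank Details), and reports, per role and sensitive infotype, where a PSIGN ‘I’ entry grants an update level on the user’s own record or where no PSIGN ‘E’ exclusion covers the infotype at all.

```python
"""Review P_PERNR maintenance in HR roles for sensitive infotypes.

P_PERNR fields: AUTHC (authorisation level), PSIGN ('I' = the authorisation
applies to the user's own personnel number, 'E' = the user's own personnel
number is excluded), INFTY (infotype) and SUBTY (subtype).
All rows and role names below are constructed for this example.
"""

# Assumption for the example: infotypes 0008 (Basic Pay) and 0009 (Bank
# Details) are treated as sensitive. A real review would use the
# organisation's own list.
SENSITIVE_INFTY = {"0008", "0009"}

# Authorisation levels that do not permit updates (simplification: any other
# level is treated as update-capable).
DISPLAY_LEVELS = {"R", "M"}

# Constructed AGR_1251-style rows: (AGR_NAME, OBJECT, AUTH, FIELD, LOW).
AGR_1251 = [
    # Own record excluded from update on all infotypes; own pay displayable.
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR001", "AUTHC", "W"),
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR001", "PSIGN", "E"),
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR001", "INFTY", "*"),
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR001", "SUBTY", "*"),
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR002", "AUTHC", "R"),
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR002", "PSIGN", "I"),
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR002", "INFTY", "0008"),
    ("Z_HR_ADMIN_OK", "P_PERNR", "T-HR002", "SUBTY", "*"),
    # Exclusion maintained for Basic Pay only; Bank Details left uncovered.
    ("Z_HR_ADMIN_GAP", "P_PERNR", "T-HR010", "AUTHC", "W"),
    ("Z_HR_ADMIN_GAP", "P_PERNR", "T-HR010", "PSIGN", "E"),
    ("Z_HR_ADMIN_GAP", "P_PERNR", "T-HR010", "INFTY", "0008"),
    ("Z_HR_ADMIN_GAP", "P_PERNR", "T-HR010", "SUBTY", "*"),
    # General exclusion, but an explicit write grant on own Basic Pay.
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR020", "AUTHC", "W"),
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR020", "PSIGN", "E"),
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR020", "INFTY", "*"),
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR020", "SUBTY", "*"),
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR021", "AUTHC", "W"),
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR021", "PSIGN", "I"),
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR021", "INFTY", "0008"),
    ("Z_HR_ADMIN_SELFPAY", "P_PERNR", "T-HR021", "SUBTY", "*"),
    # HR maintenance role with no P_PERNR at all.
    ("Z_HR_NOPERNR", "P_ORGIN", "T-HR030", "INFTY", "*"),
]


def p_pernr_auths(rows, role):
    """Group one role's P_PERNR rows by authorisation name into {field: value}."""
    auths = {}
    for agr_name, obj, auth, field, low in rows:
        if agr_name == role and obj == "P_PERNR":
            auths.setdefault(auth, {})[field] = low
    return list(auths.values())


def covers(auth, infty):
    """True if the authorisation's INFTY value applies to `infty`."""
    return auth.get("INFTY") in ("*", infty)


def is_update(auth):
    """True if AUTHC permits more than display."""
    return auth.get("AUTHC", "") not in DISPLAY_LEVELS


def review_p_pernr(rows, sensitive=SENSITIVE_INFTY):
    """Return {role: [(infty, finding), ...]} for roles whose P_PERNR does not
    keep the user's own record out of update on a sensitive infotype."""
    findings = {}
    for role in sorted({row[0] for row in rows}):
        auths = p_pernr_auths(rows, role)
        for infty in sorted(sensitive):
            relevant = [a for a in auths if covers(a, infty)]
            grants = [a for a in relevant if a.get("PSIGN") == "I" and is_update(a)]
            excludes = [a for a in relevant if a.get("PSIGN") == "E" and is_update(a)]
            if grants:
                finding = f"PSIGN I grants level {grants[0]['AUTHC']} on own record"
            elif not excludes:
                finding = "own personnel number not excluded from update"
            else:
                continue
            findings.setdefault(role, []).append((infty, finding))
    return findings


if __name__ == "__main__":
    for role, items in review_p_pernr(AGR_1251).items():
        for infty, finding in items:
            print(f"{role} infotype {infty}: {finding}")
```

A role with no P_PERNR at all (Z_HR_NOPERNR here) is reported on every sensitive infotype, matching the point above that without the object a user is not distinguished from other employees. The script reviews single roles in isolation; where a user holds several roles, the union of their P_PERNR entries should be reviewed.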


• SAP User Master Records (UMR) must be assigned to an employee record in order for structural authorisations to operate. Where a UMR has not been assigned to an employee record, the user is not restricted by a structural authorisation.

• Access to the following ESS and structural authorisation related sensitive transactions should be restricted to relevant HR staff only:

Tcode    Name                                            Description
OOSP     Change View “Authorisation Profile”: Overview   Maintain the content of an authorisation profile
OOSB     Change View “User Authorisations”: Overview     Allocate a user to a structural authorisation profile
HRUSER   Set up and maintain ESS user                    Administer ESS users (create, change, delete, password administration etc)

• Organisations often authenticate users’ access to ESS based on network account authentication. Where this is the case, ESS users do not log into the SAP system and the default passwords may remain unchanged, increasing the risk of unauthorised access.

USEFUL REPORTS

A number of key control reports are available to assist in the administration of structural authorisations and ESS.

Report Code                                       Name                                   Description
ESS_USERCOMPARE                                   Reconcile User Master with HR Master   Reconciliation report listing users not allocated to an employee record.
ESS_SEL_PERNR_VIA_PNP and ESS_SEL_PERNR_VIA_PCH   Choose Personnel Numbers               Various analyses over ESS users.
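The reconciliation that ESS_USERCOMPARE performs can also be run over table extracts outside SAP, for example when an auditor receives downloads rather than system access. The script below is an added example, not the SAP report and not part of this handbook: it compares constructed USR02-style user names with PA0105-style rows (infotype 0105, subtype 0001 holding the SAP user name), all invented, and lists users with no employee record (and therefore no effective structural authorisation), links that point at users which no longer exist, and one user linked to several employees.

```python
"""Reconcile SAP user master records with HR infotype 0105 assignments.

Infotype 0105 (Communication) subtype 0001 holds the SAP system user name
for an employee; structural authorisations only apply to users that have
such a record. The extracts below are constructed for this example.
"""

# Constructed USR02-style extract: user names (BNAME).
USR02 = ["JSMITH", "AJONES", "BATCH_PAY", "HRADMIN", "MLEE"]

# Constructed PA0105-style extract: (PERNR, SUBTY, USRID).
PA0105 = [
    ("00001001", "0001", "JSMITH"),
    ("00001002", "0001", "AJONES"),
    ("00001003", "0001", "MLEE"),
    ("00001004", "0001", "MLEE"),      # one user linked to two employees
    ("00001005", "0001", "TGONE"),     # user no longer exists in USR02
    ("00001001", "0010", "jsmith@agency.example"),  # e-mail subtype, not a user link
]

SYSTEM_USER_SUBTYPE = "0001"


def user_links(pa0105):
    """Return {USRID: [PERNR, ...]} built from subtype 0001 rows only."""
    links = {}
    for pernr, subty, usrid in pa0105:
        if subty == SYSTEM_USER_SUBTYPE:
            links.setdefault(usrid, []).append(pernr)
    return links


def reconcile(usr02, pa0105):
    """Compare the user list with infotype 0105 links and return three lists:
    users with no employee record (structural authorisations do not apply),
    links that point at users which do not exist, and users linked to more
    than one personnel number."""
    links = user_links(pa0105)
    users = set(usr02)
    return {
        "unassigned_users": sorted(users - set(links)),
        "orphan_links": sorted(u for u in links if u not in users),
        "multi_assigned": {u: p for u, p in links.items() if len(p) > 1},
    }


if __name__ == "__main__":
    result = reconcile(USR02, PA0105)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Technical accounts such as BATCH_PAY in the sample will legitimately appear as unassigned; they should be matched against the agency’s register of system accounts rather than linked to an employee, and the remaining unassigned dialog users followed up with HR.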


The Managers Desktop

Functional Overview

The Managers Desktop was released in Version 4.5 to allow managers immediate access to relevant HR, Financial Accounting and Controlling data. It allows all functional managers to perform administrative tasks for their area of responsibility that may previously have been centralised.

The Managers Desktop provides up-to-date information through integrated reports, allowing greater management control over personnel.

The Managers Desktop provides a number of ‘Themes’ which break down the activities that can be performed in this application, including:

Theme              Theme Description
Employee           Employee information reports, including:
                   • Entry and approval of travel requirements
                   • Education and training data
                   • Creation of appraisals
Organisation       Planning and administration reports:
                   • Organisation maintenance
                   • Transfers processing
Costs and Budget   • Cost centre accounting functions
                   • Compensation Management
Recruitment        Records of decisions related to employee recruitment
Special Areas      Integrated web browser allows access to Intranet and Internet pages
Workflow Inbox     Facilitates integration with ESS and approval activities such as:
                   • Leave requests and time sheets
                   • Expenses


SIGNIFICANT RISKS

• The organisational plan (organisational structure) is not accurately defined or maintained

resulting in:

– Manager access to employees outside their responsibility;

– Managers not having access to their employees; and

– Transactions not properly routed for approval.

• Unauthorised approval of time, expense or other employee data.

• Unauthorised updates / changes to HR data.

• Poor controls regarding delegation of responsibilities result in excessive access.

• Transactions not approved in a timely manner.

CONFIGURATION HOT SPOTS

• In order for the Managers Desktop to work it is important that the organisational plan be accurately defined, including the assignment of employees to positions. Incorrect allocation of employees to positions will result in managers gaining inappropriate access to HR data.
• In order for a user to utilise the Managers Desktop the user must be the holder of a chief position within the organisational chart. The system uses the chief position indicator to determine the organisational units managed directly and indirectly by the position holder.
• Managers Desktop ‘Themes’, which grant access to various components of the Managers Desktop functionality, must be configured to appropriately restrict information.
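As an added illustration (not code from the handbook or from SAP), the following Python models the chief-position logic described above and derives the findings an auditor would look for: vacant chief positions, units with no chief to route approvals to, and chiefs whose managed units exceed their documented responsibility. All org unit, position and holder identifiers are constructed.

```python
"""Org-plan check for Managers Desktop scope. Added illustration, not ANAO or
SAP code; all org units, positions and holders below are constructed."""
from collections import defaultdict

# Constructed org units: unit -> parent unit (None marks a root).
ORG_UNITS = {"O100": None, "O110": "O100", "O111": "O110", "O120": "O100",
             "O200": None}

# Constructed positions: id -> (org unit, chief indicator, holder or None).
POSITIONS = {
    "S1": ("O100", True, "E1"),   # agency head: manages all units under O100
    "S2": ("O110", True, "E2"),   # chief of O110, hence O111 indirectly
    "S3": ("O111", False, "E3"),
    "S4": ("O120", True, None),   # vacant chief position
    "S5": ("O120", False, "E5"),
    "S6": ("O111", False, "E6"),
    "S7": ("O200", False, "E7"),  # unit with no chief anywhere above it
}

# Constructed record of the units HR believes each chief is responsible for.
EXPECTED_SCOPE = {"E1": {"O100", "O110", "O111", "O120"}, "E2": {"O110"}}


def _children(units):
    kids = defaultdict(list)
    for unit, parent in units.items():
        if parent is not None:
            kids[parent].append(unit)
    return kids


def managed_units(holder, positions=POSITIONS, units=ORG_UNITS):
    """Units managed directly (held chief position) and indirectly (every
    unit beneath it); this is the scope Managers Desktop exposes."""
    kids, managed = _children(units), set()
    for unit, chief, emp in positions.values():
        if chief and emp == holder:
            stack = [unit]
            while stack:
                u = stack.pop()
                if u not in managed:
                    managed.add(u)
                    stack.extend(kids[u])
    return managed


def visible_employees(holder, positions=POSITIONS, units=ORG_UNITS):
    """Employees whose positions sit inside the holder's managed units."""
    scope = managed_units(holder, positions, units)
    return {emp for unit, _, emp in positions.values()
            if emp and emp != holder and unit in scope}


def responsible_chief(unit, positions=POSITIONS, units=ORG_UNITS):
    """Nearest held chief position walking up the tree; None means
    approvals raised in this unit have no manager to route to."""
    while unit is not None:
        for pos_unit, chief, emp in positions.values():
            if pos_unit == unit and chief and emp:
                return emp
        unit = units[unit]
    return None


def audit(positions=POSITIONS, units=ORG_UNITS, expected=EXPECTED_SCOPE):
    """Findings corresponding to the significant risks listed above."""
    findings = []
    for pid, (unit, chief, emp) in positions.items():
        if chief and emp is None:
            findings.append(f"vacant chief position {pid} in {unit}")
    for unit in units:
        if responsible_chief(unit, positions, units) is None:
            findings.append(f"no responsible chief for {unit}")
    for holder, scope in expected.items():
        extra = managed_units(holder, positions, units) - scope
        if extra:
            findings.append(f"{holder} manages units outside responsibility: "
                            f"{sorted(extra)}")
    return findings
```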

SECURITY CONSIDERATIONS

• Access to the following sensitive transactions should be restricted to relevant managers:

Tcode | Name | Description
PPMDT | Managers Desktop | Transaction provides access to the Managers Desktop.

Appropriate controls should be implemented for the temporary delegation of system access and the removal of this system access.


USEFUL REPORTS

As detailed in page 123 of the Security and Control for SAP R/3 Handbook, the ‘Logged Changes in Infotype Data’ report should be run on a regular basis to review changes made to key infotypes to ensure they are appropriate.

Controls for the review and clearing of workflow items which are not actioned in a timely manner should be implemented. This should include implementation of appropriate deadline monitoring and escalation procedures. Refer to the Basis and Cross Application Components section within this handbook update for further details.


Compensation Management

Functional Overview

Compensation Management is a new component within SAP available from Release 4.0A. The Compensation Management component administers compensation policies for an organisation.

Compensation Management can be integrated with the Managers Desktop and can be used as an effective tool to plan and perform compensation adjustments to individuals, employee groups, or based on other organisational breakdowns.

SIGNIFICANT RISKS

• Unauthorised / inaccurate update of compensation data resulting in over, or under, compensation to employees.
• Inappropriate approval processes configured, resulting in inappropriate compensation adjustments being applied.
• Unauthorised access to sensitive and confidential compensation data.

CONFIGURATION HOT SPOTS

• Compensation areas need to be defined as appropriate groupings of employees for compensation administration.
• Appropriate features of employees should be selected to ensure that employees fall into the correct Compensation areas or eligibility groups.
• Compensation administration views should be configured to ensure that only appropriate employee information is displayed through the compensation administration function.
• Workflow and the organisational structure should be configured to ensure that compensation adjustments are subject to appropriate approval processes.


SECURITY CONSIDERATIONS

Access to the following Compensation Management sensitive transactions should be restricted to only relevant senior HR staff:

Tcode | Name | Description
HRCMP0001C | Compensation adjustment change — Salary Review | Adjustment of employee compensation.
HRCMP0080 | Total Compensation statement display | Total compensation statements.
HRCMP0081 | Print Total Compensation statement | Printing of total compensation statements.
HRCMP0060C | Granting Employee Awards: Change | Allocate long-term incentive awards such as stock options, restricted stock, and performance units to employees.

USEFUL REPORTS

There are several reports available to assist in controlling Compensation Management that should be reviewed on a regular basis by relevant senior HR staff to monitor employee compensation.

Report | Name | Description
S_AHR_61018799 | Compa (Comparison) -Ratio Analysis | To identify whether employees’ salaries are within appropriate salary bands.
S_AHR_61018798 | Compare Actual Basic Salaries and Planned Compensation | Report of employee base salaries compared to the compensation assigned to the job or position.


Cross Application Timesheets and Time Management

Time Management has been enhanced from earlier releases and provides processes supporting the planning and recording of employee work.

A significant change in Time Management is the Cross Application Timesheet (CAT) functionality that was introduced in Version 4.0A of SAP R/3 and provides a standard interface for recording time across components of SAP. CAT combines existing SAP time recording functions into a single process and provides information to other components, including internal activity allocation for Controlling, and Personnel Time Management for attendances and absences.

SIGNIFICANT RISKS

• Inaccurate entry of timesheet data resulting in incorrect payment to employees.
• Duplicate processing of data through interfacing components.
• Entry or approval of time data does not occur in a timely manner.

CONFIGURATION HOT SPOTS

• Data entry profiles determine the data entry process and the layout of the time sheet. Consideration should be given to the following configurations affecting users entering time sheet data:

Setting | Description
Profile Changeable | Allows a user with access to a profile to change profile settings.
With Target Hours, Totals Line, Clock Times | Available details which can be included on the face of the timesheet.
Release on Saving | On saving time information, consideration should be given to whether it is automatically or manually released.
Approval Required | Workflow configured to ensure time data is subject to appropriate approvals.
No Changes After Approval | Should be configured to ensure time data is displayed on the data entry screen after approval and cannot be changed.
Highlight Rejected Records | Can be configured to show user records that have been rejected by approvers, highlighting the need for further action.
Time Settings | Time settings should be configured based on the standard working week. This will include defining the number of periods a user can view and change (past and future).
Personnel Selection | Defines the profile selection criteria for personnel time data entry.
Default Values | Time sheets can be configured to display default values when accessed.
Data Entry Checks | Data entry checks can be configured to improve the quality and completeness of data entry. Consideration should be given to applying validation tolerances to reduce inaccurate time sheet entry.
For Users with HR | The system can be configured to give an error or warning message when interfacing errors occur between CAT and HR.
Workflow Approval | A Workflow approval procedure can be configured which will be initiated on completion of time sheet entry.

• Field selections should be configured as required, input, display, hidden or highlighted in the user screens.
• Overtime compensation types should be appropriately defined to ensure that where overtime is entered it is accurately accounted for.
• Rejection reasons should be configured and provide enough detail to the user to take the appropriate action to resolve time sheet errors.
• Configuration can be applied to take an appropriate action to rectify overlapping time records.

SECURITY CONSIDERATIONS

In order to enter time data a user must call the time sheet with a data entry profile. The data entry profile determines the data entry process and the layout of the time sheet.

Consideration should be given to segregating the entering of time sheet information and the approval of time sheets. Workflow approval processes should be implemented to control this.

Access should be restricted to the following Time Management sensitive transactions; approval of time sheets should be restricted to relevant functional managers and/or HR staff:

Tcode | Name | Description
CAT2, CAT3 | Time Sheet: Initial Screen | Enter time sheet details.
CAPS | Time Sheet: Approve Times (Select by Master Data) | Approve time sheets.
CAT4 | Time Sheet: Approve Times (Selection by Org. Assignment) | Approve time sheets.
CAPP | Time Sheet: Approve Times | Approve time sheets.
PP61 | Change Shift Plan: Entry Screen | Amendment of shift plans.
PA61 | Maintain Time Data | Entry of time data into SAP.
PA70 | Fast Entry | Entry of time data into SAP.
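An added example, not from the handbook or from SAP, of how a reviewer might test the points above against exported CATS data: the user-to-transaction assignments, the approver list and the profile values are constructed, and the baseline values for Profile Changeable, Approval Required and No Changes After Approval are the reviewer's assumed expectations.

```python
"""Review of CATS data entry profiles and time-sheet transaction assignments.
Added illustration, not ANAO or SAP code. The settings and tcodes are those
named in the handbook; users, profile values and the baseline are constructed."""

ENTRY_TCODES = {"CAT2", "CAT3"}
APPROVAL_TCODES = {"CAPS", "CAT4", "CAPP"}
OTHER_SENSITIVE = {"PP61", "PA61", "PA70"}

# Constructed extract: user -> transactions the user can start.
USER_TCODES = {
    "MGR01": {"CAPS", "CAT4"},           # functional manager: approves only
    "EMP01": {"CAT2"},                   # employee: enters own time
    "EMP02": {"CAT2", "CAPP"},           # enters and approves: SoD conflict
    "HR01": {"CAT3", "PA61", "PA70"},    # HR staff: entry plus time data
    "TEMP01": {"PA61", "PP61"},          # contractor with time data access
}
# Constructed list of users entitled to approve (managers and HR staff).
APPROVERS = {"MGR01", "HR01"}

# Reviewer's assumed baseline for a profile used by ordinary employees.
PROFILE_BASELINE = {
    "Profile Changeable": False,        # users must not alter profile settings
    "Approval Required": True,          # workflow approval of entered time
    "No Changes After Approval": True,  # approved records become read-only
}

# Constructed data entry profiles as a reviewer might export them.
PROFILES = {
    "STAFF": {"Profile Changeable": False, "Approval Required": True,
              "No Changes After Approval": True, "Release on Saving": True},
    "CONTR": {"Profile Changeable": True, "Approval Required": False,
              "No Changes After Approval": True, "Release on Saving": False},
}


def sod_conflicts(user_tcodes=USER_TCODES):
    """Users able both to enter and to approve time sheets."""
    return sorted(u for u, t in user_tcodes.items()
                  if t & ENTRY_TCODES and t & APPROVAL_TCODES)


def unexpected_approvers(user_tcodes=USER_TCODES, approvers=APPROVERS):
    """Users holding an approval tcode without being a manager or HR staff."""
    return sorted(u for u, t in user_tcodes.items()
                  if t & APPROVAL_TCODES and u not in approvers)


def sensitive_holders(user_tcodes=USER_TCODES):
    """Who can change shift plans or maintain time data directly."""
    return {code: sorted(u for u, t in user_tcodes.items() if code in t)
            for code in sorted(OTHER_SENSITIVE)}


def profile_deviations(profiles=PROFILES, baseline=PROFILE_BASELINE):
    """(profile, setting, actual) for each setting not matching the baseline."""
    return [(name, setting, values.get(setting))
            for name, values in profiles.items()
            for setting, expected in baseline.items()
            if values.get(setting) != expected]
```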

USEFUL REPORTS

Controls for the review and clearing of workflow items which are not actioned in a timely manner should be implemented. This should include implementation of appropriate deadline monitoring and escalation procedures. Refer to the Basis and Cross Application Components section for further details.


Other Key Changes Since Version 3.1H

Ad Hoc Query

To provide greater reporting flexibility and functionality, SAP developed the Ad Hoc Query functionality, which has since been extended in Version 4.6C to integrate with other application areas and has been renamed InfoSet Queries. This functionality has been further documented in the Basis and Cross Application Components section of this handbook update.

Benefits

Benefits functionality has been enhanced from earlier SAP R/3 releases. The Benefits component can be used to develop benefits packages for employees and provides easy access to benefits related information for administrative staff, executives and employees.

SIGNIFICANT RISKS

• Users have the ability to allocate benefits inappropriately to an employee.
• Inaccurate calculation and reporting of employee benefits.

SECURITY CONSIDERATIONS

• Access to the following sensitive transactions should be granted to, and restricted to, relevant HR staff only:

Transaction Code | Name | Description
HRBEN0001 | Enrolment | To enrol employees, or make changes to benefit elections.
HRBEN00ADJRSN | Mass Generation of Adjustment Reasons | To perform mass maintenance.


USEFUL REPORTS

There are several reports available to assist in controlling Benefits; consideration should be given to reviewing these reports on a regular basis.

Report ABAP ID | Name | Description
RPLBEN09 | Changes in Eligibility | Provides a list of employees who are no longer eligible for a benefit plan in which they are participating, with reasons.
RPLBEN08 | Changes in benefit elections | Provides a list of deviations from system allocated default values in an employee’s general benefits data.
RPLBEN13 | Change in default values from general benefits information | Provides a list of deviations from system allocated default values in an employee’s general benefits data (Infotype 0171).
RPLBEN18 | Contribution limit check | Provides employee contributions that are not within defined contribution limits on a key date.


Audit information system

SECTION CONTENTS

Background  89
Using Audit Information System  90
  Starting an Audit  90
  Installation Check  91
  Preparatory Tasks  91
  Systems Audit  92
  Business Audit  93
  Customising Audits  94
  Security Considerations  95


Background

The Audit Information System (AIS) has been developed to provide internal and external auditors, Security Administrators and those with data protection and controlling responsibilities with a tool to assist in understanding and completing required tasks in the complex SAP environment.

The SAP Audit Information System (AIS) provides a centralised repository for reports, queries, and views of data that have a control implication.

AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the production system on a real time basis.

AIS is currently focused on two key areas that are covered in more detail below:

• Systems Audit; and
• Business Audit.

SAP has suggested that AIS functionality will be further developed to include other components, including Materials Management (MM) and Sales and Distribution (SD).

AIS consists of an Audit Report Tree, which provides a facility to access and document audit steps within a SAP system, and download audit and additional related data to other programs for reporting or additional analysis.

The structure of the reporting tree menu is designed by SAP to reflect the procedures followed when conducting an audit. AIS allows the auditor to set up a report view specific to the audit, perform tasks such as the attaching of comments, as well as allowing for tracking the audit’s progress.

AIS also has the capability to extract data into pre-defined formats appropriate for data.


Using Audit Information System

Starting an Audit

Transaction code SECR is used to access the AIS. The user can elect to enter:

• Complete audit: when executed, this provides all tests and documentation available in the AIS system.
• User defined audit: when executed, this provides tests and documentation applicable to the User-defined audit selected by the user.


Once started, the user is provided with a report tree structure that sets out all applicable documentation and tests that are executable.

The reporting tree contains steps that include variants for each type of function. These can be centrally maintained to apply across multiple audit tasks.

Installation Check

The Installation Check is an AIS tool which, when executed, checks whether all of the programs and variants listed in AIS are currently available in the current system environment.

The Installation check can be initiated through selecting Extras — Installation — Installation check from transaction SECR.

Preparatory Tasks

In preparation for the completion of an audit, the user may complete preparatory tasks. These tasks allow the user to customise the audit to improve efficiency in completion of tasks.

The preparatory tasks within AIS are broken into three areas:

Area | Description
AIS Customisation | Allows for audit customisation through the definition of variables and constants to be utilised in the audit process. This may include variables such as company codes which are then used in reporting.
Customise Financial Information System | Provides the user with functions relevant to the configuration and extraction of financial information.
ABAP/4 Query including download | Provides access to logical database structure and information pertinent to extracting data for analysis purposes.


Systems Audit

The "Systems Audit" is primarily used for administration and review of system activities, such as security and change control. Users are provided with easy access to many of the standard SAP security and control reports and audit trails.

Checklists are available to assist in the execution of an AIS systems audit. These checklists provide samples of security items to be considered, which can be amended as required.

The System Audit functionality in AIS is broken down into the following key areas:

Area | Description
Systems Configuration | Allows the user to gain details of the environment and general set up of the SAP system.
Transport Group | Information relevant to change control processes, and system set-up.
Tables / Repository | Includes information regarding table configuration, change logging as well as table security.
Development / Customising | Information with regard to development processes including change control, blocked transactions and report security.
Background Processing | Information relevant to background processing, including the graphical job schedule and access to the job overview.
System Logs | Provides access to logs (system, access, database etc.) as well as configuration settings pertinent to these logs.
User Administration | Provides access to information relevant to administration and security of the SAP system. This includes various reports on:
  - User Security and Authorisations
  - Profile Generator
  - User administration, such as users who have not logged into the system for a predefined period of time.

Using the System Audit functionality, the user can access key parts of the Basis module, including the Transport Management System, repository and table browser. It also provides comprehensive tools to review the security around user access.


Business Audit

The “Business Audit” functionality in AIS allows the auditor to produce financial statements and balance sheets, as well as perform general ledger, accounts payable and accounts receivable activities and queries.

For example, through the business audit functionality, auditors can perform and document their review of general ledger posting keys, automatic postings, billing and document types, number ranges and reconciliation accounts, as well as duplicate invoice reviews.

The Business Audit is broken into the following areas:

Area | Description
Organisational Overview | This area allows the user to become familiar with the enterprise structure that has been implemented in SAP. Further, the user is provided with information about the financial structure of the organisation, including details on Account Determination and Special General Ledger.
Financial Statement Oriented Audit | The Financial Statement Oriented Audit provides the user with details of Account reconciliation, Balance Sheet, Profit & Loss and other General Ledger related reports which can be used for financial analysis.
Process Oriented Audit | The Process Oriented Audit steps are broken down into the various areas of SAP including retail, procurement, production and sales and distribution. Areas of this section are at various levels of development.

When the audit begins, the present parameters and selection criteria are edited by using the “Preparatory Tasks” in the Business Audit menu. The auditor customises the reporting tree to reflect the correct time period and organisational structure required for the audit. The use of these “variants” helps reduce the potential for adversely affecting system performance, by limiting the parameters for which the reports are run.

Business Audit functionality is not generally considered to be comprehensive and many items included in the menu structure are not yet functional. This should be considered when utilising AIS.


Customising Audits

To make effective use of the AIS tool it is important to customise the audits and ensure that only relevant information is provided.

All information provided in the complete audit can be partitioned into audit programs specific to the particular needs and scope of audit work to be completed.

This can be performed by selecting Audit Information System — Create/change view.

A new view can then be created where you can manually select from the tree structure the components that are to be displayed in this user defined view.

Following the customisation and generation of an audit, this can be accessed by selecting the user-defined audit that has been created.


Security Considerations

In order for a user to access configuration, data or other reports, relevant access must be provided to the user. The AIS provides links through to various reports and other information, and therefore the access provided to complete AIS tasks may vary between users in line with the tasks the individual is to perform.

The transaction to start the AIS is SECR and a user must therefore be granted transaction start authorisation.

In order for a user to be able to edit notes in AIS the user must have been provided with the following authorisation object values:

S_IMG_ACTV
Field | Value
PROJAUTH | 900 (Project for Audit: 900)
ACTVT | 02 (Change activity)
IMG_ACTIV | NOTE (Edit notes)

In order for a user to be able to edit the status of the audit and tasks in the AIS the following authorisations must be provided:

Authorisation for editing status information:

S_IMG_ACTV
Field | Value
PROJAUTH | 900 (Project for Audit: 900)
ACTVT | 02 (Change activity)
IMG_ACTIV | STAT (Edit status)

Other security which may be granted to the user in order to complete tasks may include:

• Authorisation to view data in the IMG.
• Authorisation to display user and security information.
• System administration and other system and performance monitoring functions.
• Change control authorisations.
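Added example (not ANAO or SAP code) that applies the S_IMG_ACTV values above using the matching rules of an SAP authorisation check, where a check passes if one authorisation matches every field and ‘*’ acts as a wildcard; the per-user authorisations are constructed, and the report of wildcard grants wider than project 900 is the reviewer's own check.

```python
"""Evaluation of S_IMG_ACTV values for editing AIS notes and status.
Added illustration, not ANAO or SAP code. Matching follows SAP's check
rules: at least one authorisation for the object must match every field,
'*' matches anything and 'ABC*' matches by prefix. Users are constructed."""

# Required values from the handbook, one set per AIS editing task.
AIS_NOTE_EDIT = {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "NOTE"}
AIS_STATUS_EDIT = {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "STAT"}

# Constructed extract: user -> list of S_IMG_ACTV authorisations, each a
# field -> value dict as a reviewer might export them.
USER_AUTHS = {
    "AUDIT01": [{"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "NOTE"}],
    "AUDIT02": [{"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "NOTE"},
                {"PROJAUTH": "900", "ACTVT": "02", "IMG_ACTIV": "STAT"}],
    "BASIS01": [{"PROJAUTH": "*", "ACTVT": "*", "IMG_ACTIV": "*"}],
    "VIEW01":  [{"PROJAUTH": "900", "ACTVT": "03", "IMG_ACTIV": "NOTE"}],
}


def value_matches(granted, required):
    """SAP-style field match: '*' grants all, 'ABC*' is a prefix pattern."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def authorised(auths, required):
    """True if any single authorisation satisfies every required field."""
    return any(all(value_matches(a.get(f, ""), v) for f, v in required.items())
               for a in auths)


def ais_capabilities(user_auths=USER_AUTHS):
    """Per user: whether AIS notes and audit status can be edited."""
    return {u: {"notes": authorised(a, AIS_NOTE_EDIT),
                "status": authorised(a, AIS_STATUS_EDIT)}
            for u, a in user_auths.items()}


def overbroad_grants(user_auths=USER_AUTHS):
    """Wildcard values in any S_IMG_ACTV field, reported as
    (user, field, value); these exceed what audit project 900 needs."""
    return [(user, field, value)
            for user, auths in user_auths.items()
            for a in auths
            for field, value in a.items()
            if value.endswith("*")]
```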
