SAP Audit Guide for Financial Accounting


This Audit Guide is designed to assist the review of financial reporting processes that rely upon automated functions in SAP systems.

The specific areas examined in this Guide are relevant configurables, transactions, authorizations and reports in the General Ledger (GL), Asset Accounting (AA) and Bank Accounting (BA) components of the SAP Financial Accounting module.

The Guide provides instructions for assessing SAP application-level controls in the following areas of financial statement audits:

Reporting Structure
Chart of Accounts
Journal Entry Posting
Period End Close
Foreign Currency Translation
Inter-company Transactions
Asset Management and Reporting
Cash Management

The Guide is written in clear, non-technical terms to enable financial and operational auditors to navigate the complexities of SAP security successfully. Upcoming volumes of this Guide will deal with SAP controls in areas such as Revenue, Inventory, Expenditure, Human Resources and Basis.

Reporting Structure

The financial reporting structure in SAP is determined by the organization of reporting units known as company codes. There can be multiple company codes within an organization, with each code corresponding to a unique economic entity.

Reporting entities in differing countries should have unique company codes since they may be subject to divergent accounting and tax requirements. Each company code has one domestic currency and up to two additional currencies to support financial reporting in multiple currencies.

Company codes must be set to productive to prevent the deletion of transactional data. This can be verified through transaction code OBR3 or Table T001 through transaction SE16.


The company code structure should correspond to the legal reporting requirements of the company under review. The appropriateness of the structure should be reviewed through the menu path IMG> Enterprise Structure> Financial Accounting> Define Company, transaction OX15 or table T880 (note that IMG can be accessed through transaction SPRO).

Relevant global parameters in IMG should also be reviewed. This includes areas such as Country Keys, Currencies, Controlling Areas, Credit Control Areas, Fiscal Year Variants, Sales and Purchasing Organisations, Business Areas and Plants, and Cost and Profit Centers (IMG> Enterprise Structure> Financial Accounting> Global Settings> Company Code> Global Parameters).

Access to transactions such as OX02 (edit company code) and EC01 (copy, delete and check company code), and to the client configuration table T001, should be based on role requirements. Other critical transaction codes are listed in Table A.

TRANSACTION      DESCRIPTION
OX16             Assign Company Code to Company
OB38             Assign Company Code to Credit Control Area
OF18             Assign Company Code to Financial Management Area
OX19             Assign Company Code to Controlling Area
OX18             Assign Plant to Company Code
OVX3             Assign Sales Organization to Company Code
OX01             Assign Purchasing Organization to Company Code
OH05             Assignment of Personnel Area to Company Code
OBB5             Cross-System Company Codes
OBY6             Enter Global Parameters
OB37             Assign Company Code to a Fiscal Year Variant
OBB9             Assign Posting Period Variants to Company Code
OKBD             Define Functional Area
OX03             Define Business Area
FM_FUNCTION      Define Functional Area
OX06             Maintain Controlling Area
KEP8             Create Operating Concern

Table A: Company Code Transactions

Chart of Accounts

The chart of accounts is the container for General Ledger (GL) accounts and the basis for journal entry posting and financial reporting. A chart of accounts can be specific to one company code or cover multiple companies in a single SAP client. GL accounts are assigned to specific account groups determined by account type. The field status for account information and the numbering interval are determined at the group level.

The configuration of all or a sample of account groups should be reviewed to assess which fields are required, optional, displayed or suppressed during the creation of a new account and to ensure that account numbering follows a logical and consistent policy. This can be performed through the menu path General Ledger Accounting> G/L Accounts> Master Data> Preparations> Define Account Group or transaction OBD4.

The structure of the Chart of Accounts should also be reviewed through transaction FSP3 to assess account groupings and identify the appropriate use of control accounts for AP and AR. The latter are known as reconciliation accounts and are updated automatically. In other words, SAP does not allow manual journal postings against such accounts. This can be performed through transactions KALE and OK17.

Changes to the chart of accounts should be identified through report RFSABL00, accessible through transaction SA38. Alternatively, changes can be isolated through transactions FS04, FSP4 and FSS4. A sample of changes should be examined for evidence of approval, documentation and testing.

Access to SAP functions that enable users to create, modify or delete GL accounts should be restricted and based on business need. This should include transactions in Table B with authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).

TRANSACTION      DESCRIPTION
FS01             Create Master Record
FS02             Change Master Record
FS00             G/L Acct Master Record Maintenance
FS05             Block Master Record
FS06             Mark Master Record for Deletion
FSS1             Create Master Record in Company Code
FSS2             G/L Acct Master Record in Chart/Accts
FSP0             Create G/L Acct Master Record in Chart/Accts
FSP1             Cross-System Company Codes
FSP2             Change G/L Acct Master Record in Chart/Accts
FSP5             Block Master Record in Chart/Accts
FSP6             Mark Master Record for Deletion in Chart/Accts

Table B: GL Account Transactions

Journal Entry Posting

SAP is preconfigured with hundreds of document types for purchase orders, customer invoices, goods receipts and many other transactions. Each document type has a unique 2 or 3 letter identifier and a specific number range. Particular attention should be paid to the GL account assignments for SAP documents, since transactional data is posted automatically by the system based on the assignments defined in the system configuration. These should be reviewed through transactions OBA7 (Define Document Types) and OB41 (Posting Keys). Samples selected for review should include custom document types, which are more likely to contain assignment errors than standard SAP document types.

Monetary limits for journal entries, cash discounts, payment or receipts differences should be defined for document types. These can vary by company code and employee group. Tolerance levels should be reviewed through transactions OBA4 and OB57. This should include clearing procedures for critical accounts such as GR/IR.

SAP should also be configured to control posting to prior periods even though the system is capable of keeping open multiple periods at the same time. This is performed through rules defined in Posting Period Variants, part of the Financial Accounting Global Settings. Note that back posting settings in Logistics can also be configured to allow posting to prior periods. Both of these areas should be reviewed in the IMG.
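Reviewing the Posting Period Variant rules that OB52 maintains can be scripted over an extract of table T001B. The following Python check is an added example, not code from the guide; the field layout it assumes (FRYE1/FRPE1/TOYE1/TOPE1 for interval 1 and FRYE2/FRPE2/TOYE2/TOPE2 for interval 2) is taken from the standard table, and the rows are constructed sample data.

```python
"""Flag Posting Period Variant intervals (OB52 / table T001B) that leave
periods open further back than an agreed window. The T001B field layout is
assumed from the standard table; all rows below are constructed sample data."""

# Constructed T001B-style rows:
# (variant, account type, FRYE1, FRPE1, TOYE1, TOPE1, FRYE2, FRPE2, TOYE2, TOPE2)
SAMPLE_T001B = [
    ("1000", "+", 2011, 5, 2011, 6, 2011, 13, 2011, 16),   # prior month + specials
    ("2000", "+", 2010, 1, 2011, 6, 2010, 13, 2010, 16),   # whole prior year open
    ("2000", "S", 2011, 6, 2011, 6, 2011, 6, 2011, 6),     # G/L limited to current
    ("3000", "K", 2011, 4, 2011, 6, 2011, 13, 2011, 16),   # vendors two months back
]

def month_index(year, period):
    """Map a fiscal year/period to a comparable month number. Special periods
    13-16 belong to the year-end close and are treated as period 12."""
    if not 1 <= period <= 16:
        raise ValueError(f"period {period} out of range 1-16")
    return year * 12 + min(period, 12)

def periods_open_too_far_back(rows, current_year, current_period, allowed_prior=1):
    """Return (variant, account type, interval, from-period) for every interval
    that starts before the current period minus allowed_prior months.
    Account type '+' applies to all account types and is reported as such."""
    earliest_ok = month_index(current_year, current_period) - allowed_prior
    findings = []
    for variant, acct_type, y1, p1, _ty1, _tp1, y2, p2, _ty2, _tp2 in rows:
        for interval, (fy, fp) in ((1, (y1, p1)), (2, (y2, p2))):
            if month_index(fy, fp) < earliest_ok:
                findings.append((variant, acct_type, interval, f"{fy}/{fp:03d}"))
    return findings

if __name__ == "__main__":
    for variant, acct_type, interval, start in periods_open_too_far_back(SAMPLE_T001B, 2011, 6):
        print(f"variant {variant} account type {acct_type}: interval {interval} open from {start}")
```

Interval 2 is normally reserved for a restricted authorization group, so a finding there should be read together with the group assigned to the row.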

SAP Business Workflow is used by many companies to review values and account assignments prior to posting journal entries. If enabled, the relevant settings for workflow variants, company codes, and approval paths and groups should be examined under Financial Accounting Global Settings> Document> Document Parking. This should include a review of fields that would cause a release to be revoked if changed after approval, which would lead to the restart of the release procedure.

BusinessObjects Planning and Consolidation (BPC) and BusinessOne should be configured to block unbalanced journal entries. In the former, this can be verified through the JRN_BALANCE parameter. The parameter should be set to 1 (Journals need to be balanced). The default value is 0 (Journals need not be balanced). In the latter, the field for Block Unbalanced Journal Entry should be checked in Administration> System Initialization> Document Settings> Journal Entry.


The ability to create, change, delete and reverse journal entries should be restricted to authorized employees. This includes transactions in Table C with authorization objects with the prefix F_BKPF_ and suffix BUK, KOA, GSB, and BLA and activity levels 01 (create/ enter), 02 (change), 06 (delete) and 77 (pre-enter/ park).

TRANSACTION      DESCRIPTION
F-02             Enter G/L Account Posting
F-21 / F-42      Enter Transfer Posting
FB01 / FBR2      Post Document
FB05             Post with Clearing
FB11             Post Held Document
FB21             Enter Statistical Posting
FB50             G/L Account Posting
FBV0 / FBVB      Post Parked Document
FBR1             Post with Reference Document
F.81             Reverse Accrual Deferral Document
FB08             Reverse Document
F.80             Mass Reversal of Documents
FB02 / FB09      Change Document
FBL4             Change G/L Account Line Items
F-03 / FB1S      Clear G/L Account
FBV1             Park Document
FBV2             Change Parked Document
FBV4             Change Parked Document Header
FBD1             Enter Recurring Entry
FBD2             Change Recurring Entry
F.14             Execute Recurring Entry
F.56             Delete Recurring Entry

Table C: Journal Entry Transactions


Period End Close

The period end close process extends across many different SAP applications including SD, MM and PP. However, the majority of steps are performed within the FI and CO area. Audit procedures for the process should be tuned for each specific client since the process varies between organisations. As a guide, Table D lists the SAP transactions commonly used during the period end close process in sequential order.

Together with the transactions listed in Table D, user access to SAP functions that control the opening and closing of financial periods should be tightly controlled. This should include transaction OB52 (opening and closing FI posting periods) and OBBP (define variants for open posting periods) with authorization object S_TABU_DIS and activity level 02 (change).

TRANSACTION      DESCRIPTION
S_BCE_68000174   Update Exchange Rates
VL10 / VL10A     Ensure Movements are Complete
MIRO             Record Purchase Order Related AP Transactions
MRBR             Release Blocked Invoices
VXF3             Release Billing Documents for Accounting
MMPV             Open Period for Material Master Records
OB52             Open and Close Posting Periods
CJ8G             Calculation of Work In Process (WIP)
KKS1             Prod. and Process Order Variance Calculation
CO88             Settlement PP Order
CO02             PP Order (Close)
FBD1             Enter Recurring Document
F-03             Manual Clearing General Ledger
F-32             Manual Clearing Accounts Receivable
F-44             Manual Clearing Accounts Payable
FB50             Post Adjustment Entries
FAGL_FC_VAL      Foreign Currency Revaluation
AIAB             Order Settlement (Asset Under Construction)
AFAB             Depreciation Run
ASKBN            Periodic Asset Posting
FB50             Automatic GR/IR Clearing
KSA3             Accrual Calculation
MRN0             Stock Valuation
CK11N            Inventory Costing
CK24             Price Update
FB50             Stock Value Adjustment
ENGR             Create Intrastat / Extrastat Periodic Declaration
S_ALR_87012357   Advance Return for Tax on Sales/Purchases
FB41             Post Tax Payable
F.52             Balance Interest Calculation
S_ALR_87012289   Compact Document Journal
S_ALR_87012287   Document Journal
FF7A             Cash Position & Liquidity Forecast
OB52             Open and Close Posting Periods
KE30             Run Profitability Report
S_ALR_87012284   Financial Statements
S_ALR_87005830   Controlling Maintain Versions
CK40N            Costing Run
S_ALR_87008275   Define Percentage Overhead (Actual)
AFAR             Recalculating Values
ABST2            Account Reconciliation
AJRW             Fiscal Year Change
AJAB             Year-End Closing Asset Accounting
F.07             Carry Forward AP/AR Balances
FAGLGVTR         Carry Forward GL Balances
FAGLF101         Regrouping Receivables/Payables
F.17             Balance Confirmation Receivable
F.18             Balance Confirmation Payable
OB52             Close Previous Accounting Period
S_ALR_87012284   Financial Statements
S_ALR_87012287   Document Journal

Table D: Period End Close Transactions

Asset Management and Reporting

The Financial Accounting Asset Accounting (FI-AA) component is responsible for managing fixed assets in SAP ERP. It serves as a subsidiary ledger to the FI GL, providing detailed information on transactions involving fixed assets. AA integrates directly with other FI components such as Materials Management (MM) and Plant Maintenance (PM) and manages asset reporting from acquisition to disposal or retirement. The component also tracks, depreciates and reports upon leased assets and assets under construction.

Asset classes in SAP should be configured in line with country-specific requirements. Therefore, asset classes and the associated descriptions should be reviewed through transaction OAOA (define asset classes).

Depreciation keys should be defined for each asset class. The keys define the rules for calculating depreciation such as straight line or declining balance. They also control the useful life of assets. Auditors should review the configuration of all or a sample of depreciation keys through transaction AFAMA (View Maint. for Deprec. Key Method). Depreciation postings can be reviewed through transactions AFBP and AR25. Transaction ABST displays the reconciliation between asset accounting and the general ledger.

If the SAP Project System (PS) is operating alongside FI-AA, the relevant availability controls should be reviewed in PS. These regulate the thresholds for asset acquisitions in excess of approved, budgeted amounts which, if configured correctly, can be blocked altogether. This can be performed through transaction OPS9 and the menu path IMG> Project System> Costs> Budget> Define Tolerance Limits.

An audit of FI-AA should include a review of user access to transaction codes that provide the ability to change AA master data, including asset groups and depreciation tables, as well as to acquire, depreciate and dispose of fixed assets. These are listed in Table E. The review should focus on authorization objects A_A_VIEW, A_S_ANLKL, A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK, S_BDC_MONI and A_C_AFAPL with activity levels 01, 02 and 06.

TRANSACTION      DESCRIPTION
AS01             Create an Asset
AS02             Modify Asset
AS05             Block Asset Master Record
AS06             Delete Asset
ABZE             Acquisition from In-house Production
ABZK             Acquisition from Purchase w. Vendor
F-90             Acquisition w/ Vendor
ABZV             Acquisition from Clearing Account
ABZP             Asset Acquisition from Affiliated Company
AS21             Create an Asset Group
AS22             Modify Asset
AS25             Block Group Asset
AS26             Delete an Asset Group
ABZU             Asset Write-up
ABZS             Asset Write-up
ABMA             Asset Manually Depreciate
AFAB / AFABN     Post Depreciation
ABAV / ABAVN     Retire by Scrapping
ABAO / ABAON     Asset Sale Without Customer
ABAD             Asset Retire from Sale with Customer
ABANK            Retire with Cost
AR31             Asset Mass Retirement
OAP1             Create Chart of Depreciation
OA52             Close Previous Accounting Period
OAP2             Change Chart of Depreciation

Table E: Asset Accounting Transactions


Foreign Currency Translation

Foreign currency exchange ratios and rates are maintained through transactions OBBS and OB08. The underlying tables should be reviewed through these transactions to ensure that ratios and rates are regularly and accurately updated.

SAP provides a variety of valuation methods and even provides an option to create custom methods. Custom valuations should be identified and examined very closely. This can be performed through transaction OB59 (foreign currency valuation methods).

Automatic postings for foreign currency valuations should be analyzed via transaction OBA1. The assigned accounts are used to record realized/ unrealized gains and losses. This should be followed by a review of foreign currency rounding rules in transaction OB90.

Inter-Company Transactions

Inter-company reconciliation is often a bottleneck in the financial close process. As a result, some SAP clients have migrated to the Web-based BusinessObjects Inter-company application. This significantly improves the speed and accuracy of identifying, matching and eliminating related party transactions. However, the majority of organizations continue to rely upon a manual process.

Related parties are treated as trading partners in SAP and are defined through IMG > Enterprise Structure > Definition > Financial Accounting > Define Company. Once configured, SAP will post documents such as invoices, payments, receipts and asset transfers between related parties to designated inter-company accounts. Inter-company clearing accounts should be identified using transaction OBYA. All such accounts should be reviewed against the relevant financial statement assertions.

Cash Management

Cash Management (CM) is a component of SAP TR (Treasury) that is used to monitor payment flows and safeguard liquidity. This component is used to perform bank reconciliations and should therefore be a crucial element of an SAP financial audit. Management should regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash transactions and ensure that bank deposits and payments are reflected in the relevant GL accounts. Note that FF67 can be used to import and process bank statements in SAP.

Changes to banking master data should be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness.

Also, access to critical CM transactions should be reviewed, including those listed in Table F, focusing on authorization objects F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA and F_PAYR_BUK with activity levels 01, 02, 06 and 17.

TRANSACTION      DESCRIPTION
FI12             Change House Banks/Bank Accounts
FI01             Change Master Record
FI02             Change Bank
FI06             Set Flag to Delete Bank
FF67             Manual Bank Statement
FF_5             Import Electronic Bank Statement
FEBA             Post-process Electronic Bank Statement
FLB2             Import Lockbox Data
FLB1             Post-processing Lockbox Data
F-28             Incoming Payments
FB05             Post Payment with Clearing
FRFT             Set Up Repetitive Wire
FI10             Parameters for Automatic Payment
FF/4             Import Electronic Check Deposit List
FFB4             Import Electronic Check Deposit List
FF/5             Post Electronic Check Deposit List
FFB5             Post Electronic Check Deposit List
FF68             Manual Check Deposit Transaction
FCHG             Reset Cashing/Extract Data
FF63             Create Planning Memo Record
FCHX             Check Extract Creation
FCHG             Delete Cashing/Extract Data

Table F: Cash Management Transactions
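The access reviews in this Guide (GL master data in Table B, journal entries in Table C, OB52/OBBP table maintenance, the asset accounting objects and the cash management objects above) all come down to one question: which roles grant a critical authorization object with a critical activity level. The Python script below is an added example, not code from the guide or from Layer Seven Security; it runs over a constructed extract in the shape of table AGR_1251 (role, authorization object, field, LOW, HIGH), and the role names and values are invented.

```python
"""Flag roles whose authorizations grant the critical FI activities named in
the guide. Input rows mirror table AGR_1251 (role, authorization object,
field, LOW, HIGH); the roles and values below are constructed sample data."""
from collections import defaultdict

# Critical object / activity combinations as listed in the guide's text.
CRITICAL = {
    "F_SKA1_KTP": {"01", "02", "05", "06"},  # GL master data, chart of accounts
    "F_SKA1_BUK": {"01", "02", "05", "06"},  # GL master data, company code
    "F_BKPF_BUK": {"01", "02", "06", "77"},  # journal entries, company code
    "F_BKPF_KOA": {"01", "02", "06", "77"},  # journal entries, account type
    "S_TABU_DIS": {"02"},                    # table maintenance (OB52, OBBP)
    "A_S_ANLKL":  {"01", "02", "06"},        # asset master data by asset class
    "F_BNKA_BUK": {"01", "02", "06", "17"},  # bank master data
}

# Constructed AGR_1251-style rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
SAMPLE_AGR_1251 = [
    ("Z_GL_DISPLAY",  "F_SKA1_BUK", "ACTVT", "03", ""),     # display only
    ("Z_GL_DISPLAY",  "F_SKA1_BUK", "BUKRS", "1000", ""),
    ("Z_GL_MAINTAIN", "F_SKA1_KTP", "ACTVT", "01", "06"),   # range 01-06
    ("Z_GL_MAINTAIN", "F_SKA1_KTP", "KTOPL", "INT", ""),
    ("Z_FI_POST",     "F_BKPF_BUK", "ACTVT", "*", ""),      # wildcard
    ("Z_FI_POST",     "F_BKPF_BUK", "BUKRS", "*", ""),
    ("Z_BASIS_TABLE", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_BASIS_TABLE", "S_TABU_DIS", "DICBERCLS", "FC31", ""),
    ("Z_BANK_ADMIN",  "F_BNKA_BUK", "ACTVT", "17", ""),
]

def actvt_granted(low, high):
    """Expand one ACTVT value or LOW-HIGH range into the activities it grants.
    '*' is returned as-is and treated as 'every activity' by the caller."""
    if low == "*":
        return {"*"}
    if high and low.isdigit() and high.isdigit() and int(high) > int(low):
        return {f"{n:02d}" for n in range(int(low), int(high) + 1)}
    return {low}

def critical_grants(rows):
    """Return {role: {object: sorted critical activities}} for every role whose
    ACTVT values on a critical object overlap that object's critical set."""
    granted = defaultdict(lambda: defaultdict(set))
    for role, obj, field, low, high in rows:
        if obj in CRITICAL and field == "ACTVT":
            granted[role][obj] |= actvt_granted(low, high)
    findings = {}
    for role, objs in granted.items():
        for obj, acts in objs.items():
            hit = CRITICAL[obj] if "*" in acts else acts & CRITICAL[obj]
            if hit:
                findings.setdefault(role, {})[obj] = sorted(hit)
    return findings

if __name__ == "__main__":
    for role, objs in critical_grants(SAMPLE_AGR_1251).items():
        for obj, acts in objs.items():
            print(f"{role}: {obj} grants critical ACTVT {', '.join(acts)}")
```

The check looks only at the ACTVT field; the organizational fields on the same object (BUKRS, KTOPL, DICBERCLS) narrow the scope of each finding and are the next thing to read for every role reported.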

Layer Seven Security

Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada

About Us

Layer Seven Security specializes in SAP security. We serve customers worldwide to protect information assets against internal and external threats and to comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing the risks associated with contemporary SAP systems.

Our consultants have an average of ten years of experience in the field of SAP security and proficiency in regulatory compliance, including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX.

The company is privately owned and headquartered in Toronto, Canada.


© Copyright Layer Seven Security 2011 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security.

Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.