SAP Basis Infrastructure Audit Program Excerpt
Audit Description: 46 tests designed to evaluate KEY risks based on best practices and the latest auditing standards
Fiscal Year End:
Audit Period:
Sample Period:
- Detailed testing instructions, rather than generic descriptions of the tests to be performed
- Where applicable, links to the test sheets for supporting evidence extracted from the system for further analysis
- Step-by-step instructions aimed to enable anyone to execute the tests, regardless of their level of experience in the SAP environment
The audit program addresses the following areas of IT General Controls (ITGC):
• Information Systems Operations
• Information Security
• System Change Control
Control Objective IT1: Batch and on-line transactions are executed timely and accurately by authorized personnel. Only valid production programs are executed.
Risk: Transactions may not be recorded completely or accurately. If access to job scheduling and administration functions is not adequately controlled, inappropriate users may have the ability to run jobs directly in the background, bypassing transaction level security in SAP, and could potentially run jobs they are not explicitly authorized to run.
IT1.01: Only authorized personnel have access to batch job and background session processing and administration functions in SAP R/3
Control Type: Preventive | Control Nature: Automated | Control Risk: High | Query/Step No: 4 | Testing Ref.: Tab 4
Users with S_BTCH_NAM authorization can schedule jobs under different user IDs and could potentially execute jobs they are not explicitly authorized to execute.
Perform the following procedures to verify which users have the ability to schedule jobs under different user IDs using transactions SM36 or SM37 and authorization object S_BTCH_NAM:
Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"
AUTHORIZATION OBJECT 1:
• S_TCODE:
SM36 (Define/Schedule Background Job) OR
SM37 (Job Overview/Job Maintenance)
AUTHORIZATION OBJECT 2:
• S_BTCH_JOB:
Function/Operation (JOBACTION): RELE (Release own jobs automatically)
Job Group (JOBGROUP): * (means ANY permitted job groups)
AUTHORIZATION OBJECT 3:
• S_BTCH_NAM:
Authorized user (BTCUNAME): * (means users can specify ANY names as an authorized user)
- Use "*" (instead of a *) to produce a listing of users with access to run jobs under ALL names
Control table columns: Control Description | Control Type (Preventive/Detective) | Control Nature (Manual/Automated) | Control Risk (High/Medium/Low) | Query/Step No | Testing Procedures | Testing Ref. (Ref. to supporting evidence obtained during the test of control) | Conclusion on Operating Effectiveness (Effective/Ineffective)
Testing Procedures: The testing guidance below has been designed to assist the reviewer in performing the tests of operating effectiveness of an entity's internal controls to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines and applicable laws and regulations.
Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate
for such users to have such access, based on their job responsibilities and established policies, procedures,
standards, and guidance. Compare the results of the test with the information obtained from the interviews with the
individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
Information Security
Control Objective IT2: Logical security tools and techniques are appropriately implemented to ensure only appropriate individuals have access to the organization’s information resources, to ensure complete, accurate, and valid processing or recording of financial information.
Risk: Control activities within the significant flows of transactions may be ineffective, desired segregation of duties may not be enforced, and significant information resources
may be modified inappropriately, disclosed without authorization, and/or become unavailable when needed.
IT2.02: Only authorized personnel have access to directly execute programs in Production.
Control Type: Preventive | Control Nature: Automated | Control Risk: High | Query/Step No: 16 | Testing Ref.: Tab 15
Access to execute ABAP programs in the production environment should be restricted. There are many powerful ABAP programs in the system which perform sensitive functions (e.g. deleting master data) yet do not incorporate any security checks. Users with access to execute ABAP programs in production are given the ability to run programs directly, bypassing transaction level security in SAP, and could potentially run programs or transactions they are not
Perform the following procedures to produce a listing of users with access to directly execute SAP R/3 programs online using transactions SA38, SE38, SE37, or SE80:
AUTHORIZATION OBJECT 1:
• S_TCODE:
SA38 (ABAP Reporting) OR
SE38 (ABAP Editor) OR
SE37 (ABAP Function Modules) OR
SE80 (Object Navigator)
AUTHORIZATION OBJECT 2:
• S_PROGRAM:
User action (P_ACTION): SUBMIT (means Start/Execute the program)
Auth. Group (P_GROUP): * (means SOME/ANY auth. groups that users are authorized to work with)
- Programs not assigned to an auth. group can be maintained by any user with SUBMIT in P_ACTION
Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate
for such users to have such access, based on their job responsibilities and established policies, procedures,
standards, and guidance. Compare the results of the test with the information obtained from the interviews with the
individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
IT2.06: Access to the SAP R/3 system is authorized by management and granted to valid employees based on users’ job responsibilities.
Control Type: Preventive | Control Nature: Manual | Control Risk: High | Query/Step No: 25 | Testing Ref.: Tab 21
Access to the SAP R/3 system should be granted to valid employees based on users’ job responsibilities. Access should be authorized and approved in writing by the relevant data or process owners. Perform the following procedures to produce a listing of new user IDs created in the SAP R/3 system during the period of intended reliance:
Using attribute sampling guidelines, select an adequate sample of new user IDs created in SAP R/3 over the period of intended reliance, and examine documentary evidence (e.g., user access approval forms, etc.) indicating that access to SAP R/3 was appropriately approved before the user ID was created in the system. Document your sampling testing, test results, and conclusions in the Tab referenced in the "Testing Ref." Column.
Control Objective IT4: Programs and systems changes are appropriately managed to minimize the likelihood of disruption, unauthorized alterations, and errors in order to
ensure accurate, complete, and valid processing and recording of financial information. (Assertion: Completeness, Cut-off, Presentation, Recording, Validity, Valuation)
Risk: Inappropriate or unauthorized decisions to make changes to programs and systems can result in the system's inability to meet the entity's information processing needs, consequently processing and calculating data that is not complete, accurate, or valid.
IT4.02: Access to perform corrections and transports is restricted in all environments. Only authorized personnel have access to:
• The SAP Workbench Organizer
• The SAP Transport System
• Perform transports in SAP.
Control Type: Preventive | Control Nature: Automated | Control Risk: High | Query/Step No: 42 | Testing Ref.: Tab 31
The system uses the Correction and Transport Organizer object to test authorization to create or modify transport requests and tasks (corrections) and to use the correction and transport management functions. It is recommended that authorization to create transport requests and to execute transport requests should be restricted to leaders of development projects.
Perform the following procedures to generate a listing of users who have SAP R/3 user access to create and to execute transport requests using transactions SE01, SE09, or SE10:
AUTHORIZATION OBJECT 1:
• S_TCODE:
SE01 (Transport Organizer) OR
SE09 (Workbench/Transport Organizer) OR
SE10 (Transport Organizer)
AUTHORIZATION OBJECT 2:
• S_DATASET:
Activity (ACTVT): * (means SOME/ANY of the permitted activities below)
- 33: Normal file read
- 34: Normal file write or deletion
- A6: Read file with filter (operating system command)
- A7: Write to a file with filter (operating system command)
ABAP/4 program name (PROGRAM): * (means SOME/ANY ABAP/4 programs)
File name (FILENAME): * (means SOME/ANY operating system files)
AUTHORIZATION OBJECT 3:
• S_TRANSPRT:
Activity (ACTVT): 01 (Create) OR 02 (Change) OR 06 (Delete) OR 43 (Release)
Additional activities that may be of interest to auditors:
- 23 (Maintain)
- 65 (Reorganize)
- 78 (Assign)
- 90 (Copy)
Request type (TTYPE): * (means SOME/ANY of the permitted request types below)
Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate
for such users to have such access, based on their job responsibilities and established policies, procedures,
standards, and guidance. Compare the results of the test with the information obtained from the interviews with the
individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
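The three authorization-object tests in this excerpt (IT1.01, IT2.02 and IT4.02) and the Tab-sheet exclusions (locked users, IDs past their validity date, D/C user types) can be applied mechanically to an exported user list before the reviewer assesses each hit. The following is an added example, not part of the audit program; the per-user record layout (uflag, valid_through, type, and a list of (object, field, value) authorizations) is an assumption, and the sample records are constructed.

```python
from datetime import date
from fnmatch import fnmatchcase

# Per test (from the audit program above): (object, field, accepted values); a user
# qualifies when every requirement is met by one of their authorization values.
TESTS = {
    "IT1.01": [("S_TCODE", "TCD", {"SM36", "SM37"}),
               ("S_BTCH_JOB", "JOBACTION", {"RELE"}),
               ("S_BTCH_NAM", "BTCUNAME", {"*"})],  # literal "*" = ANY user name
    "IT2.02": [("S_TCODE", "TCD", {"SA38", "SE38", "SE37", "SE80"}),
               ("S_PROGRAM", "P_ACTION", {"SUBMIT"})],
    "IT4.02": [("S_TCODE", "TCD", {"SE01", "SE09", "SE10"}),
               ("S_TRANSPRT", "ACTVT", {"01", "02", "06", "43"})],
}

def has_auth(auths, obj, field, accepted):
    # The user's value is the pattern ("SM3*" grants SM36; fnmatch approximates
    # SAP's trailing-* wildcard); only a literal "*" satisfies the {"*"} criterion.
    return any(o == obj and f == field and any(fnmatchcase(t, v) for t in accepted)
               for o, f, v in auths)

def in_scope(user, as_of):
    # Tab-sheet exclusions: locked users (0/blank unlocked, 128 temporary lock is
    # kept), IDs past their validity date, and the D/C user types the sheet lists.
    if user["uflag"] not in (None, "", 0, 128):
        return False
    if user["valid_through"] and user["valid_through"] < as_of:
        return False
    return user["type"] not in ("D", "C")

def screen(users, as_of):
    """Return {test: [user ids]} of in-scope users meeting each test's criteria."""
    hits = {t: [] for t in TESTS}
    for u in users:
        if in_scope(u, as_of):
            for test, reqs in TESTS.items():
                if all(has_auth(u["auths"], o, f, a) for o, f, a in reqs):
                    hits[test].append(u["id"])
    return hits

SAMPLE_USERS = [  # constructed records; the layout is an assumption, not a SUIM format
    {"id": "BATCHADM", "uflag": 0, "valid_through": None, "type": "A", "auths": [
        ("S_TCODE", "TCD", "SM3*"), ("S_BTCH_JOB", "JOBACTION", "RELE"),
        ("S_BTCH_NAM", "BTCUNAME", "*")]},
    {"id": "DEVLEAD", "uflag": 128, "valid_through": date(2099, 12, 31), "type": "A",
     "auths": [("S_TCODE", "TCD", "SE10"), ("S_TRANSPRT", "ACTVT", "43"),
               ("S_TCODE", "TCD", "SE38"), ("S_PROGRAM", "P_ACTION", "SUBMIT")]},
    {"id": "RFCBOT", "uflag": 0, "valid_through": None, "type": "C",
     "auths": [("S_TCODE", "TCD", "SA38"), ("S_PROGRAM", "P_ACTION", "SUBMIT")]},
]
```

Every user id returned by screen() still needs the reviewer's judgement on job responsibilities and the interview comparison the program calls for; the script only narrows the population.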
Users with access to schedule jobs under different user IDs using transactions SM36 or SM37:
Columns: Count | User ID | User Name | Locked? (Yes/No) | Valid From | Valid Through | User Type | Access Appropriate as per the Job Responsibilities? (Yes/No) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Locked?: Exclude locked users. Lock values: 0 = unlocked; Blank = unlocked; 128 = temporary lock, do not filter out
*Valid Through: Exclude IDs that are past their validity date (no access)
*User Type: Exclude D (System) IDs and C (Communication) IDs (no end user access)
Rows 1-5 (blank)
Total 0 0 0
Users with access to directly execute SAP R/3 programs online using transaction SA38, SE38, SE37, or SE80:
Columns: Count | User ID | User Name | Locked? (Yes/No) | Valid From | Valid Through | User Type | Access Appropriate as per the Job Responsibilities? (Yes/No) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Locked?: Exclude locked users. Lock values: 0 = unlocked; Blank = unlocked; 128 = temporary lock, do not filter out
*Valid Through: Exclude IDs that are past their validity date (no access)
*User Type: Exclude D (System) IDs and C (Communication) IDs (no end user access)
Rows 1-5 (blank)
Total 0 0 0
Listing of user IDs created in SAP R/3 between [date] and [date]:
Columns: Count | SAP Client | SAP User ID | User Name | Created On (Date) | Selected For Testing? (Yes/No) | Access to SAP Approved? (Yes/No) | Approved By (Name, Title) | Approved On (Date) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Created On: Exclude IDs created before or after the period of intended reliance
*Approval columns: Complete for SAP User IDs selected for testing in Column "F". N/A for remaining IDs.
Rows 1-5 (blank)
Total 0 0 0 0
Users with access to create and to execute transport requests using transactions SE01, SE09, or SE10:
Columns: Count | User ID | User Name | Locked? (Yes/No) | Valid From | Valid Through | User Type | Access Appropriate as per the Job Responsibilities? (Yes/No) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Locked?: Exclude locked users. Lock values: 0 = unlocked; Blank = unlocked; 128 = temporary lock, do not filter out
*Valid Through: Exclude IDs that are past their validity date (no access)
*User Type: Exclude D (System) IDs and C (Communication) IDs (no end user access)
Rows 1-5 (blank)
Total 0 0 0