SAP Basis Infrastructure Audit Program Excerpt


Basis Application Infrastructure - Audit Program for SAP R/3

Audit Description:
Audit Description: 46 tests designed to evaluate KEY risks based on best practices and the latest auditing standards. Detailed testing instructions, rather than generic descriptions of the tests to be performed. Where applicable, links to the test sheets for supporting evidence extracted from the system for further analysis. Step-by-step instructions aimed to enable anyone to execute the tests, regardless of their level of experience in the SAP environment.

Fiscal Year End:
Audit Period:
Sample Period:

The audit program addresses the following areas of IT General Controls (ITGC):
• Information Systems Operations
• Information Security
• System Change Control

Columns of the audit program:
Control Description
Control Type: Preventive / Detective
Control Nature: Manual / Automated
Control Risk: High / Medium / Low
Query/Test Step No
Testing Procedures: The testing guidance below has been designed to assist the reviewer in performing the tests of operating effectiveness of an entity's internal controls to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines and applicable laws and regulations.
Testing Ref.: Ref. to supporting evidence obtained during the test of control
Conclusion on Operating Effectiveness: Effective / Ineffective

Information Systems Operations

Control Objective IT1: Batch and on-line transactions are executed timely and accurately by authorized personnel. Only valid production programs are executed.

Risk: Transactions may not be recorded completely or accurately. If access to job scheduling and administration functions is not adequately controlled, inappropriate users may have
the ability to run jobs directly in the background, bypassing transaction level security in SAP, and could potentially run jobs they are not explicitly authorized to run.
IT1.01: Only authorized personnel have access to batch job and background session processing and administration functions in SAP R/3
  Control Type: Preventive | Control Nature: Automated | Control Risk: High | Test Step No: 4 | Testing Ref.: Tab 4

Users with S_BTCH_NAM authorization can schedule jobs under different user IDs and could potentially execute jobs they are not explicitly authorized to execute.

Perform the following procedures to verify which users have the ability to schedule jobs under different user IDs using transactions SM36 or SM37 and authorization object S_BTCH_NAM:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
SM36 (Define/Schedule Background Job) OR
SM37 (Job Overview/Job Maintenance)

AUTHORIZATION OBJECT 2:
• S_BTCH_JOB:
Function/Operation (JOBACTION): RELE (Release own jobs automatically)
Job Group (JOBGROUP): * (means ANY permitted job groups)

AUTHORIZATION OBJECT 3:
• S_BTCH_NAM:
Authorized user (BTCUNAME): * (means users can specify ANY names as an authorized user)
- Enter "*" in quotation marks (instead of a bare *, which matches any value) to produce a listing of only those users whose BTCUNAME is the literal full-authorization asterisk, i.e. users with access to run jobs under ALL names

Copyright © SOXMadeEasy.com. May not be reproduced or distributed. Page 1 of 9



Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate
for such users to have such access, based on their job responsibilities and established policies, procedures,
standards, and guidance. Compare the results of the test with the information obtained from the interviews with the
individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.

Information Security

Control Objective IT2: Logical security tools and techniques are appropriately implemented to ensure only appropriate individuals have access to the organization's information resources, in order to ensure complete, accurate, and valid processing or recording of financial information.

Risk: Control activities within the significant flows of transactions may be ineffective, desired segregation of duties may not be enforced, and significant information resources
may be modified inappropriately, disclosed without authorization, and/or become unavailable when needed.
IT2.02: Only authorized personnel have access to directly execute programs in Production.
  Control Type: Preventive | Control Nature: Automated | Control Risk: High | Test Step No: 16 | Testing Ref.: Tab 15

Access to execute ABAP programs in the production environment should be restricted. There are many powerful ABAP programs in the system which perform sensitive functions (e.g. deleting master data) yet do not incorporate any security checks. Users with access to execute ABAP programs in production are given the ability to run programs directly, bypassing transaction level security in SAP, and could potentially run programs or transactions they are not

Perform the following procedures to produce a listing of users with access to directly execute SAP R/3 programs online using transactions SA38, SE38, SE37, or SE80:

Execute transaction code SUIM


Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By
Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
SA38 (ABAP Reporting) OR
SE38 (ABAP Editor) OR
SE37 (ABAP Function Modules) OR
SE80 (Object Navigator)

AUTHORIZATION OBJECT 2:
• S_PROGRAM:
User action (P_ACTION): SUBMIT (means Start/Execute the program)
Auth. Group (P_GROUP): * (means SOME/ANY auth. groups that users are authorized to work with)
- Programs that are not assigned to an authorization group are not checked against S_PROGRAM at all, so any user who can reach SA38/SE38 can execute them regardless of P_GROUP; the listing therefore understates who can run unprotected programs, and the auditor should separately confirm that sensitive programs carry an authorization group

Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate
for such users to have such access, based on their job responsibilities and established policies, procedures,
standards, and guidance. Compare the results of the test with the information obtained from the interviews with the
individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.

00-046Copyright © SOXMadeEasy.com. May not be reproduced or distributed. Page 2 of 9


Detailed testing instructions,
KEY risks based on best sheets for supporting evidence
rather than generic descriptions
practices and the latest extracted from the system for
of the tests to be performed
auditing standards
003366Basis Application Infrastructure - Audit Program for SAP R/3 further analysis

Control Description Control Control Control Risk Query/ Test Testing Procedures: Testing Ref. Conclusion on
Type Nature High/ Step No The testing guidance below has been designed to assist the reviewer in performing the tests of operating Ref. to supporting Operating
Preventive/ Manual/ Medium/ effectiveness of an entity's internal controls to gain reasonable assurance that controls operate effectively in evidence obtained Effectiveness
Detective Automated Low accordance with established policies, procedures, and guidelines and applicable laws and regulations. during the test of Effective/
control Ineffective

IT2.06: Access to the SAP R/3 system is authorized by management and granted to valid employees based on users' job responsibilities.
  Control Type: Preventive | Control Nature: Manual | Control Risk: High | Test Step No: 25 | Testing Ref.: Tab 21

Access to the SAP R/3 system should be granted to valid employees based on users' job responsibilities. Access should be authorized and approved in writing by the relevant data or process owners. Perform the following procedures to produce a listing of new user IDs created in the SAP R/3 system during the period of intended reliance:

• Execute transaction code SUIM
Proceed to "User" -> "Users By Complex Selection Criteria" -> "By user ID"
OR
• Execute transaction code SE16
Input table USR02 and click on "Execute"
Enter 'From' and 'To' date in the 'ERDAT' (creation date of the user in the user master record) field
▫ The 'From' and 'To' fields should be defined based on the scope of the audit

Using attribute sampling guidelines, select an adequate sample of new user IDs created in SAP R/3 over the period of intended reliance, and examine documentary evidence (e.g., user access approval forms, etc.) indicating that access to SAP R/3 was appropriately approved before the user ID was created in the system. Document your sampling testing, test results, and conclusions in the Tab referenced in the "Testing Ref." Column.
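One way to build the Tab 21 population and the attribute sample offline from the SE16 download of USR02, as an added Python example that is not part of the SOXMadeEasy audit program. It assumes the extract carries the client (MANDT), user ID (BNAME), creation date (ERDAT) and creator (ANAME) columns, and that the written approvals have been keyed in from the access request forms; every row, name and date below is constructed. The sample size is whatever the sampling guidelines prescribe; the seed is recorded so a reviewer can re-perform the selection.

```python
# Added example (not part of the audit program): population, sample selection
# and approval-date check for test IT2.06 / Tab 21 from an SE16 download of USR02.
# Column names follow USR02 (MANDT, BNAME, ERDAT, ANAME); all rows are constructed.
import random
from datetime import date

USR02_EXTRACT = [   # (MANDT client, BNAME user ID, ERDAT creation date YYYYMMDD, ANAME created by)
    ("100", "JSMITH",  "20231105", "SECADM"),   # before the period: excluded
    ("100", "MLEE",    "20240108", "SECADM"),
    ("200", "MLEE",    "20240108", "SECADM"),   # same ID in another client is a separate record
    ("100", "RFC_FI",  "20240115", "BASIS1"),   # no approval on file
    ("100", "AKUMAR",  "20240220", "SECADM"),
    ("100", "BATCH01", "20240301", "BASIS1"),
    ("100", "TPEREZ",  "20240402", "SECADM"),   # after the period: excluded
]
# Approval evidence keyed in from the access request forms (constructed):
# (client, user) -> (approver, approved on YYYYMMDD)
APPROVALS = {("100", "MLEE"): ("FI process owner", "20240105"),
             ("200", "MLEE"): ("FI process owner", "20240105"),
             ("100", "AKUMAR"): ("HR process owner", "20240225"),   # dated after creation
             ("100", "BATCH01"): ("Basis manager", "20240301")}

def _ymd(s):
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))

def population(extract, period_from, period_to):
    """Tab 21 population: IDs whose ERDAT falls inside the period of intended reliance,
    in a fixed order so the sampling below is reproducible."""
    lo, hi = _ymd(period_from), _ymd(period_to)
    rows = [r for r in extract if lo <= _ymd(r[2]) <= hi]
    return sorted(rows, key=lambda r: (r[2], r[0], r[1]))

def select_sample(pop, size, seed):
    """Random attribute sample of the population. Record the seed in the workpaper so the
    selection can be re-performed; a population no larger than the sample is tested in full."""
    if size >= len(pop):
        return list(pop)
    return sorted(random.Random(seed).sample(pop, size), key=lambda r: (r[2], r[0], r[1]))

def approved_before_creation(created, approved):
    """Attribute tested on each sampled ID: written approval dated on or before the creation date."""
    return bool(approved) and _ymd(approved) <= _ymd(created)

def evaluate(sample, approvals):
    """Worksheet rows for the sampled IDs; an exception is a missing or late approval."""
    rows = []
    for client, user, created, creator in sample:
        approver, approved_on = approvals.get((client, user), ("", ""))
        rows.append({"client": client, "user": user, "created": created, "created_by": creator,
                     "approved_by": approver, "approved_on": approved_on,
                     "exception": not approved_before_creation(created, approved_on)})
    return rows

if __name__ == "__main__":
    pop = population(USR02_EXTRACT, "20240101", "20240331")
    for row in evaluate(select_sample(pop, size=3, seed=46), APPROVALS):
        print(row)
```

Selecting from the client-qualified record rather than from the bare user ID matters because the same ID created in two clients is two separate access grants, each needing its own approval.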

System Change Control

Control Objective IT4: Program and system changes are appropriately managed to minimize the likelihood of disruption, unauthorized alterations, and errors in order to ensure accurate, complete, and valid processing and recording of financial information. (Assertion: Completeness, Cut-off, Presentation, Recording, Validity, Valuation)

Risk: Inappropriate or unauthorized decisions to make changes to programs and systems can result in the system's inability to meet the entity's information processing needs, consequently processing and calculating data that is not complete, accurate, or valid.
IT4.02: Access to perform corrections and transports is restricted in all environments. Only authorized personnel have access to:
• The SAP Workbench Organizer
• The SAP Transport System
• Perform transports in SAP.
  Control Type: Preventive | Control Nature: Automated | Control Risk: High | Test Step No: 42 | Testing Ref.: Tab 31

The system uses the Correction and Transport Organizer object to test authorization to create or modify transport requests and tasks (corrections) and to use the correction and transport management functions. It is recommended that authorization to create transport requests and to execute transport requests should be restricted to leaders of development projects.

Perform the following procedures to generate a listing of users who have SAP R/3 user access to create and to execute transport requests using transactions SE01, SE09, or SE10:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"




AUTHORIZATION OBJECT 1:
• S_TCODE:
SE01 (Transport Organizer) OR
SE09 (Workbench/Transport Organizer) OR
SE10 (Transport Organizer)

AUTHORIZATION OBJECT 2:
• S_DATASET:
Activity (ACTVT): * (means SOME/ANY of the permitted activities below)
- 33: Normal file read
- 34: Normal file write or deletion
- A6: Read file with filter (operating system command)
- A7: Write to a file with filter (operating system command)
ABAP/4 program name (PROGRAM): * (means SOME/ANY ABAP/4 programs)
File name (FILENAME): * (means SOME/ANY operating system files)

AUTHORIZATION OBJECT 3:
• S_TRANSPRT:
Activity (ACTVT): 01 (Create) OR 02 (Change) OR 06 (Delete) OR 43 (Release)
Additional activities that may be of interest to auditors:
- 23 (Maintain)
- 65 (Reorganize)
- 78 (Assign)
- 90 (Copy)
Request type (TTYPE): * (means SOME/ANY of the permitted request types below)
Request types (Change and Transport System):
- CLCP: Client transports
- CUST: Customizing requests
- DLOC: Local change requests
- DTRA: Transportable change requests
- MOVE: Relocation transports (all three types)
- PATC: Advance corrections and deliveries
- PIEC: Object lists
- TASK: Tasks (repair or correction)
- TRAN: Transports of copies

Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is appropriate
for such users to have such access, based on their job responsibilities and established policies, procedures,
standards, and guidance. Compare the results of the test with the information obtained from the interviews with the
individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
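The three SUIM queries in this excerpt (IT1.01 for Tab 4, IT2.02 for Tab 15 and IT4.02 for Tab 31) can be re-performed offline against table extracts, which is useful when the auditor only receives downloads rather than SUIM access, or wants the worksheet exclusions applied the same way to every tab. The Python below is an added example, not part of the SOXMadeEasy audit program. It assumes extracts of AGR_1251 (authorization values per role), AGR_USERS (role assignments) and USR02 (user master); every role, user and value is constructed. The test specifications encode only the objects and values on the page, and the bare * versus quoted "*" distinction from the S_BTCH_NAM step becomes ANY versus FULL. Two caveats a practitioner should keep in mind: the example deliberately ignores profiles assigned to users directly outside roles (which SUIM does include), and it evaluates all fields of an object within a single authorization instance, as the SAP runtime does, rather than pooling values across authorizations.

```python
# Added example (not part of the audit program): re-perform the SUIM "Users by
# Authorization Values" queries of tests IT1.01, IT2.02 and IT4.02 against table
# extracts, then apply the worksheet exclusions. Names follow AGR_1251, AGR_USERS
# and USR02; every row below is constructed sample data.
from collections import defaultdict

ANY = object()   # bare * in SUIM: any value accepted (the field must still be present)
FULL = object()  # quoted "*" in SUIM: only the literal full-authorization asterisk
AS_OF = "20240331"  # period-end date for the validity check (constructed)

# AGR_1251: (role, authorization instance, object, field, LOW, HIGH)
AGR_1251 = [
    ("Z_BATCH_ADMIN", "T-0001", "S_TCODE",    "TCD",       "SM36",   ""),
    ("Z_BATCH_ADMIN", "T-0001", "S_TCODE",    "TCD",       "SM37",   ""),
    ("Z_BATCH_ADMIN", "T-0002", "S_BTCH_JOB", "JOBACTION", "RELE",   ""),
    ("Z_BATCH_ADMIN", "T-0002", "S_BTCH_JOB", "JOBGROUP",  "*",      ""),
    ("Z_BATCH_ADMIN", "T-0003", "S_BTCH_NAM", "BTCUNAME",  "*",      ""),    # any user name
    ("Z_BATCH_OWN",   "T-0004", "S_TCODE",    "TCD",       "SM36",   ""),
    ("Z_BATCH_OWN",   "T-0005", "S_BTCH_JOB", "JOBACTION", "RELE",   ""),
    ("Z_BATCH_OWN",   "T-0005", "S_BTCH_JOB", "JOBGROUP",  "*",      ""),
    ("Z_BATCH_OWN",   "T-0006", "S_BTCH_NAM", "BTCUNAME",  "WF_*",   ""),    # pattern, not full
    ("Z_DEVELOPER",   "T-0007", "S_TCODE",    "TCD",       "SE38",   ""),
    ("Z_DEVELOPER",   "T-0007", "S_TCODE",    "TCD",       "SE09",   ""),
    ("Z_DEVELOPER",   "T-0008", "S_PROGRAM",  "P_ACTION",  "SUBMIT", ""),
    ("Z_DEVELOPER",   "T-0008", "S_PROGRAM",  "P_GROUP",   "*",      ""),
    ("Z_DEVELOPER",   "T-0009", "S_DATASET",  "ACTVT",     "33",     "34"),  # interval LOW..HIGH
    ("Z_DEVELOPER",   "T-0009", "S_DATASET",  "PROGRAM",   "*",      ""),
    ("Z_DEVELOPER",   "T-0009", "S_DATASET",  "FILENAME",  "*",      ""),
    ("Z_DEVELOPER",   "T-0010", "S_TRANSPRT", "ACTVT",     "01",     "02"),
    ("Z_DEVELOPER",   "T-0010", "S_TRANSPRT", "TTYPE",     "*",      ""),
    ("Z_DEV_READONLY","T-0011", "S_TCODE",    "TCD",       "SE80",   ""),
    ("Z_DEV_READONLY","T-0012", "S_PROGRAM",  "P_ACTION",  "EDIT",   ""),    # no SUBMIT
    ("Z_DEV_READONLY","T-0012", "S_PROGRAM",  "P_GROUP",   "*",      ""),
]
AGR_USERS = [("Z_BATCH_ADMIN", "BATCHADM"), ("Z_BATCH_ADMIN", "RFC_BATCH"),   # (role, user)
             ("Z_BATCH_ADMIN", "TEMPLOCK"), ("Z_BATCH_OWN", "WFADMIN"), ("Z_DEVELOPER", "DEV01"),
             ("Z_DEVELOPER", "OLDDEV"), ("Z_DEVELOPER", "LOCKEDDEV"), ("Z_DEV_READONLY", "DEV02")]
# USR02: (BNAME, UFLAG lock status, GLTGB valid-through YYYYMMDD, USTYP user type)
USR02 = [("BATCHADM", "0", "", "A"), ("WFADMIN", "", "", "A"), ("DEV01", "0", "20241231", "A"),
         ("DEV02", "0", "", "A"), ("OLDDEV", "0", "20231231", "A"),   # OLDDEV: past validity date
         ("LOCKEDDEV", "64", "", "A"), ("RFC_BATCH", "0", "", "C"),   # admin lock; communication user
         ("TEMPLOCK", "128", "", "A")]                               # temporary lock: keep

# The page's test specifications: every object must be met (AND); within a field any one listed value suffices (OR).
TEST_IT1_01 = {"S_TCODE": {"TCD": {"SM36", "SM37"}},
               "S_BTCH_JOB": {"JOBACTION": {"RELE"}, "JOBGROUP": ANY},
               "S_BTCH_NAM": {"BTCUNAME": FULL}}
TEST_IT2_02 = {"S_TCODE": {"TCD": {"SA38", "SE38", "SE37", "SE80"}},
               "S_PROGRAM": {"P_ACTION": {"SUBMIT"}, "P_GROUP": ANY}}
TEST_IT4_02 = {"S_TCODE": {"TCD": {"SE01", "SE09", "SE10"}},
               "S_DATASET": {"ACTVT": {"33", "34", "A6", "A7"}, "PROGRAM": ANY, "FILENAME": ANY},
               "S_TRANSPRT": {"ACTVT": {"01", "02", "06", "43"}, "TTYPE": ANY}}

def _value_ok(low, high, want):
    """One stored value (single, LOW..HIGH interval or trailing-* pattern) against the request."""
    if want is ANY:
        return True
    if want is FULL:
        return low == "*" and not high
    for w in want:
        if high:
            if low <= w <= high:
                return True
        elif low == "*" or low == w or (low.endswith("*") and w.startswith(low[:-1])):
            return True
    return False

def _auth_ok(fields, spec):
    """All requested fields must be met inside ONE authorization instance, as the SAP
    runtime checks them; values from two authorizations of the same object do not combine."""
    return all(any(_value_ok(lo, hi, want) for lo, hi in fields.get(f, []))
               for f, want in spec.items())

def users_with_authorizations(agr_1251, agr_users, test_spec):
    """User IDs whose roles satisfy every object of the test (the raw SUIM hit list)."""
    auths = defaultdict(lambda: defaultdict(list))  # (role, object, auth) -> field -> [(LOW, HIGH)]
    for role, auth, obj, field, low, high in agr_1251:
        auths[(role, obj, auth)][field].append((low, high))
    roles_of = defaultdict(set)
    for role, uname in agr_users:
        roles_of[uname].add(role)
    return {uname for uname, roles in roles_of.items()
            if all(any(_auth_ok(fields, spec) for (r, o, _), fields in auths.items()
                       if o == obj and r in roles)
                   for obj, spec in test_spec.items())}

def worksheet_population(user_ids, usr02, as_of):
    """Worksheet exclusions: locked IDs (except temporary lock 128), IDs past their
    validity date, and technical user types B (System) and C (Communication)."""
    keep = [b for b, uflag, gltgb, ustyp in usr02
            if b in user_ids and uflag in ("", "0", "128")
            and not (gltgb and gltgb < as_of) and ustyp not in ("B", "C")]
    return sorted(keep)

if __name__ == "__main__":
    for tab, spec in (("Tab 4", TEST_IT1_01), ("Tab 15", TEST_IT2_02), ("Tab 31", TEST_IT4_02)):
        raw = users_with_authorizations(AGR_1251, AGR_USERS, spec)
        print(tab, sorted(raw), "-> after exclusions:", worksheet_population(raw, USR02, AS_OF))
```

Running the S_BTCH_NAM test with `ANY` in place of `FULL` reproduces the bare-* SUIM query and additionally returns the user whose BTCUNAME is the pattern `WF_*`; the quoted-"*" query (FULL) returns only the users who can run jobs under ALL names, which is the population Tab 4 asks for.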




Please refer to https://soxmadeeasy.com for more information.



Supporting Evidence - Tab 4

Users with access to schedule jobs under different user IDs using transactions SM36 or SM37:
Count | User ID | User Name | Locked? (Yes/No) | Valid From | Valid Through | User Type | Access Appropriate as per the Job Responsibilities? (Yes/No) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Locked?: exclude locked users. Lock status 0 or blank = unlocked; 128 = temporary lock, do not filter out
*Valid Through: exclude IDs that are past their validity date (no access)
*User Type: exclude B (System) and C (Communication) IDs (no end user access)

1
2
3
4

5

Total 0 0 0



Supporting Evidence - Tab 15

Users with access to directly execute SAP R/3 programs online using transaction SA38, SE38, SE37, or SE80:

Count | User ID | User Name | Locked? (Yes/No) | Valid From | Valid Through | User Type | Access Appropriate as per the Job Responsibilities? (Yes/No) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Locked?: exclude locked users. Lock status 0 or blank = unlocked; 128 = temporary lock, do not filter out
*Valid Through: exclude IDs that are past their validity date (no access)
*User Type: exclude B (System) and C (Communication) IDs (no end user access)

1
2
3
4
5

Total 0 0 0



Supporting Evidence - Tab 21

Listing of user IDs created in SAP R/3 between [date] and [date]:
Count | SAP Client | SAP User ID | User Name | Created On (Date) | Selected For Testing? (Yes/No) | Access to SAP Approved? (Yes/No) | Approved By (Name, Title) | Approved On (Date) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Exclude IDs created before or after the period of intended reliance
*Complete the columns from "Access to SAP Approved?" onwards only for SAP User IDs selected for testing in Column "F"; N/A for remaining IDs

1
2
3

4
5

Total 0 0 0 0



Supporting Evidence - Tab 31

Users with access to create and to execute transport requests using transactions SE01, SE09, or SE10:

Count | User ID | User Name | Locked? (Yes/No) | Valid From | Valid Through | User Type | Access Appropriate as per the Job Responsibilities? (Yes/No) | Exceptions Noted? (Yes/No) | Comments/ Exception Detail
*Insert additional rows as needed
*Locked?: exclude locked users. Lock status 0 or blank = unlocked; 128 = temporary lock, do not filter out
*Valid Through: exclude IDs that are past their validity date (no access)
*User Type: exclude B (System) and C (Communication) IDs (no end user access)

1
2
3
4
5

Total 0 0 0

