
Company (Name):
Fiscal Year End (Date):
Tested on (Date) / tested by (Name):
Tested in (System):

Audit Program contains 46 Queries covering all critical configuration settings, transaction codes and authorization objects relevant to the Basis Security in SAP R/3. Please scroll down for detailed overview of controls covered.

Audit Program contains detailed audit procedures, a step-by-step guidance on how to obtain information from the system in support of individual control activities.

Links to the supporting test sheets are included where everything has been conveniently pre-documented with fill-in fields for the data obtained as part of the testing procedures for further analysis.

Basis Security - Audit Program for SAP R/3 - PREVIEW


Columns of the audit program:
• Control Activity
• Control Activity Type (Preventive/Detective)
• Control Nature (Manual/Automated)
• IT Nature (IT Dependent/Non IT-Dependent)
• Control Rating (High/Medium/Low)
• Query/Testing Procedure No
• Testing Procedures: For each control activity selected for testing, auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.
• Testing Reference (Reference to supporting evidence considered pertinent)
• Conclusion (Effective/Ineffective)

Information Systems Operations

Control Objective IT1: Batch and on-line transactions are executed timely and accurately by authorized personnel. Only valid production programs are executed.
[Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: Typically, computer processing occurs either based on submission of a “batch job” or based on input of an on-line transaction by a user. Both on-line transactions and batch jobs cause application system
programs to be executed. If such programs terminate abnormally or necessary for on-line transactions or batch jobs are not executed, the transaction may not be recorded completely or accurately. If access to job scheduling and
administration functions is not adequately controlled, inappropriate users may have the ability to run jobs directly in the background, bypassing transaction level security in SAP, and could potentially run jobs they are not explicitly
authorized to run.

IT1.01: Only authorized personnel have access to:
• Batch job and background session processing and administration functions in SAP R/3
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query/Testing Procedure No: 4 | Testing Reference: Tab 4

[Audit Program covers ALL KEY configuration settings and sensitive basis transactions]

The S_BTCH_NAM authorization object is important because it determines the authorized user names that a user can choose from when scheduling a background job. This means that users with S_BTCH_NAM authorization can schedule jobs under different user IDs, which in effect allows users with S_BTCH_NAM to potentially run jobs they are not explicitly authorized to run.

Perform the following procedures to verify which users have the ability to schedule jobs under different user IDs using transactions SM36 or SM37 and authorization object S_BTCH_NAM:

• Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
SM36 (Define/Schedule Background Job) OR
SM37 (Job Overview/Job Maintenance)

AUTHORIZATION OBJECT 2:
• S_BTCH_JOB:
Function/Operation (JOBACTION): RELE (Release own jobs automatically)
Job Group (JOBGROUP): * (means ANY/SOME permitted job groups)

AUTHORIZATION OBJECT 3:
• S_BTCH_NAM:
Authorized user (BTCUNAME): * (means users can specify SOME/ANY names as an authorized user)
- Use "*" (instead of a *) to produce a listing of users with access to run jobs under ALL names

30328382.xls Page 1 of 10

Export results to the Tab referenced in the "Testing Ref." Column for further analysis. Assess whether it is
appropriate for such users to have such access, based on their job responsibilities and established policies,
procedures, standards, and guidance. Compare the results of the test with the information obtained from the
interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your
conclusions.
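The three-object query above (S_TCODE SM36/SM37, S_BTCH_JOB RELE, S_BTCH_NAM BTCUNAME) can be re-run offline against an export of the authorization values each user holds, which is useful when the SUIM results need to be re-checked or the "*" versus "\*" distinction from the last step has to be explained to a reviewer. The script below is an added example, not part of the audit program; the user IDs and rows are constructed, and the value-matching rule (full wildcard, trailing-asterisk prefix, otherwise exact) is a simplification of SAP's authorization check that is stated as an assumption in the code.

```python
from collections import defaultdict

# Constructed sample rows (user ID, authorization object, field, value), shaped
# like an export of the authorization values each user holds. All names are
# hypothetical.
SAMPLE_AUTHS = [
    ("BATCHADM", "S_TCODE", "TCD", "SM36"),
    ("BATCHADM", "S_BTCH_JOB", "JOBACTION", "RELE"),
    ("BATCHADM", "S_BTCH_JOB", "JOBGROUP", "*"),
    ("BATCHADM", "S_BTCH_NAM", "BTCUNAME", "*"),        # full wildcard: ALL names
    ("FIUSER01", "S_TCODE", "TCD", "SM3*"),             # prefix wildcard covers SM36/SM37
    ("FIUSER01", "S_BTCH_JOB", "JOBACTION", "RELE"),
    ("FIUSER01", "S_BTCH_JOB", "JOBGROUP", "FI*"),
    ("FIUSER01", "S_BTCH_NAM", "BTCUNAME", "WF_BATCH"), # one specific name: SOME names
    ("DEVUSER02", "S_TCODE", "TCD", "SM37"),
    ("DEVUSER02", "S_BTCH_JOB", "JOBACTION", "SHOW"),   # no RELE: cannot release jobs
    ("DEVUSER02", "S_BTCH_NAM", "BTCUNAME", "*"),
    ("REPORTER", "S_TCODE", "TCD", "SM37"),
    ("REPORTER", "S_BTCH_JOB", "JOBACTION", "RELE"),
    ("REPORTER", "S_BTCH_JOB", "JOBGROUP", "*"),        # no S_BTCH_NAM at all
]


def value_matches(auth_value, required):
    """Simplified SAP authorization value matching (assumption): '*' matches
    everything, a trailing '*' is a prefix wildcard, anything else is exact."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return required.startswith(auth_value[:-1])
    return auth_value == required


def index_by_user(rows):
    """Group values as user -> (object, field) -> set of values."""
    idx = defaultdict(lambda: defaultdict(set))
    for user, obj, field, value in rows:
        idx[user][(obj, field)].add(value)
    return idx


def has_value(values, required):
    return any(value_matches(v, required) for v in values)


def schedule_under_other_ids(rows):
    """Return {user: 'ALL' | 'SOME'} for users holding all three authorizations
    of the IT1.01 query: S_TCODE SM36 or SM37, S_BTCH_JOB JOBACTION RELE, and
    any S_BTCH_NAM BTCUNAME value. JOBGROUP is not restricted, matching the
    query's '*' (any/some job group). 'ALL' means BTCUNAME is the full wildcard
    (the quoted "*" variant of the query); 'SOME' means a narrower value."""
    result = {}
    for user, auths in index_by_user(rows).items():
        tcodes = auths.get(("S_TCODE", "TCD"), set())
        if not (has_value(tcodes, "SM36") or has_value(tcodes, "SM37")):
            continue
        if not has_value(auths.get(("S_BTCH_JOB", "JOBACTION"), set()), "RELE"):
            continue
        names = auths.get(("S_BTCH_NAM", "BTCUNAME"), set())
        if not names:
            continue
        result[user] = "ALL" if "*" in names else "SOME"
    return dict(sorted(result.items()))


if __name__ == "__main__":
    for user, scope in schedule_under_other_ids(SAMPLE_AUTHS).items():
        print(f"{user}: can schedule jobs under {scope} other user IDs")
```

With the constructed rows, BATCHADM is reported with scope ALL and FIUSER01 with scope SOME; DEVUSER02 drops out because it lacks RELE and REPORTER because it has no S_BTCH_NAM value, which is exactly the separation the two SUIM runs (unquoted * and quoted "*") produce.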

[...]

Information Security

Control Objective IT2: Logical security tools are adequately configured and logical security techniques are implemented to ensure only appropriate individuals have access to organization’s information resources and to safeguard
against unauthorized access to or modifications of programs and data, that may result in incomplete, inaccurate, or invalid processing or recording of financial information.
[Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: If logical security tools and techniques are not implemented and configured appropriately, control activities within the significant flows of transactions may be ineffective, desired segregation of duties may
not be enforced, and significant information resources may be modified inappropriately, disclosed without authorization, and/or become unavailable when needed (e.g., they may be deleted without authorization).

[...]
IT2.06: Access to the SAP R/3 system is authorized by management and granted to valid employees based on users' job responsibilities.
Control Activity Type: Preventive | Control Nature: Manual | IT Nature: IT Dependent | Control Rating: High | Query/Testing Procedure No: 25 | Testing Reference: Tab 21

Access to the SAP R/3 system should be granted to valid employees based on users' job responsibilities. Access should be authorized and approved in writing by the relevant data or process owners. Perform the following procedures to produce a listing of new user IDs created in the SAP R/3 system during the period of intended reliance:

• Execute transaction code SUIM
Proceed to "User" -> "Users By Complex Selection Criteria" -> "By user ID"
OR
• Execute transaction code SE16
Input table USR02 and click on "Execute"
Enter 'From' and 'To' date in the 'ERDAT' (creation date of the user in the user master record) field
- The 'From' and 'To' fields should be defined based on the scope of the audit

Using attribute sampling guidelines, select an adequate sample of new user IDs created in SAP R/3 over the
period of intended reliance, and examine documentary evidence (e.g., user access approval forms, etc.) indicating
that access to SAP R/3 was appropriately approved before user ID was created in the system. Document your
sampling testing, test results, and conclusions in the Tab referenced in the "Testing Ref." Column.
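The SE16 step above yields a USR02 extract; the work that follows (keeping only IDs created inside the period, drawing a reproducible sample, and pre-filling Tab 21) is mechanical and benefits from being scripted so a reviewer can re-derive the same sample. The code below is an added example and not part of the audit program. It assumes a semicolon-separated SE16 export with the USR02 field names BNAME, ERDAT (YYYYMMDD), ERNAM, USTYP and MANDT; the user IDs, dates and seed are constructed.

```python
import csv
import io
import random
from datetime import date

# Constructed USR02-style export as SE16 might produce when saved as a
# semicolon-separated file. Field names follow USR02 (assumption): BNAME = user
# ID, ERDAT = creation date as YYYYMMDD, ERNAM = creator, USTYP = user type.
# Every user ID and date here is made up.
USR02_EXPORT = """MANDT;BNAME;USTYP;ERDAT;ERNAM
100;JSMITH;A;20231015;SECADM
100;WF_BATCH;B;20231101;BASIS01
100;MJONES;A;20240112;SECADM
100;RFC_FIN;C;20240205;BASIS01
100;APATEL;A;20240330;SECADM
100;KLEE;A;20240701;SECADM
"""


def parse_dats(value):
    """Convert a DATS string (YYYYMMDD) to a date."""
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def new_user_ids(export_text, period_start, period_end):
    """Keep only user master records whose ERDAT falls inside the audit period
    (given as YYYYMMDD strings), the same selection as the 'From'/'To' range on
    ERDAT in SE16. Records come back ordered by creation date."""
    start, end = parse_dats(period_start), parse_dats(period_end)
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    selected = []
    for row in reader:
        created = parse_dats(row["ERDAT"])
        if start <= created <= end:
            selected.append({**row, "created": created})
    return sorted(selected, key=lambda r: (r["created"], r["BNAME"]))


def select_sample(records, sample_size, seed):
    """Pick sample_size user IDs with a seeded RNG so a reviewer can reproduce
    exactly which IDs were chosen; returns the whole population when it is not
    larger than the requested sample."""
    ids = sorted(r["BNAME"] for r in records)
    if sample_size >= len(ids):
        return ids
    return sorted(random.Random(seed).sample(ids, sample_size))


def tab21_rows(records, sampled_ids):
    """Build the Tab 21 worksheet rows: every new ID is listed, and only the
    sampled ones are marked for approval-evidence testing."""
    rows = []
    for count, rec in enumerate(records, start=1):
        rows.append({
            "Count": count,
            "SAP Client": rec["MANDT"],
            "SAP User ID": rec["BNAME"],
            "Created On": rec["created"].isoformat(),
            "Selected For Testing?": "Yes" if rec["BNAME"] in sampled_ids else "No",
        })
    return rows


if __name__ == "__main__":
    new_ids = new_user_ids(USR02_EXPORT, "20240101", "20240630")
    sample = select_sample(new_ids, sample_size=2, seed=20240630)
    for row in tab21_rows(new_ids, sample):
        print(row)
```

Recording the seed alongside the sample size in the workpaper is what makes the selection auditable; with the constructed data, IDs created on 2023-10-15, 2023-11-01 and 2024-07-01 fall outside the period and never reach Tab 21.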

[...]

Control Objective IT3: Systems configuration and security settings are appropriately implemented and administered to protect against unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or
recording of organization’s financial data.
[Control Objective Assertion: Pervasive to All Accounts: Completeness, Cut-off, Presentation, Recording, Validity, Valuation]

Control Objective Background: If information security is not administered appropriately, significant information resources may be modified inappropriately, disclosed without authorization, and/or unavailable when needed (e.g., they
may be deleted without authorization). Furthermore, such security breaches may go undetected. If an entity relies on security features of its application systems to restrict access to sensitive application functions, weaknesses in network
or operating system security (e.g., user authentication and overall system access) may render such application security features ineffective.


[...]
IT3.03: The default SAP R/3 passwords are changed:
• SAP* - PASS
• DDIC - 19920706
• SAPCPIC - ADMIN
• EarlyWatch - SUPPORT
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query/Testing Procedure No: 29 | Testing Reference: N/A (if needed, include reference to supporting evidence considered pertinent)

The passwords to the default SAP R/3 user IDs are well known, and therefore if they are not changed, these IDs could be used by unauthorized users to gain access to the system.

Perform the following procedures to verify that the default SAP R/3 passwords for SAP*, DDIC, SAPCPIC and EarlyWatch have been changed:
• Execute transaction SA38 (ABAP Reporting)
Enter report name RSUSR003 and click on "Execute"
Verify that default passwords for DDIC, SAP*, SAPCPIC, & EarlyWatch have been changed in all clients
Document your conclusions.

[...]

The complete audit program contains 46 Queries designed to provide auditors, management, or control professionals reasonable assurance that controls over SAP security operate effectively and in accordance with management's
intentions.

• Batch job and background session processing and administration functions in SAP - controls to ensure that only authorized personnel have access to process and
administer batch job and background sessions in SAP and that job processing activities are monitored (SM35, SM36, SM37, RZ01, SM64 & S_BTCH_JOB, S_BTCH_ADM, S_BTCH_NAM, S_BDC_MONI, etc.):
- Release jobs automatically during scheduling
- Ability to delete jobs of other users
- Ability to administer background sessions in SAP R/3
- Ability to schedule jobs under different user IDs
- Access to the batch input management functionality in SAP R/3
- Monitoring procedures to identify processing errors and/or issues and more.

• Access to the end user authorization and administration functions - controls to ensure that only appropriate individuals have access to organization’s information resources and
to safeguard against unauthorized access to or modifications of programs and data, that may result in incomplete, inaccurate, or invalid processing or recording of financial information
(PFCG, SU01, SU02, SU03, SU10, SU12, SU22, SU24 & S_USER_PRO, S_USER_AGR, S_USER_GRP, S_USER_AUT, S_DEVELOP, etc.):
- Access to the profile generator to maintain roles, authorizations, and profiles
- Access to maintain users, authorizations and authorization profiles manually
- Access to maintain assignment of authorization objects to transactions
- Controls to ensure access to the SAP R/3 system is authorized by management
- Controls to ensure access to the SAP R/3 is disabled for employees that no longer require such access and much more.

• Systems configuration and security settings - controls to ensure that systems configuration and security settings are appropriately implemented and administered to
protect against unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or recording of organization’s financial data:
- Access to execute programs (online/background) via SA38, SE38, SE37, SE80, etc.
- Table maintenance including SAP R/3 data dictionary, Client-independent tables, & Custom tables (SE16, SE17, SM30, SM31, SE11, SE12, etc.)
- Password parameter values; access to maintain profile parameters (RZ10, etc.)
- Security of the powerful default user IDs, powerful transaction privileges and the assignment of powerful SAP R/3 profiles (SAP*, DDIC, EARLYWATCH, SAP_ALL, SAP_NEW, etc.)
- Locking critical and sensitive transaction codes in production
- Maintaining & executing external OS commands (SM49, SM69, etc.) & more.


• System Change Control - controls to ensure that changes are made in the development environment and transported to production to minimize the likelihood of
disruption, unauthorized alterations, and errors in order to ensure accurate, complete, and valid processing and recording of financial information:
- Ensuring that changes are made in the development environment and transported to production (SCC4, SE06, SPRO, SM30, SM31, etc.):
(1) The Client Maintenance settings
(2) The Global System Change Option settings
(3) The IMG Customizing settings
- Ensuring that access to perform corrections and transports is appropriately restricted (SE01, SE03, SE09, SE10):
(1) The SAP Workbench Organizer settings
(2) The SAP Transport System settings
(3) Access to perform transports in SAP
- Controls to ensure that access to develop programs is not allocated in production (SE38, SA38, SE37, SE80; DEVACCESS table, etc.)
- Ensuring that SAP R/3 system landscape supports the separation of production environments from development or test environments and much more.

The audit program covers all critical configuration settings and access controls to ascertain adequate levels of security of the SAP R/3 control environment. The audit program is available for purchase at
http://soxmadeeasy.com/SAP_Basis.html.


Remediation columns of the audit program:
• Exception Details (For ineffective controls)
• Mitigating Controls (For ineffective controls)
• Planned Remediation Procedures (For ineffective controls)
• Planned Remediation Date (For ineffective controls)
• Remediation Status (Completed/In Progress)
• Ref. to Post-Remediation Testing Details (If applicable)

Tab 4

Users with access to schedule jobs under different user IDs using transactions SM36 or SM37:

Columns (insert additional rows as needed):
• Count
• User ID
• User Name
• Locked? (Yes/No) - Exclude locked user IDs ("0" or "Blank" in this field means that user ID is NOT locked)
• Valid From
• Valid Through - Exclude IDs that are past their validity date (no access)
• User Type - Exclude D (System) and C (Communication) IDs (no end user access); leave A (Dialog) and S (Service) IDs for analysis
• Access Appropriate as per the Job Responsibilities? (Yes/No)
• Exceptions Noted? (Yes/No)
• Comments/ Exception Detail

1
2
3
4
5

Total 0 0 0

Tab 21

Listing of user IDs created in SAP R/3 between [date] and [date]:

Columns (insert additional rows as needed):
• Count
• SAP Client
• SAP User ID - Exclude IDs created before or after the period of intended reliance
• User Name
• Created On (Date)
• Selected For Testing? (Yes/No)
• Access to SAP Approved? (Yes/No)
• Approved By (Name, Title)
• Approved On (Date)
• Exceptions Noted? (Yes/No)
• Comments/ Exception Detail
Complete the approval columns for SAP User IDs selected for testing in Column "F"; N/A for remaining IDs.

1
2
3
4
5

Total 0 0 0 0
