
SAP Audit Program

II. Design And Implementation
1. Determine if proper planning has been formalized.
- Has a clearly established functional or geographical approach been adopted?
- Has a structured methodology been adopted?
- Has a top-down plan been developed to address system integration issues?
- Have SAP release dates been taken into consideration as part of the plan?
- Does the plan consider the time to perform a post-implementation review?
2. Determine if the proper organization and staffing for the team has been completed.
- Has a Steering Committee been organized to include all functional business areas?
- Have enterprise-wide standards been established?
- Are users assigned to key project management positions?
- Has an integration team been established with members from all functional areas?
- Has a technical team been established separate from the functional team to share technical responsibility and to ensure that standard techniques are employed?
- Is the staff size appropriate for the scope of the implementation (5-7 members for each core module)?
3. Determine if adequate training is conducted.
- Review the training program to ensure that it is adequate and addresses all functional [...]
- Ensure that the training approach is integrated into the project methodology.
- Ensure that adequate time for all levels of training is scheduled.
4. Determine if the project is properly controlled through budget, quality, and schedule.
- Are standard project control tools and documentation formats used across teams to ensure consistent communication and minimize the impact of team turnover?
- Are weekly or even daily cross-team progress meetings held, along with monthly steering committee meetings, to communicate status and resolve issues?
- Are issues logs used to resolve project delays?
- Ensure that a consistent implementation methodology across all teams is being [...]
- Is the project measured by workplan tasks and deliverables rather than hours spent?
- Are support systems such as Lotus Notes or e-mail established at the beginning of the [...]
5. Determine to what extent re-engineering is being employed.
- If the project team is going through a large re-engineering effort, ensure that it is completed prior to the beginning of the SAP implementation process. Otherwise, the changes can be incorporated during the analysis and design phases.
- Ensure that all re-engineering processes are formally signed off.

6. Determine if an adequate global design is completed.
- Have practices and processes globally been harmonized along with SAP functionality?
- Have worldwide representatives on the project been present during the prototyping and Joint Application Development (JAD) sessions to ensure that system decisions are properly [...]
- Are key system checkpoints mapped to the global design to ensure the system meets the needs of each region?
- Are prototyping and playbacks used to validate the design?
- Have key data items such as material number, customer number, chart of accounts, and company codes been standardized?
- Has the organizational hierarchy been properly established within SAP as an initial step?
7. Determine if proper integration has been designed into the system.
- Has an overall integration plan been developed and reviewed by the integration team?
- Has the integration team been involved throughout the project?
- Are the integration points tested throughout the project?
- Are cross-checks conducted periodically for table configurations with all team members?
- Are checks conducted to ensure that table and file structures are consistent across all locations?
8. Determine if the SAP software is properly configured.
- Have any modifications to the SAP supplied software been completed? If so, determine the risk impact of such modifications.
9. Determine if data ownership responsibilities are defined for the SAP objects (fields).
10. Determine if matrixes are used to define job functions and proper separation of duties.

III. Workstation Security
1. Obtain a configuration listing of a typical end user workstation.
2. Determine if the user is required to sign on to the workstation.
3. Determine if remote workstation processing locations are provided with "hot line" consultation on problems relating to workstation hardware and software.

IV. Application Support
1. Determine the existence of a qualified group (or individual) designated to support the application.
2. Review the job functions statement and interview users of the service to determine the scope and effectiveness of the position.
3. Determine if all incidents and resolutions are properly recorded.
4. Obtain access to the application's interface (GUI) test environment.
5. Evaluate the GUI (according to requirements and design documentation) to determine if the edits on the system are adequate.

VI. Review The Security And Control Over The NT Operating System
1. Determine that default account rules are set to ensure that all users must properly log on to the system.
2. Determine that the default password rules are set to industry standards.
3. Obtain a list of all the Administrators and determine that each user with this capability needs this level of authority.
4. Obtain a list of all users and groups and ensure that each member is a valid entry.

5. Determine if domains or workgroups are being used. If they are, map each user or group to a domain and ensure that each user requires this level of access.
6. Review all system services to ensure that users are restricted to authorized functions only.
7. Map all the startup applications for each user to ensure that only authorized applications are accessed.
8. Obtain a listing of all directories, sub-directories, and files.
9. Review the permission levels and ownership of the directories, sub-directories, and files.
10. Review all user and group privileges to critical or sensitive directories, sub-directories, or files.
11. Obtain a list of all of the user's rights and determine if the user needs this level of authority.
12. Review all user profiles to ensure that only authorized users have access to the application files.
13. Determine the users that have physical access to the application files and ensure that this privilege is necessary to support their job function.
14. Determine which common user groups have been established and review each group's capabilities to ensure that all members need this level of access.
15. Determine what personal groups have been established for each user and ensure that the user needs this level of access to perform their job function.
16. Review the Power Users group and ensure that only authorized individuals are members of this group.
17. Review the Users group and ensure that only authorized individuals are members of this group.
18. Review the Guest group and ensure that this group's authorities are restricted.
19. Review the user's log-on script to ensure that it is set up properly from a security perspective.
20. Determine if screen saver security is properly set.
21. Review all devices and the security settings protecting access to these devices.
22. Determine if any directory replication has been established and ensure that sensitive or critical data is properly protected on the remote platform.
23. Review the system's configuration files and ensure that the parameters are properly set.
24. Review the event auditing for the system and determine if it is adequate.
25. Determine what alerts are established to notify the security administrator of any security violations.
26. Review the backup procedures for contingency planning to ensure that they are adequate.
27. Review the organizational structure to ensure that there is a proper separation of duties.

VII. Review The Security And Control Over The Oracle DBMS
1. Determine that proper segregation of duties is in place for database administration.
2. Obtain a listing of the Data Structure Diagram for the application.
3. Obtain the major Data Dictionary views:
- DBA_OBJECTS
- DBA_TAB_COLUMNS
- DBA_USERS
- DBA_VIEWS
4. Obtain the database initialization file INIT.ORA.
5. Determine that all default userids and passwords have been changed.

- SYS
- SYSTEM
- SCOTT
- SAPr3
6. Obtain a listing of all the application objects such as tables and views.
7. Review the object rights (DBA_TAB_GRANTS, DBA_COL_GRANTS) to ensure that only authorized users are allowed to operate against these objects. Direct table access and stored procedure access should be investigated to ensure that only authorized users or programs have access to the application files.
8. Ensure that the WITH GRANT OPTION is only assigned to appropriate users for appropriate objects.
9. Ensure that any assignment to the user "Public" is highly restricted.
10. List all users that have Resource or DBA privileges.
11. List all roles within the database.
12. Review all operating system roles (OSOPER) for assignment to valid users.
- SAPDBA: changes made with this tool are not logged and should therefore be under dual control.
13. Determine who has been assigned import and export capability.
14. Determine what level of auditing has been turned on by reviewing the INIT.ORA file to see if AUDIT_TRAIL is set to TRUE, and by reviewing DBA_SYS_AUDIT_OPTS and DBA_TAB_AUDIT_OPTS.
15. Determine that the audit trail is reviewed on a regular basis.
16. Ensure that all users are required to enter a password along with their userid to authenticate to the application.
17. Determine that the passwords are required to be changed on a periodic basis.

VIII. Review The Interface Security And Control Mechanisms
1. Identify all system interfaces.
2. Review the reconciliation procedures in effect to ensure that they are adequate:
- Record counts
- Total number of customers/vendors processed
- Total credits
- Total debits
- Total amounts
- Total volume
3. Identify the mode of submission and the authentication practice employed to ensure that a proper audit trail is in force.
4. Review the use of standard SAP utilities to transform interfaced data into SAP format. This data is received into the BTCI (batch input) database; SAP processes the contents of BTCI as on-line transactions. All validation errors are marked in BTCI, and users may correct the data if their profile has "BI" in the SYS authorization object.
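The following is an added example for the Oracle DBMS review (section VII above), in particular the items "List all users that have Resource or DBA privileges" and "List all roles within the database". It is not part of the audit program. A plain query of DBA_ROLE_PRIVS for GRANTED_ROLE = 'DBA' only shows direct grantees; Oracle lets a role be granted to another role, and a role granted to PUBLIC is held by every account, so the effective membership has to be resolved transitively. The rows below are constructed sample data in the column layout of DBA_ROLE_PRIVS (GRANTEE, GRANTED_ROLE, ADMIN_OPTION) and DBA_USERS (USERNAME); no database is queried, and every account and role name other than SYS, SYSTEM, SAPR3, SCOTT, DBA, RESOURCE and CONNECT is hypothetical.

```python
"""Effective holders of powerful Oracle roles, resolved through nested roles and PUBLIC.

Added example, not part of the audit program. A direct listing of
DBA_ROLE_PRIVS misses users who inherit DBA or RESOURCE through an
intermediate role, or through a role granted to PUBLIC. The functions
below walk the grant graph transitively and report the grant path.
Rows are constructed sample data laid out like DBA_ROLE_PRIVS
(GRANTEE, GRANTED_ROLE, ADMIN_OPTION) and DBA_USERS (USERNAME).
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

RolePriv = Tuple[str, str, str]  # (grantee, granted_role, admin_option)

# Constructed sample of DBA_ROLE_PRIVS. APP_SUPPORT, REPORTING, JSMITH and
# OPS$ORASID are hypothetical names invented for this example.
SAMPLE_ROLE_PRIVS: List[RolePriv] = [
    ("SYS",         "DBA",         "YES"),
    ("SYSTEM",      "DBA",         "YES"),
    ("OPS$ORASID",  "DBA",         "NO"),   # hypothetical OS-authenticated admin
    ("APP_SUPPORT", "DBA",         "NO"),   # hypothetical custom role that holds DBA
    ("JSMITH",      "APP_SUPPORT", "NO"),   # inherits DBA through APP_SUPPORT
    ("REPORTING",   "RESOURCE",    "NO"),
    ("PUBLIC",      "REPORTING",   "NO"),   # every account inherits RESOURCE
    ("SAPR3",       "CONNECT",     "NO"),
]
# Constructed sample of DBA_USERS.USERNAME.
SAMPLE_USERS: List[str] = ["SYS", "SYSTEM", "SAPR3", "JSMITH", "OPS$ORASID", "SCOTT"]


def build_grant_graph(rows: List[RolePriv]) -> Dict[str, Set[str]]:
    """Map each grantee (user or role) to the roles granted directly to it."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for grantee, role, _admin in rows:
        graph[grantee].add(role)
    return graph


def reachable(principal: str, graph: Dict[str, Set[str]]) -> Dict[str, Optional[str]]:
    """Breadth-first walk over grant edges starting at a user.

    Returns {node: predecessor} for every role the user holds, directly or
    through nested roles. PUBLIC is treated as a grantee every user belongs
    to, so roles granted to PUBLIC are inherited as well.
    """
    parent: Dict[str, Optional[str]] = {principal: None}
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        nexts = set(graph.get(node, ()))
        if node == principal:
            nexts.add("PUBLIC")
        for nxt in nexts:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent


def effective_roles(user: str, graph: Dict[str, Set[str]]) -> Set[str]:
    """All roles the user holds, however indirectly."""
    return {n for n in reachable(user, graph) if n not in (user, "PUBLIC")}


def grant_path(user: str, role: str, graph: Dict[str, Set[str]]) -> List[str]:
    """The chain of grants by which the user holds the role, or [] if it does not."""
    parent = reachable(user, graph)
    if role not in parent:
        return []
    path = [role]
    while path[-1] != user:
        path.append(parent[path[-1]])
    return path[::-1]


def direct_holders(role: str, users: List[str], rows: List[RolePriv]) -> List[str]:
    """What a plain query of DBA_ROLE_PRIVS for the role shows: direct grantees only."""
    return sorted(u for u in users if any(g == u and r == role for g, r, _ in rows))


def effective_holders(role: str, users: List[str], rows: List[RolePriv]) -> List[str]:
    """Every user who ends up with the role once nested roles and PUBLIC are resolved."""
    graph = build_grant_graph(rows)
    return sorted(u for u in users if role in effective_roles(u, graph))


def with_admin_option(rows: List[RolePriv]) -> List[Tuple[str, str]]:
    """Role grants the grantee can pass on (the role analogue of WITH GRANT OPTION)."""
    return [(g, r) for g, r, admin in rows if admin == "YES"]


if __name__ == "__main__":
    graph = build_grant_graph(SAMPLE_ROLE_PRIVS)
    for role in ("DBA", "RESOURCE"):
        print(role, "direct grantees:", direct_holders(role, SAMPLE_USERS, SAMPLE_ROLE_PRIVS))
        for user in effective_holders(role, SAMPLE_USERS, SAMPLE_ROLE_PRIVS):
            print("   ", " -> ".join(grant_path(user, role, graph)))
```

On the sample data the direct listing of DBA shows three accounts, while the resolved listing adds JSMITH (via APP_SUPPORT); RESOURCE has no direct user grantee at all, yet every account holds it through PUBLIC. The same walk applies to any role the audit program names, and the `grant_path` output is what to attach to the finding.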

IX. Review The Disaster Recovery/Contingency Plan(s)
1. Obtain a copy of the disaster recovery/contingency plan.
2. Review the plan for adequacy.
3. Evaluate whether the plan has been recently tested.
4. Ensure that backup copies of critical or sensitive data are properly protected.
5. Identify any critical or sensitive data that is redundant, to ensure that changes are made to both systems in a timely fashion.
6. Determine if one of the following is implemented to ensure system reliability:
- Mirroring
- Duplexing
- Fault tolerant machines
- On-line vaulting

X. Review The BASIS Module
1. Determine that proper segregation of duties is in place for profile and authorization-object generation.
2. Determine that proper segregation of duties is in place for program development.
3. Determine that proper segregation of duties is in place for system administration.
4. Determine that proper segregation of duties is in place for table maintenance.
5. Obtain a copy of the system control parameters to ensure that proper access control parameters are established. These are in table RS38M. Path: SYSTEM - SERVICES - REPORTING - Enter RSPARAM - Scroll down to each parameter.
- login/password_expiration_time: forces a password change after a certain number of days (default = 0)
- login/min_password_lng: sets the minimum password length (default = 3)
- login/fails_to_session_end: number of attempts before SAP stops the session (default = 3)
- login/fails_to_user_lock: number of attempts before SAP locks the user master record (default = 12)
- rdisp/gui_auto_logout: inactivity parameter (default = 0, parameter not active)
6. Determine if additional checks for specific prohibited passwords have been implemented. Path: SYSTEM - SERVICES - TABLE MAINTENANCE - USR40 - DISPLAY
7. Ensure that all default passwords have been changed for all clients (000, 001, and 066):
- SAP* (default password = 06071992)
- DDIC (default password = 19920706)
- SAPCPIC (default password = admin)
- EarlyWatch (default password = support)
Database accounts:
- Sys (default password = Change_On_Install)
- System (default password = Manager)
- SAPr3 (default password = SAPr3)
8. Obtain a listing of the following:
- SAP users - table USR01
- SAP activity codes - table TACT
- SAP profiles (both SAP supplied and user defined) - table USR04
- SAP authorization objects - table TOBJ
- SAP transactions - table TSTC
Path: SYSTEM - SERVICES - TABLE MAINTENANCE - Enter TSTC - Select - DISPLAY. Also transactions SM31, SE16, SE17. Custom transactions (user defined) start with 'X', 'Y', or 'Z'.
9. Determine which transactions or programs allow a user to exit SAP and obtain an operating system prompt. Ensure that any user with this capability requires it for their job responsibilities.
10. Determine who on the system has the following authorization objects and profiles:
- S_TABU_ANZ: Display tables in all classes
- S_TABU_ALL: Standard table maintenance, all authorizations
- S_TABU_CLI: Maintain client-independent tables (create/change access to client-independent tables)
- S_TABU_DIS: Create/change access to tables (table maintenance, all tables)
- S_USER_ALL: Permits complete authorizations to maintain users
- SAP_ALL: Permits all access privileges, except for the users of the "SUPER" user group
- S_TOOL_EX_A: Access to the performance monitor
- SAP_NEW: Delivers all changes for authorization objects
- S_BTCH_ADM: Permits administration for managing background jobs
- S_BDC_ALL: All batch input activities
- S_BTCH_ALL: All batch processing authorizations
- S_DDIC_ALL: DDIC: All authorizations
- S_DDIC_SU: Data Dictionary: All authorizations
- S_NUMBER

  Number range maintenance: All authorizations. Fields and values:
  NROBJ: any number range object name (for example, KREDITOR for vendors)
  ACTVT:
  02 - Change number range intervals
  03 - Display number range intervals
  11 - Change the last-used number in a number range interval
  13 - Initialize the last-used number when transporting ranges between clients
  17 - Maintain number range objects
- S_SCDO_ALL: Change documents: All authorizations. Activity codes:
  02 - Maintain and display change documents
  06 - Delete change documents
  08 - Display change documents
  12 - Maintain change documents
- S_SCRP_ALL: All SAPscript texts, styles, layout sets maintenance
- S_SYST_ALL: All system authorizations
- SAP_ANWEND: All SAP R/3 (excluding system) application authorizations
- Z_ANWEND: All user authorizations (excluding BC system)
- S_ABAP_ALL: All ABAP/4 authorizations
- S_ADMI_ALL: All system administrative functions
- S_A.SYSTEM: Unlimited access to all users, profiles and authorizations (as offered by S_USER_ALL)
- S_A.ADMIN: Authorization for SAP system administration. This includes all authorizations except for maintenance of users in user group SUPER and maintenance of profiles and authorizations with names beginning "S_S."
- S_A.CUSTOMIZ: Authorizations for use in the SAP Customizing system
- S_A.DEVELOP: Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
- S_A.USER: Basis system authorizations for end-users (e.g. S_PROGRAM)
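The following is an added example, not part of the audit program, for item 5 above (the login/* and rdisp/gui_auto_logout values read from report RSPARAM), for the login/no_automatic_user_sap* setting required later in this section, and for the AUDIT_TRAIL check on INIT.ORA in the Oracle section. It assumes both listings were saved as text with one "name value" or "name = value" pair per line; the sample listings are constructed, one left at the shipped defaults the checklist quotes and one hardened. The acceptable values are this example's assumptions (the checklist states only the defaults), and the SAP parameter is spelled login/no_automatic_user_sapstar in the system, which the checklist abbreviates as login/no_automatic_user_sap*.

```python
"""Check exported profile parameters against the weak defaults the checklist quotes.

Added example, not part of the audit program. Parses an RSPARAM listing and
an INIT.ORA file saved as text (one "name value" or "name = value" per
line, an assumption about how the auditor copied them out) and reports
every parameter that is absent, non-numeric, or outside the acceptable
range. Acceptable values are this example's assumptions; the checklist
itself states only the shipped defaults (0, 3, 3, 12, 0) each rule catches.
"""
import re
from typing import Dict, List, Tuple, Union

# (kind, threshold, why it matters). kind is "min", "max" or "eq" on an
# integer value, or "in" on a tuple of accepted lower-case strings.
Rule = Tuple[str, Union[int, Tuple[str, ...]], str]

SAP_RULES: Dict[str, Rule] = {
    "login/password_expiration_time":  ("min", 90,   "0 (the default) means passwords never expire"),
    "login/min_password_lng":          ("min", 8,    "default minimum length is 3"),
    "login/fails_to_session_end":      ("max", 3,    "session should end after a few failed attempts"),
    "login/fails_to_user_lock":        ("max", 5,    "default of 12 attempts leaves room for guessing"),
    "rdisp/gui_auto_logout":           ("min", 1800, "0 (the default) disables the inactivity logout"),
    # real parameter name behind the checklist's login/no_automatic_user_sap*
    "login/no_automatic_user_sapstar": ("eq",  1,    "0 lets SAP* log on with its default password if its user master record is deleted"),
}
ORACLE_RULES: Dict[str, Rule] = {
    # TRUE is the Oracle 7 spelling the checklist uses; later releases write DB or OS.
    "audit_trail": ("in", ("true", "db", "os"), "database auditing is switched off"),
}

# Constructed sample listings: one at the defaults, one hardened.
WEAK_RSPARAM = """\
login/password_expiration_time    0
login/min_password_lng            3
login/fails_to_session_end        3
login/fails_to_user_lock          12
rdisp/gui_auto_logout             0
login/no_automatic_user_sapstar   1
"""
HARDENED_RSPARAM = """\
login/password_expiration_time    90
login/min_password_lng            8
login/fails_to_session_end        3
login/fails_to_user_lock          5
rdisp/gui_auto_logout             1800
login/no_automatic_user_sapstar   1
"""
WEAK_INIT_ORA = "# constructed INIT.ORA fragment\ndb_name = SID\naudit_trail = NONE\n"
HARDENED_INIT_ORA = "db_name = SID\naudit_trail = true\n"

# parameter name, then "=" (optionally spaced) or whitespace, then the value
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/*.$]+)(?:\s*=\s*|\s+)(\S+)")


def parse_listing(text: str, fold_case: bool = False) -> Dict[str, str]:
    """Parse 'name value' / 'name = value' lines; '#' starts a comment (INIT.ORA style)."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        name, value = m.groups()
        if fold_case:  # INIT.ORA names and values are case-insensitive; SAP's are not
            name, value = name.lower(), value.lower()
        params[name] = value
    return params


def evaluate(params: Dict[str, str], rules: Dict[str, Rule], source: str) -> List[Tuple[str, str, str, str]]:
    """Return (source, parameter, value, finding) for each rule that is not met.

    A parameter missing from the listing is a finding too: the shipped default
    then applies, and for every rule here that default is the insecure value.
    """
    findings = []
    for name, (kind, want, why) in rules.items():
        raw = params.get(name)
        if raw is None:
            findings.append((source, name, "<absent>", "not set, default applies: " + why))
            continue
        if kind == "in":
            ok = raw.lower() in want
        else:
            try:
                value = int(raw)
            except ValueError:
                findings.append((source, name, raw, "value is not an integer"))
                continue
            ok = {"min": value >= want, "max": value <= want, "eq": value == want}[kind]
        if not ok:
            findings.append((source, name, raw, why))
    return findings


def audit(init_ora_text: str, rsparam_text: str) -> List[Tuple[str, str, str, str]]:
    """Findings for both listings, INIT.ORA first."""
    return (evaluate(parse_listing(init_ora_text, fold_case=True), ORACLE_RULES, "INIT.ORA")
            + evaluate(parse_listing(rsparam_text), SAP_RULES, "RSPARAM"))


if __name__ == "__main__":
    for source, name, value, why in audit(WEAK_INIT_ORA, WEAK_RSPARAM):
        print(f"{source:9} {name:32} = {value:8} {why}")
```

Run against the weak listings this reports AUDIT_TRAIL plus four of the five SAP parameters (login/fails_to_session_end is already at 3); the hardened pair produces no findings. Absent parameters are reported deliberately, since RSPARAM output that omits a value means the default is in force.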

11. Determine who has data dictionary access by reviewing who has the following transaction capability:
- SE11: ABAP/4 Data Dictionary Maintenance
- SE12: ABAP/4 Data Dictionary Display
- SE13: Maintain Technical Settings (Tables)
- SE14: Utilities for Dictionary Tables
- SE15: ABAP/4 Repository Information System
- SE16: Data Browser
12. Determine who on the system has the following authorization objects for security administration:
- S_USER_AUT: User Master Maintenance: Authorizations
  Transaction SU03 - Maintenance of Authorizations
  Transaction SU02 - Allocate Authorizations to a profile
- S_USER_GRP: User Master Maintenance: User Groups
  Transaction SU01 - Maintain Users
  Transaction SU10 - Delete or Add a Profile for all Users
  Transaction SU12 - Delete all Users
- S_USER_PRO: User Master Maintenance: Authorization Profile
  Transaction SU01 - Maintain Users
  Transaction SU02
  Transaction SU10 - Delete or Add a Profile for all Users
- S_BDC_MONI: Batch input authorization. Fields and values:
  BDCGROUPID: any name of batch sessions for which the user is authorized (e.g. FRANK)
  BDCAKTI:
  ABTC - Submit sessions for execution
  AONL - Run sessions in interactive mode
  ANAL - Analyze sessions, log and queue

  FREE - Release sessions
  LOCK - Lock/Unlock sessions
  DELE - Delete sessions
Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - INFORMATION - OVERVIEW - AUTHORIZATIONS - CHOOSE OBJECT - Select 'Basis: Administration' - Scroll to the appropriate object - Enter * in Authorization Field - LIST - Choose WHERE-USED LIST (to determine profiles) - Select profile and choose WHERE-USED LIST (to determine which users have this profile).
13. Determine who on the system has the following powerful authorization objects:
- S_ADMI_FCD: Provides system administration functions, including the following:
  TRAC - ABAP/4 trace authorization
  ST0P - ABAP/4 program debugging mode
  REPL - Altering values in debugging mode
  KERN - Examine the system kernel from within the ABAP/4 debugger
  CUAD - SE41 GUI interface maintenance
  DDIC - Data Dictionary maintenance
  TCOD - Transaction code maintenance
  SE01 - Transport system transaction SE01
  FONT - SAPscript font maintenance
  STOM - Changing system TRACE switches
  STOR - Evaluating traces
  SM21 - Evaluating system logs
  NADM - Network administration (transactions SM54, SM55, SM59)
  UADM - Update administration (transaction SM13)
  T000 - Create a new client
  TLCK - Lock/Unlock transactions
  SPAD - Authorization for spool administration in all clients
  SPAR - Authorization for client-dependent spool administration
  SP01 - Authorization for administration of spool requests (all users) in spool output control; access is limited to spool requests in the current client of the user
  SP0R - Authorization for administration of spool requests in spool output control (all users and clients)
  BTCH - Batch
  UNIX - Execute UNIX commands from the SAP system with program SAPMSOS0
  RSET - Reset/Delete data without archiving

  SYNC - Reset buffers
- S_BTCH_ADM: Provides all authorizations for managing background jobs. Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - INFORMATION - OVERVIEW - AUTHORIZATIONS - CHOOSE OBJECT - Enter S_BTCH_ADM - Enter * in Authorization Field - LIST - Choose WHERE-USED LIST to obtain profiles - Select profile and choose WHERE-USED LIST to obtain users.
- S_PROGRAM: Part of the object class 'Basis: Development Environment'. ABAP/4: Program Run Checks. Values for field P_GROUP: any program group (for example TEST). Values for field P_ACTION:
  SUBMIT - Start programs
  EDIT - Maintain program attributes and texts
  BTCSUBMIT - Submit program for background execution
  VARIANT
- S_TRANSPRT: Part of the object class 'Basis: Development Environment'. Correction and Transport System and Request Management. Permits access to the ABAP/4 development workbench, the customizing system, and the Correction and Transport System.
- S_EDITOR: Part of the object class 'Basis: Development Environment'. Permits editor checks for maintaining tables (release 2.[...])
- S_QUERY: Part of the object class 'Basis: Development Environment'. Authorization for ABAP/4 Query; permits the user to run or maintain queries.
- S_DEVELOP: Part of the object class 'Basis: Development Environment'. Permits access to the ABAP/4 development tools, the dictionary/data modeler, the screen and menu painters, and the object browser; maintain program attributes, copy programs, delete programs.
Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - INFORMATION - OVERVIEW - AUTHORIZATIONS - CHOOSE OBJECT - Select 'Basis: Development Environment' - Choose one of the objects - Enter * in Authorization Field - LIST - Choose WHERE-USED LIST to obtain profiles - Select profile and choose WHERE-USED LIST to obtain users.
14. Determine who is defined to the "SUPER" user group in the user master records.
15. Determine that all users on the system belong to a group.
16. Determine what audit trails exist and who reviews them on a regular basis.
17. Ensure that SAP_NEW is not used in the production environment. It automatically gives the user the new authorizations delivered with each release.
18. Determine all users with the standard profile S_SPOOL_ALL. This profile gives the user all authorities to bypass any restrictions on spool access. Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - PROFILES - Select profiles and choose WHERE-USED LIST.

19. Ensure that the SAP* userid is protected by setting login/no_automatic_user_sap*.
20. Determine who reviews the following log files:
- SAP System Log
- Operating system logs for SAP messages (optional)
- Change Documents
- Dictionary Logs. Path: Development - ABAP/4 DICTIONARY - INFORMATION SYSTEM
- Log of Security Changes. Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - INFORMATION - [USERS, PROFILES, AUTHORIZATIONS] - CHANGE DOCUMENTS:
  Changes to a user's authorizations
  Changes to password, user group, user type, validity and account ID for a user
  Changes to profiles (activation)
  Changes to authorizations (activation)
- Activity Log. Path: TOOLS - ADMINISTRATION - MONITORING - SYSTEM LOG, selected on [USER, TERMINAL, DATE, TYPE OF MESSAGE]
- CTS logs. Path: SE10
21. Determine the procedures followed in the event emergency access privileges are required.
22. Review procedures to ensure that additions, changes, and deletions of users' access privileges are properly maintained.
23. Determine who has what access rights into the system by using the following methodology: TOOLS - ADMINISTRATION - MAINTAIN USERS - INFORMATION - OVERVIEW - AUTHORIZATION - CHOOSE OBJECT (example: Financial Accounting), then (example: Company Code) *, Activity 02 (or any other activity code), LIST, Where Used (gives you authorization objects), Where Used (gives you profiles), Where Used (gives you users). Using this methodology you can view any critical object for any module to determine which users have what access rights.

XI. Review The Audit, Security, And Control Of The Core Modules
1. Review or document the workflow of the application.
2. Identify key exposures within the workflow.
3. Determine if adequate controls exist to mitigate the identified exposures.
4. Access Control
- Review all users that have access to the application and ensure that they require this level of access.
- Signon Access

  Test the invalid attempts for userid and password.
  Obtain a copy of the corporate security standards.
  Review all default users to ensure that proper security and control is maintained.
- Menu Level Access
- File Level Access: review the user IDs associated with the data file to ensure that only authorized users are allowed access to the data.
5. Integrity Checking
- Evaluate sensitive or critical on-line transactions to ensure that they perform according to the established integrity standards.
- Evaluate sensitive or critical batch jobs to ensure that they perform according to the established integrity standards.
- Review the final edit process to ensure the integrity of the process.
- Review all system interfaces to determine that data integrity is properly maintained.
6. Evaluate any sensitive or critical derived data to ensure that it is created according to the established integrity standards.
7. Evaluate the outputs of the system to ensure that sensitive or critical output is properly handled.
8. Review the security administration of:
- adding users
- deleting users
- updating user information
- password construction
Determine who the system administrator for the application is and how many administrators are assigned to the application.
9. Evaluate any recent application failures to ensure that an adequate contingency plan exists.
10. Evaluate the level of system documentation to ensure that it is adequate.
11. Interview the users to ensure that they are satisfied with the current system and that it meets the organization's business needs.
12. Review the management reports to see if additional reports are needed.
13. Determine if any back doors exist in the system:
- Unix
- Oracle
- Informix
- DB2
- NT
- SAP
Determine if a user can log on directly to NT, Unix, Oracle or DB2 without going through the initial logon process.

XII. Review The Change Management Process
1. Evaluate several recent application changes to ensure that proper procedures were followed.

Sample some recent changes for your audit area and review the procedures followed.
2. Determine that proper segregation of duties is in place for the migration of test to production.
3. Determine and evaluate change control procedures for:
- Emergency fixes
- Master data
- Configuration elements
- ABAPs
- Custom programming
- SAP code
4. Identify the architecture of the change environment:
- Development
- Integration
- Consolidation
- Production
5. Determine who has the authority to migrate modified customer-defined objects to production:
- SE01 - old, replaced by the Workbench Organizer
- SE06 - Used to set up and maintain the Workbench Organizer (Dictionary Access)
- SE09 - Enables the ABAP/4 Development Workbench
- SE10 - Customizing
6. Determine if all ABAP programs check for proper authorization (AUTHORITY-CHECK) prior to production implementation. These programs should be extensively tested.
7. Determine if repairs are properly made.

XIII. Network Audit, Security, And Control
1. Determine if sensitive data travels across the network in clear text.
2. Determine that all authentication processes within the application architecture are secured as they go across the network.
3. Determine that all authentication processes within the client/server architecture are secured as they go across the network.
4. Determine if the SNMP agent is enabled within the network components:
- Bridges
- Routers
- Hubs
5. Ensure that only authorized users can access the SNMP's capabilities.
6. Determine if the configuration parameters for the gateway are properly set.
7. Determine that the authentication mechanism to sign on to the gateway is secured.
8. Determine that the administrative rights to the gateway are properly assigned.
9. Ensure that network diagnostic tools are properly assigned and locked up when not in use.

XIV. Audit, Security, and Control of Remote Communications

1. Obtain a listing of all remote connections attached to the SAP environment.
2. Determine that all remote connections enter through a secured point of entry.
3. Validate the signon requirements for remote authentication.
4. Ensure that the authentication process does not go across the network in clear text.
5. Ensure that direct access to personal computers or file servers is restricted without first going through the authentication server.
6. Determine that a log file records all connections.
7. Ensure that any hacking activity is properly controlled by good authentication controls.

Tables
DD02T - Information on all tables
DD09L - Tables and log field to log changes to configuration tables
T003 - Defines for each document type the account type that can be accessed
TOBJ - Objects
TACT - Activity codes
TSTC - Transactions
TRDIR - ABAP programs and authorization groups in field SECU
TDDAT - Authorization groups
FC31 - Maintaining accounting periods
USR01 - User master record
USR02 - User id and password
USR03 - User address information
USR04 - Contains the link between user id and attached profiles
USR05 - Field defaults
UST10C - Establishes the link between one composite profile and its subordinate components
UST10S - Attaches objects and authorities to single profiles
UST12 - Lists possible authorities with their field values per authorization object
USOBT - Objects required by a transaction are referenced in this table

Profile Generator
When the profile generator is used, the relevant authorization objects are selected automatically, based on the functions (business transactions) the administrator selects from the company menu, and grouped together in a new authorization profile.

Session Manager
Defines the corporate menu; user-specific menus can be generated for each user. This user menu only allows the user to use the business transactions available in the menu.

SAP Access to client 066
1. Echo sessions and observe activity.
2. Enable table logging of data changes on key tables.

3. The statistics analysis log (STAT) records users and transactions but is volatile (deleted at midnight). The new audit log available in 4.0B records a user, the transactions they performed, and whether each transaction succeeded or failed.
4. If SAP has ABAP/4 access in 066 they can effectively "jump" across clients.
- Even ABAP/4 Workbench display ("03") access to SE38 and object S_DEVELOP provides the ability to EXECUTE programs.
- Challenge SAP on "why" they are asking for more access.
- Disable the connection when SAP is not logging on.
- Make effective use of the SAProuter to prevent unauthorized access from other sources.