Auditing in SAP Environment
CA Shirish Padey, CA Heta Shah, CA Mitesh Vora, CA Kajal Shah, CA Rakesh Lakhani
ICAI-Mumbai Branch, 8th June, 2019

- Introduction to Controls based Audit
- Introduction to SAP
- Accessing and Navigating SAP
- SAP Organization
- Review of IT General Controls (Other than BASIS)
- Review of SAP BASIS
- Validation of Automated Controls
- Authorization Concept
- Segregation of Duties
- Data Migration to SAP
- SAP Upgrade
- Report Validation
- JE Extraction and Analysis
- Robotic Process Automation (RPA) in SAP

SESSION 1: Introduction to Controls based Audit

1.1 Standards on Auditing
- SA315 – Identifying and Assessing the Risk of Material Misstatement Through Understanding of the Entity and its Environment
  – The auditor shall:
    · Obtain understanding of Internal Controls
    · Obtain understanding of Information Systems, including related business processes
    · Obtain understanding of how the entity has responded to risks arising from IT
    · Obtain an understanding of the entity’s controls over risk of inaccurate or incomplete recording of transactions in highly automated processing environment
- SA330 – The Auditor’s Responses to Assessed Risk
  – The auditor shall:
    · Consider effectiveness of General IT Controls

1.2 Accounting in ERPs
- All entries are Journal Entries
- There are NO Primary or Secondary Books of Account – only data stored in Tables

1.3 Difficulty in Substantive Audit for ERPs
- Absence of Printouts
- Voluminous data
- Difficulty in Ledger Scrutiny
- Difficulty in audit of “manual” journal entries

1.4 Alternative?
- Reliance on IT General Controls
  – Relying on Automated Controls and Automated Accounting Procedures
  – Reliance on Reports and System-Dependent Manual Controls
  – Reliance on Underlying Data

Questions?

SESSION 2: Introduction to SAP

2.1 SAP — What is it?
- SAP is a German multinational software corporation that makes ERP software, with regional offices in almost 140 countries and over 437,000 customers (approx.) in 180 countries.
- In German: Systeme, Anwendungen und Produkte in der Datenverarbeitung
- In English: Systems, Applications and Products in Data Processing
- Founded in Walldorf, Deutschland (Germany), 1972
- Not "Sap" — It is "S - A - P"

2.1 SAP — What is it? [Contd.]

2.2 SAP - The Product
- R/3 and ERP
- Three tier architecture — Front end (GUI), Application Server, Database Server

2.2 SAP — The Product [Contd.]
- Client — Server Architecture

2.3 R/3 and ERP: Three-Tier Computer
- Database: Central Database (storage of all data); access to database (read/write data)
- Application: Processing of data using application logic
- Presentation: Presentation of the processed data to the user

2.4 Transport System
- Three SAP Systems: Development, Quality Assurance, Production
- Change Request: moving changes from one system to another

2.5 SAP S/4 HANA Journey

2.6 Modules in SAP

2.6 SAP Modules [contd.]
SAP-FI (FInancial Accounting)
- SAP FI - General Ledger (GL)
- SAP FI - Accounts Payable (AP)
- SAP FI - Account Receivable (AR)
- SAP FI - Bank Accounting
SAP-CO (COntrolling)
- SAP CO - Cost Element Accounting
- SAP CO - Cost Center Accounting
- SAP CO - Activity-Based Costing
- SAP CO - Product Cost Controlling
- SAP CO - Material Ledger
SAP-SD (Sales & Distribution)
- SAP SD - Master Data
- SAP SD - Sales
- SAP SD - Shipping
- SAP SD - Transportation
- SAP SD - Billing
- SAP SD - Electronic Data Interchange (EDI)
SAP-MM (Material Management)
- SAP MM - Purchasing
- SAP MM - Inventory Management
- SAP MM - Warehouse Management
- SAP ML - Material Ledger

2.6 SAP Modules [contd.]
SAP-PP (Production Planning)
- SAP PP - Material Requirements Planning
- SAP PP - Capacity Requirement Planning
- SAP PP - Sales and Operations Planning
- SAP PP - Production orders
- SAP DS - Detailed Scheduling
SAP-PS (Project System)
- SAP PS - Payments
- SAP PS - Confirmation
- SAP PS - Costs
- SAP PS - Resources
- SAP PS - Dates
- SAP PS - Documents
SAP-HR (Human Resource)
- SAP PA - Employee Management
- SAP PA - Personnel Administration
- SAP PA - Benefits
- SAP PA - Payroll
- SAP PA - Time Management
SAP-QM (Quality Management)
- SAP QM - Quality Planning
- SAP QM - Quality Inspection processing
- SAP QM - Quality control
- SAP QM - Test equipment management

2.6 SAP Product – features
- SAP supports
  · Multiple Languages
  · Multiple Currencies
- Proprietary (High-level) Programming Language — ABAP (Advanced Business Application Programming)
- Can execute on any Operating System — UNIX, Windows etc.
- Can use any Database — Oracle, MS SQL, MS Access, SAP Hana
- Currently, no Support for versions other than SAP R/3 ECC (ERP Central Component) 6.0 and SAP HANA

2.7 SAP – Points to Ponder
- Highly integrated
- On-line, Real-time
- Complex Data Structures
- Causes business process changes
- Causes organizational changes
- Very sophisticated testing of functionality and standard reports
- In-Built Controls
  – Debit Credit tally
  – Trail of all transactions entered

2.8 SAP Business One
- SAP Business One — for Small / Medium Enterprises
- Not as complex and not as expensive as SAP R/3
- Menu driven and NOT T-code (Transaction Code) driven like SAP R/3
- Not much customization is possible
- No modules: the entire package needs to be bought, and restrictions can be applied on the basis of the License purchased
- Generally unable to rely on automated controls

Questions?

SESSION 3: Accessing and Navigating SAP

3.1 Accessing SAP
- NEVER ACCESS LIVE ENVIRONMENT with INSERT/EDIT/DELETE RIGHTS
- Log-on only with "READ ONLY" Access

3.2 Logging On - SAP GUI
- To log on to an R/3 system with the SAP GUI, one needs the proprietary SAP GUI (Graphical User Interface) software loaded on the system and an internet / network / VPN connection
- Account on SAP R/3 System at Data Centre or hosting site
- Internet / Network, VPN Connection
- PC with SAP GUI

3.3 SAP GUI Configuration
- First, you need to tell the SAP GUI which system you want to log into:

3.4 System Definition
- Text description (free)
- Address of system (e.g. sapd.umsystem.edu)
- System Number
- System ID (logical name of system)
- Router (usually not required)

3.5 Configured SAP GUI
- Select System: double-click or Logon button

3.6 Logging On
- Enter Client
- Enter User
- Enter Password
- Don't worry about language — English will default in

3.7 SAP Menus
- The default screen is called the SAP Easy Access Screen.
- You can switch from one menu to the other by selecting the appropriate icon
- When you log on, you will see either your user menu (specific to your role), or the SAP standard menu (lists all transactions)
- Menus shown: SAP User Menu, SAP Standard Menu

3.8 SAP Navigation: Using the System
- Two ways to choose a task:
  – Clicking on the menu option
  – Enter a transaction code in the command field

3.9 SAP Screen Components
- Title Bar
- SAP Menu
- Standard Toolbar
- Buttons
- Navigation icons
- Command Field
- Favorites
- Application Toolbar
- Message Bar
- Status Bar
- Caution: Depending on your GUI version, the screen may look different even if the SAP version is the same!

Questions?

SESSION 4: SAP Organization

4.1 SAP R/3 Organization Structure

4.2 SAP Organization
- Instance — One installation
- Client — At least one Client per Instance
- Company Code
  – At least one Company Code per Client
  – Generally a legal entity
  – Trial Balance can be drawn at this level
- Cross Instance settings are not possible
- Cross Client settings are possible
- Cross Client consolidations are possible
- Some data can be defined at Client level, and will apply to all Company Codes of that Client

4.1 SAP Organization Contd.
- Business Area — across Company Codes
- Plant — assigned to a single Company Code
- Purchasing Organization
- Sales Organization
- Very difficult to change SAP Organization after implementation
- Definition is extremely important for functionalities and security

4.2 SAP Organization Impact on Audit
- Appropriate scoping
- New GL for Multiple Reporting(s) — IFRS, Foreign Reporting, Statutory and Tax Reporting
- Consolidations

Questions?

SESSION 5: Review of IT General Controls (Other than BASIS)

5.0 IT General Controls
ITGCs may also be referred to as General Computer Controls, which are defined as "Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated and which are therefore applicable to all applications"

5.0 IT General Controls
- ITGCs cover 5 domains
  – IT Governance
  – Access to Programs and Data
  – Change Management
  – Program Development
  – Computer Operations
- The objectives of general controls are to ensure the proper development and implementation of applications, the integrity of program and data files and of computer operations.
- Like application controls, general controls may be either manual or programmed.

5.1 IT Governance
- Management controls over IT
- IT Organization structure, including definition of roles and responsibilities within IT
- Policies and Procedures, e.g.
  – IT Security Policies
  – Change Management
  – Infrastructure maintenance
  – HR Policies
- Regulatory compliance
- Audit issues management

5.2 Access to Programs and Data
- Provisioning and modification of end-user access (SAP, Operating Systems, Databases, Networks)
- Timely revocation of user access (resigned/absconded users)
- Privileged access to SAP, Operating Systems, Databases, Networks
- Physical Accesses (access to data center, computing facilities, environmental controls)
- Password parameters

5.2 IT Risks within Access to Programs and Data
- User access is provided without appropriate prior approvals
- User access for terminated employees is not removed in a timely manner
- User access is appropriately updated to reflect changes to individuals' roles and responsibilities
- Access to the system is restricted through complex password parameters

5.2 Auditing in SAP
- Verify that access to critical system (application, operating system and database) functions is appropriately restricted on an as-needed basis
- Super-user profiles, i.e. SAP_ALL and SAP_NEW, are not assigned to any user id
- Default SAP Accounts are locked and their default passwords are changed
- Privileged (super-user) user access at the application, OS, database and network level is approved
- Complex passwords are required at all levels

5.2 Auditing in SAP
- Logging is enabled at the system level and critical configuration tables are logged
- Remote access (VPN, Web, etc.) is appropriately restricted and monitored
- User accounts that support internal processes, interfaces, job schedules, etc. are defined as system accounts (user types ‘B’ or ‘C’) to prevent individuals from using those accounts
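
Added example (not part of the original slides): three of the 5.2 checks, run over constructed rows shaped like downloads of the standard user tables USR02 and UST04. The default account names, the UFLAG lock bits and the technical-id list are assumptions drawn from standard SAP conventions or are hypothetical, not taken from the slides; default passwords cannot be tested from these extracts.

```python
"""Added example: access checks from slide 5.2 over constructed SAP user extracts."""

SUPER_PROFILES = {"SAP_ALL", "SAP_NEW"}
# Standard SAP default accounts (well-known names, not listed on the slide).
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}
# USR02-UFLAG is a bit field: 32 = central admin lock, 64 = local admin lock,
# 128 = locked after failed logons (not a deliberate lock).
ADMIN_LOCK_BITS = 32 | 64
# USR02-USTYP: A = dialog, B = system, C = communication.
SYSTEM_USER_TYPES = {"B", "C"}

# Constructed rows shaped like an SE16 download of USR02 (user master).
USR02 = [
    {"BNAME": "SAP*", "USTYP": "A", "UFLAG": 64},
    {"BNAME": "DDIC", "USTYP": "A", "UFLAG": 0},
    {"BNAME": "EARLYWATCH", "USTYP": "A", "UFLAG": 128},
    {"BNAME": "BATCH_FI", "USTYP": "A", "UFLAG": 0},
    {"BNAME": "RFC_BANK", "USTYP": "C", "UFLAG": 0},
    {"BNAME": "CLERK01", "USTYP": "A", "UFLAG": 0},
    {"BNAME": "FF_ADMIN", "USTYP": "A", "UFLAG": 64},
]
# Constructed rows shaped like UST04 (profiles assigned to users).
UST04 = [
    {"BNAME": "CLERK01", "PROFILE": "Z_AP_CLERK"},
    {"BNAME": "CLERK01", "PROFILE": "SAP_NEW"},
    {"BNAME": "FF_ADMIN", "PROFILE": "SAP_ALL"},
    {"BNAME": "DDIC", "PROFILE": "SAP_ALL"},
]
# Hypothetical list of interface / job-schedule ids obtained from the IT team.
TECHNICAL_IDS = {"BATCH_FI", "RFC_BANK", "IF_TREASURY"}


def super_user_assignments(ust04):
    """Every (user, profile) pair holding SAP_ALL or SAP_NEW; locked users included,
    because the control is that the profile is assigned to no user id at all."""
    return sorted((r["BNAME"], r["PROFILE"]) for r in ust04
                  if r["PROFILE"].upper() in SUPER_PROFILES)


def default_accounts_not_admin_locked(usr02):
    """Default accounts without an administrator lock.
    A failed-logon lock alone (UFLAG 128) is still reported."""
    return sorted(r["BNAME"] for r in usr02
                  if r["BNAME"] in DEFAULT_ACCOUNTS
                  and not int(r["UFLAG"]) & ADMIN_LOCK_BITS)


def technical_ids_not_system_type(usr02, technical_ids):
    """Technical ids that an individual could log on with (not type B or C),
    plus ids that are missing from the extract and need follow-up."""
    by_name = {r["BNAME"]: r for r in usr02}
    findings = []
    for uid in sorted(technical_ids):
        row = by_name.get(uid)
        if row is None:
            findings.append((uid, "not in extract"))
        elif row["USTYP"] not in SYSTEM_USER_TYPES:
            findings.append((uid, "user type " + row["USTYP"]))
    return findings


if __name__ == "__main__":
    print("Super-user profiles:", super_user_assignments(UST04))
    print("Default accounts not locked:", default_accounts_not_admin_locked(USR02))
    print("Technical ids:", technical_ids_not_system_type(USR02, TECHNICAL_IDS))
```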

5.3 Change Management
- Changes to application configurations, reports, programs
- Changes to Operating Systems, databases and network
- Segregation of environments (development, test and production)
- Developer Access to live data is restricted

5.3 IT Risks within Change Management
- Unauthorized changes are made to the application, operating system, database or network
- Changes are not tested sufficiently prior to implementation in the production system

5.3 Auditing in SAP
- SAP environment is segregated into the 3-box system, i.e. development, testing/QA and production (live)
- Changes are adequately and independently tested and approved before being implemented in production
- Developers should not have access to production either through developer keys or through transactions.
- Production is locked for direct changes and is opened based on specific approvals
- When direct changes are required in production, they are made only through transport requests
- Business impact analysis of changes implemented

5.4 Computer Operations
- Batch Processing and scheduling
- Interface testing
- Backup
- Disaster Recovery and BCP
- Network security

5.4 IT Risks within Computer Operations
- Failed batch jobs are not monitored and rescheduled
- Interfaces are not monitored
- System back-ups are not taken on a regular basis
- Back-ups are not tested for successful restoration
- Back-ups are not stored at an offsite location
- External access to the system is not appropriately restricted
- Data center is not designed to prevent damage due to heating, accidental fires, etc.

5.4 Auditing in SAP
- Access to batch scheduling and monitoring tools is restricted to the IT operations team
- Access to back-up tools is restricted to the IT operations team
- Failed batch jobs, interfaces and back-ups are tracked through a ticketing system and are resolved
- Back-ups are stored at an offsite location and are periodically tested for successful restoration
- External access to the system is appropriately restricted through firewalls, etc. and periodically tested

Questions?

SESSION 6: Review of SAP BASIS

6.0 SAP BASIS review
ITGC Domain – Computer Operations
- Access to maintain (create new or change/delete existing) job schedules is appropriately restricted
- Access to execute critical job schedules is appropriately restricted
- Critical batch jobs, especially those that have a financial impact, are identified and are monitored
- Failed batches are monitored and resolved
The above procedures apply likewise to any interfaces that have been set up with external applications

6.0 SAP NetWeaver / Basis
- What is SAP NetWeaver / Basis
- Role of SAP Basis team member
- IT Risks within SAP Basis
- SAP Basis review

6.1 What is SAP NetWeaver / Basis?
Layers, top to bottom:
- SAP Application
- SAP NetWeaver / Basis
- Database
- Operating System
- Hardware

6.1 What is SAP NetWeaver / Basis?
- NetWeaver is a toolkit used to enhance business functionalities delivered by SAP components.
- Often interchangeably referred to as SAP Basis (reference to the original toolkit that was the foundation of SAP R/3).
- Acts as a filter between the actual business logic in SAP R/3 and the specifics of the operating system and database underneath.
- SAP business programmers could focus on writing business logic and not have to worry whether or not it would work on the various permutations of hardware, operating system and/or database.

6.2 Role of SAP Basis team member
- Activities that an SAP NetWeaver System Administrator does day-to-day include:
  – create users/assign roles (within SAP)
  – run backup
  – check db/os space utilization, add space if necessary
  – install SAP software, configure SAP parameters
  – monitor CPU/Memory/disk space/performance
  – configure connectivity between SAP components or SAP/non-SAP components
  – SAP software change management (i.e. Transport Management).

6.3 IT Risks within SAP Basis
- Critical system administration access is not appropriately restricted, e.g.
  – super-user access across the application
  – creating/modifying user access and roles
  – direct access to data through table maintenance
  – opening production (live) system for making direct changes
  – applying tested and approved changes to the production system
  – access to execute programs directly in production system
  – access to execute operating system and database commands
  – access to application activity logs
  – access to manage interfaces with other applications
  – access to modify system parameters (passwords, logging, etc.)

6.3 IT Risks within SAP Basis
- Conflicting accesses not appropriately segregated, e.g.
  – access to develop/code a change AND implement it in the production system
  – developers have access to production environment
- Activities performed by Basis team members are not logged and reviewed periodically, e.g.
  – review of security audit logs for critical activities
  – where change transports are owned and implemented by Basis team, they are adequately and independently tested prior to implementation

Questions?

SESSION 7: Validation of Automated Controls

7. Business Processes
- Period End Financial Reporting
- Order to Cash
- Procure to Pay
- Manufacture to Inventory
- Acquire to Retire

7.1 Period End Financial Reporting: Key sub-processes
- Organization Structure: Client, Chart of Accounts, Company Code
- GL accounting master data:
  – At Chart of Accounts level
  – At Company code level
- Period Maintenance:
  – FI/MM Periods
  – 12 + 4 periods
  – Account type wise
- Foreign Exchange
  – Exchange Rates
  – Translation accounting
  – Revaluation accounting
- New GL functionality: Parallel ledgers, Real-time document splitting
Key T-Codes
- FS00 – GL Masters
- OB52 – Period Maintenance
- OB08 – Exchange Rates
- FB01 – Journals processing

7.1 Period End Financial Reporting: Key Automations
- GL marked for deletion and not blocked for posting
- Auto-posting enabled for key GL Accounts
- Document change rules not active for key fields
- Park and Post workflow for Journals
- Automated GL determination for Translation and Revaluation Gain/Loss
- Automated entries classification possible in SAP
- Inherent controls
  – Sub-ledger to GL reconciliation automated for Recon Accounts
  – No change possible to accounting-related fields once a document is posted
  – Debits = Credits
  – Some fields are inherently required in a Journal Entry
- Access to maintain periods is restricted
- Access to process / post Journals is restricted
- SOD between Maintain period and process Journals
- SOD between park and post journals in SAP

Reconciliation Account Type Auto Post Indicator

- Document Change Rule
- Foreign Exchange Accounting
- Posting Block: This master record is blocked ONLY in this Company Code
- This master record is marked for deletion ONLY in this Company Code

7.2 Order to cash: Key sub-processes
- Organization Structure: Client, Company Code, Sales Area, Plant
- Master data:
  – Customer Master Data at Client, Co Code and Sales Area level
  – Pricing master data at Sales Area level
  – Credit Limits
- Sales Orders processing
- Delivery and Post Goods Issue processing
- Sales Invoice processing
- Credit Block and release
- Release of Sales Invoice for accounting
- Receipt of Money
- Ageing of Receivables Review
Key T-Codes
- XD01 – Customer Masters
- VK11 – Price Masters
- VA01 – Sales Order
- VL01 – Delivery
- VF01 – Sales Invoice

7.2 Order to cash: Key Automations
- All Customer Masters are assigned Recon GL Accounts
- Pricing procedures appropriately configured
- Prices not changeable in Sales Orders and default from Price Masters
- Delivery requires a preceding Sales Order
- Deliveries cannot be processed in excess of Sales Order quantity
- Sales Invoice cannot be processed in excess of Deliveries
- Appropriate Revenue Recognition
- Prices in Sales Invoice not changeable and default from Price master/sales order
- Automated GL determination for Deliveries and Sales invoices
- Automated Rebate processing
- Access to maintain Price Masters is restricted
- Access to release blocked invoice is restricted
- SOD between Sales Order and Delivery and Invoicing
- SOD between Price Masters and Sales orders processing

Sales Account Determination Ageing of Debtors – settings for “Payment Terms from Invoice” Price Masters changeability

- Sales order – Delivery – Invoice linking
- Delivery quantity minus Invoice Quantity
- Quantity is calculated positively
- Copy price elements unchanged and redetermine taxes
- Order

7.3 Procure to Pay: Key sub-processes
- Organization Structure: Client, Company Code, Purchase Org, Plant
- Master data:
  – Vendor Master Data at Client, Co Code and Purchase Org level
  – Purchase Info records for Vendor and Materials
  – Material masters
- Purchase Orders processing
- Purchase Order Release
- Goods Receipts processing
- Vendor Invoice processing
- Three way match
- Release of Blocked Vendor Invoices for payments
- Payments
Key T-Codes
- XK01 – Vendor Masters
- MM01 – Material Masters
- ME21N – Purchase Order
- MIGO – Goods Receipt
- MIRO – Vendor Invoice
- F110 – Payments

7.3 Procure to Pay: Key Automations
- All Vendor Masters are assigned Recon GL Accounts
- 3 way match indicators are appropriately set in Purchase Orders
- All Purchase Orders subject to release in SAP
- Goods Receipt cannot be processed in excess of Purchase Order quantity
- Vendor Invoice cannot be processed in excess of Goods receipt
- Prices in Vendor Invoice not changeable and default from Purchase Order
- Tabs in invoice for differential amount posting should be inactive
- Vendor not changeable in invoice
- Automated GL determination for Goods Receipts and Vendor invoices
- Duplicate Invoice check
- Automated payments accounting
- Payments to Alternate Payees
- Access to release Purchase Orders is restricted
- Access to release blocked invoices is restricted
- SOD between PO create and PO release
- SOD between Vendor Masters and Payments processing

Purchase Order Approval 3 way match configuration (PO – GR - IR) 3 way match indicators in PO Invoice tolerances for 3 way match

Duplicate invoice Check Account determination

7.4 Manufacture to Inventory: Key sub-processes
- Organization Structure: Client, Company Code, Plant, Storage Location
- Master data:
  – Material Master Data – Basic, Accounting, Costing, Plant, Sales Views
  – Bill of Material
  – Routing
- Consumption processing
- Production order processing
- Other goods movements
- Inventory valuation
Key T-Codes
- MM01 – Material Masters
- CS01 – BOM
- CA01 – Routing
- MB01 – Goods Movements

7.4 Manufacture to Inventory: Key Automations
- Inventory valuation method appropriate
- Automated Accounting of goods movement
- All transactions result in value and quantity update
- Negative stock not configured
- No direct changes to material cost
- No use of sensitive movement types like 501/309/561
- Split valuation active
- SOD between Inventory count and posting Inventory count results
- Access to direct changes to Material cost is restricted
- Access to sensitive movements is restricted

- Moving Average Inventory Valuation
- Standard Cost Inventory Valuation

7.5 Acquire to Retire: Key sub-processes
- Organization Structure: Client, Chart of Depreciation, Company Code
- Master data:
  – Asset Master Data – General, Depreciation Views
- Depreciation Calculation and accounting
- Capitalization, retirement and scrapping accounting
Key Automations
- Appropriate Depreciation configuration
- Automated GL account determination
- Fields in Asset Master data
- Negative Book values not permitted
- Real-time posting and calculation
- Restricted access to Asset Masters and transactions
Key T-Codes
- AS01 – Asset Masters
- AFAB – Depreciation
- AIBU – Capitalization
- ABAVN – Scrapping
- ABAON – Retirement
- ABUMN – Transfer

Asset Master Data and Depreciation

Account determination
1 0000 Depreciation Posting to GL

Questions?

SESSION 8: Authorization Concept

8.1 Users and Authorization Concept
- Users must be set up and roles assigned to user master records before you can use the SAP System.
- A user can only log on to the system if he or she has a user master record.
- User menu and authorizations are also assigned to the user master record via one or more roles.

8.2 User Master RecordInformation

8.3 Roles and Profiles
- Roles contain Profiles. The system will automatically add the appropriate Profile(s) for each Role assigned
- Profiles contain Authorization Objects.
- A single profile consists of single or multiple Authorisations.
- A composite profile consists of multiple profiles.
- Profiles that come delivered with the system or were created from scratch can be assigned directly to users.
- Profiles that were created for a Role are attached to that Role and cannot be assigned directly. You must assign the Role and the system will then assign the user the correct Profile.
- In SAP systems, users are typically assigned the appropriate roles / profiles by the security team

8.4 Authorization Objects
- Authorization Objects are the keys to SAP security
- When you attempt actions in SAP, the system checks to see whether you have the appropriate Authorizations. (AUTH CHECK Statement)
- The same Authorization Objects can be used by different Transactions
- Example — in order to create, change or display an accounting document, a user must have the Authorization Object F_BKPF_BUK with the appropriate values

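8.5 Examples of Authorisation
Authorization Object: F_BKPF_BUK
- Field 1: Description "Activity", Technical Name ACTVT
- Field 2: Description "Company Code", Technical Name BUKRS
Example 1 – Purpose: Create posting for Apple Co.
- Authorization: ABC
- Value 1 (Activity): 01 (Create)
- Value 2 (Company Code): 1000 (Apple Co.)
Example 2 – Purpose: Change posting for Orange Co
- Authorization: XYZ
- Value 1 (Activity): 02 (Change)
- Value 2 (Company Code): 2000 (Orange Co)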

8.6 Profiles and authorisation object in SAP

8.7 SAP Structural Security Components
- SAP Profile Generator
- SAP Authorization Structure
- SAP Access Restriction Elements
- User
- USOBT_C, USOBX_C (SU24)
- Roles
- Profile
- Menu data
- Authorization field values
- Authorization object fields

8.8 Mechanism of Access Control
- User logs onto SAP.
- User authorisations are loaded into the user buffer.
- User requests transaction directly or through the menu tree.
- SAP checks if the transaction is blocked.
- SAP verifies access to the transaction code in the user buffer.
- Authorisations required are read from the ABAP program. SAP verifies that the authorisations are available in the user buffer.
- SAP allows user to perform the called transaction.
- If any of the above verifications fail – Access is denied.
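
Added example (not part of the original slides): a simplified model of the 8.8 check sequence, loaded with the two authorizations ABC and XYZ from 8.5. It shows that field values are evaluated within one authorization and are never combined across authorizations. The S_TCODE object with field TCD, the T-codes FB02 and FB03, and the wildcard/range value forms are standard SAP conventions assumed here, not taken from the slides.

```python
"""Added example: simplified model of the access-control sequence in 8.8."""

# User buffer built from the 8.5 examples, plus a transaction-start authorization.
USER_BUFFER = [
    {"name": "T_FB", "object": "S_TCODE", "fields": {"TCD": ["FB01", "FB02"]}},
    {"name": "ABC", "object": "F_BKPF_BUK",
     "fields": {"ACTVT": ["01"], "BUKRS": ["1000"]}},
    {"name": "XYZ", "object": "F_BKPF_BUK",
     "fields": {"ACTVT": ["02"], "BUKRS": ["2000"]}},
]


def value_matches(allowed, value):
    """An authorization value is '*', a single value, or a (low, high) range."""
    for entry in allowed:
        if entry == "*" or entry == value:
            return True
        if isinstance(entry, tuple) and entry[0] <= value <= entry[1]:
            return True
    return False


def has_authorization(buffer, obj, required):
    """True only if ONE authorization for obj covers ALL required field values.
    ACTVT from one authorization and BUKRS from another do not add up."""
    for auth in buffer:
        if auth["object"] != obj:
            continue
        if all(value_matches(auth["fields"].get(field, ()), value)
               for field, value in required.items()):
            return True
    return False


def call_transaction(buffer, blocked_tcodes, tcode, program_checks):
    """Follow the slide's order: blocked?, T-code in buffer?, program checks."""
    if tcode in blocked_tcodes:
        return (False, "transaction blocked")
    if not has_authorization(buffer, "S_TCODE", {"TCD": tcode}):
        return (False, "no S_TCODE authorization for " + tcode)
    for obj, required in program_checks:
        if not has_authorization(buffer, obj, required):
            return (False, "missing %s %s" % (obj, sorted(required.items())))
    return (True, "allowed")


def posting_check(activity, company_code):
    """The check an accounting-document program would issue (per 8.4)."""
    return [("F_BKPF_BUK", {"ACTVT": activity, "BUKRS": company_code})]


if __name__ == "__main__":
    cases = [("FB01", "01", "1000"), ("FB01", "01", "2000"),
             ("FB02", "02", "2000"), ("FB03", "03", "1000")]
    for tcode, actvt, bukrs in cases:
        result = call_transaction(USER_BUFFER, set(), tcode,
                                  posting_check(actvt, bukrs))
        print(tcode, actvt, bukrs, "->", result)
```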

8.9 SAP Security: Transactions
- SU01: Creates and maintains users
- SU02: Creates and maintains profiles
- PFCG: Profile Generator
- SU53: Displays LAST authorization failure
- ST01: Traces keystrokes
- SU03: Lists objects and classes
- SM04: Monitors user activity
- SE16: can be used to download SAP security tables.
- SU10: Adds or deletes a profile to all users

Questions?

SESSION 9: Segregation of Duties

9.1 SOD - Impact on Audit: SOD Conflict Risks
- Evaluation of SOD is primarily for fraud risk.
- Impact of SODs on automated controls, e.g. end-to-end access in the Purchase & Payable process.
- Multiple T-codes can perform the same function.
- Identification of SOD per transaction requires SAP expertise.

9.1 SOD - Impact on Audit: Key considerations
- Identification of "critical" SODs.
- Identification of compensating controls.
- Business Process Review controls may not address the risk of SOD conflicts.
- Extracting data for such transactions can be done using SAP standard tables
- SOD Analysis is "Point-in-time"
- Profiles also may have changed
- Risk of multiple user ids being used by the same person, e.g. generic user ids, sharing of passwords.
- Assessment of SODs through
  · T-code — SUIM
  · Tools such as Bizrights, SAP GRC
  · Auditor's proprietary tools
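
Added example (not part of the original slides): an SOD check that treats each duty as a set of T-codes, since several T-codes can perform the same function, and evaluates conflicts both per user id and per person, since one person may hold several ids. The two rules come from the 7.3 slide; the roles, user ids, the person mapping and the extra T-codes (ME21, ME28, ME29N, FK01, XK02, F-53) are constructed or assumed from standard SAP.

```python
"""Added example: SOD conflicts at user-id and person level (constructed data)."""
from collections import defaultdict

# A business function can be reached through several T-codes.
FUNCTIONS = {
    "PO create": {"ME21N", "ME21"},
    "PO release": {"ME29N", "ME28"},
    "Vendor master": {"XK01", "XK02", "FK01"},
    "Payments": {"F110", "F-53"},
}
# SOD rules named on the Procure to Pay slide.
SOD_RULES = [("PO create", "PO release"), ("Vendor master", "Payments")]

# Constructed role design and assignments (a point-in-time extract).
ROLE_TCODES = {
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_PO_APPROVER": {"ME28"},
    "Z_AP_MASTER": {"FK01"},
    "Z_AP_PAY": {"F110"},
    "Z_DISPLAY": {"ME23N", "FB03"},
}
USER_ROLES = {
    "BUYER01": {"Z_BUYER", "Z_PO_APPROVER"},
    "APCLERK1": {"Z_AP_MASTER"},
    "APCLERK1_X": {"Z_AP_PAY"},
    "VIEWER01": {"Z_DISPLAY"},
}
# Hypothetical mapping of user ids to one employee (e.g. from HR records).
PERSON_OF = {"APCLERK1": "E-204", "APCLERK1_X": "E-204"}


def tcodes_of(user_ids, user_roles, role_tcodes):
    """Union of T-codes reachable through all roles of the given user ids."""
    tcodes = set()
    for uid in user_ids:
        for role in user_roles.get(uid, ()):
            tcodes |= role_tcodes.get(role, set())
    return tcodes


def conflicts(tcodes):
    """Rules where the T-code set covers both sides, with the T-codes involved."""
    found = []
    for left, right in SOD_RULES:
        a = tcodes & FUNCTIONS[left]
        b = tcodes & FUNCTIONS[right]
        if a and b:
            found.append((left, right, sorted(a), sorted(b)))
    return found


def sod_by_user(user_roles, role_tcodes):
    report = {}
    for uid in user_roles:
        hits = conflicts(tcodes_of([uid], user_roles, role_tcodes))
        if hits:
            report[uid] = hits
    return report


def sod_by_person(user_roles, role_tcodes, person_of):
    """Same check after merging all ids that belong to one person."""
    ids = defaultdict(list)
    for uid in user_roles:
        ids[person_of.get(uid, uid)].append(uid)
    report = {}
    for person, uids in ids.items():
        hits = conflicts(tcodes_of(uids, user_roles, role_tcodes))
        if hits:
            report[person] = {"user_ids": sorted(uids), "conflicts": hits}
    return report


if __name__ == "__main__":
    print("Per user id:", sod_by_user(USER_ROLES, ROLE_TCODES))
    print("Per person:", sod_by_person(USER_ROLES, ROLE_TCODES, PERSON_OF))
```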

Questions?

SESSION 10: Data Migration - SAP

IT Migration
- IT Migration: A process of movement of any one or group of IT Assets from one state of existence to another.
- IT Assets: Hardware, Software, Data, related infrastructure
- Data Migration: A process of moving data from one data structure to another. It is required when any organisation replaces an Application or Database system

Objectives of Migration Audit
- Data Integrity
- Control Adequacy
- Business Continuity
- Effectiveness

SAP Migration - Phases
- Vendor Selection
- Process Re-engineering
- Change Management
- Data Migration

Data Migration to SAP - Process
- Determining Source and Target Data Formats
- Data Mapping (Mapping A/c Balances etc.)
- Data Conversion/cleansing
- Business Sign-off
- Data Conversion program
- Test plan and Test Data
- Data Validation and Reconciliation
- Integration Testing
- Promote to Production
- Data conversion Execution
- Data Validation
- Final Signoff by all stakeholders

Data Migration to SAP – Key Points
- Addressing Open PO’s, Open SO’s etc.
- Uploads through T-Code “LSMW”, or “LTMC” if migrating to S4 HANA
- Scrutinize the “Data Migration Account”
- Sign-Offs
- Archival of Legacy

SESSION 11: SAP Upgrade

SAP Upgrade
- SAP does not support earlier versions.
- Support for ECC 6.0 will end in 2025.
- Existing ECC 6.0 installations need to move to SAP S4/HANA.
- In a Technical Upgrade, existing functionality is not changed.
  – There is no Data Migration
- In a Functional Upgrade, all business processes and controls will have to be re-assessed for changes.
  – There will be Data Migration.

SESSION 12: Report Validation

12.1 Report Validation
- Reports may be Standard or Customized
- Customized Reports begin with Y or Z
- “System-dependent Manual Controls” also rely on Reports from SAP.
- Identify source of the Report – SAP or BW Report?

12.2 Reports – Impact on Audit
- In case ITGC are reliable
  – Standard Reports may be relied upon in case of no change in the design/logic of the standard report. Need to establish there is no change.
  – Logic of Customized Reports (beginning with Y or Z) should be validated, either through white-box or black-box testing
  – Ensure appropriateness of Input Parameters

12.2 Reports – Impact on Audit - contd.
- In case of inadequate ITGCs, additional procedures will be required to determine completeness and accuracy of the data
- Generally detailed substantive testing of reports is done to ensure completeness and accuracy of reports
- We may be able to leverage on testing performed by the client

SESSION 13: JE Extraction and Analysis

13.1 Manual JE’s – Impact on Audit
- Fraud Risk and Risk of Management Override of Controls
- JE’s are either manual or automated
- Non-reliance on ITGCs – all entries on par with Manual entries
- Substantive audit of manual JE’s not practical

13.1 Manual JE’s – Impact on Audit – contd.
- All entries posted in BSEG and BKPF Tables.
- Roll-forward to ensure completeness of population
- Cut-off to be defined for analysis
- Opening and Closing Trial Balances per SAP need to match up with audited figures

13.2 Manual JE’s – Impact on Audit – contd.
- JE Roll-forward and Analysis through use of CAATs
- Identification of “Doc-Types” used for Manual Journal Entries may be incorrect
- Identification of T-Codes used for passing manual entries extremely critical

13.2 Manual JE’s – Impact on Audit – contd.
- Criteria for analysis very critical
  – Back-dated entries
  – Transactions passed by IT users
  – Materiality overall and for specific accounts
  – Unusual Account Combination / Passed at unreasonable times
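
Added example (not part of the original slides): the roll-forward completeness check from 13.1 and the 13.2 analysis criteria, applied to constructed rows shaped like BKPF headers and BSEG line items. Manual entries are selected by T-code rather than document type, as the slides advise; the thresholds, account numbers, user ids and the T-codes FB50 and F-02 are assumptions to be set per engagement.

```python
"""Added example: JE roll-forward and criteria flags (constructed BKPF/BSEG-style rows)."""
from collections import defaultdict
from datetime import date, time
from decimal import Decimal as D

# All thresholds and lists below are assumptions to be set per engagement.
MANUAL_TCODES = {"FB01", "FB50", "F-02"}  # T-codes treated as manual postings
IT_USERS = {"BASIS01"}                     # hypothetical IT user ids
BACKDATE_DAYS = 5                          # entry date later than posting date by more than this
WORK_HOURS = (time(8, 0), time(20, 0))
MATERIALITY = D("500000")
UNUSUAL_PAIRS = {("100000", "400000")}     # hypothetical (debit, credit): cash against revenue

# Constructed headers: BUDAT = posting date, CPUDT/CPUTM = entry date/time, USNAM = user.
HEADERS = [
    {"BELNR": "100001", "TCODE": "FB01", "USNAM": "ACC01",
     "BUDAT": date(2019, 3, 29), "CPUDT": date(2019, 3, 29), "CPUTM": time(11, 15)},
    {"BELNR": "100002", "TCODE": "FB50", "USNAM": "BASIS01",
     "BUDAT": date(2019, 3, 31), "CPUDT": date(2019, 4, 13), "CPUTM": time(23, 40)},
    {"BELNR": "100003", "TCODE": "VF01", "USNAM": "BATCH_SD",
     "BUDAT": date(2019, 3, 30), "CPUDT": date(2019, 3, 30), "CPUTM": time(2, 5)},
]
# Constructed line items: SHKZG "S" = debit, "H" = credit; DMBTR = local-currency amount.
LINES = [
    {"BELNR": "100001", "HKONT": "500100", "SHKZG": "S", "DMBTR": D("1200")},
    {"BELNR": "100001", "HKONT": "200000", "SHKZG": "H", "DMBTR": D("1200")},
    {"BELNR": "100002", "HKONT": "100000", "SHKZG": "S", "DMBTR": D("750000")},
    {"BELNR": "100002", "HKONT": "400000", "SHKZG": "H", "DMBTR": D("750000")},
    {"BELNR": "100003", "HKONT": "140000", "SHKZG": "S", "DMBTR": D("5000")},
    {"BELNR": "100003", "HKONT": "400000", "SHKZG": "H", "DMBTR": D("5000")},
]
OPENING = {"100000": D("10000"), "200000": D("-3000"), "300000": D("-7000")}
CLOSING = {"100000": D("760000"), "140000": D("5000"), "200000": D("-4200"),
           "300000": D("-7000"), "400000": D("-755000"), "500100": D("1200")}


def signed(line):
    """Debits positive, credits negative."""
    return line["DMBTR"] if line["SHKZG"] == "S" else -line["DMBTR"]


def roll_forward(opening, lines, closing):
    """Opening TB + every JE line must equal closing TB.
    Returns {account: difference}; empty means the population is complete."""
    bal = defaultdict(D, opening)
    for line in lines:
        bal[line["HKONT"]] += signed(line)
    return {a: bal[a] - closing.get(a, D(0)) for a in set(bal) | set(closing)
            if bal[a] != closing.get(a, D(0))}


def flag_entries(headers, lines):
    """Apply the 13.2 criteria to manual entries; returns {document: [flags]}."""
    by_doc = defaultdict(list)
    for line in lines:
        by_doc[line["BELNR"]].append(line)
    flagged = {}
    for h in headers:
        if h["TCODE"] not in MANUAL_TCODES:
            continue  # automated postings are not part of this population
        doc = by_doc[h["BELNR"]]
        flags = []
        if (h["CPUDT"] - h["BUDAT"]).days > BACKDATE_DAYS:
            flags.append("back-dated")
        if h["USNAM"] in IT_USERS:
            flags.append("IT user")
        if h["CPUDT"].weekday() >= 5 or not WORK_HOURS[0] <= h["CPUTM"] <= WORK_HOURS[1]:
            flags.append("unusual time")
        if sum(l["DMBTR"] for l in doc if l["SHKZG"] == "S") >= MATERIALITY:
            flags.append("above materiality")
        debits = {l["HKONT"] for l in doc if l["SHKZG"] == "S"}
        credits = {l["HKONT"] for l in doc if l["SHKZG"] == "H"}
        if any((d, c) in UNUSUAL_PAIRS for d in debits for c in credits):
            flags.append("unusual account combination")
        if flags:
            flagged[h["BELNR"]] = flags
    return flagged


if __name__ == "__main__":
    print("Roll-forward differences:", roll_forward(OPENING, LINES, CLOSING))
    print("Flagged manual entries:", flag_entries(HEADERS, LINES))
```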

Questions?

Session 14: Robotic Process Automation (RPA) in SAP

Automation
What is Automation?
Automation, the applica
