SAP An Introduction October 2012. PwC Personal Introductions Marc Trevino, PwC Senior Associate...

Click here to load reader

  • date post

    22-Dec-2015
  • Category

    Documents

  • view

    217
  • download

    0

Embed Size (px)

Transcript of SAP An Introduction October 2012. PwC Personal Introductions Marc Trevino, PwC Senior Associate...

  • Slide 1
  • SAP An Introduction October 2012
  • Slide 2
  • PwC Personal Introductions Marc Trevino, PwC Senior Associate 6 years with PwC 6 years working with SAP clients 6 years of ISACA membership CISA, CPA, CIA Michael Baker, PwC Senior Associate 2 years with PwC 2 years working with SAP clients CPA Currently pursuing CISA
  • Slide 3
  • PwC Agenda What We Will Do Provide a high level overview of what SAP is SAP Authorization Concept Provide an introduction to Auditing ITGCs in SAP Segregation of Duties in SAP
  • Slide 4
  • 4 2012 PwC What is SAP?
  • Slide 5
  • PwC What does SAP stand for? Systeme, Anwendungen, Produkte in der Datenverarbeitung Systems, Applications and Products in Data Processing
  • Slide 6
  • PwC What is SAP? An order in SAP can automatically generate an inventory movement and a posting in the GL without any human intervention. SAP can track financial results, procurement, sales, manufacturing, human resources and payroll. SAP integrates all business processing through one application. Links operational results and the financial aspects of those results. SAP comprises of 18-20 modules in finance, logistics and HR. One or more SAP modules can be implemented. SAP is typically accessible by the entire business organisation. Most company information and transactions originate from SAP. Integrated Multifunctional Modular Enterprise Wide Real Time
  • Slide 7
  • PwC Overview of an SAP Environment Business process Controls (incl. automated, manual, BPR) IT General Controls Management reporting and end-user controls SAP configurable controls SAP Authorisations/User profiles SAP Basis Module Database Operating System and other Infrastructure controls Database Infrastructure Layer Application Layer Presentation Layer
  • Slide 8
  • PwC SAP Instances PR1 PH1 PC3 PE1 PA1 SAP R/3 or ECC 6.0 APO Planning SAP Human Resources SAP Customer Relationship Management SAP Procurement PS1 Solution Manager PB1 Business Warehouse
  • Slide 9
  • 9 2012 PwC SAP Authorization Concept
  • Slide 10
  • PwC Overview What is the SAP authorization concept? Security within SAP is achieved through the authorization concept The authorization is designed to ensure : Maximum security Sufficient privileges for end users to fulfil their job duties Powerful user maintenance
  • Slide 11
  • PwC User master record User requires valid user-ID and password T-code check User requires an authorization for transactions Authority check User requires an authorization for underlying authorization objects and field values 1 2 3 Overview Three levels of security in SAP
  • Slide 12
  • PwC Transaction Code (t-code) Provides access to specific functions within SAP Authorization Object: Template for security that contains fields with blank values (uncut key) SAP User Master Record (UMR) Master data for SAP users Authorization (Field Values): Authorization object with completed fields (cut key) ME21 Create Purchase Order SAP Authorization Concept The components
  • Slide 13
  • PwC Profiles Key ring that contains authorizations (cut keys) Authority Check Performed by SAP to ensure that a user ID has the correct authorization object and field value combination (cut key) to execute a particular task Roles Collection of transaction codes, authorizations and user assignments R: Display PO R: Create PO Buyer SAP Authorization Concept The components
  • Slide 14
  • PwC SAP Authorization Concept Bringing it all together Lets make an analogy the Lock and the Key To open the lock, you need the right key!
  • Slide 15
  • PwC Profile SAP Security Check Authorizations User Master Record R: Display Purchasing document R: Create Purchase Order (e.g., ME21) Buyer SAP Authorization Concept Bringing it all together
  • Slide 16
  • 16 2012 PwC Auditing ITGCs in SAP
  • Slide 17
  • PwC SAP is not a typical application / environment split Many traditional environment functions are provided within the application including: development environment change control system administration and job scheduling These functions are collectively known as SAP Basis Combined with SAP integration, this serves to complicate access security Risk based approach in a SAP environment
  • Slide 18
  • PwC SAP allows more comprehensive functionality and control, however, the following needs to be considered: Financial transactions are executed throughout the business making segregation of duties control key The SAP access mechanism is complex making security and segregation of duties a key risk Configuration has a large impact to the overall business process and controls Risk based approach in a SAP environment
  • Slide 19
  • PwC Key IT General Control Domains Consider tests for controls around: Access to programs and data Changes made to the system (Change management) Computer operations Weaknesses identified within the IT general controls can potentially undermine confirmed and tested automated controls and access controls at the business process level
  • Slide 20
  • PwC Key Areas within the SAP environment Access to Programs and Data Key areas to consider include: SAP system settings including password parameters Access to user administration functions including defining and assigning profiles to users (Profile Generator) Access to run programs/ transaction codes Assignment of SAP_ALL, SAP_NEW, other sensitive profiles Default passwords of SAP supplied accounts (SAP*, DDIC, Earlywatch, SAPCPIC etc.) Management and review of User IDs and generic User IDs Use of audit logs (SAP Table Logging)
  • Slide 21
  • PwC Key areas to consider include: Customised programs and tables should be assigned to appropriate authorisation groups. Ability to unlock production environment to make direct changes to production is restricted and monitored Segregation of duties within the change management process including developer, customizer and approver of the program change/transport Changes to SAP tables and data dictionary in the production environment is minimized Key Areas within the SAP environment Change Management
  • Slide 22
  • PwC Key Areas within the SAP environment Computer Operations Key areas to consider include: Batch jobs and interface processing should be regularly monitored, with access to amend them restricted Batch jobs run under ANOTHER user should be restricted to appropriate personnel Batch jobs run under ANY user should be completely restricted Operating and database system administrator access should be restricted
  • Slide 23
  • 23 2012 PwC Auditing SAP Segregation of Duties Example
  • Slide 24
  • 24 'Confidential Information for the sole benefit and use of [Global, beverages company]. 2012 PwC SOD Framework Overview
  • Slide 25
  • 25 'Confidential Information for the sole benefit and use of [Global, beverages company]. 2012 PwC SOD Framework SOD/SA Rule
  • Slide 26
  • 26 'Confidential Information for the sole benefit and use of [Global, beverages company]. 2012 PwC SOD Framework SOD Rule
  • Slide 27
  • 27 'Confidential Information for the sole benefit and use of [Global, beverages company]. 2012 PwC SOD Framework SOD Rule
  • Slide 28
  • 28 'Confidential Information for the sole benefit and use of [Global, beverages company]. 2012 PwC SOD Framework Object Level
  • Slide 29
  • 29 'Confidential Information for the sole benefit and use of [Global, beverages company]. 2012 PwC SOD Framework Object Level
  • Slide 30
  • 30 'Confidential Information for the sole benefit and use of [Global, beverages company]. 2012 PwC Relationships Between Layers
  • Slide 31
  • PwC Ability A Create Maintain Purchase Order t-code: ME21 Auth Object: M_BEST_BSA ACTVT: 01 Create Maintain Vendor Master Records t-code: FK01 Auth Object: F_LFA1_APP ACTVT: 01 SAP SOD Example Ability B
  • Slide 32
  • PwC Questions? 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.