SAP Security and Controls

Double invoice check in SAP

2011-11-06T09:49:00.000+08:00

SAP provides multiple controls in the area of Accounts Payable. One of them refers to the possibility of entering an invoice twice and therefore, resulting in multiple payments for the same purchase. While, it is not possible for SAP to definitively conclude that an invoice is 'duplicate', it can assist to identify 'potential duplicate' invoice based on certain parameters set in the system.
This is controlled through the 'double invoice check' indicator in the vendor master record. If this indicator is set for a vendor, it means that incoming invoices and credit memos are checked for double entries at the time of entry. In this case, SAP checks whether the invoice documents have already been entered in the Logistics invoice verification. In checking for duplicate invoices, SAP compares the following characteristics by default:
1. Vendor
2. Currency
3. Company code
4. Gross amount of the invoice
5. Reference document number
6. Invoice document date.
If all of these characteristics are the same, the system issues a message that can be customized. SAP only checks for duplicate invoices in Materials Management if you enter the reference document number upon entering the invoice.

In Customizing for the Logistics invoice verification, the following characteristics can be disabled for duplicate invoice checks:

1. Company code

2. Reference document number
3. Invoice document date.
This means that you can increase the likelihood that SAP will find a duplicate invoice, because you can reduce the number of characteristics checked.

SAP then checks whether there are FI or Accounting documents that were created with the original invoice verification or the Logistics verification, and where the relevant criteria are the same. Depending on the entry in the field "Reference", one of the following checks is carried out:

1. If a reference number was specified in the sequential invoice/ credit memo, SAP checks whether an invoice/credit memo has been posted where all the following attributes agree:
    a. Company code
   b. Vendor
    c. Currency
   d. Document date
   e. Reference number.
2. If no reference number was specified in the sequential invoice/ credit memo, the system checks whether an invoice/credit memo has been posted where all the following attributes agree:
   a. Company code
   b. Vendor
   c. Currency
   d. Document date
   e. Amount in document currency.

As a good practice, you should ensure that 'double invoice check' indicator is set as a 'mandatory' field in the vendor master configuration. This ensures that the indicator is set for all vendors. Alternatively, perform data analytics to ensure that this field is set for all vendors.
Then, check the duplicate invoice check configuration parameters to determine whether any of the three configurable parameters (i.e., Company code, Reference document number and Invoice document date) have been disabled (the more parameters disabled, better is the control).

"Alternate Payee" in Vendor Master

2011-10-26T11:13:00.000+08:00

SAP payment program can make payment to a vendor other than the one to which the invoice was posted. Payment is made to an 'alternative payee', which must be specified in the vendor master record.

An alternative payee can be defined in the ‘general data area’ and in the ‘company code data area’. The alternative payee specified in the general data area is used by every company code. If an alternative payee is defined in both areas, the specification in the company code area has priority.

This field can be misued for fraud and should be controlled. As a securtity control, there should be a regular review of vendor masters with 'alternate payee' and appropriateness of the same. Ideally, if an organization does not allow this practice, the ‘alternate payee' field in the vendor master records should be set to ‘suppressed’.

SAP NetWeaver J2EE Vulnerability

2011-08-18T11:25:00.000+08:00

It has been a while since I last blogged. However, the recent news surrounding the SAP NetWeaver J2EE vulnerability is too serious to skip. I am referring to the recent news about Alexander Polyakovk, a SAP technical security expert, who presented a security hole in SAP's J2EE engine, which is part of its NetWeaver platform.

According to his presentation at Black Hat security conference in Las Vegas, this vulnerability allows an attacker to create new administrator accounts in remotely.

Broadly, the steps are as follows:
1. Search for a particular string that was typically an indicator of the Management Portal for SAP systems using Google
2. Use a Perl script to executed the actual attack in two stages - the script would first create a new user, and then promote the new user to administrator
3. Logpn to the vulnerable SAP system using this user ID
According to his calculations, around 50 per cent of all SAP installations are affected by the bug in the J2EE Engine.

Thankfully, to provide SAP to come up with patch to protect against this vulnerability,

The script will be released by the researcher three months after the publication of an update by SAP, Alexander Polyakovk has not provided the details of the vulnerability.

Follow me for more updates soon!

Audit Information System (AIS)

2011-05-04T17:09:00.000+08:00

Audit Information System (AIS) is a native SAP tool to assist in auditing both technical and business controls in SAP system. In verions SAP R/3 4.6c and earlier, AIS could be accessed using transaction SECR. As of SAP Release 4.6C (Software component SAP_APPL, Support Package SAPKH46C27), the AIS program concept has been changed from the former menu technique (Transaction SECR) to a role-based maintenance environment (Transaction PFCG).
The AIS now consists of a number of single roles. You can obtain an overview of the AIS standard roles in your system as follows:
a. Call up Transaction PFCG
b. Enter "SAP*AUDITOR*" in the "Role" field.
c. Trigger with the F4 key. Then choose "Single roles".

The single roles are divided into two groups:
a. Transaction roles
b. Authorization roles

The transaction roles contain a menu, but have no authorization values. The authorization roles contain authorization values, but have no menu. All roles are delivered without an authorization profile.

Authorizations are usually generated on the basis of the authorization default values that are adapted to the transactions in the role menu. For AIS transaction roles, however, the authorizations had to be adjusted significantly afterwards (only display authorizations are to be permitted). As a simplified solution, special authorization roles with appropriate authorizations are available for AIS.

All single roles are combined in composite roles to provide a better overview.
a. SAP_AUDITOR: AIS - Audit Information System
b. SAP_AUDITOR_TAX: AIS - Tax Audit

The detailed information can be obtained in SAP Note 451960.

What is SNC in SAP?

2011-05-02T10:04:00.000+08:00

Secure Network Communications (SNC) is a software layer in the SAP system architecture that provides an interface to an external security product. With SNC, you can strengthen the security of your SAP system by implementing additional security functions that SAP systems do not directly provide (for example, the use of smart cards for user authentication). SNC provides security at the application level. This means that a secure connection between the components of the SAP system (for example, between the SAP GUI and the SAP application server) is guaranteed, regardless of the communication link or transport medium. You therefore have a secure network connection between two SNC-enabled communication partners.
You cannot apply SNC protection to the communication path between your application servers and your database. Therefore, we recommend you keep your application and database servers in a secured LAN that is protected with a firewall and SAProuter.

There are well-known cryptographic algorithms that have been implemented by the external security products supported and with SNC, you can apply these algorithms to your data for increased protection. All communication that takes place between two SNC-protected components is secured (for example, between the SAP GUI for Windows and the application server). Also, the security product can be changed any time without affecting the SAP system.

The following three level of security protection can be applied using SNC:
1. Authentication Only
2. Integrity protection
3. Privacy protection

What is SAP_NEW profile in SAP?

2011-05-02T09:56:00.000+08:00

SAP_NEW is a SAP standard Profile which is usually assigned to system users temporarily during an upgrade to ensure that the activities and operations of SAP users are not hindered during the Upgrade. It contains all the necessary objects and transactions for the users to continue their work during the upgrade. It should be withdrawn once all upgrade activities is completed, and replaced with the now modified roles as it has extensive authorizations. The SAP_NEW profile grants unrestricted access to all existing functions for which additional authorization checks have been introduced. Users can therefore continue to work uninterrupted with functions not previously subject to authorization checks. This ensures upwards compatibility.

Usage during an upgrade: For functions that were not subject to any authorization checks previously, all users were authorized irrespective of their user profiles. If all users have the profile SAP_NEW in their master record, they still have the authorization for the previously unprotected functions after an upgrade. The super user or operator can then decide after the upgrade who should keep the authorizations concerned. These users are assigned the new authorizations in their standard profile. Afterwards the operator or administrator will remove the individual profiles SAP_NEW_ from the collective profile SAP_NEW.
For each release SAP_NEW contains a single profile SAP_NEW_.

Internal Transaction Calls

2011-04-28T00:55:00.000+08:00

In SAP, many transactions are called internally by another transaction. For example, when a user execute transaction OB52 to open or close an accounting period, OB52 internally calls transaction SM30 to update the corresponding tables. This ensures that the end user does not explicitly require access to SM30.
Lots of people ask me if there are ways to check such internal transaction calls in SAP. The answer - through the tables TSTCP or TCDCOUPLES. Table TCDCOUPLES is more user friendly and I will recommend use of this table if you are trying to identify internal transaction calls in SAP.

SAP Security Training | 22 - 23 April 2011 | Bangalore, India

2011-02-18T13:16:00.000+08:00

MANTRAN announces the dates for its next SAP security training at Bangalore, India on 22 and 23 April 2011. The training covers various topics related to SAP authorizations and BASIS security and is very useful for anyone interested in SAP security. Email at trainings@mantranconsulting.com for details.

Introduction
SAP is one of the most popular ERP system used across industries. SAP system hosts sensitive and confidential enterprise data and its security is paramount to any organization. Therefore, SAP security is an integral part of information security framework of an organization. While most of the IT audits focus on infrastructure security, security of the core business system such as SAP is often ignored. The primary reason is lack of knowledge and expertise in SAP security.

SAP security is a complex area and includes various areas such as authorizations, segregation of duties, BASIS controls, and business process controls. SAP provides highly granular and detailed security and controls functionalities, which can be configured as per organization’s requirements. Auditing SAP security requires specialized knowledge and expertise.
SAP security training workshop aims to cover some of the important security controls in SAP, which an IT auditor should be aware of. A good understanding of SAP security will enable IT auditors to ensure a comprehensive IT audit.

SAP security training details
Duration: 2 days
Training content: The SAP security training will cover the following areas:
1. Introduction:
    a. Overview of SAP
    b. Navigating SAP
    c. SAP architecture and landscape
2. Authorizations and Segregation of Duties (SoD):
    a. Importance of SAP authorizations
    b. SAP authorizations concept – authorization object and field, authorization, profile and role, and user master record
    c. Profile – manual, generated, single and composite
    d. Difference between profile and role
    e. Authorization checks carried out by SAP
    f. Profile generator – prerequisites, how to use profile generator, advantages and concerns
    g. SoD – importance, underlying causes of SoD and compensating controls
    h. SAP authorizations and SoD review – objectives, manual vs automated, native tools in SAP and commercial tools
3. BASIS controls:
    a. System parameters in SAP
    b. Access controls - password controls, user types, standard users security (SAP*, DDIC, SAPCPIC, EARLYWATCH), privileged profiles (SAP_ALL and SAP_NEW), standard user reports and tables
    c. Change controls - SAP landscape, system and client, system and client settings, segregation of environments, transport organizer, transport management system, developer Access Key
    d. Audit logs in SAP - security audit logs, table logs, etc
    e. Securing tables and reports
4. Important transactions, tables and reports

About the trainer
MANTRAN is a Singapore-based leading information security consulting and training company with primary focus on SAP security and controls.
Barun Kumar is the founder and a Director with MANTRAN Consulting Pte. Ltd. Barun was previously an Associate Director with IT Advisory practice of KPMG LLP in Singapore, AVP with Technology Risk Services practice of EXL Service and Manager with IT Advisory practice of KPMG in India.
Barun is an engineer, MBA, CISA, Approva Certified Professional (ACP) and ITIL v3 certified professional.
Barun has delivered many SAP trainings – both external trainings to corporate clients as well as internal trainings. This includes a large automobiles company in Pune, an engineering conglomerate in Bangalore, an airlines company in Singapore, an IT consulting company in Bangalore, and an agribusiness in Jakarta. Barun has also conducted many public trainings, which includes one with ISACA local chapter in Mumbai and independent trainings in Singapore.
Barun has more than 10 years of experience (including more than 8 years with Big 4) in SAP security services and has performed SAP security projects in India, Singapore, South Africa, Belgium, France, Switzerland, UK and US.
Barun has designed and audited SAP authorizations, SoD and BASIS controls for many large companies.

SAP Security Training | 24 - 25 Feb 2011 | Singapore

2011-01-26T10:26:00.001+08:00

MANTRAN is conducting a SAP security training on 24 - 25 Feb in Singapore. The training covers various topics related to SAP authorizations and BASIS security and is very useful for anyone interested in SAP security.

Visit http://www.mantranconsulting.com/sap_sc_training.html for details. Alternatively, email me at barunkumar@mantranconsulting.com for details/ registration forms.

Some of the topics covered in the training are as follows:
1. SAP architecture: A typical SAP system is based on three-tier architecture. SAP provides flexibility in designing system landscape, which can be very complex for large organizations. SAP is compatible with all major hardware, OS, and database.
2. Authorizations: SAP authorization concept allows users to perform their work while securing transactions and programs from unauthorized access. It is a complex and scalable concept where approximately 2,000 authorization objects controls access to more than 100,000 transactions. The authorization components include user master records, roles (single and composite), profiles, authorizations, authorization objects and field values (activity, organization value, etc) and can be customized to organization’s requirement.
3. Segregation of Duties (SoD): SoD ensures that no one individual has complete control over major phase of a process and is enforced through a combination of authorizations and mitigating controls.
4. Profile parameters: Profile parameters control various security functionalities such as password controls, session security, auditing, etc.
5. Super users: SAP is shipped with many default super users, which serve specific purpose. It is important to secure these users. In addition to changing default passwords, additional measures are required for some super users like SAP*.
6. Auditing: Auditing is an important tool and SAP provides multiple auditing options. Some of the auditing features are change documents, document flow, security audit logs, table logs, transaction usage logs, etc.
7. Change management: Client setting and transport path are important to control unauthorized changes in SAP. Client setting can help ensures that changes cannot be made directly in SAP production system.

SAP Security Online Training

2010-11-08T16:45:00.000+08:00

MANTRAN announces dates for SAP security training series. Please visit http://www.mantranconsulting.com for details.
You can directly visit http://www.mantranconsulting.com/sap_sec_online_training.html for course details, schedule, trainer profile and registration details.

SAP Security Online Training Series

2010-11-03T10:54:00.000+08:00

Mantran Consulting Pte Ltd (MANTRAN) provides customized SAP security trainings that assist in understanding various technical, operational and financial risks associated with using SAP system and identifying controls to address these risks.
These trainings are useful for SAP security professionals including user administrators, change managers, BASIS administrators, IT auditors, operational/ financial auditors, ABAP professionals, business analysts, and any other users with interest in SAP security.
MANTRAN conducts regular classroom trainings in Singapore and India. Based on feedback and regular requests, MANTRAN has decided to conduct online SAP security trainings to suit participants who are unable to attend classroom trainings. The training has been divided into following three modules:

Each module is independent and can be taken individually. However, participants are encouraged to take SAP-OL-001 (Authorizations – design and review) before taking SAP-OL-002 (Segregation of Duties – design and review).
These are Instructor Led Training (ILT) using presentation slides and demonstrations. Trainings will be conducted by Barun Kumar (Director, Mantran Consulting Pte Ltd), who is an experienced SAP security consulting professional and trainer with approximately 10 years of SAP security experience. He has conducted multiple SAP security trainings in Singapore, India and Indonesia.
All participants will also be provided complimentary MANTRAN SAP security flashcard and self-learning aids through email upon successful registration.
‘Certificate of Completion’ will be awarded upon successful completion of training and passing of online quiz after training.
Payment can be made using Paypal or direct bank transfer. Details of the payment options will be available soon on Mantran website (http://www.mantranconsulting.com)

The detailed course content, schedule and fee are provided below.

SAP-OL-001. Authorizations – Design and Review (SAP-OL-001)
Date and time: 30 November 2010, 9:00 PM Singapore/ 6:30 PM India/ 4:00 PM Qatar
Duration: 4 hours (4 CPE hours)
Course content:

Importance of SAP authorizations
SAP authorizations concept

Authorization object and field
Authorization
Profile and role
User master record

Manual profile and generated profile
Single and composite profile
Single and composite role
Authorization checks in SAP
User buffer
Profile generator

Prerequisites
How to use profile generator
Advantages and concerns
Important tables and transactions

Important transactions, tables and reports
Secure SAP authorization design
SAP authorizations review

Objectives
Manual vs automated
Native tools
Commercial tools

SAP-OL-002. Segregation of Duties – Design and Review (SAP-OL-002)

Date and time: 16 December 2010, 9:00 PM Singapore/ 6:30 PM India/ 4:00 PM Qatar
Duration: 2 hours (2 CPE hours)
Course content:

What is Segregation of Duties (SoD)
Importance of SoD
Underlying causes of SoD
SoD framework
Designing SoD framework

Business rules
Authorizations
Other manual or automated controls
Compensating controls

Reviewing SoD

Objectives
Manual vs automated
Native tools
Commercial tools
Compensating controls

Participants are encouraged to complete SAP-OL-001 before taking this module.

SAP-OL-003. BASIS/ Technical Controls in SAP (SAP-OL-003)
Date and time: 20 January 2011, 9:00 PM Singapore/ 6:30 PM India/ 4:00 PM Qatar
Duration: 4 hours (4 CPE hours)
Course content:

Information security fundamentals
System parameters
Access controls

Password controls
User types
Standard users – SAP*, DDIC, SAPCPIC, EARLYWATCH
Privileged profiles – SAP_ALL and SAP_NEW
Standard user reports and tables

Change controls

SAP landscape, system and client
System and client settings
Segregation of environments
Transport organizer
Transport management system
Developer Access Key
Important authorizations and tables

Scheduled jobs
Audit logs

Security audit logs
Table logs

Securing tables and reports
Locking transactions
Important transactions

Please email at trainings@mantranconsulting.com for details and registration.

What is '&NC&' in authorization groups

2010-10-30T14:59:00.000+08:00

Access to specific tables and reports can be restricted using authorization groups. For example, if we consider that user 'JOHN' has access browse table using transaction SE16 but as user administrator, you want to restrict the access to only 10 specific tables. In SAP, these 10 tables can be assigned to one authorization group (let's say the authorization group 'ABCD'). When you create the role to be assigned to JOHN, you assign value 'ABCD' in the authorization group field for authorization objects S_TABU_DIS and S_TABU_CLI. This will ensure that JOHN can browse only these 10 tables which belong to authorization group 'ABCD'.

The same concept applies to reports as well. Table TRDIR stores the authorization groups for all tables while table TDDAT stores the authorization groups for all reports in SAP.

You may notice that some tables have no authorization groups - which basically means that any user with authorizations to browse tables can browse these tables. The user does not need any authorization group in her profile to browse these tables.

You may also notice that some tables have an authorization group '&NC&'. '&NC&' is slightly better from having a BLANK authorization group since only users with any authorization groups in their profile can access these tables. So, it doesn't matter what authorization group is specified in the user's profile - as long as there is an authorization group in the user profile, the user can access tables assigned to authorization group '&NC&'.

So, it is best to have specific authorization groups assigned to each table you want to protect against unauthorized access. For others, at least have the authorization group as '&NC&' (Not the best option but still better than leaving it blank!)

Restriction on number of roles assigned to users

2010-10-29T07:55:00.000+08:00

Many people ask me if there are any restriction on number of roles that can be assigned to a user and whether this is a configurable setting. SAP actualy does not restrict number of roles that can be assigned to a user. However, due to data structure of the table USR04 (which stores the profiles assigned to a user), maximum 312 profiles can be assigned to a user.
The maximum length of the field PROFS in table USR04, which stores profiles assigned to a users is 3750 characters. Out of this, first 2 characters are used for 'change indicator' ad therefore 3748 fields are available to store rofile names. The profile name can be 12 characters long and therefore, maximum profile that can be stored for a user is 312.
Change indicator indicates informatin about the status of the user (i.e., user created 'C' or user changed 'M').
Earlier, function module GET_AUTH_VALUES assumed that a user can be assigned maximum 300 profiles (although actually 312 profile assigments is technically possible). When more than 300 profiles were assigned to a user, the function module discarded all found profiles. This limitation was solved by SAP Note 841612, whcih provided a solution for increasing the number of usable profiles per user from 300 to the maximum value of 312.
BTW, there is no restrictions on number of transactions that can be assigned to a role - just use the '*' wild character and you can assign all transactions to a role!

Developer Access Key

2010-09-30T21:29:00.002+08:00

SAP developers require two things before they can actually do development work in SAP - right authorizations and a developer access key. As with everything else in SAP, when a developer tries to execute a transaction, she will need the required authorizations in her profiles. In addition, she needs to be assigned a developer access key. The authorizations can be checked in the user master records while the developer access key can be checked using table DEVACCESS. Table DEVACCESS will show the user ID and the developer key assigned to the user ID. You should only expect to see name of developers in this table.

But what happens when the entry for a developer is deleted in the DEVACCESS table but the developer continues to use the same user ID? The answer is that the developer can still use the old developer access key.

The reason: Developer access key is nothing but an algorithm based on system number and SID and some other system values (SAP does not reveal the information). The developer access key is validated by SAP using a Kernel level C system program ''CHECK_DEVELOPER_KEY'. So, even if the developer access key has been deleted for a user ID in the DEVACCESS table, she can still use the same developer access key.

So the control should be to:
1. If the developer still works in the company and only the job role has changed, remove the developer authorizations in the user master records.
2. You may also want to assign a new user ID with the required access instead of using the existing user ID - just in case she gets the authorizations by mistake!

One more suggestion, turn on table logging for table DEVACCESS to review all the changes.

Logistics Invoice Verification - Blocking of Invoices

2010-09-26T13:57:00.000+08:00

When an invoice is entered into SAP in purhcasing, the invoice may be blocked either manually or automatically. The automati block may be due to any of the following reasons:
1. Variances - Invoice may be blocked due to variance between invoice, goods receipt and purchase order. These variances are defined as 'Tolerance Keys' (refer IMG > Materials Management > Logistics Invoice > Verfication Invoice Block > Set Tolerance Limits). Each tolerance key defines the permissible variances for difference in quantity, price, schedule, etc.
2. Amount of an invoice item - Invoice may be blocked if any item contains a large amount (refer IMG > Materials Management > Logistics Invoice > Verfication Invoice Block > Item Amount Check)
3. Stochastic Block - SAP can be configured to block automatically a random sample of invoices processed via invoice verification. This is referred to as ‘stochastic blocking’ and can be configured to block a specified percentage of all invoices or a percentage of all invoices above some threshold value (refer IMG > Materials Management > Logistics Invoice > Verfication Invoice Block > Set Stochastic Block)

When an invoice is blocked, it cannot be paid. Blocked invoice needs to be released before they can be paid.

SAP Security & Controls Training | Bangalore, India | 11 - 12 Sep 2010

2010-07-15T09:40:00.000+08:00

MANTRAN (www.mantranconsulting.com) is conducting SAP Security & Controls training workshop in Bangalore, India on 11 and 12 September 2010. The workshop is being organized in partnership with with CPA iRisk Advisors Pvt Ltd (www.cpairiskadvisors.com).
The workshop will primarily cover three areas – authorizations, segregation of duties and BASIS controls. The detailed content is as follows:
Module I: SAP authorizations and Segregation of Duties

Module II: BASIS Controls

The workshop will be conducted by Barun Kumar, who is the founder and a Director with MANTRAN Consulting Pte. Ltd. Before starting MANTRAN, Barun was an Associate Director with IT Advisory practice of KPMG LLP in Singapore. Barun has previously worked as an AVP with Technology Risk Services practice of EXL Service and as Manager with IT Advisory practice of KPMG in India.
Barun is an engineer, MBA, CISA, Approva Certified Professional (ACP) and ITIL v3 certified professional.
Barun has delivered many SAP trainings – both external trainings to corporate clients as well as internal trainings. The external training includes a large automobiles company in India, an engineering conglomerate in India and an airlines company in Singapore.
Barun has more than 9 years of experience (including more than 8 years with Big 4) in SAP security services and has performed SAP security projects in India, Singapore, South Africa, Belgium, France, Switzerland, UK and US.
Barun has designed and audited SAP authorizations, SoD and BASIS controls for many large companies.

Apart from the SAP security and controls training slides, the participants will also receive the following complimentary deliverables:
• One-page SAP security flash card
• SAP R/3 Report Navigator tool (summary of various useful SAP reports in a HELP file format)
• SAP Table Reference tool (summary of various useful SAP tables and their interrelationship with hyperlinks between tables for easy navigation)
Participation certificate will be provided to all participants.

Other details:
Date: 11 and 12 September 2010
Location: Bangalore
Course fee: INR 15,000 per participant (Early bird discount of INR 1,500 applies for registration before 15 Aug 2010)
Contact details:
India: +91 (124) 435 4214 ( CPA iRisk Advisors Pvt Ltd, Level 4, Augusta Point, Golf Course Road, Gurgaon- HR- 122002)
Singapore: +65 8118 9972 (Mantran Consulting Pte Ltd, 14 Robinson Road, #13-00 Far East Finance Building, Singapore 048545)
Email us at trainings@mantranconsulting.com for registration form.

Visit http://www.mantranconsulting.com/sap_sc_training.html for further details.

USer group 'SUPER'

2010-07-14T22:37:00.000+08:00

The SUPER user group has a special status in the predefined user profiles. The users that are assigned to group SUPER can be maintained or deleted only by the new superuser that you define, provided that:

1. You use the predefined profiles
2. You follow SAP's other user and authorization maintenance recommendations.
Authorizations can be restricted to specific user groups.

User group SUPER: Assign all user and authorization administrator user IDs to the group SUPER. If you use the predefined user maintenance authorizations, this group assignment ensures that user administrators cannot modify their own user master records or those of other administrators. Users in group SUPER can be maintained only by administrators that have the predefined profiles S_A.SYSTEM or SAP_ALL.

SAP Security Practices Survey 2010 Report - Protecting SAP*

2010-07-12T16:58:00.000+08:00

Here is another extract from the MANTRAN SAP Security Practices Survey Report 2010:
SAP* is a special super user in SAP and has system-wide access. It is hard-coded in SAP, cannot be deleted and has special properties. These properties also create security issues, which needs to be addressed. Most organizations use multiple controls to secure SAP*. Surprisingly, only 54% organizations have changed the default password of SAP* and only 57% have disabled special property of SAP* (using parameter 'login/no_automatic_user_sap*').

There is no absolute ‘right’ way of securing SAP*. Usually it takes a combination of security controls to completely secure SAP*. Mantran recommends the following:

1. Configure parameter 'login/no_automatic_user_sap* to ‘Y’
2. Remove powerful profiles from SAP*
3. Change default password and lock the user ID.

SAP Security & Controls Training | 22 - 23 July | Singapore

2010-06-24T00:48:00.003+08:00

Mantran Consulting Pte Ltd is conducting a 2-day SAP security & controls workshop in Singapore on 22 and 23 July 2010. Please find attached the details in the attached brochures.
Course Content: The workshop will primarily cover three areas – authorizations, segregation of duties and BASIS controls.
Module I: SAP authorizations and Segregation of Duties

Module II: BASIS Controls

Deliverables

Apart from the SAP security and controls training slides, the participants will also receive the following complimentary deliverables:

• One-page SAP security flash card

• SAP R/3 Report Navigator tool (summary of various useful SAP reports in a HELP file format)

• SAP Table Reference tool (summary of various useful SAP tables and their interrelationship with hyperlinks between tables for easy navigation)
Participation certificate will be provided to all participants.
Registration Details
Date: 22 and 23 July 2010
Course fee: SGD 1,200 per participant
Payment options: Payment can be made by crossed cheque to Mantran Consulting Pte. Ltd. or direct transfer to the following account:
Account Name: Mantran Consulting Pte Ltd
Bank Name: OCBC/ Bank Code: 7339/ Branch Code: 612
Swift Code: OCBCSGSG
Account Number: 612860379001
Cancellation and refund policy: Mantran Consulting Pte Ltd reserves the right to change the venue, date, speakers, and program or cancel the program. A full refund of fees will be made in the event of cancellation.

If you are interested in the training, please contact us at training@mantranconsulting.com or Barun Kumar at +65 8118 9972.

Mantran Consulting Pte. Ltd.
14 Robinson Road #13-00
Far East Finance Building
Singapore 048545
Tel. +65 6401 5160
Fax. +65 6323 1839
Web. www.mantranconsulting.com

SAP Security Practices Survey Report - 2010

2010-06-05T13:43:00.000+08:00

MANTRAN has released its first SAP Security Practices Survey Report. The are being sent to the participants.
One of the main findings from the survey is that the general awareness about business process controls in SAP is less compared to technical controls (i.e., BASIS and authorizations).
For example, 'stochastic block' for invoice checks and 'PMIN' for pricing are not used by a large number or organizations. 81% organizations are not using 'stochastic block' for invoice checks. This included 16% organizations, which said that they do not need this functionality.

Vendor invoices can be randomly blocked for further checks. If the stochastic block is active and an invoice, which is not subject to any other blocking reason, is posted, it can be randomly selected for blocking. Stochastic block is not set at item level, but for the whole invoice. If a stochastic block is set when the invoice is posted, SAP automatically sets an ‘R’ in the field ‘Payment Block’ in the document header data. There is no blocking indicator in the individual items.
84% organizations do not use 'PMIN' for pricing. This includes 24%, who said that they do not need this functionality.

When pricing is done for a sales document line item, if the net price of the item falls below the minimum, the system should automatically compute a surcharge to bring the price up to the minimum price. The minimum price can be defined using condition type PMIN. The system compares the minimum price with the net price calculated to that point in the pricing procedure. If the minimum price is not met, the system computes the necessary surcharge and assigns it to the PMIN condition line.

I will continue to bring more snippets from the survey report in my blogs in coming weeks. If you wish to receive a copy of the report, please email me at barunkumar@mantranconsulting.com. Visit http://www.mantranconsulting.com/survey.html for more details on the survey.

SAP Security and Controls Training Schedule for 2010

2010-05-19T10:28:00.000+08:00

Security and controls in SAP is a complex area and requires specialized knowledge and training. SAP provides highly granular and detailed security and controls functionalities, which can be configured as per organization’s requirements.

Some of the key concepts in SAP security & controls are as follows:

SAP architecture: A typical SAP system is based on three-tier architecture. SAP provides flexibility in designing system landscape, which can be very complex for large organizations. SAP is compatible with all major hardware, OS, and database.
Authorizations: SAP authorization concept allows users to perform their work while securing transactions and programs from unauthorized access. It is a complex and scalable concept where approximately 2,000 authorization objects controls access to more than 100,000 transactions. The authorization components include user master records, roles (single and composite), profiles, authorizations, authorization objects and field values (activity, organization value, etc) and can be customized to organization’s requirement.
Segregation of Duties (SoD): SoD ensures that no one individual has complete control over major phase of a process and is enforced through a combination of authorizations and mitigating controls.
Profile parameters: Profile parameters control various security functionalities such as password controls, session security, auditing, etc.
Super users: SAP is shipped with many default super users, which serve specific purpose. It is important to secure these users. In addition to changing default passwords, additional measures are required for some super users like SAP*.
Auditing: Auditing is an important tool and SAP provides multiple auditing options. Some of the auditing features are change documents, document flow, security audit logs, table logs, transaction usage logs, etc.
Change management: Client setting and transport path are important to control unauthorized changes in SAP. Client setting can help ensures that changes cannot be made directly in SAP production system.

Our SAP security and controls training covers all these concepts and more.

Why attend this training?
As more and more organizations use SAP to support their business processes, there is a growing need for SAP security & controls professional. Global demand for SAP security & controls professionals is increasing and this workshop is a big step in becoming one.

This SAP Security & Controls workshop covers various key concepts in SAP security & controls. This workshop aims to equip participant with in-depth understanding of key aspects of SAP security and controls. The workshop includes live demo and hands-on exercises to assist participant in applying the learning.

Some of the benefits of attending this workshop are as follows:

Gain in-depth knowledge of SAP security and controls functionalities
Simulate real life scenarios in dealing with security and controls issues in SAP
Real-time demos and exercises to demonstrate key concepts
Complementary SAP security & controls aids.

All participants will receive a certificate of attendance upon successful completion of the training.

Training Schedule
The training schedule for June – Aug 2010 is as follows:

Singapore: 17 – 18 June 2010
India – Bangalore: 25 – 26 June 2010
India – Pune: 9 – 10 July 2010
India – Mumbai: 23 – 24 July 2010
India – New Delhi: 6 – 7 Aug 2010
India – Coimbatore: 29 – 30 June 2010
India – Cochin: 27 – 28 July 2010
India – Kolkata: 9 – 10 August 2010
Malaysia – Kuala Lumpur: 16 – 17 July 2010

Notes:

The training does not cover the controls related to various business processes such as sales, purchase and financial accounting. The schedule for SAP business process controls training will be released separately.
We also provide in-house corporate SAP security & controls trainings covering these areas and various business process controls. Please email us at trainings@mantranconsulting.com for in-house corporate trainings.
Mantran Consulting Pte Ltd reserves the right to change the venue, date, speakers, and program or cancel the program. A full refund of fees will be made in the event of cancellation.

Registration/ Inquiry
To ensure good learning environment and allow participants to interact with the trainers, we restrict the number of participants for each training. Training seats are awarded on first come first serve basis. Therefore, please register at the earliest. Registration can be confirmed only after receipt of payment.

Please contact us at trainings@mantranconsulting.com to receive detailed information about the training course content, fees and registration.

Who is responsible for SoD - business or IT?

2010-05-18T16:11:00.002+08:00

Who is responsible for Segregation of Duties (SoD) - business or IT? Most of the organizations debate this some point of time in their journey to establish a sustainable SoD framework. And it is often a difficult question to answer.
SAP authorizations are maintained by SAP team (i.e., IT team) - so, some say, SoD should also be their responsibility. But the authorizations are decided and approved by business - SAP team only implements what is told to them by business. Therefore, other say, SoD is the responsibility of business.
And it is not unusual for anyone to be willing to take up the responsibility. After all, SoD is one of the most common audit issues these days. And whoever takes the responsibility is sure of getting some flak for the issues. SoD is not a simple thing to implement - it takes a lot of planning, continuous monitoring and improvement to sustain. Therefore, the results take time to show up. The flak, in most cases, will come faster than the result. And that's the reason no one wants to be responsible for SoD.
SoD, in my view, is a techno-functional area, which requires close coordination between business/ functional and IT/ SAP teams. The organization need to understand the concerns of each party involved in implementing and managing SoD and ensure that their concerns are addressed. The business team should be provided enough time and resources to come up with a good SoD rule/ matrix and the IT team to implement it. There are no quick fixes to SoD - not only takes lots of resources and time to implement, it takes continuous support from both business and IT to sustain it. Business needs to take decisions regarding the potential conflicts - whether to accept the risk or remediate it. They often need to decide the right remediation - change in user access rights or change in business process or a new mitigating control. IT need to continuously monitor user access rights to identify any potential conflict. This requires strict adherence to user and role management.
Here is my prescription to the problem.

The last box can be a dedicated role, which can be assigned to business, IT or a separate team.

-------------------------
Mantran Consulting Pte Ltd provides specialized SoD consulting services. Visit http://www.mantranconsulting.com/segregation.html for details.

CAM for SAP - some screenshots

2010-05-06T12:10:00.000+08:00

Here are some screenshots of Mantran's Continuous Auditing/ Monitoring (CAM) for SAP tool.

Continuous Auditing/ Monitoring (CAM) for SAP

2010-05-05T09:19:00.001+08:00

As promised in my blog on 5 Mar, we are ready to launch the Continuous Auditing/ Monitoring (CAM) tool. Here is a snapshot of the tool. The official website: http://www.mantranconsulting.com/products.html

Organizations are under increased pressure to cut costs and improve efficiencies. Internal audit is no different – audit committees and management increasingly expect their internal audit teams to do more with even lesser resources. CAM for SAP is an effective tool to enhance audit coverage (scope as well as frequency) without adding additional manpower. CAM also enables organizations to audit and monitor their key risk areas more frequently without too much of additional effort. This is possible due to use of technologies, which considerably reduces the cost of automating recurring audit procedures. CAM can also act as an early warning system to detect control failure earlier than under traditional audit approaches.

Both transaction processing and controls can be audited/ monitored using CAM. Examples of transaction processing auditing/ monitoring include the following:
1. Billing documents blocked for accounting
2. Changed bank account numbers in vendor master
3. Open purchase orders
4. Invoice numbers allocated twice, etc.
Examples of controls auditing/ monitoring include the following:
1. GL accounts where manual postings are allowed
2. One time vendors
3. Material masters with unlimited over delivery tolerance
4. Customers without credit limit, etc.
Unlike most of the commercially available tools, which are complex, require lots of resources to implement/ manage/ use and are very expensive, CAM for SAP is an easy to use, easy to manage and no security hassles tool.

CAM is a useful tool for SAP auditors who want to focus on auditing and don’t want to be distracted by technical details of a complex commercial tool. CAM is intuitive to use tool and does not require any specialized training to use. It also does not require a separate hardware and can be installed on any PC or laptop.

It comes with a ready-to-use configuration and auditors can start using it from day one. At the same time, the tool is highly customizable and can be easily and quickly customized, when required. Further, it works in an offline mode (i.e., without directly connecting to your SAP system).
Most important, CAM is very cost effective and caters to small and medium size enterprises using SAP.
The tool consists of two main areas:
1. Import Table(s) - ‘Import Table(s)’ function allows users to upload various tables required for audit/ monitoring. These tables can be downloaded from SAP using transaction code SE16. No external formatting is required to use these tables in CAM.
2. Reports - ‘Reports’ function allows users to view various reports highlighting potential exceptions in transaction processing and controls. The reports are arranged process-wise and can be downloaded for further analysis and follow up.

SPECIFICATIONS
OS: Windows XP Service Pack 2 and above
Software required: Microsoft Access 2007 Runtime or Microsoft Access 2007 (Microsoft Access 2007 Runtimes can be downloaded directly from Microsoft website.
There are five modules within ‘Reports’ tab. These are as follows:
1. Master Data
2. Purchasing
3. Sales
4. Financial Accounting (FI)
5. Others
The following four modules will be added in the next version of the tool:
1. Inventory
2. Human Resources – Payroll (HR-PY)
3. Authorizations
4. Configurations

BENEFITS
In addition to ever-increasing technology and regulatory requirements, organizations are looking to remove excess costs from operations and improve efficiency, improve controls and processes, and prevent and detect fraud and misconduct. CAM offers following benefits to support these requirements:
1. Regular insight into status of transaction processing and controls
2. Early detection and monitoring to expedite response
3. Test a broader range of transactions and controls
4. Improved audit efficiency and effectiveness
5. Better internal controls.

DEMO/ PURCHASE
If you are interested in demo of CAM for SAP or need a quotation, please contact us.
Email – CAM@mantranconsulting.com
Phone - +65 6401 5160
Our team will contact you within three working days to arrange for a demo/ discussions.

Deadline for SAP Security Practices Survey 2010 extended till 10 May

2010-05-04T15:37:00.000+08:00

The deadline for Mantran's first SAP Security Practices Survey has been extended to 10 May 2010. This is the last opportunity for those who have not yet submitted their responses.
SAP Security Practices Survey 2010 aims to identify the most successful practices in managing and reviewing SAP security controls. The result will be an important aid to anyone trying to design, manage, review or fix security controls in their SAP system.

How to participate?

1. Online: If you prefer to complete the questionnaire online, please click HERE.
2. Interview: You can request one of our consultants to meet you to complete questionnaire.
3. Email: You can request us to send the questionnaire through email.
4. Post: You can request us to send a printed questionnaire for completion.

All the information provided will be on ‘no name’ basis and will not be disclosed without your prior permission.

SAP Security Practices Survey 2010

2010-04-26T11:45:00.000+08:00

How do organizations manage security in their SAP implementation? What are the major SAP security concerns faced by organizations? Are SAP security personnel adequately trained?

SAP Security Practices Survey 2010 aims to identify the most successful practices in managing and reviewing SAP security controls. The survey is fast approachig its deadline for participation. We are encouraged by the responses so far and would urge all SAP security practitioner to spend 10-15 minutes completing the survey form.

Background

Security controls in SAP is one of the more complex areas and requires special focus to implement, manage and review. Organizations have varying perception of risks and therefore, they have a range of practices to manage SAP security. This survey aims to understand the most common SAP security practices and will attempt to identify the most successful practices in this area.
What is the optimal size of SAP security team? How often should the SAP security controls be reviewed? Do organizations enable table logging in SAP? What kinds of changes are performed directly in production environment? How many organizations use PO/ PR approval in SAP? Do organizations use ‘dual control’ for changes to vendor and customer master? How many organizations have documented SoD matrix?
These are some of the questions that many SAP security practitioners ask and often fail to get an answer. MANTRAN’s SAP Security Practices Survey 2010, which is first such survey, aims to find answers to such questions related to SAP security controls. The result will be an important aid to anyone trying to design, manage, review or fix security controls in their SAP system.
Specifically, the SAP Security Practices Survey 2010 aims to understand the following:
• Risks and threats faced by organizations using SAP
• Industry perception of required SAP security controls
• SAP security practices
• How auditors perceive and review SAP security controls?

How to participate?
1. Online: If you prefer to complete the questionnaire online, please click HERE.
2. Interview: You can request one of our consultants to meet you to complete questionnaire.
3. Email: You can request us to send the questionnaire through email.
4. Post: You can request us to send a printed questionnaire for completion.
All the information provided will be on ‘no name’ basis and will not be disclosed without your prior permission.

Why participate?
Whether you are SAP professional, SAP security practitioner, SAP auditor or other stakeholder in your organization’s SAP system, you are interested in having a secure SAP system. The survey results will enable you to make more informed decisions about the security practices that you deploy for your SAP system. You can also benchmark your SAP security practices against other organizations.
Apart from receiving a copy of survey report, as a participant, you will receive the following:
1. Complimentary invitation to special ‘breakfast talk’, where the results of the survey will be presented and analyzed
2. Customized survey report – with special focus on areas relevant for your organization
3. Specially printed SAP Security Flashcards (free shipment only in Singapore and India).

About MANTRAN
MANTRAN’s SAP Consulting Services address risks across all phases of the SAP lifecycle and focus on business process, SAP security, data integrity and SAP administration. We also provide SAP security and controls trainings. Visit us at http://www.mantranconsulting.com/for more details.

Segregation of Duties - What, Why and How?

2010-03-28T01:20:00.002+08:00

Segregation of Duties (SoD) requires that no one individual or related individuals should have complete control over a major phase of a process. Work should proceed from one person to another so that, without duplication, the work of the second acts as a recorded verification of the work of the first. Examples include

Person authorizing the use of an asset should not be responsible for its custody or derive any real or conceived benefits from the use of the asset
Record keeping and bookkeeping activities should be separated from handling and/ or custody of assets

SoD is a key component of any effective internal control environment. It is preventive as well as a detective internal control. It reduces the likelihood of errors and irregularities.

In the context of SAP system, existence of SoD should be checked at the following levels:

Definition of roles/ composite roles
Assignment of roles/ profiles to user master record

Underlying causes of SoD conflicts
Some of the underlying causes of SoD conflicts in SAP system are as follows:

Lack of understanding
Lack of SoD framework
Permission creep
Complexity of SAP authorization concept
Failure of security administration process
Poor design of user access request form
Dynamic pace of organizational change
Security is not first thing on mind of business managers/ users
Lack of security ownership (falls in gap between IT and business)
Lack of business knowledge of security administrators
Limited delivered SAP SoD security reporting

SAP provides native tools for SoD check in form of transactions SU98/ SU99, which only checks access at transaction code.

Mitigate SoD risk
Organizations should create a comprehensive SoD framework, which should include

Business rules (SoD Matrix)
SoD checks

Real time – when access is granted
Review – regular basis

Conflict resolution

Remove conflicting access
Compensating controls

Clearly defined roles and responsibilities

It is important to ensure that ‘compensating controls’ are appropriate and they work. Compensating controls require close coordination between IT and business. It should be

Based on risk exposure (critical/ high/ medium/ low)
Document and assign to business owners
System-based/ automated where possible, to maximize use of SAP and minimize manual intervention
Tested regularly

Tools - how helpful are they?

There are many automated tools, which assists organization is managing SoD in SAP system access. While these are very useful tools and goes a long way in making the process more efficient and transparent, they do not in themselves present a solution.

Organizations still need to come up with a SoD framework. Once the framework is there, these tool help them implement and sustain the framework. Remember, the tools (as usual!) are just enablers - they are the solution to your SoD problems.

Final words

Please note that there are no Silver bullet to prevent SoD in SAP system access. As long as organizations identify the cause and fix them (instead of addressing the symptoms), they should be able to control any risks.

Some useful BASIS reports

2010-03-22T11:20:00.001+08:00

Here are some of the not so popular, but useful BASIS reports that I recently came across

PFCG_AGRS_WITH_MANUAL_S_TCODE: List All Roles with Manual S_TCODE Authorization
AGR_CHECK_AUTHS_DUPLICATES: Checking Duplicate Authorizations in Profiles
AGR_CHECK_ALL_ACTIVITY_GROUPS: Old roles check report
PFCG_MASS_DOWNLOAD: Bulk role download
PFCG_MASS_IMPORT: Bulk role import

Hope you find them useful.

Monitoring business transactions and controls in SAP

2010-03-18T17:35:00.001+08:00

How does SAP compare with other ERP systems when it comes to its functionalities to let users monitor business transactions?
The broad answer, it seems, is that it is the better ERPs in this sense. SAP provides lots of logging and audit trails. In addition, the table structure is quite transparent and an organization can easily develop ABAP programs to read data from respective tables and generate reports for monitoring.
SAP prpvides very granular transaction and controls monitoring functionalities. The key functionalities are as follows:
1. Change documents
2. Docuemtn flow
3. Security audit logs
4. System logs
5. CCMS
6. Table logs
7. Transaction usage logs
8. System trace

These functionalities together lets a user keep complete track of everything that goes on inside SAP system.

Here is a brief introduction to these functionalities:
1. Change documents - SAP maintain change documents for many information. These are maintained by default and can be accessed via reports or direct table access. Some example include changes to user master records (report RSUS100), changes to material master records (transaction MM04). Also, tables CDHDR and CDPOS together captures changes to most of the transactional and master data in SAP.
2. Document flow - SAP maintains and lets user view the flow of documents in certain areas. For example, for a sales document, user can view the entire cycle (i.e., order, delivery document, invoice, clearing and reversal, if any) using a simple document flow feature.
3. Security audit logs - It keeps record of all security related activities in SAP. These can be turned on/ off and the extent of audit logs can be determined by organizations. This will typically log activiites like user logon/ log off, transactin start, RFC logons, etc.

4. System logs - It records all system errors, warnings, user locks due to failed log-on attempts and process messages.

5. CCMS - It provides a range of monitors for monitoring the SAP environments and its components. It includes early diagnosis of potential problems, such as resource problems in a host or database system, which could affect the SAP system.
6. Table logs - Logging for changes to specific tables can also be logged. This is an optional feature in SAP.
7. Transaction usage logs - SAP maintains log pf all transactions started by users.
8. System trace - It records the internal SAP system activities, use the function SAP System Trace. Recording the processes in your application server enables you to monitor the system and facilitates troubleshooting.

---------------------------------
Mantran provides detailed trainings about various auditing functionalities in SAP and how they can be used for audits, forensics, etc.
Please contact us at trainings@mantranconsulting.com for more details or any enquiries on SAP security and controls trainings.

Continuous Auditing/ Monitoring (CAM) tool - suggestions required!

2010-03-05T09:45:00.001+08:00

I am working on a tool to assist internal audit/ SAP security teams in transaction, process and controls auditing. The tool is 75% complete and I am currently finalizing the reports section. Some examples of the reports included in the tool are as follows:

Transaction and process monitoring/ auditing:

Billing documents blocked for accounting
Changed bank account numbers in vendor master
Open purchase orders
Invoice numbers allocated twice, etc.

Controls monitoring/ auditing:

GL accounts where manual postings are allowed
One time vendors
Material masters with unlimited over delivery tolerance
Customers without credit limit, etc.

I would like to invite suggestions from internal audit/ SAP security community for various reports, whcih should be included. I would appreciate any suggestions - just drop a note with the report requirements and I will work on the logic and how to get the report running for you.

Feel free to contact me at barunkumar@mantranconsulting.com for any discussions.

Restrict SAP user administration from managing his own access and Segregation of Duties in user administration

2010-02-27T13:10:00.002+08:00

How to protect from one's protector? In other words - how to restrict the access of its user administrators? This is the question faced by most of the organizations. The answer is quite simple in SAP system.

The access can be easily controlled using an authorization object called S_USER_GRP. This authorization object has two fields – user groups and activity. The activity code can have following values:

01: Create user master records, add profiles to new or existing records, and set user defaults for the Basis System and applications
02: Change user master records
03: Display a user master record with the information system
05: Lock or unlock a user (prevent or allow logons); change passwords
06: Delete user master records
08: Display change documents
22: Record users in activity groups
24: Archive change documents.

You need to segregate the user administrator user ID into a separate user group and other users into other user groups. The user administrator should not be assigned the user group that he belongs to.

Havig said that, it will also need some segregation of duties in user adminstration activities. If the user administrator has access to create a new user and assign him a user group, he may be able to bypass this control. Ideally, the following three group of functions should be segregated:

User administration - Create and delete user master records
Authorization administration - Create roles (select transactions and maintain authorization data) and generate profiles
User maintenance - Assign roles/ profiles to user master records and change user master records (except own user master records)

Depending on the size of BASIS/ user administration team, you can have the following three scenarios:

Segregate User Administrator, Authorization Administrator and User Maintenance
User Administrator and Authorization Administrator is same and is segregated from User Maintenance
No segregation possible – establish mitigating controls (e.g., regular review of all user administration activities)

The last point also highlights the importance of detective controls. Small organizations, who cannot have the required segregation, can always establish strong detective controls to ensure that lack of segregation cannot be misused.

Other important authorization objects related to user adminstration are as follows:

S_USER_AGR - roles
S_USER_TCD - transactions
S_USER_PRO - profiles
S_USER_AUT - authorization objects and authorizations
S_USER_VAL - fields in authorization objects

The detective controls shoudl include regular review of user authorizations by relevant business owners. This should include:

Current roles assigned to users
Current authorizations within roles
Changes in roles assigned to users
Changes in authorizations within roles
Inactive users (i.e., users with no system activities for a prolonged period of time)
Segregation of Duties – at role and user levels

There are various standard reports and tools available in SAP to support these review.

------------------------------------------------------------
Mantran Consulting Pte Ltd (MANTRAN) provides end-to-end services in the areas of SAP authorizations, Segregation of Duties and BASIS controls. The services covers design, implementation, maintenance and review of controls in these areas. Please contact MANTRAN at SAP@mantranconsulting.com for more information.

SAP security practices survey

2010-02-23T16:55:00.000+08:00

Security controls in SAP is one of the more complex areas and requires special focus to implement, manage and review. Organizations have varying perception of risks and therefore, they have a range of practices to manage SAP security. This survey aims to understand the most common SAP security practices and will attempt to identify the most successful practices in this area.

What is the optimal size of SAP security team? How often should the SAP security controls be reviewed? Do organizations enable table logging in SAP? What kinds of changes are performed directly in production environment? How many organizations use PO/ PR approval in SAP? Do organizations use ‘dual control’ for changes to vendor and customer master? How many organizations have documented SoD matrix?

These are some of the questions that many SAP security practitioners ask and often fail to get an answer. MANTRAN’s SAP Security Practices Survey 2010, which is first such survey, aims to find answers to such questions related to SAP security controls. The result will be an important aid to anyone trying to design, manage, review or fix security controls in their SAP system.

Specifically, the SAP Security Practices Survey 2010 aims to understand the following:
1. Risks and threats faced by organizations using SAP
2. Industry perception of required SAP security controls
3. SAP security practices
4. How auditors perceive and review SAP security controls?

How to participate?
You can participate using any of the following channels:
1. Online: If you prefer to complete the Questionnaire online, please click HERE to participate.
2. Interview: If you prefer to talk to one of our consultants, please contact us at survey2010@mantranconsutling.com or +65 6401 5160/ +65 8118 9972.
3. Email: If you prefer to receive the questionnaire through email, please send us an email at survey2010@mantranconsutling.com.
4. Post: If you prefer to complete a printed questionnaire, please contact us at survey2010@mantranconsutling.com or +65 6401 5160/ +65 8118 9972 and we will send you a printed questionnaire.

Notes:
1. All the information provided will be on ‘no name’ basis and will not be disclosed without your prior permission.
2. The survey is open till 30 April 2010.

Why participate?
Whether you are SAP professional, SAP security practitioner, SAP auditor or other stakeholder in your organization’s SAP system, you are interested in having a secure SAP system. The survey results will enable you to make more informed decisions about the security practices that you deploy for your SAP system. You can also benchmark your SAP security practices against other organizations.
Apart from receiving a copy of survey report, as a participant, you will also receive the following:
1. Complimentary invitation to special ‘breakfast talk’, where the results of the survey will be presented and analyzed
2. Customized survey report – with special focus on areas relevant for your organization
3. Specially printed SAP Security Flashcards (free shipment only in Singapore and India).

--------------------------------------------------------------
MANTRAN Consulting Pte Ltd is conducting this survey. Please visit http://www.mantranconsulting.com/ for details.

Continuous Auditing under SAP environment

2010-02-09T18:08:00.000+08:00

Old wine in a new bottle! That's the typical reaction from most people when they hear of CA. They are not entirely wrong - the concept is nothing new. We have been talking of using CA to improve efficiency, coverage and reach of audits for many years now. What has really changed are the tools available to realize the concept in real life.
Internal auditors in many companies have been practicing CA in some form or other for many years now. Some use CAATS like ACL to increase their sample size (or to test the entire population). However, in many cases, it is not easy to even obtain the data required to perform such testing.
SAP, on the other hand, provides vast amount of data for any kind of testing and analysis. And there are many commercial tools, which claim to provide CA (or Continuous Monitoring (CM)) functionalities in SAP system. Most of these tools started as authorizations/ Segregation of Duties (SoD) tools and kept on adding functionalities to evolve as CA/ CM tools. However, these functionalities are like food in a flight. While the food on flights are not bad, the flights still are meant to take people from one place to another and do not compete with restaurants for food. Similrily, most of these tools are very good in authorizations and SoD - but when it comes to CA/CM, they are not as good.
Unlike authorizations and SoD, which require lots of technical understanding, CA/CM requires understanding of business risks. Most of the existing CA/CM tools overwhelm users with amount of information contaied in them. But, is this information really useful to the users? These tools are also too complex to use and may require specialised trainings just to use them. It's like learning to cook when you just want to go to a restaurant and have your dinner! And it takes long time to implement these tools - sometime makes you wonder whether its worth the effort with speed of changing system landscape at most of the companies.
What do most auditors want from their CA/CM tool? They require a simple tools, which focuses on business risks, is easily and quickly customizable to their need, intuitive to use, easy to manage, not very complex and most importantly, economical.

-------------------------------------------------

MANTRAN Consulting Pte Ltd offers a simple and easy to use CA/CM tool for SAP users. This is an intuitive tool, which does not require a separate hardware and can be installed on any normal PC or laptop. This MS Access based tool captures process-wise risks and corresponding controls/ analysis to be monitored on a regular basis. This is highly customizable tool - requires less than a week to configure, install and be ready to use. No separate training is required to use the tool. It works in an offline mode - which makes it easier to use without getting on the wrong side of your SAP/ BASIS team.

Please contact us at CACM@mantranconsulting.com for more details or any enquiries on this tool.

Internal Auditors – what prevents them from integrating SAP security and controls in their audits?

2010-02-02T16:54:00.001+08:00

One of my favorite dialogs from ‘Spiderman’ is “With great power come greater responsibilities”. An apt statement when we think of auditors who suddenly find themselves moving from traditional audit to auditing under SAP environment. SAP system brings great power to business – through its wonderful support for most of the common business processes, SAP makes life simpler and work more efficient. However, this also burdens the internal auditors (and to large extent financial auditors also!) with greater responsibilities – auditing something which happens inside a big black box (i.e., SAP server) is much harder than auditing stuff you can see in black and white. The auditors need to understand what happens inside that big box to shoulder this responsibility.
In my experience, auditors (just like any other business users!) are comfortable with their traditional and time tested ways of auditing. When a company using a basic accounting system (and may be a few other legacy discrete systems) decides to implement SAP, it brings about a generational shift in the way business is done. And auditors need to adapt to these changes. Reconciliations done by finance department, which may have been key controls in legacy environment, can no longer be a key control. Not because business has changed – it just that certain work is done automatically by SAP. Some of these automatic controls are inherent in SAP while others can be turned on and off (just like the switches). Auditors need to understand and utilize these automated controls. Not only does automated controls provide better assurance, it also let’s auditors increase their audit scope – instead of sample check of 25, they may be able to check a larger sample or in some cases, entire population. Only thing standing between the auditors and such a scenario is lack of understanding of security and controls in SAP system.

I find big reluctance on the part of internal auditors to adapt and utilize these controls functionalities in SAP. One of the prime reasons for this reluctance is a perception that SAP controls are technical in nature and require IT specialists to deal with. This, in my view, is a misconception.

SAP security and controls can be separated into two categories – technical and functional, with some overlap. While, internal auditors may be correct in not getting involved in entirely technical areas of BASIS controls, other controls related to authorizations, business process configurations, exception reports, functional procedures, etc can and should be dealt with by the internal auditors. While these areas also require some technical understanding, business process understanding is of much more importance to understand these areas. For example, if an auditor wants to audit procurement process, he can rely on many automated controls in SAP (such as three-way match, PO approval hierarchy, changes to vendor master records, etc). While there is a need to understand some technical aspects to review these configurable controls, these are easy-to-follow with some basic understanding and training. The key still remains the knowledge of process and associated risks.

How do we bridge this knowledge gap in the internal auditors? There are many SAP security and controls trainings available – but most of them focus on the technical aspects. What internal auditors need is a focused training, which understands this gap and equip them to get comfortable with controls in SAP system.

Such training should provide an understanding of what goes inside SAP at a level, which is not too technical for the auditors and yet tell them just enough to do their work. It should provide them with the tools and techniques, which are important for working with these automated controls. The key is to get the right balance between technical aspects and functional aspects – so that auditors are not scared to understand the SAP security and controls.
-------------------------------------------
MANTRAN Consulting Pte Ltd provides many focused SAP security and controls trainings for internal audit teams. These trainings go beyond and also assists auditors integrate these automated controls in their normal audit work – to enhance the efficiency, assurance and coverage of the audits. The trainings are provided by an experienced SAP security and controls professional, who has conducted more than 20 SAP post-implementation reviews, 30 audits under SAP environment and have been involved in design of authorizations and Segregation of Duties for many clients.