R/3 audit review questions


Amy Lambermont
06.14.2002


Here is a list of the items most commonly reviewed by internal and external auditors when they review your R/3 system. It is always a good idea to go through this list a couple of times a year and to take the appropriate steps to tighten your security. If requested I can e-mail this to you in Word format.

Review the following:

* System security profile parameters (TU02), e.g. password length and format, forced password changes, number of failed logon attempts before the session is ended, etc., have been set to ensure the confidentiality and integrity of passwords. (See Security-Parameter-Settings-Documentation.doc.)

* Setup and modification of user master records follows a specific procedure and is properly approved by management.

* Setup and modification of authorizations and profiles follows a specific procedure and is performed by someone independent of the person responsible for user master record maintenance.

* An appropriate naming convention for profiles, authorizations and authorization objects has been developed to help security maintenance and to comply with required SAP R/3 naming conventions.

* A user master record is created for each user defining a user ID and password. Each user is assigned to a user group, in the user master record, commensurate with their job responsibilities.

* Check objects (SU24) have been assigned to key transactions to restrict access to those transactions.

* Authorization objects and authorizations have been assigned to users based on their job responsibilities.

* Authorization objects and authorizations have been assigned to users ensuring segregation of duties.

* Users can maintain only system tables commensurate with their job responsibilities.

* Validity periods are set for user master records assigned to temporary staff.

* All in-house developed programs contain AUTHORITY-CHECK statements to ensure that access to the programs is properly secured.

* Select a sample of:

* Changes to user master records, profiles and authorizations, and ensure the changes were properly approved. (The changes can be viewed with transaction SECR.)

* Ensure that security administration is properly segregated. At a minimum there should be separate administrators responsible for:
- User master maintenance. (This process can be further segregated by user group.)
- User profile development and profile activation. (These processes can be further segregated.)

* Verify that a naming convention has been developed for profiles, authorizations and in-house developed authorization objects to ensure:
- They can be easily managed.
- They will not be overwritten by a subsequent release upgrade (for Release 2.2 names should begin with Y_ or Z_; for Release 3.0 with Z_ only).

* Assess, through the Audit Information System (SECR) or through a review of table USR02, whether user master records have been properly established and in particular that:
- The SAP_ALL profile is not assigned to any user master record.
- The SAP_NEW profile is not assigned to any user master record. Verify that procedures exist for assigning new authorization objects from this profile to users following installation of new SAP releases.

* Assess, through a review of the use of the authorization object S_TABU_DIS and of the table authorization classes (TDDAT), whether:
- All system tables are assigned an appropriate authorization class.
- Users are assigned system table maintenance access (through S_TABU_DIS) based on authorization classes commensurate with their job responsibilities.

* Assess, through a review of the use of the authorization objects S_PROGRAM and S_EDITOR and of the program classes (TRDIR), whether:
- All programs are assigned the appropriate program class.
- Users are assigned program classes commensurate with their job responsibilities.

* Ensure, through a review of a sample of in-house developed programs, that the program code either:
- contains an AUTHORITY-CHECK statement referring to an appropriate authorization object and a valid set of values; or
- contains an INCLUDE statement, where the included program contains an AUTHORITY-CHECK statement referring to an appropriate authorization object and a valid set of values.
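Three of the checks above (the password-related system parameters, the SAP_ALL/SAP_NEW assignments visible in USR02 and UST04, and the validity periods of user master records) can be scripted as a single read-only ABAP report that an auditor runs in each client. The report below is an added example written for this page; it is not code from the original tip or from SAP. The report name, the policy thresholds, the column layout and the use of the C_SAPGPARAM kernel call to read the active parameter values are this example's assumptions; the login/* parameters, the profiles SAP_ALL and SAP_NEW and the tables USR02 and UST04 are standard names.

```abap
REPORT z_r3_audit_user_review.
" Added example, not part of the original tip. Read-only report covering
" three checklist items in one pass:
"   1. password-related profile parameters against policy thresholds,
"   2. user master records carrying the SAP_ALL or SAP_NEW profile (UST04),
"   3. dialog users without a validity end date (USR02-GLTGB), to be compared
"      against the list of temporary staff.
" Report name, thresholds and layout are assumptions of this example.

TYPES: BEGIN OF ty_rule,
         name TYPE c LENGTH 60,      " profile parameter name
         lo   TYPE i,                " lowest acceptable value
         hi   TYPE i,                " highest acceptable value
       END OF ty_rule,
       BEGIN OF ty_profile_hit,
         bname   TYPE usr02-bname,
         profile TYPE ust04-profile,
         uflag   TYPE usr02-uflag,   " 0 = not locked, 64 = admin lock, 128 = failed logons
       END OF ty_profile_hit.

DATA: lt_rules TYPE STANDARD TABLE OF ty_rule,
      ls_rule  TYPE ty_rule,
      lv_value TYPE c LENGTH 60,
      lv_num   TYPE i,
      lt_hits  TYPE STANDARD TABLE OF ty_profile_hit,
      ls_hit   TYPE ty_profile_hit,
      lt_users TYPE STANDARD TABLE OF usr02-bname,
      lv_user  TYPE usr02-bname.

* --- 1. Password parameters: assumed policy thresholds, not SAP defaults ---
DEFINE add_rule.
  ls_rule-name = &1. ls_rule-lo = &2. ls_rule-hi = &3.
  APPEND ls_rule TO lt_rules.
END-OF-DEFINITION.

add_rule 'login/min_password_lng'         6  40.   " minimum password length
add_rule 'login/password_expiration_time' 1  90.   " 0 would mean "never expires"
add_rule 'login/fails_to_session_end'     1   3.   " wrong passwords before the logon session ends
add_rule 'login/fails_to_user_lock'       1   5.   " wrong passwords before the user is locked

WRITE: / '1. Password parameters'.
LOOP AT lt_rules INTO ls_rule.
  CLEAR lv_value.
  " Kernel call that returns the value of a profile parameter in this instance
  CALL 'C_SAPGPARAM' ID 'NAME'  FIELD ls_rule-name
                     ID 'VALUE' FIELD lv_value.
  IF lv_value IS INITIAL OR lv_value CN ' 0123456789'.
    " Unset parameters fall back to the kernel default: flag for a manual check
    WRITE: / ls_rule-name(34), 40 'not set or not numeric - check manually'.
    CONTINUE.
  ENDIF.
  lv_num = lv_value.
  IF lv_num < ls_rule-lo OR lv_num > ls_rule-hi.
    WRITE: / ls_rule-name(34), 40 lv_num, 52 'OUTSIDE policy range'.
  ELSE.
    WRITE: / ls_rule-name(34), 40 lv_num, 52 'ok'.
  ENDIF.
ENDLOOP.

* --- 2. SAP_ALL / SAP_NEW must not be assigned to any user master record ---
SKIP.
WRITE: / '2. Users with SAP_ALL or SAP_NEW in this client'.
SELECT a~bname a~profile b~uflag
  INTO CORRESPONDING FIELDS OF TABLE lt_hits
  FROM ust04 AS a
  INNER JOIN usr02 AS b ON b~bname = a~bname
  WHERE a~profile IN ('SAP_ALL', 'SAP_NEW')
  ORDER BY a~profile a~bname.
IF sy-subrc <> 0.
  WRITE: / 'none - checklist item satisfied in this client'.
ENDIF.
LOOP AT lt_hits INTO ls_hit.
  WRITE: / ls_hit-profile, 14 ls_hit-bname, 28 'lock flag', ls_hit-uflag.
ENDLOOP.

* --- 3. Dialog users without validity end: compare with the temporary staff list ---
SKIP.
WRITE: / '3. Dialog users with unlimited validity (GLTGB empty)'.
SELECT bname FROM usr02 INTO TABLE lt_users
  WHERE ustyp = 'A'                 " dialog users only
    AND gltgb = '00000000'          " no "valid to" date set
  ORDER BY bname.
LOOP AT lt_users INTO lv_user.
  WRITE: / lv_user.
ENDLOOP.
```

USR02 and UST04 are client-dependent, so the report has to be run in every productive client; Open SQL restricts both tables to the logon client automatically. The report only reads tables and parameters, so it can be run by the auditor without change authorizations, and the third list is deliberately broad: the auditor, not the program, decides which of the listed users are temporary staff that should have had a validity end date.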
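The last checklist item is easiest to review with a reference pattern in mind. The report below is an added example written for this page, not code from the original tip or from SAP: it shows an in-house report that runs AUTHORITY-CHECK on a meaningful object and set of values, evaluates sy-subrc, and reads nothing when the check fails. The authorization object Z_FIDOC_DISP with fields BUKRS and ACTVT, the include name ZAUTH_INC and the report name are assumptions of this example; the table BKPF and activity '03' (display) are standard.

```abap
REPORT z_audit_authcheck_demo.
" Added example, not part of the original tip. Reference pattern for the
" checklist item "in-house programs contain an AUTHORITY-CHECK statement":
" check first, evaluate sy-subrc, and read data only when the check passed.
" Z_FIDOC_DISP (fields BUKRS, ACTVT) and ZAUTH_INC are assumed names.

TYPE-POOLS abap.

PARAMETERS p_bukrs TYPE bkpf-bukrs OBLIGATORY.   " company code to display

TYPES: BEGIN OF ty_doc,
         bukrs TYPE bkpf-bukrs,
         belnr TYPE bkpf-belnr,
         gjahr TYPE bkpf-gjahr,
       END OF ty_doc.
DATA: lt_docs TYPE STANDARD TABLE OF ty_doc,
      ls_doc  TYPE ty_doc,
      lv_ok   TYPE abap_bool.

START-OF-SELECTION.
  PERFORM check_display_auth USING p_bukrs CHANGING lv_ok.
  IF lv_ok = abap_false.
    LEAVE LIST-PROCESSING.            " nothing is read or shown without authorization
  ENDIF.

  " Only reached after a passed check
  SELECT bukrs belnr gjahr FROM bkpf
    INTO TABLE lt_docs UP TO 50 ROWS
    WHERE bukrs = p_bukrs.
  LOOP AT lt_docs INTO ls_doc.
    WRITE: / ls_doc-bukrs, ls_doc-belnr, ls_doc-gjahr.
  ENDLOOP.

* The check lives in a FORM so the same routine can be moved into an include
* (e.g. ZAUTH_INC) and reused by several programs, which is the second variant
* the checklist accepts. A reviewer confirms that the values checked are real
* (not DUMMY for every field) and that sy-subrc is actually evaluated.
FORM check_display_auth USING    iv_bukrs TYPE bkpf-bukrs
                        CHANGING cv_ok    TYPE abap_bool.
  cv_ok = abap_false.
  AUTHORITY-CHECK OBJECT 'Z_FIDOC_DISP'
           ID 'BUKRS' FIELD iv_bukrs
           ID 'ACTVT' FIELD '03'.
  CASE sy-subrc.
    WHEN 0.
      cv_ok = abap_true.
    WHEN 4 OR 12.
      " 4: user has the object but not these values; 12: object absent from the user master
      MESSAGE 'No display authorization for this company code' TYPE 'S' DISPLAY LIKE 'E'.
    WHEN OTHERS.
      " e.g. 24: field names do not match the object definition; a programming error
      " that must still be treated as "not authorized"
      MESSAGE 'Authorization check could not be performed' TYPE 'S' DISPLAY LIKE 'E'.
  ENDCASE.
ENDFORM.
```

When sampling programs, the reviewer looks for the three properties this pattern has: the object and field values are specific to the data the program exposes, sy-subrc is evaluated for every outcome (including the technical error codes), and the data access is unreachable when the check fails. A program that merely contains the keyword, checks only DUMMY values, or ignores sy-subrc satisfies the wording of the checklist but not its intent.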


Copyright 2000 - 2009, TechTarget. SearchSAP.com is a search service provided by TechTarget and is completely independent of and not affiliated with SAP AG.