Security in SAP Environments
ISACA London Chapter
26 March 2009
Rajeev Dasgupta
PricewaterhouseCoopers
Topics
Introduction
Overview of SAP
Key Risks and Controls in SAP
Audit Challenges in SAP Environments
Preparing for a SAP Audit
Third Party Tools
ISACA London Chapter, March 2009 2
An Introduction to ERP Systems
• Enterprise resource planning (ERP) is an enterprise-wide information system designed to coordinate all resources, information, and activities needed to perform business activities.
• Based on a common database and a modular software design – the common database allows ‘central storage’ of information, with real-time retrieval.
• Modular software design allows for free selection of modules required.
• Driving benefit is open availability of real-time information which is easily accessible, enabling management by information.
• ERP systems attempt to cover all basic functions of an enterprise, regardless of the organisation's business.
• High-end ERP systems have business-specific functionality.
• Prominent ERP systems – SAP, Oracle, Microsoft Dynamics.
Overview of SAP
A Bit of History …
• 1973: SAP launches R/1 (‘R’ stands for real-time data processing)
• 1979: Mainframe-based R/2 solution released
• 1992: R/3 solution unleashed on market (real-time data processing; 3-tier client-server architecture)
• The original R/3 solution has evolved significantly over the years – numerous releases (3.0x, 3.1x, 4.0x, 4.6x, Enterprise 4.7 and mySAP ERP)
• Most current version of SAP is SAP ECC6 ERP (part of the SAP Business Suite)
Some Facts and Figures
• World’s 3rd largest independent software vendor
• Originally used primarily by large companies – now widely used by small and medium sized enterprises as well
• SAP solutions help enterprises of all sizes improve customer relationship processes, enhance partner collaboration and create efficiencies across their supply chains and business operations
• In addition, SAP solution portfolios support unique business processes of more than 25 industries, including high tech, retail, financial services, healthcare and the public sector
• Currently, more than 12 million users work each day with SAP solutions!
• SAP now has 121,000 installations worldwide, more than 1,500 SAP partners, and more than 75,000 customers in 120 countries
Key Characteristics
Systems, Applications and Products in Data Processing …
• Integrated – SAP integrates all business processing through one application which can be integrated with other office tools (e.g. MS Word, MS Excel).
• Multifunctional – SAP can track financial results, procurement, sales, manufacturing, human resources and payroll.
• Modular – SAP comprises 18-20 modules in finance, logistics and HR. One or more SAP modules can be implemented.
• Enterprise Wide – SAP is typically accessible by the entire business organisation. Most company information and transactions originate from SAP.
• “Real Time” – An order in SAP can automatically generate an inventory movement and a posting in the GL without any “human” intervention.
SAP Technical Structure
[Diagram: three-tier architecture – database server, application servers, presentation (GUI)]
Key Modules
[Diagram of the main SAP modules and the functions under each:]
• PP – Production Planning: Re-order control; Production Planning & Control
• SD – Sales & Distribution: Sales; Distribution; Invoicing
• MM – Materials Management: Purchasing; Goods Receipt; Inventory Control; Invoice Verification; Inventory Mgmt
• FI – Financial Accounting: Accounts Payable; Accounts Receivable; General Ledger; Cash Management; Consolidation; Asset Accounting; Project Systems; Financial Reporting
• PM – Plant Maintenance
• WMS – Warehouse Mgmt
• BASIS: Security; Change Management; Computer Operations
• HR – Human Resources: Personnel Administration; Payroll Accounting
• CO – Controlling: Cost Centre/Profit Centre; Profitability Analysis
Industry Solutions
SAP has also developed industry-specific solutions. Some key solutions:
• Banking – IS-B (Industry Specific Banking)
• Retail – IS-R (Industry Specific Retail)
• Energy Utilities – IS-U (Industry Specific Utilities – Supplier Switch)
• Oil – IS-Oil (Industry Specific Oil)
• Insurance – FS Insurance (Financial Services Insurance); FS RI (Financial Services Reinsurance Management); FS CM (Financial Services Claim Management)
SAP Basis
1. It is the middleware that integrates the Database, Operating System, Authorisations and Development/Customising Processes with the application modules (e.g. FI, CO, MM).
2. It enables the SAP application modules to operate, irrespective of any underlying IT platform.
3. It includes:
• System Configuration (customising)
• Repository (programming)
• Data Dictionary
• Access/Authorisations
• System Administration and monitoring tools
A key component of SAP, as most security functions are controlled through Basis!
Basis and Security Functions
[Diagram: Basis at the centre, surrounded by the application modules FI, SD, CO, MM, AM, PP, QM, PS, PM, WM, HR and IM]
User Access
Only users with active User Master Records can log onto the system. They are always checked during online and background processing and include:
• Basic user data
• User defaults
• User profile information
Security Authorization Concept
• Applies to Basis and functional components
• Access to the system is restricted through authorisation objects
• Access must be explicitly granted through the use of authorisations
Others
• Table maintenance
• Security parameters
• Program security
• Remote access
• Extensions / bolt-ons
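The authorisation concept on this slide (active user master record as the gate to logon, access granted only by an explicit authorisation carrying an authorisation object with field values) can be modelled in a few lines. The following is an added example written for this page, not code from the presentation or from SAP; S_TCODE (field TCD) and F_BKPF_BUK (fields BUKRS, ACTVT) are real SAP authorisation objects used for illustration, while the users, roles, values and the simplification of SAP value ranges to "*" wildcards are constructed assumptions.

```python
"""Added example (not from the presentation): a small model of the SAP
authorisation concept.  Logon requires an active user master record, and an
action is allowed only if an authorisation for the relevant object explicitly
matches every required field value; with nothing granted the check fails."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Authorization:
    obj: str            # authorisation object, e.g. "S_TCODE"
    fields: dict        # field name -> allowed values ('*' / 'FB*' wildcards)


@dataclass
class UserMaster:
    name: str
    active: bool        # locked or expired user master records cannot log on
    authorizations: list = field(default_factory=list)


def authority_check(user: UserMaster, obj: str, **required) -> bool:
    """Mimic AUTHORITY-CHECK: succeed only if one authorisation for `obj`
    matches every required field value.  Inactive users always fail."""
    if not user.active:
        return False
    for auth in user.authorizations:
        if auth.obj != obj:
            continue
        if all(
            any(fnmatchcase(str(value), pattern) for pattern in auth.fields.get(name, []))
            for name, value in required.items()
        ):
            return True
    return False        # nothing explicitly granted -> access denied


# Constructed sample data: an AP clerk role limited to company code 1000
# (ACTVT 01 = create, 03 = display) and a generic support role with wildcards.
AP_CLERK = [
    Authorization("S_TCODE", {"TCD": ["FB60", "FB03"]}),
    Authorization("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["01", "03"]}),
]
WIDE_OPEN = [
    Authorization("S_TCODE", {"TCD": ["*"]}),
    Authorization("F_BKPF_BUK", {"BUKRS": ["*"], "ACTVT": ["*"]}),
]
USERS = {
    "JSMITH": UserMaster("JSMITH", True, AP_CLERK),        # active AP clerk
    "TLEAVER": UserMaster("TLEAVER", False, AP_CLERK),     # leaver, record locked
    "SUPPORT1": UserMaster("SUPPORT1", True, WIDE_OPEN),   # generic support account
}


def can_post_invoice(user_name: str, company_code: str) -> bool:
    """The two checks performed when a user starts FB60 and posts a vendor
    invoice: transaction start (S_TCODE) and company-code/activity."""
    user = USERS[user_name]
    return (authority_check(user, "S_TCODE", TCD="FB60")
            and authority_check(user, "F_BKPF_BUK", BUKRS=company_code, ACTVT="01"))


def wildcard_holders(obj: str, fname: str) -> list:
    """Audit helper: active users whose authorisation for `obj` grants '*'
    on `fname`, the over-broad access an auditor would want listed."""
    return sorted(
        u.name for u in USERS.values() if u.active
        and any(a.obj == obj and "*" in a.fields.get(fname, []) for a in u.authorizations)
    )
```

The point the model makes is the one the slide makes: there is no implicit access, so a user with no authorisation for an object fails the check, and a locked user master fails every check regardless of the authorisations still attached to it. The wildcard listing is the kind of query an auditor runs against the real authorisation tables to find generic or over-privileged accounts.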
Interfaces
Many organisations decide not to implement the full suite of modules and instead utilise satellite systems for specific areas. Some of the most common areas where companies use satellite systems with SAP are:
• Industry specific systems
• HR / Payroll
• Manufacturing
• Group consolidation
• Management reporting
SAP’s interface framework facilitates communications and interactions between different business tools:
• SAP Exchange Infrastructure (SAP XI) enables the implementation of cross-system processes. It allows systems from different vendors and different programming languages to be connected to each other.
• The Legacy System Migration Workbench (LSMW) is a tool recommended by SAP to transfer data once only or periodically from legacy systems into an R/3 System.
• An SAP R/3 Remote Function Call (RFC) is a synchronous communication method used to call and execute predefined functions within SAP R/3. RFCs work between two SAP systems, or between an SAP system and an external system.
Key Risks and Controls in SAP
Key Risks
Business Risks
• Integrated data and transaction processing in a single system results in a single point of failure for all organisational data.
• Users’ reluctance to accept this initially complex system could result in data inaccuracies.
• Inherent process risks (e.g. unauthorised purchases, bypassing credit limits etc.)
Technical Risks
• Inappropriate access to system functionality because of incorrectly configured SAP security.
• Increased remote or local access by external personnel (i.e. consultants or support teams).
• Inappropriate system management on account of skills gaps.
• Data inconsistencies due to interfaces / data conversion processes.
Control Risks
• SAP control functionality may not be appropriately configured (e.g. super user profiles, generic accounts, system parameters, privileged accounts etc.)
• The high level of integration between processes increases exposure to segregation of duties conflicts.
• Higher level of expertise is required to effectively audit the system.
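One way to test the "system parameters" item under Control Risks is to compare a parameter extract against an agreed baseline. The following is an added example written for this page, not code from the presentation: the parameter names are real SAP profile parameters, but the thresholds, the extract format (one `name = value` per line) and the sample extract are constructed for illustration and are not a recommended standard. It also handles the failure mode a naive "value below limit" comparison misses, where a value of 0 means the control is switched off rather than set strictly.

```python
"""Added example (not from the presentation): check a system-parameter
extract against an audit baseline, flagging 'disabled' zeros and parameters
that are not set at all (an unset parameter falls back to the SAP default)."""

# Rule kinds: ("min", n) actual >= n; ("max", n) actual <= n; ("eq", n) actual == n.
BASELINE = {                                    # constructed thresholds
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/password_expiration_time": ("max", 90),
    "login/no_automatic_user_sapstar": ("eq", 1),
    "rdisp/gui_auto_logout": ("max", 1800),
}
# For these parameters 0 means 'never' / 'off', so zero is a failure of a
# "max" rule, not a very strict setting.
ZERO_MEANS_DISABLED = {"login/password_expiration_time", "rdisp/gui_auto_logout"}

# Constructed extract; blank lines and '#' comments are ignored.
SAMPLE_DUMP = """
# profile extract (constructed sample)
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
"""


def parse_dump(text: str) -> dict:
    """Parse 'name = value' lines into {name: int or str}."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        raw = raw.strip()
        params[name.strip()] = int(raw) if raw.lstrip("-").isdigit() else raw
    return params


def evaluate(params: dict, baseline: dict = BASELINE) -> list:
    """Return findings as (parameter, actual value or None, (rule, expected))."""
    findings = []
    for name, (kind, expected) in baseline.items():
        actual = params.get(name)
        if actual is None or not isinstance(actual, int):
            findings.append((name, actual, (kind, expected)))   # unset or non-numeric
            continue
        if name in ZERO_MEANS_DISABLED and actual == 0:
            findings.append((name, actual, (kind, expected)))   # control switched off
            continue
        ok = {"min": actual >= expected,
              "max": actual <= expected,
              "eq": actual == expected}[kind]
        if not ok:
            findings.append((name, actual, (kind, expected)))
    return findings


def check_dump(text: str) -> list:
    """Parse and evaluate an extract in one call."""
    return evaluate(parse_dump(text))


if __name__ == "__main__":
    for name, actual, (kind, expected) in check_dump(SAMPLE_DUMP):
        print(f"{name}: actual={actual!r}, expected {kind} {expected}")
```

Against the constructed extract this reports the short minimum password length, the expiry time of 0 (passwords never expire) and the missing auto-logout parameter, while the lock threshold and the SAP* setting pass. The same structure extends to any further parameters the audit programme names.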
Additional Risk Considerations
1. Business Warehouse/Reporting
2. Interfaces
3. Asset Accounting
4. Consolidation
5. HR and Payroll
6. Industry Solutions
Key Control Points in SAP
IT General Controls:
• Project Management
• Testing
• Data Conversion
• Change Management
• SAP Authorisations and User Provisioning
• Operating System and Database Security
• Backup, Recovery and Contingency Planning
• Physical Security and other infrastructure controls
Business Process Controls:
• Interfaces
• Process-resident controls (e.g. release strategies, credit limit checks etc.)
• Edit and validation controls (field settings etc.)
• Monitoring Reports
• Sensitive access
• Segregation of duties
Audit Challenges in SAP Environments
It’s Not Easy!
• The complexity of the organisational model in SAP makes it difficult to determine the scope of the audit
• Underneath the business front end sits a very complicated system
• Integration of business processes within SAP increases the importance of getting segregation of duties right
• The use of Computer Assisted Audit Tools and Techniques (CAATTs) is virtually mandatory in order to complete a full SoD analysis.
• Process automation and customisation create new audit challenges
• Data errors can flow right through end-to-end business processes
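The "sensitive access" and "segregation of duties" control points listed earlier, and the CAATT-based SoD analysis this slide calls virtually mandatory, come down to joining the user-to-role and role-to-transaction assignments and testing the result against a rule set; the hard part, and the reason a tool is needed, is that most conflicts arise across roles rather than within one. The following is an added example written for this page, not code from the presentation or from any vendor tool: the transaction codes are real SAP transactions, but the roles, users, business-function grouping and conflict rules are a constructed sample, not a vendor rule set.

```python
"""Added example (not from the presentation): minimal CAATT-style SoD and
sensitive-access analysis over a user -> role -> transaction extract."""
from collections import defaultdict

# Constructed extract: role -> transactions it grants, user -> assigned roles.
ROLE_TCODES = {
    "Z_AP_CLERK":      {"FB60", "FK03"},
    "Z_VENDOR_MAINT":  {"FK01", "FK02"},
    "Z_PAYMENT_RUN":   {"F110"},
    "Z_PURCHASER":     {"ME21N", "ME23N"},
    "Z_GOODS_RECEIPT": {"MIGO"},
    "Z_USER_ADMIN":    {"SU01", "PFCG"},
}
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},    # each role is clean on its own
    "MJONES": {"Z_PURCHASER", "Z_GOODS_RECEIPT"},
    "ADMIN1": {"Z_USER_ADMIN"},
    "RPATEL": {"Z_AP_CLERK"},
}

# Business functions and the transactions that perform them (constructed).
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"FK01", "FK02"},
    "AP_INVOICE_POST": {"FB60"},
    "PAYMENT_RUN": {"F110"},
    "PO_CREATE": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
}
# Pairs of functions one person should not hold together (constructed rules).
SOD_RULES = [
    ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_POST"),
    ("VENDOR_MASTER_MAINTAIN", "PAYMENT_RUN"),
    ("AP_INVOICE_POST", "PAYMENT_RUN"),
    ("PO_CREATE", "GOODS_RECEIPT"),
]
SENSITIVE_TCODES = {"SU01": "user maintenance", "PFCG": "role maintenance"}


def user_tcodes(user: str) -> dict:
    """Map each transaction the user can start to the roles that grant it."""
    granted = defaultdict(set)
    for role in USER_ROLES.get(user, ()):
        for tcode in ROLE_TCODES.get(role, ()):
            granted[tcode].add(role)
    return dict(granted)


def user_functions(user: str) -> dict:
    """Map each business function the user can perform to (tcode, role) evidence."""
    tcodes = user_tcodes(user)
    evidence = {}
    for func, func_tcodes in FUNCTIONS.items():
        hits = {(t, r) for t in func_tcodes & set(tcodes) for r in tcodes[t]}
        if hits:
            evidence[func] = hits
    return evidence


def sod_conflicts(user: str) -> list:
    """Return (function_a, function_b, roles involved) for each violated rule."""
    funcs = user_functions(user)
    conflicts = []
    for a, b in SOD_RULES:
        if a in funcs and b in funcs:
            roles = {r for _, r in funcs[a]} | {r for _, r in funcs[b]}
            conflicts.append((a, b, sorted(roles)))
    return conflicts


def sensitive_access(user: str) -> list:
    """Sensitive transactions the user holds, with the granting roles."""
    tcodes = user_tcodes(user)
    return sorted((t, SENSITIVE_TCODES[t], sorted(tcodes[t]))
                  for t in tcodes if t in SENSITIVE_TCODES)


def run_analysis() -> dict:
    """Per-user report: the output an auditor reviews or samples from."""
    return {u: {"sod": sod_conflicts(u), "sensitive": sensitive_access(u)}
            for u in sorted(USER_ROLES)}
```

Reporting the roles behind each conflict matters as much as the conflict itself: it tells the business whether the fix is a role redesign or a change to one user's assignments. A real analysis would go a level deeper, to the authorisation objects and field values (company code, activity) the slides mention, since two users with the same transaction may have very different effective access.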
Preparing for a SAP Audit
The Audit Cycle
[Diagram: the audit cycle – auditing in a SAP environment]
Planning the Right Level of Work
Control Types in SAP
[Diagram: the SAP control environment mapped from Financial Statements through Management Information and Transactions down to Business / IT, against the control types below]
• SAP Configurable controls
• SAP Inherent controls
• SAP Reports & Manual Procedures
• SAP Access and SoD
Note: Inherent controls are hard coded into the system and cannot be changed
Control Types – Examples
• SAP Inherent Controls: Entries must balance prior to processing
• SAP Configuration: Release strategies, Invoice tolerances
• SAP Access Controls: Access to Vendor Master Data is restricted
• Reporting & Manual procedures: Edit reports, Account analysis, Reconciliations
Getting the Right Coverage
The SAP Control Environment
[Diagram: the layers of the SAP control environment]
• Presentation Layer – Management reporting and end-user controls (Business Process Controls)
• Application Layer – SAP configurable controls; SAP Authorisations/User profiles; SAP Basis Module (IT General Controls)
• Infrastructure Layer – Database; Operating System and other Infrastructure controls (IT General Controls)
Key Considerations
• SAP products and modules used and linkage to business processes
• Number of in-scope SAP systems and production clients
• Number of in-scope company codes and organisational elements
• Proportion of cross-company vs company-specific controls in scope
• Interfaces into SAP and their use
• ‘Other’ systems in use and their impact on the audit
• Skill sets of the audit team
• Availability of methodologies / tested work programs
And More Considerations!
• Efficiencies can be obtained while reviewing multiple locations and company codes sharing the same SAP instance
• Complex/decentralised organisation and homogeneity of processes and controls could impact time and resource requirements
• Level of automation and customisation may impact on the method of testing
• “Baselining” strategy may be used for automated controls and reports
• Timing and extent of review for new implementations or major projects
• Availability of appropriate technical documentation and competency level of SAP support organisation
• Reliance on the “work of others” (i.e. management, SAS70)
• Use of third party tools
Third Party Tools
Why Use Third Party Tools?
Business, Finance, IT and audit professionals face an array of challenging questions as they try to strengthen controls throughout their SAP systems:
• How do you uncover existing Segregation of Duties and sensitive access issues, down to the lowest security levels, such as t-codes and authorisation objects?
• How do you keep new controls issues from arising through the course of normal change processes?
• How can you gain insight into what activities users are performing?
• How do you ensure that business policies are being adhered to through the course of daily transactions?
• How do you determine if configurable controls are defined properly?
• How do you consolidate your data repositories, automate your workflow further and integrate with other solutions?
• How do you manage these challenges across multiple SAP instances, without ever affecting their system performance?
Third party tools can be used to help achieve these goals.
Third Party Tools - Examples
Security
Example: Governance, risk and compliance (GRC) suite, which includes
• Risk Analysis and Remediation™
• Compliant User Provisioning™
• Super User Privilege Management™
• Enterprise Role Management™
Purpose:
• Reporting tool that provides detailed analysis of SoD and Sensitive Access based on a set of pre-defined rules
• Role management tool that operates within SAP and facilitates role design. Provides the ability to define which objects and transactions are attached to a role
• Workflow enabled tool to automate the user administration process
• Provides improved control over super-user and emergency access through restrictions on data access and audit trails
Example: Approva Corporation, which includes
• Enterprise Controls Suite
• BizRights
Purpose:
• Continuous monitoring with exception-based reporting pushes the right information to the right people at the right time
• Business controls are organised in a single, manageable library that spans across instances and applications and can easily be customised to keep up with your ever-changing business needs
• Application-independent architecture ensures support for all enterprise systems, without introducing performance degradation
Third Party Tools - Examples
Data Analysis
• Direct Link for SAP® ERP – Data extraction, analysis, and fraud detection providing direct, seamless access to SAP data. Using Direct Link, you no longer need to rely on ABAP programmers or limited reporting utilities – you can easily and quickly access SAP tables and conduct comparative cross-platform analysis with transactional data from other systems.
• ACL Continuous Controls Monitoring (CCM) – Analyses financial transaction data from any ERP, mainframe system or custom-built application to check and validate against the organization's control parameters and business rules. A review of 100 percent of transactions from any source.
• Microsoft Access – Create ad hoc customised desktop systems for handling the creation and manipulation of data. Access can be used as a database.
Third Party Tools - Examples
Workflow
• SAP Interactive Forms (by Adobe) – Capture data in completed forms that can flow directly back to SAP software, eliminating the need for error prone, manual data input. Customise electronic forms to meet the specific needs of your business or industry. Design electronic forms to reflect the familiar "look and feel" of the paper forms they replace.
• SAP LoadRunner (by Mercury) – Deployed with HP and SAP Solution Manager, LoadRunner facilitates the management of the development lifecycle, providing time, budget, actual and quality assurance tools.
• Duet (SAP and MS) – Enables access to SAP business processes and data via Microsoft Office, providing wider access to enterprise information and policies, with the objective of assisting organizations in obtaining corporate policy compliance and improving decision making.
Thank You
Question
If you were in an organisation with a small version, how would you approach auditing?