SAP Audit Guide for Financial Accounting
This audit guide is designed to assist the review of financial reporting processes that rely upon automated functions in SAP systems. The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in the General Ledger (GL), Asset Accounting (AA) and Bank Accounting (BA) components of the SAP Financial Accounting module. The guide provides instructions for assessing SAP application-level controls in the following areas of financial statement audits:
- Reporting Structure
- Chart of Accounts
- Journal Entry Posting
- Period End Close
- Foreign Currency Translation
- Inter-company Transactions
- Asset Management and Reporting
- Cash Management
The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Revenue, Inventory, Expenditure, Human Resources and Basis.
Reporting Structure
The financial reporting structure in SAP is determined by the organization of reporting units known as company codes. There can be multiple company codes within an organization, with each code corresponding to a unique economic entity.
Reporting entities in differing countries should have unique company codes since they may be subject to divergent accounting and tax requirements. Each company code has one domestic currency and up to two additional currencies to support financial reporting in multiple currencies. Company codes must be set to productive to prevent the deletion of transactional data. This can be verified through transaction code OBR3 or Table T001 through transaction SE16.
The company code structure should correspond to the legal reporting requirements of the company under review. The appropriateness of the structure should be reviewed through the menu path IMG> Enterprise Structure> Financial Accounting> Define Company, transaction OX15 or table T880 (note that the IMG can be accessed through transaction SPRO). Relevant global parameters in the IMG should also be reviewed. These include Country Keys, Currencies, Controlling Areas, Credit Control Areas, Fiscal Year Variants, Sales and Purchasing Organisations, Business Areas and Plants, and Cost and Profit Centers (IMG> Enterprise Structure> Financial Accounting> Global Settings> Company Code> Global Parameters). Access to transactions such as OX02 (edit company code) and EC01 (copy, delete and check company code) and to the client configuration table T001 should be based on role requirements. Other critical transaction codes are listed in Table A.
TRANSACTION       DESCRIPTION
OB37              Assign Company Code to a Fiscal Year Variant
OBB9              Assign Posting Period Variants to Company Code
OKBD              Define Functional Area
OX03              Define Business Area
FM_FUNCTION       Define Functional Area
OX06              Maintain Controlling Area
KEP8              Create Operating Concern
OX16              Assign Company Code to Company
OB38              Assign Company Code to Credit Control Area
OF18              Assign Company Code to Financial Management Area
OX19              Assign Company Code to Controlling Area
OX18              Assign Plant to Company Code
OVX3              Assign Sales Organization to Company Code
OX01              Assign Purchasing Organization to Company Code
OH05              Assignment of Personnel Area to Company Code
OBB5              Cross-System Company Codes
OBY6              Enter Global Parameters
Table A: Company Code Transactions

Chart of Accounts
The chart of accounts is the container for General Ledger (GL) accounts and the basis for journal entry posting and financial reporting. A chart of accounts can be company code specific or cover multiple companies in a single SAP client. GL accounts are assigned to specific groups determined by account type. The field status for account information and the numbering interval are determined at the group level.
The configuration of all or a sample of account groups should be reviewed to assess which fields are required, optional, displayed or suppressed during the creation of a new account and to ensure that account numbering follows a logical and consistent policy. This can be performed through the menu path General Ledger Accounting> G/L Accounts> Master Data> Preparations> Define Account Group or transaction OBD4. The structure of the Chart of Accounts should also be reviewed through transaction FSP3 to assess account groupings and identify the appropriate use of control accounts for AP and AR. The latter are known as reconciliation accounts and are updated automatically. In other words, SAP does not allow manual journal postings against such accounts. This can be performed through transactions KALE and OK17.
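The two controls described above, consistent account numbering per account group and the automatic (rather than manual) update of reconciliation accounts, can be re-checked over SE16 table extracts. The following is an added example and is not code from the guide; it uses the standard SAP table and field names T077S (account groups), SKA1 and SKB1 (GL master data), while every record in it is constructed sample data.

```python
"""GL master-data checks over SE16 extracts (added example, not part of the
Layer Seven guide).  Table and field names are the standard SAP ones:
T077S (account groups: KTOPL chart, KTOKS group, VONNR/BISNR number interval),
SKA1 (chart-of-accounts segment: SAKNR, KTOKS) and SKB1 (company-code segment:
MITKZ reconciliation indicator).  All records below are constructed samples."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class AccountGroup:          # one T077S row
    chart: str               # KTOPL
    group: str               # KTOKS
    low: str                 # VONNR (10 characters, zero padded)
    high: str                # BISNR


@dataclass(frozen=True)
class GLAccount:             # SKA1 joined with SKB1 for one company code
    chart: str               # KTOPL
    number: str              # SAKNR
    group: str               # KTOKS
    recon: str               # SKB1-MITKZ: "" none, "D" customers, "K" vendors, "A" assets


# Constructed configuration: chart INT with three account groups.
GROUPS = [
    AccountGroup("INT", "CASH", "0000100000", "0000199999"),
    AccountGroup("INT", "RECN", "0000140000", "0000149999"),  # sits inside CASH
    AccountGroup("INT", "PL",   "0000400000", "0000899999"),
]

# Constructed master data for company code 1000.
ACCOUNTS = [
    GLAccount("INT", "0000113100", "CASH", ""),
    GLAccount("INT", "0000140000", "RECN", "D"),   # AR reconciliation account
    GLAccount("INT", "0000160000", "RECN", "K"),   # AP recon, outside RECN interval
    GLAccount("INT", "0000476000", "PL",   ""),
]


def accounts_outside_group_interval(accounts, groups):
    """Accounts whose number lies outside their group's VONNR-BISNR interval.
    SAP enforces the interval when an account is created, so a hit normally
    means the interval was narrowed or the account was re-assigned afterwards."""
    interval = {(g.chart, g.group): (g.low, g.high) for g in groups}
    hits = []
    for a in accounts:
        low, high = interval[(a.chart, a.group)]
        if not low <= a.number <= high:     # zero-padded strings sort numerically
            hits.append(a.number)
    return hits


def overlapping_groups(groups):
    """Pairs of groups in one chart whose number intervals overlap; SAP allows
    this, but it defeats a 'numbering follows a logical policy' objective."""
    pairs = []
    for g1, g2 in combinations(groups, 2):
        if g1.chart == g2.chart and g1.low <= g2.high and g2.low <= g1.high:
            pairs.append((g1.group, g2.group))
    return pairs


def rejected_manual_lines(document, accounts):
    """Line numbers of a manually entered document (e.g. FB50) that post
    directly to a reconciliation account.  SAP raises an error for such lines;
    this reproduces the rule so that an extracted document sample can be
    re-checked.  `document` is a list of (line_no, account, amount)."""
    recon = {a.number for a in accounts if a.recon}
    return [line for line, acct, _amt in document if acct in recon]


if __name__ == "__main__":
    doc = [(1, "0000113100", 500.00), (2, "0000140000", -500.00)]
    print(accounts_outside_group_interval(ACCOUNTS, GROUPS))   # ['0000160000']
    print(overlapping_groups(GROUPS))                           # [('CASH', 'RECN')]
    print(rejected_manual_lines(doc, ACCOUNTS))                 # [2]
```

The interval check is the one the guide's "logical and consistent policy" objective turns into a test; the reconciliation-account check is useful when reviewing documents that arrived through interfaces or direct table updates, where the standard FB50 validation did not run.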
Changes to the chart of accounts should be identified through report RFSABL00, accessible through transaction SA38. Alternatively, changes can be isolated through transactions FS04, FSP4 and FSS4. A sample of changes should be examined for evidence of approval, documentation and testing. Access to SAP functions that enable users to create, modify or delete GL accounts should be restricted and based on business need. This should include the transactions in Table B with authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).
TRANSACTION       DESCRIPTION
FS01              Create Master Record
FS02              Change Master Record
FS00              G/L Acct Master Record Maintenance
FS05              Block Master Record
FS06              Mark Master Record for Deletion
FSS1              Create Master Record in Company Code
FSS2              Change Master Record in Company Code
FSP0              G/L Acct Master Record in Chart/Accts
FSP1              Create G/L Acct Master Record in Chart/Accts
FSP2              Change G/L Acct Master Record in Chart/Accts
FSP5              Block Master Record in Chart/Accts
FSP6              Mark Master Record for Deletion in Chart/Accts
Table B: GL Account Transactions
Journal Entry Posting
SAP is preconfigured with hundreds of document types for purchase orders, customer invoices, goods receipts and many other transactions. Each document type has a unique 2 or 3 letter identifier and a specific number range. Particular attention should be paid to the GL account assignments for SAP documents, since transactional data is posted automatically by the system based on the assignments defined in the system configuration. These should be reviewed through transactions OBA7 (Define Document Types) and OB41 (Posting Keys). Samples selected for review should include custom document types, which are more likely to have assignment errors than standard SAP document types.

Monetary limits for journal entries, cash discounts, and payment or receipt differences should be defined for document types. These can vary by company code and employee group. Tolerance levels should be reviewed through transactions OBA4 and OB57. This should include clearing procedures for critical accounts such as GR/IR.

SAP should also be configured to control posting to prior periods, even though the system is capable of keeping multiple periods open at the same time. This is performed through rules defined in Posting Period Variants, part of the Financial Accounting Global Settings. Note that back posting settings in Logistics can also be configured to allow posting to prior periods. Both of these areas should be reviewed in the IMG.

SAP Business Workflow is used by many companies to review values and account assignments prior to posting journal entries. If enabled, the relevant settings for workflow variants, company codes, and approval paths and groups should be examined under Financial Accounting Global Settings> Document> Document Parking. This should include a review of the fields that cause a release to be revoked if changed after approval, which leads to a restart of the release procedure.
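The posting period variant rules mentioned above decide, per account type and account range, whether a posting date falls into an open period. The example below is added here and is not code from the guide: it models the rows an auditor sees in OB52 (table T001B) and evaluates a posting against them, then lists the rows that still leave prior periods open. Field names (MKOAR, BKONT, FRYE1/FRPE1 to TOPE2, BRGRU, the F_BKPF_BUP authorization object guarding interval 1) are the standard SAP ones; the variant contents are constructed sample data, and the precedence rule applied (the '+' row must allow the period, and a row for the account type and account range, where one exists, must allow it too) is the documented OB52 behaviour as understood by the author of this example.

```python
"""Posting period variant evaluation (added example; not from the guide).
Models OB52 / T001B rows: account type MKOAR ('+' all, 'A' assets,
'D' customers, 'K' vendors, 'M' materials, 'S' GL accounts), account interval,
period interval 1 (guarded by authorization group BRGRU via F_BKPF_BUP) and
period interval 2.  The variant below is constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

Interval = Tuple[int, int, int, int]   # from_year, from_period, to_year, to_period


@dataclass(frozen=True)
class PeriodRule:                       # one T001B row
    variant: str                        # BUKRS column holds the variant key
    acct_type: str                      # MKOAR
    acct_from: str                      # BKONT low
    acct_to: str                        # BKONT high
    p1: Interval                        # FRYE1/FRPE1 .. TOYE1/TOPE1
    auth_group: str = ""                # BRGRU: interval 1 only for users holding it
    p2: Optional[Interval] = None       # FRYE2/FRPE2 .. TOYE2/TOPE2


ALL = ("0000000000", "9999999999")

# Constructed variant 1000 as at December 2024: period 12 open for everyone,
# periods 10-11 open for GL accounts only to users in authorization group CLOSE,
# vendors restricted to the current period, special periods 13-16 open.
RULES = [
    PeriodRule("1000", "+", *ALL, p1=(2024, 10, 2024, 12), p2=(2024, 13, 2024, 16)),
    PeriodRule("1000", "K", *ALL, p1=(2024, 12, 2024, 12)),
    PeriodRule("1000", "S", *ALL, p1=(2024, 10, 2024, 12), auth_group="CLOSE",
               p2=(2024, 12, 2024, 12)),
]


def _inside(year, period, iv):
    fy, fp, ty, tp = iv
    return (fy, fp) <= (year, period) <= (ty, tp)


def _row_allows(rule, year, period, user_groups):
    # Interval 1 counts only when the row has no BRGRU or the user holds it.
    if not rule.auth_group or rule.auth_group in user_groups:
        if _inside(year, period, rule.p1):
            return True
    return rule.p2 is not None and _inside(year, period, rule.p2)


def posting_allowed(rules, variant, acct_type, account, year, period,
                    user_groups=frozenset()):
    """True if the variant permits a posting to `account` (of `acct_type`)
    in fiscal (year, period) for a user holding `user_groups` (BRGRU values)."""
    rows = [r for r in rules if r.variant == variant]
    plus = [r for r in rows if r.acct_type == "+"]
    if not plus or not _row_allows(plus[0], year, period, user_groups):
        return False
    specific = [r for r in rows
                if r.acct_type == acct_type and r.acct_from <= account <= r.acct_to]
    if not specific:
        return True
    return any(_row_allows(r, year, period, user_groups) for r in specific)


def rows_open_before(rules, year, period):
    """Audit view: rows that still allow postings before (year, period), i.e.
    prior periods not yet closed.  Interval 1 rows guarded by an authorization
    group are reported with that group so the reviewer can check who holds
    F_BKPF_BUP for it; interval 2 has no guard and is reported with ""."""
    findings = []
    for r in rules:
        for iv, guard in ((r.p1, r.auth_group), (r.p2, "")):
            if iv and (iv[0], iv[1]) < (year, period):
                findings.append((r.variant, r.acct_type, guard))
    return findings


if __name__ == "__main__":
    print(posting_allowed(RULES, "1000", "K", "0000100100", 2024, 11))  # False
    print(posting_allowed(RULES, "1000", "S", "0000400000", 2024, 11,
                          user_groups={"CLOSE"}))                      # True
    print(rows_open_before(RULES, 2024, 12))
```

`rows_open_before` is the part that maps onto the audit step: a '+' row with an unguarded interval reaching back several periods is the finding, whereas a guarded GL-only interval is acceptable if the users holding the BRGRU value are the closing team.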
BusinessObjects Planning and Consolidation (BPC) and Business One should be configured to block unbalanced journal entries. In the former, this can be verified through the JRN_BALANCE parameter. The parameter should be set to 1 (Journals need to be balanced). The default value is 0 (Journals need not be balanced). In the latter, the field Block Unbalanced Journal Entry should be checked in Administration> System Initialization> Document Settings> Journal Entry.

The ability to create, change, delete and reverse journal entries should be restricted to authorized employees. This includes the transactions in Table C with authorization objects with the prefix F_BKPF_ and suffix BUK, KOA, GSB or BLA and activity levels 01 (create/ enter), 02 (change), 06 (delete) and 77 (pre-enter/ park).
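Two of the checks above, balanced journal entries and the OBA4/OB57 tolerance limits of the preceding section, can be re-performed over a document extract. The following is an added example, not code from the guide or from SAP: the lines mimic the BSEG/BKPF fields an auditor pulls with SE16 (BELNR, BUKRS, BUZEI, SHKZG, DMBTR, USNAM) and the tolerance groups mimic OBA4 and OB57; all records, users and limits are constructed.

```python
"""Journal entry checks over a document extract (added example; not from the
guide).  Lines mimic BSEG/BKPF fields: BELNR document, BUKRS company code,
BUZEI line, SHKZG debit/credit indicator ('S' debit, 'H' credit), DMBTR
local-currency amount, USNAM posting user.  Tolerance groups mimic OBA4
(amount per document, amount per line) and OB57 (user-to-group assignment).
All records are constructed samples."""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    belnr: str
    bukrs: str
    buzei: int
    shkzg: str       # 'S' debit, 'H' credit
    dmbtr: Decimal   # stored positive in BSEG; the sign comes from SHKZG
    usnam: str


@dataclass(frozen=True)
class ToleranceGroup:   # one OBA4 entry
    name: str
    per_document: Decimal
    per_line: Decimal


D = Decimal
LINES = [
    Line("1900000001", "1000", 1, "S", D("2500.00"), "JDOE"),
    Line("1900000001", "1000", 2, "H", D("2500.00"), "JDOE"),
    Line("1900000002", "1000", 1, "S", D("810.00"), "ASMITH"),
    Line("1900000002", "1000", 2, "H", D("800.00"), "ASMITH"),    # out by 10.00
    Line("1900000003", "1000", 1, "S", D("60000.00"), "JDOE"),
    Line("1900000003", "1000", 2, "H", D("60000.00"), "JDOE"),    # above JDOE's limits
]
GROUPS = {
    "": ToleranceGroup("", D("10000.00"), D("5000.00")),          # blank = default group
    "SUPV": ToleranceGroup("SUPV", D("1000000.00"), D("500000.00")),
}
USER_GROUP = {"ASMITH": "SUPV"}   # OB57; users not listed fall into the blank group


def signed(line):
    return line.dmbtr if line.shkzg == "S" else -line.dmbtr


def unbalanced_documents(lines):
    """Documents whose debits and credits do not net to zero per company code.
    FI rejects these at posting time, so one found in an extract points at a
    direct table update or a broken interface rather than at user error."""
    balance = defaultdict(Decimal)
    for ln in lines:
        balance[(ln.belnr, ln.bukrs)] += signed(ln)
    return {key: amt for key, amt in balance.items() if amt != 0}


def tolerance_breaches(lines, groups, user_group):
    """Documents that exceed the posting user's OBA4 limits, either on a single
    line or on the document total (sum of debits)."""
    debits, max_line, user = defaultdict(Decimal), defaultdict(Decimal), {}
    for ln in lines:
        key = (ln.belnr, ln.bukrs)
        user[key] = ln.usnam
        max_line[key] = max(max_line[key], ln.dmbtr)
        if ln.shkzg == "S":
            debits[key] += ln.dmbtr
    breaches = []
    for key, total in debits.items():
        tg = groups[user_group.get(user[key], "")]
        if total > tg.per_document or max_line[key] > tg.per_line:
            breaches.append((key[0], user[key], tg.name))
    return breaches


if __name__ == "__main__":
    print(unbalanced_documents(LINES))                       # {('1900000002', '1000'): Decimal('10.00')}
    print(tolerance_breaches(LINES, GROUPS, USER_GROUP))     # [('1900000003', 'JDOE', '')]
```

Exact decimal arithmetic matters here: a float-based version would report rounding noise as imbalance, and SAP itself balances documents to the cent in each currency.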
TRANSACTION       DESCRIPTION
FB08              Reverse Document
FB02/ FB09        Change Document
FBL4              Change G/L Account Line Items
F-03/ FB1S        Clear G/L Account
F-02              Enter G/L Account Posting
FBV1              Park Document
F-21/ F-42        Enter Transfer Posting
FBV2              Change Parked Document
FB01/ FBR2        Post Document
FBV4              Change Parked Document Header
FB05              Post with Clearing
FB11              Post Held Document
FBD1              Enter Recurring Entry
FB21              Enter Statistical Posting
FBD2              Change Recurring Entry
FB50              G/L Account Posting
F.14              Execute Recurring Entry
FBV0/ FBVB        Post Parked Document
F.56              Delete Recurring Entry
FBR1              Post with Reference Document
F.81              Reverse Accrual/Deferral Document
F.80              Mass Reversal of Documents
Table C: Journal Entry Transactions
Period End Close
The period end close process extends across many different SAP applications including SD, MM and PP. However, the majority of steps are performed within the FI and CO areas. Audit procedures for the process should be tuned for each specific client since the process varies between organisations. As a guide, Table D lists the SAP transactions commonly used during the period end close process in sequential order.
TRANSACTION       DESCRIPTION
S_BCE_68000174    Update Exchange Rates
VL10/ VL10A       Ensure Movements are complete
MIRO              Record Purchase Order related AP Transactions
MRBR              Release Blocked Invoices
VXF3              Release Billing Documents for Accounting
FBD1              Enter Recurring Document
F-03              Manual Clearing General Ledger
F-32              Manual Clearing Accounts Receivable
F-44              Manual Clearing Accounts Payable
FB50              Post Adjustment Entries
FAGL_FC_VAL       Foreign Currency Revaluation
AIAB              Order Settlement (Asset Under Construction)
AFAB              Depreciation Run
ASKBN             Periodic Asset Posting
FB50              Automatic GR/IR Clearing
KSA3              Accrual Calculation
MRN0              Stock Valuation
CK11N             Inventory costing
CK24              Price Update
FB50              Stock value adjustment
MMPV              Open Period for Material Master Records
OB52              Open and Close Posting Periods
CJ8G              Calculation of Work In Process (WIP)
KKS1              Prod. and Process Order Variance Calculation
ENGR              Create Intrastat / Extrastat periodic declaration
S_ALR_87012357    Advance Return for Tax on Sales/Purchases
FB41              Post Tax Payable
F.52              Balance Interest Calculation
CO88              Settlement PP Order
CO02              PP Order (close)
S_ALR_87012289    Compact Document Journal
S_ALR_87012287    Document Journal
FF7A              Cash Position & Liquidity Forecast
OB52              Open and Close Posting Periods
KE30              Run Profitability Report
S_ALR_87012284    Financial Statements
S_ALR_87005830    Controlling Maintain Versions
CK40N             Costing Run
S_ALR_87008275    Define Percentage Overhead (actual)
AFAR              Recalculating Values
ABST2             Account Reconciliation
AJRW              Fiscal Year Change
AJAB              Year-end closing Asset Accounting
F.07              Carry Forward AP/AR Balances
FAGLGVTR          Carry Forward GL Balances
FAGLF101          Regrouping Receivables/Payables
F.17              Balance Confirmation Receivable
F.18              Balance Confirmation Payable
OB52              Close previous account period
S_ALR_87012284    Financial Statements
S_ALR_87012287    Document Journal
Table D: Period End Close Transactions

Together with the transactions listed in Table D, user access to SAP functions that control the opening and closing of financial periods should be tightly controlled. This should include transactions OB52 (opening and closing FI posting periods) and OBBP (define variants for open posting periods) with authorization object S_TABU_DIS and activity level 02 (change).

Asset Management and Reporting
The Financial Accounting Asset Accounting (FI-AA) component is responsible for managing fixed assets in SAP ERP. It serves as a subsidiary ledger to the FI GL, providing detailed information on transactions involving fixed assets. AA integrates directly with other FI components such as Materials Management (MM) and Plant Maintenance (PM) and manages asset reporting from acquisition to disposal or retirement. The component also tracks, depreciates and reports upon leased assets and assets under construction.

Asset classes in SAP should be configured in line with country-specific requirements. Therefore, asset classes and the associated descriptions should be reviewed through transaction OAOA (define asset classes). Depreciation keys should be defined for each asset class. The keys define the rules for calculating depreciation, such as straight line or declining balance. They also control the useful life of assets. Auditors should review the configuration of all or a sample of depreciation keys through transaction AFAMA (View Maint. for Deprec. Key Method). Depreciation postings can be reviewed through transactions AFBP and AR25. Transaction ABST displays the reconciliation between asset accounting and the general ledger.

If the SAP Project System (PS) is operating alongside FI-AA, the relevant availability controls should be reviewed in PS. These regulate the thresholds for asset acquisitions in excess of approved, budgeted amounts which, if configured correctly, can be blocked altogether. This can be performed through transaction OPS9 and the menu path IMG> Project System> Costs> Budget> Define Tolerance Limits.

An audit of FI-AA should include a review of user access to transaction codes that provide the ability to change AA master data, including asset groups and depreciation tables, as well as to acquire, depreciate and dispose of fixed assets. These are listed in Table E. The review should focus on authorization objects A_A_VIEW, A_S_ANLKL, A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK, S_BDC_MONI or A_C_AFAPL with activity levels 01, 02 and 06.
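The availability control reviewed in OPS9 works by comparing budget usage (assigned value plus the new posting) against tolerance-limit thresholds, each of which triggers an action. The example below is added here and is not code from the guide or from SAP. It uses SAP's action codes for tolerance limits (1 = warning, 2 = warning with mail, 3 = error, i.e. the posting is blocked); the budget profiles, WBS element and amounts are constructed, and treating a zero budget as fully consumed is an assumption of this example.

```python
"""Availability-control evaluation for budgeted projects (added example; not
from the guide).  Models the OPS9 tolerance limits of a budget profile: for
each usage threshold (percent of budget consumed by assigned + new posting)
an action code, 1 = warning, 2 = warning with mail, 3 = error (blocked).
Profiles, budgets and amounts are constructed sample data."""
from dataclasses import dataclass
from decimal import Decimal

WARNING, WARNING_MAIL, ERROR = 1, 2, 3
ACTION_NAME = {0: "ok", WARNING: "warning", WARNING_MAIL: "warning+mail", ERROR: "blocked"}


@dataclass(frozen=True)
class ToleranceLimit:   # one OPS9 row for a budget profile / activity group
    usage_pct: Decimal  # threshold as percent of budget
    action: int


@dataclass(frozen=True)
class WBSElement:
    key: str
    budget: Decimal
    assigned: Decimal   # actuals + commitments already charged


def evaluate(limits, wbs, posting):
    """Action triggered by posting `posting` against `wbs`: the highest action
    whose threshold the resulting usage reaches.  An empty `limits` list means
    availability control is not active for the profile."""
    if wbs.budget == 0:                  # assumption: no budget = fully consumed
        usage = Decimal("Infinity")
    else:
        usage = (wbs.assigned + posting) / wbs.budget * 100
    triggered = [lim.action for lim in limits if usage >= lim.usage_pct]
    return max(triggered, default=0)


def profiles_without_block(profiles):
    """Audit finding: budget profiles whose tolerance limits never reach action
    3, so an overrun only warns and the acquisition still posts."""
    return sorted(name for name, limits in profiles.items()
                  if ERROR not in {lim.action for lim in limits})


# Constructed profiles as they would appear in OPS9.
PROFILES = {
    "ZCAPEX": [ToleranceLimit(Decimal(90), WARNING),
               ToleranceLimit(Decimal(100), WARNING_MAIL),
               ToleranceLimit(Decimal(105), ERROR)],
    "ZSOFT":  [ToleranceLimit(Decimal(90), WARNING),
               ToleranceLimit(Decimal(100), WARNING_MAIL)],   # never blocks
}
WBS = WBSElement("P-1000-01", Decimal("100000"), Decimal("85000"))


if __name__ == "__main__":
    for amount in (Decimal("10000"), Decimal("17000"), Decimal("20000")):
        action = evaluate(PROFILES["ZCAPEX"], WBS, amount)
        print(WBS.key, amount, ACTION_NAME[action])   # warning, warning+mail, blocked
    print(profiles_without_block(PROFILES))           # ['ZSOFT']
```

`profiles_without_block` is the review step the guide describes: a profile whose highest action is a warning allows over-budget acquisitions to post, so the configuration does not "block altogether" as intended.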
TRANSACTION       DESCRIPTION
AS01              Create an Asset
AS02              Modify Asset
AS05              Block Asset Master Record
AS06              Delete Asset
ABZE              Acquisition from in-house production
ABZK              Acquisition from purchase w. vendor
F-90              Acquisition w/ Vendor
ABZV              Acquisition from clearing Account
ABZP              Asset Acquisition from affiliated company
AS21              Create an asset group
AS22              Modify Asset
AS25              Block group asset
AS26              Delete an asset group
ABZU              Asset write-up
ABZS              Asset write-up
ABMA              Asset manually depreciate
AFAB/ AFABN       Post depreciation
ABAV/ ABAVN       Retire by scrapping
ABAO/ ABAON       Asset Sale Without Customer
ABAD              Asset Retire from Sale with Customer
ABANK             Retire with cost
AR31              Asset mass retirement
OAP1              Create chart of depreciation
OA52              Close previous account period
OAP2              Change chart of depreciation
Table E: Asset Accounting Transactions
Foreign Currency Translation
Foreign currency exchange ratios and rates are maintained through transactions OBBS and OB08. The underlying tables should be reviewed through these transactions to ensure that ratios and rates are regularly and accurately updated.

SAP provides a variety of valuation methods and even provides an option to create custom methods. Custom valuations should be identified and examined very closely. This can be performed through transaction OB59 (foreign currency valuation methods). Automatic postings for foreign currency valuations should be analyzed via transaction OBA1. The assigned accounts are used to record realized/ unrealized gains and losses. This should be followed by a review of foreign currency rounding rules in transaction OB90.

Inter-Company Transactions
Inter-company reconciliation is often a bottleneck in the financial close process. As a result, some SAP clients have migrated to the Web-based BusinessObjects Intercompany application. This significantly improves the speed and accuracy of identifying, matching and eliminating related party transactions. However, the majority of organizations continue to rely upon a manual process. Related parties are treated as trading partners in SAP and are defined through IMG > Enterprise Structure > Definition > Financial Accounting > Define Company. Once configured, SAP will post documents such as invoices, payments, receipts and asset transfers between related parties to designated inter-company accounts. Intercompany clearing accounts should be identified using transaction OBYA. All such accounts should be reviewed against the relevant financial statement assertions.

Cash Management
Cash Management (CM) is a component of SAP TR that is used to monitor payment flows and safeguard liquidity. This component is used to perform bank reconciliations and therefore should be a crucial element of an SAP financial audit. Management should regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash transactions and ensure that bank deposits and payments are reflected in the relevant GL accounts. Note that FF67 can be used to import and process bank statements in SAP.

Changes to banking master data should be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness. Access to critical CM transactions should also be reviewed, including those listed in Table F, focusing on authorization objects F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA or F_PAYR_BUK with activity levels 01, 02, 06 and 17.
TRANSACTION       DESCRIPTION
FI12              Change House Banks/Bank Accounts
FI01              Change Master Record
FI02              Change Bank
FI06              Set Flag to Delete Bank
FF67              Manual Bank Statement
FF_5              Import Electronic Bank Statement
FEBA              Post-process Electronic Bank Statement
FLB2              Import Lockbox Data
FLB1              Post-processing Lockbox Data
F-28              Incoming Payments
FB05              Post payment with clearing
FRFT              Set Up Repetitive Wire
FI10              Parameters for Automatic Payment
FF/4              Import electronic check deposit list
FFB4              Import electronic check deposit list
FF/5              Post electronic check deposit list
FFB5              Post electronic check deposit list
FF68              Manual Check Deposit Transaction
FCHG              Reset cashing/extract data
FF63              Create Planning Memo Record
FCHX              Check Extract Creation
FCHG              Delete cashing/extract data
Table F: Cash Management Transactions
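Each access review in this guide follows the same pattern: for the transactions in a table, identify users whose roles grant the named authorization objects with the critical activity levels. This holds for GL accounts (Table B: F_SKA1_BUK and F_SKA1_KTP with 01/02/05/06), journal entries (Table C: F_BKPF_BUK, F_BKPF_KOA, F_BKPF_GSB and F_BKPF_BLA with 01/02/06/77), asset accounting (Table E, activities 01/02/06) and cash management (Table F, activities 01/02/06/17). The example below is added here and is not code from the guide or from SAP; it runs that pattern over extracts of the standard role tables AGR_1251 (role, object, field, low, high) and AGR_USERS (role, user) and honours the PFCG value semantics (single value, LOW-HIGH range, '*' and trailing-'*' patterns). All roles, users and values are constructed sample data.

```python
"""Critical-authorization review over role extracts (added example; not from
the guide).  Input mimics SE16 exports of AGR_1251 (AGR_NAME, OBJECT, FIELD,
LOW, HIGH) and AGR_USERS (AGR_NAME, UNAME).  Criteria encode the objects and
activity levels the guide names for Tables B, C, E and F.  All rows below are
constructed samples."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    label: str
    obj: str                # authorization object name
    activities: frozenset   # ACTVT values that count as critical


CRITERIA = [
    Criterion("GL account maintenance", "F_SKA1_BUK", frozenset({"01", "02", "05", "06"})),
    Criterion("GL account maintenance", "F_SKA1_KTP", frozenset({"01", "02", "05", "06"})),
    *(Criterion("Journal entry posting", o, frozenset({"01", "02", "06", "77"}))
      for o in ("F_BKPF_BUK", "F_BKPF_KOA", "F_BKPF_GSB", "F_BKPF_BLA")),
    *(Criterion("Asset accounting", o, frozenset({"01", "02", "06"}))
      for o in ("A_S_ANLKL", "A_B_BWART", "A_S_ANLGR", "A_PERI_BUK", "A_C_AFAPL")),
    *(Criterion("Cash management", o, frozenset({"01", "02", "06", "17"}))
      for o in ("F_BNKA_BUK", "F_BNKA_MAN", "F_FEBB_BUK", "F_FDES_BUK",
                "F_REGU_BUK", "F_REGU_KOA", "F_PAYR_BUK")),
]

# Constructed AGR_1251 rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
AGR_1251 = [
    ("Z_FI_GL_DISPLAY", "F_SKA1_BUK", "ACTVT", "03", ""),
    ("Z_FI_GL_DISPLAY", "F_SKA1_BUK", "BUKRS", "*", ""),
    ("Z_FI_GL_MAINT",   "F_SKA1_BUK", "ACTVT", "01", "02"),    # range 01-02
    ("Z_FI_GL_MAINT",   "F_SKA1_BUK", "BUKRS", "1000", ""),
    ("Z_FI_POST",       "F_BKPF_BUK", "ACTVT", "*", ""),       # full wildcard
    ("Z_FI_POST",       "F_BKPF_BUK", "BUKRS", "1000", "2000"),
    ("Z_AA_DISPLAY",    "A_S_ANLKL",  "ACTVT", "03", ""),
    ("Z_TR_BANK",       "F_BNKA_MAN", "ACTVT", "0*", ""),      # pattern: 01-09
]
# Constructed AGR_USERS rows: (AGR_NAME, UNAME)
AGR_USERS = [("Z_FI_GL_DISPLAY", "AUDITOR1"), ("Z_FI_GL_MAINT", "JDOE"),
             ("Z_FI_POST", "JDOE"), ("Z_AA_DISPLAY", "JDOE"), ("Z_TR_BANK", "ASMITH")]


def value_matches(low, high, value):
    """PFCG semantics for one authorization field value: LOW-HIGH range,
    '*' full wildcard, trailing-'*' pattern, or exact single value."""
    if high:
        return low <= value <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def critical_access(agr_1251, agr_users, criteria):
    """user -> set of (label, object, activity) held through any assigned role."""
    actvt = defaultdict(list)           # (role, object) -> [(low, high), ...]
    for role, obj, field, low, high in agr_1251:
        if field == "ACTVT":
            actvt[(role, obj)].append((low, high))
    roles_of = defaultdict(set)
    for role, user in agr_users:
        roles_of[user].add(role)
    result = defaultdict(set)
    for user, roles in roles_of.items():
        for role in roles:
            for c in criteria:
                for act in c.activities:
                    if any(value_matches(lo, hi, act)
                           for lo, hi in actvt.get((role, c.obj), [])):
                        result[user].add((c.label, c.obj, act))
    return dict(result)


if __name__ == "__main__":
    for user, hits in sorted(critical_access(AGR_1251, AGR_USERS, CRITERIA).items()):
        print(user, sorted(hits))   # AUDITOR1 is absent: display-only access
```

Role-table extracts are a convenient first pass; the effective authorizations of a user also depend on composite roles, derived-role organizational values and manually assigned profiles, so findings should be confirmed with the user-level analysis in SUIM before being reported.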
Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth.
Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada
Web: www.layersevensecurity.com
Email: [email protected]
Telephone: 1 888 995 0993
© Copyright Layer Seven Security 2012 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.