SAP Audit Guide - Layer Seven Security

SAP Audit Guide for Financial Accounting

This audit guide is designed to assist the review of financial reporting processes that rely upon automated functions in SAP systems. The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in the General Ledger (GL), Asset Accounting (AA) and Bank Accounting (BA) components of the SAP Financial Accounting module. The guide provides instructions for assessing SAP application-level controls in the following areas of financial statement audits:

Reporting Structure
Chart of Accounts
Journal Entry Posting
Period End Close
Foreign Currency Translation
Inter-company Transactions
Asset Management and Reporting
Cash Management

The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Revenue, Inventory, Expenditure, Human Resources and Basis.

Reporting Structure

The financial reporting structure in SAP is determined by the organization of reporting units known as company codes. There can be multiple company codes within an organization, with each code corresponding to a unique economic entity.


Reporting entities in different countries should have unique company codes since they may be subject to divergent accounting and tax requirements. Each company code has one domestic currency and up to two additional currencies to support financial reporting in multiple currencies. Company codes must be set to productive to prevent the deletion of transactional data. This can be verified through transaction OBR3, or by viewing table T001 through transaction SE16.

The company code structure should correspond to the legal reporting requirements of the company under review. The appropriateness of the structure should be reviewed through the menu path IMG> Enterprise Structure> Financial Accounting> Define Company, transaction OX15 or table T880 (note that the IMG can be accessed through transaction SPRO). Relevant global parameters in the IMG should also be reviewed. These include areas such as Country Keys, Currencies, Controlling Areas, Credit Control Areas, Fiscal Year Variants, Sales and Purchasing Organisations, Business Areas and Plants, and Cost and Profit Centers (IMG> Enterprise Structure> Financial Accounting> Global Settings> Company Code> Global Parameters). Access to transactions such as OX02 (edit company code) and EC01 (copy, delete and check company code) and to the client configuration table T001 should be based on role requirements. Other critical transaction codes are listed in Table A.

TRANSACTION   DESCRIPTION
OB37          Assign Company Code to a Fiscal Year Variant
OBB9          Assign Posting Period Variants to Company Code
OKBD          Define Functional Area
OX03          Define Business Area
FM_FUNCTION   Define Functional Area
OX06          Maintain Controlling Area
KEP8          Create Operating Concern
OX16          Assign Company Code to Company
OB38          Assign Company Code to Credit Control Area
OF18          Assign Company Code to Financial Management Area
OX19          Assign Company Code to Controlling Area
OX18          Assign Plant to Company Code
OVX3          Assign Sales Organization to Company Code
OX01          Assign Purchasing Organization to Company Code
OH05          Assignment of Personnel Area to Company Code
OBB5          Cross-System Company Codes
OBY6          Enter Global Parameters

Table A: Company Code Transactions

Chart of Accounts

The chart of accounts is the container for General Ledger (GL) accounts and the basis for journal entry posting and financial reporting. A chart of accounts can be specific to one company code or cover multiple companies in a single SAP client. GL accounts are assigned to specific account groups determined by account type. The field status for account information and the numbering interval are determined at the group level.

The configuration of all or a sample of account groups should be reviewed to assess which fields are required, optional, displayed or suppressed during the creation of a new account and to ensure that account numbering follows a logical and consistent policy. This can be performed through the menu path General Ledger Accounting> G/L Accounts> Master Data> Preparations> Define Account Group or transaction OBD4. The structure of the Chart of Accounts should also be reviewed through transaction FSP3 to assess account groupings and identify the appropriate use of control accounts for AP and AR. The latter are known as reconciliation accounts and are updated automatically. In other words, SAP does not allow manual journal postings against such accounts. This can be performed through transactions KALE and OK17.

Changes to the chart of accounts should be identified through report RFSABL00, accessible through transaction SA38. Alternatively, changes can be isolated through transactions FS04, FSP4 and FSS4. A sample of changes should be examined for evidence of approval, documentation and testing. Access to SAP functions that enable users to create, modify or delete GL accounts should be restricted and based on business need. This should include the transactions in Table B with authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).

TRANSACTION   DESCRIPTION
FS01          Create Master Record
FS02          Change Master Record
FS00          G/L Acct Master Record Maintenance
FS05          Block Master Record
FS06          Mark Master Record for Deletion
FSS1          Create Master Record in Company Code
FSS2          Change Master Record in Company Code
FSP0          G/L Acct Master Record in Chart/Accts
FSP1          Create G/L Acct Master Record in Chart/Accts
FSP2          Change G/L Acct Master Record in Chart/Accts
FSP5          Block Master Record in Chart/Accts
FSP6          Mark Master Record for Deletion in Chart/Accts

Table B: GL Account Transactions

Journal Entry Posting

SAP is preconfigured with hundreds of document types for purchase orders, customer invoices, goods receipts and many other transactions. Each document type has a unique 2 or 3 letter identifier and a specific number range. Particular attention should be paid to the GL account assignments for SAP documents, since transactional data is posted automatically by the system based on the assignments defined in the configuration. These should be reviewed through transactions OBA7 (Define Document Types) and OB41 (Posting Keys). Samples selected for review should include custom document types, which are more likely to contain assignment errors than standard SAP document types.

Monetary limits for journal entries, cash discounts, and payment or receipt differences should be defined for document types. These can vary by company code and employee group. Tolerance levels should be reviewed through transactions OBA4 and OB57. This should include clearing procedures for critical accounts such as GR/IR.

SAP should also be configured to control posting to prior periods, even though the system is capable of keeping multiple periods open at the same time. This is performed through rules defined in Posting Period Variants, part of the Financial Accounting Global Settings. Note that back-posting settings in Logistics can also be configured to allow posting to prior periods. Both of these areas should be reviewed in the IMG.

SAP Business Workflow is used by many companies to review values and account assignments before journal entries are posted. If enabled, the relevant settings for workflow variants, company codes, and approval paths and groups should be examined under Financial Accounting Global Settings> Document> Document Parking. This should include a review of the fields that cause a release to be revoked if changed after approval, which restarts the release procedure.

BusinessObjects Planning and Consolidation (BPC) and Business One should be configured to block unbalanced journal entries. In BPC, this can be verified through the JRN_BALANCE parameter, which should be set to 1 (journals need to be balanced); the default value is 0 (journals need not be balanced). In Business One, the Block Unbalanced Journal Entry field should be checked under Administration> System Initialization> Document Settings> Journal Entry.

The ability to create, change, delete and reverse journal entries should be restricted to authorized employees. This includes the transactions in Table C with authorization objects with the prefix F_BKPF_ and suffix BUK, KOA, GSB or BLA, and activity levels 01 (create/ enter), 02 (change), 06 (delete) and 77 (pre-enter/ park).

TRANSACTION   DESCRIPTION
FB08          Reverse Document
FB02/ FB09    Change Document
FBL4          Change G/L Account Line Items
F-03/ FB1S    Clear G/L Account
F-02          Enter G/L Account Posting
FBV1          Park Document
F-21/ F-42    Enter Transfer Posting
FBV2          Change Parked Document
FB01/ FBR2    Post Document
FBV4          Change Parked Document Header
FB05          Post with Clearing
FB11          Post Held Document
FBD1          Enter Recurring Entry
FB21          Enter Statistical Posting
FBD2          Change Recurring Entry
FB50          G/L Account Posting
F.14          Execute Recurring Entry
FBV0/ FBVB    Post Parked Document
F.56          Delete Recurring Entry
FBR1          Post with Reference Document
F.81          Reverse Accrual/Deferral Document
F.80          Mass Reversal of Documents

Table C: Journal Entry Transactions
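The access reviews described for Table B (F_SKA1_BUK with activity levels 01, 02, 05 and 06) and Table C (F_BKPF_BUK with 01, 02, 06 and 77) can be applied to a role extract offline. The following Python script is an added example and not part of the original guide: it reads constructed rows laid out like SAP tables AGR_1251 (authorization values per role) and AGR_USERS (user-role assignments); the table names are real, but the role names, user IDs and values are invented, and the script checks only the *_BUK objects named in the guide.

```python
# Audit helper: flag roles and users holding critical FI authorizations.
# Row layouts mimic SAP tables AGR_1251 and AGR_USERS; all data is constructed.
from collections import defaultdict

# (role, object, field, low, high) in AGR_1251 layout; constructed rows
AGR_1251 = [
    ("Z_GL_DISPLAY", "S_TCODE",    "TCD",   "FS00", ""),
    ("Z_GL_DISPLAY", "F_SKA1_BUK", "ACTVT", "03",   ""),      # display only
    ("Z_GL_DISPLAY", "F_SKA1_BUK", "BUKRS", "1000", ""),
    ("Z_GL_MAINT",   "S_TCODE",    "TCD",   "FS00", ""),
    ("Z_GL_MAINT",   "F_SKA1_BUK", "ACTVT", "01",   "02"),    # range 01..02
    ("Z_GL_MAINT",   "F_SKA1_BUK", "BUKRS", "*",    ""),
    ("Z_FI_POST",    "S_TCODE",    "TCD",   "FB50", ""),
    ("Z_FI_POST",    "F_BKPF_BUK", "ACTVT", "*",    ""),      # full wildcard
    ("Z_FI_POST",    "F_BKPF_BUK", "BUKRS", "1000", ""),
]
# (user, role) in AGR_USERS layout; constructed rows
AGR_USERS = [("AUDITOR1", "Z_GL_DISPLAY"),
             ("CLERK1", "Z_GL_MAINT"), ("CLERK1", "Z_FI_POST")]

# Critical activity levels taken from the guide for the *_BUK objects
CHECKS = {
    "GL account maintenance (Table B)": ("F_SKA1_BUK", {"01", "02", "05", "06"}),
    "Journal entry posting (Table C)":  ("F_BKPF_BUK", {"01", "02", "06", "77"}),
}


def activities_granted(rows, role, obj):
    """Collect the ACTVT values one role holds for one authorization object.

    Handles the '*' wildcard and LOW-HIGH ranges (ACTVT values are two-digit
    numeric codes, so a range can be expanded numerically).
    """
    acts = set()
    for r_role, r_obj, field, low, high in rows:
        if (r_role, r_obj, field) != (role, obj, "ACTVT"):
            continue
        if low == "*":
            acts.add("*")
        elif high:
            acts.update(f"{n:02d}" for n in range(int(low), int(high) + 1))
        else:
            acts.add(low)
    return acts


def critical_roles(rows=AGR_1251, checks=CHECKS):
    """Return {check name: {role: sorted critical activities granted}}."""
    roles = {row[0] for row in rows}
    found = defaultdict(dict)
    for name, (obj, critical) in checks.items():
        for role in sorted(roles):
            acts = activities_granted(rows, role, obj)
            hit = set(critical) if "*" in acts else acts & critical
            if hit:
                found[name][role] = sorted(hit)
    return dict(found)


def users_with_critical_access(rows=AGR_1251, users=AGR_USERS, checks=CHECKS):
    """Resolve flagged roles to the users assigned them, per check."""
    flagged = critical_roles(rows, checks)
    return {name: sorted({u for u, r in users if r in roles})
            for name, roles in flagged.items()}
```

A real review would export AGR_1251 and AGR_USERS (for example through SE16) and feed those rows in place of the constructed lists; a role granting ACTVT '*' is reported against every critical level.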

Period End Close

The period end close process extends across many different SAP applications, including SD, MM and PP. However, the majority of steps are performed within the FI and CO areas. Audit procedures for the process should be tuned to each specific client since the process varies between organisations. As a guide, Table D lists the SAP transactions commonly used during the period end close process in sequential order.

TRANSACTION      DESCRIPTION
S_BCE_68000174   Update Exchange Rates
VL10/ VL10A      Ensure Movements are complete
MIRO             Record Purchase Order related AP Transactions
MRBR             Release Blocked Invoices
VXF3             Release Billing Documents for Accounting
FBD1             Enter Recurring Document
F-03             Manual Clearing General Ledger
F-32             Manual Clearing Accounts Receivable
F-44             Manual Clearing Accounts Payable
FB50             Post Adjustment Entries
FAGL_FC_VAL      Foreign Currency Revaluation
AIAB             Order Settlement (Asset Under Construction)
AFAB             Depreciation Run
ASKBN            Periodic Asset Posting
FB50             Automatic GR/IR Clearing
KSA3             Accrual Calculation
MRN0             Stock Valuation
CK11N            Inventory costing
CK24             Price Update
FB50             Stock value adjustment
MMPV             Open Period for Material Master Records
OB52             Open and Close Posting Periods
CJ8G             Calculation of Work In Process (WIP)
KKS1             Prod. and Process Order Variance Calculation
ENGR             Create Intrastat / Extrastat periodic declaration
S_ALR_87012357   Advance Return for Tax on Sales/ Purchases
FB41             Post Tax Payable
F.52             Balance Interest Calculation
CO88             Settlement PP Order
CO02             PP Order (close)
S_ALR_87012289   Compact Document Journal
S_ALR_87012287   Document Journal
FF7A             Cash Position & Liquidity Forecast
OB52             Open and Close Posting Periods
KE30             Run Profitability Report
S_ALR_87012284   Financial Statements
S_ALR_87005830   Controlling Maintain Versions
CK40N            Costing Run
S_ALR_87008275   Define Percentage Overhead (actual)
AFAR             Recalculating Values
ABST2            Account Reconciliation
AJRW             Fiscal Year Change
AJAB             Year-end closing Asset Accounting
F.07             Carry Forward AP/AR Balances
FAGLGVTR         Carry Forward GL Balances
FAGLF101         Regrouping Receivables/Payables
F.17             Balance Confirmation Receivable
F.18             Balance Confirmation Payable
OB52             Close previous accounting period
S_ALR_87012284   Financial Statements
S_ALR_87012287   Document Journal

Table D: Period End Close Transactions

Together with the transactions listed in Table D, user access to SAP functions that control the opening and closing of financial periods should be tightly controlled. This should include transaction OB52 (open and close FI posting periods) and OBBP (define variants for open posting periods) with authorization object S_TABU_DIS and activity level 02 (change).

Asset Management and Reporting

The Financial Accounting Asset Accounting (FI-AA) component is responsible for managing fixed assets in SAP ERP. It serves as a subsidiary ledger to the FI GL, providing detailed information on transactions involving fixed assets. FI-AA integrates directly with other SAP components such as Materials Management (MM) and Plant Maintenance (PM) and manages asset reporting from acquisition to disposal or retirement. The component also tracks, depreciates and reports upon leased assets and assets under construction.

Asset classes in SAP should be configured in line with country-specific requirements. Therefore, asset classes and the associated descriptions should be reviewed through transaction OAOA (define asset classes). Depreciation keys should be defined for each asset class. The keys define the rules for calculating depreciation, such as straight line or declining balance. They also control the useful life of assets. Auditors should review the configuration of all or a sample of depreciation keys through transaction AFAMA (View Maint. for Deprec. Key Method). Depreciation postings can be reviewed through transactions AFBP and AR25. Transaction ABST displays the reconciliation between asset accounting and the general ledger.

If the SAP Project System (PS) is operating alongside FI-AA, the relevant availability controls should be reviewed in PS. These regulate the thresholds for asset acquisitions in excess of approved, budgeted amounts which, if configured correctly, can be blocked altogether. This can be performed through transaction OPS9 and the menu path IMG> Project System> Costs> Budget> Define Tolerance Limits.

An audit of FI-AA should include a review of user access to transaction codes that provide the ability to change AA master data, including asset groups and depreciation tables, as well as to acquire, depreciate and dispose of fixed assets. These are listed in Table E. The review should focus on authorization objects A_A_VIEW, A_S_ANLKL, A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK, S_BDC_MONI and A_C_AFAPL with activity levels 01, 02 and 06.

TRANSACTION   DESCRIPTION
AS01          Create an Asset
AS02          Modify Asset
AS05          Block Asset Master Record
AS06          Delete Asset
ABZE          Acquisition from in-house production
ABZK          Acquisition from purchase w. vendor
F-90          Acquisition w/ Vendor
ABZV          Acquisition from clearing Account
ABZP          Asset Acquisition from affiliated company
AS21          Create an asset group
AS22          Modify Asset
AS25          Block group asset
AS26          Delete an asset group
ABZU          Asset write-up
ABZS          Asset write-up
ABMA          Asset manually depreciate
AFAB/ AFABN   Post depreciation
ABAV/ ABAVN   Retire by scrapping
ABAO/ ABAON   Asset Sale Without Customer
ABAD          Asset Retire from Sale with Customer
ABANK         Retire with cost
AR31          Asset mass retirement
OAP1          Create chart of depreciation
OA52          Close previous account period
OAP2          Change chart of depreciation

Table E: Asset Accounting Transactions

Foreign Currency Translation

Foreign currency exchange ratios and rates are maintained through transactions OBBS and OB08. The underlying tables should be reviewed through these transactions to ensure that ratios and rates are regularly and accurately updated.

SAP provides a variety of valuation methods and also provides an option to create custom methods. Custom valuation methods should be identified and examined very closely. This can be performed through transaction OB59 (foreign currency valuation methods). Automatic postings for foreign currency valuations should be analyzed via transaction OBA1. The assigned accounts are used to record realized and unrealized gains and losses. This should be followed by a review of foreign currency rounding rules in transaction OB90.

Inter-Company Transactions

Inter-company reconciliation is often a bottleneck in the financial close process. As a result, some SAP clients have migrated to the Web-based BusinessObjects Intercompany application. This significantly improves the speed and accuracy of identifying, matching and eliminating related party transactions. However, the majority of organizations continue to rely upon a manual process. Related parties are treated as trading partners in SAP and are defined through IMG > Enterprise Structure > Definition > Financial Accounting > Define Company. Once configured, SAP posts documents such as invoices, payments, receipts and asset transfers between related parties to designated inter-company accounts. Inter-company clearing accounts should be identified using transaction OBYA. All such accounts should be reviewed against the relevant financial statement assertions.

Cash Management

Cash Management (CM) is a component of SAP Treasury (TR) that is used to monitor payment flows and safeguard liquidity. This component is used to perform bank reconciliations and therefore should be a crucial element of an SAP financial audit. Management should regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash transactions and ensure that bank deposits and payments are reflected in the relevant GL accounts. Note that FF67 can be used to import and process bank statements in SAP.

Changes to banking master data should be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness. Access to critical CM transactions should also be reviewed, including those listed in Table F, focusing on authorization objects F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA and F_PAYR_BUK with activity levels 01, 02, 06 and 17.

TRANSACTION   DESCRIPTION
FI12          Change House Banks/Bank Accounts
FI01          Change Master Record
FI02          Change Bank
FI06          Set Flag to Delete Bank
FF67          Manual Bank Statement
FF_5          Import Electronic Bank Statement
FEBA          Post-process Electronic Bank Statement
FLB2          Import Lock box Data
FLB1          Post-processing Lock box Data
F-28          Incoming Payments
FB05          Post payment with clearing
FRFT          Set Up Repetitive Wire
FI10          Parameters for Automatic Payment
FF/4          Import electronic check deposit list
FFB4          Import electronic check deposit list
FF/5          Post electronic check deposit list
FFB5          Post electronic check deposit list
FF68          Manual Check Deposit Transaction
FCHG          Reset cashing/extract data
FF63          Create Planning Memo Record
FCHX          Check Extract Creation
FCHG          Delete cashing/extract data

Table F: Cash Management Transactions


Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth.

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada

Web: www.layersevensecurity.com
Email: [email protected]
Telephone: 1 888 995 0993

© Copyright Layer Seven Security 2012 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.