
SAP Audit Guide

for Financial Accounting

This Audit Guide is designed to assist the review of financial reporting processes that rely upon automated functions in SAP systems.
The specific areas examined in this Guide are the relevant configurables, transactions, authorizations and reports in the General Ledger (GL), Asset Accounting (AA) and Bank Accounting (BA) components of the SAP Financial Accounting module. The Guide provides instructions for assessing SAP application-level controls in the following areas of financial statement audits:

Reporting Structure
Chart of Accounts
Journal Entry Posting
Period End Close
Foreign Currency Translation
Inter-company Transactions
Asset Management and Reporting
Cash Management

The Guide is written in clear, non-technical terms to enable financial and operational auditors to navigate the complexities of SAP security successfully. Upcoming volumes of this Guide will deal with SAP controls in areas such as Revenue, Inventory, Expenditure, Human Resources and Basis.

Reporting Structure

The financial reporting structure in SAP is determined by the organization of reporting units known as company codes. There can be multiple company codes within an organization, with each code corresponding to a unique economic entity. Reporting entities in different countries should have unique company codes since they may be subject to divergent accounting and tax requirements. Each company code has one domestic currency and up to two additional currencies to support financial reporting in multiple currencies. Company codes must be set to productive to prevent the deletion of transactional data. This can be verified through transaction code OBR3, or in table T001 through transaction SE16.

The company code structure should correspond to the legal reporting requirements of the company under review. The appropriateness of the structure should be reviewed through the menu path IMG> Enterprise Structure> Financial Accounting> Define Company, transaction OX15 or table T880 (note that the IMG can be accessed through transaction SPRO). Relevant global parameters in the IMG should also be reviewed. These include areas such as Country Keys, Currencies, Controlling Areas, Credit Control Areas, Fiscal Year Variants, Sales and Purchasing Organisations, Business Areas and Plants, and Cost and Profit Centers (IMG> Enterprise Structure> Financial Accounting> Global Settings> Company Code> Global Parameters). Access to transactions such as OX02 (edit company code) and EC01 (copy, delete and check company code) and to the client configuration table T001 should be based on role requirements. Other critical transaction codes are listed in Table A.

TRANSACTION      DESCRIPTION
OX16             Assign Company Code to Company
OB38             Assign Company Code to Credit Control Area
OF18             Assign Company Code to Financial Management Area
OX19             Assign Company Code to Controlling Area
OX18             Assign Plant to Company Code
OVX3             Assign Sales Organization to Company Code
OX01             Assign Purchasing Organization to Company Code
OH05             Assignment of Personnel Area to Company Code
OBB5             Cross-System Company Codes
OBY6             Enter Global Parameters
OB37             Assign Company Code to a Fiscal Year Variant
OBB9             Assign Posting Period Variants to Company Code
OKBD             Define Functional Area
OX03             Define Business Area
FM_FUNCTION      Define Functional Area
OX06             Maintain Controlling Area
KEP8             Create Operating Concern

Table A: Company Code Transactions

Chart of Accounts

The chart of accounts is the container for General Ledger (GL) accounts and the basis for journal entry posting and financial reporting. A chart of accounts can be company code specific or cover multiple companies in a single SAP client. GL accounts are assigned to specific groups determined by account type. The field status for account information and the numbering interval are determined at the group level. The configuration of all or a sample of account groups should be reviewed to assess which fields are required, optional, displayed or suppressed during the creation of a new account, and to ensure that account numbering follows a logical and consistent policy. This can be performed through the menu path General Ledger Accounting> G/L Accounts> Master Data> Preparations> Define Account Group or transaction OBD4. The structure of the chart of accounts should also be reviewed through transaction FSP3 to assess account groupings and identify the appropriate use of control accounts for AP and AR. The latter are known as reconciliation accounts and are updated automatically; in other words, SAP does not allow manual journal postings against such accounts. This can be performed through transactions KALE and OK17.

Changes to the chart of accounts should be identified through report RFSABL00, accessible through transaction SA38. Alternatively, changes can be isolated through transactions FS04, FSP4 and FSS4. A sample of changes should be examined for evidence of approval, documentation and testing. Access to SAP functions that enable users to create, modify or delete GL accounts should be restricted and based on business need. This should include the transactions in Table B with authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).

Journal Entry Posting

SAP is preconfigured with hundreds of document types for purchase orders, customer invoices, goods receipts and many other transactions. Each document type has a unique 2 or 3 letter identifier and a specific numbering range. Particular attention should be paid to the GL account assignments for SAP documents, since transactional data is posted automatically by the system based on the assignments defined in the system configuration. These should be reviewed through transactions OBA7 (Define Document Types) and OB41 (Posting Keys). Samples selected for review should include custom documents, which are more likely to have assignment errors than standard SAP documents. Monetary limits for journal entries, cash discounts and payment or receipt differences should be defined for document types. These can vary by company code and employee group. Tolerance levels should be reviewed through transactions OBA4 and OB57. This should include clearing procedures for critical accounts such as GR/IR. SAP should also be configured to control posting to prior periods, even though the system is capable of keeping multiple periods open at the same time. This is performed through rules defined in Posting Period Variants, part of the Financial Accounting Global Settings. Note that back posting settings in Logistics can also be configured to allow posting to prior periods.
Both of these areas should be reviewed in the IMG. SAP Business Workflow is used by many companies to review values and account assignments prior to posting journal entries. If enabled, the relevant settings for workflow variants, company codes, and approval paths and groups should be examined under Financial Accounting Global Settings> Document> Document Parking. This should include a review of the fields that would cause a release to be revoked if changed after approval, which would lead to a restart of the release procedure. BusinessObjects Planning and Consolidation (BPC) and BusinessOne should be configured to block unbalanced journal entries. In the former, this can be verified through the JRN_BALANCE parameter. The parameter should be set to 1 (Journals need to be balanced). The default value is 0 (Journals need not be balanced). In the latter, the field Block Unbalanced Journal Entry should be checked in Administration> System Initialization> Document Settings> Journal Entry.

TRANSACTION      DESCRIPTION
FS01             Create Master Record
FS02             Change Master Record
FS00             G/L Acct Master Record Maintenance
FS05             Block Master Record
FS06             Mark Master Record for Deletion
FSS1             Create Master Record in Company Code
FSS2             Change Master Record in Company Code
FSP0             G/L Acct Master Record in Chart/Accts
FSP1             Create G/L Acct Master Record in Chart/Accts
FSP2             Change G/L Acct Master Record in Chart/Accts
FSP5             Block Master Record in Chart/Accts
FSP6             Mark Master Record for Deletion in Chart/Accts

Table B: GL Account Transactions
The ability to create, change, delete and reverse journal entries should be restricted to authorized employees. This includes the transactions in Table C with authorization objects with the prefix F_BKPF_ and suffix BUK, KOA, GSB and BLA, and activity levels 01 (create/enter), 02 (change), 06 (delete) and 77 (pre-enter/park).

TRANSACTION      DESCRIPTION
F-02             Enter G/L Account Posting
F-21/ F-42       Enter Transfer Posting
FB01/ FBR2       Post Document
FB05             Post with Clearing
FB11             Post Held Document
FB21             Enter Statistical Posting
FB50             G/L Account Posting
FBV0/ FBVB       Post Parked Document
FBR1             Post with Reference Document
F.81             Reverse Accrual Deferral Document
FB08             Reverse Document
F.80             Mass Reversal of Documents
FBD1             Enter Recurring Entry
FBD2             Change Recurring Entry
F.14             Execute Recurring Entry
F.56             Delete Recurring Entry
FBV4             Change Parked Document Header
FB08             Reverse Document
FB02/ FB09       Change Document
FBL4             Change G/L Account Line Items
F-03/ FB1S       Clear G/L Account
FBV1             Park Document
FBV2             Change Parked Document

Table C: Journal Entry Transactions
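The access reviews called for above (GL master data via F_SKA1_* with activities 01/02/05/06, journal entries via F_BKPF_* with activities 01/02/06/77) can be run offline against role exports. The following Python is an added example, not part of this Guide: it reads constructed CSV exports assumed to follow the SAP role tables AGR_1251 (authorization field values per role: AGR_NAME, OBJECT, FIELD, LOW, HIGH) and AGR_USERS (AGR_NAME, UNAME), resolves ACTVT wildcards and ranges, and lists which users hold the critical objects and activities; all role and user names are made up.

```python
"""Flag users holding critical GL master-data and journal-entry authorizations.
Added example, not from the guide: reads constructed CSV exports assumed to mirror
SAP role tables AGR_1251 (auth values per role) and AGR_USERS (role assignment).
Direct profile assignments, composite roles and validity dates are not covered."""
import csv
from collections import defaultdict
# Objects and ACTVT values the guide calls critical: F_BKPF_* for journal entries
# (create/change/delete/park), F_SKA1_* for GL accounts (create/change/block/delete).
CRITICAL = {
    "F_BKPF_BUK": {"01", "02", "06", "77"}, "F_BKPF_KOA": {"01", "02", "06", "77"},
    "F_BKPF_GSB": {"01", "02", "06", "77"}, "F_BKPF_BLA": {"01", "02", "06", "77"},
    "F_SKA1_KTP": {"01", "02", "05", "06"}, "F_SKA1_BUK": {"01", "02", "05", "06"},
}

# Constructed sample exports; role and user names are made up.
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_GL_POST,F_BKPF_BUK,ACTVT,01,
Z_GL_DISPLAY,F_BKPF_BUK,ACTVT,03,
Z_GL_MASTER,F_SKA1_BUK,ACTVT,01,06
Z_GL_MASTER_ALL,F_SKA1_KTP,ACTVT,*,
"""
AGR_USERS = """AGR_NAME,UNAME
Z_GL_POST,JSMITH
Z_GL_DISPLAY,AUDITOR1
Z_GL_MASTER,MJONES
Z_GL_MASTER_ALL,BATCHADM
"""

def activities_covered(low, high, wanted):
    """Subset of `wanted` granted by one AGR_1251 row: '*' grants all, a lone LOW one
    value, LOW..HIGH an inclusive range (ACTVT is zero-padded, so text compare works)."""
    if low == "*":
        return set(wanted)
    if not high:
        return {low} & wanted
    return {a for a in wanted if low <= a <= high}

def critical_roles(agr_1251_csv):
    """Map role -> {object: set of critical ACTVT values it grants}."""
    found = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(agr_1251_csv.splitlines()):
        obj = row["OBJECT"]
        if row["FIELD"] == "ACTVT" and obj in CRITICAL:
            hit = activities_covered(row["LOW"], row["HIGH"], CRITICAL[obj])
            if hit:
                found[row["AGR_NAME"]][obj] |= hit
    return found

def users_with_critical_access(agr_1251_csv, agr_users_csv):
    """Map user -> list of (role, object, 'comma-joined ACTVT') findings."""
    roles = critical_roles(agr_1251_csv)
    findings = defaultdict(list)
    for row in csv.DictReader(agr_users_csv.splitlines()):
        for obj, acts in sorted(roles.get(row["AGR_NAME"], {}).items()):
            findings[row["UNAME"]].append((row["AGR_NAME"], obj, ",".join(sorted(acts))))
    return dict(findings)

if __name__ == "__main__":  # stand-alone run: one line per user with findings
    for user, hits in sorted(users_with_critical_access(AGR_1251, AGR_USERS).items()):
        print(user, *hits)
```

Users returned by the script are then compared against the list of employees approved for posting or master data maintenance; display-only roles (activity 03) such as the constructed Z_GL_DISPLAY are ignored by design.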

Period End Close

The period end close process extends across many different SAP applications, including SD, MM and PP. However, the majority of steps are performed within the FI and CO area. Audit procedures for the process should be tuned for each specific client since the process varies between organisations. As a guide, Table D lists the SAP transactions commonly used during the period end close process in sequential order. Together with the transactions listed in Table D, user access to SAP functions that control the opening and closing of financial periods should be tightly controlled. This should include transaction OB52 (opening and closing FI posting periods) and OBBP (define variants for open posting periods) with authorization object S_TABU_DIS and activity level 02 (change).

TRANSACTION          DESCRIPTION
S_BCE_68000174       Update Exchange Rates
VL10/ VL10A          Ensure Movements are complete
MIRO                 Record Purchase Order related AP Transactions
MRBR                 Release Blocked Invoices
VFX3                 Release Billing Documents for Accounting
MMPV                 Open Period for Material Master Records
OB52                 Open and Close Posting Periods
CJ8G                 Calculation of Work In Process (WIP)
KKS1                 Prod. and Process Order Variance Calculation
CO88                 Settlement PP Order
CO02                 PP Order (close)
CK11N                Inventory costing
CK24                 Price Update
FB50                 Stock value adjustment
ENGR                 Create Intrastat / Extrastat periodic declaration
S_ALR_87012357       Advance Return for Tax on Sales/Purchases
FB41                 Post Tax Payable
F.52                 Balance Interest Calculation
FBD1                 Enter Recurring Document
F-03                 Manual Clearing General Ledger
F-32                 Manual Clearing Accounts Receivable
F-44                 Manual Clearing Accounts Payable
FB50                 Post Adjustment Entries
FAGL_FC_VAL          Foreign Currency Revaluation
AIAB                 Order Settlement (Asset Under Construction)
AFAB                 Depreciation Run
ASKBN                Periodic Asset Posting
FB50                 Automatic GR/IR Clearing
KSA3                 Accrual Calculation
MRN0                 Stock Valuation

Table D: Period End Close Transactions
TRANSACTION          DESCRIPTION
S_ALR_87012289       Compact Document Journal
S_ALR_87012287       Document Journal
FF7A                 Cash Position & Liquidity Forecast
OB52                 Open and Close Posting Periods
KE30                 Run Profitability Report
S_ALR_87012284       Financial Statements
S_ALR_87005830       Controlling Maintain Versions
CK40N                Costing Run
S_ALR_87008275       Define Percentage Overhead (actual)
AFAR                 Recalculating Values
ABST2                Account Reconciliation
AJRW                 Fiscal Year Change
AJAB                 Year-end closing Asset Accounting
F.07                 Carry Forward AP/AR Balances
FAGLGVTR             Carry Forward GL Balances
FAGLF101             Regrouping Receivables/Payables
F.17                 Balance Confirmation Receivable
F.18                 Balance Confirmation Payable
OB52                 Close previous account period
S_ALR_87012284       Financial Statements
S_ALR_87012287       Document Journal

Table D: Period End Close Transactions cont.

Asset Management and Reporting

The Financial Accounting Asset Accounting (FI-AA) component is responsible for managing fixed assets in SAP ERP. It serves as a subsidiary ledger to the FI GL, providing detailed information on transactions involving fixed assets. AA integrates directly with other FI components such as Materials Management (MM) and Plant Maintenance (PM) and manages asset reporting from acquisition to disposal or retirement. The component also tracks, depreciates and reports upon leased assets and assets under construction. Asset classes in SAP should be configured in line with country-specific requirements. Therefore, asset classes and the associated descriptions should be reviewed through transaction OAOA (define asset classes). Depreciation keys should be defined for each asset class. The keys define the rules for calculating depreciation, such as straight line or declining balance. They also control the useful life of assets. Auditors should review the configuration of all or a sample of depreciation keys through transaction AFAMA (View Maint. for Deprec. Key Method). Depreciation postings can be reviewed through transactions AFBP and AR25. Transaction ABST displays the reconciliation between asset accounting and the general ledger.
If the SAP Project System (PS) is operating alongside FI-AA, the relevant availability controls should be reviewed in PS. These regulate the thresholds for asset acquisitions in excess of approved, budgeted amounts which, if configured correctly, can be blocked altogether. This can be performed through transaction OPS9 and the menu path IMG> Project System> Costs> Budget> Define Tolerance Limits. An audit of FI-AA should include a review of user access to transaction codes that provide the ability to change AA master data, including asset groups and depreciation tables, as well as to acquire, depreciate and dispose of fixed assets. These are listed in Table E. The review should focus on authorization objects A_A_VIEW, A_S_ANLKL, A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK, S_BDC_MONI and A_C_AFAPL with activity levels 01, 02 and 06.

TRANSACTION      DESCRIPTION
AS01             Create an Asset
AS02             Modify Asset
AS05             Block Asset Master Record
AS06             Delete Asset
ABZE             Acquisition from in-house production
ABZK             Acquisition from purchase w. vendor
F-90             Acquisition w/ Vendor
ABZV             Acquisition from clearing Account
ABZP             Asset Acquisition from affiliated company
AS21             Create an asset group
AS22             Modify Asset
AS25             Block group asset
AS26             Delete an asset group
ABZU             Asset write-up
ABZS             Asset write-up
ABMA             Asset manually depreciate
AFAB/ AFABN      Post depreciation
ABAV/ ABAVN      Retire by scrapping
ABAO/ ABAON      Asset Sale Without Customer
ABAD             Asset Retire from Sale with Customer
ABANK            Retire with cost
AR31             Asset mass retirement
OAP1             Create chart of depreciation
OA52             Close previous account period
OAP2             Change chart of depreciation

Table E: Asset Accounting Transactions
Foreign Currency Translation

Foreign currency exchange ratios and rates are maintained through transactions OBBS and OB08. The underlying tables should be reviewed through these transactions to ensure that ratios and rates are regularly and accurately updated. SAP provides a variety of valuation methods and even provides an option to create custom methods. Custom valuations should be identified and examined very closely. This can be performed through transaction OB59 (foreign currency valuation methods). Automatic postings for foreign currency valuations should be analyzed via transaction OBA1. The assigned accounts are used to record realized/unrealized gains and losses. This should be followed by a review of foreign currency rounding rules in transaction OB90.

Cash Management

Cash Management (CM) is a component of SAP TR that is used to monitor payment flows and safeguard liquidity. This component is used to perform bank reconciliations and therefore should be a crucial element of an SAP financial audit. Management should regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash transactions and ensure bank deposits and payments are reflected in the relevant GL accounts. Note that FF67 can be used to import and process bank statements in SAP. Changes to banking master data should be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness. Also, access to critical CM transactions should be reviewed, including those listed in Table F, focusing on authorization objects F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA and F_PAYR_BUK with activity levels 01, 02, 06 and 17.

Inter-Company Transactions

Inter-company reconciliation is often a bottleneck in the financial close process. As a result, some SAP clients have migrated to the Web-based BusinessObjects Intercompany application. This significantly improves the speed and accuracy of identifying, matching and eliminating related party transactions. However, the majority of organizations continue to rely upon a manual process. Related parties are treated as trading partners in SAP and are defined through IMG > Enterprise Structure > Definition > Financial Accounting > Define Company. Once configured, SAP will post documents such as invoices, payments, receipts and asset transfers between related parties to designated inter-company accounts. Inter-company clearing accounts should be identified using transaction OBYA. All such accounts should be reviewed against the relevant financial statement assertions.

TRANSACTION      DESCRIPTION
FI12             Change House Banks/Bank Accounts
FI01             Change Master Record
FI02             Change Bank
FI06             Set Flag to Delete Bank
FF67             Manual Bank Statement
FF_5             Import Electronic Bank Statement
FEBA             Post-process Electronic Bank Statement
FLB2             Import Lockbox Data
FLB1             Post-processing Lockbox Data
F-28             Incoming Payments
FB05             Post payment with clearing
FRFT             Set Up Repetitive Wire
FI10             Parameters for Automatic Payment
FF/4             Import electronic check deposit list
FFB4             Import electronic check deposit list
FF/5             Post electronic check deposit list
FFB5             Post electronic check deposit list
FF68             Manual Check Deposit Transaction
FCHG             Reset cashing/extract data
FF63             Create Planning Memo Record
FCHX             Check Extract Creation
FCHG             Delete cashing/extract data

Table F: Cash Management Transactions

Layer Seven Security


About Us

Layer Seven Security specializes in SAP security. We serve customers worldwide to protect information assets against internal and external threats and to comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing the risks associated with contemporary SAP systems. Our consultants have an average of ten years of experience in the field of SAP security and proficiency in regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX. The company is privately owned and headquartered in Toronto, Canada.

Address Westbury Corporate Centre Suite 101 2275 Upper Middle Road Oakville, Ontario L6H 0C3, Canada

Web www.layersevensecurity.com Email info@layersevensecurity.com Telephone 1 888 995 0993

Copyright Layer Seven Security 2011 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
