SAP ECC 6.0 Security and Control Better Practice Guide

SAP ECC 6.0 Security and Control
Foreword
Chapter 1 Introduction
Purpose of this guide
Structure
Why consider controls?
Previous guides and this guide
How to read this guide
Commonly identified control weaknesses
Risks and controls
Optimising SAP controls
Implementation considerations
Risk Checklist
Application controls
Security considerations
Chapter 2 Procurement and payables
Procurement cycle overview
2.1 Procurement and purchasing activities
Functional overview
Procurement process components
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
2.2 Supplier Relationship Management (SRM)
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
2.3 Vendor Master File
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
2.4 Material Master File
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
2.5 Receipt of goods or services
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
2.6 Invoice Processing
Invoice verification overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
2.7 Payment Processing
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
Chapter 3 General Ledger
Functional overview
3.1 General Ledger Master Maintenance
General Ledger master overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
3.2 General Ledger Postings / Reconciliation
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
3.3 New General Ledger
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
Chapter 4 Human Resources
Overview
4.1 Personnel Management
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
4.2 Personal Time Management
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
4.3 Payroll accounting
Payroll calculation and payment overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
4.4 Employee Self Service
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
4.5 Managers Desktop
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
Chapter 5 Basis
Overview
SAP NetWeaver
5.1 Transport Management System
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
5.2 Security
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
5.3 Table and Program Maintenance
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
5.4 Basis System Administration
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
5.5 Mass Maintenance
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
5.6 NetWeaver Security
Functional overview
Security considerations
5.7 Central User Administration
Functional overview
Significant risks
Security considerations
5.8 Backup and Recovery
Functional overview
Significant risks
5.9 Portal Security (SAP Enterprise Portal)
Functional overview
Security considerations
Chapter 6 Controlling
Overview
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
Chapter 7 Project System
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
Chapter 8 Asset Accounting
Overview
8.1 Asset Master Maintenance
Functional overview
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
8.2 Asset Transaction Postings
Functional overview
Commonly identified control weaknesses
Summary of risks
Security considerations
Optimising the SAP control environment
Appendices
Appendix 1: Terminology and definitions
Appendix 2: Upgrading to ECC
1. Implementation of the New General Ledger
2. PRG_CUST Security Parameter - New IMG setting.
3. New System Security Parameters
Appendix 3: SAP and segregation of duties risks
Common SAP access exposures
Implementing segregation of duties in SAP
Links to other chapters in this guide
User access risks
Feature articles
Chapter 3 - Feature article: Shared Services
Overview
Significant risks
Security considerations
Chapter 5 - Feature article: GRC Access Control
Overview
What is GRC Access Control?
GRC Access Control
Risk Analysis and Remediation
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
Superuser Privilege Management
Commonly identified control weaknesses
Significant risks
Security considerations
Optimising the SAP control environment
Chapter 7 - Feature article: Grants management
Overview
Significant risks
Risks and controls
Security considerations
Risks
Risks and controls
HIGH
R200 : Unapproved purchase requisitions/orders are created
R201 : Changes are made to approved requisitions or orders
R202 : Purchase orders do not reference purchase requisitions
R206 : Unauthorised purchases are made by SRM users
R207 : Changes are made to orders after approvals have been gained
R209 : Unapproved or incorrect changes are made to vendor records
R210 : Inappropriate use of the alternative payee function
R211 : Vendor records are not allocated to a reconciliation account
R214 : Material master integrity concerns including valuation issues
R215 : Inventory balances recorded in the material master do not exist
R217 : Unapproved or incorrect purchase requisitions are created
R218 : Goods receipt quantity differs from ordered quantity
R220 : Duplicate invoices are processed
R221 : Unapproved or incorrect non-order invoices are created
R222 : Incorrect purchase order payments are processed
R223 : Goods Receipt (GR) / Invoice Receipt (IR) account is not adequately reconciled
R227 : Unauthorised or incorrect EFT payments are processed
R228 : Inappropriate changes are made to payments in the payment program
R229 : Unapproved or incorrect manual payments are made
R300 : General Ledger system is inadequately configured
R301 : Duplicate, incorrect, or unauthorised maintenance of General Ledger accounts
R304 : Ineffective reconciliation of SAP modules and external interfaces
R305 : Duplicate or incorrect General Ledger journals
R306 : Failure to adequately reconcile key bank accounts
R310 : New General Ledger is inadequately configured
R400 : Employee master integrity concerns / employee cost allocations are incorrect
R401 : Employees are not inactivated when employment is terminated
R402 : Unauthorised changes to employee positions and appointments
R403 : Users are able to view sensitive employee data
R405 : Incorrect or duplicate payments or ghost employees on the payroll
R406 : Payroll system does not reconcile to the General Ledger
R407 : Incorrect changes to pay rates
R408 : Unauthorised or incorrect manual payments
R409 : Incorrect leave accruals
R414 : Unauthorised approval of time, expense or other employee or HR data
R500 : Unauthorised/untested changes are made to the SAP systems
R501 : Emergency changes are not managed appropriately
R503 : Incorrect implementation of administration/ownership policy
R504 : Inappropriate security administration processes
R505 : Ineffective established security parameters
R506 : Inappropriate access to key SAP privileges
R507 : Access is allocated to incompatible transactions
R515 : Changes to critical database tables are not logged
R516 : Users have the ability to modify programs in production
R517 : Inappropriate access to the data dictionary
R519 : SAP security authorisation checks are turned off
R520 : SAP database is not properly maintained
R524 : Inappropriate or unauthorised changes made to data
R526 : Critical SAP data is lost
R550 : Inadequate configuration of segregation of duties ruleset
R551 : Ineffective identification, documentation or over-reliance on mitigation controls
R552 : Failure to implement preventative segregation of duties checking
R554 : Inadequate Firefighter configuration
R555 : Failure to effectively review Firefighter activity logs
R600 : Reconciliation problems between the FI and CO modules
R601 : Ineffective maintenance of CO master data
R602 : Incorrect allocations or reversal of costs to Cost Centres
R603 : Incorrect or failure to settle internal order costs
R700 : Incorrect set up or changes to project or WBS structures
R701 : Configuration issues with settlement rules
R702 : Inadequate project justification or unapproved projects
R703 : Inadequate management of project timeframes, deliverables and costs
R710 : Inappropriate establishment approval of each Grant project
R711 : Untimely settlement of costs
R712 : Allocation of costs against the incorrect project
R800 : High value assets are entered into a low value asset class
R803 : Asset depreciation charges are incorrect
R804 : Expenditure is not correctly capitalised
R805 : Acquisitions are not approved
R806 : Failure to record all asset transactions within the General Ledger
MEDIUM
R203 : Approved blanket purchase order values are exceeded
R204 : Non-strategic vendors are used for purchasing
R205 : Invoice and goods receipt settings are changed in purchase order creation
R208 : Inappropriate invoices are entered into the system
R212 : Duplicate vendor records are created
R213 : Incorrect payments are made through one-time vendor accounts
R216 : Duplicate material items exist
R219 : Damaged goods are accepted
R224 : Parked and blocked invoices are not actioned
R225 : Returned goods are still invoiced
R226 : Inappropriate changes are made to invoices after processing
R230 : Incorrect changes made to recurring payments
R231 : Payment methods are not assigned to vendor accounts
R302 : Incorrect maintenance of accounting periods
R303 : Incorrect maintenance of exchange rates
R307 : Negative postings are permitted
R308 : Parked journals are not actioned on a timely basis
R309 : Failure to adequately perform period end procedures
R404 : Inaccurate or untimely entry of timesheet data
R410 : Executive payroll is not adequately segregated
R411 : Incorrect electronic funds transfer (EFT) payments
R412 : Excessive or unauthorised access to sensitive HR data
R413 : Leave taken is not accurately recorded
R502 : Access to test and quality systems is not appropriately restricted
R508 : Unauthorised OSS access
R509 : Inappropriate access to SAP utilities
R510 : Inappropriate derived role maintenance and configuration
R511 : Insufficient reporting security
R512 : Use of standard SAP roles or profiles
R513 : Inappropriate operating system access
R514 : Unauthorised database access is obtained
R518 : Tables and programs are not restricted by authorisation group
R521 : Inadequate user and system documentation
R522 : Client, country and company code configuration is inadequate
R523 : SAProuter settings are incorrect
R525 : CUA configuration and ALE landscape may not be configured correctly
R553 : Incorrect setup of overall configuration options
R556 : Using Firefighter to remediate segregation of duties issues rather than for support purposes
R557 : Definition of an incorrect set of critical transactions
R704 : Projects are not closed or are closed with open commitments
R705 : Project System does not interface to the General Ledger
R801 : Duplicate or incomplete Asset Master Records are created
R802 : Asset records on the Asset Register do not exist
R807 : Asset retirements and transfers are processed incorrectly
R808 : Asset revaluations are incorrectly performed
Segregation of duties risks
Procurement and purchasing activities
Supplier Relationship Management (SRM)
Vendor master file
Receipt of goods or services
Invoice processing
Payment processing
General Ledger Master Maintenance
General Ledger Postings / Reconciliation
Personnel Management
Personal Time Management
Payroll accounting
Controlling
Project Systems
Feature Article Grants Management
Asset Master Maintenance
Asset Transaction Postings
Case Study