ISACA 2009 Mar 26 - Presentation v8 - from Rajeev Dasgupta 24.3.2009

Date posted: 02-Apr-2015
Uploaded by: jiten76
Security in SAP Environments ISACA London Chapter 26 March 2009 Rajeev Dasgupta PricewaterhouseCoopers
Transcript
Page 1: ISACA 2009 Mar 26 - Presentation v8 - from Rajeev Dasgupta 24.3.2009

Security in SAP Environments

ISACA London Chapter, 26 March 2009

Rajeev Dasgupta, PricewaterhouseCoopers

Page 2

Topics

Introduction

Overview of SAP

Key Risks and Controls in SAP

Audit Challenges in SAP Environments

Preparing for a SAP Audit

Third Party Tools

Page 3

An Introduction to ERP Systems

Enterprise resource planning (ERP) is an enterprise-wide information system designed to coordinate all resources, information, and activities needed to perform business activities.

Based on a common database and a modular software design – the common database allows ‘central storage’ of information, with real-time retrieval.

Modular software design allows for free selection of modules required.

Driving benefit is open availability of real-time information which is easily accessible, enabling management by information.

ERP systems attempt to cover all basic functions of an enterprise, regardless of the organisation's business.

High-end ERP systems have business-specific functionality.

Prominent ERP systems – SAP, Oracle, Microsoft Dynamics.

Page 4

Overview of SAP

Page 5

A Bit of History …

• 1973: SAP launches R/1 (‘R’ stands for real-time data processing)

• 1979: Mainframe-based R/2 solution released

• 1992: R/3 solution unleashed on market (real-time data processing; 3-tier client-server architecture)

• The original R/3 solution has evolved significantly over the years – numerous releases (3.0x, 3.1x, 4.0x, 4.6x, Enterprise 4.7 and mySAP ERP)

• Most current version of SAP is SAP ECC6 ERP (part of the SAP Business Suite)

Page 6

Some Facts and Figures

• World’s 3rd largest independent software vendor

• Originally used primarily by large companies – now widely used by small and medium sized enterprises as well

• SAP solutions help enterprises of all sizes improve customer relationship processes, enhance partner collaboration and create efficiencies across their supply chains and business operations

• In addition, SAP solution portfolios support unique business processes of more than 25 industries, including high tech, retail, financial services, healthcare and the public sector

• Currently, more than 12 million users work each day with SAP solutions!

• SAP now has 121,000 installations worldwide, more than 1,500 SAP partners, and more than 75,000 customers in 120 countries

Page 7

Key Characteristics – Systems, Applications and Products in Data Processing …

Multifunctional: SAP can track financial results, procurement, sales, manufacturing, human resources and payroll.

Integrated: SAP integrates all business processing through one application, which can be integrated with other office tools (e.g. MS Word, MS Excel).

Modular: SAP comprises 18-20 modules in finance, logistics and HR. One or more SAP modules can be implemented.

Enterprise Wide: SAP is typically accessible by the entire business organisation. Most company information and transactions originate from SAP.

“Real Time”: An order in SAP can automatically generate an inventory movement and a posting in the GL without any “human” intervention.

Page 8

SAP Technical Structure

Presentation (GUI) – Application servers – Database server

Page 9

Key Modules

BASIS: Security; Change Management; Computer Operations

SD – Sales & Distribution: Sales; Distribution; Invoicing

PP – Production Planning: Re-order control; Production Planning & Control

PM – Plant Maintenance

FI – Financial Accounting: Accounts Payable; Accounts Receivable; General Ledger; Cash Management; Consolidation; Asset Accounting; Project Systems

MM – Materials Management: Purchasing; Goods Receipt; Inventory Control; Invoice Verification; Inventory Mgmt

WMS – Warehouse Mgmt

HR – Human Resources: Personnel Administration; Payroll Accounting

CO: Cost Centre/Profit Centre; Profitability Analysis

Financial Reporting

Page 10

Industry Solutions

SAP has also developed industry-specific solutions. Some key solutions:

Banking: IS - B (Industry Specific Banking)

Retail: IS - R (Industry Specific Retail)

Energy Utilities: IS - U (Industry specific Utilities – Supplier Switch)

Oil: IS - Oil (Industry specific Oil)

Insurance: FS Insurance (Financial Services Insurance); FS RI (Financial Services Reinsurance Management); FS CM (Financial Services Claim Management)

Page 11

SAP Basis

A key component of SAP as most security functions are controlled through Basis!

1. It is the middleware that integrates the Database, Operating System, Authorisations and Development/Customising Processes with the application modules (e.g. FI, CO, MM).

2. It enables the SAP application modules to operate, irrespective of any underlying IT platform.

3. It includes:

• System Configuration (customising)

• Repository (programming)

• Data Dictionary

• Access/Authorisations

• System Administration and monitoring tools

Page 12

Basis and Security Functions

[Diagram: Basis at the centre, surrounded by the application modules (QM, PM, HR, FI, CO, AM, PP, MM, SD, IM, WM, PS)]

User Access

Only users with active User Master Records can log onto the system. They are always checked during online and background processing and include:

Basic user data

User defaults

User profile information

Security Authorization Concept

Applies to Basis and functional components

Access to the system is restricted through authorisation objects

Access must be explicitly granted through the use of authorisations

Others

Table maintenance

Security parameters

Program security

Remote access

Extensions / bolt-ons
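The authorisation concept on this slide (access is denied unless an authorisation for the object explicitly grants every field value) is easier to reason about as code. The following Python is an added example written for this transcript, not code from the presentation or from SAP. The user's authorisations are constructed sample data; the object and field names (S_TCODE/TCD for transaction start, F_BKPF_BUK/BUKRS and ACTVT for FI posting by company code) follow SAP's naming, while the matching rules are a deliberately simplified version of the real check.

```python
"""Simplified model of the SAP authorisation concept: deny by default,
grant only when one authorisation covers the whole request."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Authorization:
    """One authorisation: an authorisation object plus, per field,
    the value patterns it grants ('*' is a wildcard, as in SAP)."""
    obj: str
    fields: Dict[str, Tuple[str, ...]]


def value_allowed(pattern: str, value: str) -> bool:
    """'*' alone matches anything; a trailing '*' matches a prefix;
    anything else must match exactly (simplification of SAP's rules)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authorization_grants(auth: Authorization, obj: str, request: Dict[str, str]) -> bool:
    """A single authorisation grants a request only if it names the same
    object and every requested field value is covered by one of its patterns."""
    if auth.obj != obj:
        return False
    for name, value in request.items():
        patterns = auth.fields.get(name)
        if patterns is None:  # field never granted at all -> no access
            return False
        if not any(value_allowed(p, value) for p in patterns):
            return False
    return True


def has_authority(user_auths: List[Authorization], obj: str, **request: str) -> bool:
    """Deny by default: True only if at least one authorisation covers the request."""
    return any(authorization_grants(a, obj, request) for a in user_auths)


# Constructed sample: the effective authorisations of an accounts-payable clerk.
AP_CLERK = [
    Authorization("S_TCODE", {"TCD": ("FB60", "FB03", "FK03")}),
    Authorization("F_BKPF_BUK", {"BUKRS": ("1000",), "ACTVT": ("01", "03")}),
]

# Constructed sample: a super-user style profile granting every transaction.
SUPER_USER = [Authorization("S_TCODE", {"TCD": ("*",)})]


def can_post_vendor_invoice(auths: List[Authorization], company_code: str) -> bool:
    """Posting an invoice needs both the transaction start (FB60) and the
    posting object for that company code with activity 01 (create)."""
    return (has_authority(auths, "S_TCODE", TCD="FB60")
            and has_authority(auths, "F_BKPF_BUK", BUKRS=company_code, ACTVT="01"))


def can_change_vendor_master(auths: List[Authorization]) -> bool:
    """FK02 (change vendor) must be explicitly granted; display (FK03) is not enough."""
    return has_authority(auths, "S_TCODE", TCD="FK02")


if __name__ == "__main__":
    print(can_post_vendor_invoice(AP_CLERK, "1000"))   # True
    print(can_post_vendor_invoice(AP_CLERK, "2000"))   # False: company code not granted
    print(can_change_vendor_master(AP_CLERK))          # False: FK02 never granted
    print(has_authority(SUPER_USER, "S_TCODE", TCD="SU01"))  # True: wildcard grant
```

The last call is the point the "super user profiles" risk on slide 15 is about: a single `*` value satisfies every request, which is why such profiles are audited as sensitive access rather than as ordinary authorisations.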

Page 13

Interfaces

Many organisations decide not to implement the full suite of modules and instead utilise satellite systems for specific areas.

Some of the most common areas where companies use satellite systems with SAP are:

Industry specific systems

HR / Payroll

Manufacturing

Group consolidation

Management reporting

SAP’s interface framework facilitates communications and interactions between different business tools:

SAP Exchange Infrastructure (SAP XI) enables the implementation of cross-system processes. It allows systems from different vendors, written in different programming languages, to be connected to each other.

The Legacy System Migration Workbench (LSMW) is a tool recommended by SAP to transfer data once only or periodically from legacy systems into an R/3 System.

An SAP R/3 Remote Function Call (RFC) is a synchronous communication process method used to call and execute predefined functions within SAP R/3. RFCs work between two SAP systems, or between an SAP system and an external system.

Page 14

Key Risks and Controls in SAP

Page 15

Key Risks

• Inappropriate access to system functionality because of incorrectly configured SAP security.

• Increased remote or local access by external personnel (i.e. consultants or support teams).

• Inappropriate system management on account of skills gaps.

• Data inconsistencies due to interfaces / data conversion processes.

• Integrated data and transaction processing in a single system results in a single point of failure for all organisational data.

• Users’ reluctance to accept this initially complex system could result in data inaccuracies.

• Inherent process risks (e.g. unauthorised purchases, bypassing credit limits etc.)

• SAP control functionality may not be appropriately configured (e.g. super user profiles, generic accounts, system parameters, privileged accounts etc.)

• The high level of integration between processes increases exposure to segregation of duties conflicts.

• Higher level of expertise is required to effectively audit the system.

Risk categories: Business Risks; Technical Risks; Control Risks

Page 16

Additional Risk Considerations

1. Business Warehouse/Reporting

2. Interfaces

3. Asset Accounting

4. Consolidation

5. HR and Payroll

6. Industry Solutions

Page 17

Key Control Points in SAP

IT General Controls:

Project Management

Testing

Data Conversion

Change Management

SAP Authorisations and User Provisioning

Operating System and Database Security

Backup, Recovery and Contingency Planning

Physical Security and other infrastructure controls

Business Process Controls:

Interfaces

Process-resident controls (e.g. release strategies, credit limit checks etc.)

Edit and validation controls (field settings etc.)

Monitoring Reports

Sensitive access

Segregation of duties

Page 18

Audit Challenges in SAP Environments

Page 19

It’s Not Easy!

The complexity of the organisational model in SAP makes it difficult to determine the scope of the audit

Underneath the business front end sits a very complicated system

Integration of business processes within SAP increases the importance of getting segregation of duties right

The use of Computer Assisted Audit Tools and Techniques (CAATTs) is virtually mandatory in order to complete a full SoD analysis.

Process automation and customisation creates new audit challenges

Data errors can flow right through end-to-end business processes

Page 20

Preparing for a SAP Audit

Page 21

The Audit Cycle

Auditing in a SAP environment

Page 22

Planning the Right Level of Work – Control Types in SAP

[Diagram: Business / IT Transactions flow through the SAP control environment into Management Information and Financial Statements]

SAP control environment:

SAP Inherent controls

SAP Configurable controls

SAP Access and SoD

SAP Reports & Manual Procedures

Note: Inherent controls are hard coded into the system and cannot be changed

Page 23

Control Types – Examples

SAP Inherent Controls: Entries must balance prior to processing

SAP Configuration: Release strategies, Invoice tolerances

SAP Access Controls: Access to Vendor Master Data is restricted

Reporting & Manual procedures: Edit reports, Account analysis, Reconciliations

Page 24

Getting the Right Coverage – The SAP Control Environment

Business Process Controls:

Management reporting and end-user controls

SAP configurable controls

IT General Controls:

SAP Authorisations/User profiles

SAP Basis Module

Database

Operating System and other Infrastructure controls

[Diagram layers, top to bottom: Presentation Layer; Application Layer; Database / Infrastructure Layer]

Page 25

Key Considerations

SAP products and modules used and linkage to business processes

Number of in-scope SAP systems and production clients

Number of in-scope company codes and organisational elements

Proportion of cross-company vs company-specific controls in scope

Interfaces into SAP and their use

‘Other’ systems in use and their impact on the audit

Skill sets of the audit team

Availability of methodologies / tested work programs

Page 26

And More Considerations!

Efficiencies can be obtained while reviewing multiple locations and company codes sharing the same SAP instance

Complex/decentralised organisation and homogeneity of processes and controls could impact time and resource requirements

Level of automation and customisation may impact on the method of testing

“Baselining” strategy may be used for automated controls and reports

Timing and extent of review for new implementations or major projects

Availability of appropriate technical documentation and competency level of SAP support organisation

Reliance on the “work of others” (i.e. management, SAS70)

Use of third party tools

Page 27

Third Party Tools

Page 28

Why Use Third Party Tools?

Business, Finance, IT and audit professionals face an array of challenging questions as they try to strengthen controls throughout their SAP systems:

How do you uncover existing Segregation of Duties and sensitive access issues, down to the lowest security levels, such as t-codes and authorisation objects?

How do you keep new controls issues from arising through the course of normal change processes?

How can you gain insight into what activities users are performing?

How do you ensure that business policies are being adhered to through the course of daily transactions?

How do you determine if configurable controls are defined properly?

How do you consolidate your data repositories, automate your workflow further and integrate with other solutions?

How do you manage these challenges across multiple SAP instances, without ever affecting their system performance?

Third party tools can be used to help achieve these goals
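The SoD and sensitive-access analysis that slide 19 says needs CAATTs, and that this slide says a rule-based tool answers "down to t-codes and authorisation objects", comes down to joining the user-to-role and role-to-transaction assignments and testing the result against a rule book. The following Python is an added example written for this transcript, not the presentation's or any vendor's code. The user and role extracts, the role names (Z_...) and the rule set are constructed for illustration; the transaction codes are standard SAP ones, but the rule book is a small sample, not a complete one.

```python
"""Rule-based SoD and sensitive-access analysis over user/role/t-code extracts,
in the style of a CAATT run against the user and role tables."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample extracts: user -> assigned roles, role -> transaction codes.
USER_ROLES: Dict[str, Set[str]] = {
    "ACLERK1": {"Z_AP_INVOICE"},
    "ACLERK2": {"Z_AP_INVOICE", "Z_VENDOR_MASTER"},
    "FINMGR": {"Z_AP_PAYMENT", "Z_AP_DISPLAY"},
    "BASIS1": {"Z_BASIS_ADMIN"},
}
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_INVOICE": {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_MASTER": {"FK01", "FK02", "FK03"},
    "Z_AP_PAYMENT": {"F110", "FB03"},
    "Z_AP_DISPLAY": {"FB03", "FK03"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM30"},
}

# Constructed rule book: business functions as sets of t-codes, the pairs
# of functions that must not be held together, and t-codes treated as
# sensitive access in their own right.
FUNCTIONS: Dict[str, Set[str]] = {
    "MAINTAIN_VENDOR": {"FK01", "FK02", "XK01", "XK02"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "RUN_PAYMENTS": {"F110"},
}
SOD_RULES: List[Tuple[str, str]] = [
    ("MAINTAIN_VENDOR", "POST_VENDOR_INVOICE"),
    ("MAINTAIN_VENDOR", "RUN_PAYMENTS"),
    ("POST_VENDOR_INVOICE", "RUN_PAYMENTS"),
]
SENSITIVE_TCODES: Dict[str, str] = {
    "SU01": "user maintenance",
    "PFCG": "role maintenance",
    "SM30": "table maintenance",
}


def effective_tcodes(user: str, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> Dict[str, Set[str]]:
    """Map every t-code the user can start to the roles that grant it,
    so a finding can be traced back to the role that caused it."""
    granted: Dict[str, Set[str]] = defaultdict(set)
    for role in user_roles.get(user, ()):
        for tcode in role_tcodes.get(role, ()):
            granted[tcode].add(role)
    return granted


def user_functions(tcodes) -> Dict[str, Set[str]]:
    """Which rule-book functions the user's t-codes cover, and via which t-codes."""
    held = set(tcodes)
    return {f: codes & held for f, codes in FUNCTIONS.items() if codes & held}


def sod_conflicts(user: str, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> List[Tuple[str, str, Set[str]]]:
    """Return (function_a, function_b, roles involved) for every violated rule."""
    granted = effective_tcodes(user, user_roles, role_tcodes)
    funcs = user_functions(granted)
    conflicts = []
    for a, b in SOD_RULES:
        if a in funcs and b in funcs:
            roles: Set[str] = set()
            for tcode in funcs[a] | funcs[b]:
                roles |= granted[tcode]
            conflicts.append((a, b, roles))
    return conflicts


def sensitive_access(user: str, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> Dict[str, str]:
    """Sensitive t-codes the user holds, with the rule book's description."""
    granted = effective_tcodes(user, user_roles, role_tcodes)
    return {tc: desc for tc, desc in SENSITIVE_TCODES.items() if tc in granted}


def run_analysis(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> Dict[str, dict]:
    """Exception-based report: one entry per user with their SoD and sensitive-access findings."""
    return {
        user: {
            "sod": sod_conflicts(user, user_roles, role_tcodes),
            "sensitive": sensitive_access(user, user_roles, role_tcodes),
        }
        for user in sorted(user_roles)
    }


if __name__ == "__main__":
    for user, findings in run_analysis().items():
        if findings["sod"] or findings["sensitive"]:
            print(user, findings)
```

Keeping the role behind each t-code in the output is what turns a finding into something remediable: ACLERK2's conflict is reported together with the two roles that combine to create it, and the display-only roles held by FINMGR produce no finding because FK03 is not in the maintain-vendor function.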

Page 29

Third Party Tools - Examples: Security

Example / Purpose

Governance, risk and compliance (GRC) suite, which includes:

• Risk Analysis and Remediation™ – Reporting tool that provides detailed analysis of SoD and Sensitive Access based on a set of pre-defined rules

• Enterprise Role Management™ – Role management tool that operates within SAP and facilitates role design. Provides the ability to define which objects and transactions are attached to a role

• Compliant User Provisioning™ – Workflow enabled tool to automate the user administration process

• Super User Privilege Management™ – Provides improved control over super-user and emergency access through restrictions on data access and audit trails

Approva Corporation (Enterprise Controls Suite, BizRights):

• Continuous monitoring with exception-based reporting pushes the right information to the right people at the right time

• Business controls are organised in a single, manageable library that spans across instances and applications and can easily be customised to keep up with your ever-changing business needs

• Application-independent architecture ensures support for all enterprise systems, without introducing performance degradation

Page 30

Third Party Tools - Examples: Data Analysis

Example / Purpose

ACL Direct Link for SAP® ERP: Data extraction, analysis, and fraud detection providing direct, seamless access to SAP data. Using Direct Link, you no longer need to rely on ABAP programmers or limited reporting utilities; you can easily and quickly access SAP tables and conduct comparative cross-platform analysis with transactional data from other systems.

ACL Continuous Controls Monitoring (CCM): Analyses financial transaction data from any ERP, mainframe system or custom-built application to check and validate it against the organisation's control parameters and business rules. A review of 100 percent of transactions from any source.

Microsoft Access: Create ad hoc customised desktop systems for handling the creation and manipulation of data. Access can be used as a database.

Page 31

Third Party Tools - Examples: Workflow

Example / Purpose

SAP Interactive Forms (by Adobe): Capture data in completed forms that can flow directly back to SAP software, eliminating the need for error-prone, manual data input. Customise electronic forms to meet the specific needs of your business or industry. Design electronic forms to reflect the familiar "look and feel" of the paper forms they replace.

SAP LoadRunner (by Mercury): Deployed with HP and SAP Solution Manager, LoadRunner facilitates the management of the development lifecycle, providing time, budget, actual and quality assurance tools.

Duet (SAP and MS): Enables access to SAP business processes and data via Microsoft Office, providing wider access to enterprise information and policies, with the objective of helping organisations achieve corporate policy compliance and improve decision making.

Page 32

Thank You

Page 33

Question

If you were in an organisation with a small version, how to approach auditing?
