References
Behera, R.: Cross-Enterprise Integration with SAP GRC Access Control. Boston (2009)
Biskie, S.: Surviving an SAP Audit. Boston (2010)
Buchner, R.: Wirtschaftliches Prüfungswesen, 2nd edn. Munich (1997) (Available in German language only)
Däubler, W., Klebe, T., Wedde, P., Weichert, T.: Bundesdatenschutzgesetz – Kompaktkommentar, 3rd edn. Frankfurt am Main (2010) (Available in German language only)
Gola, P., Klug, C., Körffer, B., Schomerus, R.: BDSG. Bundesdatenschutzgesetz, 10th edn. Munich (2010) (Available in German language only)
Hartke, L., Hohnhorst, G., Sattler, G.: SAP-Handbuch Sicherheit und Prüfung, 4th edn. (2010) (Available in German language only)
Helfen, M., Trauthwein, H.M.: Testing SAP Solutions, 2nd edn. SAP PRESS (2010)
Hellberg, T.: Einkauf mit SAP MM, 2nd edn. Bonn (2009) (Available in German language only)
Horwath, P., Schäfer, H.-T.: Prüfung bei automatisierter Datenverarbeitung, 2nd edn. Berlin (1983) (Available in German language only)
Leffson, U.: Wirtschaftsprüfung, 4th edn. Wiesbaden (1980) (Available in German language only)
Lehnert, V., Bonitz, K.: Authorizations in SAP Software: Design and Configuration. SAP PRESS (2010)
Linkes, M., Karin, H.: SAP Security and Risk Management, 2nd edn. SAP PRESS (2010)
Maurer-Lambrou, U., Vogt, N.P.: Basler Kommentar Datenschutzgesetz, 2nd edn. Zurich (2010) (Available in German language only)
Minz, G., Zepf, G.: Computergestützte Jahresabschlussprüfung. Erfordernis, Möglichkeiten und Voraussetzungen. Betriebswirtschaftliche Forschung und Praxis 36(5) (1984) (Available in German language only)
Minz, G.: Ansätze einer Prüfungstheorie für computergestützte Buchführungssysteme. Wirtschaftsprüfung 36(18) (1983) (Available in German language only)
Montgomery, R.H.: Auditing Theory and Practice. New York (1912)
Oberhofer, B.: Datenschutz und Arbeitsrecht (Vol. Handbuch Datenschutzrecht) (2009) (Available in German language only)
Schäfer, M., Melich, M.: SAP Solution Manager Enterprise Edition, 2nd edn. Bonn (2009)
Schuppenhauer, R.: Grundsätze für eine ordnungsmäßige Datenverarbeitung (GoDV). Handbuch der DV-Revision, 5th edn. Düsseldorf (2005) (Available in German language only)
Siebert, J.: The SAP General Ledger, 2nd edn. SAP PRESS (2010)
Tinnefeld, M.-T., Ehmann, E., Gerling, R.W.: Einführung in das Datenschutzrecht, 4th edn. Munich (2004) (Available in German language only)
Wiegenstein, A., Schumacher, M., Schnizel, S., Weidemann, F.: Sichere ABAP-Programmierung. Bonn (2009) (Available in German language only)
Withus, K.-H.: Internes Kontrollsystem und Risikomanagementsystem – Neue Anforderungen an die Wirtschaftsprüfer durch das BilMoG. Die Wirtschaftsprüfung. Institut der Wirtschaftsprüfer in Deutschland e.V., (Ed.), Issue 17/2009 (Available in German language only)
Legislation and Directives Referenced
Loi de Sécurité Financière [Financial Security Act], France
Financial Statements Act, Denmark
Auditors’ Act, Denmark
Aktiengesetz (AktG) [Stock Corporation Act], Germany
Bilanzrechtsmodernisierungsgesetz (BilMoG) [Accounting Law Modernization Act], Germany
Handelsgesetzbuch (HGB) [Commercial Code], Germany
Strafgesetzbuch (STGB) [Penal Code], Germany
Obligationsrecht (OR) [Obligations Code], Switzerland
Aktiengesetz (AktG) [Stock Corporation Act], Austria
GmbH-Gesetz (GmbHG) [Limited Liability Companies Act], Austria
Public Company Accounting Reform and Investor Protection Act (US SOX), USA
Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG) [Control and Transparency in Business Act], Germany
National Instruments (NI), Canada
Financial Instruments and Exchange (J-SOX), Japan
Basic Standard for Enterprise Internal Control, China
Foreign Practice Act, USA
Health Insurance Portability and Accountability Act (HIPAA), USA
Code of Federal Regulations (CFR), Title 21, USA
Bundesdatenschutzgesetz (BDSG) [Data Protection Act], Germany 2009
Datenschutzgesetz (DSG) [Data Protection Act], Austria 2000
European Union: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 11/23/1995
Council of Europe, COE: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 01/28/1981
Organisation for Economic Co-operation and Development, OECD: Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, September 23, 1980
UN General Assembly: Guidelines for the Regulation of Computerized Personal Data Files, December 14, 1990
US Department of Commerce: Safe Harbor Principles – Privacy Policy, 2000
Verordnung zur Durchführung des Datenschutzgesetzes (VDSG), Switzerland 1993
Internet Sources
German Federal Office for Information Security: IT-Grundschutz Catalogues, available at: www.bsi.bund.de/EN
German-speaking SAP user group (DSAG) SAP audit guides, data protection guides, etc., available at: http://www.sap.com/germany/about/company/revis/infomaterial/index.epx
SAP AG: Users and roles (BC-SEC-USR), available at: http://help.sap.com/
SAP AG: Security Guides, available at: http://service.sap.com/securityguide
The Author of this Book
Maxim Chuprunov completed his studies in business administration, including various research projects, as a scholarship student of the German Academic Exchange Service in 2001 with his thesis on the topic “Auditing in the SAP Environment.” Since then, he has remained loyal to this topic and is consistently expanding it in the GRC (governance, risk, and compliance) field. His specialist area includes connecting the specialist and compliance-specific views of business processes with technical solution know-how.
Before Maxim Chuprunov founded RISCOMP GmbH (Switzerland) at the end of 2010, he was employed at KPMG DTG in Munich, Germany and KPMG LLP in Boston, USA, as well as at SCHENKER AG in Essen, Germany, and SAP AG in Zürich, Switzerland.
At KPMG, he worked in the Information Risk Management and IT Advisory areas. In parallel to numerous projects at international groups of companies, he successfully completed professional exams to become a CPA (Certified Public Accountant) and CISA (Certified Information Systems Auditor), as well as acquiring certification as FI/CO consultant for SAP. At SCHENKER AG (Essen), he was responsible, within the scope of global rollouts, for the implementation of the FI and CO processes with SAP, including reporting to SEM.
In 2007, Maxim Chuprunov joined the Center of Expertise Financials & Compliance at SAP Switzerland. In his function as Senior Consultant, he has performed pioneering work in implementation projects and proofs of concept for SAP solutions for GRC with a focus on ICS automation. He is known in SAP Solution Management circles as an expert and creative force in tests and software design for SAP Process Control, and holds training courses for SAP Education.
Contributors to this Book
Reto Bachmann is a project manager in the Operational Excellence area at Mettler-Toledo International, Switzerland. From his time as an SAP consultant, he has around seven years of project experience in logistics-related topics, mainly in the consumer electronics, pharmaceuticals, and food industries (FMCG). He subsequently moved to the internal audit team of a Swiss chemical company, where over a period of four years, he developed and implemented data analyses for assessing the efficiency of the controls and the correctness of SAP processes effectively and with a view to cost optimization. He has since been active in similar roles at a Swiss pharmaceuticals company and for Mettler-Toledo International.
Reto Bachmann actively contributed to Chap. 14 of this book.
In SAP Business Development, Günther Emmenegger is responsible for the life sciences industry in the EMEA economic zone and India. After studying mathematics and applied physics in Freiburg im Breisgau, Germany, he worked in German space research and for 19 years, for a French chemical and pharmaceutical group. After four years as a validation consultant at an SAP implementation partner, since 2001 Günther has been active in various roles for life sciences customers of SAP.
Günther Emmenegger actively contributed to Chap. 13 of this book.
Jan Laurijsen studied business sciences, with a focus on business administration and engineering as well as information management. Since 1987 he has been working at Ericsson, and in this time, has gathered extensive experience in the areas of controlling, process management, and project management. He is responsible for the efficient design of the SOX compliance processes at Ericsson.
Jan Laurijsen provided considerable support with regard to the Ericsson practical report from Chap. 18.
Since 2000, Volker Lehnert has been active in various roles around compliance and security at SAP. Since 2012, he has been working for SAP AG Installed Base Maintenance and Support (IMS) as project manager for data protection. Volker Lehnert is the co-author of the data protection guide produced by DSAG, co-author of the SAP PRESS bestseller “Authorizations in SAP Software: Design and Configuration,” and co-author of the book “Datenschutz in SAP Systemen” [Data Protection in SAP Systems].
Chapter 11 of this book was written in cooperation with Volker Lehnert (except Sect. 11.2).
For many years, Marc Michely has been involved with the optimization of process flows and controls in organizations in an international environment. As an auditor and consultant, he gathered experience in these areas and at PricewaterhouseCoopers Switzerland, in the System and Process Assurance department, focused on the area of central monitoring of organizational processes at shared service centers in international companies.
Chapter 12 of this book was written with support from Marc Michely.
Reviewer of this Book
Annett Nowatzki is an auditor and tax consultant and has worked at both Coopers & Lybrand and KPMG during her career. She has been active in various management positions, and in 2005, became a partner at KPMG. In 2010, she moved to the executive board of DSJ Revision und Treuhand AG. In addition to creating and auditing year-end and group financial statements in accordance with the German Commercial Code (HGB) and IFRS, she has extensive experience in auditing IT systems (particularly SAP). She has accompanied SAP implementations in numerous large and medium-sized organizations in Germany and other European countries from an audit perspective.
Index
3-way match, 243
A
ABAP command injection, 157
ABAP Editor, 111
ABAP programs, 111
ABAP security, 158
Abuse of information, 290
Accelerated SAP (ASAP), 323, 474
Access Control, 69, 72, 83, 434
    Content, 83
    integration, 434
    training, 87
Access Risk Management, 69, see ARM
Access sequences, 267
    determine, 268
Account determination, 198, 220, 251
Account determination transactions, 222
Account group, 191, 371
    prioritization, 372
Accounting reconciliation, 195
ACL, 81
Acquisition and production costs (APC), 226
Administration
    BI folders, 162
    number range intervals, 162
    profile parameters, 162
    RFC connections, 162
    SAP instances, 162
    Transport Management System, 162
Administration authorization, 66
Advance return for tax on sales/purchases, 200
Adverse opinion, 19
Ageing structure, 234
Air-conditioning, 135
Analyzing due dates, 311
Annual financial statements, 19, 30
Anonymization: data, 288
Anti-fraud controls, 305
Anti-virus software, 65
Application control, 60
Application lifecycle, 67
Application Link Enabling (ALE), 182
    ALE audit, 102
    Auditing, 182
Application Security, 62
Appraisal procedures, 285
ARF/CMF scenarios
    effort, 480
    implementation, 486
ARM, 72
    compensating controls, 73
    organizational Rules, 73
    segregation of duties violations, 73
Assertion, 36, 187
Asset Accounting
    account determination, 220
    calculation methods, 224
    consistency check, 221
    default values, 219
    movement types, 227
    reset, 228
Asset accounting, 218
Asset classes, 218, 219
Asset embezzlement, 304
Asset history sheet, 225
Asset history sheet program, 218
Assets, 218
Assignment number, 246
Asynchronous RFC, 184
Audit, 64
    organization and planning, 30
Audit and Assurance Faculty Standard (AAF)
    01/06, 134
Audit approach, 21
    balance sheet audit, 21
    transaction audit, 21
Audit committee, 6, 10
Audit Directive
    Eighth EU Directive, 8
Audit Guide, 68
Audit Information System (AIS), 81, 457
Audit procedure, 21
Audit report, 26
Audit risk, 22
    discovery risk, 22
    error risk, 22
Audit Standards Committee
    Report No. 18, 134
Auditing, 19
Auditing and Assurance Standards Board (AASB), 134
Auditing standard, 25, 58, 132
    951, 134
    IDW PS 951, 65
    SAS 70, 65
Auditing: country specifics, 7
Auditor, 19, 26, 27
    basic principle, 27
    burden of proof, 28
    external auditor, 26
    independence, 28
    industry-specific auditor, 26
    internal audit, 27
    objectivity, 28
    professional skepticism, 28
    tax audit, 27
Austria, 11
    Art. 1 Section 39 of the Statute for a European Company, 11
    Austrian Corporate Governance Code, 11
    Section 22 GmbHG, 11
    Section 82 AktG, 11
Authorization
    authorization concept, 135
    authorization controls, 119
    authorization group, 153, 194
    authorization main switch, 299
    authorization management, 66
    authorizations in FI-AA, 228
Authorization check, 160
    profile parameters, 159
Authorization object level, 159
Authorization objects, 119, 293
    activity, 120
    default values for the Profile Generator, 125
    determination, 122
    documentation, 121
    F_BKPF_BUK, 120, 121, 124, 129
    F_BKPF_KOA, 124, 129
    F_KNA1_APP, 263
    F_KNA1_BUK, 263
    M_BAN_*, 239
    M_BES_*, 239
    M_BEST_WRK, 124
    M_ISEG_WDB, 253
    M_MATE_MAR, 250
    M_MATE_STA, 250
    M_MATE_VKO, 250
    M_MATE_WRK, 250
    M_MSEG_BMB, 255
    M_MSEG_BMF, 255
    M_MSEG_BWA, 242, 255, 266
    M_MSEG_BWE, 255
    M_MSEG_LGO, 255
    PLOG, 293
    P_ORGIN, 293, 294, 299, 300, 317
    P_ORGINCON, 300
    P_ORGXX, 300, 317
    P_ORGXXCON, 299
    P_PCLX, 293
    P_PERNR, 293, 294, 299, 316
    S_BCD_MONI, 161, 187
    S_BTCH_NAM, 307
    S_PROGRAM, 152
    S_PRO_PAGE, 161
    S_RFC, 160
    S_SCDO, 170
    S_TCODE, 120, 124, 129
    structural authorizations, 298
    switch off check, 159
    Table USOBT, 125
    value fields, 119
    V_KNA1_BRG, 262
    V_KNA1_VKO, 262
    V_KNKK_FRE, 263
    V_VBRK_FKA, 270
    V_VBRK_VKO, 270
    V_VBUK_FRE, 263
Automated anti-fraud controls, 305
Automated Controls Framework (ACF), see Continuous Monitoring Framework, 448
Automated Monitoring Framework (AMF), see Continuous Monitoring Framework, 448
Automated Rules Framework (ARF), 82, 84
Automatic postings, 198
Automatic sales price determination, 267
Auxiliary transactions, 228
B
Balance confirmations, 197
Balance sheet
    balance sheet fraud/falsification, 308
Bank details, 261
Basel II, 15
Basel III, 16
Baseline date for payment, 100, 234
Basis authorizations, 161
Batch input procedure, 185
Batch input sessions, 186
Batch job log files, 307
Batch management, 251
Batch where-used, 327
Batches, 327
BC Set, 324, 385, 474, 477
Best practice role concept, 431
Big Four, 29
Billing, 266
    order-related and delivery-related, 266
Billing documents
    entry, 270
    status list, 272
    transfer, 270
Billing due list, 269
BIZEC APP/11 list, 156
Blocking reasons, 243
Blocks
    amount-based, 244
    stochastic, 244
BRG, 74, 75
BS 7799, 54
Business area, 117
Business blueprint, 135, 475
Business partner
    tolerance groups, 212
Business Performance Management (BPM), 439
Business Process Change Analyzer, 329
Business Process Repository, 91
Business Role Governance, 69, 74, 75, see BRG
Business rule, 452
C
CAAT-supported queries, 309
Canada
    NI 52-109, 7
Canadian Institute of Chartered Accountants (CICA)
    5970, 134
Canceled posting records, 196
Capability Maturity Model Integration (CMMI), 52
Cash discount, 5
CEA, 76
CEAVOP
    see Assertion, 36
Centralized Emergency Access, 69, see CEA
Certification, 133
Chain transactions, 266
Change and Transport Management System (CTS), 178
    CTS control parameters, 179
    CTS directories, 178
    CTS parameters, 178
Change document, 166, 169, 395
    delete, 162
    setting up, 287
Change log, 107
Change log tool, 464
Change management
    audit, 30
    change management guidelines, 135
    FDA, 324
Changes to accounting document, 196
Changes to bank master data, 196
Changes to customer master data, 196
Changes to vendor master data, 196
Chart of depreciation, 219
Check, 163, 209
    account determination for material movements, 252
    account determination in FI-AA, 220
    Application Link Enabling (ALE), 182
    authorization main switches, 300
    authorization protection for programs developed in-house, 151
    authorizations for calling up programs directly, 152
    authorizations for table maintenance, 158
    batch input processing, 186
    billing due list, 269
    change documents, 170
    client settings, 141
    company code protection, 211
    completeness of the asset history sheet, 225
    consistency check in FI-AA, 221
    contents of the infotypes, 293
    controls for invoice verification, 244
    controls for the SAP payment run, 231
    credit limit in sales and distribution, 264
    critical authorizations in FI, 216
    critical movement types, 242
    debugging authorizations, 167
    definition of sensitive fields in master data maintenance, 235
    delivery of goods, 266
    depreciation rules, 224
    depreciation-relevant parameters in asset classes, 220
    detecting fraud from the due date, 234
    dunning process, 273
    duplicate invoice entry, 245
    emergency user, 150
    employee data protection, 285
    factual accuracy, 280
    field status groups, 199
    fields in G/L account master, 193
    GR/IR account clearing, 246
    handling of data protection-relevant data in SAP ERP, 289
    identity/life cycle of the user, 146
    logging of infotypes, 288
    logging of report calls, 288
    LVA configuration control, 226
    maintenance, 166
    maintenance and updates, 142
    maintenance of customer master data, 262
    maintenance of exchange rates, 203
    maintenance of material master data, 250
    making data anonymous, 288
    master data protection in FI, 214
    no gaps in document number assignment, 174
    one-time account functions and alternative bank data in a document, 233
    organizational structures in purchasing, 239
    personnel event, 295
    posting logic and account determination, 198
    presence of parked documents, 206
    price determination during billing, 267
    principle of real-time posting, 191
    process and system documentation, 135
    processing of personal data, 280
    product cost accounting in P2P, 256
    purpose, 280
    reconciliation accounts in business partner master data, 230
    release of scrapping, 255
    release strategies in the ordering process, 241
    Remote Function Call (RFC), 184
    sales documents, 260
    sales documents at table level, 314
    SAP system landscape, 136
    SAP system log, 175
    Security Audit Log (SAL), 176
    segregation of duties in FI-GL, 217
    segregation of duties, development/authorizations, 161
    statistics file, 177
    structural authorizations, 298
    structural authorizations – context solution, 298
    system trace for transactions developed in-house, 152
    table logging, 172
    tolerance limits, 205
    traceability in CTS, 179
    transfer values from CO to FI, 209
    treatment of recurring entries, 207
    update terminations, 182
    use of document parking, 205
    valuation of the stock value, 251
    value adjustment of the stock value, 254
Chief Compliance Officer, 379
China, 8
    Basic Standard for Enterprise Internal Control, 8
    Business management IT systems, 8
Cisco SONA check rule, 458
Clearing, 246
Clearing date, 100
C-level management, 55
Client, 117, 140
    control function, 140
    open live client, 141
Client modifiability
    maintain, 162
CLM, 70, 86
Closing operations, 195, 247
Code of Federal Regulations (CFR), 320
Co-determination (works councils and employee committees), 283
CO-FI integration, 256
Combination not permitted, 283
Command
    AUTHORITY-CHECK, 151
    CALL TRANSACTION, 151
    INSERT REPORT, 154
Commissioned data processing, 279
Committee of Sponsoring Organizations of the Treadway Commission, 47
Communication user, 184
Company code, 117, 209
    productive indicator, 210
Comparison
    FI-GL and subledgers, 197
Compensating control, 73
Competence center, 131
Compliance, 3
    automation, 365
Compliance automation
    project experiences, 473
Compliance initiative, 399
Compliance Management Software (CMS), 446
Compliance-relevant guide, 61
Computer Aided Test Tool (CATT), 140
Computer Assisted Auditing Techniques (CAAT), 81, 442
Computer Center Management System (CCMS), 177
Condition technology, 266
Conference room pilot, 475
Configuration controls, 102
Configuration tables, 102
Configuring condition types, 312
Confirmation, 255
Consistency check, 200, 221
Content, 82, 89
Content Lifecycle Management, see CLM
Context solution, 298
Continuous compliance and monitoring, 488
Continuous control monitoring, 71, 487
Continuous Monitoring Framework, 78, 421, 448, 457, 479
    analysis rule, 460
    BW script, 470
    change analysis, 462
    change log tool, 464
    control, 467
    expectations, 450
    GRC Integration Framework, 451, 453
    logging, 465
    potential, 450
    predefined rule, 466
    rule, 452
    script type, 457
    structure in SAP GRC 10.0, 451
    subscenario, 457
Continuous Monitoring Framework, subscenario
    ABAP report, 457
    BW query, 457
    configurable, 457
    event, 457
    Process Integration (PI), 457
    programmed, 457
    SAP query, 457
    SoD integration, 457
Continuous Rules Monitoring (CRM)
    Continuous Control Monitoring, 448
Control, 369
    attribute, 369
    general application control, 42
    integrative function, 370
    process control, 42, 43
    security guidelines, 146
Control and Transparency in Business Act (KonTraG), 9
Control data, 171
Control design assessment, 410, 414
Control execution
    confirm, 375, 382
Control identification process, 38
Control matrix
    implement, 450
Control objective, 370
Control Objectives for Information and Related Technologies, 48
Control owner, 379
Control programs
    General Ledger Accounting, 196
Control risk assessment, 410
Control selection
    scoping, 6
Controlling area, 117
Controls, 142, 145, 147–149
    blocking HR data, 316
    changing client settings, 141
    client settings, 141
    configuration controls, 102
    customer master data, 261
    deliveries of goods, 265
    dunning process, 272
    emergency production corrections, 139
    FDA/asset maintenance, 326
    FDA/batch traceability, 327
    FDA/implementation processes, 324
    FDA/procurement, 325
    FDA/production management, 325
    FDA/quality management, 326
    FDA/warehouse management processes, 327
    inventory control, 253
    master data controls, 103
    material master data, 249
    naming transport requests, 137
    order entry, 260
    order fulfillment and revenue recognition, 264
    ordering, 238
    packaging transport requests, 138
    profile parameters for handling SAP*, 149
    return deliveries, 269
    segregation of duties, 139
    standard forms and test documentation, 138
    stocks, 249
    transaction controls, 103
    transport requests created in the live system, 140
    use of critical movement types, 255
    valuation of stock value, 253
Corporate Governance, 370
Corporate governance, 257
Corporate governance code, 8
COSO cube, 364
Cost object, 255, 256
Count confirmation, 253
Country-specific del credere, 229
Credit control area, 263
Credit default risk, 15, 263
Credit limit assignment, 263
Credit limit controls, 263
    dynamic, 263
    static, 263
Credit limit controls: maintain, 264
Credit limit data
    customer master record, 264
Credit limit maintenance, 261
Credit management, 196
Credit memos, 269, 312
Credit memos/discounts
    improper, 312
Critical action risk, 434
Critical administration transactions, 161
Critical transactions, 215
Crystal Reports, 384, 426
Custom code, 158
Custom field, 477, 479
Customer master data, 261
    maintain, 264
    quality, 261
Customer master data maintenance, 261
Customer master record, 261
Customizing distribution, 144
D
Data
    anonymizing, 288
    saving locally, 289
Data backup, 135
Data Browser, 104
Data Consistency Cockpit, 87
Data extraction, 443
Data in an SAP system
    configuration data, 101
    date fields, 100
    master data, 97
    search, 103
    transaction data, 98
Data protection, 30, 177, 277
    data processing, 278
    data protection officer, 281
    general data protection-relevant control mechanisms, 286
    legislation in Germany, 276
    personal data, 277
    sensitive data, 278
    Switzerland, 278
Data protection directive
    directive 95/46/EC, 276, 277
    Safe Harbor Principles, 281
Data Protection Guide, 68
Data Retention Tool (DART tool), 443
Data source, 452
Data transfer
    to third countries, 281
    to third parties, 279
Debugging, 166, 174
Declaration of consent, 280
Delivery of goods, 265
Denmark, 12
    Auditors’ Act, 12
    Financial Statements Act, 12
Depreciation, 220
Depreciation area, 218
Depreciation key, 219, 223
Design test, 376
Determination of sales tax, 266
Devaluations, 234
Developer guidelines, 135
Developer key, 162
Development standard, 158
Development system, 136
Directive
    75/319/EEC, 321
    81/851/EEC, 321
    91/356/EEC, 321
    91/412/EEC, 321
    95/46/EC, 277
    2006/43/EC, 10
    2006/46/EC, 10
Discounts, 312
Distribution channel, 117
Division, 117
Document
    archiving, 173
    change rules, 168
    changes, 168
    master data, 213
    modifiability, 168
    parking, 173, 205
    substitution, 202
    unalterability in SAP ERP, 37
    validation, 202
Document data
    analyze (general ledger), 310
Document date, 100
Document header, 98
Document number assignment, 173
Document number buffering, 173
Document number range intervals, 174
Document segments, 98
Documentation, 135
Documentation Management System (DMS), 323
Due date, 100, 234
Dunning, 271, 272
    basic settings, 272
    dunning areas, 273
    dunning block reasons, 273
    dunning keys, 273
    dunning procedure, 274
    dunning process, 271
Duplicate invoice entry, 245
E
EarlyWatch Alert, 67, 142
Effectiveness test, 376, 412
Eighth EU Directive, 8
    Article 39 to 41, 8
    control and risk management system, 8
    internal audit, 9
    strategic risk, 9
E-Learning, 144
E-mail security, 65
Emergency concept, 65
Emergency user concept, 76, 150
Emergency user process, 150
Employee data, 289
Employee data protection, 283
Employee group, 117, 292
Employee subgroup, 117, 292
England, 11
    Combined Code on Corporate Governance, 11
    Turnbull Guidance, 12
Enhancement Packages, 142
Enterprise Asset Management (EAM), 326
Entity level control, 410, 415
Entity level controls, 6, 44
Ericsson, 488
EU Commission, 276
EU GCP Note for Guidance, 322
Euro SOX, 9
European Medicines Agency (EMA), 320
Evaluation
    held documents, 196
    parked documents, 196
Evaluation paths, 297
Exchange rate, 203
    direct quotation, 203
    encryption logic, 204
    indirect quotation, 203
Expiration date, 251
Extended CATT (eCATT), 140
External document number assignment, 173
F
Factual accuracy, 280
FDA compliance, 319, 320
    IT, 322
    system maintenance, 328
Federal Ministry for Health and Social Affairs (BMGS), 320
Federal Office of Public Health (FOPH), 320
Federal Office of the Environment (FOEN), 321
Federal Register, 320
Fictitious employees, 315
Fictitious invoices, 311
Field status groups, 194, 199
Financial Instruments and Exchange, 7
Financial reporting, 20
Financial sector
    Basel II, 15
    Basel III, 16
    Directive 2006/48/EC, 15
    Directive 2006/49/EC, 15
    EU Directive, 15
    MaRisk, 15
    MRC, 15
    Solvency II, 14
Financial Services Agency (FSA), 7
Financial statements, 192
    financial statement structure, 371
    financial statement version, 192
Financial Systems Integration Office, 58
Finished products, 255
Fire protection, 135
First expired, first out (FEFO), 328
First level authorization, 430
Fiscal year variant, 190
Flow chart, 381
Food and Drug Administration (FDA), 84, 319
    automating compliance, 366
    change management, 324, 328
    configuration management, 328
    process, 366
    regulations, 319
    risk-based validation, 323
    validation, 322, 323
Food inspection, 319
Foreign Corrupt Practices Act, 257
Foreign currency, 203
Foreign currency differences, 204
Forensic science, 309
Formal correctness requirement, 36
France, 12
    AMF, 12
    Loi de Sécurité Financière, 12
Fraud, 303
    batch input session, 307
    fraud-benefiting factors, 304
    fraudulent document postings, 308
    fraudulent financial reporting, 303
    manual journal entries, 309
    misused functions, 306
    types of fraud, 303
Fraud audit, 30
Free goods, 313
G
G/L account master data, 193
    change, 196
G/L accounts, 192
General ledger, 189
    analyze document data, 310
    fraud, 308
    fraudulent document postings, 308
General Ledger Accounting
    control programs, 196
Generally Accepted Accounting Principles (GAAP), 24, 36, 58
    formal, 36
    IT-specific, 36
    material, 36
German Accounting Law Modernization Act (BilMoG), 10
German Commercial Code (HGB), 9
German Corporate Governance Code (DCGK), 9
German Data Protection Act (BDSG), 68, 276, 284
German Federal Financial Supervisory Authority (BaFin), 15
German Federal Office for Information Security (BSI), 58, 60
German Institute of Auditors (IDW), 24
German Social Welfare Code (SGB), 276
German Stock Corporation Act (AktG), 9
German-speaking SAP user group (DSAG), 61, 63
    DSAG Guides, 61, 68
Germany, 9
    AktG, 9
    BaFin, 15
    BilMoG, 10
    Cromme Code, 9
    DCGK, 9
    HGB, 9
    KonTraG, 9
    MaRisk (VA), 15
Global rollout, 144
Global system log, 175
Good Automated Manufacturing Practice (GAMP), 321
Good clinical practice, 321
Good laboratory practice, 321
Good Manufacturing Practice (GMP), 321
Good working practice, 321
Goods receipt, 242
    critical movement types, 242
    without purchase order, 242
Governance, Risk, and Compliance, see GRC
GR/IR account, 245
    clearing, 245
    reporting at the end of the month, 248
GR/IR clearing account, 245
GRC, 68
    Integration Framework, 451, 453, 477
    integration scenarios, 79
    integration with Audit Management, 80
    Policy Management v. 10, 77
    Process Control v. 10, 70, 72
    Risk Management v. 10, 78
    Upload Tool, 474
Guidance Statement (GS)
    007, 134
Guide to the Assessment of IT Risk (GAIT), 49
H
Health Insurance Portability and Accountability Act (HIPAA), 30
Health Products and Food Branch (HPFB), 320
Held documents, 196
History
    transaction calls, 177
HKSA-Statements
    Auditing Practice Note 860.2, 134
HR authorizations
    authorization level, 294
    authorization main switch, 299
    authorization objects, 293, 294
    context solution, 298
    evaluation paths, 297
    structural authorizations, 297
    structural profile, 297
HR data
    limiting access, 316
HR master data, 294
Human Capital Management, 142, 275
    attributes, 291
I
ICS
    automation, 70
    characteristics of automation, 72
    planning, 70
ICS activity
    matrix, 476
ICS and compliance automation
    project examples, 482
ICS automation
    business blueprint, 475
ICS content, 38
    application control, 43
    automated monitoring, 43
    entity level controls, 44
    general application control, 42
    IT general controls, 42
    manual control, 43
    semi-automated control, 43
ICS framework in Japan, 7
IDEA, 81
Identity, 145
Identity Management, 145
Implementation matrix, 383
Implementation of Process Control
    tools, 473
Incorrect billing documents, 266
Information Technology Assurance Framework (ITAF), 50
Information Technology Infrastructure Library (ITIL), 48
Information Technology Security Evaluation Criteria (ITSEC), 60
Infotype, 292, 294, 392
    logging, 287
In-house developments, 151
Initial password, 149
Input tax indicator, 201
Inspection interval, 326
Intermediate Documents (IDocs), 182
Internal audit, 27
Internal control system (ICS), 3
    activity, 373
    automated control execution, 375
    automation, 363
    centrally organized, 403
    confirmation of control execution, 375
    content, 477, 481
    data model, 372, 391, 393, 398, 401
    domain, 369
    financial sector, 13
    ICS attestation, 57
    ICS basic principle, 35
    ICS-related audit, 30
    implementation matrix, 383
    modeling, 476
    multiple domain principle, 369
    object, 367
    objective, 5
    organizational unit, 367
    owner, 379
    problem-solving process, 416
    process, 368
    process definition, 476
    requirements of ERP systems, 35
    risk orientation, 10
    role, 379
    scoping, 374
    segregation of duties (SoD), 376
    segregation of duties principle, 420
    sign-off, 378
    structure, 44
    term, 4
Internal document number assignment, 173
International Conference on Harmonization (ICH), 320
    ICH GCP Guidelines, 322
International Financial Reporting Standards (IFRS), 24
International Framework for Assurance Engagements, 134
International Society for Pharmaceutical Engineering (ISPE), 321
International Standard on Assurance Engagements (ISAE), 65
    3402, 65, 134
International Standards of Auditing (ISA), 25
Inventory, 253
Inventory controls, 253
Inventory procedure, 253
Invoice verification, 242
    tolerance limits, 243
ISO 27k, 54
ISO 9000, 133
ISO 17799, 54
Issue, 7
    deficiency, 7
    significant deficiency, 7
IT organization, 131
IT Security Evaluation Manual (ITSEM), 60
Italy, 12
    comply or explain principle, 13
    Preda Code, 12
J
Japan
    Financial Instruments and Exchange, 7
    Financial Services Agency, 7
K
Key performance indicator (KPI), 438
Key Risk Indicator (KRI), 78, 472, see KRI
KRI, 78
KUONI, 482
L
Legal conformity, 3
Legal data protection requirements, 275
Liability, 371
License, 145
Life cycle
    user, 145
Limitations on use, 283
Line item display, 195
Live system, 136
Logging, 173, 288, 465
Logging flag, 171
Logging report calls, 288
Logical databases, 107, 108
Logistics invoice verification, 243
Long-term documents, 288
Low value assets (LVA), 226
    maximum amounts, 226
M
Maintenance, 142
Maintenance of posting periods, 216
Maintenance tasks, 327
Making data unrecognizable, 288
Management Risk Controlling (MRC), 15
Manufacture of food and medicinal products, 319
Market risk, 15
Mass changes, 216
Mass maintenance, 216
Mass reversal, 216
Master data, 97, 213
    A segment, 97
    authorization objects, 215
    B segment, 97
    principle of segregation of duties, 234
    protection, 212
Master data maintenance, 262
Master Data Upload Generator, see MDUG
Material
    material correctness requirement, 36
    material devaluations, 253
    material movements, 251
    material valuation, 197
    material weakness, 422
Material master
    workflow, 249
Material master data
    maintain, 249
Materiality-based scoping, 407
MDUG, 70, 474
Medical Device Evaluation Committee (MDEC), 320
Medicinal product approval authority, 319
Message types, 182
Metalayer, 472
Microsoft Operations Framework (MOF), 53
Minimum requirements for risk management (MaRisk), 15
Ministry for Health, Labour and Welfare (MHLW), 320
Mitigating control, 435
Mobile end devices, 151
Modifications
    get an overview, 143
Money laundering, 257
Monitoring, 87, 375
Movement types, 227, 242, 252, 266
    501, 242
    561, 242
Moving average price, 253
Multi Application Query Tool (MQT), 455
Multi-domain requirements, 329
Multiple Compliance Framework (MCF), 399
Multiple domain principle, 399
N
National Pharmaceutical Control Bureau (NPCB), 320
Net prices, 266
New General Ledger, 195, 209, 257
NI 52-109, 7
Non-routine transactions, 198
Non-valuated material, 257

O
O2C process, 260
Object type, 292
Object-related security, 383, 395, 397, 428
Object-related security concept, 383
Object-specific logging, 465
Obligations Code (OR), 11
Offline CAAT tool, 442
Offline data analysis, 442
Offline data analysis tool, 444
Offline form, 413
Offline test, 413
OM, 74, 145, 296, 368
One-time account, 103
One-time customers, 232
one-time vendor, 232
Online CAAT report, 445
Operating concern, 117
Operating system commands, 175
Operational risk, 15
Operational Risk Management, see ORM
Opportunities for fraud, 305
  SAP basic component, 306
  SAP General Ledger, 308
  SAP personnel accounting, 315
  SAP sales area, 311
Oracle, 83, 84
Order entry, 260
Order to cash, 259
Ordering, 238
Order-related and delivery-related billing, 266
Organizational key, 292
Organizational Management, see OM
Organizational structures, 117
  financial view, 117
  Logistics, 117
  Materials Management, 117
  Personnel Management, 117
  Sales and Distribution, 117
  technical view, 117
Organizational unit, 367
Organizational units, 117
ORM, 78
  Loss Database, 78
  Operational Risk Management, 78
  Risk Control Self-Assessment, 78
  Static Data Management, 78
OSS error messages, 142
Output tax, 201
Outsourcing, 65, 132, 404

P
Parallel accounting, 193
Parked documents, 196
Password protection, 146
  profile parameters, 147
Payment Card Industry Data Security Standard (PCI-DSS), 54
Payment proposal list, 231
Payment run, 230, 231
Payments in SAP, 230
PCAOB standard, 6
PeopleSoft, 83, 84
Person responsible, 279, 285
Personal data, 277, 280, 284
  principles of processing, 281
  processing, 280
  protection standards, 290
  tracing changes, 287
Personnel area, 117, 292
Personnel events, 293
Pharmaceutical and Medical Safety Bureau (PMSB), 320
Pharmaceutical Inspection Cooperation Scheme (PIC/S), 320
Physical safety, 135
Pilot project, 480
Plan variant, 292
Planning function, 409
Planning status, 292
Plant, 117
Plant Maintenance, 326
Policy management, 77, 433
Posting periods, 190, 192
Postings
  blocking, 308
  restricting, 308
Practical experience, 473
Preconfigured workflow, 473
Preparatory sales and distribution phase, 260
Price control, 253
Price variances, 246
Pricing, 266
Pricing procedure, 267
Principle of identity, 145
Principle of least privilege, 151
Principle of segregation of duties
  master data maintenance, 234
  ordering, 239
Principles for data access and verifiability of digital documents (GDPdU), 30, 59, 444
Process, 368
Process Control, 69, 70, 84, 325, 388, 473
  administration, 386, 390
  aggregation of deficiencies, 422
  ASAP Roadmap, 474
  authorization model, 427, 431
  Automated Rules Framework (ARF), 84, 479
  BC Set, 474
  business blueprint, 475
  carryforward, 424
  centralized vs. decentralized documentation, 403
  change document, 395
  compliance initiative, 399
  conference room pilot, 475
  configuration, 384, 385
  Content, 84
  control automation, 82, 84
  copy, 403
  Crystal Report, 426
  custom field, 397
  data model, 391, 393, 398, 401
  GRC330, 87
  ICS master data concept, 392
  implementation, 473, 480
  implementation cost, 479
  installation, 387
  integration, 78, 421
  integration with Access Control, 73
  integration with Risk Management, 78
  integration with SAP Access Control, 434
  issue, 416
  master data, 388
  materiality-based scoping, 407
  migration, 387
  mitigating control, 435
  Multiple Compliance Framework (MCF), 399
  notification, 411
  object, 388
  object-related security, 395, 428
  object-related security concept, 383
  offline form, 413
  offline test, 413
  organization hierarchy, 388
  planning function, 409
  predefined rules, 85
  project expense, 479
  reference, 403
  Riscomp Automated Monitoring Scenarios, 85
  risk-based scoping, 408
  role concept, 431
  scoping, 405
  segregation of duties, 402, 420
  semi-automated control, 423
  sign-off, 423
  sizing, 386
  standard report, 424
  standard training GRC330, 388
  technical architecture, 383
  time dependency, 388, 393
  training, 87
  upgrade, 387
  user authentication, 428
  workflow-based activity, 410
Process control, 43
Process owner, 379
Procure to pay process, 237
Product cost accounting, 255
Product Cost Controlling (CO-PC), 255
Productive indicator, 210
Profile Generator, 161
Profile parameter, 176, 180
  update administration, 181
Profile parameters, 159
Profit and loss statement (P&L), 192
Profitability Analysis (CO-PA), 255
Program
  GRCPCRTA_CHANGELOGGRC, 464
  link to transactions, 111
Programs
  ABAP source code, 113
  authorization groups, 153
  call up directly, 152
  modify/develop, 162
  protection, 151, 154
  RAABST01, 221
  RAGITT01, 218
  RFBABL00, 168
  RFDAUB00, 207
  RFDOFW00, 234
  RFDOPR00, 234
  RFDOPR10, 234
  RFDSLD00, 197
  RFHABU00, 197
  RFKABL00, 169
  RFKKBU00, 197
  RFKSLD00, 197
  RFPUEB00, 206
  RFSABL00, 169
  RFSSLD00, 197
  RFTMPBEL, 206
  RFUMSV00, 201
  RFUMSV10, 201
  RFVBER00, 180, 182
  RM07CUFA, 200
  RM07MSAL, 248
  RS_ABAP_SOURCE_SCAN, 114
  RSBDCOS0, 175
  RSPARAM, 172, 175–178
  RSSTAT26, 177
  RSTBHIST, 191, 192
  RSTRFCQDS, 185
  SAPF120, 207
  SAPF124, 246
  SAPF190, 195
  search, 111
  table search options, 114
  TABLES, 113
  TFC_COMPARE, 195
  tp, 178
  use of tables, 113
  where-used list, 114
Project example, 482
Proof of concept (PoC), 480
  segregation of duties rule, 486
Provision, 272
Provisioning tools, 162
Public Company Accounting Reform and Investor Protection Act, 6
Public Disclosure Act (PublG), 19
Public Key Infrastructure (PKI), 65
Purchase orders, 239
Purchasing document types, 239
Purchasing organization, 117
Purchasing processes, 237
  local/central, 238
Purpose, 280, 285

Q
Qualified suppliers, 325
Quality assurance system, 136
Quality assurance tool, 158
Queued RFC, 184

R
RAMS, 85
  Riscomp Automated Monitoring Scenarios, 85
RAR, 72
Read-debugging, 307
Reconciliation account, 229
Reconciliation ledger, 208
Reconciliation work, 197
Recruitment, 289
Rectification, 378
Recurring entries, 207
Recurring entry documents, 168
Recurring entry original documents, 196
Refresh, 137
Regulation, 399
Release indicator, 240
Release strategy, 239
  value entries, 241
  without classification, 240
Release strategy with classification, 240
Remote access, 142
Remote Function Call (RFC), 184
  RFC logon attempts, 176
  RFC user, 184
Repair code, 143
Repairs, 143
Report evaluation, 379
Repository Information System, 108, 111
Restart procedure, 135
Return deliveries, 269
Returns, 257
Returns documents, 269
Returns processing, 269
Revalidation, 329
Reversed Business Engineering (RBE), 177
RFC communication
  asynchronous, 184
  types, 184
Right of access, 280
Right to information, 280
Riscomp, 474, 477
  Automated Monitoring Scenarios, 486
  GRC Upload Tool, 477
Riscomp Automated Monitoring Scenarios, see RAMS
Risk, 22, 371
  control risk, 22
  inherent, 22
  risk assessment, 377
  risk category, 378
  risk rule, 83
  risk-based scoping, 408
  risk-based validation, 323
Risk Analysis and Remediation, see RAR
Risk assessment, 410
Risk IT, 51
Risk Management, 77, 370, 438
  GRC340, 87
  integration, 78
  integration with SAP Strategy Management, 438
  Operational Risk Management, 78
  training, 87
Role, 125
  adjust, 431
  authorization analyses, 126
  role maintenance, 163
Routine transactions, 198
RSECNOTE tool, 82

S
Safe Harbor Principles, 281
Sales & Distribution (SD), 260
Sales and distribution phase
  preparatory, 260
Sales and distribution process, 259
Sales area, 117
Sales document, 260
Sales group, 117
Sales office, 117
Sales order, 260
Sales organization, 117
Sales price determination, 267, 268
Sales tax, 266
SAP Audit Management, 79
SAP Best Practice, 89
SAP Business Workflow, 240, 249
SAP Code Inspector, 67
SAP GUI, 151
SAP Help Portal, 61
SAP implementation audit, 30
SAP middleware, 151
SAP Note, 138
  1916, 171
  31875, 195
  77503, 81
  112388, 171
  1314345, 465
  1320737, 465
  1420281, 166
  671016, 58
  863362, 82
  888889, 82
  table logging, 171
SAP operations audit, 30
SAP Process Control
  analysis rule, 460
  change log tool, 464
  GRC Integration Framework, 451
  object type, 394
  SoD Integration, 457
SAP Quality Management, 325
SAP Query Painter, 261
SAP Security Guide, 62
SAP Standard for Security, 63
SAP system
  data, 97
SAP system landscape, 136
SAP training, 87
  GRC330, 87
SAP update system, 180
Sarbanes-Oxley Act (SOX), 5, 6
  Canada, 7
  China, 8
  Euro SOX, 9
  Japan, 7
  scoping, 6
  USA, 5
SAS 70, 65
  report, 65, 133
Saving data locally, 289
Scoping, 6, 374, 375, 405
Scrapping
  release, 254
Script, 456
  FIMPRCH_05T1_01_A, 467
S_DEVELOP, 154
Search
  SAP, 116
Second level authorization, 429
Secure area, 142
Secure collaboration, 65
Secure Operations Map, 64
Securities and Exchange Commission, 6
Security, 61
Security audit, 30
Security Audit Log (SAL), 176, 289, 290
  SAL filter, 176
Security certificate, 60
Security Guide, 64
Security Optimization Service (SOS), 67, 82
Security vulnerability, 154
Segregation of duties (SoD), 13, 72, 161, 217
  Basis, 161
  confidential data, 316
  control, 489
  Controlling, 256
  deficient, 371
  design test vs. survey, 377
  development, 161
  documentation, 163
  Ericsson, 489
  financial accounting, 217
  General Ledger Accounting, 217
  ICS application, 376
  master data maintenance, 262
  matrix, 163
  monitoring, 467
  Profile Generator, 161
  transport requests, 161
  user maintenance, 161
Segregation of duties principle, 205
  control documentation, 402
  ICS activity, 420
  maintenance of the ICS framework, 402
Segregation of Duties Review, 74, 75
Segregation of duties risk, 434
Self-assessment, 410
Self-maintenance, 290
Semi-finished products, 255
Sensitive data, 278
  collecting, 284
  data protection, 278
Sensitive fields, 234
Service connections, 142
Service desk, 144
Service Level Agreements (SLA), 133
Service Marketplace, 142
Service organization, 131
Service Pack, 142
Session, 186
Shared service, 131, 404
Shared services organization, 368
Shelf Life Expiration Date, 328
Significant deficiency, 422
Sign-off, 378, 423
Single Sign-on (SSO), 145, 428
Sizing, 386
Skills databases, 285
Software certification, 25, 57
  criterion, 58
  security-related, 60
Software Deployment Manager (SDM), 67
Software selection, 30
Solution Manager, 67, 86, 91, 138, 144, 329
  Business Process Repository, 91
  Data Consistency Cockpit, 87
  Monitoring, 87
Solution monitoring, 144
Solvency II, 14
SOX compliance
  automating, 366
SOX compliance process, 366
Spain, 13
  Good Governance, 13
  Good Governance of Listed Companies, 13
  Securities Markets Commission, 13
Special periods, 190
Split valuation, 250
SPM, 76
Standard business process, 89
Standard Operation Procedures (SOP), 326
Standard price, 253
Standard user, 148
  DDIC, 148
  EARLYWATCH, 148
  SAP*, 148, 149
  SAPCPIC, 148
  TMSADM, 148
  WF_BATCH, 148
Static code analysis, 158
Statistics file, 177
Stock
  non-valuated, 250, 257
  split valuation, 251
  valuated, 250
Stock consistency check, 252
Stock value, 253
Stock withdrawal strategies, 327
Storage
  data, 284
Storage location, 117
Strategy and performance management, 437
Strategy Management, 438
Structural authorization profile, 297, 298
Structural authorizations, 296, 297
Substitution rules, 202
Subtype, 292
Superuser Privilege Management, 76, see SPM
Support, 142
Support Packages, 142
Survey, 377
Swiss Agency for Therapeutic Products, 320
Switzerland, 10
  Art. 716a (3) OR, 11
  Art. 728a (1) OR, 11
  auditing standard PS 890, 11
  Obligations Code, 11
  SOX Light, 10
Synchronous RFC, 184
System administration, 66
  authorization concept, 66
System copy, 288
System landscape, 142
System log, 166, 174, 175
System trace, 123, 152

T
Tables, 96
  advantages from audit view, 97
  authorization groups, 159
  change documents, 166
  changes, 166
  connections, 108
  conversion tables, 115
  Data Dictionary tables, 105
  debugging activities, 166
  direct maintenance, 158
  infotypes, 291
  keyword search, 107
  logging, 114, 171
  logical databases, 108
  maintenance, 162
  number, 96
  protecting data, 166
  protection, 158, 159
  SAP, 96
  SAP_EDIT, 166
  scope of logging, 171
  search, 103, 106
  table manual, 102
  table search via fields, 106
  VBRK, 313
  where-used list, 114, 116
Tax audit, 30
Tax code, 201
Taxes, 200
Test management, 144
Test of control effectiveness, 410
Test plan, 413
Therapeutic Goods Administration (TGA), 320
Tolerance groups, 212, 246
Tools
  documentation, 474
  master data, 474
Traceability, 286
Transaction
  SE16 (Data Browser), 443
Transaction audit, 21
  outsourcing, 25
Transaction calls
  history, 177, 289
Transaction CK24 (Price Update with Cost Estimate), 467
Transaction CK40N (Edit Costing Run), 467
Transaction CKME (Activation of Planned Prices), 467
Transaction CKMLPC (Price Change), 467
Transaction data, 171
Transaction FK02 (Change Vendor Accounting), 371
Transaction GRFN_STR_CHANGE (Change Process Control), 390, 395
Transaction GRFN_STR_CREATE (Administration), 386
Transaction GRFN_STR_DISPLAY (Display Process Control), 389
Transaction MIRO (Logistics Invoice Verification), 371
Transaction MR21 (Price Change), 467
Transaction SE38, 154
Transaction SE80, 154
Transaction SU01 (User Maintenance), 428
Transaction V.03 (List of Incomplete Inquiries), 91
Transaction VA11 (Create Inquiry), 91
Transaction VA12 (Change Inquiry), 91
Transaction VA13 (Display Inquiry), 91
Transaction VA15 (Inquiries List), 91
Transactional RFC, 184
Transactions, 109
  account determination transactions, 222
  AFAMA — View Maintenance for Depreciation Key Method, 224
  AW01N — Asset Explorer, 218
  Basis authorizations, 162
  BD87 — Status Monitor for ALE Messages, 182
  BDM2 — Monitoring, 183
  CKMPCD — Display Price Change Documents, 254
  display technical name, 111
  F.15 — List Recurring Entries, 207
  F-43 — Enter Vendor Invoice, 258
  F.80 — Mass reversal, 216
  F110 — Parameters for Automatic Payment, 230
  FB04 — Document Changes, 168
  FB60 — Enter Incoming Invoices, 120, 124, 125, 159, 213, 258
  FBKP — Maintain Accounting Configuration, 198, 246
  FBL3N — Vendors, 273
  FBL5N — Customers, 273
  FD24 — Credit Limit Changes, 264
  FD32 — Change Customer Credit Management, 263
  FIBLAPOP, 231
  FP22 — Mass reversal, 216
  FPVC — Mass Reversal of Dunning Notices, 216
  FS00 — G/L Account Master Record Maintenance, 246
  FTXP — Maintain Tax Code, 201
  GGB0 — Validation Maintenance, 203
  IDoc, 183
  KALC — Cost Flow Message, 209
  MASS — Mass Change, 216
  MB51 — Material Document List, 242, 255
  MI01 — Create Physical Inventory Document, 186
  MR11 — GR/IR Account Maintenance, 245
  MRBR — Release Blocked Invoices, 243
  MRN0 — market prices, 254
  MRN2 — movement rate, 254
  MRN3 — loss-free valuation, 254
  MRN9 — Balance Sheet Values by Account, 254
  OA79 — Maintain Asset History Sheet Definition, 225
  OAAR and OAAQ — Take back year-end closing activities, 228
  OABK — Delete Asset Class, 228
  OABL — Reset Company Code, 210, 216, 228
  OAMK — Configuration of reconciliation accounts per company code, 229
  OAY2 — Asset Class, 226
  OAYK — Low Value Assets, 226
  OAYR — Posting Rules for Depreciation, 224
  OAYZ — Asset Class, 219
  OB29 — Fiscal Year Variants, 191
  OB32 — Maintain Table TBAER, 168
  OBC4 — Maintain Table T004V, 200
  OB_GLACC11, OB_GLACC12, and OB_GLACC13 — Mass maintenance of G/L accounts, 216
  OBL6 — Consistency Check, 272, 274
  OMJJ — Customizing, 242, 266
  OMR3 — MM-IV Default Account Maintenance, 247
  OMW0 — MM-IV Control Valuation, 251
  OMWB — MM-IV Automatic Account Assignment (Simulation), 252
  OMWC — MM-IV Split Material Valuation, 251
  OOAC — HR, 298, 301
  OOSB — User (Structural Authorization), 297
  OOSP — Authorization Profiles, 297
  PA30 — Maintain HR Master Data, 293
  PA40 — Personnel Actions, 293
  PFCG — Profile Generator, 163, 239, 296
  purchasing process, 109
  SA38 — ABAP Program Execution, 111
  SA38 — ABAP Reporting, 148, 152
  S_AHR_61016380 — Logged Changes in Infotype Data, 295
  S_ALR_87003642 — Maintenance of posting periods, 216
  S_ALR_87012180 — List of Customer Addresses, 261
  SCC4 — Client Administration, 140
  SDD1 — Duplicate Sales Documents in Period, 261
  SE01 — Transport Organizer, 138
  SE11 — ABAP Dictionary maintenance, 116, 158
  SE14 — Utilities for Dictionary Tables, 166
  SE16 — Data Browser, 104, 110, 141, 267, 273
  SE16N — General Table Display, 166
  SE38 — ABAP Editor, 111, 153
  SE84 — Repository Information System, 105, 110, 153
  search, 109
  short description, 110
  SM13 — Administrate Update Records, 180
  SM14 — Update Program Administration, 180
  SM20 — Analysis of Security Audit Log, 176
  SM21 — Online System Log Analysis, 175
  SM30 — Call View Maintenance, 204
  SM30 — Table Maintenance, 158, 203
  SM35 — Batch Input, 187
  SM58, 184
  SM59 — RFC Destinations (Display/Maintain), 184
  SMQ2 — qRFC Monitor (Inbound Queue), 184
  SPAM — Support Package Manager, 142
  SPAU — Display Modified Objects, 143
  STMS — Transport Management System, 136
  SU01 — User Maintenance, 149, 161, 296
  SU10 — User Mass Maintenance, 161
  SU24 — Authorization Object Check under Transactions, 159
  SU53 — Evaluate Authorization Check, 160
  SUIM — User Information System, 121, 126, 146, 239
  user menu, 110
  V.02 — List of Incomplete Sales Orders, 261
  V.15 — Display Backorders, 261
  VCHECKT683 — Customizing Check Pricing Procedure, 267
  VF03 — Display Billing Document, 270
  VKM1 — Display Blocked SD Documents, 261
  VKM2 — Display Released SD Documents, 261
  VOV8 — Document Type Maintenance, 266, 269
  WE05 — IDoc Lists, 182
  XK99 — mass maintenance, 216
Transport domains, 139
Transport Management System (TMS), 136, 158
Transport paths, 140
Transport request, 136, 137, 161, 178
  approval procedure, 139
  import, 139
  name, 138
  release, 139
  segregation of duties, 139
Triangular deals, 266
Trusted system, 184

U
UAM, 74
UAR, 74
Universe, 472
Update administration, 162
Update system, 180
Update terminations, 174, 180
Up-to-date software, 142
US Department of Commerce, 281
USA
  PCAOB standard, 6
  Section 404, 6
  Section 802, 6
  Section 1107, 6
  Securities and Exchange Commission, 6
  Standard AS 5, 6
User, 127
  anonymous user accounts, 146
  attributes, 127
  authorization analysis, 129
  authorization assignment, 163
  communication user type, 128
  dialog user, 128
  emergency user concept, 150
  identity, 145
  life cycle, 145
  properties of user types, 128
  reference user, 128
  SAP system, 127, 128
  service user type, 128
  standard passwords, 149
  standard user, 148
  system user type, 128
  tolerance groups, 212
  user administration, 145
  user administration concept, 135
  user group, 162
  User Information system, 121, 146
  user menu, 110
User Access Management, 69, see UAM
User Access Review, 74, see UAR
User Management Engine (UME), 428

V
V model, 323
V1 operations, 180
V2 operations, 180
Val IT, 51
Validation, 202
Valuated goods movements, 269
Value of receivables, 272
Variances, 243
Vendor invoices, 258

W
Warehouse Management, 327
Web browser, 151
Web dynpro, 162
Where-used list, 114, 116
White paper, 63
Work in Progress (WIP), 197
Workflow-based activity, 410
Works Council Constitution Act (BetrVG), 276
Write-debugging, 307
Write-off of open receivables
  improper, 314