References - Springer978-3-642-35302-4/1.pdf

References

Behera, R.: Cross-Enterprise Integration with SAP GRC Access Control. Boston (2009)

Biskie, S.: Surviving an SAP Audit. Boston (2010)

Buchner, R.: Wirtschaftliches Prüfungswesen, 2nd edn. Munich (1997) (Available in German language only)

Däubler, W., Klebe, T., Wedde, P., Weichert, T.: Bundesdatenschutzgesetz – Kompaktkommentar, 3rd edn. Frankfurt am Main (2010) (Available in German language only)

Gola, P., Klug, C., Körffer, B., Schomerus, R.: BDSG. Bundesdatenschutzgesetz, 10th edn. Munich (2010) (Available in German language only)

Hartke, L., Hohnhorst, G., Sattler, G.: SAP-Handbuch Sicherheit und Prüfung, 4th edn. (2010) (Available in German language only)

Helfen, M., Trauthwein, H.M.: Testing SAP Solutions, 2nd edn. SAP PRESS (2010)

Hellberg, T.: Einkauf mit SAP MM, 2nd edn. Bonn (2009) (Available in German language only)

Horwath, P., Schäfer, H.-T.: Prüfung bei automatisierter Datenverarbeitung, 2nd edn. Berlin (1983) (Available in German language only)

Leffson, U.: Wirtschaftsprüfung, 4th edn. Wiesbaden (1980) (Available in German language only)

Lehnert, V., Bonitz, K.: Authorizations in SAP Software: Design and Configuration. SAP PRESS (2010)

Linkes, M., Karin, H.: SAP Security and Risk Management, 2nd edn. SAP PRESS (2010)

Maurer-Lambrou, U., Vogt, N.P.: Basler Kommentar Datenschutzgesetz, 2nd edn. Zurich (2010) (Available in German language only)

Minz, G., Zepf, G.: Computergestützte Jahresabschlussprüfung. Erfordernis, Möglichkeiten und Voraussetzungen. Betriebswirtschaftliche Forschung und Praxis 36(5) (1984) (Available in German language only)

Minz, G.: Ansätze einer Prüfungstheorie für computergestützte Buchführungssysteme. Wirtschaftsprüfung 36(18) (1983) (Available in German language only)

Montgomery, R.H.: Auditing Theory and Practice. New York (1912)

Oberhofer, B.: Datenschutz und Arbeitsrecht (Vol. Handbuch Datenschutzrecht) (2009) (Available in German language only)

Schäfer, M., Melich, M.: SAP Solution Manager Enterprise Edition, 2nd edn. Bonn (2009)

Schuppenhauer, R.: Grundsätze für eine ordnungsmäßige Datenverarbeitung (GoDV). Handbuch der DV-Revision, 5th edn. Düsseldorf (2005) (Available in German language only)

Siebert, J.: The SAP General Ledger, 2nd edn. SAP PRESS (2010)

Tinnefeld, M.-T., Ehmann, E., Gerling, R.W.: Einführung in das Datenschutzrecht, 4th edn. Munich (2004) (Available in German language only)

Wiegenstein, A., Schumacher, M., Schnizel, S., Weidemann, F.: Sichere ABAP-Programmierung. Bonn (2009) (Available in German language only)

Withus, K.-H.: Internes Kontrollsystem und Risikomanagementsystem – Neue Anforderungen an die Wirtschaftsprüfer durch das BilMoG. Die Wirtschaftsprüfung. Institut der Wirtschaftsprüfer in Deutschland e.V., (Ed.), Issue 17/2009 (Available in German language only)

Legislation and Directives Referenced

Loi de Sécurité Financière [Financial Security Act], France

Financial Statements Act, Denmark

Auditors’ Act, Denmark

Aktiengesetz (AktG) [Stock Corporation Act], Germany

Bilanzrechtsmodernisierungsgesetz (BilMoG) [Accounting Law Modernization Act], Germany

Handelsgesetzbuch (HGB) [Commercial Code], Germany

Strafgesetzbuch (STGB) [Penal Code], Germany

Obligationsrecht (OR) [Obligations Code], Switzerland

Aktiengesetz (AktG) [Stock Corporation Act], Austria

GmbH-Gesetz (GmbHG) [Limited Liability Companies Act], Austria

Public Company Accounting Reform and Investor Protection Act (US SOX), USA

Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG) [Control and Transparency in Business Act], Germany

National Instruments (NI), Canada

Financial Instruments and Exchange (J-SOX), Japan

Basic Standard for Enterprise Internal Control, China

Foreign Practice Act, USA

Health Insurance Portability and Accountability Act (HIPAA), USA

Code of Federal Regulations (CFR), Title 21, USA

Bundesdatenschutzgesetz (BDSG) [Data Protection Act], Germany 2009

Datenschutzgesetz (DSG) [Data Protection Act], Austria 2000

European Union: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 11/23/1995

Council of Europe, COE: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 01/28/1981

Organisation for Economic Co-operation and Development, OECD: Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, September 23, 1980

UN General Assembly: Guidelines for the Regulation of Computerized Personal Data Files, December 14, 1990

US Department of Commerce: Safe Harbor Principles – Privacy Policy, 2000

Verordnung zur Durchführung des Datenschutzgesetzes (VDSG), Switzerland 1993

Internet Sources

German Federal Office for Information Security: IT-Grundschutz Catalogues, available at: www.bsi.bund.de/EN

German-speaking SAP user group (DSAG) SAP audit guides, data protection guides, etc., available at: http://www.sap.com/germany/about/company/revis/infomaterial/index.epx

SAP AG: Users and roles (BC-SEC-USR), available at: http://help.sap.com/

SAP AG: Security Guides, available at: http://service.sap.com/securityguide


The Author of this Book

Maxim Chuprunov completed his studies in business administration, including various research projects, as a scholarship student of the German Academic Exchange Service in 2001 with his thesis on the topic “Auditing in the SAP Environment.” Since then, he has remained loyal to this topic and is consistently expanding it in the GRC (governance, risk, and compliance) field. His specialist area includes connecting the specialist and compliance-specific views of business processes with technical solution know-how.

Before Maxim Chuprunov founded RISCOMP GmbH (Switzerland) at the end of 2010, he was employed at KPMG DTG in Munich, Germany and KPMG LLP in Boston, USA, as well as at SCHENKER AG in Essen, Germany, and SAP AG in Zürich, Switzerland.

At KPMG, he worked in the Information Risk Management and IT Advisory areas. In parallel to numerous projects at international groups of companies, he successfully completed professional exams to become a CPA (Certified Public Accountant) and CISA (Certified Information Systems Auditor), as well as acquiring certification as FI/CO consultant for SAP. At SCHENKER AG (Essen), he was responsible, within the scope of global rollouts, for the implementation of the FI and CO processes with SAP, including reporting to SEM.

In 2007, Maxim Chuprunov joined the Center of Expertise Financials & Compliance at SAP Switzerland. In his function as Senior Consultant, he has performed pioneering work in implementation projects and proofs of concept for SAP solutions for GRC with a focus on ICS automation. He is known in SAP Solution Management circles as an expert and creative force in tests and software design for SAP Process Control, and holds training courses for SAP Education.


Contributors to this Book

Reto Bachmann is a project manager in the Operational Excellence area at Mettler-Toledo International, Switzerland. From his time as an SAP consultant, he has around seven years of project experience in logistics-related topics, mainly in the consumer electronics, pharmaceuticals, and food industries (FMCG). He subsequently moved to the internal audit team of a Swiss chemical company, where over a period of four years, he developed and implemented data analyses for assessing the efficiency of the controls and the correctness of SAP processes effectively and with a view to cost optimization. He has since been active in similar roles at a Swiss pharmaceuticals company and for Mettler-Toledo International.

Reto Bachmann actively contributed to Chap. 14 of this book.

In SAP Business Development, Günther Emmenegger is responsible for the life sciences industry in the EMEA economic zone and India. After studying mathematics and applied physics in Freiburg im Breisgau, Germany, he worked in German space research and for 19 years, for a French chemical and pharmaceutical group. After four years as a validation consultant at an SAP implementation partner, since 2001 Günther has been active in various roles for life sciences customers of SAP.

Günther Emmenegger actively contributed to Chap. 13 of this book.


Jan Laurijsen studied business sciences, with a focus on business administration and engineering as well as information management. Since 1987 he has been working at Ericsson, and in this time, has gathered extensive experience in the areas of controlling, process management, and project management. He is responsible for the efficient design of the SOX compliance processes at Ericsson.

Jan Laurijsen provided considerable support with regard to the Ericsson practical report from Chap. 18.

Since 2000, Volker Lehnert has been active in various roles around compliance and security at SAP. Since 2012, he has been working for SAP AG Installed Base Maintenance and Support (IMS) as project manager for data protection. Volker Lehnert is the co-author of the data protection guide produced by DSAG, co-author of the SAP PRESS bestseller “Authorizations in SAP Software: Design and Configuration,” and co-author of the book “Datenschutz in SAP Systemen” [Data Protection in SAP Systems].

Chapter 11 of this book was written in cooperation with Volker Lehnert (except Sect. 11.2).

For many years, Marc Michely has been involved with the optimization of process flows and controls in organizations in an international environment. As an auditor and consultant, he gathered experience in these areas and at PricewaterhouseCoopers Switzerland, in the System and Process Assurance department, focused on the area of central monitoring of organizational processes at shared service centers in international companies.

Chapter 12 of this book was written with support from Marc Michely.


Reviewer of this Book

Annett Nowatzki is an auditor and tax consultant and has worked at both Coopers & Lybrand and KPMG during her career. She has been active in various management positions, and in 2005, became a partner at KPMG. In 2010, she moved to the executive board of DSJ Revision und Treuhand AG. In addition to creating and auditing year-end and group financial statements in accordance with the German Commercial Code (HGB) and IFRS, she has extensive experience in auditing IT systems (particularly SAP). She has accompanied SAP implementations in numerous large and medium-sized organizations in Germany and other European countries from an audit perspective.


Index

3-way match, 243

A

ABAP command injection, 157
ABAP Editor, 111
ABAP programs, 111
ABAP security, 158
Abuse of information, 290
Accelerated SAP (ASAP), 323, 474
Access Control, 69, 72, 83, 434
    Content, 83
    integration, 434
    training, 87
Access Risk Management, 69, see ARM
Access sequences, 267
    determine, 268
Account determination, 198, 220, 251
Account determination transactions, 222
Account group, 191, 371
    prioritization, 372
Accounting reconciliation, 195
ACL, 81
Acquisition and production costs (APC), 226
Administration
    BI folders, 162
    number range intervals, 162
    profile parameters, 162
    RFC connections, 162
    SAP instances, 162
    Transport Management System, 162
Administration authorization, 66
Advance return for tax on sales/purchases, 200
Adverse opinion, 19
Ageing structure, 234
Air-conditioning, 135
Analyzing due dates, 311
Annual financial statements, 19, 30
Anonymization: data, 288
Anti-fraud controls, 305
Anti-virus software, 65
Application control, 60
Application lifecycle, 67
Application Link Enabling (ALE), 182
    ALE audit, 102
    Auditing, 182
Application Security, 62
Appraisal procedures, 285
ARF/CMF scenarios
    effort, 480
    implementation, 486
ARM, 72
    compensating controls, 73
    organizational rules, 73
    segregation of duties violations, 73
Assertion, 36, 187
Asset Accounting
    account determination, 220
    calculation methods, 224
    consistency check, 221
    default values, 219
    movement types, 227
    reset, 228
Asset accounting, 218
Asset classes, 218, 219
Asset embezzlement, 304
Asset history sheet, 225
Asset history sheet program, 218
Assets, 218
Assignment number, 246
Asynchronous RFC, 184
Audit, 64
    organization and planning, 30
Audit and Assurance Faculty Standard (AAF) 01/06, 134
Audit approach, 21
    balance sheet audit, 21
    transaction audit, 21
Audit committee, 6, 10
Audit Directive
    Eighth EU Directive, 8
Audit Guide, 68
Audit Information System (AIS), 81, 457
Audit procedure, 21
Audit report, 26
Audit risk, 22
    discovery risk, 22
    error risk, 22
Audit Standards Committee
    Report No. 18, 134
Auditing, 19
Auditing and Assurance Standards Board (AASB), 134
Auditing standard, 25, 58, 132
    951, 134
    IDW PS 951, 65
    SAS 70, 65
Auditing: country specifics, 7
Auditor, 19, 26, 27
    basic principle, 27
    burden of proof, 28
    external auditor, 26
    independence, 28


    industry-specific auditor, 26
    internal audit, 27
    objectivity, 28
    professional skepticism, 28
    tax audit, 27
Austria, 11
    Art. 1 Section 39 of the Statute for a European Company, 11
    Austrian Corporate Governance Code, 11
    Section 22 GmbHG, 11
    Section 82 AktG, 11
Authorization
    authorization concept, 135
    authorization controls, 119
    authorization group, 153, 194
    authorization main switch, 299
    authorization management, 66
    authorizations in FI-AA, 228
Authorization check, 160
    profile parameters, 159
Authorization object level, 159
Authorization objects, 119, 293
    activity, 120
    default values for the Profile Generator, 125
    determination, 122
    documentation, 121
    F_BKPF_BUK, 120, 121, 124, 129
    F_BKPF_KOA, 124, 129
    F_KNA1_APP, 263
    F_KNA1_BUK, 263
    M_BAN_*, 239
    M_BES_*, 239
    M_BEST_WRK, 124
    M_ISEG_WDB, 253
    M_MATE_MAR, 250
    M_MATE_STA, 250
    M_MATE_VKO, 250
    M_MATE_WRK, 250
    M_MSEG_BMB, 255
    M_MSEG_BMF, 255
    M_MSEG_BWA, 242, 255, 266
    M_MSEG_BWE, 255
    M_MSEG_LGO, 255
    PLOG, 293
    P_ORGIN, 293, 294, 299, 300, 317
    P_ORGINCON, 300
    P_ORGXX, 300, 317
    P_ORGXXCON, 299
    P_PCLX, 293
    P_PERNR, 293, 294, 299, 316
    S_BCD_MONI, 161, 187
    S_BTCH_NAM, 307
    S_PROGRAM, 152
    S_PRO_PAGE, 161
    S_RFC, 160
    S_SCDO, 170
    S_TCODE, 120, 124, 129
    structural authorizations, 298
    switch off check, 159
    Table USOBT, 125
    value fields, 119
    V_KNA1_BRG, 262
    V_KNA1_VKO, 262
    V_KNKK_FRE, 263
    V_VBRK_FKA, 270
    V_VBRK_VKO, 270
    V_VBUK_FRE, 263
Automated anti-fraud controls, 305
Automated Controls Framework (ACF), see Continuous Monitoring Framework, 448
Automated Monitoring Framework (AMF), see Continuous Monitoring Framework, 448
Automated Rules Framework (ARF), 82, 84
Automatic postings, 198
Automatic sales price determination, 267
Auxiliary transactions, 228

B

Balance confirmations, 197
Balance sheet
    balance sheet fraud/falsification, 308
Bank details, 261
Basel II, 15
Basel III, 16
Baseline date for payment, 100, 234
Basis authorizations, 161
Batch input procedure, 185
Batch input sessions, 186
Batch job log files, 307
Batch management, 251
Batch where-used, 327
Batches, 327
BC Set, 324, 385, 474, 477
Best practice role concept, 431
Big Four, 29
Billing, 266
    order-related and delivery-related, 266
Billing documents
    entry, 270
    status list, 272
    transfer, 270
Billing due list, 269
BIZEC APP/11 list, 156
Blocking reasons, 243
Blocks
    amount-based, 244
    stochastic, 244
BRG, 74, 75
BS 7799, 54
Business area, 117
Business blueprint, 135, 475
Business partner
    tolerance groups, 212
Business Performance Management (BPM), 439


Business Process Change Analyzer, 329
Business Process Repository, 91
Business Role Governance, 69, 74, 75, see BRG
Business rule, 452

C

CAAT-supported queries, 309
Canada
    NI 52-109, 7
Canadian Institute of Chartered Accountants (CICA) 5970, 134
Canceled posting records, 196
Capability Maturity Model Integration (CMMI), 52
Cash discount, 5
CEA, 76
CEAVOP
    see Assertion, 36
Centralized Emergency Access, 69, see CEA
Certification, 133
Chain transactions, 266
Change and Transport Management System (CTS), 178
    CTS control parameters, 179
    CTS directories, 178
    CTS parameters, 178
Change document, 166, 169, 395
    delete, 162
    setting up, 287
Change log, 107
Change log tool, 464
Change management
    audit, 30
    change management guidelines, 135
    FDA, 324
Changes to accounting document, 196
Changes to bank master data, 196
Changes to customer master data, 196
Changes to vendor master data, 196
Chart of depreciation, 219
Check, 163, 209
    account determination for material movements, 252
    account determination in FI-AA, 220
    Application Link Enabling (ALE), 182
    authorization main switches, 300
    authorization protection for programs developed in-house, 151
    authorizations for calling up programs directly, 152
    authorizations for table maintenance, 158
    batch input processing, 186
    billing due list, 269
    change documents, 170
    client settings, 141
    company code protection, 211
    completeness of the asset history sheet, 225
    consistency check in FI-AA, 221
    contents of the infotypes, 293
    controls for invoice verification, 244
    controls for the SAP payment run, 231
    credit limit in sales and distribution, 264
    critical authorizations in FI, 216
    critical movement types, 242
    debugging authorizations, 167
    definition of sensitive fields in master data maintenance, 235
    delivery of goods, 266
    depreciation rules, 224
    depreciation-relevant parameters in asset classes, 220
    detecting fraud from the due date, 234
    dunning process, 273
    duplicate invoice entry, 245
    emergency user, 150
    employee data protection, 285
    factual accuracy, 280
    field status groups, 199
    fields in G/L account master, 193
    GR/IR account clearing, 246
    handling of data protection-relevant data in SAP ERP, 289
    identity/life cycle of the user, 146
    logging of infotypes, 288
    logging of report calls, 288
    LVA configuration control, 226
    maintenance, 166
    maintenance and updates, 142
    maintenance of customer master data, 262
    maintenance of exchange rates, 203
    maintenance of material master data, 250
    making data anonymous, 288
    master data protection in FI, 214
    no gaps in document number assignment, 174
    one-time account functions and alternative bank data in a document, 233
    organizational structures in purchasing, 239
    personnel event, 295
    posting logic and account determination, 198
    presence of parked documents, 206
    price determination during billing, 267
    principle of real-time posting, 191
    process and system documentation, 135
    processing of personal data, 280
    product cost accounting in P2P, 256
    purpose, 280
    reconciliation accounts in business partner master data, 230
    release of scrapping, 255
    release strategies in the ordering process, 241


    Remote Function Call (RFC), 184
    sales documents, 260
    sales documents at table level, 314
    SAP system landscape, 136
    SAP system log, 175
    Security Audit Log (SAL), 176
    segregation of duties in FI-GL, 217
    segregation of duties, development/authorizations, 161
    statistics file, 177
    structural authorizations, 298
    structural authorizations – context solution, 298
    system trace for transactions developed in-house, 152
    table logging, 172
    tolerance limits, 205
    traceability in CTS, 179
    transfer values from CO to FI, 209
    treatment of recurring entries, 207
    update terminations, 182
    use of document parking, 205
    valuation of the stock value, 251
    value adjustment of the stock value, 254
Chief Compliance Officer, 379
China, 8
    Basic Standard for Enterprise Internal Control, 8
    Business management IT systems, 8
Cisco SONA check rule, 458
Clearing, 246
Clearing date, 100
C-level management, 55
Client, 117, 140
    control function, 140
    open live client, 141
Client modifiability
    maintain, 162
CLM, 70, 86
Closing operations, 195, 247
Code of Federal Regulations (CFR), 320
Co-determination (works councils and employee committees), 283
CO-FI integration, 256
Combination not permitted, 283
Command
    AUTHORITY-CHECK, 151
    CALL TRANSACTION, 151
    INSERT REPORT, 154
Commissioned data processing, 279
Committee of Sponsoring Organizations of the Treadway Commission, 47
Communication user, 184
Company code, 117, 209
    productive indicator, 210
Comparison
    FI-GL and subledgers, 197
Compensating control, 73
Competence center, 131
Compliance, 3
    automation, 365
Compliance automation
    project experiences, 473
Compliance initiative, 399
Compliance Management Software (CMS), 446
Compliance-relevant guide, 61
Computer Aided Test Tool (CATT), 140
Computer Assisted Auditing Techniques (CAAT), 81, 442
Computer Center Management System (CCMS), 177
Condition technology, 266
Conference room pilot, 475
Configuration controls, 102
Configuration tables, 102
Configuring condition types, 312
Confirmation, 255
Consistency check, 200, 221
Content, 82, 89
Content Lifecycle Management, see CLM
Context solution, 298
Continuous compliance and monitoring, 488
Continuous control monitoring, 71, 487
Continuous Monitoring Framework, 78, 421, 448, 457, 479
    analysis rule, 460
    BW script, 470
    change analysis, 462
    change log tool, 464
    control, 467
    expectations, 450
    GRC Integration Framework, 451, 453
    logging, 465
    potential, 450
    predefined rule, 466
    rule, 452
    script type, 457
    structure in SAP GRC 10.0, 451
    subscenario, 457
Continuous Monitoring Framework, subscenario
    ABAP report, 457
    BW query, 457
    configurable, 457
    event, 457
    Process Integration (PI), 457
    programmed, 457
    SAP query, 457
    SoD integration, 457
Continuous Rules Monitoring (CRM)
    Continuous Control Monitoring, 448
Control, 369
    attribute, 369
    general application control, 42


    integrative function, 370
    process control, 42, 43
    security guidelines, 146
Control and Transparency in Business Act (KonTraG), 9
Control data, 171
Control design assessment, 410, 414
Control execution
    confirm, 375, 382
Control identification process, 38
Control matrix
    implement, 450
Control objective, 370
Control Objectives for Information and Related Technologies, 48
Control owner, 379
Control programs
    General Ledger Accounting, 196
Control risk assessment, 410
Control selection
    scoping, 6
Controlling area, 117
Controls, 142, 145, 147–149
    blocking HR data, 316
    changing client settings, 141
    client settings, 141
    configuration controls, 102
    customer master data, 261
    deliveries of goods, 265
    dunning process, 272
    emergency production corrections, 139
    FDA/asset maintenance, 326
    FDA/batch traceability, 327
    FDA/implementation processes, 324
    FDA/procurement, 325
    FDA/production management, 325
    FDA/quality management, 326
    FDA/warehouse management processes, 327
    inventory control, 253
    master data controls, 103
    material master data, 249
    naming transport requests, 137
    order entry, 260
    order fulfillment and revenue recognition, 264
    ordering, 238
    packaging transport requests, 138
    profile parameters for handling SAP*, 149
    return deliveries, 269
    segregation of duties, 139
    standard forms and test documentation, 138
    stocks, 249
    transaction controls, 103
    transport requests created in the live system, 140
    use of critical movement types, 255
    valuation of stock value, 253
Corporate Governance, 370
Corporate governance, 257
Corporate governance code, 8
COSO cube, 364
Cost object, 255, 256
Count confirmation, 253
Country-specific del credere, 229
Credit control area, 263
Credit default risk, 15, 263
Credit limit assignment, 263
Credit limit controls, 263
    dynamic, 263
    static, 263
Credit limit controls: maintain, 264
Credit limit data
    customer master record, 264
Credit limit maintenance, 261
Credit management, 196
Credit memos, 269, 312
Credit memos/discounts
    improper, 312
Critical action risk, 434
Critical administration transactions, 161
Critical transactions, 215
Crystal Reports, 384, 426
Custom code, 158
Custom field, 477, 479
Customer master data, 261
    maintain, 264
    quality, 261
Customer master data maintenance, 261
Customer master record, 261
Customizing distribution, 144

D

Data
    anonymizing, 288
    saving locally, 289
Data backup, 135
Data Browser, 104
Data Consistency Cockpit, 87
Data extraction, 443
Data in an SAP system
    configuration data, 101
    date fields, 100
    master data, 97
    search, 103
    transaction data, 98
Data protection, 30, 177, 277
    data processing, 278
    data protection officer, 281
    general data protection-relevant control mechanisms, 286
    legislation in Germany, 276
    personal data, 277
    sensitive data, 278
    Switzerland, 278


Data protection directive
    directive 95/46/EC, 276, 277
    Safe Harbor Principles, 281
Data Protection Guide, 68
Data Retention Tool (DART tool), 443
Data source, 452
Data transfer
    to third countries, 281
    to third parties, 279
Debugging, 166, 174
Declaration of consent, 280
Delivery of goods, 265
Denmark, 12
    Auditors’ Act, 12
    Financial Statements Act, 12
Depreciation, 220
Depreciation area, 218
Depreciation key, 219, 223
Design test, 376
Determination of sales tax, 266
Devaluations, 234
Developer guidelines, 135
Developer key, 162
Development standard, 158
Development system, 136
Directive
    75/319/EEC, 321
    81/851/EEC, 321
    91/356/EEC, 321
    91/412/EEC, 321
    95/46/EC, 277
    2006/43/EC, 10
    2006/46/EC, 10
Discounts, 312
Distribution channel, 117
Division, 117
Document
    archiving, 173
    change rules, 168
    changes, 168
    master data, 213
    modifiability, 168
    parking, 173, 205
    substitution, 202
    unalterability in SAP ERP, 37
    validation, 202
Document data
    analyze (general ledger), 310
Document date, 100
Document header, 98
Document number assignment, 173
Document number buffering, 173
Document number range intervals, 174
Document segments, 98
Documentation, 135
Documentation Management System (DMS), 323
Due date, 100, 234
Dunning, 271, 272
    basic settings, 272
    dunning areas, 273
    dunning block reasons, 273
    dunning keys, 273
    dunning procedure, 274
    dunning process, 271
Duplicate invoice entry, 245

E

EarlyWatch Alert, 67, 142
Effectiveness test, 376, 412
Eighth EU Directive, 8
    Article 39 to 41, 8
    control and risk management system, 8
    internal audit, 9
    strategic risk, 9
E-Learning, 144
E-mail security, 65
Emergency concept, 65
Emergency user concept, 76, 150
Emergency user process, 150
Employee data, 289
Employee data protection, 283
Employee group, 117, 292
Employee subgroup, 117, 292
England, 11
    Combined Code on Corporate Governance, 11
    Turnbull Guidance, 12
Enhancement Packages, 142
Enterprise Asset Management (EAM), 326
Entity level control, 410, 415
Entity level controls, 6, 44
Ericsson, 488
EU Commission, 276
EU GCP Note for Guidance, 322
Euro SOX, 9
European Medicines Agency (EMA), 320
Evaluation
    held documents, 196
    parked documents, 196
Evaluation paths, 297
Exchange rate, 203
    direct quotation, 203
    encryption logic, 204
    indirect quotation, 203
Expiration date, 251
Extended CATT (eCATT), 140
External document number assignment, 173

F

Factual accuracy, 280
FDA compliance, 319, 320
    IT, 322
    system maintenance, 328


Federal Ministry for Health and Social Affairs (BMGS), 320
Federal Office of Public Health (FOPH), 320
Federal Office of the Environment (FOEN), 321
Federal Register, 320
Fictitious employees, 315
Fictitious invoices, 311
Field status groups, 194, 199
Financial Instruments and Exchange, 7
Financial reporting, 20
Financial sector
  Basel II, 15
  Basel III, 16
  Directive 2006/48/EC, 15
  Directive 2006/49/EC, 15
  EU Directive, 15
  MaRisk, 15
  MRC, 15
  Solvency II, 14
Financial Services Agency (FSA), 7
Financial statements, 192
  financial statement structure, 371
  financial statement version, 192
Financial Systems Integration Office, 58
Finished products, 255
Fire protection, 135
First expired, first out (FEFO), 328
First level authorization, 430
Fiscal year variant, 190
Flow chart, 381
Food and Drug Administration (FDA), 84, 319
  automating compliance, 366
  change management, 324, 328
  configuration management, 328
  process, 366
  regulations, 319
  risk-based validation, 323
  validation, 322, 323
Food inspection, 319
Foreign Corrupt Practices Act, 257
Foreign currency, 203
Foreign currency differences, 204
Forensic science, 309
Formal correctness requirement, 36
France, 12
  AMF, 12
  Loi de Sécurité Financière, 12
Fraud, 303
  batch input session, 307
  fraud-benefiting factors, 304
  fraudulent document postings, 308
  fraudulent financial reporting, 303
  manual journal entries, 309
  misused functions, 306
  types of fraud, 303
Fraud audit, 30
Free goods, 313

G

G/L account master data, 193
  change, 196
G/L accounts, 192
General ledger, 189
  analyze document data, 310
  fraud, 308
  fraudulent document postings, 308
General Ledger Accounting
  control programs, 196
Generally Accepted Accounting Principles (GAAP), 24, 36, 58
  formal, 36
  IT-specific, 36
  material, 36
German Accounting Law Modernization Act (BilMoG), 10
German Commercial Code (HGB), 9
German Corporate Governance Code (DCGK), 9
German Data Protection Act (BDSG), 68, 276, 284
German Federal Financial Supervisory Authority (BaFin), 15
German Federal Office for Information Security (BSI), 58, 60
German Institute of Auditors (IDW), 24
German Social Welfare Code (SGB), 276
German Stock Corporation Act (AktG), 9
German-speaking SAP user group (DSAG), 61, 63
  DSAG Guides, 61, 68
Germany, 9
  AktG, 9
  BaFin, 15
  BilMoG, 10
  Cromme Code, 9
  DCGK, 9
  HGB, 9
  KonTraG, 9
  MaRisk (VA), 15
Global rollout, 144
Global system log, 175
Good Automated Manufacturing Practice (GAMP), 321
Good clinical practice, 321
Good laboratory practice, 321
Good Manufacturing Practice (GMP), 321
Good working practice, 321
Goods receipt, 242
  critical movement types, 242
  without purchase order, 242
Governance, Risk, and Compliance, see GRC
GR/IR account, 245
  clearing, 245
  reporting at the end of the month, 248
GR/IR clearing account, 245


GRC, 68
  Integration Framework, 451, 453, 477
  integration scenarios, 79
  integration with Audit Management, 80
  Policy Management v. 10, 77
  Process Control v. 10, 70, 72
  Risk Management v. 10, 78
  Upload Tool, 474
Guidance Statement (GS) 007, 134
Guide to the Assessment of IT Risk (GAIT), 49

H

Health Insurance Portability and Accountability Act (HIPAA), 30
Health Products and Food Branch (HPFB), 320
Held documents, 196
History
  transaction calls, 177
HKSA-Statements
  Auditing Practice Note 860.2, 134
HR authorizations
  authorization level, 294
  authorization main switch, 299
  authorization objects, 293, 294
  context solution, 298
  evaluation paths, 297
  structural authorizations, 297
  structural profile, 297
HR data
  limiting access, 316
HR master data, 294
Human Capital Management, 142, 275
  attributes, 291

I

ICS
  automation, 70
  characteristics of automation, 72
  planning, 70
ICS activity
  matrix, 476
ICS and compliance automation
  project examples, 482
ICS automation
  business blueprint, 475
ICS content, 38
  application control, 43
  automated monitoring, 43
  entity level controls, 44
  general application control, 42
  IT general controls, 42
  manual control, 43
  semi-automated control, 43
ICS framework in Japan, 7
IDEA, 81
Identity, 145
Identity Management, 145
Implementation matrix, 383
Implementation of Process Control
  tools, 473
Incorrect billing documents, 266
Information Technology Assurance Framework (ITAF), 50
Information Technology Infrastructure Library (ITIL), 48
Information Technology Security Evaluation Criteria (ITSEC), 60
Infotype, 292, 294, 392
  logging, 287
In-house developments, 151
Initial password, 149
Input tax indicator, 201
Inspection interval, 326
Intermediate Documents (IDocs), 182
Internal audit, 27
Internal control system (ICS), 3
  activity, 373
  automated control execution, 375
  automation, 363
  centrally organized, 403
  confirmation of control execution, 375
  content, 477, 481
  data model, 372, 391, 393, 398, 401
  domain, 369
  financial sector, 13
  ICS attestation, 57
  ICS basic principle, 35
  ICS-related audit, 30
  implementation matrix, 383
  modeling, 476
  multiple domain principle, 369
  object, 367
  objective, 5
  organizational unit, 367
  owner, 379
  problem-solving process, 416
  process, 368
  process definition, 476
  requirements of ERP systems, 35
  risk orientation, 10
  role, 379
  scoping, 374
  segregation of duties (SoD), 376
  segregation of duties principle, 420
  sign-off, 378
  structure, 44
  term, 4
Internal document number assignment, 173
International Conference on Harmonization (ICH), 320
  ICH GCP Guidelines, 322
International Financial Reporting Standards (IFRS), 24


International Framework for Assurance Engagements, 134
International Society for Pharmaceutical Engineering (ISPE), 321
International Standard on Assurance Engagements (ISAE), 65
  3402, 65, 134
International Standards of Auditing (ISA), 25
Inventory, 253
Inventory controls, 253
Inventory procedure, 253
Invoice verification, 242
  tolerance limits, 243
ISO 27k, 54
ISO 9000, 133
ISO 17799, 54
Issue, 7
  deficiency, 7
  significant deficiency, 7
IT organization, 131
IT Security Evaluation Manual (ITSEM), 60
Italy, 12
  comply or explain principle, 13
  Preda Code, 12

J

Japan
  Financial Instruments and Exchange, 7
  Financial Services Agency, 7

K

Key performance indicator (KPI), 438
Key Risk Indicator (KRI), 78, 472, see KRI
KRI, 78
KUONI, 482

L

Legal conformity, 3
Legal data protection requirements, 275
Liability, 371
License, 145
Life cycle
  user, 145
Limitations on use, 283
Line item display, 195
Live system, 136
Logging, 173, 288, 465
Logging flag, 171
Logging report calls, 288
Logical databases, 107, 108
Logistics invoice verification, 243
Long-term documents, 288
Low value assets (LVA), 226
  maximum amounts, 226

M

Maintenance, 142
Maintenance of posting periods, 216
Maintenance tasks, 327
Making data unrecognizable, 288
Management Risk Controlling (MRC), 15
Manufacture of food and medicinal products, 319
Market risk, 15
Mass changes, 216
Mass maintenance, 216
Mass reversal, 216
Master data, 97, 213
  A segment, 97
  authorization objects, 215
  B segment, 97
  principle of segregation of duties, 234
  protection, 212
Master data maintenance, 262
Master Data Upload Generator, see MDUG
Material
  material correctness requirement, 36
  material devaluations, 253
  material movements, 251
  material valuation, 197
  material weakness, 422
Material master
  workflow, 249
Material master data
  maintain, 249
Materiality-based scoping, 407
MDUG, 70, 474
Medical Device Evaluation Committee (MDEC), 320
Medicinal product approval authority, 319
Message types, 182
Metalayer, 472
Microsoft Operations Framework (MOF), 53
Minimum requirements for risk management (MaRisk), 15
Ministry for Health, Labour and Welfare (MHLW), 320
Mitigating control, 435
Mobile end devices, 151
Modifications
  get an overview, 143
Money laundering, 257
Monitoring, 87, 375
Movement types, 227, 242, 252, 266
  501, 242
  561, 242
Moving average price, 253
Multi Application Query Tool (MQT), 455
Multi-domain requirements, 329
Multiple Compliance Framework (MCF), 399
Multiple domain principle, 399


N

National Pharmaceutical Control Bureau (NPCB), 320
Net prices, 266
New General Ledger, 195, 209, 257
NI 52-109, 7
Non-routine transactions, 198
Non-valuated material, 257

O

O2C process, 260
Object type, 292
Object-related security, 383, 395, 397, 428
Object-related security concept, 383
Object-specific logging, 465
Obligations Code (OR), 11
Offline CAAT tool, 442
Offline data analysis, 442
Offline data analysis tool, 444
Offline form, 413
Offline test, 413
OM, 74, 145, 296, 368
One-time account, 103
One-time customers, 232
One-time vendor, 232
Online CAAT report, 445
Operating concern, 117
Operating system commands, 175
Operational risk, 15
Operational Risk Management, see ORM
Opportunities for fraud, 305
  SAP basic component, 306
  SAP General Ledger, 308
  SAP personnel accounting, 315
  SAP sales area, 311
Oracle, 83, 84
Order entry, 260
Order to cash, 259
Ordering, 238
Order-related and delivery-related billing, 266
Organizational key, 292
Organizational Management, see OM
Organizational structures, 117
  financial view, 117
  Logistics, 117
  Materials Management, 117
  Personnel Management, 117
  Sales and Distribution, 117
  technical view, 117
Organizational unit, 367
Organizational units, 117
ORM, 78
  Loss Database, 78
  Operational Risk Management, 78
  Risk Control Self-Assessment, 78
  Static Data Management, 78
OSS error messages, 142
Output tax, 201
Outsourcing, 65, 132, 404

P

Parallel accounting, 193
Parked documents, 196
Password protection, 146
  profile parameters, 147
Payment Card Industry Data Security Standard (PCI-DSS), 54
Payment proposal list, 231
Payment run, 230, 231
Payments in SAP, 230
PCAOB standard, 6
PeopleSoft, 83, 84
Person responsible, 279, 285
Personal data, 277, 280, 284
  principles of processing, 281
  processing, 280
  protection standards, 290
  tracing changes, 287
Personnel area, 117, 292
Personnel events, 293
Pharmaceutical and Medical Safety Bureau (PMSB), 320
Pharmaceutical Inspection Cooperation Scheme (PIC/S), 320
Physical safety, 135
Pilot project, 480
Plan variant, 292
Planning function, 409
Planning status, 292
Plant, 117
Plant Maintenance, 326
Policy management, 77, 433
Posting periods, 190, 192
Postings
  blocking, 308
  restricting, 308
Practical experience, 473
Preconfigured workflow, 473
Preparatory sales and distribution phase, 260
Price control, 253
Price variances, 246
Pricing, 266
Pricing procedure, 267
Principle of identity, 145
Principle of least privilege, 151
Principle of segregation of duties
  master data maintenance, 234
  ordering, 239
Principles for data access and verifiability of digital documents (GDPdU), 30, 59, 444
Process, 368
Process Control, 69, 70, 84, 325, 388, 473
  administration, 386, 390
  aggregation of deficiencies, 422


  ASAP Roadmap, 474
  authorization model, 427, 431
  Automated Rules Framework (ARF), 84, 479
  BC Set, 474
  business blueprint, 475
  carryforward, 424
  centralized vs. decentralized documentation, 403
  change document, 395
  compliance initiative, 399
  conference room pilot, 475
  configuration, 384, 385
  Content, 84
  control automation, 82, 84
  copy, 403
  Crystal Report, 426
  custom field, 397
  data model, 391, 393, 398, 401
  GRC330, 87
  ICS master data concept, 392
  implementation, 473, 480
  implementation cost, 479
  installation, 387
  integration, 78, 421
  integration with Access Control, 73
  integration with Risk Management, 78
  integration with SAP Access Control, 434
  issue, 416
  master data, 388
  materiality-based scoping, 407
  migration, 387
  mitigating control, 435
  Multiple Compliance Framework (MCF), 399
  notification, 411
  object, 388
  object-related security, 395, 428
  object-related security concept, 383
  offline form, 413
  offline test, 413
  organization hierarchy, 388
  planning function, 409
  predefined rules, 85
  project expense, 479
  reference, 403
  Riscomp Automated Monitoring Scenarios, 85
  risk-based scoping, 408
  role concept, 431
  scoping, 405
  segregation of duties, 402, 420
  semi-automated control, 423
  sign-off, 423
  sizing, 386
  standard report, 424
  standard training GRC330, 388
  technical architecture, 383
  time dependency, 388, 393
  training, 87
  upgrade, 387
  user authentication, 428
  workflow-based activity, 410
Process control, 43
Process owner, 379
Procure to pay process, 237
Product cost accounting, 255
Product Cost Controlling (CO-PC), 255
Productive indicator, 210
Profile Generator, 161
Profile parameter, 176, 180
  update administration, 181
Profile parameters, 159
Profit and loss statement (P&L), 192
Profitability Analysis (CO-PA), 255
Program
  GRCPCRTA_CHANGELOGGRC, 464
  link to transactions, 111
Programs
  ABAP source code, 113
  authorization groups, 153
  call up directly, 152
  modify/develop, 162
  protection, 151, 154
  RAABST01, 221
  RAGITT01, 218
  RFBABL00, 168
  RFDAUB00, 207
  RFDOFW00, 234
  RFDOPR00, 234
  RFDOPR10, 234
  RFDSLD00, 197
  RFHABU00, 197
  RFKABL00, 169
  RFKKBU00, 197
  RFKSLD00, 197
  RFPUEB00, 206
  RFSABL00, 169
  RFSSLD00, 197
  RFTMPBEL, 206
  RFUMSV00, 201
  RFUMSV10, 201
  RFVBER00, 180, 182
  RM07CUFA, 200
  RM07MSAL, 248
  RS_ABAP_SOURCE_SCAN, 114
  RSBDCOS0, 175
  RSPARAM, 172, 175–178
  RSSTAT26, 177
  RSTBHIST, 191, 192
  RSTRFCQDS, 185
  SAPF120, 207
  SAPF124, 246
  SAPF190, 195
  search, 111


  table search options, 114
  TABLES, 113
  TFC_COMPARE, 195
  tp, 178
  use of tables, 113
  where-used list, 114
Project example, 482
Proof of concept (PoC), 480
  segregation of duties rule, 486
Provision, 272
Provisioning tools, 162
Public Company Accounting Reform and Investor Protection Act, 6
Public Disclosure Act (PublG), 19
Public Key Infrastructure (PKI), 65
Purchase orders, 239
Purchasing document types, 239
Purchasing organization, 117
Purchasing processes, 237
  local/central, 238
Purpose, 280, 285

Q

Qualified suppliers, 325
Quality assurance system, 136
Quality assurance tool, 158
Queued RFC, 184

R

RAMS, 85
  Riscomp Automated Monitoring Scenarios, 85
RAR, 72
Read-debugging, 307
Reconciliation account, 229
Reconciliation ledger, 208
Reconciliation work, 197
Recruitment, 289
Rectification, 378
Recurring entries, 207
Recurring entry documents, 168
Recurring entry original documents, 196
Refresh, 137
Regulation, 399
Release indicator, 240
Release strategy, 239
  value entries, 241
  without classification, 240
Release strategy with classification, 240
Remote access, 142
Remote Function Call (RFC), 184
  RFC logon attempts, 176
  RFC user, 184
Repair code, 143
Repairs, 143
Report evaluation, 379
Repository Information System, 108, 111
Restart procedure, 135
Return deliveries, 269
Returns, 257
Returns documents, 269
Returns processing, 269
Revalidation, 329
Reversed Business Engineering (RBE), 177
RFC communication
  asynchronous, 184
  types, 184
Right of access, 280
Right to information, 280
Riscomp, 474, 477
  Automated Monitoring Scenarios, 486
  GRC Upload Tool, 477
Riscomp Automated Monitoring Scenarios, see RAMS
Risk, 22, 371
  control risk, 22
  inherent, 22
  risk assessment, 377
  risk category, 378
  risk rule, 83
  risk-based scoping, 408
  risk-based validation, 323
Risk Analysis and Remediation, see RAR
Risk assessment, 410
Risk IT, 51
Risk Management, 77, 370, 438
  GRC340, 87
  integration, 78
  integration with SAP Strategy Management, 438
  Operational Risk Management, 78
  training, 87
Role, 125
  adjust, 431
  authorization analyses, 126
  role maintenance, 163
Routine transactions, 198
RSECNOTE tool, 82

S

Safe Harbor Principles, 281
Sales & Distribution (SD), 260
Sales and distribution phase
  preparatory, 260
Sales and distribution process, 259
Sales area, 117
Sales document, 260
Sales group, 117
Sales office, 117
Sales order, 260
Sales organization, 117
Sales price determination, 267, 268
Sales tax, 266
SAP Audit Management, 79


SAP Best Practice, 89
SAP Business Workflow, 240, 249
SAP Code Inspector, 67
SAP GUI, 151
SAP Help Portal, 61
SAP implementation audit, 30
SAP middleware, 151
SAP Note, 138
  1916, 171
  31875, 195
  77503, 81
  112388, 171
  1314345, 465
  1320737, 465
  1420281, 166
  671016, 58
  863362, 82
  888889, 82
  table logging, 171
SAP operations audit, 30
SAP Process Control
  analysis rule, 460
  change log tool, 464
  GRC Integration Framework, 451
  object type, 394
  SoD Integration, 457
SAP Quality Management, 325
SAP Query Painter, 261
SAP Security Guide, 62
SAP Standard for Security, 63
SAP system
  data, 97
SAP system landscape, 136
SAP training, 87
  GRC330, 87
SAP update system, 180
Sarbanes-Oxley Act (SOX), 5, 6
  Canada, 7
  China, 8
  Euro SOX, 9
  Japan, 7
  scoping, 6
  USA, 5
SAS 70, 65
  report, 65, 133
Saving data locally, 289
Scoping, 6, 374, 375, 405
Scrapping
  release, 254
Script, 456
  FIMPRCH_05T1_01_A, 467
S_DEVELOP, 154
Search
  SAP, 116
Second level authorization, 429
Secure area, 142
Secure collaboration, 65
Secure Operations Map, 64
Securities and Exchange Commission, 6
Security, 61
Security audit, 30
Security Audit Log (SAL), 176, 289, 290
  SAL filter, 176
Security certificate, 60
Security Guide, 64
Security Optimization Service (SOS), 67, 82
Security vulnerability, 154
Segregation of duties (SoD), 13, 72, 161, 217
  Basis, 161
  confidential data, 316
  control, 489
  Controlling, 256
  deficient, 371
  design test vs. survey, 377
  development, 161
  documentation, 163
  Ericsson, 489
  financial accounting, 217
  General Ledger Accounting, 217
  ICS application, 376
  master data maintenance, 262
  matrix, 163
  monitoring, 467
  Profile Generator, 161
  transport requests, 161
  user maintenance, 161
Segregation of duties principle, 205
  control documentation, 402
  ICS activity, 420
  maintenance of the ICS framework, 402
Segregation of Duties Review, 74, 75
Segregation of duties risk, 434
Self-assessment, 410
Self-maintenance, 290
Semi-finished products, 255
Sensitive data, 278
  collecting, 284
  data protection, 278
Sensitive fields, 234
Service connections, 142
Service desk, 144
Service Level Agreements (SLA), 133
Service Marketplace, 142
Service organization, 131
Service Pack, 142
Session, 186
Shared service, 131, 404
Shared services organization, 368
Shelf Life Expiration Date, 328
Significant deficiency, 422
Sign-off, 378, 423
Single Sign-on (SSO), 145, 428
Sizing, 386
Skills databases, 285


Software certification, 25, 57
  criterion, 58
  security-related, 60
Software Deployment Manager (SDM), 67
Software selection, 30
Solution Manager, 67, 86, 91, 138, 144, 329
  Business Process Repository, 91
  Data Consistency Cockpit, 87
  Monitoring, 87
Solution monitoring, 144
Solvency II, 14
SOX compliance
  automating, 366
SOX compliance process, 366
Spain, 13
  Good Governance, 13
  Good Governance of Listed Companies, 13
  Securities Markets Commission, 13
Special periods, 190
Split valuation, 250
SPM, 76
Standard business process, 89
Standard Operation Procedures (SOP), 326
Standard price, 253
Standard user, 148
  DDIC, 148
  EARLYWATCH, 148
  SAP*, 148, 149
  SAPCPIC, 148
  TMSADM, 148
  WF_BATCH, 148
Static code analysis, 158
Statistics file, 177
Stock
  non-valuated, 250, 257
  split valuation, 251
  valuated, 250
Stock consistency check, 252
Stock value, 253
Stock withdrawal strategies, 327
Storage
  data, 284
Storage location, 117
Strategy and performance management, 437
Strategy Management, 438
Structural authorization profile, 297, 298
Structural authorizations, 296, 297
Substitution rules, 202
Subtype, 292
Superuser Privilege Management, 76, see SPM
Support, 142
Support Packages, 142
Survey, 377
Swiss Agency for Therapeutic Products, 320
Switzerland, 10
  Art. 716a (3) OR, 11
  Art. 728a (1) OR, 11
  auditing standard PS 890, 11
  Obligations Code, 11
  SOX Light, 10
Synchronous RFC, 184
System administration, 66
  authorization concept, 66
System copy, 288
System landscape, 142
System log, 166, 174, 175
System trace, 123, 152

T

Tables, 96
  advantages from audit view, 97
  authorization groups, 159
  change documents, 166
  changes, 166
  connections, 108
  conversion tables, 115
  Data Dictionary tables, 105
  debugging activities, 166
  direct maintenance, 158
  infotypes, 291
  keyword search, 107
  logging, 114, 171
  logical databases, 108
  maintenance, 162
  number, 96
  protecting data, 166
  protection, 158, 159
  SAP, 96
  SAP_EDIT, 166
  scope of logging, 171
  search, 103, 106
  table manual, 102
  table search via fields, 106
  VBRK, 313
  where-used list, 114, 116
Tax audit, 30
Tax code, 201
Taxes, 200
Test management, 144
Test of control effectiveness, 410
Test plan, 413
Therapeutic Goods Administration (TGA), 320
Tolerance groups, 212, 246
Tools
  documentation, 474
  master data, 474
Traceability, 286
Transaction
  SE16 (Data Browser), 443
Transaction audit, 21
  outsourcing, 25
Transaction calls
  history, 177, 289


Transaction CK24 (Price Update with Cost Estimate), 467
Transaction CK40N (Edit Costing Run), 467
Transaction CKME (Activation of Planned Prices), 467
Transaction CKMLPC (Price Change), 467
Transaction data, 171
Transaction FK02 (Change Vendor Accounting), 371
Transaction GRFN_STR_CHANGE (Change Process Control), 390, 395
Transaction GRFN_STR_CREATE (Administration), 386
Transaction GRFN_STR_DISPLAY (Display Process Control), 389
Transaction MIRO (Logistics Invoice Verification), 371
Transaction MR21 (Price Change), 467
Transaction SE38, 154
Transaction SE80, 154
Transaction SU01 (User Maintenance), 428
Transaction V.03 (List of Incomplete Inquiries), 91
Transaction VA11 (Create Inquiry), 91
Transaction VA12 (Change Inquiry), 91
Transaction VA13 (Display Inquiry), 91
Transaction VA15 (Inquiries List), 91
Transactional RFC, 184
Transactions, 109
  account determination transactions, 222
  AFAMA — View Maintenance for Depreciation Key Method, 224
  AW01N — Asset Explorer, 218
  Basis authorizations, 162
  BD87 — Status Monitor for ALE Messages, 182
  BDM2 — Monitoring, 183
  CKMPCD — Display Price Change Documents, 254
  display technical name, 111
  F.15 — List Recurring Entries, 207
  F-43 — Enter Vendor Invoice, 258
  F.80 — Mass reversal, 216
  F110 — Parameters for Automatic Payment, 230
  FB04 — Document Changes, 168
  FB60 — Enter Incoming Invoices, 120, 124, 125, 159, 213, 258
  FBKP — Maintain Accounting Configuration, 198, 246
  FBL3N — Vendors, 273
  FBL5N — Customers, 273
  FD24 — Credit Limit Changes, 264
  FD32 — Change Customer Credit Management, 263
  FIBLAPOP, 231
  FP22 — Mass reversal, 216
  FPVC — Mass Reversal of Dunning Notices, 216
  FS00 — G/L Account Master Record Maintenance, 246
  FTXP — Maintain Tax Code, 201
  GGB0 — Validation Maintenance, 203
  IDoc, 183
  KALC — Cost Flow Message, 209
  MASS — Mass Change, 216
  MB51 — Material Document List, 242, 255
  MI01 — Create Physical Inventory Document, 186
  MR11 — GR/IR Account Maintenance, 245
  MRBR — Release Blocked Invoices, 243
  MRN0 — market prices, 254
  MRN2 — movement rate, 254
  MRN3 — loss-free valuation, 254
  MRN9 — Balance Sheet Values by Account, 254
  OA79 — Maintain Asset History Sheet Definition, 225
  OAAR and OAAQ — Take back year-end closing activities, 228
  OABK — Delete Asset Class, 228
  OABL — Reset Company Code, 210, 216, 228
  OAMK — Configuration of reconciliation accounts per company code, 229
  OAY2 — Asset Class, 226
  OAYK — Low Value Assets, 226
  OAYR — Posting Rules for Depreciation, 224
  OAYZ — Asset Class, 219
  OB29 — Fiscal Year Variants, 191
  OB32 — Maintain Table TBAER, 168
  OBC4 — Maintain Table T004V, 200
  OB_GLACC11, OB_GLACC12, and OB_GLACC13 — Mass maintenance of G/L accounts, 216
  OBL6 — Consistency Check, 272, 274
  OMJJ — Customizing, 242, 266
  OMR3 — MM-IV Default Account Maintenance, 247
  OMW0 — MM-IV Control Valuation, 251
  OMWB — MM-IV Automatic Account Assignment (Simulation), 252
  OMWC — MM-IV Split Material Valuation, 251
  OOAC — HR, 298, 301
  OOSB — User (Structural Authorization), 297
  OOSP — Authorization Profiles, 297
  PA30 — Maintain HR Master Data, 293
  PA40 — Personnel Actions, 293
  PFCG — Profile Generator, 163, 239, 296
  purchasing process, 109
  SA38 — ABAP Program Execution, 111


  SA38 — ABAP Reporting, 148, 152
  S_AHR_61016380 — Logged Changes in Infotype Data, 295
  S_ALR_87003642 — Maintenance of posting periods, 216
  S_ALR_87012180 — List of Customer Addresses, 261
  SCC4 — Client Administration, 140
  SDD1 — Duplicate Sales Documents in Period, 261
  SE01 — Transport Organizer, 138
  SE11 — ABAP Dictionary maintenance, 116, 158
  SE14 — Utilities for Dictionary Tables, 166
  SE16 — Data Browser, 104, 110, 141, 267, 273
  SE16N — General Table Display, 166
  SE38 — ABAP Editor, 111, 153
  SE84 — Repository Information System, 105, 110, 153
  search, 109
  short description, 110
  SM13 — Administrate Update Records, 180
  SM14 — Update Program Administration, 180
  SM20 — Analysis of Security Audit Log, 176
  SM21 — Online System Log Analysis, 175
  SM30 — Call View Maintenance, 204
  SM30 — Table Maintenance, 158, 203
  SM35 — Batch Input, 187
  SM58, 184
  SM59 — RFC Destinations (Display/Maintain), 184
  SMQ2 — qRFC Monitor (Inbound Queue), 184
  SPAM — Support Package Manager, 142
  SPAU — Display Modified Objects, 143
  STMS — Transport Management System, 136
  SU01 — User Maintenance, 149, 161, 296
  SU10 — User Mass Maintenance, 161
  SU24 — Authorization Object Check under Transactions, 159
  SU53 — Evaluate Authorization Check, 160
  SUIM — User Information System, 121, 126, 146, 239
  user menu, 110
  V.02 — List of Incomplete Sales Orders, 261
  V.15 — Display Backorders, 261
  VCHECKT683 — Customizing Check Pricing Procedure, 267
  VF03 — Display Billing Document, 270
  VKM1 — Display Blocked SD Documents, 261
  VKM2 — Display Released SD Documents, 261
  VOV8 — Document Type Maintenance, 266, 269
  WE05 — IDoc Lists, 182
  XK99 — mass maintenance, 216
Transport domains, 139
Transport Management System (TMS), 136, 158
Transport paths, 140
Transport request, 136, 137, 161, 178
  approval procedure, 139
  import, 139
  name, 138
  release, 139
  segregation of duties, 139
Triangular deals, 266
Trusted system, 184

U

UAM, 74
UAR, 74
Universe, 472
Update administration, 162
Update system, 180
Update terminations, 174, 180
Up-to-date software, 142
US Department of Commerce, 281
USA
  PCAOB standard, 6
  Section 404, 6
  Section 802, 6
  Section 1107, 6
  Securities and Exchange Commission, 6
  Standard AS 5, 6
User, 127
  anonymous user accounts, 146
  attributes, 127
  authorization analysis, 129
  authorization assignment, 163
  communication user type, 128
  dialog user, 128
  emergency user concept, 150
  identity, 145
  life cycle, 145
  properties of user types, 128
  reference user, 128
  SAP system, 127, 128
  service user type, 128
  standard passwords, 149
  standard user, 148
  system user type, 128
  tolerance groups, 212
  user administration, 145
  user administration concept, 135
  user group, 162
  User Information system, 121, 146
  user menu, 110
User Access Management, 69, see UAM
User Access Review, 74, see UAR


User Management Engine (UME), 428

V

V model, 323
V1 operations, 180
V2 operations, 180
Val IT, 51
Validation, 202
Valuated goods movements, 269
Value of receivables, 272
Variances, 243
Vendor invoices, 258

W

Warehouse Management, 327
Web browser, 151
Web dynpro, 162
Where-used list, 114, 116
White paper, 63
Work in Progress (WIP), 197
Workflow-based activity, 410
Works Council Constitution Act (BetrVG), 276
Write-debugging, 307
Write-off of open receivables
  improper, 314

