Editing With S_DEVELOP Authorizations


Upload: jcasselman01

Post on 23-Oct-2015


Page 1: Editing With S_DEVELOP Authorizations

NOTE: This workpaper does not cover the ability to delete the logging tables SE16N_CD_[KEY/DATA] through the “Delete Change Documents” menu function within SE16N. Access to delete the change logs is granted through authorization object ‘S_ADMI_FCD’ with ‘System Administration Function’ ‘RSET’.

SAP Direct Table Maintenance
Client:
Prepared by: Drew Steinfatt
Date: 10/20/2010
W/P reference:

Purpose

The purpose of this memo is to document the technical aspects of performing direct table maintenance through the ECC 6.0 transaction codes SE16N and UASE16N and the underlying programs. KPMG performed system testing using the KPMG SAP Sandbox environment, performed research through online resources and inquired with KPMG subject matter professionals regarding the technical knowledge required, complexity involved and general awareness regarding deletion of entries from the audit log tables SE16N_CD_KEY and SE16N_CD_DATA. These procedures were performed to determine the reliability of the audit log tables as a complete record of the table data modifications made in the SAP Financials Production environment.

Background

During test work performed for GITC control PC5 regarding access to make changes to the production environment, KPMG noted the following:

1. Ten users from the BASIS and ABAP Development teams with assigned security privileges which permit direct table maintenance of data. The access was granted via:

• Authorization Object: S_DEVELOP
• Object Type: DEBUG
• Activity: 03

In conjunction with one of the following combinations:

1. Transaction Code: SE16N
   a. Authorization Object: S_DEVELOP
      i. Activity: 01 or 02
2. Transaction Code: UASE16N
   a. Authorization Object: S_DEVELOP
      i. Activity: 01 or 02
3. Transaction Code: SA38
4. Transaction Code: SE38
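An access-review check for the authorization combination listed above, added here as an example and not part of the workpaper. The authorization record format is constructed, and the transaction codes are modelled as S_TCODE/TCD entries (the SAP object that grants the right to start a transaction), which the page itself does not name.

```python
# Added example (not from the workpaper): flag users whose authorizations match the
# direct-table-maintenance combination described above. Record format is constructed.
# S_TCODE/TCD is the SAP object granting the right to start a transaction code;
# S_DEVELOP OBJTYPE/ACTVT are the fields the workpaper names.

def has_s_develop(auths, objtype, activities):
    """Any S_DEVELOP entry with the given object type (None = any) and an activity in `activities`."""
    return any(a["object"] == "S_DEVELOP"
               and (objtype is None or a.get("objtype") == objtype)
               and a.get("actvt") in activities
               for a in auths)


def has_tcode(auths, tcode):
    """User may start transaction `tcode` (S_TCODE, field TCD)."""
    return any(a["object"] == "S_TCODE" and a.get("tcd") == tcode for a in auths)


def direct_table_maintenance(auths):
    """Workpaper criterion: S_DEVELOP DEBUG activity 03, together with SE16N or
    UASE16N plus S_DEVELOP activity 01/02, or with SA38, or with SE38."""
    if not has_s_develop(auths, "DEBUG", {"03"}):
        return False
    # The workpaper states no object type for the 01/02 check, so none is required here.
    can_edit = has_s_develop(auths, None, {"01", "02"})
    return (((has_tcode(auths, "SE16N") or has_tcode(auths, "UASE16N")) and can_edit)
            or has_tcode(auths, "SA38") or has_tcode(auths, "SE38"))


def dev(actvt, objtype="DEBUG"):
    return {"object": "S_DEVELOP", "objtype": objtype, "actvt": actvt}


def tcd(code):
    return {"object": "S_TCODE", "tcd": code}


# Constructed sample users (not real client accounts).
USERS = {
    "BASIS01": [dev("03"), dev("02"), tcd("SE16N")],   # SE16N + edit activity -> flagged
    "ABAP02":  [dev("03"), tcd("SE38")],               # program execution -> flagged
    "FI_USER": [dev("03"), tcd("SE16N")],              # DEBUG 03 alone: display only
    "DEV03":   [dev("02"), tcd("SE16N")],              # no DEBUG 03 -> not flagged
}


def flagged_users(users=USERS):
    """Sorted user IDs meeting the criterion."""
    return sorted(u for u, auths in users.items() if direct_table_maintenance(auths))
```

Running `flagged_users()` over the constructed sample returns `['ABAP02', 'BASIS01']`.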


When table maintenance is performed using the above security permissions (&SAP_EDIT) SAP automatically records an entry each time a maintenance activity is saved (multiple saves will create multiple entries) in one of two change document (audit log) tables following the naming convention of the transaction code:

• SE16N table maintenance entries are recorded in tables:
  • SE16N_CD_KEY for entry header information
  • SE16N_CD_DATA for entry details information

• UASE16N table maintenance entries are recorded in tables:
  • UASE16N_CD_KEY for entry header information
  • UASE16N_CD_DATA for entry details information

Refer to WP Ref. PC5-1 for entries noted in the SE16N_CD_KEY and SE16N_CD_DATA tables. Queries of the UASE16N_CD_KEY and UASE16N_CD_DATA tables returned no results.

As of August 31, 2010, the SE16N_CD_KEY audit log contained 198 individual entries related to table maintenance performed during FY2010. Using a combination of UserID and date as a unique identifier, five user accounts were noted as creating a total of 64 table maintenances during the period January 1, 2010 through August 31, 2010. For this purpose, one table maintenance represents a day on which table updates were performed, regardless of the number of individual entries made that day.

Refer to WP Ref. PC5-2 for documentation references provided by client for the entries noted in the SE16N_CD_KEY and SE16N_CD_DATA tables.

Refer to WP Ref. PC5-3 for Forensic interviews performed with the users identified above and a selection of other client personnel that were noted with access to execute table maintenance but did not appear in the table logs as having performed table updates.

Table Maintenance Process & Testing

Table maintenance is performed using an internal SAP “OK CODE”, originally reserved for internal SAP troubleshooting, which later became part of the public knowledge base. The OK CODE is “&SAP_EDIT”. The &SAP_EDIT functionality is activated after entering the OK CODE, which calls an ABAP function from either of the programs for SAP “General Table Display”: program ‘RK_SE16N’, called via transaction code SE16N, and program ‘UA_SE16N_START’, called via transaction code UASE16N. The programs can also be run directly through “ABAP: Program Execution” with transaction codes SA38 and SE38. Inspected the ABAP code in the KPMG test environment and noted that there is a hard-coded constant in the function called to perform table maintenance which checks whether the ‘table-to-edit’ parameter is equal to either of the names of the Change Document tables (SE16N_CD_KEY and SE16N_CD_DATA). During the authority check for the table maintenance functionality, if a user requests to edit the Change Document tables an error message is generated. Refer to screenshot-1 and screenshot-2 for the ABAP code inspected.
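As an added example (not code from the workpaper or from SAP), the following Python applies the workpaper's counting rule from the FY2010 analysis above (one table maintenance per user per day, however many entries were saved) to constructed change-log rows, and reproduces the hard-coded guard on the two Change Document tables described in this section. The column names (user, date, table) are assumed, since the page does not show the layout of SE16N_CD_KEY.

```python
# Added example (not from the workpaper): summarise change-document (audit log)
# entries the way the workpaper counts them, and apply the same guard the ABAP
# code enforces. Column names (user, date, table) are assumed; the real layout
# of SE16N_CD_KEY is not shown on the page.
from collections import defaultdict

# Constants as defined in the ABAP code (screenshot-2).
C_CD_TAB1 = "SE16N_CD_KEY"
C_CD_TAB2 = "SE16N_CD_DATA"


def edit_target_allowed(table):
    """Guard from screenshot-1: a request to edit either change-document table is refused."""
    return table.upper() not in (C_CD_TAB1, C_CD_TAB2)


def maintenances_per_user(entries):
    """One 'table maintenance' = one (user, day) pair, however many entries were saved that day."""
    days = defaultdict(set)
    for e in entries:
        days[e["user"]].add(e["date"])
    return {user: len(d) for user, d in days.items()}


def summarise(entries, period_start, period_end):
    """Entry count, user count and maintenance count for the ISO-date period [start, end]."""
    in_period = [e for e in entries if period_start <= e["date"] <= period_end]
    per_user = maintenances_per_user(in_period)
    return {"entries": len(in_period), "users": len(per_user),
            "maintenances": sum(per_user.values()), "per_user": per_user}


def edits_to_protected_tables(entries):
    """Entries whose target is a change-document table; the guard means there should be none."""
    return [e for e in entries if not edit_target_allowed(e["table"])]


# Constructed sample log rows (not real client data).
SAMPLE = [
    {"user": "BASIS01", "date": "2010-01-15", "table": "BKPF"},
    {"user": "BASIS01", "date": "2010-01-15", "table": "BSEG"},   # same day: one maintenance
    {"user": "BASIS01", "date": "2010-02-03", "table": "BKPF"},
    {"user": "ABAP02", "date": "2010-03-10", "table": "USR02"},
    {"user": "ABAP02", "date": "2010-09-01", "table": "USR02"},   # outside Jan-Aug period
]

if __name__ == "__main__":
    print(summarise(SAMPLE, "2010-01-01", "2010-08-31"))
    # {'entries': 4, 'users': 2, 'maintenances': 3, 'per_user': {'BASIS01': 2, 'ABAP02': 1}}
```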


Performed system testing by assigning user “NO_EDIT_LOG” all system authorizations by granting the default super user profiles ‘SAP_ALL’ and ‘SAP_NEW’. Using user NO_EDIT_LOG, attempted to edit tables SE16N_CD_KEY and SE16N_CD_DATA and received an error message for both attempts stating “No authorization for table changes”. Attempted to edit the security table for user master records ‘USR02’ and was granted permission to edit that table. Refer to screenshot-3 through screenshot-6 for testing performed to determine whether the Change Document tables SE16N_CD_KEY and SE16N_CD_DATA can be maintained using &SAP_EDIT.

Screenshot-1 – Authority Check for &SAP_EDIT OK CODE Functionality

Check if table requested for editing equals ‘c_cd_tab1’ or ‘c_cd_tab2’. If so, then exit ‘editing’ mode and generate error message for authority check.


Screenshot-2 – Constant Definition for ‘c_cd_tab1’ and ‘c_cd_tab2’

Definition of constants ‘c_cd_tab1’ and ‘c_cd_tab2’: c_cd_tab1 = SE16N_CD_KEY; c_cd_tab2 = SE16N_CD_DATA

Screenshot-3 – Assignment of SAP_ALL & SAP_NEW (All Authorizations) to User “NO_EDIT_LOG”

Assignment of all system authorizations through default super user profiles SAP_ALL and SAP_NEW


Screenshot-4 – Attempt to edit Change Document table SE16N_CD_KEY with All Authorizations

Attempt to edit Change Document table SE16N_CD_KEY resulted in an error message

Screenshot-5 – Attempt to edit Change Document table SE16N_CD_DATA with All Authorizations

Attempt to edit Change Document table SE16N_CD_DATA resulted in an error message


Screenshot-6 – Attempt to edit security table USR02 showing permission granted

Attempt to edit Security table for user master records USR02 resulted in activation of ‘SAP editing function’


Online Research for Table Maintenance

General Public Knowledge

Performed research using SAP Help at http://help.sap.com, the SAP Software Developers Network at http://www.sdn.sap.com, and http://www.google.com regarding the technical knowledge required, complexity involved and general awareness regarding deletion of entries from the Change Document tables SE16N_CD_KEY and SE16N_CD_DATA. As of October 26, 2010, noted no information available from SAP Help regarding &SAP_EDIT or table maintenance through SE16N, and no information available for UASE16N. Through research on the SAP Developers Network and Google, noted that information regarding the Change Document tables is not as well disseminated as the overall knowledge of the &SAP_EDIT method for editing tables. Postings and questions regarding the ability to edit tables using &SAP_EDIT were widely available. Fewer postings were noted regarding the Change Document tables SE16N_CD_KEY and SE16N_CD_DATA. When the Change Document tables were referred to, it was commonly stated that “All Changes are noted in the [Change Document] tables”. Additionally, noted that information regarding the deletion of entries from the audit log tables was not available during the research performed. Research indicated that changes made using the &SAP_EDIT method would be logged in the audit tables.

Technical Knowledge Required to Perform Editing

Through research on the SAP Developers Network and Google, noted warnings regarding the use of &SAP_EDIT. Noted multiple warnings regarding significant corruption of data as a likely result of editing tables using this method. Refer to Screenshot-7 for an example of a warning found on the web.

Screenshot-7 – Example of warning noted regarding use of &SAP_EDIT


Additionally, per auditor experience, use of &SAP_EDIT to perform cross-module transactions requires extensive research and testing to determine the population of tables involved. SAP is built upon a complex relational database generally containing over seventy-thousand (70,000) tables. Determining the underlying tables for a single SAP transaction requires significant knowledge of SAP, research and time to reveal the tables where each data element of the transaction is stored. This information is often obscured by table views or other data structures. Additionally, SAP contains extensive audit capabilities in the form of Change Document tables which record transactions in the system. These tables are often not documented by SAP, and no notes are available regarding their name, location or use, in order to intentionally secure the data contained in them. The complexity of piecing together the multiple tables required for a single transaction must then be considered in the context of an end-to-end process such as Procure-to-Pay. Each piece of the transaction crosses SAP modules and creates entries for Financial Accounting, Materials Management, Cost Accounting, Cash Management, etc. In order to perform an entire process, an individual would require extensive knowledge across SAP modules and would also require extensive testing to ensure data integrity remains. The removal of the ‘tracks’ created during this process would require further knowledge and swift action to prevent evidence of the activities from being reported on management reports or during the daily activities performed by SAP business users.

Inquiry with KPMG SAP Subject Matter Professionals

KPMG inquired of four SAP subject matter professionals about the use of table maintenance as described in this document and the widespread knowledge of table log deletion capabilities. Per inquiry, noted that this is not a common access permission granted to SAP technicians due to the risk of damaging data while performing direct entry updates and the level of knowledge of SAP relational database structures required to effectively use this access. Further, noted that these KPMG professionals were not fully familiar with the mechanism to remove records from the audit log tables. Some knew the capability existed but did not know how to execute the action, and others were not aware of that capability.

Conclusion

Based on the description provided in this memorandum, KPMG considers that using the capability to update tables directly and subsequently remove the entries from the audit log tables requires deep SAP knowledge and an amount of time that makes it unlikely that client personnel found having these access rights will have both the technical knowledge sufficient to update tables and also remove the audit records, and the time available to do so.