SAP Audit Guide for Financial Accounting
This audit guide is designed to assist the review of financial reporting processes that rely upon automated functions in SAP systems.
The specific areas examined in this guide are relevant configurables, transactions, authorizations and reports in the General Ledger (GL), Asset Accounting (AA) and Bank Accounting (BA) components of the SAP Financial Accounting module.
The guide provides instructions for assessing SAP application-level controls in the following areas of financial statement audits:
Reporting Structure
Chart of Accounts
Journal Entry Posting
Period End Close
Foreign Currency Translation
Inter-company Transactions
Asset Management and Reporting
Cash Management
The guide is delivered using clear, non-technical terms to enable financial and operational auditors to successfully navigate the complexities of SAP security. Other volumes of this guide deal with SAP controls in areas such as Revenue, Inventory, Expenditure, Human Resources and Basis.
Reporting Structure
The financial reporting structure in SAP is determined by the organization of reporting units known as company codes. There can be multiple company codes within an organization, with each code corresponding to a unique economic entity.
Reporting entities in differing countries should have unique company codes since they may be subject to divergent accounting and tax requirements. Each company code has one domestic currency and up to two additional currencies to support financial reporting in multiple currencies.
Company codes must be set to productive to prevent the deletion of transactional data. This can be verified through transaction code OBR3 or Table T001 through transaction SE16.
The company code structure should correspond to the legal reporting requirements of the company under review. The appropriateness of the structure should be reviewed through the menu path IMG> Enterprise Structure> Financial Accounting> Define Company, transaction OX15 or table T880 (note that IMG can be accessed through transaction SPRO).
Relevant global parameters in IMG should also be reviewed. This includes areas such as Country Keys, Currencies, Controlling Areas, Credit Control Areas, Fiscal Year Variants, Sales and Purchasing Organisations, Business Areas and Plants, and Cost and Profit Centers (IMG> Enterprise Structure> Financial Accounting> Global Settings> Company Code> Global Parameters).
Access to transactions such as OX02 (edit company code) and EC01 (copy, delete and check company code) and the client configuration table T001 should be based on role requirements. Other critical transaction codes are listed in Table A.
TRANSACTION  DESCRIPTION
OX16  Assign Company Code to Company
OB38  Assign Company Code to Credit Control Area
OF18  Assign Company Code to Financial Management Area
OX19  Assign Company Code to Controlling Area
OX18  Assign Plant to Company Code
OVX3  Assign Sales Organization to Company Code
OX01  Assign Purchasing Organization to Company Code
OH05  Assignment of Personnel Area to Company Code
OBB5  Cross-System Company Codes
OBY6  Enter Global Parameters
OB37  Assign Company Code to a Fiscal Year Variant
OBB9  Assign Posting Period Variants to Company Code
OKBD  Define Functional Area
OX03  Define Business Area
FM_FUNCTION  Define Functional Area
OX06  Maintain Controlling Area
KEP8  Create Operating Concern
Table A: Company Code Transactions
Chart of Accounts
The chart of accounts is the container for General Ledger (GL) accounts and the basis for journal entry posting and financial reporting. A chart of accounts can be company code specific or cover multiple company codes in a single SAP client. GL accounts are assigned to specific groups determined by account type. The field status for account information and the numbering interval are determined at the group level.
The configuration of all or a sample of account groups should be reviewed to assess which fields are required, optional, displayed or suppressed during the creation of a new account and to ensure that account numbering follows a logical and consistent policy. This can be performed through the menu path General Ledger Accounting> G/L Accounts> Master Data> Preparations> Define Account Group or transaction OBD4.
The structure of the Chart of Accounts should also be reviewed through transaction FSP3 to assess account groupings and identify the appropriate use of control accounts for AP and AR. The latter are known as reconciliation accounts and are updated automatically. In other words, SAP does not allow manual journal postings against such accounts. This can be performed through transactions KALE and OK17.
Changes to the chart of accounts should be identified through report RFSABL00, accessible through transaction SA38. Alternatively, changes can be isolated through transactions FS04, FSP4 and FSS4. A sample of changes should be examined for evidence of approval, documentation and testing.
Access to SAP functions that enable users to create, modify or delete GL accounts should be restricted and based on business need. This should include transactions in Table B with authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).
TRANSACTION  DESCRIPTION
FS01  Create Master Record
FS02  Change Master Record
FS00  G/L Acct Master Record Maintenance
FS05  Block Master Record
FS06  Mark Master Record for Deletion
FSS1  Create Master Record in Company Code
FSS2  G/L Acct Master Record in Chart/Accts
FSP0  Create G/L Acct Master Record in Chart/Accts
FSP1  Cross-System Company Codes
FSP2  Change G/L Acct Master Record in Chart/Accts
FSP5  Block Master Record in Chart/Accts
FSP6  Mark Master Record for Deletion in Chart/Accts
Table B: GL Account Transactions
Journal Entry Posting
SAP is preconfigured with hundreds of document types for purchase orders, customer invoices, goods receipts and many other transactions. Each document type has a unique 2 or 3 letter identifier and a specific numbering range. Particular attention should be paid to the GL account assignments for SAP documents, since transactional data is automatically posted by the system based on the assignments defined in the system configuration. These should be reviewed through transactions OBA7 (Define Document Types) and OB41 (Posting Keys). Samples selected for review should include custom documents, which are more likely to have assignment errors than standard SAP documents.
Monetary limits for journal entries, cash discounts, payment or receipts differences should be defined for document types. These can vary by company code and employee group. Tolerance levels should be reviewed through transactions OBA4 and OB57. This should include clearing procedures for critical accounts such as GR/IR.
SAP should also be configured to control posting to prior periods even though the system is capable of keeping open multiple periods at the same time. This is performed through rules defined in Posting Period Variants, part of the Financial Accounting Global Settings. Note that back posting settings in Logistics can also be configured to allow posting to prior periods. Both of these areas should be reviewed in the IMG.
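The posting period control described above can be tested offline against a download of the posting period table. The following is an added example, not part of the guide: it reads a constructed extract in the shape of table T001B (the table behind transaction OB52; the column names FRYE1/FRPE1/TOYE1/TOPE1 for interval 1 and FRYE2/FRPE2/TOYE2/TOPE2 for interval 2 are assumed to match that table, the rows are invented) and lists every variant and account type that leaves an ordinary prior period open.

```python
import csv
import io

# Constructed sample in the shape of a T001B download (posting period
# variants, maintained through OB52). Column names mirror the table;
# every row here is invented. MKOART "+" applies to all account types.
SAMPLE_T001B = """BUKRS,MKOART,BKONT,VKONT,FRYE1,FRPE1,TOYE1,TOPE1,FRYE2,FRPE2,TOYE2,TOPE2
1000,+,,,2024,5,2024,5,2023,13,2023,16
1000,S,,ZZZZZZZZZZ,2024,5,2024,5,2024,5,2024,5
1000,D,,ZZZZZZZZZZ,2024,1,2024,12,2024,5,2024,5
2000,+,,,2024,4,2024,5,2024,5,2024,5
"""

# Periods 13-16 are the year-end adjustment (special) periods.
SPECIAL_PERIODS = range(13, 17)


def open_prior_periods(t001b_csv, current_year, current_period):
    """Return findings as (variant, account type, interval, from, to) for
    every interval whose start lies before the current (year, period).

    An interval that covers only special periods of a closed year is
    skipped: keeping those open during year-end close is expected.
    """
    findings = []
    now = (current_year, current_period)
    for row in csv.DictReader(io.StringIO(t001b_csv)):
        for i in ("1", "2"):
            frm = (int(row["FRYE" + i]), int(row["FRPE" + i]))
            to = (int(row["TOYE" + i]), int(row["TOPE" + i]))
            if frm[1] in SPECIAL_PERIODS and to[1] in SPECIAL_PERIODS:
                continue
            # Tuple comparison orders by year first, then period.
            if frm < now:
                findings.append((row["BUKRS"], row["MKOART"], int(i), frm, to))
    return findings


if __name__ == "__main__":
    # Assumed current fiscal period for the sample: 2024, period 5.
    for variant, acct_type, interval, frm, to in open_prior_periods(SAMPLE_T001B, 2024, 5):
        print(f"variant {variant} type {acct_type} interval {interval}: "
              f"open from {frm[0]}/{frm[1]} to {to[0]}/{to[1]}")
```

Each finding should be traced to an approved exception (for example a documented late-adjustment window) or raised as a control deficiency.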
SAP Business Workflow is used by many companies to review values and account assignments prior to posting journal entries. If enabled, the relevant settings for workflow variants, company codes, and approval paths and groups should be examined under Financial Accounting Global Settings> Document> Document Parking. This should include a review of fields that would cause a release to be revoked if changed after approval, which would lead to the restart of the release procedure.
BusinessObjects Planning and Consolidation (BPC) and BusinessOne should be configured to block unbalanced journal entries. In the former, this can be verified through the JRN_BALANCE parameter. The parameter should be set to 1 (Journals need to be balanced). The default value is 0 (Journals need not be balanced). In the latter, the field for Block Unbalanced Journal Entry should be checked in Administration> System Initialization> Document Settings> Journal Entry.
The ability to create, change, delete and reverse journal entries should be restricted to authorized employees. This includes transactions in Table C with authorization objects with the prefix F_BKPF_ and suffix BUK, KOA, GSB, and BLA and activity levels 01 (create/ enter), 02 (change), 06 (delete) and 77 (pre-enter/ park).
TRANSACTION  DESCRIPTION
F-02  Enter G/L Account Posting
F-21/F-42  Enter Transfer Posting
FB01/FBR2  Post Document
FB05  Post with Clearing
FB11  Post Held Document
FB21  Enter Statistical Posting
FB50  G/L Account Posting
FBV0/FBVB  Post Parked Document
FBR1  Post with Reference Document
F.81  Reverse Accrual/Deferral Document
FB08  Reverse Document
F.80  Mass Reversal of Documents
FB02/FB09  Change Document
FBL4  Change G/L Account Line Items
F-03/FB1S  Clear G/L Account
FBV1  Park Document
FBV2  Change Parked Document
FBV4  Change Parked Document Header
FBD1  Enter Recurring Entry
FBD2  Change Recurring Entry
F.14  Execute Recurring Entry
F.56  Delete Recurring Entry
Table C: Journal Entry Transactions
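The access reviews for GL account maintenance (authorization objects F_SKA1_KTP and F_SKA1_BUK, activities 01, 02, 05 and 06) and for journal entry posting (the F_BKPF_* objects, activities 01, 02, 06 and 77) can be performed over a role authorization download rather than role by role in the GUI. The following is an added example, not part of the guide: it parses a constructed extract in the shape of table AGR_1251 (role authorization values; the column names AGR_NAME, OBJECT, FIELD, LOW and HIGH are assumed to match that table, the roles and values are invented) and reports which roles grant a critical activity on any of those objects, resolving ACTVT ranges and the "*" wildcard.

```python
import csv
import io
from collections import defaultdict

# Critical objects and the activity values the guide flags for each:
# GL master data maintenance (F_SKA1_*) and journal entry posting (F_BKPF_*).
CRITICAL_ACTIVITIES = {
    "F_SKA1_KTP": {"01", "02", "05", "06"},
    "F_SKA1_BUK": {"01", "02", "05", "06"},
    "F_BKPF_BUK": {"01", "02", "06", "77"},
    "F_BKPF_KOA": {"01", "02", "06", "77"},
    "F_BKPF_GSB": {"01", "02", "06", "77"},
    "F_BKPF_BLA": {"01", "02", "06", "77"},
}

# Constructed sample in the shape of an AGR_1251 download. Column names
# mirror the table; role names and values are invented.
SAMPLE_AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FI_GL_DISPLAY,F_SKA1_BUK,ACTVT,03,
Z_FI_GL_DISPLAY,F_SKA1_BUK,BUKRS,1000,
Z_FI_GL_MAINT,F_SKA1_BUK,ACTVT,01,06
Z_FI_GL_MAINT,F_SKA1_BUK,BUKRS,1000,
Z_FI_GL_MAINT,F_SKA1_KTP,ACTVT,*,
Z_FI_POST_ALL,F_BKPF_BUK,ACTVT,*,
Z_FI_POST_ALL,F_BKPF_BUK,BUKRS,*,
Z_FI_PARK_ONLY,F_BKPF_BUK,ACTVT,77,
Z_FI_PARK_ONLY,F_BKPF_BUK,BUKRS,2000,
"""


def expand_actvt(low, high):
    """Expand one ACTVT cell (single value, LOW-HIGH range or "*") into the
    set of two-digit activity codes it covers."""
    if low == "*":
        return {f"{n:02d}" for n in range(100)}
    if not high:
        return {low}
    return {f"{n:02d}" for n in range(int(low), int(high) + 1)}


def critical_grants(agr_1251_csv):
    """Return {role: {object: sorted list of critical activities}} for every
    role that grants at least one critical activity on a critical object.
    Roles with display-only access (e.g. ACTVT 03) are not reported."""
    found = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(agr_1251_csv)):
        obj = row["OBJECT"]
        if obj not in CRITICAL_ACTIVITIES or row["FIELD"] != "ACTVT":
            continue
        hits = expand_actvt(row["LOW"], row["HIGH"]) & CRITICAL_ACTIVITIES[obj]
        if hits:
            found[row["AGR_NAME"]][obj] |= hits
    return {role: {o: sorted(a) for o, a in objs.items()}
            for role, objs in found.items()}


if __name__ == "__main__":
    for role, objs in critical_grants(SAMPLE_AGR_1251).items():
        print(role, objs)
```

The reported roles are then matched to their user assignments (table AGR_USERS) and each assignment tested against the business need the guide requires.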
Period End Close
The period end close process extends across many different SAP applications including SD, MM and PP. However, the majority of steps are performed within the FI and CO area. Audit procedures for the process should be tuned for each specific client since the process varies between organisations. As a guide, Table D lists the SAP transactions commonly used during the period end close process in sequential order.
Together with the transactions listed in Table D, user access to SAP functions that control the opening and closing of financial periods should be tightly controlled. This should include transaction OB52 (opening and closing FI posting periods) and OBBP (define variants for open posting periods) with authorization object S_TABU_DIS and activity level 02 (change).
TRANSACTION  DESCRIPTION
S_BCE_68000174  Update Exchange Rates
VL10/VL10A  Ensure Movements are Complete
MIRO  Record Purchase Order Related AP Transactions
MRBR  Release Blocked Invoices
VFX3  Release Billing Documents for Accounting
MMPV  Open Period for Material Master Records
OB52  Open and Close Posting Periods
CJ8G  Calculation of Work In Process (WIP)
KKS1  Prod. and Process Order Variance Calculation
CO88  Settlement PP Order
CO02  PP Order (close)
FBD1  Enter Recurring Document
F-03  Manual Clearing General Ledger
F-32  Manual Clearing Accounts Receivable
F-44  Manual Clearing Accounts Payable
FB50  Post Adjustment Entries
FAGL_FC_VAL  Foreign Currency Revaluation
AIAB  Order Settlement (Asset Under Construction)
AFAB  Depreciation Run
ASKBN  Periodic Asset Posting
FB50  Automatic GR/IR Clearing
KSA3  Accrual Calculation
MRN0  Stock Valuation
CK11N  Inventory Costing
CK24  Price Update
FB50  Stock Value Adjustment
ENGR  Create Intrastat/Extrastat Periodic Declaration
S_ALR_87012357  Advance Return for Tax on Sales/Purchases
FB41  Post Tax Payable
F.52  Balance Interest Calculation
S_ALR_87012289  Compact Document Journal
S_ALR_87012287  Document Journal
FF7A  Cash Position & Liquidity Forecast
OB52  Open and Close Posting Periods
KE30  Run Profitability Report
S_ALR_87012284  Financial Statements
S_ALR_87005830  Controlling Maintain Versions
CK40N  Costing Run
S_ALR_87008275  Define Percentage Overhead (actual)
AFAR  Recalculating Values
ABST2  Account Reconciliation
AJRW  Fiscal Year Change
AJAB  Year-end Closing Asset Accounting
F.07  Carry Forward AP/AR Balances
FAGLGVTR  Carry Forward GL Balances
FAGLF101  Regrouping Receivables/Payables
F.17  Balance Confirmation Receivable
F.18  Balance Confirmation Payable
OB52  Close Previous Accounting Period
S_ALR_87012284  Financial Statements
S_ALR_87012287  Document Journal
Table D: Period End Close Transactions
Asset Management and Reporting
The Financial Accounting Asset Accounting (FI-AA) component is responsible for managing fixed assets in SAP ERP. It serves as a subsidiary ledger to the FI GL, providing detailed information on transactions involving fixed assets. AA integrates directly with other FI components such as Materials Management (MM) and Plant Maintenance (PM) and manages assets reporting from acquisition to disposal or retirement. The component also tracks, depreciates and reports upon leased assets and assets under construction.
Asset classes in SAP should be configured in line with country-specific requirements. Therefore, asset classes and the associated descriptions should be reviewed through transaction OAOA (define asset classes).
Depreciation keys should be defined for each asset class. The keys define the rules for calculating depreciation such as straight line or declining balance. They also control the useful life of assets. Auditors should review the configuration of all or a sample of depreciation keys through transaction AFAMA (View Maint. for Deprec. Key Method). Depreciation postings can be reviewed through transactions AFBP and AR25. Transaction ABST displays the reconciliation between asset accounting and the general ledger.
If the SAP Project System (PS) is operating alongside FI-AA, the relevant availability controls should be reviewed in PS. These regulate the thresholds for asset acquisitions in excess of approved, budgeted amounts which, if configured correctly, can be blocked altogether. This can be performed through transaction OPS9 and the menu path IMG> Project System> Costs> Budget> Define Tolerance Limits.
An audit of FI-AA should include a review of user access to transaction codes that provide the ability to change AA master data, including asset groups and depreciation tables, as well as to acquire, depreciate and dispose of fixed assets. These are listed in Table E. The review should focus on authorization objects A_A_VIEW, A_S_ANLKL, A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK, S_BDC_MONI, or A_C_AFAPL with activity levels 01, 02 and 06.
TRANSACTION  DESCRIPTION
AS01  Create an Asset
AS02  Modify Asset
AS05  Block Asset Master Record
AS06  Delete Asset
ABZE  Acquisition from In-house Production
ABZK  Acquisition from Purchase w. Vendor
F-90  Acquisition w/ Vendor
ABZV  Acquisition from Clearing Account
ABZP  Asset Acquisition from Affiliated Company
AS21  Create an Asset Group
AS22  Modify Asset
AS25  Block Group Asset
AS26  Delete an Asset Group
ABZU  Asset Write-up
ABZS  Asset Write-up
ABMA  Asset Manually Depreciate
AFAB/AFABN  Post Depreciation
ABAV/ABAVN  Retire by Scrapping
ABAO/ABAON  Asset Sale Without Customer
ABAD  Asset Retire from Sale with Customer
ABANK  Retire with Cost
AR31  Asset Mass Retirement
OAP1  Create Chart of Depreciation
OA52  Close Previous Accounting Period
OAP2  Change Chart of Depreciation
Table E: Asset Accounting Transactions
Foreign Currency Translation
Foreign currency exchange ratios and rates are maintained through transactions OBBS and OB08. The underlying tables should be reviewed through these transactions to ensure that ratios and rates are regularly and accurately updated.
SAP provides a variety of valuation methods and even provides an option to create custom methods. Custom valuations should be identified and examined very closely. This can be performed through transaction OB59 (foreign currency valuation methods).
Automatic postings for foreign currency valuations should be analyzed via transaction OBA1. The assigned accounts are used to record realized/unrealized gains and losses. This should be followed by a review of foreign currency rounding rules in transaction OB90.
Inter-Company Transactions
Inter-company reconciliation is often a bottleneck in the financial close process. As a result, some SAP clients have migrated to the Web-based BusinessObjects Inter-company application. This significantly improves the speed and accuracy of identifying, matching and eliminating related party transactions. However, the majority of organizations continue to rely upon a manual process.
Related parties are treated as trading partners in SAP and are defined through IMG > Enterprise Structure > Definition > Financial Accounting > Define Company. Once configured, SAP will post documents such as invoices, payments, receipts and asset transfers between related parties to designated inter-company accounts. Inter-company clearing accounts should be identified using transaction OBYA. All such accounts should be reviewed against the relevant financial statement assertions.
Cash Management
Cash Management (CM) is a component of SAP Treasury (TR) that is used to monitor payment flows and safeguard liquidity. This component is used to perform bank reconciliations and therefore should be a crucial element of an SAP financial audit. Management should regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash transactions and ensure bank deposits and payments are reflected in the relevant GL accounts. Note that FF67 can be used to import and process bank statements in SAP.
Changes to banking master data should be identified through transaction FI04 or report RFBKABL0 and traced to supporting documents to test for authorization, accuracy and completeness.
Also, access to critical CM transactions should be reviewed, including those listed in Table F, focusing on authorization objects F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA, or F_PAYR_BUK with activity levels 01, 02, 06 and 17.
TRANSACTION  DESCRIPTION
FI12  Change House Banks/Bank Accounts
FI01  Change Master Record
FI02  Change Bank
FI06  Set Flag to Delete Bank
FF67  Manual Bank Statement
FF_5  Import Electronic Bank Statement
FEBA  Post-process Electronic Bank Statement
FLB2  Import Lockbox Data
FLB1  Post-processing Lockbox Data
F-28  Incoming Payments
FB05  Post Payment with Clearing
FRFT  Set Up Repetitive Wire
FI10  Parameters for Automatic Payment
FF/4  Import Electronic Check Deposit List
FFB4  Import Electronic Check Deposit List
FF/5  Post Electronic Check Deposit List
FFB5  Post Electronic Check Deposit List
FF68  Manual Check Deposit Transaction
FCHG  Reset Cashing/Extract Data
FF63  Create Planning Memo Record
FCHX  Check Extract Creation
FCHG  Delete Cashing/Extract Data
Table F: Cash Management Transactions
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993
Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada
Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth.
© Copyright Layer Seven Security 2012 - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security.
Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.