t c table of contents · abap code inspector 115, 119 abap program execution. see sa38 access...
Post on 18-Apr-2020

Table of Contents

Preface 7

1 The principles of auditing IT systems 11
1.1 Legal basis for internal audit 11
1.2 Importance and background of the audit function 15
1.3 Standards for auditing information systems 19
1.4 General approach for auditing information systems 21

2 The basic principles of auditing SAP systems 31
2.1 Business relevance of SAP systems 31
2.2 Technical design of SAP systems 34
2.3 SAP audit universe 45
2.4 General approach and prerequisites for auditing SAP systems 58

3 Useful tools for an SAP auditor 67
3.1 Transaction SE16/SE16N: Data Browser 67
3.2 Transaction SUIM: User Information System 75
3.3 Transaction SA38: ABAP program execution 83
3.4 Transaction SAIS: Audit Information System 85

4 Technical steps for auditing SAP systems 89
4.1 Change management 89
4.2 Development management 111
4.3 Table logging 126
4.4 SAP Security Audit Log 135
4.5 Role management 153
4.6 User access management 171
4.7 Review of privileged access rights 192
4.8 Emergency access management 207
4.9 Password security and authentication 221
4.10 Batch processing 229
4.11 RFC interfaces 240
4.12 Database and server security 257

5 Conclusion and outlook 275

6 Abbreviations and glossary 279
6.1 Abbreviations 279
6.2 Glossary 280

A About the authors 282
B Index 285
C Disclaimer 290


2 The basic principles of auditing SAP systems

In this chapter, the focus moves from audit basics to the specifics of the SAP world. We discuss the business relevance of SAP systems and introduce the general architecture of SAP systems to prepare for the SAP audit universe and its components. We also discuss two particular audit scenarios in an SAP environment. By the end of this chapter, you will know how to scope and prepare an SAP-specific audit.

2.1 Business relevance of SAP systems

Tens of millions of people around the world use SAP systems. Why? One apparent reason is that a lot of companies find it challenging to manage their business using hundreds or thousands of different systems. Once you separate the material and value flow of the factories in different systems, for example, it might be difficult to bring them back together and align them with each other. The higher the number of relevant systems with subsets of the required data that exist within a company, the more cumbersome a month-end or year-end process becomes.

Having separate sales, production, or accounting processes can quickly lead to inconsistencies and difficulties—a factor that motivates companies to invest in highly integrated systems instead.

This is where SAP comes into play: it offers an integrated business solution that ties together disparate procurement, sales, production, consolidation, and many other processes. Its market-leading Enterprise Resource Planning (ERP) systems are only one aspect. Other solutions offered by SAP include (https://www.sap.com/products.html; 01/01/2018):

- ERP (for large, medium, and small enterprises)
- Cloud and data platforms (e.g., SAP HANA platform, big data)
- Procurement and networks (e.g., Supplier Management, Strategic Sourcing)
- Analytics (e.g., Business Intelligence, Predictive Analytics)
- Customer engagement and commerce (e.g., Sales, Marketing)
- IoT and the digital supply chain (e.g., Manufacturing, Asset Management)
- Human resources (e.g., Core HR and Payroll, Time and Attendance Management)
- Finance (e.g., GRC, Financial Planning, Treasury Management)

SAP is most famous for its Enterprise Resource Planning solutions. Its market share within the ERP market has declined in recent years, but SAP still holds the top position with an estimated 19% of the entire market. According to the data available, SAP achieves the highest customer satisfaction by realizing more than 50% of the business benefits anticipated in an implementation. Every time a company requires an ERP solution, it is very likely that SAP will be shortlisted. Once SAP is shortlisted, the likelihood of being finally selected for the job is even higher (https://www.panorama-consulting.com/comparison-between-sap-oracle-and-microsoft-dynamics/).

As mentioned above, SAP offers far more than only ERP solutions. To support a company’s customer management and communication, the use of customer data, and other aspects, the CRM market evolved with an estimated volume of roughly $30 billion (http://www.crmsearch.com/crm-software-market-share.php). The dominant vendor here is Salesforce. However, SAP holds a leading position even in this market and is a top player with a market share of around 5% (https://www.appsruntheworld.com/top-10-crm-software-vendors-and-market-forecast-2015-2020/).

By 2020, the global market for HR solutions will eventually reach more than $9 billion. HR solutions range from core administrative and payroll solutions to learning platforms, benefits administration, compensation, and much more. With its HR solutions, SAP became one of the market leaders and ranked first in 2015 with an overall market share of 14% (https://www.appsruntheworld.com/top-10-core-hr-software-vendors-market-forecast-2015-2020-and-customer-wins/).


Data is essential to support business decisions and optimize processes. Within the rapidly growing business analytics market, top players offer data mining solutions, statistical analyses, as well as predictive analytics. In 2015, SAP was one of the market leaders in this field (https://www.forbes.com/sites/louiscolumbus/2016/08/20/roundup-of-analytics-big-data-bi-forecasts-and-market-estimates-2016/#4e7b06356f21), with the highest year-to-year growth rate (https://www.appsruntheworld.com/top-10-analytics-and-bi-software-vendors-and-market-forecast-2015-2020/).

SAP has also become a leader in many more business areas. According to Gartner, SAP became a market leader in the combined enterprise information management tools market in 2016, offering solutions such as master data management and data quality, as well as data integration solutions (https://news.sap.com/sap-leads-in-the-database-and-data-management-solutions-industry-based-on-market-share-revenue-growth-in-gartner-report/).

As you can see, SAP ranks top in a myriad of markets and tool classes. It has significant business relevance in terms of market share and usage.

There are SAP landscapes that use more than 1,000 systems, or immense single implementations with hundreds of thousands of employees. Companies rely on SAP for their most essential business processes. Switching costs in the field of ERP are enormous. Furthermore, the more comprehensive a solution is, and the more widely it is used, the more difficult it becomes to switch. For this reason, even in cases where SAP implementations might not be best-of-breed anymore, high switching costs may cause companies to be locked in to SAP (the same applies for other ERP vendors as well).

However, SAP tools, especially the ERP software, are in fact among the most relevant systems in a lot of companies. The more than 365,000 customers of SAP include 87% of the Forbes 2000, 98% of the 100 most valued brands, and 100% of the Dow Jones top-scoring sustainability companies (see https://www.sap.com/corporate/de/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71af511fa.html).

An SAP system is the centerpiece of a company’s IT landscape; in most cases, disrupting it would have a devastating business impact. Efficient system operation and a stable security posture are therefore crucial to achieving business targets and ensuring the welfare of the company.


2.2 Technical design of SAP systems

SAP runs on a three-tier client-server architecture including a presentation tier, application/business logic tier, and a data tier (a tier can also be referred to as a layer).

The presentation layer is the front end. It has a variety of user interfaces, including the well-known SAP GUI (see Figure 2.1), the SAP NetWeaver Business Client, WebDynpro ABAP, SAP FIORI (2.0), SAP Screen Personas, and others. Here, the user can input data queries and display the system output in a usable fashion. The user requests are transmitted to the application and database servers on the subsequent tiers via the front end. The front end is the only part of the SAP system that resides on the end user’s PC.

Figure 2.1: SAP GUI

The application/business logic layer controls the system functionality and processes requests. It executes the business logic and is the connecting piece between the front end and the database layer and communicates in both directions. A user enters a request in the front end, which the application server then translates into a database request. The application server thus requests data from the database, processes the data, and sends it back to the presentation layer. Multiple application servers are set up to share the workload requested through the presentation layer and to provide fast output. The technical name of SAP’s software for this tier is SAP NetWeaver Application Server. SAP supports several operating systems and derivatives for the installation of SAP NetWeaver Application Server, such as Windows, AIX, HP-UX, and Solaris.

Transactional data, customer information, program code, function modules, etc. are examples of the data in the data tier. This tier comprises a database management system (DBMS) and the database itself, which receives the SQL queries and returns the requested data. SAP supports a variety of different DBMS, such as Oracle, DB/2, and of course Sybase and HANA. Depending on the database system, the DBMS can be installed either on derivatives of Unix/Linux or on Windows Server (see Figure 2.2).

Figure 2.2: Rough SAP three-tier client-server architecture

SAP NetWeaver Application Server contains a variety of components. To keep things concise, we will discuss only some of the components in further detail. One critical element, for example, is the enqueue server. This

B Index

A
ABAP Code Inspector 115, 119
ABAP program execution. See SA38
Access management 47, 59, 277
AI. See Artificial intelligence
AIS. See SAIS
Application/business logic layer 34
Application controls 55
Application layer 258
Archive 56
Area menu. See Audit structure
Artificial intelligence 275
Assessment phase 27
Audit cockpit 87
Audit committee 11, 29
Audit environment 23, 61
Audit Information System. See SAIS
Audit initiation 21
Audit planning 22
Audit reporting 29
Audit structure 85
Authentication 221
Authority check 114
Authorization concept 50
Authorization group 115, 121
Authorization management 47, 59, 277
Authorization profile. See Profile

B
Backup 56
Batch input 53, 229
Batch input file 237
Batch job 229, 231, 232
Batch processing 229, 231
Board of directors 12, 22
Built-in account 53, 175, 186, 271
Business authorizations 54
Business interfaces. See Interfaces
Business owner 48

C
Central user administration 43
Change Documents
  For Users/For Roles 77, 82
Change management 47, 59, 89, 111, 155, 157
Change request 89
Classic RFC connection 240
Client changeability 90, 92, 97
Client concept 39
Code 55
Code of ethics 19
CodeProfiler 115
Code vulnerability 119
Code Vulnerability Analyzer 115
Comparisons
  Of Roles/Of Users 77, 81
Competency 19
Composite role 153, 154
Confidentiality 19
Configuration 54
Control-based approach 22
Control coverage 55
Control owner 49
COSO 13
Critical authorization 157, 161, 173, 179
Critical combination. See Segregation of duties
Crown jewels 56
CUA. See Central user administration
Current User setting 248
Customer table 115, 121
Customer transaction 116, 122
Customizing 53, 111

D
Data availability 56, 63
Database 258, 270
Databases 57
Database server 57
Data Browser. See SE16
Data classification 56
Data criticality 55, 63
Data layer 35, 258
Data location 55
Data owner 49
Data privacy 171
Data retention 56, 63
Data security 171
Data tier. See Data layer
DDIC 175
Debug & replace 126, 140, 151, 201
Derived role 153, 154
Developer key 111, 116
Development 54, 111
Development management 111
Directory 52

E
EARLYWATCH 175
Emergency access approval process 208, 210
Emergency access management 53, 207
Emergency access management procedure 218
Emergency user 208, 211
Emergency user authorization 209, 214
Encryption 277
Enqueue server 35
Enron 11
Enterprise Resource Planning 31, 32
ERP. See Enterprise Resource Planning

F
Firewall 58
Follow-up 30
Front end. See Presentation layer
Function owner 49

G
Gateway 58
GDPR. See General Data Protection Regulations
General Data Protection Regulations 61
Generic account 174, 183
German Corporate Governance Code 12
Governance 47, 61
Guidelines 49

H
High availability 57
HR. See Human resources
Human resources 52

I
Identity management 51
IdM. See Identity management
Incident management 47
Information Technology Assurance Framework (ITAF) 19
Infrastructure 57, 63
Inner environment 55, 63
Integrity 19
Interfaces 51, 62
Internal audit function 11, 15
Internal control system 11
IS audit 18, 19, 21
ITGC. See IT general controls
IT general controls 59

K
Kreditwesengesetz 12

L
License 54
Linux 259
Load balancing 58
Logging 54

M
Master role 154
Message server 36
Multi-factor authentication 262

N
Need-to-know principle 171
Network 58
Network and communication 277

O
Objectivity 19
Object key 111, 117
Operating system 57, 258, 259
Operations management 47, 59
Operations manual 50
Outer environment. See Interfaces

P
PAM. See Privileged account management
Parent role 154
Password configuration credit 261
Password parameter 222, 259, 270
Password security 221
PFCG 153
Policies 49
Portfolio management 48
Presentation layer 34
Principle of least privilege 171
Privileged access rights 192, 205
Privileged account management 51
Problem management 48
Profile 153
Profile Generator. See PFCG
Project management 48
PuTTY 267

Q
Quality assurance approval 101

R
rec/client 128
RECCLIENT 129
Red Hat. See Linux
Reference user 174, 184
Remote Function Call 42, 54, 240
RFC. See Remote Function Call
RFC user 250, 252, 254
Risk-based approach 22
Risk control matrix 65
Risk management 15, 22, 48
Robotic process automation 275
Role administration 53
Role concept 50, 156, 158
Role management 153
Role owner 49
Role recertification 156, 159
Roles by Complex Selection Criteria 75, 79
Root 263
Router 58
RPA. See Robotic process automation
RSUSR003 187
RSUSR008_009_NEW 161, 179

S
SA38 83
S_A.ADMIN 193
S_A.DEVELOP 193
SAIS 85
SAL. See Security Audit Log
SAP* 175, 187
SAP Access Control 44
SAP_ALL 193
SAP architecture 257
SAP audit universe 45
SAPCPIC 176
SAP CUA 51
SAP default profile 193, 195
SAP default role 193, 196
SAP GRC 51
SAP HANA 270, 276
SAP NetWeaver Application Server 35, 258
SAP_NEW 193
SAProuter 41, 42, 58
SAP S/4 HANA 275
SAP Solution Manager 45, 51
SAP Web Dispatcher 42, 58
Sarbanes-Oxley Act 11
S_A.SYSTEM 193
SE16 67
SE16H 75
SE16N 68
SE16S 75
Secure Shell 266
Security Audit Log 135, 272
Security Audit Log events
  Dialog logon 143
  Other events 148
  Remote Function Call 145
  Report start 144
  RFC/CPIC logon 146
  System 146
  Transaction start 147
  User master change 147
Security incident 135, 140, 151
Security information and event management 52, 135, 151
Security management 48
Security policy 226
Segregation of duties 91, 99, 157, 161, 165, 173, 179
Server 258
Service management 48
SIEM. See Security information and event management
Single role 153, 154
SoD. See Segregation of duties
Software development 59
SolMan. See SAP Solution Manager
SoP. See Standard operating procedures
SOX. See Sarbanes-Oxley Act
SSH. See Secure Shell
SSH root login 266
Standard accounts. See Built-in accounts
Standard operating procedures 50
Standard profiles 53
Standards 49
Storage 56
Sudo 263
SUIM 75
Switch 58
SYSTEM 271
System changeability 90, 92, 96
System owner 48
System parameters 54
System separation 90, 98
System setup 52, 62

T
Table logging 126
Three lines of defense model 15
Three-tier client-server architecture 34
Tier architecture 36, 55
TMSADM 176
TMS configuration 102, 129
Transport management 38, 54
Transport Management System 91
Transport route 91, 98
Trusted RFC connection 245, 253
Trusted system 245
Trusting system 245

U
Unstructured data 56
User access management 171
User access management process 172, 176
User administration 53
User deletion 173, 180
User Information System. See SUIM
User manual 50
User recertification 173, 180
Users by Complex Selection Criteria 75, 77
User type 174, 176, 183