ISACA London Chapter

About This Presentation

Title:

ISACA London Chapter

Description:

Some Facts and Figures. World's 3rd largest independent software vendor ... (Financial Services Insurance); FS RI (Financial Services Reinsurance Management) ... – PowerPoint PPT presentation

Number of Views:38

Avg rating:3.0/5.0

Slides: 34

Provided by: tomrossi

Category:

more less

Transcript and Presenter's Notes

Title: ISACA London Chapter

1
Security in SAP Environments
ISACA London Chapter 26 March 2009 Rajeev
Dasgupta PricewaterhouseCoopers
2
Topics

Introduction
Overview of SAP
Key Risks and Controls in SAP
Audit Challenges in SAP Environments
Preparing for a SAP Audit
Third Party Tools

3
An Introduction to ERP Systems

Enterprise resource planning (ERP) is an
enterprise-wide information system designed to
coordinate all resources, information, and
activities needed to perform business activities.
Based on a common database and a modular software
design the common database allows central
storage of information, with real-time
retrieval.
Modular software design allows for free selection
of modules required.

Driving benefit is open availability of real-time
information which is easily accessible, enabling
management by information.
ERP systems attempt to cover all basic functions
of an enterprise, regardless of the
organisation's business.
High-end ERP systems have business-specific
functionality.
Prominent ERP systems SAP, Oracle, Microsoft
Dynamics.

4
Overview of SAP
5
A Bit of History

1973 SAP launches R/1 (R stands for real-time
data processing)
1979 Mainframe-based R/2 solution released
1992 R/3 solution unleashed on market (real-time
data processing 3-tier client-server
architecture)
The original R/3 solution has evolved
significantly over the years numerous releases
(3.0x, 3.1x, 4.0x, 4.6x, Enterprise 4.7 and mySAP
ERP
Most current version of SAP is SAP ECC6 ERP (part
of the SAP Business Suite)

6
Some Facts and Figures
7
Key Characteristics
Systems, Applications and Products in Data
Processing
8
SAP Technical Structure
9
Key Modules
10
Industry Solutions

SAP has also developed industry-specific
solutions. Some key solutions

Banking
IS - B (Industry Specific Banking)
Retail
IS - R (Industry Specific Retail)
Energy Utilities
IS - U (Industry specific Utilities Supplier
Switch)
IS - Oil (Industry specific Oil)
Oil
Insurance
FS Insurance (Financial Services Insurance) FS
RI (Financial Services Reinsurance Management)
FS CM (Financial Services Claim Management)
11
SAP Basis
12
Basis and Security Functions

User Access
Only users with active User Master Records can
log onto the system. They are always checked
during online and background processing and
include
Basic user data
User defaults
User profile information

Security Authorization Concept
Applies to Basis and functional components
Access to the system is restricted through
authorisation objects
Access must be explicitly granted through the use
of authorisations

Others
Table maintenance
Security parameters
Program security
Remote access
Extensions / bolt-ons

13
Interfaces

SAPs interface framework facilitates
communications and interactions between different
business tools
SAP Exchange Infrastructure (SAP XI) enables the
implementation of cross-system processes. It
allows to connect systems from different vendors
and different programming languages to each
other.
The Legacy System Migration Workbench (LSMW) is a
tool recommended by SAP to transfer data once
only or periodically from legacy systems into an
R/3 System.
An SAP R/3 Remote Function Call (RFC) is a
synchronous communication process method used to
call and execute predefined functions within SAP
R/3. RFCs work between two SAP systems, or
between an SAP system and an external system.

Many organisations decide not to implement the
full suite of modules and instead utilise
satellite systems for specific areas.
Some of the most common areas where companies use
satellite systems with SAP are
Industry specific systems
HR / Payroll
Manufacturing
Group consolidation
Management reporting

14
Key Risks and Controls in SAP
15
Key Risks
16
Additional Risk Considerations
17
Key Control Points in SAP

IT General Controls
Project Management
Testing
Data Conversion
Change Management
SAP Authorisations and User Provisioning
Operating System and Database Security
Backup, Recovery and Contingency Planning
Physical Security and other infrastructure
controls

Business Process Controls
Interfaces
Process-resident controls (e.g. release
strategies, credit limit checks etc.)
Edit and validation controls (field settings
etc.)
Monitoring Reports
Sensitive access
Segregation of duties

18
Audit Challenges in SAP Environments
19
Its Not Easy!

The complexity of the organisational model in SAP
makes it difficult to determine the scope of the
audit
Underneath the business front end sits a very
complicated system
Integration of business processes within SAP
increases the importance of getting segregation
of duties right
The use of Computer Assisted Audit Tools and
Techniques (CAATTs) is virtually mandatory in
order to complete a full SoD analysis.
Process automation and customisation creates new
audit challenges
Data errors can flow right through end-to-end
business processes

Page 19
20
Preparing for a SAP Audit
21
The Audit Cycle
22
Planning the Right Level of WorkControl Types
in SAP
SAP control environment
SAP Configurable controls
SAP Inherent controls
Management Information and Financial Statements
Business / IT Transactions
SAP Reports Manual Procedures
SAP Access and SoD
Note Inherent controls are hard coded into the
system and cannot be changed
23
Control TypesExamples

24
Getting the Right CoverageThe SAP Control
Environment
Business Process Controls
Presentation Layer
SAP configurable controls
Application Layer
SAP Authorisations/User profiles
SAP Basis Module
IT General Controls
Database
Database Infrastructure Layer
Operating System and other Infrastructure controls
25
Key Considerations

SAP products and modules used and linkage to
business processes
Number of in-scope SAP systems and production
clients
Number of in-scope company codes and
organisational elements
Proportion of cross-company vs company-specific
controls in scope
Interfaces into SAP and their use
Other systems in use and their impact on the
audit
Skill sets of the audit team
Availability of methodologies / tested work
programs

26
And More Considerations!

Efficiencies can be obtained while reviewing
multiple locations and company codes sharing the
same SAP instance
Complex/decentralised organisation and
homogeneity of processes and controls could
impact time and resource requirements
Level of automation and customisation may impact
on the method of testing
Baselining strategy may be used for automated
controls and reports
Timing and extent of review for new
implementations or major projects
Availability of appropriate technical
documentation and competency level of SAP support
organisation
Reliance on the work of others (i.e.
management, SAS70)
Use of third party tools

27
Third Party Tools
28
Why Use Third Party Tools?

Business, Finance, IT and audit professionals
face an array of challenging questions as they
try to strengthen controls throughout their SAP
systems
How do you uncover existing Segregation of Duties
and sensitive access issues, down to the lowest
security levels, such as t-codes and
authorisation objects?
How do you keep new controls issues from arising
through the course of normal change processes?
How can you gain insight into what activities
users are performing?

How do you ensure that business policies are
being adhered to through the course of daily
transactions?
How do you determine if configurable controls are
defined properly?
How do you consolidate your data repositories,
automate your workflow further and integrate with
other solutions?
How do you manage these challenges across
multiple SAP instances, without ever affecting
their system performance?
Third party tools can be used to help achieve
these goals

29
Third Party Tools - Examples Security