Security in SAP Environments
ISACA London Chapter, 26 March 2009
Rajeev Dasgupta, PricewaterhouseCoopers
ISACA London Chapter, March 2009
Topics
Introduction
Overview of SAP
Key Risks and Controls in SAP
Audit Challenges in SAP Environments
Preparing for a SAP Audit
Third Party Tools
An Introduction to ERP Systems
Enterprise resource planning (ERP) is an enterprise-wide information system designed to coordinate all resources, information, and activities needed to perform business activities.
Based on a common database and a modular software design – the common database allows ‘central storage’ of information, with real-time retrieval.
Modular software design allows for free selection of modules required.
Driving benefit is open availability of real-time information which is easily accessible, enabling management by information.
ERP systems attempt to cover all basic functions of an enterprise, regardless of the organisation's business.
High-end ERP systems have business-specific functionality.
Prominent ERP systems – SAP, Oracle, Microsoft Dynamics.
Overview of SAP
A Bit of History …
• 1973: SAP launches R/1 (‘R’ stands for real-time data processing)
• 1979: Mainframe-based R/2 solution released
• 1992: R/3 solution unleashed on market (real-time data processing; 3-tier client-server architecture)
• The original R/3 solution has evolved significantly over the years through numerous releases (3.0x, 3.1x, 4.0x, 4.6x, Enterprise 4.7 and mySAP ERP)
• Most current version of SAP is SAP ECC6 ERP (part of the SAP Business Suite)
Some Facts and Figures
• World’s 3rd largest independent software vendor
• Originally used primarily by large companies – now widely used by small and medium sized enterprises as well
• SAP solutions help enterprises of all sizes improve customer relationship processes, enhance partner collaboration and create efficiencies across their supply chains and business operations
• In addition, SAP solution portfolios support unique business processes of more than 25 industries, including high tech, retail, financial services, healthcare and the public sector
• Currently, more than 12 million users work each day with SAP solutions!
• SAP now has 121,000 installations worldwide, more than 1,500 SAP partners, and more than 75,000 customers in 120 countries
Key Characteristics: Systems, Applications and Products in Data Processing
Multifunctional: SAP can track financial results, procurement, sales, manufacturing, human resources and payroll.
Integrated: SAP integrates all business processing through one application, which can also be integrated with other office tools (e.g. MS Word, MS Excel).
Modular: SAP comprises 18-20 modules in finance, logistics and HR. One or more SAP modules can be implemented.
Enterprise Wide: SAP is typically accessible by the entire business organisation. Most company information and transactions originate from SAP.
“Real Time”: An order in SAP can automatically generate an inventory movement and a posting in the GL without any “human” intervention.
SAP Technical Structure
Three tiers: Presentation layer (GUI); Application servers; Database server
Key Modules
Basis: Security, Change Management, Computer Operations
SD (Sales & Distribution): Sales, Distribution, Invoicing
PP (Production Planning): Re-order control, Production Planning & Control
PM (Plant Maintenance)
FI (Financial Accounting): Accounts Payable, Accounts Receivable, General Ledger, Cash Management, Consolidation, Asset Accounting, Project Systems, Financial Reporting
MM (Materials Management): Purchasing, Goods Receipt, Inventory Control, Invoice Verification, Inventory Mgmt
WMS (Warehouse Mgmt)
HR (Human Resources): Personnel Administration, Payroll Accounting
CO (Controlling): Cost Centre/Profit Centre, Profitability Analysis
Industry Solutions
SAP has also developed industry-specific solutions. Some key solutions:
Banking: IS-B (Industry Specific Banking)
Retail: IS-R (Industry Specific Retail)
Energy Utilities: IS-U (Industry Specific Utilities – Supplier Switch)
Oil: IS-Oil (Industry Specific Oil)
Insurance: FS Insurance (Financial Services Insurance); FS RI (Financial Services Reinsurance Management); FS CM (Financial Services Claim Management)
SAP Basis
A key component of SAP, as most security functions are controlled through Basis!
1. It is the middleware that integrates the Database, Operating System, Authorisations and Development/Customising Processes with the application modules (e.g. FI, CO, MM).
2. It enables the SAP application modules to operate, irrespective of any underlying IT platform.
3. It includes:
• System Configuration (customising)
• Repository (programming)
• Data Dictionary
• Access/Authorisations
• System Administration and monitoring tools
[Diagram: Basis at the centre of the SAP application modules (QM, PM, HR, FI, CO, AM, PP, MM, SD, IM, WM, PS)]
Basis and Security Functions
User Access
Only users with active User Master Records can log onto the system. They are always checked during online and background processing and include:
Basic user data
User defaults
User profile information
Security Authorization Concept
Applies to Basis and functional components
Access to the system is restricted through authorisation objects
Access must be explicitly granted through the use of authorisations
Others
Table maintenance
Security parameters
Program security
Remote access
Extensions / bolt-ons
Interfaces
Many organisations decide not to implement the full suite of modules and instead utilise satellite systems for specific areas.
Some of the most common areas where companies use satellite systems with SAP are:
Industry specific systems
HR / Payroll
Manufacturing
Group consolidation
Management reporting
SAP’s interface framework facilitates communications and interactions between different business tools:
SAP Exchange Infrastructure (SAP XI) enables the implementation of cross-system processes. It allows systems from different vendors, written in different programming languages, to be connected to each other.
The Legacy System Migration Workbench (LSMW) is a tool recommended by SAP to transfer data once only or periodically from legacy systems into an R/3 System.
An SAP R/3 Remote Function Call (RFC) is a synchronous communication process method used to call and execute predefined functions within SAP R/3. RFCs work between two SAP systems, or between an SAP system and an external system.
Key Risks and Controls in SAP
Key Risks
(Risk categories on the slide: Business Risks, Technical Risks, Control Risks)
• Inappropriate access to system functionality because of incorrectly configured SAP security.
• Increased remote or local access by external personnel (i.e. consultants or support teams).
• Inappropriate system management on account of skills gaps.
• Data inconsistencies due to interfaces / data conversion processes.
• Integrated data and transaction processing in a single system results in a single point of failure for all organisational data.
• Users’ reluctance to accept this initially complex system could result in data inaccuracies.
• Inherent process risks (e.g. unauthorised purchases, bypassing credit limits etc.)
• SAP control functionality may not be appropriately configured (e.g. super user profiles, generic accounts, system parameters, privileged accounts etc.)
• The high level of integration between processes increases exposure to segregation of duties conflicts.
• Higher level of expertise is required to effectively audit the system.
Additional Risk Considerations
1. Business Warehouse/Reporting
2. Interfaces
3. Asset Accounting
4. Consolidation
5. HR and Payroll
6. Industry Solutions
Key Control Points in SAP
IT General Controls:
Project Management
Testing
Data Conversion
Change Management
SAP Authorisations and User Provisioning
Operating System and Database Security
Backup, Recovery and Contingency Planning
Physical Security and other infrastructure controls
Business Process Controls:
Interfaces
Process-resident controls (e.g. release strategies, credit limit checks etc.)
Edit and validation controls (field settings etc.)
Monitoring Reports
Sensitive access
Segregation of duties
Audit Challenges in SAP Environments
It’s Not Easy!
The complexity of the organisational model in SAP makes it difficult to determine the scope of the audit
Underneath the business front end sits a very complicated system
Integration of business processes within SAP increases the importance of getting segregation of duties right
The use of Computer Assisted Audit Tools and Techniques (CAATTs) is virtually mandatory in order to complete a full SoD analysis.
Process automation and customisation creates new audit challenges
Data errors can flow right through end-to-end business processes
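The segregation-of-duties control point listed under Business Process Controls, and the full SoD analysis that the CAATT remark above says is impractical by hand, both come down to one mechanical check: resolve every user's effective transaction access through their roles, then test that access against a rule set. The following is an added example, not code from the presentation or from any vendor tool. The users, role names, role-to-transaction assignments and SoD rules are constructed sample data (the transaction codes are real SAP transactions; everything else is made up for illustration), standing in for an extract taken from the system under audit.

```python
"""Segregation-of-duties (SoD) and sensitive-access analysis over user/role/transaction data.

Added example, not from the presentation. Users, roles, assignments and rules
below are constructed sample data; a real analysis would extract user-role
assignments and role-transaction mappings from the SAP system under audit.
"""
from collections import defaultdict

# Constructed sample: which roles each user holds (user -> roles).
USER_ROLES = {
    "ALICE": ["Z_AP_INVOICE", "Z_VENDOR_MAINT"],
    "BOB": ["Z_PURCHASING"],
    "CAROL": ["Z_PURCHASING", "Z_GOODS_RECEIPT"],
    "DAVE": ["Z_BASIS_ADMIN"],
    "ERIN": ["Z_AP_INVOICE", "Z_DISPLAY_ONLY"],
}

# Constructed sample: transaction codes each role grants (role -> t-codes).
ROLE_TCODES = {
    "Z_AP_INVOICE": {"FB60", "F110"},        # post vendor invoices, run payments
    "Z_VENDOR_MAINT": {"FK01", "FK02"},      # create/change vendor master
    "Z_PURCHASING": {"ME21N", "ME22N"},      # create/change purchase orders
    "Z_GOODS_RECEIPT": {"MIGO"},             # post goods receipts
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},       # user and role maintenance
    "Z_DISPLAY_ONLY": {"FK03", "ME23N"},     # display vendor / display PO
}

# Business functions expressed as the sets of t-codes that perform them.
FUNCTIONS = {
    "maintain_vendor": {"FK01", "FK02"},
    "post_vendor_invoice": {"FB60"},
    "run_payments": {"F110"},
    "create_purchase_order": {"ME21N", "ME22N"},
    "post_goods_receipt": {"MIGO"},
}

# SoD rules: pairs of functions one person should not be able to perform together.
SOD_RULES = [
    ("maintain_vendor", "post_vendor_invoice"),
    ("maintain_vendor", "run_payments"),
    ("create_purchase_order", "post_goods_receipt"),
    ("post_vendor_invoice", "run_payments"),
]

# Sensitive transactions that warrant review regardless of combination.
SENSITIVE_TCODES = {"SU01": "user maintenance", "PFCG": "role maintenance"}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of the t-codes granted by every role the user holds."""
    tcodes = set()
    for role in user_roles.get(user, []):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def functions_held(tcodes, functions=FUNCTIONS):
    """Business functions that a set of t-codes lets the holder perform."""
    return {name for name, codes in functions.items() if tcodes & codes}


def find_sod_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                       rules=SOD_RULES, functions=FUNCTIONS):
    """Return {user: [(function_a, function_b), ...]} for every violated rule.

    A conflict is reported when the user's effective t-codes cover both
    functions of a rule, whichever roles granted them: the classic case is
    two individually clean roles that conflict only in combination."""
    conflicts = defaultdict(list)
    for user in user_roles:
        held = functions_held(effective_tcodes(user, user_roles, role_tcodes), functions)
        for fa, fb in rules:
            if fa in held and fb in held:
                conflicts[user].append((fa, fb))
    return dict(conflicts)


def find_sensitive_access(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                          sensitive=SENSITIVE_TCODES):
    """Return {user: sorted list of sensitive t-codes the user can execute}."""
    report = {}
    for user in user_roles:
        hits = effective_tcodes(user, user_roles, role_tcodes) & set(sensitive)
        if hits:
            report[user] = sorted(hits)
    return report


if __name__ == "__main__":
    for user, pairs in sorted(find_sod_conflicts().items()):
        for fa, fb in pairs:
            print(f"SoD conflict: {user}: {fa} + {fb}")
    for user, codes in sorted(find_sensitive_access().items()):
        print(f"Sensitive access: {user}: {', '.join(codes)} ({', '.join(SENSITIVE_TCODES[c] for c in codes)})")
```

Running the sample flags ALICE (vendor maintenance combined with invoice posting and payment runs), CAROL (purchase orders plus goods receipts, a conflict that exists only because two otherwise reasonable roles are held together) and ERIN (invoice posting plus payment runs), while DAVE appears only on the sensitive-access list. Analysing at t-code level rather than role level is what makes the CAROL case visible; a real engagement would go one level deeper still, to authorisation objects and their field values.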
Preparing for a SAP Audit
The Audit Cycle
[Diagram: auditing in a SAP environment]
Planning the Right Level of Work: Control Types in SAP
[Diagram: Business / IT Transactions flow through the SAP control environment to Management Information and Financial Statements. Control layers shown: SAP Access and SoD; SAP Inherent controls; SAP Configurable controls; SAP Reports & Manual Procedures]
Note: Inherent controls are hard coded into the system and cannot be changed
Control Types and Examples
SAP Inherent Controls: Entries must balance prior to processing
SAP Configuration: Release strategies, Invoice tolerances
SAP Access Controls: Access to Vendor Master Data is restricted
Reporting & Manual procedures: Edit reports, Account analysis, Reconciliations
Getting the Right Coverage: The SAP Control Environment
[Diagram: three layers, bracketed into Business Process Controls (upper) and IT General Controls (lower)]
Presentation Layer: Management reporting and end-user controls
Application Layer: SAP configurable controls; SAP Authorisations/User profiles; SAP Basis Module
Database / Infrastructure Layer: Database; Operating System and other Infrastructure controls
Key Considerations
SAP products and modules used and linkage to business processes
Number of in-scope SAP systems and production clients
Number of in-scope company codes and organisational elements
Proportion of cross-company vs company-specific controls in scope
Interfaces into SAP and their use
‘Other’ systems in use and their impact on the audit
Skill sets of the audit team
Availability of methodologies / tested work programs
And More Considerations!
Efficiencies can be obtained while reviewing multiple locations and company codes sharing the same SAP instance
Complex/decentralised organisation and homogeneity of processes and controls could impact time and resource requirements
Level of automation and customisation may impact on the method of testing
“Baselining” strategy may be used for automated controls and reports
Timing and extent of review for new implementations or major projects
Availability of appropriate technical documentation and competency level of SAP support organisation
Reliance on the “work of others” (i.e. management, SAS70)
Use of third party tools
Third Party Tools
Why Use Third Party Tools?
Business, Finance, IT and audit professionals face an array of challenging questions as they try to strengthen controls throughout their SAP systems:
How do you uncover existing Segregation of Duties and sensitive access issues, down to the lowest security levels, such as t-codes and authorisation objects?
How do you keep new controls issues from arising through the course of normal change processes?
How can you gain insight into what activities users are performing?
How do you ensure that business policies are being adhered to through the course of daily transactions?
How do you determine if configurable controls are defined properly?
How do you consolidate your data repositories, automate your workflow further and integrate with other solutions?
How do you manage these challenges across multiple SAP instances, without ever affecting their system performance?
Third party tools can be used to help achieve these goals.
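The “baselining” strategy mentioned among the audit considerations, and the question just above about whether configurable controls are defined properly, can be answered the same way for security parameters: agree a baseline, extract the current values from each in-scope system, and report every deviation. The block below is an added example, not code from the presentation or from any of the tools it lists. The parameter names are real SAP profile parameters, but the baseline thresholds are assumptions an audit team would agree with management (not SAP defaults), and the “current” values for the two systems are a constructed extract.

```python
"""Baseline check of SAP security parameters across in-scope systems.

Added example, not from the presentation. The parameter names are real SAP
profile parameters, but every value and threshold below is constructed: the
baseline thresholds are assumptions an audit team would agree with
management, and the "current" values are a made-up extract, not real data.
"""
import operator

# Baseline: parameter -> (comparison, expected value). Constructed thresholds.
BASELINE = {
    "login/min_password_lng": (operator.ge, 8),           # minimum password length
    "login/fails_to_user_lock": (operator.le, 5),         # failed logons before lock
    "login/password_expiration_time": (operator.le, 90),  # days before expiry
    "rdisp/gui_auto_logout": (operator.le, 1800),         # idle seconds before logout
    "login/no_automatic_user_sapstar": (operator.eq, 1),  # no default SAP* logon
}

# For these parameters a value of 0 switches the control off entirely, so 0
# must fail even though it satisfies a "<= limit" comparison.
ZERO_MEANS_DISABLED = {"login/password_expiration_time", "rdisp/gui_auto_logout"}

SYMBOL = {operator.ge: ">=", operator.le: "<=", operator.eq: "=="}

# Constructed extract of current settings per system (system ID -> parameters).
CURRENT = {
    "PRD": {
        "login/min_password_lng": 8,
        "login/fails_to_user_lock": 5,
        "login/password_expiration_time": 90,
        "rdisp/gui_auto_logout": 900,
        "login/no_automatic_user_sapstar": 1,
    },
    "QAS": {
        "login/min_password_lng": 6,
        "login/fails_to_user_lock": 12,
        "login/password_expiration_time": 0,  # 0 means passwords never expire
        "rdisp/gui_auto_logout": 0,           # 0 means no automatic logout
        # login/no_automatic_user_sapstar is missing from this extract
    },
}


def check_system(params, baseline=BASELINE):
    """Return a list of findings (parameter, current value, expected) for one system.

    A finding is raised when the parameter is absent from the extract, when its
    value is 0 for a parameter where 0 disables the control, or when the value
    fails the baseline comparison. Systems that meet the baseline return []."""
    findings = []
    for name, (compare, expected) in baseline.items():
        expected_text = f"{SYMBOL[compare]} {expected}"
        if name not in params:
            findings.append((name, None, expected_text + " (not in extract)"))
            continue
        value = params[name]
        if name in ZERO_MEANS_DISABLED and value == 0:
            findings.append((name, value, expected_text + " (0 disables the control)"))
        elif not compare(value, expected):
            findings.append((name, value, expected_text))
    return findings


def baseline_report(current=CURRENT, baseline=BASELINE):
    """Run the check for every in-scope system; clean systems map to []."""
    return {system: check_system(params, baseline) for system, params in current.items()}


if __name__ == "__main__":
    for system, findings in baseline_report().items():
        status = "no deviations" if not findings else f"{len(findings)} deviation(s)"
        print(f"{system}: {status}")
        for name, value, expected in findings:
            print(f"  {name}: current={value}, expected {expected}")
```

Two details matter more than the comparisons themselves: a parameter that is missing from the extract is reported rather than silently passed, and a value of 0 on the expiry and auto-logout parameters is treated as the control being switched off, which a naive “less than or equal to the limit” test would accept. The same structure extends to configurable process controls (tolerance limits, release strategy settings) once the relevant customising tables are extracted.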
Third Party Tools - Examples: Security
Governance, risk and compliance (GRC) suite, which includes:
• Risk Analysis and Remediation™: Reporting tool that provides detailed analysis of SoD and Sensitive Access based on a set of pre-defined rules
• Enterprise Role Management™: Role management tool that operates within SAP and facilitates role design. Provides the ability to define which objects and transactions are attached to a role
• Compliant User Provisioning™: Workflow enabled tool to automate the user administration process
• Super User Privilege Management™: Provides improved control over super-user and emergency access through restrictions on data access and audit trails
Approva Corporation, which includes Enterprise Controls Suite and BizRights:
• Continuous monitoring with exception-based reporting pushes the right information to the right people at the right time
• Business controls are organised in a single, manageable library that spans across instances and applications and can easily be customised to keep up with your ever-changing business needs
• Application-independent architecture ensures support for all enterprise systems, without introducing performance degradation
Third Party Tools - Examples: Data Analysis
ACL Direct Link for SAP® ERP: Data extraction, analysis, and fraud detection providing direct, seamless access to SAP data. Using Direct Link, you no longer need to rely on ABAP programmers or limited reporting utilities; you can easily and quickly access SAP tables and conduct comparative cross-platform analysis with transactional data from other systems.
ACL Continuous Controls Monitoring (CCM): Analyses financial transaction data from any ERP, mainframe system or custom-built application to check and validate it against the organization's control parameters and business rules. A review of 100 percent of transactions from any source.
Microsoft Access: Create ad hoc customised desktop systems for handling the creation and manipulation of data. Access can be used as a database.
Third Party Tools - Examples: Workflow
SAP Interactive Forms (by Adobe):
• Capture data in completed forms that can flow directly back to SAP software – eliminating the need for error prone, manual data input
• Customise electronic forms to meet the specific needs of your business or industry
• Design electronic forms to reflect the familiar "look and feel" of the paper forms they replace
SAP LoadRunner (by Mercury): Deployed with HP and SAP Solution Manager, LoadRunner facilitates the management of the development lifecycle, providing time, budget, actual and quality assurance tools.
Duet (SAP and MS): Enables access to SAP business processes and data via Microsoft Office, providing wider access to enterprise information and policies, with the objective of assisting organisations in obtaining corporate policy compliance and improving decision making.
Thank You
Question
If you were in an organisation with a small version, how would you approach auditing?