R/3 audit review questions

Here is a list of items most commonly reviewed by internal/external auditors when reviewing your R/3 system. It is always a good idea to review this list a couple times a year and to take the appropriate steps to tighten your security. If requested I can e-mail this to you in Word format.

Review the following:

* System security file parameters (TU02) (e.g. password length/format, forced password sessions, user failures to end session etc.) have been set to ensure confidentiality and integrity of password. Security-Parameter-Settings-Documentation.doc

* Setup and modification of user master records follows a specific procedure and is properly approved by management.

* Setup and modification of authorizations and profiles follows a specific procedure and is performed by someone independent of the person responsible for user master record maintenance.

* An appropriate naming convention for profiles, authorizations and authorization objects has been developed to help security maintenance and to comply with required SAP R/3 naming conventions.

* A user master record is created for each user defining a user ID and password. Each user is assigned to a user group, in the user master record, commensurate with their job responsibilities.

* Check objects (SU24) have been assigned to key transactions) to restrict access to those transaction.

* Authorization objects and authorizations have been assigned to users based on their job responsibilities.

* Authorization objects and authorizations have been assigned to users ensuring segregation of duties.

* Users can maintain only system tables commensurate with their job responsibilities.

* Validity periods are set for user master records assigned to temporary staff.

* All in-house developed programs contain authority check statements to ensure that access to the programs are properly secure.

* Select a sample of:

* Changes to user master records, profiles and authorizations and ensure the changes were properly approved. (The changes can be viewed with transaction (SECR).

* Ensure that security administration is properly segregated. At a minimum there should be separate administrators responsible for:
- User master maintenance. (This process can be further segregated by user group.)
- User profile development and profile activation. (These processes can be further segregated.)

* Verify that a naming convention has been developed for profiles, authorizations and in-house developed authorization objects to ensure:
- They can be easily managed.
- They will not be overwritten by a subsequent release upgrade (for Release 2.2 should begin with Y_ or Z_ and for Release 3.0 by Z_ only.)

* Assess through audit information system (SECR) or through a review of table USR02, whether user master records have been properly established and in particular:
* The SAP_ALL profile is not assigned to any user master records.
* The SAP_NEW profile is not signed to any user master records. Verify that procedures exist for assigning new authorization objects from this profile to users following installation of new SAP releases.

* Assess and review of the use of the authorization object S_TABU_DIS and review of table authorization classes (TDDAT) whether:
- All system tables are assigned an appropriate authorization class.
- Users are assigned system table maintenance access (Through S_TABU_DIS) based on authorization classes commensurate with their job responsibilities.

* Asses and review of the use of the authorization objects S_Program and S_Editor and the review of program classes (TRDIR) whether:
- All programs are assigned the appropriate program class.
- Users are assigned program classes commensurate with their job responsibilities.

* Ensure through a review of a sample of:
- In-house developed programs that the program, code either:
- Contains an Authority-Check statement referring to an appropriate authorization object and valid set of values; or
- Contains a program Include statement, where the referred program contains an Authority-Check statement referring to an appropriate authorization object and valid set of values.