
SAP Audit and Control Points

Bolt-ons/Interfaces

Have all bolt-ons and interfaces been justified?

Have all bolt-ons and interfaces been documented?

Have all bolt-ons and interfaces been tested?

Does a support agreement exist with each bolt-on vendor?

Is each bolt-on and interface operation stable?

Have contingencies been established in the case of a bolt-on or interface failure?

Is the bolt-on vendor an SAP-certified partner?

Has support responsibility been assigned and communicated for all bolt-ons and
interfaces?

Have all bolt-on and interface dependencies been identified, documented, and
analyzed for operational impact?

Customization and Change Control

Does customization documentation include the menu path/transaction, reference to the
business model, 4 Ws (who, what, when, why), standard settings used, current
settings (table blueprints), and cross-reference design?

Is each customization documented for the reason needed?

Has an independent table comparison with client 000 been performed to check if
all changes are documented correctly for a specific table?

Have all customizations been categorized as modifications, enhancements, or user
exits?

Have programming standards been documented and communicated?

Are all customizations approved before being written and then again after testing?

Have all ABAP programs without a name or with change/delete functionality been
identified and thoroughly reviewed for actual functionality and applicable
approval and testing?

Have all temporary/conversion ABAPs and tables been identified and evaluated
for need and decommission process?

Has user documentation been prepared for all processes?

Does user documentation include menu paths, transaction codes, specific attention
points, inputs, and control checks?

Does user documentation logically walk a user through all steps in the process?

Are all changes performed in a development environment and transported
upstream for testing?

Is development prohibited in the production environment?

Has a structured transport request/tracking process been established?

Has the transport schedule been communicated to all affected parties?

Does the transport schedule provide for timely updates?

Does the transport process migrate upstream only?

Have customization deadlines been established in order to not impact the rollout
schedule?
Has a process been developed and documented to address upgrades and patches?
Are changes categorized as configuration, exits, enhancements, bolt-ons, or
modifications?
Are authorization checks included in all custom code?
Are standard naming conventions used to identify customized code?
Do all custom ABAPs require authorization objects?
Are changes to interfaces, bolt-ons, database, operating system, and network
programs managed and controlled by a standard process?
Do client settings in table T000 prevent client copy overwrite, prevent
client-independent changes, and automatically record changes (development) or
allow no changes (production)?
Are Workbench Organizer system change options set to all customer objects
(development), objects cannot be changed (QA and production)?
Is the transport system linked with the Workbench Organizer?
Are all transport system actions logged and reviewed?
Are system changes and transports coordinated so that imports to other systems
are not out of sequence?
Have customizing authorizations been restricted to specific authorizations
profiles/activity groups?
Has the assignment of customizing authorizations been limited to a few
employees?
Are all ABAP developers registered with SAP?
Have the objects for all modifications to SAP standard ABAPs been registered
with SAP?

Conversion

Have data classification standards been developed?

Has the conversion process been tested?

Has data scrubbing and cleansing been performed?

Has data mapping been performed?

Have required fields been populated?

Has duplicate data been eliminated?

Has a data conversion strategy been developed, documented and communicated?

Have procedures been developed for accessing historical data?

Have conversion standards and success criteria been established?

Has a conversion schedule been developed and does it coincide with the rollout?

Has a conversion reconciliation process been developed and tested?

Have backup, recovery, and back out procedures been developed, documented
and tested?

Have appropriate conversion approval responsibilities been assigned?

Has a data conversion team been identified and trained?

Has data to be converted been identified and communicated?

Have archiving/retention policies been developed and communicated?

Maintenance and Support

Has a post-implementation support staff been identified?

Is the post-implementation support staff adequately trained and qualified?

Has a process been developed to report, track and resolve maintenance and
support issues?

Are support groups logically organized by process, module, or location?

Are there separate support groups for technical and functional issues?

Security

Is authorization to delete user sessions (SM04) and work processes (SM50)
(Authorization object: S_TKSH_ADM) restricted?

Is access to lock/unlock objects via Work Process (SM01) (Authorization object:
S_TKSH_ADM) restricted?

Is security designed to coincide with the organizational structure?

Were all business areas involved in defining security?

Have authorizations to change account master records been verified to make sure
the controls will always work consistently?

Is master data creation and maintenance limited to a few select individuals?

Is the creation and maintenance of all documents limited to necessary users?

Are document types controlled through authorization groups?

Are posting periods controlled by security?

Are users with release/approval capabilities appropriate?

Is there segregation of duties between users who can enter data and users who can
change tolerance levels?

Is there segregation of duties between users who can enter a document and users
who can release a block?

Is there segregation of duties between users who can enter an invoice document
and users who can create new customer/vendor records or change credit limits?

Are customization capabilities limited to the development team?

Are transport capabilities limited to a few individuals?

Are security administration capabilities (creating and maintaining user master
records) limited to a few employees?

Is the development and maintenance of security/authorization profiles limited to a
few employees?

Have generic roles been designed for common functionality?

Have composite roles been designed to combine multiple functionality?

Has the ability to lock/unlock transactions been limited to a few employees?

Has segregation of duties been evaluated within each authorization profile?

Has segregation of duties been evaluated for all authorizations assigned to each
user?

Are standard naming conventions used for authorizations and custom
authorization objects?

Have standard SAP authorization objects been left unaltered and not deleted?

Have wildcard * authorizations been reviewed for appropriateness?


Has a security design structure been developed?
Does the organizational structure coincide with the desired security structure?
Does a security policy exist which includes the SAP environment?
Is the auth/check_value_write_on parameter set to a value greater than zero so
that authorization analysis can be performed?
Has the login parameter login/min_password_lng been set to a value greater
than 4?
Has the login parameter login/password_expiration_time been set to a
reasonable number of minutes?
Has the login parameter login/fails_to_session_end been set to between 3 and
5?
Has the login parameter login/fails_to_user_lock been set to between 3 and 5?
Has the login parameter rdisp/gui_auto_logout been set to a reasonable number
of minutes?
Has the login parameter login/no_automatic_user_sap* been set to 1?
Has the login parameter login/no_automatic_user_sapstar been set to 1?
Has the login parameter login/failed_user_auto_unlock been set to 0?
Is the auth/no_check_in_some_cases parameter deactivated?
Is the auth/no_check_on_tcode parameter deactivated?
Is the auth/number_in_userbuffer parameter set to a reasonable number of
authorizations?
Is the rsau/enable parameter activated?
Is the rsau/local/file parameter set to a secure location on the server?
Is the rsau/max_diskspace_local parameter set to a length that provides enough
space to store the audit log for review?
Is the rsau/selection_slots parameter set to a reasonable number of selection
slots?
Is the rec/client parameter activated?
Are user groups used to administer security?
Have all administrator user IDs been assigned to the SUPER group?
Are decentralized security administrators limited to assigning and maintaining
user access for a selected agency?
Are all reports assigned to menu options and transactions?
Does the SAP* user master record still exist?
Has the name of the SAP* user master record been changed?
Has the default password of the SAP* user master record been changed?
Has the SAP* user master record been locked?
Have all authorization profiles been removed from the SAP* user master record?
Has the SAP* user master record been assigned to the SUPER group?
Is the SUPER group assigned and maintained by the system administrator?
Have default passwords been changed for the DDIC, EarlyWatch, and SAPCPIC
users?
Have transactions SE16, SA38, and SE38 been limited to a few employees?
Has access to sensitive objects been evaluated, justified, and documented?
Has access to SAP standard profiles been limited and controlled?

Have procedures been developed and documented related to the review of logs?
Has the responsibility for log review been assigned to an appropriate employee?
Is the frequency of log reviews appropriate, and does it coincide with the period
that log information is retained?
Is the ability to change master records limited?
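One way to turn the profile-parameter questions above into a repeatable check, as an added example that is not part of the original checklist: it parses the name = value lines of an SAP profile and reports each listed parameter that is unset or outside the range the checklist asks for. The profile text is constructed for the demonstration; the password-expiry check only requires a non-zero value, since the checklist gives no figure.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample profile (not from a real system); several values fail.
SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL excerpt
login/min_password_lng = 3
login/password_expiration_time = 0
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 1800
auth/check_value_write_on = 1
auth/no_check_in_some_cases = N
rsau/enable = 0
rec/client = OFF
"""

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, as in SAP profiles."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def _as_int(value: str) -> Optional[int]:
    return int(value) if value.lstrip("-").isdigit() else None

def _between(lo: int, hi: int) -> Callable[[str], bool]:
    return lambda v: _as_int(v) is not None and lo <= _as_int(v) <= hi

# (parameter, expectation taken from the checklist, predicate on the raw value)
CHECKS: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("login/min_password_lng", "greater than 4", _between(5, 10**9)),
    # checklist asks only for a finite value; SAP measures this parameter in days
    ("login/password_expiration_time", "greater than 0", _between(1, 10**9)),
    ("login/fails_to_session_end", "between 3 and 5", _between(3, 5)),
    ("login/fails_to_user_lock", "between 3 and 5", _between(3, 5)),
    ("login/failed_user_auto_unlock", "set to 0", lambda v: v == "0"),
    ("login/no_automatic_user_sapstar", "set to 1", lambda v: v == "1"),
    ("rdisp/gui_auto_logout", "greater than 0", _between(1, 10**9)),
    ("auth/check_value_write_on", "greater than 0", _between(1, 10**9)),
    ("auth/no_check_in_some_cases", "deactivated (N)", lambda v: v.upper() == "N"),
    ("rsau/enable", "activated (1)", lambda v: v == "1"),
    ("rec/client", "activated, not OFF", lambda v: v.upper() not in ("", "OFF")),
]

def audit(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, actual, expected) for each failed check; an unset
    parameter leaves the kernel default in force, so it is reported too."""
    findings = []
    for name, expected, ok in CHECKS:
        actual = params.get(name, "<unset>")
        if actual == "<unset>" or not ok(actual):
            findings.append((name, actual, expected))
    return findings
```

Feed it the text of the instance and default profiles (or the output of a parameter report) and keep the findings list with the audit workpapers.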

Infrastructure (hardware, operating system, database, desktop)

Have operating system and database default account passwords been changed?

Is login directly to the operating system and database limited to only a few
individuals?

Have SAP exits been secured?

Are backups of the development environment being conducted at least daily?

Have contingency plans and alternatives been developed for the implementation
environment?

Has the production hardware been installed, configured and tested in time for
conversion and rollout?

Has operating system and database security been evaluated to ensure that SAP
related files and programs are safeguarded?

Has a sample of change requests been traced through the process to verify
conformance with established procedures?

Business Processes

Have reconciliation processes and responsibilities been defined for control
accounts (reconciliation and accrual)?

Do control account settings ensure manual journal entries are not allowed?

Are standard reports used to monitor the activity in the control accounts?

Are standard reports used periodically to compare sub ledgers with the
appropriate G/L accounts?

Are control accounts configured to allow only automatic postings (the account
must be specifically locked)?

Are control accounts reviewed to ensure that non-zero balances are due to timing
differences as opposed to misapplication of amounts?

Has a process been defined to control the creation and maintenance of master
data?

Has a process been identified to ensure the quality of master data (i.e. to eliminate
duplicates)?

Are number ranges automatically generated?

Have account groups been defined for each logical group of accounts?

Have master records been grouped for consistency and completeness of field
requirements?

Are master record changes logged?

Are logs of master record changes reviewed on a regular basis?

Does each document type have its own number range?

Are number ranges carried over year after year?

Does each posting key have a reversal posting key defined?


Is the system date automatically entered in the document header?
Are closing periods scheduled?
Have procedures been developed to close posting periods?
Have posting adjustment procedures been developed?
Are postings to special periods monitored?
Are individual release/approval levels appropriate?
Have tolerance groups been established?
Are tolerance levels (upper and lower) reasonable and appropriate?
Has a process been developed to review cumulative tolerance differences on a
regular basis?
Has exception reporting been developed for manual posting differences?
Has document blocking been activated?
Are document blocking conditions reasonable/acceptable?
Is the document blocking setting appropriate?
Are blocked documents regularly reviewed?
Have data archiving standards and practices been developed?
Is online help activated and populated for efficient and effective use by users?
Have process risks been identified and evaluated?
Have transaction controls (document types, number ranges, automatic postings,
control accounts, posting keys, data entry validation, default values, tolerance
levels, block documents from further processing, tax management, controlling
accounting periods, controlling chart of accounts, code combinations, validations
and substitutions) been appropriately activated and defined/configured?
Have internal and external documents been mapped to internal and external
number ranges?
Are external number ranges monitored?
Does each document type have its own number range?
Are control accounts used in conjunction with automatic postings?
Are reports used to periodically compare sub ledgers with the appropriate G/L
accounts?
Are control accounts locked from activity other than automatic posting?
Are manual journal entries prohibited from control accounts?
Is control account activity monitored?
Is the data dictionary used to validate data input?
Are tolerance levels appropriately configured?
Is a review of cumulative tolerance difference amounts performed?
Is there a segregation of duties between data entry and individuals making
changes to tolerance level?
Has a review of posting rules, control accounts, and posting keys been performed?
Has exception reporting been developed for manual posting differences?

Testing

Do tolerance levels work appropriately?


Have test plans been developed?

Do test plans cover all business processes and functionality?


Have detailed test scripts been prepared?
Do test scripts include expected results?
Are test scripts realistic and represent normal daily processing?
Has standard testing documentation been established?
Has a test resolution process been established?
Have appropriate approvals been obtained for successful testing?
Are all testing issues logged, tracked, and communicated?
Have all testers been appropriately trained?
Does testing include negative and stress testing?
Does testing include period end and special events?
Does testing encompass a full process rather than specific functionality?
Is testing performed in a test/QA environment?
Do test issues get recycled back to a development environment for resolution?
Are interfaces and bolt-ons included in testing?
Has security been tested?
Is all functionality tested after a change?
Does testing include correct posting rules, accounts, posting keys and amounts for
automatic posting?

Hierarchy

What is the number of legal entities?

What is the number of business units?

What is the number of operations in different countries (time zone/tax structures)?

What is the number of physical and logical plants and sales units?

Does the organizational structure represent the data flow requirements?

Will the organizational structure provide for desired security requirements?

Were all business areas involved in defining their associated hierarchy structures?

Will the organizational structure provide for desired reporting and financial
statement preparation?

Are all financial documents posted at the company code level?

Do document types match the mapped business processes?

Have unique document types been identified for each type of media used?
Have internal control points been considered?

Project Management

Is there adequate and appropriate representation on the implementation team?

Does the structure of the implementation team facilitate efficient and effective
project management?

Are responsibilities and expectations defined for all members of the
implementation team?

Is there a detailed project plan that includes specific milestones, dates, and
assigned resources?

Is the progress of the implementation tracked and communicated on a regular
basis?
Are key business representatives dedicated to the implementation?
Is the implementation schedule reasonable?
Are project decisions fully documented?
Has a functionality gap analysis been performed?
Have all reports and interfaces been identified?
Is an issue log maintained to track outstanding and resolved issues throughout the
implementation?
Have approval points been established between implementation phases?
Have documentation standards been established?
Have all business processes been assigned an owner?
Are assigned business process owners appropriate?
Have specific resources been permanently assigned to the implementation?
Have project task dependencies been identified?
Have all project members been appropriately trained?
Has a rollout team been identified?
Have rollout schedules and tasks been communicated to all affected users?
Has a training plan been developed which includes appropriate training for all
users?
Does the training schedule coincide with the rollout?
Have postponed issues/functionality been fully documented and analyzed for
impact?
Has a rollout checklist been developed?
Has a SWAT team been established to address go live issues?
Has a go live issue reporting and resolution process been developed, documented,
and communicated?
Has an issue escalation process been developed, documented, and communicated?
Are issues prioritized using standard criteria?
Has issue prioritization been communicated throughout the organization?
Is issue prioritization employed consistently throughout the organization?
Has SAP been informed of go live in order to provide expedited support?

Configuration

What is the number of systems?

What are the instances?

What are the clients?

How many charts of accounts have been defined?

Were all business areas involved in defining the chart of accounts?

How many companies have been defined?

Does the organizational structure support security, reporting and data sharing
needs?

System Monitoring

Are background process logs for each server reviewed?

Have procedures been developed and documented related to the review of logs?

Has the responsibility for log review been assigned to an appropriate employee?

Is the frequency of log review appropriate, and does it coincide with the period
that log information is retained?

Operations

Does the automatic batch scheduler reflect appropriate start/stop times?

Have actual batch results been compared with expected batch results to ensure
jobs are properly processed?

Is the job log and batch schedule periodically checked?

Have responsibilities been defined for who starts batches, monitors them,
reviews the log files, and corrects any errors?
