Thanks to Philip
Moulton for suggesting this resource for the benefit of auditors
operating in an SAP environment. Phil has offered to be a resource for this
section of AuditNet. AuditNet appreciates Phil's support and making the concept of
Auditors Sharing Knowledge for Progress work! You can show Phil your
appreciation by sharing your knowledge of SAP and contributing resources to
this area.
There are many auditors working for organizations that use SAP, an enterprise resource planning (ERP) system. Enterprise Resource Planning or ERP is an industry term for integrated, multi-module application software packages that are designed to serve and support multiple business functions. The purpose of the SAP AuditNet page is to provide a clearinghouse of information and an opportunity to share resources to facilitate audits of SAP. If you have resources including audit programs, checklists, internal control questionnaires (ICQ) or anything else that will help other auditors please send them to editor@auditnet.org
ERP GENERAL (SAP, BaaN, Oracle, PeopleSoft)
ITtoolbox a knowledge network and support environment for the IT industry containing a section on ERP with links to SAP, BaaN, Oracle, PeopleSoft and more.
Audit and Security Strategies for PeopleSoft Implementation
The following documents were shared by Larry Hanson ISACA-LA Chapter)
BaaN Business Process Controls
ERP Systems: Audit and Control Risks
Introduction to ERP: Overview of ERP Systems
PeopleSoft Business Process Controls
SAP Business Process Controls and AIS
AUDIT PROGRAMS
-
Oracle Application Audit
-
Oracle DB Technical Audit Program
-
Oracle Financials Security Checklist
-
Oracle Infrastructure Audit
-
Oracle Inventory Audit
-
Oracle Security Guide
- PeopleSoft Audit Review
-
PeopleSoft Audit Program
-
PeopleSoft Audit Release 7.X
- SAP Accounts Payable Audit Program
- SAP Audit Info. Approach
-
SAP Audit Program (Word)
SAP Audit Program
- SAP Fixed Assets
- SAP-HR Audit Program
-
SAP Materials Management
SAP Process Controls Audit Program (contribution required)
SAP Security
- SAP Systems Parameters Review
AUDIT GUIDES
-
Auditing SAP R/3
-
Auditing SAP Basis
-
Auditing in an SAP Environment presentation by Phil Moulton
-
SAP R3 Auditing Manual (pdf format)
-
SAP R3 Auditing Guidelines (pdf format)
BEST PRACTICES
Better Practice Guide - Security and Control for SAP R/3 from the Australian National Audit Office.
CHECKLISTS & ICQs
Oracle Audit Checklist
SAP PRESENTATIONS
Auditing in an SAP Environment
Phil Moulton
Fraud
Auditing in an SAP Environment
Phil Moulton
REPORTS
Review of SAP R/3 Upgrade to Version 4.6B - Manitoba Provincial Auditor 2001
SAP
Security and Control Review -
NCUA OIG March 15, 2001
SECURITY
SAP Security Administration SANS Institute Information Security Reading Room
SAP Security and Authorization Concepts
TRAINING
Introduction to SAP Audit (IIA)
SAP
Technical Audit (IIA)
SAP™
R/3™ Concepts and Audit Risks (MISTI)
General SAP R/3 Security Administration
| Topic | File | Description |
| Sarbanes Oxley Compliance |
A
CD full of useful information from the Washington Meeting on
SOX |
Provided by basisbabe. THANKS! |
| Designing Roles |
Security
Design Concepts |
A presentation on responsibility of Security provided by Pandya, Snehal , nice system risk matrix. |
| Designing Roles |
Authorization
Design |
A presentation provided by Pandya, Snehal on role design. |
| Upgrade |
 SAP
Security Upgrade White Paper |
Upgrading to Role Based Profiles |
| SOD |
 Segregation of Duties
Matrix |
This was written by SAP and is based on transactions level authorizations |
| Business Warehouse |
bw30reportingauth.pdf |
Business Warehouse Security Overview |
| Business Warehouse |
bwauthconcepts_JUDI_1204.pdf |
Business Warehouse Security Overview |
| Business Warehouse |
 Training
Document for Learning BW Security |
I am writing this document as I
have time. Gary Morris |
| HR Structural Authorizations |
Structural
Authorizations Step By Step |
HR Security Doc by Norm and Carl provided by Amy Sue Lambermont. Thanks Amy! |
| Security Setup |
System
Parameters |
System Parameters related to security |
| Training Ids |
 Creating
Users Script
|
Step by Step Guide to setting up Training IDs and setting same password, Woo Hoo!! |
| RBE |
Using
the RBE Tool for Security |
A document from Larry Justice on How to use the RBE tool for Security |
| AIS |
AIS
Strategy.ppt |
A ppt on Implementing an AIS strategy for auditing. |
| Controls |
Configurable
Controls.ppt |
A ppt on configurable controls |
| ESS |
Security
for ESS.ppt |
a ppt on Security for Employee Self Service and Manager's Desktop |
| R/3 Security Overview |
SecurityFoundations.ppt |
A ppt on R/3 Security Foundational Information |
| R/3 Security Design |
Security
Design.ppt |
A PPT from Coke on R/3 Security Design |
| R/3 Security Overview |
Security
foundation.ppt |
A ppt on foundational R/3 security information |
| R/3 Security Overview |
SAP
Audit Information |
foundational R/3 security information |
| R/3 Security Overview |
SAP
Security |
|
| Security Tools |
Toolstocontrolrisk.ppt |
A PPT on tools to mitigate Risks in R/3 |
| Security Administration |
UserSecurityDelta.ppt |
A ppt on User & Security Administration for e-Procurement at Delta Air Lines |
| Security Administration |
 Authorizations
made easy 45A/B |
The Authorization Made Easy Guide for 45A/B |
| Workplace |
DWorkplacesecurity.ppt |
A ppt on Workplace Security |
|
SAP_System_Parameters.pdf |
||
| Workplace |
WorkplaceSSO.ppt |
A ppt on Workplace Single Sign On |
| User Buffers |
auth/new_buffering |
Info on auth/new_buffering |
| Authorization Objects |
User
Administration Authorizations |
Critical Authorization Objects that control User administration access |
| Third Party Tools |
BindviewSAPControl
overview.ppt |
Overview of the Bindview Control product |
| Third Party Tools |
bv_sap_sample_reports.ppt |
Sample Bindview Control Reports |
| Third Party Tools |
bv-ControlSAPds1.pdf |
Bindview Information |
| Third Party Tools |
bvcvsSAP.doc |
Bindview Information |
| Third Party Tools |
SAPCaseStudy.pdf |
Bindview Information |
| CUA |
CentralUserAdmin.ppt |
A ppt on Central User Administration |
| CUA |
Quick
run through of how to setup |
A quick list of how to setup CUA |
| CUA |
Central
User Administration |
A ppt on Central User Administration management |
| CUA |
Delta
Central User Admin.ppt |
A ppt of Central User Administration at Delta Airlines |
| CUA |
personeldevcua.pdf |
A pdf by P.M.V. Subba Rao |
| RBE |
STEPS
TO GENERATE RBE EXTRACT FILE |
Document on using the RBE tool to analyze transaction usage. |
| Security Audit Logs |
Format
of Security Audit Log Files |
|
| Security Audit Logs |
SECAUDLOGONLINE_EN.pdf |
SAP Manual on Security Audit Logs |
| Security Audit Logs |
 sec_audit_log_param.txt |
Setup Security Audit Logs |
| SAP Security Guide Ver 3 |
secguide.zip
(unzip and use index as starting page) |
The Official SAP Security Guide Version 3 |
| Security Audit Logs |
Security
Audit Logging with SM19 |
All the steps needed to setup Security Audit Logging |
| Security Audit Logs |
Security
Audit Log Filters SM19 |
SM19 Enabling Dynamic Filters for Security Audit Logs Example |
| Security Audit Logs |
Analyzing
Security Audit Logs |
SM20 Analyzing Security Audit Logs Examples |
| Security Audit Logs |
sap_note_135210_secAudLog.txt |
Why the Security Audit Logs lose their Settings when system reboots |
| Tips |
Resetting
SAP* |
ABAP Code for resetting SAP* password across all clients |
| SAP Security Guide Ver 3 |
sapsecurityguidever3.pdf |
|
| SAP Security Guide Ver 2 |
securtyguidever2vol3checklists.pdf |
SAP Security Checklists |
| Security Administration |
business_user_adm_mysap.pdf |
|
| Workplace |
Roles
workplace.ppt |
|
| CRM |
CRM_AUTH_20C.pdf |
|
| All Activities |
tact.xls |
Table TACT |
| Security Adminsitration |
Users_and_Roles_620.pdf |
|
| Designing Roles |
Security
Naming Convention |
|
| Secure OS |
SECUREOSSEN.pdf |
|
| Security Overview |
System
Security Overview.ppt |
SAP PRODUCT VENDORS
Realtime North America - vendor of BioLock, SAP certified biometric identity management system.
