SAP audit overview

The company asked every department to deliver internal training, so I prepared a session on SAP auditing. It has been four years since I last had anything to do with SAP operations. SAP audit is still a rather avant-garde topic: quite a few companies care about it, but auditors with limited capacity and experience cannot take it into account. It reminds me of how I came to be involved in this work, through the results achieved by the then director of the information department, which is really something to sigh about.

Let me start with the material left behind by HP's consultants in the first year of the project (ha):

1. SAP internal audit is divided into two categories: user authorization security and system security.

2. User authorizations:

2.1 SAP controls authorizations mainly through two mechanisms, roles and profiles. At the initial installation stage the system already contains a number of important system-defined roles and profiles. Once such a role or profile is assigned, its holder can perform the corresponding internal system-administration operations, which of course poses a very large risk to the entire system. They must therefore be used with caution from the beginning, and in line with the company's own management rules.

2.2 First, note the following profiles and what they grant:

SAP_ALL ----- all authorizations in the entire SAP system (does not include authorization objects created after the profile was generated)

SAP_NEW ----- authorizations for all newly created authorization objects in the system (typically after an upgrade)

S_A.ADMIN ----- SAP system operator authorizations

S_A.CUSTOMIZ ----- all Customizing (backend configuration) authorizations

S_A.DEVELOP ----- unrestricted development authorizations

S_A.SYSTEM ----- SAP system administration authorizations (superuser)

S_A.USER ----- authorizations to operate all business applications in the SAP system

2.3 The above profiles must be used in accordance with the following control strategy:

1) Keep the number of super-administrator users as small as possible.

2) When a new authorization function is needed, copy the relevant profile and then restrict and adjust the copy, rather than assigning the original profile, which introduces control weaknesses.

3) Separate the authorizations of administrators, business users and developers; do not mix their roles and profiles. System authorizations must be defined jointly by the business units and the audit department so that segregation-of-duties conflicts (incompatible duties held by one user) do not arise.

2.4 After SAP is installed there are a few special users which perform specific functions during the installation and setup phase. At the end of the setup phase the administrators must deal with them properly, since they all ship with well-known default passwords:

   1) SAP* ----- the initial system user, with all authorizations in the system

   2) DDIC ----- the user for system initialization and configuration, with all authorizations in the system

   3) SAPCPIC ----- communication user for connections between systems

   4) EARLYWATCH ----- user for system analysis (the EarlyWatch service)


2.5 ERP system security settings

SAP system administrator accounts are kept separate from database and operating-system administrator accounts;

SAP_ALL, SAP_NEW, S_A.ADMIN, S_A.CUSTOMIZ, S_A.DEVELOP, S_A.SYSTEM, S_A.USER and other high-privilege profiles must not be assigned to any ordinary user;

SAP*, DDIC and the other superusers are locked and no longer used. Their passwords are changed, and the user names and new passwords are sealed in an envelope and kept in the president's safe. These users stay locked under normal circumstances and are only enabled to repair the system after a catastrophic failure;

Account administrators must change account passwords every 90 days (three months); the new password must not be the same as any of the previous five; passwords must follow the letters-plus-digits principle and be at least eight characters long; after six failed logon attempts the system locks the account automatically until an administrator unlocks it (to have an ERP account unlocked, file the OA workflow "ERP-SAP system user account and authorization application"); a user who performs no operation for 30 minutes is logged off by the system;

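The checks in sections 2.2 to 2.5 can be run mechanically over a user export rather than by clicking through SUIM. The following is an added example, not part of the original post or of any SAP-delivered tool: it audits a constructed user list for the profile, default-user and password rules above. The list is assumed to come from a join of the USR02 lock and logon data with the UST04 user-to-profile assignments; the record fields, the emergency_account flag and the sha256 stand-in for the stored password history are this example's own assumptions, not SAP column names or hash formats.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Profiles from sections 2.2 and 2.5 that must not reach an ordinary user.
CRITICAL_PROFILES = frozenset({"SAP_ALL", "SAP_NEW", "S_A.ADMIN", "S_A.CUSTOMIZ",
                               "S_A.DEVELOP", "S_A.SYSTEM", "S_A.USER"})
# Users created at installation (section 2.4) that must be locked after setup.
DEFAULT_USERS = frozenset({"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"})

# Password policy from section 2.5.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 8
PASSWORD_HISTORY_DEPTH = 5
FAILED_LOGON_LOCK_THRESHOLD = 6


@dataclass(frozen=True)
class UserRecord:
    """One row of a constructed user export. Assumed to come from a join of
    USR02 (lock flag, failed logons, password date) and UST04 (profiles);
    the field names here are this example's own, not SAP column names."""
    name: str
    locked: bool
    failed_logons: int
    password_changed_on: date
    profiles: frozenset
    emergency_account: bool = False   # sealed break-glass account (section 2.5)


def audit_users(users, today):
    """Return (user, finding) pairs for every violation of the section 2 rules."""
    findings = []
    for u in users:
        critical = u.profiles & CRITICAL_PROFILES
        if critical and not u.emergency_account:
            findings.append((u.name, "critical profile(s) assigned: "
                             + ", ".join(sorted(critical))))
        if u.name in DEFAULT_USERS and not u.locked:
            findings.append((u.name, "default user is not locked"))
        if (today - u.password_changed_on).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((u.name, "password older than %d days"
                             % MAX_PASSWORD_AGE_DAYS))
        if u.failed_logons >= FAILED_LOGON_LOCK_THRESHOLD and not u.locked:
            findings.append((u.name, "failed-logon threshold reached but not locked"))
    return findings


def password_digest(password):
    # Stand-in for the stored password history; SAP's own hash format is not modelled.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(candidate, previous_digests):
    """Validate a proposed password against the section 2.5 rules.
    previous_digests lists digests of earlier passwords, newest first."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must contain both letters and digits")
    if password_digest(candidate) in previous_digests[:PASSWORD_HISTORY_DEPTH]:
        problems.append("matches one of the last %d passwords" % PASSWORD_HISTORY_DEPTH)
    return problems


# Constructed sample export; none of this is real system data.
AUDIT_DATE = date(2020, 3, 12)
SAMPLE_USERS = [
    UserRecord("SAP*", True, 0, date(2020, 1, 10), frozenset({"SAP_ALL"}), True),
    UserRecord("DDIC", False, 0, date(2020, 1, 10), frozenset({"SAP_ALL", "SAP_NEW"}), True),
    UserRecord("ZHANG.W", False, 2, date(2020, 2, 1), frozenset({"Z_FI_CLERK", "SAP_NEW"})),
    UserRecord("LI.H", False, 7, date(2019, 9, 1), frozenset({"Z_MM_BUYER"})),
]


def run_sample():
    return audit_users(SAMPLE_USERS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_sample():
        print("%-10s %s" % (user, finding))
```

On the sample data the script reports DDIC as an unlocked default user, ZHANG.W for holding SAP_NEW, and LI.H twice (stale password, and seven failed logons without a lock). The emergency_account flag is what lets the sealed SAP* and DDIC accounts keep SAP_ALL without being reported; in a real run that flag should come from the president's custody list, not from the export itself.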

3. System security

3.1 In enterprise operations the SAP production system is the foundation of the whole business. Any change to data, Customizing settings or system parameters has a huge impact on the data flows and business flows of the entire enterprise, so once the production system is live it must be subject to a strict change-control policy.

3.2 Production system security

1) In the SAP production system, set all company codes to the "productive" status by running OBR3, and verify that the setting is correct.

2) In the SAP production system, flag the client so that changes to programs and Customizing are not allowed; this is set with SCC4 (client settings) and SE06 (system change option).

3) In the SAP production system, all changes must arrive through the transport mechanism defined by the system's change policy; imports are controlled in STMS by transport request number.
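The three settings in 3.2 can be verified from a table export as well as by opening SCC4, SE06 and OBR3 interactively. The following is an added example, not part of the original post or of any SAP tool: it checks a constructed production-client record against the expected values. The field names and codes are this example's assumptions about the client table T000 (CCCATEGORY for the client role, CCCORACTIV for client-specific change recording, CCNOCLIIND for cross-client changes) and the company-code table T001 (XPROD, the flag OBR3 sets); the SE06 system change option is passed in as a plain boolean because its storage is not modelled here. Verify the codes against your release before relying on them.

```python
from dataclasses import dataclass

# Expected values for a production client, per section 3.2. The codes are
# this example's assumptions about T000 (the values behind the SCC4
# dropdowns) and should be verified on the target release.
PRODUCTION_ROLE = "P"            # CCCATEGORY: client role "Production"
NO_CHANGES_ALLOWED = "2"         # CCCORACTIV: "No changes allowed"
NO_CROSS_CLIENT_CHANGES = "3"    # CCNOCLIIND: no Repository / cross-client Customizing changes


@dataclass(frozen=True)
class ClientSettings:
    """Constructed stand-in for one T000 row (field names assumed)."""
    mandt: str
    cccategory: str
    cccoractiv: str
    ccnocliind: str


@dataclass(frozen=True)
class CompanyCode:
    """Constructed stand-in for one T001 row; xprod is the flag set by OBR3."""
    bukrs: str
    xprod: bool


def check_production_client(client, company_codes, system_modifiable):
    """Return a list of findings for a production client.
    system_modifiable: True if SE06 shows the system change option as 'Modifiable'."""
    findings = []
    if client.cccategory != PRODUCTION_ROLE:
        findings.append("client %s role is %r, expected %r (SCC4)"
                        % (client.mandt, client.cccategory, PRODUCTION_ROLE))
    if client.cccoractiv != NO_CHANGES_ALLOWED:
        findings.append("client %s allows client-specific changes (CCCORACTIV=%r, SCC4)"
                        % (client.mandt, client.cccoractiv))
    if client.ccnocliind != NO_CROSS_CLIENT_CHANGES:
        findings.append("client %s allows cross-client changes (CCNOCLIIND=%r, SCC4)"
                        % (client.mandt, client.ccnocliind))
    if system_modifiable:
        findings.append("system change option is 'Modifiable' (SE06)")
    for cc in company_codes:
        if not cc.xprod:
            findings.append("company code %s is not set to productive (OBR3)" % cc.bukrs)
    return findings


# Constructed sample data for a hypothetical production client 300.
SAMPLE_CLIENT = ClientSettings(mandt="300", cccategory="P",
                               cccoractiv="1", ccnocliind="3")
SAMPLE_COMPANY_CODES = [CompanyCode("1000", True), CompanyCode("2000", False)]


def run_sample():
    return check_production_client(SAMPLE_CLIENT, SAMPLE_COMPANY_CODES,
                                   system_modifiable=False)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

The sample client has the right role and blocks cross-client changes, but still records client-specific changes instead of forbidding them, and one company code was never set productive; those are the two findings. Running this against a real export is only a snapshot: SCC4 and SE06 can be reopened by anyone holding the relevant authorization, so the check belongs in the periodic review of 3.4, not only at go-live.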

3.3 SAP audit functions include:

• 1) user logon and process monitoring

• 2) change documents for changed data records

• 3) development records

• 4) system log file audit

• (From a security standpoint, since SAP stores the audit log as files on the SAP server, separating the SAP administrator from the OS administrator is what makes the audit log independent in any real sense.)


3.4 Basic monitoring strategy:

1) The system administrator carries out a routine check once a day, viewing the system through ST22, SM21, OY18, ST02 and ST04 to keep the daily operating state under control.

2) Every three days the system administrator monitors users' operations through STAT, uses SM20 for more detail, and uses SUIM to pick out inappropriate user operations.

3) The audit department can also review any action of the system administrator in detail through SM20; every two weeks it lists the administrator's actions in the system for monitoring.

3.5 System authorization audit specification

• The information audit specialist of the internal audit department has the authority to audit all accounts in the SAP system. The internal control department audits ERP system authorizations at least once a year; the audit results are reported to the information management unit and company leadership, and the related records are archived for inspection;

• Where management needs it, in particular where transactions need to be traced, a trace request is made and, after approval by the president, BASIS staff perform the trace and output the related trace information for audit by the internal control department's specialist;

• Every month the internal control department exports the information the auditors need to trace all user operations in the ERP system and archives it, ready for inspection;

Every week the internal control department's information audit specialist exports the operation trace of IT staff in the ERP system, analyses it, and reports the summary to company leadership and the information management department, with a copy to the company president and archived for inspection.

Origin blog.csdn.net/weixin_42137700/article/details/104814031