Audit Security of SAP ERP
Audit Security of SAP ERP
In this four-day seminar, attendees will investigate the risks inherent in the SAP? application and review some of the most effective control opportunities one can configure or design into the application. We will cover the critical business processes required to ensure that SAP is working as intended and that processes/monitoring procedures support effective system control. We will review the risks and general control opportunities provided by SAP and examine the security and basis configuration settings necessary to support a strong control environment for the rest of the system.
We will pinpoint the risks related to default IDs, profile parameters, IMG configuration and maintenance, and segregation of duties. We will then drill down to core business processes, including the financial close cycle (supported by FI/CO), the order-to-cash cycle (supported by SD), the purchase-to-pay cycle (supported by MM), and the personnel management and administration cycle (supported by HCM). Within these modules attendees will review such critical configuration settings as field status groups, validation routines, posting and payment tolerances, stochastic blocking, dual control over sensitive fields, minimum pricing conditions and automatic credit checking. We will also cover the key risks and controls within inventory, asset management, production planning and other common areas supported by SAP.In addition, participants will explore where SAP is going with its SAP Governance, Risk and Compliance (GRC) suite of applications, and review the auditing and monitoring changes required to move down this path. You will learn how to structure your implementation or upgrade to avoid common audit issues post ?go-live.? We will delve into advanced auditing techniques supported by tools within the standard SAP application, including the Audit Information System (AIS) as well as advanced data analysis opportunities that can be provided by ACL, IDEA and, in some cases, the SAP suite itself. Attendees will leave this high-impact seminar with the know-how to assess your own system and provide recommendations for improving both SAP configuration and usage.
Note: The course materials are structured around SAP ECC 6.0, however the control risk content is generally applicable to all versions of SAP R/3 back to 4.6c.
This course is available on-site at your location, or offered through open enrollment in Chicago,IL, San Francisco,CA, Denver,CO, and Washington DC.
- SAP? Overview and Concepts, terminology, SAP naming conventions, ERP Central Component and NetWeaver Architecture, general SAP controls and risks
- SAP Audit Fundamentals, ERP systems: audit implications, high-level approach for auditing SAP, getting started, using a process-based approach, example audit recommendations and tips
- Basic Navigation for Auditors, getting started, running transactions and reports, selecting field values, browsing tables, reviewing configuration settings, Audit Information System (AIS)
- SAP Security, security overview and key risks, system parameters, other password-related settings, SAP Authorization Concept, key steps to auditing SAP security, security best practices
- SAP Administration and Change Control, Basis functional overview, ABAP/4 Workbench, Implementation Management Guide (IMG), Computer Center Management System (CCMS), Transport Management System (TMS), managing change: more than just transports, dealing with emergencies, key risks, primary audit activities, tips for achieving strong change management
- SAP Modules , FI: Financials, CO: Controlling, MM: Materials Management, SD: Sales and Distribution, PP: Production Planning, HCM: Human Capital Management, BI Business Warehouse, other modules
- FI: Financials and CO: Controlling Risks and Controls, configured control opportunities, other process-related controls, useful reports and security considerations
- MM: Materials Management Risks and Controls, configured control opportunities, other process-related controls, useful reports and security considerations
- SD: Sales and Distribution Risks and Controls, configured control opportunities, other process-related controls, useful reports and security considerations
- Other Modules (based on class interest), configured control opportunities, other process-related controls, useful reports and security considerations
- SAP Governance Risk and Compliance (GRC) Solutions, SAP Risk Management, SAP Access Control, SAP Process Control, SAP Global Trade Services, SAP Fraud Management, SAP Audit Management
- Advanced SAP Auditing Techniques, audit challenges in the SAP system, advanced audit tools within and outside SAP, transactional analysis opportunities, using advanced audit analytics tools: IDEA and ACL
- Implementations and Upgrades
The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.
If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.