USING SAP SYSTEM CONFIGURATION SECURITY TEST TO
COMPLY WITH SARBANES-OXLEY ACT
Jen-Hao Tu
Internal Auditing, Taiwan Semiconductor Manufacturing Company, Li-Shin 6 rd, Hsin-Chu, Taiwan
Keywords: ERP, System Security, Sarbanes-Oxley Act, Configuration Management
Abstract: Most observers would agree that the Sarbanes-Oxley Act (SOA) is the single most important piece of
legislation affecting corporate governance, financial disclosure and the practice of public accounting. At
the same time, the SAP system is the most widely used ERP (Enterprise Resource Planning) system in the
world, made up of thousands of tightly linked components and subsystems, and conducting security tests in
such a complex ERP system remains a major challenge. Based on a study of SAP system configuration
security testing at the author's company, this work-in-progress paper discusses configuration security
weaknesses in the SAP system and suggests practical ways to strengthen the security controls of SAP in
order to comply with SOA.
1 INTRODUCTION
As a result of significant accounting scandals and their
subsequent negative effect on the stock market and on
stakeholder confidence, the Sarbanes-Oxley Act was
signed into law in the U.S. The Sarbanes-Oxley
legislation has established a new paradigm for
corporate accountability and has also created a new
standard for the implementation of an internal control
structure (Nelson, 2003). CEOs and CFOs must
therefore not only certify the financial statements but
also ensure the integrity of the data in the information
systems that produce them. It cannot be overemphasized
that system configuration security issues are now more
important than ever before.
2 LITERATURE REVIEW
2.1 ERP
ERP (Enterprise Resource Planning) systems are used to
track a company's financial, human resources, and
logistics data. They are an enterprise's nerve centre
for meeting stakeholders' requirements quickly. ERP
systems collect an enormous amount of information,
which is used from top management all the way down to
the line supervisors. Security over who can access the
information, and over who can change it, is a matter of
great concern. The security controls of the ERP
therefore need to be carefully evaluated and tested.
An ERP system not only handles thousands of
financial transactions daily; the enterprise must
also keep its financial statements in a form that
meets legal and regulatory requirements. Legal and
regulatory issues are always the baseline of
enterprise operation and management. One of the
critical success factors of a security test in the
SAP system is therefore whether the goal of the
authorisation control is linked to top management's
concerns.
2.2 SAP
SAP is a large ERP system that provides the complex
application software required to support the various
business processes of an enterprise. More than half of
the top 500 companies in the world use SAP software
(SAP AG Corporate Overview, 2002). The system is
made up of multiple modules that correspond to
business processes. In principle, SAP can be used as
the only system an enterprise needs to conduct
business. Any inappropriate security setting can
therefore have a snowball effect across many processes
(Sims, 2001; Kirk, 2001; Larson, 2000; Juergens, 1999).
The reasons why SAP security control is
different include (Security and Control for SAP R/3,
2000):
- SAP covers more business functions than any
other product on the market, which adds to the
complexity of security and control issues.
- SAP is complex, with thousands of configuration
tables and a multitude of alternatives.
- The integrated nature of SAP increases the risk
that design decisions made for one SAP module
have an unexpected adverse impact on other
modules.

Tu J. (2004). USING SAP SYSTEM CONFIGURATION SECURITY TEST TO COMPLY WITH SARBANES-OXLEY ACT.
In Proceedings of the Sixth International Conference on Enterprise Information Systems, pages 581-583.
DOI: 10.5220/0002653205810583. Copyright © SciTePress.
There are few research papers on ERP or SAP
security control, according to the statistics in
"Enterprise Resource Planning System Research:
An Annotated Bibliography" (Esteves and Pastor,
2001). Moreover, most of the security-related
papers concentrate on database-level security
(Riet, Janssen, and Gruitjer, 1998). This paper
therefore proposes a new approach to conducting
security tests in the SAP system, focusing on
application-level issues.
3 RESEARCH METHOD
The SAP security study was conducted in the system
environment of the author's company. The IMG
(Implementation Guide) function in SAP was used to
review the financially relevant configurations in the
SOA-related components, such as Financial Accounting,
Controlling, and Enterprise Consolidation. The system
architecture used in this research consists of the
following components:
- SAP version: R/3 Release 4.6C
- AIS version: 46D.1
- Database: Oracle 8.0.6.2.0
- OS: HP-UX 11.0
- Machine type: HP PA-RISC
3.1 Reset Company Code and Posted
Depreciation Test
The Reset Company Code and Reset Posted Depreciation
functions are key control points for the correctness
of the financial statements. If these configuration
activities are misused, the accounting entries will be
deleted and the financial reports could be wrong.
Protecting them is an essential security configuration
for ensuring correct financial statements, and it is
therefore the first step in protecting financial data.
Menu path 1 - Reset Company Code: Financial
Accounting → Asset Accounting → Preparing for
Production Startup → Tools → Reset Company Code.
Menu path 2 - Reset Posted Depreciation:
Financial Accounting → Asset Accounting →
Preparing for Production Startup → Tools → Reset
Posted Depreciation.
3.2 Create Asset Class Test
The asset class controls asset master data and the
depreciation calculation. The asset master data
includes the asset classification, cost center,
description, capitalization information and the
related invoice, goods receipt and purchase order.
The depreciation calculation is composed of the
depreciation key, depreciation method, depreciation
start date and depreciation area. If an asset class
is modified or created by unauthorized persons, it
will not only bias the decision making of senior
management but also cause incorrect financial
statements.
Menu Path 1 – Create Asset Class: Financial
Accounting → Asset Accounting → Asset Class →
Create Asset Class From GL (1 to 1).
3.3 Substitution and Validation Test
Substitution and Validation are powerful tools for
controlling mass data changes, whether in financial
postings or in master data changes for customers,
vendors, fixed assets, etc. However, if these
configurations are misused, the financial data could
be seriously damaged and all related transactions
would have to be reviewed or reposted.
Menu Path 1 – Define Substitution: Financial
Accounting → Asset Accounting → Master Data →
Define Substitution.
Menu Path 2 – Define Validation: Financial
Accounting → Financial Accounting Global Settings →
Document → Line Item → Define Validation.
3.4 Delete Transaction Data Test
The three tests in this section concern the
protection of production data. The SAP system
provides production start-up tools for system
implementation in the Financial Accounting,
Controlling and Enterprise Consolidation modules,
used to migrate data from the testing to the
production environment. However, these data cleansing
functions would also destroy production data if they
are not properly controlled.
Menu Path 1 – Delete FI Transaction Data:
Financial Accounting → Financial Accounting Global
Settings → Delete Transaction Data.
Menu Path 2 – Delete CO Transaction Data:
Controlling → General Controlling → Production
Start-Up Preparation → Delete Test Data → Delete
Transaction Data.
Menu Path 3 – Delete Consolidation Transaction
Data: Financial Accounting → Preparation for
Consolidation → Tool for Creating the Initial Data
Set → Transaction Data → Delete transaction data
from real time update.
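The four tests in Sections 3.1 to 3.4 all come down to the same question: who in the production client can actually reach each of these IMG activities? The following is an added example, not code from the paper or from SAP, that turns that question into a repeatable check over two role tables exported from R/3 (AGR_TCODES, the transactions contained in a role, and AGR_USERS, the role-to-user assignments with their validity dates). The CSV rows are constructed test data, and the transaction codes in CRITICAL_ACTIVITIES are this example's assumed mapping of the paper's menu paths to R/3 4.6C transactions; each must be verified in the target system before the check is relied on, and the consolidation deletion is left out until its code is confirmed.

```python
"""Added example (not from the paper): turn the paper's four configuration
tests into a repeatable check of who can reach each critical IMG activity.

Input mimics two R/3 tables exported to CSV (for example with SE16):
  AGR_TCODES: AGR_NAME, TCODE                      (transactions in a role)
  AGR_USERS : AGR_NAME, UNAME, FROM_DAT, TO_DAT    (role-to-user, validity)
The rows below are constructed test data, not an export of any real system.

ASSUMPTION: the transaction codes in CRITICAL_ACTIVITIES are this example's
mapping of the paper's menu paths to R/3 4.6C transactions; verify each one
in the target system (SPRO > Additional Information > Display Key) before
relying on it, and add the consolidation deletion once its code is confirmed.
"""
import csv
import io
from datetime import date

# Paper section -> assumed transaction code behind the IMG activity.
CRITICAL_ACTIVITIES = {
    "OABL": "3.1 Reset Company Code (Asset Accounting)",
    "OAGL": "3.1 Reset Posted Depreciation",
    "OAOA": "3.2 Define/Create Asset Class",
    "OBBH": "3.3 Define Substitution (FI)",
    "OB28": "3.3 Define Validation (FI line item)",
    "OBR1": "3.4 Delete FI Transaction Data",
    "OKC3": "3.4 Delete CO Test/Transaction Data",
}

# Constructed sample exports. ACCT02 and CONSULT01 hold expired assignments.
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_FI_CLOSING,FB50
Z_FI_CLOSING,OABL
Z_BASIS_ALL,OBR1
Z_BASIS_ALL,OKC3
Z_AA_CONFIG,OAGL
Z_AA_CONFIG,OAOA
"""
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_FI_CLOSING,ACCT01,20030101,99991231
Z_FI_CLOSING,ACCT02,20030101,20031231
Z_BASIS_ALL,BASIS01,20030101,99991231
Z_AA_CONFIG,CONSULT01,20020601,20021231
"""


def parse_export(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def sap_date(yyyymmdd):
    """SAP stores dates as YYYYMMDD strings; 99991231 means 'unlimited'."""
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))


def users_per_tcode(tcode_rows, user_rows, today):
    """Map each transaction to the users whose role assignment containing it
    is valid on `today`. Expired or not-yet-active assignments are ignored,
    which is the edge case a naive join of the two tables gets wrong."""
    tcodes_by_role = {}
    for row in tcode_rows:
        tcodes_by_role.setdefault(row["AGR_NAME"], set()).add(row["TCODE"])
    access = {}
    for row in user_rows:
        if not sap_date(row["FROM_DAT"]) <= today <= sap_date(row["TO_DAT"]):
            continue
        for tcode in tcodes_by_role.get(row["AGR_NAME"], ()):
            access.setdefault(tcode, set()).add(row["UNAME"])
    return access


def audit_critical_access(access, approved):
    """Return (tcode, description, unexpected users) for every critical
    activity reachable by someone not on its approved list. In a production
    client the approved list is normally empty: nobody should hold these."""
    findings = []
    for tcode, description in CRITICAL_ACTIVITIES.items():
        unexpected = access.get(tcode, set()) - approved.get(tcode, set())
        if unexpected:
            findings.append((tcode, description, sorted(unexpected)))
    return findings


def run_example(audit_date="20040301"):
    """Run the check over the constructed exports as of a fixed audit date."""
    access = users_per_tcode(parse_export(AGR_TCODES_CSV),
                             parse_export(AGR_USERS_CSV), sap_date(audit_date))
    return audit_critical_access(access, approved={})


if __name__ == "__main__":
    for tcode, description, users in run_example():
        print(f"{tcode} ({description}): reachable by {', '.join(users)}")
```

On the sample data the check reports OABL for ACCT01 and OBR1/OKC3 for BASIS01, while the expired assignments of ACCT02 and CONSULT01 are correctly ignored. AGR_TCODES only lists the transactions placed in a role's menu, so a complete audit must also read the S_TCODE values of the generated profiles (table AGR_1251), resolve composite roles (AGR_AGRS) and directly assigned profiles, and, because the same IMG nodes can be opened from SPRO, review table-maintenance authorizations (S_TABU_DIS) on the underlying customizing tables.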
4 CONCLUSIONS
This work-in-progress paper explores four critical
configurations and identifies the risks that arise
from weak control over them. Whatever risks system
configuration management may face, tightening the
authorization control over these weak points is a
practical method of preventing data damage and
ensuring the integrity of the financial statements.
REFERENCES
Esteves, J. and Pastor, J., 2001. Enterprise Resource
Planning System Research: An Annotated
Bibliography. Available: http://www.imm.ecel.uwa.edu.au/.
Juergens, M., 1999. SAP Security. Paper presented at the
Spring Conference of the ISACA, Los Angeles, USA.
Kirk, L. A., 2001. Securing Information within SAP V4.6b.
Available: http://rr.sans.org/casestudies/SAP.php.
Larson, G., 2000. Auditing SAP R/3. Paper presented at
the Spring Conference of the ISACA, Los Angeles,
USA.
Nelson, D., 2003. Overview of Sarbanes-Oxley and
mySAP Financials Tools. Paper presented at the 2003
SAP Financial Management & Business Analysis
Forum, Dallas, Texas, USA. Available:
http://files.asug.com/asug/fmbasoa.pdf (www.asug.com).
Last accessed 31 October 2003.
SAP AG Corporate Overview, 2002. Available:
http://www.sap.com/.
Security and Control for SAP R/3, 2000. Available:
http://www.anao.gov.au.
Sims, M. E., 2001. Technical Aspects of
Implementing/Upgrading SAP Security 4.6. Available:
http://rr.sans.org/authentic/SAP_sec.php.