topic Re: SAP Audit Reasoning in Application Development and Automation Discussions

SAP Audit Reasoning

Former Member — Tue, 07 Oct 2008 14:05:10 GMT

Good Morning,

I have a question for anyone in regards to SAP Audit books and the list of tables it supplies. I recently took a job as Internal Controls. I was asked to find out if we are loggin the following list of tables:

Table Name Description

X-DD02V List of tables and descriptions

SREPOATH ABAP program and authorization groups

X-T000 Clients

T001 Company codes

T001B Fiscal periods for company codes

TACT Activities that can be protected

TACTT Activities that can be protected, with descriptions

X-TACTZ Authorization objects and valid activities

X-TBRG Authorization objects and authorization groups

X-TBRGT Authorization objects and authorization groups, with descriptions

TCURR Foreign currency exchange rates

X-TDDAT Table authorization groups

X-TOBJ Authorization objects

X-TOBJT Authorization objects and descriptions

X-TOBC Authorization object class

X-TOBCT Authorization object class, with description

TPGP ABAP program authorization groups

X-TRDIR ABAP program and authorization group

X-TSTC Transaction listing

X-TSTCA Values for transaction code authorizations

X-TSTCT Transactions with description

X-TCESYST Correction and transport system configuration tables

X-TASYS Correction and transport system configuration tables

X-TDEVC Correction and transport system configuration tables

USR01 User Master Records

USR02 User ID and passwords

USR03 User address data

USR04 User master authorizations

USR05 User master parameter ID

USR06 Additional data per user

USR07 Objects/values of last failed authority check

USR08 Table for user menu entries

USR09 Entries for user menus (work areas)

USR10 User master authorization profiles

USR11 User master profiles and descriptions (for USR10)

USR12 User master authorization values

USR13 Authorization descriptions

USR30 Additional information for user menu

X-USR040 Impermissible passwords

USH02 Change history for logon data

USH04 Change history for authorizations

USH10 Change history for authorization profiles

USH12 Change history for authorization values

USOBT Transaction codes and authorization object, with value fields

USOBX Transaction codes and authorization object, with value fields

I know many of these but my question is... why does an audit book tell you to log some of these. I don't get it. I do searches on many of these tables looking for a good reason to log some of these tables and find nothing but this is how to run an audit. Why is the USR01 relievent? many auditors use this list since most follow an SAP audit books since they are not SAP people doing the audit.

I have put an "X-" in front of the ones that make some sense to me but why the others... and what are the SAP people suppose to review in the tables... Like the USR01, if a person changes there name we need to see that... why? Or the USOBT and USOBX tables... these are only used upon profile generator and no one should be generating a profile in PRD...

Any help would be greatly appreciated.

Kind Regards,

Paul

Re: SAP Audit Reasoning

Former Member — Tue, 07 Oct 2008 14:28:32 GMT

There are different types of logging.

Table change logging => SE13.

USR* change documents => USH* tables (similar to master data change documents).

Business Change Doucments => SU8* tcodes which have user as well as Archived USH* data.

Auditors often only know about the 1st one and mistake it for the others.

Typically, you can only influence the first one (SE13, log data changes).

> Why is the USR01 relievent? many auditors use this list since most follow an SAP audit books since they are not SAP people doing the audit.

That sounds like a recipe for misunderstandings, as interpreting SAP tables and single fields of them can be confusing (when it differs from the program's use of them), or even obsolete in some cases...

Hope that helps you define the question and concepts better..

Cheers,

Julius

Re: SAP Audit Reasoning

Former Member — Fri, 17 Oct 2008 15:12:34 GMT

Julius,

Thank you for your assistance. I appologize for not getting back to you more quickly. This helps me explain to others the flaws that I see in there current monitoring of tables.

Have a Great Weekend!

Paul

Re: SAP Audit Reasoning

Former Member — Sat, 18 Oct 2008 19:02:32 GMT

User data resides in table usr01-usr31. This can be used as a quick and dirty way to obtain any user data. All these tables basically shows the current user related details.

USH* data shows all the changes made with the existing user records. For ex: if you one user gets changed with

reseting passwords

roles/profile changes

lock status and etc.

To know more details about why these tables are mainly used for SAP Security, please visit http://sap.service.com/security.

Regards

Anandm

Re: SAP Audit Reasoning

Former Member — Tue, 21 Oct 2008 18:55:51 GMT

Anand,

Thank you for your response. I actually understand SAP security, I have the SAP Security certification. My questions revolves around why they would be monitored and why they would be a Audit concerns. I have been looking at some SAP Audit books and I keep seeing these tables listed as ones needed to be monitored, but not one of the books actually explain how or why. From my Basis and Security background I found that Audit does this a lot, throwing a question or a request out there but not explaining what they mean or what they want. Now that I am in the position to request this information I want to still know why. I dont want to ask some poor SAP Basis/Security person without being able to explain to him/her what I actually want or mean.

I do understand the USH are the logs and the USR tables hold user data. I have looked at them both in the past. but my question as just stated is WHY. Can you give me an example of how this could be of financial impact? Also how would a Auditor look at these tables. do they want to know who is making changes to the tables... direct access to edit these tables...

I am sorry to say but I can still see no need to monitor the USR tables. As the changes to the user information that is most relevant is logged in the USH tables. and as for access to the USH tables that can just be monitored by S_TABU_DIS and the ush tables (or auth group).

Have a great day and thank you again for responding.

Kind Regards,

Paul