TIP OF THE DAY: LIMIT VISIBILITY TO CERTAIN FINANCIAL YEARS

Posted by Klea Duro on Feb 10, 2023 8:15:00 AM

For many companies using SAP (if not all of them) it is perfectly normal to undergo inspections by external entities, especially for the auditing of balance sheet data.


A common practice is to enable everything for the auditors, and from the perspective of maximum transparency this could certainly make sense. But is it possible to evaluate or reason differently? Continue reading...

 

Financial Audit

For example, in the case of a financial audit or a financial statement audit, third-party companies must have access to the company's information system to view financial data.

 

What authorizations must be provided during an audit?

In the case of SAP systems, where it is possible (especially in the ERP system) to define authorizations, and thus technical permissions, very precisely, there can be multiple approaches.

 

Clearly it is also necessary to assess what type of audit is being conducted. Are we talking about an IT audit (perhaps to audit ITGC controls) or a business audit? Or even other types of audit, e.g. GxP, etc.?

 

From the most permissive to the most stringent:

  1. I enable everything (similar to SAP_ALL)
  2. I enable everything in view-only (is there a view-only role in SAP?)
  3. I enable everything in view-only but only on certain areas
  4. I enable individual features (SAP transactions) by segregating them for certain aspects

 

Some aspects and reasoning of this type could also apply to different scenarios such as, for example, system carve-outs.

 

But is it possible to segregate SAP data by fiscal years?

This specific scenario is addressed by a specific German regulation (the German tax reduction law, StSenkG). The "translation" of the regulation into SAP is described in section 5 of the following document produced by the German SAP user group, i.e., it shows how to implement it in SAP.


The document, however, is no longer accessible on the German DSAG group's site.


 

But you can find the description of the feature on the SAP Help site (click here).

 

This feature is therefore designed to segregate access for auditors (a limited number of users) and only on certain activities, so it may not be applicable in every such case.

 

What are the steps to test it?

  1. Insert one or more users into a group (via the TPC2 transaction)

    (Screenshot: TPC2, user group)

  2. Insert the programs to be audited

    (Screenshot: TPC2, programs)

  3. Insert the financial period

    (Screenshot: TPC2, period)

  4. Then try to execute a transaction related to the programs above (even with SAP_ALL) for a period other than the authorized one (e.g., year 2015)

 

(Screenshot: financial periods error)
A specific error is shown, unlike the query made on the year 2017, where the various information can be retrieved.
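As an added illustration (not code from the post, and not SAP's implementation), the following Python model replays the test above: users placed in an audit group, a set of audited programs and an authorized period, with the check layered on top of the ordinary profile check so that SAP_ALL does not bypass it. The user ids and the program names are constructed values.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class AuditPeriodCheck:
    """Constructed model of the three TPC2 maintenance steps described in the post."""
    audit_users: set[str] = field(default_factory=set)       # step 1: users placed in the audit group
    audited_programs: set[str] = field(default_factory=set)  # step 2: programs subject to the check
    allowed_from: date = date.min                            # step 3: authorized financial period
    allowed_to: date = date.max

    def check(self, user: str, program: str, posting_date: date) -> tuple[bool, str]:
        """Return (allowed, reason). Only group members running listed programs are restricted."""
        if user not in self.audit_users:
            return True, "user not in audit group: period check not applied"
        if program not in self.audited_programs:
            return True, "program not in audited set: period check not applied"
        if self.allowed_from <= posting_date <= self.allowed_to:
            return True, "posting date inside authorized period"
        return False, (f"posting date {posting_date.isoformat()} outside authorized period "
                       f"{self.allowed_from.isoformat()}..{self.allowed_to.isoformat()}")


def authorize(cfg: AuditPeriodCheck, user: str, profiles: set[str],
              program: str, posting_date: date) -> tuple[bool, str]:
    """Two layers: the ordinary profile check first, then the period check on top.
    A broad profile such as SAP_ALL satisfies the first layer but cannot bypass the second."""
    if "SAP_ALL" not in profiles and program not in profiles:
        return False, "no authorization for program"
    return cfg.check(user, program, posting_date)


def run_scenario() -> dict[str, bool]:
    """Replays the post's test: year 2017 is authorized, year 2015 is not, even with SAP_ALL."""
    cfg = AuditPeriodCheck(
        audit_users={"AUDITOR01"},             # constructed user id
        audited_programs={"ZFI_DOC_JOURNAL"},  # constructed program name
        allowed_from=date(2017, 1, 1),
        allowed_to=date(2017, 12, 31),
    )
    sap_all = {"SAP_ALL"}
    return {
        "auditor_2017": authorize(cfg, "AUDITOR01", sap_all, "ZFI_DOC_JOURNAL", date(2017, 6, 30))[0],
        "auditor_2015": authorize(cfg, "AUDITOR01", sap_all, "ZFI_DOC_JOURNAL", date(2015, 6, 30))[0],
        # a program outside the audited set is not period-restricted
        "auditor_other_program": authorize(cfg, "AUDITOR01", sap_all, "ZFI_OTHER", date(2015, 6, 30))[0],
        # a user outside the audit group is not affected at all
        "accountant_2015": authorize(cfg, "ACCOUNTANT01", sap_all, "ZFI_DOC_JOURNAL", date(2015, 6, 30))[0],
    }
```

The last two entries show the two boundaries of the feature the post points out: it only bites for users in the group and only for the programs that were entered.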

 

For further information, consult the following OSS notes:

 

The aspects related to financial statement certification require that the technical configuration logic of the system (e.g., roles, profiles, authorizations, and configurations) also be handled in the correct way.

 

Conclusions

How applicable might this functionality really be in contexts other than the countries covered by the legislation? Probably not much, although it concerns a small group of users (primarily that of external auditors).

 
