SAP Audit Guidelines R/3
Release 3.0D
1.4
Audits
1.4.1
Responsibilities
Current 2/20/97
Author` AK REV
Page 14
You must acquire an overview of the total system responsibilities and of responsibilities involving: - Critical data and tables, - Authorizations, - Programs, and - Interfaces, as well as changes to these elements. The overview will be expanded and enhanced as the audit proceeds. 1.4.2
Systems in use (testing, ..., live) Using transaction SE06 "Setting Up the Correction and Transport System," determine which systems are currently deployed and, of these, which are used for production, development and/or testing purposes, and which are used for acceptance and/or training purposes. In the productive system (whose audit is the focus of the presentation below) use Table T000 in Client 000 to identify which clients are active in this installation. First determine which system in which client contains the: -
Production clients Test clients
For information on connections with other systems (i.e. SAP R/2), see Chapters 3, "Correction and Transport System" and 6 "Batch Input Interfaces." 1.4.3
Authorization and user menu for the auditor The auditor should be granted direct access to the system, including all authorizations listed in section 1.5. In granting access to personal data, care should be taken to ensure compliance with data security requirements and any existing contractual or business agreements. Restricting auditors’ authorization to display only should be sufficient to guarantee that the auditor may not and cannot make any changes to data.