SAP Audit Guide - Financial Accounting - Layer Seven Security
SAP Audit Guide - Financial Accounting - Layer Seven Security
SAP Audit Guide - Financial Accounting - Layer Seven Security
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>SAP</strong> <strong>Audit</strong> <strong>Guide</strong><br />
for <strong>Financial</strong> <strong>Accounting</strong>
This audit guide is designed to assist the<br />
review of financial reporting processes that<br />
rely upon automated functions in <strong>SAP</strong><br />
systems.<br />
The specific areas examined in this guide are relevant<br />
configurables, transactions, authorizations and reports<br />
in the General Ledger (GL), Asset <strong>Accounting</strong> (AA) and<br />
Bank <strong>Accounting</strong> (BA) components of the <strong>SAP</strong><br />
<strong>Financial</strong> <strong>Accounting</strong> module.<br />
The guide provides instructions for assessing <strong>SAP</strong><br />
application-level controls in the following areas of<br />
financial statement audits:<br />
Reporting Structure<br />
Chart of Accounts<br />
Journal Entry Posting<br />
Period End Close<br />
Foreign Currency Translation<br />
Inter-company Transactions<br />
Asset Management and Reporting<br />
Cash Management<br />
The guide is delivered using clear, non-technical terms<br />
to enable financial and operational auditors to<br />
successfully navigate the complexities of <strong>SAP</strong> security.<br />
Other volumes of this guide deal with <strong>SAP</strong> controls in<br />
areas such as Revenue, Inventory, Expenditure, Human<br />
Resources and Basis.<br />
Reporting Structure<br />
The financial reporting structure in <strong>SAP</strong> is determined<br />
by the organization of reporting units known as<br />
company codes. There can be multiple company<br />
codes within organizations with each code<br />
corresponding to a unique economic entity.<br />
<strong>Financial</strong><br />
<strong>Accounting</strong><br />
<strong>SAP</strong> <strong>Audit</strong> <strong>Guide</strong><br />
Reporting entities in differing countries should have<br />
unique company codes since they may be subject to<br />
divergent accounting and tax requirements. Each<br />
company code has one domestic currency and up to<br />
two additional currencies to support financial reporting<br />
in multiple currencies.<br />
Company codes must be set to productive to prevent<br />
the deletion of transactional data. This can be verified<br />
through transaction code OBR3 or Table T001 through<br />
transaction SE16.
2<br />
The company code structure should correspond to the<br />
legal reporting requirements of the company under review.<br />
The appropriateness of the structure should be reviewed<br />
through the menu path IMG> Enterprise Structure><br />
<strong>Financial</strong> <strong>Accounting</strong>> Define Company, transaction OX15<br />
or table T880 (note that IMG can be accessed through<br />
transaction SPRO).<br />
Relevant global parameters in IMG should also be<br />
reviewed. This includes areas such as Country Keys,<br />
Currencies, Controlling Areas, Credit Control Areas, Fiscal<br />
Year Variants, Sales and Purchasing Organisations,<br />
Business Areas and Plants, and Cost and Profit Centers<br />
(IMG> Enterprise Structure> <strong>Financial</strong> <strong>Accounting</strong>> Global<br />
Settings> Company Code> Global Parameters).<br />
Access to transactions such as OXO2 (edit company code)<br />
and EC01 (copy, delete and check company code) and the<br />
client configuration table T001 should be based on role<br />
requirements. Other critical transaction codes are listed in<br />
the Table A.<br />
TRANSACTION DESCRIPTION<br />
OB37<br />
Assign Company Code to a Fiscal<br />
Year Variant<br />
OBB9<br />
Assign Posting Period Variants to<br />
Company Code<br />
OKBD<br />
Define Functional Area<br />
OXO3<br />
Define Business Area<br />
FM_FUNCTION Define Functional Area<br />
OXO6<br />
Maintain Controlling Area<br />
KEP8<br />
Create Operating Concern<br />
Table A: Company Code Transactions<br />
TRANSACTION<br />
OX16<br />
OB38<br />
OF18<br />
OX19<br />
OX18<br />
OVX3<br />
OX01<br />
OH05<br />
OBB5<br />
OBY6<br />
DESCRIPTION<br />
Assign Company Code to Company<br />
Assign Company Code to Credit<br />
Control Area<br />
Assign Company Code to <strong>Financial</strong><br />
Management Area<br />
Assign Company Code to<br />
Controlling Area<br />
Assign Plant to Company Code<br />
Assign Sales Organization to<br />
Company Code<br />
Assign Purchasing Organization to<br />
Company Code<br />
Assignment of Personnel Area to<br />
Company Code<br />
Cross-System Company Codes<br />
Enter Global Parameters<br />
Chart of Accounts<br />
The chart of accounts is the container for General Ledger<br />
(GL) accounts and the basis for journal entry posting and<br />
financial reporting. Chart of Accounts can be company<br />
code specific or cover multiple companies in a single <strong>SAP</strong><br />
client. GL accounts are assigned to specific groups<br />
determined by account type. The field status for account<br />
information and the numbering interval is determined at the<br />
group level.<br />
The configuration of all or a sample of account groups<br />
should be reviewed to assess which fields are required,<br />
optional, displayed or suppressed during the creation of a<br />
new account and to ensure that account numbering follows<br />
a logical and consistent policy. This can be performed<br />
through the menu path General Ledger <strong>Accounting</strong>> G/L<br />
Accounts> Master Data> Preparations> Define Account<br />
Group or transaction OBD4.<br />
The structure of the Chart of Accounts should also be<br />
reviewed through transaction FSP3 to assess account<br />
groupings and identify the appropriate use of control<br />
accounts for AP and AR. The latter are known as<br />
reconciliation accounts and are updated automatically. In<br />
other words, <strong>SAP</strong> does not allow manual journal postings<br />
against such accounts. This can be performed through<br />
transactions KALE and OK17.
3<br />
Changes to the chart of accounts should be identified<br />
through report RFSABL00, accessible through transaction<br />
SA38. Alternatively, changes can be isolated through<br />
transactions FS04, FSP4 and FSS4. A sample of changes<br />
should be examined for evidence of approval,<br />
documentation and testing.<br />
Access to <strong>SAP</strong> functions that enable users to create,<br />
modify or delete GL accounts should be restricted and<br />
based on business need. This should include transactions<br />
in Table B with authorization objects F_SKA1_KTP and<br />
F_SKA1_BUK and activity levels 01 (create), 02 (change),<br />
05 (block) or 06 (mark for deletion).<br />
Journal Entry Posting<br />
<strong>SAP</strong> is preconfigured with hundreds of document types for<br />
purchase orders, customer invoices, good receipts and<br />
many other transactions. Each document type has a<br />
unique 2 or 3 letter identifier and a specific numbering<br />
range. Particular attention should be paid to the GL<br />
account assignments for <strong>SAP</strong> documents since<br />
transactional data is automatically posted by the system<br />
based on the assignments defined in the system<br />
configuration. These should be reviewed through<br />
transactions OBA7 (Define Document Types) and OB41<br />
(Posting Keys). Samples selected for review should include<br />
custom documents which are more likely to have<br />
assignment errors than standard <strong>SAP</strong> documents.<br />
TRANSACTION<br />
FS01<br />
FS02<br />
FS00<br />
FS05<br />
FS06<br />
FSS1<br />
FSS2<br />
FSP0<br />
FSP1<br />
FSP2<br />
FSP5<br />
DESCRIPTION<br />
Create Master Record<br />
Change Master Record<br />
G/L Acct Master Record Maintenance<br />
Block Master Record<br />
Mark Master Record for Deletion<br />
Create Master Record in Company<br />
Code<br />
G/L Acct Master Record in Chart/<br />
Accts<br />
Create G/L Acct Master Record in<br />
Chart/Accts<br />
Cross-System Company Codes<br />
Change G/L Acct Master Record in<br />
Chart/Accts<br />
Block Master Record in Chart / Accts<br />
Monetary limits for journal entries, cash discounts, payment<br />
or receipts differences should be defined for document<br />
types. These can vary by company code and employee<br />
group. Tolerance levels should be reviewed through<br />
transactions OBA4 and OB57. This should include clearing<br />
procedures for critical accounts such as GR/IR.<br />
<strong>SAP</strong> should also be configured to control posting to prior<br />
periods even though the system is capable of keeping<br />
open multiple periods at the same time. This is performed<br />
through rules defined in Posting Period Variants, part of the<br />
<strong>Financial</strong> <strong>Accounting</strong> Global Settings. Note that back<br />
posting settings in Logistics can also be configured to allow<br />
posting to prior periods. Both of these areas should be<br />
reviewed in the IMG.<br />
<strong>SAP</strong> Business Workflow is used by many companies to<br />
review values and account assignments prior to posting<br />
journal entries. If enabled, the relevant settings for workflow<br />
variants, company codes, and approval paths and groups<br />
should be examined under <strong>Financial</strong> <strong>Accounting</strong> Global<br />
Settings> Document> Document Parking. This should<br />
include a review of fields that would cause a release to be<br />
revoked if changed after approval, which would lead to the<br />
restart of the release procedure.<br />
Mark Master Record for Deletion in<br />
FSP6<br />
Chart/Accts<br />
Table B: GL Account Transactions<br />
BusinessObjects Planning and Consolidation (BPC) and<br />
BusinessOne should be configured to block unbalanced<br />
journal entries. In the former, this can be verified through<br />
the JRN_BALANCE parameter. The parameter should be<br />
set to 1 (Journals need to be balanced). The default value is<br />
0 (Journals need not be balanced). In the latter, the field for<br />
Block Unbalanced Journal Entry should be checked in<br />
Administration> System Initialization> Document Settings><br />
Journal Entry.
BPC should be configured to block<br />
unbalanced journal entries through the<br />
JRN_BALANCE parameter<br />
4<br />
The ability to create, change, delete and reverse journal<br />
entries should be restricted to authorized employees. This<br />
includes transactions in Table C with authorization objects<br />
with the prefix F_BKPF_ and suffix BUK, KOA, GSB, and<br />
BLA and activity levels 01 (create/ enter), 02 (change), 06<br />
(delete) and 77 (pre-enter/ park).<br />
TRANSACTION<br />
FB08<br />
FB02/ FB09<br />
FBL4<br />
DESCRIPTION<br />
Reverse Document<br />
Change Document<br />
Change G/L Account Line Items<br />
TRANSACTION<br />
DESCRIPTION<br />
F-03/ FB1S<br />
Clear G/L Account<br />
F-02 Enter G/L Account Posting<br />
F-21/ F-42 Enter Transfer Posting<br />
FB01/ FBR2 Post Document<br />
FB05<br />
Post with Clearing<br />
FB11<br />
Post Held Document<br />
FB21<br />
Enter Statistical Posting<br />
FBV1<br />
FBV2<br />
FBV4<br />
FBD1<br />
FBD2<br />
Park Document<br />
Change Parked Document<br />
Change Parked Document Header<br />
Enter Recurring Entry<br />
Change Recurring Entry<br />
FB50<br />
FBV0/ FBVB<br />
FBR1<br />
F.81<br />
FB08<br />
G/L Account Posting<br />
Post Parked Document<br />
Post with Reference Document<br />
Reverse Accrual Deferral Document<br />
Code<br />
Reverse Document<br />
F.14 Execute Recurring Entry<br />
F.56 Delete Recurring Entry<br />
Table C: Journal Entry Transactions<br />
F.80 Mass Reversal of Documents
5<br />
Period End Close<br />
The period end close process extends across many<br />
different <strong>SAP</strong> applications including SD, MM and PP.<br />
However, the majority of steps are performed within the FI<br />
and CO area. <strong>Audit</strong> procedures for the process should be<br />
tuned for each specific client since the process varies<br />
between organisations. As a guide, Table D lists the <strong>SAP</strong><br />
transactions commonly used during the period end close<br />
process in sequential order.<br />
Together with the transactions listed in Table D, user<br />
access to <strong>SAP</strong> functions that control the opening and<br />
closing of financial periods should be tightly controlled.<br />
This should include transaction OB52 (opening and<br />
closing FI posting periods) and OBBP (define variants for<br />
open posting periods) with authorization object<br />
S_TABU_DIS and activity level 02 (change).<br />
TRANSACTION DESCRIPTION<br />
FBD1<br />
Enter Recurring Document<br />
F-03 Manual Clearing General Ledger<br />
F-32<br />
Manual Clearing Accounts<br />
Receivable<br />
F-44 Manual Clearing Accounts Payable<br />
FB50<br />
Post Adjustment Entries<br />
FAGL_FC_VAL Foreign Currency Revaluation<br />
AIAB<br />
Order Settlement (Asset Under<br />
Construction)<br />
TRANSACTION<br />
DESCRIPTION<br />
AFAB<br />
Depreciation Run<br />
S_BCE_680001<br />
74<br />
Update Exchange Ranges<br />
ASKBN<br />
FB50<br />
Periodic Asset Posting<br />
Automatic GR/IR Clearing<br />
VL10/ VL10A<br />
Ensure Movements are complete<br />
KSA3<br />
Accrual Calculation<br />
MIRO<br />
Record Purchase Order related AP<br />
Transactions<br />
MRN0<br />
CK11N<br />
Stock Valuation<br />
Inventory costing<br />
MRBR<br />
Release Blocked Invoices<br />
CK24<br />
Price Update<br />
VXF3<br />
MMPV<br />
OB52<br />
CJ8G<br />
KKS1<br />
CO88<br />
CO02<br />
Release Billing Documents for<br />
<strong>Accounting</strong><br />
Open Period for Material Master<br />
Records<br />
Open and Close Posting Periods<br />
Calculation of Work In Process<br />
(WIP)<br />
Prod. and Process Order Variance<br />
Calculation<br />
Settlement PP Order<br />
PP Order (close)<br />
FB50<br />
Stock value adjustment<br />
ENGR<br />
Create Intrastat / Extrastat periodic<br />
declaration<br />
S_ALR_870123<br />
57<br />
Advance Return for Tax on Sales/<br />
Purchases<br />
FB41<br />
Post Tax Payable<br />
F.52 Balance Interest Calculation<br />
Table D: Period End Close Transactions
6<br />
TRANSACTION<br />
S_ALR_87012289<br />
S_ALR_87012287<br />
FF7A<br />
OB52<br />
KE30<br />
S_ALR_87012284<br />
S_ALR_87005830<br />
CK40N<br />
DESCRIPTION<br />
Compact Document Journal<br />
Document Journal<br />
Cash Position & Liquidity Forecast<br />
Open and Close Posting Periods<br />
Run Profitability Report<br />
<strong>Financial</strong> Statements<br />
Controlling Maintain Versions<br />
Costing Run<br />
Asset Management and Reporting<br />
The <strong>Financial</strong> <strong>Accounting</strong> Asset <strong>Accounting</strong> (FI-AA)<br />
component is responsible for managing fixed assets in<br />
<strong>SAP</strong> ERP. It serves as a subsidiary ledger to the FI GL,<br />
providing detailed information on transactions involving<br />
fixed assets. AA integrates directly with other FI<br />
components such as Materials Management (MM) and<br />
Plant Maintenance (PM) and manages assets reporting<br />
from acquisition to disposal or retirement. The component<br />
also tracks, depreciates and reports upon leased assets<br />
and assets under construction.<br />
Asset classes in <strong>SAP</strong> should be configured in line with<br />
country-specific requirements. Therefore, asset classes<br />
and the associated descriptions should be reviewed<br />
through transaction OAOA (define asset classes).<br />
S_ALR_87008275<br />
Define Percentage Overhead<br />
(actual)<br />
AFAR<br />
Recalculating Values<br />
ABST2<br />
Account Reconciliation<br />
AJRW<br />
Fiscal Year Change<br />
AJAB<br />
Year-end closing Asset <strong>Accounting</strong><br />
F.07 Carry Forward AP/AR Balances<br />
FAGLGVTR Carry Forward GL Balances<br />
FAGLF101 Regrouping Receivables/Payable<br />
F.17 Balance Confirmation Receivable<br />
F.18 Balance Confirmation Payable<br />
OB52<br />
Close previous account period<br />
S_ALR_87012284 <strong>Financial</strong> Statements<br />
S_ALR_87012287 Document Journal<br />
Table D: Period End Close Transactions cont.<br />
Depreciation keys should be defined for each asset class.<br />
The keys define the rules for calculating depreciation such<br />
as straight line or declining balance. They also control the<br />
useful life of assets. <strong>Audit</strong>ors should review the<br />
configuration of all or a sample of depreciation keys<br />
through transaction AFAMA (View Maint. for Deprec. Key<br />
Method). Depreciation postings can be reviewed through<br />
transactions AFBP and AR25. Transaction ABST displays<br />
the reconciliation between asset accounting and the<br />
general ledger.<br />
If the <strong>SAP</strong> Project System (PS) is operating alongside FI-<br />
AA, the relevant availability controls should be reviewed in<br />
PS. These regulate the thresholds for asset acquisitions in<br />
excess of approved, budgeted amounts which, if<br />
configured correctly, can be blocked altogether. This can<br />
be performed through transaction OPS9 and the menu<br />
path IMG> Project System> Costs> Budget> Define<br />
Tolerance Limits.<br />
An audit of FI-AA should include a review of user access to<br />
transaction codes that provide the ability to change AA<br />
master data including asset groups and depreciation<br />
tables, as well as acquire, depreciate and dispose fixed<br />
assets. These are listed in Table E. The review should<br />
focus on authorization objects A_A_VIEW, A_S_ANLKL,<br />
A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK,<br />
S_BDC_MONI, or A_C_AFAPL with activity levels 01, 02<br />
and 06.
TRANSACTION<br />
AS01<br />
AS02<br />
AS05<br />
AS06<br />
DESCRIPTION<br />
Create an Asset<br />
Modify Asset<br />
Block Asset Master Record<br />
Delete Asset<br />
ABZE<br />
Acquisition from in-house<br />
production<br />
ABZK Acquisition from purchase w.<br />
vendor<br />
F-90 Acquisition w/ Vendor<br />
ABZV<br />
ABZP<br />
AS21<br />
AS22<br />
AS25<br />
AS26<br />
ABZU<br />
ABZS<br />
ABMA<br />
AFAB/ AFABN<br />
ABAV/ ABAVN<br />
ABAO/ ABAON<br />
ABAD<br />
Acquisition from clearing Account<br />
Asset Acquisition from affiliated<br />
company<br />
Create an asset group<br />
Modify Asset<br />
Block group asset<br />
Delete an asset group<br />
Asset write-up<br />
Asset write-up<br />
Asset manually depreciate<br />
Post depreciation<br />
Retire by scrapping<br />
Asset Sale Without Customer<br />
Asset Retire from Sale with<br />
Customer<br />
ABANK<br />
Retire with cost<br />
AR31<br />
Asset mass retirement<br />
OAP1<br />
Create chart of depreciation<br />
OA52<br />
Close previous account period<br />
OAP2<br />
Change chart of depreciation<br />
Table E: Asset <strong>Accounting</strong> Transactions<br />
Availability<br />
controls should<br />
block asset<br />
acquisitions in<br />
excess of<br />
budget<br />
7
8<br />
Foreign Currency Translation<br />
Foreign currency exchange ratios and rates are maintained<br />
through transactions OBBS and OB08. The underlying<br />
tables should be reviewed through these transactions to<br />
ensure that ratios and rates are regularly and accurately<br />
updated.<br />
<strong>SAP</strong> provides a variety of valuation methods and even<br />
provides an option to create custom methods. Custom<br />
valuations should be identified and examined very closely.<br />
This can be performed through transaction OB59 (foreign<br />
currency valuation methods).<br />
Automatic postings for foreign currency valuations should<br />
be analyzed via transaction OBA1. The assigned accounts<br />
are used to record realized/ unrealized gains and losses.<br />
This should be followed by a review of foreign currency<br />
rounding rules in transaction OB90.<br />
Inter-Company Transactions<br />
Cash Management<br />
Cash Management (CM) is component of <strong>SAP</strong> TR that is<br />
used to monitor payment flows and safeguard liquidity.<br />
This component is used to perform bank reconciliations<br />
and therefore should be a crucial element of an <strong>SAP</strong><br />
financial audit. Management should regularly review<br />
reports FF.6, FF67, FF7A and FF68 to monitor cash<br />
transactions and ensure bank deposits and payments are<br />
reflected in the relevant GL accounts. Note that FF67 can<br />
be used to import and process bank statements in <strong>SAP</strong>.<br />
Changes to banking master data should be identified<br />
through transaction FI04 or report RFBKABL0 and traced<br />
to supporting documents to test for authorization,<br />
accuracy and completeness.<br />
Also, access to critical CM transactions should be<br />
reviewed, including those listed in Table F, focusing on<br />
authorization objects F_BNKA_BUK, S_TABU_DIS,<br />
F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES,<br />
F _ B K P F _ G S B , F _ F D E S _ B U K , F _ R E G U _ B U K ,<br />
F_REGU_KOA, or F_PAYR_BUK with activity levels 01, 02,<br />
06 and 17<br />
Inter-company reconciliation is often a bottleneck in the<br />
financial close process. As a result, some <strong>SAP</strong> clients have<br />
migrated to the Web-based BusinessObjects Intercompany<br />
application. This significantly improves the speed<br />
and accuracy of identifying, matching and eliminating<br />
related party transactions. However, the majority of<br />
organizations continue to rely upon a manual process.<br />
Related parties are treated as trading partners in <strong>SAP</strong> and<br />
are defined through IMG > Enterprise Structure > Definition<br />
> <strong>Financial</strong> <strong>Accounting</strong> > Define Company. Once<br />
configured, <strong>SAP</strong> will post documents such as invoices,<br />
payments, receipts and asset transfers between related<br />
parties to designated inter-company accounts. Intercompany<br />
clearing accounts should be identified using<br />
transaction OBYA. All such accounts should be reviewed<br />
against the relevant financial statement assertions.
TRANSACTION<br />
FI12<br />
FI01<br />
FI02<br />
FI06<br />
FF67<br />
FF_5<br />
FEBA<br />
FLB2<br />
FLB1<br />
DESCRIPTION<br />
Change House Banks/Bank<br />
Accounts<br />
Change Master Record<br />
Change Bank<br />
Set Flag to Delete Bank<br />
Manual Bank Statement<br />
Import Electronic Bank<br />
Statement<br />
Post-process Electronic Bank<br />
Statement<br />
Import Lock box Data<br />
Post-processing Lock box Data<br />
F-28 Incoming Payments<br />
FB05<br />
FRFT<br />
FI10<br />
FF/4<br />
FFB4<br />
FF/5<br />
FFB5<br />
FF68<br />
FCHG<br />
FF63<br />
FCHX<br />
FCHG<br />
Post payment with clearing<br />
Set Up Repetitive Wire<br />
Parameters for Automatic<br />
Payment<br />
Import electronic check deposit<br />
list<br />
Import electronic check deposit<br />
list<br />
Post electronic check deposit<br />
list<br />
Post electronic check deposit<br />
list Manual Check Deposit<br />
Transaction<br />
Reset cashing/extract data<br />
Create Planning Memo Record<br />
Check Extract Creation<br />
Delete cashing/extract data<br />
Table F: Cash Management Transactions<br />
9
<strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong><br />
About Us<br />
<strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> specialize in <strong>SAP</strong> security. We serve customers worldwide to protect information assets<br />
against internal and external threats and comply with industry and statutory reporting requirements. The<br />
company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and<br />
vulnerability assessment solutions targeted at managing risks associated with contemporary <strong>SAP</strong> systems.<br />
Our consultants have an average of ten years of experience in field of <strong>SAP</strong> security and proficiency in<br />
regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX.<br />
The company is privately owned and headquartered in Toronto, Canada.<br />
Address<br />
Westbury Corporate Centre<br />
Suite 101<br />
2275 Upper Middle Road<br />
Oakville, Ontario<br />
L6H 0C3, Canada<br />
Web<br />
www.layersevensecurity.com<br />
Email<br />
info@layersevensecurity.com<br />
Telephone<br />
1 888 995 0993
© Copyright <strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> 2011 - All rights reserved.<br />
No portion of this document may be reproduced in whole or in part without the prior written<br />
permission of <strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong>.<br />
<strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> offers no specific guarantee regarding the accuracy or completeness of the<br />
information presented, but the professional staff of <strong>Layer</strong> <strong>Seven</strong> <strong>Security</strong> makes every reasonable<br />
effort to present the most reliable information available to it and to meet or exceed any applicable<br />
industry standards.<br />
This publication contains references to the products of <strong>SAP</strong> AG. <strong>SAP</strong>, R/3, xApps, xApp, <strong>SAP</strong><br />
NetWeaver, Duet, PartnerEdge, ByDesign, <strong>SAP</strong> Business ByDesign, and other <strong>SAP</strong> products and<br />
services mentioned herein are trademarks or registered trademarks of <strong>SAP</strong> AG in Germany and in<br />
several other countries all over the world. Business Objects and the Business Objects logo,<br />
BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business<br />
Objects products and services mentioned herein are trademarks or registered trademarks of Business<br />
Objects in the United States and/or other countries.