SAP Audit Guide - Financial Accounting - Layer Seven Security

SAP Audit Guide 

for Financial Accounting

This audit guide is designed to assist the 

review of financial reporting processes that 

rely upon automated functions in SAP 

systems. 

The specific areas examined in this guide are relevant 

configurables, transactions, authorizations and reports 

in the General Ledger (GL), Asset Accounting (AA) and 

Bank Accounting (BA) components of the SAP 

Financial Accounting module. 

The guide provides instructions for assessing SAP 

application-level controls in the following areas of 

financial statement audits: 

Reporting Structure 

Chart of Accounts 

Journal Entry Posting 

Period End Close 

Foreign Currency Translation 

Inter-company Transactions 

Asset Management and Reporting 

Cash Management 

The guide is delivered using clear, non-technical terms 

to enable financial and operational auditors to 

successfully navigate the complexities of SAP security. 

Other volumes of this guide deal with SAP controls in 

areas such as Revenue, Inventory, Expenditure, Human 

Resources and Basis. 

Reporting Structure 

The financial reporting structure in SAP is determined 

by the organization of reporting units known as 

company codes. There can be multiple company 

codes within organizations with each code 

corresponding to a unique economic entity. 

Financial 

Accounting 

SAP Audit Guide 

Reporting entities in differing countries should have 

unique company codes since they may be subject to 

divergent accounting and tax requirements. Each 

company code has one domestic currency and up to 

two additional currencies to support financial reporting 

in multiple currencies. 

Company codes must be set to productive to prevent 

the deletion of transactional data. This can be verified 

through transaction code OBR3 or Table T001 through 

transaction SE16.

2 

The company code structure should correspond to the 

legal reporting requirements of the company under review. 

The appropriateness of the structure should be reviewed 

through the menu path IMG> Enterprise Structure> 

Financial Accounting> Define Company, transaction OX15 

or table T880 (note that IMG can be accessed through 

transaction SPRO). 

Relevant global parameters in IMG should also be 

reviewed. This includes areas such as Country Keys, 

Currencies, Controlling Areas, Credit Control Areas, Fiscal 

Year Variants, Sales and Purchasing Organisations, 

Business Areas and Plants, and Cost and Profit Centers 

(IMG> Enterprise Structure> Financial Accounting> Global 

Settings> Company Code> Global Parameters). 

Access to transactions such as OXO2 (edit company code) 

and EC01 (copy, delete and check company code) and the 

client configuration table T001 should be based on role 

requirements. Other critical transaction codes are listed in 

the Table A. 

TRANSACTION DESCRIPTION 

OB37 

Assign Company Code to a Fiscal 

Year Variant 

OBB9 

Assign Posting Period Variants to 

Company Code 

OKBD 

Define Functional Area 

OXO3 

Define Business Area 

FM_FUNCTION Define Functional Area 

OXO6 

Maintain Controlling Area 

KEP8 

Create Operating Concern 

Table A: Company Code Transactions 

TRANSACTION 

OX16 

OB38 

OF18 

OX19 

OX18 

OVX3 

OX01 

OH05 

OBB5 

OBY6 

DESCRIPTION 

Assign Company Code to Company 

Assign Company Code to Credit 

Control Area 

Assign Company Code to Financial 

Management Area 

Assign Company Code to 

Controlling Area 

Assign Plant to Company Code 

Assign Sales Organization to 

Company Code 

Assign Purchasing Organization to 

Company Code 

Assignment of Personnel Area to 

Company Code 

Cross-System Company Codes 

Enter Global Parameters 

Chart of Accounts 

The chart of accounts is the container for General Ledger 

(GL) accounts and the basis for journal entry posting and 

financial reporting. Chart of Accounts can be company 

code specific or cover multiple companies in a single SAP 

client. GL accounts are assigned to specific groups 

determined by account type. The field status for account 

information and the numbering interval is determined at the 

group level. 

The configuration of all or a sample of account groups 

should be reviewed to assess which fields are required, 

optional, displayed or suppressed during the creation of a 

new account and to ensure that account numbering follows 

a logical and consistent policy. This can be performed 

through the menu path General Ledger Accounting> G/L 

Accounts> Master Data> Preparations> Define Account 

Group or transaction OBD4. 

The structure of the Chart of Accounts should also be 

reviewed through transaction FSP3 to assess account 

groupings and identify the appropriate use of control 

accounts for AP and AR. The latter are known as 

reconciliation accounts and are updated automatically. In 

other words, SAP does not allow manual journal postings 

against such accounts. This can be performed through 

transactions KALE and OK17.

3 

Changes to the chart of accounts should be identified 

through report RFSABL00, accessible through transaction 

SA38. Alternatively, changes can be isolated through 

transactions FS04, FSP4 and FSS4. A sample of changes 

should be examined for evidence of approval, 

documentation and testing. 

Access to SAP functions that enable users to create, 

modify or delete GL accounts should be restricted and 

based on business need. This should include transactions 

in Table B with authorization objects F_SKA1_KTP and 

F_SKA1_BUK and activity levels 01 (create), 02 (change), 

05 (block) or 06 (mark for deletion). 

Journal Entry Posting 

SAP is preconfigured with hundreds of document types for 

purchase orders, customer invoices, good receipts and 

many other transactions. Each document type has a 

unique 2 or 3 letter identifier and a specific numbering 

range. Particular attention should be paid to the GL 

account assignments for SAP documents since 

transactional data is automatically posted by the system 

based on the assignments defined in the system 

configuration. These should be reviewed through 

transactions OBA7 (Define Document Types) and OB41 

(Posting Keys). Samples selected for review should include 

custom documents which are more likely to have 

assignment errors than standard SAP documents. 

TRANSACTION 

FS01 

FS02 

FS00 

FS05 

FS06 

FSS1 

FSS2 

FSP0 

FSP1 

FSP2 

FSP5 

DESCRIPTION 

Create Master Record 

Change Master Record 

G/L Acct Master Record Maintenance 

Block Master Record 

Mark Master Record for Deletion 

Create Master Record in Company 

Code 

G/L Acct Master Record in Chart/ 

Accts 

Create G/L Acct Master Record in 

Chart/Accts 

Cross-System Company Codes 

Change G/L Acct Master Record in 

Chart/Accts 

Block Master Record in Chart / Accts 

Monetary limits for journal entries, cash discounts, payment 

or receipts differences should be defined for document 

types. These can vary by company code and employee 

group. Tolerance levels should be reviewed through 

transactions OBA4 and OB57. This should include clearing 

procedures for critical accounts such as GR/IR. 

SAP should also be configured to control posting to prior 

periods even though the system is capable of keeping 

open multiple periods at the same time. This is performed 

through rules defined in Posting Period Variants, part of the 

Financial Accounting Global Settings. Note that back 

posting settings in Logistics can also be configured to allow 

posting to prior periods. Both of these areas should be 

reviewed in the IMG. 

SAP Business Workflow is used by many companies to 

review values and account assignments prior to posting 

journal entries. If enabled, the relevant settings for workflow 

variants, company codes, and approval paths and groups 

should be examined under Financial Accounting Global 

Settings> Document> Document Parking. This should 

include a review of fields that would cause a release to be 

revoked if changed after approval, which would lead to the 

restart of the release procedure. 

Mark Master Record for Deletion in 

FSP6 

Chart/Accts 

Table B: GL Account Transactions 

BusinessObjects Planning and Consolidation (BPC) and 

BusinessOne should be configured to block unbalanced 

journal entries. In the former, this can be verified through 

the JRN_BALANCE parameter. The parameter should be 

set to 1 (Journals need to be balanced). The default value is 

0 (Journals need not be balanced). In the latter, the field for 

Block Unbalanced Journal Entry should be checked in 

Administration> System Initialization> Document Settings> 

Journal Entry.

BPC should be configured to block 

unbalanced journal entries through the 

JRN_BALANCE parameter 

4 

The ability to create, change, delete and reverse journal 

entries should be restricted to authorized employees. This 

includes transactions in Table C with authorization objects 

with the prefix F_BKPF_ and suffix BUK, KOA, GSB, and 

BLA and activity levels 01 (create/ enter), 02 (change), 06 

(delete) and 77 (pre-enter/ park). 

TRANSACTION 

FB08 

FB02/ FB09 

FBL4 

DESCRIPTION 

Reverse Document 

Change Document 

Change G/L Account Line Items 

TRANSACTION 

DESCRIPTION 

F-03/ FB1S 

Clear G/L Account 

F-02 Enter G/L Account Posting 

F-21/ F-42 Enter Transfer Posting 

FB01/ FBR2 Post Document 

FB05 

Post with Clearing 

FB11 

Post Held Document 

FB21 

Enter Statistical Posting 

FBV1 

FBV2 

FBV4 

FBD1 

FBD2 

Park Document 

Change Parked Document 

Change Parked Document Header 

Enter Recurring Entry 

Change Recurring Entry 

FB50 

FBV0/ FBVB 

FBR1 

F.81 

FB08 

G/L Account Posting 

Post Parked Document 

Post with Reference Document 

Reverse Accrual Deferral Document 

Code 

Reverse Document 

F.14 Execute Recurring Entry 

F.56 Delete Recurring Entry 

Table C: Journal Entry Transactions 

F.80 Mass Reversal of Documents

5 

Period End Close 

The period end close process extends across many 

different SAP applications including SD, MM and PP. 

However, the majority of steps are performed within the FI 

and CO area. Audit procedures for the process should be 

tuned for each specific client since the process varies 

between organisations. As a guide, Table D lists the SAP 

transactions commonly used during the period end close 

process in sequential order. 

Together with the transactions listed in Table D, user 

access to SAP functions that control the opening and 

closing of financial periods should be tightly controlled. 

This should include transaction OB52 (opening and 

closing FI posting periods) and OBBP (define variants for 

open posting periods) with authorization object 

S_TABU_DIS and activity level 02 (change). 

TRANSACTION DESCRIPTION 

FBD1 

Enter Recurring Document 

F-03 Manual Clearing General Ledger 

F-32 

Manual Clearing Accounts 

Receivable 

F-44 Manual Clearing Accounts Payable 

FB50 

Post Adjustment Entries 

FAGL_FC_VAL Foreign Currency Revaluation 

AIAB 

Order Settlement (Asset Under 

Construction) 

TRANSACTION 

DESCRIPTION 

AFAB 

Depreciation Run 

S_BCE_680001 

74 

Update Exchange Ranges 

ASKBN 

FB50 

Periodic Asset Posting 

Automatic GR/IR Clearing 

VL10/ VL10A 

Ensure Movements are complete 

KSA3 

Accrual Calculation 

MIRO 

Record Purchase Order related AP 

Transactions 

MRN0 

CK11N 

Stock Valuation 

Inventory costing 

MRBR 

Release Blocked Invoices 

CK24 

Price Update 

VXF3 

MMPV 

OB52 

CJ8G 

KKS1 

CO88 

CO02 

Release Billing Documents for 

Accounting 

Open Period for Material Master 

Records 

Open and Close Posting Periods 

Calculation of Work In Process 

(WIP) 

Prod. and Process Order Variance 

Calculation 

Settlement PP Order 

PP Order (close) 

FB50 

Stock value adjustment 

ENGR 

Create Intrastat / Extrastat periodic 

declaration 

S_ALR_870123 

57 

Advance Return for Tax on Sales/ 

Purchases 

FB41 

Post Tax Payable 

F.52 Balance Interest Calculation 

Table D: Period End Close Transactions

6 

TRANSACTION 

S_ALR_87012289 

S_ALR_87012287 

FF7A 

OB52 

KE30 

S_ALR_87012284 

S_ALR_87005830 

CK40N 

DESCRIPTION 

Compact Document Journal 

Document Journal 

Cash Position & Liquidity Forecast 

Open and Close Posting Periods 

Run Profitability Report 

Financial Statements 

Controlling Maintain Versions 

Costing Run 

Asset Management and Reporting 

The Financial Accounting Asset Accounting (FI-AA) 

component is responsible for managing fixed assets in 

SAP ERP. It serves as a subsidiary ledger to the FI GL, 

providing detailed information on transactions involving 

fixed assets. AA integrates directly with other FI 

components such as Materials Management (MM) and 

Plant Maintenance (PM) and manages assets reporting 

from acquisition to disposal or retirement. The component 

also tracks, depreciates and reports upon leased assets 

and assets under construction. 

Asset classes in SAP should be configured in line with 

country-specific requirements. Therefore, asset classes 

and the associated descriptions should be reviewed 

through transaction OAOA (define asset classes). 

S_ALR_87008275 

Define Percentage Overhead 

(actual) 

AFAR 

Recalculating Values 

ABST2 

Account Reconciliation 

AJRW 

Fiscal Year Change 

AJAB 

Year-end closing Asset Accounting 

F.07 Carry Forward AP/AR Balances 

FAGLGVTR Carry Forward GL Balances 

FAGLF101 Regrouping Receivables/Payable 

F.17 Balance Confirmation Receivable 

F.18 Balance Confirmation Payable 

OB52 

Close previous account period 

S_ALR_87012284 Financial Statements 

S_ALR_87012287 Document Journal 

Table D: Period End Close Transactions cont. 

Depreciation keys should be defined for each asset class. 

The keys define the rules for calculating depreciation such 

as straight line or declining balance. They also control the 

useful life of assets. Auditors should review the 

configuration of all or a sample of depreciation keys 

through transaction AFAMA (View Maint. for Deprec. Key 

Method). Depreciation postings can be reviewed through 

transactions AFBP and AR25. Transaction ABST displays 

the reconciliation between asset accounting and the 

general ledger. 

If the SAP Project System (PS) is operating alongside FI- 

AA, the relevant availability controls should be reviewed in 

PS. These regulate the thresholds for asset acquisitions in 

excess of approved, budgeted amounts which, if 

configured correctly, can be blocked altogether. This can 

be performed through transaction OPS9 and the menu 

path IMG> Project System> Costs> Budget> Define 

Tolerance Limits. 

An audit of FI-AA should include a review of user access to 

transaction codes that provide the ability to change AA 

master data including asset groups and depreciation 

tables, as well as acquire, depreciate and dispose fixed 

assets. These are listed in Table E. The review should 

focus on authorization objects A_A_VIEW, A_S_ANLKL, 

A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK, 

S_BDC_MONI, or A_C_AFAPL with activity levels 01, 02 

and 06.

TRANSACTION 

AS01 

AS02 

AS05 

AS06 

DESCRIPTION 

Create an Asset 

Modify Asset 

Block Asset Master Record 

Delete Asset 

ABZE 

Acquisition from in-house 

production 

ABZK Acquisition from purchase w. 

vendor 

F-90 Acquisition w/ Vendor 

ABZV 

ABZP 

AS21 

AS22 

AS25 

AS26 

ABZU 

ABZS 

ABMA 

AFAB/ AFABN 

ABAV/ ABAVN 

ABAO/ ABAON 

ABAD 

Acquisition from clearing Account 

Asset Acquisition from affiliated 

company 

Create an asset group 

Modify Asset 

Block group asset 

Delete an asset group 

Asset write-up 

Asset write-up 

Asset manually depreciate 

Post depreciation 

Retire by scrapping 

Asset Sale Without Customer 

Asset Retire from Sale with 

Customer 

ABANK 

Retire with cost 

AR31 

Asset mass retirement 

OAP1 

Create chart of depreciation 

OA52 

Close previous account period 

OAP2 

Change chart of depreciation 

Table E: Asset Accounting Transactions 

Availability 

controls should 

block asset 

acquisitions in 

excess of 

budget 

7

8 

Foreign Currency Translation 

Foreign currency exchange ratios and rates are maintained 

through transactions OBBS and OB08. The underlying 

tables should be reviewed through these transactions to 

ensure that ratios and rates are regularly and accurately 

updated. 

SAP provides a variety of valuation methods and even 

provides an option to create custom methods. Custom 

valuations should be identified and examined very closely. 

This can be performed through transaction OB59 (foreign 

currency valuation methods). 

Automatic postings for foreign currency valuations should 

be analyzed via transaction OBA1. The assigned accounts 

are used to record realized/ unrealized gains and losses. 

This should be followed by a review of foreign currency 

rounding rules in transaction OB90. 

Inter-Company Transactions 

Cash Management 

Cash Management (CM) is component of SAP TR that is 

used to monitor payment flows and safeguard liquidity. 

This component is used to perform bank reconciliations 

and therefore should be a crucial element of an SAP 

financial audit. Management should regularly review 

reports FF.6, FF67, FF7A and FF68 to monitor cash 

transactions and ensure bank deposits and payments are 

reflected in the relevant GL accounts. Note that FF67 can 

be used to import and process bank statements in SAP. 

Changes to banking master data should be identified 

through transaction FI04 or report RFBKABL0 and traced 

to supporting documents to test for authorization, 

accuracy and completeness. 

Also, access to critical CM transactions should be 

reviewed, including those listed in Table F, focusing on 

authorization objects F_BNKA_BUK, S_TABU_DIS, 

F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES, 

F _ B K P F _ G S B , F _ F D E S _ B U K , F _ R E G U _ B U K , 

F_REGU_KOA, or F_PAYR_BUK with activity levels 01, 02, 

06 and 17 

Inter-company reconciliation is often a bottleneck in the 

financial close process. As a result, some SAP clients have 

migrated to the Web-based BusinessObjects Intercompany 

application. This significantly improves the speed 

and accuracy of identifying, matching and eliminating 

related party transactions. However, the majority of 

organizations continue to rely upon a manual process. 

Related parties are treated as trading partners in SAP and 

are defined through IMG > Enterprise Structure > Definition 

> Financial Accounting > Define Company. Once 

configured, SAP will post documents such as invoices, 

payments, receipts and asset transfers between related 

parties to designated inter-company accounts. Intercompany 

clearing accounts should be identified using 

transaction OBYA. All such accounts should be reviewed 

against the relevant financial statement assertions.

TRANSACTION 

FI12 

FI01 

FI02 

FI06 

FF67 

FF_5 

FEBA 

FLB2 

FLB1 

DESCRIPTION 

Change House Banks/Bank 

Accounts 

Change Master Record 

Change Bank 

Set Flag to Delete Bank 

Manual Bank Statement 

Import Electronic Bank 

Statement 

Post-process Electronic Bank 

Statement 

Import Lock box Data 

Post-processing Lock box Data 

F-28 Incoming Payments 

FB05 

FRFT 

FI10 

FF/4 

FFB4 

FF/5 

FFB5 

FF68 

FCHG 

FF63 

FCHX 

FCHG 

Post payment with clearing 

Set Up Repetitive Wire 

Parameters for Automatic 

Payment 

Import electronic check deposit 

list 

Import electronic check deposit 

list 

Post electronic check deposit 

list 

Post electronic check deposit 

list Manual Check Deposit 

Transaction 

Reset cashing/extract data 

Create Planning Memo Record 

Check Extract Creation 

Delete cashing/extract data 

Table F: Cash Management Transactions 

9

Layer Seven Security 

About Us 

Layer Seven Security specialize in SAP security. We serve customers worldwide to protect information assets 

against internal and external threats and comply with industry and statutory reporting requirements. The 

company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and 

vulnerability assessment solutions targeted at managing risks associated with contemporary SAP systems. 

Our consultants have an average of ten years of experience in field of SAP security and proficiency in 

regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX. 

The company is privately owned and headquartered in Toronto, Canada. 

Address 

Westbury Corporate Centre 

Suite 101 

2275 Upper Middle Road 

Oakville, Ontario 

L6H 0C3, Canada 

Web 

www.layersevensecurity.com 

Email 

info@layersevensecurity.com 

Telephone 

1 888 995 0993

© Copyright Layer Seven Security 2011 - All rights reserved. 

No portion of this document may be reproduced in whole or in part without the prior written 

permission of Layer Seven Security. 

Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the 

information presented, but the professional staff of Layer Seven Security makes every reasonable 

effort to present the most reliable information available to it and to meet or exceed any applicable 

industry standards. 

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP 

NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and 

services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in 

several other countries all over the world. Business Objects and the Business Objects logo, 

BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business 

Objects products and services mentioned herein are trademarks or registered trademarks of Business 

Objects in the United States and/or other countries.

SAP Audit Guide - Financial Accounting - Layer Seven Security

Create successful ePaper yourself

Delete template?

Save as template?