How Using LSMW Can Lead to An Audit Violation
By Clinton Jones on December 21, 2016
It should come as no surprise that external and internal audits are scrutinizing more closely how companies use and configure SAP systems. In recent years, there has been a lot of attention around vulnerabilities. This past summer the DHS’s US-CERT branch issued a security alert after the security vendor Onapsis disclosed an SAP system vulnerability that could be damaging to companies that run SAP systems. While that issue highlighted an old flaw in the application design that SAP has patched, application ‘flaws’ are sometimes not flaws at all but rather the result of poor configuration or the misuse of SAP administration tools.
One tool that is often used and abused is LSMW. Legacy System Migration Workbench (LSMW) is a free ABAP tool that supports data migrations from legacy (non-SAP) systems into SAP. As a component of any SAP ABAP installation, it can be used by any developer or systems administrator to upload data into SAP. As a cross-application (CA) component, LSMW interfaces with the Data Transfer Center and with the batch input and direct input processing methods, as well as with out-of-the-box BAPIs and IDoc data processing models.
Auditing an SAP system includes checking whether business users have the right level of access to the system. It also involves ensuring that IT users and non-functional users do not have access to productive systems and productive system data. Auditors are responsible for giving investors, owners and regulators the assurance that they have checked the systems and can verify that data in the SAP system cannot be inappropriately tampered with.
When IT continues to run LSMW loads from open text files supplied by the business, this presents a glaring opportunity for data manipulation and potential fraud. Giving business users direct access to LSMW does not address the issue, because LSMW is not intended to be used by end users. It requires a significant training investment before the business can use it properly and safely.
If you have received notice that LSMW is being targeted for audit in your business, you should consider using Winshuttle Studio. Not only is Studio easy to use and requires no developer skills, it also comes with two types of licenses and modes of use: authors and runners.
Runners cannot create integration objects; they can only ‘run’ author-created ones. Users can only use Winshuttle Studio against an SAP system for which they have credentials. They need to be assigned the appropriate SAP authorizations and, more importantly, they can only use scripts against those SAP objects for which they have permissions.
Winshuttle Studio provides a full and detailed usage log, which typically meets the needs of an SAP application usage audit. Companies that require the four-eyes principle for data management tasks can also consider Winshuttle Foundation. Read more by downloading the Winshuttle white paper “Winshuttle, an easy alternative to LSMW.”
About the author
Clinton Jones is a Director for Finance Solutions Management at Winshuttle, where he has worked since 2009. He is internationally experienced, having worked on finance technologies and business processes with a particular focus on integrated business solutions in Europe, the Middle East, Africa and North America. Clinton serves as a technical consultant on technology and quality management as it relates to data and process management and governance for finance organizations globally. Prior to Winshuttle he served as a Technical Quality Manager at SAP and with Microsoft in their Global Foundation Services group.