Defining Sensitive Transaction Codes in SAP For Year-end Audits

By Clinton Jones on April 13, 2015


Your year-end has likely just concluded and now you have to brace yourself for the year-end audit. One of the questions likely to arise will be about how you have your SAP security set up. In this vein, you can expect things like transaction code assignments to be tested.

What do you believe are the most sensitive SAP transaction codes in your organization: the ones whose granted access your auditors always study in detail, or perhaps the ones you are really careful about granting access to?

In the past, you’ve likely had to consider or deal with justifying why certain people have access to certain transactions, either during an authorization-inspection project, a Governance Risk and Compliance (GRC) project, or when auditors asked for details.

What are the most critical transaction codes in your business, and what are their functions?

Of course there isn’t one single correct answer, or in classic SAP consultant speak – ‘it depends’.

Defining high-risk (sensitive) activities and the specific transactions deemed “sensitive” is an essential part of every auditor’s role and every authorization-related project, because these transactions could have a significant impact on the company if misused.

This process requires identification, assessment, and management. What tools are you using in that process?

Several vendors including SAP provide ways to identify, assess and manage these transactions. This process can also of course be supervised by your auditors, IT or internal IT security team, or a third party consulting group.

A list of sensitive transactions for Finance could run several dozen transaction codes depending on your role and responsibilities, but the sensitivity of particular transaction codes also varies depending on the time of year and the characteristics of your business.

Finance master record maintenance transactions can be problematic, and transactions like FS00 (G/L Account Creation) for finance teams are challenging because if they aren’t controlled strictly, there’s a risk of duplication or the creation of dummy GL accounts. Not only can this cause confusion, but it can also cause misallocations and potentially fraud.

Restrict access to SAP functions that modify GL Accounts

Access to SAP functions that enable users to create, modify or delete GL accounts should generally be restricted, and access only granted for very specific business needs.

This restriction is often considered prudent when it includes transactions with the authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).



Examples include:

  • FS01 Create Master Record
  • FS02 Change Master Record
  • FS05 Block Master Record
  • FS06 Mark Master Record for Deletion
  • FSS1 Create Master Record in Company
  • FSS2 G/L Acct Master Record
  • FSP0 Create G/L Acct Master Record
  • FSP1 Cross-System Company Codes
  • FSP2 Change G/L Acct Master Records
  • FSP5 Block Master Record
  • FSP6 Mark Master Record for Deletion
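One way to test this restriction during audit preparation is to cross-check role authorizations against user assignments. The following is an added example, not part of the original article or any vendor tool: the row layout, role names and users are constructed assumptions, and organizational fields such as company code are ignored for brevity.

```python
from collections import defaultdict

# Transaction codes and authorization objects named in the article.
SENSITIVE_TCODES = {"FS00", "FS01", "FS02", "FS05", "FS06", "FSS1", "FSS2",
                    "FSP0", "FSP1", "FSP2", "FSP5", "FSP6"}
GL_OBJECTS = {"F_SKA1_KTP", "F_SKA1_BUK"}
RISKY_ACTVT = {"01", "02", "05", "06"}  # create, change, block, mark for deletion

# Constructed sample rows (role, object, field, low, high); layout is an assumption.
ROLE_AUTHS = [
    ("Z_GL_MAINT", "S_TCODE", "TCD", "FS00", ""),
    ("Z_GL_MAINT", "F_SKA1_BUK", "ACTVT", "01", "03"),
    ("Z_GL_DISPLAY", "S_TCODE", "TCD", "FS*", ""),
    ("Z_GL_DISPLAY", "F_SKA1_BUK", "ACTVT", "03", ""),
    ("Z_AP_CLERK", "S_TCODE", "TCD", "FB60", ""),
    ("Z_CHART_ADMIN", "F_SKA1_KTP", "ACTVT", "*", ""),
]
USER_ROLES = [("ALICE", "Z_GL_MAINT"), ("BOB", "Z_GL_DISPLAY"), ("CAROL", "Z_AP_CLERK"),
              ("CAROL", "Z_CHART_ADMIN"), ("DAVE", "Z_GL_DISPLAY"), ("DAVE", "Z_CHART_ADMIN")]

def matches(low, high, candidates):
    """Return the candidates covered by a single value, a trailing-* pattern or a range."""
    if high:
        return {c for c in candidates if low <= c <= high}
    if low.endswith("*"):
        return {c for c in candidates if c.startswith(low[:-1])}
    return {c for c in candidates if c == low}

def flag_users(role_auths, user_roles):
    """Map user -> (sensitive tcodes, risky activities) when the user holds both."""
    users = defaultdict(set)
    for user, role in user_roles:
        users[user].add(role)
    findings = {}
    for user, roles in users.items():
        tcodes, actvts = set(), set()
        for role, obj, field, low, high in role_auths:
            if role in roles and obj == "S_TCODE" and field == "TCD":
                tcodes |= matches(low, high, SENSITIVE_TCODES)
            elif role in roles and obj in GL_OBJECTS and field == "ACTVT":
                actvts |= matches(low, high, RISKY_ACTVT)
        if tcodes and actvts:  # access can accumulate across several roles
            findings[user] = (sorted(tcodes), sorted(actvts))
    return findings

if __name__ == "__main__":
    for user, (tcodes, actvts) in sorted(flag_users(ROLE_AUTHS, USER_ROLES).items()):
        print(user, tcodes, actvts)
```

In the sample data, DAVE is flagged even though neither of his roles is sensitive on its own, which is the combination a role-by-role review tends to miss.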

Another transaction code that can present problems is ironically FB01 (Post Document) or any manual journal posting transaction for that matter, like FB50, F-02 etc. While these would typically be considered fairly innocuous processing transaction codes, in the wrong hands they can be abused and impact the way your accounting controls are viewed.

People tend to name their most sensitive Transaction Codes based on the last thing they were working on that was noted as a problem area in an audit.

What would you consider your most sensitive transaction codes, and why? How are you controlling and managing access to them?

Winshuttle for Finance focuses on Master Data Governance around Finance Master Records. This enables you to build control and governance around the creation of critical Finance Master Records like GL Accounts, Cost Centers and Profit Centers without having to assign critical transaction codes like FS00 to a large pool of individuals. Winshuttle Finance for Finance Master Records allows you to accelerate your audit compliance testing and lower your audit costs by implementing a robust auditable solution to manage your finance master data.

You can use this no-programming approach to automating SAP transactions for more than just master records, and you can expand the use of the Winshuttle Foundation platform for automating SAP processes to include other master data like vendors, customers, employees, materials and even bank accounts.

Questions or comments about this article?

Tweet @uploadsap to continue the conversation!

About the author

Clinton Jones is a Director for Finance Solutions Management at Winshuttle where he has worked since 2009. He is internationally experienced having worked on finance technologies and business process with a particular focus on integrated business solutions in Europe, the Middle East, Africa and North America. Clinton serves as a technical consultant on technology and quality management as it relates to data and process management and governance for finance organizations globally. Prior to Winshuttle he served as a Technical Quality Manager at SAP and with Microsoft in their Global Foundation Services group.
