How Using LSMW Can Lead to An Audit Violation

By Winshuttle Staff Blogger on Dec 21, 2016


It should come as no surprise that external and internal audits are cracking down on scrutinizing how companies use and configure SAP systems. In recent years, there has been a lot of attention around vulnerabilities. This past summer the DHS’s US-CERT branch issued a security alert after the security vendor Onapsis discovered an SAP system vulnerability that might be damaging to companies who run SAP systems. While this issue highlighted an old flaw in the application design that SAP patched, sometimes application ‘flaws’  are not flaws at all but rather issues related to poor configuration or the misuse of SAP administration tools.

One tool that is often used and abused is LSMW. Legacy System Migration Workbench (LSMW) is a free ABAP tool that supports data migrations from legacy systems (non-SAP systems) to SAP. As a component in any SAP ABAP installation, it can be used by any developer or systems administrator to perform data uploads to SAP. As a cross-application component (CA) LSMW interfaces with the Data Transfer Center and with batch input and direct input processing methods, as well as out of the box BAPIs and IDoc data processing models.

When you audit an SAP system, it includes looking to see if business users have the right level of access to the system. It also involves ensuring that IT users and nonfunctional users don’t have access to productive systems and productive system data. Auditors have the responsibility of providing investors, owners and regulators the assurance that they’ve checked the systems and can verify that data in the SAP system can’t be inappropriately tampered with.

Fraud potential

When IT continues to use LSMW with the provision of open data used with LSMW by the business in text files, this presents a glaring opportunity for data manipulation and potential fraud. Providing business users with direct access to LSMW doesn’t address the issue because LSMW is a tool that is not intended to be used by end-users. It requires significant levels of training investment in order to be used properly and safely by the business.

If you’ve received a notification that LSMW is being targeted for audit in your business, you should consider utilizing Winshuttle Studio. Not only is Studio easy to use, and requires no developer skills, but  it also comes with two type of licenses and modes of use – authors, and runners.

Runners cannot create integration objects, they can only ‘run’ author-created ones. User can only use Winshuttle Studio against an SAP system that they have credentials for.  They need to be assigned the appropriate SAP authorizations and more importantly they can only use scripts against those SAP objects that they have permissions.

Winshuttle Studio provides a full and detailed usage log which typically meets the needs of an SAP application usage audit. Companies that require the four eyes principle for data management tasks, Winshuttle Foundation can  also be considered. Read more by downloading the Winshuttle white paper “Winshuttle, an easy alternative to LSMW.

About the author

Staff Blogger

The Winshuttle blog is written by professional thought leaders who are dedicated to providing content on a variety of topics, including industry news, best practices, software updates, continued education, tips and techniques, and much more.

Questions or comments about this article?

Tweet @Winshuttle to continue the conversation!