Defining Sensitive Transaction Codes in SAP For Year-end Audits
By Clinton Jones on Apr 13, 2015
Your year-end has likely just concluded and now you have to brace yourself for the year-end audit. One of the questions likely to arise will be about how you have your SAP security set up. In this vein, you can expect things like transaction code assignments to be tested.
What do you believe are the most sensitive SAP transaction codes in your organization: The ones that your auditors always study the “granted access to” in detail – or perhaps the ones you are really careful about granting access to?
In the past, you’ve likely had to consider or deal with justifying why certain people have access to certain transactions, either during an authorization-inspection project, a Governance Risk and Compliance (GRC) project, or when auditors asked for details.
What are the most critical transaction codes in your business, and what are their functions?
Of course there isn’t one single correct answer, or in classic SAP consultant speak – ‘it depends.’
Defining high-risk (sensitive) activities and specific transactions that are deemed “sensitive” is an essential part of every auditor’s role and every authorization-related project, because this could have a significant impact on the company, if misused.
This process requires identification, assessment, and management. What tools are you using in that process?
Several vendors including SAP provide ways to identify, assess and manage these transactions. This process can also of course be supervised by your auditors, IT or internal IT security team, or a third party consulting group.
A list of sensitive transactions for Finance could run several dozen transaction codes depending on your role and responsibilities, but the sensitivity of particular transaction codes also varies depending on the time of year and the characteristics of your business.
Finance master record maintenance transactions can be problematic, and transactions like FS00 (G/L Account Creation) for finance teams are challenging because if they aren’t controlled strictly, there’s a risk of duplication or the creation of dummy GL accounts. Not only can this cause confusion, but it can also cause misallocations and potentially fraud.
Restrict access to SAP functions that modify GL Accounts
Access to SAP functions that enable users to create, modify or delete GL accounts should generally be restricted, and access only granted for very specific business needs.
This restriction is often considered prudent when it includes transactions with the authorization objects F_SKA1_KTP and F_SKA1_BUK and activity levels 01 (create), 02 (change), 05 (block) or 06 (mark for deletion).
- FS01 Create Master Record
- FS02 Change Master Record
- FS05 Block Master Record
- FS06 Mark Master Record for Deletion
- FSS1 Create Master Record in Company
- FSS2 G/L Acct Master Record
- FSP0 Create G/L Acct Master Record
- FSP1 Cross-System Company Codes
- FSP2 Change G/L Acct Master Records
- FSP5 Block Master Record
- FSP6 Mark Master Record for Deletion
Another transaction code that can present problems is ironically FB01 (Post Document) or any manual journal posting transaction for that matter, like FB50, F-02 etc. While these would typically be considered fairly innocuous processing transaction codes, in the wrong hands they can be abused and impact the way your accounting controls are viewed.
People tend to name their most sensitive Transaction Codes based on the last thing they were working on that was noted as a problem area in an audit.
What would you consider your most sensitive transaction codes and why,? How are you controlling and managing access to them?
Winshuttle for Finance focuses on Master Data Governance around Finance Master Records. This enables you to build control and governance around the creation of critical Finance Master Records like GL Accounts, Cost Centers and Profit Centers without having to assign critical transaction codes like FS00 to a large pool of individuals. Winshuttle Finance for Finance Master Records allows you to accelerate your audit compliance testing and lower your audit costs by implementing a robust auditable solution to manage your finance master data.
You can use this no-programming approach to automating SAP transactions for more than just master records, and you can expand the use of the Winshuttle Foundation platform for automating SAP processes to include other master data like vendors, customers, employees, materials and even bank accounts.
About the author
The Winshuttle blog is written by professional thought leaders who are dedicated to providing content on a variety of topics, including industry news, best practices, software updates, continued education, tips and techniques, and much more.
Questions or comments about this article?
Tweet @Winshuttle to continue the conversation!