Copyright © 2003 Americas’ SAP Users’ Group Authorizations in the Finance & Controlling Modules Ranvir Singh, Sherman Wright Business Analysts, LSI LOGIC.

Presentation transcript:

Copyright © 2003 Americas’ SAP Users’ Group Authorizations in the Finance & Controlling Modules Ranvir Singh, Sherman Wright Business Analysts, LSI LOGIC Corporation Sam Sangha Technical Consultant, VIRSA Systems Corp. May 20, 2003

Agenda
1 – Introduction to Finance Authorizations (Basic Concepts)
2 – Important Reports and Transactions (PFCG, SU01, SU53, SUIM, SU24)
3 – Challenges in Finance (Responsibilities and Roles)
4 – Finding Risks in the Finance Environment (Segregation of Duties Matrix, VRAT, etc.)
5 – Tools for Analysis (VIRSA, SAP, etc.)

Introduction to Finance Authorizations
Linkage of various Objects/Fields/Groups etc.
[Diagram linking: Authorization object class, Authorization object, Authorization Profile, Role, User]

Terminology
- Authorization Profile/Activity Group/Role: Contains instances (authorizations) of different authorization objects, grouped by object class.
- Authorization Object Class: Logical grouping of authorization objects, for example all authorization objects for object class FI (Financial Accounting).
- Authorization Object: Group of authorization fields that are checked simultaneously, for example F_LFA1_APP (Vendor: Application Authorization).
- Authorization Field: Smallest unit against which the check is run, for example BUKRS for company code.
- Authorization: An instance of an authorization object, that is, a combination of allowed values for each authorization field of the object.

Introduction to Finance Authorizations
Authorizations
- Object class: Financial Accounting
- User name: Joe Smith and N.A. Credit
- Role / Profile: North America Credit
- Authorization: Company code = US10
- Authorization Objects: Company code

Introduction to Finance Authorizations
Business Scenario
Employees have roles with specific functions and need authorizations for these functions.
- An employee can have multiple roles.
- A role is a group of activities performed within a Business Scenario.
[Diagram: employees (Karen, Susan, John) linked to roles (Procurement, Employee, Service Representative, Manager, Purchaser), to functions (Create Purchase Requisition (ME51), Order Purchase Requisition (ME58), Release Purchase Requisition (ME54)) and to authorizations (to create purchase requisitions, to release purchase requisitions, to create purchase orders)]

Introduction to Finance Authorizations
Authorization A: BUKRS = US10, US18; ACTVT = 01, 02, 03
Authorization B: BUKRS = US10, US18, US42; ACTVT = 03
[Diagram: each authorization shown as a grid of company codes US10, US18, US42 against the activities Create, Change, Display]
1. Authorization A allows the user to perform create, change and display activities in company codes US10 & US18.
2. Authorization B allows the user to perform only the display activity in company codes US10, US18 & US42.
3. If the user has authorization A and authorization B, they work together. This means that the user can perform create, change and display activities in company codes US10 & US18, and can perform only the display activity in company code 3000.
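The three points above, worked through as an added example (not code from the presentation): a check passes only when one single authorization covers every requested field value, so with the slide's values for A and B the company code left display-only is US42. The object name F_BKPF_BUK for these two authorizations, the function names and the "*" handling are assumptions made for illustration.

```python
# Added example: models the check as "one authorization must cover all fields".
from itertools import product

# Field values are the slide's; attaching them to F_BKPF_BUK is an assumption.
AUTH_A = {"BUKRS": {"US10", "US18"}, "ACTVT": {"01", "02", "03"}}
AUTH_B = {"BUKRS": {"US10", "US18", "US42"}, "ACTVT": {"03"}}
USER_BUFFER = {"F_BKPF_BUK": [AUTH_A, AUTH_B]}
ACTIVITY = {"01": "create", "02": "change", "03": "display"}


def covers(auth, requested):
    """True if this single authorization allows every requested field value."""
    return all(
        "*" in auth.get(field, set()) or value in auth.get(field, set())
        for field, value in requested.items()
    )


def authority_check(buffer, obj, **requested):
    """Pass if ANY one authorization for the object covers ALL fields."""
    return any(covers(auth, requested) for auth in buffer.get(obj, []))


def effective_access(buffer, obj, company_codes):
    """Map each company code to the activities the user can perform there."""
    return {
        bukrs: [name for code, name in ACTIVITY.items()
                if authority_check(buffer, obj, BUKRS=bukrs, ACTVT=code)]
        for bukrs in company_codes
    }


def naive_field_merge(buffer, obj):
    """Wrong model: union each field across authorizations, then combine.
    It over-reports access, e.g. it claims create (01) in US42."""
    merged = {}
    for auth in buffer.get(obj, []):
        for field, values in auth.items():
            merged.setdefault(field, set()).update(values)
    return set(product(merged["BUKRS"], merged["ACTVT"]))


if __name__ == "__main__":
    codes = ["US10", "US18", "US42"]
    for bukrs, acts in effective_access(USER_BUFFER, "F_BKPF_BUK", codes).items():
        print(bukrs, acts)
```

When reviewing a user's combined authorizations, evaluate each authorization separately as above; merging field values across authorizations reports access the user does not have.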

Introduction to Finance Authorizations
[Diagram: authorization objects S_TCODE (field TCD), F_BKPF_BUK (fields ACTVT, BUKRS), F_BKPF_GSP (fields ACTVT, GSBER) and F_BKPF_KOA (fields ACTVT, KOART), with their values for Work Center 1, Work Center 2 and Work Center 3, combined into an Authorization Profile. Transaction codes shown: F-22, F-27, FB02, FB03, F-43, F-41.]

- Any questions?
- Let’s move to the 2nd part of our agenda items

Important Report and Transactions
1 - PFCG – Profile Generator
2 - SU01 – User Maintenance
3 - SU53 – Display Authorization Data
4 - SUIM – User Information System
5 - SU24 – Authorization Assignment (transactions and authorization objects)
6 - Other important reports

Important Report and Transactions
PFCG – Profile Generator (PG)
SAP’s automated method for generating user profiles by picking and choosing authorization objects and values.

Important Report and Transactions
PFCG – Profile Generator (PG)
When a transaction is selected and placed in the “Menu” while creating or changing the activity group, the PG selects the authorization objects that are checked in this transaction and maintained in the PG.

Important Report and Transactions
SU01 – User Maintenance
Types of users:
- Dialog users (only dialog users log on to the R/3 system interactively)
- Background users
- Batch Data Communication users (BDC)
- Common Programming Interface Communication users (CPI-C)

Important Report and Transactions
SU01 – User Maintenance
Main display of user master data

Important Report and Transactions
SU53 – Display Authorization
Menu path: System > Utilities > Display Authorization Check
Authorizations can also be analyzed with the authorization trace, transaction ST01.
You can analyze an error that has just occurred in your system because of a missing authorization. Running SU53 after getting an authorization error shows the following information:
1. Authorization object that was checked
2. Authorization object class that was checked
3. Value of the object the user needs to perform the action
4. Value of the object the user already has in his/her master record

Important Report and Transactions
SUIM – User Information System
A collection of reports to analyze user access, activity group and profile content, changes to accounts, etc.

Important Report and Transactions
SU24 – Authorization Assignment (transactions and authorization objects)
The assignment is done automatically when the Profile Generator (PFCG) is used, but SU24 is still useful for modifications and verification.

Important Report and Transactions
Other important reports (some in SUIM)
- RSUSR000: Display current active users
- RSUSR002: Display users according to complex selection criteria
- RSUSR005: Display users with critical authorizations
- RSUSR006: Display users that are locked by the system and by the administrator because of incorrect logons
- RSUSR010: Transactions executable for the users, with profile or authorization
- RSUSR070: Display activity groups by complex search criteria

Important Report and Transactions
- Any questions?
- Let’s move to the 3rd part of our agenda items

Challenges in Finance
Responsibilities & Roles
1. What responsibilities need to be provided & need to be “protected”?
   - Vendor creation, invoice processing, payment processing, billing, collections, GL, P&L, etc.
2. Have roles been created to provide access for specific responsibilities, yet keeping the different ones separated?
3. Do some roles provide too much access?
4. Who defines the roles (Security Admin, Business Process Owners, others)?

Challenges in Finance
- Any questions?
- Let’s move to the 4th part of our agenda items

Finding Risks in the Finance Environment
Segregation of Duties
1. SOD Concept: Segregation of Duties is the primary internal control intended to prevent, or to minimize, the risk of errors or irregularities; identify problems; and ensure corrective action is taken.
2. No single individual should have control over all phases of a transaction.
3. Using roles to keep job activities separate.
4. Using reports to ensure users don’t have too much access.

Finding Risks in the Finance Environment
Segregation of Duties (continued)
5. Defining Risks
   At what level can risks be defined?
   - Transaction level
   - Authorization object level
   - Other
6. Translating Risks into a Matrix
   - Transaction level is easy: just list the combinations of transactions that cause risks.
   - Object level is more difficult because of the many objects and values that can be involved.
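Item 6's transaction-level matrix, as an added example that is not from the presentation: each rule lists a combination of transactions, and a user is flagged when the union of their roles contains the whole combination, including the case where no single role does. The rules, role names and assignments are constructed for illustration; ME51, ME54, F-43 and FB03 appear in the slides, while FK01 and F-53 are standard SAP transaction codes the slides do not mention.

```python
# Added example: transaction-level SoD matrix check over constructed data.

# Constructed risk matrix: transactions one user should not hold together.
SOD_RULES = {
    "R01 create and release purchase requisition": {"ME51", "ME54"},
    "R02 maintain vendor and enter vendor invoice": {"FK01", "F-43"},
    "R03 enter vendor invoice and post payment": {"F-43", "F-53"},
}

# Constructed role design (role -> transactions in its menu).
ROLES = {
    "Z_REQUISITIONER": {"ME51"},
    "Z_REQ_APPROVER": {"ME54"},
    "Z_AP_INVOICE": {"F-43", "FB03"},
    "Z_AP_PAYMENT": {"F-53", "FB03"},
    "Z_VENDOR_MASTER": {"FK01"},
}

# Constructed assignments (user -> roles).
USER_ROLES = {
    "KAREN": ["Z_REQUISITIONER"],
    "SUSAN": ["Z_REQUISITIONER", "Z_REQ_APPROVER"],
    "JOHN": ["Z_AP_INVOICE", "Z_AP_PAYMENT", "Z_VENDOR_MASTER"],
}


def tcode_sources(user_roles, roles):
    """Map each transaction a user can start to the roles that grant it."""
    sources = {}
    for role in user_roles:
        for tcode in roles.get(role, set()):
            sources.setdefault(tcode, set()).add(role)
    return sources


def find_violations(assignments, roles, rules):
    """Return (user, rule, {tcode: granting roles}) for each rule fully held."""
    hits = []
    for user in sorted(assignments):
        sources = tcode_sources(assignments[user], roles)
        for rule in sorted(rules):
            if rules[rule].issubset(sources):
                detail = {t: sorted(sources[t]) for t in sorted(rules[rule])}
                hits.append((user, rule, detail))
    return hits


def role_level_violations(roles, rules):
    """Rules violated inside one role, i.e. a role that is unsafe by itself."""
    return [(r, rule) for r in sorted(roles) for rule in sorted(rules)
            if rules[rule].issubset(roles[r])]


if __name__ == "__main__":
    for user, rule, detail in find_violations(USER_ROLES, ROLES, SOD_RULES):
        print(user, "|", rule, "|", detail)
```

The per-transaction role list in each hit shows which assignment to remove or which mitigating control to document.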

Finding Risks in the Finance Environment Segregation of Duties (continued)

Finding Risks in the Finance Environment
- Any questions?
- Let’s move to the 5th part of our agenda items

Tools for Analysis
SAP – what it offers:
1. SUIM: User Information System
   - Critical Combinations of Authorizations at Transaction Start
   - Lists of Users with Critical Authorizations
   - Other reports also
2. AIS: Audit Information System
   - Several system audit reports
   - Limited analysis capabilities

Why we selected VIRSA
1. Real time SOD Analysis on live data
2. Real time Simulation on live data (ongoing compliance)
3. Responsive to our needs (Supplementary SOD Analysis)
4. User friendly & powerful reporting (precise information)
5. Eliminates false errors
6. Documentation of Mitigating Controls
7. Positive feedback from other customers

About VIRSA
VIRSA Systems, Inc.
1. SAP Security Company with 100% focus on providing SAP Security & Controls products & solutions.
2. VIRSA’s Products and Solutions:
   - VIRSA Risk Assessment Tool (VRAT)
   - VIRSA Role Management Tool (VRMT)
   - VIRSA Fire Fighting Tool (VFAT)
   - VIRSA Risk Assessment Service (VRAS)
   - Complete Security Redesign
3. VIRSA Security and controls training and workshops

VIRSA Features
1. VRAT Key Features:
   - Designed for Auditors, Security & Controls Team, Business Process Owners
   - Real Time Online SOD Analysis/Reporting at both Trans. Code and Auth. Object level
   - Automated Simulation & Remote Simulation on live data
   - Intuitive Interface & ALV Drill Down Reports
   - Rule building/upgrading automation (add-on)
   - Supplementary SOD Analysis (e.g. USR05)
   - VRAT Tool Box (Complimentary SOD Reports/Utilities)
   - Monitoring of actual execution of Conflicting Transactions (New Release)
   - HR & BW Specific functionality (Future Release)
   - Custom default settings, can link custom reports to VRAT Tool Box

Copyright © 2003 Americas’ SAP Users’ Group Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: 1607