SAP R/3 Basics

High-Risk Areas in the SAP R/3 Infrastructure and How to Mitigate Them

Seminar Focus and Features

This intensive, four-day seminar is designed for technical auditors charged with auditing the infrastructure of the SAP R/3 system, and focuses on the control challenges inherent in implementing and managing an on-line and e-commerce SAP R/3 environment using the Basis Module. You will cover releases up to and beyond 4.6, including the e-commerce connections using BAPIs and the Internet Transaction Server (ITS). You will explore the audit and security control concerns surrounding B2B and e-commerce solutions integrated into and coexisting with the core SAP architecture, and gain a detailed understanding of the Basis Module and its many parts. You will examine SAP R/3 transaction processing for both Internet and direct on-line processing, and review key master records, transactions, reports, and administration functions according to authorization/user profiles/activity groups. You will investigate authentication, authorization, and accountability controls and settings, and learn the module's default settings, dictionary definition controls, programming RPCs, RFCs, user exits, BAPI tools, and controlling mechanisms. You will detail user controls, administrative tools, and their impact on a secure, controlled operating environment, as well as set up administration system access rights for users and the Basis administration team.

Prerequisite: You should have first attended SAP R/3 Concepts and Audit Risks, or have equivalent on-the-job experience.

Learning Level: Advanced

Who Should Attend

Experienced Information Technology Auditors; Quality Assurance Personnel; Systems Programmers and Analysts; Audit Managers; Database and System Administrators

What You Will Learn

1. SAP R/3 Fundamentals Review
- overall architecture
- direct transaction process
- Internet transaction process
- e-commerce solutions
- MySAP.com
- B2B solutions
- SAP R/3 terms
- system architecture
- technical architecture
- Internet Transaction Server (ITS)
- audit and security features in the new releases

2. SAP R/3 Basis System
- definition of the role of the Basis module
- definition of the various Basis objects
- configuration settings for Basis
- program controls: authentication, defaults, transaction
- standard profiles
- activity groups
- standard authorization
- SAP R/3 object definitions
- data dictionary control and maintenance
- ABAP/4 programming controls
- processing types
- object and component programming: Remote Function Calls (RFCs), Remote Procedure Calls (RPCs), User Exits, CPIC

3. Understanding SAP R/3 Communications
- key objects
- key processes
  -- IDOCs
  -- CPIC
  -- ITS
  -- ALE
  -- background processes
  -- batch processes
  -- EDI transaction control
  -- network controls
  -- middleware controls
  -- remote communication controls
- audit trails

4. SAP R/3 Records
- user master
- customer
- vendor
- other key master records
- table maintenance controls

5. Auditing Standards
- user access
- profile changes
- activity groups and profile generator
- authorization change
- user administration changes
- transaction trails
- document trails
- log files
- archiving
- SAP R/3 system logs
- SAP R/3 application logs
- operating logs
- operating system audit capability
- operating system audit logs
- database systems
- DBMS logs
- DBMS audit logs
- transaction logs
- user logs
- transaction type logs
- activity logs
- SAP R/3 audit tools and techniques
- workflow

6. SAP R/3 Administration
- system and database administration
- security administration: user, profile, authorization
- Basis administration

7. Internet Transaction Server
- definition
- e-commerce solution
- MySAP.com
- transaction controls
- BAPIs
- program control
- database controls
- B2B solutions
- data integration between solution sets
- risk and control points

8. Real-World Solutions to SAP R/3 Audit and Control
- special rights and access: OS, DBMS, and application systems rights
- configuration and set-up problems and controls
- system administration and segregation of duties
- development rights
  -- access building for SAP R/3
  -- business objects
  -- interface adviser

9. Correction and Transport System Control
- platform separation
- configuring CTS
- correction process
- transport process
- version control
- delta control
- audit logs
- authorization process
- table reporting
- emergency fixes
- testing approach
- test decking
- integrated testing facility

10. An Audit Approach
- auditing the system tiers: workstation, network, operating system, network system, interface system, and remote system security
- auditing the infrastructure
- evaluating audit trails
- auditing the Basis Module: access, transaction, table, program, batch, and output controls
- conversion controls
- system implementation
- audit approach: user, transaction, profile, activity group, and object audits