
SAP Audit Guide for Financial Accounting

This audit guide is designed to assist the review of financial
reporting processes that rely upon automated functions in SAP
systems. The specific areas examined in this guide are relevant
configurables, transactions, authorizations and reports in the
General Ledger (GL), Asset Accounting (AA) and Bank Accounting
(BA) components of the SAP Financial Accounting module.

The guide provides instructions for assessing SAP application-level
controls in the following areas of financial statement audits:

  Reporting Structure
  Chart of Accounts
  Journal Entry Posting
  Period End Close
  Foreign Currency Translation
  Inter-company Transactions
  Asset Management and Reporting
  Cash Management

The guide is delivered using clear, non-technical terms to enable
financial and operational auditors to successfully navigate the
complexities of SAP security. Other volumes of this guide deal with
SAP controls in areas such as Revenue, Inventory, Expenditure, Human
Resources and Basis.

Reporting Structure
The financial reporting structure in SAP is determined
by the organization of reporting units known as
company codes. There can be multiple company
codes within organizations with each code
corresponding to a unique economic entity.


Reporting entities in differing countries should have unique company
codes since they may be subject to divergent accounting and tax
requirements. Each company code has one domestic currency and up to
two additional currencies to support financial reporting in multiple
currencies.
Company codes must be set to productive to prevent the deletion of
transactional data. This can be verified through transaction code
OBR3 or table T001 through transaction SE16.

The company code structure should correspond to the legal reporting
requirements of the company under review. The appropriateness of the
structure should be reviewed through the menu path IMG> Enterprise
Structure> Financial Accounting> Define Company, transaction OX15 or
table T880 (note that the IMG can be accessed through transaction
SPRO).
Relevant global parameters in the IMG should also be reviewed. These
include areas such as Country Keys, Currencies, Controlling Areas,
Credit Control Areas, Fiscal Year Variants, Sales and Purchasing
Organisations, Business Areas and Plants, and Cost and Profit Centers
(IMG> Enterprise Structure> Financial Accounting> Global Settings>
Company Code> Global Parameters).
Access to transactions such as OX02 (edit company code) and EC01
(copy, delete and check company code) and the client configuration
table T001 should be based on role requirements. Other critical
transaction codes are listed in Table A.

TRANSACTION     DESCRIPTION
OB37            Assign Company Code to a Fiscal Year Variant
OBB9            Assign Posting Period Variants to Company Code
OKBD            Define Functional Area
OX03            Define Business Area
FM_FUNCTION     Define Functional Area
OX06            Maintain Controlling Area
KEP8            Create Operating Concern
OX16            Assign Company Code to Company
OB38            Assign Company Code to Credit Control Area
OF18            Assign Company Code to Financial Management Area
OX19            Assign Company Code to Controlling Area
OX18            Assign Plant to Company Code
OVX3            Assign Sales Organization to Company Code
OX01            Assign Purchasing Organization to Company Code
OH05            Assignment of Personnel Area to Company Code
OBB5            Cross-System Company Codes
OBY6            Enter Global Parameters

Table A: Company Code Transactions

Chart of Accounts
The chart of accounts is the container for General Ledger (GL)
accounts and the basis for journal entry posting and financial
reporting. A chart of accounts can be company code specific or cover
multiple companies in a single SAP client. GL accounts are assigned
to specific groups determined by account type. The field status for
account information and the numbering interval is determined at the
group level.

The configuration of all or a sample of account groups should be
reviewed to assess which fields are required, optional, displayed or
suppressed during the creation of a new account and to ensure that
account numbering follows a logical and consistent policy. This can
be performed through the menu path General Ledger Accounting> G/L
Accounts> Master Data> Preparations> Define Account Group or
transaction OBD4.
The structure of the chart of accounts should also be reviewed
through transaction FSP3 to assess account groupings and identify
the appropriate use of control accounts for AP and AR. The latter
are known as reconciliation accounts and are updated automatically.
In other words, SAP does not allow manual journal postings against
such accounts. This can be performed through transactions KALE and
OK17.

Changes to the chart of accounts should be identified
through report RFSABL00, accessible through transaction
SA38. Alternatively, changes can be isolated through
transactions FS04, FSP4 and FSS4. A sample of changes
should be examined for evidence of approval,
documentation and testing.
Access to SAP functions that enable users to create,
modify or delete GL accounts should be restricted and
based on business need. This should include transactions
in Table B with authorization objects F_SKA1_KTP and
F_SKA1_BUK and activity levels 01 (create), 02 (change),
05 (block) or 06 (mark for deletion).

TRANSACTION     DESCRIPTION
FS01            Create Master Record
FS02            Change Master Record
FS00            G/L Acct Master Record Maintenance
FS05            Block Master Record
FS06            Mark Master Record for Deletion
FSS1            Create Master Record in Company Code
FSS2            Change Master Record in Company Code
FSP0            G/L Acct Master Record in Chart/Accts
FSP1            Create G/L Acct Master Record in Chart/Accts
FSP2            Change G/L Acct Master Record in Chart/Accts
FSP5            Block Master Record in Chart/Accts
FSP6            Mark Master Record for Deletion in Chart/Accts

Table B: GL Account Transactions

Journal Entry Posting
SAP is preconfigured with hundreds of document types for purchase
orders, customer invoices, goods receipts and many other
transactions. Each document type has a unique 2 or 3 letter
identifier and a specific numbering range. Particular attention
should be paid to the GL account assignments for SAP documents since
transactional data is automatically posted by the system based on
the assignments defined in the system configuration. These should be
reviewed through transactions OBA7 (Define Document Types) and OB41
(Posting Keys). Samples selected for review should include custom
documents, which are more likely to have assignment errors than
standard SAP documents.
Monetary limits for journal entries, cash discounts, payment
or receipts differences should be defined for document
types. These can vary by company code and employee
group. Tolerance levels should be reviewed through
transactions OBA4 and OB57. This should include clearing
procedures for critical accounts such as GR/IR.
SAP should also be configured to control posting to prior
periods even though the system is capable of keeping
open multiple periods at the same time. This is performed
through rules defined in Posting Period Variants, part of the
Financial Accounting Global Settings. Note that back
posting settings in Logistics can also be configured to allow
posting to prior periods. Both of these areas should be
reviewed in the IMG.
SAP Business Workflow is used by many companies to
review values and account assignments prior to posting
journal entries. If enabled, the relevant settings for workflow
variants, company codes, and approval paths and groups
should be examined under Financial Accounting Global
Settings> Document> Document Parking. This should
include a review of fields that would cause a release to be
revoked if changed after approval, which would lead to the
restart of the release procedure.
BusinessObjects Planning and Consolidation (BPC) and
BusinessOne should be configured to block unbalanced
journal entries. In the former, this can be verified through
the JRN_BALANCE parameter. The parameter should be
set to 1 (Journals need to be balanced). The default value is
0 (Journals need not be balanced). In the latter, the field for
Block Unbalanced Journal Entry should be checked in
Administration> System Initialization> Document Settings>
Journal Entry.

The ability to create, change, delete and reverse journal
entries should be restricted to authorized employees. This
includes transactions in Table C with authorization objects
with the prefix F_BKPF_ and suffix BUK, KOA, GSB, and
BLA and activity levels 01 (create/ enter), 02 (change), 06
(delete) and 77 (pre-enter/ park).

TRANSACTION     DESCRIPTION
FB08            Reverse Document
FB02/ FB09      Change Document
FBL4            Change G/L Account Line Items
F-03/ FB1S      Clear G/L Account
F-02            Enter G/L Account Posting
FBV1            Park Document
F-21/ F-42      Enter Transfer Posting
FBV2            Change Parked Document
FB01/ FBR2      Post Document
FBV4            Change Parked Document Header
FB05            Post with Clearing
FB11            Post Held Document
FBD1            Enter Recurring Entry
FB21            Enter Statistical Posting
FBD2            Change Recurring Entry
FB50            G/L Account Posting
F.14            Execute Recurring Entry
FBV0/ FBVB      Post Parked Document
F.56            Delete Recurring Entry
FBR1            Post with Reference Document
F.81            Reverse Accrual Deferral Document
F.80            Mass Reversal of Documents

Table C: Journal Entry Transactions
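As an added example (not part of the original guide), the following Python script applies the access checks described for Tables B and C to constructed extracts of SAP role authorization data, shaped like tables AGR_1251 (role authorization values) and AGR_USERS (user-role assignments); the column names, role names and users are assumptions. It reports which users hold the critical activity levels for the F_SKA1_* and F_BKPF_* authorization objects, expanding LOW-HIGH ranges and the '*' wildcard that a simple text search for "01" would miss.

```python
"""Flag SAP users whose roles grant the critical activity levels in Tables B
and C. Input: constructed extracts shaped like AGR_1251 and AGR_USERS."""
import csv
import io

# Critical activities per authorization object, as named in the guide.
JE_ACTS = {"01", "02", "06", "77"}  # journal entries: create, change, delete, park
GL_ACTS = {"01", "02", "05", "06"}  # GL master: create, change, block, mark delete
CRITICAL = {"F_SKA1_KTP": GL_ACTS, "F_SKA1_BUK": GL_ACTS,
            **{f"F_BKPF_{s}": JE_ACTS for s in ("BUK", "KOA", "GSB", "BLA")}}

# Constructed sample extracts; role names, users and column names are assumptions.
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_GL_DISPLAY,F_SKA1_BUK,ACTVT,03,
Z_GL_DISPLAY,F_SKA1_BUK,BUKRS,*,
Z_GL_MAINTAIN,F_SKA1_KTP,ACTVT,01,02
Z_GL_MAINTAIN,F_SKA1_KTP,KTOPL,INT,
Z_FI_SUPER,F_BKPF_BUK,ACTVT,*,
Z_FI_SUPER,F_BKPF_BUK,BUKRS,1000,
Z_FI_PARK,F_BKPF_BUK,ACTVT,77,
Z_FI_PARK,F_BKPF_BUK,ACTVT,03,
"""
AGR_USERS = """UNAME,AGR_NAME
JSMITH,Z_GL_DISPLAY
JSMITH,Z_FI_PARK
ACLERK,Z_GL_MAINTAIN
ACLERK,Z_FI_SUPER
"""

def expand_actvt(low, high):
    """Expand one ACTVT value (single value, LOW-HIGH range, or '*') to a set."""
    if low == "*":  # full wildcard covers every numeric activity code
        return {f"{n:02d}" for n in range(100)}
    if high:  # numeric range, e.g. LOW=01 HIGH=02
        return {f"{n:02d}" for n in range(int(low), int(high) + 1)}
    return {low}

def role_critical_grants(agr_1251):
    """Map role -> object -> set of critical activities the role grants."""
    grants = {}
    for row in csv.DictReader(io.StringIO(agr_1251)):
        obj = row["OBJECT"]
        if obj not in CRITICAL or row["FIELD"] != "ACTVT":
            continue
        hit = expand_actvt(row["LOW"], row["HIGH"]) & CRITICAL[obj]
        if hit:
            grants.setdefault(row["AGR_NAME"], {}).setdefault(obj, set()).update(hit)
    return grants

def users_with_critical_access(agr_1251, agr_users):
    """Join role grants to users: {user: {object: sorted critical activities}}."""
    found = {}
    role_grants = role_critical_grants(agr_1251)
    for row in csv.DictReader(io.StringIO(agr_users)):
        for obj, acts in role_grants.get(row["AGR_NAME"], {}).items():
            found.setdefault(row["UNAME"], {}).setdefault(obj, set()).update(acts)
    return {u: {o: sorted(a) for o, a in objs.items()} for u, objs in found.items()}

if __name__ == "__main__":
    print(users_with_critical_access(AGR_1251, AGR_USERS))
```

On the sample data the display-only role is silent, the parking role surfaces activity 77, and the wildcard role surfaces every critical journal entry activity.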

Period End Close
The period end close process extends across many
different SAP applications including SD, MM and PP.
However, the majority of steps are performed within the FI
and CO area. Audit procedures for the process should be
tuned for each specific client since the process varies
between organisations. As a guide, Table D lists the SAP
transactions commonly used during the period end close
process in sequential order.

TRANSACTION         DESCRIPTION
S_BCE_68000174      Update Exchange Rates
VL10/ VL10A         Ensure Movements are complete
MIRO                Record Purchase Order related AP
MRBR                Release Blocked Invoices
VFX3                Release Billing Documents for Accounting
FBD1                Enter Recurring Document
F-03                Manual Clearing General Ledger
F-32                Manual Clearing Accounts Receivable
F-44                Manual Clearing Accounts Payable
FB50                Post Adjustment Entries
FAGL_FC_VAL         Foreign Currency Revaluation
AIAB                Order Settlement (Asset Under Construction)
AFAB                Depreciation Run
ASKBN               Periodic Asset Posting
FB50                Automatic GR/IR Clearing
KSA3                Accrual Calculation
MRN0                Stock Valuation
CK11N               Inventory costing
CK24                Price Update
FB50                Stock value adjustment
MMPV                Open Period for Material Master Records
OB52                Open and Close Posting Periods
CJ8G                Calculation of Work In Process (WIP)
KKS1                Prod. and Process Order Variance Calculation
ENGR                Create Intrastat / Extrastat periodic declaration
S_ALR_87012357      Advance Return for Tax on Sales/ Purchases
FB41                Post Tax Payable
F.52                Balance Interest Calculation
CO88                Settlement PP Order
CO02                PP Order (close)
S_ALR_87012289      Compact Document Journal
S_ALR_87012287      Document Journal
FF7A                Cash Position & Liquidity Forecast
OB52                Open and Close Posting Periods
KE30                Run Profitability Report
S_ALR_87012284      Financial Statements
S_ALR_87005830      Controlling Maintain Versions
CK40N               Costing Run
S_ALR_87008275      Define Percentage Overhead (actual)
AFAR                Recalculating Values
ABST2               Account Reconciliation
AJRW                Fiscal Year Change
AJAB                Year-end closing Asset Accounting
F.07                Carry Forward AP/AR Balances
FAGLGVTR            Carry Forward GL Balances
FAGLF101            Regrouping Receivables/Payable
F.17                Balance Confirmation Receivable
F.18                Balance Confirmation Payable
OB52                Close previous account period
S_ALR_87012284      Financial Statements
S_ALR_87012287      Document Journal

Table D: Period End Close Transactions

Together with the transactions listed in Table D, user access to SAP
functions that control the opening and closing of financial periods
should be tightly controlled. This should include transaction OB52
(opening and closing FI posting periods) and OBBP (define variants
for open posting periods) with authorization object S_TABU_DIS and
activity level 02 (change).

Asset Management and Reporting

The Financial Accounting Asset Accounting (FI-AA) component is
responsible for managing fixed assets in SAP ERP. It serves as a
subsidiary ledger to the FI GL, providing detailed information on
transactions involving fixed assets. AA integrates directly with
other FI components such as Materials Management (MM) and Plant
Maintenance (PM) and manages assets reporting from acquisition to
disposal or retirement. The component also tracks, depreciates and
reports upon leased assets and assets under construction.
Asset classes in SAP should be configured in line with
country-specific requirements. Therefore, asset classes
and the associated descriptions should be reviewed
through transaction OAOA (define asset classes).
Depreciation keys should be defined for each asset class.
The keys define the rules for calculating depreciation such
as straight line or declining balance. They also control the
useful life of assets. Auditors should review the
configuration of all or a sample of depreciation keys
through transaction AFAMA (View Maint. for Deprec. Key
Method). Depreciation postings can be reviewed through
transactions AFBP and AR25. Transaction ABST displays
the reconciliation between asset accounting and the
general ledger.
If the SAP Project System (PS) is operating alongside FI-AA, the
relevant availability controls should be reviewed in
PS. These regulate the thresholds for asset acquisitions in
excess of approved, budgeted amounts which, if
configured correctly, can be blocked altogether. This can
be performed through transaction OPS9 and the menu
path IMG> Project System> Costs> Budget> Define
Tolerance Limits.
An audit of FI-AA should include a review of user access to
transaction codes that provide the ability to change AA
master data including asset groups and depreciation
tables, as well as acquire, depreciate and dispose fixed
assets. These are listed in Table E. The review should
focus on authorization objects A_A_VIEW, A_S_ANLKL,
A_B_BWART, F_BKPF_BUK, A_S_ANLGR, A_PERI_BUK,
S_BDC_MONI, or A_C_AFAPL with activity levels 01, 02
and 06.

TRANSACTION     DESCRIPTION
AS01            Create an Asset
AS02            Modify Asset
AS05            Block Asset Master Record
AS06            Delete Asset
ABZE            Acquisition from in-house production
ABZK            Acquisition from purchase w. vendor
F-90            Acquisition w/ Vendor
ABZV            Acquisition from clearing Account
ABZP            Asset Acquisition from affiliated company
AS21            Create an asset group
AS22            Modify Asset
AS25            Block group asset
AS26            Delete an asset group
ABZU            Asset write-up
ABZS            Asset write-up
ABMA            Asset manually depreciate
AFAB/ AFABN     Post depreciation
ABAV/ ABAVN     Retire by scrapping
ABAO/ ABAON     Asset Sale Without Customer
ABAD            Asset Retire from Sale with Customer
ABANK           Retire with cost
AR31            Asset mass retirement
OAP1            Create chart of depreciation
OA52            Close previous account period
OAP2            Change chart of depreciation

Table E: Asset Accounting Transactions

Foreign Currency Translation
Foreign currency exchange ratios and rates are maintained through
transactions OBBS and OB08. The underlying tables should be reviewed
through these transactions to ensure that ratios and rates are
regularly and accurately updated.
SAP provides a variety of valuation methods and even provides an
option to create custom methods. Custom valuations should be
identified and examined very closely. This can be performed through
transaction OB59 (foreign currency valuation methods).
Automatic postings for foreign currency valuations should be
analyzed via transaction OBA1. The assigned accounts are used to
record realized/ unrealized gains and losses. This should be followed
by a review of foreign currency rounding rules in transaction OB90.

Inter-Company Transactions
Inter-company reconciliation is often a bottleneck in the financial
close process. As a result, some SAP clients have migrated to the
Web-based BusinessObjects Intercompany application. This
significantly improves the speed and accuracy of identifying,
matching and eliminating related party transactions. However, the
majority of organizations continue to rely upon a manual process.
Related parties are treated as trading partners in SAP and are
defined through IMG > Enterprise Structure > Definition > Financial
Accounting > Define Company. Once configured, SAP will post documents
such as invoices, payments, receipts and asset transfers between
related parties to designated inter-company accounts. Inter-company
clearing accounts should be identified using transaction OBYA. All
such accounts should be reviewed against the relevant financial
statement assertions.

Cash Management
Cash Management (CM) is a component of SAP TR that is used to
monitor payment flows and safeguard liquidity. This component is
used to perform bank reconciliations and therefore should be a
crucial element of an SAP financial audit. Management should
regularly review reports FF.6, FF67, FF7A and FF68 to monitor cash
transactions and ensure bank deposits and payments are reflected in
the relevant GL accounts. Note that FF67 can be used to import and
process bank statements in SAP.
Changes to banking master data should be identified through
transaction FI04 or report RFBKABL0 and traced to supporting
documents to test for authorization, accuracy and completeness.
Also, access to critical CM transactions should be reviewed,
including those listed in Table F, focusing on authorization objects
F_BNKA_BUK, S_TABU_DIS, F_BNKA_MAN, F_FEBB_BUK, S_GUI, F_BKPF_BES,
F_BKPF_GSB, F_FDES_BUK, F_REGU_BUK, F_REGU_KOA, or F_PAYR_BUK with
activity levels 01, 02, 06 and 17.

TRANSACTION     DESCRIPTION
FI12            Change House Banks/Bank Accounts
FI01            Change Master Record
FI02            Change Bank
FI06            Set Flag to Delete Bank
FF67            Manual Bank Statement
FF_5            Import Electronic Bank Statement
FEBA            Post-process Electronic Bank Statement
FLB2            Import Lockbox Data
FLB1            Post-processing Lockbox Data
F-28            Incoming Payments
FB05            Post payment with clearing
FRFT            Set Up Repetitive Wire
FI10            Parameters for Automatic Payment
FF/4            Import electronic check deposit list
FFB4            Import electronic check deposit list
FF/5            Post electronic check deposit list
FFB5            Post electronic check deposit list
FF68            Manual Check Deposit Transaction
FCHG            Reset cashing/extract data
FF63            Create Planning Memo Record
FCHX            Check Extract Creation
FCHG            Delete cashing/extract data

Table F: Cash Management Transactions

Layer Seven Security empowers organisations to realize the potential
of SAP systems. We serve customers worldwide to secure systems from
cyber threats. We take an integrated approach to build layered
controls for defense in depth.

Address
Westbury Corporate Centre
Suite 101
2275 Upper Middle Road
Oakville, Ontario
L6H 0C3, Canada

Web
www.layersevensecurity.com
Email
info@layersevensecurity.com
Telephone
1 888 995 0993

Copyright Layer Seven Security 2012 - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written
permission of Layer Seven Security.
Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the
information presented, but the professional staff of Layer Seven Security makes every reasonable
effort to present the most reliable information available to it and to meet or exceed any applicable
industry standards.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. Business Objects and the Business Objects logo,
BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business
Objects products and services mentioned herein are trademarks or registered trademarks of Business
Objects in the United States and/or other countries.
