For many companies using SAP (if not all of them) it is absolutely normal to 'undergo' inspections by external entities, especially for the auditing of balance sheet data.
A common practice is to give the auditors access to everything, and from the perspective of maximum transparency that can certainly make sense. But is it possible to evaluate or reason differently?
Financial Audit
For example, in the case of a financial audit or a financial statement audit (Financial Audit), third-party companies must have access to the company's information system to view financial data.
What authorizations must be provided during an audit?
In the case of SAP systems, where it is possible, especially in the ERP system, to define authorizations (and thus technical permissions) very precisely, there can be multiple ways.
Clearly it is also necessary to assess what type of audit is being conducted. Are we talking about an IT audit (perhaps to audit ITGC controls) or a business audit? Or even other types of audits, e.g. GxP, etc.?
From the most permissive to the most stringent:
- I enable everything (similar to SAP_ALL)
- I enable everything in view-only (is there a view-only role in SAP?)
- I enable everything in view-only but only on certain areas
- I enable individual features (SAP transactions) by segregating them for certain aspects
Some aspects and reasoning of this type could also apply to different scenarios such as, for example, system carve-outs.
But is it possible to segregate SAP data by fiscal years?
This specific scenario could be addressed by a specific German regulation (the German tax reduction law, StSenkG). The "translation" of the regulation into SAP is described in section 5 of a document produced by the German SAP user group (DSAG), i.e., it shows how to implement it in SAP.
The document, however, is no longer accessible on the German DSAG group's site.
But the description of the feature can still be found on the SAP Help site.
This feature is therefore designed to segregate access for auditors (a limited number of users) and only on certain activities, so it may not be applicable in all such cases.
What are the steps to test it?
- Add one or more users to a group (via the TPC2 transaction)
- Add the programs to be audited
- Add the financial period
- Then try to execute a transaction related to the programs above (even with SAP_ALL) for a period other than the authorized one (e.g., year 2015)
A specific error is shown, unlike the query made on year 2017, where the various information can be retrieved.
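To make the decision logic of the test above concrete, here is an added Python model (not SAP code, and not taken from the post) of the three configuration objects and the period check they produce; user, program and date values are constructed for the example, and the real SAP implementation is assumed to behave as the post describes.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed model of the three maintenance steps in the post: users in an
# auditor group, the programs to be audited, and the authorized financial
# period. Names and dates are invented for this example.
@dataclass
class PeriodCheckConfig:
    audit_users: set[str]        # step 1: users placed in the auditor group
    audited_programs: set[str]   # step 2: programs subject to the check
    period_from: date            # step 3: authorized financial period
    period_to: date
    denials: list[str] = field(default_factory=list)  # trail of blocked calls

    def check(self, user: str, program: str, posting_date: date,
              has_sap_all: bool = False) -> tuple[bool, str]:
        """Return (allowed, reason) for one program call.

        The period check only ever denies, and it is evaluated even when the
        user holds SAP_ALL, so has_sap_all never grants a bypass. Users outside
        the group and programs outside the list fall through to the ordinary
        authorization concept (modelled here simply as 'allowed').
        """
        if user not in self.audit_users:
            return True, "user not in auditor group: ordinary checks only"
        if program not in self.audited_programs:
            return True, "program not registered for the period check"
        if self.period_from <= posting_date <= self.period_to:
            return True, f"{posting_date.year} inside authorized period"
        msg = (f"DENIED user={user} program={program} date={posting_date} "
               f"authorized={self.period_from}..{self.period_to} "
               f"SAP_ALL={has_sap_all}")
        self.denials.append(msg)  # worth forwarding to the security log
        return False, msg


def run_scenario() -> dict[str, bool]:
    """Replays the post's test: 2017 is readable, 2015 is blocked."""
    cfg = PeriodCheckConfig(audit_users={"AUDITOR1"},
                            audited_programs={"ZFI_BALANCE"},  # constructed
                            period_from=date(2017, 1, 1),
                            period_to=date(2017, 12, 31))
    y15, y17 = date(2015, 6, 30), date(2017, 6, 30)
    results = {
        "auditor_2017": cfg.check("AUDITOR1", "ZFI_BALANCE", y17, True)[0],
        "auditor_2015": cfg.check("AUDITOR1", "ZFI_BALANCE", y15, True)[0],
        "auditor_other_program": cfg.check("AUDITOR1", "ZFI_OTHER", y15)[0],
        "internal_user_2015": cfg.check("ACCOUNTANT", "ZFI_BALANCE", y15)[0],
        "one_denial_logged": len(cfg.denials) == 1,
    }
    return results
```

Note that the model also shows the limitation stated in the post: only users in the group and only registered programs are affected, so any report not added in the second step remains readable for every year.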
For further information, consult the following OSS notes:
- 445148 - Access by tax authorities to stored data
- 788313 - Tax reduction law: Authorization check for customer-specific reports
The aspects related to budget certification require that the technical configuration logic of the system (e.g., roles, profiles, authorizations, and configurations) also be handled correctly.
Conclusions
How applicable might this functionality really be in contexts other than the countries covered by the legislation? Probably not much, although it is relevant to a small group of users (primarily that of external auditors).