Big4Guy
Big4GuyWelcome to Big4Guy.com. Big4Guy is an online resource where I will share with you the latest news, insights, knowledge and some experiences as a Big 4 consultant. We will discuss some of the important issues which organisations are facing today in the areas of information security, security and controls in SAP R/3, Oracle Applications, J.D.Edwards, Peoplesoft and various other ERP's. You will also find information on latest complaince regulations like Sarbanes Oxley, Basel II and so on. Big4guy will also attempt to provide valuable resources for individuals interested in examinations the CISA, CISM, CISSP, PMP and various other security certifications considered essential for entry in any Big 4 accounting, auditing and consulting firms. You are invited to post your comments and viewpoints to posts here. I sincerely hope this online journal will be useful to everyone from a budding student to a professional in the accounting, auditing, management and consultancy professions.
|
Post details: Auditing SAP R3 Customized Programs Reports Y and Z Transactions
07/13/06
Auditing SAP R3 Customized Programs Reports Y and Z Transactions
Almost every SAP R/3 implementation I have reviewed, I have found companies using customized transactions. Though SAP R/3 includes all basic functionalities expected of an ERP, customized transactions may be needed to serve a business specific requirement. Customized transactions in SAP R/3 are popularly known as "Y" or "Z" transactions. My topic
for discussion revolves around how to audit customized Y and Z transactions in SAP. What are the things that you should look for as a SAP auditor in customized transactions.
SAP auditors can find a listing of all customized Y and Z transactions through the menu path below or through transaction SA38.
Menu Path >> system >> Services >> Reporting
You will reach the screens shown below. Here to find all programs i.e. customized transactions beginning with "Y" and "Z", simply enter "YA" in the field from and "ZZ" in the field to. You will get a listing of all customized programs within SAP. Once you have the listing check the following. Note that I have written the tests from a SAP security
perspective.
1. Customized Transaction Title - As an SAP auditor, the first thing you should check is that all custom programs have sufficiently descriptive titles stating the purpose of the program. Any missing title descriptions should be reported.
2. Test Transactions - Next, click on the binocular button and make a search for terms like "TST" or "TEST". Ideally, there should not be any customized Y or Z transactions in the production environment. Test programs Y and Z lying in production environment should be removed.
3. Critical Customized Transactions - SAP Cutomized transactions which are used to execute critical functions like deleting codes, other programs etc pose another security risk. SAP auditors can find such programs using terms like "DEL", "DELETE" or "REMOVE". Such programs
are normally are the ones which need to be removed from SAP before Go Live but have been overlooked. Apart form these, other programs which look conspicous / attract attention like ones with exclamation marks !, question marks ?, should also be investigated by R/3 auditors.
Related Posts
SAP Audit Information system AIS
Defining Password Rules in SAP R/3
SAP BIW BEx Analyzer Concepts
BOM Bill of Material in SAP PP
Comments:
No Comments for this post yet...
Categories
Archives
Search
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
|---|---|---|---|---|---|---|
| << < | > >> | |||||
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | |||||
Misc
All content copyright © 2005-2008
Big4Guy.com
Do not reproduce either in part or full without the express permission of the
Webmaster
