
SAP Audit Reasoning

Good Morning,

I have a question for anyone in regards to SAP Audit books and the list of tables it supplies. I recently took a job as Internal Controls. I was asked to find out if we are logging the following list of tables:

| Table Name | Description |
|---|---|
| X-DD02V | List of tables and descriptions |
| SREPOATH | ABAP program and authorization groups |
| X-T000 | Clients |
| T001 | Company codes |
| T001B | Fiscal periods for company codes |
| TACT | Activities that can be protected |
| TACTT | Activities that can be protected, with descriptions |
| X-TACTZ | Authorization objects and valid activities |
| X-TBRG | Authorization objects and authorization groups |
| X-TBRGT | Authorization objects and authorization groups, with descriptions |
| TCURR | Foreign currency exchange rates |
| X-TDDAT | Table authorization groups |
| X-TOBJ | Authorization objects |
| X-TOBJT | Authorization objects and descriptions |
| X-TOBC | Authorization object class |
| X-TOBCT | Authorization object class, with description |
| TPGP | ABAP program authorization groups |
| X-TRDIR | ABAP program and authorization group |
| X-TSTC | Transaction listing |
| X-TSTCA | Values for transaction code authorizations |
| X-TSTCT | Transactions with description |
| X-TCESYST | Correction and transport system configuration tables |
| X-TASYS | Correction and transport system configuration tables |
| X-TDEVC | Correction and transport system configuration tables |
| USR01 | User Master Records |
| USR02 | User ID and passwords |
| USR03 | User address data |
| USR04 | User master authorizations |
| USR05 | User master parameter ID |
| USR06 | Additional data per user |
| USR07 | Objects/values of last failed authority check |
| USR08 | Table for user menu entries |
| USR09 | Entries for user menus (work areas) |
| USR10 | User master authorization profiles |
| USR11 | User master profiles and descriptions (for USR10) |
| USR12 | User master authorization values |
| USR13 | Authorization descriptions |
| USR30 | Additional information for user menu |
| X-USR040 | Impermissible passwords |
| USH02 | Change history for logon data |
| USH04 | Change history for authorizations |
| USH10 | Change history for authorization profiles |
| USH12 | Change history for authorization values |
| USOBT | Transaction codes and authorization object, with value fields |
| USOBX | Transaction codes and authorization object, with value fields |

I know many of these but my question is... why does an audit book tell you to log some of these? I don't get it. I do searches on many of these tables looking for a good reason to log some of these tables and find nothing but this is how to run an audit. Why is the USR01 relevant? Many auditors use this list since most follow SAP audit books since they are not SAP people doing the audit.

I have put an "X-" in front of the ones that make some sense to me but why the others... and what are the SAP people supposed to review in the tables... Like the USR01, if a person changes their name we need to see that... why? Or the USOBT and USOBX tables... these are only used upon profile generator and no one should be generating a profile in PRD...

Any help would be greatly appreciated.

Kind Regards,

Paul

replied

There are different types of logging.

Table change logging => SE13.

USR* change documents => USH* tables (similar to master data change documents).

Business Change Documents => SU8* tcodes which have user as well as Archived USH* data.

Auditors often only know about the 1st one and mistake it for the others.

Typically, you can only influence the first one (SE13, log data changes).

> Why is the USR01 relevant? Many auditors use this list since most follow SAP audit books since they are not SAP people doing the audit.

That sounds like a recipe for misunderstandings, as interpreting SAP tables and single fields of them can be confusing (when it differs from the program's use of them), or even obsolete in some cases...

Hope that helps you define the question and concepts better..

Cheers,

Julius
