SAP Audit Reasoning
I have a question for anyone in regards to SAP Audit books and the list of tables it supplies. I recently took a job as Internal Controls. I was asked to find out if we are logging the following list of tables:
| Table Name | Description |
| --- | --- |
| X-DD02V | List of tables and descriptions |
| SREPOATH | ABAP program and authorization groups |
| T001 | Company codes |
| T001B | Fiscal periods for company codes |
| TACT | Activities that can be protected |
| TACTT | Activities that can be protected, with descriptions |
| X-TACTZ | Authorization objects and valid activities |
| X-TBRG | Authorization objects and authorization groups |
| X-TBRGT | Authorization objects and authorization groups, with descriptions |
| TCURR | Foreign currency exchange rates |
| X-TDDAT | Table authorization groups |
| X-TOBJ | Authorization objects |
| X-TOBJT | Authorization objects and descriptions |
| X-TOBC | Authorization object class |
| X-TOBCT | Authorization object class, with description |
| TPGP | ABAP program authorization groups |
| X-TRDIR | ABAP program and authorization group |
| X-TSTC | Transaction listing |
| X-TSTCA | Values for transaction code authorizations |
| X-TSTCT | Transactions with description |
| X-TCESYST | Correction and transport system configuration tables |
| X-TASYS | Correction and transport system configuration tables |
| X-TDEVC | Correction and transport system configuration tables |
| USR01 | User Master Records |
| USR02 | User ID and passwords |
| USR03 | User address data |
| USR04 | User master authorizations |
| USR05 | User master parameter ID |
| USR06 | Additional data per user |
| USR07 | Objects/values of last failed authority check |
| USR08 | Table for user menu entries |
| USR09 | Entries for user menus (work areas) |
| USR10 | User master authorization profiles |
| USR11 | User master profiles and descriptions (for USR10) |
| USR12 | User master authorization values |
| USR13 | Authorization descriptions |
| USR30 | Additional information for user menu |
| X-USR040 | Impermissible passwords |
| USH02 | Change history for logon data |
| USH04 | Change history for authorizations |
| USH10 | Change history for authorization profiles |
| USH12 | Change history for authorization values |
| USOBT | Transaction codes and authorization object, with value fields |
| USOBX | Transaction codes and authorization object, with value fields |
I know many of these but my question is... why does an audit book tell you to log some of these? I don't get it. I do searches on many of these tables looking for a good reason to log some of these tables and find nothing but this is how to run an audit. Why is the USR01 relevant? Many auditors use this list since most follow SAP audit books, since they are not SAP people doing the audit.
I have put an "X-" in front of the ones that make some sense to me but why the others... and what are the SAP people supposed to review in the tables... Like the USR01, if a person changes their name we need to see that... why? Or the USOBT and USOBX tables... these are only used upon profile generator and no one should be generating a profile in PRD...
Any help would be greatly appreciated.
Julius von dem Bussche replied
There are different types of logging.
Table change logging => SE13.
USR* change documents => USH* tables (similar to master data change documents).
Business Change Documents => SU8* tcodes which have user as well as Archived USH* data.
Auditors often only know about the 1st one and mistake it for the others.
Typically, you can only influence the first one (SE13, log data changes).
> Why is the USR01 relevant? Many auditors use this list since most follow SAP audit books, since they are not SAP people doing the audit.
That sounds like a recipe for misunderstandings, as interpreting SAP tables and single fields of them can be confusing (when it differs from the program's use of them), or even obsolete in some cases...
Hope that helps you define the question and concepts better.