09-03-2007 8:13 AM
Hi Experts,
This is the audit report by deloitte. Can u please guide what does it mean and how to fulfil.
Observation:
It was noted that there was no evidence of review of logs for changes made to critical SAP R/3 tables
Impact:
In the absence of evidence of review of logs, assurance of control activity operated effectively through out the year cannot be ascertained.
Deloitte recommendation:
Evidence of review of logs should be maintained for reasonable time period.
Regards
09-03-2007 10:51 AM
A good EDP auditor tells you how it should be done, as you will hve to kown how they perform this part of the audit.
The days auditors could go away after telling you that you have done something wrong and not help you to solve the problem are long gone!!!!
09-03-2007 11:06 AM
I agree with Auke. Ask them how they would recommend doing it as you want to ensure that you are performing that control step in a way that they believe is adequate.
Their answer will likely involve periodic reviewing of transaction SCU3
The following link also gives useful info:
http://help.sap.com/saphelp_nw2004s/helpdata/en/7e/c81ebb52c511d182c50000e829fbfe/content.htm
If you activate table logging, you also need to take into consideration: system performance, file space requirements and most importantly tables that need to be monitored. If your auditors mandate this control to be active (and most companies do not have this switched on) then they should provide you with a list of tables that they want to see monitored.