Why Are General IT Controls (GITC) Important?
General IT Controls (GITC) form the foundation for a reliable IT environment and are essential for an effective audit. They ensure that SAP systems function correctly, data integrity is maintained, and unauthorized access and modifications are prevented.
Key Components of GITC in SAP
For every IT audit related to financial statement reviews, there are three main areas: Access Management, Authorization Management, and Change Management.
Access Management
Proper management of users and their access to SAP is crucial. Uncontrolled accounts and unauthorized access can lead to data breaches or fraud.
SAP offers various tools and reports to manage and audit access. Transactions (t-codes) such as SU01 and SU10 are used for user management. For an overview of users and their authorizations, SUIM is used. This allows you to retrieve the user list. Additionally, tables such as AGR_USERS and AGR_1251 can be exported to Excel via SE16N.
Steps to Export User (Role) Data:
- Open transaction SUIM.
- Navigate to "Users by Complex Selection Criteria."
- Enter relevant filters (e.g., specific user group).
- Click execute and export the results to Excel or CSV.
Additionally, there are default SAP users such as SAP* and DDIC, which often have broad permissions and should be reviewed during an audit. SAP* is a default superuser account with extensive system rights (and a default password), while DDIC is used for system administration and updates. Both accounts must be strictly controlled to prevent unauthorized use. SAP even recommends deactivating these users and creating a custom Superuser.
Authorization Management
SAP uses an authorization model that determines which users can view and modify specific transactions and data. This model is often complex and requires periodic reviews.
An auditor can use SUIM and AGR_* tables to analyze user authorizations.
The table below lists some key transactions for user and authorization management. Each role or user can be configured to execute these transactions.
| Function | SAP Transaction | Description |
|---|---|---|
| User Management | SU01, SU10 | Manage user accounts |
| Roles and Authorizations | PFCG | Create and manage roles |
| Authorization Profiles | SU02 | Maintain authorization profiles |
| Authorization Objects | SU03 | Maintain authorization objects |
Additionally, there are standard roles such as SAP_ALL and SAP_NEW, which grant unrestricted access and should be avoided in production systems.
Both the assignment of these standard roles and the users' access to specific t-codes can be retrieved using SUIM.
Roles can also be created manually. You can check whether this happened during a specific period using SUIM:
- Open transaction SUIM.
- Go to "Roles by Complex Selection Criteria".
- Enter filters such as creation date or created by a specific user.
- Click on execute to get an overview of recently created roles.
- Export the list to Excel if further analysis is needed.
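As an added example (not part of the original article), the following Python script runs the access and authorization checks described above over constructed CSV exports of AGR_USERS and AGR_1251, as SE16N would produce them: it flags the default accounts SAP* and DDIC that still hold active role assignments, and roles whose S_TCODE authorization grants every transaction through a wildcard. The column names (AGR_NAME, UNAME, FROM_DAT, TO_DAT, OBJECT, FIELD, LOW, DELETED) are assumed from the SAP tables; the user and role names are made up.

```python
import csv
import io
from datetime import date

# Constructed sample export of AGR_USERS (role assignments per user).
# Column names are assumed from the SAP table; dates are SAP's YYYYMMDD.
AGR_USERS_CSV = """AGR_NAME;UNAME;FROM_DAT;TO_DAT
Z_FI_DISPLAY;JSMITH;20230101;99991231
Z_BASIS_ADMIN;SAP*;20230101;99991231
Z_BASIS_ADMIN;DDIC;20230101;99991231
Z_FI_POST;MJONES;20220101;20231231
"""

# Constructed sample export of AGR_1251 (authorization values per role).
# DELETED = 'X' marks a value removed from the role but still in the table.
AGR_1251_CSV = """AGR_NAME;OBJECT;FIELD;LOW;HIGH;DELETED
Z_FI_DISPLAY;S_TCODE;TCD;FB03;;
Z_BASIS_ADMIN;S_TCODE;TCD;*;;
Z_FI_POST;S_TCODE;TCD;FB01;;
Z_FI_POST;S_TCODE;TCD;FB50;;X
"""

DEFAULT_ACCOUNTS = {"SAP*", "DDIC"}


def _rows(text):
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def _sap_date(s):
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def active_assignments(users_csv, today):
    """Role assignments whose validity window (FROM_DAT..TO_DAT) covers today."""
    return [r for r in _rows(users_csv)
            if _sap_date(r["FROM_DAT"]) <= today <= _sap_date(r["TO_DAT"])]


def default_accounts_with_roles(users_csv, today):
    """Audit finding: default SAP accounts that still hold active roles."""
    return sorted({(r["UNAME"], r["AGR_NAME"]) for r in active_assignments(users_csv, today)
                   if r["UNAME"] in DEFAULT_ACCOUNTS})


def wildcard_tcode_roles(auth_csv):
    """Roles whose live S_TCODE value is '*', i.e. every transaction is allowed."""
    return sorted({r["AGR_NAME"] for r in _rows(auth_csv)
                   if r["OBJECT"] == "S_TCODE" and r["LOW"] == "*" and r["DELETED"] != "X"})


def users_with_wildcard_tcodes(users_csv, auth_csv, today):
    """Join both exports: which users currently receive unrestricted t-code access."""
    risky = set(wildcard_tcode_roles(auth_csv))
    return sorted({r["UNAME"] for r in active_assignments(users_csv, today)
                   if r["AGR_NAME"] in risky})
```

Expired assignments (such as MJONES, valid only until 20231231) drop out of the active set, so the reference date passed in should be the audit period's cut-off, not necessarily today.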
Change Management
Changes in an SAP system must be carefully managed to prevent uncontrolled modifications and errors in production environments. This is typically done via transport management and formal change requests.
| Change Management Aspect | SAP Transaction | How to Export? |
|---|---|---|
| Transport Management | SE09, SE10 | Export via SAP GUI |
| Change Logs | SCU3 | Export to Excel or CSV |
| Table Structure Changes | SE11 | View and export log data |
How to check who made changes in SE09 and SE10?
- Open transaction SE09 or SE10.
- Enter a date range and select the relevant transports.
- Check the transport details and the responsible user.
- Export the transport history to Excel if needed.
How to see when and by whom a table or structure was modified in SE11?
- Open transaction SE11.
- Enter the table or structure name and click "Display".
- Click on "Technical Settings" or "Utilities" → "Table History".
- Check the change logs and the responsible user.
Conclusion
That was a brief introduction to GITC for SAP. It does not matter much whether the organization uses SAP S/4HANA or SAP ECC; all the above information should apply to both systems.