SAP compliance for custom programs is critical for every client. All SAP customers can create custom transactions, tables and programs in the SAP system, which makes the internal audit team's job very difficult: every custom object entered into the system has to be tracked. Without a unified view of all custom objects it is next to impossible for the team to work out which objects are not compliant, and the magnitude of the SAP risk only becomes visible when all of this information is shown in a single report, such as the ones generated by SAP Audit. The generally accepted best practice is to create transactions for all custom programs and custom tables. Each program should contain AUTHORITY-CHECK statements, and the checked objects should be maintained in SU24, so that unsecured custom transactions do not introduce SAP risk.
For SAP compliance, all custom programs should follow a good naming convention that encodes the type of program, the team and the sub-team. This way custom programs can be identified by every member of the team.
The AUTHORITY-CHECK statement checks whether an authorization for the authorization object named in auth_obj is entered in the user master record of the current user (or of the user specified in the USER addition), and whether that authorization is sufficient for the request specified in the statement.
1. Secure the report so that only authorized people can access it. This is especially critical when the report contains sensitive data such as product pricing.
2. If your security policy states that all roles are secured by sales organization, company code, plant, etc. for SAP compliance, and your reports are not secured by those organizational elements, then a user can execute the custom report and display all the data.
3. To protect the data displayed in your custom reports, you also need an AUTHORITY-CHECK statement in your code so that users are restricted to their organizational values.
4. A good practice for SAP compliance is to update SU24 with the objects that are checked in the AUTHORITY-CHECK statements.
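The following report shows the AUTHORITY-CHECK statement described above applied to points 1 to 3: the data is read first, every company code in the result set is checked against the standard authorization object F_BKPF_BUK (fields BUKRS and ACTVT, activity 03 = display), and only rows the user is authorized for reach the output. This is an added example and not code from the original article; the report name ZFI_DOC_OVERVIEW and the selection screen are assumptions, while F_BKPF_BUK, BKPF and the sy-subrc handling are standard SAP.

```abap
*&---------------------------------------------------------------------*
*& Report ZFI_DOC_OVERVIEW (hypothetical name, added example)
*& Lists FI document headers from BKPF, restricted per company code
*& with the standard authorization object F_BKPF_BUK (BUKRS, ACTVT).
*&---------------------------------------------------------------------*
REPORT zfi_doc_overview.

TABLES: bkpf.

" Selection screen: company code and fiscal year ranges
SELECT-OPTIONS: s_bukrs FOR bkpf-bukrs,
                s_gjahr FOR bkpf-gjahr.

TYPES: BEGIN OF ty_doc,
         bukrs TYPE bkpf-bukrs,
         belnr TYPE bkpf-belnr,
         gjahr TYPE bkpf-gjahr,
         budat TYPE bkpf-budat,
       END OF ty_doc.

DATA: lt_docs   TYPE STANDARD TABLE OF ty_doc,
      ls_doc    TYPE ty_doc,
      lt_bukrs  TYPE STANDARD TABLE OF bkpf-bukrs,
      lv_bukrs  TYPE bkpf-bukrs,
      lv_denied TYPE i.

START-OF-SELECTION.

  " Read the data first; nothing is displayed until the checks pass
  SELECT bukrs belnr gjahr budat
    FROM bkpf
    INTO CORRESPONDING FIELDS OF TABLE lt_docs
    WHERE bukrs IN s_bukrs
      AND gjahr IN s_gjahr.

  " Collect the distinct company codes that actually occur in the result
  LOOP AT lt_docs INTO ls_doc.
    APPEND ls_doc-bukrs TO lt_bukrs.
  ENDLOOP.
  SORT lt_bukrs.
  DELETE ADJACENT DUPLICATES FROM lt_bukrs.

  " One AUTHORITY-CHECK per company code, activity 03 = display
  LOOP AT lt_bukrs INTO lv_bukrs.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'BUKRS' FIELD lv_bukrs
             ID 'ACTVT' FIELD '03'.
    CASE sy-subrc.
      WHEN 0.
        " Authorized: keep the rows for this company code
      WHEN 4 OR 12.
        " No sufficient authorization in the user master record:
        " drop the rows rather than display them
        DELETE lt_docs WHERE bukrs = lv_bukrs.
        lv_denied = lv_denied + 1.
      WHEN OTHERS.
        " Any other return code is a programming or profile error;
        " abort instead of falling through to the display
        MESSAGE 'Authorization check failed' TYPE 'A'.
    ENDCASE.
  ENDLOOP.

  IF lt_docs IS INITIAL.
    IF lv_denied > 0.
      MESSAGE 'No authorization for the selected company codes'
        TYPE 'S' DISPLAY LIKE 'E'.
    ELSE.
      MESSAGE 'No documents found' TYPE 'S'.
    ENDIF.
    RETURN.
  ENDIF.

  " Only rows that passed the check reach the output
  LOOP AT lt_docs INTO ls_doc.
    WRITE: / ls_doc-bukrs, ls_doc-belnr, ls_doc-gjahr, ls_doc-budat.
  ENDLOOP.
```

To complete point 4, create a transaction for the report in SE93 and maintain F_BKPF_BUK (with ACTVT 03) for that transaction in SU24, so that PFCG proposes the object whenever the transaction is added to a role menu. Because the check is inside the program rather than only on the transaction code, the restriction still holds when the report is started through SE38 or SA38. The same pattern applies to other organizational levels, for example V_VBAK_VKO for sales organization or M_MATE_WRK for plant.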