SAP Exam 31 Questions with Verified Answers
ERP systems - CORRECT ANSWER Enterprise Resource Planning systems
Incredibly large, extensive software packages used to manage a firm's business processes.
Standard software packages that must be configured to meet the needs of a company
Database programs with the following functions:
Input
Storage/Retrieval
Manipulation
Output
Types of ERP vendors - CORRECT ANSWER SAP, the German juggernaut
Oracle/PeopleSoft/J.D. Edwards
Microsoft Dynamics, aimed at smaller companies
Configuration of SAP - CORRECT ANSWER the process of making standard software fit your business
SAP, as an example, has:
Over 8000 configuration decisions
Data structuring
Sales divisions, distribution channels
Rewriting Code (Modifications)
Not recommended because of compatibility problems when updated versions of the software are installed.
Customization
Writing code at SAP-specified user exits
Third-party software solutions
SAP Modules - CORRECT ANSWER FI - Financial Accounting (external reporting)
QM - Quality Management
PS - Project System
PM - Plant Maintenance
PP - Production Planning
SD - Sales and Distribution
MM - Materials Management
HR - Human Resources
AM - Asset Management
CO - Controlling (internal reporting)
SAP saving system - CORRECT ANSWER Nothing is saved on your PC. All data is saved on a remote server, and they are saved for good.
In SAP, there are very few delete options. Don't save if things don't look 100% correct. Exit the transaction and start over.
Clients in SAP R/3 - CORRECT ANSWER What is a client?
A way to separate data in the system
In some ways, a separate database
Also, a table entry
SAP Gui - CORRECT ANSWER Graphical User Interface of SAP
Master Data (Resources, Agents) - CORRECT ANSWER Data that is relatively stable
Materials, Customers, Vendors
Balance Sheet accounts
G/L
Transaction Data (Events) - CORRECT ANSWER Data that is relatively temporary
Stored at various stages of a business process
Customer orders, purchase orders, production orders, customer payments
Income Statement Accounts
Company Codes - CORRECT ANSWER Independent Balancing/Legal Accounting Entity (financial statements at company code level)
All transactions are recorded at company code level
A conglomerate business entity will usually have multiple company codes
Group Company - CORRECT ANSWER Legal unit of consolidation
Group A = North America / Group B = Western Europe
Business Areas - CORRECT ANSWER Represents separate areas of Operations
Can be across company codes or within a company code
Provide a way to generate operational financial statements (for internal purposes)
Controlling Area - CORRECT ANSWER Self-contained organizational element to manage and measure costs and profits
Likely assigned across entire company
Cost allocation across the entire firm
SAP HANA video - CORRECT ANSWER HANA is an in-memory database. Instead of being saved on a RAM or an external source, the information for HANA is saved within the computer's memory.
This takes away a lot of hardware costs and increases the speed of retrieving information from hours/days to seconds/milliseconds.
Workstation Security - CORRECT ANSWER Even if the application is secure, security can be compromised if users leave workstations unattended while they are logged into the system, or store data files or passwords locally on their hard drives.
Operating System Security - CORRECT ANSWER The SAP application communicates with the operating system through a single user account. There is no need for individuals to have access to the operating system. This may be an issue in environments where multiple applications are running on one OS.
Database Security - CORRECT ANSWER SAP communicates with the database through a single user account. There is no need for additional user accounts except for database administrative staff.
Concept of Authorization in SAP - CORRECT ANSWER To allow only approved users to perform specific functions or to access specified objects.
Segregation of duty
Authorization Object - CORRECT ANSWER One or more SAP system elements to be protected.
For example, a purchase order will have an authorization object associated with it. Each authorization object consists of up to 10 authorization fields that stand for a system element (e.g., company code, activity type).
Students will often have trouble assimilating the authorization concept. It may be helpful to discuss how authorization objects are the basic building blocks of the system. To run SAP transactions, authorizations are required.
Authorization objects are predefined for all transactions. SAP R/3 comes shipped with approximately 550 objects predefined. While new objects can be created if necessary, this is usually not recommended.
Authorization objects, however, are not the same for each release of R/3.
New objects may be added with each version, and some of the new objects may supersede earlier objects.
One example is the S_TCODE object, which was introduced with version 3.0d.
This protects the ability to run transactions. Without this authorization object in earlier versions, all users could execute transactions at the command line.
The S_TCODE object allows individual transactions to be secured.
The lazy way to implement security is to give access to everything, and then use S_TCODE to grant access to specific transactions.
Set values for an authorization object - CORRECT ANSWER In order to assign access to a specific transaction, a value set is created for an authorization object. This is called an authorization. SAP is shipped with a number of predefined authorizations. These may or may not be used in the company's security framework, depending on their needs.
The authorization assigns permissible values to the fields of an object. Note that a single authorization object may have unlimited authorizations created for it. For example, purchase orders have an authorization object defined for them. The company may then create authorization #1 which allows access to create purchase orders for company #1.
Authorization #2 may also be created which allows purchase orders to be viewed for all possible company codes (the ALL value is represented by an *).
Authorizations may continue to be created for all possible permutations of possible values for an authorization (remember that an object may contain up to 10 fields - but usually contains 2-4).
Naming conventions are very important for authorizations. The names consist of up to 12 characters (Authorizations generated via the Profile Generator contain 10 characters). SAP default authorizations have an underscore in the second position.
If an appropriate naming convention is not used, custom developed components may be overwritten in later releases.
Also, naming conventions facilitate administration and auditing. SAP recommends that custom developed authorizations begin with a Y or Z and have reserved those ranges for users.
Profiles/Activity Groups - CORRECT ANSWER Developed based on authorizations. A profile usually represents a specific job task that must be performed. A profile can contain one or more authorizations, based on the authorization objects predefined for each transaction. A profile can contain up to 150 authorizations.
For example, Profile #1 can be created, representing the creation of a purchase order. Obviously this would need to contain authorization #1, for the creation of purchase orders. However, the profile may also need to contain additional authorizations, such as access to specific purchasing organizations or document types.
Profile #2 can be created to represent the receipt of purchased goods. This profile would need access to view purchase orders, but would likely need to contain additional authorizations to update inventory, etc.
SAP comes shipped with a number of predefined profiles. These should be examined by organizations to determine if they are appropriate for use in the user organizations.
Predefined profiles usually contain a high level of system access.
A naming convention is also crucial for Profiles. SAP profiles are 10 characters long.
Composite Profiles - CORRECT ANSWER A composite profile may contain one or many profiles. A composite profile will usually represent a job role.
For example, a composite profile could be created to represent the role of a Purchasing Rep. This composite profile would need to contain Profile #1 (create purchase order), but would also need additional profiles based on some of the other tasks that must be carried out, such as profiles for maintaining customer master data etc.
Note that a composite profile can contain either simple or composite profiles. Many organizations nest the composite profiles 3-5 deep. One organization even had composite profiles nested 9 deep. Obviously, this would have a significant impact on security administration by greatly increasing the complexity of profiles.
Profiles/Composite Profiles can be created, changed, deleted, or copied.
Some organizations prefer not to use composite profiles and just use simple profiles to represent job roles. This makes administration more difficult, especially if a job role changes.
How SAP Security Works - CORRECT ANSWER When a user attempts a transaction (e.g., create a purchase order), SAP checks the user master record to see if the user ID has the correct authorization object (e.g., purchase order) and activity (e.g., create) combination in any profile assigned to the user, for the particular context (e.g., company code).
Yes = proceed; No = error message.
User Master Records - CORRECT ANSWER Each user must have a user master record. Profiles and composite profiles may be assigned to this user master record.
For example, a purchasing supervisor would probably need to perform all the functions a purchasing clerk performs, and so would have the purchasing clerk composite profile in his master record. In addition, the supervisor would likely need to perform closing procedures and run reports, and so might have simple profiles or additional composite profiles for those tasks included in his user master record.
The user master record also contains user information such as user details (name, address) and defaults (printer, etc.).
Profile Generator - CORRECT ANSWER The PG is used to automatically generate and assign authorization profiles.
The PG will determine the appropriate authorization objects for a given transaction - creating a purchase order for example. However, the administrator will still need to go into the profile and configure specific values such as the appropriate company codes.
Implementation of security with the PG is based on the creation of activity groups. Activity groups are collections of linked or associated activities, and usually represent a job role. Activity groups are user defined and allow you to systematically organize and maintain system activities. They contain simple profiles similar to the composite profile concept.
As auditors, we are likely to see more usage of the PG. The standard user maintenance transactions do not work on profiles and activity groups generated by the PG. This can alter our approach to auditing. However, some of the predefined security reports only work on objects generated by the PG.
Pros of SAP - CORRECT ANSWER Extremely functional
Flexible
Real time system
Tightly integrated
Exceptional audit trail
Cons of SAP - CORRECT ANSWER Intimidating to the novice or anyone unfamiliar with the application
HR functionality was relatively young
Certain aspects were not divulged, but we were able to overcome these
Biggest Challenges of SAP - CORRECT ANSWER Selection Process:
Compromise for everyone to use a Single ERP system
Identifying major functional differences in the applications from vendor presentations. This was resolved by requiring the vendors to allow us to work with their application for two days performing scripts we defined and using data we provided.
Implementation Process:
Maintaining scope
Change management in business areas (reluctance to adopt business practices inherent in the system)
Timely business decisions when policies have to change (e.g., HR, Asset Accounting)
Identifying and staffing quality IT associates familiar with whatever application is selected
Don't underestimate the user's ability to screw it up!
Security Challenges in SAP - CORRECT ANSWER Segregation of Duties
Conflicting Roles
-Two transactions call the same security object
Configuration vs. Master Data vs. Transactional Data
Testing of new controls
-Positive and negative testing
Differentiating between SOX controls and Business Requirements
Ongoing Challenges with SAP - CORRECT ANSWER Data archival and retention
Not losing focus on controls (tendency to get lazy)
Communication between business areas
Keeping an awareness that SAP is an Enterprise Application: when one area sneezes, another area gets a cold
Coordination of testing across the entire application
Lack of financial acumen on SAP support team
Free response practice - CORRECT ANSWER Do Group Exercise on SAP