IT Auditing: As an External Checking Tool for IT Auditing Tasks

CT-Assist, an add-on to SAP SE software, provides you with significant support in the area of IT auditing.

Analysis of ABAP Code Without Changes to the Source Code

When you use CT-Assist for auditing purposes, no changes are made to ABAP programs; this is controlled by the SAP authorization concept. As a system-independent external software tool, CT-Assist offers extensive additional checking options and documentation.

Application Areas for IT Auditing

1. Support from CT-Assist During the Check Phases
1.1. Routine Checks in the IT Area
1.2. Checking Tasks
1.3. Results of Checks

2. Examples of Application Support by CT-Assist
2.1. Analysis of the Static ABAP Code and of the Tables Used
2.2. Analysis of the Dynamic Processes at Time of Program Execution
2.3. Critical Analysis of the IT Workflow
2.4. Support for Program Auditing, Program Checks, Compliance, Authority
2.5. More Audit Fields

3. The Use of Certified Software = Secure Applications for Your Company

1. Support from CT-Assist During the Check Phases

CT-Assist is used as an external checking tool for the following check tasks, for example:

Analysis of ABAP® programs
– Checking of critical sections of code
– Transparent code through visualization
– Auditing of documentation
– Use of programming guidelines
– Checking of project documentation
– Document the results of audits at the relevant point in the ABAP code
– …

System Checks by ABAP Check Programs?

An important criterion for judging the quality of audit tools for program checks is the scope, quality, and level of detail of the analysis and documentation of ABAP programs. It is also important to consider the programming language in which the checking software itself has been developed (a principle of internal control systems: the checking tool should be independent of the system it checks).

CT-Assist was developed as a C++ program (and not as an ABAP program) and can, therefore, analyze the code of the ABAP programs to be checked down to the lowest level of detail, completely independently of the SAP system.

1.1. Routine Checks in the IT Area

As part of a routine audit in the IT area, you need to systematically work through a specified checking framework to check, for example, the “internal control” in the IT area for functionality, effectiveness, plausibility, and application security.

The critical points in the IT workflow or within the IT objects (e.g. programs, tables, documentation, program results) that are found are then, depending on their relevance, subjected to detailed further checks.

1.2. Checking Tasks

Detailed checking tasks include, for example, analysis of ABAP programs, checking of project documents, auditing of documentation during the checking period, determining the data actually processed when the program is in use and the type and scope of table contents over time, authorization checks, risk evaluation,

1.3. Results of Checks

The check results in the audit report should be of a form that makes it possible to correct the problematic program objects at source in a cost-effective way.

How can problems resulting from audits be assigned to the relevant source code?
You can assign the problems you identify directly to the relevant place in the ABAP code by attaching online forms to the code as bookmarks. In this way, later program corrections can be implemented efficiently.

CT-Assist provides more than 40 online forms for documenting different results. You can adapt these forms/checklists to suit your company guidelines.

After completion of checking, the online forms can be used by the IT department as basic information and program documentation to support the resultant program and workflow changes. In the sections that follow, we show you some application areas for CT-Assist from auditing practice.

2. Examples of Application Support by CT-Assist

2.1. Analysis of the Static ABAP Code and of the Tables Used

Checking the integrity of the data processed in IT has a high priority among the various program checks. Besides the static ABAP code, the table data used, the type and time of program use, and the interactions with other components at run time, it is essential to analyze the dynamic events and procedures as well.

Checklist for critical areas of code
With a combination of automatic analysis of the ABAP code and searches for critical sections of code, CT-Assist generates a checklist of code inspection points that is relevant to the specific situation.

Questions about critical areas of code
The checklist generated for the critical code sections that were found supports the subsequent systematic checks by providing questions, notes and responses relevant to the problems detected.

Checklist with more than 60 inspection points
The CT-Assist delivery version proposes more than 60 inspection points for further auditing. You can include your own internal rules in this detailed analysis or you can define your own particular focus for it according to what is important to you.

2.2. Analysis of the Dynamic Processes at Time of Program Execution

Dynamic ABAP commands … 
What this actually refers to is the analysis of dynamic processes at the time of program execution. The aim is to determine the effect of variable ABAP commands at the point at which the command is executed.

Table contents at program run-time … 
Generally, ABAP programs (transactions, reports, …) use many tables, which are managed by the relevant business area.

One of the main tasks is to check which table contents are used at which time by which program.

Auditing for dynamic program execution
You can check dynamic influencing factors, for example, by checking the actual program results (e.g. using systematic test cases) or by recording the results at command level.

The only economically viable method of finding out which ABAP® program produces which results at which time in which way and using which commands is to use trace recordings.

Trace recordings
In addition to CT-Assist, two further add-ons are available for analyzing dynamic influencing factors (not part of the delivery scope of CT-Assist):

  • Dynamic recording with the CT-Debug & Trace_Module
    CT-Assist itself does not provide trace recordings. For this area of checking, we recommend the add-on “CT-Debug & Trace_Module” (subject to charge). This add-on automatically and efficiently records the processed commands and the contents of the associated variables. When the automatic trace run is complete, you have comprehensive trace data at your fingertips and can analyze this pool of information with the supplied evaluation routines: you can see, for example, which variable contents were processed at which time, in which variables and by which commands (manual debugging is a thing of the past …).
  • Visual representation of the trace recording with the CT-Test & Optimizer
    A second add-on (“CT-Test & Optimizer”) displays the recorded process information from the trace pool as a CALL graph, for example, giving a quick overview of which program sections are being processed and how often. It is also fruitful to compare the graphs from the static code analysis (= CT-Assist) with the results of the trace run (= CT-Test & Optimizer). Of interest here are, amongst other things, the static program structure versus the actual program flow, the program areas that are never processed, the optimization of the code sections that are used, and the process documentation for solving errors.
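The comparison of the static program structure with a trace run that the two add-ons above are described as supporting, shown here as an added Python example that is not code from CT-Assist, CT-Test & Optimizer or the CT-Debug & Trace_Module. The sample ABAP program, the trace line format (`<timestamp> PERFORM <name>`) and the report layout are assumptions made for the illustration; the point it demonstrates is the audit distinction between subroutines that nothing calls (dead code found statically) and subroutines that are called somewhere but were not exercised by this particular run (a path the test cases did not cover).

```python
import re

# Regexes for the three ABAP constructs this example resolves statically.
# The scan is line-oriented: full-line '*' comments are skipped and
# trailing '"' comments are stripped before matching.
FORM_RE = re.compile(r"^\s*FORM\s+(\w+)", re.I)
ENDFORM_RE = re.compile(r"^\s*ENDFORM\b", re.I)
PERFORM_RE = re.compile(r"^\s*PERFORM\s+(\w+)", re.I)


def code_part(line):
    """Drop ABAP comments: a leading '*' comments the whole line, '"' the rest of it."""
    if line.startswith("*"):
        return ""
    return line.split('"', 1)[0]


def static_structure(source):
    """Return (defined subroutines, call graph) from the ABAP source text.

    The graph maps each caller ('MAIN' for event blocks outside any FORM)
    to the set of subroutines it PERFORMs. Only literal PERFORM targets are
    resolved; anything decided at run time is exactly what the trace is for.
    """
    defined, graph, current = set(), {"MAIN": set()}, "MAIN"
    for raw in source.splitlines():
        code = code_part(raw)
        m = FORM_RE.match(code)
        if m:
            current = m.group(1).upper()
            defined.add(current)
            graph.setdefault(current, set())
            continue
        if ENDFORM_RE.match(code):
            current = "MAIN"
            continue
        m = PERFORM_RE.match(code)
        if m:
            graph[current].add(m.group(1).upper())
    return defined, graph


def executed_subroutines(trace_text):
    """Collect the subroutines a trace recording shows were actually entered.

    Trace line format is an assumption for this example: '<timestamp> PERFORM <name>'.
    """
    executed = set()
    for line in trace_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "PERFORM":
            executed.add(parts[2].upper())
    return executed


def coverage_report(defined, graph, executed):
    """Separate dead code from paths this run simply did not exercise."""
    called_somewhere = set().union(*graph.values())
    return {
        "never_called_statically": sorted(defined - called_somewhere),
        "not_executed_in_trace": sorted((defined & called_somewhere) - executed),
        "executed": sorted(executed & defined),
        "executed_but_undefined_here": sorted(executed - defined),
    }


# Constructed sample program (not a real customer program).
SAMPLE_ABAP = """\
REPORT zflow_demo.
START-OF-SELECTION.
  PERFORM read_data.
  PERFORM check_auth.
  IF sy-subrc = 0.
    PERFORM post_document.
  ELSE.
    PERFORM log_rejection.
  ENDIF.

FORM read_data.
  PERFORM convert_amounts.
ENDFORM.
FORM check_auth.
  AUTHORITY-CHECK OBJECT 'Z_DEMO' ID 'ACTVT' FIELD '02'.
ENDFORM.
FORM post_document.
ENDFORM.
FORM log_rejection.
  PERFORM notify_admin.
ENDFORM.
FORM convert_amounts.
ENDFORM.
FORM notify_admin.
ENDFORM.
FORM legacy_cleanup.  " defined, but no PERFORM anywhere
ENDFORM.
"""

# Constructed trace of one run in which the authorization check succeeded.
SAMPLE_TRACE = """\
10:42:01.000 PERFORM READ_DATA
10:42:01.004 PERFORM CONVERT_AMOUNTS
10:42:01.010 PERFORM CHECK_AUTH
10:42:01.012 AUTHORITY-CHECK OBJECT 'Z_DEMO' SUBRC=0
10:42:01.015 PERFORM POST_DOCUMENT
"""

if __name__ == "__main__":
    forms, calls = static_structure(SAMPLE_ABAP)
    for key, names in coverage_report(forms, calls, executed_subroutines(SAMPLE_TRACE)).items():
        print("%-28s %s" % (key, ", ".join(names) or "-"))
```

For the sample run the report lists LEGACY_CLEANUP as never called statically, and LOG_REJECTION and NOTIFY_ADMIN as called but not executed, which tells the auditor that the rejection branch after the authorization check still needs a test case before the trace can say anything about it.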

2.3. Critical Analysis of the IT Workflow

The online forms that are generated by CT-Assist can contain IT flow descriptions, planning data, or even actual results for the current IT workflow. The workflow planning data includes, for example, the visual representation of the workflow with input/output definition and the relevant processing steps. The documented results per workflow step provide information for subsequent steps, for example.

On the basis of the implemented online forms for the various IT work processes, IT Auditing can check that the prescribed processing sequence has been adhered to with regard to both formal and content aspects, and can evaluate whether the work steps have been processed correctly.

The use of online forms can ensure that the current work process is transparent. In addition, the later checking work to be done by IT Auditing is significantly reduced.

The sample forms (templates) provided by CT-Assist can be modified to suit your needs. You can also create your own templates as required. You can analyze these online forms using special CT-Assist menu options (“Docu Administration”, “Analyze Info Objects”, …).

2.4. Support for Program Auditing, Program Checks, Compliance, Authority

In the program audit, you can decide to focus on, for example, the user-oriented interfaces used in the ABAP code. By filtering the relevant ABAP keywords (e.g. PARAMETERS, SELECT-OPTIONS, INITIALIZATION, MESSAGE, …), you can determine whether suitable communication/control between user and ABAP program is enabled.

Another focus of audits is, for example, usability (error messages/information messages with clear terminology, clear instructions/alternatives, …) or determining whether ergonomic layout weaknesses are apparent.

In CT-Assist, you can, for example, define your internal questions on the subject of “Interface Checks – User Support” as a checklist (including regular expressions) and so use CT-Assist to check your own Y/Z programs. A result is generated per hit for individual processing, together with the associated documentation instructions.
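The mechanism described in this section and in the checklist passages of section 2.1 (inspection points defined as regular expressions over ABAP keywords, applied to a program, with every hit recorded against its line like a bookmark) as an added Python example. This is not CT-Assist code (CT-Assist is a C++ product and its rule format is not shown on this page): the rule ids, the audit questions, the sample program and the bookmark format are constructed for the illustration. The rule table covers both the user-interface keywords named above and a few statements an auditor would class as critical code sections (Native SQL, operating-system calls, code generated or resolved at run time, and the presence of an authorization check), so it goes slightly beyond the keywords the text lists.

```python
import re
from collections import Counter, namedtuple

# One checklist entry, anchored to a program line like a bookmark.
Finding = namedtuple("Finding", "line rule_id statement question")

# Rule table (constructed for this example): (rule id, regex on the statement
# text, audit question). ABAP keywords are case-insensitive, hence re.I.
# The scan is line-oriented, so a statement is matched on its first line.
RULES = [
    ("UI-01", r"^\s*(PARAMETERS|SELECT-OPTIONS)\b",
     "Is the selection field documented, validated and given a clear screen text?"),
    ("UI-02", r"^\s*MESSAGE\b",
     "Is the message text unambiguous and does it tell the user what to do next?"),
    ("UI-03", r"^\s*INITIALIZATION\b",
     "Are the defaults set here consistent with the user's authorizations and the documentation?"),
    ("CR-01", r"^\s*EXEC\s+SQL\b",
     "Native SQL bypasses Open SQL client handling: is it justified and reviewed?"),
    ("CR-02", r"^\s*CALL\s+'SYSTEM'",
     "Operating-system command issued from ABAP: which command, with which input?"),
    ("CR-03", r"^\s*CALL\s+FUNCTION\s+[^'\s]",
     "Function module name is resolved at run time: determine its possible values (trace)."),
    ("CR-04", r"^\s*(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b",
     "Code is generated at run time: where does the source text come from?"),
    ("CR-05", r"^\s*AUTHORITY-CHECK\b",
     "Do the checked object and fields match the business function, and is sy-subrc evaluated?"),
]
COMPILED = [(rid, re.compile(pat, re.I), q) for rid, pat, q in RULES]


def strip_comment(line):
    """Return the code part of an ABAP line.

    A '*' in column 1 makes the whole line a comment; a '"' outside a
    string literal starts a comment that runs to the end of the line.
    """
    if line.startswith("*"):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_string = not in_string
        elif ch == '"' and not in_string:
            return line[:i]
    return line


def scan_abap(source, rules=COMPILED):
    """Run every rule over every code line and return the checklist entries."""
    findings = []
    for number, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        if not code.strip():
            continue
        for rule_id, pattern, question in rules:
            if pattern.search(code):
                findings.append(Finding(number, rule_id, code.strip(), question))
    return findings


def bookmarks(findings, program):
    """Format findings as 'PROGRAM:line rule statement' strings."""
    return ["%s:%d %s %s" % (program, f.line, f.rule_id, f.statement) for f in findings]


def summary(findings):
    """Number of hits per rule, i.e. the size of the checklist per inspection point."""
    return Counter(f.rule_id for f in findings)


# Constructed sample program (not a real customer program).
SAMPLE_ABAP = """\
REPORT zaudit_demo.
* Selection screen
PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY.
SELECT-OPTIONS: s_date FOR sy-datum.
DATA: lv_fm TYPE string,
      lv_cnt TYPE i.

INITIALIZATION.
  lv_fm = 'Z_DEMO_FM'.

START-OF-SELECTION.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE e001(zz) WITH p_bukrs. " no authorization
  ENDIF.
* EXEC SQL inside a comment must not produce a hit
  CALL FUNCTION lv_fm.
  EXEC SQL.
    SELECT COUNT(*) INTO :lv_cnt FROM bkpf
  ENDEXEC.
"""

if __name__ == "__main__":
    found = scan_abap(SAMPLE_ABAP)
    for entry in bookmarks(found, "ZAUDIT_DEMO"):
        print(entry)
    print(dict(summary(found)))
```

Each entry carries the line, the rule and the question to answer, which is the form a finding needs so that the IT department can go straight to the source position; the comment handling matters because a keyword inside a comment or a string literal would otherwise inflate the checklist with false hits.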

Web Dynpro, digital signature, directory services …
Although not directly supported by CT-Assist, checks of these program elements must also be included in an audit. In addition to virus scanners (for HTML code), numerous external interfaces (digital signatures, directory services, …) need to be taken into account.

You need to check the ABAP code for these program elements indirectly and look at the relevant passed parameters or interfaces. The results of the checks can be documented in online forms or linked directly to the ABAP® code as a bookmark.

2.5. More Audit Fields

CT-Assist provides numerous additional options to help you with other auditing tasks:

Auditing for documentation and program analyses
Changes to ABAP programs or to external project documents can be documented by CT-Assist across time. Documentation reflecting the actual program status is, therefore, available for each point in time in the development cycle or after first production release of an ABAP program.
The program documentation generated in the past by CT-Assist contains not just the currently valid code, but also a comprehensive collection of analysis data. This data can be prepared and analyzed from an auditing perspective. By using the same evaluation profiles each time the documentation is generated, you can ensure comparability of the various documentation versions.

Checking the project documents (version management, administration, …)
As well as the program documentation, the linked, supplementary documents (e.g. change requests, maintenance tasks, solving of implausible program results, …) must also be included in the audit assignment. These auditing tasks are supported by some menu options in CT-Assist (e.g. “Docu Administration”).

An example:
The function “Docu Administration” provides a table of contents listing all documentation objects for an ABAP program. By double-clicking on a line, you select the documentation object you require. This object may be linked to other documentation objects as attachments.

Documentation Objects for an ABAP Program

Checking that internal IT rules are adhered to
You can specify internal processes/rules/notes/help information for program development right down to a detailed level (=ABAP command level). CT-Assist can make these strict requirements and the help information available per ABAP command and for every IT workplace.

Double-click navigation for IT Auditing
IT Auditing can effectively check whether these standards have been adhered to because the information is available via double-click directly in CT-Assist.

Here you can see how the document “DNR1” is called directly from the ABAP code and how you can display the associated IT rules from “DNR1” with a simple mouse-click.

IT-Rules for the User (e.g. how to use form 'DNR1').

3. The Use of Certified Software = Secure Applications for Your Company

The security of your company’s applications is supported by the certification of the CT-AddOn by the manufacturer of the ERP software. This certification confirms that interfaces are used correctly, that the add-on functions are relevant to the process, and that the technical implementation is correct.

You receive an add-on product for which system integration tests have been carried out within an ERP environment. Certified software products significantly enhance your IT security.

SAP SE certified the software solution ‘CT-Assist’ on 28.03.2011.