Forensic data analysis in SAP
When data analysis is performed using transactions and reports, one is already working on data that SAP has processed. Errors can occur in this processing. To rule them out, analytical work should be done on the tables that hold the raw data.
This approach is referred to as SPOT (single point of truth). Transactions and reports often provide aggregated values, so information is lost. In data analyses, however, it makes sense to work on the individual data records.
By selecting and linking the correct tables, a business process can be mapped completely for data analysis and examined from a wide range of angles (e.g. violations of segregation of duties, fraudulent actions).
For example, the complete document and payment run information of financial accounting is stored in five tables (BKPF, BSEG, BSEC, REGUH and REGUP), the essential process steps in purchasing in eight tables (EBAN, EKKO, EKPO, MKPF, MSEG, RBKP, RSEG and EKBE).
The biggest hurdle in table-oriented testing is determining the tables with the desired information and how they are linked to each other. However, SAP provides numerous aids here, for example the logical databases (transaction SLDB), in which process-related tables are grouped together with their links.
In the logical database BRF, for example, all important information about the document activity of financial accounting is summarized. SAP provides several tools for linking the tables. The transactions SE16H (extended table display), SQVI (QuickViewer) or SQ01-SQ03 (queries) can be used to link tables within SAP.
Export data manually
For more extensive analyses, it is necessary to export the required data from the SAP system using external tools. This export should be performed manually to ensure that the export was performed without errors or manipulation.
Analyze changes over time
In forensic data analysis, the analysis of changes in data over time plays a major role. If the analysis is restricted to a key date, statements can only be made about the state of the data on that date.
Especially in the case of fraudulent actions, the perpetrator will try to remove the traces of his fraudulent actions after they have been executed. However, these cover-up actions leave traces in the logs of the SAP system.
If changes are made in the Customizing of the SAP system, these are recorded in the table change logs. Changes to master and transaction data are logged in the change documents.
The table changes are stored in table DBTABLOG and can be evaluated with transaction SCU3. The change documents are stored in the two tables CDHDR (who made a change, when, and with which transaction) and CDPOS (which table field was changed and what the field content was before and after the change).
To display only certain types of changes, you can filter by the change document object. For example, if you only want to display changes to vendor master data, filter by change document object KRED.
However, to ensure the reliability of logging, it is necessary to make sure that it has been configured correctly and that no user has permissions to manipulate logging settings and entries.
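The following is an added example, not part of the original page and not SAP code: it joins exported CDHDR and CDPOS records, filters on change document object KRED, and reports vendor fields that were changed and later set back to their earlier value. The sample rows are constructed, the export is assumed to come from a single client (MANDANT omitted), and the function names are hypothetical.

```python
import csv, io
from datetime import datetime

# Constructed sample exports of CDHDR and CDPOS (single client); not real data.
CDHDR_CSV = """OBJECTCLAS,OBJECTID,CHANGENR,USERNAME,UDATE,UTIME,TCODE
KRED,0000100234,0000500001,JDOE,20240311,091502,FK02
KRED,0000100234,0000500007,JDOE,20240312,174433,FK02
KRED,0000100777,0000500003,ASMITH,20240311,101000,XK02
MATERIAL,000000000000004711,0000500004,ASMITH,20240311,111500,MM02
"""
CDPOS_CSV = """OBJECTCLAS,OBJECTID,CHANGENR,TABNAME,TABKEY,FNAME,CHNGIND,VALUE_NEW,VALUE_OLD
KRED,0000100234,0000500001,LFB1,10000001002341000,LNRZB,U,0000999001,
KRED,0000100234,0000500007,LFB1,10000001002341000,LNRZB,U,,0000999001
KRED,0000100777,0000500003,LFA1,1000000100777,TELF1,U,555-0101,555-0100
MATERIAL,000000000000004711,0000500004,MARA,100000000000000004711,BRGEW,U,12.5,12.0
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def joined_changes(cdhdr, cdpos, object_class="KRED"):
    """Join CDPOS items to their CDHDR header on (OBJECTCLAS, OBJECTID, CHANGENR)."""
    key = lambda r: (r["OBJECTCLAS"], r["OBJECTID"], r["CHANGENR"])
    headers = {key(h): h for h in cdhdr if h["OBJECTCLAS"] == object_class}
    rows = []
    for p in cdpos:
        h = headers.get(key(p))
        if h is None:
            continue  # other change document object, or item without a header
        when = datetime.strptime(h["UDATE"] + h["UTIME"], "%Y%m%d%H%M%S")
        rows.append({**p, "USERNAME": h["USERNAME"], "TCODE": h["TCODE"], "WHEN": when})
    return sorted(rows, key=lambda r: r["WHEN"])

def reverted_changes(rows):
    """Pairs (change, undo) where a field update was later reversed exactly."""
    last, hits = {}, []
    for r in rows:
        if r["CHNGIND"] != "U":  # only field updates carry old and new values
            continue
        field = (r["OBJECTID"], r["TABNAME"], r["TABKEY"], r["FNAME"])
        prev = last.get(field)
        if prev and (r["VALUE_NEW"], r["VALUE_OLD"]) == (prev["VALUE_OLD"], prev["VALUE_NEW"]):
            hits.append((prev, r))
        last[field] = r
    return hits

if __name__ == "__main__":
    for chg, undo in reverted_changes(joined_changes(load(CDHDR_CSV), load(CDPOS_CSV))):
        print(chg["OBJECTID"], chg["FNAME"], chg["USERNAME"], chg["WHEN"], "reverted", undo["WHEN"])
```

A key-date extract of the vendor master would show none of this, because the field holds its original value again after the second change.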