SAP Business One Audit Logs for Compliance and Auditing

Author

Anand Krishnamoorthy

This blog clarifies the settings and setups available in SAP Business One and how they affect the audit log. In SAP Business One, the audit log is called the Change Log.

Audit Log Settings

SAP Business One comes by default with the audit trail enabled, tracking up to 99 updates in all transactions and masters. The setting is available in General Settings. The value 99 means that the system tracks 99 changes for each document, master or screen in SAP Business One. For example, if a particular AP Invoice is changed 100 times, the system keeps the last 99 changes with date and time stamps.

The log count can be increased or decreased by users who have access to the General Settings screen. There is no time-based setting for log maintenance.

Note: Increasing the log count when you have a high volume of master data (more than 100000 Customer Master or Item Master records) can lead to an increase in DB size.

The audit log of General Settings, including the changes made to the general settings, can be viewed by clicking Change Log while the cursor is on the General Settings screen. It captures all changes made to the General Settings, with date and time.

User Masters

There are two types of users in SAP Business One: Super users and Regular users. A Super user usually has access to all screens, subject to license restrictions; a Super user with a Professional license has access to change all screens (and will be able to change the audit log as well). Under normal circumstances, only the admin users providing support should be set as Super users. Please refer to the user licensing restrictions in the next section.

A locked user cannot log in to the system. Locked users should not be considered for access. You can get the list of locked users in the License Administration screen.

User Licensing

There are many types of licenses; however, restricting our scope to the audit log, two types of licenses are important.

Professional License

Users with Professional licenses can access all screens in SAP Business One, provided they have the authorization. Only persons with authorization for the General Settings screen will be able to edit the change log.

Limited Licenses

Users with Limited licenses will have restricted access to screens. Users with limited licenses cannot access the general settings as per SAP Business One Policy.

For a detailed license comparison, you can download the chart from the following link:

https://blogs.avaniko.com/license-comparison-chart-for-sap-business-one/

You can also get a list of users and their assigned licenses from the License Administration screen below.

Authorization

The access of all users other than Super users, whether Professional or Limited, can be restricted through the Authorization screen.

However, a Super user's access cannot be restricted; by default, Super users get all access. From the screen below you can see that the Super user's access cannot be restricted and comes with full access.

Summary of settings

The audit log is managed in General Settings, and a user with authorization to the General Settings can change the audit log instances. Generally, these are Super users with Professional licenses. Users with Professional licenses who have access to the General Settings (via Authorization) also have privileges to edit the general settings.
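
An access review that applies the rules summarised above to a user list, as an added example that is not part of the original post or of SAP's tooling. The CSV layout, column names and sample accounts are constructed assumptions; the data would be compiled from the License Administration and Authorization screens.

```python
import csv
import io

# Constructed sample: a hand-made export combining the License Administration
# and Authorization screens. Column names are assumptions, not an SAP format.
SAMPLE_EXPORT = """user,superuser,license,locked,general_settings_auth
manager,Y,Professional,N,N
support1,Y,Professional,Y,N
fin_lead,N,Professional,N,Y
fin_clerk,N,Professional,N,N
sales1,N,Limited,N,Y
ops_admin,Y,Limited,N,N
"""


def can_change_log_count(row):
    """Apply the article's rules to one user row; return (allowed, reason)."""
    # A locked user cannot log in, so no other attribute matters.
    if row["locked"] == "Y":
        return False, "locked user cannot log in"
    # Limited licenses cannot open General Settings, super user or not.
    if row["license"] == "Limited":
        return False, "Limited license cannot open General Settings"
    # Only the two license types discussed in the article are evaluated here.
    if row["license"] != "Professional":
        return False, "license type outside the article's scope; review manually"
    # Super users cannot be restricted through the Authorization screen.
    if row["superuser"] == "Y":
        return True, "super user with Professional license"
    if row["general_settings_auth"] == "Y":
        return True, "Professional license with General Settings authorization"
    return False, "no authorization for General Settings"


def review(export_text):
    """Return {user: reason} for every account able to change the log count."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        allowed, reason = can_change_log_count(row)
        if allowed:
            findings[row["user"]] = reason
    return findings


if __name__ == "__main__":
    for user, reason in review(SAMPLE_EXPORT).items():
        print(f"{user}: {reason}")
```

The accounts this returns are the ones whose use of the General Settings change log is worth checking during the audit period.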

Audit Log Behavior in Transactions / Screens

Based on the general setting, the audit log is captured in all documents. The section below shows how to view the changes made to transactions. Click Tools and then Change Log, as highlighted in the screen below.

On clicking Change Log, a screen listing all the changes made to the screen appears. The number of changes kept is based on the general settings. In the company, 99 changes will be tracked as per the general settings.

As you can see in the above screenshot, the system shows the update time and date. On clicking the first line, the system shows the exact screenshot of the document before the changes, as shown below, with the name History Instance # 1.

The system shows the differences in tabular format below.

Audit Questionnaire

Below is the set of usual questions from auditors regarding the Change Log.

| S.No | Questions | Answers |
|------|-----------|---------|
| 1 | Whether the software(s) have the audit trail feature? | Yes, it's there at the application level |
| 2 | Whether the audit trail captures changes to every transaction of books of account; information that needs to be captured may include the following: | Yes, it captures |
|   | - When changes were made | Date and time of change. |
|   | - Who made those changes | Person who made the change |
|   | - What data was changed | The data which is changed. |
| 3 | Whether the audit trail feature is always enabled (not disabled)? | Yes. It cannot be disabled. |
| 4 | Whether the audit trail is enabled at the database level (if applicable) for logging any direct data changes? | It is at the application level and not at the DB level |
| 5 | Whether the audit trail is appropriately protected from any modification? | Yes, there is no option to modify the log |
| 6 | Whether the audit trail feature is configurable (i.e., if it can be disabled or tampered with)? | It cannot be disabled or tampered with |
| 7 | Whether the audit trail has been preserved as per statutory requirements for record retention? | Yes, it's preserved in the application |
| 8 | Whether the Company has migrated from one software to the other which happened during the year or higher version of software installed? | No. |
| 9 | Whether controls over maintenance and monitoring of audit trail and its feature are designed and operating effectively throughout the period of reporting? | Yes, it's maintained throughout the period of reporting. |
| 10 | Whether the system has controls to ensure that the audit trail feature has not been disabled or deactivated. | Audit trail or Change Log functionality in SAP Business One is enabled automatically and cannot be disabled |
| 11 | Whether the system has controls to ensure that User IDs are assigned to each individual and that User IDs are not shared. | This will be an internal process at the organization level. |
| 12 | Whether the system has controls to ensure that changes to the configurations of the audit trail are authorized and logs of such changes are maintained. | This is maintained by the system automatically. |
| 13 | Whether the system has controls to ensure that access to the audit trail (and backups) is disabled or restricted and access logs, whenever the audit trails have been accessed, are maintained. | The audit trail cannot be accessed or modified before or after the access. |
| 14 | Whether the system has controls to ensure that periodic backups of the audit trails are taken and archived as per the statutory period specified under Section 128 of the Act. | The backup of the database will automatically have the backup of the audit trails. |