Hi,
1. Correct. However, if you don't have a trusted relationship set up, then using S_RFCACL is breaching the principle of least privilege, is not required and, most importantly, if misconfigured it could bring a significant risk.
2. That does depend on the rest of your configuration. If you have RFC_EQUSER = Y, then it will force the same ID to be used; if you don't, you have lost that key control. If you aren't using trust relationships, then you can just do away with it.
So, looking at the risks, I see the following challenges:
- Critical auth present in roles when it's not required: breach of common good practice
- Potential serious risk (depending on how you have configured the rest of the fields) if trusted connections were set up
- Potential risk with current RFC destinations being set up with stored credentials, allowing misuse
The reality is that I know the square root of zero about your setup, and there are always mitigations and other circumstances; however, I hope you can see how the auditors came up with their finding. Considering that it is not required (no trusted connections) and can cause problems, then why would you not remove it?
Cheers,
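An added audit check, not part of this reply, for the two points made above (S_RFCACL granted where no trust relationship exists, and RFC_EQUSER not set to Y). It runs over a constructed AGR_1251-style role export; the AGR_1251 column layout and the field names RFC_SYSID, RFC_CLIENT and RFC_USER are assumptions on my side, while S_RFCACL and RFC_EQUSER come from the post.

```python
# Added example (not from the original post): flag S_RFCACL grants in a role
# export that are not required (no trusted system) or lack the RFC_EQUSER = Y
# control. The AGR_1251 layout and the RFC_SYSID/RFC_CLIENT/RFC_USER field
# names are assumptions; RFC_EQUSER and S_RFCACL are the ones discussed above.
from collections import defaultdict

# Constructed sample rows: (AGR_NAME, OBJECT, AUTH, FIELD, LOW)
AGR_1251_SAMPLE = [
    ("Z_BASIS_ADMIN", "S_RFCACL", "T-0001", "RFC_SYSID",  "*"),
    ("Z_BASIS_ADMIN", "S_RFCACL", "T-0001", "RFC_CLIENT", "*"),
    ("Z_BASIS_ADMIN", "S_RFCACL", "T-0001", "RFC_USER",   "*"),
    ("Z_BASIS_ADMIN", "S_RFCACL", "T-0001", "RFC_EQUSER", "N"),
    ("Z_INTERFACE",   "S_RFCACL", "T-0002", "RFC_SYSID",  "PRDCLNT100"),
    ("Z_INTERFACE",   "S_RFCACL", "T-0002", "RFC_CLIENT", "100"),
    ("Z_INTERFACE",   "S_RFCACL", "T-0002", "RFC_USER",   "*"),
    ("Z_INTERFACE",   "S_RFCACL", "T-0002", "RFC_EQUSER", "Y"),
    ("Z_DISPLAY",     "S_TCODE",  "T-0003", "TCD",        "SE16"),
]

def find_s_rfcacl_findings(rows, trusted_systems=()):
    """Return {(role, auth): [reasons]} for S_RFCACL grants an auditor would raise.

    trusted_systems: RFC_SYSID values of systems that really have a trust
    relationship. With none, every S_RFCACL grant is flagged as not required.
    """
    grants = defaultdict(dict)           # (role, auth) -> {field: value}
    for role, obj, auth, field, low in rows:
        if obj == "S_RFCACL":
            grants[(role, auth)][field] = low
    findings = {}
    for key, fields in grants.items():
        reasons = []
        sysid = fields.get("RFC_SYSID")
        if not trusted_systems:
            reasons.append("S_RFCACL granted but no trusted relationship exists")
        elif sysid == "*":
            reasons.append("RFC_SYSID wildcard accepts calls from any system")
        elif sysid not in trusted_systems:
            reasons.append(f"RFC_SYSID {sysid} is not a trusted system")
        if fields.get("RFC_EQUSER") != "Y":
            reasons.append("RFC_EQUSER != Y: same-user-ID control is lost")
            if fields.get("RFC_USER") == "*":
                reasons.append("RFC_USER wildcard with RFC_EQUSER != Y allows any user ID")
        if reasons:
            findings[key] = reasons
    return findings
```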