Why normalize and automate SAP audits?

Key Takeaways

  • Effort question. Even simple questions require detailed analysis before a precise answer can be presented to the auditors.
  • Comparability. Not all audits are the same. Audit results need to be made comparable over a longer period of time.
  • Continuity. Contrary to what many would like to hear, the audit is a necessity to ensure system security and integrity.

When the Big Four consultancy giants create departments for that specific purpose, it’s a major clue that IT audits involve big cost and effort. While these firms (EY, KPMG, Deloitte, and PwC) look for business and financial compliance violations, there is now also a trend towards looking more closely at SAP systems. As a result, auditors are digging into more detail, asking questions about SAP configuration and the use of critical standard profiles, e.g. the SAP_ALL authorization profile.

Realizing that SAP systems are an essential component in business processes increases the need for SAP security. That’s why external auditors are currently asking critical questions about the various interrelationships, demanding architecture diagrams or interface maps. Even if the question about the use of “SAP_ALL”, or the state of the profile parameter “rsau/enable” that activates the SAP Security Audit Log, seems simple, the people responsible have to meticulously check whether there is a deviation before that question can be answered.

If you consider a small landscape with only 5 productive systems, a trainee could be busy for at least a day gathering the required information. And then another day is needed for coordinating the results and populating them in Microsoft Excel and PowerPoint. Needless to say, auditors are paid to find something, so consequently, the answers given to them should be complete and conclusive.

A specific characteristic of audits is that they are repetitive. The time in between them is used to either remediate the findings or to try and forget about how painful the last audit was. If the latter is true, then the next audit will only be even worse, and there will likely be a concerted and last-minute attempt to try and resolve the issues. Unfortunately, this procedure, so often seen in companies, doesn’t result in any increase in security. On the contrary, regular audits tend to make companies feel safe, but it’s a false sense of security.

How can this situation be improved?

Audits are a necessity. We have to understand that, especially for complex SAP applications, it’s better to run an audit more frequently rather than only once a year. Regardless, the following checklist should be used:

Define the baseline(s)

Companies that are audited by different audit firms experience varying checks and expected results. It is vital to define a common SAP security and audit baseline and to align it with the auditors. There are cases in which it is advisable to have multiple baselines, e.g. to check for specific regulations like the Payment Card Industry (PCI).

Normalized procedure for the audit

The foundation is set once the baseline(s) are defined and confirmed. To run the audit and to be able to compare the results, any compliance test should be standardized and the results should be provided in the same format.

Automate as much as possible

As mentioned earlier, the audit should be performed frequently. Testing the SAP instances for security and compliance deviations should become a commodity task. However, this is only possible with a high degree of automation. Manual work should be limited to reviewing the findings and the remediation of flaws.

Results and trends

Tracking progress over time conveys a positive message to executive management. It is especially effective in motivating and justifying investment in security.
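
The four checklist items above can be shown in one small script. This is an added example, not part of the original article and not SecurityBridge code: it evaluates the two checks the article names (rsau/enable and SAP_ALL) against a baseline, returns every result in the same record format, and compares two runs. The control ids, system ids, user names and snapshot layout are assumptions made up for the illustration.

```python
# Hypothetical baseline: control ids and expected values are assumptions to agree with the auditors.
BASELINE = {
    "AUD-01": {"kind": "params", "name": "rsau/enable", "expected": "1"},
    "AUTH-01": {"kind": "profiles", "name": "SAP_ALL", "max_users": 0},
}

# Constructed snapshots (system ids, users and run labels are made up for this example).
RUNS = {
    "2024-Q1": {
        "PRD": {"params": {"rsau/enable": "0"}, "profiles": {"SAP_ALL": ["JDOE", "BATCH01"]}},
        "PR2": {"params": {"rsau/enable": "1"}, "profiles": {"SAP_ALL": []}},
    },
    "2024-Q2": {
        "PRD": {"params": {"rsau/enable": "1"}, "profiles": {"SAP_ALL": ["JDOE"]}},
        "PR2": {"params": {}, "profiles": {"SAP_ALL": []}},  # parameter was not collected
    },
}

def evaluate(system, snapshot, baseline=BASELINE):
    """Return one normalized record per control, with the same fields for every system."""
    records = []
    for cid, ctl in sorted(baseline.items()):
        actual = snapshot.get(ctl["kind"], {}).get(ctl["name"])
        if actual is None:
            status = "UNKNOWN"  # missing evidence is never reported as a pass
        elif ctl["kind"] == "params":
            status = "PASS" if actual == ctl["expected"] else "FAIL"
        else:
            status = "PASS" if len(actual) <= ctl["max_users"] else "FAIL"
        records.append({"system": system, "control": cid, "status": status, "actual": actual})
    return records

def audit(run):
    """Evaluate every system of one run in a stable order."""
    return [rec for sid in sorted(run) for rec in evaluate(sid, run[sid])]

def trend(previous, current):
    """Return {(system, control): (old, new)} for every status that changed."""
    before = {(r["system"], r["control"]): r["status"] for r in previous}
    changes = {}
    for r in current:
        key = (r["system"], r["control"])
        if before.get(key, "UNKNOWN") != r["status"]:
            changes[key] = (before.get(key, "UNKNOWN"), r["status"])
    return changes

if __name__ == "__main__":
    q1, q2 = audit(RUNS["2024-Q1"]), audit(RUNS["2024-Q2"])
    print(*q2, trend(q1, q2), sep="\n")
```

Because a value that was not collected is reported as UNKNOWN, a gap in data collection shows up in the trend as a change instead of silently looking like a pass.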

How to reach the optimum state?

If you’ve followed this article to this point, then you’re probably expecting me to propose a solution that is feasible and that provides the described attributes.

The SecurityBridge Platform contains many security features for protecting SAP products on-premise or in the cloud. In the most recent version of the SecurityBridge Security & Compliance Management, we have introduced the capability for simultaneously checking multiple security & compliance policies.

Audits can be executed fully automatically, and the results then stored in a standardized format enabling trend analysis and benchmarking against historic results. Additionally, the solution delivers a five-star risk rating and maturity level indicator for the various areas of responsibility. This ultimately provides a significant step towards addressing audit issues and compliance requirements.

Posted by

Christoph Nagy