Why normalize and automate SAP audits?

Key Takeaways

  • Effort. Even a simple auditor question requires detailed analysis before a precise answer can be given.
  • Comparability. No two audits are alike; results must be comparable over a longer period of time.
  • Continuity. Whether or not people like to hear it, audits are a necessity for ensuring system security and integrity.

It is a strong indication of the cost and effort involved in IT audits that the Big Four consultancies (EY, KPMG, Deloitte and PwC) maintain departments for that specific purpose. While they primarily look for business and financial compliance violations, there is now a clear trend towards looking more closely at SAP systems. As a result, auditors are digging into more detail and asking questions about SAP configuration and the use of critical standard profiles, e.g. the SAP_ALL authorization profile.

Realizing that SAP systems are an essential component of business processes increases the need for SAP security. That is why external auditors are now asking critical questions about the various interrelationships and demanding architecture diagrams or interface maps. Even a question that seems simple, such as the use of SAP_ALL or the state of the profile parameter rsau/enable (which activates the SAP Security Audit Log), means that the people responsible have to meticulously check every system for deviations before it can be answered. Note that rsau/enable = 1 alone does not guarantee useful evidence: the audit log filters (SM19 / RSAU_CONFIG) determine which events are actually recorded, so an audit has to check both.

Consider a small landscape with only five productive systems: a trainee could easily spend a full day gathering the required information, and another day coordinating the results and transferring them into Microsoft Excel and PowerPoint. Needless to say, auditors are paid to find something, so the answers given to them should be complete and conclusive.

A specific characteristic of audits is that they are repetitive. The time in between is used either to remediate the findings or to try to forget how painful the last audit was. In the latter case the next audit will only be worse, and there will likely be a concerted, last-minute attempt to resolve the issues. Unfortunately, this procedure, so often seen in companies, does not result in any increase in security. On the contrary, regular audits tend to make companies feel safe, but it is a false sense of security.

How can this situation be improved?

Audits are a necessity. We have to understand that, especially for complex SAP applications, it is better to run an audit frequently than only once a year. Regardless of frequency, the following checklist should be used:

Define the baseline(s)

Companies that are audited by different audit firms experience variation in the checks performed and the results expected. It is vital to define a common SAP security and audit baseline and to align it with the auditors. In some cases it is advisable to have multiple baselines, e.g. one for the corporate standard and one for a specific regulation such as the Payment Card Industry Data Security Standard (PCI DSS).

Normalized procedure for the audit

The foundation is set once the baseline(s) are defined and confirmed. To run the audit and be able to compare results across runs, every compliance test should be standardized and its results delivered in the same format, with the same check identifiers, the same status values and the same unit of measurement each time.

Automate as much as possible

As mentioned earlier, the audit should be performed frequently. Testing the SAP instances for security and compliance deviations should become a commodity task, which is only possible with a high degree of automation. Manual work should be limited to reviewing the findings and remediating the flaws.

Results and trends

Tracking progress over time, rather than reporting a single snapshot, conveys a clear message to executive management and is especially effective in motivating and justifying investment in security. That requires the results of earlier runs to be kept in the same normalized format so that new, resolved and still-open findings can be computed rather than estimated.
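The four checklist steps above, carried through as one small script: this is an added example, not code from the original page or from SecurityBridge. It assumes a collector (hypothetical here) that has already exported each system's profile parameters, as report RSPARAM lists them, and its profile assignments, as in table UST04, into a per-system snapshot; the snapshot, the rule IDs, the "pci-like" thresholds and the two system IDs are all constructed for the example. The script applies several baselines in one run, emits every finding in the same record shape, scores each area, and diffs two runs to produce a trend.

```python
# Constructed per-system export: profile parameters (as RSPARAM reports them)
# and who holds which profile (as in table UST04). Not real landscape data.
SNAPSHOT = {
    "PRD": {"params": {"rsau/enable": "1", "login/min_password_lng": "8",
                       "login/fails_to_user_lock": "5"},
            "profiles": {"SAP_ALL": ["DDIC"]}},
    "HRP": {"params": {"rsau/enable": "0", "login/min_password_lng": "6",
                       "login/fails_to_user_lock": "10"},
            "profiles": {"SAP_ALL": ["DDIC", "ZADMIN01", "ZBATCH"]}},
}

# One rule list per policy; all policies are applied in the same run. Rule IDs
# and the "pci-like" thresholds are made up for the example, not real requirements.
BASELINES = {
    "corporate": [
        {"id": "AUD-01", "area": "audit-log", "kind": "param",
         "name": "rsau/enable", "op": "eq", "value": "1"},
        {"id": "PWD-01", "area": "password", "kind": "param",
         "name": "login/min_password_lng", "op": "ge", "value": "8"},
        {"id": "AUTH-01", "area": "authorizations", "kind": "profile",
         "name": "SAP_ALL", "allowed": ["DDIC"]},
    ],
    "pci-like": [
        {"id": "PCI-PWD-01", "area": "password", "kind": "param",
         "name": "login/min_password_lng", "op": "ge", "value": "12"},
        {"id": "PCI-LOCK-01", "area": "password", "kind": "param",
         "name": "login/fails_to_user_lock", "op": "le", "value": "6"},
    ],
}


def evaluate(rule, data):
    """Check one rule against one system; every finding has the same shape."""
    if rule["kind"] == "param":
        actual = data["params"].get(rule["name"])
        expected = f"{rule['op']} {rule['value']}"
        if actual is None:
            status = "UNKNOWN"  # not in the export: report it, never assume the default
        elif rule["op"] == "eq":
            status = "PASS" if actual == rule["value"] else "FAIL"
        elif rule["op"] == "ge":
            status = "PASS" if int(actual) >= int(rule["value"]) else "FAIL"
        elif rule["op"] == "le":
            status = "PASS" if int(actual) <= int(rule["value"]) else "FAIL"
        else:
            raise ValueError(f"unsupported operator {rule['op']!r}")
    else:  # "profile": any holder not on the allow-list is a finding
        holders = set(data["profiles"].get(rule["name"], []))
        extra = sorted(holders - set(rule["allowed"]))
        status = "FAIL" if extra else "PASS"
        actual = ", ".join(extra) or "no unexpected holders"
        expected = "only " + ", ".join(rule["allowed"])
    return {"check": rule["id"], "area": rule["area"], "name": rule["name"],
            "status": status, "actual": actual, "expected": expected}


def run_audit(snapshot, baselines):
    """Apply every policy to every system and return one flat list of findings."""
    findings = []
    for policy, rules in baselines.items():
        for system, data in snapshot.items():
            for rule in rules:
                findings.append({**evaluate(rule, data), "policy": policy, "system": system})
    return findings


def score_by_area(findings):
    """Pass rate in percent per policy and area (UNKNOWN results excluded)."""
    counts = {}
    for f in findings:
        if f["status"] != "UNKNOWN":
            bucket = counts.setdefault(f["policy"], {}).setdefault(f["area"], [0, 0])
            bucket[0] += f["status"] == "PASS"
            bucket[1] += 1
    return {p: {a: round(100 * ok / n) for a, (ok, n) in areas.items()}
            for p, areas in counts.items()}


def diff_runs(previous, current):
    """Trend between two runs: findings that appeared, were resolved, remain open."""
    def key(f):
        return (f["policy"], f["system"], f["check"])
    before = {key(f) for f in previous if f["status"] == "FAIL"}
    after = {key(f) for f in current if f["status"] == "FAIL"}
    return {"new": sorted(after - before), "resolved": sorted(before - after),
            "open": len(after)}


if __name__ == "__main__":
    first = run_audit(SNAPSHOT, BASELINES)
    for f in first:
        print(f"{f['policy']:<9} {f['system']} {f['check']:<11} {f['status']:<7} "
              f"{f['name']}: {f['actual']} (expected {f['expected']})")
    print("score by area:", score_by_area(first))
    # Simulate one remediation (audit log switched on in HRP) and show the trend.
    hrp = {**SNAPSHOT["HRP"], "params": {**SNAPSHOT["HRP"]["params"], "rsau/enable": "1"}}
    second = run_audit({**SNAPSHOT, "HRP": hrp}, BASELINES)
    print("trend since last run:", diff_runs(first, second))
```

Two design points matter more than the rule syntax. A parameter that is missing from the export is reported as UNKNOWN rather than silently treated as compliant or as the SAP default, because a gap in the collector is itself something the auditor will ask about. And the trend is computed from stored findings keyed by policy, system and check ID, which is only possible because every run produces records of the same shape; that is the practical payoff of normalizing before automating.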

How to reach the optimum state?

If you’ve followed this article to this point, then you’re probably expecting me to propose a solution that is feasible and that provides the described attributes.

The SecurityBridge Platform contains many security features for protecting SAP products on-premise or in the cloud. In the most recent version of SecurityBridge Security & Compliance Management we have introduced the capability to check multiple security and compliance policies simultaneously.

Audits can be executed fully automatically, and the results are stored in a standardized format that enables trend analysis and benchmarking against historic results. Additionally, the solution delivers a five-star risk rating and a maturity level indicator for the various areas of responsibility. Together, this is a significant step towards addressing audit issues and compliance requirements.

Posted by Christoph Nagy