Skip to content

Why normalize and automate SAP audits?


Key Takeaways

  • Effort question. Even simple questions require detailed analysis to be able to present a precise answer to the auditors.
  • Comparability. Not all audits are the same. Equating the audit over a longer period of time is necessary.
  • Continuity. Contrary to what many would like to hear, the audit is a necessity to ensure system security and integrity.

Why normalize and automate SAP Audits?

It’s a major clue that there are a big cost and effort in IT audits when the big 4 consultancy giants create departments for that specific purpose.  While they i.e.: EY, KPMG, Deloitte, and PWC,  look for business and financial compliance violations, there’s also now a trend for looking more closely at SAP systems. As a result, auditors are digging into more detail, asking questions about SAP configuration and the use of critical standard profiles, eg: the SAP_ALL authorization profile.

Realizing that SAP systems are an essential component in business processes increases the need for SAP security. That’s why external auditors are currently asking critical questions about the various interrelationships, demanding architecture diagrams or interface maps. Even if the question about the use of „SAP_ALL“, or the state of the profile parameter “rsau/enable” to activate the SAP Security Audit Log seems simple, the folks responsible for this have to meticulously check if there is a deviation before that question can be answered.

If you consider a small landscape with only 5 productive systems, a trainee could be busy for at least a day gathering the required information. And then another day is needed for coordinating the results and populating them in Microsoft Excel and PowerPoint. Needless to say, auditors are paid to find something, so consequently, the answers given to them should be complete and conclusive.

A specific characteristic of audits is that they are repetitive. The time in between them is used to either remediate the findings or to try and forget about how painful the last audit was. If the latter is true, then the next audit will only be even worse, and there will likely be a concerted and last-minute attempt to try and resolve the issues. Unfortunately, this procedure, so often seen in companies, doesn’t result in any increase in security. On the contrary, regular audits tend to make companies feel safe, but it’s a false sense of security.

How can this situation be improved?

Audits are a necessity.  We have to understand that especially for complex SAP applications, it’s better to run an audit more frequently, rather than only once a year. Regardless, the following checklist should be used:

Define the baseline(s)

Companies that are audited by different audit firms experience a variation of checks and expected results. It is vital to define a common SAP security and audit baseline and to align it with the auditors. Cases exist, for which it is advisable to have multiple baselines, i.e. to check for specific regulations like the Payment Card Industry (PCI).

Normalized procedure for the audit

The foundation is set once the baseline(s) are defined and confirmed. To run the audit and to be able to compare the results, any compliance test should be standardized and the results should be provided in the same format.

Automate as much as possible

As mentioned earlier, the audit should be performed frequently. Testing the SAP instances for security and compliance deviations should become a commodity task. However, this is only possible with a high degree of automation. Manual work should be limited to reviewing the findings and the remediation of flaws.

Results and trends

Tracking the progress of evolution over time conveys a positive message to executive management. It is especially effective in motivating and justifying investment in security.

How to reach the optimum state?

If you’ve followed this article to this point, then you’re probably expecting me to propose a solution that is feasible and that provides the described attributes.

The SecurityBridge Platform contains many security features for protecting SAP products on-premise or in the cloud. In the most recent version of the SecurityBridge Security & Compliance Management (link to release highlights) we have introduced the capability for simultaneously checking multiple security & compliance policies.

Audits can be executed fully automatically, and the results then stored in a standardized format enabling trend analysis and benchmarking against historic results. Additionally, the solution delivers a five-star risk rating and maturity level indicator for the various areas of responsibility. This ultimately provides a significant step towards addressing audit issues and compliance requirements.

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Watch Your SAP go phishing – SAP Live Hack

Join our webinar, to learn how to identify and prevent an SAP cyber-attack. You will sit in the first row to watch cybersecurity expert Holger Stumm demonstrate a live Phishing Attack targeting SAP.

How to Close the Gap in SAP Compliance

When the auditors ring the doorbell, every SAP client knows what happens next. Christoph Nagy, CEO of SecurityBridge, discusses with Carsten Crantz from PwC Germany on how to master this challenging task.
SAP security Patch day
SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP ABAP Directory Traversal Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability. In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.
we are hiring - career page
SecurityBridge is a leading provider of cutting-edge cybersecurity for SAP, catering to businesses of all sizes. We are expanding our operation to the US market and are looking for an experienced Sales Representative to join our team. The ideal candidate will have at least 5 years of experience in sales, with a focus on software sales, SAP security, and cybersecurity.