Why normalize and automate SAP audits?
- Effort. Even a simple question requires detailed analysis before a precise answer can be given to the auditors.
- Comparability. Not all audits are the same; results need to be comparable over a longer period of time.
- Continuity. Contrary to what many would like to hear, audits are a necessity to ensure system security and integrity.
Why normalize and automate SAP Audits?
It's a major clue that IT audits involve significant cost and effort when the big four consultancy giants create departments for that specific purpose. While these firms (EY, KPMG, Deloitte, and PwC) look for business and financial compliance violations, there is now also a trend toward looking more closely at SAP systems. As a result, auditors are digging into more detail, asking questions about SAP configuration and the use of critical standard profiles, e.g. the SAP_ALL authorization profile.
Realizing that SAP systems are an essential component of business processes increases the need for SAP security. That's why external auditors are currently asking critical questions about the various interrelationships, demanding architecture diagrams or interface maps. Even if the question about the use of "SAP_ALL", or the state of the profile parameter "rsau/enable" that activates the SAP Security Audit Log, seems simple, the people responsible have to meticulously check every system for a deviation before the question can be answered.
If you consider a small landscape with only 5 productive systems, a trainee could easily be busy for a day gathering the required information, and another day consolidating the results and populating Microsoft Excel and PowerPoint. Needless to say, auditors are paid to find something, so the answers given to them should be complete and conclusive.
A specific characteristic of audits is that they are repetitive. The time in between them is used to either remediate the findings or to try and forget about how painful the last audit was. If the latter is true, then the next audit will only be even worse, and there will likely be a concerted and last-minute attempt to try and resolve the issues. Unfortunately, this procedure, so often seen in companies, doesn’t result in any increase in security. On the contrary, regular audits tend to make companies feel safe, but it’s a false sense of security.
How can this situation be improved?
Audits are a necessity. We have to understand that especially for complex SAP applications, it’s better to run an audit more frequently, rather than only once a year. Regardless, the following checklist should be used:
Define the baseline(s)
Companies that are audited by different audit firms experience a variation in checks and expected results. It is vital to define a common SAP security and audit baseline and to align it with the auditors. In some cases it is advisable to have multiple baselines, e.g. to check against specific regulations like the Payment Card Industry (PCI) standard.
Normalized procedure for the audit
The foundation is set once the baseline(s) are defined and confirmed. To run the audit and be able to compare results, every compliance test should be standardized and its results delivered in the same format.
Automate as much as possible
As mentioned earlier, the audit should be performed frequently. Testing the SAP instances for security and compliance deviations should become a commodity task. However, this is only possible with a high degree of automation. Manual work should be limited to reviewing the findings and the remediation of flaws.
Results and trends
Tracking progress over time conveys a positive message to executive management. It is especially effective in motivating and justifying investment in security.
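As an added illustration of the checklist above (example code, not SecurityBridge's or SAP's own), here is a baseline-driven check runner in Python: the baseline encodes the agreed expectation for rsau/enable and for SAP_ALL, every run emits findings in one normalized shape, and two runs are diffed for the trend view. The check IDs, the FIREFIGHTER allow-list entry, and the system snapshots are constructed; in practice the snapshots would come from whatever export job pulls profile parameters and profile assignments from each system.

```python
from dataclasses import dataclass

# Baseline: the agreed expectation per check, reused for every system and every audit.
BASELINE = {
    "SAL-01": {"kind": "param", "name": "rsau/enable", "expect": "1",
               "title": "Security Audit Log active"},
    "AUTH-01": {"kind": "profile", "name": "SAP_ALL", "allow": {"FIREFIGHTER"},
                "title": "SAP_ALL held only by approved emergency users"},
}

@dataclass(frozen=True)
class Finding:
    system: str
    check: str
    status: str    # "PASS" or "FAIL"
    evidence: str  # what was observed, phrased for the auditor

def evaluate(system, snapshot, baseline=BASELINE):
    """Apply every baseline check to one system snapshot; output always has one shape."""
    out = []
    for cid, rule in baseline.items():
        if rule["kind"] == "param":
            actual = snapshot["params"].get(rule["name"], "<unset>")
            ok = actual == rule["expect"]
            evidence = f"{rule['name']}={actual} (expected {rule['expect']})"
        else:  # profile assignment: no holder outside the allow-list
            holders = [u for u, p in snapshot["assignments"] if p == rule["name"]]
            bad = sorted(u for u in holders if u not in rule["allow"])
            ok = not bad
            evidence = f"{rule['name']} held by {bad or 'no unapproved user'}"
        out.append(Finding(system, cid, "PASS" if ok else "FAIL", evidence))
    return out

def trend(previous, current):
    """Diff two normalized runs keyed by (system, check) for trend reporting."""
    prev = {(f.system, f.check): f.status for f in previous}
    curr = {(f.system, f.check): f.status for f in current}
    return {
        "fixed": sorted(k for k in curr if curr[k] == "PASS" and prev.get(k) == "FAIL"),
        "regressed": sorted(k for k in curr if curr[k] == "FAIL" and prev.get(k) == "PASS"),
        "open": sorted(k for k in curr if curr[k] == "FAIL" and prev.get(k) == "FAIL"),
        "pass_rate": round(sum(s == "PASS" for s in curr.values()) / len(curr), 2),
    }

# Constructed snapshots for one productive system: last audit vs. this one.
LAST = {"params": {"rsau/enable": "0"}, "assignments": [("JDOE", "SAP_ALL"), ("FIREFIGHTER", "SAP_ALL")]}
NOW = {"params": {"rsau/enable": "1"}, "assignments": [("JDOE", "SAP_ALL"), ("FIREFIGHTER", "SAP_ALL")]}

if __name__ == "__main__":
    print(trend(evaluate("PRD", LAST), evaluate("PRD", NOW)))
```

Running the same baseline against every system in the landscape and keeping each run's findings gives the comparable, repeatable record the auditors ask for; the Security Audit Log fix shows up as "fixed" while the remaining SAP_ALL holder stays "open".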
How to reach the optimum state?
If you’ve followed this article to this point, then you’re probably expecting me to propose a solution that is feasible and that provides the described attributes.
The SecurityBridge Platform contains many security features for protecting SAP products on-premise or in the cloud. In the most recent version of SecurityBridge Security & Compliance Management we have introduced the capability to check multiple security & compliance policies simultaneously.
Audits can be executed fully automatically, and the results are stored in a standardized format that enables trend analysis and benchmarking against historic results. Additionally, the solution delivers a five-star risk rating and a maturity level indicator for the various areas of responsibility. This is a significant step towards addressing audit issues and compliance requirements.