Skip to content

Why normalize and automate SAP audits?


Key Takeaways

  • Effort question. Even simple questions require detailed analysis to be able to present a precise answer to the auditors.
  • Comparability. Not all audits are the same. Equating the audit over a longer period of time is necessary.
  • Continuity. Contrary to what many would like to hear, the audit is a necessity to ensure system security and integrity.

Why normalize and automate SAP Audits?

It’s a major clue that there are a big cost and effort in IT audits when the big 4 consultancy giants create departments for that specific purpose.  While they i.e.: EY, KPMG, Deloitte, and PWC,  look for business and financial compliance violations, there’s also now a trend for looking more closely at SAP systems. As a result, auditors are digging into more detail, asking questions about SAP configuration and the use of critical standard profiles, eg: the SAP_ALL authorization profile.

Realizing that SAP systems are an essential component in business processes increases the need for SAP security. That’s why external auditors are currently asking critical questions about the various interrelationships, demanding architecture diagrams or interface maps. Even if the question about the use of „SAP_ALL“, or the state of the profile parameter “rsau/enable” to activate the SAP Security Audit Log seems simple, the folks responsible for this have to meticulously check if there is a deviation before that question can be answered.

If you consider a small landscape with only 5 productive systems, a trainee could be busy for at least a day gathering the required information. And then another day is needed for coordinating the results and populating them in Microsoft Excel and PowerPoint. Needless to say, auditors are paid to find something, so consequently, the answers given to them should be complete and conclusive.

A specific characteristic of audits is that they are repetitive. The time in between them is used to either remediate the findings or to try and forget about how painful the last audit was. If the latter is true, then the next audit will only be even worse, and there will likely be a concerted and last-minute attempt to try and resolve the issues. Unfortunately, this procedure, so often seen in companies, doesn’t result in any increase in security. On the contrary, regular audits tend to make companies feel safe, but it’s a false sense of security.

How can this situation be improved?

Audits are a necessity.  We have to understand that especially for complex SAP applications, it’s better to run an audit more frequently, rather than only once a year. Regardless, the following checklist should be used:

Define the baseline(s)

Companies that are audited by different audit firms experience a variation of checks and expected results. It is vital to define a common SAP security and audit baseline and to align it with the auditors. Cases exist, for which it is advisable to have multiple baselines, i.e. to check for specific regulations like the Payment Card Industry (PCI).

Normalized procedure for the audit

The foundation is set once the baseline(s) are defined and confirmed. To run the audit and to be able to compare the results, any compliance test should be standardized and the results should be provided in the same format.

Automate as much as possible

As mentioned earlier, the audit should be performed frequently. Testing the SAP instances for security and compliance deviations should become a commodity task. However, this is only possible with a high degree of automation. Manual work should be limited to reviewing the findings and the remediation of flaws.

Results and trends

Tracking the progress of evolution over time conveys a positive message to executive management. It is especially effective in motivating and justifying investment in security.

How to reach the optimum state?

If you’ve followed this article to this point, then you’re probably expecting me to propose a solution that is feasible and that provides the described attributes.

The SecurityBridge Platform contains many security features for protecting SAP products on-premise or in the cloud. In the most recent version of the SecurityBridge Security & Compliance Management (link to release highlights) we have introduced the capability for simultaneously checking multiple security & compliance policies.

Audits can be executed fully automatically, and the results then stored in a standardized format enabling trend analysis and benchmarking against historic results. Additionally, the solution delivers a five-star risk rating and maturity level indicator for the various areas of responsibility. This ultimately provides a significant step towards addressing audit issues and compliance requirements.

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Kickstarting Your SAP Security Journey

Do you want to kickstart your journey towards SAP security excellence? Then check out our upcoming webinar. In our webinar, we will show you how to overcome these pitfalls and kickstart your journey to SAP Security excellence. Our customer cbs consulting will talk about their experience with implementing the SecurityBridge Platform and the first milestones achieved on their SAP Security journey.

SAP for Utilities, Presented by ASUG

Be at the forefront of driving change and innovation against the backdrop of digital transformation. This 16th annual SAP for Utilities, Presented by ASUG, takes place Oct. 9–11 in Chicago. Learn how to conquer the industry’s toughest challenges at North America’s leading event for utility.
Senior SAP Developer Singapore
As a Senior SAP Developer, you will be responsible for designing, developing, and maintaining SAP solutions while leading and guiding a team of developers. You will play a crucial role in the development of standard products, and your technical expertise and communication skills will be instrumental in ensuring the success of our projects. This role demands strong leadership, technical acumen, and the ability to collaborate effectively in an international development team.
Earlier this year, IBM presented its 18th edition of ‘The Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations - any IT security professional should check it out. In this article, we will highlight some of this report’s findings and bring them into the context of SAP security.
We're hiring a financial controller/analyst
As a Controller/Financial Analyst at SecurityBridge, you will play a crucial role in managing and optimizing financial processes, ensuring accurate reporting, and providing strategic financial insights. This is an exciting opportunity for a detail-oriented professional to contribute to the financial success of the fastest-growing cybersecurity provider for SAP systems.