To get your SAP system(s) audit-proof, you need a clear view of your SOD (Segregation of Duties) risks. This can be done by performing a Pre Audit.

Once you have a clear overview of your SOD risks, you either remove them by making the necessary role changes in your system or mitigate them with compensating controls.

The first step you need to take is performing system checks on:

  1. your authorization parameters. These need to be set correctly. One example is the set of parameters that determines password strength: how many characters a password must contain (login/min_password_lng) and how many upper- or lowercase characters it must hold (login/min_password_uppercase, login/min_password_lowercase).
  2. system-critical authorization objects. Some authorization objects can harm your system when assigned to users. For instance the object S_DEVELOP with object type DEBUG, in particular combined with activity 02 (change), which lets a user change variable values while debugging and so bypass the program's own checks. This authorization should never be assigned to end users in your production environment.
  3. the assignment of SAP standard profiles. The SAP standard profiles SAP_ALL and SAP_NEW should not be used in a production environment. Always investigate which authorization is actually needed and build authorization roles to assign it to the users.
  4. the restrictions on standard SAP users. When implementing an SAP system, some standard users (like SAP*, DDIC, EARLYWATCH and SAPCPIC) will be available in your system. Check that these users have the correct user type, that their default passwords have been changed (report RSUSR003 lists which still have them) and that they are locked where they are not needed.
  5. system-critical transaction codes. Think of checking who is assigned transaction codes like performing a payment run (F110) or opening your SAP system for customizing (SCC4, SE06).
  6. the risk of assigning combinations of transaction codes to one user. Make sure users cannot perform certain combinations of transaction codes, like creating a purchase order (ME21N) and entering the goods receipt for it (MIGO).
  7. whether your naming convention for roles and users is implemented correctly.

All these checks can be done using additional, often expensive, systems like SAP GRC, CSI AA, etc. When you don’t have such a system available, Next View can perform these checks for you using the Next View Pre Audit Scan.

We use standard SAP transactions, system checks and a deep analysis of SAP tables to map the risks we find.
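As an added example that is not part of the original post and not the Next View Pre Audit Scan, the script below runs the seven checks above over small constructed extracts shaped like the SAP tables such an analysis reads: AGR_USERS (role to user), AGR_TCODES (transactions in the role menu), AGR_1251 (authorization field values per role), UST04 (user to profile), USR02 (user master with user type and lock flag) and profile parameter values as shown in RZ11. The sample rows, the parameter minimums, the SOD rule pairs and the role naming pattern Z_<module>_<name> are all assumptions made for the illustration; replace them with your own policy.

```python
"""Pre-audit checks over exported SAP authorization tables.

Added example (not Nextview's tool): constructed extracts shaped like AGR_USERS
(role to user), AGR_TCODES (role menu), AGR_1251 (role authorization values),
UST04 (user to profile), USR02 (user master) and RZ11 profile parameters.
Thresholds, SOD rules and the role naming pattern are assumptions to tune.
"""
import re
from collections import defaultdict

# --- constructed sample extracts, not data from a real system ---
AGR_USERS = [("Z_MM_PURCHASING", "JSMITH"), ("Z_MM_GOODS_RECEIPT", "JSMITH"),
             ("Z_FI_PAYMENTS", "AJONES"), ("ZBASIS_ADMIN", "BASIS01")]
AGR_TCODES = [("Z_MM_PURCHASING", "ME21N"), ("Z_MM_GOODS_RECEIPT", "MIGO"),
              ("Z_FI_PAYMENTS", "F110"), ("ZBASIS_ADMIN", "SCC4"), ("ZBASIS_ADMIN", "SE06")]
# (role, object, authorization instance, field, low value)
AGR_1251 = [("ZBASIS_ADMIN", "S_DEVELOP", "T-AB000001", "OBJTYPE", "DEBUG"),
            ("ZBASIS_ADMIN", "S_DEVELOP", "T-AB000001", "ACTVT", "02"),
            ("Z_MM_PURCHASING", "S_DEVELOP", "T-XY000001", "OBJTYPE", "DEBUG"),
            ("Z_MM_PURCHASING", "S_DEVELOP", "T-XY000001", "ACTVT", "03")]
UST04 = [("BASIS01", "SAP_ALL"), ("AJONES", "Z_FI_PAYMENTS")]
# (user, USTYP, UFLAG): UFLAG 64 = locked by local admin, 32 = locked globally, 128 = failed logons
USR02 = [("SAP*", "A", 64), ("DDIC", "A", 0), ("JSMITH", "A", 0),
         ("AJONES", "A", 0), ("BASIS01", "A", 0)]
PARAMS = {"login/min_password_lng": 6, "login/min_password_uppercase": 0,
          "login/min_password_lowercase": 0}

# --- assumed baselines and rule set (illustrative, not a vendor ruleset) ---
PARAM_MINIMUMS = {"login/min_password_lng": 8, "login/min_password_uppercase": 1,
                  "login/min_password_lowercase": 1}
STANDARD_PROFILES = {"SAP_ALL", "SAP_NEW"}
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}
CRITICAL_TCODES = {"F110": "payment run", "SCC4": "client change option",
                   "SE06": "system change option"}
SOD_RULES = [({"ME21N", "MIGO"}, "create purchase order + post goods receipt"),
             ({"ME21N", "F110"}, "create purchase order + run payments")]
ROLE_NAME = re.compile(r"^Z_[A-Z]{2}_[A-Z0-9_]+$")  # assumed convention: Z_<module>_<name>


def check_parameters(params, minimums=PARAM_MINIMUMS):
    return [f"{name}={params.get(name)} (expected >= {low})"
            for name, low in minimums.items() if params.get(name, 0) < low]


def check_standard_profiles(ust04):
    return sorted(f"{user} has {prof}" for user, prof in ust04 if prof in STANDARD_PROFILES)


def check_standard_users(usr02):
    # a standard user is acceptable here only when an administrator lock bit is set
    return [f"{user} (type {typ}) not locked, UFLAG={flag}"
            for user, typ, flag in usr02 if user in STANDARD_USERS and not flag & (32 | 64)]


def check_debug_change(agr_1251, agr_users):
    # S_DEVELOP with OBJTYPE DEBUG and ACTVT 02 (or *) in the same authorization
    # instance allows changing values while debugging; ACTVT 03 alone is display only
    inst = defaultdict(lambda: defaultdict(set))
    for role, obj, auth, field, low in agr_1251:
        if obj == "S_DEVELOP":
            inst[(role, auth)][field].add(low)
    bad_roles = {role for (role, _), f in inst.items()
                 if f["OBJTYPE"] & {"DEBUG", "*"} and f["ACTVT"] & {"02", "*"}}
    return sorted(f"{user} via {role}" for role, user in agr_users if role in bad_roles)


def effective_tcodes(agr_users, agr_tcodes):
    # role menu only; a full scan also reads S_TCODE values from AGR_1251
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    user_tcodes = defaultdict(set)
    for role, user in agr_users:
        user_tcodes[user] |= role_tcodes[role]
    return user_tcodes


def check_critical_tcodes(user_tcodes):
    return sorted(f"{user}: {t} ({CRITICAL_TCODES[t]})"
                  for user, tcodes in user_tcodes.items() for t in tcodes & set(CRITICAL_TCODES))


def check_sod_conflicts(user_tcodes):
    return sorted(f"{user}: {' + '.join(sorted(pair))} ({why})"
                  for user, tcodes in user_tcodes.items()
                  for pair, why in SOD_RULES if pair <= tcodes)


def check_role_naming(agr_users):
    return sorted({role for role, _ in agr_users if not ROLE_NAME.match(role)})


def run_pre_audit():
    user_tcodes = effective_tcodes(AGR_USERS, AGR_TCODES)
    return {"parameters": check_parameters(PARAMS),
            "debug_change": check_debug_change(AGR_1251, AGR_USERS),
            "standard_profiles": check_standard_profiles(UST04),
            "standard_users": check_standard_users(USR02),
            "critical_tcodes": check_critical_tcodes(user_tcodes),
            "sod_conflicts": check_sod_conflicts(user_tcodes),
            "role_naming": check_role_naming(AGR_USERS)}


if __name__ == "__main__":
    for check, findings in run_pre_audit().items():
        print(f"{check}: {findings or 'OK'}")
```

Run it directly to print the findings per check. Two caveats a real scan must handle: effective transaction access comes from S_TCODE values in AGR_1251 and from composite roles (AGR_AGRS), not only from the role menu in AGR_TCODES, and the S_DEVELOP check has to evaluate OBJTYPE and ACTVT within the same authorization instance (the AUTH column), because a role may carry DEBUG with display activity 03 in one instance and change activity 02 in another.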

The second step is remediating and mitigating the risks.

Once you have an overview of the risks for your company, you need to remove them where you can and mitigate the rest.

This can be done by:

  1. Making the necessary changes to your authorization roles, users, parameters or naming convention;
  2. Setting up mitigating controls for your SOD risks. For instance, when you have classified a risk as high but cannot remove it by changing your authorization roles, you can set up a procedure to periodically check who performed these actions and whether they were performed correctly, and keep the evidence of that review for your auditors.

Performing these steps will give you insight into your company's risks and how to mitigate them.

Because you already know your risks and how they are mitigated, talking to your external auditors becomes easier and less time-consuming!

Do you need more information on this topic or do you want Nextview to perform a Pre Audit at your company? You can contact me at saskia.berghs@nextview.nl