To get your SAP system(s) audit proof you need a clear view of your SOD (Segregation of Duties) risks. This can be done by performing a Pre Audit.
Once you have a clear overview of your SOD risks, you either solve them by making the necessary role changes in your system or mitigate the risks.
The first step you need to take is performing system checks on:
your authorization parameters.
Your authorization parameters need to be set correctly. One example is the authorization parameter for password strength, in which you determine how many characters a password must contain or how many uppercase or lowercase characters the password must hold.
system critical authorization objects. Some authorization objects can harm your system when assigned to users. For instance the object S_DEVELOP with the value DEBUG: this is an authorization that should never be assigned to end users on your production environment.
the assignment of SAP standard profiles. The SAP standard profiles SAP_ALL and SAP_NEW should not be used on a production environment. You should always investigate which authorization is needed and build authorization roles to assign that authorization to the users.
the restrictions on standard SAP users. When implementing an SAP system, some standard users (like DDIC) will be available in your system. It needs to be checked whether these users have the correct user type and whether they are locked.
system critical transaction codes. You can think of checking the assignment of transaction codes like performing a payment run or opening your SAP system for customizing.
the risk of assigning combinations of transaction codes to one user. You need to make sure users cannot perform certain combinations of transaction codes, like creating a purchase order and entering the goods receipt for it.
if your naming convention on roles and users is implemented correctly.
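The checklist above can be run as a script over table extracts from the system. The following is an added example (not Nextview's Pre Audit Scan, and not SAP code); it assumes the extracts come from the SAP tables USR02 (user master), UST04 (user-to-profile), AGR_USERS (user-to-role), AGR_TCODES (role-to-transaction) and AGR_1251 (role authorization values), the profile-parameter names login/min_password_lng and login/min_password_uppercase, the UFLAG lock bit 64 and a customer role prefix Z_, all of which are assumptions. The rows below are constructed sample data, not output from a real system. It goes slightly beyond the text in one respect: an S_DEVELOP authorization whose OBJTYPE field is the wildcard * also grants DEBUG, so the check has to treat wildcards as matches rather than looking only for the literal value.

```python
"""Pre-audit checks over constructed extracts of SAP authorization tables (added example)."""
from collections import defaultdict

# --- constructed extracts, one dict per table row (assumed column names) ---
USR02 = [  # user master: user type (USTYP) and lock flags (UFLAG)
    {"BNAME": "DDIC",   "USTYP": "A", "UFLAG": 0},   # standard user, not locked
    {"BNAME": "JSMITH", "USTYP": "A", "UFLAG": 0},
    {"BNAME": "BATCH1", "USTYP": "B", "UFLAG": 0},
]
UST04 = [  # user -> profile assignment
    {"BNAME": "JSMITH", "PROFILE": "SAP_ALL"},
    {"BNAME": "BATCH1", "PROFILE": "Z_BATCH"},
]
AGR_USERS = [  # user -> role assignment
    {"UNAME": "JSMITH", "AGR_NAME": "Z_PUR_BUYER"},
    {"UNAME": "JSMITH", "AGR_NAME": "Z_WH_RECEIVING"},
    {"UNAME": "BATCH1", "AGR_NAME": "BATCH_JOBS"},   # breaks the Z_ naming convention
]
AGR_TCODES = [  # role -> transaction code
    {"AGR_NAME": "Z_PUR_BUYER",    "TCODE": "ME21N"},   # create purchase order
    {"AGR_NAME": "Z_WH_RECEIVING", "TCODE": "MIGO"},    # goods receipt
    {"AGR_NAME": "Z_WH_RECEIVING", "TCODE": "F110"},    # payment run
]
AGR_1251 = [  # role -> authorization object field values
    {"AGR_NAME": "Z_WH_RECEIVING", "OBJECT": "S_DEVELOP", "FIELD": "OBJTYPE", "LOW": "*"},
    {"AGR_NAME": "Z_PUR_BUYER",    "OBJECT": "S_DEVELOP", "FIELD": "OBJTYPE", "LOW": "PROG"},
]
PARAMS = {"login/min_password_lng": 6, "login/min_password_uppercase": 0}  # constructed

# --- rule set (assumed thresholds and conventions) -------------------------
SOD_RULES = {"PO_vs_GR": ({"ME21N"}, {"MIGO"})}
CRITICAL_TCODES = {"F110", "SCC4"}                 # payment run, open client for customizing
FORBIDDEN_PROFILES = {"SAP_ALL", "SAP_NEW"}
PARAM_MINIMUMS = {"login/min_password_lng": 8, "login/min_password_uppercase": 1}
STANDARD_USERS = {"DDIC"}
ROLE_PREFIX = "Z_"     # assumed naming convention for customer roles
LOCKED_FLAG = 64       # assumption: UFLAG bit set when locked by the administrator


def value_matches(low: str, target: str) -> bool:
    """Authorization field values may be '*' or a prefix ending in '*'."""
    if low == "*":
        return True
    if low.endswith("*"):
        return target.startswith(low[:-1])
    return low == target


def roles_by_user():
    roles = defaultdict(set)
    for row in AGR_USERS:
        roles[row["UNAME"]].add(row["AGR_NAME"])
    return roles


def tcodes_by_user():
    """Effective transaction codes per user, resolved through role assignments."""
    per_role = defaultdict(set)
    for row in AGR_TCODES:
        per_role[row["AGR_NAME"]].add(row["TCODE"])
    return {u: set().union(*(per_role[r] for r in rs)) for u, rs in roles_by_user().items()}


def run_checks():
    """Return sorted (check, subject, detail) findings for the checklist."""
    findings = []
    for param, minimum in PARAM_MINIMUMS.items():          # authorization parameters
        if PARAMS.get(param, 0) < minimum:
            findings.append(("PARAM", param, f"{PARAMS.get(param)} < {minimum}"))
    roles = roles_by_user()
    for auth in AGR_1251:                                   # critical authorization objects
        if auth["OBJECT"] == "S_DEVELOP" and auth["FIELD"] == "OBJTYPE" \
                and value_matches(auth["LOW"], "DEBUG"):
            for user, rs in roles.items():
                if auth["AGR_NAME"] in rs:
                    findings.append(("CRIT_OBJECT", user,
                                     f"S_DEVELOP OBJTYPE={auth['LOW']} via {auth['AGR_NAME']}"))
    for row in UST04:                                       # SAP standard profiles
        if row["PROFILE"] in FORBIDDEN_PROFILES:
            findings.append(("STD_PROFILE", row["BNAME"], row["PROFILE"]))
    for row in USR02:                                       # standard users must be locked
        if row["BNAME"] in STANDARD_USERS and not row["UFLAG"] & LOCKED_FLAG:
            findings.append(("STD_USER", row["BNAME"], "not locked"))
    for user, tcodes in tcodes_by_user().items():           # critical tcodes and SOD pairs
        for tcode in sorted(tcodes & CRITICAL_TCODES):
            findings.append(("CRIT_TCODE", user, tcode))
        for name, (side_a, side_b) in SOD_RULES.items():
            if tcodes & side_a and tcodes & side_b:
                findings.append(("SOD", user, name))
    for row in AGR_USERS:                                   # naming convention
        if not row["AGR_NAME"].startswith(ROLE_PREFIX):
            findings.append(("NAMING", row["UNAME"], row["AGR_NAME"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in run_checks():
        print(*finding, sep="\t")
```

On the constructed data this reports eight findings: two weak password parameters, JSMITH holding SAP_ALL, debug access through the wildcard in Z_WH_RECEIVING, the F110 payment run, the purchase-order versus goods-receipt conflict, DDIC not being locked and the BATCH_JOBS role outside the naming convention. A real scan would read the same tables through standard transactions or an extract rather than inline dicts, and the rule set would be far longer, but the resolution from user to role to transaction and authorization value is the part that matters.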
All these checks can be done using additional, expensive systems like SAP GRC, CSI AA, etc. When you don’t have such a system available, Nextview can perform these checks for you using the Nextview Pre Audit Scan.
We use standard SAP transactions, system checks and a deep analysis of SAP tables to map the risks we find.
The second step is mitigating your risks.
Once you have an overview of the risks for your company, you need to mitigate the risks.
This can be done by:
Making the necessary changes to your authorization roles, users, parameters or naming convention;
Setting up mitigating controls for your SOD risks. For instance, when you have classified a risk as high but are not able to remove it by changing your authorization roles, you can set up a procedure to periodically check who performed these actions and whether they were performed correctly.
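The periodic check described in the second point can itself be scripted. The following is an added example (not part of the original post and not Nextview's tooling) for the purchase-order versus goods-receipt conflict accepted as a mitigated risk: it assumes an activity log with timestamp, user, transaction code and purchasing document number, which is a constructed format rather than an SAP table layout, and the log lines are constructed sample data. It answers the "who performed these actions" part of the control; judging whether each posting was correct remains a manual review step.

```python
"""Detective control: who executed both sides of an accepted SOD conflict (added example)."""
from collections import defaultdict

# Constructed sample log: (timestamp, user, transaction code, purchasing document).
ACTIVITY_LOG = [
    ("2024-03-01T09:12", "JSMITH", "ME21N", "4500001001"),
    ("2024-03-02T14:05", "AKLEIN", "MIGO",  "4500001001"),
    ("2024-03-03T10:30", "JSMITH", "ME21N", "4500001002"),
    ("2024-03-03T16:45", "JSMITH", "MIGO",  "4500001002"),
    ("2024-03-04T11:00", "AKLEIN", "ME21N", "4500001003"),
]

# The accepted conflict: create purchase order vs. enter goods receipt.
PO_VS_GR = ({"ME21N"}, {"MIGO"})


def review_period(log=ACTIVITY_LOG, conflict=PO_VS_GR):
    """Return (document, user, [timestamps]) where one user executed both sides
    of the conflict on the same document; each entry is one item for the reviewer."""
    by_doc_user = defaultdict(lambda: defaultdict(list))
    for ts, user, tcode, doc in log:
        by_doc_user[doc][user].append((ts, tcode))
    review_items = []
    for doc in sorted(by_doc_user):
        for user, actions in by_doc_user[doc].items():
            tcodes = {tcode for _, tcode in actions}
            if tcodes & conflict[0] and tcodes & conflict[1]:
                review_items.append((doc, user, sorted(ts for ts, _ in actions)))
    return review_items


def reviewed_documents(log=ACTIVITY_LOG):
    """All documents touched in the period, so the reviewer can sign off coverage."""
    return sorted({doc for _, _, _, doc in log})


if __name__ == "__main__":
    print("documents in period:", ", ".join(reviewed_documents()))
    for doc, user, timestamps in review_period():
        print(f"document {doc}: {user} executed both sides at {', '.join(timestamps)}")
```

Documents where the two steps were performed by different users (4500001001 above) produce no review item; document 4500001002, where JSMITH both created the order and entered the goods receipt, does. Keeping the list of all documents in the period alongside the hits lets the reviewer record that the whole period was covered, which is what an auditor will ask for when the control is presented as mitigation.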
Performing these steps will give you insight into your company's risks and how to mitigate them.
As you already know your risks and how they are mitigated, it will make it easier and less time consuming for you to talk to your external auditors!
Do you need more information on this topic or do you want Nextview to perform a Pre Audit at your company? You can contact me at firstname.lastname@example.org
How to get SAP authorizations back in control and no longer fear the audit (nextview, 2018-01-20)