Technical Audit Scoping of an SAP HANA System: The Comprehensive Audit Questionnaire

  • by Kehinde Eseyin, Security Architect
  • May 29, 2015
Review a series of 30 questions to use as a checklist to form the basis for identifying relevant areas of audit concerns for an SAP HANA review. This questionnaire is not exhaustive and is only designed to be used as a starting point to evaluate the audit requirements in a specific SAP HANA landscape.
Learning Objectives

Reading this article, you will learn:

  • Thirty important questions invaluable for clear-cut and precise SAP HANA system audit scoping
  • The technical makeup of a typical SAP HANA system landscape with the intent of identifying possible audit concerns
  • Possible feedback to be expected to validate correctness and quality of responses
Key Concept

An audit questionnaire is a checklist used as the main instrument for performing an audit exercise as it provides detailed information about the range of the activities, items, and the period of records that are relevant to an audit examination.

SAP HANA is SAP’s flagship database system and it is increasingly becoming important to focus on this innovative product as it is more than a database system. The fact that organizations are beginning to focus on the adoption of this in-memory database technology raises questions about whether auditors are equipped with even the baseline knowledge and expertise to perform a comprehensive and in-depth technical review of the SAP HANA system.

The multipurpose use of the SAP HANA system offers an additional layer of complexity to the general scope of a database audit when compared with conventional database systems, such as Oracle and Microsoft SQL Server. The scope of the audit is often a reflection of the amount of possible vulnerabilities that exist within the enterprise application. As organizations move toward acquisition, migration, adoption, and deployment of the SAP HANA database technology, the security requirements of the system need to be integrated into the wider infrastructure security framework of an enterprise and not treated as a silo application.

Other enterprise applications require auditing to ascertain the effectiveness of defined controls, and the SAP HANA database platform is not any different. However, it is important to identify the key areas to focus on to assign appropriate priority to possible vulnerabilities and subsequently define the basis for resource allocation in terms of auditing and remediation.

To perform a comprehensive technical review of the SAP HANA system landscape, it is important to first gain an understanding of the SAP HANA system landscape, including the implemented functionalities, the adopted options, and dependent technologies. This knowledge gap is commonplace with internal auditors who might not be acquainted with the technicalities associated with the SAP HANA system. Unfortunately, they (internal auditors or process owners) represent the first point of call during the initiation of an audit by external auditors and they may be saddled with the responsibility of providing basic information about the SAP HANA landscape.

Therefore, I walk you through a number of questions that help you gain more information about the setup environment and configuration options adopted in an SAP HANA system landscape when planning a system audit. The intent of the article is to provide baseline information about the initial questions to expect during a system review of the SAP HANA infrastructure by external auditors, which will of course drive the audit scope. It provides uncanny insight to auditees as well as auditors alike.

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.