How to Prepare for a Comprehensive System Audit and Technical Review of SAP Access Control 10.0

  • by Kehinde Eseyin, Senior SAP GRC Consultant, Turnkey Consulting Ltd.
  • October 28, 2013
Learn invaluable tricks and tips for overcoming top auditing issues specific to an SAP Access Control 10.0 system.
Learning Objectives

By reading this article you will be able to:

  • Identify the areas of SAP Access Control that can cause concerns during an audit of SAP Access Control
  • Understand the strategies and best practices to prepare for an audit of SAP Access Control
  • Maintain segregation of duties (SoD) rule sets and workflow 


Key Concept

A system audit is an exercise performed to gain assurance that defined controls work as intended, thereby eliminating the likelihood of fraudulent or malicious activities in the enterprise system. It involves the verification of conformance to policies and procedures through close review of objective and empirical evidence. The review of the SAP Access Control 10.0 system is usually performed pre- and post-go-live, as well as on an ongoing basis to ensure continuous compliance. An SAP system audit normally involves checking the controls defined in the system against what is defined in the security policies of an organization.

Over the years, I have been involved with the implementation, audit, and review of SAP Access Control systems. In my experience on these assignments, some functional experts and end users do not give proper attention to specific activities that could expose the SAP Access Control system and connected back-end systems to undue risk. Based on this, I share some important areas that need attention when planning, implementing, and operating SAP Access Control 10.0.

SAP Access Control runs on the standard SAP ABAP framework with an optional SAP Java infrastructure that can be integrated with other SAP and non-SAP systems. Therefore, the conventional audit and technical review applicable to other SAP system landscapes applies to SAP Access Control.

However, in this special report, I focus on the core capabilities of the SAP Access Control system and the areas that can present audit concerns during a system review. I also explore both functional and technical areas that, if not properly managed, can expose SAP Access Control to threats and vulnerabilities.


Kehinde Eseyin

Kehinde Eseyin is a senior SAP security and GRC consultant with Turnkey Consulting (UK) Limited. He has more than eight years of SAP authorizations, GRC, and Basis experience. In the past, he has managed teams to coordinate security, GRC, and Basis administration activities within a multinational environment and operated as an independent consultant, performing SAP system audits and SAP GRC Access Control implementations. He holds a bachelor’s degree in computer science. He has different certifications, including SAP Access Control 10.0 Consultant; SAP Technical Consultant (SAP NetWeaver on Oracle); SAP Solution Manager Operations Consultant; SAP Support Engineer – SAP Solutions Manager; SAP Business One Consultant; Oracle Database Administration Professional (OCP DBA); ITIL v3; and PRINCE2. He is the co-author of SAP BusinessObjects Access Control 10.0 Application Associate Certification [Review Questions and Answers].
