How to Prepare for a Comprehensive System Audit and Technical Review of SAP Access Control 10.0
- by Kehinde Eseyin, Senior SAP GRC Consultant, Turnkey Consulting Ltd.
- October 28, 2013
Learn invaluable tricks and tips for overcoming top auditing issues specific to an SAP Access Control 10.0 system.
By reading this article you will be able to:
- Identify the areas of SAP Access Control that can cause concerns during an audit
- Understand the strategies and best practices to prepare for an audit of SAP Access Control
- Maintain segregation of duties (SoD) rule sets and workflow
A system audit is an exercise performed to gain assurance that defined controls work as intended, thereby eliminating the likelihood of fraudulent or malicious activities in the enterprise system. It involves verifying conformance to policies and procedures through close review of objective, empirical evidence. The review of the SAP Access Control 10.0 system is usually performed pre- and post-go-live, as well as on an ongoing basis to ensure continuous compliance. An SAP system audit normally involves checking the controls defined in the system against what is defined in the security policies of an organization.
Over the years, I have been involved with the implementation, audit, and review of SAP Access Control systems. In my experience on these assignments, some functional experts and end users do not give proper attention to specific activities that could expose the SAP Access Control system and connected back-end systems to undue risk. Based on this, I share some important areas that need attention when planning, implementing, and operating SAP Access Control 10.0.
SAP Access Control runs on the standard SAP ABAP framework with an optional SAP Java infrastructure that can be integrated with other SAP and non-SAP systems. Therefore, the conventional audit and technical review applicable to other SAP system landscapes applies to SAP Access Control.
However, in this special report, I focus on the core capabilities of the SAP Access Control system and the areas that can present audit concerns during a system review. I also explore both functional and technical areas that, if not properly managed, can expose SAP Access Control to threats and vulnerabilities.