How to Prepare for a Comprehensive System Audit and Technical Review of SAP Access Control 10.0

  • by Kehinde Eseyin, Security Architect
  • October 28, 2013
Learn invaluable tricks and tips for overcoming top auditing issues specific to an SAP Access Control 10.0 system.
Learning Objectives

By reading this article you will be able to:

  • Identify the areas of SAP Access Control that typically raise concerns during an audit of the system
  • Understand the strategies and best practices for preparing for an audit of SAP Access Control
  • Maintain segregation of duties (SoD) rule sets and workflow configuration so that they remain auditable


Key Concept

A system audit is an exercise performed to gain assurance that defined controls work as intended, thereby reducing the likelihood of fraudulent or malicious activity in the enterprise system. It involves verifying conformance to policies and procedures through careful review of objective and empirical evidence. A review of the SAP Access Control 10.0 system is usually performed before and after go-live, as well as on an ongoing basis to ensure continuous compliance. An SAP system audit normally involves checking the controls configured in the system against what the organization's security policies require.

Over the years, I have been involved with the implementation, audit, and review of SAP Access Control systems. In my experience on these assignments, some functional experts and end users do not give proper attention to specific activities that could expose the SAP Access Control system, and the back-end systems connected to it, to undue risk. Drawing on that experience, I share some important areas that need attention when planning, implementing, and operating SAP Access Control 10.0.

SAP Access Control runs on the standard SAP ABAP application server, with an optional SAP Java stack, and it integrates with other SAP and non-SAP systems. The conventional audit and technical review applied to any other SAP system landscape (operating system, database, and application-server controls, user and authorization management, transport and change management) therefore applies to SAP Access Control as well.

In this special report, however, I focus on the core capabilities of the SAP Access Control system and the areas that can present audit concerns during a system review. I also explore both functional and technical areas that, if not properly managed, can expose SAP Access Control to threats and vulnerabilities.


Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.


