Embed Compliance Checks in an SAP Implementation

  • by Hussain Ahmed, GRC and SAP Security and Authorizations Consultant, Tata Technologies Ltd.
  • July 8, 2013
See how a UK automotive industry leader defined an approach to compliance that minimizes disruption to businesses that have implemented an SAP application. The approach has teams go through compliance checks at the project phase rather than waiting to solve these issues post go-live. Learn how to:

  • Ensure risk violations found in roles and on users are kept to a minimum
  • Define controls to mitigate risk violations after remediation has been completed
  • Ensure this approach is taken on board at each stage of an SAP implementation and continued once the implementation has gone live

The term compliance checks in the context of this article refers to the embedding of SAP access controls (e.g., roles and user assignments) and controls in general into an SAP implementation. More specifically, compliance checks involve the use of SAP Access Control access risk analysis to ensure roles and user assignments contain as little risk as possible both during an implementation and beyond go-live. They also cover the creation and application of controls to ensure that, where risks cannot be remediated, valid and effective controls exist for them.


In this case study, I explain how an automotive company used SAP Access Control checks to ensure that an SAP implementation has compliance built into every stage of the project life cycle — from conception to go-live and beyond. This particular case study is useful both to projects in which an SAP application is being implemented for the first time and also for ongoing upgrades.

The access risk analysis component of SAP Access Control was the key tool that was used to keep track of the risks in SAP roles and user assignments. In addition, my team used the internal audit team’s risk and controls matrix to link mitigating controls to access risks, as well as ensure that there was a controls focus in the overall design of each implementation.

Hussain Ahmed

Hussain Ahmed is a GRC and SAP security and authorizations consultant with experience in implementing SAP Access Control as well as SAP security and authorizations. He has experience working in industries as diverse as local government, automotive, and petro-chemical.
