Red Commerce - SAP Experts Delivered

How do we audit our SAP system ?

Posted by: Omar Sharif, 23 Jun 10 - 5:09PM
I am still surprised by the way audits of SAP systems are carried out.

The likes of the ACE report: hundreds of pages of transactions, objects and field values dumped into the laps of Internal Audit and the SAP Security Team. OK, now what?
Key Control Values (KCV): searching for specific settings and values within SAP…

What is the point of this?

Critical transaction lists: nobody should have this access…?
Segregation of Duties: violations must be removed…?

Various tools, from SAP and from other parties, have been developed to reduce the level of risk in the business. Sometimes we need to step back and understand what we are trying to achieve. Most clients raise the same questions about all of the above.

What is the basis of the above?
Is this actually resolving anything?

I have witnessed at first hand cases where the implementation of tools designed to reduce risk has done quite the opposite. This situation occurs when Internal Audit pushes through an external remit without having the power to make changes to business processes.

The SAP Security team are not the decision makers; they are often just following instructions from the business to grant access to individuals so that they can perform their daily activities.

A new approach is required, one that can demonstrate the risk level of each component of the business process. Against each risk level, a pre-determined set of options should be agreed, as actions and responsibilities for process owners.

SAP audits must move away from technical inspection and towards business process inspection.

Julian, do you want to get me blacklisted from SAP? Compensating controls are not being incorporated into GRC for many reasons. One of the key reasons is lack of feasibility, cost and ability to standardise for the mass market. We are now talking about a very niche level of knowledge that, perhaps, SAP themselves do not understand. PC, lol, Julian, does Internal Audit have an understanding of every business process, its usage and risk? Absolutely not, so how will they make use of PC? Are they relying on the Security Team? Lol. Software has its limits; the most important thing is having good people who understand the business, and are willing to take responsibility for their actions.
Posted by: Omar Sharif, Date 04 August 2010, 07:25AM
Hi Omar, what about compensating controls and PC? Do you think it's going to help?
Posted by: Julian, Date 03 August 2010, 07:24AM
Omar, what a response! You need to lead SAP Audits.
Posted by: Peter Newsham, Date 29 June 2010, 01:50PM
Thanks for the feedback. I want to bring a ‘common sense’ approach to SAP Audit: a new method that brings ‘real life’ improvements to a business, through clarity and transparency. Business Process Owners, Internal Audit and SAP Security must all have a common understanding, so that risks are agreed upon, and decisions to manage them can be implemented with greater efficiency. SOD tools are only as good as the data that is put into them (GIGO); on their own they offer no benefit at all. The ruleset must relate to each and every business process; the concept of one size fits all never has, and never will, work, for numerous reasons which I am not inclined to discuss here. In some cases, they can place a heavy burden on the business, affecting business efficiency, creativity and intrapreneurship for little or no improvement in business risk. Current methods used by many of the famous auditing firms are proving unpopular with clients, as the logic within the remit has many flaws. This lack of support for what is being offered is a major reason why SOD projects fail. Critical transaction code lists, Key Control Values and, my personal hate, ‘Quick Wins’ highlight the embarrassing proposals that are made by some consultancy firms. There are of course many specialists that have their own bespoke functionality to offer; this technical view often misses the entire purpose of what is to be achieved, by seeking a technical solution at the expense of understanding business processes. My proposal is a three-way partnership between Internal Audit, Business Process Owner and SAP Security. All three parties must understand the common goal, and be able to work with each other to reduce the level of business risk.

Step 1. Map out the business process with the business process owner. This will include sign-off from the business process owner; the process must display every stage, the type of user and the users who are involved in it, transaction codes, flow of data into and out of third-party systems, assessment of where risks exist, and the level of risk.

Step 2. The transaction codes must be analysed to a granular level; this will include an assessment of whether the transaction is fit for purpose. Is too much access being granted for a particular task?

From these 2 steps, a clear picture can be attained of potential risk within a business process, and discussions can begin on how to improve the situation. This is not just remediation, mitigation and SOD, but how to monitor the risk areas without having to spoil good internal business practices, lose tacit knowledge, or create disruption by parties who do not understand the business.
Posted by: Omar Sharif, Date 28 June 2010, 04:35PM
I have been at the end of the gun barrel, so I know that in practice there are many difficulties in satisfying Audit requirements unless the Business is educated to understand how to manage their SAP S&A requirements, because the S&A forms the basis of Audit! Businesses do not always work with internal audit effectively to allow the process to work for the parties concerned.
Posted by: Walter Odida, Date 24 June 2010, 04:57PM
Hi Omar, the BIG 4 do not have a clue when it comes to SAP Audit. Show them what they need to do.
Posted by: Harby, Date 24 June 2010, 03:51PM
This is a niche market that requires a great depth of understanding, not just from a technical perspective. In practice, how will risks be assessed, remediated and controlled? Sounds like a new business idea.
Posted by: Sam Iheme, Date 24 June 2010, 03:36PM
This subject is over-complex; you are right, a new approach is needed. What is SAP Mafia?
Posted by: Mohammad Karim, Date 24 June 2010, 03:49PM
Omar, I have been in this business for decades; when it comes to IT Audit, most do not have a clue. When it comes to SAP, you are the only person who understands SOX compliance and can explain it. I agree with you 100%.
Posted by: Peter Newsham, Date 24 June 2010, 03:41PM
Hi Omar, you are absolutely right. Internal Audit do not understand the ramifications of the remit, and do not have the confidence to challenge external audit. This is why the security team are lumbered with an impossible task. You are the Mafia; push forward your proposals. Regards, Julian
Posted by: Julian, Date 24 June 2010, 10:35AM