8 Areas to Include in SAP Access Control Testing

February 25, 2019

Information Technology General Controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure. The objective of ITGCs is to ensure the integrity of the data and processes the systems support.

Your SAP ERP landscape spans all four ITGC layers: IT infrastructure, databases, operating systems, and the application layer. Access control tests, the central focus of this post, target the application layer of your SAP applications. In a recent post, we discussed the importance of security health checks in monitoring SAP access, and today we want to continue the access security conversation by examining the importance of ITGC Access Controls testing in an SAP environment.

What Is SAP Access Control Testing?

Let’s start with the basics. Within the SAP Application Layer, there are specific ITGC Access Controls that every organization needs to test, monitor, remediate, and approve. ITGC Access Controls test sensitive IT access within SAP applications in both production and development environments. These control tests document the specific areas, transactions, authorizations, and field values that permit certain types of critical IT access to the environments.

SAP IT access provides powerful entry to all modules of the SAP application. Inappropriate usage of that access can undermine other financial controls and lead to your auditors issuing significant deficiencies or control weaknesses.

What Should You Test?

There are eight areas that should be tested. If your organization has access to a GRC tool (such as SAP GRC, Control Panel, ERP Maestro), you can leverage reusable semi-automated Sensitive Access tests. 

If your organization doesn’t have a GRC tool, SAP provides reporting transactions such as SUIM (User Information System). But be cautious: inaccurate SUIM queries can produce false positives or incorrect results. Other tools may also be necessary, such as SE16N (General Table Display) or SQVI (QuickViewer).

  • User Administration → Create/modify/delete/lock/reset passwords/assign roles
  • Role Administration → Create/modify/delete/assign roles, profiles, & authorizations
  • ABAP Development & Program Execution → Execute/debug reports or programs or modify the data dictionary
  • Transport Administration → Import transports to production or modify the transport organizer
  • Table Maintenance → Modify table entries
  • Batch Job Administration → Administer/schedule/release/delete batch jobs
  • Operating System & Basis Sensitive Access → Execute/modify external OS commands
  • Configuration Access → Modify configuration/customizing
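One way to make these eight tests repeatable without a GRC tool is to export the user-to-role-to-authorization values once (from SUIM, or from the AGR_USERS and AGR_1251 tables via SE16N) and evaluate them against a written rule set, instead of re-typing SUIM selections each cycle. The script below is an added example, not code from the original post or from any GRC product. The export rows are constructed, and the authorization objects, fields and activity codes in the rule set (S_USER_GRP, S_USER_AGR, S_DEVELOP, S_TRANSPRT, S_TABU_DIS, S_BTCH_ADM, S_LOG_COM, S_TABU_CLI, and the SU01/PFCG transaction codes) are assumptions drawn from general SAP knowledge rather than from the post; confirm them against your own system's authorization concept before relying on the results.

```python
"""Evaluate a flat SAP authorization export against the eight sensitive-access areas.

Added example, not from the original post. Each export row is
(user, role, authorization object, field, value), the shape one gets from
SUIM or from AGR_USERS joined to AGR_1251 via SE16N. Object names, fields and
activity codes in the rule set are assumptions from general SAP knowledge.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample export: (user, role, object, field, value).
SAMPLE_EXPORT = [
    # Basis administrator with broad user, role, transport and batch rights.
    ("BASIS01", "Z_BASIS_ADMIN", "S_USER_GRP", "ACTVT", "*"),
    ("BASIS01", "Z_BASIS_ADMIN", "S_USER_GRP", "CLASS", "*"),
    ("BASIS01", "Z_BASIS_ADMIN", "S_USER_AGR", "ACTVT", "02"),
    ("BASIS01", "Z_BASIS_ADMIN", "S_TRANSPRT", "ACTVT", "60"),
    ("BASIS01", "Z_BASIS_ADMIN", "S_BTCH_ADM", "BTCADMIN", "Y"),
    # Developer able to debug with change (replace) in this system.
    ("DEV02", "Z_DEVELOPER", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    ("DEV02", "Z_DEVELOPER", "S_DEVELOP", "ACTVT", "02"),
    # Auditor: display-only. Has transaction SU01 but no change activity,
    # so a correct test must not flag this user.
    ("AUDIT03", "Z_AUDITOR", "S_USER_GRP", "ACTVT", "03"),
    ("AUDIT03", "Z_AUDITOR", "S_TABU_DIS", "ACTVT", "03"),
    ("AUDIT03", "Z_AUDITOR", "S_TCODE", "TCD", "SU01"),
    # Functional user with change access to tables.
    ("FUNC04", "Z_CONFIG", "S_TABU_DIS", "ACTVT", "02"),
]

# Rule set (assumed object/field/value mappings): area -> (object, {field: sensitive values}).
# A rule's "*" means any value for that field is of interest.
SENSITIVE_AREAS = {
    "User Administration": ("S_USER_GRP", {"ACTVT": {"01", "02", "05", "06", "22"}}),
    "Role Administration": ("S_USER_AGR", {"ACTVT": {"01", "02", "06", "22"}}),
    "ABAP Development & Program Execution": (
        "S_DEVELOP", {"OBJTYPE": {"DEBUG", "PROG"}, "ACTVT": {"01", "02"}}),
    "Transport Administration": ("S_TRANSPRT", {"ACTVT": {"60"}}),
    "Table Maintenance": ("S_TABU_DIS", {"ACTVT": {"02"}}),
    "Batch Job Administration": ("S_BTCH_ADM", {"BTCADMIN": {"Y"}}),
    "Operating System & Basis Sensitive Access": ("S_LOG_COM", {"COMMAND": {"*"}}),
    "Configuration Access": ("S_TABU_CLI", {"CLIIDMAINT": {"X"}}),
}


def value_hits(exported, sensitive):
    """True when an exported field value grants the sensitive value.
    SAP treats '*' in an authorization value as a wildcard, so an exported
    '*' grants everything; this is the classic source of false negatives
    when a query only looks for literal activity codes."""
    return sensitive == "*" or fnmatchcase(sensitive, exported)


def evaluate(rows, rules=SENSITIVE_AREAS):
    """Return {user: {area: sorted roles}} for every sensitive-access hit.

    Values are grouped per (user, role, object) because the flat export loses
    which authorization instance a value came from. A role is flagged for an
    area only when every field the rule names carries a sensitive value, so a
    display-only (ACTVT 03) grant is not reported."""
    grants = defaultdict(lambda: defaultdict(set))
    for user, role, obj, field, value in rows:
        grants[(user, role, obj)][field].add(value)

    findings = defaultdict(lambda: defaultdict(set))
    for (user, role, obj), fields in grants.items():
        for area, (rule_obj, rule_fields) in rules.items():
            if obj != rule_obj:
                continue
            if all(any(value_hits(v, s) for v in fields.get(f, ()) for s in sens)
                   for f, sens in rule_fields.items()):
                findings[user][area].add(role)
    return {u: {a: sorted(r) for a, r in areas.items()} for u, areas in findings.items()}


def users_by_area(findings):
    """Invert the findings into {area: sorted users} for the test workpaper."""
    by_area = defaultdict(set)
    for user, areas in findings.items():
        for area in areas:
            by_area[area].add(user)
    return {a: sorted(u) for a, u in by_area.items()}


def naive_tcode_check(rows, tcodes=frozenset({"SU01", "PFCG"})):
    """The query style that causes false positives: flag anyone who can start a
    sensitive transaction, ignoring what activities they actually hold."""
    return sorted({u for u, _, obj, field, v in rows
                   if obj == "S_TCODE" and field == "TCD" and v in tcodes})


if __name__ == "__main__":
    for user, areas in sorted(evaluate(SAMPLE_EXPORT).items()):
        for area, roles in sorted(areas.items()):
            print(f"{user:8} {area:42} via {', '.join(roles)}")
    print("naive transaction-only check flags:", naive_tcode_check(SAMPLE_EXPORT))
```

Running it flags BASIS01, DEV02 and FUNC04 in their respective areas and leaves AUDIT03 out, while the transaction-only check flags AUDIT03: the same false positive the post warns about when SUIM selections look at transaction codes rather than activity values.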

The Importance of SAP Access Control Testing

The power SAP IT access gives users makes ITGC access control testing critical to the security of your SAP system and the data that runs through it. With that access, users can gain entry into every feature of an SAP application, which could weaken other controls and result in audit findings you don’t want. Regular access control testing in the key areas examined here can help your organization manage this access effectively and protect the integrity of the data and processes your SAP system supports.   
