Preventative ongoing maintenance and monitoring of your users’ SAP security access is critical to avoiding significant deficiencies or control weaknesses. A governance, risk, and compliance (GRC) tool (such as SAP GRC, Control Panel, ComplianceNow, ERP Maestro) is a great start, but there is more to monitor! System parameters and client settings are also part of your audit but are outside the monitoring scope of most GRC applications.
Regular security health checks are key to (1) identifying these access issues before they spiral out of control, (2) mitigating the risk from control deficiencies, and (3) ensuring your security administrators are following best practices. In an SAP environment, security health checks are periodic assessments of key application-layer ITGC controls related to user access. They should cover sensitive access monitoring, general access monitoring, and mitigating control assignment, as well as any other ITGC controls your external auditor may assess.
What Should an SAP Security Health Check Monitor?
GRC Access Deviations
If you have a GRC application, you likely have a control policy that states all user access rights originate from the tool and follow an approval process. A health check ensures that any deviation from this policy is identified, investigated, and documented before your auditors discover it. For example:
- User Creation: Users created outside of your GRC application
- Role Assignment: Roles assigned outside of your GRC application
- Profile Assignment: Profiles assigned outside of your GRC application
- Unmitigated Users: Users whose mitigating controls are missing or expired
- ITGC Sensitive Access: Review users with sensitive access (tests for this access should correspond to your external auditor’s annual tests)
System and Client Monitoring
There are limitations to what controls a GRC tool can monitor. Health checks help your organization close that gap. Any change should be well documented, reviewed, and executed according to your change management process. These include:
- System parameters: Ensure key system parameters have not been changed
- Client Settings: Ensure key client settings are in place
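The reconciliation behind the GRC access-deviation checks above and the parameter check in this section, as an added example (not Focal Point's tooling or any GRC product's code): role assignments and profile parameters are compared against GRC approvals and a documented baseline. All records, the `GRC_RFC` service user, the role names and the mitigation dates are constructed sample data; only the two `login/*` parameter names are real SAP profile parameters.

```python
from datetime import date

# All records below are constructed sample data for this example.
# Role assignments observed in the SAP system (user, role, who assigned it, when).
ROLE_ASSIGNMENTS = [
    {"user": "JSMITH", "role": "Z_AP_CLERK", "changed_by": "GRC_RFC", "on": date(2023, 3, 1)},
    {"user": "MLEE", "role": "Z_FI_POST", "changed_by": "GRC_RFC", "on": date(2023, 3, 2)},
    {"user": "MLEE", "role": "Z_ALL_ACCESS", "changed_by": "BASISADM", "on": date(2023, 3, 5)},
    {"user": "TNGUYEN", "role": "Z_HR_VIEW", "changed_by": "BASISADM", "on": date(2023, 3, 6)},
]
# Approved (user, role) pairs exported from the GRC tool's access requests.
GRC_APPROVALS = {("JSMITH", "Z_AP_CLERK"), ("MLEE", "Z_FI_POST"), ("TNGUYEN", "Z_HR_VIEW")}
# Roles in the auditor's sensitive-access test set, and mitigating-control expiry per user.
SENSITIVE_ROLES = {"Z_ALL_ACCESS", "Z_FI_POST"}
MITIGATIONS = {"MLEE": date(2023, 1, 31)}
# Documented baseline for key profile parameters versus what the system reports now.
PARAM_BASELINE = {"login/min_password_lng": "12", "login/no_automatic_user_sapstar": "1"}
PARAM_CURRENT = {"login/min_password_lng": "6", "login/no_automatic_user_sapstar": "1"}
GRC_SERVICE_USER = "GRC_RFC"   # hypothetical technical user the GRC tool assigns through
AS_OF = date(2023, 3, 31)      # date the health check is run


def unapproved_assignments(assignments, approvals, grc_user=GRC_SERVICE_USER):
    """Assignments made outside the GRC tool or lacking an approved request."""
    return sorted(
        (a["user"], a["role"]) for a in assignments
        if a["changed_by"] != grc_user or (a["user"], a["role"]) not in approvals
    )


def unmitigated_sensitive_users(assignments, sensitive, mitigations, today):
    """Users holding a sensitive role whose mitigating control is missing or expired."""
    flagged = set()
    for a in assignments:
        if a["role"] in sensitive:
            expiry = mitigations.get(a["user"])
            if expiry is None or expiry < today:
                flagged.add(a["user"])
    return sorted(flagged)


def parameter_drift(baseline, current):
    """Parameters whose live value differs from the baseline: name -> (expected, actual)."""
    return {p: (exp, current.get(p)) for p, exp in baseline.items() if current.get(p) != exp}


def run_health_check(today=AS_OF):
    """Prioritised findings for the deviation and parameter checks described above."""
    return {
        "unapproved_assignments": unapproved_assignments(ROLE_ASSIGNMENTS, GRC_APPROVALS),
        "unmitigated_users": unmitigated_sensitive_users(ROLE_ASSIGNMENTS, SENSITIVE_ROLES, MITIGATIONS, today),
        "parameter_drift": parameter_drift(PARAM_BASELINE, PARAM_CURRENT),
    }
```

Note that TNGUYEN is flagged even though an approval exists, because the assignment was made by an administrator directly rather than through the tool, which is exactly the policy deviation a health check must document.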
Industry Best Practices
Health checks assess whether your security administrators are following industry best practices. While best practices are not audit related, your organization will maintain efficiency and lower control costs by following them. Irregularities should be identified and remedied. This review should include:
- User Group Assignment: All user IDs should be assigned to appropriate user groups. This data point facilitates researching users efficiently and accurately.
- Manual or Changed Authorizations: Manual and changed authorizations can introduce risk and inefficiency into SAP security roles. Manual authorizations should be kept to a minimum and be well documented. Changed authorizations should not exist on any end-user facing role in the system.
- License Assignment: Active management of each user ID’s assigned license is critical to controlling licensing costs and understanding licensing distribution.
What Should an SAP Security Health Check Deliver?
An SAP security health check should be well documented and provide your organization with a prioritized list of issues and the actions that should be taken to remediate them. For example:
Getting Started with your SAP Security Health Check
Health checks should be a routine part of your SAP security monitoring efforts. When performed frequently and consistently, they provide critical insights into your SAP access security. Focal Point specializes in helping companies improve their SAP security through a wide range of SAP-specific services, including security health checks. To learn more about our services, contact one of our SAP security specialists.