SAP Security Audit
The main building block of SAP security is user access to the SAP system, together with the transactions a user can execute to perform specific functions. Transaction access is granted through SAP roles, which provide the access required in the system. Typically, when a company implements SAP, it identifies the number of people in the company, groups their tasks into jobs, and then builds roles based on those job functions.
SAP Security Audit for user approval process
One of the primary aspects examined in an audit of the SAP system is the approval process for adding users to the system and for changing user access. This process may be automated or manual, but the external audit team will want to walk through it and confirm that proper approvals were obtained before the user was created in the system.
SAP Security Audit for qualifying the users:
In this process the audit team looks for any training requirements that must be met before users get access to the system. This could be professional training or training credited on the basis of previous professional experience. A key aspect they look at is how training completion is documented and verified.
SAP Security Audit for Removing the Users from the system:
Here the SAP security audit wants to see a process in place for removing or locking users because of inactivity, leaving the company, or access no longer being required. For inactivity, companies will have a policy to lock a user who has not used the system for a certain number of days. This could range from 60 days to 180 days. The audit team wants to see what happens when this threshold is met and whether the process is followed consistently. The process could be to just lock the user, or to delete the user completely from the system, and to document the approvals for the change. The other aspect of user removal is a user leaving the company or moving to a different job within the company that does not require SAP access. The audit team will identify users who have been removed from the HR system or moved to a different position or location, and then look for the corresponding change in the SAP system. Typically the audit team will examine whether the change happened and how it was authorized.
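The two checks described above (unlocked accounts past the inactivity threshold, and HR leavers whose SAP account is still unlocked) can be run as a reconciliation over two exports. This is an added example, not part of the original article; the CSV column names, the sample rows, and the 90-day default are constructed assumptions, not an SAP export format.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports (assumed column names, not an SAP format).
SAP_USERS_CSV = """user,last_logon,locked
ASMITH,2024-05-20,no
BJONES,2023-11-02,no
CLEE,2023-09-15,yes
DKHAN,2024-05-28,no
EROSSI,,no
"""

HR_LEAVERS_CSV = """user,termination_date
DKHAN,2024-04-30
CLEE,2023-10-01
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _day(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None

def audit_exceptions(sap_csv, hr_csv, as_of, inactivity_days=90):
    """Return (inactive_unlocked, leavers_still_unlocked) as sorted user lists."""
    leavers = {r["user"]: _day(r["termination_date"]) for r in _rows(hr_csv)}
    inactive, active_leavers = [], []
    for row in _rows(sap_csv):
        if row["locked"] == "yes":
            continue  # already locked: the control operated for this account
        user, last = row["user"], _day(row["last_logon"])
        # A user who never logged on is treated as inactive (assumption).
        if last is None or (as_of - last).days > inactivity_days:
            inactive.append(user)
        # Termination date has passed but the account is still unlocked.
        if user in leavers and leavers[user] <= as_of:
            active_leavers.append(user)
    return sorted(inactive), sorted(active_leavers)

if __name__ == "__main__":
    inactive, leavers = audit_exceptions(SAP_USERS_CSV, HR_LEAVERS_CSV, date(2024, 6, 1))
    print("Unlocked past inactivity threshold:", inactive)
    print("HR leavers still unlocked in SAP:", leavers)
```

Each user returned is an exception to follow up: the auditor would ask for the documented approval or the reason the lock or removal did not take place.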
SAP User Validation Process:
With this process the audit team wants to see how often users are validated and their access confirmed as still required in the SAP system. The SAP security audit process requires regular intervals at which user access is reviewed by a supervisor or process owner to confirm that the access provisioned is appropriate and still valid. The review frequency could range from quarterly to yearly, depending on company policy.