SAP security audit
The most important building block of SAP Security is user access to the sap system of transactions to perform specific functions of the system. Transaction access is acquired from the SAP role that provides the required access in the system. When a company implements SAP, they will typically try to identify the number of people in the company and group their jobs into Jobs. Then build their role based on their job functions.
SAP Security Audit for user authentication process
One of the primary aspects that was examined when revising the SAP system is the authentication process to add users to the system and also authentication to change the user access in the system. This process can be automated or manual. However, the external audit team wants to go through the process and confirm that proper authentication was obtained before the user was created in the system.
SAP Security Audit to Qualify Users:
In this process, the audit team will look for any training requirements before users access the system. This training may be professional training or training due to previous work experience. One of the most important aspects they look for is how is the training completion documented and verified.
SAP Security Audit to remove users from the system:
Here, the sap security audit process wants to see a process in place to remove or lock users from the system due to inactivity, leaving the company or access not required. For inactivity, companies have a policy in place to lock the user in if they do not use the system for a set number of days. This can range from 60 days to 180 days. The audit team wants to see what happens when this threshold is met and whether the process is followed consistently. The process may be just locking the user or deleting the user completely from the system and documenting the approvals for the change. The other aspect of user removal is leaving the company or moving to another job within the company that does not require SAP Access. The audit team identifies the users who have been removed from the HR system or moved to another position or location and tries to identify the change that occurred in the SAP System. Typically, the audit team will investigate if the change occurred and how was this change approved.
SAP authentication process:
With this process, the audit team wants to see how often users are validated and confirmed that their access is still required in the SAP system. The SAP Security audit process requires regular review of user access by a supervisor or process owner to verify that the access granted is appropriate and still valid. This review process may vary from quarterly or yearly based on company policies.