The Challenge
Audit program for auditors and risk professionals to assess internal controls over SAP R/3 security (Basis Component of the SAP R/3). SAP Basis deals with the technical layers of the SAP landscape and is tasked with keeping it all healthy, including SAP enterprise cloud, database and applications. Basis administrators install updates and monitor systems for errors. They’re constantly tweaking elements of your SAP landscape so they can be faster and more reliable.
Many industries today need to adhere to stringent audit and compliance rules to prove they’re following established guidelines and laws. Think GxP for pharmaceuticals or SOX for financial data, for example. Gathering the necessary information is often a tedious process that interferes with your software development, slowing other work to a crawl as team members struggle to pull together the necessary information manually from disparate documents, email threads, shared folders, and so on.
Modern enterprises and their SAP teams need a more efficient and less error-prone way to fulfill these compliance and regulation obligations, so they can focus on the activities that generate higher business value for the company.
OUR SOLUTION
Automate SAP Assessment & Audit Processes to Save Time and Ensure Compliance
Our automation software lets you swap opaque SAP workflows for high-visibility automated processes, providing a centralized, fully auditable ‘single source of truth’ for all information on SAP change. With our technology, audit and compliance reporting stops being a time-consuming manual process that distracts team members from delivery of value and innovation. Automatic change tracking and report generation remove the need to locate old spreadsheets, email chains, lost attachments and misplaced test results when you’re asked to deliver the necessary documentation.
Reduce Risk
Reduce production failures by 70% and lower the risk of business disruption
Lower Costs
Cut the cost of SAP change by more than half
Improve Efficiency
Automate 95% of manual tasks to save time and lower risk
Automatically Track and Report on
System Changes
Our automation technology tracks your changes to SAP, recording associated information in a central location so that SAP teams can easily support audit and compliance requirements. Automatically generate reports to eliminate human error from both data collection and documentation.
Total Transparency
Create a full audit history of any change for total transparency into who did what, when. Data includes the results of automated checks, outcome of quality controls, and a complete record of approvals.
Complete Test Library
Maintain a comprehensive record of all automated SAP regression tests, including any screenshots taken during the process and a full record of all results.
Comprehensive Reporting
Leverage a wide range of pre-configured reporting options that support most global audit and compliance requirements, reducing manual effort and associated human errors.
Our Products
Free Up Resources While Maintaining Audit Integrity and Control
ActiveControl implements standard checks and quality controls during development and delivery of SAP change, the results of which are recorded automatically. These results are accessible through simple reports which can be generated to meet audit and compliance requirements.
Free Up Resources While Maintaining Audit Integrity and Control
Testimony uses next-generation automation to perform regression tests whenever needed. It maintains a complete record of what has been tested and the associated outcomes, making audit reporting and regulatory compliance far simpler than with traditional test tools and methods.
Modernize the way you run SAP with fully automated change and release and a revolutionary approach to testing. Accelerate innovation with agile, DevOps and Continuous Delivery.
Streamline Your SAP Audit and Compliance Reporting
Request a demo to see how our automation platform can streamline your SAP audit tracking and compliance reporting.
SAPAudit - Basis Application Infrastructure - Risk and Control Matrix forSAP R/3
Thisrisk and control matrix has been designed to help audit, ITrisk, compliance and security professionals facilitate thereviewof the Basis ApplicationInfrastructure component in SAP R/3. Abrief overview and description of some of the key features ofthis audit program for SAP R/3:- Contains detailedtesting procedures rather than genericdescription of the controls & the tests to be performed. You'llhave step-by-stepguidance on extracting configurable options (systemparameters), useraccess listings and other reports from the system and testing SAP R/3application security controls
- Contains IT general controls (ITGC) process risks/relatedcontrolobjectives for the key ITGC processes: operations,security, change management
- Can be used to ascertain compliance with the Section 404 oftheSarbanes-Oxley Act(SOX)
- Can be used to help identify inherent risksrelated toSAP ERPsecurity, minimize exposure to such risks, ensure that key controls arein place & operate effectively, and ascertain reliability ofthe SAP R/3 Basis application infrastructure component.
Referbelow for thetable of contents. Also, view an excerptfromthe audit program to ensureit's right for you. Audit Programs
Tableof Contents:Thisaudit program for SAP contains 46tests.The control framework has been specifically designed to help evaluatethe adequacy andthe effectiveness of the key configuration settings andaccessrestriction mechanisms to a variety of sensitive basis transactionsin SAP R/3, including:
SAP auditplan and testing guidelines to assessbatch job andbackground session processing and administration functions in SAP R/3:
- Batch scheduling and batch processing authorizations in SAPR/3
- Ability to delete jobs of other users
- Ability to administer background sessions in SAP R/3
- Ability to schedule jobs under different user IDs
- Access to the batch input management functionality in SAPR/3
- Monitoring procedures to identify processing errors and/orissues & much more.
Guidance on auditingend-userauthorization andadministration functionsin SAP R/3
:- Access to maintain roles, authorizations and authorizationprofiles
- Access to maintain the assignment of the authorizationobjects totransactions
- User master record maintenance in SAP R/3
- Access to assign roles or profiles to users
- Controls to ensure access to the SAP R/3 system isauthorized by management
- Controls to ensure access to the SAP R/3 isdisabled foremployees who no longer require such access, etc.
Guidance on auditingsafeguardsagainst unauthorizedaccess to or modifications of programs and data:
- Access to edit and execute programs online and inthe background
- Access to modify table content inSAP R/3,including critical systems tables or security tables andclient-independent tables
- Access to maintain SAP R/3 DataDictionary
- Security of the custom tables, custom programs, and customtransactions, etc.
Guidance on auditingimplementationand administrationof the system configuration &security settings:
- Access to maintain/configure application server parameters
- User access to maintain instances
- Configuration of the SAP R/3 password parameters
- Security of the vendor supplied user IDs
- Access restriction to the powerful SAP R/3 profiles
- Locking critical and sensitive transaction codes
- Security of the remote access to/from the system, includinginterface communications, etc.
SAP audit guidance on auditingchangemanagement andcontrol:
- System configuration to enforce appropriate changemanagement process to prevent changes made directly inproduction
- Ensuring that SAP R/3 system landscapesupports separation of production environment from developmentenvironment
- Access policies over transports
- Security of the developer keys
- Controls to ensure that access to develop programs is notallocated in production and more.
Everythinghas been conveniently pre-documentedwith fill-in fieldsfor company-specific information (entity name, date, data extractedfrom the system, etc.) which willallow you to proceed with your assessment immediately.
Sap Basis Audit Report
Please view an excerptfromthe audit program to ensureit's right for you.