What Is the Business Value of Implementing SAP Audit Compliance Solutions?

Companies make a huge investment when they implement an SAP system to automate their business processes. Their main goal is to gain substantial benefits such as improved visibility, operational excellence, increased productivity, standardized business processes, audit compliance, and compliance with the rules and regulations of each country where the system is deployed. There are also many intangible benefits that cannot be quantified. SAP audits help companies identify the areas that need improvement, allowing them to realize the desired benefits from their SAP implementation.

Quick Audit Compliance:

In the past, to complete an external audit, the internal auditors had to work with the external auditors for long hours and provide them with the required documentation. After implementing an SAP audit compliance solution, the reports the auditors require can be produced quickly and easily, with a single click. Suppose, for example, that the auditor wants a list of all custom tables and programs without authorization groups and transactions. Without automation the auditor has to query multiple tables to get this data and then combine the results. Errors can be introduced in the process and lead to wrong conclusions. Producing this data manually also takes a lot of time and diverts the auditors from other valuable tasks.

Business value:

SAP audit solutions provide value by automating the business process. One area with potential for huge risk is user provisioning and changes to user access in the SAP system. Here the auditors usually look for an audit trail of approvals. Most companies that do not have an automated solution fail the audit for lack of an audit trail, because the approvals for user access are not kept in one place. Even if a company uses some kind of ticketing software to track approvals, a lot of overhead is placed on the support staff: whenever user access changes in the SAP system, the support staff has to obtain multiple approvals and make sure they are properly recorded in the right place.

Process optimization

One of the places where SAP audit automation tools prove their worth is when new locations go live with many users. The traditional process is to collect all the users in a spreadsheet and validate them to make sure they have the right approvals and access. This process is acceptable, but tracking the approval for each individual user is a problem. Moreover, it is very difficult for a manager to glance through the data and accurately confirm that each person has the access they require.

SAP audit compliance solutions often get push-back from the business community, because ownership is transferred to them. Ultimately, however, an automated SAP audit solution delivers its value in the form of a quicker and less costly SAP audit.


Top 10 Ways to Monitor Your SAP Roles for SAP Audit Compliance

The SAP system has many reporting tools and ABAP/4 programs that provide detailed investigation and monitoring of the SAP security configuration for SAP audit compliance. The monitoring reports can be executed in two ways: by running the actual program through transaction SE38 or SA38, or through SUIM (Repository Information System).

Objective: For each system, review the key security related system profile parameters.

Report: RSPARAM Frequency: Monthly

The parameter values should be configured according to the recommendations in the SAP Security Administration Standard Operating Procedures developed by the company. Additionally, these parameters should be set consistently across all SAP systems.
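The following Python script is an added example, not part of the original post: it compares profile parameter values exported from several systems against a company baseline and flags parameters that are not set identically across systems. The login/* parameter names are real SAP parameters, while the baseline values, system IDs and the "name = value" export layout are assumptions.

```python
# Added example, not from the original post: compare SAP profile parameter
# values exported from several systems against the company baseline (SOP) and
# with each other. Baseline values, system IDs and export layout are constructed.
import re

BASELINE = {  # parameter: (comparison, value required by the SOP) -- constructed
    "login/min_password_lng": (">=", 8),
    "login/fails_to_user_lock": ("<=", 5),
    "login/password_expiration_time": ("<=", 90),
    "login/no_automatic_user_sapstar": ("==", 1),
}

EXPORTS = {  # constructed per-system exports, one "name = value" line each
    "DEV": "login/min_password_lng = 8\nlogin/fails_to_user_lock = 5\n"
           "login/password_expiration_time = 90\nlogin/no_automatic_user_sapstar = 1\n",
    "QAS": "login/min_password_lng = 6\nlogin/fails_to_user_lock = 5\n"
           "login/password_expiration_time = 90\nlogin/no_automatic_user_sapstar = 1\n",
    "PRD": "login/min_password_lng = 8\nlogin/fails_to_user_lock = 10\n"
           "login/password_expiration_time = 90\n",  # sapstar parameter not set
}

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}

def parse_export(text):
    """Parse 'name = value' lines into a dict; numeric values become ints."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*=\s*(.*?)\s*$", line)
        if m:
            name, value = m.groups()
            params[name] = int(value) if value.isdigit() else value
    return params

def check_baseline(params, baseline=BASELINE):
    """Return (parameter, actual, rule) for each parameter that misses the
    baseline; a parameter missing from the export is reported with None."""
    findings = []
    for name, (op, expected) in baseline.items():
        actual = params.get(name)
        if actual is None or not _OPS[op](actual, expected):
            findings.append((name, actual, f"{op} {expected}"))
    return findings

def cross_system_diff(exports):
    """Return {parameter: {system: value}} for every parameter whose value is
    not identical in all systems (the SOP requires consistency)."""
    parsed = {sid: parse_export(text) for sid, text in exports.items()}
    names = set().union(*(p.keys() for p in parsed.values()))
    return {n: {sid: p.get(n) for sid, p in parsed.items()} for n in names
            if len({p.get(n) for p in parsed.values()}) > 1}
```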

Objective: Ensure security access is properly restricted to Security Team members as defined in Policies and Procedures.

Report: RSUSR040 Frequency: Bi-weekly

Review the users that have access to the authorization objects S_USER_GRP, S_USER_AUT and S_USER_PRO. Access to these objects should be limited to the Basis and Security Administration teams. The Basis team should only have display access and the ability to reset passwords, for all user groups except SUPER and Security. These objects grant access to system administration functions, so no non-technical user should have access to them.
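As an added example (not from the original post), the Python script below applies these rules to a constructed extract of user authorization values. CLASS and ACTVT are the real S_USER_GRP field names; the users, team assignments, activity-code meanings and the trailing-wildcard semantics are assumptions noted in the code.

```python
# Added example, not from the original post: apply the rules above to a
# constructed extract of user authorization values for the S_USER_* objects.
# CLASS (user group) and ACTVT (activity) are the real S_USER_GRP fields; the
# users, team assignments and the activity-code meanings assumed here
# (03 = display, 05 = lock/unlock and password reset) are constructed.
SECURITY_OBJECTS = {"S_USER_GRP", "S_USER_AUT", "S_USER_PRO"}
PROTECTED_GROUPS = {"SUPER", "SECURITY"}   # off limits to Basis resets
BASIS_ALLOWED_ACTVT = {"03", "05"}         # display, password reset

# Constructed extract: (user, team, object, ACTVT, CLASS)
AUTHS = [
    ("SECADM1", "Security", "S_USER_GRP", "*", "*"),
    ("BASIS1", "Basis", "S_USER_GRP", "03", "*"),
    ("BASIS1", "Basis", "S_USER_GRP", "05", "ENDUSER"),
    ("BASIS2", "Basis", "S_USER_GRP", "05", "*"),    # reset covers SUPER too
    ("BASIS3", "Basis", "S_USER_AUT", "02", "*"),    # change, not display
    ("FIUSER", "Finance", "S_USER_PRO", "03", "*"),  # non-technical user
]

def group_covered(pattern, group):
    """Does a CLASS value cover a user group? '*' matches every group and a
    trailing '*' is treated as a prefix wildcard (assumed semantics)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return group.startswith(pattern[:-1])
    return pattern == group

def review_auths(auths):
    """Return (user, reason) findings for the three rules in the text."""
    findings = []
    for user, team, obj, actvt, cls in auths:
        if obj not in SECURITY_OBJECTS:
            continue
        if team not in ("Basis", "Security"):
            findings.append((user, f"{team} user holds {obj}"))
        elif team == "Basis":
            if actvt not in BASIS_ALLOWED_ACTVT:
                findings.append((user, f"Basis user has ACTVT {actvt} on {obj}"))
            elif obj == "S_USER_GRP" and actvt == "05":
                hit = sorted(g for g in PROTECTED_GROUPS if group_covered(cls, g))
                if hit:
                    findings.append((user, f"Basis password reset covers {hit}"))
    return findings
```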

Objective: Ensure access to security transactions is properly secured.

Report: RSUSR010 Frequency: Monthly

Check for transactional access to security administration. Execute report RSUSR010 and check for transactions PFCG, SU01, SU02, SU03 and SU05. They control access to the Profile Generator, user administration, profile administration, authorization maintenance and internet user administration. If anyone outside SAP security has access to these transactions, it should raise a red flag.

Objective: Ensure table access is properly configured.

Report: RSUSR040 Frequency: Monthly

Access to maintain tables should be coordinated with the Basis team, and table access needs to coincide with the ability to perform configuration. Review the users that have table access, for both client-independent and client-dependent tables (S_TABU_CLI and S_TABU_DIS). Client-independent table access should be limited to the Sandbox and Configuration Master clients.

Objective: Ensure that all users are properly assigned to the correct user group.

Report: RSUSR002 Frequency: Monthly

Review the users defined for all clients and systems. Each user should be assigned to a valid, pre-approved user group. Check the users who are assigned to the Basis, Security and help desk groups.

Objective: Ensure that impermissible passwords are consistently implemented and meet standard operating procedures.

Transaction: SE16 Frequency: Semi-annually

Verify the data contained in table USR40. This table contains specific impermissible password settings.

Objective: Ensure SAP Profile Generator is properly configured.

Transaction: SPRO Frequency: Semi-annually

Review the configuration and activation of the SAP Profile Generator. Review the documentation in the Enterprise IMG to ensure all configuration steps have been successfully completed. This activity should focus on new systems.

Objective: Check for changed and manually inserted authorization objects in roles

Transaction: SE16 Frequency: Semi-annually

Review the table for authorization objects that have been inserted manually or whose access values have been changed. This alerts the security administrators to roles that were not developed according to the security policy. It is good practice not to have roles with manually inserted or changed authorization objects.

Objective: Look for updates to the transaction-to-authorization-object assignments in transaction SU24

Transaction: SE16 Frequency: Monthly

Transaction SU24 should be maintained so that no manual authorization objects need to be added on the Authorizations tab of the Profile Generator. Also, if an incorrect authorization object or field value is brought into the Profile Generator, it should be corrected only through SU24. Only correct or blank field values are then brought in, so the correct values can be entered and the proper authorizations assigned. Monitoring these changes gives the SAP Audit Group visibility of the configuration changes made to transactions.

Objective: Monitor role changes in the system

Transaction: SUIM Frequency: Monthly

Here the SAP audit compliance group is looking at the volume of changes made to roles. If the volume of changes is too high, this gives them an early warning to investigate the approvals further.


Business Continuity – Keeping Your Business Afloat in a Crisis

A crisis that threatens the survival of your business can happen at any time and without notice. Would your business survive a crisis?

Whether you run a large organization or a small family business, the most common and unexpected threats are the same. Consider a few examples of incidents that could have a devastating impact on your business:

Environmental factors – a pollution incident or regulatory compliance failure could leave your business stranded and will almost certainly undermine customer confidence.

Severe weather – flooding and/or wind damage following a storm. If your business is in a remote location you may be particularly vulnerable to disruption.

Theft or vandalism – theft of computer equipment and precious business records can bring your business to a complete standstill. Similarly, theft or vandalism of operating plant or vehicles is costly and may pose health and safety issues.

Fire – few other situations have such potential to completely destroy a business.

Loss of utility – have you considered what you would do if you suffered a loss of electrical power or if your IT or telecoms systems failed to operate?

IT system failure – computer viruses, attacks by hackers or system failures can render your systems useless and affect your employees' ability to deliver business functions.

Disruption to fuel supplies – how long can you operate vehicles and machinery in the event of a fuel crisis? Would staff still be able to get to work? Would your suppliers be able to deliver essential business supplies?

Restricted access to premises – if you had a gas or water leak, how would your business function if you could not access your workplace?

There is no shortage of cases where no one really expected any of these incidents to happen to their business. And while it may be perfectly reasonable to expect a prompt response from the emergency services to a serious incident, what comfort can you take beyond that? What happens next, and how your business responds to customer demands and staff expectations, will come down to you.

In today’s fast paced and competitive business climate, customer and brand loyalty is ancient history. The ability to act quickly and get back to “business as usual” has never been more critical. Without structured and well rehearsed contingency arrangements your business could cease trading simply because it was not well prepared.

Hoping for the best and planning for the worst might be an age old saying but, given the unprecedented business challenges that have developed over the last decade, it makes perfect business sense.

Forward planning and protecting the reputation of your business, whatever its size, is paramount. The smaller your business, the more important it is to have contingency arrangements in place. Any incident, no matter how small, is capable of undermining your ability to continue trading and can adversely affect your profitability.

Customers, banks, investors, insurers and suppliers will all take your business more seriously if you have contingency arrangements in place. Staff will also appreciate the fact that the business is doing all it can to protect their safety and place of work.

A Business Continuity Plan (BCP) is simply a means of ensuring that you have contingency arrangements in place and that your business can respond promptly and sensibly to a crisis.

Developing a Business Continuity Plan will identify all the essential requirements that you need to put in place to keep your business running. This includes processes and procedures aimed at minimizing business disruption and keeping your customers and staff informed.

A key challenge in Business Continuity Planning is identifying and protecting essential business elements. The principal aim is to understand the critical and non-critical functions and activities that support the business. An effective plan should consider these aspects and identify the essential needs of the organisation.

Business continuity planning can start with a few basic steps:

consider every facet of your business

decide what is critical and determine how long individual business elements can operate without normal support systems

prioritize what should drive planning decisions, e.g. if an IT function cannot be off-line for more than two hours, what secondary systems and data would you need, where would they be located and who would have access?

think about the operational and financial cost of not having a critical function – how much revenue would be lost if customers took their business to another supplier?

There is really very little difference between planning for business continuity and buying an insurance policy: first decide on the fundamental requirements, then evaluate the potential contingency strategies and make an informed decision.
