Recently, Fastpath SAP experts sat down with SAPInsider for a webcast Q&A about how to build a successful security and compliance program for SAP landscapes. The Fastpath experts answered questions on topics ranging from dealing with non-SAP systems in an SAP landscape, to who should own, implement, and manage the budget for a security program.
This blog series offers tips on how to ease the task of dealing with security and audits.
Security And Compliance For SAP, Part 1: Using Processes, A Risk-Based Approach, And SAP To Work With Auditors
The focus on security, audit, and compliance within your organization does not have to be painful or time-consuming; SAP has many options, supported by technology like Fastpath as well as security experts, to help you along the way. Ultimately, the key is to implement processes, take a risk-based approach, and have the right controls in place so that you not only meet the demands of your auditors but also improve the efficiency of your security program, making it more manageable and effective.
How Defined Processes, a Risk-based Approach, and Having SAP Helps You Work with Auditors
Anyone who deals with auditors knows it can be a challenge. Many companies deal with auditors who don't have deep knowledge of SAP, and some of the questions they ask may or may not even fit into how SAP works. Whether internal or external, these auditors move from client to client, often working with different software packages, so it should not be a surprise they don’t have in-depth knowledge of SAP. While this might be frustrating, it’s in your best interest to recognize and accept it, then figure out how to communicate with the auditor to reduce the friction between what you’re doing and what they want to see.
In those cases, we recommend you have a clearly defined process in place that you can explain to the auditor, one that gives them confidence that you follow a logical methodology and a risk-based approach. Then everything you explain about your security process and the controls you have in place puts their mind at ease that you have things under control.
That risk-based approach should be understood by any auditor with any background or with any level of SAP knowledge. This will give them confidence in you, so when they ask you detailed questions for specific reports or talk about specific controls you have in place, they can understand that everything you do rolls up to a risk-based approach, with the right controls in place to mitigate the risk, and in some cases, accept the risk.
Oftentimes, auditors are working off a common audit program they use from year to year. If you can show them evidence of your knowledge and understanding of how and what you do individually and how the process supports a larger effort, it goes a long way towards giving them confidence, which, while not specific to the test they're doing at the time, is still in the back of their mind: the overall feeling that they're dealing with a competent, responsible organization.
Another factor that helps is that your organization uses SAP. Even if the auditor is not deeply familiar with the software, they will likely know that SAP offers significant advantages over most other ERP systems, including the throughput to process a large number of transactions. The ability to address the needs of a growing company or even a large public company is something that people really rely upon SAP for.
In addition, with SAP you are able to build the automated processes that you want to rely upon for internal controls. When it comes to internal controls, we talk about the ideal world being 90% automated. Very few companies get to 90% automated, but at the end of the day, what this speaks to is the fact that you want to automate as much as you possibly can, because automation allows for less risk in the process, and that equates to less auditing and review on the back end of the process. With automation, you're only monitoring the application and changes to the application, rather than monitoring the actual transactions and then having to go back and audit those transactions, which can be time-consuming, expensive, and inefficient.
In the end, your goal is to spend less time dealing with security so your IT people can get back to their day jobs. Putting these basic components in place is one step to helping you get there.
Stay tuned for additional blogs in this series, including:
Part 2: Handling Custom Transaction Code
Part 3: Talking to Auditors about Non-SAP Systems in Your SAP Landscape
Part 4: Granting Users Access in SAP - Who, When & How Much?
Part 5: Ownership of Your Security Program and its Budget
Part 6: Cybersecurity is Important, But Don't Forget About Internal Threats!
Part 7: Using Fastpath With SAP GRC and Non-SAP Identity Management Solutions
Part 8: Comparing The Risks Between SAP ECC And SAP CRM
Part 9: How Using Single and Composite Roles Affect SoD Conflicts