Recently, SAP Insider hosted a webcast Q&A on building a successful security and compliance program for SAP landscapes. The panel answered questions on a variety of topics, including cross-platform audit issues in an SAP landscape and ownership and budget management of a security program. Below is Part 3 in a series of 9 posts.
Security And Compliance For SAP, Part 3: Talking To Auditors About Non-SAP Systems In Your SAP Landscape
This series of blogs highlights ways to ease the pain around security and audits. This area can be pain-free and less time-consuming with the right tools and practices. With the backing of your powerful SAP system, technology like Fastpath, and best practices like implementing a process, taking a risk-based approach, and having the right controls in place, you can meet audit demands and improve the efficiency and effectiveness of your security program.
Part 1 discussed using processes and a risk-based approach, along with the power of SAP, to work smoothly with auditors. Part 2 discussed how to handle custom transaction code. In Part 3, we cover how to talk to auditors about non-SAP systems in an SAP landscape.
Non-SAP Systems in an SAP Landscape: How to Put Auditors at Ease
Many of the audit firms we work with, whose clients use Fastpath Assure, are starting to treat the cross-platform (or multiple-scope) concept as covering business systems other than the core accounting or ERP system, and they want to ask segregation of duties (SoD) and access review questions about those systems too.
More importantly, they're starting to ask detailed questions about situations like a user who holds a profile in SAP as well as a separate profile in a CRM system. Evaluated individually, that user might have no SoD conflicts inside SAP and none inside the CRM system, but when you look at the access the user has in both systems cumulatively (cross-platform, as we call it at Fastpath), the conflicts are there.
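As an added illustration, not code from the original post and not a Fastpath or SAPinsider product component, the script below shows why a per-system SoD check misses exactly this case. It maps roles in each system to business capabilities, evaluates a rule set against each system on its own and then against the user's combined capabilities, and reports which conflicts only become visible cross-platform, together with the role on each side so the finding can be evidenced. The rule set, system names, role names, capability names and users are all constructed for the example; real SAP roles or transaction codes and real CRM profiles would be mapped to capabilities the same way.

```python
"""Cross-platform SoD check: per-system review vs. cumulative review.

All rules, roles, capabilities and users below are constructed sample data
for this example, not a vendor rule set.
"""

# SoD rules: pairs of business capabilities one person must not hold together.
SOD_RULES = {
    ("maintain_customer_master", "approve_customer_discount"):
        "Customer master maintenance vs. discount approval",
    ("maintain_vendor_master", "approve_vendor_invoice"):
        "Vendor master maintenance vs. invoice approval",
}

# Which capabilities each role grants, per system (constructed mapping).
ROLE_CAPABILITIES = {
    "SAP": {
        "Z_AR_CLERK": {"maintain_customer_master", "post_customer_payment"},
        "Z_AP_CLERK": {"maintain_vendor_master"},
        "Z_AP_MANAGER": {"approve_vendor_invoice"},
    },
    "CRM": {
        "SalesOps": {"approve_customer_discount", "create_opportunity"},
        "SalesRep": {"create_opportunity"},
    },
}

# Role assignments per user and system (constructed sample users).
USER_ROLES = {
    "alice": {"SAP": {"Z_AR_CLERK"}, "CRM": {"SalesOps"}},
    "bob": {"SAP": {"Z_AP_CLERK", "Z_AP_MANAGER"}},
    "carol": {"SAP": {"Z_AR_CLERK"}, "CRM": {"SalesRep"}},
}


def capabilities(system, roles):
    """Union of the capabilities granted by a set of roles in one system."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES[system].get(role, set())
    return caps


def conflicts(caps):
    """Rules whose two capabilities are both present in the given set."""
    return sorted(rule for rule in SOD_RULES if set(rule) <= caps)


def per_system_conflicts(user):
    """What a single-system review sees: each system evaluated on its own."""
    return {system: conflicts(capabilities(system, roles))
            for system, roles in USER_ROLES[user].items()}


def cross_platform_conflicts(user):
    """What a cumulative review sees: all systems' capabilities combined."""
    combined = set()
    for system, roles in USER_ROLES[user].items():
        combined |= capabilities(system, roles)
    return conflicts(combined)


def granting_roles(user, capability):
    """(system, role) pairs that give this user the capability; audit evidence."""
    hits = []
    for system, roles in USER_ROLES[user].items():
        for role in sorted(roles):
            if capability in ROLE_CAPABILITIES[system].get(role, set()):
                hits.append((system, role))
    return hits


def report(user):
    per_system = per_system_conflicts(user)
    cross = cross_platform_conflicts(user)
    seen_in_one_system = {c for found in per_system.values() for c in found}
    hidden = [c for c in cross if c not in seen_in_one_system]
    return {
        "per_system": per_system,
        "cross_platform": cross,
        "only_visible_cross_platform": hidden,
        "evidence": {c: [granting_roles(user, cap) for cap in c] for c in hidden},
    }


if __name__ == "__main__":
    for name in USER_ROLES:
        r = report(name)
        print(name, "per-system:", r["per_system"])
        print(name, "cross-platform:", r["cross_platform"])
        for rule, roles in r["evidence"].items():
            print("  hidden conflict:", SOD_RULES[rule], "granted by", roles)
```

In this sample data alice has no conflict in SAP and none in the CRM, yet holds both halves of the customer master rule once the two systems are combined; bob's conflict is already visible inside SAP alone, so a single-system review would have caught it. The evidence list is what you would hand an auditor: the exact system and role on each side of the conflict, which is also what you need in order to remediate it.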
The challenge comes when the auditors start to ask about those non-SAP business systems. However, as we discussed in the first blog in this series, if you've taken a risk-based approach to evaluating your other key business systems and, more importantly, the data those systems hold, you will already have put appropriate controls into those systems that you can support with evidence.
Let's take another example. An auditor asks cross-platform questions, say, around your CRM, payroll or HR system. If you take a risk-based approach and have controls in those systems similar to the ones you have in SAP, with user access reviews and SoD reviews, and can also show evidence that you're looking at cross-platform SoD and have a tool that lets you do that, you're going to give the auditor additional assurance. Looking cross-platform means looking at security holistically, which is likely one of the reasons they're asking about those other systems.
As technology continues to evolve, the cloud in particular gives third-party and non-traditional accounting systems room to emerge. Whether it's Zuora, Coupa or Workday, ERP has come full circle: what used to be a consolidation of best-of-breed software into one solution like SAP is going back to the way it was before, with multiple best-of-breed solutions connected via the cloud. Now more than ever, it's important to do that risk analysis, identify which systems are most critical, have the right controls in place, and then have cross-platform SoD analysis running across them.
Another step in taking the sting out of running a security program is having the right tools, like Fastpath, in place to manage risk not only in SAP but across all critical systems. This will help you reach your goal of spending less time on security and more time focusing on your business.
Stay tuned for additional blogs in this series! Want them all at a glance? Check out the first blog which will have all 9 links once they are all published.