SAP Risk Management
www.auditbots.com
Organizations increasingly prefer to have their SAP operations assessed and audited both during implementation and post-implementation, to make sure all business controls are in place and comply with statutory, legal and other regulatory requirements such as Sarbanes-Oxley. AuditBot offers SAP Risk Management (ERM) services to its customers to meet these needs.
AuditBOT has been successful in addressing the SAP Audit & Controls and Compliance issues. We have been involved in projects typically involving Basis Security Review, Program Change Control, SAP Basis Authorizations, Legacy System interface controls, IT Environment review, Functional Configuration & Business Process review, User-access and segregation of duties.
2. Architecture
ABAP Based
• All the audit programs are written in ABAP.
• All the audit logs are gathered and recorded into a custom table for unlimited use.
No New Hardware
• Solution can be deployed in the SAP system on the existing hardware.
• Existing company resources can support the product.
Quick Implementation
• Solution can be implemented quickly, sometimes even within one day.
• Training the internal audit team is quick, as the reports are one-click execution.
3. SAP Risk Analysis
• A comprehensive, preconfigured SAP risk rule set out of the box.
• Batch programs which can run the SAP risk analysis daily.
• Risk analysis report (SOD, Sensitive Transaction and Sensitive Object) at the SAP role level and SAP user level.
• Report to analyze whether an SAP risk was executed and which postings are related to the risk.
• Trending reports for managers to monitor SAP risk monthly or yearly.
• Alert when a specific SAP risk is introduced at the SAP role level or SAP user level.
Custom object analysis
Monitor 100% of transactions
Fully Automated
4. Different Types of SAP Risk
SAP Risks-Delivered
SOD Risks: When a user or role has a combination of two or more SAP transactions. Example: transaction FSS0 (Create GL Master Record) and F-02 (Enter GL Account Posting). The risk here is that the user can create a GL account and post a journal entry to hide the activity.
Sensitive Transaction: This is a single transaction assigned to a user or role. A typical example is transaction SCC4 or SU10. Each of these two transactions by itself can do excessive damage to the system.
Object Level Risks: There are some sensitive objects which could cause risk or should not be assigned to users or a role. Example: S_DEVELOP (DEBUG), S_TABU_DIS with open access, or S_TCODE with * or ranges.
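The three risk types above as a small rule check, added here as an illustration (not AuditBot's code or its delivered rule set). The roles, users and the (low, high) range notation are constructed sample data, and the rules use only the slide's own examples; the check is run at role level and at user level because a user can hold a conflict that no single role contains.

```python
# Rules taken from the slide's examples only (not a delivered rule set).
SOD_RULES = {"Create GL account + post journal entry": ("FSS0", "F-02")}
SENSITIVE_TCODES = ("SCC4", "SU10")

# Constructed sample data: role -> [(authorization object, {field: value})].
# A value is a string (may end in *) or a (low, high) tuple for a range.
ROLES = {
    "Z_GL_MASTER": [("S_TCODE", {"TCD": "FSS0"})],
    "Z_GL_POST": [("S_TCODE", {"TCD": "F-02"})],
    "Z_BASIS": [("S_TCODE", {"TCD": ("SCC1", "SCC9")}),
                ("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"}),
                ("S_TABU_DIS", {"DICBERCLS": "*", "ACTVT": "03"})],
}
USERS = {"ALICE": ["Z_GL_MASTER", "Z_GL_POST"], "BOB": ["Z_GL_POST"],
         "CAROL": ["Z_BASIS"]}

def covers(value, tcode):
    """True if one S_TCODE value (literal, trailing-* pattern, range) grants tcode."""
    if isinstance(value, tuple):  # simplified: plain string comparison
        return value[0] <= tcode <= value[1]
    if value.endswith("*"):
        return tcode.startswith(value[:-1])
    return value == tcode

def analyze(auths):
    """Return the sorted risk findings for a list of authorizations."""
    tcd = [f["TCD"] for obj, f in auths if obj == "S_TCODE"]
    def has(tcode):
        return any(covers(v, tcode) for v in tcd)
    out = {"SOD: " + n for n, (a, b) in SOD_RULES.items() if has(a) and has(b)}
    out |= {"SENSITIVE TCODE: " + t for t in SENSITIVE_TCODES if has(t)}
    if any(isinstance(v, tuple) or "*" in v for v in tcd):
        out.add("OBJECT: S_TCODE with * or range")
    for obj, f in auths:
        if obj == "S_DEVELOP" and f.get("OBJTYPE") in ("DEBUG", "*"):
            out.add("OBJECT: S_DEVELOP (DEBUG)")
        if obj == "S_TABU_DIS" and f.get("DICBERCLS") == "*":
            out.add("OBJECT: S_TABU_DIS open access")
    return sorted(out)

def analyze_role(role):
    return analyze(ROLES[role])

def analyze_user(user):
    # User level: combine the authorizations of every assigned role.
    return analyze([a for r in USERS[user] for a in ROLES[r]])

if __name__ == "__main__":
    for user in USERS:
        print(user, analyze_user(user))
```

ALICE's two roles are each clean at role level, but together they give her both FSS0 and F-02, so the SOD finding appears only in the user-level run.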
5. Simple Steps before SAP License Audit
• Review your SAP user list regularly using transaction SUIM and look for any unwanted user IDs.
• Use transaction RSUSR200 to periodically lock users after 90 or 120 days of inactivity, based on your company policy.
• Assign a license type to every user in the system. Every user without a license type assignment is charged at the professional license type level.
• Turn on the multiple logon parameter so that users cannot log on multiple times with the same user ID.
• Assign license types at the role level.
• Assign proper roles to the users. Users with broad-access roles can access powerful transactions.
6. SAP Risk Analysis
Third party review executed by AuditBot ensures risks and vulnerabilities are highlighted.
CHALLENGES
• Managing a complex software landscape can be a time-consuming and costly exercise for any organization.
• Taking control by identifying the actual risk occurrence of your SAP landscape
• Ensuring compliance of external audits and avoiding surprises
• Awareness of your ‘as is’ situation with respect to your SAP risk management, including identification of related vulnerabilities and risks
• Control of SAP risk in your SAP landscape based on actual risk occurrence
• Reduce your audit costs.
RESULTS
A common result of SAP audits is improper assignment of roles, excessive access, and what users did with the access.
7. RESULTS
Awareness of your ‘as is’ situation with respect to your SAP risk management, including identification of related vulnerabilities and risks.
Reduced Risk
Greater Assurance
Improved Productivity
• Control your SAP Risks in your landscape and reduce your SAP Audit Costs.
• Knowledge of how SAP risks its and provides awareness and understanding to the internal auditors of your company
“We work closely with our clients to understand their SAP landscape, current controls and procedures, and to address their desired objectives for SAP Risk management.”
17. Emergency Help Desk
Value from AuditBot SAP Compliance tool means reducing the cost of compliance and improving risk management and control.
CHALLENGES
• Excessive access and users performing unauthorized activities
• No control over the user IDs with elevated access
• Not able to track and monitor the elevated access
• Undue delays in resolving the issues
• Monitors use of elevated access
• Tracks actions performed while privileged access is being used
• Provides detailed, concise audit reports
• Any activities performed are automatically logged and can be delivered to defined controllers to review the access which has been used
RESULTS
Provides a controlled means of providing super user access to sensitive and critical transactions on an ad hoc basis
18. RESULTS
• AuditBot identifies and prevents access and authorization risks in cross-enterprise IT systems
• Prevent fraud and reduce the cost of continuous compliance and control.
Reduced Risk
Greater Assurance
Improved Productivity
• “Our AuditBot team is working with leading organizations to embed and integrate SAP Audit Compliance solutions, driving value from control.”
• “Validity periods are also assigned at the same time as provisioning.”
• Getting value from AuditBot technology means reducing the cost of compliance at the same time as improving risk management and control
19. Our Value
• Free 30 Proof of Concept
• Same day installation and Configuration
• 365 Day Money Back Guarantee
• Basic Configuration Includes
• Will Provide Custom Enhancements
• When Can We Start
• www.auditbots.com