GRC Nordic SAP User Management webinar

GRC Nordic SAP User Management · 2020. 9. 16.


Page 1

GRC Nordic SAP User Management webinar

Page 2

SAP Authorisation management

Security and Risk Management

SAP Authorisation Support and Access Management

Licence Management

SAP User Management

Page 3

Team today

Matti Halonen Mikko Syrjänen

Page 4

SAP User Management audit – how to prepare?

Page 5

How to prepare for an SAP User Management Audit

We have divided the presentation into six blocks

Focus will be on SAP User Management

Personal experience in audit engagements

Customer audit experiences

Several areas of expertise not discussed today but we hope to get your feedback!

Take home from this presentation a positive attitude towards audit!

Understanding the Audit

Governance

Processes

Technical reality

ITGC

To Do List

Covid-19

Page 6

Understand different objectives

Audit Types

• Financial audit

• Internal audit

• Tax audit

• Industry / quality

• Special audit

Audit Objectives

• Financial reporting reliability

• Internal control environment / risks

• Compliance with industry standard

• Complexity

• Risk based approach

Vs.

Audit Plan (Efficiency / Effectiveness)

• Time

• Skills / Resources

• Framework

• Plan

• Findings

• Report


Page 7

How do auditors see SAP User management?

Governance

Processes

Technical reality

ITGC

Top-down risk view

SAP Authorisation concept

Role change process

Object values

System parameters

Page 8

SAP Authorisation concept

Description of how everything should work

• Organisation / ownership

• Access risk approach

• Process descriptions

• Access risk tools, details, procedures

• Technical approach

Auditor's view

• Basis for the audit

• Compares content against "standard"

• Completeness

• Up to date?

Recommendation

• Invest in this!!!

• Update

• Provide to auditor for commenting and review


Page 9

Real life comments…

Earlier we prepared days for coming audit with mixed feelings…

Now we have everything relevant documented and we simply share the updated authorisation concept document with our audit!

Page 10

Defined processes, approvals and audit trails

Authorisation Management Processes

• Roles & responsibilities

• Reporting

• Concept management

• Regular meetings to govern and improve

User Management Processes

• Tickets, CR, Incidents

• User add, move, remove, leave etc.

• Role assignment

• Role change

• Projects

Access risk management Processes

• Approach / methods

• Monitoring / Reporting

• User Access Review

• Risk reduction

• Risk prevention simulation


Page 11

Snapshot of technical reality…

Business roles, IT roles, Externals

• Job descriptions vs rights

• Access risk levels

• Mitigation of remaining risks

• Correctly maintained

• Technical feasibility?!

Power / key user management

• User with wide rights without "job description"

• Method and tools to control

• Review process for logs

Special topics

• Tables

• Program / Execution rights

• Z Codes

• Batch input sessions


Page 12

Typical audit requests

Documentation

• Information security policy

• Authorisation concept document

• Landscape

• Approval policies

Data requests

• RSPARAM / PAHI

• USR02 table

• RSUSR100 reports

• Tickets / approvals

• PA HR tables

• Tcode / Object values

• DEV Access table


Authentication / passwords / logon etc.

Page 13 (same slide as page 12, next callout)

Official process bypassed / Approvals

Page 14 (same slide as page 12, next callouts)

Tables

Program / Execution rights

Z Codes

Batch input sessions

Transport system


Page 15

Who has the responsibility of this area?

System Parameters

• Standard users

• Password parameters

• Logon settings

Change Management

• Transports

• Production client control history

• Change logging

• Test / quality system security

• Development system security

Other layers of security

• RFC Connections

• Firewalls, networks

• Database

• Operating System
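As an added self-audit example (not from the webinar and not GRC Nordic's code), the script below runs the kind of checks behind three of the items above, standard users, password parameters and logon settings, and also the "user with wide rights" and dormant-user points from the technical-reality slide, over extracts shaped like the data requests on page 12: RSPARAM parameter values and the USR02 user table, plus UST04 profile assignments, which the deck does not list and is an assumption here. Field names (BNAME, USTYP, UFLAG, TRDAT, GLTGB, CLASS, PROFILE) follow the SAP tables; the policy thresholds, the sample rows and the user names are constructed for the example.

```python
"""Self-audit checks over constructed SAP user-management extracts.

Added example, not from the webinar. Field names follow SAP tables USR02 and
UST04 and the login/* profile parameters; every threshold and sample row
below is an assumption made for illustration.
"""
from datetime import date

# Well-known SAP standard users that auditors ask about (extend to taste).
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}
# USR02-UFLAG lock values: 32 locked via CUA, 64 locked by admin, 128 failed logons.
LOCK_FLAGS = {32, 64, 128}
# Profiles that grant wide rights and should only sit on locked or justified users.
WIDE_PROFILES = {"SAP_ALL", "SAP_NEW"}
DORMANT_DAYS = 90  # assumed policy: dialog users unused this long get flagged

# Assumed internal policy for login/* parameters (not SAP default values).
# kind: "min" value must be >= limit, "max" value must be <= limit, "eq" exact.
POLICY = {
    "login/min_password_lng": ("min", 12),
    "login/fails_to_user_lock": ("max", 5),
    "login/password_expiration_time": ("max", 90),
    "login/no_automatic_user_sapstar": ("eq", 1),
}


def check_parameters(params):
    """Compare an RSPARAM-style {parameter: value} extract against POLICY."""
    findings = []
    for name, (kind, limit) in POLICY.items():
        if name not in params:
            findings.append(f"{name}: not in extract")
            continue
        value = int(params[name])
        # 0 means "never expires", which a plain <= 90 comparison would accept.
        if name == "login/password_expiration_time" and value == 0:
            findings.append(f"{name}=0: passwords never expire")
            continue
        bad = ((kind == "min" and value < limit)
               or (kind == "max" and value > limit)
               or (kind == "eq" and value != limit))
        if bad:
            findings.append(f"{name}={value}: policy requires {kind} {limit}")
    return findings


def review_users(usr02, ust04, today):
    """Flag unlocked standard users, dormant dialog users and wide profiles.

    Locked or validity-expired accounts are skipped: they cannot log on, so
    they are not the finding the auditor is looking for.
    """
    wide = {}
    for row in ust04:  # UST04: user -> profile assignments
        if row["PROFILE"] in WIDE_PROFILES:
            wide.setdefault(row["BNAME"], []).append(row["PROFILE"])
    findings = []
    for u in usr02:
        name = u["BNAME"]
        locked = u["UFLAG"] in LOCK_FLAGS
        expired = u["GLTGB"] is not None and u["GLTGB"] < today
        if locked or expired:
            continue
        if name in STANDARD_USERS:
            findings.append(f"{name}: standard user is unlocked")
        if u["USTYP"] == "A":  # dialog user
            last = u["TRDAT"]
            if last is None or (today - last).days > DORMANT_DAYS:
                findings.append(f"{name}: dialog user dormant or never logged on")
        if name in wide:
            findings.append(f"{name}: holds {','.join(wide[name])} (group {u['CLASS']})")
    return findings


# Constructed sample extracts (not from any real system).
TODAY = date(2020, 9, 16)
SAMPLE_PARAMS = {
    "login/min_password_lng": "8",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "0",
    "login/no_automatic_user_sapstar": "1",
}
SAMPLE_USR02 = [
    {"BNAME": "SAP*", "USTYP": "A", "UFLAG": 64, "TRDAT": None, "GLTGB": None, "CLASS": "SUPER"},
    {"BNAME": "DDIC", "USTYP": "A", "UFLAG": 0, "TRDAT": date(2020, 8, 1), "GLTGB": None, "CLASS": "SUPER"},
    {"BNAME": "JDOE", "USTYP": "A", "UFLAG": 0, "TRDAT": date(2020, 9, 15), "GLTGB": None, "CLASS": "BUSINESS"},
    {"BNAME": "EXT_CONSULT", "USTYP": "A", "UFLAG": 0, "TRDAT": date(2020, 3, 2), "GLTGB": None, "CLASS": "EXTERNAL"},
    {"BNAME": "OLDPROJ", "USTYP": "A", "UFLAG": 0, "TRDAT": date(2020, 1, 10), "GLTGB": date(2020, 6, 30), "CLASS": "PROJECT"},
    {"BNAME": "BATCH_RFC", "USTYP": "B", "UFLAG": 0, "TRDAT": date(2020, 9, 16), "GLTGB": None, "CLASS": "SYSTEM"},
]
SAMPLE_UST04 = [
    {"BNAME": "SAP*", "PROFILE": "SAP_ALL"},
    {"BNAME": "BATCH_RFC", "PROFILE": "SAP_ALL"},
    {"BNAME": "JDOE", "PROFILE": "S_A.USER"},
]

if __name__ == "__main__":
    for line in check_parameters(SAMPLE_PARAMS) + review_users(SAMPLE_USR02, SAMPLE_UST04, TODAY):
        print(line)
```

Run as-is it reports the short password length, the never-expiring passwords, DDIC left unlocked, a dormant external dialog user and a system user carrying SAP_ALL; the locked SAP* and the validity-expired project user produce nothing, which is the behaviour you want when the same script runs every quarter as the "fix obvious things during the year" step from the to-do list.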


Page 16

How to make audit less painful / get the value

SAVE TIME

• Documentation

• Agree timetable / slack in calendar

• Auditor access / data requests

UNDERSTAND

• Audit objective

• Audit thinking

CO-OPERATE

• Be open about the situation

• Explain your plan and efforts

• Ask for advice and explanations

SELF AUDIT

• Fix obvious things during the year

• Explain this approach to your auditor

• Explain this to your management / user community

Agree the audit findings before the final report

Page 17

Top 4 Audit issues

Lack of policy / Lack of plan

• No approach to security

• No documentation

Power user monitoring

• Solution missing

• Review process failing

Access risk level

• Risk levels high

• Several areas unsecure

Approvals

• Official process bypassed

• Projects

Create plan and improve every year

SAP Documentation and guidelines

S/4 not started…. or exit plan

Page 18

Covid-19: Impact to audit

Fraud risks higher due to the uncertainty / layoffs

• Access risks / SoD

• Reduced physical observation

Personnel partly / fully remote

• Authentication

• Multifactor to SAP

• Access risks

Audit remotely

• No major issues when processes in place

Audit focus is in valuations, going concern issues currently

Will shift later to remote work questions

Page 19

GRC Nordic events 2020

Date / Event

› October › Webinar: Deep dive to SAP Security around authorisations,

› November › Webinar: SAP authorisation concept

› December › Webinar: SAP S/4 analysis