SAP Auditing: A Complete Introduction

Have you ever wondered what all the fuss is about SAP and its audit process?

We'll take a look at the SAP audit process and explain what happens when auditors check your SAP system.

• You'll learn what SAP auditors look for and how your SAP system could be improved.
• You'll also discover exactly what will happen if your SAP system is not up to par.

How SAP auditing works

Enterprise executives and IT specialists unaccustomed to SAP service contracts may not be fully aware of the audit process and likely wonder "What is a SAP audit and why does it need to happen?" The answer lies in the audit clause included in the contract SAP provides licensees of its software. As per this clause, companies must be prepared to supply usage information on request to SAP auditors every year.

There are two types of audits that SAP auditors can choose to perform. These are:

• Basic audits: These audits follow a standard trajectory, passing through phases. The four phases themselves are: 
• a representative from SAP's global license auditing service sending an annual SAP auditing notice to your company, 
• your company collecting various kinds of usage data for SAP,
• your company finally consolidating all of this data, and
• your company sending this data to SAP.
• Enhanced audits: These happen if deemed necessary by SAP's auditors. However, they must also be allowed under your specific contract's audit clause, which may vary considerably from others. These audits are far more dynamic and flexible than their basic counterparts, making them a bit trickier to plan for in advance.

The purpose of an SAP audit is to identify potential breaches of contract and ensure that SAP's intellectual property is safe from misuse.

SAP audit compliance is important, but it is equally important to know what information you are contractually obligated to provide and what information you are not required to send to SAP for assessment.

How the SAP audit process breaks down

• Planning: At this stage of the SAP audit, items that are auditable are identified, and a general plan for the rest of the audit to follow is defined. Owing to the fact that your company must decide who audits SAP systems, these parties will need to be included in this planning stage for the best results.
• Preparation: Next up is the preparation phase in which SAP auditing announcement letters are drafted as needed and the entire audit program is reviewed. The audit announcement letter often includes such details as the amount of time it will take to complete and its intended scope.
• Execution: At this stage, the actual auditing process is performed in-house by your SAP experts and IT team. Ideally, your "USMM" reports are cleaned up, then they are all imported into the License Administration Workbench or "LAW" for proper measurement and report generation.
• Reporting: Reports can be generated entirely from within LAW as it provides functionality intended to simplify license-relevant measurement data collection and consolidation. LAW picks up data from component systems as well as the central system in which it is run, generating more useful system usage overviews with less headache.
• Follow-up: Those who know how to audit SAP generally conclude their audit process with a follow-up in which the evaluation result is reviewed and recommendations are made. This is a good time for risks associated with certain recommendations to be assessed in full and formal decisions regarding these to be made.

Audit policies in SAP HANA

In SAP HANA, you can leverage more detailed logs of database access, but these must be manually activated for certain security threats to be caught. Ideally, the following five policies should be configured in HANA:

• User and Role Management
• Authorization Management
• Data Manipulation
• Object Maintenance
• System Management

The following SAP HANA audit policies are already configured by default:

• Audit Activation Configuration
• Audit Policies Configuration
• Deletion of the Audit Logs
• Password Change of the SYSTEM Account

How SAP audit management impacts results

SAP auditing carries the risk of divulging sensitive information if it’s not handled correctly. SAP Audit Management helps minimize this risk and many others by providing simple controls for removing details such as user names as well as monitoring read access to sensitive data.

You can also track open action plans as well as monitoring SAP in audit operations that are ongoing with SAP Audit Management. Your SAP IT audit is fully manageable from within Audit Management thanks to a litany of apps powering a multitude of useful functions.

How you can prepare for your next SAP audit

Improving your SAP system is a great way to get a head start on your next SAP audit.

SAP auditing support can come in handy for this. There are a number of SAP audit services you can turn to for help. Besides partnering with the right audit service, you can also take a proactive stance by setting up your own policies and a general framework for handling audits. Establishing a single point person who can field requests from SAP is another great tactic for keeping requests from spiraling out of control.

For companies that are new to their SAP contracts, reviewing the details concerning your audit rights can be beneficial and keep you from divulging more information than is necessary.

Handling SAP auditing challenges with automation

Avantra's powerful approach toward automating core SAP processes alleviates pain for your administrative team while powering more efficient workflows throughout your organization. Give Avantra a try today with a free demo to see what we can do for you.