SAP Audit: SAP Native and Third Party Solutions
Nick Sorenson
July 29, 2021

What Is an SAP Audit?

SAP provides a suite of enterprise software, with enterprise resource planning (ERP) at its core, that allows organizations to enable and track almost any business processes. These include processes like account receivables, account payables, and purchasing.

SAP lets organizations store key financial data in a secure system with strict controls, ensuring that only authorized actors can access or make changes to it. SAP audits help keep track of control management, identify violations, and ensure compliance with standards and regulations, as part of SAP Governance, Risk and Compliance (GRC) processes. 

You can perform audits of business processes managed by SAP systems using native solutions provided by SAP, as part of its solution portfolio, as well as third-party solutions that interface with SAP systems.

Executives and senior management should be familiar with the language of SAP systems and the basics of SAP auditing, security and compliance. This allows them to demonstrate to auditors that they are responsible and informed and can comply with regulations such as SOX, FCFA and ISAE SOC 1.

In this article:

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such.  Information on this website may not constitute the most up-to-date legal or other information.

The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed.

You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider.

This article may contain links to other third-party websites.  Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.

What Is SAP Audit Management?

SAP Audit Management is a solution that comes with the SAP Assurance and Compliance Software. It is useful for a variety of tasks, including building an audit plan, preparing audits and analyzing the results.

SAP Audit Management is powered by SAP HANA and offers a complete end-to-end management solution for SAP audits. It can help your audit department plan and execute audits, analyze the relevant data, document and communicate results and monitor progress. SAP Audit Management includes the following key features:

  • Mobility—it is fully mobile-enabled, providing easy access through desktops, laptops, and mobile devices
  • Full audit roadmap coverage—this includes the planning, preparation, execution, reporting and followup stages
  • Flexible Audit Universe—provides a centralized source for auditing and monitors global audit requests 
  • Third-party integration—supports integration with systems such as SAP Risk Management and SAP Business Integrity Screening 
  • Working paper management—lets you generate audit documents using drag-and-drop, access documents with a single click and review your management 
  • Global monitoring—allows you to monitor findings and progress 
  • Search function—allows you to find your target information with a single click
  • User interface—the intuitive design helps boost efficiency and enhances user experience 

SAP Audit Management divides the auditing process into five phases—planning, preparation, execution, reporting and followup. Each phase involves a different set of audit tasks.

You can see how SAP Audit Management organizes an audit workflow in the following figure. Keep in mind that these roles are only an example of a standard audit scenario, but you may use a different role for each action in your own organization.

Image Source: SAP

SAP Audit Logs

Many large enterprises use SAP’s ERP systems, and many of these organizations face complex compliance requirements. To achieve compliance, they must enable, properly configure, and secure SAP security audit logs.

The SAP Security Audit Log (SAL) contains all events that occurred in the ERP system. Each operation has its own transaction code and related details—who did it, when and under what circumstances. There are about 100,000 different transaction codes, many of which are important for security and compliance purposes.

What is important to know about SAP logs is that technically, they are endless, fixed-size rows of log entries. This unusual architecture, combined with the 4-digit transaction codes, make it impossible for standard tools to read and understand the logs. One option is SAP Log Viewer, but it is limited compared to third-party log aggregation solutions.

Another challenge is that there is a need to protect log file integrity. Unprotected audit logs are of no value because anyone with relevant access can delete, modify, or create log entries. Therefore, the team managing the SAP installation is responsible for protecting the integrity of the SAP audit log.

You can use security information and event management (SIEM) systems to manage SAP log data, but you usually need to install a special plug-in for your SAP installation to help translate the alerts to a format the SIEM can ingest. 

Another option is to use SAP Enterprise Threat Detection (ETD), a solution that collects events from SAP HANA databases and associated SAP applications. SAP ETD has a purpose-built log preprocessor that normalizes and enriches data from SAP applications, converting it to a format that is useful for security professionals.

The Need for Third-Party SAP Audit Solutions

Many organizations complement SAP Audit Management and SAP Audit Logs with third-party solutions that can help automate and improve compliance efforts centered around SAP systems.

Third party SAP audit solutions can provide the following capabilities, in addition to those provided by native SAP solutions:

  • Automated change tracking—automatic monitoring and auditing of every system change or upgrade to a SAP application, with information about who made the change, according to what policy, why, and in which context. This can quickly reveal violations of company policies or compliance requirements. 
  • Compliance alerting—codifying unique organizational policies and continuously monitoring to see if any activity in SAP systems violates them. When an action does not align with corporate policies, the system alerts and escalates to the relevant personnel.
  • Audit support—readily available reports in the format required by internal or external auditors for each compliance standard. Instead of having to manually reconstruct events from SAP logs, solutions can generate the required information automatically based on data gathered from SAP systems.
  • Audit customization—each company has specific audit requirements, depending on its internal policies, the compliance standards it needs to comply with, and specific requirements within those standards. SAP auditing solutions can help generate customized audits that meet these complex, and often changing requirements.

Related content: Read our guide to SAP GRC tools

SAP Audit Automation with Pathlock

Pathlock is the proven SAP Solution Extension partner, which extends your SAP GRC investment in several critical areas: 

  • With Access Violation Management, System Integration Edition, customers can extend their SAP Access Control and SAP Process Control implementation to monitor cross-application SOD risks in SAP cloud applications (like SAP Ariba and SuccessFactors) and non-SAP applications (like Salesforce and Workday)
  • With Access Violation Management, Risk Analysis Edition, customers can supplement their SAP Access Control implementation with monitoring of violations of SOD risks, to create mitigating controls that can highlight errors and fraud
  • With Pathlock Control, customers can extend their SAP Access Control implementation with Emergency Access Management for SAP Cloud (SAP Ariba and SuccessFactors) and non-SAP applications (like Salesforce and Workday)
  • With Pathlock Control Premium, customers can extend their SAP Process Control implementation to monitor business process controls across SAP cloud applications (like SAP Ariba and SuccessFactors) and non-SAP applications (like Salesforce and Workday)
  • With Pathlock Control 360, customers can extend their Role Based Access Control to Attribute Based Access Control, providing fine grained data masking and encryption to provide greater protection than broad roles can provide on their own

Interested to learn more about how you can extend your SAP GRC investment with Pathlock?  Request a demo of our industry leading capabilities today!