What audit tools are required to perform an SAP audit?
The 3 main types of review (SAP Basis, SAP Business Process & SAP SoD Review) can be performed entirely using audit tools and techniques existing within the SAP system itself. The type of tools available includes:
- System transactions – for example, transaction ‘SUIM’ allows the reviewer to search for users with access to sensitive system access. In addition, transaction SE16N (display only) allows the reviewer to view SAP tables to identify information such as authorisation groups in use, table protection levels assigned etc
- SAP logs – these allow a reviewer to search for sensitive actions performed in the system (e.g. last logon date for privileged system-delivered user IDs, date production client was last opened for change etc)
- SAP reports – these allow a reviewer to examine security configuration settings (e.g. report RSPARAM can be used to examine password parameter settings)
Therefore, external auditing tools are not essential. However, they can be extremely useful for reducing the amount of manual input required and making the review more efficient. This is most significant when analysing SoD conflicts in the system and/or reviewing assignment of sensitive access, particularly due to the fact there are normally several transactions which allow the same function to be performed in SAP and so each variable needs to be considered.