Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Audit

Go to solution
Former Member

‎09-10-2008 6:58 PM

0 Kudos

Hi gurus,

I'm preparing for my first audit and would appreciate all your inputs.

Is there an audit guideline that I can refer to? What things are the auditors looking for? What is their take on LSMW and SE16 access in prod? What kind of access do they need?

Thanks!

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎09-10-2008 9:50 PM

0 Kudos

HI Bliss,

Your Auditors would have told your company what they are looking for. Your company should have told you, if not then you should find out why.

If you security build & process meets anything close to reasonable practice then you will have nothing to fear. There is a wealth of information covering all of this in the search function, google, auditnet etc.

You can always get something out of audits, you can either accept it or defend yourself. If you defend yourself, triple check that you have your facts right, often senior management will side with the people they have paid £1500 a day for......

9 REPLIES 9

Go to solution
jurjen_heeck
Active Contributor

‎09-10-2008 7:13 PM

0 Kudos

> Is there an audit guideline that I can refer to?

How do you mean 'refer to'?

> What things are the auditors looking for?

I think they should tell you that.

> What is their take on LSMW and SE16 access in prod?

My experience is they're generally against it but can not motivate that properly. They've learnt it's bad !

> What kind of access do they need?

Search the forum on "AIS" (Audit information system) and you'll get lots of info.

There also is a chapter on auditing in our famous sticky:

Jurjen

PS, don't think an audit is somenthing you should fight against or prepare for. Just hope your system is ready and learn from it if it's not.

Go to solution
Former Member

‎09-10-2008 7:14 PM

0 Kudos

Answering it Julius way..... search the forum for your requirements. Your query way to generic.

For SE16, check this thread :

https://forums.sdn.sap.com/watches!add.jspa?forumID=208&threadID=942050

I am sure if you'll get all what you need if you'll search specific to your needs.

Regards,

Zaheer

Go to solution
jurjen_heeck
Active Contributor
In response to Former Member

‎09-10-2008 7:16 PM

0 Kudos

Nice find Zaheer!

Go to solution
Former Member
In response to Former Member

‎09-10-2008 7:28 PM

0 Kudos

Thanks Jurjen...

I hope Julius wouldn't mind "...the Julius way... "

Go to solution
Former Member
In response to Former Member

‎09-10-2008 7:58 PM

0 Kudos

I heard my name...

I was an auditor for a while. My first issues with this would be that:

- Bliss IM is not following up on his/her posted questions...

- This posted question is very dangerously close to "double-posting", which is against the rules...

- Looks like end user training issues and monitoring weaknesses... <= in my opinion a very underrated audit findings btw.

- ... other 30 MB of audit checks in julius_sap_audit_checks.mdb ...

- Instinct...

Basically, it will depend on the skills and the experience of the auditor and how much support they have.

You can learn stuff from them and their reports can help, but as the above can vary hugely between audits and auditors, it is best to follow George's advise in the closing comments of this thread:

Cheers,

Julius

Go to solution
Former Member

‎09-10-2008 9:15 PM

0 Kudos

A very VERY interesting aspect of this question is:

> What kind of access do they need?

Some systems I have audited used the "you navigate, I drive" approach.

Basically, you go through the audit with them (if you take the time...).

That way you learn the most from the audit and can also judge their skills, not to mention explain some stuff "on site"... this prevents recurring misunderstandings and they can still challenge it if they know what they are talking about.

My experiences from this approach are very positive, and I still have contact to many "auditees" who have taken this approach (other folks never seek contact with auditors... which in their view is always a bad idea...). Fair enough, unless you have worked with the auditor....

The Auditor Role is an excellent question though!!! Thank you Bliss IM...

Cheers,

Julius

Go to solution
Former Member
In response to Former Member

‎09-10-2008 9:19 PM

0 Kudos

I agree with you Julius, In our implementation we have designed separate roles for Internal and external auditors, which are mostly reports and display.

Regards,

Zaheer

Go to solution
Former Member
In response to Former Member

‎09-10-2008 9:29 PM

0 Kudos

I have worked alot with the external and (also as) internal auditors using the "you navigate, I drive" method.

I am not aware of any valid argument against it, except some special cases where the auditors are infact entitled to make some journal entries to special accounts even.

I sometimes find it ironic that they even bill me for it afterwards...

Cheers,

Julius

Go to solution
Former Member

‎09-10-2008 9:50 PM

0 Kudos

HI Bliss,

Your Auditors would have told your company what they are looking for. Your company should have told you, if not then you should find out why.

If you security build & process meets anything close to reasonable practice then you will have nothing to fear. There is a wealth of information covering all of this in the search function, google, auditnet etc.

You can always get something out of audits, you can either accept it or defend yourself. If you defend yourself, triple check that you have your facts right, often senior management will side with the people they have paid £1500 a day for......