10-12-2009 9:24 AM
Good day all,
I would really appreciate it if I could get some assistance with regards to the above. We are preparing for a system audit from external auditors.
I would like to know how to prepare for an SAP audit: what do I need to do to ensure a successful result? What transaction codes do I need to run? In other words, what transactions will the auditors be running when they get here?
Thanks.
10-12-2009 9:28 AM
Oh oh oh... you are in big trouble...
Just joking.
If you have no clue where to start and what you should have / could have been doing already (the auditors will look for this...) then start transaction 'SECR'. It is obsolete, but will point you to the Audit Information System's role menus. You can then follow through them to cover the basic stuff which an auditor will look for as well.
Cheers,
Julius
10-12-2009 10:59 AM
Adding to Julius' suggestions, a basic audit scope would cover the following areas:
- SAP security settings
- Application security design
- Security design for IT support services
- Segregation of duties
- User provisioning and administration processes
- Authorisation change management processes
- SAP development lifecycle and change management processes
Hope this helps.
Best Regards,
Richard
10-12-2009 11:22 AM
Most auditors will use the holy trinity of SUIM, SA38 and SE16 to perform the majority of their tests. The other guys have given you good info on what they will be looking for/how to do it.
The way to pass an audit is to ensure that you have adequate controls embedded in your security implementation and related processes. Your auditors will usually provide you a high-level overview of what they are looking for if you ask them (lots of people forget to do this).
02-16-2010 7:34 AM