Application Development Discussions
SOX Compliance

Former Member

Folks,

Can anybody provide some documents on SOX compliance with respect to SAP Security?

Thanks

Sudhan Shan

1 ACCEPTED SOLUTION

Former Member

Hi,

Here are some of the things an auditor looks for, from an SAP Security compliance perspective:

Databases are appropriately secured from unauthorized access (looks for approved policies and procedures)

Evidence exists to ensure database integrity (looks for evidence of policies and procedures)

Roles and responsibilities for security administration are clearly defined and documented

Processes and procedures for granting access to sensitive system profiles

Transfers and leavers processes, and evidence for the same

Segregation of duties conflict matrix, and mitigating controls for the same wherever applicable

Access rights should be reviewed at least on an annual basis

Password controls for users

External connection request process and review

Security incident logging, monitoring and follow-up

Restrictions on the use of powerful IDs like SAP*, DDIC, etc.

Cheers,

Kedar


Former Member

Take a look at this site to see what the auditors might be looking for:

http://www.audit.executiveboard.com/ADR/1,3140,,00.html

There was also a 10 hotspots for Security document there, which the auditors got excited about recently, so I think their resource center is well visited.

Some of them also hang out at http://www.auditnet.org/sarbox.htm


Hi Julius,

First link does not work anymore.

Second link needs membership from your organization.

thanks

Arvind Leo Pereira


It certainly is not my organization. Was just a resource I used back then.

They seem to have stopped SAP-related content and deleted the old content.

So just ignore it.

I will lock this thread now -> 10 years old so outdated.

Cheers,

Julius

Can you provide some documents on SOX compliance from an SAP perspective? Also, I would like to know more about the VIRSA tool.

Thanks

Sudhan Shan


Hi,

The points that I had sent in the earlier post are the SOX SAP Security framework. The basic idea of SOX is to see whether your company is following its Financial controls and Internal Control Standards. There are hundreds of documents...

VIRSA is a tool that lets you check for conflicts, say between roles, etc., and is used at the time of granting access to users. If a conflict is found then it has to be resolved before the access is granted. It's nothing but a SE38 program with a selection screen and has tables to capture the data from. It's compatible with all SAP platforms, BW, R3, etc. Recently SAP acquired the company.

Hope this helps.

Cheers,

Kedar


> Hi,
>
> The points that I had sent in the earlier post are the SOX SAP Security framework. The basic idea of SOX is to see whether your company is following its Financial controls and Internal Control Standards. There are hundreds of documents...
>
> VIRSA is a tool that lets you check for conflicts, say between roles, etc., and is used at the time of granting access to users. If a conflict is found then it has to be resolved before the access is granted. It's nothing but a SE38 program with a selection screen and has tables to capture the data from. It's compatible with all SAP platforms, BW, R3, etc. Recently SAP acquired the company.
>
> Hope this helps.
>
> Cheers,
> Kedar

Hi,

The SAP security tool, which is better known as Access Control, works on the concept of segregation of duties according to compliance standards (SOX - Sarbanes-Oxley).

Consider two fraudulent activities such as:

Creating a vendor and initiating the payment to this vendor. This combination of activities is where potential fraud can happen. The Virsa tools, which have now been acquired by SAP, check the potential risk before and after the user is created in SAP, a risk that can be introduced into the ERP because of roles which have conflicts. The user is analysed in real time while access is granted in SAP, so that the ERP can be clean and compliant with SOX for audit purposes.

Hope this is relevant.

Regards,

Vikas
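The segregation-of-duties check Kedar describes (conflicts between roles, resolved before access is granted) and Vikas's vendor-creation-plus-payment example can be shown as a small, self-contained script. This is an added illustration for the thread, not code from SAP, Virsa or any of the posters. The function names, the `Z_` role names, the user IDs, the mitigating-control ID and the conflict matrix are all assumptions; the mapping of functions to standard SAP transaction codes (XK01 = create vendor, F110 = payment run, etc.) is a simplification, since a real ruleset would also evaluate authorization objects and field values rather than transaction codes alone. All sample data is constructed.

```python
"""Segregation-of-duties (SoD) check over SAP-style role assignments.

Added illustration for this thread; not code from SAP, Virsa or any poster.
Function/role/user names, the conflict matrix and the mitigation ID are
assumptions; tcode mappings are a simplification of a real ruleset.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Business functions expressed as sets of transaction codes (assumed mapping).
FUNCTIONS = {
    "vendor_master_maintain": {"XK01", "XK02", "FK01", "FK02"},
    "vendor_payment_run": {"F110", "F-53"},
    "purchase_order_create": {"ME21N"},
    "invoice_post": {"MIRO", "FB60"},
}

# Conflict matrix: unordered pairs of functions one person must not hold.
CONFLICT_MATRIX = {
    frozenset({"vendor_master_maintain", "vendor_payment_run"}):
        "create a fictitious vendor and pay it",
    frozenset({"purchase_order_create", "invoice_post"}):
        "order goods and post the invoice for them",
}

# Constructed sample roles (hypothetical Z_ names) and the tcodes they grant.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "FK02", "FBL1N"},
    "Z_AP_PAYMENT_RUN": {"F110", "F-53", "FBL1N"},
    "Z_MM_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_AP_INVOICE": {"MIRO", "FB60", "FBL1N"},
    "Z_DISPLAY_ONLY": {"FBL1N", "XK03", "ME23N"},
}

# Constructed current user-to-role assignments.
ASSIGNMENTS = {
    "JDOE": {"Z_AP_VENDOR_MAINT"},
    "ASMITH": {"Z_MM_BUYER", "Z_AP_INVOICE"},
    "BLEE": {"Z_DISPLAY_ONLY"},
}

# Mitigating controls a control owner has accepted for a known conflict
# (constructed; the control ID is hypothetical).
MITIGATIONS = {
    ("ASMITH", frozenset({"purchase_order_create", "invoice_post"})):
        "MC-017 monthly three-way-match review by AP manager",
}


@dataclass(frozen=True)
class Finding:
    user: str
    conflict: FrozenSet[str]
    risk: str
    roles: FrozenSet[str]       # roles that together produce the conflict
    mitigation: Optional[str]   # None = unmitigated SoD violation


def functions_of(tcodes: Set[str]) -> Set[str]:
    """Business functions that a set of transaction codes enables."""
    return {name for name, needed in FUNCTIONS.items() if tcodes & needed}


def sod_findings(user: str, role_names: Set[str],
                 mitigations=MITIGATIONS) -> List[Finding]:
    """Evaluate a user's combined access against the conflict matrix."""
    held = functions_of(set().union(*(ROLES[r] for r in role_names)))
    findings = []
    for pair, risk in CONFLICT_MATRIX.items():
        if pair <= held:  # the user holds both sides of a conflicting pair
            via = frozenset(r for r in role_names
                            if functions_of(ROLES[r]) & pair)
            findings.append(Finding(user, pair, risk, via,
                                    mitigations.get((user, pair))))
    return findings


def simulate_grant(user: str, new_role: str,
                   assignments=ASSIGNMENTS) -> List[Finding]:
    """Pre-grant check: conflicts that assigning new_role would newly create.

    This is the point at which the request is blocked, or routed for a
    mitigating control, before the role is actually assigned.
    """
    current = assignments.get(user, set())
    before = set(sod_findings(user, current))
    after = set(sod_findings(user, current | {new_role}))
    return sorted(after - before, key=lambda f: sorted(f.conflict))


def review_all(assignments=ASSIGNMENTS) -> List[Finding]:
    """Post-grant periodic review of every user; unmitigated conflicts first."""
    found = [f for u, rs in assignments.items() for f in sod_findings(u, rs)]
    return sorted(found, key=lambda f: (f.mitigation is not None, f.user))


if __name__ == "__main__":
    for f in simulate_grant("JDOE", "Z_AP_PAYMENT_RUN"):
        print(f"BLOCK {f.user}: {sorted(f.conflict)} via {sorted(f.roles)}")
    for f in review_all():
        status = ("mitigated by " + f.mitigation) if f.mitigation else "UNMITIGATED"
        print(f"{f.user}: {sorted(f.conflict)} ({status})")
```

Running it shows the two checks the thread distinguishes: `simulate_grant` is the real-time check at the moment of granting access (adding `Z_AP_PAYMENT_RUN` to `JDOE`, who already maintains vendors, is flagged; adding a display-only role is not), and `review_all` is the periodic access review that also tracks which remaining conflicts are covered by a documented mitigating control, which is the evidence an auditor asks for.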