Auditing Authorisations - RSUSR002 or a Tool?

Former Member

I'm an IT auditor and have recently been working on a number of audits of SAP systems, in particular looking at segregation of duties and access to certain transactions. I use RSUSR002 and S_TCODE, and then the relevant authorisation objects, activities etc. by looking in SU24.

I've never had the use of a tool to carry this out and was wondering what feedback people have from using them. I know CSI is an example of one, and that the big audit firms also have proprietary tools.

As each installation I look at is generally different and different transactions and authorisation objects are used, I was wondering whether my manual RSUSR002 way is nearly as effective and fast, or whether these tools really speed up the process. If anyone has experience using the tools and could provide feedback, or if there are examples of the data they produce freely available, that would be very useful.

1 ACCEPTED SOLUTION

arpan_paik
Active Contributor

A free-of-cost compliance tool may be a bit tough to find, but CSI AA, BizRights and SAP RAR are there. I wonder that you still audit manually!!

Regards,

Arpan Paik

3 REPLIES

koehntopp
Product and Topic Expert

If your customer has no SoD monitoring in place my first guess would be there HAVE to be violations (how would they avoid them without active monitoring/planning?).

In that case, you'd have to look at their processes to define what should be segregated; a tool would help you discover those issues.

A tool always has advantages, as there are many, many different combinations of authorization values that create the same kind of issue. Manually you'll catch some of them, but most will sneak past you. If you catch some, the customer really needs to implement a proper authorizations process with SoD checks in order to fix the issues; otherwise this is a wasted effort and they'll just get rid of the ones you found to pass the audit.

Frank.
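The point above about many different combinations of authorization values producing the same conflict is easiest to see on data. The script below is an added example and is not code from any of the posters or from any of the tools named in this thread. It assumes a flat export of one row per (user, authorization, object, field, LOW, HIGH), roughly what RSUSR002 or the USR/UST tables give you; rows sharing a user and authorization name form one authorization instance, fields are ANDed inside an instance and instances are ORed, which is how the authorization check behaves. The value-matching rules (full `*`, trailing `*`, `+` as a one-character wildcard, LOW/HIGH interval) are a simplified reading of the system, and the two business functions, the SoD rule and the user data are constructed for illustration, not an authoritative SoD matrix.

```python
"""Toy SoD check over a flat authorization export (added example, not from
the thread). Assumed input: rows of (user, authorization, object, field, low,
high). Rows sharing user + authorization form one instance; fields are ANDed
inside an instance, instances are ORed. Matching rules, object/field names
and the rule set are illustrative simplifications, not an SoD matrix."""
from collections import defaultdict


def plus_match(pattern, value):
    """Exact match where '+' stands for any single character."""
    return len(pattern) == len(value) and all(
        p == "+" or p == v for p, v in zip(pattern, value))


def field_value_matches(low, high, value):
    """Does one maintained LOW/HIGH entry cover the tested value?"""
    if high:                       # interval, compared lexicographically
        return low <= value <= high
    if low == "*":                 # full authorization for this field
        return True
    if low.endswith("*"):          # trailing generic: prefix match
        prefix = low[:-1]
        return plus_match(prefix, value[:len(prefix)])
    return plus_match(low, value)


def build_instances(rows):
    """user -> list of {'object': obj, 'fields': {field: [(low, high)]}}"""
    instances = {}
    for user, auth, obj, field, low, high in rows:
        inst = instances.setdefault((user, auth), {"object": obj, "fields": {}})
        inst["fields"].setdefault(field, []).append((low, high))
    by_user = defaultdict(list)
    for (user, _auth), inst in instances.items():
        by_user[user].append(inst)
    return by_user


def has_authorization(instances, obj, required):
    """True if a single instance of obj satisfies every required field."""
    for inst in instances:
        if inst["object"] != obj:
            continue
        if all(any(field_value_matches(lo, hi, val)
                   for lo, hi in inst["fields"].get(field, []))
               for field, val in required.items()):
            return True
    return False


# Illustrative functions: (transaction, [(object, required field values)]).
# A user can perform a function if any one entry is fully satisfied.
FUNCTIONS = {
    "maintain_vendor_master": [
        ("FK01", [("F_LFA1_APP", {"APPKZ": "F", "ACTVT": "01"})]),
    ],
    "post_vendor_invoice": [
        ("FB60", [("F_BKPF_BUK", {"BUKRS": "1000", "ACTVT": "01"})]),
    ],
}
SOD_RULES = [("maintain_vendor_master", "post_vendor_invoice")]


def can_perform(instances, function):
    for tcode, checks in function:
        if not has_authorization(instances, "S_TCODE", {"TCD": tcode}):
            continue
        if all(has_authorization(instances, obj, req) for obj, req in checks):
            return True
    return False


def sod_violations(rows):
    """(user, function_a, function_b) for every user who can do both."""
    by_user = build_instances(rows)
    found = []
    for user, instances in sorted(by_user.items()):
        for a, b in SOD_RULES:
            if can_perform(instances, FUNCTIONS[a]) and can_perform(instances, FUNCTIONS[b]):
                found.append((user, a, b))
    return found


# Constructed sample export. ALICE is the obvious case. BOB reaches the same
# conflict via 'F*', an ACTVT interval and '+', with no literal FK01 or FB60.
# DAVE holds create only for company code 2000 and display for 1000, so the
# ANDed fields inside each instance keep him clean.
SAMPLE_ROWS = [
    ("ALICE", "A01", "S_TCODE",    "TCD",   "FK01", ""),
    ("ALICE", "A01", "S_TCODE",    "TCD",   "FB60", ""),
    ("ALICE", "A02", "F_LFA1_APP", "APPKZ", "F",    ""),
    ("ALICE", "A02", "F_LFA1_APP", "ACTVT", "01",   ""),
    ("ALICE", "A03", "F_BKPF_BUK", "BUKRS", "1000", ""),
    ("ALICE", "A03", "F_BKPF_BUK", "ACTVT", "01",   ""),
    ("BOB",   "B01", "S_TCODE",    "TCD",   "F*",   ""),
    ("BOB",   "B02", "F_LFA1_APP", "APPKZ", "*",    ""),
    ("BOB",   "B02", "F_LFA1_APP", "ACTVT", "01",   "03"),
    ("BOB",   "B03", "F_BKPF_BUK", "BUKRS", "1+++", ""),
    ("BOB",   "B03", "F_BKPF_BUK", "ACTVT", "01",   "02"),
    ("DAVE",  "D01", "S_TCODE",    "TCD",   "FK01", ""),
    ("DAVE",  "D01", "S_TCODE",    "TCD",   "FB60", ""),
    ("DAVE",  "D02", "F_LFA1_APP", "APPKZ", "F",    ""),
    ("DAVE",  "D02", "F_LFA1_APP", "ACTVT", "01",   ""),
    ("DAVE",  "D03", "F_BKPF_BUK", "BUKRS", "1000", ""),
    ("DAVE",  "D03", "F_BKPF_BUK", "ACTVT", "03",   ""),
    ("DAVE",  "D04", "F_BKPF_BUK", "BUKRS", "2000", ""),
    ("DAVE",  "D04", "F_BKPF_BUK", "ACTVT", "01",   ""),
]

if __name__ == "__main__":
    for user, a, b in sod_violations(SAMPLE_ROWS):
        print(f"{user}: {a} + {b}")
```

Searching the S_TCODE values for "FK01" would find ALICE and DAVE but not BOB, and a check that pooled all F_BKPF_BUK values of a user without respecting instance boundaries would flag DAVE; the script reports ALICE and BOB only. That is the gap a tool closes: it evaluates the values the way the system does, across every instance, for every rule.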

OttoGold
Active Contributor

Hi,

I've never had use of a tool to carry out this and was wondering what feedback people have from using them. CSI I know is an example of one and that the big audit firms also have proprietary tools.

I am a happy (co)author of a tool that you may find useful. My company's customers do find it useful. But I am not going to sell you anything here; I would like to ask you some more questions (instead of giving answers, sorry for that).

I would like to know:

- how would you describe your skills? Ranging from "push the button user" to "revising the security concept" type of auditor, we need to know more about what you can do, maybe what you were instructed to do, what you were paid to do, how much time you have.

- I guess you work for an auditing company, not a customer, is that right? Because that would make a difference. Internal auditors are trying to protect the company (so I heard), but the external ones know that finding "bugs" is "bonus-relevant".

- do you want to audit SoD, or the overall authorization concept, or what exactly do you audit? Transaction level indicates to me that the "depth" of the audit might not be very "deep", or could be different in goal or scope from what I have experienced so far.

I am not a native English speaker and am afraid that this might sound sarcastic... please, no offense, I just want to know more about what you want to do, because only then can I have suggestions. Otherwise I would be suggesting nonsense (or just stay quiet :)).

Have a nice day and good luck with the tasks,

cheers Otto