
Quick question about SAP Security analyst responsibilities

Former Member
0 Kudos

This question was posted on another site and I was asked by the moderator to cross-post it here:

On another discussion forum, the topic of the SAP Certification program came up. In the discussion thread, there was some debate about the subject areas tested on the exam for SAP security, so I am putting the question to you.

At your current workplace, which of the following, if any, are responsibilities/ expected competencies of your experienced SAP Security analysts:

Encryption

Single Sign-on configuration/ maintenance

Network topology (SAP router and web dispatcher)

Operating system (SAP gateway)

Database security

J2EE

To categorize the responses, it would be helpful to know if you consider yours is a relatively large SAP support organization or not.

Thanks in advance for your responses and comments.

Regards,

Gretchen Lindquist

1 ACCEPTED SOLUTION

koehntopp
Product and Topic Expert
0 Kudos

Hi Gretchen,

I think we can agree that even if we'd try to come up with a certification scheme that would try to make certification as a sole proof of security prowess more meaningful, we'd probably fail. What certification can do is check if there's a certain kind of knowledge available in the applicant, and that maybe therefore he has an overview of the broader area of SAP security.

A good security consultant has a wide overview of general security concepts and how those need to be applied in an SAP landscape, and deeper knowledge in one or several areas of SAP security. And he/she'll know when he needs to bring in someone else for the pieces he doesn't have the required knowledge.

In an SAP context, experience with clients of the same size/business area is certainly a plus. As is having done previous projects successfully, and having a way to prove that.

That's probably all you can reasonably ask for.

"SAP Security" means different things to different people (you didn't even mention authorizations, regulatory compliance, data protection in your post). If you'd be looking for a "full" SAP Security certification you'd have to add sub-certifications for all the topics.

And even then, you still wouldn't know if the consultant was up to the task you have in mind. Exactly as having a medicine degree doesn't make sure you're good at brain surgery.

So let's stop hitting on certification, because that's not leading us anywhere. It is a way of certifying that there is a certain basic knowledge, and that's a value for some, but not necessarily a good criterion to pick consultants.

If you want to pick a consultant, you'd do the same thing you'd do if you had to pick a doctor: you ask friends, you look for references. Nowadays this includes SCN activity, social media, LinkedIn references and much more. You'd talk to the consultant, and maybe go through the task at hand with him to see if he 'gets it'.

Kind regards,

Frank.

27 REPLIES

Former Member
0 Kudos

Hi Gretchen,

I am a consultant so have a slightly different perspective than an end user.

A typical client security engagement for me will involve 3 or 4 out of those competency areas and on top of that: secure communications & secure application (what I know and love as roles & users, some of our friends will refer to that as secure coding). In general, security administrators at my clients focus on roles & users and their competencies are only in those areas. That is the same for small (<500 users) and large organisations (>20k users).

In my opinion this is one of the problems with our industry and in particular with individuals who consider themselves SAP Security professionals. It is no secret that the wider security industry often views SAP Security practitioners as a bit limited in skills due to the lack of understanding of infosec basics.

SAP security is not just roles & users, SoD's & SU53's. They are an important part of securing SAP but only a few of the components. As you have pointed out in the competency areas SAP Security is about the environment in which the SAP system resides and operates and our need is to ensure the C,I,A over those systems that support business processes.

As an employer I expect a SAP Security professional to have understanding of all of those competencies (and a few more). In the same way that GRC is much more than a tool provided by SAP, SAP security is a holistic subject that by necessity covers multiple subject areas.

Regarding expectations of a security analyst, I expect them to be able to understand the wider security environment around their system and to be comfortable talking about things like comms security, SSO, secure programming (the basics), OS, network topology and DB security (the basics). Most importantly they should know how they work together to form the security environment and where the dependencies or touch points are between them. It's not unreasonable for basis and technical teams to perform much of the work in these areas but that is not to say that "out of sight is out of mind".

I don't hide my views on the inadequacy of the certification process in its previous incarnations. SAP is doing great work to improve this which is a positive step. What is critical is that a demonstration of competency (e.g. certification) in SAP Security covers the whole subject (or as much as practical).

If people want to break the topic down then that's great but resulting certifications should be pointed out as what they are e.g. Certification in role & user administration.

I hope there is something in there to provoke thought & discussion!

Regards

Alex

Edited for clarity by: Alex Ayers on Feb 9, 2012 9:49 AM

0 Kudos

Aw, Alex! Eloquent! Polite! A real gentleman! You covered most of what there is to say on the topic.

I will put it much more bluntly than you did: there's no such thing as a SAP-security specialist, restricting her/his activities to SU01. PFCG at the utmost. SU24 only in cases where the world is about to end.

A SAP security expert (where I strongly feel, the "SAP"-bit doesn't really have a place here any longer) does - among many other things - in-SAP security.

IT-landscapes in business processes no longer orbit around SAP as "the leading system", basically SAP ERP is more and more becoming "the backend" for applications put on portals, on sub-, daughter-, sister-, or otherwise related systems - most of the connections to SAP developed using RFC's, Java etc. This is the level where modern "security" happens: coding, interfaces, sub-systems, internet-connections, SSO, ... the SU01-bit already looking archaic!

All of the above are reasons why I am seeing the SAP security certification for what it is: making money. Nothing wrong with that, mind you! But an attestation to a person's qualifications where the most sensitive systems, a company can have, are at stake? Hardly. Too narrow a scope. If given the choice to interview a SAP-certified person as opposed to a CISSP certified person, guess who's getting the interview? That's right: the CISSP person. She/he has a deep knowledge of all things security on many of the most important areas - if I want her/him to meet the challenge of SU01, one SAP course should do nicely, yes?

arpan_paik
Active Contributor
0 Kudos

When we talk about SAP Security consultant then they are very much restricted to ADM940 and partial ADM950. Whereas ADM960 is just theory to me till date. I did not find a single client who gives these responsibilities to SAP Security consultant. Where a network security consultant or DBA or Basis guys are much preferred. On the other hand SAP Security consultants are in much more need of knowledge of other components like BI, HR, PI, CRM, SRM, GRC (admin) etc. I can also add SolMan in the list as it is a must buy now.

Nowadays I have seen how customers are depending on these new technologies and their search for consultants who know all of them, not only R/3 or ERP.

Apart from these I think a basic understanding to business process in other domain should also be in certification program. For example, how the SO cycle is happening when I am giving access to VA01, VL01N etc.

Regards,

Arpan Paik

martin_voros
Active Contributor
0 Kudos

Hi,

As a consultant I've seen various clients and it really depends on culture and structure of business. I've never seen organization where SAP analyst was responsible for DB and OS security. Unfortunately, I have to agree with others that usually SAP security analyst = guy who knows PFCG. I am not CISSP certified but I know roughly what is covered by CISSP. So my ideal security analyst is CISSP + SAP knowledge. It's really easy to learn SAP specific tools and apply them properly if you have good foundation. Sometimes it's really painful to see guys who for example do not have any clue how an SSL certificate works but are responsible for security roles. I am not a fan of certification, especially certification provided by vendor, but value of security certification would significantly decrease if SAP removes some basic stuff from certification.

Cheers

Former Member
0 Kudos

Thank you all for sharing your thoughts on the question. It was not intended as "hitting on" the security certification. The original discussion concerned making the SAP certification more valued and sought after, and my original response was that the certification would be more sought after if it were more closely aligned with today's jobs. Considering the responses that are posted here, the common thread is that the respondents seem to see it not aligned with the current jobs, but in different ways. Thus, at this point, I do not see consensus on what competencies should be tested in the SAP security certification, and that was all I was trying to establish. Therefore the suggestion to take a more modular approach might be the way to make it more popular among SAP security practitioners and those who hire us.

I found it interesting that people seemed to read into the question that I was talking about consultants. That word was not used in my post. If the certification program is intended only for consultants, I would suggest that this approach is leaving out a lot of SAP security practitioners.

Thanks again everyone for your comments.

Kind regards,

Gretchen

Former Member
0 Kudos

Interesting exit strategy...

I do not see the discussion so far as being any evidence that more modular certifications are required nor that it is OK to throw anything which cannot be solved by ST01 over the fence to the basis team.

The comment about not being wanted to be operated on by surgeons who are only familiar with one of the tools and the other machines are just flashing lights for them hits the nail on the head.

I do not believe that it is possible to pass the exam unless you also "get it" for the various other non-PFCG topics and have some experience with them. For some questions, they cannot be answered by someone who has not actually "done it" either.

This is IMO correct - the scope and complexity of the exam matches the requirements of the systems and to some extent the security industry outside of the proprietary SAP mechanisms. There are even some legal questions...

@ Mylene: It has significantly improved since you probably last looked. You can find the "modules" here --> https://training.sap.com/ch/de/certification/p_adm_sec_70-sap-certified-technology-professional-secu...

@ Gretchen: Why the venom against the current exam? Did you take the exam and don't like it? SAP also offers a new Security Workshop (http://www28.sap.com/mk/get/CH_10_WDESEC_EN_JAN) which includes the certification exam as an option for those who are interested in or needy of the needful beyond PFCG.

Cheers,

Julius

Former Member
0 Kudos

Julius,

"Venom"?? What did I say that was venomous? I stated my opinions about the test and what I observed from the responses. I certainly could be mistaken, but I do not recall using any venomous expressions. Please point out any words or phrases that you deem "venomous", for my edification.

I must say, this has been a most educational experience.

Kind regards,

Gretchen

Former Member
0 Kudos

Hi Gretchen,

I interpret your repeated requests to have infrastructure security topics removed from security certification to be rather venomous, or bitter. Hence my question what your motivation is for this?

These topics are important yet sadly neglected by many customers and auditors due to missing skills. That they are included in the certification exam is IMO perfectly correct.

Cheers,

Julius

Former Member
0 Kudos

Julius,

Your interpretation is quite mistaken. I have already explained that I have observed that the test covers areas not part of many current SAP security jobs today. If you refuse to believe that explanation, and choose to imply that I am a liar, there is nothing more I can say. I have no bitterness or venom towards the test; I just genuinely believe it would be more widely accepted if it were better aligned with the majority of SAP security jobs. We were discussing how to make it more popular, and I offered my opinion, with which you have disagreed. We can agree to disagree without further personal attacks, which are not helpful responses. End of discussion.

Gretchen

Former Member
0 Kudos

Hi Gretchen,

I believe you that this is your observation from ASUG polls, but in my opinion it is a problem that an internal security analyst, external consultant and a project auditor who are all certified get together to discuss SAP Security and "issue" professional opinions when all they are focusing on is PFCG UIs and GRC rulesets.

The rest gets thrown over the fence to basis (if it even reaches this meeting agenda at all) or latest the developers write a report which makes it look OK in the UIs.

That is IMO not sufficient, and accordingly the SAP Security certification expects considerably more. This is particularly true when the integration scenarios are remote enabled or internet facing. It is more critical than SAPGui access in most cases... You even need to know about this when building roles for the ICF and RFC scenarios and how much security the middle-ware and network offers in comparison to the backend granularly (and maintenance effort!). Also whether you use propagation of the authenticated ID (which is gaining increasing traction) or system services with generic access, and therefore are forced to consider the front-end (as Mylene also stated). This means you must consider the coding of the front end usually and the APIs on the backend. How to design the function groups. Virtual hosts or the local one. URL filtering on the incoming calls or reverse proxies. Is there more than one application server and do the applications have stateful requirements which are cached. Is SSL end to end or terminated at a proxy.

Cheers,

Julius

Edited by: Julius Bussche on Feb 10, 2012 12:17 AM

Former Member
0 Kudos

> @ Mylene: It has significantly improved since you probably last looked. You can find the "modules" here --> https://training.sap.com/ch/de/certification/p_adm_sec_70-sap-certified-technology-professional-secu...

>

> @ Gretchen: Why the venom against the current exam? Did you take the exam and don't like it? SAP also offers a new Security Workshop (http://www28.sap.com/mk/get/CH_10_WDESEC_EN_JAN) which includes the certification exam as an option for those who are interested in or needy of the needful beyond PFCG.

Hi All,

I thought I will throw in my 2 cents even with the risk of getting shot in the crossfire.

SAP has different certification levels. I assume the earlier associate level security certification (C_TADMSEC_04) is just being reviewed and will be back. It may take a long time before it's back but if the history repeats itself that will happen. (I did some sort of workflow certification year 2002 and it disappeared soon after: Now 2012 it is back with code C_BITWF_73 and it now includes areas of ABAP OO and WebFlow services. It's just updated but still associate level since it is very limited in scope.)

Above mentioned SAP security certification (P_ADM_SEC_70) is professional level and because of that it should cover more than PFCG. I have also sat associate level HR certification and I think I was on my limits to pass that with my HR knowledge. I see that SAP has done well with certification levels - I am not even considering professional level HR certification unless I gain >3 years of hands-on experience in the area of professional level certification.

I can see the need for associate level security exam because as said before the reality is that there are PFCG guys like me and then professionals who look after network security also. Any certification itself has never won me a job or a contract but I might try associate level as a test for myself. And new consultants without work experience can maybe prove that they know the basics by sitting the associate level exam.

Julius, that workshop looks very interesting! Pity it's held so far away. Any chance some Swiss professional would like to experience the rainy summer in Australia? I would be glad to participate just for the workshop without the test.

Cheers,

Saku

Edited by: SaQ on Feb 10, 2012 2:18 PM - some typos fixed - still most likely plenty left.

martin_E
Active Contributor
0 Kudos

Gretchen,

My experience is that the smaller the customer, the more the BASIS / Security person is meant to know. For example, for a recent assignment (basically initiated by an acquaintance phoning me and screaming HELP!!!), I had to correct the SSO configuration between the Portal and the ERP system. This required knowledge of:

Encryption (i.e. SSL certificates),

Single Sign-on configuration/ maintenance,

Network topology (the users were customers, accessing the portal via a web dispatcher in the DMZ)

Operating System (Windows firewall settings for the chosen HTTPS ports)

I also had to be cognisant of the SAP Router and the firewall settings on the customer's firewall appliance. About the only thing I didn't use from Gretchen's original list was the Database Security.

When I was working for CSC, larger projects tended to separate the functions out, for example we wouldn't have any access to the firewall appliances, and in some cases SAP security people didn't even have operating system access - that part of the job was performed by BASIS or Operating System people; the most extreme case I saw had ABAP BASIS and Security people and J2EE BASIS and Security people (i.e. 4 teams).

Julius,

I would also be interested in the Best Practice SAP Security Workshop for Professionals workshop, so that makes at least two of us in Australia, if you want to make a business case for running one down here (make it soon, we are slowly heading into autumn and winter !!!)

SaQ,

Look at https://training3.sap.com/au/en/curriculum/nw_adm_tc_basic_au-technology-associate-professional-plat... for the curriculum and path to the P_ADM_SEC_70 certification; the links from this particular page SHOULD take you to the Australian / NZ courses and schedules, but it doesn't look like they have set up the 2012 dates and schedules yet ....

hth

koehntopp
Product and Topic Expert
0 Kudos

> Thank you all for sharing your thoughts on the question. It was not intended as "hitting on" the security certification. The original discussion concerned making the SAP certification more valued and sought after, and my original response was that the certification would be more sought after if it were more closely aligned with today's jobs.

> Thanks again everyone for your comments.

> Kind regards,

> Gretchen

Hi Gretchen,

I think you're making an important point here (at least I think you are - I'm not a huge fan of cross fire, either), which is that "today's jobs" rarely include many of the things the certification is looking for.

I think it's about time they do.

The idea that SAP Security ends when the roles have been assigned is a big problem for our customers. (Although I wish even that was done with a bit more seriousness by some...). The "other side of security practitioners", i.e. the people who try to get into systems that don't have enough of it, is shaping up and currently has a wide playing field. We don't have enough security practitioners that see the big picture and understand the implications, i.e. that they need to do much more than use PFCG to make their systems secure.

This starts in system architecture, network design, use of encryption, system maintenance and patch strategies and leads up to processes such as intrusion detection and incident response. Right now many customers are not able to consume the huge effort SAP puts into stuff that makes SAP more secure, often times because the extent of the words "SAP security" is not being fully understood.

So, to make that point: I'm happy that certification and training do cover those areas, and my hope is that this may create a few multipliers that help customers understand this. If we can find some in ASUG which help make today's jobs more aligned with what's being covered in security certification, I'd consider this the right way forward.

Sorry for turning your point on its head

Frank.

Former Member
0 Kudos

Julius, thanks for the link. I apologise for my earlier "making money" comment. Obviously, I have been "out of the loop" for much longer than it felt. The area in security covered by that exam has broadened a lot. Which is good.

It's still not sufficient and I think Martin English's example testifies for that. I'm not quite content with the "the smaller the company" comment ... but I'm willing to let that go. I have been working in this Basis/Sec job for 18 years now and the one thing I can attest is: system landscapes have become extremely complex, spreading over various systems (by even more various vendors) and in our case up to 800 mobile devices. That's not counting the interfaces to output management systems, some 30 portals etc. You cannot simply draw a line and declare basis to be on the right side and security on the left. These times are over and done with. I think, even in bigger companies, managers start to realise that to cover "SAP security", a Martin English beats a pure PFCG guy any time.

Still, weekend is coming - have a nice one, everybody.

Cheers.

Former Member
0 Kudos

I formulated a response last night but Mylene and Frank have covered much of what I wanted to say.

I would like to add the following points.

1. A FI analyst who doesn't understand Financial Accounting would not be deemed proficient however there are many SAP security analysts who do not understand the context in which they operate.

2. Contextual knowledge of the wider topic of security does not equate to a huge level of knowledge, just an understanding of the concepts, how they apply to SAP and how we address them (even if . When I work with my team I apply the test: Could this individual comfortably converse with a client CISO on a range of general security topics?

Cheers & have a great weekend.

Former Member
0 Kudos

@ Martin & Saku: Hmm... tempting. What time of year is crocodile hunting season?

You can enquire about the workshop at your local SAP Education office (I only developed the content, SAP owns it and co-ordinates them). Currently I am only aware that Switzerland and Walldorf have it on their 2012 catalogues, but there were also requests from the US in the past (that might be closer for you).

As far as I know it only takes place if there are sufficient attendees and for a trip to Australia it would probably need more than 2. Perhaps you can combine it with a TechEd EMEA or some skiing? (ps: I learnt to ski when I was already 20 years old; it was me and a whole bunch of 6 year olds for a 5 day training. I even wore the "bugs-bunny ear warmers" as it was very cold.)

Cheers,

Julius

Former Member
0 Kudos

Dear all,

For folks who are interested in security certification limited to authorizations and audit type of topics, there is now also for release 7.31 an associate level certification:

http://training1.sap.com/v2/certification/c_audsec_731-sap-certified-technology-associate---sap-auth...

It is available in English in Germany and Switzerland already, but it should appear soon elsewhere (particularly if you ask for it... 🙂)

Cheers,

Julius

Former Member
0 Kudos

Thanks for the info Julius.

I feel a bit sad this certification wasn't named something more appropriate like certified role monkey.

Former Member
0 Kudos

Alex,

Alex Ayers wrote:

> I feel a bit sad this certification wasn't named something more appropriate like certified role monkey.

What an interesting insight you have given us into your attitudes towards SAP security production support personnel, which is to say, clients. I wonder if you insult your clients with that moniker to their face or only behind their backs. Would you like it if I said that your comment qualified you for a certification in arrogance and earned you a spot on the list of people I would not want anywhere near my organization's SAP landscape? I suspect not. Keeping in mind that not everyone on SCN is a technology consultant, perhaps we could just agree that there are a variety of jobs within the area of SAP Security, and this new certification seems to come closer to being aligned with the job responsibilities of some of us.

Gretchen

Former Member
0 Kudos

Gretchen,

I think we both appreciate that we will not align on this.   My thoughts on the lack of skills (of which humility is but one of many areas for my personal development) within the SAP security field are well documented.  It is something I openly share with my clients, many of which recognise this issue and are looking to do something about it.

If people want certification to recognise the ability to perform basic security admin tasks then so be it and power to them.  My personal position is that it devalues the certification process by fundamentally failing to address the very skills gap that we have within our community and which are getting more & more relevant each year.

Cheers

Alex

Former Member
0 Kudos

59% to pass also begs the question of whether you want a surgeon to operate on some important parts of your body if he / she has a certificate on the wall that passed 80 multiple choice questions with 60%... 🙂

So, don't underestimate the difficulty of the 80 questions on release 7.31, including Java stack supported concepts as well as the various ABAP ones.

You must also have practical experience - just being a muppet at security meetings, reading a theoretical book and mastering MS PPT will not be enough to pass.

There might also be negative points for any questions dealing with composite roles... not sure.. 🙂

Cheers,

Julius

Former Member
0 Kudos

Alex Ayers wrote:

> I feel a bit sad this certification wasn't named something more appropriate like certified role monkey.

FYI: The non-monkey professional security certification exam is now released for 7.31 as well -> http://training2.sap.com/v2/certification/p_admsec_731-sap-certified-technology-professional---syste...

Cheers,

Julius

Former Member
0 Kudos

Great news. 

Former Member
0 Kudos

Hi Alex

I have no other experience in SAP other than MM, WM and a little PM. I moved into security purely to support a UK Gas company during a rollout in 1999.

I openly admit to not having any proper portal etc expertise but I still consider myself to be a half-decent SAP security contractor in the ECC environment.

I have no certificates from SAP (unless you count a procurement one) but I think I can generally get by in my daily tasks.

Most important thing is (IMO) - working in your team and sharing/working together to understand issues and resolve them.

If you have good selection of people in the team then you are 'cooking' techie, programmer, portals, business knowledge, security

Maybe I'll pick up the new stuff as I bimbles along but I tend to forget the old stuff as the new stuff takes its place. Used to remember where I lived once I think...

Best wishes

David

Former Member
0 Kudos

Hi DB,

That may be a good personal strategy to position yourself in a contract or even globally as a subject matter expert. If you are deep enough into the end-to-end MM, WM and PM implementations then you will know enough about FI etc to avoid TAX problems, consignment stock holding always involves some sort of infrastructure topics and you can hardly implement anything nowadays without the SD side wanting to come through from mobile devices to verify stock levels or delivery schedules. You will be fine in the exam.

If you are involved, knowledgeable and experienced enough in all aspects of MM, WM, PM security then you will really be fine to pass the exam, even if you have to take a few guesses on the name of the table for HR Org. Management integration... or take a blind guess that GRC is going to lower your ROI instead of waste your time regardless how you use it... etc...


However if your employer or contracting agency or ego forced you into a little box then it might be tough to have enough breadth and depth of knowledge or experience to pass the professional exam, but that was the same in the old exam as well.

If only interested in GRC and some PFCG things, then stick to the Associate exam. If you are deeper into the topics, including upgrades, integration, authentication options, some Java options, selected coding aspects... then go for the professional exam.

Personally I recommend just getting on with your life strategy if that makes sense for you...  Don't let SAP exams get you down if they are easy... 😉

Cheers,

Julius

Former Member
0 Kudos

It is also good to have some functional knowledge so the security person can understand the transaction process flow. This will be helpful in understanding how to restrict the transaction and also help during the testing. One of the good books a security admin should read is Security and Audit Control Features by ISACA.