Information from auditor

Former Member

Hi gurus...

I am currently involved in implementing security for the organization. I wanted help listing the questions I should ask the audit control group in the organization. I want to make sure I get specific answers from them which will help me to put proper controls in place.


Former Member

Typically, the auditors are the ones who ask the questions.

If you are involving your internal auditors at an early stage, then try to find out about their procedures (like when they plan to audit you, and whether they co-ordinate audits with the external auditors and other QA audit groups), and ask them about their own control requirements (they might have a self-assessment questionnaire which they can give you). They might even have a set of "best practice" or "examples of good controls" which they have dreamt up or collected over time. Or they could put you in contact with folks in the organization whom you don't know yet, but who have already been audited and solved certain issues.

If their interest is in improving the controls in the company, they will share this information with you and not wait for an audit to surprise you... or "catch you"...

Take note that in some companies, contacting the auditors for any reason is considered to be a generally bad idea. So perhaps check with one of your colleagues about this. On the other hand, if you ask, then you will get an answer and possibly more questions (also from the auditors...).

Good luck,

Julius


Thanks Julius.

Had a meeting with them and found that they did not have any clue about what needed to be audited, and as you said, I got more questions than answers...

Can I get a list of basic audit checks that are done in SAP?


Hi,

Please check your Authorisation Roles, User Master...

Example: PR - PO Approval, Movement type code, Purchase Access Control to Sales and other Store persons, Finance Roles, and the like....

Rajesh.


Hi,

To add to Julius's comments, I would like to share a few points:

In your scenario I guess auditors may have some doubts after you receive your EWA from SAP. According to that they may ask you to tune your security setup in the system, which is what we are doing now in my scenario, because SAP will always suggest a few comments in that EWA with warnings... auditors may point them out... If this info is wrong, please ignore...

Regards,

Gadde.


Happy are those whose auditors have no clue what to audit: this puts you in the driving seat. You can tell them how the system is built and what they should investigate. But be aware you might get external auditors who are experienced EDP auditors.

As a starting point, go to SAP Help security and look in www.sapsecurityonline.com


> SAPChizal wrote:

> Can I get a list of basic audit checks that are done in SAP?

Some auditors contribute to and use the resources from http://auditnet.org/

Regardless of your auditors, you may want to "mock" audit yourself first (I mentioned "self assessments" previously).

Or find a colleague to review your work / system and you review theirs - nothing wrong with exchanging opinions, or even solutions...

You might even find a different company which you do not have any conflicts with to do such a supervised peer review with?

Or just hang around and use the search at SDN, etc.

Actually, many companies are driven by audit requirements (or worse) and not by their own free will and interest in security.

Sometimes there are unfortunate and expensive side effects...

FYI: A while ago, I thought of suggesting to SDN to create an "Audit Alert" forum, but did not progress further than the thought of it.

When auditors find something, they tend to spam it around sooner or later and clone it to other customers (sometimes without checking all the details in advance...)

This is perhaps also their job, being independent and all. That is all fine and well; but sustainable solutions to audit issues are hard to find sometimes...

It was just a thought of mine, which might help self-assessments and preparing for an audit (in addition to auditnet.org etc)

If anybody thinks this might be helpful, then perhaps SDN would create such a forum (in addition to the Security Forum, the GRC Forum and all the other forums).

If there is a demand for it (hopefully not only limited to security) then feel free to post a response.

Kind regards,

Julius
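As an added example (not from any of the posters above, and not an SAP tool), the following script shows what a "mock" self-assessment of the kind Julius describes could look like for the basic checks Rajesh lists: user master hygiene, authorisation roles, and segregation of duties around PR creation, PO approval and goods movements. The input is constructed: two tab-separated extracts shaped like the USR02 (logon data) and AGR_USERS (role assignment) tables, with simplified columns. The Z_* role names, the purchasing user list and the conflict pairs are assumptions chosen for illustration, not a standard.

```python
"""Mock audit self-assessment over SAP user and role extracts (added example).

The two extracts below are constructed sample data shaped like SE16 exports of
USR02 (logon data) and AGR_USERS (role assignments). Column layout is simplified.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed USR02-like extract: user, user type (A = dialog, B = system),
# lock flag (0 = not locked), last logon date, assigned profiles.
USR02_EXTRACT = """\
BNAME\tUSTYP\tUFLAG\tTRDAT\tPROFILES
ADMIN01\tA\t0\t2009-03-30\tSAP_ALL S_A.SYSTEM
BUYER01\tA\t0\t2009-04-01\tZ_BUYER
STORE01\tA\t0\t2008-10-15\tZ_STORE
RFCUSER\tB\t0\t2009-04-02\tZ_RFC
DDIC\tA\t64\t2007-01-01\tSAP_ALL
"""

# Constructed AGR_USERS-like extract: role name, user. Role names are assumed.
AGR_USERS_EXTRACT = """\
AGR_NAME\tUNAME
Z_MM_PR_CREATE\tBUYER01
Z_MM_PO_APPROVE\tBUYER01
Z_MM_PO_APPROVE\tSTORE01
Z_FI_GL_POST\tADMIN01
Z_MM_GOODS_MOVEMENT\tSTORE01
"""

# Assumed segregation-of-duties conflicts: role pairs one user should not hold.
SOD_CONFLICTS = {
    frozenset({"Z_MM_PR_CREATE", "Z_MM_PO_APPROVE"}):
        "creates purchase requisitions and approves purchase orders",
    frozenset({"Z_MM_PO_APPROVE", "Z_MM_GOODS_MOVEMENT"}):
        "approves purchase orders and posts goods movements",
}
# Assumed: roles reserved for purchasing, and the users allowed to hold them.
PURCHASING_ROLES = {"Z_MM_PR_CREATE", "Z_MM_PO_APPROVE"}
PURCHASING_USERS = {"BUYER01"}


def parse_extract(text):
    """Parse a tab-separated extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def find_sap_all(users):
    """Users holding the SAP_ALL profile (full authorisation)."""
    return sorted(u["BNAME"] for u in users if "SAP_ALL" in u["PROFILES"].split())


def find_dormant_dialog_users(users, today, max_idle_days=90):
    """Unlocked dialog users who have not logged on within max_idle_days."""
    dormant = []
    for u in users:
        if u["USTYP"] != "A" or u["UFLAG"] != "0":
            continue  # only unlocked dialog users are in scope
        last_logon = date.fromisoformat(u["TRDAT"])
        if (today - last_logon).days > max_idle_days:
            dormant.append(u["BNAME"])
    return sorted(dormant)


def roles_by_user(assignments):
    """Map each user to the set of roles assigned to them."""
    roles = defaultdict(set)
    for row in assignments:
        roles[row["UNAME"]].add(row["AGR_NAME"])
    return roles


def find_sod_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """(user, description) for every conflict pair fully held by one user."""
    findings = []
    for user, roles in sorted(roles_by_user(assignments).items()):
        for pair, why in conflicts.items():
            if pair <= roles:
                findings.append((user, why))
    return findings


def find_purchasing_leaks(assignments, roles=PURCHASING_ROLES, allowed=PURCHASING_USERS):
    """(user, role) where a purchasing role is held outside the purchasing staff."""
    return sorted((r["UNAME"], r["AGR_NAME"]) for r in assignments
                  if r["AGR_NAME"] in roles and r["UNAME"] not in allowed)


def run_self_assessment(users_text, agr_text, today_iso):
    """Run all checks against the two extracts as of the given ISO date."""
    users = parse_extract(users_text)
    assignments = parse_extract(agr_text)
    today = date.fromisoformat(today_iso)
    return {
        "sap_all": find_sap_all(users),
        "dormant_dialog": find_dormant_dialog_users(users, today),
        "sod": find_sod_conflicts(assignments),
        "purchasing_outside_buyers": find_purchasing_leaks(assignments),
    }


if __name__ == "__main__":
    for check, hits in run_self_assessment(USR02_EXTRACT, AGR_USERS_EXTRACT, "2009-04-15").items():
        print(f"{check}: {hits}")
```

The point of keeping each check a separate function returning data rather than printing is that the same module can then be run against a real SE16 export before the auditors arrive, and the findings compared run over run, which is the "self assessment" Julius recommends.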