Practical Guide to Auditing SAP Systems - Martin Metz
Preface
To call a spade a spade, SAP is unique. Even with a lot of experience in auditing non-SAP IT systems, you might still find it tough to ask the right questions, to meet SAP administrators on equal terms, or to find your way through the opaque correlations of hundreds of SAP tables, the configuration settings, the authorization concept, or application controls in SAP systems.
Have you been lucky enough to have been tasked with auditing a tricky SAP system? Are you preparing the audit plan for the next fiscal year and thinking that an SAP system should be one of the targets? Are you aware of the growing SAP system landscape in your company and the mission-critical importance of SAP? Are you wondering how to control these systems efficiently? If you are a security officer, an auditor, a compliance officer, an SAP administrator, a consultant, or a developer and have asked yourself one of the questions above, this book is for you. The book addresses those who are responsible for SAP security and controls and who are eager to learn how to cope with the security challenges an SAP system poses, how to detect misconfiguration quickly, and how to evaluate the security status of an SAP system.
This book focuses on the tasks of an auditor and the techniques needed to determine the high-level security status of an SAP system quickly. Although this book examines SAP from the audit perspective, SAP administrators and security consultants among the readers are encouraged to turn each control around and ask themselves: “What do I need to do to successfully complete such an audit? Which settings and process changes are necessary to meet these requirements?” By doing this, you can use the standard control procedure presented in this book as a guideline to improve the security posture of your SAP system.
Chapter 1 explains the basic principles of a company’s audit function, including the role of the audit function within the three lines of defense model, as well as recent studies covering the tasks and the current priorities of the internal audit function. This chapter also provides further valuable information such as regulatory requirements behind audits, leading practices, and a primary methodology for conducting information system (IS) audits in general.
Chapter 2 looks at SAP and specific audit issues relating to SAP systems more closely, including the business relevance and market share of SAP within and beyond the ERP market. The chapter also discusses the components and general technical architecture of an SAP system, thereby deriving a general approach to an SAP-focused IS audit.
SAP provides some valuable system-internal tools and functionalities that we introduce in Chapter 3. Auditors can use these tools as they offer extensive query capabilities and pre-defined reports, along with a variety of controls. You will learn how to apply these tools as they are a primary means in the daily business of an SAP auditor. Understanding them is vital for an efficient audit and will save you a lot of time.
Chapter 4 is the centerpiece of this book. It guides you through the top 12 controls that should be included in your audit activities. These controls cover areas such as accounts and authorizations, the changeability settings of tables, clients, and entire systems, change logs, and security configuration settings. For each control, we introduce the background to the control as well as the risks associated with the control. You will also learn how to assess the efficiency of the controls. Understanding the risks that the controls are intended to counteract is key to a discussion on equal terms with auditees. You will want to be able to answer their questions, such as: “Why should I change the password of this technical user? What could someone do with this account?” Explanations about how various vulnerabilities can be exploited will help you to respond to such questions. This chapter will be useful as a manual during your audit.
Chapter 5 rounds off the book and provides an overview of upcoming challenges posed by SAP systems and the implications for future audit priorities. The driving topics here are HANA, mobile, and cloud.
This book provides an overview of the reasons why internal audit exists, special aspects relating to SAP systems, and detailed controls and practical instructions to help you through your next audit, regardless of whether you are the auditing or the audited party.
We have added a few icons to highlight important information. These include:
Tip
Tips highlight further details about the subject being described and/or additional background information.
Example
Examples help illustrate a topic by relating it to real-world scenarios.
Warning
Warnings draw attention to information that you should be aware of when you go through the examples from this book on your own.
Finally, a note concerning the copyright: All screenshots printed in this book are the copyright of SAP SE. All rights are reserved by SAP SE. Copyright pertains to all SAP images in this publication. For simplification, we will not mention this specifically underneath every screenshot.