Thursday, May 13, 2010

SAP Auditing Made Easy

By: Medi Karkashon, CISA, CPA
GRC Security Division Manager


With companies' migration to SAP systems, which have in essence replaced diverse legacy systems and separate islands of information, a hotbed of opportunity suddenly opened up for diverse types of malicious activity, from fraud and embezzlement to information leakage through authorization bypass, in these new data-rich, well-integrated, intricate systems.

Manual processes that once prevailed, such as checking invoices against hard-copy purchase orders or checking signatures on documents, have evolved into automated processes with automated controls built into SAP systems. Traditional auditing methods are becoming obsolete with the integration of SAP, and internal auditors are finding themselves needing to adapt to these changes, and quickly.

The advantages that come with the integration of an SAP system carry new threats as a byproduct, as with any system of this size and nature; especially threats that relate to the integration of data across the different internal processes, which did not exist in the past when the different systems did not interact. This new integration has created a crucial need for constant availability, transparency, and integrity of information, as well as real-time data for the different departments.

SAP systems are purposely constructed in a manner that makes it easy to get from one place to another in order to facilitate business processes. This architecture creates many avenues to reach diverse data very easily. This is where the issue of sensitive authorizations and segregation of duties becomes critical. These different avenues create myriad new threat vectors, making it increasingly important for an internal auditor to understand exactly how the system works, and the business logic and flow that comes with SAP systems.

Many internal auditors have already recognized this criticality and have enlisted the proper professionals to help mitigate these risks; others choose to work very closely with their IT department on these matters. However, there are still many internal auditors who have not yet addressed the security issues involved in migrating to SAP – whether due to a lack of awareness of these issues or to limited company resources.

With this need in mind, Comsec developed a solution to facilitate internal auditing of SAP systems. The SAP security portfolio was designed to provide an easily implemented set of advanced rules and reports, available to internal auditors at the click of a button – enabling much-needed on-demand and real-time auditing. These reports focus on anomalous and exceptional data that may indicate system irregularities or processes being carried out contrary to company policy. A driving factor in the design process was ensuring that this data would be available for key SAP processes, including:

User management
Authorization management
Finance
Human resources
Procurement
Inventory management

This new package helps the internal auditor gradually learn the ins and outs of the system, providing internal auditors with the skills and tools to acclimatize to SAP system auditing, all without requiring the investment of unnecessary internal time and resources.