Audits | November 25th, 2019

Top 5 Reasons Companies Fail Their SAP Audit

It’s never too early to think about your end-of-year SAP audit. Whether it’s your company’s first audit or you’ve been through many, knowing the pitfalls while preparing is crucial to avoiding failure.

In our recent webinar, “How to Avoid Audit Failures,” our resident security, audit and GRC expert Drew Steinfatt discussed some of the most common SAP audit issues that can push companies into a failure trap. We’ll summarize the issues in this blog post, but be sure to watch the full recording for even more insights on how to address each issue.

Reason 1: Outdated Policies and Procedures

The external auditors don’t make up the requirements they hold you responsible for in your audit. They simply verify that the policies and procedures your company has are reasonable for security and that you are meeting your own standards.

How can you tell whether your policies and procedures could be problematic during an audit? One sign is that they were last updated more than two years ago. Additionally, any uncertainty about being able to explain exceptions to system settings or processes can be a red flag to the auditors.

Reason 2: Risks Not Defined Correctly

Every company operates in a unique way, but oftentimes companies don’t take the time to identify the specific risks that can affect their operations. Each company is going to have different levels of risk, and a one-size-fits-all approach to defining them doesn’t work when it comes to internal security or an SAP access audit. Let’s say two companies from two different industries—pharmaceutical and beverage—were to define the same risks around sensitive access and segregation of duties (SoD). The impact of these risks would differ for each company. Given that inventory controls are far more critical in the pharmaceutical industry than they are in the beverage industry, inventory control risks—and the impacts if a breach occurred—would be more significant for the pharmaceutical company.

How do you know whether your risk matrices fail to match your business processes? One sign is that the matrices are difficult for anyone to understand; the terminology may not even match what your company uses. In addition, if the risks are difficult to apply and no one clearly owns each risk, that is further evidence that inadequately defined risks are rampant.

Reason 3: Flawed Role Design

Most flawed role design stems not from the role itself but from how it’s maintained. Inadequate oversight and maintenance of role design makes a company not only more vulnerable to an internal breach of its SAP system, but also more likely to get flagged during an SAP audit.

What tends to happen is that, over time, people and processes change within the company and the resulting changes to roles are not documented. Without formal documentation that clearly articulates why design changes were made, you will probably end up with poorly designed roles that are difficult to adapt. You may also have complicated and slow role change processes, and SoD risks built into roles without any consideration of the conflicts. All of this leads to excessive access to sensitive data and transactions, and even to password sharing between accounts, because the role design is unnecessarily complex. No external auditor is willing to take the risk of leaving flawed role design unaddressed during the audit.

Reason 4: Ineffective Provisioning Process

A well-functioning process for provisioning users is crucial for SAP access security. An effective process should include carefully designed and documented steps and flow for the initiation, approval, execution and documentation requirements of user access, changes in position, re-certification and termination of access, as well as for creating and changing roles. The key word in this definition is “documented,” because auditors must be able to obtain the evidence they need in order to properly test the process’s effectiveness.

Often, a lack of documentation is already a sign that the provisioning process is not effective. Without a complete employee provisioning history, it’s extremely difficult to remove access from someone who has moved around in the company or left it entirely, creating a security risk. Other signs include a slow, manual provisioning process and the inability to assess risk impact before changes are made. All of this indicates to the auditor that the provisioning process is operating, but without consideration for security.

Reason 5: Excessive Admin/Emergency Access

Although the dreaded SAP_ALL or SAP_NEW appears less frequently now than before, it is not completely extinct. SAP_ALL is the default security profile that grants access to everything in SAP. Once an implementation is completed, power users won’t need permanent broad system access like SAP_ALL. In addition, gaining emergency access through a “firefighter” user ID also compromises security. This type of ID is granted by an administrator using a manual or ticketing system. The “firefighter,” in turn, often works with little oversight and no controls to ensure that they perform only approved tasks. Auditors will inquire about the activity that took place and whether it was logged, because without any documentation there is no way to know what happened. They want to see a company that can demonstrate what happened through documentation; otherwise, red flags will be raised.
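The two checks an auditor runs against Reason 5, as an added example that is not part of the original post or the webinar: flag any user holding SAP_ALL or SAP_NEW, and flag any firefighter session that cannot be tied to an approved ticket raised by the same person and to a captured activity log. All data, field names and ticket numbers below are constructed for the example and are not SAP table layouts.

```python
# Added example: audit checks for broad profiles and unreviewed firefighter use.
# Every record below is constructed; the dict keys are assumptions for this
# example, not SAP table columns or a ticketing system's real schema.

BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed extract of user -> profile assignments.
PROFILE_ASSIGNMENTS = [
    ("JSMITH", "SAP_ALL"),
    ("BASIS01", "SAP_NEW"),
    ("AP_CLERK1", "Z_AP_DISPLAY"),
]

# Constructed firefighter check-out log: who used which firefighter ID,
# under which ticket, and whether an activity log was captured.
FF_SESSIONS = [
    {"ff_id": "FF_FI_01", "user": "JSMITH", "ticket": "INC-1001", "logged": True},
    {"ff_id": "FF_MM_02", "user": "RLEE", "ticket": None, "logged": True},
    {"ff_id": "FF_FI_01", "user": "KWU", "ticket": "INC-1002", "logged": False},
    {"ff_id": "FF_FI_01", "user": "RLEE", "ticket": "INC-1001", "logged": True},
]

# Constructed ticketing-system export keyed by ticket number.
TICKETS = {
    "INC-1001": {"requester": "JSMITH", "status": "approved"},
    "INC-1002": {"requester": "KWU", "status": "approved"},
}


def broad_profile_findings(assignments):
    """Users holding SAP_ALL or SAP_NEW: each one is a finding after go-live."""
    return sorted(user for user, profile in assignments if profile in BROAD_PROFILES)


def firefighter_findings(sessions, tickets):
    """Firefighter sessions an auditor cannot tie to an approved request and a log."""
    findings = []
    for s in sessions:
        reasons = []
        ticket = tickets.get(s["ticket"]) if s["ticket"] else None
        if s["ticket"] is None:
            reasons.append("no approval ticket")
        elif ticket is None:
            reasons.append("ticket not found")
        elif ticket["requester"] != s["user"]:
            reasons.append("ticket requester differs from user")
        elif ticket["status"] != "approved":
            reasons.append("ticket not approved")
        if not s["logged"]:
            reasons.append("no activity log")
        findings.extend((s["ff_id"], s["user"], r) for r in reasons)
    return findings
```

Each tuple returned is one line of evidence the auditor will ask you to explain; an empty list for both functions is what a clean Reason 5 looks like.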

Remember that SAP audit findings are made to help make your internal controls processes more effective for your company and its people. According to a 2018 report by the Association of Certified Fraud Examiners (“ACFE”), organizations may lose five percent of revenue to fraud each year, due in part to a lack of effective internal controls. For ways to remediate these audit issues before your audit occurs, watch the entire webinar on this topic with Drew Steinfatt, a former associate at KPMG and IT auditor.
