- May 20, 2017
- Posted by: selva
- Category: GRC Software, SAP Access Control, SAP GRC, SAP Process Control, SAP SOD
SAP audit checklist: information systems control standard to ensure SAP security
Companies should adopt and implement a recognized information systems security control standard or framework; one is needed to demonstrate control effectiveness in a consistent and repeatable manner, and a company without one has not complied with the requirements for business entities that process credit card transactions. Missing or inadequate controls include:
- Security policies and procedures, and assignment of responsibility for SAP security.
- Security awareness and an SAP audit training program on how to audit the SAP environment.
- Information systems risk assessment and internal audit in the SAP environment.
- Proper configuration of SAP system security settings.
- Effective management of SAP audit logs.
- Safeguarding and controlling sensitive production data used for testing.
- Ensuring that SAP user access levels are optimized. During audit fieldwork, procedures and processes were developed, and their implementation begun, to address some areas of concern, including the security of system-provided accounts and user account administration.
Auditing and GRC Automation in SAP
Over the last few years, financial statement scandals, cases of fraud and corruption, data protection violations, and other legal violations have led to numerous liability cases, damages claims, and losses of reputation. In reaction to these developments, several regulations have been issued: Corporate Governance, the Sarbanes-Oxley Act, IFRS, Basel II and III, Solvency II and BilMoG, to name just a few. In this book, compliance is understood as the process, mapped in an internal control system, that is intended to guarantee conformity not only with legal requirements but also with internal policies and enterprise objectives (in particular, efficiency and profitability).
The current literature primarily confines itself to mapping controls in SAP ERP and auditing SAP systems. Maxim Chuprunov not only addresses this subject but extends the aim of internal controls from legal compliance to include efficiency and profitability, and then well beyond, because a basic understanding of the processes involved in IT-supported compliance management is not delivered along with the software. Starting with the requirements for compliance (Part I), he not only answers compliance-relevant questions in the form of an audit guide for an SAP ERP system and in the form of risk and control descriptions (Part II), but also shows how to automate the compliance management process based on SAP GRC (Part III). He thus addresses the current need for solutions for implementing an integrated GRC system in an organization, with a particular focus on continuous control monitoring.
Maxim Chuprunov mainly targets compliance experts, auditors, SAP project managers and consultants responsible for GRC products as readers for his book. They will find indispensable information for their daily work from the first to the last page. In addition, MBA and management information systems students, as well as senior managers such as CIOs and CFOs, will find a wealth of valuable information on compliance in the SAP ERP environment, on GRC in general, and on its implementation in particular.
Security, Audit and Control Features SAP ERP, 4th Edition
SAP SE is a multinational software corporation that makes enterprise software to manage business operations and customer relations; its primary product is SAP ERP Central Component (known as ECC, previously named SAP® R/3). This technical reference guide on security and audit of SAP ERP covers an introduction to strategic risk management in an ERP environment, together with SAP ERP-specific security and auditing techniques that are unique to SAP ERP.
Security, Audit and Control Features SAP® ERP, 4th Edition provides practical guidance for all stakeholders involved in the SAP enterprise resource planning (ERP) audit/assurance process. The objective of the publication is to enable audit, assurance, risk and security professionals (information technology [IT] and non-IT) to evaluate risk and controls in existing ERP implementations and to facilitate the design and building of better-practice controls into system upgrades and enhancements. The publication was designed to be a practical how-to guide based on SAP ECC versions 5.0 and 6.0. However, most of the features and testing techniques described are also applicable to the earlier versions of SAP® R/3, namely 4.6c and 4.7.
Updates in this 4th Edition include:
- New functionality offered in SAP ECC 6.0 and NetWeaver
- 8 new chapters to cover Financial Accounting (FI), Managerial Accounting (CO), Human Capital Management (HCM) and BASIS Administration and Security. Following each topic is a “How to Audit” chapter
- 1 new chapter on SAP security functionality
- Updated to the latest Sarbanes-Oxley control objectives
- Updated to COBIT 5
- 8 new internal control questionnaires (ICQs) to prepare audit/assurance plans
- Easy-to-follow risks, control objectives and testing techniques for each module
To ensure that companies respond appropriately to SAP security incidents, they should develop and implement a comprehensive program covering:
- SAP security incident response policies and procedures
- SAP security incident response training
- SAP security monitoring and reporting
- Roles and responsibilities
- Business recovery and continuity procedures
- Data backup processes
- Legal requirements for reporting compromises