sap risk management

Compliance Designed Well AuditBot

Upload: auditbot-sap-security-audit

Post on 20-Jul-2015






Page 1: SAP Risk Management

Compliance Designed Well


Page 2: SAP Risk Management


• “All the audit programs are written in ABAP Program”

• “All the audit logs are gathered and recorded into a custom table for unlimited use”

ABAP Based

No New




• “Solution can be deployed in SAP System on the existing hardware.”

• Existing company resources can support the product

• “Solution can be implemented quickly, sometimes even within one day.”

• “Training the internal audit team is quick, as the reports are one-click execution.”


Page 3: SAP Risk Management

SAP Risk Analysis

• A comprehensive list of SAP Risk Rule set out of the box preconfigured.

• Batch programs which can run the SAP Risk analysis daily.

• Risk analysis report (SOD, Sensitive Transaction and Sensitive Object) at the SAP role level and SAP user level.

• Report to analyze whether the SAP risk was executed and which postings are related to the risk

• Trending reports for managers to monitor the SAP risk monthly or yearly

• Alert when a specific SAP risk is introduced at the SAP role level or SAP user level

Custom object


Monitor 100% of


Fully Automated

Page 4: SAP Risk Management

SOD Risks: When a user or role has a combination of two or more SAP transactions. Example: transaction FSS0 (Create GL Master Record) and F-02 (Enter GL Account Posting). The risk here is that the user can create a GL account and post a journal entry to hide the activity.

Sensitive Transaction: This is a user or role having just one transaction. A typical example is having transaction SCC4 or SU10. Either of these transactions by itself can do excessive damage to the system.

Object Level Risks: There are some sensitive objects which could cause risk or should not be assigned to users or a role. Example: S_DEVELOP (DEBUG), S_TABU_DIS with open access, or S_TCODE with * or ranges.

Different Types of SAP Risk

SAP Risks-Delivered
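The three risk types above, checked at role level and at user level, as an added example that is not AuditBot's code. Assumptions: the rule set holds only the transactions and objects named on this slide, the role names and data are constructed, and "open access" on S_TABU_DIS is read as `*` in the DICBERCLS field.

```python
# Added example: the rule set holds only the transactions/objects named on this slide.
SOD_RULES = {"Create GL account + post journal entry": ("FSS0", "F-02")}
SENSITIVE_TCODES = ("SCC4", "SU10")

def covers(value, tcode):
    """True if one S_TCODE value (code, trailing-* pattern or (low, high) range) grants tcode."""
    if isinstance(value, tuple):      # range; plain string ordering is a simplification
        return value[0] <= tcode <= value[1]
    if value.endswith("*"):
        return tcode.startswith(value[:-1])
    return value == tcode

def analyze(s_tcode_values, objects):
    """Findings for one set of authorizations: a single role, or a user's roles merged."""
    def has(tcode):
        return any(covers(v, tcode) for v in s_tcode_values)
    findings = [f"SOD: {n}" for n, pair in SOD_RULES.items() if all(has(t) for t in pair)]
    findings += [f"SENSITIVE: {t}" for t in SENSITIVE_TCODES if has(t)]
    if any(isinstance(v, tuple) or "*" in v for v in s_tcode_values):
        findings.append("OBJECT: S_TCODE with * or range")
    if "DEBUG" in objects.get("S_DEVELOP", {}).get("OBJTYPE", ()):
        findings.append("OBJECT: S_DEVELOP (DEBUG)")
    # Assumption: "open access" means * in the table authorization group field.
    if "*" in objects.get("S_TABU_DIS", {}).get("DICBERCLS", ()):
        findings.append("OBJECT: S_TABU_DIS open access")
    return sorted(findings)

def analyze_user(role_names, roles):
    """User-level analysis: merge every assigned role, then apply the same rules."""
    tcodes, objects = [], {}
    for name in role_names:
        tcodes += roles[name]["tcodes"]
        for obj, fields in roles[name].get("objects", {}).items():
            for field, values in fields.items():
                objects.setdefault(obj, {}).setdefault(field, set()).update(values)
    return analyze(tcodes, objects)

# Constructed sample data; role names are hypothetical.
ROLES = {
    "Z_GL_MASTER": {"tcodes": ["FSS0", "FS00"]},
    "Z_GL_POSTING": {"tcodes": [("F-01", "F-05")]},
    "Z_BASIS_SUPPORT": {"tcodes": ["SU10"],
                        "objects": {"S_DEVELOP": {"OBJTYPE": {"DEBUG"}},
                                    "S_TABU_DIS": {"DICBERCLS": {"*"}}}},
}

if __name__ == "__main__":
    print({n: analyze(r["tcodes"], r.get("objects", {})) for n, r in ROLES.items()})
    print(analyze_user(["Z_GL_MASTER", "Z_GL_POSTING"], ROLES))
```

The merged user-level result reports the FSS0 / F-02 conflict even though neither GL role carries it alone, which is why the analysis has to run at both levels.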

Page 5: SAP Risk Management

Simple Steps before SAP License Audit

• Review your SAP user list using transaction SUIM regularly and look for any unwanted user IDs.

• Use transaction RSUSR200 to periodically lock users for inactivity of 90 or 120 days, based on your company policy.

• Assign a license type to every user in the system. All users without a license type assignment are charged at the professional license type level.

• Turn on the Multiple Logon parameter so users cannot log on multiple times with the same user ID.

• Assign license type at the role level.

• Assign proper roles to the users. Users with broad access roles can access powerful transactions.

Page 6: SAP Risk Management

Third party review executed by AuditBot ensures risks and vulnerabilities are





• Managing a complex software landscape can be a time-consuming and costly exercise for any organization.

• Taking control by identifying the actual risk occurrence of your SAP landscape

• Ensuring compliance of external audits and avoiding surprises

• Awareness of your ‘as is’ situation with respect to your SAP risk management, including identification of related vulnerabilities and risks

• Control of SAP Risk in your SAP landscape based on actual Risk occurrence

• Reduce your Audit Costs.


A common result of SAP audits is improper assignment of roles, excessive access and what did they do with the


SAP Risk Analysis

Page 7: SAP Risk Management


Awareness of your ‘as is’ situation with respect to your SAP risk management, including identification of related vulnerabilities and risks.







• “Control your SAP Risks in your landscape and reduce your SAP Audit Costs.

• Knowledge of how SAP risks its and provides awareness and understanding to the internal auditors of your company

We work closely with our clients to understand their SAP landscape, current controls and procedures, and to address their desired objectives for SAP Risk management”


Page 8: SAP Risk Management

Object, Sensitive and SOD Rule Set Delivered as part of Install

Page 9: SAP Risk Management

Risk Configuration at Object Level

Page 10: SAP Risk Management

Simulate at User, Role, and Transaction Code Level

Page 11: SAP Risk Management

High Level Summary Report

Page 12: SAP Risk Management

Risk Trending Report Showing Monthly addition or reduction in SAP Risk

Page 13: SAP Risk Management

Showing SOD / Sensitive Transaction Execution happened and changes made

Page 14: SAP Risk Management

Get alerted when Specific risk is added to User or Role

Page 15: SAP Risk Management

See Actual Execution of Transaction with SOD Conflict and Table postings

Page 16: SAP Risk Management

Transactions in Role Vs Actual Usage

Page 17: SAP Risk Management

Value from AuditBot SAP Compliance tool means reducing the cost of compliance and improving risk management and control.



• Excessive access and the user performing unauthorized activities

• No control over the user IDs with Elevated

• Not able to track and monitor the Elevated

• Undue delays in resolving the issues

• Monitors use of Elevated Access

• Tracks actions performed while privileged access is being used

• Provides detailed, concise audit reports

• Any activities performed are automatically logged and can be delivered to defined controllers to review the access which has been used


Provides controlled means of providing Super user access to Sensitive and Critical transactions on Ad hoc basis

Emergency Help Desk

Page 18: SAP Risk Management


• AuditBot identifies and prevents access and authorization risks in cross-enterprise IT systems

• Prevent fraud and reduce the cost of continuous compliance and control.







• “Our AuditBot team is working with leading organizations to embed and integrate SAP Audit Compliance solutions, driving value from control.”

• “Validity periods are also assigned at the same time as provisioning.”

• Getting value from AuditBot technology means reducing the cost of compliance at the same time as improving risk management and control


Page 19: SAP Risk Management

• Free 30 Proof of Concept

• Same day installation and Configuration

• 365 Day Money Back Guarantee

• Basic Configuration Includes

• Will Provide Custom Enhancements

• When Can We Start


Our Value