Access review in SAP without chaos – smartReview case study

Did your last SAP authorization audit drag on for weeks? Did Excel files and endless emails prolong the process even further? See how you can review SAP accesses up to four times faster!

In many organizations, periodic review of authorizations is a formal obligation related to audit requirements, GDPR, or SOX. However, on a large scale—with thousands of users, a dozen or so SAP systems, and complex roles—a manual approach leads to chaos and errors.

This was the daily routine of Marta, the organizer of the SAP authorization review, and Adam, the head of the accounting department responsible for verifying authorizations in his area. They both knew they needed a tool that would allow them to take control of the process. The solution turned out to be the smartReview module in the smartGRC application.


Step 1: Planning the review – a quick start instead of a marathon

Every review begins with defining the scope – what it covers, who will do the verification, and what criteria will be taken into account. This stage is crucial, because mistakes made at the beginning can result in delays and the need to repeat the entire process.

When preparing a review in a company with several thousand employees and a dozen or so SAP systems, Marta used to spend hours determining the scope and assigning verifiers. Now, with smartReview, it takes just a few minutes to set the review end date and transaction usage thresholds, require comments for high-risk items, and exclude technical accounts.

“Preparing a review, which used to take me several hours, now takes just a few minutes,” says Marta.


Step 2: Data verification – prevention is better than correction

Once the scope of the review has been determined, the next step is to ensure that all data has been assigned to the right people. This is a common stumbling block: in the traditional model, incorrect assignments only came to light when someone reported that they had received the wrong dataset.

Today, Marta can see immediately whether the system has correctly assigned verifiers according to the established rules. She can filter data and make bulk changes to assignments. This eliminates errors at the outset, before the process gains momentum.

“Now I can catch and correct wrong assignments right away, which eliminates downtime later on,” adds Marta.


Step 3: Decision making – fewer clicks, more decisions

The core of the review process is the decisions made by the verifiers. This is where verifiers decide which accesses remain and which need to be revoked. In the traditional model, this meant that Adam had to analyze hundreds of items and manually check off risks—a tedious and error-prone task.

Now, Adam only sees the items that require his attention. He can use the history of previous decisions, filter data, and copy previously made decisions in bulk. What’s more, if he marks one risk to be revoked, smartReview automatically identifies and marks all its occurrences in the user’s other authorizations.

A common problem in many companies is authorizations left behind by former employees. Now, thanks to smartReview, Adam can remove all access from inactive accounts in his area with a single click.

“The decision history and automatic marking of related items reduce my working time by up to half,” Adam emphasizes.


Step 4: Implementation monitoring – visibility until completion

The review itself does not end when a decision is made. It is equally important to ensure that the findings are actually implemented in the system. Without effective monitoring, there is a risk that the same redundant accesses will return in the next cycle.

Previously, Adam had to check statuses manually, which was time-consuming and led to a situation where redundant accesses returned in the next run. Thanks to smartReview, he can now see the progress of decision implementation in his area in his dashboard – green means changes have been implemented, red signals the need for intervention.

“Thanks to the current status preview, I can be sure that decisions are actually being implemented and not just recorded in a report,” Adam concludes.


The results – measurable change

After the first cycle, clear results were visible:

  • review time reduced by up to 75% on the verifiers’ side.
  • significant reduction in errors thanks to automatic assignments and bulk operations.
  • full transparency of the process – from planning to decision implementation.
  • higher quality decisions thanks to access to decision history and analysis of authorization usage.
  • more effective removal of redundant access – decisions actually implemented in the system.

After implementing smartReview, not only the pace of work changed, but also the quality of the entire process. Teams gained greater control over the review process, and the activities themselves became more predictable and error-resistant.


Rules for a successful review – general recommendations

Regardless of the tool used, an effective SAP authorization audit should be based on several universal principles:

  1. clearly defined review criteria (e.g., obligatory comments when accepting risks).
  2. inclusion of information about the actual use of authorizations in the review.
  3. monitoring the implementation of decisions, not just recording them.
  4. documenting the full audit trail in accordance with compliance requirements.

This approach supports compliance with regulations such as SOX, GDPR, and ISO 27001, and also facilitates the control of segregation of duties (SoD).
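The four steps above and the general rules that follow describe the same mechanics: scope criteria (a usage threshold, mandatory comments for high-risk items, technical accounts excluded), rule-based verifier assignment with a check for gaps before the review starts, decisions that propagate a revoked risk across the user's other authorizations plus bulk revocation for inactive accounts, and monitoring of whether revocations actually landed in the system, all recorded in an audit trail. The Python model below is an added example written for this article; it is not smartReview or smartGRC code. The Entry and Review classes, the user names, role names, risk ids and usage counts are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Entry:                        # one user-role assignment under review (constructed model)
    user: str
    role: str
    risks: frozenset                # SoD risk ids this role contributes to
    department: str
    usage_90d: int                  # transactions of the role executed in the last 90 days
    active: bool                    # False = former employee / inactive account
    user_type: str                  # "dialog" or "system" (technical account)
    verifier: str = ""              # review state below, filled in during the cycle
    decision: str = ""              # "keep" | "revoke"
    comment: str = ""
    implemented: bool = False


class Review:
    def __init__(self, end_date, usage_threshold, verifiers, high_risks):
        self.end_date, self.usage_threshold = end_date, usage_threshold    # deadline; low-usage cutoff
        self.verifiers, self.high_risks = verifiers, frozenset(high_risks)  # dept -> verifier; comment needed
        self.entries, self.audit = [], []                                   # scope; full audit trail

    def plan(self, candidates):     # Step 1: scope and criteria; technical accounts never enter the review
        self.entries = [e for e in candidates if e.user_type != "system"]
        for e in self.entries:
            e.verifier = self.verifiers.get(e.department, "")               # rule-based assignment
        self.audit.append(("planned", len(self.entries), len(candidates) - len(self.entries), self.end_date))
        return len(self.entries)

    def reassign(self, department, verifier):   # Step 2: bulk fix of an assignment gap before the start
        hit = [e for e in self.entries if not e.verifier and e.department == department]
        for e in hit:
            e.verifier = verifier
        self.audit.append(("reassigned", department, verifier, len(hit)))
        return len(hit)

    def pending(self, verifier, low_usage_only=False):   # Step 3: only open items in the verifier's area
        return [e for e in self.entries if e.verifier == verifier and not e.decision
                and (not low_usage_only or e.usage_90d < self.usage_threshold)]

    def decide(self, verifier, user, role, decision, comment="", revoke_risk=""):
        e = next(x for x in self.pending(verifier) if x.user == user and x.role == role)
        if decision == "keep" and e.risks & self.high_risks and not comment:
            raise ValueError("a comment is required to keep a high-risk authorization")
        targets = [e]
        if decision == "revoke" and revoke_risk:   # propagate to the user's other open items with that risk
            targets += [o for o in self.pending(verifier)
                        if o.user == user and o is not e and revoke_risk in o.risks]
        for t in targets:
            t.decision, t.comment = decision, comment if t is e else f"propagated from {role} ({revoke_risk})"
            self.audit.append(("decision", verifier, t.user, t.role, decision, t.comment))
        return len(targets)

    def revoke_inactive(self, verifier):                 # one click: drop all access of inactive accounts
        hit = [e for e in self.pending(verifier) if not e.active]
        for e in hit:
            self.decide(verifier, e.user, e.role, "revoke", "inactive account")
        return len(hit)

    def sync(self, present):        # Step 4: present = set of (user, role) pairs still assigned in SAP
        for e in self.entries:
            e.implemented = e.decision == "revoke" and (e.user, e.role) not in present
        self.audit.append(("sync", self.status()))

    def status(self):               # dashboard: green = implemented, red = needs intervention
        rev = [e for e in self.entries if e.decision == "revoke"]
        return {"undecided": sum(not e.decision for e in self.entries),
                "green": sum(e.implemented for e in rev), "red": sum(not e.implemented for e in rev)}


def run_demo():
    entries = [  # constructed sample data; users, roles and risk ids are invented
        Entry("jan.w", "FI_AP_INVOICE", frozenset({"P2P-01"}), "accounting", 80, True, "dialog"),
        Entry("jan.w", "FI_AP_PAY", frozenset({"P2P-01"}), "accounting", 2, True, "dialog"),
        Entry("ewa.n", "FI_GL_POST", frozenset({"GL-02"}), "accounting", 0, True, "dialog"),
        Entry("piotr.l", "MM_PO_CREATE", frozenset({"P2P-01"}), "accounting", 15, False, "dialog"),
        Entry("ola.z", "SD_ORDER", frozenset(), "sales", 300, True, "dialog"),
        Entry("BATCH_FI", "FI_BATCH", frozenset(), "accounting", 9000, True, "system"),
    ]
    r = Review("2025-03-31", 10, {"accounting": "adam"}, {"P2P-01"})
    r.plan(entries)                                        # 5 items; BATCH_FI excluded
    gaps = sum(not e.verifier for e in r.entries)          # Step 2 check: no rule for "sales"
    r.reassign("sales", "kasia")
    r.revoke_inactive("adam")                              # piotr.l is a former employee
    low = [e.role for e in r.pending("adam", low_usage_only=True)]
    try:
        r.decide("adam", "jan.w", "FI_AP_INVOICE", "keep")   # high risk, no comment -> refused
        rejected = ""
    except ValueError as err:
        rejected = str(err)
    touched = r.decide("adam", "jan.w", "FI_AP_PAY", "revoke", revoke_risk="P2P-01")
    r.decide("adam", "ewa.n", "FI_GL_POST", "revoke")
    r.decide("kasia", "ola.z", "SD_ORDER", "keep")
    r.sync({("jan.w", "FI_AP_INVOICE"), ("piotr.l", "MM_PO_CREATE"), ("ola.z", "SD_ORDER")})  # 2 of 4 done
    return {"gaps": gaps, "low_usage": low, "rejected": rejected, "touched": touched,
            "status": r.status(), "audit_events": len(r.audit)}
```

Running `run_demo()` walks one cycle: the technical account never enters scope, the sales item has no verifier until it is reassigned in bulk, the former employee's access is revoked in one step, the two low-usage items are surfaced for attention, keeping a high-risk item without a comment is refused, revoking one occurrence of risk P2P-01 also marks the user's other role carrying it, and after the reconciliation the dashboard shows two revocations implemented and two still present in the system. Propagation is deliberately limited to the verifier's own open items (an assumption of this model), and in practice `sync` would be fed from an export of current role assignments rather than a hand-written set.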


Conclusion – a review of authorizations as a security measure

The story of Marta and Adam shows that the review of SAP authorizations does not have to be a tedious and chaotic process. Thanks to smartReview, it has become an organized and predictable part of the system security strategy. In an environment where access control is one of the key elements of security, such tools are no longer a luxury – they are a necessity.

If reviews are seen solely as an audit requirement in your company, it is worth treating them as an opportunity to organize access and strengthen the security of the entire SAP environment.

And if you want to see how this process works in practice, we encourage you to check out the interactive smartReview demo. You can find the demo at https://smartgrc.eu/en/demo/.


References:

This article is based on the experience of the GRC Advisory team in conducting authorization reviews in the SAP system and the knowledge gained in designing and implementing the smartReview module in the smartGRC application.